Free checklist

The Lovable-to-Production Checklist

The 10 things that break when your vibe-coded app meets real users.

You shipped fast in Lovable, Bolt, or Replit and got real users. That is the hard part, and most people never get there.

But the jump from “works in the demo” to “survives real users” is a different kind of work. Here are the things that break first, with the fix for each. No pitch. If your app is hitting any of these, you probably already feel it.

  1. Row-level security is probably off

    What breaks: Every user can read every other user’s data through the API, even when the UI hides it. Vibe-coded apps almost always ship with Supabase RLS disabled or set to "allow all." This is the most common way these apps leak their entire user table.

    The fix: Turn RLS on for every table and write a policy that scopes rows to auth.uid(). Then test it by querying as two different users, not just by clicking around the UI.

  2. Your API keys are in the browser

    What breaks: Anyone can open dev tools, copy your OpenAI or Stripe key, and run up your bill. No-code builders love to call APIs straight from the client.

    The fix: Move every third-party call behind a server route or edge function. The key lives on the server and never ships in the bundle.

  3. There is no real billing, only a checkout button

    What breaks: A customer pays, Stripe fires a webhook, your app misses it, and they never get access. Or they cancel and keep access. The hard part of billing was never the checkout; it was the webhooks and the ledger.

    The fix: Handle the webhook events, make them idempotent (Stripe replays them), and treat your own database as the source of truth for subscription state.
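An added example of the webhook half of that fix, written for this checklist and not taken from any project: an idempotent handler that keeps subscription state in our own ledger. The event shapes mimic Stripe's but are constructed here, and the signature check (stripe.webhooks.constructEvent in the real route) is assumed to have already run before handleEvent is called.

```typescript
// Added example: idempotent subscription webhook handling with our own
// database as the source of truth. Event objects below are constructed to
// look like Stripe's; signature verification is assumed to happen earlier.

type SubscriptionStatus = "active" | "past_due" | "canceled";

export interface WebhookEvent {
  id: string;       // provider event id; a replay arrives with the same id
  type: string;
  created: number;  // unix seconds, used to reject out-of-order deliveries
  data: { object: { customer: string; status?: SubscriptionStatus } };
}

export interface Ledger {
  subscriptions: Map<string, { status: SubscriptionStatus; updatedAt: number }>;
  processedEvents: Set<string>;   // ids already applied (persist this in prod)
}

export function newLedger(): Ledger {
  return { subscriptions: new Map(), processedEvents: new Set() };
}

export type HandleResult = "applied" | "duplicate" | "stale" | "ignored";

export function handleEvent(ledger: Ledger, ev: WebhookEvent): HandleResult {
  // 1. Idempotency: the provider retries until it gets a 2xx, so the same
  //    event can show up several times. Apply once, acknowledge every time.
  if (ledger.processedEvents.has(ev.id)) return "duplicate";

  const obj = ev.data.object;
  let next: SubscriptionStatus | undefined = undefined;
  switch (ev.type) {
    case "customer.subscription.created":
    case "customer.subscription.updated":
      next = obj.status;
      break;
    case "customer.subscription.deleted":
      next = "canceled";
      break;
  }
  if (!next) {
    ledger.processedEvents.add(ev.id);   // remember it so replays stay cheap
    return "ignored";
  }

  // 2. Ordering: deliveries are not ordered. Never let an older "active"
  //    overwrite a newer "canceled".
  const current = ledger.subscriptions.get(obj.customer);
  if (current && current.updatedAt > ev.created) {
    ledger.processedEvents.add(ev.id);
    return "stale";
  }

  // In a real app steps 2 and 3 run in one database transaction.
  ledger.subscriptions.set(obj.customer, { status: next, updatedAt: ev.created });
  ledger.processedEvents.add(ev.id);
  return "applied";
}

// Access decisions read our ledger, never the checkout page's state.
export function hasAccess(ledger: Ledger, customer: string): boolean {
  return ledger.subscriptions.get(customer)?.status === "active";
}
```

The processed-event set and the subscription row should live in the same database and be written in one transaction; otherwise a crash between the two writes reintroduces the duplicate problem.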

  4. LLM calls fail silently

    What breaks: The model returns malformed JSON or times out, and your feature shows a blank screen with no error. The quiet failure is usually the retry layer, not the model.

    The fix: Wrap every model and tool call with a schema check and a single retry, then fall back to a clear message the user can act on.

  5. Nothing stops abuse or runaway cost

    What breaks: One user or one bot hammers your AI endpoint and you wake up to a four-figure bill.

    The fix: Add per-user rate limits and a hard spend cap on the LLM layer before you launch, not after the bill arrives.

  6. You are editing production live

    What breaks: There is one environment, it is prod, and every change is instantly live for real users. One bad edit takes the app down.

    The fix: Split staging from production, put the database behind migrations instead of manual edits, and ship through a branch you can roll back.

  7. Inputs are not validated

    What breaks: Forms and API routes trust whatever they receive, which opens the door to injection, broken data, and XSS.

    The fix: Validate and sanitize on the server with a schema, not just in the UI, and parameterize every query.

  8. Secrets and auth tokens are mishandled

    What breaks: Tokens stored in localStorage, no refresh-token rotation, sessions that never expire. Get this wrong and users get logged out at random, or stay logged in forever.

    The fix: Use httpOnly cookies, rotate refresh tokens, and set sane session lifetimes.
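An added example of refresh-token rotation, written for this checklist and not taken from any auth library: tokens are stored as hashes, each exchange mints a replacement, and presenting an already-used token revokes the whole login family. The cookie attributes and the /auth/refresh path are assumptions; the TTL is configurable.

```typescript
// Added example: refresh-token rotation with reuse detection. Cookie
// attributes and the refresh route path are assumed.
import { createHash, randomBytes } from "node:crypto";

interface RefreshRecord {
  userId: string;
  family: string;     // one family per login; rotations stay in the family
  expiresAt: number;
  usedAt?: number;    // set once the token has been exchanged
}

export class RefreshStore {
  private byHash = new Map<string, RefreshRecord>();
  private revokedFamilies = new Set<string>();
  private ttlMs: number;
  private now: () => number;

  constructor(ttlMs = 30 * 24 * 3_600_000, now: () => number = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;
  }

  // Store only a hash: a leaked table then yields nothing replayable.
  private hash(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  private mint(userId: string, family: string): string {
    const token = randomBytes(32).toString("base64url");
    this.byHash.set(this.hash(token), { userId, family, expiresAt: this.now() + this.ttlMs });
    return token;
  }

  // Login: start a fresh family.
  issue(userId: string): string {
    return this.mint(userId, randomBytes(16).toString("hex"));
  }

  // Exchange a refresh token for a new one. null means "back to login".
  rotate(presented: string): { userId: string; token: string } | null {
    const rec = this.byHash.get(this.hash(presented));
    if (!rec || this.revokedFamilies.has(rec.family)) return null;
    if (rec.expiresAt <= this.now()) return null;
    if (rec.usedAt !== undefined) {
      // A token that was already rotated is being presented again: either
      // a stale client or a stolen copy. Either way, end the whole family
      // so neither holder can continue.
      this.revokedFamilies.add(rec.family);
      return null;
    }
    rec.usedAt = this.now();
    return { userId: rec.userId, token: this.mint(rec.userId, rec.family) };
  }
}

// Set-Cookie value: unreadable by page scripts (HttpOnly), TLS only (Secure),
// not sent cross-site, and scoped to the refresh route alone.
export function refreshCookie(token: string, maxAgeSec: number): string {
  return `refresh=${token}; HttpOnly; Secure; SameSite=Strict; Path=/auth/refresh; Max-Age=${maxAgeSec}`;
}
```

Pair a short-lived access token (minutes) with this longer-lived refresh token, and keep the refresh cookie's Path narrow so the browser only attaches it to the one route that needs it.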

  9. The database has no structure to grow on

    What breaks: No indexes, so queries crawl once you have real data; no foreign keys, so the data drifts out of sync.

    The fix: Index the columns you filter and join on, add constraints, and stop relying on the builder’s default schema.

  10. You cannot see what is happening in production

    What breaks: A user reports a bug and you have no logs, no error tracking, and no way to reproduce it. You cannot fix what you cannot see.

    The fix: Add structured logging and an error tracker on day one, plus automated backups you have actually tested restoring.

Built by Bill Fackelman, co-founder and CTO of Be Found Everywhere (7 AI apps in production) and founder of BoostFrame. I take on a couple of senior engagements at a time, turning Lovable and AI MVPs into production apps: auth, billing, multi-tenancy, the parts that bite later.

Book a free 15-minute architecture read

No pitch. TypeScript · Supabase · Stripe.