Skip to main content
Back to Blog
Launch6 min read

The Complete Vibe Coding Production Checklist: From Prototype to Live Product

A five-phase checklist for taking any vibe-coded app from prototype to production. Covers security, reliability, code quality, deployment, and launch readiness — with links to tool-specific guides.

Share:

You've built your app with an AI coding tool. It works. It looks good. Now you want real users on it. The problem is that every AI tool — Lovable, Bolt, Cursor, Replit, v0 — optimises for getting you to a working prototype. None of them optimise for production.

This checklist covers the five phases between "it works" and "it's ready for real users." Work through them in order. Each phase builds on the one before it.

Phase 1: Security

Security gaps are the highest-risk issues in vibe-coded apps. Fix these first, before anything else.

  • [ ] No secrets in client-side code — API keys, database URLs, and tokens must be server-side only. The only acceptable client-side keys are public keys explicitly designed for browser use (like Supabase's anon key).
  • [ ] Input validation on every endpoint — Every form, every API route, every server action that accepts user input must validate it. Client-side validation is for UX. Server-side validation is for security.
  • [ ] Authentication on protected routes — Verify that every page and API route that should be behind auth actually requires a valid session. AI tools frequently miss routes.
  • [ ] Row Level Security enabled (if using Supabase) — Ensure every table has RLS policies that restrict access by auth.uid(). This is the most common security mistake in Lovable apps and affects other tools too.
  • [ ] HTTPS enforced — No HTTP access. All traffic encrypted.
  • [ ] Security headers configured — Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options at minimum.
  • [ ] Rate limiting on public endpoints — Authentication routes, form submissions, and any public API must have rate limits to prevent abuse.

For a deeper security review, use our 15-point security checklist.

Phase 2: Reliability

A working prototype handles one user on a good day. Production handles many users on bad days.

  • [ ] Error boundaries installed — A single component failure shouldn't crash the entire app. Wrap major UI sections in error boundaries.
  • [ ] Error monitoring configured — Install Sentry or equivalent. Get alerted when errors happen in production, not when users complain.
  • [ ] Loading and empty states — Every data fetch needs a loading state. Every list needs an empty state. AI tools almost always skip these.
  • [ ] Session expiry handled — What happens when a user's auth token expires mid-session? If the answer is "the app breaks," fix it.
  • [ ] Database queries optimised — Add indexes on frequently queried columns. Add pagination to list endpoints. Use connection pooling.
  • [ ] No SQLite in production — If your Replit or Bolt app uses SQLite, migrate to PostgreSQL before launch. SQLite can't handle concurrent writes.
  • [ ] Graceful degradation — If a third-party service goes down (analytics, email, payment provider), the core app should keep working.

To understand why AI-generated apps crash, read why your AI-generated app keeps crashing.

Phase 3: Code Quality

You don't need perfect code, but you do need code you can safely modify without breaking things.

  • [ ] TypeScript strict mode enabled — Turn on strict: true in tsconfig.json. Fix the resulting errors. Each one is a potential runtime bug.
  • [ ] No any types on boundaries — Remove any from API responses, form inputs, and database queries. These are where type safety matters most.
  • [ ] Tests on critical paths — Authentication, payments, and data mutations need test coverage. You don't need 100% coverage. You need confidence that the important things work.
  • [ ] Dead code removed — AI tools generate code they later don't use. Remove unused components, functions, and imports.
  • [ ] Consistent patterns — Pick one way to do data fetching, error handling, and validation. Apply it everywhere. AI tools often use different patterns in different parts of the same app.
  • [ ] Dependencies audited — Run npm audit. Update any packages with known vulnerabilities. Remove packages you're not actually using.

For a look at specific issues in Cursor-generated code, read what a senior dev finds in Cursor code.

Phase 4: Deployment

Don't deploy by copying files or running commands manually. Set up a proper pipeline.

  • [ ] Code in version control — Git repository on GitHub, GitLab, or Bitbucket. Not just on Replit or in a StackBlitz sandbox.
  • [ ] CI/CD pipeline configured — Every push runs lint, type-check, and tests. Passing CI triggers deployment automatically.
  • [ ] Environment variables configured — All secrets set in your hosting provider's dashboard. Nothing hardcoded. Different values for staging and production.
  • [ ] Preview deployments enabled — Every pull request gets its own URL for testing before merging.
  • [ ] Hosting provider chosen — Vercel for Next.js, Railway for Node.js/Express, Fly.io for custom setups. Match the host to your stack.
  • [ ] Custom domain connected — With HTTPS enforced and DNS properly configured.
  • [ ] Database backups — Automated backups on a schedule. Test that you can actually restore from them.

Tool-specific deployment guides

Each AI tool has unique deployment considerations. Follow the guide for your tool:

Phase 5: Launch Readiness

The technical work is done. Now make sure the product is ready for actual humans.

  • [ ] Tested on real devices — Open the app on a real phone, not just browser dev tools. Test every flow: sign up, core features, settings, payment (if applicable), log out.
  • [ ] Analytics installed — Track page views, sign-up conversion, key feature usage, and error rates from day one.
  • [ ] SEO basics configured — Title tags, meta descriptions, Open Graph images, canonical URLs, sitemap.
  • [ ] Performance acceptable — Core Web Vitals passing. Page loads under 3 seconds on mobile. No layout shifts.
  • [ ] Legal pages in place — Privacy policy and terms of service. Required by law if you collect any user data.
  • [ ] Feedback channel available — Users need a way to report bugs and request features. Even a simple email address works.

For advice on launching effectively, read how to launch your AI-built app on Product Hunt.

The reality

Most vibe-coded apps need 1-3 weeks of focused hardening work before they're genuinely ready for production. The gap between "it works" and "it's production-ready" is predictable and fixable — but it's real, and skipping it leads to the crashes, security incidents, and user complaints that give AI-built apps a bad reputation.

If you want to check whether your specific app is production-ready, request a free audit. We'll review your app and give you a prioritised list of exactly what needs fixing before launch.

Get articles like this in your inbox

Practical tips on shipping vibe-coded apps. No spam.

Keep reading

4 min readIs Your AI-Built App Production Ready? The 15-Point Checklist5 min readHow to Launch Your AI-Built App on Product Hunt

Want to know where your app stands?

Get a free 5-point security snapshot from our dev team — no strings attached.

Get Free Audit →Book a Call