2 July 2026 · Platform Rescue · 4 min read

Is Your Vibe-Coded App Actually Production-Ready? A Checklist

Four engineering frameworks and UK data law agree on what 'production-ready' means. Lovable's own documentation says their tools don't replace a security review. Here are the nine checks most vibe-coded apps skip.
Google's SRE handbook, the AWS Well-Architected Framework, the OWASP Application Security Verification Standard and the Twelve-Factor App were written by different organisations, in different years, for different audiences. They converge on almost identical production-readiness categories: authentication, data protection, backups, monitoring, load handling, deployment, ownership and compliance. A vibe-coded app typically handles one or two of these. Production requires all of them. The tools that built your app won't check the rest, and their own terms of service say so explicitly.

What the vendors actually admit

Lovable's security documentation tells users that its built-in scanners "do not replace a thorough security review" and that the user is responsible for ensuring the app meets security requirements appropriate to its use case (docs.lovable.dev/features/security, accessed July 2026). Lovable's terms of service go further: the platform and all AI output are provided "as is", with no warranty of accuracy, reliability or fitness for purpose (lovable.dev/terms).

Other vibe-coding platforms carry equivalent disclaimers. The pattern is the same across the category: the tool helps you build, but production readiness is the responsibility of the person who deploys the code, not the platform that generated it.

The distinction matters because most founders treat a working demo as a green light. A working demo means the features function. Production-ready means the app can handle real users, real data, real money and real failure without losing any of them.


The nine checks

These categories appear repeatedly across Google SRE, AWS Well-Architected, OWASP ASVS Level 1, Cyber Essentials and UK GDPR. The convergence is what makes them defensible. No single vendor invented the list.

Authentication and access. Log in as one user, then change a URL parameter or API request to reference another user's record. AI-generated code frequently creates routes without access control at the API layer. If you can see data that belongs to someone else, the app is not production-ready. Full stop.
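The "change the id in the request" check from this item, as an added example that is not from the article or any platform's code. Everything in it is constructed: an in-memory invoice table, two made-up users, and a vulnerable handler beside a hardened one.

```javascript
// Constructed in-memory table standing in for the app's database.
const invoices = new Map([
  [101, { id: 101, ownerId: "user-a", amount: 1200 }],
  [102, { id: 102, ownerId: "user-b", amount: 80 }],
]);

// Vulnerable pattern: the handler trusts the id from the URL and never
// compares the row's owner to the caller. Any logged-in user can read any row.
function getInvoiceUnchecked(session, invoiceId) {
  const row = invoices.get(invoiceId);
  return row ? { status: 200, body: row } : { status: 404, body: null };
}

// Hardened pattern: require a session, then scope the lookup to the caller.
// Returning 404 rather than 403 avoids confirming that someone else's row exists.
function getInvoiceScoped(session, invoiceId) {
  if (!session || !session.userId) return { status: 401, body: null };
  const row = invoices.get(invoiceId);
  if (!row || row.ownerId !== session.userId) return { status: 404, body: null };
  return { status: 200, body: row };
}

// The checklist test, automated: log in as user A, request user B's record,
// and report a leak if anything owned by B comes back.
function idorCheck(handler) {
  const sessionA = { userId: "user-a" };
  const res = handler(sessionA, 102);
  const leaked = res.status === 200 && res.body !== null && res.body.ownerId !== sessionA.userId;
  return { leaked, status: res.status };
}

console.log("unchecked handler:", idorCheck(getInvoiceUnchecked)); // leaked: true
console.log("scoped handler:   ", idorCheck(getInvoiceScoped));    // leaked: false
```

Run the same check against every route that takes a record id; one unscoped lookup is enough to fail the item.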

Data protection and privacy. UK GDPR Article 25 requires data protection by design before processing begins. You need a lawful basis for every category of personal data you collect, a privacy policy that matches your actual data flows, and a cookie consent mechanism that satisfies PECR. The ICO does not exempt small apps or early-stage products from any of this.

Backups and recovery. Restore from a backup. If you have never done this, or you have no automated backups, stop here. Supabase's free tier does not include point-in-time recovery. A single bad migration can destroy production data with no way back.

Monitoring and error tracking. If the app throws an error at 3am on a Saturday, how does anyone find out? Production applications need error tracking (Sentry, Bugsnag or equivalent), uptime monitoring and alerting. Without them, your first sign of trouble is a customer complaint or a social media post.


The tools that built your app disclaim responsibility for its production security. Their own terms say so.

Performance under load. Test with ten concurrent users performing the same action. AI-generated code rarely includes rate limiting, connection pooling or query optimisation. A single slow database query under concurrent load can bring down the entire application. We covered the specific security failures AI tools leave behind in a previous article; the performance gaps are just as consistent.

Payment handling. Stripe charges a flat £20 per dispute in the UK, non-refundable regardless of outcome (Stripe UK pricing, 2026). A second £20 applies if you contest the chargeback, refundable only if you win. Exceed the card schemes' chargeback thresholds (Visa's current VAMP limit is 1.5%, effective April 2026) and your account enters a monitoring programme that can end in termination. Webhook handling, failed-payment retry logic and clear refund flows need to be working before you take a single live payment.


[Infographic] The Production Readiness Gap: five items vibe-coding tools handle (UI components, feature logic, basic routing, database schema, preview deployment) versus nine production requirements, each tagged to a framework or regulation (OWASP, UK GDPR Art 25, AWS Well-Architected, Google SRE, Twelve-Factor, Stripe and PCI, ICO and PECR). Rocking Tech data infographic.

Deployment and rollback. Can you return to yesterday's working version in under five minutes? AI-generated projects often deploy from a single branch with no rollback mechanism. One bad deployment with no way back means downtime until you fix forward, live, under pressure.

Code and account ownership. Do you personally control the domain, the hosting account, the source code repository, the database credentials and the DNS records? If any of these sit in someone else's account, or in the AI tool's default hosting, you have a single point of dependency that you cannot survive losing.

Legal pages and compliance. Terms of service, a privacy policy, a cookie policy and a cancellation or refund policy are legal requirements for a UK business taking online payments. They need to be linked from every page and written to reflect what the app actually does, not copied from a template for a different product.


What skipping these costs

The DSIT Cyber Security Breaches Survey 2025/2026, published 30 April 2026, found that 43% of UK businesses experienced a cyber breach or attack in the previous twelve months (DSIT and Home Office, fieldwork August to December 2025). The ICO enforces a 72-hour breach notification window under UK GDPR; missing it is a separate compliance failure on top of whatever caused the breach.

Stripe's dispute fees eat margin on every chargeback. Card-scheme monitoring programmes can terminate your ability to accept payments entirely. IBM's Cost of a Data Breach Report 2025 UK edition puts the average breach cost for UK organisations at £3.29 million (Ponemon Institute, published July 2025, 47 UK organisations). That figure reflects larger companies, but the proportional impact on a startup running £10k in monthly revenue is worse, not better.

Every item on this checklist is cheaper to address before launch than to retrofit after a breach, a chargeback dispute or a customer data exposure. The cost of fixing a vibe-coded MVP climbs with every week a structurally unsound app spends in production. UK agencies that offer production-readiness reviews typically charge between £300 and £5,000 for the assessment alone.

Founders who can answer all nine checks positively are ready to launch. Most cannot, and the gaps tell you exactly what kind of help you need: a focused remediation if the structure is sound, or a Platform Discovery Sprint to scope a proper build if it is not. Either way, the checklist gives you an honest answer before your customers give you one.

Stuck in the fix-break-fix loop?

Book an app assessment call — 30 minutes, no commitment, no judgement.
We’ll discuss your app, confirm whether it’s worth investing further, and give you a straight answer about what you’re dealing with.

Starts with a free assessment call · Discovery Sprint £4,500 · Full rebuilds from £25,000

Prefer email? hello@rockingtech.co.uk