Is Your Vibe-Coded App Actually Production-Ready? A Checklist
What the vendors actually admit
Lovable's security documentation tells users that its built-in scanners "do not replace a thorough security review" and that the user is responsible for ensuring the app meets security requirements appropriate to its use case (docs.lovable.dev/features/security, accessed July 2026). Lovable's terms of service go further: the platform and all AI output are provided "as is", with no warranty of accuracy, reliability or fitness for purpose (lovable.dev/terms).
Other vibe-coding platforms carry equivalent disclaimers. The pattern is the same across the category: the tool helps you build, but production readiness is the responsibility of the person who deploys the code, not the platform that generated it.
The distinction matters because most founders treat a working demo as a green light. A working demo means the features function. Production-ready means the app can handle real users, real data, real money and real failure without losing any of them.
The nine checks
These categories appear repeatedly across Google SRE, AWS Well-Architected, OWASP ASVS Level 1, Cyber Essentials and UK GDPR. The convergence is what makes them defensible. No single vendor invented the list.
Authentication and access. Log in as one user, then change a URL parameter or API request so that it references another user's record (the classic insecure direct object reference test). AI-generated code frequently creates routes that check for a valid session but never check, at the API layer, that the caller is allowed to see the specific record requested. If you can see data that belongs to someone else, the app is not production-ready. Full stop.
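The check above, as an added example that is not from the article or any vibe-coding platform: an API route reduced to plain functions with a constructed in-memory store, the session-only version beside the version that also checks ownership, and a helper that automates the "change the id to someone else's record" test across every user and record.

```javascript
// Constructed sample data standing in for the app's database table.
const records = new Map([
  [101, { ownerId: "alice", body: "alice's invoice" }],
  [202, { ownerId: "bob", body: "bob's invoice" }],
  [303, { ownerId: "bob", body: "bob's address" }],
]);
const users = ["alice", "bob"];

// Typical generated handler: a valid session is enough, the record id is trusted.
function getRecordInsecure(session, recordId) {
  if (!session) return { status: 401 };
  const rec = records.get(recordId);
  if (!rec) return { status: 404 };
  return { status: 200, body: rec.body };
}

// Hardened handler: object-level authorisation on every route that returns data.
// Returning 404 rather than 403 avoids confirming that another user's record exists.
function getRecordSecure(session, recordId) {
  if (!session) return { status: 401 };
  const rec = records.get(recordId);
  if (!rec || rec.ownerId !== session.userId) return { status: 404 };
  return { status: 200, body: rec.body };
}

// The manual check from the checklist: log in as alice, fetch her own record,
// then swap the id for bob's. Passes only if own data is visible and bob's is not.
function idorCheck(handler) {
  const alice = { userId: "alice" };
  const own = handler(alice, 101);
  const other = handler(alice, 202);
  return own.status === 200 && other.status !== 200;
}

// Generalised version: try every user against every record and list each
// (user, recordId) pair where data belonging to someone else came back.
function findLeaks(handler) {
  const leaks = [];
  for (const userId of users) {
    for (const [recordId, rec] of records) {
      const res = handler({ userId }, recordId);
      if (res.status === 200 && rec.ownerId !== userId) leaks.push({ userId, recordId });
    }
  }
  return leaks;
}

console.log("insecure handler passes:", idorCheck(getRecordInsecure)); // false
console.log("secure handler passes:", idorCheck(getRecordSecure)); // true
console.log("leaks in insecure handler:", findLeaks(getRecordInsecure).length); // 3
```

Run the same loop against the real API with one session cookie per test user; any non-empty leak list is a blocker for launch.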
Data protection and privacy. UK GDPR Article 25 requires data protection by design before processing begins. You need a lawful basis for every category of personal data you collect, a privacy policy that matches your actual data flows, and a cookie consent mechanism that satisfies PECR. The ICO does not exempt small apps or early-stage products from any of this.
Backups and recovery. Restore from a backup. If you have never done this, or you have no automated backups, stop here. Supabase's free tier does not include point-in-time recovery. A single bad migration can destroy production data with no way back.
Monitoring and error tracking. If the app throws an error at 3am on a Saturday, how does anyone find out? Production applications need error tracking (Sentry, Bugsnag or equivalent), uptime monitoring and alerting. Without them, your first sign of trouble is a customer complaint or a social media post.
Performance under load. Test with ten concurrent users performing the same action. AI-generated code rarely includes rate limiting, connection pooling or query optimisation. A single slow database query under concurrent load can bring down the entire application. We covered the specific security failures AI tools leave behind in a previous article; the performance gaps are just as consistent.
Payment handling. Stripe charges a flat £20 per dispute in the UK, non-refundable regardless of outcome (Stripe UK pricing, 2026). A second £20 applies if you contest the chargeback, refundable only if you win. Exceed the card schemes' chargeback thresholds (Visa's current VAMP limit is 1.5%, effective April 2026) and your account enters a monitoring programme that can end in termination. Webhook handling, failed-payment retry logic and clear refund flows need to be working before you take a single live payment.
Deployment and rollback. Can you return to yesterday's working version in under five minutes? AI-generated projects often deploy from a single branch with no rollback mechanism. One bad deployment with no way back means downtime until you fix forward, live, under pressure.
Code and account ownership. Do you personally control the domain, the hosting account, the source code repository, the database credentials and the DNS records? If any of these sit in someone else's account, or in the AI tool's default hosting, you have a single point of dependency that you cannot survive losing.
Legal pages and compliance. Terms of service, a privacy policy, a cookie policy and a cancellation or refund policy are legal requirements for a UK business taking online payments. They need to be linked from every page and written to reflect what the app actually does, not copied from a template for a different product.
What skipping these costs
The DSIT Cyber Security Breaches Survey 2025/2026, published 30 April 2026, found that 43% of UK businesses experienced a cyber breach or attack in the previous twelve months (DSIT and Home Office, fieldwork August to December 2025). The ICO enforces a 72-hour breach notification window under UK GDPR; missing it is a separate compliance failure on top of whatever caused the breach.
Stripe's dispute fees eat margin on every chargeback. Card-scheme monitoring programmes can terminate your ability to accept payments entirely. IBM's Cost of a Data Breach Report 2025 UK edition puts the average breach cost for UK organisations at £3.29 million (Ponemon Institute, published July 2025, 47 UK organisations). That figure reflects larger companies, but the proportional impact on a startup running £10k in monthly revenue is worse, not better.
Every item on this checklist is cheaper to address before launch than to retrofit after a breach, a chargeback dispute or a customer data exposure. The cost of fixing a vibe-coded MVP climbs with every week a structurally unsound app spends in production. UK agencies that offer production-readiness reviews typically charge between £300 and £5,000 for the assessment alone.
Founders who can answer all nine checks positively are ready to launch. Most cannot, and the gaps tell you exactly what kind of help you need: a focused remediation if the structure is sound, or a Platform Discovery Sprint to scope a proper build if it is not. Either way, the checklist gives you an honest answer before your customers give you one.
Stuck in the fix-break-fix loop?
Starts with a free assessment call · Discovery Sprint £4,500 · Full rebuilds from £25,000
Prefer email? hello@rockingtech.co.uk