Guide

Vibe Coding to Production: Why 45% of AI-Built Apps Fail (And How to Fix Yours)

The complete guide to taking vibe-coded apps from prototype to production, covering security gaps, the 15-point checklist, cost comparisons, and the vibe-then-harden workflow used by professional teams.

A developer auditing AI-generated code from Lovable, Bolt.new, and v0 with security scanning tools and architecture diagrams visible.
Apr 10, 2026 | Vibe Coding, AI Code, Production Deployment, Security, Startups

Introduction

Andrej Karpathy coined the term "vibe coding" in February 2025. By the end of that year, Collins Dictionary named it Word of the Year. The idea is simple: instead of writing code line by line, you describe what you want in plain English, and an AI generates it. Lovable does this. So does Bolt.new, v0.dev, Cursor, and a dozen others.
The market is massive. Vibe coding hit $4.7 billion in 2026 and is projected to reach $12.3 billion by 2027 at a 38% CAGR (Second Talent). Lovable alone has 8 million users and hit $400 million ARR. Bolt.new reached $40 million ARR in 4.5 months. These tools work, for prototypes.
Then people ship them. And that's where the trouble starts. According to the 2025 Stack Overflow Developer Survey, 84% of developers now use AI coding tools, but only 29% trust the accuracy of the output. The gap between adoption and trust exists because vibe-coded apps break in production in predictable, fixable, expensive ways.
This guide covers everything the team at Geminate Solutions has learned auditing vibe-coded apps for clients across Lovable, Bolt.new, v0, and Cursor. You'll find the 15-point production checklist, the cost breakdown of fixing versus rebuilding, the vibe-then-harden workflow that saves 60 to 70 percent of rebuild cost, and a decision framework for when to bring in professional help.
● QUICK ANSWER

Is vibe coding production ready? Not by default. 45% of AI-generated code fails security tests (Veracode 2025). 84% of developers use AI tools but only 29% trust the output. Every vibe-coded app needs 15 specific production fixes before launch.

  • The gap: AI tools (Lovable, Bolt.new, v0, Cursor) nail the first 80%, the demo. The last 20% (security, scale, edge cases) breaks in production.
  • The security problem: 100% of tested vibe-coded apps lacked CSRF protection. 8-12 distinct vulnerabilities per app is typical.
  • The fix: the "vibe-then-harden" workflow: build with AI, harden with engineers. Costs 60-70% less than rebuilding. $8K-$20K for a standard SaaS MVP.
> The five biggest gaps in vibe-coded apps: missing CSRF protection (100% of tested apps), exposed API keys in client code, no server-side input validation, weak session management, and zero security headers (CSO Online, December 2025). Fix these five and you prevent about 80% of production incidents.

What Is Vibe Coding and Why Does It Fail in Production?

Vibe coding is the practice of building software through natural language prompts instead of writing code manually. Karpathy's original tweet described it as "fully giving in to the vibes, embracing exponentials, and forgetting that the code even exists." That's a great description of prototyping. It's a terrible description of production engineering.
The fundamental problem is what we call the 80/20 wall. AI tools handle the first 80% of software brilliantly: the happy path, the demo flow, the pretty UI. The last 20% is where projects die: edge cases, security, performance under load, integrations with real third-party APIs, error handling, observability, deployment pipelines. That last 20% requires exactly the engineering skills these tools promised you wouldn't need.
Veracode's 2025 GenAI Code Security Report tested over 100 LLMs on 80 coding tasks. 45% of generated code failed security tests. Java apps failed at 72%. XSS-secure code was generated only 12 to 13 percent of the time. This is the state of the art, not the worst case.
CodeRabbit's December 2025 analysis of 470 GitHub pull requests found AI-written code produces 1.7x more issues overall, 75% more logic errors, and 8x more performance issues than human-written code. Nearly 3 in 10 merges to main fail at high-adoption teams. Review times have jumped 91% at those same teams.
There's also a trust paradox. Per the 2025 Stack Overflow Developer Survey, positive AI favorability among developers dropped from 72% to 60% year over year. 46% of developers now actively distrust AI output. 66% say they spend MORE time fixing AI-generated code than they save. 45% cite 'almost right but not quite' as their number one frustration.
None of this means vibe coding is useless. It means vibe coding is a prototyping tool being used as a production tool, and the mismatch is expensive. The fix isn't to stop using AI. The fix is to use AI for what it's good at (rapid iteration) and bring in real engineering for the production pass.

Which Vibe Coding Tools Are People Using, and Where Do They Break?

Four tools dominate the vibe coding landscape in 2026: Lovable, Bolt.new, v0.dev, and Cursor. Each has different strengths and each breaks differently in production. Understanding the failure modes of the tool you used matters because the hardening checklist shifts slightly based on what was generated and how.
Lovable (8 million users, $6.6B valuation). Generates React plus Next.js apps backed by Supabase. Best for SaaS dashboards, marketplaces, and CRUD apps. Breaks on: Supabase RLS misconfiguration, exposed client-side keys, missing error boundaries, and database queries without indexes. See our Lovable to production guide for the complete hardening checklist.
Bolt.new ($40M ARR in 4.5 months). Supports Next.js, React, Vue, Svelte, Astro, and Remix. More framework flexibility than Lovable. Breaks on: context loss after 15 to 20 components, token drain during debugging (one developer spent $1,000 fixing a single auth bug), and the same CSRF and security header gaps. See our Bolt.new to production guide for the migration walkthrough.
v0.dev (frontend only). Generates React and Tailwind components. Does not generate applications, no routing, no state management, no API layer, no backend. Users report that v0 handles "maybe 30% of the work" and declining output quality through late 2025 into 2026 with more hallucinated imports and broken layouts. Locked to React, which means Angular, Vue, and Svelte users are shut out.
Cursor (coding assistant, not a generator). Used by developers who still write code but want AI autocomplete and refactoring help. A CMU study published in MSR 2026 found Cursor increases short-term velocity but causes a persistent increase in static analysis warnings and code complexity. A METR study found AI tooling actually slowed experienced developers by 19% on end-to-end tasks despite making them feel faster.
The common failure modes across all four tools: AI doesn't understand your business logic for access control. AI doesn't write tests unless you beg. AI doesn't configure CI/CD. AI doesn't set up monitoring. AI doesn't know your specific compliance requirements. AI can't debug its own regressions past a certain codebase size. Every tool in this list has the same blind spots.

What Are the Top 5 Security Gaps in AI-Generated Code?

The Tenzai December 2025 study tested 15 apps built by the top 5 AI coding tools: Cursor, Claude Code, Replit, Devin, and Codex. They found 69 distinct vulnerabilities. 100% of apps lacked CSRF protection. Zero set security headers. Every single app introduced Server Side Request Forgery vulnerabilities. These numbers repeat across tools and across tests.
Gap 1: Missing CSRF protection. Cross-Site Request Forgery lets an attacker trick a logged-in user into making unintended state-changing requests. AI tools rarely generate CSRF tokens because they're not visible in the demo. Fix: use middleware like csrf-csrf for Node or Next.js's built-in CSRF handling.
Gap 2: Exposed API keys in client code. This shows up in almost every audit. An OpenAI key, Stripe key, or Supabase service role key ends up in a client-side bundle. Anyone with browser DevTools can extract it. Fix: move every secret to environment variables and route secret-requiring calls through backend endpoints or edge functions.
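The audit step here can be automated. The following is an added example (not from the original article) of a scanner run over a built client bundle: it flags Stripe secret keys and OpenAI keys by prefix, and decodes any JWT it finds so it can tell a Supabase anon key (fine in the browser) from a service_role key (never fine). The bundle text and every key in it are constructed for the example.

```javascript
// Detection, not exploitation: find secrets that must never ship in a browser bundle.
const SECRET_PATTERNS = [
  // Stripe secret keys (sk_live_/sk_test_). Publishable pk_ keys are meant for the client.
  { type: 'stripe_secret_key', re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/g },
  // OpenAI API keys ("sk-", project keys "sk-proj-") belong on the server only.
  { type: 'openai_api_key', re: /\bsk-(?:proj-)?[0-9A-Za-z_-]{20,}\b/g },
  // Any JWT; decoded below to separate a Supabase anon key from a service_role key.
  { type: 'jwt', re: /\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+/g },
];

function decodeJwtPayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
  } catch {
    return null; // not a JWT we can read; ignore
  }
}

// Show only enough of a match to locate it; never log the full secret.
function redact(value) {
  return `${value.slice(0, 8)}...${value.slice(-4)}`;
}

function scanBundle(text) {
  const findings = [];
  for (const { type, re } of SECRET_PATTERNS) {
    for (const match of text.matchAll(re)) {
      const value = match[0];
      if (type === 'jwt') {
        // Supabase issues two JWTs: the anon key (safe in the client, gated by RLS)
        // and the service_role key, which bypasses RLS and must stay server-side.
        const claims = decodeJwtPayload(value);
        if (!claims || claims.role !== 'service_role') continue;
        findings.push({ type: 'supabase_service_role_key', preview: redact(value), offset: match.index });
      } else {
        findings.push({ type, preview: redact(value), offset: match.index });
      }
    }
  }
  return findings;
}

// Constructed sample JWT (unsigned, for this example only) and a constructed bundle
// that looks like what an AI tool emits after "just make it work".
function fakeJwt(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}.constructedsignature`;
}

const SAMPLE_BUNDLE = [
  `const supabase = createClient(SUPABASE_URL, "${fakeJwt({ iss: 'supabase', role: 'anon' })}");`,
  `const admin = createClient(SUPABASE_URL, "${fakeJwt({ iss: 'supabase', role: 'service_role' })}");`,
  `const stripe = loadStripe("pk_test_${'A'.repeat(24)}");`,
  `const STRIPE_SECRET = "sk_test_${'B'.repeat(24)}";`,
  `fetch(OPENAI_URL, { headers: { Authorization: "Bearer sk-proj-${'C'.repeat(40)}" } });`,
].join('\n');
```

Run scanBundle over the contents of every file in your build output directory; anything it reports has to be rotated (assume it is already compromised) and moved behind a backend endpoint or edge function.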
Gap 3: No server-side input validation. AI tools generate client-side form validation for UX but skip server-side validation for security. Users bypass the frontend easily. Fix: use a schema library like Zod, Yup, or Valibot. Validate every incoming request on the backend. Reject anything that doesn't match your schema.
Gap 4: Weak authentication and session management. Default session tokens often last far longer than they should. Password policies allow short, simple passwords. OAuth redirect URLs include development hostnames. Email verification is optional. Fix: tighten session windows to 1 hour for access tokens and 7 days for refresh. Enforce 10+ character passwords with mixed types. Lock redirect URLs to production domains only.
Gap 5: Missing security headers. Content Security Policy stops XSS. HSTS forces HTTPS. X-Frame-Options prevents clickjacking. X-Content-Type-Options prevents MIME sniffing. AI tools skip all of these. Fix: add them in your framework's config file. It's a 15-minute change that raises the bar significantly.
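As an added example (not from the original article), here are the five headers as a Next.js-style headers() list together with an audit function that checks a response's headers against them, so the "15-minute change" can be verified rather than assumed. The thresholds (a one-year HSTS max-age, no 'unsafe-inline' or 'unsafe-eval' for scripts) are this example's choices.

```javascript
// Baseline set for next.config.js:
//   async headers() { return [{ source: '/(.*)', headers: SECURITY_HEADERS }]; }
const SECURITY_HEADERS = [
  { key: 'Content-Security-Policy',
    value: "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" },
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
];

// Return the source list of one CSP directive, or null if it is not present.
function cspDirective(csp, name) {
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] === name) return tokens.slice(1);
  }
  return null;
}

// Audit a response's headers (object of name -> value, any casing) and return
// a list of human-readable findings; an empty list means all five checks pass.
function auditSecurityHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('content-security-policy missing');
  } else {
    // script-src inherits from default-src when absent.
    const script = cspDirective(csp, 'script-src') || cspDirective(csp, 'default-src') || [];
    if (script.some((s) => s === "'unsafe-inline'" || s === "'unsafe-eval'" || s === '*')) {
      findings.push('content-security-policy allows unsafe-inline, unsafe-eval or * for scripts');
    }
  }

  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('strict-transport-security missing');
  else if (!maxAge || Number(maxAge[1]) < 31536000) findings.push('strict-transport-security max-age below one year');

  // frame-ancestors in CSP is the modern replacement for X-Frame-Options; accept either.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const frameAncestors = csp ? cspDirective(csp, 'frame-ancestors') : null;
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !frameAncestors) {
    findings.push('x-frame-options missing (and no CSP frame-ancestors)');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options missing or not nosniff');
  }

  const rp = h['referrer-policy'];
  if (!rp) findings.push('referrer-policy missing');
  else if (/unsafe-url/i.test(rp)) findings.push('referrer-policy unsafe-url leaks full URLs to third parties');

  return findings;
}

// Convenience: turn the Next.js-style list into the object shape the audit expects.
function headersAsObject(list) {
  return Object.fromEntries(list.map(({ key, value }) => [key, value]));
}
```

Point auditSecurityHeaders at the headers of a real response from your deployed app (for example from a fetch in a CI step) and fail the pipeline on any finding.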
Beyond these five, the team at Geminate Solutions has seen SSRF vulnerabilities in URL preview features, insecure direct object references in multi-tenant apps, missing rate limiting that lets a single script exhaust third-party API quotas, and logging configurations that leak PII into observability platforms. A comprehensive AI code audit typically finds 8 to 12 distinct issues, none catastrophic on their own, but collectively enough to sink the app under real attack.

What's the 15-Point Production Readiness Checklist for Any Vibe-Coded App?

According to Gartner, 40% of AI projects face cancellation by 2027 due to escalating costs and technical debt. 75% of tech decision-makers will face moderate-to-severe tech debt by 2026 (InfoQ). The checklist below is what the team at Geminate Solutions runs on every vibe-coded app we harden for clients, regardless of which tool built it.
1. Export to a real repository. Get the code out of the AI platform's sandbox. Push to GitHub or GitLab. This alone gives you version control, branching, and freedom from token billing.
2. Audit and rotate all secrets. Search for hardcoded keys and tokens. Rotate anything that was ever in client code (assume it's compromised). Move everything to environment variables.
3. Add CSRF protection. Every state-changing endpoint needs a CSRF token. Non-negotiable for apps with authentication.
4. Set security headers. CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Configure in your framework's config.
5. Implement server-side input validation. Use Zod, Yup, or Valibot. Never trust the client. Validate every request.
6. Add rate limiting. Cap requests per IP and per user. Upstash Redis, Vercel Rate Limit, or a middleware layer all work.
7. Configure proper error boundaries. Users should never see a blank screen or a stack trace. Wrap route components in error boundaries with fallback UI.
8. Tighten authentication. Session expiration, password policies, OAuth redirect locks, email verification, MFA for sensitive apps.
9. Review database access control. If you're using Supabase, check RLS on every table. If you're using custom APIs, audit every endpoint for proper authorization.
10. Add database indexes. AI tools don't index queries. Add indexes on columns used in WHERE clauses. The difference between indexed and unindexed queries grows with data volume.
11. Set up monitoring and alerting. Sentry for errors, an uptime monitor, log aggregation for debugging. You need visibility before users become your error reporters.
12. Configure automated backups. Daily database backups at minimum. Test the restore process before you need it.
13. Build a proper CI/CD pipeline. GitHub Actions. Run tests, linting, security scans. Deploy through the pipeline, not through a dashboard button.
14. Add structured logging. Replace console.log with Pino, Winston, or similar. You'll need searchable logs when something breaks at 2 AM.
15. Write a runbook. Document how to roll back, where logs live, who to contact when things break, and what to do in a security incident. Your future self will thank you.
If you can only do five items before launch, do items 1 through 5: export, secrets, CSRF, security headers, and server-side validation. Those five prevent about 75% of the incidents we see in vibe-coded apps.

How Much Does It Cost to Fix vs. Rebuild a Vibe-Coded App?

BuildMVPFast estimates over 8,000 startups currently need full or partial rebuilds of AI-generated code, with individual project costs running $50,000 to $500,000. Total industry cleanup is estimated at $400 million to $4 billion. These aren't abstract numbers. This is what vibe coding costs when you don't harden early.
The single most important cost insight: fixing gets dramatically more expensive the longer you wait. Here's the breakdown from real client engagements the team at Geminate Solutions has handled over the past year.
Stage 1: Fix at prototype (pre-launch). Cost: $5,000 to $10,000. Timeline: 1 to 2 weeks. What happens: a standard hardening pass covering the 15-point checklist. No user data at risk yet. No downtime. Cheapest possible option.
Stage 2: Fix at early traction (100 to 1,000 users). Cost: $10,000 to $20,000. Timeline: 2 to 4 weeks. What happens: hardening plus database migration if you had schema issues, plus data backfill if validation was missing. Technical debt has started to compound but is still manageable.
Stage 3: Fix after a security incident. Cost: $25,000 to $50,000. Timeline: 4 to 8 weeks. What happens: everything in Stage 2 plus incident response, forensic review, user notifications, potential legal fees, and trust recovery. You can't un-leak data.
Stage 4: Full rebuild after scaling failure. Cost: $65,000 to $100,000 or more. Timeline: 3 to 6 months. What happens: start over. New architecture, new codebase, data migration from the broken app. This is what happens when fixing isn't an option anymore.
The cost curve is exponential, not linear. A $5,000 prototype fix becomes a $50,000 incident response in weeks, not months. We've seen this pattern play out across every vibe coding tool. The team at Geminate Solutions has also found that rebuilds are rarely necessary: in our experience, 85% of vibe-coded apps can be hardened rather than rebuilt, saving 60 to 70 percent of the cost.
For a deeper breakdown with platform-specific cost comparisons, see our real cost of vibe coding guide.

What Is the Vibe-Then-Harden Workflow?

Vibe-then-harden is the workflow the team at Geminate Solutions uses for clients who want to move fast without eating the production tax. The premise is simple: use AI tools for what they're good at, then bring in humans for what they're bad at. Split the work along its natural seam instead of pretending one tool can do both.
Phase 1: Build with vibe coding. Use Lovable, Bolt.new, or v0 to generate the initial app. Prioritize speed and iteration. Don't worry about security, tests, or architecture at this stage. The goal is to validate the idea, not ship a production system.
Phase 2: Get user feedback. Put the prototype in front of 5 to 20 real users. Watch what breaks. Watch what they ignore. Watch what they demand. Most vibe-coded apps fail here, not because of code quality, but because the product isn't what users wanted. Finding this out before hardening saves thousands.
Phase 3: Harden with professional engineering. Once the idea is validated, bring in experienced developers for the production pass. Run the 15-point checklist. Add tests. Set up CI/CD. Migrate off the vibe coding platform's hosting if needed. This typically takes 2 to 4 weeks for a standard app.
Phase 4: Scale with real engineering. From this point on, new features get built with the normal software development lifecycle. You might still use AI autocomplete via Cursor. You won't use AI to generate entire features unsupervised.
Why this approach costs 60 to 70 percent less than rebuilding: you keep the validated product. You keep the working data model. You keep the UI patterns users already understand. Hardening adds discipline without throwing away the work. Rebuilding means starting over: new code, new bugs, new onboarding, months of lost momentum.
The team at Geminate Solutions has run this workflow on dozens of projects across Lovable, Bolt.new, and Cursor. The pattern holds: fast initial iteration, real user feedback, disciplined hardening, then normal scaling. Our custom development team handles the hardening phase end to end. AI integration services cover apps that need additional AI features added safely.

When Does a Vibe-Coded App Need Professional Help?

There are five trigger events we consistently see that move founders from "I'll fix it myself" to "I need help now." Recognizing these triggers early saves weeks of frustration and thousands of dollars.
Trigger 1: First paying customer. Real users with real money change the stakes. If the app breaks, you lose revenue and reputation. This is the cheapest time to harden, before the incident happens.
Trigger 2: Investor due diligence. A VC's technical advisor asks to review your codebase. They find 14 issues in 30 minutes. You need those fixed before the term sheet. Timeline pressure is high, scope is clear, budget is available.
Trigger 3: Security incident or data exposure. Somebody finds a hole. User data was exposed. Maybe it made the news. Now you're responding to an incident and hardening simultaneously. Most expensive moment to fix.
Trigger 4: Scaling failure. Product Hunt launch, viral tweet, feature on a podcast. Traffic spikes. The app crashes. You lose 90% of the signups that came in during the spike. This happens because vibe-coded apps don't set up rate limiting, don't add database indexes, and don't optimize for real load.
Trigger 5: Feature wall. You've been fighting the AI for three days on one feature. Payment integration keeps breaking other things. Every prompt introduces a new regression. Your token spend has passed what a developer would charge. This is the moment to stop and bring in help.
You can probably handle it yourself if: Your app has fewer than 5 database tables, serves a single user role, doesn't process payments or sensitive data, and you're comfortable reading code in an IDE. The checklist in this guide will get you 80% of the way there.
You should bring in professional help if: You handle financial transactions or sensitive personal data. You have multiple user roles with different permissions. You need to pass a security audit. You have paying customers whose data matters. Or simply: if you've hit any of the five triggers above.
The gap between a vibe-coded prototype and a production app is real but manageable. You built something valuable in a weekend; the team at Geminate Solutions exists to protect that investment without making you start over. Track record: AI features integrated into 10+ client products and engineering teams delivered across 12 industries. Our hire React developers page covers the team structure. The AI code audit guide covers what we find. For the platform-specific hardening walkthroughs, see Lovable to production, Bolt.new to production, and v0 to production. For the cost breakdown of fixing versus rebuilding, see real cost of vibe coding.
Next step: Book a free 30-minute vibe coding production readiness call with the team at Geminate Solutions. We'll review your Lovable, Bolt.new, v0, or Cursor project live, identify the biggest risks, and give you a clear scope for hardening. No sales pitch, no commitment. Start here →

Frequently Asked Questions

What is vibe coding?
Vibe coding is building software through natural language prompts with AI tools like Lovable, Bolt.new, v0, and Cursor instead of manual coding. Andrej Karpathy coined the term in February 2025. Collins Dictionary named it Word of the Year for 2025.
Is AI-generated code production ready?
Not by default. Veracode's 2025 research found 45% of AI-generated code fails security tests. CodeRabbit analysis of 470 pull requests found AI code produces 1.7x more issues, 75% more logic errors, and 8x more performance issues than human code.
How much does it cost to fix a vibe-coded app?
Fixing at prototype costs $5,000 to $10,000 over 1 to 2 weeks. Fixing after early traction costs $10,000 to $20,000. Post-incident remediation jumps to $25,000 to $50,000. Full rebuilds run $65,000 to $100,000+. Vibe-then-harden saves 60 to 70 percent versus rebuilding.
What are the biggest security gaps in vibe-coded apps?
Tenzai's December 2025 study found 69 vulnerabilities across 15 vibe-coded apps. 100% lacked CSRF protection. Zero apps set security headers. Every app had SSRF vulnerabilities (CSO Online).
Which vibe coding tool is best for production?
None are production-ready by default. Lovable is best for React plus Supabase. Bolt.new supports more frameworks. v0 is frontend-only components. Cursor is a coding assistant. All require hardening before production.
When should I hire developers to fix my AI-built app?
When you handle financial transactions, have paying customers, need a security audit, or have spent more than a week fighting a single bug. The cheapest time to fix a vibe-coded app is before it has users.
What is the vibe-then-harden workflow?
Build prototypes fast with AI tools, validate with real users, then bring in experienced developers for production hardening. This approach costs 60 to 70 percent less than rebuilding while delivering production quality.
How long does it take to make an AI-built app production-ready?
A typical vibe-coded MVP takes 2 to 4 weeks for professional hardening. Complex apps with payments, multiple roles, or real-time features may take 4 to 8 weeks. DIY timelines run 3 to 8 weeks.
Written by YK

CEO and co-founder of Geminate Solutions, a software and product development partner. He has led teams shipping custom web apps, mobile apps, SaaS platforms, and AI products that serve over 250,000 daily active users.
