You prompted your way to a working app. It does the thing. You’re proud of it — you should be. But there’s a gap between “it works on my machine” and “it’s ready for real users.”
Here’s what I check when a founder brings me their vibe-coded project.
1. Secrets aren’t in the code
AI tools love to hardcode API keys. Check your repo for anything that looks like a key, token, or password. Move them to environment variables. If they’ve ever been committed, rotate them — git history remembers.
2. Dependencies aren’t wildly outdated
AI models are trained on older code. Your package.json might reference packages with known vulnerabilities. Run npm audit and actually read the output.
3. Auth isn’t just “it looks like it works”
AI-generated auth often checks the happy path but misses edge cases — expired tokens, role escalation, session fixation. If your app has user accounts, this deserves a careful review.
4. There’s error handling beyond console.log
When something breaks in production, you need to know about it — not your users. Set up proper error boundaries, logging, and ideally an error tracking service.
5. It deploys without you manually doing things
If your deploy process is “SSH into the server and run some commands,” you’re one typo away from downtime. Set up CI/CD — push to main, it goes live.
6. There are actual tests
Not exhaustive coverage — just enough that you know the critical paths work. Can a user sign up? Can they do the main thing? Does the payment flow complete?
7. It handles load beyond you and your friend
AI doesn’t think about performance. Database queries without indexes, N+1 queries, no caching, no CDN. These don’t matter with 2 users. They matter a lot with 200.
8. The infrastructure isn’t comically over-provisioned
That $200/month database you spun up at 2am because the AI suggested it? You probably need the $15 tier. Right-size everything.
9. Someone else could understand the code
If you get hit by a bus (or just want a weekend off), could someone else figure out what’s going on? Clear naming, some structure, a README that isn’t the framework default.
10. It’s actually deployed somewhere with HTTPS
Not localhost. Not an IP address. A real domain with TLS. This is table stakes for user trust.
Most vibe-coded projects need about half of these fixed. The good news: none of them require rewriting your app. They’re all things that can be layered on top of what you’ve already built.
Not sure where your project stands? Book an Intro Call — 30 minutes, €50, and I’ll give you an honest read.
Want help getting your project production-ready?