Updated May 1, 2026
Move an AI-generated prototype to production
A production checklist for teams taking Lovable, Bolt.new, Replit Agent, or v0 output into a real codebase.
An AI-generated prototype becomes production software only after ownership changes. The code has to move from “the tool made a demo” to “the team can explain, test, deploy, and recover it.” That handoff is where many vibe-coded apps break.
Move The Code Into A Real Repo
Export the project or copy the useful parts into a repository your team controls. Then do a clean install from scratch. Do not trust the tool’s preview environment as proof that the project is reproducible.
Check these items first:
- Package manager and lockfile.
- Framework version and runtime version.
- Environment variable names and which ones are server-only.
- Generated files that should be deleted.
- Placeholder secrets, demo accounts, and fake webhook URLs.
- Deployment target and required build command.
Write a short README section before adding features. Future maintainers need to know how to run, test, seed, and deploy the app.
Map The Architecture
Create a one-page map of the app before hardening it:
| Area | Questions to answer |
|---|---|
| Auth | Which provider, how sessions work, where protected routes are enforced |
| Data | Main tables, tenant boundaries, deletion rules, indexes |
| API | Server routes, validation, error handling, rate limits |
| Billing | Webhook verification, plan state, failed-payment behavior |
| Jobs | Background work, retries, idempotency |
| Client | Loading states, empty states, error states, accessibility |
Ask Codex or Claude Code to produce the first architecture map, then verify it manually against the code. The map is not documentation theater; it is the checklist for what must be made safe.
Harden The Paths That Can Hurt Users
Start with signup, login, permissions, billing, data writes, and destructive actions. For each path, add tests for success and failure. Generated apps often have a smooth happy path and weak rejection behavior.
Minimum tests:
- A user cannot read another tenant’s records.
- Protected routes reject logged-out users on the server.
- Paid features come from verified billing state, not client redirects.
- Webhooks verify signatures and are safe to retry.
- Dangerous actions require the right role.
- User input is validated server-side.
Add Operations Before Launch
Production needs recovery paths:
- Error monitoring.
- Structured logs for auth, billing, and admin actions.
- Database backups and restore practice.
- Dependency scanning.
- Secret rotation.
- Rate limits for expensive or sensitive endpoints.
- A rollback plan.
Keep the first launch small. If real customers, payments, or private data are involved, get a human security review before broad release.