The Prototype-to-Production Gap Is the Biggest Failure Mode for Vibecoders
A Cursor or Lovable prototype gets you 60–80% of the way to a shipped app. The remaining 20–40% (auth hardening, performance, observability, billing, error handling) is where most vibecoder projects die before launch.
This guide walks through the exact checklist to take a prototype live, in the order it should happen.
What "Prototype" Means in Vibecoder Workflows
A typical Cursor/Lovable prototype includes:
- A working UI with most screens
- A database schema with happy-path CRUD
- Auth that "works on my machine"
- An API that returns the right shape under perfect inputs
- Deploy to a preview URL (Vercel/Netlify default)
What's almost never there:
- Real auth (magic links, OAuth, account recovery, session management)
- Rate limiting and abuse prevention
- Production-grade error handling (no console.log leaks, no PII in logs)
- Email deliverability (transactional + auth emails actually arriving)
- Backup and disaster recovery for the database
- Observability: logs, metrics, alerts
- Billing integration (Stripe webhooks, dunning, proration)
- Legal pages (Privacy, Terms, ToS) and GDPR compliance
The gap is real engineering work. The good news: most of it follows a predictable checklist.
The Production Checklist
| Phase | Hours estimate | Skip impact |
|---|---|---|
| 1. Foundations (hosting, env, db) | 4–8 | App goes down on first traffic spike |
| 2. Auth and security | 8–16 | Account takeover; data breach exposure |
| 3. Performance and reliability | 6–12 | Slow load; abandoned signups |
| 4. Observability | 4–8 | You can't diagnose bugs in production |
| 5. Billing and revenue | 6–12 | Manual invoicing; lost revenue |
| 6. Legal and compliance | 2–4 | Liability exposure |
| Total | 30–60 hours | The difference between launch and abandonment |
Phase 1: Foundations
Before anything else, lock down the infrastructure.
Hosting
- Move off preview URLs. Buy a domain. Connect it via DNS.
- Configure SSL. Vercel/Netlify auto-handles this, but verify the cert renews.
- Set up a staging environment that mirrors production. No more "fixing in prod."
Environment variables
- Separate env files for dev, staging, and prod.
- Move secrets into your hosting platform's secret manager. Never commit them.
- Rotate any keys that were in the Cursor/Lovable prototype. Assume they leaked.
Database
- Move from the prototype's default database (often a shared Lovable Postgres) to a managed instance: Supabase, Neon, or PlanetScale.
- Enable point-in-time recovery (PITR) so you can roll back data corruption.
- Set up daily automated backups, stored off the database host.
Phase 2: Auth and Security
This is where most vibecoder apps fail their first security audit.
Authentication
- Use a managed auth provider (Clerk, Auth.js, Supabase Auth, WorkOS), not hand-rolled JWT.
- Implement email verification for new signups.
- Add rate limiting on login attempts (5 per 5 minutes per IP, per email).
- Implement password reset with secure token expiration (15 minutes max).
Authorization
- Audit every API route. Each one needs an explicit auth check.
- For multi-tenant apps, use Row Level Security (RLS) at the database level, not just at the API layer.
- Test with two real user accounts: can User A see User B's data? If yes, you have a bug.
Input validation
- Every form input gets server-side validation. Zod or Yup are standard.
- Sanitize HTML inputs to prevent XSS.
- Parameterize all database queries to prevent SQL injection.
Secrets and tokens
- Never log API keys, tokens, passwords, or PII.
- Use a secret scanner (GitHub's built-in) in CI to catch leaks before merge.
Phase 3: Performance and Reliability
Load and speed
- Run Lighthouse on the homepage and 3 key user flows. Aim for 90+ on performance.
- Lazy-load anything below the fold (images, videos, heavy components).
- Use a CDN for static assets (Vercel/Netlify give you this for free).
Database
- Add indexes for every column you filter or sort by in production queries.
- Monitor slow queries. Supabase, Neon, and most managed Postgres providers ship dashboards for this.
- Cache aggressively: SWR or React Query on the client, Redis or KV on the server.
Error boundaries
- Wrap every page in a React error boundary. Show a friendly fallback, not a white screen.
- Catch and report API errors. Never let an unhandled exception kill a request.
Rate limiting
- Add rate limits to expensive endpoints (LLM calls, image uploads, search).
- Use Upstash Ratelimit or similar. Five lines of code.
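The login limiter from Phase 2 (5 attempts per 5 minutes, per IP and per email) and the per-endpoint limits above are the same mechanism with different keys. The block below is an added example, not code from the guide or from Upstash: `SlidingWindowLimiter`, `checkLogin` and `checkLlmCall` are names chosen here, and the 20-calls-per-minute LLM policy is a constructed value.

```typescript
// Sliding-window limiter enforcing the guide's login policy: 5 attempts per 5 minutes,
// keyed by client IP and, separately, by target email, so one IP cannot spray many
// accounts and many IPs cannot hammer one account. Counters are in memory here; in
// production they live in Redis/KV (e.g. Upstash) so they are shared across instances.
type Verdict = { allowed: boolean; retryAfterMs: number };

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>(); // key -> timestamps (ms) of attempts in the window

  constructor(private readonly limit: number, private readonly windowMs: number) {}

  // Records one attempt for `key` at `now` and reports whether it is within the limit.
  // Blocked attempts are not recorded, so a blocked client is not penalised indefinitely.
  hit(key: string, now: number): Verdict {
    const recent = (this.hits.get(key) ?? []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // The oldest attempt still inside the window decides when capacity frees up.
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }
}

const FIVE_MINUTES = 5 * 60 * 1000;
const loginByIp = new SlidingWindowLimiter(5, FIVE_MINUTES);
const loginByEmail = new SlidingWindowLimiter(5, FIVE_MINUTES);

// Gate one login attempt on both keys. `now` is injectable so tests need not wait.
function checkLogin(ip: string, email: string, now: number = Date.now()): Verdict {
  const verdicts = [
    loginByIp.hit(`ip:${ip}`, now),
    // Normalise the email so case and whitespace variants share one bucket.
    loginByEmail.hit(`email:${email.trim().toLowerCase()}`, now),
  ];
  const denied = verdicts.filter((v) => !v.allowed);
  if (denied.length === 0) return { allowed: true, retryAfterMs: 0 };
  // Report the longer wait so the client does not retry while one key is still blocked.
  return { allowed: false, retryAfterMs: Math.max(...denied.map((v) => v.retryAfterMs)) };
}

// Same mechanism for the expensive endpoints in Phase 3, keyed by the authenticated user.
const llmCalls = new SlidingWindowLimiter(20, 60 * 1000); // constructed policy: 20 calls/minute
function checkLlmCall(userId: string, now: number = Date.now()): Verdict {
  return llmCalls.hit(`llm:${userId}`, now);
}
```

Map a denied verdict to HTTP 429 with a `Retry-After` header derived from `retryAfterMs`; the in-memory `Map` is fine for one process, but a multi-instance deployment needs the shared store the guide mentions.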
Phase 4: Observability and Ops
If you can't see what's happening, you can't fix it.
- Logs: Send all server logs to a service (Axiom, Logflare, Vercel Logs). Searchable, with PII filtering.
- Errors: Hook up Sentry or Rollbar. Get notified within 60 seconds of any production exception.
- Uptime: BetterStack or UptimeRobot pings your site every minute. Alerts on Slack if it's down.
- Analytics: PostHog or Plausible for product analytics. Not just page views. Funnel events, retention, activation.
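The "never log API keys, tokens, passwords, or PII" rule from Phase 2 and the "PII filtering" requirement for the log pipeline above are easiest to enforce at the one place log lines are built. The block below is an added example, not the guide's code: the regex rules and sensitive-key list are constructed for illustration, and `logLine` is a hypothetical wrapper standing in for whatever logger ships lines to Axiom, Logflare or Vercel Logs.

```typescript
// One redaction pass applied to every log line before it leaves the process, covering what
// the guide says must never be logged: API keys, bearer tokens, passwords and PII. The
// patterns are constructed for this example; extend them for the identifiers your app handles.
const RULES: Array<[RegExp, string]> = [
  [/Bearer\s+[A-Za-z0-9._~+\/=-]+/g, "Bearer [REDACTED]"],                  // OAuth / JWT bearer tokens
  [/\b(sk|pk|rk|whsec)_(?:live_|test_)?[A-Za-z0-9]{8,}/g, "$1_[REDACTED]"], // Stripe-style keys
  [/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, "[EMAIL]"],           // email addresses
  [/\b\d(?:[ -]?\d){12,18}\b/g, "[CARD]"],                                  // card-number-shaped digit runs
];
// Structured fields whose values are dropped outright, whatever they contain.
const SENSITIVE_KEYS = new Set(["password", "token", "secret", "apikey", "api_key", "authorization", "cookie", "ssn"]);

function redactString(s: string): string {
  return RULES.reduce((acc, [re, rep]) => acc.replace(re, rep), s);
}

// Walks nested objects and arrays: sensitive keys are replaced, every other string is scrubbed.
function redact(value: unknown): unknown {
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? "[REDACTED]" : redact((value as Record<string, unknown>)[k]);
    }
    return out;
  }
  return value; // numbers, booleans, null and undefined pass through
}

// Builds one JSON log line. Redaction happens here, so no call site can forget it.
function logLine(level: "info" | "warn" | "error", msg: string, fields: Record<string, unknown> = {}): string {
  const safeFields = redact(fields) as Record<string, unknown>;
  return JSON.stringify({ ts: new Date().toISOString(), level, msg: redactString(msg), ...safeFields });
}
```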
Phase 5: Billing and Revenue
Most vibecoders skip this until users ask "how do I pay you?" Then they scramble for two days.
- Use Stripe Checkout for the subscription flow. Don't build custom payment forms.
- Set up Stripe webhooks for: subscription created, subscription updated, subscription cancelled, payment failed.
- Implement a customer portal so users can cancel without emailing you.
- Add dunning emails for failed payments. Stripe handles the retry logic; you handle the email.
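Two things the webhook items above depend on but do not spell out: the endpoint must verify Stripe's signature over the raw request body before trusting the event, and handlers must be idempotent because Stripe retries deliveries that do not get a 2xx. The block below is an added example, not the guide's or Stripe's code; the signature scheme is Stripe's documented one, while `verifyStripeSignature`, `handleEvent`, `receiveWebhook` and the trimmed `StripeEvent` shape are simplifications chosen here.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
// Stripe signs each delivery: HMAC-SHA256 over "<t>.<raw body>" with the endpoint's signing
// secret, sent as "t=<unix seconds>,v1=<hex>" in Stripe-Signature. The SDK's
// stripe.webhooks.constructEvent does this check; this version shows what it enforces.
const TOLERANCE_SEC = 300; // Stripe's default replay window

function verifyStripeSignature(rawBody: string, header: string, secret: string, nowSec: number): boolean {
  // Parse "k=v" pairs; with several v1 values this keeps the last (the SDK checks each one).
  const parts = new Map(header.split(",").map((kv) => kv.trim().split("=", 2) as [string, string]));
  const t = parts.get("t");
  const v1 = parts.get("v1");
  if (!t || !v1 || !/^\d+$/.test(t)) return false;
  if (Math.abs(nowSec - Number(t)) > TOLERANCE_SEC) return false; // stale delivery or replay
  // Sign the body exactly as received; re-serialising parsed JSON changes bytes and breaks this.
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  const a = Buffer.from(expected, "hex");
  const b = Buffer.from(v1, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

type StripeEvent = { id: string; type: string; data: { object: { customer: string; status?: string } } };
const seenEventIds = new Set<string>(); // production: a table with a unique index on the event id
const customerState = new Map<string, string>(); // customer id -> billing state

// Stripe retries deliveries that did not get a 2xx, so handlers must be idempotent:
// record the event id first so a repeat delivery changes nothing.
function handleEvent(evt: StripeEvent): "handled" | "duplicate" | "ignored" {
  if (seenEventIds.has(evt.id)) return "duplicate";
  seenEventIds.add(evt.id);
  const customer = evt.data.object.customer;
  switch (evt.type) {
    case "customer.subscription.created":
    case "customer.subscription.updated":
      customerState.set(customer, evt.data.object.status ?? "unknown");
      return "handled";
    case "customer.subscription.deleted":
      customerState.set(customer, "cancelled");
      return "handled";
    case "invoice.payment_failed":
      customerState.set(customer, "past_due"); // queue the dunning email here
      return "handled";
    default:
      return "ignored";
  }
}

function receiveWebhook(rawBody: string, header: string, secret: string, nowSec: number) {
  if (!verifyStripeSignature(rawBody, header, secret, nowSec)) return "rejected"; // answer HTTP 400
  return handleEvent(JSON.parse(rawBody) as StripeEvent);
}
```

Most frameworks parse JSON bodies by default; the webhook route has to opt out of that so the bytes Stripe signed are the bytes you verify.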
For one-time payments, Lemon Squeezy is often simpler than Stripe. They handle EU VAT and sales tax automatically.
Phase 6: Legal and Compliance
The boring but mandatory work.
- Privacy Policy: Use TermsHub, GetTerms, or Termly to generate one. Cost: $20–$50.
- Terms of Service: Same generators. Tailor the liability section to your app.
- Cookie consent: If you have EU traffic, you need this. Cookiebot or OneTrust handle it.
- Data retention policy: Document how long you keep user data and how users can delete it.
When to Call in Help
The phase-by-phase work above is doable solo. But three situations need outside help:
- You've never shipped a production app before. The first time, hire someone for 1–2 weeks to audit and harden the prototype.
- You're approaching launch with paying customers. Get a security audit. $1–3K spent here prevents a $100K incident later.
- Your stack hits something the AI tools don't handle well. Custom infrastructure, specific compliance (HIPAA, SOC2), and real-time multiplayer still benefit from senior engineering judgment.
Kastling takes vibecoder prototypes to production-grade AI products, covering exactly the gap this guide describes. Code in your repo, evals as the contract, IP transfer at the end. Start with an AI Readiness Audit and we scope the work from there.
FAQ
Q: How long does the prototype-to-production process take?
Solo, with focus: 30–60 hours of work, spread over 1–3 weeks. With a partner on it: 1–2 weeks calendar time.
Q: Can I skip any of these phases?
Yes. For very early MVPs (under 50 users), you can skip observability, billing, and some performance work. You cannot skip auth, security, or legal pages.
Q: What's the most common thing vibecoders skip that comes back to bite them?
Rate limiting on auth endpoints. A single bot attack can lock all users out, or worse, succeed at brute-forcing accounts.
Q: Do I need a co-founder or developer to ship to production?
No. The work is mechanical enough that one motivated vibecoder can do it solo. But it's slow, which is why founders often hire a partner for this phase.
Q: How do I know my prototype is ready to start the production process?
When your core user flow works end-to-end with two real test accounts, on a real domain, with no console errors. That's the green light to start Phase 1.
If you're hitting the prototype-to-production wall, talk to Kastling. We design, build, and launch AI products, and we take vibecoder prototypes to production. Code in your repo, evals as the contract, IP transfer at the end. Start with an AI Readiness Audit.