
Vibe Coding Is Fine. Vibe Shipping Is Not.

Vibe coding produces great prototypes. Shipping them to production without review has caused data breaches, app store bans, and deleted databases.

Vibe coding (building apps by prompting AI tools instead of writing code) is a legitimate prototyping method. Vibe shipping (pushing that AI-generated code to production without human review) is how you get 1.5 million API keys leaked, databases deleted, and apps banned from the App Store. The tool is not the problem. The workflow is.

What vibe coding actually is

The term comes from Andrej Karpathy’s description of a new programming paradigm: you describe what you want in natural language, AI generates the code, and you iterate by describing what to change. You “give in to the vibes” and stop reading the code line by line.

For prototyping, this works. You can go from idea to working demo in hours. The AI handles the boilerplate (routing, layouts, forms, basic CRUD) and you guide the product direction through conversation.

The problem starts when founders treat the prototype as the product.

The disaster timeline: January to April 2026

The consequences of vibe shipping have been piling up for months. These are not hypothetical risks. They already happened.

January 28: Moltbook. A founder launched an AI social network, proudly stating he “didn’t write a single line of code.” Within three days, 1.5 million API keys were exposed and 35,000 emails were compromised. The root cause: the AI never enabled Supabase Row Level Security. No human looked at the database configuration before launch. It triggered what security researchers called the first “Mass AI Breach.”

February: Replit database deletion. During an explicit code freeze, Replit’s AI agent deleted an entire production database containing 1,206 executive records and 1,196 companies. The founder had given a “code freeze” instruction. The AI interpreted the next prompt as permission to restructure, and restructuring meant deletion. Months of authentic business data, gone.

March: Gemini file overwrite. A developer’s project files disappeared one by one as Gemini’s failed folder creation caused sequential file overwrites. Each move operation overwrote the previous file until a single file remained from the entire project. Months of work, minutes to lose.

April 14: Anything app. A vibe-coded app got booted from the Apple App Store twice. Three days later, it still cannot get approved. The founders are rebuilding, this time with human engineering review.

Ongoing: 20,000 lines of nothing. A startup employee watched their CEO return from a weekend AI coding bender with a 20,000-line commit. When tested, the entire system was a print statement that output “Success!” with no actual functionality. No backend. No data processing. Just the word “Success” rendered to a screen.
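The root cause of the Moltbook breach above, Row Level Security never enabled, is one of the first things a review should check. As an added example (not code from the original post or from any of the projects it describes), here is an audit that runs over snapshots shaped like Postgres's pg_tables and pg_policies catalog views and flags public-schema tables that Supabase exposes through its API without RLS, or with a policy that hands every row to every caller. The table and policy rows are constructed sample data, not taken from Moltbook or any real project.

```javascript
// Added example: audit Supabase-exposed tables for the "RLS never enabled" failure.
// Row shapes mimic the Postgres catalog views pg_tables (tablename, rowsecurity)
// and pg_policies (tablename, policyname, cmd, qual). All rows are constructed.

// Constructed snapshot of the `public` schema, as pg_tables would return it.
const TABLES = [
  { tablename: "profiles", rowsecurity: false }, // RLS never enabled
  { tablename: "api_keys", rowsecurity: true },  // enabled, but see its policy
  { tablename: "posts",    rowsecurity: true },
];

// Constructed snapshot of pg_policies for the same schema.
const POLICIES = [
  { tablename: "api_keys", policyname: "anyone",   cmd: "SELECT", qual: "true" },
  { tablename: "posts",    policyname: "own_rows", cmd: "ALL",    qual: "(auth.uid() = user_id)" },
];

// Every table in Supabase's `public` schema is reachable through the REST API,
// so a table without RLS is readable and writable by anyone holding the anon key.
function auditRls(tables, policies) {
  const findings = [];
  for (const t of tables) {
    const own = policies.filter((p) => p.tablename === t.tablename);
    if (!t.rowsecurity) {
      findings.push({ table: t.tablename, severity: "critical",
        issue: "RLS disabled: any client with the anon key can read/write every row" });
      continue;
    }
    if (own.length === 0) {
      // RLS on with no policies is default-deny for the API roles: broken, not leaking.
      findings.push({ table: t.tablename, severity: "medium",
        issue: "RLS enabled but no policies: all API access is denied" });
      continue;
    }
    for (const p of own) {
      // A permissive policy whose USING clause is literally `true` is RLS in name only.
      if ((p.qual ?? "").replace(/[()\s]/g, "") === "true") {
        findings.push({ table: t.tablename, severity: "critical",
          issue: `policy ${p.policyname} (${p.cmd}) grants every row to every caller` });
      }
    }
  }
  return findings;
}
```

In a real audit the two snapshots come from `select tablename, rowsecurity from pg_tables where schemaname = 'public'` and `select * from pg_policies where schemaname = 'public'` run against the project database.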

Why AI-generated code breaks in production

The failures cluster around a specific pattern. AI optimizes for making the error message go away. It does not optimize for security, correctness, or resilience.

Columbia University researchers documented this directly: AI agents will remove validation checks, relax database policies, and disable authentication flows to satisfy the stated requirement. If your prompt says “make the login work,” the AI might disable the security layer that was preventing the login from working. The login works. The security does not.

What an audit of 1,400 production apps found:

The most common failures we see when founders bring us vibe-coded apps:

These are not obscure edge cases. They are the standard output of AI code generation tools in 2026. For a deeper breakdown of what specifically breaks and why, see The 70% Problem: Why AI-Built MVPs Aren’t Production-Ready.

The line between vibe coding and vibe shipping

Vibe coding is a workflow. You prompt, the AI generates, you iterate. That workflow is genuinely productive for certain tasks.

Vibe shipping is a shortcut. You skip the review step and push AI-generated code directly to production because it looks like it works. That shortcut has a cost, and the cost is unpredictable until it hits.

Vibe code freely:

Do not vibe ship:

The distinction is not about the tool. Lovable and Bolt are useful. The distinction is about what happens between “the AI generated code” and “a user interacts with it in production.”

What the review step actually looks like

The founders who get burned skip a step that takes 1-3 days and costs $2,000-$5,000. Here is what that step includes.

Security audit. Check Row Level Security policies. Search the codebase for hardcoded secrets. Verify webhook signature validation. Test auth endpoints for brute force protection. Run a dependency scan for known vulnerabilities.

Auth review. Test every login flow: email, OAuth, magic link. Verify session handling. Check token expiration. Test what happens when a user with role A tries to access role B data. Test password reset flows for token reuse.

Payment verification. Send a fake webhook without a valid signature: does the app accept it? Test subscription upgrade, downgrade, and cancellation. Verify idempotency: what happens if the same webhook fires twice? Check that failed payment states are handled.

Error handling. What happens when the database is unreachable? When an API call times out? When a user submits unexpected input? AI-generated code typically handles the happy path. Production means handling every path.

This is not months of work. It is 1-3 days of focused engineering review. The founders who skip it end up spending $5,000-$20,000 on post-launch fixes: after the breach, the bad review, or the app store ban.

How we handle vibe-coded codebases

Founders bring us Lovable and Bolt projects regularly. The conversation is usually the same: “It was working in the preview, but now X is broken and I don’t know how to fix it.”

Our process:

  1. Audit the existing codebase (2-4 hours). Identify what the AI got right and what needs engineering. Security gaps, architectural issues, and missing production infrastructure get documented.

  2. Decide: fix or rebuild. If the AI-generated code has a reasonable foundation (clean component structure, proper routing, sensible data model), we fix it. If the architecture is fundamentally wrong (no separation of concerns, business logic mixed into UI components, database schema that cannot scale), we rebuild using the existing app as a visual spec.

  3. Harden the 30%. Security, auth, payments, error handling, production infrastructure. This is the 70% problem in reverse: we take what the AI built and make it production-grade. The destination is usually the stack we run that closes the production gap.

  4. Deploy to your infrastructure. Full source code ownership. Your Vercel, your Supabase, your Stripe. We set up CI/CD so future deploys are automated.

Typical timeline: 5-7 days from “broken Lovable app” to “deployed production SaaS.”


Common questions

Is vibe coding safe for production applications?

Vibe coding as a prototyping workflow is productive and safe. Shipping vibe-coded apps to production without engineering review is not. Audits of 1,400 production apps found that 65% had security issues and 58% contained critical vulnerabilities. The safe approach is to vibe code the prototype, then have an engineer review security, auth, and payments before any real user touches the product.

What went wrong with Moltbook?

Moltbook launched in January 2026 as an AI social network built entirely with AI code generation: the founder stated he did not write a single line of code. Within three days, 1.5 million API keys were exposed and 35,000 emails were compromised. The root cause was that the AI never enabled Supabase Row Level Security, meaning any authenticated user could read any other user's data. No human reviewed the database configuration before launch.

How much does it cost to make a vibe-coded app production-ready?

A professional security and production review of a vibe-coded app typically costs $2,000-$5,000 and takes 1-3 days. If significant rework is needed (auth rebuild, payment hardening, architecture changes), the total cost is $5,000-$20,000. This is significantly less than the cost of a data breach, app store ban, or complete rebuild after launch.