PRTOTYPE.COM · Production studioAudit · Build · Maintain
PRoTOTYPE.COM
6 July 2026 · Field notes · By Jason Ensor

Vibe Coding Rescue: What It Takes to Get an AI-Built App to Production

Somewhere on your screen right now there is probably an app that shouldn't exist. You made it in a weekend with Lovable, or Bolt, or Cursor, or Replit. It has real users, or it's about to. And a quiet voice in the back of your head keeps asking the same question: is this thing actually safe?

Usually not. That's not an insult: it's a category. The industry has settled on a name for software built by prompting an AI straight towards production: vibe code. And a small industry has grown up around fixing it, which the market calls vibe coding rescue. Having done a fair amount of it, we can tell you what the work actually involves, what it costs, and how to tell a real rescue from an expensive rebuild in disguise. Pricing and process questions? The FAQ has straight answers.

The demo was never the hard part

Most AI projects don't fail at the demo. They fail in the gap between the demo and the day real customers arrive. By MIT Project NANDA's count, nineteen in twenty enterprise AI pilots never show a return, and it's almost never the model's fault. The gap is an engineering problem.

Vibe-coded apps fail in a remarkably consistent pattern, because the tools optimise for the same thing: a convincing demo, fast. The failures cluster in five places.

Authentication that performs rather than protects. Login screens that look right while sessions never expire, password resets leak, and admin routes answer to anyone who guesses the URL.

A data model nobody designed. The schema is whatever shape the AI reached for first. It works for ten users and one happy path. Concurrent writes, duplicate webhooks, and a user who edits the URL to read someone else's records will each find it, in roughly that order.

Security as an afterthought, or no thought. Hard-coded API keys. Client-side checks enforcing server-side rules. Database policies (row-level security, if it exists at all) that were pasted in until the error went away. Missing row-level security is the documented root cause of CVE-2025-48757, which exposed data across more than 170 production apps on one popular AI app builder, and further incidents through early 2026 kept finding the same class of gap.

Infrastructure that is really someone's free tier. No staging environment, no backups anyone has tested, no way to roll back, and a deploy process that is one person clicking one button in one browser tab.

Unmaintainability. The subtlest one. The person who shipped the code cannot explain why it works, because nobody wrote it in the sense that matters. Every change is a fresh gamble, so changes stop happening, so the product stops moving.

None of this means the prototype was a mistake. The prototype did its job: it proved the idea, cheaply, before you bet real money on it. That used to cost a consultancy engagement. Now it costs a weekend. The mistake is only in believing the demo and the product are the same object.

What a rescue actually involves

A serious rescue is not "more prompting", and it is not a developer glancing at your repo and quoting a number. It runs in a fixed order.

First, an audit. A senior engineer reads the system as it actually behaves (security, data model, infrastructure, compliance) and maps the honest distance to production. Not vibes about the vibes: findings, each one tied to a consequence you care about. See what a sample report actually contains if you want the shape of it before you commission one.

Second, a specification. The audit becomes a written spec: modules, acceptance criteria, and a price against each. This is the step most of the market skips, and it's the one that protects you. A spec turns "trust us" into a document you can hold anyone to, including whoever you hire instead. If a rescue firm won't put the scope in writing with prices attached, you are not buying engineering; you are buying a relationship with an invoice attached.

Third, takeover, not rebuild, wherever the code deserves it. A full rewrite throws away the parts the AI got right, and it got plenty right; that is why the demo worked. Real rescue work keeps what's structurally sound, replaces what isn't, and tests everything against the spec as it goes.

Fourth, someone stays. Production software decays: dependencies rot, models get retired, threats move. A rescue that ends at the deploy is a prototype with better lighting. Ask who monitors it, who patches it, and what you'll see each month to prove they did.

What it should cost

Here the category has a transparency problem. Almost nobody in vibe coding rescue publishes prices. You'll meet free consultations and "$0 assessments" (sales calls wearing lab coats) and you'll meet quotes that arrive only after your codebase has been read, priced against your visible anxiety rather than the work.

We publish ours, so here they are as an anchor: a production audit is $7,500, fixed, delivered in a week, and the report (spec and module prices included) is yours to keep whoever you build with. Builds start at $30,000 over four to ten weeks. Ongoing custody of the shipped system starts at $1,500 a month, with a named monthly report. Other firms will price differently, and reasonably so. What isn't reasonable is a firm that won't tell you the shape of the number until you're emotionally committed.

A useful test, whoever you talk to: ask what you own at each stage. The right answer is everything: code, designs, IP, and the spec itself.

How to choose a rescue team

Three questions do most of the filtering.

Ask what they've kept alive, not just what they've shipped. Maintaining production systems under real users is a different discipline from launching them.

Ask for the audit before the quote. Anyone pricing your rescue without a structured read of your codebase is guessing, and you'll pay for the guess either way.

Ask what happens when it's done. If the answer trails off after "launch", the decay is your problem again, which is exactly where you started.

Vibe coding got you a working demo for the price of a weekend. That part of the world has genuinely changed, and we're glad it has. Production is the part that hasn't. It still takes engineers, a written spec, and someone who stays.

That part's ours, if you want it: book a production consultation, or start with the one-week audit.


FAQ

Can a vibe-coded app be made production-ready without a rewrite? Usually, yes. The demo working means the AI got a lot right. A proper audit separates what's structurally sound from what's dangerous; a takeover keeps the former and replaces the latter against a written spec. Full rewrites are the exception, not the default.

How much does vibe coding rescue cost? Most firms don't publish prices. Ours: $7,500 for a fixed-price, one-week production audit including a module-priced specification you keep; builds from $30,000; ongoing custody from $1,500/month. Treat any quote issued without a structured audit as a guess.

What breaks first in vibe-coded apps? The order that tends to surface first is: authorisation (users reaching data that isn't theirs), then data-model failures under concurrent use, then security debt like hard-coded keys, then infrastructure with no staging or backups.

Production audit

Show us what’s creaking.

A senior review of your vibe-coded app or stalled pilot: security, data model, infrastructure, compliance. Fixed price, delivered in a week, no judgement.

$7,500 fixed · One week · Yours to keep
Book a Production Consultation