
When Vibe-Coded Apps Meet Reality

GearedApp

Hardening AI-Generated Applications Before They Go Live

AI is now part of everyday software development. At GearedApp, we use it constantly. It accelerates boilerplate, speeds up exploration and helps with initial code reviews and debugging.

But there is a clear line between a fast prototype and production-ready software. AI can generate working code. It does not guarantee maintainability, security or long-term resilience.

Recently, we reviewed a sizeable web application built with React 18, Supabase and TypeScript. It had been heavily AI-assisted. The stack was modern. The direction was sensible. The foundations were solid.

The execution told a more complicated story.

The Good News

This was not a chaotic legacy system.

  • The project structure was logical.
  • React Query was used correctly for server state.
  • Global state management was reasonable.
  • Supabase Row Level Security and storage policies were in place.
  • The database design showed intent and thought.

In short, it was absolutely something we would be happy to work with. But it was not ready for production in its current form.

Where AI-Assisted Development Shows Its Limits

1. Loose TypeScript Configuration

There was extensive use of any. TypeScript was technically present, but its safety guarantees had been effectively switched off.

When types are loose, errors surface at runtime rather than compile time. That increases risk, slows debugging and makes refactoring dangerous.

AI often generates permissive types because they “work”. Production software requires stricter discipline.

2. Very Large Components

Some components exceeded 3,000 lines.

Large files increase cognitive load, hide subtle bugs and make maintenance or onboarding new developers slower. They also make safe refactoring much harder.

AI will happily keep appending to the same file unless explicitly guided otherwise.

3. Duplicated Authentication Logic

Across more than 80 Supabase Edge Functions, authentication checks were repeated rather than centralised.

Supabase handles JWT verification correctly, but duplicated logic creates maintenance overhead and increases the risk of inconsistency over time.

Shared concerns should live in middleware or shared utilities, not copied across dozens of functions.
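One way to centralise the check, as an added example rather than code from the reviewed project or from Supabase: a single guard that every function calls before doing any work. The `TokenVerifier` interface, the `role` field and the demo helpers are assumptions made for illustration; in a real project the verifier would delegate to the platform's own JWT verification.

```typescript
// Added example: one shared auth guard instead of a copy in each Edge Function.
// `TokenVerifier` is an assumed interface wrapping the platform's JWT verification.
type User = { id: string; role: string };
type TokenVerifier = (token: string) => Promise<User | null>;

// Structural subset of the Fetch API Request, so a real Request also fits.
type HeaderSource = { headers: { get(name: string): string | null } };

type AuthResult =
  | { ok: true; user: User }
  | { ok: false; status: 401 | 403; error: string };

async function requireUser(
  req: HeaderSource,
  verify: TokenVerifier,
  allowedRoles?: string[],
): Promise<AuthResult> {
  const header = (req.headers.get("authorization") ?? "").trim();
  const token = /^Bearer\s+(\S+)$/i.exec(header)?.[1];
  if (!token) return { ok: false, status: 401, error: "missing bearer token" };

  let user: User | null;
  try {
    user = await verify(token);
  } catch {
    // Fail closed: a verifier error is treated as "not authenticated".
    user = null;
  }
  if (!user) return { ok: false, status: 401, error: "invalid token" };
  if (allowedRoles && !allowedRoles.includes(user.role)) {
    return { ok: false, status: 403, error: "insufficient role" };
  }
  return { ok: true, user };
}

// Constructed stand-ins for trying the guard offline (not real tokens or users).
const demoVerify: TokenVerifier = async (t) =>
  t === "valid-admin" ? { id: "u1", role: "admin" }
  : t === "valid-member" ? { id: "u2", role: "member" }
  : null;

function demoRequest(authorization?: string): HeaderSource {
  const get = (name: string): string | null =>
    name.toLowerCase() === "authorization" ? authorization ?? null : null;
  return { headers: { get } };
}
```

Each function then starts with one call to `requireUser` and returns the `status` and `error` it reports on failure, so a change to the rules lands in one file instead of eighty.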

4. CORS and Environment Configuration

CORS settings allowed wildcard subdomains. Localhost access was still enabled in places.

Overall, the security architecture was good. These were not catastrophic issues. But permissive configurations are the kind of detail that can quietly introduce risk once traffic increases.
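The permissive shape described above beside an exact-match allowlist keyed by environment, as an added example that is not the reviewed project's configuration. The `example.com` origins, the ports and the `Env` names are placeholders.

```typescript
// Added example: CORS origin policy, weak form beside the hardened form.
// All origins and environment names below are placeholders.
type Env = "production" | "staging" | "development";

const ALLOWED_ORIGINS: Record<Env, readonly string[]> = {
  production: ["https://app.example.com"],
  staging: ["https://staging.example.com"],
  development: ["http://localhost:5173", "http://localhost:3000"],
};

// Weak: any subdomain is trusted, and localhost is trusted in every environment.
function permissiveAllows(origin: string): boolean {
  return /^https:\/\/([a-z0-9-]+\.)*example\.com$/.test(origin) ||
    /^http:\/\/localhost(:\d+)?$/.test(origin);
}

// Hardened: the origin must equal an entry listed for the current environment.
function strictAllows(origin: string, env: Env): boolean {
  return ALLOWED_ORIGINS[env].includes(origin);
}

function corsHeaders(origin: string | null, env: Env): Record<string, string> {
  // Vary: Origin stops shared caches reusing one origin's response for another.
  const headers: Record<string, string> = { Vary: "Origin" };
  if (origin !== null && strictAllows(origin, env)) {
    // Echo the matched origin; never "*" for authenticated endpoints.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Headers"] = "authorization, content-type";
  }
  return headers;
}

// Review aid: origins the permissive policy accepted that the strict one rejects.
function newlyRejected(origins: string[], env: Env): string[] {
  return origins.filter((o) => permissiveAllows(o) && !strictAllows(o, env));
}

// Constructed sample of origins, as might be pulled from request logs.
const SAMPLE_ORIGINS = [
  "https://app.example.com",
  "https://old-campaign.example.com",
  "http://localhost:5173",
];
```

Running `newlyRejected` over origins seen in request logs before switching policies shows which legitimate callers, if any, need adding to the allowlist.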

5. Database Scale and Indexing Risk

With over 70 tables already defined, the database complexity was growing.

That is not inherently a problem. It does, however, require a deliberate indexing strategy and query review. AI-generated schemas can scale quickly in structure but not always in performance.

6. Data Boundaries and Platform Lock-In

One of the more subtle risks in AI-assisted builds is clarity around data flow.

  • Where is data stored?
  • What environments does it pass through?
  • Which tools have access during development?
  • Are you becoming tightly coupled to a single platform without a migration strategy?

When AI tools are embedded into your workflow, these questions matter even more. Production readiness is not only about code quality. It is about understanding control and exposure.

This Is Not an Anti-AI Argument

AI coding tools in 2026 are powerful and improving rapidly. Most modern teams use them.

We do too.

But AI generates plausible code. It does not understand your long-term architecture, your compliance obligations or your commercial risk. Without experienced human oversight, you can unintentionally ship:

  • Technical debt at scale
  • Security misconfigurations
  • Performance bottlenecks
  • Inconsistent architectural patterns
  • Hidden coupling to a platform

Speed is valuable, and validation of ideas has never been easier. But only if what you build can survive contact with real users.

When Should You Pause and Review?

If you have built an AI-assisted application and you are about to:

  • Onboard real users
  • Integrate payments
  • Connect to internal systems
  • Store sensitive data
  • Seek investment
  • Scale marketing activity

That is the moment to pause. Not because the project is broken. Because it deserves to be hardened properly.

How Can We Help?

Rather than pushing teams into long engagements, we offer focused blocks of senior engineering time specifically for AI-assisted applications. Sometimes the result is reassurance. Sometimes it prevents a costly rewrite twelve months later. Either way, you move forward with clarity.

We believe AI is part of the future of software development. It is already part of ours, but production software requires accountability, structure and discipline.

If you have “vibe-coded” your way to a working application and you are unsure whether it is truly production-ready, that is a sensible instinct. If that conversation would be helpful, do get in touch; we are happy to allocate a focused review block and give you a straight answer.