
Fix Your Vibe Code: How We Rescue AI-Generated Apps
Vibe coding is real, and honestly - we like it. Founders who would have waited six months for a first version now show up with a working prototype, actual users, and sometimes actual revenue. That's a better starting point than a pitch deck.
But we've also noticed a pattern: a growing share of our inbound requests start with some version of "the app works, mostly, but we're afraid to touch it." This post is about that moment - why it happens, how to triage it, and how to decide whether your vibe-coded app needs a cleanup or a rebuild.
Why vibe-coded apps break
None of these are the AI's "fault" exactly. They're what happens when code is generated conversation-by-conversation with nobody holding the architecture in their head.
1. There is no architecture - there are 40 local decisions. Each prompt solved one problem well. Nobody decided how data flows through the app, so there are three different ways of fetching, two sources of truth for user state, and components that reach into each other's internals. It works until two of those decisions collide.
2. Security was never anyone's prompt. API keys hardcoded into client components. Routes with no auth checks because the happy path never needed one. Database queries assembled from user input. We find at least one of these in almost every rescue project - and unlike bugs, these don't announce themselves.
3. Error handling is whatever the model felt like that day.
Some functions have try/catch with silent failure, some crash loudly, some return null and let the crash happen three components later. The result: bugs that are trivial to cause and very expensive to trace.
4. Dependencies nobody chose. Each generation session added packages. Now there are four date libraries, two component kits with conflicting styles, and an abandoned auth package with a known CVE. Install size and attack surface both balloon.
5. It only runs on the machine it was vibed on. No environment separation, no build pipeline, config that assumes one very specific laptop. The first deploy to real hosting fails in ways that take days to untangle.
The triage: refactor or rebuild?
We run the same assessment on every rescue project, and it comes down to three questions:
- Does the data model make sense? If the database schema is roughly right, refactoring is usually viable - schemas are the hardest thing to change with users in production.
- Is there one consistent core? If 60%+ of the app follows some consistent pattern, we keep it and fix the outliers. If every feature is its own dialect, a rebuild is faster than archaeology.
- What breaks if we do nothing? Real security exposure or data-loss risk means stabilization comes first, before any architectural opinion.
Rough rule from our projects: under ~15k lines with a sane schema → refactor. Beyond that, or with a broken data model → rebuild on the same design, which is dramatically cheaper than the first build because the prototype already answered the product questions - what to build, for whom, and which features earn their place.
What a rescue actually looks like
- Audit (2-3 days). We read the code, map the data flow, scan dependencies, and check the obvious security surfaces. You get a written report either way - some teams take it and fix things themselves, which is a perfectly good outcome.
- Stabilize. Secrets out of the client, auth on every route that needs it, error boundaries where users actually hit failures. Not pretty - safe.
- Refactor or rebuild per the triage above: one data-fetching pattern, one state approach, typed interfaces at the seams, tests around the money paths (signup, checkout, whatever pays the bills).
- Ship with a pipeline. Staging environment, CI, deploy previews - so the next AI-assisted change (yes, keep using it) lands with a safety net instead of a prayer.
One part of the audit we don't do alone: the deep security pass. Finding the obvious holes is step one; finding the underlying ones - the exposed secret that's already been scraped, the injectable query three layers down, the auth bypass nobody has exploited yet - is a discipline of its own. For that we bring in our partner agency Teyrex, whose specialty is finding the security breaches hiding in vibe-coded apps. We rebuild the stack; they make sure nothing rotten survives the rebuild.
Keep vibing - with guardrails
We're not going to tell you to stop using AI to write code; we use it daily. The difference between a prototype that becomes a product and one that becomes a cautionary tale is guardrails: a real schema designed once, a typed API layer the AI has to conform to, code review on anything touching auth or payments, and CI that refuses to ship what doesn't build.
Vibe code got you users. Engineering keeps them.
Have an app that works, mostly? Send it to our Next.js team for an audit - we'll tell you in 2-3 days whether it needs a cleanup or a rebuild, with a fixed-scope estimate for either.
Do you want secure, fast website or application?