Usama Moin/Tools / AI App Readiness

Free tool · 3 minutes · No sign-up

Is your AI-built app
actually production-ready?

Lovable, Bolt, v0, and Replit get you to a working demo fast, but “works in the preview” and “safe for real users” are very different bars. Check off what you've actually handled and get an honest readiness score with the gaps that matter most.

About your app

Toggle what applies. The score only counts checks relevant to your app.

Security

API keys & secrets are server-side, not in the client bundleAI tools often inline keys into frontend code where anyone can read them.

Auth actually protects private routes and dataHiding a button is not security, the server must enforce it.

User input is validated and sanitised server-side

Queries are parameterised (no SQL / NoSQL injection)

CORS is locked to your own domains, not "*"

Dependencies audited for known vulnerabilitiesRun npm audit / Dependabot — AI tools pull in a lot of packages.

Public endpoints have rate limiting / abuse protection

Data & backend

Database access rules (RLS / auth checks) are enforcedA common Supabase/Firebase gap: the DB is wide open to any client.

Production environment variables are configured (nothing hardcoded)

Sensitive data (passwords, PII) is hashed / encrypted, never plaintext

Frequently-queried fields are indexed

Database backups exist and a restore has been testedAn untested backup is not a backup.

AI & LLM

A hard spend cap or budget alert is set on the AI/API accountThe classic vibe-coded surprise: a $14K OpenAI bill in a month.

Per-user limits stop one user draining your token budget

User text reaching the model is treated as untrusted (prompt-injection aware)Users can hijack a naive prompt to leak data or change behaviour.

AI output is validated/constrained before it is shown or acted on

No customer PII is sent to third-party AI providers without consent

The app degrades gracefully when the AI call fails or times out

Reliability

Errors are handled with real user-facing states

Tested on real devices/browsers: not just the previewPreview environments hide native build, CORS, and deploy issues.

External calls have timeouts and retries

Payment / write operations are idempotent (no double charges)A retried checkout must not charge the customer twice.

Loading and empty states exist across the app

Performance

Images are optimised and not shipping full-size

No unbounded or N+1 database queries on key screens

Expensive reads / AI responses are cached where sensible

Core Web Vitals are acceptable on a mid-range phone

Monitoring & ops

Error monitoring is installed (e.g. Sentry)

Uptime / health checks alert you when it goes down

Product analytics is capturing real usage

Server logs are retained and searchable

Launch & compliance

Custom domain live with working HTTPS

Basic accessibility: labels, contrast, keyboard navigation

Production-readiness score

0/100

Not production-ready

High risk of breaking, or leaking data, in production. Start with the fixes below.

Fix these first

CriticalAPI keys & secrets are server-side, not in the client bundle

CriticalAuth actually protects private routes and data

CriticalDatabase access rules (RLS / auth checks) are enforced

CriticalA hard spend cap or budget alert is set on the AI/API account

HighUser input is validated and sanitised server-side

Each prompt tells the AI to fix the item only if it really applies — otherwise it reports back that it's not relevant and you can mark it done.

Want someone to actually fix these for you?

Book a Free Call →

See the vibe-coded production service →

A self-assessment for planning, not a security audit. Nothing you enter leaves your browser.

Why “it works” isn't the same as “it's ready”

AI builders are genuinely impressive at turning a prompt into a working interface. What they are not built to do is reason about the things that only matter once real people use your app: whether your API keys are exposed, whether your database will hand any visitor every other user's data, whether the app survives a failed network request, and whether it even builds and deploys outside the sandbox it was created in.

None of this means AI-built apps are a bad idea: they are a fast, cheap way to get to a real product. It just means there is a hardening step between “the demo works” and “I can put this in front of customers.” The scorecard above is a quick way to see how much of that step is still ahead of you.

Frequently asked questions

What does "production-ready" actually mean for an AI-built app?

It means the app can safely handle real users and real data, not just a demo. The big gaps in AI-generated apps are security (exposed API keys, unprotected routes), data access rules, real error handling, and deployment outside the preview environment. A pretty UI that works in the builder is not the same as a production system.

Why do apps from Lovable, Bolt, v0, and Replit break in production?

These tools optimise for getting something working fast in a sandbox. They frequently inline secrets into frontend code, leave databases open with no access rules, skip server-side validation, and rely on preview environments that hide native build, CORS, and deployment issues. Those gaps only surface when real users, or attackers, arrive.

Is the biggest risk usually security?

Often, yes. The most common and most dangerous issues are exposed API keys in the client bundle and databases with no row-level security, which can leak or expose every user record. That is why those items are weighted highest in this scorecard.

Can you fix these issues for me?

Yes. Fixing AI-generated apps for production: security hardening, proper auth and data rules, real error handling, and clean deployment, is exactly what the vibe-coded production service does, across Lovable, Bolt, v0, Rork, and Replit.

Does this tool store my answers?

No. The scorecard runs entirely in your browser. Nothing you check is sent anywhere or stored.

Low score? I can get it production-ready.

I fix AI-built apps for production: security, auth, data rules, error handling, and clean deployment. Flat-rate, usually within 48 hours.

Book a Free Call →Vibe-Coded Production Service

Fix Lovable →Fix Bolt →Fix v0 →Fix Rork →Fix Replit →

Is your AI-built appactually production-ready?