afterbuild/ops
§ S-10/prototype-to-production

AI prototype to production — Lovable, Bolt, Cursor, in 2–6 weeks.

Your AI-built MVP has users interested, investors watching, or revenue coming in. It cannot fall over. Hardened auth, Stripe that does not lose money, CI/CD, tests on the money paths, monitoring, and a seven-day post-launch on-call window.

price · from $7,499
turnaround · 2–6 weeks
guarantee · 7-day post-launch on-call
Quick verdict

AI prototype to production moves your Lovable, Bolt, Cursor, v0, or Replit MVP from 'works for the demo' to production-grade in 2 to 6 weeks — hardened auth, migrations, Stripe that doesn't lose money, CI/CD, critical-path tests, monitoring, and a clean handoff. We preserve your existing code and refactor incrementally; rewrites are a last resort. Fixed fee from $7,499 after a 48-hour audit. Seven days of post-launch on-call included.

90%
vibe-coded projects that never reach production
~1/2
AI-generated code ships with CVEs (see our 2026 research)
85%
broken AI deploys failing on env, RLS, OAuth, Stripe, or SSL
7d
post-launch on-call window included with every engagement
§ 01/diagnosis

Symptoms prototype-to-production fixes

Eight failure classes that separate a working AI preview from a launch that holds. Each row maps the symptom to the pattern AI builders ship and the patch we deliver.

diagnostic matrix · lovable to production · bolt prototype to launch · ai mvp production-ready
Symptom | Root cause (AI-builder pattern) | Our fix
App works in preview, dies on deploy | Lovable/Bolt preview auto-injects env vars that the production host does not have | Environment variable audit, Vercel/Netlify dashboard sync, preview URL smoke test on every PR
Users can sign up but not log back in | OAuth redirect URI still pointing at localhost or preview URL; session cookie scoped to wrong domain | Fix redirect allow-list, cookie domain/SameSite config, add session persistence test
Stripe Checkout completes, subscription never activates | Webhook endpoint missing signature verification or idempotency; event processed twice or rejected silently | Verify Stripe-Signature, idempotency on event.id, end-to-end Playwright test covering full purchase flow
One component crash blanks the whole app | No route-level error boundaries; effects throw synchronously and unmount the root | Error boundaries per route, Sentry integration, graceful fallback UI
Deploy is scary; rollback is a nightmare | No staging, no preview URLs, no rollback button; production is the only environment | CI/CD pipeline, staging environment, Vercel/Netlify preview deploys, documented rollback path
App falls over under 100 concurrent users | N+1 queries, no connection pooling, no cache, no CDN on static assets | Query profiling, add indexes on hot paths, pooling via PgBouncer, edge cache headers on static routes
Silent regressions every time AI edits | No CI, no type-check gate, no test gate on PRs | GitHub Actions: tsc, ESLint, Playwright smoke tests required to pass before merge
Due diligence incoming, code is unreadable | No architecture doc, no rules file, no test suite a reviewer can skim | Architecture overview, rules file, critical-path tests, clean handoff package
§ 02/schedule

Lovable to production schedule — audit to on-call

Five steps from the 48-hour audit through post-launch on-call. Every phase is fixed-fee and reviewable before the next begins.

  1. D1–D2

    48-hour productionization audit

    We read the repo, test the current deploy path, and list every blocker between 'works for the demo' and 'survives on production.' Written plan, fixed fee, delivered in 48 hours.

  2. W1

    Stabilize auth, data, and payments

    Week one: auth, data layer, Stripe. We fix the parts that break first when real users arrive. RLS on every table, Stripe webhooks idempotent, sessions that actually persist.

  3. W2–W3

    Productionize infrastructure

    CI/CD, staging environment, monitoring, rollback, preview deploys. Launching changes stops being scary. Every PR gets a preview URL reviewers can check.

  4. W3–W5

    Tests, handoff docs, launch checklist

    Integration tests on critical paths, architecture doc, runbooks, rules file. Final launch runs through a written checklist with rollback kept warm.

  5. W5–W6

    Post-launch on-call

    Seven days of post-launch on-call. Any Sentry spike, uptime alert, or customer report gets triaged within two business hours. Optional Retainer handoff for ongoing support.

§ 03/config-vignette

Production config AI builders skip

The next.config.ts and vercel.json pair we ship on every productionization — security headers, CSP, cache control per route, function memory limits, cron schedules. Lovable and Bolt ship neither file with the production-hardening an MVP actually needs.

next.config.ts
```typescript
// next.config.ts — production config AI builders skip
import type { NextConfig } from "next";

const securityHeaders = [
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  {
    key: "Content-Security-Policy",
    value: [
      "default-src 'self'",
      // 'unsafe-inline' still permits inline scripts; a nonce-based script-src is stricter
      "script-src 'self' 'unsafe-inline' https://js.stripe.com",
      "connect-src 'self' https://*.supabase.co https://api.stripe.com",
      "frame-src https://js.stripe.com https://hooks.stripe.com",
      "img-src 'self' data: https:",
    ].join("; "),
  },
];

const nextConfig: NextConfig = {
  reactStrictMode: true,
  poweredByHeader: false,
  env: {
    // read from platform dashboard — do NOT inline secrets here
  },
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
  async redirects() {
    return [
      // enforce one canonical host (here www → apex) so auth cookies work
      { source: "/:path*", has: [{ type: "host", value: "www.example.com" }],
        destination: "https://example.com/:path*", permanent: true },
    ];
  },
  experimental: { serverActions: { bodySizeLimit: "1mb" } },
};

export default nextConfig;
```
Security headers + CSP allow-list scoped to Stripe and Supabase; redirects enforce a canonical host so auth cookies work.
vercel.json
```json
{
  "$schema": "https://openapi.vercel.sh/vercel.json",
  "framework": "nextjs",
  "buildCommand": "npm run build",
  "installCommand": "npm ci",
  "functions": {
    "app/api/stripe/webhook/route.ts": {
      "maxDuration": 15,
      "memory": 512
    },
    "app/api/**/route.ts": {
      "maxDuration": 10
    }
  },
  "headers": [
    {
      "source": "/_next/static/(.*)",
      "headers": [
        { "key": "Cache-Control", "value": "public, max-age=31536000, immutable" }
      ]
    },
    {
      "source": "/api/(.*)",
      "headers": [
        { "key": "Cache-Control", "value": "private, no-store" }
      ]
    }
  ],
  "crons": [
    { "path": "/api/cron/cleanup-stale-sessions", "schedule": "0 3 * * *" }
  ]
}
```
Per-route cache control, function memory for Stripe webhook endpoint, scheduled cron for stale-session cleanup.
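A header set like the one in next.config.ts is only useful if the deployed response actually carries it. The following is an added example (not this page's or the project's code) of an audit a smoke test could run against a response's headers; the function names, thresholds, and both sample header sets are assumptions constructed for illustration.

```javascript
// Added example, not the project's code: audit response headers against the section 03 baseline.
const CHECKS = {
  "strict-transport-security": (v) => Number((/max-age=(\d+)/i.exec(v) || [0, 0])[1]) >= 31536000,
  "x-frame-options": (v) => /^(deny|sameorigin)$/i.test(v.trim()),
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
  "referrer-policy": (v) => v.trim() !== "" && !/unsafe-url/i.test(v),
  "content-security-policy": (v) => "default-src" in parseCsp(v),
};

// Split "a-src x y; b-src z" into { "a-src": ["x", "y"], "b-src": ["z"] }.
function parseCsp(value) {
  const directives = {};
  for (const chunk of value.split(";")) {
    const [name, ...sources] = chunk.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Returns a list of findings; an empty list means the baseline is met.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const findings = [];
  for (const [name, isStrong] of Object.entries(CHECKS)) {
    if (!(name in lower)) findings.push(`missing ${name}`);
    else if (!isStrong(lower[name])) findings.push(`weak ${name}`);
  }
  const csp = parseCsp(lower["content-security-policy"] || "");
  const scriptSrc = csp["script-src"] || csp["default-src"] || [];
  for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (scriptSrc.includes(kw)) findings.push(`script-src allows ${kw}`);
  }
  for (const dir of ["script-src", "connect-src", "frame-src"]) {
    const broad = (csp[dir] || []).filter((s) => ["*", "https:", "http:"].includes(s));
    if (broad.length) findings.push(`${dir} allows any host (${broad.join(" ")})`);
  }
  if ("x-powered-by" in lower) findings.push("x-powered-by discloses the framework");
  return findings;
}

// Constructed samples: the header set from next.config.ts, and a bare preview response.
const SHIPPED = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://js.stripe.com; " +
    "connect-src 'self' https://*.supabase.co https://api.stripe.com; frame-src https://js.stripe.com",
};
const BARE_PREVIEW = { "Content-Type": "text/html", "X-Powered-By": "Next.js" };
```

Run against the shipped header set, the audit reports one finding: `script-src` still allows `'unsafe-inline'`.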
§ 04/ledger

What the production-ready engagement ships

Twelve deliverables covering the full production surface. Scope beyond these (migration, deep security audit, scale pass) is booked as a separate engagement.

  • 01 Hardened auth — sessions, password reset, email verification, role-based access
  • 02 Production database — migrations checked in, indexes on hot queries, daily backups, staging environment
  • 03 Stripe payments that hold up — Checkout, subscriptions, idempotent webhooks, failed payments, refunds
  • 04 Reliable deploys — CI/CD, preview environments, rollback in under five minutes
  • 05 Critical-path integration tests on the flows that touch money or user data
  • 06 Monitoring and alerts — Sentry, uptime, Slack. You know before users do.
  • 07 Security pass — RLS, secrets, CORS, rate limits, webhook signatures, input validation
  • 08 Performance pass — N+1 elimination, connection pooling, caching on hot paths
  • 09 Error boundaries so one component cannot blank the whole app
  • 10 Architecture overview document for onboarding the next engineer
  • 11 Project rules file (.cursorrules / CLAUDE.md) to keep the codebase on-track
  • 12 Seven days of post-launch on-call, plus an optional retainer handoff
§ 05/price

Fixed-fee Lovable to production pricing

most common
price · $7,499
turnaround · 2–6 weeks
scope · Small-to-mid AI-built app with a working preview · full productionization
guarantee · 7 days post-launch on-call included
Finish My MVP · from $7,499
§ 06/comparison

vs hourly contractor · vs a full Bolt prototype to launch rewrite

Why the fixed-fee productionization beats the alternatives on the specific failure shapes AI builders ship.

Dimension | Hourly contractor | Afterbuild Labs productionization
Pricing model | $150–$250/hr, open-ended scope creep | Fixed fee from $7,499 after $1,500 audit
Approach | Often pushes a rewrite from day one | Refactor in place; rewrites are a last resort we flag explicitly
AI-specific failures | Treats the codebase like any other legacy project | Knows Lovable, Bolt, Cursor, v0, Replit failure modes by shape
Deploy reliability | Inconsistent; rarely ships rollback or staging | CI/CD + staging + preview URLs + documented rollback under 5 minutes
Post-launch | Invoices stop, phone goes silent | 7-day on-call included, optional Retainer handoff
§ 07/fit

Who the prototype-to-production service is for

Pick the productionization if…

  • You built an MVP on Lovable, Bolt, Replit, v0, Base44, or Cursor and have users, press, investors, or revenue incoming
  • You are two weeks from launch and the app works in preview but dies on deploy
  • You are about to raise and investors want a clean codebase with tests and architecture docs
  • A full-time engineer is about to join and has already quoted a rewrite — we usually save the code
  • Stripe, OAuth, Supabase RLS, and deploys are each half-working and you cannot ship any of them alone

Don't pick it if…

  • You only have one broken bug — book Emergency Triage ($299, 48h) instead
  • You only need a security audit — use the $499 Security Audit
  • You need a framework migration (pages router → app router, CRA → Vite) — scope App Migration separately
  • The app genuinely needs a full rewrite — we will tell you in the 48-hour audit and quote a rebuild instead
§ 09/production-anatomy

Anatomy of an AI MVP production-ready pass

Roughly 90% of vibe-coded projects never reach production. The ones that do tend to share the same shape on the day they become real: the builder preview works, the demo video is recorded, the waitlist is real, and then the first deploy to a custom domain breaks in one of five places — environment variables, Supabase RLS, OAuth redirects, Stripe webhooks, or SSL/canonical host routing. The productionization pass exists to clear those five in a defined order before launch day turns into an incident post-mortem.

Week zero is the 48-hour audit. Two senior engineers read the repo, run the current deploy, and reproduce every known bug the founder documented. We map every environment variable between the preview and the production host, enumerate every Supabase table for RLS posture, test every OAuth redirect URI, verify every Stripe webhook, and confirm SSL + canonical host routing on the production domain. The output is a written productionization plan: phased checklist, fixed fee, fixed window, with every known blocker either scheduled or explicitly out of scope.

Week one is auth, data, and payments. These three surfaces share a property: when any of them is broken in production, the user experience is effectively zero. A user who cannot log in is a user who has already churned. Supabase RLS goes on every table that reads or writes tenant data. Stripe webhook handlers get signature verification and idempotency keyed on event.id. Session cookies get their domain, SameSite, and Secure attributes set correctly for the production host. Every change lands as its own commit, tagged and reviewable, so the founder sees progress daily.
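The webhook fix named in the diagnostic matrix and in the week-one paragraph (verify Stripe-Signature, idempotency keyed on event.id) looks like this in outline. This is an added example, not the project's handler: it recomputes Stripe's documented `t=...,v1=...` HMAC-SHA256 scheme by hand so the steps are visible, and the function names, the in-memory set, and the 300-second tolerance are assumptions.

```javascript
// Added example, not the project's code. Names and sample values are constructed.
const { createHmac, timingSafeEqual } = require("node:crypto");

const TOLERANCE_SECONDS = 300; // replay window: reject timestamps more than 5 minutes off

// Stripe signs "<t>.<raw body>" with HMAC-SHA256 and sends "t=<unix>,v1=<hex>[,v1=<hex>]".
function signPayload(rawBody, secret, t) {
  return createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
}

function parseSignatureHeader(header) {
  const out = { t: "", v1: [] };
  for (const part of String(header || "").split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    if (key === "t") out.t = part.slice(eq + 1).trim();
    if (key === "v1") out.v1.push(part.slice(eq + 1).trim());
  }
  return out;
}

// rawBody must be the exact bytes received; re-serialised JSON will not match.
function verifyStripeSignature(rawBody, header, secret, nowSeconds) {
  const { t, v1 } = parseSignatureHeader(header);
  if (!/^\d+$/.test(t) || v1.length === 0) return false;
  if (Math.abs(nowSeconds - Number(t)) > TOLERANCE_SECONDS) return false;
  const expected = Buffer.from(signPayload(rawBody, secret, t), "hex");
  return v1.some((sig) => {
    const got = Buffer.from(sig, "hex");
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
}

// Stand-in for a table with a UNIQUE constraint on event_id.
const processedEventIds = new Set();

// Returns the HTTP status to send: 400 on a bad signature, 200 otherwise.
function handleWebhook(rawBody, header, secret, nowSeconds, applyEvent) {
  if (!verifyStripeSignature(rawBody, header, secret, nowSeconds)) return 400;
  const event = JSON.parse(rawBody); // parse only after the signature checks out
  if (processedEventIds.has(event.id)) return 200; // Stripe retry: acknowledge, apply nothing
  applyEvent(event); // if this throws, the id is not recorded and the retry is processed
  processedEventIds.add(event.id);
  return 200;
}
```

With a real database, record the event id and apply the side effects in one transaction so concurrent deliveries of the same event cannot both pass the duplicate check.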

Weeks two and three are infrastructure. A CI/CD pipeline on Vercel or Netlify running type-check, ESLint, and Playwright smoke tests on every PR before merge. A staging environment on a non-production database so deploys can be rehearsed. Preview URLs on every PR so reviewers can click before code lands. A documented rollback path — the Vercel dashboard or a single CLI command — that a founder who has never rolled a deploy back can execute on a Saturday night. Monitoring via Sentry for errors, uptime checks for the home route and the critical auth + purchase paths, and a Slack channel that gets paged the moment any of them breach threshold.

Weeks three to five are tests, documentation, and launch. We write Playwright smoke tests for the three critical paths — sign-up, sign-in, and the primary money path (checkout, subscription start, or whatever the product does). We add integration tests on the Stripe webhook handler and the Supabase RLS policies. We write an architecture overview — folder conventions, data flow, deploy checklist, rollback runbook, incident playbook. We write a project rules file so the next time the founder prompts Cursor or Claude Code, the AI sees the conventions first and stays on-architecture. Launch day runs through the written checklist with rollback kept warm.

Week six is post-launch on-call. Seven days of active monitoring. Any Sentry spike, any uptime alert, any customer report gets triaged within two business hours. Most weeks nothing dramatic happens; occasionally we catch a regression in a third-party dependency, an edge-case RLS policy, or a Stripe webhook retry that surfaces a race condition. If you want ongoing coverage after the seven days, the Retainer engagement picks up where on-call ends.

What the productionization will not do. We will not redesign the product. We will not pick a different framework unless the current one is genuinely broken for production. We will not run a full security pen-test — use the $499 Security Audit first if that is the primary concern. We will not rewrite AI-generated code the founder is still actively adding to; freeze AI commits during the engagement or book AI-generated code cleanup before production hardening begins. The productionization pass is one discipline: move an AI-built prototype from working-for-the-demo to surviving-real-users in a fixed window.

FAQ
How long does AI prototype to production actually take?
Most Lovable-to-production or Bolt-prototype-to-launch engagements ship in 2 to 6 weeks depending on scope. Small single-domain apps with a working preview land in 2 to 3 weeks. Complex apps with multiple integrations, auth complexity, and data volume take 4 to 6 weeks. We quote a fixed fee and a fixed window after the 48-hour audit.
Do you preserve our Lovable, Bolt, or Cursor code during the productionization?
Yes. We refactor incrementally and only rewrite what is genuinely unsalvageable — usually under 10% of the codebase. AI-generated code has a bad reputation, but most of it is shippable with a cleanup pass, a security pass, and real test coverage. Full rewrites are a last resort we flag in the 48-hour audit.
What does 'AI MVP production-ready' actually mean?
Three things: users can sign up, pay, and use the core flows without errors (the happy path is reliable); the app does not fall over under load (connection pooling, indexes, monitoring); and a new engineer can read the code, extend it, and deploy safely. Every engagement ends when those three are true, measured, and documented.
Can you work with our existing team during the Lovable-to-production pass?
Yes. We pair with in-house engineers, review PRs, and coach on directing AI tools for production work. Many clients keep their team prompting in Lovable, Cursor, or Claude Code while we handle the production concerns — RLS, Stripe edges, deploys, tests. Clean handoff is built into every engagement.
How do you price AI prototype to production?
Fixed fee after the 48-hour audit. $7,499 for Finish My MVP on smaller apps with a working preview. $15,000 to $25,000 for complex apps with multiple integrations and real data volume. Larger engagements scoped separately. No hourly, no scope creep. The 48-hour audit ($1,500) is rolled into the engagement if you proceed.
What if the Bolt prototype is not salvageable as a launch?
We will tell you in the 48-hour audit. Roughly 5 to 10% of the apps we audit are genuinely better-rewritten-than-rescued. When that is the case we quote a rebuild instead — preserving the UX, business logic, and data; replacing the code. Either way you get a written recommendation before committing to the 2-to-6-week engagement.
Next step

Ready to ship?

48-hour audit first — $1,500, rolled into the 2–6 weeks productionization. Fixed-fee plan follows, seven days post-launch on-call included.
