Keys in the client bundle
Your Stripe and OpenAI keys are shipped to every visitor's browser, minified but not hidden. View Source is not a hack. Anyone can run up your bill.
// Services / App rescue
Built it in Lovable, Cursor, Bolt or v0 and hit the wall? We take vibe-coded apps the rest of the way: auth that holds, payments that clear, infrastructure that survives real users. No judgement. Bring the repo.
// What actually breaks
The model optimises for "runs on my machine", not "survives the internet". These are the six failures we find in almost every rescue.
This isn't us being dramatic. Independent analysis by Veracode found that roughly 45% of AI-generated code introduced security flaws from the OWASP Top 10. The model ships confident code. Confidence is not security.
Your Stripe and OpenAI keys are shipped to every visitor's browser, minified but not hidden. View Source is not a hack. Anyone can run up your bill.
Supabase row level security disabled because the tutorial said it was easier. It was. Now every user can read every row, including each other's.
The login check lives in React state, and the API behind it trusts whoever asks. Your protected routes are a curtain, not a lock.
Queries built by gluing strings together. One crafted input and a stranger is writing your SQL. This was a solved problem. The model unsolved it.
No test suite, so every new prompt is a coin flip. Fix the login, break the checkout. You can't ship what you can't trust to stay fixed.
It runs perfectly with one user: you. The second concurrent user hits a race condition, the tenth hits a timeout, and the launch becomes an apology.
// How the rescue works
01 The audit
48 hours after repo access you get a prioritised findings report: what's dangerous, what's fragile, what's fine. It's yours whether or not you continue.
02 Security first
Secrets rotated and moved out of the bundle. RLS on. Auth enforced server-side, where attackers actually live. The scary stuff dies first.
03 Foundations
Tests around the behaviour that matters, CI that blocks bad merges, a staging environment, real deploys. Boring on purpose.
04 Ship
Your feature list, built on ground that holds. This is the bit you wanted all along. The first three steps are why it works this time.
Keep building in Lovable if you love it. We harden what is underneath.
// Who this is for
Founders
Investors saw it. Users signed up. Now it needs to hold real money and real data, and you know the difference between a demo and a product. That instinct is correct.
Teams
Someone vibe-coded an internal tool over a weekend and now the whole company runs on it. Nobody wants to touch it. We do.
The quoted
A dev quoted you a ground-up rebuild and it felt like a punishment. Here's the thing: most of your app is fine. It needs a spine, not a funeral.
// Straight answers
The audit comes first, then a fixed quote based on what we actually find in your code. No hourly meter, no surprise invoices. Most rescues land well under the cost of a ground-up rebuild, because most of your app is worth keeping.
Yes. Repo access comes first, then we quote from the code, not the vibes. Half-finished features, abandoned branches, three different auth attempts: we work with whatever state it's in.
No. The model wrote it anyway. You shipped something real, which puts you ahead of everyone still writing specs. We just make sure it survives contact with the public internet.
No. We make them safe to keep using. Keep prompting in Lovable or Cursor, and we put tests, reviews and guardrails underneath so one bad generation can't take down production.
The audit typically starts within days of getting repo access. We reply within one business day, so if it's on fire, say so in the subject line.
// Start the rescue
Send it exactly as it is. Half-finished branches, hardcoded keys, console.logs everywhere. We've seen worse, and we'll tell you straight what it needs.
Replies within one business day. From the person who writes the code.