April 28, 2026

What Rescuing 320,000 Lines of Vibe-Code Taught Us

After auditing and refactoring vibe-coded MVPs for two years, patterns emerge. Here's what breaks, what survives, and how to know which is which.

By Techrangle Team

We've now audited or refactored over 320,000 lines of code generated by Cursor, v0, Lovable, Bolt, and the occasional unhinged Claude session, across B2B SaaS, e-commerce, booking platforms, and internal tools for clinics.

Here's what we've learned.

The pattern is always the same

Vibe-coded MVPs tend to fail in one of four ways, in roughly this order of frequency:

1. Authentication is a house of cards. Session management copy-pasted from a blog post. JWT secrets hardcoded in .env.example and committed. Route protection that only applies client-side. We've seen this in seven of the last ten audits.

2. The database has no schema discipline. Every new feature added a new column. Nullable fields everywhere because the AI "wasn't sure if this would be needed." Indexes? What indexes? At a few thousand rows everything is fine. At a hundred thousand, the app becomes unusable.

3. Error handling is decorative. try { ... } catch (e) { console.log(e) } — everywhere. The app looks fine in happy-path demos. Prod is a different story.

4. There's no separation between UI and business logic. The fetch call is inside the React component. The formatting function is co-located with the API call. One change ripples everywhere and nobody knows why.

What actually survives

Here's the part that surprises people: the UI usually holds up. Modern AI tools are genuinely good at producing clean, accessible markup and reasonable CSS. The visual layer is often more than salvageable — it's good.

The routing and state management are usually fine too, as long as they were generated with a specific framework in mind. Next.js App Router pages generated by v0 tend to be clean.

What breaks is almost always in the invisible plumbing — auth, data access, error boundaries, environment configuration, and secrets management.

Our triage process

When a new client comes to us with a vibe-coded codebase, we run it through a fixed checklist before touching anything:

  1. Secrets audit — scan for hardcoded keys, tokens, connection strings. Non-negotiable first step.
  2. Auth flow trace — follow a session from login to protected resource. Map every assumption.
  3. Database inspection — look at the schema, the query patterns, the index coverage.
  4. Error surface — what happens when an external call fails? What happens when the DB is slow?
  5. Dependency audit — npm audit, outdated packages, anything with a known CVE.

The results of this audit determine scope. Sometimes it's a two-week targeted refactor. Sometimes it's a rebuild with the UI layer preserved.
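
A minimal version of the step 1 secrets audit, which also catches the committed .env.example JWT secret described in failure mode 1. This is an added example, not Techrangle's tooling; the rule set, the thresholds and the sample files are assumptions constructed for illustration.

```javascript
// Added example: a first-pass secrets audit over file contents keyed by path.
// Rule ids, thresholds and the sample files are assumptions, not a complete ruleset.
const RULES = [
  // KEY=value lines in .env-style files whose name suggests a credential
  { id: "env-assignment",
    re: /^\s*(?:export\s+)?([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_?KEY)[A-Z0-9_]*)\s*=\s*["']?([^"'\s#]+)/ },
  // string literals assigned to credential-looking identifiers in source code
  { id: "code-literal",
    re: /\b(\w*(?:secret|token|password|apiKey)\w*)\s*[:=]\s*["'`]([^"'`]{8,})["'`]/i },
  // scheme://user:password@host connection strings
  { id: "connection-string",
    re: /\b((?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:@\/]+):([^\s@\/]+)@/ },
];

// Documentation placeholders that are safe to commit.
const PLACEHOLDER = /^(?:change[-_]?me|your[-_].*|<.*>|x+|example.*|placeholder|\$\{.*\})$/i;

// Shannon entropy in bits per character; generated keys score higher than words.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts)
    .reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

function auditSecrets(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const { id, re } of RULES) {
        const m = re.exec(line);
        if (!m || PLACEHOLDER.test(m[2])) continue;
        const generated = m[2].length >= 20 && entropy(m[2]) >= 3.5;
        // Report location and length only; never copy the value into the report.
        findings.push({ path, line: i + 1, rule: id, name: m[1],
          severity: generated ? "high" : "review", length: m[2].length });
        break; // one finding per line is enough for triage
      }
    });
  }
  return findings;
}

// Constructed sample input (not from any real repository).
const SAMPLE_FILES = {
  ".env.example": "# sample\nDATABASE_URL=postgres://app:Sup3rS3cretPw@db.internal:5432/app\n" +
    "JWT_SECRET=9f2c7a1be4d84c0fa6b3e5d7c8a1f0e2\nSTRIPE_API_KEY=your-stripe-key-here",
  "lib/auth.js": 'const jwtSecret = "dev-secret-123";\nconst token = process.env.TOKEN;',
};
console.log(auditSecrets(SAMPLE_FILES));
```

In practice the `files` map would be built from the repository's tracked files. Any value that turns out to be a real secret has to be rotated, because deleting it from the current tree leaves it in the commit history.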

The thing nobody tells founders

Vibe-coded MVPs are genuinely useful. They let non-technical founders validate ideas at a speed that wasn't possible three years ago. We're not here to shame anyone for using them.

But they have a ceiling. That ceiling is usually somewhere between "it works in the demo" and "it works for a hundred paying customers." If you're approaching that ceiling, the cost of fixing it now is a fraction of what it will cost after a security incident, a data loss event, or a six-month performance degradation that drives your best customers away.

The $497 Vibe-Code Audit Toolkit is our attempt to give you the same checklist we run — so you can at least know what you're sitting on before you scale.

And if what you find is too scary to handle alone, that's what we're here for.
