From Vibe Coding to Production: the Complete Guide for Startup Founders

Vibe Coding: Why a Prototype Is Not Yet a Product

Today you can describe an app to an AI assistant and watch it appear in front of you in a few hours. It is called vibe coding, and it has a dangerous side effect: it convinces you that you are almost done, when in reality you have barely started.

Vibe coding is an extraordinary tool for mockups, analysis and early prototypes, exactly the work that used to take weeks. We see it every day at Castaldo Solutions: founders build their first MVP on their own, then hand it to us for hardening, security and a gradual move to production.

The truth is simple. Going all the way with vibe coding is possible today, but it requires a solid technical foundation that most founders do not have. Between a prototype running on your laptop and software that holds real, paying users with real data, there are 9 levels of work that no AI does for you unless you ask, and that you do not ask for because you do not know they exist.

This is the map of those 9 levels. It is the first article in a series: here you get the big picture, and in the deep dives we go into the detail of each level.

The 9 Levels to Take an App to Production

The pyramid reads from the bottom up. At the base are the technical foundations: get those wrong and everything you build on top is fragile. At the top is maintenance, the work that keeps the app alive after launch.

Every level you skip does not disappear. It becomes a silent problem that bills you when you least expect it, usually in production, with real users watching.

Level 0 - Which Stack to Choose When You Start Solo

If you are a founder starting from scratch, without a large team behind you, the technology choice is the decision that shapes everything else. My recommendation for the vast majority of cases is TypeScript.

The reason is practical. TypeScript unifies backend and frontend under a single language, has a huge ecosystem of frameworks and libraries, and is complete enough to cover almost any business need. One language means less context to manage, fewer integration errors, and a codebase the AI can follow more easily.

For the database, PostgreSQL is the sensible default for almost every application. If you work with vector data it can make sense to evaluate open source alternatives like Supabase, but otherwise Postgres gives you solidity and maturity. Add a client like Prisma and keep your database schema always aligned with your app entities, which speeds up development.

We cover this in detail in the deep dive on stack and database for vibe coding.

Level 1 - How to Stop Your Database From Becoming a Time Bomb

When the database is left entirely to an inexperienced founder, the same thing almost always happens: dead columns and relations, duplicated data, information scattered across multiple objects because there was no upfront analysis of the data model.

The result is data dirtiness that starts on day one and grows with the app. The more data you collect, the more the problem compounds, until you realize the information is not connected the right way and every report requires acrobatics.

Then there is something nobody controls early on: connection pooling. Without proper connection management, your app behaves fine while you are the only one testing it, then crashes as soon as real users arrive in parallel. Starting from an architectural analysis of the database means having something that is already production ready, not a fragile castle.

Level 2 - Authentication: Why You Should Not Write It Yourself

One of the most common mistakes in vibe coding is dragging along a fully custom authentication module written from scratch. It is a mistake because authentication is one of those pieces where you should not reinvent the wheel.

There are services and frameworks that solve the problem in a secure, battle-tested way. If you want a managed third-party service, Clerk is an excellent choice. If you prefer to keep authentication inside your application, Auth.js does the job.

Relying on mature solutions protects you from an entire category of vulnerabilities: broken logins, badly managed sessions, compromised accounts. Then there is the visibility side: without roles and without Row Level Security (RLS), one user can end up seeing another user's data. We dig into the whole security topic in the article on authentication, secrets and vulnerabilities in vibe coding.

Level 3 - Where NOT to Put Your .env File (and How to Handle Secrets)

This is the mistake you do not see right away. You notice it later, when you get a bill that burns your entire OpenAI account overnight.

More and more often, inexperienced developers put environment files in publicly exposed paths, with API keys and tokens that end up indexed on the web. Once exposed, a key is compromised, full stop.

The ideal is not even to have a .env file: it is a setup that stores all variables inside the environment or a secret manager, so there is no physical point to steal. Add periodic token rotation and you drastically reduce the attack surface. It is tedious, but it is the difference between sleeping at night and waking up to a four-figure bill.

Level 4 - Vulnerabilities and Dependencies: the Mandatory Check Before Production

This is the most critical part and, not by chance, the one most often ignored. It is not a refinement: it is a mandatory activity before going to production.

AI does not just write your code. It also brings in dependencies, the libraries your app relies on. And here there is a structural problem: models are trained on old versions, so they tend to suggest libraries that may be outdated or deprecated, sometimes with already published vulnerabilities.

That is why the first thing to check is dependencies and deprecated code. Tools like Dependabot on GitHub warn you automatically when a library has a known flaw and propose the update. The average AI does not know this: you have to.

Level 5 - Dead Code: the Skeleton in the Vibe Coding Closet

Vibe coding often leaves dead code behind: functions never called, abandoned logic, parts that are no longer needed. Every line of dead code is technical debt you carry around like a skeleton in the closet.

It is not just about tidiness. Dead code is also a security risk, because it belongs to logic that nobody maintains anymore and can hide flaws. Keeping a clean codebase from the start is the right thing to do.

There is a point here that applies to the whole article: when the application grows large, AI agents can no longer see all the dead code in it. The value of human control, of an expert who knows what to look for, grows exactly as the limits of the technology grow. We discussed this in the guide on how to use AI without creating technical debt.

Level 6 - Compliance and Legal: GDPR, AI Act and Who Owns Your Code

Before going to production you need your legal framework in place: cookies, privacy, terms and conditions filled in correctly. Doing it well requires advice from a legal tech lawyer, not a copy-paste found online.

Moving forward without that framework does not only expose you to legal trouble like GDPR and the AI Act. It exposes you on a front almost nobody considers: intellectual property. If you deliver consulting or build for a client without a well-structured license agreement from the start, that client can claim part of the code, especially in the case of customizations. This is something to avoid at all costs.

There is also a technical reason to plan this level early, even though it sits in the middle of the pyramid. With regulations like Italy's Law 132 or the AI Act, the risk is having to make changes that distort the application: huge refactors at the end of the project, and some business features that simply can no longer be built. Better to find out at the start than to face nasty surprises at the finish line. We cover this in depth in the article on compliance by design, with the AI Act, Law 132/2025 and fines; we have also dedicated deep dives to the AI Act for Italian companies and to the role of the legal tech analyst.

Level 7 - Infrastructure as Code: Environments Ready in Minutes, Not Days

Today you can describe your entire infrastructure inside files and containers. That means a development environment you can spin up in minutes, not days.

The advantage is not only setup speed. With tools like Docker you can run tests on ephemeral databases or infrastructure, created and destroyed only during the test run. You speed up development and you speed up testing, two things that usually slow a hand-built project to a crawl.

It is a level a founder or a junior developer rarely knows, and one that completely changes the quality and repeatability of what you ship. No more "it works only on my machine".

Level 8 - Maintenance: Backups, Cron Jobs and Notifications That Actually Work

Maintenance is the last block of the pyramid, and it is almost always the one set up worst from the start.

The classic scenarios are familiar: there are no periodic backups, so a single error can wipe out months of data. You want notifications, but they never fire, because the queues that handle them were never set up. Trivial operations like clearing the server cache do not yet fit into well-defined protocols you can fully delegate to AI.

All of this rests on technical knowledge that is hard to hand off to an assistant: cron jobs, queue management, backups and observability (tools like Sentry to understand what broke and PostHog to understand what users do). It is work you do not see, until it is missing. We cover the whole phase in the article on how to ship a vibe-coded app to production.

Does Vibe Coding Replace the Developer?

The honest answer is: in part yes, and that is exactly why the developer becomes more important, not less.

Much of the work of writing code is now accelerated by AI, and that is a good thing. But all the knowledge of production and maintenance, the 9 levels in this guide, is simply not replaceable. It takes experience, and it takes continuous maintenance that is too often ignored.

The good news is that building a SaaS today is simpler, faster and more cost-efficient than a few years ago. The bad news is that the early ease hides everything that comes after. Before you say the work is done, make sure you have climbed all nine levels.

Where to Start

If you have a prototype born in vibe coding and want to take it to production without disasters, the starting point is understanding which level of the pyramid you are really at. We do this every day: we take MVPs built by founders and make them secure, scalable and ready for real users, step by step.

Talk to us about your app and find out what stands between you and production.