AI App Production Clinic

Your app works in Bolt.new, Lovable, or Replit's preview environment. The moment you push it to a real domain, it breaks, or it is carrying security exposures you cannot see. We are the engineering review between your prototype and the production environment it needs to reach.

Senior UK engineers. Fixed-price diagnostic audit from £495. Honest fix, refactor, or rebuild recommendation. No commitment required beyond the audit.

Anthropic Consulting Partner · Registered in England & Wales No. 16138782 · Professional indemnity insured · UK GDPR Data Processing Agreement available · All credentials handled via 1Password — never email

The Last 20% That Breaks

AI coding tools are built to produce working prototypes in a browser preview environment. They are not built for production deployment, and the gap between the two states is where most AI-generated applications fail. The problem is not that the tools are poor. It is that they optimise for the demo, not for the finish line.

Works in preview, fails in production

Your app runs correctly in Bolt.new, Lovable, or Replit's built-in preview. The moment you point it at a custom domain or deploy to Vercel, it crashes. Build logs contain error messages that the AI cannot interpret without full context. Every suggested fix breaks something adjacent.

The AI has entered a fix loop

You have been prompting for the same class of error for two days. Each fix introduces a regression elsewhere. The AI does not have a coherent view of the full codebase. You are burning API credits and accumulating technical debt simultaneously.

You cannot tell if it is fixable

You have built something real. You cannot determine whether the remaining problems require a twenty-minute configuration change or a ground-up rebuild. Without an engineering assessment, any decision you make carries substantial risk.

What We Find in AI-Generated Codebases

Across the tools currently in widespread use, the same failure patterns recur. These are not edge cases.

  • Supabase Row Level Security misconfigurations. CVE-2025-48757 covered more than 170 Lovable-built applications with critical RLS gaps — either locking legitimate users out of their data or exposing all data to any authenticated user. RLS configuration requires human review before any application handles real user data.
  • Secrets exposed in client-side bundles. Escape.tech's scan of 5,600 vibe-coded applications found more than 400 exposed API keys and secrets in client-accessible code. The Moltbook breach (January 2026) exposed 1.5 million API tokens through this mechanism.
  • Authentication flows that break on custom domains. Auth sequences that function correctly in the tool's own preview environment frequently break once deployed under a custom domain, in OAuth redirect flows, or when JWT refresh token handling is required.
  • Environment variable handling. Build-time versus runtime variable resolution on Vercel and Netlify consistently breaks AI-built applications at deployment. The AI tool does not distinguish between the two contexts; the result is a deployed application that cannot reach its own backend.
  • Circular fix loops and accumulated technical debt. Once an AI agent begins patching TypeScript errors or dependency conflicts without full repository context, it enters a pattern of trial-and-error that burns credits and introduces regressions faster than it resolves the original fault.
  • UK GDPR exposure. AI-built applications handling personal data frequently lack the consent mechanisms, data minimisation practices, and documented lawful basis required under UK GDPR.
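The RLS failure pattern above, shown in Supabase's SQL as an added illustration (not the clinic's code): a policy that admits any authenticated user, beside per-user policies scoped with Supabase's auth.uid() helper, plus a catalogue query for the lock-out case where RLS is enabled but no policy exists. The notes table is a constructed example.

```sql
-- Constructed example table: one row per note, owned by a user.
create table public.notes (
  id      bigint generated always as identity primary key,
  user_id uuid not null references auth.users (id),
  body    text not null
);

alter table public.notes enable row level security;

-- WEAK: the pattern described above. Any signed-in user passes the check,
-- so every authenticated account can read and change everyone's notes.
create policy "notes_all_authenticated" on public.notes
  for all to authenticated
  using (true)
  with check (true);

drop policy "notes_all_authenticated" on public.notes;

-- CORRECTED: scope each operation to the caller's own rows.
-- auth.uid() returns the subject (user id) of the caller's Supabase JWT.
create policy "notes_select_own" on public.notes
  for select to authenticated
  using (auth.uid() = user_id);

create policy "notes_insert_own" on public.notes
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "notes_update_own" on public.notes
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "notes_delete_own" on public.notes
  for delete to authenticated
  using (auth.uid() = user_id);

-- The other failure mode (legitimate users locked out): RLS enabled with
-- no policy denies every row to non-service roles. List such tables.
select c.relname as table_without_policies
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and c.relrowsecurity
  and not exists (
    select 1 from pg_policies p
    where p.schemaname = n.nspname and p.tablename = c.relname
  );
```

Run the final query in the Supabase SQL editor against a staging copy before real user data is loaded; any table it lists will return zero rows to ordinary clients.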

Veracode's 2025 analysis of 150 AI models found that 45% of AI-generated code fails basic security checks. A separate study of 5,600 vibe-coded applications identified more than 2,000 vulnerabilities. These figures are not from adversarial research — they reflect routine production conditions.

Service Packages

The Diagnostic Audit is the required first step for all engagements beyond a single named quick fix. We will not quote for remediation work on an AI-generated codebase without completing an audit first — AI-generated codebases have unpredictable underlying complexity that will destroy fixed-price margins if not scoped correctly.

| Package | What it covers | Price | Turnaround |
|---|---|---|---|
| AI App Diagnostic Audit | Senior engineer reviews codebase, deployment, security, and architecture. Written report with fix, refactor, or rebuild recommendation. | £495 (launch; standard £750) | 3 to 5 working days |
| Quick Fix | A single named, clearly scoped issue — one environment variable fault, one build configuration error, one named deployment blocker. | £350 to £750 | 24 to 72 hours |
| Deployment Rescue | App functions locally or in preview; our team gets it live and stable on your target hosting platform. | £1,250 to £3,500 | 5 to 10 working days |
| Production-Ready Upgrade | Full hardening from working prototype to a secure, deployable application. Auth, database security, payments integration, hosting, monitoring. | £3,500 to £8,000 | 2 to 4 weeks |
| Refactor or Rebuild | For applications where accumulated circular-fix debt has made further patching unsafe. Project-managed delivery. | £8,000 to £25,000+ | 4 to 10 weeks |
| Monthly Technical Support | Ongoing engineering retainer for teams continuing to build with AI coding tools who need a qualified engineer in the loop. | £950 to £3,500/month | Same-day response |

All prices quoted exclusive of VAT. UK VAT applies at the standard rate.

How It Works

  1. Submit the intake form. Describe your app, your stack, what works, and what does not. Takes five minutes.
  2. 20-minute triage call. Free. We confirm the stack is within scope and discuss urgency and budget.
  3. Purchase the Diagnostic Audit (£495). You grant read-only access to your repository. We do not require write access at this stage.
  4. Receive the written report. 8 to 10 pages, a Loom walkthrough, and a scoped quote for the recommended next step. Fix, refactor, or rebuild — with the reasoning that supports the recommendation.
  5. Decide. You can proceed with us, take the report elsewhere, or pause. The audit fee is not conditional on further work.

Tools We Work With

We support applications built with, or targeting deployment on, the following tools and platforms:

AI builders: Bolt.new, Lovable, v0 by Vercel, Base44, Replit Agent, Cursor, Windsurf, Claude Code, OpenAI Codex, GitHub Copilot

Backends: Supabase (Postgres, Auth, RLS, Edge Functions), Firebase (Firestore, Auth, Hosting, Rules)

Hosting and deployment: Vercel, Netlify, Railway, Cloudflare Pages, Replit Deployments, Firebase Hosting

Payments and auth: Stripe (one-time and subscriptions), Clerk, NextAuth.js, Supabase Auth, OAuth flows

Who This Is For

  • Non-technical founders and solo SaaS builders who have spent weeks in an AI fix loop, have a working prototype, and cannot determine whether the remaining problems are solvable without a professional assessment.
  • UK SME internal teams who have used Bolt.new, Lovable, Replit, or Cursor to build an internal tool, and now need to deploy it to production or put it in front of clients — without exposing the organisation to security or compliance risk.
  • Consultants and agencies who have built a client prototype using AI coding tools and need an independent engineering review before delivery. White-label engagements available under NDA.

This service is not suitable for: native mobile applications, regulated medical devices, or applications where the client cannot confirm legal ownership of the codebase.

Who Carries Out the Work

Diagnostic Audits are conducted by Jay Matharu, senior consultant at The AI Consultancy. Jay leads AI solutions delivery across the consultancy's client base in logistics, financial services, healthcare, and professional services. All remediation and rebuild work is delivered by the same team — there is no subcontracting to unvetted third parties.

The AI Consultancy is a registered Anthropic Consulting Partner and holds professional indemnity insurance covering software diagnostic and remediation work. All credential handling follows a formal 1Password protocol; credentials are never transmitted via email, Slack, or any plaintext channel. A UK GDPR Data Processing Agreement is available as standard for applications that handle personal data.

Frequently asked questions

Do you work specifically with AI-generated code, or any codebase?
The AI App Production Clinic is designed specifically for codebases built using AI coding tools — Bolt.new, Lovable, Replit, Cursor, Claude Code, v0, and similar platforms. The failure patterns in AI-generated code are distinct from those in hand-written code, and our diagnostic process is calibrated accordingly. If you have a legacy codebase with no AI-generation history, our standard AI implementation consulting is the more appropriate route.

What if the codebase needs a full rebuild?
If the Diagnostic Audit concludes that a rebuild is the correct path, we will say so — with the reasoning and a scoped quote. We will not recommend a rebuild unless it is genuinely warranted, and we will not recommend a fix if the codebase cannot be safely patched. The audit fee (£495) is not affected by which recommendation the report reaches.

Do I need a GitHub account or an existing repository?
A GitHub, GitLab, or Bitbucket repository is the preferred route for sharing code. If your application was built in a tool that does not generate a repository (some Bolt.new and Lovable builds), a zip export is acceptable. If no exportable code exists at all, let us know at intake — this is a scoping consideration, not an automatic disqualifier.

How do you handle API keys and database credentials securely?
All credentials are handled via a 1Password shared vault, established at the start of the engagement. We do not accept credentials via email, Slack, or any plaintext channel. We request read-only repository access at the diagnostic stage; write access is only requested on a named feature branch if remediation work is confirmed. We recommend rotating all shared credentials at the close of the engagement.

What is included in the Diagnostic Audit?
The 8 to 10 page written report covers: codebase architecture assessment; security posture review (secrets management, authentication design, database security rules); deployment configuration analysis; a clear fix, refactor, or rebuild recommendation with supporting rationale; and a scoped quote for the recommended next step. A Loom video walkthrough accompanies the written report. UK GDPR considerations are flagged where the application handles personal data.

How long does a Production-Ready Upgrade take?
A Production-Ready Upgrade — covering auth hardening, database security, payments integration, hosting, and basic monitoring — typically takes two to four weeks following the Diagnostic Audit. Exact timing depends on codebase complexity, which the audit will establish. We do not quote a fixed timeline without completing the diagnostic first.

What happens after the 14-day post-delivery support window?
After the 14-day window closes, ongoing support is available via the Monthly Technical Support retainer (£950 to £3,500 per month). This provides defined engineering hours, on-call escalation, and a monthly code health review. Many clients who continue to build with AI tools find a retainer useful as a quality gate for new features.

Can you handle applications that process personal data or operate in regulated sectors?
Yes. We have delivered AI solutions across financial services (FCA-regulated), healthcare (dental, medical), legal practice, and logistics. Our diagnostic process includes a UK GDPR awareness review as standard, and we flag FCA, SRA, or sector-specific regulatory considerations where relevant. A UK GDPR Data Processing Agreement is available for all engagements. If your application processes special-category data, let us know at intake.

Start With a Diagnostic

The £495 Diagnostic Audit gives you an independent engineering assessment, a written report, and a clear recommendation — regardless of whether you proceed with us or not.