Engineering & Building · Workflow

Vibe-Coded Prototype to Production: The Lovable to Claude Code Handoff (2026)

How to take an AI-generated prototype and harden it into a shippable codebase without a full rewrite.

15 min readUpdated July 2026By ToolJunction Editorial

Difficulty

Intermediate

Time to implement

3 hours to set up the repo and CI, then 3-5 days to harden a prototype into production

Monthly cost

$90 - $134/mo

Last updated

July 7, 2026

Quick Answer

80% of vibe-coded prototypes never ship because the handoff to real engineering is skipped. This is the handoff.

What you get

  • Convert a Lovable prototype into a version-controlled repo with CI in under 3 hours
  • Get to test coverage on the paths that matter (auth, payments, data writes) before launch
  • Cut the rewrite that kills most vibe-coded projects down to a targeted 3-5 day hardening pass
  • Ship to production behind a real CI pipeline for $90/mo in tools

Step-by-Step Workflow

7 steps · 3 hours to set up · 3-5 focused days ongoing

  1. 1

    Freeze the prototype and get it into Git

    Stop prompting in Lovable and export the current state to a GitHub repo. Clone it locally. This freezes a known-good version you can always return to. From here, every change is a commit you can review, revert, and deploy, which is the entire point of the handoff.

    Lovable product interface
    Lovable - the interface you'll work in for this step. Screenshot of the tool's own UI, not our results.
    20 minOutput: A GitHub repo with the prototype as commit oneTools: Lovable

    Tip: Tag this commit 'prototype-baseline'. When the hardening pass breaks something, you can diff against the version you know worked.

  2. 2

    Have Claude Code audit the codebase

    Run Claude Code in the repo and ask for a production-readiness audit against a specific list: exposed secrets, missing input validation, absent auth checks on server routes, missing row-level security, and lack of tests. Ask for findings as a prioritized list, not fixes yet. You want the map before you start driving.

    Claude Code product interface
    Claude Code - the interface you'll work in for this step. Screenshot of the tool's own UI, not our results.
    30 minOutput: A ranked list of production gaps with file referencesTools: Claude Code

    Tip: Ask it to rank by blast radius: anything touching payments, auth, or cross-user data reads is P0. Cosmetic issues are P3 and can wait.

  3. 3

    Move secrets and lock down the backend

    Fix the P0 security findings first. Move any keys out of client code into server-side env vars, enable Supabase row-level security with per-user policies, and add auth checks to every server route that writes or reads user data. Have Claude Code implement each fix as a separate commit so you can review them in isolation.

    3-4 hrsOutput: No exposed secrets, RLS on, auth enforced on every protected routeTools: Claude Code, Supabase

    Tip: Write one RLS policy by hand and have Claude Code follow the pattern for the rest. Blindly generated policies are the easiest way to lock yourself out or leave a table open.

  4. 4

    Add tests where risk lives

    You do not need full coverage. You need tests on the paths where a bug costs you money or trust: authentication, the paid action, and any write that touches another user's data. Have Claude Code write these tests, run them, and fix what fails. This is the safety net that lets you keep shipping fast after the handoff.

    3-4 hrsOutput: A test suite covering auth, payments, and cross-user writesTools: Claude Code

    Tip: Test the failure cases, not just the happy path. 'Unpaid user cannot access the paid action' catches more real bugs than 'paid user can'.

  5. 5

    Set up CI and preview deploys

    Connect the repo to Vercel so every branch gets a preview URL and every merge to main deploys. Have Claude Code write a GitHub Actions workflow that runs the tests and a type check on every PR, blocking merge on failure. Now a broken commit cannot reach production, which is the line between a prototype and a product.

    1-2 hrsOutput: CI that runs tests on every PR and blocks merge on red; preview deploy per branchTools: Vercel, Claude Code

    Tip: Require the CI check to pass before merge in GitHub branch protection. A pipeline that does not block is theater.

  6. 6

    Route AI changes through PRs with review

    From now on, Claude Code opens a branch and a PR for every change rather than committing to main. Turn on CodeRabbit (or Graphite Agent) so each PR gets an automated review pass. This gives the fast AI-driven work a checkpoint, which matters most precisely when you are moving quickly and skipping your own review.

    CodeRabbit product interface
    CodeRabbit - the interface you'll work in for this step. Screenshot of the tool's own UI, not our results.
    30 min setup, then ongoingOutput: Every AI change lands via a reviewed PR, not a direct pushTools: CodeRabbit, Claude Code

    Tip: Read the AI review, but do not accept it blindly either. Treat CodeRabbit as a second opinion, not an approver.

  7. 7

    Cut over to production and verify

    Point your custom domain at the Vercel production deploy, swap in production Supabase and any live third-party keys, and run a full end-to-end pass as a brand-new user in an incognito window. Sign up, use the paid action, and confirm data lands correctly with RLS enforced. Only then announce it is live.

    1-2 hrsOutput: A verified production deployment on your domainTools: Vercel, Supabase

    Tip: Do the incognito run before you tell anyone. Finding the broken signup yourself is free; finding it via a churned first user is not.

Vibe coding gets you a working prototype fast, but the code underneath is optimistic: thin error handling, no tests, secrets in the wrong place, and auth that works on the happy path only. The instinct is to throw it away and rewrite. That is the mistake that kills the project, because you lose the one thing the prototype gave you (a validated product) to chase clean code nobody has paid for. This workflow keeps the prototype and does a surgical hardening pass with Claude Code: put it under version control, add tests where risk lives, fix the security holes, and ship behind CI. Days, not a rewrite.

What a prototype is missing, specifically

A Lovable or Bolt prototype almost always ships with the same five gaps: no automated tests, secrets or API keys committed or exposed client-side, missing input validation on writes, no row-level security so any user can read any row, and no CI so a broken commit reaches production. None of these are visible when you click through the demo. All of them surface the day a real user hits an edge you did not click. The handoff is a checklist against exactly these gaps, not a vague 'make it production-grade'.

Stack cost breakdown

Public list prices as of July 2026. Optional tools are marked in the notes.

ToolPlanMonthly costNotes
LovablePro$25/moRequired. Owns the prototype and its GitHub sync.
Claude CodeClaude Pro$20/moRequired. The hardening engine: tests, refactors, security, CI. Upgrade to Max 5x ($100/mo) for heavy days.
SupabasePro$25/moRequired. Production database with row-level security and daily backups.
VercelPro$20/moRequired. Production hosting, preview deploys per PR, custom domain.
CodeRabbitPro$24/moOptional. Reviews every PR the AI opens so the handoff has a second set of eyes.
CursorPro$20/moOptional. Alternate IDE for hands-on editing alongside Claude Code.
Total$90 - $134/mo($90 required, $134 with optional tools)

Email me this stack as a checklist

Every tool, the plan to pick, and the monthly cost - in your inbox.

We'll email this once you confirm - no spam.

Real usage

What people actually run

No usage reports yet - be the first to share what you run. Tell us your real stack, your actual monthly cost, and any tools you swapped.

The audit prompt that drives the handoff

The whole workflow hinges on one prompt that turns a vague 'make it production-ready' into a concrete, rankable checklist.

Claude Code production-readiness audit prompt

Audit this codebase for production readiness. Check specifically for: (1) secrets or API keys exposed in client code or committed to the repo, (2) server routes that write or read user data without an auth check, (3) database tables without row-level security, (4) user inputs written to the database without validation, (5) code paths with no test coverage around auth and payments. Return a ranked list by blast radius (P0 = payments/auth/cross-user data, P3 = cosmetic). Do not fix anything yet; give me the list with file paths and line numbers.

Note: Naming the five gaps explicitly gets a far more useful audit than 'is this production-ready?', which tends to return generic advice.

Adjust for Your Situation

If the prototype is large or messy

Upgrade Claude Code to the Max 5x plan ($100/mo) for the hardening week. A big audit-fix-test loop burns through Pro limits fast, and hitting a rate limit mid-refactor is worse than the extra cost. Downgrade back to Pro once you are shipped.

If you are handing off to a human team, not just AI

Prioritize the docs and CI steps. Have Claude Code write a README and architecture notes so a new engineer can onboard, and make the test suite the contract they build against. The AI hardening becomes the bridge to human maintainers.

If there is no auth or payments yet

The audit list shrinks to input validation, error handling, and tests. You can compress the handoff to 1-2 days. But add RLS anyway the moment you introduce multi-user data; retrofitting it under load is painful.

Swap options

Drop-in substitutions if a tool does not fit your budget or stack. These trade cost or effort for the recommended setup.

Swap outUse insteadWhen
LovableBolt.new or v0 by VercelYour prototype was built in a different prompt-to-app tool; the handoff steps are identical
Claude CodeCursor or WindsurfYou prefer an IDE-centric agent over a terminal-centric one for the hardening work
CodeRabbitGraphite AgentYou already use stacked PRs and want review inside that flow
Set up CIGitHub Actions starter templatesYou want a hand-written pipeline instead of an AI-generated one

Common Pitfalls

  • Deciding to rewrite instead of harden. You throw away the validated product to chase clean code, lose weeks, and often never ship. Keep the prototype.
  • Fixing cosmetic issues before security. The lint warnings are visible and the open database table is not. Fix P0 blast-radius items first.
  • Generating RLS policies without reading them. A wrong policy either locks you out or leaves a table world-readable. Verify each one against a test.
  • CI that does not block merges. If a failing test does not stop the deploy, the pipeline is decoration and broken code still reaches users.
  • Trusting AI test coverage numbers. High coverage on trivial code and zero on the payment path is worse than it looks. Aim tests at risk, not at the percentage.

Frequently Asked Questions

Why not just rewrite the prototype cleanly?
Because a rewrite trades your one asset (a validated product users want) for clean code nobody is paying for, and it usually takes weeks you do not have. The hardening pass keeps the working product and fixes only what actually breaks in production: security, tests, and CI. It is 3-5 days versus a multi-week rewrite that frequently stalls.
What does the required stack cost?
$90/mo: Lovable Pro ($25), Claude Code via Claude Pro ($20), Supabase Pro ($25), and Vercel Pro ($20). Adding CodeRabbit ($24) for PR review and Cursor ($20) as an alternate IDE brings it to $134/mo. For a heavy hardening week, temporarily upgrading Claude Code to Max 5x ($100) is the one splurge worth making.
Can I do the handoff without knowing how to code?
Partly. Claude Code can implement every fix, but you need enough judgment to review the security-critical diffs, especially auth and row-level security, where a plausible-looking wrong answer leaks data. If you cannot review those, get one experienced engineer to sign off on the P0 fixes before launch. Everything else you can drive solo.
Do I need CodeRabbit if Claude Code writes the code?
It is optional but valuable precisely because the same tool wrote the code. An independent review pass on each PR catches issues the author (human or AI) is blind to. On a solo project moving fast, CodeRabbit is the cheapest way to get a second opinion. Skip it if budget is tight and you are reviewing diffs yourself carefully.
How is this different from just building in a weekend?
The weekend build gets you to a live product. This workflow assumes you already have a prototype and focuses entirely on the gap between 'it demos' and 'it survives real users': security, tests, and CI. If you are starting from an idea, do the weekend build first, then this.
What if the prototype's architecture is fundamentally wrong?
Then the audit will surface it as a P0, and you make a scoped decision: rebuild that one subsystem, not the whole app. AI-generated prototypes are usually structurally fine (standard React + Supabase) and wrong only in the details. A truly bad foundation is rare; verify it is actually the foundation before you rewrite anything.

How we built this workflow

ToolJunction's editorial team tests each workflow with real accounts and real budgets before publishing. Cost figures reflect public pricing pages as of July 2026. Reply rates, time estimates, and outcome metrics come from our own runs or vetted operator interviews. We update this page when a tool's pricing changes or a step stops working.

Last updated July 7, 2026; prices verified at publication.

Related Workflows