Quick Answer
80% of vibe-coded prototypes never ship because the handoff to real engineering is skipped. This is the handoff.
What you get
- Convert a Lovable prototype into a version-controlled repo with CI in under 3 hours
- Get to test coverage on the paths that matter (auth, payments, data writes) before launch
- Cut the rewrite that kills most vibe-coded projects down to a targeted 3-5 day hardening pass
- Ship to production behind a real CI pipeline for $90/mo in tools
Step-by-Step Workflow
7 steps · 3 hours to set up · 3-5 focused days ongoing
- 1
Freeze the prototype and get it into Git
Stop prompting in Lovable and export the current state to a GitHub repo. Clone it locally. This freezes a known-good version you can always return to. From here, every change is a commit you can review, revert, and deploy, which is the entire point of the handoff.

Lovable - the interface you'll work in for this step. Screenshot of the tool's own UI, not our results. 20 minOutput: A GitHub repo with the prototype as commit oneTools: LovableTip: Tag this commit 'prototype-baseline'. When the hardening pass breaks something, you can diff against the version you know worked.
- 2
Have Claude Code audit the codebase
Run Claude Code in the repo and ask for a production-readiness audit against a specific list: exposed secrets, missing input validation, absent auth checks on server routes, missing row-level security, and lack of tests. Ask for findings as a prioritized list, not fixes yet. You want the map before you start driving.

Claude Code - the interface you'll work in for this step. Screenshot of the tool's own UI, not our results. 30 minOutput: A ranked list of production gaps with file referencesTools: Claude CodeTip: Ask it to rank by blast radius: anything touching payments, auth, or cross-user data reads is P0. Cosmetic issues are P3 and can wait.
- 3
Move secrets and lock down the backend
Fix the P0 security findings first. Move any keys out of client code into server-side env vars, enable Supabase row-level security with per-user policies, and add auth checks to every server route that writes or reads user data. Have Claude Code implement each fix as a separate commit so you can review them in isolation.
3-4 hrsOutput: No exposed secrets, RLS on, auth enforced on every protected routeTools: Claude Code, SupabaseTip: Write one RLS policy by hand and have Claude Code follow the pattern for the rest. Blindly generated policies are the easiest way to lock yourself out or leave a table open.
- 4
Add tests where risk lives
You do not need full coverage. You need tests on the paths where a bug costs you money or trust: authentication, the paid action, and any write that touches another user's data. Have Claude Code write these tests, run them, and fix what fails. This is the safety net that lets you keep shipping fast after the handoff.
3-4 hrsOutput: A test suite covering auth, payments, and cross-user writesTools: Claude CodeTip: Test the failure cases, not just the happy path. 'Unpaid user cannot access the paid action' catches more real bugs than 'paid user can'.
- 5
Set up CI and preview deploys
Connect the repo to Vercel so every branch gets a preview URL and every merge to main deploys. Have Claude Code write a GitHub Actions workflow that runs the tests and a type check on every PR, blocking merge on failure. Now a broken commit cannot reach production, which is the line between a prototype and a product.
1-2 hrsOutput: CI that runs tests on every PR and blocks merge on red; preview deploy per branchTools: Vercel, Claude CodeTip: Require the CI check to pass before merge in GitHub branch protection. A pipeline that does not block is theater.
- 6
Route AI changes through PRs with review
From now on, Claude Code opens a branch and a PR for every change rather than committing to main. Turn on CodeRabbit (or Graphite Agent) so each PR gets an automated review pass. This gives the fast AI-driven work a checkpoint, which matters most precisely when you are moving quickly and skipping your own review.

CodeRabbit - the interface you'll work in for this step. Screenshot of the tool's own UI, not our results. 30 min setup, then ongoingOutput: Every AI change lands via a reviewed PR, not a direct pushTools: CodeRabbit, Claude CodeTip: Read the AI review, but do not accept it blindly either. Treat CodeRabbit as a second opinion, not an approver.
- 7
Cut over to production and verify
Point your custom domain at the Vercel production deploy, swap in production Supabase and any live third-party keys, and run a full end-to-end pass as a brand-new user in an incognito window. Sign up, use the paid action, and confirm data lands correctly with RLS enforced. Only then announce it is live.
1-2 hrsOutput: A verified production deployment on your domainTools: Vercel, SupabaseTip: Do the incognito run before you tell anyone. Finding the broken signup yourself is free; finding it via a churned first user is not.
Vibe coding gets you a working prototype fast, but the code underneath is optimistic: thin error handling, no tests, secrets in the wrong place, and auth that works on the happy path only. The instinct is to throw it away and rewrite. That is the mistake that kills the project, because you lose the one thing the prototype gave you (a validated product) to chase clean code nobody has paid for. This workflow keeps the prototype and does a surgical hardening pass with Claude Code: put it under version control, add tests where risk lives, fix the security holes, and ship behind CI. Days, not a rewrite.
What a prototype is missing, specifically
A Lovable or Bolt prototype almost always ships with the same five gaps: no automated tests, secrets or API keys committed or exposed client-side, missing input validation on writes, no row-level security so any user can read any row, and no CI so a broken commit reaches production. None of these are visible when you click through the demo. All of them surface the day a real user hits an edge you did not click. The handoff is a checklist against exactly these gaps, not a vague 'make it production-grade'.
Stack cost breakdown
Public list prices as of July 2026. Optional tools are marked in the notes.
| Tool | Plan | Monthly cost | Notes |
|---|---|---|---|
| Lovable | Pro | $25/mo | Required. Owns the prototype and its GitHub sync. |
| Claude Code | Claude Pro | $20/mo | Required. The hardening engine: tests, refactors, security, CI. Upgrade to Max 5x ($100/mo) for heavy days. |
| Supabase | Pro | $25/mo | Required. Production database with row-level security and daily backups. |
| Vercel | Pro | $20/mo | Required. Production hosting, preview deploys per PR, custom domain. |
| CodeRabbit | Pro | $24/mo | Optional. Reviews every PR the AI opens so the handoff has a second set of eyes. |
| Cursor | Pro | $20/mo | Optional. Alternate IDE for hands-on editing alongside Claude Code. |
| Total | $90 - $134/mo($90 required, $134 with optional tools) | ||
Email me this stack as a checklist
Every tool, the plan to pick, and the monthly cost - in your inbox.
Real usage
What people actually run
No usage reports yet - be the first to share what you run. Tell us your real stack, your actual monthly cost, and any tools you swapped.
The audit prompt that drives the handoff
The whole workflow hinges on one prompt that turns a vague 'make it production-ready' into a concrete, rankable checklist.
Claude Code production-readiness audit prompt
Audit this codebase for production readiness. Check specifically for: (1) secrets or API keys exposed in client code or committed to the repo, (2) server routes that write or read user data without an auth check, (3) database tables without row-level security, (4) user inputs written to the database without validation, (5) code paths with no test coverage around auth and payments. Return a ranked list by blast radius (P0 = payments/auth/cross-user data, P3 = cosmetic). Do not fix anything yet; give me the list with file paths and line numbers.
Note: Naming the five gaps explicitly gets a far more useful audit than 'is this production-ready?', which tends to return generic advice.
Adjust for Your Situation
If the prototype is large or messy
Upgrade Claude Code to the Max 5x plan ($100/mo) for the hardening week. A big audit-fix-test loop burns through Pro limits fast, and hitting a rate limit mid-refactor is worse than the extra cost. Downgrade back to Pro once you are shipped.
If you are handing off to a human team, not just AI
Prioritize the docs and CI steps. Have Claude Code write a README and architecture notes so a new engineer can onboard, and make the test suite the contract they build against. The AI hardening becomes the bridge to human maintainers.
If there is no auth or payments yet
The audit list shrinks to input validation, error handling, and tests. You can compress the handoff to 1-2 days. But add RLS anyway the moment you introduce multi-user data; retrofitting it under load is painful.
Swap options
Drop-in substitutions if a tool does not fit your budget or stack. These trade cost or effort for the recommended setup.
| Swap out | Use instead | When |
|---|---|---|
| Lovable | Bolt.new or v0 by Vercel | Your prototype was built in a different prompt-to-app tool; the handoff steps are identical |
| Claude Code | Cursor or Windsurf | You prefer an IDE-centric agent over a terminal-centric one for the hardening work |
| CodeRabbit | Graphite Agent | You already use stacked PRs and want review inside that flow |
| Set up CI | GitHub Actions starter templates | You want a hand-written pipeline instead of an AI-generated one |
Common Pitfalls
- Deciding to rewrite instead of harden. You throw away the validated product to chase clean code, lose weeks, and often never ship. Keep the prototype.
- Fixing cosmetic issues before security. The lint warnings are visible and the open database table is not. Fix P0 blast-radius items first.
- Generating RLS policies without reading them. A wrong policy either locks you out or leaves a table world-readable. Verify each one against a test.
- CI that does not block merges. If a failing test does not stop the deploy, the pipeline is decoration and broken code still reaches users.
- Trusting AI test coverage numbers. High coverage on trivial code and zero on the payment path is worse than it looks. Aim tests at risk, not at the percentage.
Frequently Asked Questions
Why not just rewrite the prototype cleanly?
What does the required stack cost?
Can I do the handoff without knowing how to code?
Do I need CodeRabbit if Claude Code writes the code?
How is this different from just building in a weekend?
What if the prototype's architecture is fundamentally wrong?
How we built this workflow
ToolJunction's editorial team tests each workflow with real accounts and real budgets before publishing. Cost figures reflect public pricing pages as of July 2026. Reply rates, time estimates, and outcome metrics come from our own runs or vetted operator interviews. We update this page when a tool's pricing changes or a step stops working.
Last updated July 7, 2026; prices verified at publication.