FinishKitFinishKit/Blog
Back to FinishKit
guides

How to Ship Your AI-Built App: A Production Readiness Guide

You built something amazing with Cursor, Bolt, or Lovable. But shipping it? That's a different challenge entirely. Here's the practical guide to closing the last-mile gap.

FinishKit Team10 min read

You know the feeling. It's Sunday night, you've been in the zone for six hours, and your AI-built app actually works. The landing page looks sharp. The auth flow is smooth. The dashboard pulls real data. You lean back, crack your knuckles, and think: "I'll ship this tomorrow."

Three weeks later, you're still not live.

The deploy keeps failing. There's a weird auth bug that only happens on mobile. Your API keys are hardcoded in three different files. You have zero tests. And every time you fix one thing, something else breaks. That beautiful weekend prototype has become a part-time job.

You're not alone. This is arguably the defining problem of the AI coding era. Millions of developers are building faster than ever, but the gap between "it works on my machine" and "it's live and reliable" has never been wider.

The Explosion Nobody Prepared For

The numbers are staggering. Cursor hit over 2 million users and $1 billion in annual recurring revenue in 2025, making it the fastest-scaling B2B software company in history. Bolt.new crossed 5 million users and $40 million ARR within five months of launch. Lovable surged to nearly 8 million users and $200 million ARR by the end of 2025. GitHub Copilot now has over 20 million cumulative users, with 90% of Fortune 100 companies on board. And over 4 million people have used Vercel's v0 to turn ideas into apps.

That's tens of millions of people building software with AI assistance. And here's the uncomfortable truth: the vast majority of those projects never ship.

A widely cited estimate suggests that over 90% of AI-assisted projects never make it to production. The reasons aren't mysterious. AI coding tools are exceptional at the happy path. They generate clean UI, wire up basic CRUD, and produce code that looks and feels like a real app. But production isn't the happy path. Production is the unhappy path. It's the edge cases, the error states, the security boundaries, and the infrastructure config that AI consistently under-delivers on.

What AI Tools Consistently Skip

Research in 2025 paints a clear picture. A CodeRabbit analysis of millions of pull requests found that AI-generated code produces 1.7x more issues than human-written code, with security vulnerabilities appearing at 1.5 to 2x the rate. Veracode's GenAI Code Security Report found that 45% of AI-generated code contains security vulnerabilities, with 86% of code samples failing to defend against cross-site scripting.

These aren't obscure edge cases. They're the bread and butter of production software:

  • Hardcoded credentials. AI loves pulling patterns from its training data, including the ones where API keys are dropped directly into source files. Apiiro's research across Fortune 50 enterprises found a 40% jump in secrets exposure in AI-generated code.
  • Client-side security logic. One viral case: a developer built an entire SaaS with Cursor, launched it, and within 72 hours users had bypassed the subscription by changing a single value in the browser console. All the authorization logic was client-side.
  • Missing input validation. AI-generated code consistently skips or under-implements validation, leading to SQL injection, XSS, and insecure deserialization vulnerabilities.
  • No error handling. Try/catch blocks around API calls? Loading states? Graceful degradation? AI tools rarely generate these unless you explicitly ask.
  • Zero tests. This is the norm, not the exception. AI produces code that works right now but includes no verification that it'll keep working after changes.

A May 2025 study found that 170 out of 1,645 Lovable-created web applications had security vulnerabilities that exposed personal data to anyone with a browser. If you've built with any AI tool, assume your app has similar issues until you've verified otherwise.

The Production Readiness Checklist

Here's the practical part. Before you ship, walk through each of these categories. This isn't about perfection. It's about catching the things that will embarrass you, cost you money, or get your users' data leaked.

Security

This is the big one. AI-generated code has a 62% chance of containing design flaws or known security vulnerabilities, according to the Cloud Security Alliance.

Check for exposed secrets. Search your entire codebase for API keys, database URLs, and tokens that aren't coming from environment variables. Pay special attention to files that AI generated early in your project, before you had your .env setup right.

# Quick scan for common secret patterns in your codebase
grep -rn "sk_live\|sk_test\|AKIA\|password.*=.*['\"]" --include="*.ts" --include="*.tsx" --include="*.js" src/ app/ lib/

Verify auth on the server. Every protected route needs server-side authentication. If your auth checks only happen in React components, anyone can bypass them with a direct API call.

Add rate limiting. AI never generates rate limiting. A single for loop from a bad actor can rack up hundreds of dollars in API costs or crash your database.

Sanitize inputs. Any user-provided data that touches a database query, an HTML render, or an API call needs validation and sanitization.

Error Handling

AI tools generate code for the scenario where everything goes right. Production is where everything goes wrong.

  • Wrap every API call in try/catch with meaningful error responses
  • Add loading and error states to every component that fetches data
  • Replace console.log with structured logging (or at minimum, remove console.logs that expose internal state)
  • Handle auth token expiry gracefully instead of showing a blank screen

Testing

You don't need 100% coverage. You need enough tests to catch the things that will break when you push a change at midnight.

Minimum viable test strategy:

  • One integration test for your auth flow (sign up, sign in, protected route)
  • One test per critical API endpoint (does it return the right shape? does it reject bad input?)
  • One end-to-end test for your core user journey

That's maybe 10-15 tests. It'll take an afternoon. It'll save you from shipping a broken app after a "quick fix."

You can actually use AI to write these tests. Ask Cursor or Copilot to "write integration tests for this auth flow that cover the happy path and three common failure modes." The irony: AI is better at writing tests for existing code than it is at writing tests alongside new code. Tools like FinishKit automate this by scanning your codebase and generating a prioritized list of what needs tests first.

Deployment Configuration

The gap between npm run dev and a production deploy is where most AI-built apps die.

  • Environment variables. Create a checklist of every env var your app needs. Verify each one is set in your production environment. AI-generated code often references env vars that only exist in your local .env file.
  • Build configuration. Run npm run build locally before deploying. Fix every TypeScript error and warning. If your next.config has ignoreBuildErrors: true, remove it now.
  • Database migrations. If you've been modifying your database schema through a GUI, you need migration files before you can reliably deploy. Otherwise, your production DB and your code will drift apart.
  • CORS and headers. AI rarely sets up proper CORS configuration. If your frontend and API are on different domains, this will silently break in production.

UX Polish

This is the difference between "it works" and "it's ready."

  • Test on mobile. Open your app on an actual phone. AI-generated layouts frequently break on small screens.
  • Add proper loading states. Skeleton screens or spinners for every async operation. Users shouldn't stare at blank space.
  • Check accessibility basics. Alt text on images, proper heading hierarchy, keyboard navigation on forms. These aren't nice-to-haves; they're legal requirements in many jurisdictions.
  • Handle empty states. What does your dashboard look like with zero data? AI always builds for the state with data.

Step by Step: From Prototype to Production

You've got the checklist. Here's the order to tackle it in, designed to catch the highest-risk issues first.

Step 1: Security audit (2-4 hours). Run the secret scan above. Move every hardcoded credential to environment variables. Verify that every protected API route checks auth on the server. Add basic rate limiting to public endpoints.

// Before: AI-generated route with no auth check
export async function GET(request: Request) {
  const data = await db.query("SELECT * FROM user_data");
  return Response.json(data);
}
 
// After: Server-side auth + input validation
export async function GET(request: Request) {
  const session = await getServerSession();
  if (!session?.user?.id) {
    return Response.json({ error: "Unauthorized" }, { status: 401 });
  }
 
  const { searchParams } = new URL(request.url);
  const limit = Math.min(Number(searchParams.get("limit")) || 20, 100);
 
  const data = await db.query(
    "SELECT * FROM user_data WHERE user_id = $1 LIMIT $2",
    [session.user.id, limit]
  );
  return Response.json(data);
}

Step 2: Error handling pass (2-3 hours). Go through every page and component that makes an API call. Add try/catch, loading states, and error boundaries. This is tedious but mechanical. AI can actually help here if you prompt it file by file.

Step 3: Write your minimum viable tests (3-4 hours). Auth flow, critical API endpoints, core user journey. Don't aim for coverage. Aim for confidence that the big things work.

Step 4: Fix the build (1-2 hours). Run the production build locally. Fix every error. Remove ignoreBuildErrors. Fix TypeScript issues the AI left behind.

Step 5: Deploy to staging (1-2 hours). Push to a staging environment that mirrors production. Verify env vars are set. Test the full flow end to end. Check it on your phone.

Step 6: Monitor the first 48 hours. Set up basic error tracking (Sentry's free tier is fine). Watch for patterns. The first real users will find things you missed.

That's roughly 10-15 hours of work. A weekend. Not three weeks.

Tools That Help Close the Gap

The ecosystem is catching up to this problem. Vercel and Netlify make deployment straightforward if your build is clean. Supabase handles auth and database with built-in security defaults. Sentry and LogRocket give you visibility into production errors. ESLint and TypeScript strict mode catch entire categories of bugs before they ship.

For the specific challenge of going from AI prototype to production, FinishKit automates the checklist above. It scans your full repo, generates a prioritized Finish Plan covering security, tests, error handling, and deploy config, then creates pull requests to fix the issues it finds. Think of it as an automated code review specifically tuned for the patterns AI tools leave behind.

The point isn't to use any one tool. It's to recognize that shipping is a distinct skill from building, and the tooling to support it is getting better fast.

Ship It

Here's what I want you to take away from this: the last 10% of shipping is not some mysterious dark art. It's a finite, knowable set of tasks. Security, error handling, testing, deploy config, and basic polish. You can learn it. You can checklist it. And increasingly, you can automate it.

The vibe-coded prototype on your laptop is closer to production than you think. It doesn't need a rewrite. It needs a finishing pass.

The builders who win in 2026 won't be the ones who prototype the fastest. They'll be the ones who ship. The gap between "I built this" and "people use this" is smaller than it feels. Close it.