How to Take a Lovable Codebase to Production
Most AI-generated codebases work in the demo and break in production. This guide walks through the six-step process of taking a Lovable, Bolt.new, v0, or Cursor-generated codebase from “it works on my machine” to “it works for 100,000 users.”
Step 1: Code audit
Before you change anything, audit. The audit covers six areas:
- Security: exposed API keys (the most common Lovable bug — keys in frontend code), Supabase RLS policies (usually overly permissive or disabled), OAuth scopes, rate limits.
- Code quality: duplicated logic, god components (Lovable generates these), missing tests, dead code from abandoned prompts.
- Database: schema review (Lovable generates reasonable schemas but misses indexes), query performance, foreign key constraints, RLS policies.
- Integrations: Stripe webhooks (usually missing idempotency), OpenAI/Anthropic calls (usually missing retry and cost guards), edge functions (usually missing error handling).
- Deployment: environment separation (Lovable ships with one environment), CI/CD (usually absent), observability (usually absent).
- Compliance: GDPR data export/deletion, SOC 2 audit logs, data retention policies.
The output is a 30-page report with prioritised fixes. The audit takes 1 week for a typical Lovable codebase.
Step 2: Supabase RLS hardening
This is the single highest-leverage fix for most Lovable codebases. Lovable generates Supabase projects with RLS either disabled or with policies that allow any authenticated user to read or modify any row. The fix:
- Enable RLS on every table.
- Write policies that enforce “users can only access their own data” by default.
- Use
auth.uid()in every policy — nevertrueor1=1. - Add
SECURITY DEFINERfunctions for queries that need to cross user boundaries (admin views, analytics). - Test with a second user account — if user B can see user A’s data, the policy is wrong.
This is a 2-3 day project for a typical Lovable codebase with 10-20 tables.
Step 3: Architecture refactor
Lovable generates code that works but is not maintainable. The typical issues:
- God components: a single React component that does everything (data fetching, rendering, state, side effects). Break these into smaller components with clear responsibilities.
- Duplicated logic: the same API call appears in 5 places. Extract to a shared hook or service.
- No layering: UI code calls Supabase directly. Introduce a thin data layer (even just a
lib/db.ts) that centralises all database access.
This is a 1-2 week project for a codebase with 20-50 components.
Step 4: Environment separation
Lovable ships with one Supabase project and one deployment. For production, you need:
- Development: the Lovable-managed Supabase project (for iteration).
- Staging: a dedicated Supabase project for testing before production.
- Production: a dedicated Supabase project with hardened RLS, proper backups, and point-in-time recovery.
The frontend should use environment variables to switch between these. Vercel’s preview environments map cleanly to staging Supabase projects.
This is a 2-3 day project, mostly configuration.
Step 5: Deployment and observability
- CI/CD: GitHub Actions or Vercel’s built-in. Every push to main deploys to production; every push to a branch deploys to preview.
- Error tracking: Sentry or similar. Set up before you ship, not after.
- Logging: structured logging (not
console.log). Use a service like Axiom, Logflare, or Better Stack. - Metrics: latency, error rate, cost per request. Set up a simple dashboard.
- Alerts: if error rate > 1%, alert. If latency p95 > 2s, alert.
This is a 1-week project.
Step 6: Compliance (if regulated)
If you’re in healthcare, financial services, or the EU, you need:
- GDPR: data export endpoint, data deletion endpoint, cookie consent, privacy policy.
- SOC 2: audit logs (who did what, when), access controls, encryption at rest and in transit.
- HIPAA (US healthcare): BAA with Supabase (they support this), PHI encryption, access logging.
- EU AI Act (if AI features): classify your AI system, document the risk tier, implement the required controls.
This is a 2-4 week project depending on the regulatory scope.
Total timeline
For a typical Lovable codebase going to production:
| Step | Duration | Output |
|---|---|---|
| 1. Code audit | 1 week | 30-page report |
| 2. RLS hardening | 2-3 days | Hardened Supabase |
| 3. Architecture refactor | 1-2 weeks | Maintainable codebase |
| 4. Environment separation | 2-3 days | Dev/Staging/Prod |
| 5. Deployment + observability | 1 week | Production-ready |
| 6. Compliance (optional) | 2-4 weeks | Audit-ready |
| Total (without compliance) | 4-6 weeks | Production-ready |
| Total (with compliance) | 6-10 weeks | Audit-ready |
How to engage
If you’re shipping a Lovable, Bolt, or v0 codebase and want it production-ready, the AI Codebase to Production consulting engagement is designed for exactly this. A 1-week audit starts at USD 5K. Full engagements are USD 25K-150K.
The first 30-minute call is free. Book it before you launch.
Related Articles
Supabase RLS Hardening: A Practical Guide
How to audit and harden Supabase Row Level Security policies. The most common security vulnerability in AI-generated apps, and the fix.
AI Agent Safety: The Substrate Pattern in Practice
How to implement the Substrate Pattern for AI agent safety in production. The layer below the model that decides what the agent is allowed to do.
Federated Learning Implementation: A CTO's Guide
How to implement federated learning in production. Framework selection, data partitioning, privacy mechanisms, aggregation, and deployment. The consulting practice of the Fed-Focal Loss author.