Vibe-coded rescue
Your AI-built MVP is breaking. We rebuild without throwing it away.
A founder ships an MVP in a weekend with Cursor. Six months later we get the email. Stripe is leaking, Supabase is wide open, four auth patterns coexist, every senior who looks at the codebase quits within a week. We take this kind of project on weekly. Same defects every time. Same rescue every time.
The rescue
Timeline: 14 days
Cost: $10K–$25K
Audit report: 48h
Customer churn: 0
If you see this, this is you
The signals.
What they actually mean.
“Free Pro tier unlocked from the browser console.”
Paywalls are enforced in React. The API does not check the user plan. Anyone with DevTools is on the paid plan.
“Supabase or Firestore is open to anonymous reads.”
RLS was off by default. The agent never turned it on. Wiz finds these in public scans.
“`.env` is in the repo. `NEXT_PUBLIC_*_SECRET` exists.”
Provider keys are in the client bundle. OpenAI charges drained the founder's card before he noticed.
“Four auth patterns live in one codebase.”
NextAuth, Supabase Auth, a custom JWT cookie, and a Stripe email link. The agent added each as needs arose. Nobody removed the old ones.
“Zero tests. Zero observability.”
The first sign of any bug is a Slack screenshot from a confused user. The founder thinks tests are *v2*. They are the only thing standing between the product and silent data loss.
“No senior engineer will touch the code for a salary.”
Every hire quits within a week. The founder is alone with a codebase he cannot read.
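The first signal above, the paywall that exists only in React, shown as an added example (not code from this page or from any client project): the same paid endpoint without and with a server-side plan check. The user store, session map, handler names and the request object are hypothetical and constructed for illustration.

```javascript
// Added example: every name and value here is hypothetical and constructed.
// Server-side source of truth for the plan, e.g. a row updated by billing webhooks.
const USERS = new Map([
  ["u_free", { id: "u_free", plan: "free" }],
  ["u_pro", { id: "u_pro", plan: "pro" }],
]);

// Stand-in for session verification; a real app validates a signed cookie or token.
const SESSIONS = new Map([["sess_free", "u_free"], ["sess_pro", "u_pro"]]);

function authenticate(req) {
  const userId = SESSIONS.get(req.sessionToken);
  return userId ? USERS.get(userId) : null;
}

// Before: the handler only authenticates. The plan gate lives in the UI,
// so any signed-in caller reaches the paid feature.
function exportReportUnchecked(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  return { status: 200, body: { report: `export for ${user.id}` } };
}

// After: the plan is read from the server-side record on every request.
// Anything the client says about its own plan is never consulted.
function requirePlan(allowed, handler) {
  return (req) => {
    const user = authenticate(req);
    if (!user) return { status: 401, body: { error: "unauthenticated" } };
    if (!allowed.includes(user.plan)) {
      return { status: 403, body: { error: "plan_required", required: allowed } };
    }
    return handler(req, user);
  };
}

const exportReport = requirePlan(["pro"], (req, user) => ({
  status: 200,
  body: { report: `export for ${user.id}` },
}));

// Constructed request: a free user whose client-side state claims "pro".
const freeClaimingPro = { sessionToken: "sess_free", body: { plan: "pro" } };
console.log("unchecked:", exportReportUnchecked(freeClaimingPro).status);
console.log("checked:  ", exportReport(freeClaimingPro).status);
```

The React paywall can stay as a UX hint; the 403 from the API is what actually enforces the plan.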
Our process
Five steps. 14 days.
Audit
We clone the repo and run our eleven-grep playbook. Score: how many defects, how deep. One-page report inside 48 hours.
Triage
Three piles: keep, rewrite, delete. Roughly 60/30/10. The UI usually survives. The data layer rarely does.
Foundation
Migrate auth to one provider. Lock down RLS. Rotate every key. Add Sentry, structured logs, CI with a real test suite. No new features ship in this window.
Migration
Move production customers to the new stack, one at a time, zero downtime. The old stack runs in parallel for 72 hours, then shuts down.
Handoff
Documented. CI green. Claude Code or Cursor still works on the new codebase, but inside guardrails. You can ship features the same week.
What we do with the code
Three piles. Honest splits.
Keep
60%: Marketing site, brand, UI, anything stateless and reviewable.
Rewrite
30%: Auth, payments, anything multi-tenant or AI-tool-connected.
Delete
10%: Dead routes, ghost integrations, four ChatGPT calls the agent added in case they were needed.
Verdict
Who this is for.
FAQ
Questions founders ask.
Will my customers notice during the rescue?
No. We run the old stack in parallel for 72 hours during migration. Cutover is per-customer, zero downtime. Average churn during our last three rescues was zero.
Do you delete the code my last engineer wrote?
Mostly no. Roughly 60 percent stays. The UI usually survives untouched. We rewrite auth, the database layer, the payment flow, and anything multi-tenant. Everything stateless and reviewable stays.
What if my MVP is on Vercel + Supabase + Stripe + Clerk?
That is exactly the stack we rescue most often. We have a ready playbook for that combination. Faster than starting from a less-common stack.
Can we keep using Claude Code or Cursor after?
Yes. We leave the codebase set up for AI-assisted development, but with guardrails: typed schemas, tests on critical paths, a CLAUDE.md that scopes the agent. The agent helps. The agent does not own the codebase.
How fast can we start?
We can clone and audit your repo today. Triage report inside 48 hours. Rescue work usually starts within 7 days of the audit.
Send us the repo.
We reply in 48 hours.
Read-only GitHub access is fine. One-page audit comes back inside two days. No charge for the audit.