All posts
8 May 2026 · 6 min

What 'production-ready' actually means

What 'production-ready' really means — the checklist we run before any vibed.ventures build goes live, from auth to backups.

Why this matters

Most 'MVPs' shipped by AI-augmented teams aren't production-ready — they're demos with a domain pointed at them. The difference shows up on day one of real users: lost data, leaked emails, downtime nobody notices.

Auth and accounts

Email verification on signup. Password reset that actually works. Sessions that expire sensibly. Rate limiting on login. Role-based access if there's more than one user type. No 'admin' user with the password in a Notion doc.

Data and backups

A real database with point-in-time recovery. Daily off-site backups we've tested by restoring. Migrations versioned in git. Foreign keys and constraints — not just 'we'll validate in the app layer'.

Observability

Error tracking (Sentry or equivalent). Uptime monitoring with alerts to a phone, not just an inbox. Structured logs you can search. A way to answer 'what did user X see at 3pm yesterday' without SSHing into anything.

Security basics

HTTPS everywhere. Secrets in a vault, not the repo. CSRF protection on forms. SQL injection impossible by construction (parameterised queries, ORM). Dependencies scanned weekly. A plan for what happens when — not if — something leaks.

Billing and legal

Real Stripe (or equivalent) with webhooks that survive retries. Invoices that meet local tax law. A privacy policy and terms that reflect what the app actually does. Cookie consent if you're in the EU/UK.

What we don't ship without

Every one of the above. It's the difference between a side project and a product. The whole list adds maybe two days to a two-week build — and it's the cheapest insurance you'll ever buy.

More posts