Lovable, Bolt, Replit: 7 Limits of AI for Coding a Real Product

Quick answer. AI code generators (Lovable, Bolt.new, Replit Agent, v0, Cursor in agent mode) ship a working prototype in a few hours. But they hit 7 structural limits when it comes to holding up a real product in production: an architecture that does not scale, patched-up security, fragile third-party integrations, invisible technical debt, degraded performance, no observability, and code that nobody else can maintain.
Why this article does not say AI is useless
We use Claude Code, Cursor and v0 ourselves every day at FreshMarkom. These tools save us 30 to 50% of the time on repetitive tasks.
But for 18 months we have also seen a wave of "vibe-coded" projects land in our audits. Founders who shipped an MVP with Lovable or Bolt in 3 weeks, raised 200K€, then find themselves stuck when it is time to scale or to bring in a technical team.
This article breaks down the 7 concrete limits we flag on these projects. The goal is not to say "do not use AI", but to know where generative coding stops and the real product begins.
Limit 1: the architecture that does not hold up under load
The problem. AI generates code that works for 1 to 10 concurrent users. Beyond that, the monolithic architecture, the lack of caching, the N+1 queries, and the unoptimised server actions make response times explode.
Why the AI does not see it. It has no load context. It codes to make the nominal case pass. It does not know that at 200 concurrent users, your /api/dashboard endpoint will trigger 200 queries to Supabase instead of one batched query.
Recent audit example. A B2B SaaS vibe-coded with Bolt, 380 users in paid beta. Past 50 concurrent users, the dashboard took 12s to load. Cause: each widget ran its own query, with no batching, no cache, no memoisation. A 2-day refactor by our team brought it down to 1.2s.
Hidden cost. A sluggish SaaS loses 25 to 40% of its paying users within the 60 days after the peak. For a product at 50€/month and 380 users, that is 5,700€/month of recoverable churn.
How to fix it. Load audit with k6 or Artillery on the critical endpoints. Identify the bottlenecks, add caching (Redis, edge cache), batch the queries, paginate properly.
Limit 2: security that is patched up or absent
The problem. AI applies basic security patterns (HTTPS, password hashing with bcrypt), but misses the more advanced layers: Row Level Security, CSRF, strict server-side validation, secrets management, rate limiting.
Why the AI does not see it. It copies patterns seen in its training. Real security depends on the business context: who can see what, who can modify what, how to prevent escalations.
Typical cases observed:
- Supabase service role exposed in the client-side JavaScript bundle (gives full access to the database)
- No Row Level Security enabled, any authenticated user can read another's data
- Zod validation on the client only, bypassed in 30 seconds with curl
- Stripe / OpenAI / SendGrid API keys committed to Git
- No rate limiting, the APIs can be scraped or DDoS'd
Hidden cost. Variable but potentially catastrophic. An RLS flaw that exposes competitors' orders is the end of the product. An exposed Stripe key means fraudulent transactions + chargebacks.
Recent example. A vibe-coded B2C marketplace, 1,200 users. Our audit flagged that any authenticated user could read the emails and phone numbers of all the others through a direct Supabase query (no RLS). A massive potential PII leak. Fixed in 4 hours: strict RLS + service role server-side only.
How to fix it. A dedicated security audit: OWASP Top 10 checklist, RLS check for every table, bundle scan for exposed secrets, rate limiting test.
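A minimal version of the "bundle scan for exposed secrets" step, as an added example (not FreshMarkom's audit tooling). It assumes Supabase's JWT-format API keys, whose payload carries a `role` claim, and Stripe's `sk_live_` / `sk_test_` secret-key prefixes; the function names and the sample bundle are constructed for illustration.

```javascript
// Patterns are illustrative, not exhaustive; extend them for the providers you use.
const PATTERNS = [
  { name: 'stripe-secret-key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}/g },
  { name: 'jwt', re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
];

// Read the role claim from a JWT payload. No signature check: we only classify the token.
function jwtRole(token) {
  try {
    const json = Buffer.from(token.split('.')[1], 'base64url').toString('utf8');
    return JSON.parse(json).role ?? null;
  } catch {
    return null; // not a decodable JWT
  }
}

// Returns one finding per secret that should never appear in client-side code.
function scanBundle(text) {
  const findings = [];
  for (const { name, re } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      if (name === 'jwt') {
        // The anon key is meant to be public; only a service_role token is a finding.
        if (jwtRole(m[0]) !== 'service_role') continue;
        findings.push({ type: 'supabase-service-role', index: m.index });
      } else {
        findings.push({ type: name, index: m.index });
      }
    }
  }
  return findings;
}

// Constructed sample tokens and bundle text (not real credentials).
const fakeJwt = (role) =>
  ['{"alg":"HS256","typ":"JWT"}', JSON.stringify({ iss: 'supabase', role }), 'sig']
    .map((part) => Buffer.from(part).toString('base64url'))
    .join('.');
const fakeStripeKey = 'sk_' + 'test_' + 'X'.repeat(24);

const sampleBundle = `
  const pub = createClient(url, "${fakeJwt('anon')}");
  const adm = createClient(url, "${fakeJwt('service_role')}");
  const pay = "${fakeStripeKey}";
`;
// On a real build, pass each emitted .js file's contents to scanBundle().
```

Run against the built output in CI and fail the build on any finding; a hit means the key must be rotated, not just removed from the code.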
Limit 3: invisible technical debt
The problem. AI generates code that works, not code that is maintainable. 500-line components mixing business logic, UI, fetching and validation. Functions duplicated 4 times with slight variations. No reusable abstraction.
Why the AI does not see it. It has no memory between prompts. It does not know it already created a Button component 12 minutes earlier. It re-creates rather than reuses.
Typical symptoms of a vibe-coded project after 3 months:
- 40 slightly different Button components
- 8 different implementations of "fetch the users"
- No shared types file, each component redefines its types
- Zero automated tests
- No design system
Hidden cost. When you want to evolve the product, each change touches 4 places instead of 1. Dev speed drops threefold after month 4.
How to fix it. A gradual refactor: extract the genuinely reusable components, create a minimal design system, set up strict TypeScript, add at least some tests on the critical flows.
Limit 4: fragile third-party integrations
The problem. AI knows how to call a REST API. It does not know how to handle the real error cases: a webhook that arrives twice, a payment that goes through but a response that times out, a third-party service that is down.
Why the AI does not see it. Robust integrations require having lived through the incidents: a Stripe webhook signature that changes, a race condition between payment and provisioning, operation idempotency.
Typical cases observed:
- Stripe webhook without signature verification (anyone can falsely credit accounts)
- No retry policy on OpenAI calls (a network timeout = broken service for the user)
- Transactional email sent before the transaction is committed to the DB
- No integration logs, impossible to debug when something goes wrong
- No fallback if the third-party service is down
Hidden cost. For a SaaS that depends on Stripe and OpenAI, one hour of bad integration can lose dozens of paying users who do not come back.
How to fix it. Each third-party integration must have: signature verification (webhooks), retry logic with backoff, idempotency keys, structured logs, error monitoring (Sentry), and a fallback plan.
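The signature check and the "webhook that arrives twice" case together, as an added example (not code from an audited project). The header format is modeled on the timestamped HMAC-SHA256 scheme Stripe documents for its `Stripe-Signature` header; `handleWebhook`, `credit` and the in-memory event store are hypothetical, and with the real Stripe SDK you would call `stripe.webhooks.constructEvent` instead of `verifySignature`.

```javascript
const crypto = require('node:crypto');

const TOLERANCE_S = 300;        // reject events signed more than 5 minutes away from now
const seenEventIds = new Set(); // assumption: in production, a DB table with a unique key

// Assumed header format: "t=<unix seconds>,v1=<hex HMAC-SHA256 of `${t}.${rawBody}`>"
function sign(rawBody, secret, t) {
  return crypto.createHmac('sha256', secret).update(`${t}.${rawBody}`).digest('hex');
}

function verifySignature(rawBody, header, secret, now = Math.floor(Date.now() / 1000)) {
  if (typeof header !== 'string') return false;
  const parts = Object.fromEntries(header.split(',').map((kv) => kv.split('=')));
  const t = Number(parts.t);
  if (!Number.isInteger(t) || !parts.v1) return false;
  if (Math.abs(now - t) > TOLERANCE_S) return false; // stale or replayed delivery
  const expected = Buffer.from(sign(rawBody, secret, t), 'hex');
  const given = Buffer.from(parts.v1, 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Returns an HTTP-style status. `credit` is the hypothetical business side effect.
function handleWebhook(rawBody, header, secret, credit, now) {
  // Verify against the raw request body, before any JSON parsing or re-serialisation.
  if (!verifySignature(rawBody, header, secret, now)) return 400;
  const event = JSON.parse(rawBody);
  if (seenEventIds.has(event.id)) return 200; // duplicate delivery: acknowledge, do nothing
  seenEventIds.add(event.id);
  credit(event);
  return 200;
}
```

The duplicate path returns 200 on purpose: answering with an error would make the provider retry an event that has already been applied.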
Limit 5: performance and SEO unsuited to the real web
The problem. AI generates code that loads everything on the client. A 3 MB JS bundle, slow hydration, no image optimisation, no SSG, no structured schemas, no i18n, minimal accessibility.
Why the AI does not see it. Lovable and Bolt produce client-rendered React by default. It is simpler to generate, but unsuited to a site that needs to rank in SEO or be cited by conversational AI (GEO).
Hidden cost. For a B2C product or a SaaS whose acquisition partly comes from SEO, a vibe-coded site is invisible to Google and to ChatGPT. You pay for everything in advertising.
How to fix it. Move to Next.js App Router with Server Components, set up the Core Web Vitals, add the schemas (Article, Organization, BreadcrumbList), create a clean sitemap, optimise the images via next/image.
Limit 6: no observability
The problem. In production, your site will crash. The question is not if, but when. With no structured logs, no monitoring, no error tracking, you discover the bugs when a user writes to you.
Why the AI does not see it. It codes the feature, not the observability infrastructure. That is an ops topic, outside its default scope.
What is almost always missing:
- Sentry or equivalent for front and back errors
- Structured logs (Pino, Winston) instead of console.log
- Uptime monitoring (UptimeRobot, BetterStack)
- Business metrics (how many signups/day, how many payment errors/hour)
- Slack/email alerting on a critical error
Hidden cost. It takes you weeks to discover critical bugs. During that time, you lose users who do not come back.
How to fix it. Sentry install in 30 min, free uptime monitoring with UptimeRobot, structured logs to put in place on the critical flows (auth, payment, integrations).
Limit 7: impossible to bring in a real team
The problem. You raise funds. You want to hire a senior CTO or bring in an agency to scale. The developer looks at the code, winces, and tells you "it all needs rewriting".
Why. Code generated with no structure, no tests, no documentation, no conventions, no clear architecture is a turn-off for experienced developers. They cannot reason about it.
Hidden cost. You pay 2 to 4 months of rewriting to reach a state that is "workable by a team", for a cost that often exceeds 40,000€ to 100,000€. During that time, you are not evolving the product.
Real case. A rental-management SaaS, vibe-coded, 500K€ seed round. The hired CTO refused to continue on the existing base. Full rewrite Next.js + Supabase + tests: 11 weeks, equivalent to 65,000€ in-house. During that time, 3 impatient enterprise clients were lost.
How to fix it. From the moment your product gains traction (50+ paying users, 5,000+ visitors/month), have an independent audit done before you keep stacking features.
How to tell if your vibe-coded project is at risk
Quick checklist:
- Can you explain where your secrets are stored?
- Do you have at least 1 type of authenticated user that can test permissions?
- If you cut access to a third-party developer, could they pick up your code in 1 day?
- Do you have monitoring that alerts you when the site is down?
- Can you restore a backup in under 1h?
- Can you evolve an endpoint without breaking 3 other screens?
- Do you know how many concurrent users your site supports?
If you answer "no" to 3 questions or more, your project needs an audit before the next growth milestone.
FAQ
No, they are excellent for prototyping, validating an idea, shipping an MVP in a few weeks. They become problematic when the product has to scale, integrate critical services, or be maintained by a team.
When you reach 50+ paying users, 5,000+ visitors/month, or you raise more than 200K€. Before that, vibe coding stays relevant. After that, the cumulative technical cost exceeds the initial speed gain.
Between 8,000€ (audit + critical fixes) and 80,000€ (full rewrite). The cost depends on the level of debt accumulated and the functional scope to preserve. At FreshMarkom, a [redesign starts at 1,490€](/packages/refonte) and a [custom SaaS at 9,990€](/packages/saas-application-metier), the exact quote depends on the initial audit.
Yes, but in "co-pilot" mode rather than "autonomous agent" mode. Claude Code, Cursor, GitHub Copilot speed up an experienced developer by 30 to 50%. But it is the developer who structures, and the AI that implements.
Probably yes over 2 to 3 years. But today, in 2026, the limits listed are structural. They remain prototyping tools, not production tools.
Vibe coding if: you want to validate an idea in under 6 weeks, you have no fundraising coming before 6 months, you can afford to rewrite everything if it works. Professional development if: you are targeting a product usable in production by 100+ paying users from launch, you are raising funds, or you integrate critical services (payment, HR, health, finance).
In summary
AI code generators have made development accessible to tens of thousands of founders who could not have done it on their own. That is a positive transformation.
But they hit 7 structural limits when it comes to holding up a real product in production: architecture, security, technical debt, integrations, performance, observability, and maintainability.
If you want to grow a product beyond the MVP, you need to plan a professionalisation stage: an independent audit, a refactor of the critical layers, putting the missing infrastructure in place. It costs 8,000€ to 80,000€ depending on the scale. It is always cheaper than the full rewrite we have to do 12 months later if we wait.
At FreshMarkom, we regularly run these audits on vibe-coded products. If your project looks like a case described here, we can tell you in 30 minutes what should be the priority.
Article updated on 7 June 2026 with the official FreshMarkom rates in effect.