The failure pattern is consistent
Bolt, Replit, v0, Cursor, and Claude can produce impressive application code quickly. The weak spots usually appear at the boundary between generated code and real operations.
A demo has one user, one happy path, and no long-term ownership. A production system has forgotten passwords, duplicate submissions, webhook retries, bad inputs, flaky networks, expired cards, and people clicking things twice.
The risk areas to inspect
- Auth and permissions: can one customer reach another customer's data?
- Data model: are important records normalized, indexed, and durable?
- Deployment: is the app tied to a temporary preview environment or a real release path?
- Secrets: are tokens, API keys, and webhook secrets server-side only?
- Email and notifications: are failed sends visible, retried, and audited?
- Logs: can you explain what happened when a user reports a bug?
Hardening is not a rewrite by default
The right move is not always to throw the generated app away. Sometimes the app needs a smaller pass: fix the deployment, tighten the database rules, add monitoring, and document the support path.
PAS starts with the risk review so the work matches the actual problem. Some apps need one sprint. Some need managed ownership. Some should stay as prototypes until the business case is clearer.
PAS makes AI-built apps production-ready
Send the app, repo, or public URL. PAS will review the production risks and map the next step: keep it simple, harden it, launch it, or move it into managed engineering support.