
I review AI-built codebases for a living. Here's what's actually inside them.

We migrate apps off Lovable, Replit, and Bolt to production infrastructure. Every week we open a new codebase. The pattern is always the same.

The founder builds something with AI. It works. Users sign up. Revenue starts coming in. The UI is polished. The features are solid. By every visible measure, the product is ready.

Then they hit one of these walls:

  • They try to hire a developer. The dev looks at the code and says "I'd rather start over than maintain this." The founder thinks the dev is being dramatic. The dev is not being dramatic.
  • An investor asks for technical due diligence. Their advisor opens the repo. The funding conversation changes.
  • A feature that should take a day takes two weeks. Changing one component breaks three others because the AI doesn't refactor - it appends. Functions grow to 3,000 lines. Nobody can safely touch them.
  • They discover their Stripe integration doesn't verify that payments actually went through. Users get access whether the card was charged or not.

Last month we reviewed a codebase with 600,000 lines of TypeScript. Built entirely on Lovable by a solo non-technical founder in 6 months. Genuinely impressive product - complete RBAC, 120+ custom hooks, multi-role auth with audit logging. The AI built things that would take a traditional team over a year.

But underneath:

Passwords generated with Math.random() instead of crypto. Database security policies wide open for the first two months. Every API endpoint accepting requests from any website on the internet. Over 30 AI functions hardwired to the platform's proprietary gateway - if the founder ever leaves Lovable, every AI feature dies instantly with no fallback. And 2 test files for the entire 600,000 line codebase.

This week, Lovable itself had a security breach. A researcher made 5 API calls from a free account and accessed other users' source code, database credentials, Stripe keys, and full AI chat histories. The vulnerability was reported in March and ignored for 48 days.

The pattern is consistent across every platform: AI is great at the visible (UI, features, flows) and weak at the invisible (security, testing, architecture, vendor dependencies). The founder sees a product ready to scale. We see a list of things that will break under pressure.

Three things you can check yourself right now:

  • Search your migration files for USING (true). In a CREATE POLICY statement that expression makes the row-level security policy pass every row, and a policy with no TO clause applies to every role, anonymous included, so anyone holding your public API key can read (and, with WITH CHECK (true), write) every row in that table. The one common exception is a USING (true) policy restricted TO service_role, because that key stays on the server.
  • Check whether you have a Stripe webhook handler that verifies the Stripe-Signature header against the endpoint's signing secret and grants access only on checkout.session.completed when the session's payment_status is paid. If you don't, your app might grant access without confirming the payment went through; the client-side redirect to your success page is not confirmation, anyone can open that URL.
  • Look at what domain your serverless functions call. If every AI feature routes through your platform's gateway URL instead of the provider's API directly (like api.openai.com), you're locked in.

What it costs to fix:

An audit at the stage where you have a working MVP and some revenue is typically $500 and takes 2-3 days. You get a prioritised list of what's actually wrong and what to fix first.

Fixing the critical security issues (open database policies, missing payment verification, exposed credentials) is usually 1-2 days of work. Not expensive. Not dramatic.

A full migration off the platform to your own infrastructure runs $2,000-15,000 depending on size and complexity. For context, that's roughly what most founders spend on 2-4 months of no-code platform subscriptions and AI credits combined.

The expensive path is discovering these issues from a security incident, a failed funding round, or a developer who quits after two weeks because the codebase is unmaintainable. That costs 3-5x more to fix than catching it early.

Happy to answer questions about what I see in these codebases - I've reviewed over 50 at this point.

on April 23, 2026