Prototype rescue · Lovable

Make your Lovable app production-ready.

Kyln takes apps built in Lovable to production. Senior London engineers read what the AI wrote, from Supabase policies and auth to keys and deploys, then salvage, refactor or rebuild it into software you can charge for. Reviews start at £1,500, and every price is public.

React + Vite · Supabase · GitHub sync · review from £1,500
Where it breaks

Where Lovable apps break.

Lovable is the fastest route from idea to working demo: React in front, Supabase behind, publish in a click. The trouble starts when strangers begin to pay. Six failure modes do most of the damage.

Why the last 20% is the hard part

Row-level security that lies

Lovable apps lean on Supabase, and Supabase is only safe when row-level security is right. Generated policies are often missing or wrong, so any signed-in user can query other people's data. It looks fine in the demo. It is a breach the day a second customer signs up.

Keys in the browser

Secrets end up wherever they made the demo work, which is usually the client bundle. Anyone can open DevTools and take them. Moving them server-side properly means edge functions and a real config story, not a quick find-and-replace.

Auth that half-works

Sign-up generates cleanly, then the detail is missing: no email verification, no role model, admin pages protected by nothing but an unlisted URL.

One environment: production

There is no staging. Every prompt edits the app your users are on, and a regenerated page can quietly drop the feature next to it. The safety net is screenshots.

A schema nobody chose

The database grew by prompt: duplicate tables, no migration history, types that fight the product. Code can be regenerated in an afternoon; your customers' data cannot.

Prompt-loop economics

Past a certain size, each fix breaks something else and the credits go on regeneration roulette. That is usually the moment to put an engineer on the root cause rather than another hundred prompts at the symptoms.

The takeover

What survives, what changes.

A takeover is not a teardown. Lovable got the product in front of people, and the review names what that earned you before anything gets replaced.

What usually stays
  • The product. Lovable proved someone wants this, and that validation is the expensive part.
  • Your Supabase project. Data, auth users and storage usually stay put while policies and schema are fixed around them.
  • The repo. Lovable syncs to GitHub, so the work happens on real code in version control.
  • The design, mostly. Screens that convert are kept and componentised, not repainted.
What gets fixed
  • RLS policies rewritten and tested per table, per role.
  • Secrets out of the bundle and into server-side config.
  • Auth completed: verification, roles, sessions, protected routes.
  • Real environments: staging, previews and deploys that roll back.
  • Migrations, so the schema can change without hand-editing production.
  • Tests around money, auth and the flows that would hurt first.
The review · from £1,500 · about a week

First, someone senior reads it.

The entry point is a fixed-scope review, from £1,500, about a week from access to answer. A senior engineer reads the code. Josh, Kyln's founder, signs off every review.

You get a prioritised risk list tied to user and business impact, and a prescription with costs: salvage, refactor or rebuild. If the app is closer to ready than you feared, the review says that instead. The fee buys the honest answer, not a sales document. How that call gets made.

After the fix, most teams keep us on a care plan: hosting, monitoring, security updates and small changes, from £175 a month. Where the product needs someone to own where it goes next, not just keep it running, that can include fractional-CTO direction, from £3,000 a month.

What we read on a Lovable app
  • Every RLS policy against every table: who can actually read and write what.
  • The client bundle, for keys, tokens and endpoints that should not be public.
  • Auth end to end: sign-up, verification, reset, roles, admin surfaces.
  • Edge functions and the blast radius of the service-role key.
  • Schema and data model, and what a safe migration path looks like.
  • Deploys, custom domains and what happens the day you need to roll back.
Production readiness · free · 2 minutes

Is your AI-built product safe to sell yet?

The Production Readiness Scorecard is a two-minute self-assessment that grades how close your product is to something you can safely put in front of paying customers, and names the risks standing in the way.

  1. 01

    Describe what you built

    One line on what your product does and how many paying customers it has today.

  2. 02

    Answer honestly

    A short set of pointed questions across auth, data, security, testing and operations.

  3. 03

    Get your grade and risks

    An instant letter grade and a “% ready” score, then your three biggest risks ranked worst-first, specific to what you’ve built.

Get your grade
Free · no account · top-line grade is instant
How the grade is worked out
Kyln

C

64% ready

Promising, but not safe to charge for yet. Three issues would bite a real customer first.

Top risks · worst first

  • 01Admin endpoints have no authentication
  • 02API keys are committed to the repository
  • 03No automated tests run before deploy

Sample · your result is personalised

Lovable rescue questions

Want to talk through the fit? Email contact@kyln.digital

Yes. Lovable syncs to GitHub, so we work on the real code in version control while you keep the Lovable project. Where sync was never enabled, we export the code and set that up first.