Vibe Coding Production Systems? We Make Sure They Don't Break.

A health and wellness DTC brand on Shopify had built a loyalty and retention system using Lovable connected to Klaviyo, Stripe, and a custom AI agent for customer service responses. The founder had built it in a sprint after watching a YouTube tutorial. It worked beautifully — until it didn't.

A non-idempotent Stripe webhook handler in the Lovable backend was occasionally double-charging customers when Stripe retried failed callbacks. The error rate was roughly 0.4% — small enough that customer service triaged each one as a one-off without escalating, large enough that £18,000 in duplicate charges had accumulated before anyone connected the dots. The AI customer service agent was also quoting return policies it had hallucinated, committing the brand to refunds outside the actual policy.

• Forensic audit of three months of Stripe transaction data to identify every duplicate charge and reconcile against orders
• Rebuilt the webhook handler with proper idempotency keys and a deduplication layer
• Implemented Sentry-based error monitoring with PagerDuty escalation for any payment-related anomaly
• Replaced the freeform AI customer service agent with a constrained version grounded in the actual returns policy document, with all responses logged for review
• Added a daily reconciliation job comparing Stripe charges to Shopify orders, flagging any mismatch by 9am
• Wrote the operations runbook the customer service team now uses for payment incidents

All £18,000 in duplicate charges identified, refunded with apology credit, and customers retained — net promoter score actually rose post-incident because of how it was handled. Zero payment incidents in the six months since. The AI customer service agent's accuracy on policy questions is now measurable and audited monthly.

A specialist tech recruitment firm had built a candidate sourcing and shortlisting pipeline using Cursor and Replit Agent — Python scripts pulling from LinkedIn Sales Navigator, enrichment via Apollo, AI-based CV scoring, and outreach automation across LinkedIn and email. Two consultants ran it. It was producing strong results.

The LinkedIn automation was sending connection requests at a velocity that flagged it for detection — the agency had already had one consultant's account permanently restricted but assumed it was bad luck. The AI shortlisting model had no documentation, no fairness review, and was trained on the agency's historical placement data — which embedded the same demographic patterns the agency had historically placed. There was no audit log of why a candidate was rejected. One Equality Act claim and the agency had no defensible process to point to. Candidate personal data was also being processed by three different AI services with no DPA in place with any of them.

• Rebuilt the LinkedIn outreach within Sales Navigator's actual ToS limits and added human-in-the-loop approval for connection requests
• Conducted a fairness audit on the shortlisting model, identified the bias vectors, and rebuilt it with explicit demographic-blind features and documented decision logging
• Put DPAs in place with every AI vendor handling candidate data; switched two of them out for UK/EU-based alternatives
• Implemented a candidate-facing privacy notice explaining AI involvement in shortlisting (a GDPR Article 22 obligation the agency hadn't realised applied)
• Wrote the AI hiring policy, the candidate data handling SOP, and a quarterly model review process the firm now runs internally
• Ongoing governance retainer: every change to the shortlisting model is reviewed before deployment

No further LinkedIn account restrictions. The agency successfully responded to a candidate subject access request that previously would have been impossible to answer. Shortlisting model demographic outcomes now monitored monthly with documented review. Two enterprise client wins where the agency's documented AI hiring process was specifically cited in the procurement decision.

A growing private clinic chain had built a patient communication system in Base44 connecting to their booking platform and sending WhatsApp and SMS reminders for appointments, post-procedure check-ins, and prescription readiness. The clinic manager had built it because the booking platform's native reminders were "too generic". It had been running for four months.

A logic error in the patient lookup function — the kind that AI-generated code can produce when handling edge cases — was occasionally matching the wrong patient record when two patients shared a first name and a postcode area. Wrong appointment details, wrong procedure information, and in two cases, prescription readiness alerts were sent to the wrong people. Each instance was a notifiable special category data breach under UK GDPR. The clinic had no DPIA, no clinical safety review of the AI-generated communications, and no audit log to even quantify how many patients had been affected.

• Immediate triage: paused the automation, identified all affected patients via a forensic review of WhatsApp and SMS send logs, supported the clinic's notification to the ICO under Article 33
• Rebuilt the patient matching logic with proper unique-identifier matching (NHS number where present, internal patient ID otherwise)
• Wrote the DPIA the clinic should have had from day one, plus the clinical safety case for AI-generated patient communications
• Implemented a two-stage approval workflow: AI drafts, human reviews, only then sends — for any communication containing clinical content
• Set up logging that retains every sent communication for the seven-year clinical record retention period
• Trained the clinic's operations team on the new policy and the incident escalation process

ICO accepted the breach notification with no enforcement action — specifically citing the documented remediation as a mitigating factor. Zero recurrence in the nine months since. The DPIA and clinical safety case are now part of the clinic's CQC inspection evidence pack. The clinic group has used the same framework when expanding to two new locations.

A boutique strategy consultancy with eight staff had built its entire client engagement workflow inside a combination of Base44, Notion, and a custom Cursor-built automation layer. Client onboarding, project tracking, document generation, time logging, and invoicing all ran through systems only the founder fully understood. She was about to go on maternity leave.

Pure key-person dependency. The founder had built everything herself, in her own naming conventions, with prompts saved nowhere and architectural decisions documented nowhere. Two of the integrations had hardcoded API keys that would expire during her leave. The invoicing automation had a known bug she'd been "meaning to fix". If any single piece broke, nobody else could diagnose it. She was preparing to either work through her leave or scale the business back to a level the rest of the team could manually manage.

• Two-week intensive documentation sprint: every system mapped, every integration documented, every credential rotated and properly stored, every prompt saved and version-controlled
• Identified and fixed the eleven highest-risk failure points, including the invoicing bug
• Built a "system health dashboard" the team can check daily without needing technical knowledge — green/amber/red on every critical workflow
• Wrote runbooks for the most likely failure modes, in plain language, that any team member can follow
• Trained the senior team on the system architecture so two other people fully understand how everything fits together
• Quarterly retainer for ongoing review and to be on-call as the technical escalation point during the founder's leave

The founder went on a full nine months of maternity leave. The business operated at full capacity throughout. Two automation issues arose during her leave; both were resolved by the team using the runbooks without needing escalation. The consultancy's enterprise value has materially increased — the systems are now documented assets rather than founder-dependent risks, which has changed the firm's positioning in ongoing acquisition conversations.

A Series A-stage SaaS startup had built rapidly using Base44 for customer onboarding, Lovable for the customer-facing portal, and traditional development for the core product. The vibe-coded layer had been brilliant for speed — they'd shipped onboarding flows in days that would have taken weeks. Then the Series A lead investor's CTO ran technical due diligence.

The CTO's report flagged three blockers. First: critical customer onboarding logic locked inside Base44 with no exportable backend, creating platform risk the investor wouldn't accept. Second: no SOC 2 readiness, which the investor required as a condition of investment. Third: customer data flowing through three separate vibe-coded systems with no documented data governance. The round was paused pending remediation. Three months of legal fees and momentum were on the line.

• Migrated the critical onboarding logic out of Base44 into the startup's existing Node.js stack, preserving the user experience while putting the code under version control and proper testing
• Implemented full data flow documentation across all systems — what data lives where, who can access it, how it's protected
• Set up the foundational SOC 2 controls (access management, change management, vendor management, incident response) and produced the policy documentation
• Kept Lovable for the customer portal but added monitoring, logging, and a documented exit plan
• Worked directly with the investor's CTO during the re-review to walk through the remediation
• Handed over to the startup's first technical hire with full documentation

Series A closed nine weeks after engagement start. The investor's CTO specifically called out the speed and quality of the remediation in the closing memo. The startup retained the velocity benefits of vibe-coded tools where appropriate while removing them from the diligence-blocking critical path.