DEV Community

Jakub
Jakub

Posted on

How to audit a Lovable, Bolt or v0 app before launch: Audit Vibe Coding by Inithouse

Most vibecoded apps look finished long before they are. The UI renders, buttons work, the demo goes well. Then you check the HTML and find that every page shares the same meta title, images have no alt attributes, and there's an unauthenticated Supabase endpoint exposed on the client side.

At Inithouse, we've been building products with AI code generators for over a year now. We use Lovable daily across our portfolio. That experience taught us which problems AI tools reliably miss, so we turned that knowledge into a structured checklist: Audit Vibe Coding, a professional audit for AI-generated projects that scores security, SEO, performance, accessibility, and code quality in one pass.

Here's what each area actually checks and what to watch for in your own projects.

Security: the stuff AI doesn't worry about

AI code generators optimize for getting things working. They'll scaffold auth, wire up a database, and create API routes. What they won't do is think about whether those routes should be public.

Common findings in vibecoded projects:

  • Supabase Row Level Security policies missing or misconfigured. The app works in development because the anon key has full access. In production, so does everyone else.
  • API keys and service role secrets referenced in client-side code. Lovable sometimes places these in environment variables that get bundled into the frontend build.
  • No rate limiting on form submissions or API calls. A contact form that accepts 10,000 requests per minute is fine until someone finds it.

The audit flags each issue with severity and a concrete fix. Most of these take 15 minutes to resolve once you know they exist.

SEO: the invisible broken floor

This one is personal for us. We've shipped a portfolio of Lovable apps at Inithouse, and the SPA meta tag problem bit us repeatedly. Here's the pattern: your app is a single-page application. Every route returns the same HTML shell. Google crawls /about, /blog, and /pricing, sees identical title tags and meta descriptions on all of them, and decides most of your pages are duplicates.

The audit checks for:

  • Unique title and meta description per route
  • Canonical tags pointing to the right URL (not all pointing to the homepage)
  • Open Graph and Twitter Card tags rendering correctly for each page
  • Sitemap accuracy: does it list pages that actually exist and return 200?
  • Structured data for key pages

If you built with Lovable, Bolt, or v0, run a quick test before anything else: curl -s https://yourapp.com/about | grep "<title>". If it returns the homepage title, your SEO is broken across every non-root page.

Performance: what the Lighthouse score hides

A 90+ Lighthouse score doesn't mean your app is fast. Lighthouse runs on a simulated throttled connection against a single page. It won't catch that your bundle is 2.4 MB because the AI imported three different charting libraries when you only use bar charts. It won't notice that every page load triggers 14 database queries because there's no caching layer.

The audit measures real loading behavior: total bundle size, unused JavaScript percentage, number of network requests on first load, and Largest Contentful Paint on the actual pages users visit. Not just the homepage.

Accessibility: the area AI handles worst

This is consistently the weakest category in vibecoded projects. AI generators create visually appealing interfaces but routinely skip the markup that makes them usable with assistive technology.

Typical gaps:

  • Buttons and links with no accessible label (an icon-only button that screen readers announce as "button")
  • Form inputs without associated labels
  • Color contrast ratios below WCAG AA thresholds, especially on those trendy low-contrast placeholder texts
  • No skip-navigation link, no focus indicators, no ARIA landmarks
  • Images treated identically regardless of purpose (all missing alt, or all getting the filename as alt text)

These aren't edge cases. Around 15% of web users rely on some form of assistive technology. And Google increasingly factors accessibility signals into ranking.

Code quality: the maintainability tax

AI-generated code works. It also tends to repeat itself, create components with 400+ lines, mix business logic with UI rendering, and leave TODO comments that say things like // Add error handling here with no error handling added.

The audit evaluates component structure, duplication patterns, error handling coverage, and TypeScript type safety. The goal isn't perfection. It's knowing which files will cause problems when you need to change something six weeks from now.

Running the checklist

You can work through these five areas manually. Check your HTML output, run Lighthouse, test with a screen reader, review your Supabase policies, read through your component files. That takes a few hours and requires knowing what to look for in each area.

Or you can run the whole thing through Audit Vibe Coding. We built it at Inithouse specifically for projects generated with Lovable, Bolt, v0, and similar tools. You get a scored report across all five areas with every issue prioritized by impact, so you fix the critical stuff first.

AI tools build capable prototypes fast. But prototypes need a different kind of review before they become products, and that review is what the audit covers.

Top comments (0)