AI code generators made a working demo cheap. They did not make a working business cheap. The distance between the two is measurable, and closes the same way it always has: with typed data models, real backends, tests, security review, and observability.
Below is the 21-point checklist we run every AI-built app through before it can be called production-ready. Score yours honestly. Everything below 15 is a migration conversation.
Data model integrity (points 1–5)
- 1Every entity has a canonical schema defined in code (not a Mongo blob or a stringified JSON column).
- 2Every foreign key is enforced at the database, not just the application.
- 3Every mutable field has a type, string, number, timestamp, not 'string that might be JSON.'
- 4Migrations are versioned and replayable, you can rebuild the schema from scratch by running scripts.
- 5Test data is generated from the schema, not copied from production.
Backend integration (points 6–10)
- 1Every external service call has retries, timeouts, and structured error handling.
- 2Rate limits and quotas are respected in code, not just prayed at.
- 3Idempotency keys used on every state-changing endpoint that a client might retry.
- 4Webhooks are signed, verified, and processed in a durable queue (not directly in the request cycle).
- 5Every integration has an observable, alerted health check.
Security (points 11–15)
- 1Authentication happens through a real provider (Clerk, Auth0, Firebase Auth), not a hand-rolled session.
- 2Every mutation is authorised at the row level, not just the route level.
- 3OWASP Top 10 is defended against, parameterised queries, output encoding, CSP, secure cookies, CSRF, etc.
- 4Secrets never appear in code, git history, chat, or issue trackers.
- 5Dependency audit runs on every merge and blocks known-critical CVEs.
Testing and delivery (points 16–21)
- 1Every critical user flow has an integration or E2E test that runs on every merge.
- 2Every server-side action has at least one unit test asserting authorisation.
- 3Deploys are automatic, reversible, and produce a versioned artifact.
- 4Errors go to a real error tracker (Sentry, Bugsnag) with source maps and user context.
- 5Structured logs go to a real store (Datadog, Grafana, or your cloud provider).
- 6You can answer 'what happened in the last hour' without reading the code.
Score < 12? You have a demo. 12–17? You have a working prototype. 18+? You have production code. Migration takes you from any point on the curve to 21.
How we run the migration
Two-week refactor sprint. Week 1 is data model, backend integration, and security. Week 2 is testing and observability. We work from the AI-generated codebase, not a clean rebuild, nothing you shipped gets thrown away unless it can't be salvaged.
If you'd like a scored review of your specific codebase, book a call, the review sits inside the first scoping conversation and is free.