Blog
- An agency's guide to inheriting a client's vibe-coded appDraft
7 July 2026
A client hands you an app they built with AI and wants you to run it. Here's how to assess the risk, scope the work, and price it before you say yes.
- Vendor lock-in with AI app builders: what's actually portableDraft
7 July 2026
Not all lock-in is equal. Here's how to tell which parts of your AI-built app you can take with you and which parts you'd have to rebuild, before you're forced to choose.
- Your AI-generated app probably has no real backup. Here's the riskDraft
7 July 2026
AI builders make it easy to ship, easy to skip backups. Here's how to check whether your app is actually backed up, and how to fix it if it isn't.
- What breaks first when an AI-generated MVP gets real trafficDraft
7 July 2026
Your AI-built app runs fine with ten users. Here's what falls over first at a thousand, and how to fix each failure before it costs you the launch.
- Background jobs and queues: what AI app builders don't set up for youDraft
7 July 2026
AI tools wire slow work straight into the web request, so your app times out or drops tasks. Here's a simple, reliable Postgres-backed job queue you can add today.
- How to back up your Lovable or Supabase app (and actually test the restore)
7 July 2026
Lovable Cloud gives you 14 days of daily backups. Here's how to set up your own tested backup with point-in-time recovery, and why the restore test matters more than the backup itself.
- Signs your Base44 app has outgrown the platformDraft
7 July 2026
Base44 gets you from idea to working app fast. Here are the concrete signs you've outgrown it, and what to weigh before you move.
- Bolt.new custom domain setup: DNS, SSL, and the gotchasDraft
7 July 2026
Point your own domain at a Bolt.new app the right way, with the DNS records, SSL fixes, and propagation traps that trip people up.
- Bolt.new database connection limits and what they mean for your launchDraft
7 July 2026
Your Bolt.new app runs fine in the editor, then falls over on launch day. Here's why database connection limits are usually the cause, and how to check yours.
- Building a managed hosting business as a team of oneDraft
7 July 2026
An honest look at building a managed hosting business solo: where the time goes, what one person can promise, and what has to be automated or dropped.
- Caddy vs Nginx for a side project you're about to make realDraft
7 July 2026
An honest Caddy vs Nginx comparison for small apps, with real config for both and a clear call on which one to reach for when you're going from prototype to production.
- Choosing a real stack once your AI-generated prototype actually worksDraft
7 July 2026
Your vibe-coded prototype works and now you're wondering what to build it on for real. A decision framework for picking a stack you won't regret in six months.
- Deploying a Claude Code or Cursor project to a Hetzner server the right way
7 July 2026
An end-to-end guide to deploying your own vibe-coded app on a Hetzner VPS: hardening, Docker, automatic HTTPS with Caddy, and zero-downtime deploys.
- How Claude Code projects leak API keys, and how to catch it before launchDraft
7 July 2026
AI-generated projects often hardcode secrets or commit .env files by accident. Here's how to scan your Claude Code project for leaked keys in a few minutes.
- How to review a pull request when an AI wrote most of itDraft
7 July 2026
AI writes plausible code fast, which is exactly what makes it hard to review. Here's a concrete checklist for reviewing AI-generated pull requests.
- VPS vs cloud platform vs colocation for a small SaaS: how to actually decideDraft
7 July 2026
Three ways to host a small SaaS, honestly compared on cost, effort, and risk. Most small SaaS should not colocate, and here's when they should.
- What an hour of downtime actually costs a solo-founder SaaSDraft
7 July 2026
A back-of-envelope cost model for downtime at a small SaaS: lost revenue, refunds, support time, and the churn and reputation hit that outlast the outage.
- Is code from Cursor production-ready? A checklist before you shipDraft
7 July 2026
Cursor writes clean-looking code fast, but clean-looking isn't production-ready. A concrete checklist to run before you ship anything Cursor built.
- Data processing agreements for SaaS hosting: what to actually check forDraft
7 July 2026
A plain-language guide to reading a SaaS hosting DPA, so you know which clauses matter before you sign or file it away.
- Database export formats across AI app builders: what you can actually take with youDraft
7 July 2026
Some builders hand you a real Postgres dump. Others give you a CSV and a shrug. Here's what each one lets you export, and why the format matters.
- Fixing the missing indexes in an AI-generated database schemaDraft
7 July 2026
AI tools rarely add database indexes, so queries that were instant at 100 rows crawl at 100,000. Here's how to find the missing ones with EXPLAIN and fix them.
- Running database migrations on a live AI-generated app without downtimeDraft
7 July 2026
A schema change can lock your table and take your app offline mid-request. Here's the additive-first pattern that lets you change the database while users keep working.
- Keeping dependencies updated in code you didn't write yourselfDraft
7 July 2026
AI-built apps ship with dozens of packages you never chose. Here's how to find the vulnerable ones and keep them patched without breaking your app.
- A Docker Compose setup for AI-generated apps that actually works in productionDraft
7 July 2026
A production-ready docker-compose.yml for AI-built apps: app, Postgres, PgBouncer, and Caddy, plus the restart, health, and volume settings people forget.
- DPA vs terms of service: why they're not the same documentDraft
7 July 2026
A data processing agreement and terms of service do different jobs. Here's how to tell them apart and check you actually have the one GDPR requires.
- Environment parity: why your AI-generated app behaves differently in productionDraft
7 July 2026
It works on your laptop but breaks live. The usual cause is a mismatch between your dev and production settings. Here's how to find it and close the gap.
- EU data residency and AI app builders: who hosts whereDraft
7 July 2026
Where popular AI app builders store data by default, why it usually lands in the US, and how to check where your own app's data actually sits.
- EU hosting for AI apps: a checklist before your next customer security questionnaireDraft
7 July 2026
The EU hosting and data-residency questions a customer security questionnaire will ask about your AI-built app, and how to answer them before they do.
- Your Supabase keys are probably in your frontend bundle. Here's how to check in 5 minutes
7 July 2026
A copy-pasteable, 5-minute self-check for whether your Lovable or Supabase app is leaking a privileged key to anyone who opens the page.
- Audit trails for a vibe-coded fintech tool: what regulators expectDraft
7 July 2026
What an audit trail needs to record in a fintech context, and how to check whether your AI-built tool actually has one. Practical, not formal legal advice.
- Migrating from Firebase to Postgres: a complete guideDraft
7 July 2026
Real steps to move a Firebase app to Postgres: export Firestore, map documents to tables, migrate auth, and cut over without losing data.
- The first weeks of building Stackbastion in publicDraft
7 July 2026
An honest early-days look at building a hosting business in public: why it exists, what's built so far, and what's still just a plan.
- Framer AI sites and their backend limitations, explainedDraft
7 July 2026
Framer AI builds gorgeous sites fast, but it's a frontend tool. Here's what it can't do on the backend, and how people work around it.
- A freelancer's checklist before handing off an AI-built app to a clientDraft
7 July 2026
The handoff is where AI-built projects fall apart. A concrete checklist for credentials, backups, domain ownership, and docs so the client can actually run it.
- The 72-hour GDPR breach notification clock, and why AI-built tools miss itDraft
7 July 2026
How the 72-hour GDPR breach deadline works, what starts the clock, and why apps built fast on AI platforms are the ones that blow it.
- GDPR-compliant backups: what your retention policy actually needs to sayDraft
7 July 2026
How to write a backup retention policy that satisfies GDPR: how long to keep backups, when to delete, and how restores square with the right to erasure.
- GDPR-compliant hosting for AI-generated apps: what SME teams actually need to check
7 July 2026
A practical GDPR checklist for the AI-built internal tools your team already relies on: DPAs, data residency, and the questions your compliance officer will ask.
- Handling a data subject access request for an app nobody remembers buildingDraft
7 July 2026
A step-by-step way to answer a GDPR data subject access request when the app holding the data was AI-built and nobody owns it.
- AI-built tools in healthtech: the compliance risk nobody flaggedDraft
7 July 2026
Health data raises the GDPR stakes. What to check when an AI-built tool in a healthtech setting quietly starts holding patient or health information.
- Why we're building Stackbastion
7 July 2026
Vibe coding made building software easy. Almost nothing made running it in production easy. That's the gap this blog is about.
- Deploying a Next.js app to Hetzner the right wayDraft
7 July 2026
A full walkthrough for deploying a Next.js app to a Hetzner server with Docker and Caddy, from provisioning the box to automatic HTTPS.
- Hetzner vs AWS for a small SaaS: what you're really paying forDraft
7 July 2026
A Hetzner box can cost 5x less than the AWS equivalent. Here's what that price gap actually buys you, and when AWS still wins.
- What to look for when hiring a developer to fix AI-generated codeDraft
7 July 2026
Hiring a dev to fix a vibe-coded app is different from normal hiring. The vetting questions that separate someone who'll help from someone who'll rewrite everything.
- How much does it actually cost to make a vibe-coded app production-ready?Draft
7 July 2026
Real cost ranges to take an AI-built app from demo to production: time, money, and the hidden costs nobody quotes you. Honest numbers, not a sales pitch.
- How we host this site (and why the product itself still runs on Hetzner)Draft
7 July 2026
How this site is hosted: the marketing site runs on Railway as a static site, while the customer product stays on Hetzner. Here's why the split is deliberate.
- How to deploy an AI-generated app when you've never touched a terminalDraft
7 July 2026
A beginner walkthrough for putting your AI-built app online, from picking a host to running your first real deploy command, with every step explained.
- What happens when your vibe-coded app goes down at 3amDraft
7 July 2026
A walkthrough of the anatomy of a vibe coded app down at 3am: the alert, the diagnosis, the fix, and the postmortem, from the inside.
- An incident response plan for a team of oneDraft
7 July 2026
When your app goes down and you're the only person who can fix it, you need a plan you can follow at 2am. Here's a runbook template for solo founders.
- Load-testing your app before a Product Hunt launchDraft
7 July 2026
A Product Hunt feature can send hundreds of people at once. Here's how to find your app's breaking point with a free tool before launch day does.
- Logging for AI-generated backends: what to capture before you need itDraft
7 July 2026
AI tools generate apps with console.log and nothing else. Here's the log-field checklist and structured format that turns a 3am outage into a 5-minute fix.
- My Lovable app got hacked: what to do in the first hourDraft
7 July 2026
A calm, ordered playbook for the first 60 minutes after your Lovable app is compromised: contain, rotate, assess, and recover without making it worse.
- Lovable Cloud vs your own Postgres: what you give up either wayDraft
7 July 2026
Lovable Cloud is fast and hands-off. Your own Postgres is portable and controllable. Here's an honest look at what each one costs you, so you can pick on purpose.
- Lovable environment variables: what's actually secret and what isn'tDraft
7 July 2026
Not every value in your Lovable env is a secret, and some things you think are safe aren't. Here's how to tell which is which before you ship.
- Exporting your Lovable app and self-hosting it: a real walkthroughDraft
7 July 2026
A step-by-step walkthrough for exporting your Lovable app to GitHub and self-hosting the frontend and Supabase backend on your own infrastructure.
- Moving Supabase Auth off Lovable without breaking every sessionDraft
7 July 2026
Migrating auth is where people log out their whole userbase by accident. Here's how to move Supabase Auth off a Lovable app while keeping existing sessions and users intact.
- Managed Postgres providers compared: Neon, Supabase, RDS, and self-hostedDraft
7 July 2026
An honest comparison of Neon, Supabase, Amazon RDS, and self-hosted Postgres on cost, backups, lock-in, and who each one actually fits.
- Monitoring error rates for a solo-founder app without an enterprise budgetDraft
7 July 2026
You don't need a $99/month plan to know when your app is throwing errors. Here are the low-cost and self-hosted options that actually work for one person.
- Moving off Replit to real production hosting: a step-by-step planDraft
7 July 2026
Replit is great for building. It's not built to be your production home. Here's an honest, step-by-step plan to move your app to real hosting.
- Why every AI-built tool needs a named, accountable ownerDraft
7 July 2026
Article 28 GDPR and the accountability principle mean someone must own each AI-built tool. Here's why, and how to assign ownership without slowing your team.
- A non-technical founder's guide to knowing if your app is production-readyDraft
7 July 2026
You built an app with AI but can't read the code. Here's a plain-language checklist to tell if it's safe to put in front of real, paying users.
- PlanetScale vs self-hosted Postgres for an app that's outgrown its free tierDraft
7 July 2026
PlanetScale vs self-hosted Postgres compared on cost, scaling, and effort, so you can pick the right database once your free tier runs out.
- Point-in-time recovery for Postgres: what it actually buys youDraft
7 July 2026
A daily snapshot restores you to last midnight. Point-in-time recovery restores you to the exact second before things broke. Here's the mechanism, and how to run it.
- Why your AI-generated app needs PgBouncer, not just more database connectionsDraft
7 July 2026
AI-built apps open a new Postgres connection per request and hit the wall under load. Here's why raising max_connections backfires, and the PgBouncer config that fixes it.
- Postmortem: a connection pool exhaustion that looked like a hackDraft
7 July 2026
How a database connection pool ran dry, why it looked like an attack, and the simple fix that would have prevented it.
- Postmortem: an exposed API key and a surprise billDraft
7 July 2026
How a single API key left in frontend code turned into a four-figure bill overnight, and the checks that stop it.
- Postmortem: the backup that looked fine until it was neededDraft
7 July 2026
A backup ran every night for months and still couldn't restore the data. Here's why, and how to test yours before you need it.
- The production checklist for Lovable apps: 15 things to fix before real users arrive
7 July 2026
A 15-point checklist for Lovable, Bolt, and Claude Code apps: real commands to check leaked keys, missing backups, and open admin routes before you get real users.
- Ten questions to ask before you launch an AI-built app to real usersDraft
7 July 2026
A 10-question pre-launch checklist for vibe-coded apps. If you can't answer all ten with a clear yes, you're not ready for real users yet.
- Rate limiting, CORS, and debug mode: the 20-minute hardening pass for AI-generated backendsDraft
7 July 2026
Three config fixes that stop the most common attacks on AI-built backends: a rate limit, a locked-down CORS policy, and debug mode turned off.
- Render vs Railway vs Hetzner: cost and control compared for a growing appDraft
7 July 2026
A plain comparison of Render, Railway, and Hetzner on price, effort, and control, so you can pick the right host as your app grows.
- Replit Always On vs real hosting: what you're actually paying forDraft
7 July 2026
Replit Always On keeps your Repl awake, but that's not the same as production hosting. Here's what the feature does, what it doesn't, and when you've outgrown it.
- Replit's included database: what it's fine for, and where it isn'tDraft
7 July 2026
Replit ships with a built-in database that's great for prototypes. Here's an honest look at what it handles well and the points where a real app outgrows it.
- Replit deployment alternatives: when Replit hosting isn't enoughDraft
7 July 2026
A clear-eyed look at where Replit hosting hits its limits and the alternatives worth moving to when your app gets real traffic.
- Secrets management for vibe-coded apps: beyond .env filesDraft
7 July 2026
A .env file is fine on your laptop and a liability in production. Here's how to run a real secrets setup without a heavyweight vault.
- Self-hosting vs PaaS: the real cost once you add backups and monitoringDraft
7 July 2026
The honest total cost of self-hosting vs PaaS once you add tested backups, monitoring, and your own time. The €5 server isn't €5.
- Shadow IT: the AI-generated internal tool nobody in compliance knows aboutDraft
7 July 2026
AI tools let anyone ship an internal app in a weekend. Here's how to find the ones compliance never reviewed, and what to do about them.
- Softr + Airtable: where the scaling problems startDraft
7 July 2026
The Softr and Airtable combo is brilliant for launching fast, then hits hard walls: record caps, API rate limits, and slow reads. Here's where they bite.
- Automating SSL certificate renewal so it never expires on you againDraft
7 July 2026
An expired certificate turns your whole site into a scary browser warning. Here's how to make renewal automatic so it never happens, using Caddy or certbot.
- Why your AI-generated app needs a staging environment, and how to add one cheaplyDraft
7 July 2026
Testing changes on your live app means your users are your test suite. Here's how to add a staging environment for a few euros a month.
- Why your Supabase project paused itself, and how to stop it happening in productionDraft
7 July 2026
Supabase pauses free-tier projects after a week of inactivity. Here's why it happens, how to bring a paused project back, and how to make sure it never happens to a live app.
- What Supabase actually costs once you're past the free tierDraft
7 July 2026
The free tier is generous until it isn't. Here's what Supabase really costs at Pro and beyond, including the add-ons that quietly inflate the bill.
- Supabase row-level security exposed: how to audit your policies in 15 minutesDraft
7 July 2026
A copy-pasteable SQL audit that finds every Supabase table with RLS off or protected by a policy that lets everyone in, in about 15 minutes.
- Migrating from Supabase to your own Postgres: the complete guideDraft
7 July 2026
The real decisions in a Supabase-to-Postgres move aren't the data dump. They're auth, RLS, and rollback. Here's the decision tree that keeps you safe.
- Where technical debt actually hides in AI-generated appsDraft
7 July 2026
AI-built apps carry a specific kind of debt: duplicated logic, missing indexes, no error handling. Here's where to look and how to spot each one.
- The total cost of ownership of managing your own hosting vs paying for managedDraft
7 July 2026
A €16 server looks cheaper than a €89 managed plan until you price your own time. Here's the real TCO math, hours included.
- Uptime monitoring for solo founders: what to set up in one afternoonDraft
7 July 2026
Self-hosted uptime monitoring with Uptime Kuma, set up in an afternoon. Know your app is down before your users email you, with alerts to your phone.
- v0 apps and the database limits nobody mentionsDraft
7 July 2026
v0 builds a beautiful frontend fast, then quietly hands you a database with limits that bite at scale. Here's what to watch before they do.
- A vendor risk assessment template for AI app buildersDraft
7 July 2026
A simple, copy-ready vendor risk assessment for Lovable, Bolt, and other AI app builders, so your team can score a tool before it holds real data.
- Vercel hosting costs once your AI-built app starts scalingDraft
7 July 2026
Vercel is smooth to start and painful to predict at scale. Here's what actually drives the bill, and where usage-based pricing bites hardest.
- Vercel vs Railway vs self-hosting for AI-built apps: honest cost and risk comparisonDraft
7 July 2026
A real three-way comparison of Vercel, Railway, and self-hosting for AI-built apps, covering cost, effort, and risk, with the scenarios where each one actually wins.
- Custom domain and SSL for a vibe-coded app: the parts that trip people upDraft
7 July 2026
Pointing a domain at your AI-built app and getting HTTPS working sounds simple until it isn't. Here's the DNS and SSL walkthrough, plus the gotchas that waste an afternoon.
- The vibe coding security checklist for people who've never run a serverDraft
7 July 2026
A plain-English security checklist for AI-built apps. Learn what SSL, env vars, and RLS mean, and the seven things to check before real users show up.
- Securing webhooks in an AI-generated app: signature verification done rightDraft
7 July 2026
Your webhook endpoint trusts anyone who knows the URL. That's a payment-fraud waiting to happen. Here's how to verify signatures so only the real sender gets through.
- What is vibe coding? A plain-language glossary for founders and their lawyersDraft
7 July 2026
Plain-language definitions of vibe coding, RLS, DPA, PITR, env vars and more. The terms your developer uses, explained so a founder or lawyer can follow.
- When DIY hosting stops making sense for a growing appDraft
7 July 2026
Running your own server is fine until it isn't. Here are the concrete signals that tell you DIY has stopped paying off, and when it's still the right call.
- When to leave Lovable hosting (and when to stay)
7 July 2026
Lovable Cloud now includes hosting and daily backups. Here's an honest look at when that's enough, and when it isn't.
- Why not just use Coolify? An honest answerDraft
7 July 2026
Coolify is a genuinely good free self-hosting tool. Here's an honest look at what it does well, and the real reasons you might still pay for managed hosting.
- Why we host the product on Hetzner instead of AWS, GCP, or AzureDraft
7 July 2026
The honest reasoning behind running our customers' apps on Hetzner: why hetzner over aws gcp azure comes down to cost, control, and simplicity.
- Deploying a Windsurf project to production: what changesDraft
7 July 2026
Windsurf gets you a working app on localhost. Production is a different animal. Here's exactly what changes and the checklist to get there safely.
- Zero-downtime deploys, explained for people who've only ever redeployed by restartingDraft
7 July 2026
If deploying means stopping the app and starting the new one, users see errors every release. Here's how rolling deploys and health checks fix that.