r/lovable
Most common breaks I see in Lovable/Bolt apps this week and how to fix them.
Been helping a few builders this week, and this is what mostly breaks in vibe-coded apps. Same patterns keep showing up:
- Row-level security is off or wrong, and your data is publicly readable. This is the scariest one. CVE-2025-48757 hit 170+ Lovable apps last year because RLS policies were missing or too permissive; attackers dumped full user tables and payment records just by tweaking a query. Lovable's built-in security scan checks whether RLS exists, not whether it actually blocks unauthorized access. If you have users on your app and you've never manually verified your policies, your app is probably exposed. This is the most common fix I do and the one most builders don't know they need.
- App freezes or shows blank screen after login. Almost always the Supabase onAuthStateChange deadlock. The AI puts an async fetch inside the auth listener, which the Supabase docs explicitly warn against. Lovable will try to fix it five or six times by tweaking loading states and never get to the root cause. The real fix is wrapping the async call in setTimeout(() => ..., 0).
- "Login with Google" works in preview, breaks when you publish. Supabase's Site URL is still pointing at localhost or your old preview URL. Two-minute fix when you know where to look; it can eat your whole weekend if you don't.
- Stripe payment goes through, feature doesn't unlock. Webhook handler not verified, edge function missing secrets, or the user record isn't getting updated. Almost always the webhook.
- The fix-and-break loop. You ask for a filter, the table breaks. You fix the table, the filter disappears. Context-window loss, the AI is rewriting code it can't see. Fix is structural, not a prompt: split features into files, prompt with file references, stop saying "fix the app".
- Edge functions silently failing on deploy. Missing env vars or secrets not configured in Supabase. Logs tell you exactly which one but most builders don't know to check the Cloud tab.
- API keys leaking into the frontend. The service_role key is the dangerous one; it bypasses RLS by design. It should never be in your client code, but sometimes Lovable puts it there.
- App doesn't show up on Google. Lovable apps are client-side rendered by default, no SSR. If your product is content/marketing facing, you're invisible to search. Workarounds exist but only if you know to ask for them up front.
If you're stuck on something here or something not on this list, drop your repo or a screenshot in DMs and I'll take a look.
u/Due-Guard221 — 4 days ago
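An added example, not from the post above, of the RLS point: a policy that merely exists beside one that actually scopes rows to the caller, followed by a check that impersonates two users and the anon role to prove the policy blocks. It assumes a constructed `public.orders` table with a `user_id` column, Supabase's `auth.uid()` helper (which reads the JWT `sub` claim from `request.jwt.claims`), and that the check is run as the `postgres` role in the Supabase SQL editor; the two user ids are made-up placeholders.

```sql
-- Constructed example table: one row per order, owned by the user in user_id.
create table if not exists public.orders (
  id           bigint generated always as identity primary key,
  user_id      uuid not null default auth.uid(),
  amount_cents integer not null,
  status       text not null default 'pending'
);

-- Step 1: turn RLS on. Without this every policy below is ignored and anyone
-- holding the anon key can read the whole table through the REST API.
alter table public.orders enable row level security;

-- WEAK: this is what "RLS exists" looks like when it blocks nothing.
-- A scan that only checks for the presence of a policy will pass it.
-- create policy "orders are readable" on public.orders
--   for select to anon, authenticated using (true);

-- CORRECT: scope every operation to the caller's own rows. auth.uid() is null
-- for anon requests, so the predicate is false and no row matches.
create policy "orders_select_own" on public.orders
  for select to authenticated using (auth.uid() = user_id);

create policy "orders_insert_own" on public.orders
  for insert to authenticated with check (auth.uid() = user_id);

create policy "orders_update_own" on public.orders
  for update to authenticated
  using (auth.uid() = user_id) with check (auth.uid() = user_id);

-- No delete policy on purpose: with RLS on, deletes are denied by default.

-- Step 2: verify the policy blocks, not just that it exists.
-- Assumption: run as postgres (SQL editor), which may SET ROLE to the API roles.
-- Everything is rolled back, so nothing is left in the table.
begin;
  set local role authenticated;
  -- impersonate constructed user A and create one order
  select set_config('request.jwt.claims', '{"sub":"11111111-1111-1111-1111-111111111111"}', true);
  insert into public.orders (amount_cents) values (4200);
  -- impersonate constructed user B: if this count is not 0, B can read A's order
  select set_config('request.jwt.claims', '{"sub":"22222222-2222-2222-2222-222222222222"}', true);
  select count(*) as rows_visible_to_other_user from public.orders;
  -- anon: same check with no JWT at all
  set local role anon;
  select count(*) as rows_visible_to_anon from public.orders;
rollback;
```

The service_role key is not covered by this check because that role bypasses RLS entirely, which is exactly why it must stay out of client code.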