- Jan 22, 2025
The 5 Things Every Vibe-Coded App Gets Wrong
Not all vibe-coded apps are disasters. Some are genuinely impressive — functional, well-structured, fast. But after reviewing dozens of them, we've started recognizing the fingerprints. Five things show up almost every time. If your app was built with Cursor, Bolt, Lovable, or any AI assistant, it probably has at least three of these.
Number one: the deployment environment mismatch. The AI builds the app. You test it on localhost. It works perfectly. You deploy it and it immediately breaks. This is almost always an environment variable problem — secrets that the AI hardcoded in the source because it couldn't access your .env file, or relative URLs that work in development but break on a real domain. The fix is straightforward but requires a methodical audit of every environment-dependent value.
Number two: authentication that works in demos but not in production. JWT tokens with no expiry date ('I'll add that later' — you didn't). Middleware that checks auth on nine out of ten routes. Password reset flows that don't actually invalidate the old token. Social login that works when the AI implements it and breaks when you update a dependency. Authentication is genuinely complex, and AI models tend to implement the happy path while quietly skipping the edge cases.
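An added example (not code from the original post): a dependency-free Node.js verifier for HS256 tokens that rejects a JWT with no `exp` claim instead of treating it as valid forever. The function names, the one-hour `maxLifetime` cap and the sample secret are assumptions made for the illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (data, secret) => createHmac('sha256', secret).update(data).digest();
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Demo helper (hypothetical): mint an HS256 token from a payload object.
function signToken(payload, secret) {
  const input = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(hmac(input, secret))}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
// `now` is injectable so the expiry logic can be tested deterministically.
function verifyToken(token, secret, { now = Math.floor(Date.now() / 1000), maxLifetime = 3600 } = {}) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = decode(head);
    claims = decode(body);
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm on the server; never let the token header choose it.
  if (header?.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // The check the happy path skips: no exp means reject, not "valid forever".
  if (!Number.isInteger(claims?.exp)) return { ok: false, reason: 'missing-exp' };
  if (claims.exp <= now) return { ok: false, reason: 'expired' };
  // Also refuse tokens minted with an excessive lifetime (assumed policy: 1 hour).
  if (!Number.isInteger(claims.iat) || claims.exp - claims.iat > maxLifetime) {
    return { ok: false, reason: 'lifetime-too-long' };
  }
  return { ok: true, claims };
}

// Constructed sample: a token issued without exp is refused.
const DEMO_SECRET = 'constructed-demo-secret';
console.log(verifyToken(signToken({ sub: 'u1' }, DEMO_SECRET), DEMO_SECRET));
```

Calling `verifyToken` from a single middleware mounted ahead of every route, rather than per handler, also addresses the "nine out of ten routes" gap described above.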
Number three: database schema that can't survive real data. The AI designs a schema that works for the test cases it imagines. Foreign key constraints? Absent. Indexes on columns you'll filter by? Not there. Data types that fit the actual content? Sometimes. The result is a database that works fine with synthetic test data and starts failing in mysterious ways when real users show up with real — and sometimes unexpected — inputs.
Number four: error handling that crashes instead of recovering. The AI writes the success path in detail and the error path as a shrug. Unhandled promise rejections that bring down the whole Node process. API errors that surface raw stack traces to end users. Missing null checks on data that sometimes doesn't arrive. These aren't hard to fix, but they require actually thinking about what can go wrong — something AI models do inconsistently.
Number five: dependencies that are either outdated, hallucinated, or both. The AI confidently imports packages that don't exist. It uses deprecated APIs from packages that do exist. It adds 47 dependencies when five would do, creating a massive attack surface and slow install times. We've seen apps with package.json entries for npm packages the AI invented wholesale — packages with plausible names that simply don't exist on any registry.
If your app has two or more of these, don't panic. These are all fixable problems. What matters is knowing they exist so you can address them before they cause a data breach, a production outage, or a very awkward conversation with your users.