AI CLEANUP

Cleaning up after AI.
From “seems to work” to
“safe to rely on.”

We audit, fix, and take over systems built with AI-assisted development (so-called vibe coding). Because we use AI in our own daily work, we know first-hand the typical problems hidden in AI-generated code — and we know how to clean them up.

SITUATIONS WE HANDLE

  • It works, but no one can explain why

    AI built it, it runs, but the code is impenetrable. Every change and every incident is met with anxiety.

  • Security feels uncertain

    You're not sure what to check or where to start. Secret management, authentication, and access control are unclear.

  • You don't know where your data lives

    User data and business records are scattered across services and storage layers, with no clear picture of who can access what.

  • It broke as you grew

    The prototype worked fine, but as data and users grew, response times degraded or the system started failing.

WHAT WE DO

  • Health Audit

    We read the codebase end-to-end and document its structure, dependencies, and data flow — so a third party can actually understand it.

  • Security Review

    Authentication, authorization, secret management, input validation, and data access control — reviewed, prioritized, and remediated.

  • Data Location Mapping

    We map what is stored where (database, object storage, third-party services, the browser), and who can read and write it.

  • Fixes & Refactoring

    Bug fixes, deduplication of repeated logic, removal of unnecessary abstractions, and the minimum tests needed to prevent regressions.

  • Handover-ready State

    We produce the README, environment setup steps, architecture notes, and operational runbooks needed for someone else to take over.

  • Operational Foundations

    Backups, logging and monitoring, deployment process, and proper separation between development and production environments.

COMMON PITFALLS IN AI-BUILT CODE

Real patterns we see in the field — listed plainly. If any of these sound familiar, that's a good reason to talk.

  • 01

    Auth checks only on the frontend

    The UI hides links and buttons from users who shouldn't see them, but the API behind it never checks who is asking or which rows they own. Anyone who calls the endpoint directly (curl, or the browser's dev tools) can read or modify other people's records.

  • 02

    API keys and secrets exposed in the client

    "It's in an environment variable" doesn't help when the variable is prefixed with NEXT_PUBLIC_ or VITE_, or otherwise baked into the bundle at build time: it's shipped to every visitor's browser. Keys designed to be public (a Supabase anon key, a Stripe publishable key) belong there; service-role keys, secret API keys and database credentials do not, and once shipped they must be rotated, not just removed from the next build.

  • 03

    Row-level security / security rules never configured (Supabase / Firebase)

    The rules that say "users can only see their own rows" were never written. In Supabase that means RLS is disabled on the table (or was enabled, broke everything because no policies existed, and was switched off again); in Firebase it means the permissive test-mode rules were never replaced. Either way, anyone holding the public client key, logged in or not, can read or write everyone's data.

  • 04

    CORS wide open

    Access-Control-Allow-Origin set to `*` and shipped to production, so any site can read responses from your API. The usual "fix", reflecting whatever Origin the request carries together with Access-Control-Allow-Credentials: true, is worse: any third-party page can then make cookie-authenticated calls as whichever user is logged in. The right setting is an explicit allowlist of your own origins.

  • 05

    Errors silently swallowed

    Every exception caught and discarded. When something breaks in production, there's no trace, no log, no way to reproduce — just an unhappy user report.

  • 06

    Validation only on the client

    Forms validate nicely in the UI, but the API trusts whatever it receives. Invalid types, oversized payloads, or malformed strings sail straight through.

  • 07

    Development happens against the production database

    No staging environment. Experiments and mistakes go straight to live user data. One careless line can wipe records irreversibly.

  • 08

    Queries that assume small data

    Worked fine with sample data, but with real volume it's N+1 queries everywhere or full-table scans. No load testing was ever done.

  • 09

    Copy-pasted logic everywhere

    Asking AI to do the same thing repeatedly creates near-identical but subtly different code in many places. Fix one, leave the others stale — bugs reappear later.

  • 10

    Unpinned dependencies

    No lockfile committed, or CI running `npm install` instead of `npm ci`, so `^` and `~` ranges resolve to whatever is newest at build time. Every rebuild risks a behavioral change (or a compromised release) you didn't ask for.
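
As an added example (not the page's code, nor any client's), here is the "get one record" endpoint from pitfalls 01, 03, 04 and 06, first written the way the prototype usually looks and then with every check moved to the server. It is framework-free Node.js; the in-memory record store, the session table, the token names and the origin https://app.example.com are constructed assumptions.

```javascript
// Added example (not the page's or any client's code). Constructed in-memory
// stand-ins for the database, the session table and the frontend origin.
const RECORDS = new Map([
  [1, { id: 1, ownerId: "u-alice", body: "alice's notes" }],
  [2, { id: 2, ownerId: "u-bob", body: "bob's invoices" }],
]);
const SESSIONS = new Map([ // bearer token -> user id (assumed token values)
  ["tok-alice", "u-alice"],
  ["tok-bob", "u-bob"],
]);
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed frontend origin

// BEFORE (pitfalls 01, 04, 06): the UI hides other people's records, the API
// does not. No authentication, no ownership check, no input validation, CORS "*".
function getRecordVulnerable(req) {
  const id = Number(req.params.id); // "1abc" -> NaN, "" -> 0: nothing is rejected
  const record = RECORDS.get(id);
  return {
    status: record ? 200 : 404,
    headers: { "Access-Control-Allow-Origin": "*" },
    body: record ?? { error: "not found" },
  };
}

// AFTER: authenticate, validate, then authorize per row, all on the server.
function getRecordHardened(req) {
  const headers = corsHeaders(req.headers.origin);

  // 1. Authentication: derive the caller from the session, never from a
  //    user id the client put in the request.
  const auth = req.headers.authorization ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : null;
  const userId = token ? SESSIONS.get(token) : undefined;
  if (!userId) return { status: 401, headers, body: { error: "unauthenticated" } };

  // 2. Input validation on the server: a positive integer id, nothing else.
  if (typeof req.params.id !== "string" || !/^[1-9]\d{0,9}$/.test(req.params.id)) {
    return { status: 400, headers, body: { error: "invalid id" } };
  }
  const id = Number(req.params.id);

  // 3. Authorization per row (what an RLS policy does inside the database).
  //    "Missing" and "not yours" both answer 404 so ids cannot be enumerated.
  const record = RECORDS.get(id);
  if (!record || record.ownerId !== userId) {
    return { status: 404, headers, body: { error: "not found" } };
  }
  return { status: 200, headers, body: record };
}

// CORS: allow only listed origins, echo exactly that origin, and only then
// allow credentials. Never "*" with cookies, never reflect an arbitrary Origin.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {}; // no CORS headers: the browser blocks the read
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Demonstration: an anonymous caller reads Bob's record from the vulnerable
// handler; the hardened one answers 401, and Alice asking for Bob's row gets 404.
function demo() {
  const anon = { params: { id: "2" }, headers: { origin: "https://evil.example" } };
  const alice = {
    params: { id: "2" },
    headers: { origin: "https://app.example.com", authorization: "Bearer tok-alice" },
  };
  return {
    leaked: getRecordVulnerable(anon).status,          // 200
    anonBlocked: getRecordHardened(anon).status,       // 401
    crossUserBlocked: getRecordHardened(alice).status, // 404
  };
}
```

On Supabase the ownership test in step 3 belongs in the database as well, so that it also holds for every other route and for direct PostgREST calls: `alter table records enable row level security;` followed by a policy such as `create policy "own rows" on records for select using (owner_id = auth.uid());`. The application-level check then becomes defence in depth rather than the only gate.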
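
An added check for pitfall 02, again not code from the page or any project it describes: it parses .env-style text and flags every variable that the bundler will inline into the browser (NEXT_PUBLIC_, VITE_, REACT_APP_ and EXPO_PUBLIC_ prefixes) when its name or value looks like a server-side secret, including a Supabase JWT whose role claim is service_role. The sample .env, its key values and the dummy JWTs are constructed inline; in practice point it at the real .env and also grep the built bundle, since a secret can reach the client without a public prefix.

```javascript
// Added example, not the page's code. Flags client-inlined env vars whose
// name or value looks like a server-side secret.
const CLIENT_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "REACT_APP_", "EXPO_PUBLIC_"];
const SECRET_NAME_HINTS = /SECRET|SERVICE_ROLE|PRIVATE|PASSWORD/;
// Value shapes of well-known server-only credentials: Stripe secret keys,
// AWS access key ids, GitHub personal access tokens, PEM private keys.
const SECRET_VALUE_PATTERNS = [/^sk_(live|test)_/, /^AKIA[0-9A-Z]{16}$/, /^ghp_/, /BEGIN (RSA |EC )?PRIVATE KEY/];

// Node's base64 decoder also accepts the URL-safe alphabet JWTs use.
function base64urlDecode(s) {
  return Buffer.from(s, "base64").toString("utf8");
}

// If the value is a JWT, return its (unverified) payload; Supabase service-role
// keys are JWTs carrying role: "service_role", which bypasses RLS entirely.
function jwtPayload(value) {
  const parts = value.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(base64urlDecode(parts[1]));
  } catch {
    return null;
  }
}

// Minimal .env parser: skips blanks and comments, strips "export" and quotes.
function parseEnv(text) {
  const vars = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const name = line.slice(0, eq).trim().replace(/^export\s+/, "");
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    vars.push({ name, value });
  }
  return vars;
}

function findExposedSecrets(envText) {
  const findings = [];
  for (const { name, value } of parseEnv(envText)) {
    // Server-only variables are not inlined into the bundle; skip them here.
    if (!CLIENT_PREFIXES.some((p) => name.startsWith(p))) continue;
    const reasons = [];
    if (SECRET_NAME_HINTS.test(name)) reasons.push("name looks like a secret");
    if (SECRET_VALUE_PATTERNS.some((re) => re.test(value))) reasons.push("value matches a known secret-key format");
    const claims = jwtPayload(value);
    if (claims && claims.role === "service_role") reasons.push("JWT with role=service_role (bypasses RLS)");
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample .env. The JWTs are built locally with a dummy signature;
// only the payload's role claim matters for the check.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.sig`;
}
const SAMPLE_ENV = [
  "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co",
  `NEXT_PUBLIC_SUPABASE_ANON_KEY=${fakeJwt({ role: "anon" })}`,   // fine: the anon key is meant to be public
  `NEXT_PUBLIC_SUPABASE_KEY=${fakeJwt({ role: "service_role" })}`, // bad: service-role key in the bundle
  "VITE_STRIPE_KEY=sk_live_constructed0000",                        // bad: secret key behind a public prefix
  "STRIPE_SECRET_KEY=sk_live_constructed0000",                      // fine here: never inlined into the client
  "# comment line",
  'NEXT_PUBLIC_APP_NAME="Demo App"',
].join("\n");
```

Run it as `node` on the real `.env` by replacing SAMPLE_ENV with the file contents; every finding is a key to rotate immediately, because removing it from the next build does not unship the bundles already served.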

PROCESS

  1. 01

    Initial Discussion

    We discuss the current setup, your concerns, and the outcome you want. Ideally we'll have a look at the source code and admin screens together.

  2. 02

    Quick Investigation

    One or two days of first-pass investigation to locate risks, set priorities, and size the effort required.

  3. 03

    Proposal

    We present options in tiers — audit only, audit plus top-priority fixes, or full rebuild — so you can choose the level of intervention.

  4. 04

    Execution & Handover

    We carry out the agreed scope and leave you with a system you (or any third party) can operate. Ongoing maintenance available on request.

CONTACT

Even a vague “something doesn't feel right” is enough to start. Initial investigation is free of charge.

If your situation is less “AI-built” and more “the engineer left and we need someone to keep this running,” see also System Handover.