The Vibe-Coded App Maintenance Checklist (2026)

You described it, the AI built it, real customers use it. This is the maintenance routine that keeps it that way — written for owners who never saw most of the code. Print it, pin it, run it. The full guide lives at nightlamp.app/guides/vibe-coded-app-maintenance.

Tip: use your browser’s Print dialog — this page is laid out for paper (or PDF).

Weekly · 5 minutesThe pulse check

• Open the published app like a customer — incognito window, real URL, not the builder preview.
• Run the money flow — reach the payment step (or complete a test purchase) and confirm the order shows up where you expect it.
• Submit the contact / lead form — then confirm it actually arrived in your inbox, CRM, or sheet. “Thanks!” on screen proves nothing.
• Request a login or magic-link email — confirm it arrives within a couple of minutes and signs you in.
• Confirm the scheduled stuff ran — last night’s sync, digest, reminder, or invoice job left evidence (a record, an email, a timestamp).

Why weekly: most vibe-coded apps fail at the seams — auth, payments, forms, webhooks — while every page still loads. Five minutes of acting like a customer catches what a green homepage hides.

After every prompt sessionThe publish check

• Treat the session as a deploy — every accepted AI change can touch code you didn’t ask it to touch.
• Re-test the flow you changed AND the two flows nearest it — regenerated code is the classic cause of “feature B broke when I asked for feature A”.
• Test on the published URL, not the preview — env vars, auth redirects, and payment integrations behave differently after publish on Lovable, Bolt, and Replit alike.
• Check secrets and environment variables survived — a republish that drops or resets one fails silently until the integration is needed.
• Write one line of changelog — date + what you asked for. When something breaks next week, “what changed?” is the first question.

Monthly · 20 minutesThe quota & key sweep

• List every integration the AI wired up for you — Stripe, Supabase, email, Zapier/Make, analytics. If you can’t list them, that’s the finding.
• Check usage against quota — automation task budgets, database row/storage limits, email sending credits. Quota exhaustion is the quietest outage there is.
• Check key and certificate expiry — API keys, webhook signing secrets, custom-domain SSL. Note the next expiry date on this sheet.
• Confirm webhooks still point at production — live mode, current domain, current endpoint path.
• Export or back up your data — confirm you could leave the platform with your customer data tomorrow.
• Pay-attention pass on platform emails — deprecation and policy-change notices from your builder and integrations often carry 30-day fuses.

When something breaksThe no-panic runbook

• Don’t re-prompt blindly first — regenerating code on top of an undiagnosed break is how one bug becomes three.
• Capture the evidence — screenshot the error, copy the browser console output, note the exact time and URL.
• Ask “what changed?” — your last prompt session, a platform update, an integration email, a key rotation. Check your one-line changelog.
• Check the seams before the code — platform status page, env vars/secrets, webhook destinations, quotas, auth redirect URLs. Most production breaks live there.
• Reproduce in incognito on the published URL — if it works in the builder but fails in production, the break is in the publish/config seam, not the generated code.
• Only then change code — one targeted fix, then re-run the publish check above.

The hard part isn’t running this list — it’s noticing the day a flow silently stops between runs. That’s the job Nightlamp does continuously: your key flows watched around the clock, and a real engineer’s plain-English diagnosis and fix recipe when one breaks (diagnosis tiers from $199/mo). Trial at nightlamp.app/signup — 14 days, no card.