What each AI coding platform generates correctly, what breaks by default, and how to fix it. Community-maintained — every row links to the rescue guide.
AI-powered full-stack web app builder by StackBlitz. Generates Next.js + Supabase + Tailwind apps from natural language.
Last verified Jul 7, 2026 · View source
AI product builder focused on visual design and rapid prototyping. Generates React + Supabase apps.
Last verified Jul 7, 2026 · View source
Browser-based IDE with AI agent (Replit Agent) that builds and runs full-stack apps in the cloud.
Last verified Jul 7, 2026 · View source
Email / Password
Generates auth UI but missing session persistence — server components can't read the session because the browser client is used instead of the SSR client.
Fix guideAuth flow generated correctly but getSession() used in server context instead of getUser() — returns stale data after logout.
Fix guideAuth generated using Replit's built-in auth or NextAuth — works in Replit environment but configuration breaks when migrating to Vercel or Railway.
Fix guideGoogle OAuth
OAuth callback route generated without exchangeCodeForSession — user is redirected in a loop and never signed in.
Fix guideOAuth callback route present but exchangeCodeForSession is sometimes omitted — depends on prompt wording.
Fix guideOAuth works within Replit hosting. Callback URLs hardcoded to repl.co domain — breaks on any other deployment target.
Fix guideGitHub OAuth
Same variability as Google OAuth. Explicitly requesting 'GitHub login' in the prompt improves output.
Fix guideSame callback URL issue as Google OAuth.
Auth Middleware
Middleware generated but returns NextResponse.next() instead of the supabaseResponse object — session cookies are not forwarded, users are logged out on every hard refresh.
Fix guideMiddleware generated but inconsistently — sometimes session refresh is missing, sometimes route protection covers only some paths.
Fix guideRoute protection implemented but varies by framework. Next.js projects often missing middleware.ts.
Stripe Checkout
Works in preview environment. Breaks in production because success/cancel URLs are hardcoded to localhost.
Fix guideStripe Checkout session creation generated correctly. Success/cancel URLs use environment variables.
Fix guideStripe integration generated but webhook URLs point to the Replit development URL — non-persistent, changes on reboot.
Fix guideStripe Webhooks
Missing stripe.webhooks.constructEvent() — signature verification skipped entirely. Also uses request.json() instead of request.text(), which destroys the raw body Stripe needs for HMAC verification.
Fix guideWebhook handler generated with constructEvent() present but often uses request.json() instead of request.text() — signature verification throws on every real Stripe event.
Fix guideWebhook handler missing signature verification. The Replit environment makes webhook testing difficult, so this is often left broken.
Fix guideSubscriptions
Basic subscription creation generated, but customer portal link and subscription status webhooks are incomplete.
Subscription creation works. Customer portal and cancellation flows require manual additions.
Basic integration possible but production readiness is limited by the hosting model.
Row Level Security
All tables created with Row Level Security disabled. Any visitor with the public anon key can read, update, or delete every row.
Fix guideTables created without Row Level Security enabled. Same issue as other AI platforms — the anon key gives full database access.
Fix guideMigration Files
Schema applied directly via Supabase dashboard — no migration files generated. No rollback path if something goes wrong.
Schema managed via Supabase dashboard, not migration files. Loveable does generate some SQL but doesn't wire it to a migration workflow.
Connection Pooling
Uses the correct Supabase connection string with connection pooling enabled.
Connection string generated correctly.
SQLite (Prod Risk)
Replit Agent defaults to SQLite for the database. SQLite is not persistent across Replit restarts and cannot scale — not production-ready.
Fix guideSupabase Migration
Migration from SQLite to Supabase Postgres is possible but requires significant rework. Schema, queries, and auth all need updating.
Fix guideVercel
Deploys correctly to Vercel. Environment variables must be manually copied from the Bolt.new editor to Vercel project settings.
Vercel deployment works well. Loveable's export feature provides a clean Next.js project.
Significant rework required. SQLite must be replaced, environment variables reconfigured, build pipeline adjusted. See the full migration guide.
Fix guideRailway
Requires manual DATABASE_URL adjustment. Generated config targets development database.
No Railway-specific config generated — requires manual setup.
Railway is the recommended migration target — supports persistent PostgreSQL and similar Node.js hosting model.
Fix guideFly.io
Dockerfile generated but often missing a /health endpoint — Fly health checks fail on first deploy.
Netlify
Netlify deployment also supported via export.
Replit Hosting
Works correctly within Replit's own hosting infrastructure.
Production Ready
Replit apps are not production-ready without migration. No persistent file storage, SQLite database, and free-tier apps sleep after inactivity.
Fix guideSecret Exposure
Frequently prefixes server-only secrets (STRIPE_SECRET_KEY, OPENAI_API_KEY) with NEXT_PUBLIC_ — these are bundled into client JavaScript and visible in browser DevTools.
Fix guideLess frequent than Bolt.new but NEXT_PUBLIC_ prefix errors still occur on sensitive keys when the developer iterates quickly.
Fix guideReplit's Secrets management is used for env vars, but public Repls expose their code — secrets must be explicitly marked.
Fix guideService Role Key
Service role key occasionally used in client components when the developer asks for 'admin database access'. Bypasses all RLS policies.
Fix guideService role key generally kept server-side in generated code.
When Supabase is added, service role key handling is inconsistent.
Rate Limiting
No rate limiting generated on any API routes — email, AI, and auth endpoints are all open to abuse.
Fix guideRun npx smith-check to get a rescue score for your specific codebase, then hire a Smith to fix what it flags.
Data licensed CC BY-SA 4.0 · github.com/aismiths/platform-matrix