Smith/Platforms

Platform Capability Matrix

What each AI coding platform generates correctly, what breaks by default, and how to fix it. Community-maintained — every row links to the rescue guide.

Works by default Partial / inconsistent Broken by default

Bolt.new

AI-powered full-stack web app builder by StackBlitz. Generates Next.js + Supabase + Tailwind apps from natural language.

Authentication
Payments
Database
Deployment
Security

Last verified Jul 7, 2026 · View source

Loveable

AI product builder focused on visual design and rapid prototyping. Generates React + Supabase apps.

Authentication
Payments
Database
Deployment
Security

Last verified Jul 7, 2026 · View source

Replit

Browser-based IDE with AI agent (Replit Agent) that builds and runs full-stack apps in the cloud.

Authentication
Payments
Database
Deployment
Security

Last verified Jul 7, 2026 · View source

Check
Bolt.new
Loveable
Replit

Email / Password

Partial

Generates auth UI but missing session persistence — server components can't read the session because the browser client is used instead of the SSR client.

Fix guide
Partial

Auth flow generated correctly but getSession() used in server context instead of getUser() — returns stale data after logout.

Fix guide
Partial

Auth generated using Replit's built-in auth or NextAuth — works in Replit environment but configuration breaks when migrating to Vercel or Railway.

Fix guide

Google OAuth

Broken

OAuth callback route generated without exchangeCodeForSession — user is redirected in a loop and never signed in.

Fix guide
Partial

OAuth callback route present but exchangeCodeForSession is sometimes omitted — depends on prompt wording.

Fix guide
Partial

OAuth works within Replit hosting. Callback URLs hardcoded to repl.co domain — breaks on any other deployment target.

Fix guide

GitHub OAuth

Broken

Same missing callback issue as Google OAuth.

Fix guide
Partial

Same variability as Google OAuth. Explicitly requesting 'GitHub login' in the prompt improves output.

Fix guide
Partial

Same callback URL issue as Google OAuth.

Auth Middleware

Broken

Middleware generated but returns NextResponse.next() instead of the supabaseResponse object — session cookies are not forwarded, users are logged out on every hard refresh.

Fix guide
Partial

Middleware generated but inconsistently — sometimes session refresh is missing, sometimes route protection covers only some paths.

Fix guide
Partial

Route protection implemented but varies by framework. Next.js projects often missing middleware.ts.

Check
Bolt.new
Loveable
Replit

Stripe Checkout

Partial

Works in preview environment. Breaks in production because success/cancel URLs are hardcoded to localhost.

Fix guide
Works

Stripe Checkout session creation generated correctly. Success/cancel URLs use environment variables.

Fix guide
Partial

Stripe integration generated but webhook URLs point to the Replit development URL — non-persistent, changes on reboot.

Fix guide

Stripe Webhooks

Broken

Missing stripe.webhooks.constructEvent() — signature verification skipped entirely. Also uses request.json() instead of request.text(), which destroys the raw body Stripe needs for HMAC verification.

Fix guide
Partial

Webhook handler generated with constructEvent() present but often uses request.json() instead of request.text() — signature verification throws on every real Stripe event.

Fix guide
Broken

Webhook handler missing signature verification. The Replit environment makes webhook testing difficult, so this is often left broken.

Fix guide

Subscriptions

Partial

Basic subscription creation generated, but customer portal link and subscription status webhooks are incomplete.

Partial

Subscription creation works. Customer portal and cancellation flows require manual additions.

Partial

Basic integration possible but production readiness is limited by the hosting model.

Check
Bolt.new
Loveable
Replit

Row Level Security

Broken

All tables created with Row Level Security disabled. Any visitor with the public anon key can read, update, or delete every row.

Fix guide
Broken

Tables created without Row Level Security enabled. Same issue as other AI platforms — the anon key gives full database access.

Fix guide
Broken

When Supabase is used, RLS is not enabled — same pattern as other AI platforms.

Fix guide

Migration Files

Partial

Schema applied directly via Supabase dashboard — no migration files generated. No rollback path if something goes wrong.

Partial

Schema managed via Supabase dashboard, not migration files. Loveable does generate some SQL but doesn't wire it to a migration workflow.

Connection Pooling

Works

Uses the correct Supabase connection string with connection pooling enabled.

Works

Connection string generated correctly.

SQLite (Prod Risk)

Broken

Replit Agent defaults to SQLite for the database. SQLite is not persistent across Replit restarts and cannot scale — not production-ready.

Fix guide

Supabase Migration

Partial

Migration from SQLite to Supabase Postgres is possible but requires significant rework. Schema, queries, and auth all need updating.

Fix guide
Check
Bolt.new
Loveable
Replit

Vercel

Works

Deploys correctly to Vercel. Environment variables must be manually copied from the Bolt.new editor to Vercel project settings.

Works

Vercel deployment works well. Loveable's export feature provides a clean Next.js project.

Broken

Significant rework required. SQLite must be replaced, environment variables reconfigured, build pipeline adjusted. See the full migration guide.

Fix guide

Railway

Partial

Requires manual DATABASE_URL adjustment. Generated config targets development database.

Partial

No Railway-specific config generated — requires manual setup.

Partial

Railway is the recommended migration target — supports persistent PostgreSQL and similar Node.js hosting model.

Fix guide

Fly.io

Partial

Dockerfile generated but often missing a /health endpoint — Fly health checks fail on first deploy.

Netlify

Works

Netlify deployment also supported via export.

Replit Hosting

Works

Works correctly within Replit's own hosting infrastructure.

Production Ready

Broken

Replit apps are not production-ready without migration. No persistent file storage, SQLite database, and free-tier apps sleep after inactivity.

Fix guide
Check
Bolt.new
Loveable
Replit

Secret Exposure

Broken

Frequently prefixes server-only secrets (STRIPE_SECRET_KEY, OPENAI_API_KEY) with NEXT_PUBLIC_ — these are bundled into client JavaScript and visible in browser DevTools.

Fix guide
Partial

Less frequent than Bolt.new but NEXT_PUBLIC_ prefix errors still occur on sensitive keys when the developer iterates quickly.

Fix guide
Partial

Replit's Secrets management is used for env vars, but public Repls expose their code — secrets must be explicitly marked.

Fix guide

Service Role Key

Partial

Service role key occasionally used in client components when the developer asks for 'admin database access'. Bypasses all RLS policies.

Fix guide
Works

Service role key generally kept server-side in generated code.

Partial

When Supabase is added, service role key handling is inconsistent.

Rate Limiting

Broken

No rate limiting generated on any API routes — email, AI, and auth endpoints are all open to abuse.

Fix guide
Broken

No rate limiting on generated API routes.

Fix guide
Broken

No rate limiting generated.

Fix guide

Input Validation

Partial

Client-side form validation only. API routes accept and insert arbitrary input without server-side validation.

Fix guide
Partial

Zod schemas sometimes generated for forms, but API route validation is inconsistent.

Fix guide
Partial

Validation inconsistent across generated projects.

Fix guide

CSRF Protection

Partial

Server Actions have built-in CSRF protection, but custom API routes do not check Origin headers.

Fix guide
Partial

No explicit CSRF protection on API routes.

Fix guide
Partial

No explicit CSRF protection.

Found issues in your project?

Run npx smith-check to get a rescue score for your specific codebase, then hire a Smith to fix what it flags.

Data licensed CC BY-SA 4.0 · github.com/aismiths/platform-matrix