How to use this checklist
Two ways to use it. Option A: if you're moving a consumer vibe-coded app (Lovable, Bolt, V0, Replit) into enterprise production manually, every item is yours to build. Budget 4-12 weeks for a small team. Option B: if you're using an enterprise vibe coding platform like Clarista, most of these are already there — your checklist is verifying configurations, not building infrastructure.
The 14 points, in order:
1. Security scanning on every commit
SAST (static analysis) for code-level vulnerabilities. SCA (software composition analysis) for dependency CVEs. Secret scanning for leaked API keys. Hallucinated-package detection. Block deploy if anything fails.
In Clarista: built-in. Every AI output is scanned before commit.

2. Real authentication, not demo auth
Replace any "log in with username/password stored in localStorage" with SSO via SAML or OIDC. Require MFA. Session expiry, refresh tokens, secure cookies, CSRF protection.
In Clarista: SSO + MFA out of the box. Okta, Azure AD, Google Workspace, custom OIDC.

3. Authorization (not just authentication)
Logged in ≠ allowed. Add resource-level authorization: this user can only see this customer's data, this role can only access these tables. Row-level security at the database where possible.
In Clarista: RBAC with per-row policies. Inherited from your IdP groups.

4. Move to your own cloud
Migrate the app off the vendor's shared infrastructure to your AWS, Azure, or GCP account. Pin region to your compliance zone (eu-central-1 for GDPR, us-east-1 for FedRAMP, etc.).
In Clarista: deploys to your cloud by default. Bring-your-own AWS, Azure, GCP supported.

5. Bring-your-own LLM
Don't let model traffic route through a third party. Wire the app to your Anthropic, OpenAI, AWS Bedrock, or Azure OpenAI account so the LLM provider sees your traffic directly under your contract terms.
In Clarista: BYO LLM with credentials in your vault. Vendor never touches model traffic.

6. Audit logging
Every user action, every admin change, every API call goes to a queryable log. Retain 7+ years for SOC 2, longer for some regulated industries. Logs are tamper-evident.
In Clarista: every action logged with user, timestamp, before/after diff. Streams to your SIEM.

7. Git + PR + CI/CD pipeline
No more direct-to-prod. Every AI-generated change goes through a real Git commit, a PR with human review, CI tests, then deploy. Attribution is required for the audit trail.
In Clarista: every prompt produces a Git commit, attributed to the user. PRs land in your repo of choice.

8. Secrets management
No hardcoded API keys, no .env files committed to repos. Move all secrets to a vault (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault). Rotate on a schedule.
In Clarista: enforced by the build gate. Hardcoded secrets block deploy automatically.

9. Monitoring + alerting
Error tracking (Sentry, Rollbar). Performance monitoring (Datadog, New Relic). Uptime checks. PagerDuty integration. SLOs defined for the user-facing flows.
In Clarista: native Sentry + Datadog integrations. Alerts wired to your existing on-call.

10. Backups + disaster recovery
Database backups every 24h minimum, point-in-time recovery enabled. Cross-region replication for critical apps. Documented RPO and RTO. A restore tested at least quarterly.
In Clarista: managed Postgres with PITR. Cross-region replication for Enterprise tier.

11. Rate limiting + abuse protection
Edge rate limiting on every public endpoint, with stricter limits on auth routes. WAF for OWASP Top 10 attacks. Bot detection. CAPTCHA on sign-up where appropriate.
In Clarista: Cloudflare WAF + rate limits applied by default to every deployed app.

12. Compliance certifications and attestations
SOC 2 Type II report, ISO 27001 certificate, HIPAA BAA, GDPR DPA — whichever apply. These are non-negotiable for enterprise procurement.
In Clarista: SOC 2 Type II, ISO 27001, HIPAA-ready. BAA available on Enterprise tier.

13. SBOM + supply chain documentation
Software Bill of Materials generated on every build. Documented provenance of every dependency. Signed artifacts (Sigstore, Cosign) for the deployable.
In Clarista: SBOM auto-generated, attached to every deploy. SLSA L3 attestation supported.

14. Runbook + incident response plan
Documented procedures for the most likely incidents (database down, auth provider outage, dependency CVE). On-call rotation defined. Post-mortem template ready.
In Clarista: runbook templates included. Status page + on-call routing pre-wired.
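Items 1 and 8 describe the same gate from two sides: AI output is scanned before it is committed, and anything with a hardcoded secret, a committed .env file or a dependency that does not exist is blocked. The Python script below is an added illustration of such a gate, not Clarista's code or any of the named scanners. The staged files, the secret patterns and the known-package snapshot are constructed here; a real gate would read the staged diff from Git and check dependency names against the package registry or a vetted internal mirror.

```python
import re
# Constructed sample of what an AI-generated commit might stage (not real project files).
STAGED_FILES = {
    "app/config.py": 'OPENAI_KEY = "sk-proj-abcdef1234567890abcdef1234567890abcdef12"\n',
    ".env": "DATABASE_URL=postgres://app:pw@db/app\n",
    "requirements.txt": "requests==2.31.0\nflask==3.0.0\nfastjsonparse==1.2.0\n",
}
# Assumed snapshot of package names known to exist in the registry or an internal mirror.
KNOWN_PACKAGES = {"requests", "flask", "sqlalchemy", "pydantic"}
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "generic_assignment": re.compile(r"(?i)\b(api_key|secret|token|password)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
FORBIDDEN_BASENAMES = {".env"}

def scan_secrets(files):
    """Return (path, rule) for each staged file whose content matches a secret pattern."""
    return [(path, rule) for path, text in files.items()
            for rule, pat in SECRET_PATTERNS.items() if pat.search(text)]

def forbidden_files(files):
    """Files that must never be committed, whatever they contain."""
    return [p for p in files if p.rsplit("/", 1)[-1] in FORBIDDEN_BASENAMES]

def parse_requirements(text):
    """Package names from requirements.txt, dropping pins, extras, markers and comments."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(re.split(r"[=<>!~\[; ]", line, maxsplit=1)[0].lower())
    return names

def unknown_packages(files, known=KNOWN_PACKAGES):
    """Dependencies absent from the snapshot: candidate hallucinated package names."""
    return [n for n in parse_requirements(files.get("requirements.txt", "")) if n not in known]

def gate(files, known=KNOWN_PACKAGES):
    """Run every check; the deploy is blocked if any check reports a finding."""
    findings = {
        "secrets": scan_secrets(files),
        "forbidden_files": forbidden_files(files),
        "unknown_packages": unknown_packages(files, known),
    }
    return any(findings.values()), findings

if __name__ == "__main__":
    blocked, findings = gate(STAGED_FILES)
    print("BLOCKED" if blocked else "OK", findings)
    raise SystemExit(1 if blocked else 0)
```

Wired into CI as a pre-merge step, a non-zero exit stops the pipeline before the PR can reach deploy.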
Option A vs Option B (the comparison)
| Approach | Build manually on Lovable / Bolt | Enterprise platform (Clarista) |
|---|---|---|
| Time to enterprise production | 4–12 weeks | 1–3 days |
| Engineering effort | 1–3 FTEs for 1–2 months | Configuration only |
| Compliance certifications | You inherit nothing — start from zero | Inherit SOC 2, ISO, HIPAA |
| Audit log infrastructure | Build + maintain yourself | Native |
| BYO LLM | Wire it yourself | Configuration toggle |
| Total cost (Year 1) | $200K–$600K of eng time + cloud | $50K–$250K platform |
Skip 11 of these 14 steps
Clarista is built around this checklist. Items 1, 2, 3, 4, 5, 6, 7, 8, 9, 12, 13 are built-in. You configure 10, 11, 14 and you're done.
The one mistake everyone makes
The most common mistake we see: teams ship the app to production first, then try to layer the 14 items on afterwards. By that point, real users are using real data, and instrumenting audit logs retroactively means you can't answer "what happened before Tuesday." Compliance gates that should have been pre-launch become post-launch fire drills.
Order matters. Items 1–8 are pre-launch. Items 9–14 should be active by launch day. None of them are optional in enterprise production.
Vibe coding best practices for production
The 14-point checklist above is the structural answer. Underneath it, four vibe coding best practices consistently separate teams that successfully run vibe coding in production from teams that crash and burn: (1) treat the AI's output like any other code — PR review, CI, security scan, no direct-to-prod; (2) require attribution on every AI commit so audit trail is real; (3) keep humans in the loop for high-stakes operations (deletes, financial transactions, prod deploys); (4) plan for the long tail — 80% of production incidents come from edge cases AI didn't anticipate. Tooling alone doesn't solve this — process does.
FAQ
Can my engineering team handle this checklist themselves?
Yes — that's option A. Budget 4-12 weeks of focused engineering work, depending on team size and the maturity of your existing infrastructure. The math usually favors a platform when you compare total cost.
What's the highest-risk item to skip?
Audit logging. Once an app is in production without proper logging, retroactive instrumentation can't recover the missing data. You're permanently blind to anything that happened before logging was added. Auditors won't accept "we'll log from now on."
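Item 6 calls for logs that are tamper-evident, and this answer explains why missing history cannot be recovered. The hash-chained log below is an added Python illustration, not Clarista's implementation: each record commits to the previous one, and the latest hash is assumed to be shipped to the SIEM so that both in-place edits and truncation of the local copy are detectable.

```python
import hashlib
import json

GENESIS = "0" * 64

def record_hash(prev_hash, entry):
    """SHA-256 over the previous record's hash and the canonical JSON of this entry."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()

class AuditLog:
    """Append-only log: every record commits to the one before it, so editing or
    deleting an earlier record changes every hash after it."""

    def __init__(self):
        self.records = []

    def append(self, user, action, resource, before=None, after=None, ts=None):
        """Store user, timestamp and before/after state (the fields item 6 calls for)."""
        entry = {"user": user, "action": action, "resource": resource,
                 "before": before, "after": after, "ts": ts}
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({"entry": entry, "prev": prev, "hash": record_hash(prev, entry)})
        return self.records[-1]["hash"]

    def verify(self, expected_head=None):
        """Return the index of the first bad record, or None if the chain is intact.
        expected_head is the last hash as shipped to the SIEM; comparing against it
        also catches truncation of the tail, which a chain alone cannot detect."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["entry"]):
                return i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.records)
        return None

def tamper_demo():
    """Constructed scenario: an admin change is logged, then its 'after' value is edited
    in place. Returns the index verify() reports (0, the edited record)."""
    log = AuditLog()
    log.append("alice", "update", "customers/42", before={"tier": "free"},
               after={"tier": "pro"}, ts="2024-01-02T10:00:00Z")
    head = log.append("bob", "delete", "customers/17", before={"tier": "pro"},
                      ts="2024-01-02T10:05:00Z")
    log.records[0]["entry"]["after"]["tier"] = "free"  # silent in-place edit
    return log.verify(head)

if __name__ == "__main__":
    print("first tampered record:", tamper_demo())
```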
Do I need all 14 items for an internal-only app?
For internal apps with non-sensitive data, you can skip items 11, 13, and parts of 12. Everything else still applies — internal apps still need auth, audit logs, backups, and security scanning.