SpringCode

← All writing

What this is, and what's coming

A quick intro before the writing actually starts. Who we are, what we'll be publishing, and what's queued for the next few weeks.

June 21, 2026 · 2 min read · Jacob P

New here? Get future field notes in your inbox →

Quick context before the writing actually starts.

This site is run by the two of us. Senior developers in Canada who spend our days auditing apps built on Lovable, Base44, Replit, Cursor, Claude Code, and the rest of the AI building stack. We open codebases that were stitched together by AI agents and look for the things the agent didn't think about. Auth flows that lie. RLS policies that don't enforce anything. Secrets sitting in client bundles. Then we either fix them, or we write up what we found so the founder can.

This site is where we write about what we see. Not vendor blogs. Not "5 ways to optimize your stack" listicles. Not anything you've already read on Hacker News three times. Field notes from real audits, in the voice of the person who did them.

A preview of what's queued

Base44 is great until you want your code back.

The case for migrating off. What it takes to move a Base44 app onto your own Supabase and Vercel, and what you gain on the other side: your code, your data, no credit meter, no lock-in, and security you can finally control yourself.

The vulnerabilities I'm finding most this summer.

Pattern recognition. The same handful of holes turning up in nearly every app we open right now: RLS that doesn't enforce anything, service keys shipped to the browser, auth that checks the wrong thing, and the public breaches that prove they're not hypothetical.

Keep building in Lovable. Just stop letting it host your app.

The setup we recommend. You don't have to leave Lovable to escape the lock-in: point it at your own Supabase, ship the frontend from your own Vercel, and keep vibe coding while you actually own the thing. Where it's easy, where it bites, and what you have to lock down once it's yours.

Which AI builder is hardest to walk away from.

A ranking. Lovable, Base44, Bolt, Replit, v0, scored by how trapped you are once you've built. Because "fastest to start" and "easiest to leave" are very different numbers, and nobody tells you the second one up front.

What happens to your app after you stop vibe coding.

The part nobody plans for. It shipped, it works, real users showed up, and now dependencies rot, the agent quietly broke something three prompts ago, and no one's watching. What goes wrong in the weeks after launch, and how to catch it.

Cadence

Roughly weekly. Sometimes shorter notes between, sometimes longer pieces when something's worth the depth. No fixed schedule beyond that.

If you'd rather get these in your inbox than check back, the form below does that. If after a few posts you'd rather have us look at your code than read about it, hire us at springcode.ai.

First real post soon.