How to make AI-generated code production-ready
Code that runs in a demo is not code that is ready for real users. Here are the gaps between "it works" and "it's production-ready" — and how to close each.
"It works on my machine" and "it's ready for paying customers" are separated by a list of unglamorous things AI rarely adds on its own: input validation, authorization, logging, rate limits, migrations, and monitoring. None are hard individually; together they're what production means.
Validate every input — server-side
AI-generated code often validates in the browser and lets the server trust whatever arrives. Attackers skip your UI entirely and talk to the API directly with curl, a proxy, or a script. Every endpoint must validate its inputs on the server, regardless of what the front end already checked: type, length, range, allowed values, and reject anything that fails rather than trying to clean it up.
Authorize, not just authenticate
Logging a user in is authentication. Checking that *this* user is allowed to touch *this* record is authorization — and a missing per-record check (broken object-level authorization, often called IDOR) is the single most common hole in AI-built apps. The check must compare the record's owner against the user identity taken from the session, never against an ID the request itself supplies. Test it by logging in as one user, changing an ID in a URL to one that belongs to another user, and confirming you get "not found" rather than their data.
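The two points above, server-side validation and row-level authorization, in one small handler. This is an added example, not code from the original article or from any product it mentions; the in-memory invoice table, the user IDs and the handler's signature are assumed for illustration, and a real app would back the lookup with its database and framework.

```python
"""Server-side validation plus row-level authorization for one endpoint.

Added example, not code from the original article. The data store, the
user/invoice records and the handler signature are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Optional

# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: {"owner_id": 1, "amount_cents": 4999, "memo": "alice's order"},
    102: {"owner_id": 2, "amount_cents": 1200, "memo": "bob's order"},
}


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def parse_invoice_id(raw: Any) -> Optional[int]:
    """Server-side validation: accept only a positive integer, or its plain
    decimal string form. Floats, negatives, zero, booleans and strings such
    as '101 OR 1=1' are rejected outright rather than 'sanitized'."""
    if isinstance(raw, bool):  # bool is an int subclass; reject it explicitly
        return None
    if isinstance(raw, int):
        return raw if raw > 0 else None
    if isinstance(raw, str) and raw.isdigit() and len(raw) <= 18:
        value = int(raw)
        return value if value > 0 else None
    return None


def get_invoice(current_user_id: int, raw_invoice_id: Any) -> Response:
    """Handler for GET /invoices/<id>.

    `current_user_id` must come from the authenticated session, never from
    the request body or query string. The ownership comparison is what turns
    'logged in' (authentication) into 'allowed to read this row'
    (authorization)."""
    invoice_id = parse_invoice_id(raw_invoice_id)
    if invoice_id is None:
        return Response(400, {"error": "invalid invoice id"})

    invoice = INVOICES.get(invoice_id)
    # Same 404 for 'does not exist' and 'belongs to someone else': a distinct
    # 403 would tell an attacker which ids exist.
    if invoice is None or invoice["owner_id"] != current_user_id:
        return Response(404, {"error": "not found"})

    return Response(200, {"id": invoice_id, **invoice})


def idor_probe(current_user_id: int, known_own_id: int) -> list:
    """The manual test from the article, automated: walk the ids around one
    you own and record the status for each. A 200 on an id you do not own
    is an authorization hole."""
    results = []
    for candidate in range(known_own_id - 2, known_own_id + 3):
        results.append((candidate, get_invoice(current_user_id, candidate).status))
    return results


if __name__ == "__main__":
    print(get_invoice(1, "101"))          # alice's own invoice: 200
    print(get_invoice(1, "102"))          # bob's invoice: 404
    print(get_invoice(1, "101 OR 1=1"))   # rejected server-side: 400
    print(idor_probe(1, 101))
```

The probe is the check to run against every route that takes a record ID, not just this one; if any neighbouring ID returns data for a user who does not own it, the route is missing its ownership comparison.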
The production checklist
- Secrets in environment variables, never in client code or git
- Server-side validation and row-level authorization on every route
- Structured logging and an error tracker (so you see failures before users tweet them)
- Rate limiting on auth and write endpoints
- Database migrations, backups, and a tested restore
- Dependencies pinned, scanned, and updated
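The rate-limiting item above, worked through for a login endpoint. This is an added example, not code from the original article; the limiter is an in-process sliding-window counter with an injected clock so it runs offline and deterministically, and the limits, key names and sample traffic are assumed for illustration. A deployment with more than one server would keep the same counters in a shared store such as Redis rather than in process memory.

```python
"""Rate limiting for a login endpoint, keyed both per client IP and per
target account.

Added example, not code from the original article. Limits, window sizes
and the simulated traffic are assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    max_requests: int
    window_seconds: int


class FakeClock:
    """Injected clock so the example is deterministic; swap for time.time."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class RateLimiter:
    """Sliding-window limiter: a request is allowed if fewer than
    `max_requests` hits for the same key fall inside the trailing window."""
    def __init__(self, clock):
        self._clock = clock
        self._hits = defaultdict(list)  # key -> timestamps inside the window

    def allow(self, key: str, limit: Limit) -> bool:
        now = self._clock()
        window_start = now - limit.window_seconds
        recent = [t for t in self._hits[key] if t > window_start]
        if len(recent) >= limit.max_requests:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


# Assumed limits: a single IP gets 10 login attempts a minute; a single
# account gets 5 attempts per five minutes no matter how many IPs are used.
LOGIN_PER_IP = Limit(max_requests=10, window_seconds=60)
LOGIN_PER_ACCOUNT = Limit(max_requests=5, window_seconds=300)


def login(limiter: RateLimiter, ip: str, username: str, password_ok: bool) -> int:
    """Returns an HTTP status. Both limits are checked before the password,
    and every attempt counts, so a credential-stuffing run that rotates IPs
    still hits the per-account limit."""
    if not limiter.allow(f"login:ip:{ip}", LOGIN_PER_IP):
        return 429
    if not limiter.allow(f"login:user:{username.lower()}", LOGIN_PER_ACCOUNT):
        return 429
    return 200 if password_ok else 401


def simulate_rotating_ips(attempts: int = 20) -> list:
    """Constructed traffic: one account attacked from `attempts` distinct
    IPs within the same second. Only the per-account limit can stop this."""
    limiter = RateLimiter(FakeClock())
    return [login(limiter, f"10.0.0.{i}", "alice", False) for i in range(attempts)]


if __name__ == "__main__":
    statuses = simulate_rotating_ips()
    print(statuses.count(401), "attempts reached the password check,",
          statuses.count(429), "were rate limited")
```

Keying on the account as well as the IP is the part AI-generated limiters most often miss; a per-IP limit alone is defeated by any attacker with a pool of addresses.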
If you can't confidently tick every box, get a production-readiness and security review before launch. Comestare's Security Audit and Launch Pack exist to take an AI-built app from "it runs" to "it's safe to charge money on."
AI writes code that runs. Production is the discipline of code that keeps running when real people, and real attackers, show up.