cd /news/developer-tools/who-fixes-broken-lovable-and-bolt-ap… · home topics developer-tools article
[ARTICLE · art-64921] src=dev.to ↗ pub= topic=developer-tools verified=true sentiment=· neutral

Who Fixes Broken Lovable and Bolt Apps? Your Real Options Compared

A developer compares four options for fixing broken apps built with AI coding assistants like Lovable and Bolt: self-fixing, hiring a freelancer, using a specialized rescue service, or engaging an agency. The post identifies five common failure patterns in AI-built apps, including Row Level Security policy issues, session cookie mismatches, email link token consumption, missing environment variables, and hardcoded preview URLs. The developer advises running targeted checks before paying for help.

read5 min views1 publishedJul 18, 2026

Broken Lovable and Bolt apps get fixed by four kinds of help: you, with a handful of targeted checks; a freelancer from a marketplace like Upwork or Fiverr; a specialized vibe-code rescue service; or a development agency. The right choice comes down to cost, speed, and risk, and since most breaks trace back to the same five failure patterns, run the checks below before paying anyone.

The one-sentence honest version of each option:

That answer also covers "my Lovable app broke after export, who can fix it" and "an AI coding assistant built my app and now it is broken, who do I hire". Apps from Lovable, Bolt, v0, Replit, and Cursor break in the same places.

These five patterns cover most of the broken AI-built apps we diagnose. Before changing anything, save the exact error text; it is the most useful thing to hand whoever fixes this.

The symptom: signup, save, or post actions fail, and the browser console or network tab shows code 42501

.

What it usually means: the table has Row Level Security enabled (correct) but no INSERT policy, or the policy is missing its WITH CHECK

clause. Builders switch RLS on but never generate the policy that lets authenticated users write rows.

The check: open the Supabase SQL editor and run the failing query while impersonating the authenticated

role, not anon

. If it fails there too, the policy is the problem, not your app code. The fix is writing the INSERT policy, never turning RLS off.

The symptom: a Next.js App Router app using @supabase/ssr

where server code can read the user, but the page renders as signed out, or login bounces you back to the login screen.

What it usually means: the session cookie does not survive the redirect after the auth callback, or the client reads a different cookie name than the server wrote.

The check: log the cookie names on the callback response, then compare with what the client receives. A missing cookie or two different names is your answer.

The symptom: users click the emailed login link and are told it expired, even when they click within seconds.

What it usually means: an email security scanner opened the link before the human did and consumed the one-time token. Corporate and university inboxes do this constantly.

The fix shape: switch to verifyOtp

with a typed code; a code the user types cannot be consumed by a scanner following links.

The symptom: the Vercel build passes, the deployment is green, and the live URL is a blank page. Locally everything works.

What it usually means: a missing or empty environment variable in the Vercel project settings. It works locally because .env.local

exists there; that file never deploys. An empty variable is just as fatal as a missing one and harder to spot.

The check: look for undefined configuration values in the browser console on the live URL, then compare the Vercel environment variable list against .env.local

line by line.

The symptom: everything worked on the builder preview URL; after export and deploy to your own domain, redirects land somewhere wrong or requests fail.

What it usually means: hardcoded preview URLs or auth redirect URLs still point at the builder's domain instead of yours.

The check: search the codebase for the builder's domain string, then confirm your auth site URL and redirect allow-list include the production domain.

If one of these matched, you may not need to hire anyone. If none did, or you do not want to touch the fix yourself, here is what hiring looks like.

Option Typical cost Speed The real risk
Yourself $0 An evening Silencing errors by disabling security
Marketplace freelancer $30 to $150 Hours to days, plus vetting time Quality variance
Specialized rescue service Flat rate Usually 1 to 2 days Wrong fit for full rebuilds
Agency $1,000 and up Days to weeks Paying for structure you do not need

Yourself. Free and genuinely viable when the failure matches a known pattern. One warning: never make a security error disappear by turning security off. Disabling RLS or putting a service role key in browser code leaves your database open to anyone on the internet.

Marketplace freelancers. Often the cheapest competent option, and there are excellent people there. The problem is variance: the same $80 can buy a clean fix or a mess that costs more to undo. A useful filter: does the reply name your specific error and a plausible cause, or just quote hours to "investigate"?

Specialized rescue services. A category that exists because these failures repeat; a specialist has usually fixed your exact error many times, which is what makes flat pricing possible. Two questions before you pay anyone here: is the diagnosis free, and do you pay before or after the fix is proven working?

Agencies. The right answer when the app needs sustained development or a partial rebuild, the wrong answer for a single broken deploy, where the minimum engagement dwarfs the work. A good agency will tell you this themselves.

We run one of the specialized services: Vibe-Code Rescue, at rescue.ticassociation.com. The diagnosis is free. You paste the error, we explain what broke and what fixing it involves, and the diagnosis is yours to take anywhere, including to a freelancer. If you want us to do the fix, it is a flat $90 founding rate, and you pay only after the fix is verified working on your live app. That is one option among the four above, not the only sensible one.

No matter who fixes your app, you can check the security of the result for free. Our Supabase RLS auditor at ticassociation.com/supabase-rls-audit is one read-only SQL file you run in the Supabase SQL editor. It writes nothing and changes nothing; it lists the tables with RLS disabled or policies missing, which is where AI-built apps tend to be quietly exposed.

Run the five checks first; they cover most broken Lovable and Bolt apps. If you need a human: a freelancer is the cheapest gamble, a rescue service trades a flat rate for predictability, and an agency only makes sense when one fix is not what you are buying. Whatever you choose, keep the exact error text, ask how the fix will be verified, and never accept "we turned the security rules off" as a solution.

A TIC Association creation.

── more in #developer-tools 4 stories · sorted by recency
── more on @lovable 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/who-fixes-broken-lov…] indexed:0 read:5min 2026-07-18 ·