Bolt to Production: The €3,500 Fixed-Price Playbook
Ship your Bolt.new prototype to production in 1 week. Auth, multi-tenant RLS, Stripe webhooks, e2e tests — €3,500 fixed price.
TL;DR. Bolt.new ships demos. It doesn't ship production code. Per Veracode's Spring 2026 report, 45% of AI-generated code contains security vulnerabilities even when syntax correctness exceeds 95%. This post is the exact playbook Soatech uses to take a Bolt prototype to production in 1 week for €3,500 fixed — the same architecture pattern that shipped wintura.ai.
What "Bolt to Production" Actually Means
Bolt to production is the process of transforming a working Bolt.new prototype into production-grade code ready for paying users. This means adding the security, reliability, and observability patterns Bolt doesn't generate: production-grade authentication, multi-tenant data isolation, webhook signature verification, structured error handling, accessibility compliance, and end-to-end test coverage. The output is code that fails safely under load instead of code that merely runs in demo conditions.
Bolt.new is excellent at what it targets: the prompt-to-preview loop. You describe a feature, Bolt generates code, you see it running. The loop is fast, and the code works. The problem isn't that Bolt generates bad code — the problem is that Bolt optimizes for demo-ready, not production-ready.
These are different optimization targets.
The Verified Gap (Q2 2026 Numbers)
Three data points establish why "Bolt to production" is now a defined market category:
1. Security vulnerability rate. Per Veracode's Spring 2026 GenAI Code Security report, AI-generated code has a 55% security pass rate — meaning 45% contains vulnerabilities. Syntax correctness rates exceed 95%. The implication: the code runs but fails under adversarial conditions. Bolt code is syntactically correct, functionally incomplete.
2. Rebuild cost. Per Chrono Innovation's Feb 2026 cost breakdown, the rebuild-to-production cost for AI-generated prototypes runs $20K–$100K depending on complexity. Simple internal tools: $8K–$20K. Complex multi-tenant SaaS: $50K–$100K. The variance reflects the gap between "it works in demo" and "it survives paying users."
3. Code rewrite rate. Per AppyCodes' Apr 2026 study covering 20 Bolt/Lovable-to-production engagements, the average rewrite rate is 59% of original code. Simple internal tools average 27% rewrite. Complex marketplaces average 76% rewrite. The Bolt-generated code is mostly a scaffold — over half gets replaced.
The fixed-price playbook below targets the 27–59% band: prototypes that need production hardening, not a full rewrite.
The 5-Pattern Production Checklist
Every Bolt codebase I've audited for Soatech Production Lift engagements has the same five gaps. Not similar — identical. These are the exact patterns the playbook addresses.
Pattern 1: Application-Layer Tenancy (No Database Enforcement)
What Bolt generates:
```typescript
// Bolt-generated query
export async function listProposals(userId: string) {
  return db.query('SELECT * FROM proposals WHERE user_id = $1', [userId]);
}
```
Why it fails in production:
Every query function needs to remember the userId filter. The day someone writes SELECT * FROM proposals without the WHERE clause — you have a cross-tenant data leak. Application-layer tenancy is a time bomb.
The production fix: Row-Level Security at the database layer. Per the wintura.ai multi-tenancy pattern:
```sql
ALTER TABLE proposals ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON proposals
  USING (tenant_id = current_setting('app.current_tenant_id')::uuid);
```
Now even raw SQL queries against the database can't return rows for the wrong tenant. The database is the enforcement point, not the application.
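The application side of this pattern, as an added TypeScript example that is not from the post or the wintura.ai code base: a helper that binds `app.current_tenant_id` to a single transaction, next to a version of the policy that adds two safeguards the snippet above omits (`FORCE ROW LEVEL SECURITY` and `missing_ok`). `SqlClient`, `withTenant` and the `pg`-style `query(text, params)` shape are this example's assumptions.

```typescript
// Minimal client shape (an assumption): matches pg's Pool/Client query(text, params)
export interface SqlClient {
  query(text: string, params?: unknown[]): Promise<{ rows: unknown[] }>;
}

// The post's policy plus two things it leaves out. Table owners and superusers bypass RLS
// unless the table is FORCEd, so either the app connects as a non-owner role or FORCE is set.
// current_setting(name, true) returns NULL instead of raising when the setting is absent, and
// `tenant_id = NULL` is never true, so an unscoped session gets no rows: it fails closed.
export const RLS_MIGRATION = `
ALTER TABLE proposals ENABLE ROW LEVEL SECURITY;
ALTER TABLE proposals FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON proposals
  USING (tenant_id = current_setting('app.current_tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.current_tenant_id', true)::uuid);
`;

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Run fn inside one transaction with the tenant id set for exactly that transaction.
// set_config(..., is_local = true) ends with the transaction, so a pooled connection
// cannot carry one request's tenant into the next request.
export async function withTenant<T>(
  client: SqlClient,
  tenantId: string,
  fn: (c: SqlClient) => Promise<T>,
): Promise<T> {
  // Fail closed before touching the database: never send a non-UUID as the tenant key
  if (!UUID_RE.test(tenantId)) throw new Error('invalid tenant id');
  await client.query('BEGIN');
  try {
    // SET LOCAL cannot take bind parameters; set_config can, so the id is never interpolated
    await client.query("SELECT set_config('app.current_tenant_id', $1, true)", [tenantId]);
    const result = await fn(client);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  }
}

// Caller: the query carries no tenant filter; the policy supplies it
export async function listProposals(client: SqlClient, tenantId: string): Promise<unknown[]> {
  return withTenant(client, tenantId, async (c) => {
    const { rows } = await c.query('SELECT * FROM proposals');
    return rows;
  });
}
```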
Estimated fix time: 2–4 hours (Production Lift Day 1)
Pattern 2: Auth That Handles Only the Happy Path
What Bolt generates: Sign-up, sign-in, sign-out — all working. The user can register and log in. Looks complete.
What's missing for production:
- Password reset that resists enumeration (returns identical response regardless of email existence)
- Magic-link tokens that are single-use and expire in 15 minutes
- Session cookies locked to apex domain (no subdomain leakage)
- CSRF tokens that rotate on privilege change
- Rate limiting per IP per auth endpoint
The production fix: NextAuth v5 configured per the Wintura auth hardening pattern:
- Cookie domain locked to apex
- Password reset endpoint responds identically whether email exists or not (timing matched to within 50ms)
- Magic-link tokens: 32-byte random, single-use, 15-minute expiry
- CSRF rotation on role change
- Rate limiting: 10 requests/IP/minute per auth endpoint via Vercel Edge Middleware
Estimated fix time: 3–6 hours (Production Lift Day 2)
Pattern 3: Stripe Webhooks Without Signature Verification
What Bolt generates:
```typescript
// Bolt-generated webhook handler
export async function POST(req: Request) {
  const event = await req.json();
  if (event.type === 'checkout.session.completed') {
    await processOrder(event.data.object);
  }
  return Response.json({ received: true });
}
```
Why it fails in production:
This handler processes any HTTP POST with a Stripe-shaped JSON body. An attacker who finds the URL can fire fake checkout.session.completed events and create fraudulent orders.
The production fix:
```typescript
import Stripe from 'stripe';

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET!;

export async function POST(req: Request) {
  const sig = req.headers.get('stripe-signature');
  if (!sig) {
    return Response.json({ error: 'Missing signature' }, { status: 400 });
  }
  // Read the raw body: constructEvent verifies the exact bytes Stripe signed
  const body = await req.text();
  let event: Stripe.Event;
  try {
    event = stripe.webhooks.constructEvent(body, sig, webhookSecret);
  } catch {
    return Response.json({ error: 'Invalid signature' }, { status: 400 });
  }
  // Idempotency check — process each event exactly once
  // (alreadyProcessed is the app's own lookup of handled event ids, e.g. a unique-indexed table)
  if (await alreadyProcessed(event.id)) {
    return Response.json({ received: true, deduped: true });
  }
  // ... handle event
  return Response.json({ received: true });
}
```
Same pattern for HubSpot, Resend, Cloudflare R2, or any webhook endpoint.
Estimated fix time: 1–2 hours per integration (Production Lift Day 3)
Pattern 4: Generic Error Handling
What Bolt generates:
```typescript
try {
  const result = await externalApi.call();
  return Response.json({ success: true, result });
} catch (error) {
  console.error(error);
  return Response.json({ error: 'Something went wrong' }, { status: 500 });
}
```
Why it fails in production: All failures look identical to the client. No retry policy. No observability. Rate-limited errors, auth failures, and service outages all return the same generic 500.
The production fix: Structured error types per failure mode:
```typescript
type ExternalApiError =
  | { type: 'rate_limited'; retryAfterMs: number }
  | { type: 'service_unavailable'; retryAfterMs: number }
  | { type: 'invalid_request'; field?: string }
  | { type: 'auth_failed' }
  | { type: 'unknown'; message: string };
```
Each error type gets its own HTTP status, Retry-After header, and observability event. The UI can display "Try again in 30 seconds" instead of "Something went wrong."
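As an added TypeScript example (not from the post), here is the union above carried through to a response: a classifier that maps an upstream failure onto one of the five types, a `Retry-After` parser, and the per-type HTTP mapping. `classifyUpstreamFailure`, `toHttpResponse` and the chosen status codes are this example's assumptions.

```typescript
export type ExternalApiError =
  | { type: 'rate_limited'; retryAfterMs: number }
  | { type: 'service_unavailable'; retryAfterMs: number }
  | { type: 'invalid_request'; field?: string }
  | { type: 'auth_failed' }
  | { type: 'unknown'; message: string };

// Retry-After is either delta-seconds or an HTTP-date (RFC 9110 section 10.2.3)
export function parseRetryAfterMs(value: string | undefined, nowMs: number, fallbackMs: number): number {
  if (!value) return fallbackMs;
  if (/^\d+$/.test(value.trim())) return Number(value) * 1000;
  const at = Date.parse(value);
  return Number.isNaN(at) ? fallbackMs : Math.max(0, at - nowMs);
}

// Map a failed upstream response to one structured type. Header keys are lower-case; body is the parsed upstream error, if any.
export function classifyUpstreamFailure(
  status: number,
  headers: Record<string, string>,
  body: { field?: string; message?: string } | undefined,
  nowMs: number,
): ExternalApiError {
  const retryAfter = (fallbackMs: number) => parseRetryAfterMs(headers['retry-after'], nowMs, fallbackMs);
  if (status === 429) return { type: 'rate_limited', retryAfterMs: retryAfter(30_000) };
  if (status === 401 || status === 403) return { type: 'auth_failed' };
  if (status >= 500) return { type: 'service_unavailable', retryAfterMs: retryAfter(5_000) };
  if (status >= 400) return { type: 'invalid_request', field: body?.field };
  return { type: 'unknown', message: body?.message ?? `unexpected upstream status ${status}` };
}

type HttpReply = { status: number; headers: Record<string, string>; body: { error: string; field?: string } };

// One status, Retry-After header and client-safe message per mode (status choices are this example's assumption)
export function toHttpResponse(err: ExternalApiError): HttpReply {
  switch (err.type) {
    case 'rate_limited': {
      const secs = Math.ceil(err.retryAfterMs / 1000);
      return { status: 429, headers: { 'Retry-After': String(secs) }, body: { error: `Try again in ${secs} seconds` } };
    }
    case 'service_unavailable': {
      const secs = Math.ceil(err.retryAfterMs / 1000);
      return { status: 503, headers: { 'Retry-After': String(secs) }, body: { error: `Service unavailable, retry in ${secs} seconds` } };
    }
    case 'invalid_request':
      return { status: 400, headers: {}, body: { error: 'Invalid request', field: err.field } };
    case 'auth_failed': // our upstream credentials failed: a server-side fault, so 502, not 401 to the end user
      return { status: 502, headers: {}, body: { error: 'Upstream authentication failed' } };
    case 'unknown': // log err.message server-side; never echo internal detail to the client
      return { status: 500, headers: {}, body: { error: 'Upstream request failed' } };
  }
}
```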
Estimated fix time: 2–4 hours (Production Lift Day 3–4)
Pattern 5: Zero Accessibility Coverage
What Bolt generates: A working UI with form elements, buttons, and clean visual design. axe-core is never run.
What's missing for production:
- Keyboard navigation (Tab, Shift+Tab, Enter, Escape, Arrow keys)
- ARIA labels on icon-only buttons
- Focus management when modals open/close
- Color contrast ratios ≥ 4.5:1 (WCAG 2.1 AA)
- Skip-to-content links
- Reduced-motion respect
The production fix:
axe-core baked into Playwright e2e tests. Per the wintura.ai test matrix: 24 spec files include audit-a11y projects across public, private, and onboarding routes × mobile, tablet, and desktop viewports. Every PR runs the full matrix.
Estimated fix time: 2–4 hours (Production Lift Day 4–5)
The Week-by-Week Playbook
The Soatech Production Lift runs Mon–Fri:
| Day | Focus | Deliverables |
|---|---|---|
| Day 1 | Audit + multi-tenant | Repo review, severity-ranked findings, RLS policies installed |
| Day 2 | Auth hardening | NextAuth v5 production config, rate limiting, CSRF rotation |
| Day 3 | Integrations | Stripe/webhook signature verification, idempotency, structured errors |
| Day 4 | Observability + e2e | Sentry wired, Vercel Analytics, Playwright specs for critical flows |
| Day 5 | Deploy + handoff | Vercel production deploy, preview environments per PR, handoff call |
Deliverables:
- Production-grade auth (NextAuth v5 or Clerk + OAuth)
- Multi-tenant Row-Level Security (Postgres RLS)
- Playwright e2e suite (≤15 spec files, critical flows)
- Security headers + CSRF + per-route rate limiting
- Vercel deploy + env management + preview environments per PR
- Sentry error tracking + Vercel Analytics
- 30-day post-ship bug fix window
What's NOT included:
- New feature development (scope a Feature Sprint)
- Mobile-native rewrite (responsive web only)
- Backend migration (Postgres → Mongo etc.)
- Performance optimization beyond Vercel defaults
- Complex AI pipeline reconfiguration
The Pricing Math
Bolt.new pricing (Q2 2026):
- Free: 150K tokens/day
- Pro: $20/month (10M tokens)
- Team: $40/user/month (30M tokens)
Rebuild cost without a playbook:
- Per Chrono Innovation: $20K–$100K
- Per AppyCodes: median $10K over 35 days; complex $22K over 65 days
Production Lift (with the playbook):
- €3,500 fixed, 1 week
- Scope-capped: ≤30K LOC, ≤10 routes, standard React/Next.js stack
- 30-day post-ship bug fix window included
The math: €3,500 (Production Lift) vs $10K–$22K (hourly agency) vs $20K–$100K (full rebuild). The Production Lift is the lowest-cost path to production for prototypes that need hardening, not rewrites.
If your Bolt prototype has >30K LOC, >10 routes, or non-standard stack — scope an MVP Sprint instead. The Production Lift converts toward MVP Sprint within 30 days if needed.
The Conversion Ladder
Not sure whether you need the Lift or something else?
Start with the Production Audit (€1,500, 3 days): Written diagnosis only — no code changes. You get a severity-ranked PDF report. If you commit to the Production Lift within 30 days, the €1,500 converts (net Lift cost: €2,000).
Production Audit (€1,500, 3 days)
↓ converts toward
Production Lift (€3,500, 1 week)
↓ or if scope exceeds cap
MVP Sprint Standard (€12,900, 6 weeks)
The Audit is for founders who want a written, defensible diagnosis before committing to the Lift. The Lift is for founders who already know the prototype needs production hardening. The MVP Sprint is for prototypes that need more than hardening — they need an actual rebuild.
Why Fixed-Price vs Hourly
Per WPP's 2026 Billing Model Report, 78% of B2B SaaS buyers in Q2 2026 prefer fixed-price engagements for projects with defined scope. The AI-accelerated development wave (Bolt, Lovable, Cursor) made fixed-price viable because variance is lower — the patterns are known, the fixes are repeatable, the timeline is predictable.
Hourly billing made sense when projects were novel and scope was uncertain. Bolt-to-production is neither. The five patterns above recur in every prototype. The fixes are documented. The timeline is one week.
€3,500 fixed absorbs the variance. No change orders. No surprise invoices. One price, one week, one handoff.
Self-Check: Does Your Bolt Prototype Need the Lift?
Five questions:
- Tenancy: Can you write a database query without specifying a tenant ID, and would it return data?
- Auth: Does your password-reset endpoint behave identically whether the email exists or not?
- Webhooks: Does your Stripe handler call stripe.webhooks.constructEvent?
- Errors: Do your catch blocks distinguish between rate-limited, auth-failed, and service-unavailable?
- A11y: Have you ever run axe-core against your app?
A "yes" on the tenancy question, or a "no" on any of the other four, means the Production Lift work hasn't been done yet.
Frequently Asked Questions
How long does the Production Lift take?
5 working days (Mon–Fri). Day 1–2: audit + architecture mapping. Day 3–4: implementation across all 5 patterns. Day 5: deployment + handover.
What if my prototype is in Lovable, v0, or Cursor instead of Bolt?
Same patterns apply. Lovable generates better-typed code than Bolt but the same five gaps exist. v0's output varies by prompt. Cursor produces whatever you prompt for — if you didn't prompt for RLS, you don't have it. The Production Lift is framework-agnostic. See Lovable-to-Production-Lift for the direct comparison.
What if my prototype exceeds the scope caps (>30K LOC or >10 routes)?
The Production Lift caps at ≤30K LOC, ≤10 routes, standard React/Next.js stack. If your prototype exceeds this, scope an MVP Sprint (from €8,500) at the Technical Blueprint phase. The Lift is for hardening; the Sprint is for building.
Can I do this myself?
Yes. The patterns are documented in OWASP, Stripe's webhook docs, Next.js production checklist, and the Wintura case study. Learning takes 2–6 weeks; implementation takes 1–3 weeks. The Lift trades €3,500 for 1 week of expert work instead of 3–9 weeks of learning + doing.
What's the deliverable at the end?
Your code, your repo, walk-away ownership. Full source transferred to your GitHub org. Vercel production deploy live. Sentry + Vercel Analytics wired. 30-day post-ship bug fix window. No platform lock-in, no recurring fees.
How do I start?
Book a scoping call at soatech.co/#booking. 30 minutes. No upsell. You'll know by the end of the call whether the Production Lift fits your prototype or whether you need an MVP Sprint instead.
Ready to ship your Bolt prototype? The Production Lift is €3,500 fixed, 1 week. The same playbook that shipped wintura.ai applied to your specific app — no rebuild, no rewrite, just the production hardening the prototype was missing.