Take-home deployment: the deploy click is solved. Six decay vectors aren't.
Every major vibe-coding platform now publishes to a free auto-subdomain on a single click. The participant goes home with a working URL. Then it rots. This dashboard tracks the six decay vectors that silently kill workshop apps in the two-week tail, and ranks the platforms by which failure modes they expose.
Platforms scanned
13
7 deploy hosts + 6 databases
Decay vectors tracked
6
all silent — none page the user
Confirmed kill-shots
3
paused DB · auth 401 · cred leak
01 ▸ decay vectors
mean-time-to-failure, ordered by severity
CRIT
DB pause — Supabase
MTTF 7d
Free projects pause after 7 days of database inactivity. Dashboard visits don't count — only real DB queries reset the timer [52]. Data survives, but the resume is ~30s typical, hours worst-case, and the unpause button has been known to fail entirely [54] [55].
FIXcard line: "if it says 'paused' or 'unavailable', log into Supabase and click resume — your data is safe" [53]. Or pre-empt: ship with Neon (sub-second resume) or Turso (always-on) instead.
affects:
supabase-backed apps · any Lovable/Bolt default
CRIT
Auth rot — Google OAuth
MTTF 7d
Google OAuth refresh tokens expire after 7 days while the consent screen is in Testing mode, and after ~6 months of non-use even when published [66]. Workshop apps almost always ship in Testing mode → guaranteed silent death by day 8. Friends and family open the link and get nothing.
FIXuse the platform's bundled auth (Bolt Cloud, Lovable Cloud) instead of rolling Google sign-in. Removes the 7-day clock entirely [60].
affects:
any app with "sign in with google"
CRIT
Authorization inverted
MTTF at deploy
A study of 170 Lovable-built apps found anonymous visitors with full data access and logged-in users blocked [68]. The app looks fine on the participant's own login but breaks for the friend they share it with — the canonical "works on mine, broken for grandma" failure [71].
FIXcard line: "if a friend says it's broken but it works for you, ask the AI: 'anonymous users can see everything but logged-in users get nothing, fix it'" [68].
affects:
vibe-coded apps with any login flow
CRIT
Credential leak — bundled API keys
MTTF hours
Lovable apps routinely embed Stripe / OpenAI / SendGrid keys directly in the JavaScript bundle where credential-harvesters find them within hours [61]. In March 2026 a single vibe-coded app leaked 1.5M API keys and OWASP added a dedicated 2025 Top-10 category for vibe-coding patterns [62].
FIXworkshop policy: no real keys in workshop apps. Use bundled cloud (auto-managed creds) or test/throwaway keys only.
affects:
any AI-generated app prompted naively
CRIT
DB deletion — Render free Postgres
MTTF 30d + 14d
Render's free PostgreSQL databases expire 30 days after creation (cut from 90 in 2026), with a 14-day grace period before deletion along with all data. No backups available [32]. A guaranteed data-loss event for any workshop participant who needed a DB on Render.
FIXdon't deploy take-home apps on Render free. Cold starts already kill the "show grandma" link [31]; the 30-day DB clock makes it terminal.
affects:
any participant who picked Render manually
WARN
Credit ceiling — edit budget
MTTF ~1mo
Free-tier edit caps vary wildly: Lovable 5/day, 30/month [44]; v0 $5 credit + 7 msg/day [47]; Base44 5/day, 25/month [11]; Bolt 1M tokens/mo (loosest) [4]. Participant burns the month in one afternoon trying to fix a bug.
FIXcard line: "you have X edits per day on the free plan". Drill the three-strike rule (revert after 2 failed corrections) in session.
affects:
all free-tier AI builders
WARN
Cold start — Replit free sleep
MTTF 5 min idle
Replit's free tier sleeps after 5 minutes of inactivity with 10–30s cold starts on the next request [8]. The "show grandma" URL looks dead. Always-On requires the $20/mo Core plan. Render free has the same problem with longer (~60s) cold starts [30].
affects:
replit free · render free web services
INFO
Filesystem ephemeral — SQLite trap
MTTF next redeploy
Vercel officially: SQLite cannot be used — each serverless function gets its own ephemeral filesystem [56]. Replit: local filesystem writes disappear on every redeploy [58]. Both AIs happily generate SQLite code when prompted naively → "Save my todos" silently loses every entry on the participant's next edit.
affects:
any naive AI scaffold
02 ▸ platform health · take-home survivability
green = stable · amber = degrades · red = fails the 2-week test
URL*.bolt.host
Cardno
Free cap1M tok/mo
Sleepsno
DB+Authbundled
Domainpaid only
URL*.lovable.app
Cardno
Free cap30/mo
Sleepsno
DB+Authbundled
Mobile appios+android
URL*.vercel.app
Cardno
Free cap7 msg/day
Sleepsno
DB+Authnone
Domainfree attach
URL*.replit.app
Cardno
Free capagent caps
Sleeps5min/10-30s
DBPG 20GB
Domainpaid only
Avoid for take-home. 5-min sleep + 10-30s cold start is the "show grandma" killer. Core $20/mo fixes it. [8]
URL*.vercel.app
Cardno
Free capnon-commercial
Sleepsnever
Domainfree attach
DBnone + no SQLite
URL*.netlify.app
Cardno
Free cap100GB bw
Sleepsnever
Domainfree attach
DBnone
Solid static. Only suspends if quota blown — no auto-recharge, no surprise bill. [39]
URL*.pages.dev
Cardno
Free cap100k req/day
Cold start<5ms
Bandwidthunlimited
Domainfree attach
Structurally immune to the cold-start problem — V8 isolates. Most boring + reliable option. [35]
URLclaude.ai/public
Cardno
Free capclaude plan
Sleepsno
Domainnever
Re-publishblocked
Static one-shots only. Zero friction for non-account viewers. No DB, no auth, no custom domain ever. [9]
URL*.base44.app
Cardno
Free cap5/day · 25/mo
Sleepsno
DB+Authbundled
Tightest follow-up budget of the bundled-cloud builders. [11]
URL*.onrender.com
Cardno
Sleeps15min/~60s
Free PGdies @ 30d
Domainn/a
URLn/a
Cardrequired
Free cap30d trial
Trial$5 credit
No real free tier. Card required at signup → not workshop-grade. [33]
URLn/a
Cardrequired
Free cap7d trial
Trial2 VM-hours
Free tier removed for new signups in 2024. Same reason as Railway — not workshop-grade. [34]
URL*.created.app
Cardno
Free capin-editor
Sleepsno
DB+Authnone
Lesser-known but no-friction publish. No bundled cloud. [12]
03 ▸ database tier · left-alone-for-2-months ranking
the silent killer of workshop appsManaged Postgres since Dec 2025 (off Neon). Reliable, but the host Repl sleeps. [57]
Data survives the pause, but resume is manual and a community of cron pingers exists only to defeat this. [27] [28]
Guaranteed data loss at day 44. Disqualifying. [32]
PlanetScale free
No free path. Excluded from workshop options. [37]
04 ▸ credential & auth incident log · 2026
the dead-link of week three
2026-03
CRIT
1.5M API keys leaked from a single vibe-coded app shipped without security review. OWASP adds dedicated 2025 Top-10 category for vibe-coding risk patterns.Lesson: assume any AI-generated app has secrets in the bundle. Workshop policy must forbid real keys. [62]
2026-04-04
CRIT
Anthropic bans subscription OAuth tokens in third-party tools. Every app with an embedded Claude subscription token breaks instantly; pay-as-you-go API key migration required.Lesson: any LLM key the AI bakes into the participant's app is a future fault. [63]
2026-04-27
INFO
Lovable ships free iOS + Android mobile app — first mature phone-iteration path. Voice or text prompts; project syncs with desktop.Reframes the "two months later" iteration story for Lovable picks. [41]
2026-05-15
WARN
Replit iPhone app ships first update in four months after App Store review dispute. Live fragility example for mobile-iteration path.Don't promise alumni a smooth mobile-update cadence. [49]
ongoing
CRIT
Google OAuth refresh tokens expire at 7 days while consent screen is in Testing mode. Workshop apps almost always ship in Testing mode → silent 401 on day 8.Mitigation: use bundled-cloud auth, not Google sign-in. [66]
05 ▸ take-home card · printed runbook
no canonical published template exists; this is synthesised from failure-mode writeups
# take-home_card.md — print on 4×6, hand to participant at minute 175
[1] YOUR URL
printed verbatim — plus a QR code [5]
[2] HOW YOU SIGNED IN
"sign in with google, the address ending in @____"
# handles the 'wrong account at home' failure [42]
[3] IF IT SAYS 'PAUSED' OR 'UNAVAILABLE'
→ log into the platform dashboard
→ click resume
→ your data is safe [53]
[4] IF A FRIEND SAYS IT'S BROKEN BUT IT WORKS FOR YOU
→ ask the AI:
"anonymous users can see everything but logged-in users get nothing,
fix it" [68]
[5] DAILY EDIT BUDGET
you have X edits per day on the free plan
# don't burn the month in a single afternoon [44]
[6] PERMISSION TO ABANDON
if the prototype turned out wrong, throw it away.
# reduces facilitator-help load [72]
[7] RE-ENTRY URLS
discord · meetup · office-hours · facilitator email
# list multiple channels — not one [69] [73] [74]
[8] SECURITY · ONE LINE
don't put real API keys, passwords, or credit card details into your app [61]
# debugging note for facilitators: the single most-reported pain point in-session
# is debugging. The proven mitigation is teaching participants to query the AI to
# explain errors rather than touch the code [67].
06 ▸ recommended stack by workshop shape
match the pick to the participant population
▸ Generic 2-3 hr "ship a working app" for laymen
Bolt.new + Bolt Cloud
Most generous free tier, no card, persistent DB bundled, never sleeps. [4] [60]
▸ Participants likely to iterate on phones
Lovable + Lovable Cloud
Only mature mobile app in May 2026. Accept the 30/mo credit ceiling as the tradeoff. [41]
▸ UI prototyping only · no backend
v0.dev → Vercel Hobby
One-click deploy, never sleeps, custom domain free. [6] [29]
▸ Static "hello world" for absolute beginners
Claude Artifacts
Zero account-creation friction for the viewer. Static only. [9]