What Nobody Tells You About Shipping a Vibe-Coded App

In February 2026, I shipped a working multi-tenant SaaS app in four days. Claude wrote most of the code. I directed it like a product manager who happened to read TypeScript. The frontend looked clean, the API responded fast, and the held up in front of three potential early users. I felt like I’d broken the game in a good way. Two weeks later, a friend with a security background spent forty minutes with the codebase and found five vulnerabilities, two of them critical. One let any authenticated user pull another user’s invoices by changing a single integer in a GET request.