Salvage assessment
Whether the codebase is best refactored in place, partially rebuilt, or set aside in favor of a fresh implementation. We default to salvage.
We review software built with Cursor, Bolt, Lovable, Claude Code, and Replit. We tell you what to fix first, what to leave alone, and what no developer should be paid to rebuild yet. We do not perform the cleanup ourselves.
They ask, “can you clean this up?”
That single question routinely returns quotes between eight and twenty-five thousand dollars, scopes that grow over time, and rebuilds that may not have been required in the first place.
The correct question is more difficult to ask. So we ask it for you.
What are the highest-impact technical risks in this codebase? Which must be addressed before launch? Which may safely wait? And which work should not be commissioned, at any price, at this stage of the business?
Each is reviewed by a senior engineer. Each is scored against the stage of your business. Each is documented in plain English.
Whether the codebase is best refactored in place, partially rebuilt, or set aside in favor of a fresh implementation. We default to salvage.
An ordered list of what to address first, weighted by exposure to your real users and your real infrastructure costs rather than by theoretical severity.
Whether the data model reflects the business you are actually building, and whether it will accommodate payments, roles, organizations, and reporting without later disruption.
Server-side enforcement of access, isolation of tenants, exposure of secrets, and the categories of issue that precipitate a breach notification.
Deployment posture, environment configuration, log retention, and the choices that generate disproportionate cloud spend at modest scale.
A document a competent engineer can quote against, with rough hour estimates and clear acceptance criteria. Not a wishlist.
A firm that charges for an audit and also performs the remediation has an irreconcilable conflict. The findings expand. The scope expands. The invoice expands.
We do not write production code for our audit clients. We deliver a report, and, in the Hiring Concierge engagement, introductions to two engineers we would hire ourselves to do the work.
We have no incentive to recommend work that does not need to be done.
You submit your repository or application URL. Within one business day, a senior engineer returns a brief written triage at no fee — a high-level read on whether a deeper audit is warranted.
If you proceed, we open one of the three engagements below. Each is fixed-fee. The lead engineer assigned to your engagement is named in the engagement letter.
You receive a written report and, on the larger engagements, a recorded walkthrough and follow-up correspondence. Where appropriate, we facilitate introductions to vetted implementation engineers.
One finding from a recent Handoff Audit. Details altered to protect the client.
The application conceals the administrative interface from regular users by hiding it in the navigation. The corresponding API endpoint, however, performs no server-side check on the caller’s role.
POST /api/admin/users HTTP/1.1
Cookie: session=<any-valid-non-admin>
→ 200 OK
[
{ "email": "founder@acme.com", "stripe_id": "cus_…" },
…
]A request made directly to /api/admin/users with any valid session cookie returns the complete user table, including email addresses and Stripe customer identifiers. Concealment in the user interface is not access control. We observe this pattern in approximately seven of every ten codebases reviewed.
Enforce server-side authorization at the route handler. Reject requests in which the session role is not admin with a 401 response. Add an automated test that exercises the endpoint without a session.
A typical Developer Handoff Audit contains 24 to 38 such findings.
We do not bill by the hour. We do not propose retainers. Every engagement is scoped, written, and delivered at a fee disclosed before work begins.
A one-page written diagnosis: salvage or rebuild, the five highest-impact risks, and whether a deeper audit is warranted.
The complete review across all six methodology areas, accompanied by a scope of work suitable for handoff to an implementation engineer.
The Handoff Audit, a strategy session, and warm introductions to two implementation engineers we would retain for the work ourselves.
Engagements include a seven-day refund window. Cancel within seven days of delivery, in writing, for any reason.
AI Launch Advisory is an independent practice that audits software built with AI coding assistants. Our engagements are commissioned by founders, operators, and investors who wish to understand the true condition of an AI-built application before committing capital to its remediation.
We were founded in 2026 in response to a pattern we observed in the market. Founders shipping with Cursor, Bolt, Lovable, Claude Code, and similar tools were producing functional products in days. The same tools produced consistent categories of latent failure: exposed secrets, client-only authorization, schema choices that did not survive growth, and infrastructure configurations that produced cloud bills disproportionate to traffic. These failures were not the product of incompetence — they were the product of tooling that optimized for working code, not durable code.
Each engagement is led by a senior engineer with a decade or more of production experience. Our lead engineers have, between them, built and operated payment, identity, scheduling, and data platforms at organizations from pre-seed companies to public corporations. The engineer assigned to your engagement is named in the engagement letter.
We do not perform the cleanup ourselves. We do not bill by the hour. We have no incentive to recommend work that does not need to be done.
The practice operates remotely, primarily within United States business hours. Inquiries are answered within one business day.
No. Source material is held in confidence and is reviewed only by the lead engineer assigned to your engagement. We do not retain copies after the engagement concludes, except in the case of public repositories, which we retain links to. Anonymized findings appear in public commentary only with the client's written permission.
Then the engagement has done its work, and you have not committed substantial capital to a remediation that was not required. We have, on occasion, returned findings that read essentially as: launch your application; correct three specific issues; do not retain a developer at this time. The fixed-fee structure ensures the practice does not benefit from over-scoping.
Automated scanners produce volumes of findings without judgment. They do not distinguish a serious access-control failure from a minor stylistic concern. The practice combines automated analysis with senior engineering judgment: each finding is reviewed by a person, ranked against the stage of the business, and accompanied by a recommendation a non-technical reader can act on.
Not for audit clients. The Hiring Concierge engagement includes introductions to implementation engineers we have personally vetted, but the work itself is performed by the introduced engineer, not by us. This separation is fundamental to our independence.
We accept engagements covering software built with Cursor, Claude Code, Bolt, Lovable, Replit, v0, GitHub Copilot, ChatGPT, and Claude. Common stacks include Next.js, React, Node, Python, Supabase, Postgres, MongoDB, Firebase, Vercel, Cloudflare, AWS, Stripe, NextAuth, and Clerk. If your stack is not listed, please inquire.
MVP Triage: one business day. Developer Handoff Audit: two to three business days. Hiring Concierge: five business days for the audit, followed by a two-week follow-up period.
Each paid engagement carries a seven-day refund window. Reply to any correspondence from the practice within seven days of delivery, in writing, and the engagement fee will be refunded in full. The Initial Triage is provided at no fee.
Submit your repository or application URL. A senior engineer will return a written triage within one business day. There is no obligation to engage further.
Or write to us directly at hello@ailaunch.help.