AI DevelopmentPlaybook12 min readPublished July 12, 2026

Zero-config deploys · GitHub → Vercel · the production gap is where engineering earns

Lovable to Vercel: Prototype to Production, Zero Config

On July 9, 2026, Vercel announced zero-configuration deployment for Lovable projects — sync to GitHub, import the repo, and Vercel auto-detects the TanStack Start output. That closes the build and deploy step. Auth, data model, observability, cost controls, and domains are still yours. This playbook maps exactly where the zero-config path ends and engineering begins.

DA
Digital Applied Team
Senior strategists · Published July 12, 2026
PublishedJuly 12, 2026
Read time12 min
SourcesVercel · Lovable · TanStack · Wiz
Zero-config Lovable deploys
Jul 9
Vercel changelog, 2026
Nitro zero-config head start
1yr
shipped July 2025, pre-Lovable
Production gaps still yours
5
auth · data · logs · cost · DNS
Vercel Pro
$20/user
per month + usage overage

Lovable to Vercel deployment is now zero-config: since July 9, 2026, Vercel auto-detects the TanStack Start output that Lovable generates and deploys it with no manual build configuration — sync your project to GitHub, import the repo, done. Every subsequent edit made in Lovable lands as a commit and triggers a fresh deployment.

That is genuinely useful, and it is also exactly one step of the journey. The zero-config path covers build detection, deploy triggers, and SSL. It does not touch authentication, the data model, observability, cost controls, or domain strategy — the five dimensions that separate a prototype that looks finished from a product that survives contact with real users. A February 2026 breach disclosure from security firm Wiz — involving a vibe-coded app that was not built on Lovable or this pipeline — shows what skipping that second half costs.

This playbook covers what the July 9 announcement actually shipped, the framework stack that makes zero-config detection work, a coverage map of what the pipeline handles versus what stays manual, and the engineering checklist for each remaining gap — auth, data, environment variables, observability, and spend.

Key takeaways
  1. 01
    Zero-config Lovable deploys are live on Vercel.Announced July 9, 2026: sync a Lovable project to GitHub, import the repo into Vercel, and the framework is auto-detected — no build configuration. Every Lovable edit syncs as a commit and redeploys.
  2. 02
    The underlying capability is a year older than the news.Vercel shipped zero-configuration Nitro support in July 2025, covering Nuxt, TanStack Start, and SolidStart. The July 2026 change is Lovable routing its generated output through that existing pipeline — which means other AI builders can follow the same path.
  3. 03
    Zero-config covers roughly one of five production dimensions.Build, sync, and SSL are handled. Environment variables and domains are partially handled. Authentication, data-model access policies, observability, and cost controls remain entirely the engineer's job.
  4. 04
    The data-model gap has a documented worst case.In February 2026, Wiz disclosed that Moltbook — an AI-built app unrelated to Lovable or Vercel — exposed roughly 4.75M records via a database with no row-level security and an API key hardcoded in client-side JavaScript.
  5. 05
    Cost and observability decisions belong before launch.Vercel Pro runs $20 per user per month plus usage overage; Observability Plus bills $1.20 per 1M events with 30-day log retention versus roughly a day on standard Pro. Picking tiers after the first incident is the expensive order of operations.

01The AnnouncementWhat shipped July 9: sync, import, deployed.

The Vercel changelog entry — "You can now deploy Lovable apps to Vercel," authored by Jeff See and Pooya Parsa — describes a three-step path with no configuration step in it. You sync your Lovable project to GitHub, import the repository into Vercel, and Vercel detects the framework and deploys. From then on, every edit you make in Lovable syncs to GitHub and triggers a fresh deployment automatically.

The mechanism underneath is a framework change on Lovable's side. "Lovable projects now use Nitro under the hood," the changelog explains — Lovable's generated apps are TanStack Start projects running on the Nitro server runtime, and Nitro is a framework family Vercel already auto-detects. If you have compared builders before — see how Lovable compares to v0, Bolt, and Replit — this is the export-path story changing underneath the product.

Step 1
Sync to GitHub
Two-way sync · one branch at a time

Lovable's GitHub integration is a genuine two-way sync, not a one-time export. Edits in Lovable push as discrete commits; commits pushed to the active branch pull back into Lovable. Default sync target is the repo's default branch.

docs.lovable.dev/integrations/github
Step 2
Import to Vercel
Framework preset: tanstack-start

Vercel auto-detects the TanStack Start output and applies the right build settings. In monorepos where detection can fail, the preset can be set manually via the dashboard, vercel.json, or the CLI.

vercel.com/kb — TanStack Start guide
Step 3
Every edit redeploys
Lovable edit → commit → deploy

Each AI-driven change in Lovable appears as a GitHub commit, and each commit to the connected branch triggers a fresh Vercel deployment — continuous deployment without writing a pipeline.

Vercel changelog · Jul 9, 2026

Two operational details from the Lovable docs are worth flagging before you rely on the sync. First, Lovable only syncs one branch at a time — by default the repo's default branch, usually main — so a branching workflow needs deliberate branch management. Second, renaming the connected repo is safe (Lovable tracks renames), but deleting it or transferring it to an unconnected account breaks the sync. GitHub Enterprise connections are limited to Lovable's Enterprise plan; Free, Pro, and Business plans connect to github.com only.

02The StackTanStack Start, Nitro, and a one-year head start.

TanStack Start is a full-stack framework powered by TanStack Router for React and Solid, built on Vite for the build layer and Nitro as the server runtime and deployment layer. Nitro is the piece doing the zero-config work: it is a universal server toolkit that adapts one application output to many hosting targets, which is why Vercel can recognize and deploy it without a config file.

"Nitro is the universal server toolkit that powers zero-config deployments for TanStack Start and many other frameworks on Vercel, so no manual build configuration is required."— Vercel changelog, July 9, 2026

Here is the part most coverage of the announcement skips: none of the underlying capability is new. Vercel shipped zero-configuration Nitro support on July 3, 2025 — a full year earlier — covering Nuxt, TanStack Start, and SolidStart. Dedicated TanStack Start framework support, with auto-detection and Fluid compute defaults, followed on November 10, 2025. What changed on July 9, 2026 is that Lovable moved its generated output onto TanStack Start and Nitro, routing itself into infrastructure that already existed. That reading matters for anyone evaluating the AI-builder landscape: the deployment rail is open, and any builder that emits a Nitro-based framework can plug into it — Lovable is first, not exclusive. It also fits the platform posture we mapped in Vercel's AI Cloud deployment model: make the path from AI-generated code to running infrastructure as short as possible, then monetize the running.

Portability cuts both ways, too. The TanStack Start hosting docs describe Nitro as "an agnostic layer that allows you to deploy TanStack Start applications to a wide range of hostings" — the same output deploys to Cloudflare Workers, Netlify, Railway, Node.js, Bun, and others. Choosing Vercel is a defaults decision, not a lock-in decision, which is the right frame for the cost section below. One practical prerequisite from Vercel's own deployment guide: TanStack Start apps need Node.js 20+ and the Nitro plugin registered in the project's Vite config before auto-detection kicks in — Lovable's generated projects are set up for this, but it is the first thing to check if detection ever fails.

03Coverage MapWhat zero-config covers versus what is still your job.

The changelog and most recaps of it stop at "it deploys." The table below is our own synthesis — built from the Vercel changelog and knowledge base, the Lovable docs, published pricing pages, and recurring items in third-party launch checklists — mapping nine production dimensions to what the pipeline actually handles, what breaks when a dimension is skipped, and the minimum engineering task that closes each gap.

Lovable to Vercel production coverage map: nine production dimensions grouped by whether the zero-config pipeline handles them, what breaks if each is skipped, and the minimum engineering task to close the gap. Synthesis by Digital Applied from the Vercel changelog and knowledge base, Lovable documentation, Vercel and Lovable pricing pages, Wiz Research reporting, and practitioner deployment checklists, July 2026.
Production dimensionZero-config?What breaks if you skip itMinimum engineering task
Handled by the Lovable → Vercel zero-config pipeline
Build & framework detectionCoveredAuto-detection can miss in monorepo layouts, leaving the project preset unset and the build misconfigured.Confirm the tanstack-start framework preset in the dashboard; set it manually via vercel.json or the CLI if detection fails.
GitHub sync & deploy triggersCoveredLovable syncs one branch at a time — switch the active branch in Lovable and production can start tracking the wrong one.Confirm the active Lovable branch matches the branch Vercel deploys to production before inviting real users.
SSL certificatesCoveredLittle — adding a domain in project settings auto-provisions a Let's Encrypt certificate.Nothing beyond adding the domain; certificates provision and renew automatically.
Partially covered — verify before launch
Environment variablesPartialVITE_-prefixed variables missing at build time are a named blank-screen failure mode; server secrets bundled client-side leak to every visitor.Split public VITE_ values from server-only secrets and set both tiers in Vercel before the first deploy.
Custom domain & DNSPartialRoot and www both resolving as separate hosts invites duplicate-content and cookie-scoping issues.Pick one canonical host — root or www — and redirect the other.
Still the engineer's job
Authentication & sessionsNot coveredUntested auth flows are among the most-cited gaps in practitioner launch checklists — and the failure class behind real breaches.Walk every auth path by hand: signup, password reset, role boundaries, session expiry, and what an anonymous request can reach.
Data model & row-level accessNot coveredThe Moltbook incident exposed roughly 4.75M records through a database with no row-level security policy and an API key in client-side JavaScript.Write explicit row-level access policies and keep privileged keys server-side only — never in shipped client code.
Observability & alertingNot coveredHobby-tier logs persist for roughly an hour — production failures can vanish before anyone reads them.Wire up observability with meaningful retention and set alerts on error rates before real traffic arrives.
Cost controlsNot coveredUsage-billed overages accrue against traffic you didn't forecast — edge requests, data transfer, and active CPU all meter separately.Set spend alerts, understand Active CPU billing, and decide your plan tier before launch, not after the first invoice.

The "what breaks" column for the bottom group is not hypothetical. The recurring gaps named across independent Lovable-to-Vercel launch checklists — missing environment variables causing blank screens, broken deep links, untested auth flows, no analytics, no rollback plan — are practitioner consensus rather than an official vendor list, but they converge across sources for a reason: they're the failures teams actually hit. The next three sections take the biggest ones in order of blast radius.

04The Big GapAuth and the data model: where prototypes actually fail.

A vibe-coded prototype demonstrates flows; production authentication defends them. The difference is everything the demo never exercised: what happens when a session expires mid-action, whether a role boundary is enforced server-side or only hidden in the UI, and what an unauthenticated request to your API routes can actually reach. None of that is visible in a preview link, and none of it is covered by the deploy pipeline — which is a large part of why most AI-built projects stall before production.

The clearest recent illustration of the stakes comes from outside this pipeline. In February 2026, security firm Wiz disclosed that Moltbook — an AI-agent social platform whose founder was open about building it entirely through AI prompts — had exposed roughly 4.75 million database records, including about 1.5 million API authentication tokens and thousands of private messages. The root causes Wiz named were a database with no row-level security policy and an API key hardcoded into client-side JavaScript. The founder's own description of the build, quoted in Wiz's report: "I didn't write a single line of code for [Moltbook]. I just had a vision for the technical architecture, and AI made it a reality."

Not a Lovable incident
Moltbook was not built on Lovable or deployed through the Lovable → Vercel pipeline — Wiz's report names a misconfigured Supabase database on an unrelated AI-built platform. It is cited here as the documented worst case for the generic gap every vibe-coded app shares: the data model looks done because the app works, while the access policies that make it safe were never written. To Wiz's point about speed of remediation — the exposure was patched within roughly three hours of disclosure — the fix was small; the omission was structural.

Independent security research on AI-generated code has repeatedly found meaningful rates of exploitable vulnerabilities when output ships without human review — the point is not a precise percentage, it's that generated code inherits no security posture from the tool that generated it. The minimum production bar for a Lovable app handling real user data: server-side enforcement of every role and ownership rule, explicit row-level security policies on every table, privileged keys kept out of client bundles, and a manual walk of signup, reset, and session-expiry paths before launch.

05ConfigurationEnvironment variables, deep links, and domains.

The environment-variable model is the most common first-deploy trap. Two tiers apply in a Vite-based project like Lovable's output: variables prefixed with VITE_ are bundled into client-side code at build time and are therefore public, while unprefixed variables stay server-side only. Getting the split wrong fails in both directions — a missing VITE_ variable at build time is a named cause of blank-screen launches, and a server secret accidentally given the prefix ships to every browser. Set both tiers in Vercel before the first deploy, and treat anything prefixed as public by definition. Vercel's build pipeline also redacts detected secrets from build logs — we covered the mechanics in how Vercel handles secrets in build logs — but redaction is a backstop, not a substitute for the split.

Two more items from the practitioner checklists round out the configuration pass. Deep links: launch checklists repeatedly flag missing rewrite rules as the cause of 404s on direct URL visits in single-page-app setups — with a server-backed TanStack Start deploy this is less of a risk than in static exports, but testing a hard refresh on every route costs five minutes and catches it either way. Domains: adding a custom domain auto-provisions SSL, but choosing a canonical host is on you. Pick either the root domain or www, redirect the other, and you avoid the duplicate-content and cookie-scoping issues that come from serving both.

06OperationsObservability and cost controls: decide before launch.

A prototype that nobody monitors is fine — a product that nobody monitors is an outage you learn about from users. On Vercel the observability decision is mostly a retention decision: Hobby-tier logs persist on the order of an hour, standard Pro roughly a day, and Observability Plus extends retention to 30 days with usage-based billing. TanStack Start apps on Vercel also default to Fluid compute, which TanStack Start apps use by default, billing active CPU time rather than idle function duration — good economics, but a metering model worth understanding before traffic arrives. For a wider view of how function pricing compares across platforms, see our guide to serverless function pricing across platforms.

Vercel Pro
Plus usage overage
$20/user/mo

Beyond included allowances, overage meters separately: $2 per 1M edge requests past 10M included, $0.15/GB fast data transfer past 1TB, $0.128/hour active CPU. Hobby stays free with 1M edge requests and 4 active-CPU hours monthly.

vercel.com/pricing
Observability Plus
30-day log retention
$1.20/1M events

Pure usage billing since April 2, 2026, when Vercel removed the $10/month base fee. Retention steps up from roughly an hour on Hobby and a day on standard Pro to 30 days.

No base fee since Apr 2026
Lovable Pro
100 credits monthly
$25/mo

Free tier: 5 build credits/day up to 30/month plus 20 monthly Cloud credits. Business is $50/month for the same 100-credit tier plus SSO and data opt-out. Monthly-plan credits expire two months after issuance.

lovable.dev/pricing
What actually changed, and when
Don't misread the observability pricing timeline: the $1.20 per 1M events rate is not new to 2026 — Vercel set that per-event price back in December 2024, when it cut monitoring pricing by up to 87%. The April 2, 2026 change removed the remaining $10/month base fee and moved Observability Plus to pure usage billing. If you skipped Observability Plus over the base fee, the reason is gone; the rate you were quoted has been the rate for over a year.

The cost-control task list is short and boring, which is exactly why it gets skipped: set spend alerts before launch, know which plan tier you're on and what its included allowances are, and understand that edge requests, data transfer, and active CPU all meter separately. A vibe-coded app that unexpectedly gets traffic is a success story only if someone capped the downside first.

07The PlaybookWhen the prototype is enough — and when to bring engineering.

The right amount of engineering depends on what the deployment is for. A stakeholder demo needs none of the hardening above; a product holding customer data needs all of it. The matrix below is how we scope it.

Internal demo
Validating an idea with stakeholders

The zero-config path is genuinely sufficient. Sync, import, share the URL. Skip the hardening — the speed is the point, and no real user data is at stake.

Ship the prototype as-is
Real users, real data
The production threshold

The moment real users and their data arrive, auth and the data model come first: server-side role enforcement, row-level security on every table, secrets out of client bundles, auth paths walked by hand.

Harden auth + data before launch
Traffic you pay for
Usage-billed production

Wire observability with retention that outlives an incident, set spend alerts, and confirm the plan tier matches expected traffic. Do this before launch — the first invoice is the wrong monitoring tool.

Add observability + cost caps
Regulated or customer-facing
Compliance and continuity stakes

Full engineering review: threat model, data-retention policy, rollback plan, domain and DNS strategy, and a second pair of eyes on everything the AI generated. This is a rebuild-what-matters pass, not a rewrite.

Bring in an engineering team

This is the shape of the work we do most often with AI-built prototypes: keep the vibe-coded frontend that already earned stakeholder sign-off, and rebuild the production layer underneath it — auth, data policies, observability, spend controls, domains. It is days of engineering, not months, precisely because the deploy pipeline and the UI are already done. If you have a Lovable prototype that needs to survive real users, our web development team runs exactly this prototype-to-production pass, and for teams making the build-vs-buy call across their whole AI stack, our AI transformation engagements start with that scoping.

Looking forward, the direction of travel seems clear: the deploy-and-build layer is commoditizing fast, and it is commoditizing on open rails — Nitro's whole design is host-agnostic, and the zero-config infrastructure Lovable just plugged into had been waiting for a year. Expect more AI builders to adopt Nitro-based output, and expect the differentiation between them to migrate up the stack to exactly the dimensions in our coverage map. The gap between "it deploys" and "it's a product" is not shrinking; it's becoming the whole job.

08ConclusionZero-config is the starting line, not the finish.

Prototype to production, July 2026

The deploy step is solved. The production step is where engineering earns.

The July 9 announcement is real progress: a Lovable prototype now reaches a live Vercel URL with zero build configuration, and every edit redeploys itself. For validation, demos, and iteration speed, that's the best this path has ever been.

But the zero-config path covers build, sync, and SSL — and stops. Authentication, row-level data access, observability, cost controls, and domain strategy remain manual, and the Moltbook disclosure is a standing reminder of what the data-model gap costs when it ships unexamined. The honest reading of the coverage map: roughly a third of production readiness is now automatic, and it's the third that was never the hard part.

The practical move is to use the pipeline for what it's genuinely great at — speed to a shareable, continuously-deployed prototype — and to treat the moment real users arrive as a hard gate that triggers the engineering pass. Teams that internalize that sequencing get the best of both: vibe-coded velocity on the way in, engineered durability on the way out.

Prototype to production

Keep the vibe-coded prototype. Rebuild the production layer.

Our team takes AI-built prototypes — Lovable, v0, Bolt — and rebuilds the production layer underneath them: auth, data policies, observability, cost controls, and domains, delivered in days not months.

Free consultationExpert guidanceTailored solutions
What we work on

Prototype-to-production engagements

  • Auth hardening — roles, sessions, server-side enforcement
  • Data-model review — row-level security on every table
  • Observability wiring — retention, alerting, rollback plans
  • Cost controls — spend alerts, tier fit, usage forecasting
  • Domain, DNS & launch checklist execution
FAQ · Lovable to Vercel

The questions we get every week.

Vercel published a changelog entry titled 'You can now deploy Lovable apps to Vercel,' announcing zero-configuration deployment for Lovable projects. The path: sync your Lovable project to GitHub, import the repository into Vercel, and Vercel auto-detects the framework and deploys — no manual build configuration. Every subsequent edit made in Lovable syncs to GitHub as a commit and triggers a fresh Vercel deployment. The mechanism is a framework change on Lovable's side: Lovable projects now use TanStack Start running on the Nitro server runtime, which Vercel's existing zero-config pipeline already detects.