A vibe-coded inventory app, hardened for production.
Manytain is an inventory platform its founder built end-to-end on Firebase — vibe-coded into a working app with a React front-end, Firestore, Auth and Cloud Functions. It proves the idea. Our job is to make it something real businesses can run on: locked-down security rules, a data model built for scale, validated Cloud Functions, production email, and a real build-and-deploy pipeline — all without leaving Firebase or GCP.

The brief, in three beats.
What they needed.
The founder shipped a working inventory app fast by vibe-coding it on Firebase — React, Firestore, Auth, Cloud Functions, Hosting. Perfect for proving the concept, but not yet safe to put paying businesses on: permissive security rules, an ad-hoc data model, writes the client could trust too much, and email that wasn't production-grade.
How we tackled it.
We don't rewrite — we harden. Audit the existing build, lock down Firestore and Storage security rules, restructure collections for the queries it actually runs, move business logic and validation into Cloud Functions, send transactional email through Resend, and put the whole thing behind CI with preview deploys. GCP and Firebase throughout — no platform migration.
What happened.
In progress. The target: a demo that becomes a product customers can trust — secured, structured to scale, and deployable on every commit. No fabricated metrics here yet; this engagement is live.
Inside the engagement.
Audit the vibe-coded build
We read the whole app the way an attacker and a maintainer both would — mapping every data flow, every Firestore read and write, every Cloud Function. The output is a prioritised list of what's unsafe, what won't scale, and what's about to break, scored so the founder can see exactly what we're fixing and why.
- Firestore & Storage rules reviewed line by line
- Client-trusted writes flagged for server validation
- Data model mapped against real query patterns
- Dependency, secret and config hygiene checked
Lock down the rules
Firestore and Cloud Storage security rules rewritten per-collection and per-role, deny-by-default, and tested against the Firebase emulator suite. Auth flows tightened so a logged-in user can only ever touch their own organisation's data.
Restructure data & functions
Collections and documents restructured for the access patterns the app actually has, with composite indexes where they matter. Business logic and input validation moved into Cloud Functions so the client can't be the source of truth. Transactional email re-platformed onto Resend.
- Schema enforced server-side, not hoped-for client-side
- Cloud Functions for logic, validation and webhooks
- Resend for verification, alerts and receipts
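
An added example, not Manytain's or Evoke's own code: the kind of server-side check this step describes, where the organisation and user come from the verified token and the client payload is validated before any write. The function name, the `orgId`/`role` custom claims, the field names, limits and document path are all assumptions.

```javascript
// Added example: validation for a stock adjustment, as a pure function so it
// runs offline. Names, claims, limits and paths are assumptions for illustration.
const SKU_PATTERN = /^[A-Z0-9][A-Z0-9-]{2,31}$/;
const WRITE_ROLES = new Set(["owner", "manager", "clerk"]);
const MAX_DELTA = 10000;
const ALLOWED_FIELDS = new Set(["sku", "delta", "reason"]);

// `auth` has the shape a callable Cloud Function receives: { uid, token }.
function validateStockAdjustment(auth, data) {
  // 1. Identity comes from the verified ID token, never from the request body.
  if (!auth || typeof auth.uid !== "string" || !auth.token) {
    return { ok: false, code: "unauthenticated" };
  }
  const { orgId, role } = auth.token;
  if (typeof orgId !== "string" || orgId.length === 0) {
    return { ok: false, code: "permission-denied" };
  }
  if (!WRITE_ROLES.has(role)) {
    return { ok: false, code: "permission-denied" };
  }
  // 2. Reject unknown fields so a client cannot smuggle in orgId, adjustedBy, etc.
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { ok: false, code: "invalid-argument", field: "(body)" };
  }
  for (const key of Object.keys(data)) {
    if (!ALLOWED_FIELDS.has(key)) {
      return { ok: false, code: "invalid-argument", field: key };
    }
  }
  // 3. Type and range checks on each accepted field.
  if (typeof data.sku !== "string" || !SKU_PATTERN.test(data.sku)) {
    return { ok: false, code: "invalid-argument", field: "sku" };
  }
  if (!Number.isInteger(data.delta) || data.delta === 0 || Math.abs(data.delta) > MAX_DELTA) {
    return { ok: false, code: "invalid-argument", field: "delta" };
  }
  const reason = data.reason === undefined ? "" : data.reason;
  if (typeof reason !== "string" || reason.length > 200) {
    return { ok: false, code: "invalid-argument", field: "reason" };
  }
  // 4. The document path and audit fields are built server-side from the claims.
  return {
    ok: true,
    path: `orgs/${orgId}/items/${data.sku}`,
    write: { delta: data.delta, reason, adjustedBy: auth.uid },
  };
}
```

The `code` values match the error codes a callable function can return, so the result maps directly onto the error thrown back to the client.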
Ship a real pipeline
GitHub → CI → Firebase Hosting, with preview channels per pull request, a staging/production split, and environment config kept out of the client bundle. Every commit is deployable; every change is reviewable before it reaches a customer.
I built Manytain to prove the idea. Evoke is turning it into something I can actually put customers on.

