B12. App already online but messy

What this page helps you do

Turn a shaky live app into something more stable without pretending you need a total rewrite first.

Why it matters

Many builders already launched. The problem is not “how do I go live?” It is “how do I stop feeling one mistake away from disaster?”

You should already have

• a live app or service

Skip this page if

• the app is not online yet

What to do

Start with the missing-risk basics:

1. R8. Launch checklist
2. R2. Secrets
3. R1. Backups
4. R7. Logs
5. R4. Rollback

Then fix the biggest real gaps first, not the prettiest ones.

If you are not sure what “biggest real gaps” means, use this order:

1. secrets that might be exposed
2. backups you are not sure you can restore
3. no logs or no clear way to see production failures
4. no rollback path
5. admin or dangerous routes that are too open
6. domain and HTTPS problems that make the app look broken

This page is for cleanup, not shame. A lot of real apps reach this stage.

Recommended default

Stabilize before optimizing.

For most messy live apps, the best first week looks like this:

• day 1: secrets, backups, logs
• day 2: rollback, monitoring, error visibility
• day 3: auth and admin protection
• day 4: deploy cleanup and documentation
• day 5: only then start polishing product rough edges

Common mistakes

• rebuilding everything instead of fixing the obvious weak points
• avoiding backups and rollback because the app is “already working”
• confusing launch polish with launch safety

Next step

Go to R8. Launch checklist and mark each item as found, likely missing, or could not verify.

Related pages

• T1. App works locally but not online
• T8. Leaked a secret
• H7. Keep your app running

Advanced notes

This page is a good starting point for agents doing cleanup-oriented audits.