Ground StatesBook a call

You shipped it with Lovable. Now it's breaking.

Or Bolt. Or Cursor, v0, Replit Agent, Claude Code. The tool doesn't matter — the symptoms are always the same. Users hit bugs you can't reproduce. You're not sure if your database is exposed. You're scared to touch the code.

We're a small engineering practice that fixes that — on a fixed price, in writing, without telling anyone.

See how an engagement works

02 — symptoms

Does this sound familiar?

If two or three of these are true, you don't need another tool. You need someone to look at it.

  1. Your app is live but you're afraid to deploy changes.

  2. You don't know if your Supabase keys are exposed in the client.

  3. Users hit errors you can't reproduce on your laptop.

  4. You need to add a feature but the codebase is a tangle of half-finished refactors.

  5. You're not sure anything is backed up.

  6. You can't tell what's a real bug and what's working as designed.

03 — what you can hire us for

Three ways in.

Most engagements start with the audit. The rest is optional, and we'll tell you which parts you actually need.

The Audit

A fixed-price assessment of your codebase, infrastructure, and deployment. We read every file that matters, run it locally, look at your hosting, and write you a report. You get a prioritized list of issues, what each one would cost to fix, and an honest answer to the question "is this salvageable." The audit is a written report, not a sales pitch — if the verdict is "don't bother fixing it," that's what we'll write.

about three days · $2,400 flatless than two days of agency time

Remediation

A defined sprint to fix the critical issues from the audit — security, auth, data integrity, observability, anything actively losing you customers. Scope and price are set in writing before we start. No retainer trap. When the sprint ends, you have a working app and a paper trail of what changed.

2–4 weeks · $8k–$25k

Reliability retainer

Ongoing monthly support for founders who want a senior engineer on call after remediation. On-call for incidents, monthly review of dependencies and logs, small feature work as capacity allows. Optional. Cancel any time with thirty days' notice.

from $3k/mo · optional

04 — how it works

An audit, end to end.

This is the audit engagement, in order. Remediation and retainer engagements look different and we'll walk you through them on the call.

  1. Day 0

    A 20-minute call. You describe what you've built and what you're worried about. We tell you whether an audit is the right next step.

  2. Day 1

    You give us read-only access to the repo and a deployed staging URL. We send back a one-page engagement letter and an NDA if you want one.

  3. Days 2–3

    We read the code, run it, exercise the auth flows, look at your database, and check your hosting. Nothing is changed in your account.

  4. Day 4

    You get a written report — typically 10–20 pages — with prioritized findings, fix estimates, and a verdict on what to do next.

  5. Day 5

    A 60-minute walkthrough. We answer questions and decide together whether remediation makes sense. No pressure either way.

05 — what our work looks like

We don't have client case studies to share yet.

We're new. Instead, here's a real audit we wrote on a deliberately broken Lovable app, so you can see exactly how we work, how we write, and what we catch.

It's the actual artifact you'd receive — not a marketing summary.

Excerpt — Finding 03 of 17severity: critical · est. fix: ~2 hours
The Supabase service-role key is bundled into the client. Anyone with browser DevTools can read or write any row in your database, including users you haven't authenticated. We confirmed this from a logged-out incognito session.
Read the full sample audit (PDF, 14 pages)

06 — about us

Who you'd actually be working with.

We're production engineers — between us, a couple of decades shipping payments infrastructure that moved real money, running on-call rotations for systems that couldn't go down, and cleaning up after launches that did. We're not naming employers here; we'd rather you judge us on the audit you're about to read.

We don't touch your production environment without written sign-off. Code reviews happen on sandboxed forks. NDAs are available on request, signed before any access is granted. All credentials, repo access, and shared documents are revoked within seven days of an engagement ending.

We're a new practice, but not new engineers. Our first clients get founder-level attention and case-study pricing.

07 — questions

Reasonable questions.

08 — get in touch

If your app is live and something feels off, write to us.

Twenty minutes, no slides. You describe what you've built and what's worrying you. We tell you whether an audit is the right next step — or whether you don't need us at all. Either way, you'll leave the call with a clearer picture of your codebase than you came in with.

Book a callor email hello@groundstates.cocurrent lead time: about a week