Home/ Writing/ rewrite ai app

rewrite ai app

When to Rewrite AI-Generated Code Instead of Fixing It

A decision framework for AI-built apps: harden in place, refactor a subsystem, or rebuild. How to tell which one your codebase actually needs.

When an AI-built app starts misbehaving — security gaps, slow features that get slower, bugs that come back after they’re fixed — there are three honest options. Harden it in place. Refactor a subsystem. Rebuild the dangerous part from scratch.

Founders almost always reach for option one because it sounds cheapest. It often is. But not always, and choosing wrong wastes more money than choosing the harder option earlier would have.

This post is the decision framework we use when a client asks “should I just rewrite this?”

The three options, plainly

Harden. Keep the codebase. Fix specific issues found in an audit. Add auth checks, logging, backups, monitoring. Tighten the perimeter. Don’t restructure the code, don’t change the architecture. The output looks the same; the failure modes are different.

Refactor. Keep most of the codebase. Replace one subsystem — billing, auth, the data layer, the AI integration — with a cleaner implementation, behind the same external interface. The rest of the app stays where it is.

Rebuild. Throw out a meaningful portion of the code (sometimes all of it). Re-implement, usually with a clearer domain model and the lessons learned from version one baked in.

Each is the right answer somewhere. Knowing which is right for your codebase is mostly a question of how much of the existing code is salvageable and how much pain you’re willing to absorb to find out.

Signals that you should harden in place

You can probably harden, not rebuild, if most of the following are true:

  • The app does what users expect, and users are not actively complaining about behavior (just about reliability or polish).
  • Bugs, when they happen, tend to live in one place. Fixing one does not reliably break two others.
  • You can describe the data model in a few sentences without contradicting yourself.
  • The code is roughly consistent. Same patterns in similar places. Same libraries used the same way.
  • The dependencies are mostly current and mostly justifiable.
  • An audit produces a finite list of specific, addressable issues, not a shrugging “everything is concerning.”

In this case the work is well-scoped. A senior engineer can deliver a fix list, work through it, and leave you with the same product, structurally intact, but materially safer. This is what Production Hardening is for.

Signals that you should refactor a subsystem

Refactor one part — not the whole app — when:

  • One specific area is the source of most of the recent bugs, support tickets, or near-misses. Often: auth, billing, file uploads, or anything that touches money.
  • That area’s interface to the rest of the app is reasonably narrow. You could replace it without rewriting twenty other files.
  • The existing implementation has a clear, addressable problem (no domain model, no validation, no transaction boundaries) that another iteration of patching won’t fix.
  • The rest of the codebase is fine. Hardening would help it; rewriting it would be vanity.

A common version of this: the AI generated a billing flow that “works” but has no idempotency, no audit trail, and three slightly-different versions of the same charge logic in different files. Hardening that flow means patching three places forever. Refactoring it means writing one correct version once.

The tell for “refactor, don’t rebuild” is that the rest of the app does not benefit from rewriting. Do not let one bad subsystem talk you into burning the parts of the codebase that are doing their job.

Signals that you should rebuild

Rebuilding is the right answer less often than founders think, but more often than founders want to admit. The signals:

  • An audit comes back not with a list of issues but with a meta-issue: “the same kind of mistake is everywhere, and fixing each one in place would take longer than rewriting.” This is the strongest signal.
  • The data model doesn’t match what the product actually does. The app has evolved but the schema hasn’t, so every feature is a workaround stacked on a workaround.
  • The codebase has no consistent shape. Authentication is checked four different ways in four different files. The same business rule is implemented in three places, slightly differently. Each new feature is an archaeology project.
  • The dependency graph is a junkyard. Multiple HTTP libraries. Two ORMs. Three logging libraries. None of it is intentional.
  • The app is small. Below a certain size — say, the kind of MVP a single founder vibe-coded over a few weeks — rebuilding is genuinely faster than reverse-engineering and patching.
  • You no longer trust the existing code in production, and that distrust is slowing every decision you make.

There is also a softer signal: when an experienced engineer reads the codebase and their honest first reaction is “I’d rather start over.” That reaction is sometimes wrong (and a good engineer will check it before acting on it). It is rarely from nowhere.

The trap of “we’ll rewrite later”

The most expensive option is usually the one nobody picks consciously: keep patching, indefinitely, while telling yourself a rewrite is coming. The codebase accumulates more workarounds, the rewrite gets bigger, the cost of the rewrite grows in proportion to the patches you’ve added since deciding to do it.

If the right answer is “rebuild this part,” doing it now, while it’s small, is much cheaper than doing it in six months when there are three more features built on top of it. If the right answer is “harden in place,” the discipline is to actually stop after the hardening is done and not let the conversation drift into a rewrite that wasn’t needed.

The decision deserves to be made on purpose, not by drift.

A short script for making the call

If you’re sitting on an AI-built app and trying to decide:

  1. Get an audit. You cannot make this decision well from the inside. The whole point of working with AI tools is that the codebase looks fine to you (and to the AI). It takes a senior pair of eyes that wasn’t part of building it. See AI Code Audit.
  2. Read the audit twice. Once for the list of issues, once for the shape of the issues. A flat list of unrelated bugs is a hardening job. A list where every item is a different version of the same root cause is a refactor or rebuild signal.
  3. Talk to a senior engineer about what you’d do differently if you were starting over. If the answer is small (“I’d add a domain model”), refactor. If the answer is large (“I’d not have built it like this at all”), rebuild that part. If the answer is “honestly nothing, I just want it tightened,” harden.
  4. Pick one option and commit. Mixing them is how you end up paying for all three over the next year.

This decision is exactly the kind of call a fractional CTO can help you make when the founding team isn’t deeply technical. It’s also the kind of call that’s much easier with one outside opinion than with none.

Bottom line

Most AI-built apps that have already shipped should be hardened, not rebuilt. A meaningful minority — usually the ones that grew faster than the codebase did — need a specific subsystem rewritten. A small but real number need a fresh start, and pretending otherwise is just paying for the rebuild a year later, with interest.

If you want help making the call on your codebase, get in touch.

If this is your week

Get a senior read on your codebase before launch.

A one-week audit, fixed price from $1,500. NDA before access. Written report your team can act on.

More writing