The 17-skill checklist that ships an MVP
I've shipped a lot of MVPs. The ones that worked, worked because someone told me to do something I would have skipped. The ones that failed, failed because nobody did.
That's it. That's the whole thesis. The Vibe Coder's Guide to MVP is just the list of things a senior engineer would have told you to do, encoded so an AI agent can run through it with you.
Here's the list. If you read nothing else, read this.
1. Discover
Before any code, define: who is this for, what do they want to do, what does success look like in their first 60 seconds. If you can't answer those three questions in three sentences, you don't have an MVP yet — you have a feature.
2. Design
Lock in the visual language before you build screens. One palette, one display font, two weights, Tailwind + DaisyUI for primitives, Lucide for icons. No gradients on buttons or headings. Body text never below 16px. Header is the working surface; footer is the reference surface (About, Contact, Terms, Privacy go in the footer, not the header).
3. Auth
Pick the simplest auth that fits the audience and wire the full flow — signup, login, sign-out, email verification. Auth.js v5 with Resend for magic link covers 90% of MVPs and costs nothing. Never write your own password hashing.
4. AI integration
Standardize on OpenAI gpt-5-nano with reasoning effort minimal and Zod-typed structured output via the Responses API. One lib/ai.ts file, all calls go through it. For VC investability, research what competitors have shipped and propose one AI feature nobody else is doing. For community apps, wire OpenAI's free moderation API.
5. Chatbot (optional)
A persistent bottom-right assistant that searches the site's content index and answers user questions. Build the index at build time, two-call pattern at runtime: extract keywords, then answer using the top 5 hits as grounded context.
6. Admin dashboard (optional)
Password-gated /admin route with KPIs tailored to your product. Skip the founder-doesn't-know-what-to-track problem by analyzing the codebase first, proposing 5 KPIs that actually matter, then adding minimal instrumentation only where data is missing.
7. Monetization (optional)
AdSense for content sites, Stripe Checkout for SaaS. Walk through credentials. Stripe Checkout is mandatory — never write your own card form. Webhook signature verification on the fulfillment path; never grant access on the success-page redirect.
8. Compliance (optional but recommended)
Identify the minimum regulatory surface for your audience. GDPR if you have any EU users. CCPA "Do Not Sell or Share" link in the footer regardless. Tailored Terms of Service and Privacy Policy — never templates. Signup-flow consent checkboxes (TOS required, marketing optional and unticked).
9. Accessibility
WCAG 2.2 AA pass. Non-negotiable. Semantic HTML, keyboard navigation, focus rings, contrast, alt text, prefers-reduced-motion. Roughly 1 in 5 users has a disability that affects how they use software. Most accessibility wins are 30-minute fixes.
10. Security
Hygiene checklist: secrets in .env.local (never committed), security headers via Next.js next.config.ts, Zod validation on every server entry point, npm audit, rate limits on AI/email/DB-write endpoints, CORS allowlist on backends (never *), route inventory + delete orphans.
11. Performance
Lighthouse 90+ across Performance, Accessibility, Best Practices, SEO. Use next/image for all images, next/font for fonts, Server Components by default, cache aggressive on read endpoints, perceived performance via loading.tsx and <Suspense>.
12. Data optimization (optional)
For projects with backends. Audit the frontend↔backend data flow: over-fetch (return only fields the UI uses), under-fetch (consolidate N+1), pagination on every list endpoint, debounce inputs (200–400ms), optimistic updates, right transport choice (polling vs SSE vs WebSockets).
13. Deploy
Detect the existing deployment first. If the project already deploys to Vercel, Netlify, Cloudflare, Fly, Railway, or Heroku — use that. Don't migrate. If there's no deployment, set up Vercel: npx vercel link, push env vars, npx vercel --prod. Domain at *.vercel.app first; custom domain comes later.
14. Domain (optional)
Buy at GoDaddy. Project-tailored name suggestions. Add to Vercel. DNS records: A → 76.76.21.21, CNAME for www → cname.vercel-dns.com. Update OAuth redirects + Resend domain verification after DNS propagates.
15. End-to-end testing
Playwright in headed mode, real browser, real production URL. Walk every key flow. Capture full-page screenshots. Then visually inspect the screenshots yourself — most layout bugs only surface to a human eye. Fix and re-run.
16. Ship checklist
Final go/no-go. Functional (does the slice work end-to-end?), trust signals (real title, favicon, OG tags, no Lorem Ipsum), hygiene (.env.local not committed, audit clean, Lighthouse passing), resilience (404 page, error states, inline form errors), legal/social if applicable.
17. Deliverables (optional)
Founder-facing packaging. Pitch deck, investor one-pager, marketing one-pager, financial model, marketing strategy, research paper, ad creative, launch announcement. All generated into deliverables/ at the project root, Finder opens automatically when done.
What's not on this list
A lot of things. Microservices. Kubernetes. Custom CI pipelines. A monorepo. A design system. Storybook. Cypress as well as Playwright. A custom CMS. Server-sent events. Multi-region deployment. Internationalization. A mobile app.
These are all real things you might want eventually. None of them belong in an MVP. The job of an MVP is to find out whether anyone wants the thing. The job of the second version is everything else.
If you finish this list, you have a real product. If you skip half of it because the bullet points feel boring, you have a prototype that will sit in a folder.
The agent runs the list with you. Your job is to keep saying "yes."