Pre-build due diligence

Before you write code, the four hours of research that decide whether the next four weeks are worth it. Vertical compliance, competition, positioning, and the comply-or-block geographic call.

Coding agents made the cost of an MVP collapse. What used to be a six-week sprint is now a long weekend, and that has changed exactly nothing about whether the thing you're building is worth building. The bar to start writing code is on the floor. The bar to ship something that survives contact with users, regulators, and a search engine is right where it always was. Four hours of research up front decides whether the next four weeks are wasted. Most founders skip this; it costs them three weeks at month four when a customer asks for a SOC 2 report or a cease-and-desist letter arrives from a competitor's lawyer.

The 4-hour pre-build pass

Four hours is a real number, not aspirational. One hour for vertical compliance — what laws apply, what they cost to ignore. One hour for competitive landscape — five to eight incumbents in a spreadsheet. One hour for positioning — find the gap, write the sentence. One hour for the geographic call — comply with GDPR/CCPA or block the IPs at the edge.

The output of this pass is a PROJECT.md at the root of the repo with eight sections: vertical, regulatory frameworks in scope, competitive table, gap, positioning statement, geographic strategy, audience, and pricing hypothesis. Sub-skill 01 (project initialization) reads this file and uses it to anchor every downstream decision the agent makes, as do sub-skill 03 (legal pages), sub-skill 04 (signup flows), sub-skill 09 (pricing), and sub-skill 18 (pitch deck). If PROJECT.md is wrong or missing, the agent falls back to plausible defaults that are usually wrong for your specific situation.
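To catch the wrong-or-missing case before the agent runs, here is an added TypeScript check (not part of this page or its sub-skills) that verifies PROJECT.md carries all eight sections with something written under each. It assumes each section is a "## " markdown heading whose title matches the list above; the page fixes no file format.

```typescript
// Added example, not code from the page: a pre-flight check that PROJECT.md carries the
// eight sections the downstream sub-skills anchor on. The "## Heading" layout and the
// exact section titles are assumptions; the page fixes no file format.
const REQUIRED_SECTIONS = [
  "vertical", "regulatory frameworks in scope", "competitive table", "gap",
  "positioning statement", "geographic strategy", "audience", "pricing hypothesis",
];
interface ProjectCheck {
  ok: boolean;
  missing: string[]; // required sections with no heading at all
  empty: string[];   // heading present, but nothing written under it
}

// Split markdown into "## heading" -> body text, with headings lower-cased for matching.
function parseSections(md: string): Map<string, string> {
  const sections = new Map<string, string>();
  let current: string | null = null;
  for (const line of md.split(/\r?\n/)) {
    const m = /^##\s+(.+?)\s*$/.exec(line);
    if (m) {
      current = (m[1] ?? "").toLowerCase();
      sections.set(current, "");
    } else if (current !== null) {
      sections.set(current, (sections.get(current) ?? "") + line + "\n");
    }
  }
  return sections;
}

// Report missing or empty required sections; ok is true only when both lists are empty.
function checkProjectMd(md: string): ProjectCheck {
  const sections = parseSections(md);
  const missing: string[] = [];
  const empty: string[] = [];
  for (const name of REQUIRED_SECTIONS) {
    const body = sections.get(name);
    if (body === undefined) missing.push(name);
    else if (body.trim() === "") empty.push(name);
  }
  return { ok: missing.length === 0 && empty.length === 0, missing, empty };
}
// Constructed sample with two defects: an empty positioning statement, no pricing section.
const SAMPLE_PROJECT_MD = [
  "# PROJECT", "## Vertical", "B2B SMB, general",
  "## Regulatory frameworks in scope", "GDPR, CCPA",
  "## Competitive table", "| Name | Audience | Pricing |", "## Gap", "Pricing gap",
  "## Positioning statement", "## Geographic strategy", "Option B: block",
  "## Audience", "10-50 person agencies",
].join("\n");
```

Run it as the first step of sub-skill 01 and refuse to scaffold while `missing` or `empty` is non-empty; a stubbed heading with nothing under it is the case that produces confident, wrong defaults.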

The reason this matters more in 2026 than in 2020 is leverage. When an MVP took six weeks, the research was 5% of the project budget. When an MVP takes a long weekend, the research is 50% of the project budget — and skipping it doesn't make you faster, it just makes you wrong faster.

Vertical compliance research

Before any code, figure out which regulatory frameworks apply. The shape of your product on the B2C-vs-B2B-Enterprise × general-vs-regulated matrix tells you what you're signing up for.

  • B2C, general (recipe app, habit tracker): GDPR if any EU traffic, CCPA/CPRA if any California traffic, COPPA if anyone under 13 might use it.
  • B2C, regulated (mental health journal, kids learning app, BNPL): the above plus HIPAA-adjacent concerns, COPPA hard requirements, GLBA for anything touching consumer credit.
  • B2B SMB, general (project management for agencies): GDPR/CCPA exposure via your customers' data, light SOC 2 conversations starting around year two.
  • B2B Enterprise, regulated (HR tech, fintech, healthtech): SOC 2 Type II is table stakes, ISO 27001 if international, HIPAA Business Associate Agreements, PCI-DSS scope if you touch a card.

The frameworks that actually matter at MVP scale:

GDPR applies the moment you have one EU user. Fines run up to EUR 20 million or 4% of global revenue. The MVP-stage minimum: a privacy policy that names your processors, a cookie banner if you set non-essential cookies, a working "delete my account" flow, and a Data Processing Addendum with every sub-processor (Vercel, Supabase, Resend, Stripe). Cost to ignore: roughly EUR 0 until a regulator notices, then non-trivial.

CCPA/CPRA applies if you have California users and either (a) USD 25 million in revenue, (b) 100,000 California consumers' data, or (c) derive 50% of revenue from selling personal info. Most MVPs are exempt by revenue, but the "Do Not Sell My Personal Information" link and a privacy policy that explicitly addresses California rights are the MVP minimum. Cost to ignore at MVP scale: low. Cost to retrofit at series A: a week of legal review.

COPPA applies if your service is "directed to children under 13" or if you have actual knowledge a user is under 13. Fines are USD 51,744 per violation in 2026 dollars. If your product could plausibly attract under-13s, either age-gate aggressively or build to COPPA from day one. There is no cheap retrofit.

State US privacy laws — VCDPA (Virginia), CPA (Colorado), UCPA (Utah), CTDPA (Connecticut), plus Texas, Oregon, Montana, and a dozen more by 2026 — broadly mirror GDPR's data subject rights. A single privacy policy covering CCPA + GDPR generally covers the rest. The MVP minimum is one policy, not fifty.

HIPAA applies if you handle Protected Health Information for a Covered Entity or Business Associate. If you're building a wellness app where users self-report mood, you're probably not in scope. If you're building anything that connects to a doctor, clinic, EHR, or insurance carrier, you are in scope and you need a signed BAA with every sub-processor that touches PHI (AWS, GCP, and Vercel offer BAAs; Supabase requires the Team plan at USD 599/mo). Fines run from USD 100 to USD 50,000 per violation. There is no MVP-stage minimum that is also HIPAA-compliant — either you build for it or you don't take PHI.

FERPA applies if you handle student education records on behalf of a school. School-as-customer means FERPA. Direct-to-student with no school relationship usually doesn't. Cost to ignore when in scope: loss of federal funding for your customer, which means loss of your customer.

GLBA applies if you're a "financial institution" handling consumer financial information. Lending, advice, account aggregation. The Safeguards Rule has teeth.

PCI-DSS applies the second you touch a credit card number. The MVP-stage answer is always Stripe Checkout or Stripe Elements with the iframe — that puts you in SAQ A scope, the lightest tier, and the only one a solo founder should ever live in. Never let a card number touch your servers.

SOC 2 Type II is not a law, it's a procurement requirement. Mid-market and enterprise B2B buyers will ask for it before signing. Vanta and Drata both run roughly USD 8,000 to USD 15,000 per year for the platform plus USD 10,000 to USD 25,000 for the auditor. The MVP-stage answer is a one-page security overview at /security and "SOC 2 Type II in progress" once you have your first paid pilot. Don't spend a dollar on Vanta until you have a deal that requires it.

ISO 27001 matters for international enterprise sales, especially in Europe. Roughly USD 25,000 to USD 40,000 for first certification. Same rule as SOC 2: don't pay until a deal requires it.

EU AI Act classifies AI systems by risk. High-risk includes hiring, credit scoring, medical, education, and biometric identification. If your product is in scope as high-risk, you need conformity assessment, technical documentation, and human oversight provisions before deployment. Fines run up to EUR 35 million or 7% of global revenue. Most MVPs land in "limited risk" (chatbots) or "minimal risk" (everything else) and only need transparency disclosures. Read the act before building anything that decides who gets hired, fired, lent to, or treated.

The output of this hour: a list in PROJECT.md of which frameworks apply, what the MVP-stage minimum is for each, and what gets deferred to post-traction.

Competitive landscape research

"Notion exists" is not competitive analysis. The deeper version is a spreadsheet of five to eight incumbents with one row each, captured in PROJECT.md:

  • Name + URL
  • Audience (who they actually sell to, not who they say they sell to)
  • What they do best (the one thing reviewers and users praise)
  • What users complain about most — pulled from G2 reviews, Reddit threads in the relevant subreddit, Twitter/X searches with the product name + "annoying" or "wish it had"
  • Pricing model (freemium, per-seat, usage-based, flat)
  • Traction signal (funding stage, employee count on LinkedIn, public ARR if disclosed, app store reviews count)

Mix three categories. Direct competitors (same job for the same audience). Adjacent competitors (same audience, different job; or same job, different audience). Substitutes (the spreadsheet, the Slack channel, the pen and paper that customers use today instead of any product).

This is the input to your positioning, not the output. If you do this hour and discover seven well-funded competitors all doing the exact thing you planned, the answer is not "we'll be better at AI." The answer is to find a gap or pick a different problem.

Find the gap

Five gap types, in roughly increasing difficulty to defend:

Underserved audience segment. The incumbent serves enterprise; you serve solo practitioners. Calendly served everybody; SavvyCal served power users who wanted scheduling that respected their preferences. Figma served design teams; Excalidraw served engineers sketching diagrams.

Underserved job-to-be-done. The incumbent does ten things badly for everyone; you do one thing well for the same audience. Loom is "Zoom for one-way video." Linear is "Jira for teams that ship weekly."

Pricing gap. The incumbent charges per seat at USD 25/user/month; you charge a flat USD 99/month for unlimited users. Or the inverse — Notion is per-seat freemium, Obsidian is one-time license. Pricing is positioning.

UX gap. The incumbent has every feature and a 90-second onboarding video; you have three features and ship the user to value in 15 seconds. Superhuman versus Gmail. Cron (now Notion Calendar) versus Google Calendar in 2022.

Trust gap. The incumbent is venture-backed and pivots every 18 months; you commit to the boring version forever. Fastmail versus Gmail. Kagi versus Google Search. This gap is hardest to communicate but most defensible if you can.

Differentiate concretely

For B2C, differentiation is emotional and experiential. "The one that respects your time." "The one that doesn't make you feel guilty." "The one your dad can use." These are not features; they're feelings the product is engineered to produce.

For B2B, differentiation is structural. "The one with proper SSO from day one." "The one with a working API." "The one with Postgres-row-level multi-tenancy you can audit." "The one that doesn't require a sales call to see pricing."

Defensibility at MVP scale is mostly about the choice you made, not the code you wrote. "We're better at AI" is not defensible — every competitor has the same model API key. "We're vertical-specific for veterinary clinics" is defensible — no horizontal competitor will rebuild for one vertical. "We don't store user data" is defensible — competitors built on a different premise can't rip it out.

The positioning statement

One sentence:

For [target customer], [product] is the [category] that [unique differentiator], unlike [primary alternative] which [shortcoming].

This sentence is the anchor for the landing page hero, the pitch deck cover slide, the cold email opener, and every customer call. If it's vague, all of those are vague. Three worked examples:

For home cooks who plan dinner the morning of, Mealthread is the recipe app that builds a grocery list from what's already in your fridge, unlike Paprika which assumes you start every recipe from an empty pantry.

For Rust developers shipping CLI tools, Crateship is the release platform that handles cross-compilation, signing, and Homebrew formulae in one command, unlike GoReleaser which is Go-only and cargo-dist which doesn't sign macOS binaries.

For 10-50 person agencies billing hourly, Cliently is the project management tool with native QuickBooks invoicing built in, unlike Asana which requires three Zapier hops to bill a client.

Note the structure: a specific customer (not "everyone"), a specific category (not "platform"), a concrete differentiator (not "AI-powered"), and a named alternative with a real shortcoming. Vague sentences here cost months downstream.

Geographic compliance — comply or block

Two honest options. Pick one and write it in PROJECT.md.

Option A: comply. Privacy policy that addresses GDPR + CCPA. Cookie banner with granular consent for non-essential cookies. Working data subject access request flow (account export, account deletion). DPA in place with every sub-processor. Sub-skill 03 will scaffold the legal pages once it knows you've chosen this path.

Option B: block. Vercel Edge Middleware returns HTTP 451 ("Unavailable For Legal Reasons") to requests originating from EU member states and California. The privacy surface area collapses. The trade-off is real: you lose VPN users, US travelers in EU airports, and the option to ever sell to those markets without unblocking and complying anyway.

The middleware is small:

// middleware.ts
import { NextResponse, type NextRequest } from "next/server"
import { geolocation } from "@vercel/functions"

// EU-27 plus the EEA states (IS, LI, NO) and the UK, which kept GDPR after Brexit.
const BLOCKED_COUNTRIES = new Set([
  "AT","BE","BG","HR","CY","CZ","DK","EE","FI","FR","DE","GR",
  "HU","IE","IT","LV","LT","LU","MT","NL","PL","PT","RO","SK",
  "SI","ES","SE","IS","LI","NO","GB",
])

export function middleware(req: NextRequest) {
  // geolocation() is populated from Vercel's x-vercel-ip-* headers; both fields are
  // undefined in local dev, so the request falls through to NextResponse.next().
  // `countryRegion` is the ISO 3166-2 subdivision of the client IP ("CA" for
  // California); `region` is the Vercel Edge region that served the request, not
  // the user's state, so checking it would never block anyone.
  const { country, countryRegion } = geolocation(req)
  const blockedUS = country === "US" && countryRegion === "CA"
  if (country && (BLOCKED_COUNTRIES.has(country) || blockedUS)) {
    return new NextResponse(
      "This service is not available in your region.",
      { status: 451 },
    )
  }
  return NextResponse.next()
}

// Run on every route except static assets and the favicon.
export const config = {
  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
}

When does each make sense? If your audience is a global SaaS market, comply. If your audience is a US-only B2B niche (US-based veterinary clinics, US small-business payroll), blocking is rational and saves real money on legal review. If your audience is consumer and you want App Store distribution worldwide, comply — you can't block the App Store reviewer in Berlin and expect approval.

The wrong answer is "we'll worry about it later." Later is when a regulator's letter arrives or a Reddit thread about your missing privacy policy hits the front page. Pick A or B in hour four.

What the agent does with this

Once PROJECT.md lands at the repo root, the agent reads it before every meaningful decision. Sub-skill 01 (project initialization) confirms the framework choices and scaffolds the directory structure with compliance pages stubbed if Option A. Sub-skill 03 (TOS / Privacy / DPA) drafts the legal pages from the framework list — GDPR clauses if EU traffic, CCPA section if California traffic, COPPA disclosure if under-13 audience plausible. Sub-skill 04 (signup form) wires consent checkboxes only for the frameworks that apply, instead of the maximalist "agree to everything" pattern that tanks conversion. Sub-skill 09 (pricing tier design) uses the competitive table to position your tiers — never identical pricing, never identical feature splits, always a structural reason for the difference. Sub-skill 18 (pitch deck) opens with the positioning statement verbatim and uses the competitive table for the "competition" slide.

Without PROJECT.md, every sub-skill reverts to a sensible default that is sensible for nobody in particular. The four hours up front buys you a downstream agent that knows what it's building and for whom.

Where to go next

Read authentication and databases when you've finished the research and are ready to start sub-skill 01. Read post-launch workflow when you've shipped and the first hundred users have arrived. Read accelerator programs when revenue is real enough to consider raising. Read compliance when a customer first says the word "SOC 2" — and not a day before.