Vibe coding throwaway prototypes: when the tool deletes it for you

When the requirements are unclear and the spike will take hours rather than weeks. The whole reason to throw it away is that you are buying information about what to build, not the build itself. If you can answer the design question by hand-sketching, do that. If you cannot, a vibe-coded prototype that runs in the browser usually exposes the wrong assumption faster than any document. The rule of thumb a few people across DEV.to and Markus Borg's IEEE prototyping playbook converge on is: spike for a day or two, throw it away, then write the real version using the lessons. Do not try to grow the spike into the production app.

Three things, all in source. First, the sandbox is created with E2B_TIMEOUT_MS = 3_600_000 at src/core/e2b.ts line 33. That is one hour. The platform itself kills the sandbox at the wall-clock cap. Second, a Firestore-backed pool reaper at src/core/e2b.ts line 1896 declares any pool entry stale at POOL_MAX_AGE_MS = 45 * 60 * 1000 (45 minutes) and reaps it. Third, the session is anonymous: crypto.randomUUID() in localStorage at src/app/(landing)/page.tsx line 47. No email, no payment, no row in any users table you would need to delete later. You cannot accidentally let it linger.

Almost always: the prototype was good enough to demo, the stakeholder said "can we just ship that?", and three months later it is in production with no tests, the auth is a localStorage flag, and the data layer is a JSON file in the deployed bundle. Several writers have written this post by now (the dev.to "why shipping vibe-coded prototypes breaks products" piece is one). The fix is not to vibe code less. The fix is to pick a tool whose defaults make shipping the prototype actually annoying, so you have to consciously port it instead of accidentally promoting it. mk0r's hour-long sandbox is one such default. If you want to keep the artifact, you have to publish it explicitly.

Yes, but you have to choose to. Sign in (the anonymous session migrates to your user record) and click Publish, which provisions a stable subdomain and detaches the artifact from the throwaway sandbox lifecycle. The point is that this is a separate, deliberate action. The default path is throwaway. The save-it path requires intent. That asymmetry is what keeps the prototype actually disposable when you do not commit to it.

Each session boots a fresh git repo inside the sandbox during prewarm (ensureSessionRepo, src/core/e2b.ts). While the sandbox is alive you can pull the code or copy it out. Once the sandbox is killed at T+60 min the working tree is gone. If you treat the code as the artifact, save it before the wall clock hits zero. If you treat the running demo as the artifact, you do not need to save anything: the URL stops working, the friends who saw the demo already saw it, and the lesson the spike was meant to expose is now in your head.

Two reasons. One: account creation is the friction that turns a 30 second "let me try this" into a 5 minute "do I really want to give them my email for a thing I am going to delete?" Throwaway loops only stay tight if the on-ramp is shorter than the value of the spike. Two: an account is itself something you have to remember to clean up. Anonymous sessions cannot leak to the wrong inbox, cannot trigger marketing emails six months later, cannot become an attack surface. The keyboard shortcut for deleting your data is closing the tab.

Claude Haiku. Set as FREE_MODEL = "haiku" at src/app/api/chat/model/route.ts line 5. Haiku is fast enough that the streaming preview keeps up with you typing, and cheap enough that the platform can serve anonymous prototypes without metering the user. Switching to a stronger model requires signing in (the route returns a 402 with subscription_required for anonymous users on non-Haiku models). The signup gate is on model selection, not on building. That ordering matters: the first prototype is free, throwaway, and finishes streaming before you blink.

Adjacent but not the same. "One-shot" describes the input shape: you typed once, you got an app. "Throwaway" describes the output's intended lifespan: the artifact is meant to die. mk0r supports both at the same time because the structural answer to one (anonymous, prewarm) is also the structural answer to the other (no account to clean up, sandbox dies on its own). Most other AI app builders make one of those two cheap and the other expensive: signup-gated tools have throwaway artifacts but a sticky account; download-the-zip tools have throwaway accounts but artifacts that live forever in your downloads folder.

State, auth, and anything where being wrong has real consequences. The prototype is HTML, CSS, JavaScript, and whatever lives in the sandbox. There is no production database, no real auth, no payment processor, no audit trail. If the spike is to test "does this layout make sense" or "does this flow click for the user", you will get an answer in an afternoon. If the spike is to test "will this scale to 50,000 paying customers", you will not, and you should write the real version. We have a separate guide on where vibe coding stops carrying that goes into the failure modes in detail.