Where vibe coding stops carrying you, in three named seams

It is the moment in a session when the AI app builder can no longer move you forward by itself. You finish a prompt, the model returns a working preview, and the next thing you want is something the tool cannot autocomplete: a real account attached to your work, a custom domain instead of a sandbox URL, or just continuing past the silent point where the sandbox times out. People describe this as a wall, but in any specific tool it is a small number of named seams. In mk0r there are three, each is in source, each behaves differently, and each has a different right move on the user side.

It is the requireAuth function at src/components/auth-provider.tsx line 172. The function takes any action callback. If the current Firebase user exists and is not anonymous, it runs the action immediately. Otherwise it parks the action in a ref, sets showSignIn to true, and the modal appears. The actions that go through requireAuth are the ones that touch persistent identity: switching the underlying model from the default Haiku, clicking Publish, and a few other gated UI surfaces. Anonymous Firebase sign-in already happened on first paint, so up to that line you can prompt, watch the app build, iterate, refresh the tab, come back, and keep iterating without a single form field. The seam is exactly where ownership starts mattering. Sign in with Google once, the action you queued runs immediately, and the same session continues.

Yes, today it is. The handler is at src/app/api/publish/route.ts line 101. The deploy action calls sendEmail({ to: 'i@m13v.com', subject: '[mk0r] Deploy request: <domain>' }) with the requested domain, the project name, the session key, the VM ID, the user email, and the live preview URL. A real person reads that email and finishes the domain mapping. Until that point you have a working app at https://<vmId>.mk0r.com, served straight from your sandbox. After that point you have your own domain in front of the same app. The honest framing: the iteration loop is fully automated, the publish-to-real-domain step is human-in-loop on purpose. If you came expecting a one-click deploy that just works for any DNS configuration, this is the seam, and it is the right time to send the email.

E2B_TIMEOUT_MS at src/core/e2b.ts line 33 is set to 3,600,000 milliseconds, which is one hour. Sandboxes are created with lifecycle: { onTimeout: 'pause', autoResume: true } at line 309, so when the hour elapses the sandbox pauses rather than dying. Coming back to the tab calls Sandbox.connect, which auto-resumes the paused sandbox and refreshes the timeout window via setTimeout. There is also a warm pool with POOL_MAX_AGE_MS = 45 minutes (line 1896) where unused pool entries are evicted, so cold starts after long idle gaps go through createSandbox again. The seam, in practice: short sessions never notice the timeout, long single-session marathons hit a brief reconnect pause, and sessions that go truly cold can be reaped, at which point the project is restored from the head SHA in Firestore on the next prompt. None of those failure modes lose committed work, but they are the moments where the tool stops feeling instantaneous.

The first-prompt fan-out is the unusual part. provisionServices in src/core/service-provisioning.ts uses Promise.allSettled to fire three external API calls in parallel before the agent boots: a Neon Postgres 17 project (constants at lines 47 to 49), a Resend audience plus a sending-only restricted API key (line 45), and a private GitHub repo at m13v/mk0r-{slug} (lines 51 to 52). PostHog runs synchronously and gives the app its own appId. A /app/.env file is written into the sandbox before the agent runs anything. None of those values were ever pasted by you, and none of them require a separate signup with the upstream vendors. Then the iteration loop itself is the second long carry: a persistent ACP session per sandbox (reuse logic around src/core/e2b.ts line 909), per-turn git commits via commitTurn (line 1635), and byte-exact undo via undoTurn (line 1731). That is the long flat stretch where you can stay in the chat without thinking about infrastructure.

Honest answer: first draft, plus iteration runway. The product description says it generates full HTML, CSS, and JS mobile apps from a single sentence, and the qualification list is explicit that the right user is fine with a disposable first draft before investing engineering time. The carry is real but bounded, and the bound is precisely the three seams above. If your app idea would need native iOS or Android, real-time multi-user state, or backend logic that generated HTML and JS cannot cover, mk0r will carry you through the prototype and not the production version. If your idea fits inside a one-page mobile app with a small Postgres for persistence and a Resend audience for email, the carry can stretch surprisingly far before any of the three seams force a decision.

At the auth seam, sign in once with Google when you want to keep the work attached to an identity. The queued action runs immediately, no second click. At the publish seam, type the domain you actually want, send the request, and expect a real human to respond rather than a status spinner. At the sandbox seam, do not panic when a long pause happens after a long idle, the next prompt either auto-resumes the paused sandbox or restores from the last committed SHA. And the meta move at all three seams is the same: read the file path. Knowing requireAuth lives at line 172 of auth-provider, knowing the publish handler lives at line 101 of route.ts, knowing the timeout constant lives at line 33 of e2b.ts, makes each seam predictable rather than mysterious.