Vibe Coding an Enterprise Portal in 6 Hours with GitHub Copilot - What Actually Worked
A senior engineer shipped an enterprise portal in 6 hours using Copilot vibe-coding. Here's what actually worked, what broke, and where the human had to take over.
A post on r/developersIndia blew up last week. A senior engineer at a Bangalore fintech claimed they shipped a full enterprise portal - auth, dashboard, CRUD, role-based access - in 6 hours using GitHub Copilot 2026 and a vibe-coding workflow. The comments split cleanly: half called it a lie, half wanted the playbook.
I replicated the workflow. Here is what actually happened.
The Architecture
The stack: Next.js 15.0 on App Router, Tailwind CSS 4.0, Prisma with PostgreSQL, NextAuth.js v5. The portal was an internal vendor management system - nothing exotic, but representative of what mid-size Indian SaaS companies ship weekly.
npx create-next-app@15 vendor-portal --typescript --tailwind --app
npm install prisma @prisma/client next-auth@beta @auth/prisma-adapter
The "vibe-coding" part: you describe the feature in natural language inside Copilot Chat, accept the scaffolded output, then refine. You never start with a blank file. You start with a prompt and iterate on what comes back.
The backend choice mattered. Prisma + PostgreSQL because Copilot 2026 has seen a billion Prisma schemas. The pattern recognition is absurd for well-trodden paths. If I had picked something niche - say, Drizzle with Turso - the quality would have cratered.
What Compressed 3 Days Into 6 Hours
Three Copilot patterns did the heavy lifting.
Pattern 1: Schema-first generation. I wrote the Prisma schema manually (15 minutes), then let Copilot generate every CRUD route, every form component, every validation schema from it. One prompt per resource. The schema acts as a contract - Copilot stays consistent because it keeps re-reading the same types.
// Prompt: "Generate a Next.js Server Action for creating a vendor from this Prisma model.
// Include zod validation, error handling, and revalidation."
// Output was 90% correct - missed a revalidationPath call.
Pattern 2: Component composition from descriptions. I sketched the dashboard layout on paper, described it in text to Copilot Chat, and got a working Tailwind layout in one shot. Then I described each widget individually. The key: decompose the UI into small, describable units. "A card showing vendor count with a sparkline" works. "Build the dashboard" does not.
Pattern 3: Test generation from implementation. After each feature, I asked Copilot to generate Vitest tests. The tests caught real bugs - mostly around edge cases in date filtering and null handling. Writing tests manually would have taken 4 hours. Copilot did it in 40 minutes of prompt-and-fix cycles.
Time breakdown:
| Task | Manual Estimate | Actual with Copilot | Compression |
|---|---|---|---|
| Prisma schema + migrations | 1 hr | 20 min | 3x |
| CRUD API routes (5 resources) | 4 hrs | 1 hr | 4x |
| UI components + pages | 8 hrs | 2.5 hrs | 3.2x |
| Auth setup + RBAC | 3 hrs | 1 hr | 3x |
| Tests | 4 hrs | 40 min | 6x |
| Bug fixes + polish | 2 hrs | 30 min | 4x |
| Total | 22 hrs | 6 hrs | 3.7x |
The 3-day estimate assumes a single senior engineer working focused hours. That is realistic for a Bangalore SaaS shop where you are also in 3 standups a day.
Where Copilot Broke
Four hard failures.
Complex authorization logic. RBAC with resource-level permissions - "a vendor can only edit their own profile, an admin can edit all, a viewer can see but not touch" - Copilot generated code that looked correct but had a subtle privilege escalation. A vendor could update the role field on their own record via the API because the update route used req.body directly. I caught it during manual review. This is the exact class of bug that ships to production and becomes a postmortem.
Multi-step transactions. Vendor onboarding creates a vendor record, a user record, sends an email, and logs an audit entry. Copilot could not reliably sequence these with proper error rollback. It kept putting email sends inside transactions, which is wrong. I wrote this manually.
Custom Tailwind theming. The design system needed specific brand colors, spacing tokens, and a dark mode that was not just "invert everything." Copilot's Tailwind output is generic. It looks like every other SaaS dashboard. I spent 45 minutes on the theme file alone, which Copilot could not meaningfully help with because it does not understand visual brand identity.
Performance-sensitive queries. The dashboard aggregates data across 5 tables with date filters. Copilot wrote a query that worked but did 12 database roundtrips. I rewrote it as a single raw SQL query with Prisma $queryRaw. The page went from 800ms to 90ms.
What NOT to Vibe-Code
Hard rules after this experiment:
- Authentication and authorization. Use Copilot for boilerplate, but review every line. The cost of a bug here is not a broken page - it is a data breach.
- Payment integration. Razorpay webhook handling, idempotency keys, signature verification. Copilot will generate plausible code that misses edge cases. Do not trust it.
- Database migrations on production data. Copilot can write migrations, but you must reason about rollback safety yourself.
- Any code where the business logic is the product. If your company's competitive advantage is in the algorithm, do not outsource it to a model that trained on your competitors' public code.
The Demo-Production Line
The 6-hour portal was a working demo. Making it production-ready took another 8 hours. Here is what was missing:
- Proper error boundaries with user-facing messages (Copilot generates
console.errorand generic toast notifications) - Rate limiting on API routes
- Input sanitization beyond zod validation (XSS in rich text fields)
- Database connection pooling configuration
- Environment variable validation at startup
- Logging with structured context (not just
console.log) - A deployment pipeline with preview environments
The original r/developersIndia poster acknowledged this. The 6-hour claim was for a working prototype that stakeholders could click through. Production hardening is a different phase. Conflating the two is how you end up with a Zerodha-style outage.
Real Cost in API Tokens
GitHub Copilot 2026 on the Business plan: $19/month ($19/month, roughly ₹1,590/month). I used Copilot Chat heavily - roughly 140 prompts over 6 hours. The token cost is bundled into the subscription, so marginal cost per session was effectively zero.
But if you are using Claude Code v1.x or similar token-billed tools for the same workflow:
| Tool | Session Tokens | Cost (USD) | Cost (INR) |
|---|---|---|---|
| GitHub Copilot Business | Included | $0 marginal | ₹0 marginal |
| Claude Code v1.x (Sonnet) | ~180K input + 90K output | $2.70 | ₹227 |
| Claude Code v1.x (Opus) | ~180K input + 90K output | $8.10 | ₹681 |
Copilot's flat pricing makes vibe-coding economically viable for extended sessions. Token-billed models add up fast when you are iterating through 140 prompts.
What Teammates Thought
I showed the portal to three colleagues at a Hyderabad product company.
The tech lead's reaction: "This looks like it was built in a week, not a day. But I would not merge it without a full review - the patterns are too uniform. When everything looks the same, you stop reading carefully."
The junior developer: "I could never do this. I do not know enough to catch the bugs Copilot introduces." This is the real danger. Vibe-coding is a senior engineer's acceleration tool, not a junior's replacement for understanding.
The PM: "Can we do this for every feature?" No. The compression ratio drops sharply for novel problems. This worked because vendor management is a solved problem with thousands of reference implementations in Copilot's training data.
Quick takeaways
- Vibe-coding with Copilot gives a 3-4x speedup on well-trodden CRUD patterns, but the compression vanishes for novel or security-critical code.
- Always generate from a schema or contract first - it keeps Copilot consistent across files and prevents the "slightly different types everywhere" problem.
- Budget 50-60% of the "saved" time for production hardening. The 6-hour demo is not the 6-hour production deploy.
- Never vibe-code auth, payments, or anything where a bug means a breach. Use Copilot for the boilerplate, then review every line yourself.
- The economics work on flat-rate plans. On token-billed models, a 6-hour vibe-coding session can cost ₹227-₹681 per feature, which adds up across a sprint.
Related
More AI Coding
Building a Custom MCP Server in Python: Claude Reaches My Stack
Claude Code is sharp until it hits the edge of your machine and your private tools. I wrote three small MCP servers in Python to close that gap. Here is the real pattern, the real gotcha that bit me, and what it costs.
Claude Code Subagents in Practice: Fork Flag, Cache Leak, Worktree Trap
Fanning out subagents in Claude Code looks free until you hit the cap or your forks clobber each other's commits. These are the real fixes I learned running fanouts: the fork env flag that shares the parent's cache, the WebFetch cache leak, and the worktree pattern for parallel writers.
I Gave My AI Agents a Memory With SQLite FTS5 (No Vector DB)
Most agent-memory setups reach for Pinecone or pgvector by reflex. I put 2000+ markdown files behind SQLite FTS5 with BM25 ranking, and my agents now answer their own 'who is X' questions in under a second for zero tokens. Here is the schema, the query, and the one place lexical search loses.