Vibe Coding Plus Agency Retainer: The Model That Actually Works
How to structure an agency retainer when you ship daily with Lovable or Bolt but need humans for deploy, audits, incidents, and monthly ops. Pricing, scope, and the clauses that matter.
The founder who prompts Lovable at 7am, ships three small iterations before lunch, and handles customer support in the afternoon does not need a traditional agency. They need a retainer that covers the things they cannot and will not do. Deploy to production without breaking the domain. Rotate a Supabase key at 2am when Stripe webhooks start bouncing. Audit the auth flow every quarter before it becomes the breach you read about on Hacker News. That work is the last mile, and it is where the vibe coding workflow either holds or falls apart.
Most agency retainer templates you find online assume the agency is writing the code. They price by full-time equivalents, charge for discovery workshops, and bake in design sprints the founder already did themselves last Tuesday with a prompt and a screenshot. When a vibe coder signs one of those, the engagement collapses inside ninety days because half of what was billed is work the founder would rather do than explain. The retainer that actually works flips the assumption. The founder keeps the keyboard. The agency keeps the infrastructure, the audits, and the pager.
This article breaks down how to structure that relationship. We will cover the three retainer models in the market, the scope caps that keep the work from ballooning, the pricing anchors tied to real deliverables rather than hours, the incident SLA language that does not trap either side into 3am expectations, and the specific clauses in the agreement that separate a clean engagement from the one you terminate after four months.
Why Standard Agency Retainers Break For Vibe Coders
The generic small-agency retainer is a bucket of hours. You buy ten or twenty a month, the agency draws down as tickets come in, and whatever is left forfeits on the thirty-first. This works for a founder who does not write code. It fails for a founder who writes or generates most of the code themselves, because the drawdown is unpredictable and the agency ends up either idle or overrun. When idle, the founder feels they paid for nothing visible. When overrun, the agency starts declining work inside the retainer, pushing it into overage, and the relationship turns into a negotiation instead of a service.
The second failure mode is undefined scope. A vibe coder ships daily, sometimes hourly. Every deploy is a potential production incident. If the retainer says "ongoing support" without caps, the founder will reasonably ping the agency every time Lovable refuses to push a migration, and the agency will reasonably start charging overage on the fourteenth ping of the week. The contract has no scope table, so nobody is wrong and both sides are angry.
The third failure mode is no audit cadence. The founder ships features. The agency handles tickets. Nobody is looking at the auth configuration, the row-level security on the Supabase tables, the leaked service keys in the client bundle, or the fact that the last three dependency upgrades were skipped. Six months in, a quiet bug becomes a loud outage.
A retainer designed for vibe coders has to solve all three at once. Predictable monthly value, capped scope, scheduled audits.
The Hybrid Model: Founder Ships Daily, Agency Covers The Last Mile Weekly And Monthly
The working model splits the week into two rhythms. The founder owns the daily rhythm. That is prompt work in Lovable, Bolt, Cursor, or Claude Code. Writing, editing, previewing, pushing to the staging branch. They are the product, the designer, the first line of QA, and the customer support team. That workflow stays theirs because handing it to an agency would slow it down by a factor of five and cost ten times what it saves.
The agency owns the weekly and monthly rhythm. Weekly, they cover deploys to the production domain with whatever pre-checks belong there. They handle environment variable changes, third-party key rotations, DNS updates, and the merge conflicts that the AI tooling cannot resolve cleanly. They triage incidents when Stripe webhooks fail or Supabase auth stops issuing tokens. Monthly, they run an audit. Security posture, dependency versions, performance regressions, log noise, error budget. Quarterly or monthly depending on tier, they sit on a thirty-minute ops review call and walk through what is drifting.
The founder does not lose speed. The agency does not compete with the AI tooling. Each side works in the rhythm it is actually good at. That is the whole model.
Three Retainer Structures And Which One Fits Which Stage
There are three ways to price and scope a retainer, and each one fits a different stage of the vibe coder journey.
The hours-based retainer is the simplest. The founder buys a monthly bucket of engineering hours, usually between eight and thirty. The agency logs time against the bucket, rolls over a small percentage if unused, and charges an overage rate when the bucket is exhausted. This fits the earliest stage, where needs are unpredictable and the founder just wants someone on call. The downside is that it measures the wrong thing. Time spent is not deliverable shipped. Founders who sign hours-based retainers often feel, by month three, that they do not know what they bought.
The deliverable-based retainer prices the outputs rather than the inputs. A typical structure for a vibe coder would read: four production deploys per month, one quarterly audit, incident response up to a defined SLA, one monthly ops review. The agency absorbs the variance. If a deploy takes thirty minutes or three hours, the price is the same. This fits the founder who has shipped their MVP, has paying customers, and wants predictable monthly spend tied to visible outcomes. It requires tighter scope definitions, which is exactly what keeps scope from ballooning.
The pod-based retainer is a fractional team. A dedicated engineer for twenty hours a week plus a part-time PM or ops person, embedded into the founder's Slack and Linear. This fits seed stage and later, where the product is generating enough revenue to justify ten thousand dollars a month in engineering and the founder wants a strategic partner rather than a vendor. Pod pricing starts around $8,000 and runs to $15,000 a month depending on seniority and hours.
Most vibe coders land in the deliverable-based middle tier. That is the shape we will focus on for the rest of this article.
Scope That Does Not Balloon: The Cap Table
A retainer with no caps is a retainer that turns into a fight. The caps are what keep the relationship predictable on both sides.
In scope for a last-mile retainer, caps included: deploys to production up to N per month, where N is usually four, eight, or unlimited depending on tier. Environment variable and secret rotations. Domain and DNS changes. Database migrations up to a row threshold, commonly one hundred thousand rows. Auth provider integration and adjustment work. Third-party API key rotation and webhook repair. Observability setup including Sentry, uptime monitoring, and log review. Incident triage within the defined SLA. Small refactors, usually capped at two hundred lines of code touched per ticket. Dependency upgrades on a scheduled cadence.
Out of scope unless separately contracted: new feature builds that exceed four hours. Redesigns or pivots. Large data migrations above the row threshold. Compliance certification work such as SOC2 or HIPAA readiness. Mobile app binary distribution and App Store operations. Anything that requires more than one engineer simultaneously.
Out-of-scope work does not kill the relationship. It goes into a separate statement of work with either an hourly rate, usually fifteen to twenty percent above the blended retainer rate, or a fixed bid. The key is that the line is drawn in the contract, not in the Slack message at the moment the request comes in.
Pricing Anchors: What Each Tier Actually Buys
Here is a concrete pricing structure that works for vibe coders in 2025, calibrated to US and EU market rates for a small senior agency. Your numbers may differ by region, but the shape holds.
The entry tier, call it Ship Safe, sits at roughly $1,800 per month. It buys eight hours of last-mile engineering, four production deploys, one audit per quarter covering security and performance, and incident response on a twenty-four hour SLA over email or Slack. There is a thirty-minute monthly ops review. This tier fits the solo founder who has shipped and has a handful of paying customers but is not yet at a scale where a missed hour of response time costs real money.
The middle tier, Ship Steady, sits at roughly $3,800 per month. It buys sixteen hours, eight deploys with a staging pipeline in place, a monthly audit, and incident response on a four-hour business-hour SLA. It includes biweekly ops reviews and basic observability wiring, meaning Sentry, uptime pings, and a weekly log review. This is the tier most vibe coders settle into once revenue crosses five thousand a month. The predictability is worth more than the extra two thousand dollars over the entry tier.
The upper tier, Ship Scale, sits at roughly $7,500 per month. Thirty-two hours, unlimited deploys, preview environments for every PR, monthly audit plus architecture review, incident response on a one-hour business-hour SLA and four-hour off-hours. Weekly ops review and a shared on-call roster. This is where the engagement approaches a fractional CTO relationship without the full cost.
Overage at any tier runs around $185 per hour, approved in writing for any block over two hours. Unused hours roll forward at twenty percent, expiring after sixty days. These numbers are not arbitrary. They compress the founder's need into something the agency can staff consistently, and they leave enough margin that the agency does not cut corners on the audit.
Incident Response SLA Without The 3am Trap
The word SLA gets thrown around loosely. In a retainer it needs to mean three specific things: what counts as an incident, how fast the agency acknowledges, and how fast they target resolution or workaround.
A tight SLA structure uses three priority levels. P0 means the site is down or money is broken: payments failing, auth broken, full outage. Response comes within the SLA window, with a resolution or workaround target at four times the response window. P1 means a feature is broken but a workaround exists. Response is at two times the P0 window. P2 is cosmetic or non-blocking. Next business day is fine.
Only the top tier should include genuine off-hours on-call. The lower tiers should read, in plain language, "business hours response with best-effort off-hours." Anything else either overpromises or prices the agency out of the founder's budget. The founder does not actually need 3am response for most issues, because most issues are not P0. What they need is a clear ladder for the ones that are.
Define incident in the contract. A user report is not an incident. An automated monitor firing is. A Slack message from the founder with the word "urgent" is an incident only if it maps to one of the three priorities. Without these definitions the SLA is a fog and every Tuesday becomes a P0.
The Agreement Template: Clauses That Actually Matter
The boilerplate parts of a retainer agreement, IP assignment, confidentiality, indemnity, do not vary much. The clauses that determine whether the engagement survives month four are smaller and specific.
Scope table with caps, reproduced verbatim in the agreement, with the out-of-scope rate spelled out alongside.
Overage approval threshold. Any work over two billable hours in a single ticket requires written approval. This prevents the drift where three small unapproved overages become a surprise invoice.
Rollover and expiration. Twenty percent rollover, sixty-day expiration is a reasonable default. Without expiration, rollovers accumulate into a liability the agency eventually has to write off.
Termination. Thirty days' notice from either side, with a prorated refund of unused prepaid time. No long-term lock-in for this tier of engagement. The founder should be able to leave, which is exactly what makes them stay.
Intellectual property. Founder owns everything. Agency retains no rights, no residual license, no marketing usage without explicit approval.
Repository access. Agency commits to a branch, founder reviews and merges, or auto-merge is enabled after a trust period, usually two months clean. Main branch should not be directly writable by the agency before that.
Communication channels. A single shared Slack or Linear workspace. One weekly async written update. Anything else is optional. This prevents the drift where the retainer becomes a meeting subscription.
Escalation path. A named contact on each side for when something breaks down. The founder's contact is the founder. The agency's contact is someone senior who can override the assigned engineer if an incident is mishandled.
How WitsCode Structures The Retainer
We run the three-tier model described above. Ship Safe, Ship Steady, Ship Scale. The scope tables and SLAs match what is in this article because this article is a description of how we actually work, not a hypothetical framework. Founders come in already fluent with Lovable, Bolt, Cursor, or Claude Code. We cover deploy, audits, incidents, and monthly ops. Most clients land in Ship Steady within the first month after starting on Ship Safe, because predictability on deploys and incident response is worth the step up.
If you are shipping daily with AI tooling and you have hit the point where the deploy or the audit or the 2am Stripe outage is the thing that is slowing you down, the hybrid retainer is the model. Our retainer engagement page walks through the three tiers with the scope tables visible up front, and you can book a call from there to size the right tier for your stage.
The last mile is not glamorous. It is what keeps the rest of the work you did this week from being the work you have to redo next week.