Summary
A structured 6-taskset sprint pattern moved the STRATT monorepo from development state to production-ready MVP (v1.0.0-rc.1) in a single session. The pattern — security, logic, tests, CI, docs, release — is sequencing-dependent: each phase builds on the prior and cannot be reordered without compromising quality.The Pattern
The critical insight is strict ordering: security holes must close before logic completion, logic must be correct before testing, tests must exist before CI gates them, CI must enforce before docs describe behaviour, and docs must be stable before release. Attempting to write tests before closing auth holes means testing incorrect behaviour. Attempting CI before tests means gating nothing. The sequence is load-bearing.Key Numbers
- Tests: 484 → 856 (+77% in one session)
- Packages with coverage: 0 → 8 (all packages)
- Security gaps closed: 4 (auth enforcement, domain access, agent validation, secret encryption)
- CI jobs: 0 → 4 (test matrix, typecheck, unit validation, coverage gate)
- Documentation pages: 0 → 5 (getting started, CLI ref, architecture, 2 guides)
What Surprised Us
- Auth was warning, not blocking —
out.warn(authError)allowed unauthenticated publishes. The fix was a one-line change per command but the blast radius was 4 files. - Coverage version pinning —
@vitest/coverage-v8v4 installed by default but vitest was v3. TheBaseCoverageProviderimport error is cryptic. Always pin:bun add -d @vitest/coverage-v8@^3.2. - IR generated code had silent auto-approves —
const approved = true; // TODO: implement gate approvalin generated TypeScript meant every gate step auto-approved. Replaced withthrow new Error(...). - Core rules weren’t auto-injected — TAD spec says “automatically inherited” but
resolveImportsonly followed explicitimports[]. A 15-lineinjectCoreRules()function fixed it.