← Writing

30/03/2026

How to set your startup team up for AI-assisted development without breaking production

The panic moment is always the same. A developer uses an AI tool to push what looks like a routine change. Something breaks in production. Nobody’s quite sure what happened or why it worked locally.

That moment doesn’t mean AI tools are dangerous. It means your engineering setup wasn’t built for a team moving this fast.

Most teams I speak to have the same root issue: the codebase is a tangle of implicit knowledge that only 2 or 3 engineers actually understand. Every other developer is guessing. When you add AI tools on top of that, you’re adding speed to a wobbly foundation.

The fixes aren’t dramatic. A handful of structural changes to your repo, your environments, and your team process can turn AI from something scary into the most reliable velocity multiplier your team has ever had.

What’s in this guide

Why AI tools struggle with most startup codebases

AI coding assistants (Claude Code, Cursor, GitHub Copilot) are, at their core, very good at pattern recognition. They read your code, infer your conventions, and try to generate something consistent with what they see.

The problem is that most startup codebases don’t have clear conventions. They have archaeological layers — decisions made at different stages, by different people, under different constraints. The folder structure made sense at 3 engineers. It doesn’t at 15.

When an AI tool can’t infer your patterns, it fills in the gaps with generic ones. That’s when you get code that technically works but doesn’t match your standards, uses libraries you’re trying to move away from, or handles errors in a completely different way to everything else.

This isn’t a flaw in the AI. It’s a codebase legibility problem. Fix the legibility, and the AI becomes genuinely useful rather than constantly needing correction.

The 4 structural changes that make your codebase AI-readable

1. Add a context file to your repo root

The single highest-leverage thing you can do right now.

Tools like Claude Code read a file called CLAUDE.md in your repo root before they do anything else. Cursor reads .cursorrules. GitHub Copilot reads .github/copilot-instructions.md. Most serious AI tools support some version of this.

These files are instructions to the AI. Write them like you’d write instructions to a new developer on their first day.

A good context file covers:

  • What the project does (2-3 sentences)
  • The tech stack and why each piece was chosen
  • Folder structure and where things live
  • Naming conventions
  • How you handle errors, logging, and testing
  • What to always do (write tests, use TypeScript, follow this API pattern)
  • What to never do (don’t use library X, don’t push to main directly)

This takes 2-3 hours to write properly. It saves every developer — human and AI — hours every week.

An example opening section:

# Project: Acme API

Node.js REST API for the Acme platform. TypeScript throughout.
Postgres via Prisma, hosted on Railway.

## Architecture
/src/routes     — Express route handlers (thin, delegate to services)
/src/services   — Business logic (all data mutation happens here)
/src/models     — Prisma schema and generated types
/tests          — Jest unit tests mirroring /src structure

## Conventions
- All routes are async/await. No callbacks.
- Services throw typed errors. Routes catch and respond.
- Tests required for all services. 80% coverage minimum.
- Never mutate the database directly from a route handler.

Every AI tool that reads that file understands your codebase instantly. Every new developer does too.

2. Switch to TypeScript (if you haven’t)

This is one of the most measurable changes you can make for AI reliability.

Research from 2025 found that 94% of errors in AI-generated code are type failures — mistakes that a type system would catch before they even ran. When your codebase has explicit types, the AI has a contract to work against. It knows what a User looks like, what a PaymentIntent requires, what your API expects to receive and return.

Without types, the AI is guessing at your data shapes. Sometimes it guesses right. When it doesn’t, the error is subtle and slips past code review.

The migration doesn’t have to be all at once. Rename files to .ts gradually, add // @ts-check to files you haven’t converted yet, and set TypeScript’s strict mode from the start. A partial migration is still a significant improvement.

3. Add a README to every major folder or service

Not a 2,000-word document. A 10-line file that answers: what does this part of the codebase do, and what does a developer need to know before touching it?

# /src/payments

Handles Stripe integration for subscription management.

Entry points:
- createSubscription(userId, planId)
- cancelSubscription(subscriptionId)
- handleWebhook(event) — called from /routes/webhooks

Stripe webhook events are idempotent. Always check for
existing records before creating new ones.

When an AI tool needs to modify anything in /payments, it reads that README first. The context it gives means far fewer wrong assumptions, far less cleanup.

4. Think carefully about monorepo vs multi-repo

If you’re still in the early stages or are about to restructure: a monorepo is worth serious consideration for teams using AI tools heavily.

When everything is in one repo — frontend, backend, shared packages, infra config — an AI assistant can see the full picture. It understands how your React component connects to your API endpoint connects to your database schema. That cross-cutting awareness is where the quality gains are biggest.

Multi-repo setups fragment that context. The AI sees a slice, not the whole. You can partially compensate with workspace features in tools like Cursor, but you’re working against the grain.

If migrating to a monorepo isn’t practical right now, the context files and READMEs above matter even more. Give the AI as much context as you can about how the pieces connect.

Setting up environments so nothing can accidentally reach production

The fear your engineers have about AI tools pushing to production isn’t really about AI. It’s about missing guardrails. The same fear exists whenever you hire someone new. AI just makes the team move faster, which makes the absence of guardrails feel more urgent.

The solution is a 3-tier environment setup with gates between each layer.

The 3 tiers

Local dev is where all the experimentation happens. Developers — and AI tools — build here without any restrictions. Breaking something locally is fine. That’s what local is for.

Staging is a production mirror. It should be identical to prod: same infrastructure, same database schema (with anonymised data), same environment variables. Every pull request deploys automatically to staging via your CI/CD pipeline. This is where you test before anything touches real users.

Production only receives deployments after a human has reviewed and approved the staging version. Not just approved the code — actually looked at the running application and confirmed it behaves correctly.

Branch protection rules

These take about 20 minutes to set up in GitHub and prevent entire categories of accident.

The minimum setup for main branch protection:

  • Require at least 1 (ideally 2) approving reviews before merge
  • Require all CI checks to pass (tests, linting, type checking)
  • Block direct pushes to main — nobody, not even the founders
  • Require branches to be up to date before merging

This means the path from local → production is: feature branch → pull request → CI passes → human review → merge → auto-deploy to staging → manual approval → production.

Every step is a checkpoint. An AI tool can move fast through all of them. It cannot skip any of them.

CI/CD gates

Your CI pipeline should run automatically on every pull request and block the merge if anything fails.

The essentials:

  • Tests: aim for 80% coverage minimum. Below that, you’re guessing whether changes broke anything.
  • Type checking: tsc --noEmit must pass. This catches the majority of AI errors before they run.
  • Linting: ESLint with your project rules. AI-generated code often violates naming or formatting conventions that a linter catches immediately.
  • Security scanning: tools like npm audit or Snyk catch dependency vulnerabilities. AI tools sometimes suggest outdated packages.

The barrier to entry for CI is lower than it used to be. GitHub Actions with a basic Node.js workflow costs nothing and takes an afternoon to set up properly.

How to get 15 people building confidently without a gatekeeper

The biggest risk with a 15-person team isn’t that someone pushes a broken change. It’s that everyone becomes paralysed waiting for someone more senior to approve their work.

The goal is a setup where the guardrails do the gatekeeping, not the people.

Use trunk-based development with short-lived branches

Trunk-based development (TBD) means everyone commits to main frequently, via short-lived branches that live for less than 24 hours. No long-running feature branches sitting around for weeks accumulating conflicts.

This works particularly well with AI tools because AI generates code fast. You can start a feature branch, let an AI assist with the implementation, run the tests, open a PR, and merge — all in a single morning. Long-lived branches are a sign of friction, not thoroughness.

The constraint: every commit to main has to leave the codebase deployable. If it’s not ready for users, it ships behind a feature flag.

Feature flags over incomplete features

A feature flag is a simple boolean that controls whether a piece of functionality is active. You can deploy incomplete code to production (hiding it behind a flag set to off), test it in the live environment, and turn it on when you’re ready.

This separates deployment from release, which is one of the most important architectural separations a growing startup can make.

For a 15-person team, a simple in-house implementation is fine to start — a config value in your database or environment variables. If you want something more sophisticated, tools like Unleash (open source) or LaunchDarkly (paid) handle it well.

A lightweight PR review process for AI-written code

AI-generated code needs human review. Not because it’s worse than human code — in many ways it’s better. But because it doesn’t carry context about why decisions were made, and that context matters for maintainability.

A useful addition to your PR template:

## AI assistance used?
- [ ] Yes — I've reviewed all logic, edge cases, and tests independently
- [ ] No

## What did you verify manually?

This creates a habit of conscious review rather than rubber-stamping. It also surfaces where the team is using AI tools and what they’re comfortable reviewing independently.

Rotate a weekly AI review lead

Pick one person per week to be the team’s AI shepherd. Their job is to:

  • Review any AI-assisted PRs with extra scrutiny
  • Flag anything that looks like an AI hallucination (incomplete error handling, hardcoded values, copy-pasted patterns that don’t fit)
  • Share what they learned with the team at the end of the week

This distributes expertise rather than concentrating it. Within a month, everyone on the team has done it at least once and has a real mental model of where AI tools help and where they need supervision.

What a CTO actually does here

Everything above is knowable by a senior engineer. Most of it isn’t complicated. The gap for most startups isn’t knowledge — it’s time, prioritisation, and someone who’s done it before knowing which order to do it in.

A fractional CTO working with a 15-person team typically spends the first 4-6 weeks doing exactly this work: auditing the codebase, setting up the context files, building the CI/CD pipeline, configuring the environments, and running the team through how to use AI tools well. Then stepping back into a review and guidance role as the team picks up speed.

The result isn’t dependency on the CTO. It’s a team that can move faster independently, because the infrastructure is doing the gatekeeping work that used to slow everyone down.

If you’re at the point where you’re wondering whether you need someone to set this up — the answer is probably yes, and it’ll take a fraction of the time you’re spending worrying about it.

FAQ

Do we need a monorepo to use AI coding tools effectively?

No, but it helps. A monorepo gives AI tools full cross-service context, which improves the quality of suggestions across your stack. If you’re in a multi-repo setup, context files and per-service READMEs partially compensate. Migrating to a monorepo is a significant undertaking — worth doing at a natural architecture decision point, not just for AI tooling.

What’s the difference between CLAUDE.md, AGENTS.md, and .cursorrules?

They’re the same idea implemented differently per tool. CLAUDE.md is read by Claude Code, AGENTS.md is a more generic standard some tools follow, and .cursorrules is specific to Cursor. If your team uses multiple tools, maintain them in sync — or write a master context file and symlink or copy from it.

Our codebase is in JavaScript, not TypeScript. Is it worth migrating?

Yes, particularly if you’re using AI tools heavily. The productivity cost of the migration is real but bounded — most teams doing it incrementally are done within 2-3 months. The ongoing quality improvement is permanent. Start with new files in TypeScript, add // @ts-check to existing files, and convert the highest-traffic services first.

How do we handle database migrations safely with AI-generated code?

This is a common gap. AI tools can generate schema migrations, but they don’t know what’s in your production database. The safest setup: use a migration tool (Prisma Migrate, Flyway, or Drizzle’s migration system), require all migrations to be reviewed by a human who knows the data, and test them against a database snapshot before they run in prod. Never auto-run migrations as part of a deployment without a human sign-off.

Our engineers are worried the AI will override their judgment. How do we manage that?

Frame it correctly from the start: AI writes first drafts, humans make decisions. An AI suggestion is a suggestion, not an instruction. The review process exists precisely so engineers apply their judgment. In practice, the engineers who feel most confident with AI tools are the ones who’ve learned to push back on the AI and ask it to justify its choices — which it will.

When should we stop using a fractional CTO?

When the infrastructure is in place, the team has the habits, and you’re at a point where you need someone thinking about architecture and technical strategy full-time — not part-time. That’s usually Series B territory, or when your engineering headcount is 25-plus and the complexity of cross-team coordination is itself a full-time problem. Until then, a fractional arrangement gives you senior thinking without the full-time overhead.

How long does it take to set this up properly?

The context files and branch protection rules can be done in a day. CI/CD setup and environment configuration take a week or two depending on your current infrastructure. Getting the team into good habits with feature flags and trunk-based development takes a month of conscious effort. The whole thing is a 4-6 week project, not a 6-month one.

Written by

Fame Razak

Fractional CTO with 26 years of experience at AKQA, AnalogFolk, Wunderman, Digitas, and Critical Mass. Technical lead on work for Nike, HSBC, Microsoft, and Citi. Now helping creative agencies and ambitious founders build with confidence.

Want someone to set this up for you?

Book a free 30-minute discovery call. We'll talk through your situation and I'll tell you honestly whether I can help.

Book a discovery call