Home/ Track 4/ CC-403

CC-403: Deployment Capstone

Listen instead
CC-403 Deployment Capstone
0:00

Learning Guide

This capstone module brings together everything from Tracks 1 through 4. You've learned the tools, configured the environment, built multi-agent systems, and established governance. Now we focus on taking agent-assisted development into production: hardening security, deploying reliably, scaling operations, measuring effectiveness, and building the organizational capability to sustain it. This is where theory becomes practice.

Production Readiness Checklist

Before deploying any agent-assisted workflow to production, verify every item on this checklist. Skip nothing.

Code Quality

  • TypeScript strict mode enabled, zero any types, zero type errors.
  • ESLint passing with zero errors and zero warnings (--max-warnings 0).
  • No console.log statements in server code.
  • No TODO or FIXME comments in production code.
  • All text inputs bounded with .max() in Zod schemas.
  • All arrays bounded. All numbers bounded. All JSONB fields use boundedJsonb.

Security

  • No hardcoded secrets in source code. All secrets in environment variables.
  • Authentication on every protected route.
  • Authorization (permission checks) on every mutating endpoint.
  • Input validation on every POST/PATCH handler with Zod schemas.
  • SQL injection prevention: parameterized queries throughout.
  • SSRF protection: URL validation blocking private IP ranges.
  • CSRF protection: Origin/Referer validation for cookie-authenticated requests.
  • Security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options.
  • Rate limiting on authentication endpoints, exports, and high-cost operations.
  • TOCTOU prevention: all UPDATE/DELETE WHERE clauses include organization scoping.

Reliability

  • Every database query has a .limit() or is an aggregate/single-row operation.
  • Statement timeout configured on the database pool (e.g., 30 seconds).
  • Body size limits enforced (e.g., 1MB via Content-Length check).
  • Every route handler wrapped in try/catch with handleApiError.
  • Health check endpoints returning meaningful status.
  • Graceful shutdown handling for long-running connections.

Testing

  • Test coverage above threshold: 90%+ lines, 80%+ branches.
  • All tests passing. Zero failures, zero skipped tests in CI.
  • Integration tests for critical paths (auth flows, payment flows, data mutations).
  • Dependency audit clean: zero known vulnerabilities in production dependencies.

The Checklist Is Not Optional: Every item on this list exists because skipping it has caused production incidents in real systems. An agent can run through this entire checklist in minutes. A human team might take days. Use the agent advantage.

Scaling Agent Operations

Moving from a single developer using Claude Code to a team or organization requires scaling patterns:

Shared Configuration

The project-level .claude/ directory should be committed to the repository. This ensures every team member gets the same CLAUDE.md instructions, the same skill definitions, and the same governance hooks. Individual preferences go in the user-level ~/.claude/ directory, which is not committed.

Skill Libraries

As your team develops useful skills (review checklists, deployment workflows, testing patterns), collect them into a shared skill library. Version the library alongside the codebase. New team members inherit the team's accumulated agent expertise on day one.

Memory Partitioning

In a team setting, some memories are personal (editor preferences, workflow habits) and some are shared (architecture decisions, coding conventions, deployment procedures). Design your memory system with clear partitioning so that shared knowledge is accessible to all team members while personal preferences remain individual.

Monitoring and Observability

Agent operations in production need the same monitoring rigor as any production system:

  • Execution logs: Every agent invocation should be logged with input, output, duration, and outcome. This enables debugging when agents produce unexpected results.
  • Cost tracking: Monitor API token consumption per operation. Identify expensive workflows and optimize them. Set budget alerts to prevent runaway costs.
  • Quality metrics: Track the rate of agent-generated code that passes review on the first attempt, the rate of test failures in agent-generated code, and the percentage of agent suggestions accepted by human reviewers.
  • Latency monitoring: Agent operations can be slow. Track end-to-end latency for common workflows and identify bottlenecks.
  • Error rates: Monitor agent failure rates, categorize failures (context overflow, tool errors, incorrect output), and feed this data back into prompt and workflow improvements.

Security Hardening

Permission Lockdown

In production, agents should operate with minimal permissions. A CI agent that runs tests needs Read, Bash, and Glob -- it does not need Write or Edit. A deployment agent needs specific deployment tools but should not have arbitrary code execution. Lock down permissions to the minimum required set.

Hook Guards

Production hooks should be defensive. The PreToolUse hook for Bash commands should block dangerous patterns: rm -rf, curl | bash, chmod 777, database drop commands, and any command that could compromise system integrity. Maintain an allowlist of safe command patterns rather than a blocklist of dangerous ones -- blocklists always have gaps.

// Hook guard example: blocking dangerous bash commands
const BLOCKED_PATTERNS = [
  /rm\s+(-rf|-fr)\s+\//,        // recursive delete from root
  /curl.*\|\s*(bash|sh)/,        // pipe to shell
  /chmod\s+777/,                  // world-writable permissions
  /DROP\s+(DATABASE|TABLE)/i,     // destructive SQL
  /git\s+push.*--force\s+.*main/, // force push to main
];

function preToolUse(toolName, params) {
  if (toolName === 'Bash') {
    for (const pattern of BLOCKED_PATTERNS) {
      if (pattern.test(params.command)) {
        return { blocked: true, reason: 'Command matches blocked pattern' };
      }
    }
  }
}

Input Validation

Every piece of data that flows into an agent-generated system must be validated. This includes API request bodies (Zod schemas), URL parameters (UUID validation), query parameters (pagination bounds), and file uploads (type and size checks). Agent-generated validation code should be reviewed for completeness -- agents occasionally miss edge cases in validation logic.

Docker Deployment Patterns

Docker provides consistent, reproducible deployment for agent-built applications:

  • Multi-stage builds: Separate build and runtime stages. The build stage installs dev dependencies and compiles. The runtime stage contains only production artifacts. This minimizes image size and attack surface.
  • Health checks: Every service container should have a health check that verifies the application is actually serving requests, not just that the process is running.
  • Resource limits: Set memory and CPU limits on every container. An unconstrained container can consume all host resources during a traffic spike or memory leak.
  • Non-root execution: Run application processes as a non-root user inside the container. This limits the damage from container escape vulnerabilities.
  • Secret management: Use Docker secrets or environment variable injection -- never bake secrets into images.

CI/CD Integration

Claude Code integrates into CI/CD pipelines as both a producer and consumer:

As a Producer

Agents generate code, tests, and configurations that flow through the standard CI/CD pipeline. The pipeline treats agent-generated code the same as human-written code: it must pass all quality gates, reviews, and tests.

As a Consumer

Agents can be triggered by CI/CD events. A failing test in CI can trigger an agent to analyze the failure, propose a fix, and open a PR. A new dependency vulnerability detected by npm audit can trigger an agent to evaluate and apply the patch. This creates a self-healing development pipeline.

# CI/CD pipeline with agent integration
stages:
  - lint        # ESLint + TypeScript check
  - test        # Vitest with coverage
  - security    # npm audit + secret scan
  - build       # Production build
  - review      # Agent code review
  - deploy      # Staging then production
  - verify      # Post-deployment health checks

Team Onboarding Strategies

Bringing a team onto Claude Code requires more than installing the tool. Effective onboarding covers:

  1. CLAUDE.md workshop: Walk the team through the project's CLAUDE.md file. Explain every rule, convention, and gotcha. This file IS the agent's training manual for your project.
  2. Skill demonstration: Show the team the available skills and how to use them. Run a live feature implementation using the brainstorm-plan-implement-review cycle.
  3. Governance walkthrough: Explain the approval gates, audit trail, and permission boundaries. Make sure every team member understands what the agent will and won't do autonomously.
  4. Pair sessions: Have experienced users pair with newcomers. The experienced user demonstrates effective prompting, agent specialization, and common patterns.
  5. Feedback loop: Create a channel for sharing effective prompts, useful skill modifications, and lessons learned. The team's collective intelligence about agent usage should be a shared resource.

Measuring Agent Effectiveness

You cannot improve what you do not measure. Track these metrics to assess and improve your agent-assisted development:

  • Cycle time: Time from feature request to production deployment. Compare before and after agent adoption.
  • Defect rate: Bugs per feature in agent-generated code vs. manually written code.
  • Test coverage delta: How much test coverage improved since adopting agent-assisted testing.
  • Review turnaround: Time from PR opening to review completion with agent reviews vs. human-only reviews.
  • Developer satisfaction: Survey the team. Are agents helping or getting in the way? Which workflows are most valued?
  • Cost per feature: API costs for agent usage vs. time saved. This determines ROI.

Measurement Advice: Start measuring before you fully deploy agents. You need a baseline to demonstrate improvement. If you adopt agents first and measure later, you'll never know how much they actually helped.

The Future of Agentic Development

The patterns covered in this course are the foundation, not the ceiling. The trajectory of agentic development points toward:

  • Persistent agent teams: Instead of dispatching agents per-task, maintaining standing teams of specialized agents that own specific parts of a codebase.
  • Self-evolving codebases: Agents that not only write code but continuously monitor, refactor, and improve existing code without human prompting.
  • Cross-repository orchestration: Agent systems that span multiple repositories, managing cross-service changes atomically.
  • Natural language interfaces to production: Describing what you want a system to do and having agents make it so -- from infrastructure to application code to deployment.

The developers who master these patterns now will be best positioned to leverage whatever comes next. The fundamental skills -- decomposition, orchestration, governance, measurement -- will remain relevant regardless of how the tooling evolves.

For CLI usage patterns and deployment configuration, see the Claude Code CLI Usage documentation.

← Previous Module CC-402: Agentic SDLC Blueprint