How We Build Production Apps with Claude Code (The Actual Workflow)
Most agencies using AI coding tools treat that fact like a trade secret — clients might ask why the invoice still reads like 2022. We do the opposite: the workflow is the product. Here’s exactly how a three-week production build runs here, tool names and all.
The principle: AI writes volume, humans own judgment
Claude Code is genuinely excellent at the volume of software work: scaffolding a typed codebase, CRUD, integrations, test suites, migrations, refactors. It is not accountable. It can’t weigh a data-model trade-off against your growth plan, notice that your pricing model makes a query pattern explosive, or push back on a feature that shouldn’t exist.
So the rule that governs everything: the AI proposes, a senior engineer disposes. Nothing merges without human review. Ever.
Week zero: the scope is the contract
Before any code, a 30-minute scoping call becomes a written document: features (defined precisely enough to be testable), ship date, fixed price. This isn’t just sales hygiene — a sharp scope is what makes AI-first development fast. Claude Code with a precise spec is a rocket; with a vague one, it confidently builds the wrong thing at incredible speed.
Week one: architecture by humans, scaffolding by AI
A senior engineer makes the decisions AI shouldn’t: stack, data model, auth strategy, infrastructure, what to buy vs. build. Then Claude Code turns those decisions into a working skeleton — typed project, CI pipeline, auth flow, deployed preview — usually within the first two days.
Your repo is created in your GitHub org on day one, and every commit lands there. You can read the diffs, click the preview, and see progress daily. No “trust us” weeks.
Week two: features in review loops
Each feature runs the same loop:
- The engineer writes a focused brief (intent, constraints, edge cases)
- Claude Code implements — code and tests together
- The engineer reviews the pull request like they would a human’s: logic, security, performance, taste
- Anything off gets rewritten — by the AI, under direction, or by hand
- Merge, deploy to preview, next
The review isn’t ceremony. This is where AI’s characteristic failures get caught: hallucinated APIs, missing authorization checks, plausible-but-wrong business logic, N+1 queries. Independent audits find security vulnerabilities in most AI-generated code — the review loop is why that statistic doesn’t ship (the exact failures it catches are in our security checklist post).
Week three: the hardening pass
The last week belongs to the security checklist: auth and session handling against OWASP, authorization on every endpoint, secrets audit (hardcoded keys are the #1 vibe-coding failure — scrapers find exposed AWS keys within minutes), input validation, rate limiting, payment failure paths, monitoring and alerts. Automated tests run on every push; the suite has to be green and the checklist signed before we ship.
Then: production deploy on your infrastructure, handover call, docs, and 30 days of included fixes.
What the AI is not allowed to do
Worth stating explicitly, because this is where AI-first differs from vibe coding:
- No architecture decisions. It implements them.
- No unreviewed merges. 100% of code passes senior eyes.
- No security-critical code without a human pass — auth, payments, and data handling get line-by-line review.
- No inventing scope. Feature briefs come from the written scope, not the model’s enthusiasm.
Why this is the whole business model
A senior engineer directing Claude Code ships what used to take a small team a quarter. We pass that difference on as fixed prices — $4,995 to $25,000 instead of the market’s $20,000–$120,000 — rather than billing phantom hours. The transparency isn’t altruism; in a market full of black boxes, being inspectable is the moat.
Want to see it on your project? A scoping call gets you the written scope in 24 hours, and this workflow gets you to production three weeks later.