Skip to content

01 · Engineering

You ship code where the stakes are tenant isolation and PHI safety. Every merge passes CI gates that encode our invariants: RLS on every PHI table, a three-method supervisor, a capability-agnostic orchestrator, Firecracker/gVisor for anything touching PHI. Claude Code is your primary surface — it auto-loads CLAUDE.md, so the invariants are already in the room.

Use case: Build a new agent capability end-to-end.

You’re adding a new intake agent to the à la carte surface. You open Claude Code at the monorepo root and type:

Opening prompt Claude Code

Confirm you’ve loaded CLAUDE.md. I’m adding a new intake agent. Before writing code, state: (1) which architectural invariants apply, (2) which files you’ll touch, (3) whether this crosses the PHI boundary — if yes, name the sandbox and RLS controls that apply. Then wait for my go-ahead.

Claude responds with the invariant checklist and a file plan. The plan looks right, but you want the manifest handled first:

Follow-up 1 Claude Code

Good. Start with the agent manifest only: digest-pinned image, explicit egress allowlist, hard resource ceilings. Show me the manifest before touching the orchestrator.

You review the manifest and approve. Now the wiring:

Follow-up 2 Claude Code

Manifest approved. Wire the registration path. Remember: zero per-agent branches in orchestrator code — if you feel the urge to add a conditional keyed on agent type, stop and tell me instead.

Claude wires it cleanly. Before opening the PR:

Follow-up 3 Claude Code

Generate the pgTAP RLS tests for the new intake tables and a PR description with sections: What / Why / Security-relevant changes / Test evidence / Rollback plan.

Use case: Security-first code review. A teammate’s PR touches the gateway and a PHI table. You type:

Prompt Claude Code

Review this diff as a hostile security auditor for a multi-tenant healthcare platform. Check: cross-tenant leakage — is every PHI query scoped by (tenant_id, agent_id) with RLS as backstop, not just app-layer filtering? Supervisor surface — anything beyond the three permitted methods is a blocker. Egress — any network call outside the manifest allowlist? Secrets outside Vault? Output BLOCKER / WARN / NIT with file:line.

Use case: FSM change verification. A diff modifies the six-phase agent lifecycle. You type:

Prompt Claude Code

This diff touches the lifecycle FSM. Verify: no state reachable without manifest verification; every terminal state tears down the sandbox and wipes working memory; no transition lets an agent outlive its resource ceiling. If the state chart in ARCHITECTURE.md no longer matches the code, list the drift.

Use case: Debugging rubber duck. Something’s wrong between the orchestrator and a sandbox. You type:

Prompt Claude Code

I’m debugging. Don’t propose fixes yet. Ask me the 5 questions most likely to isolate the fault, one at a time, updating based on my answers. Stack: Rust/axum gateway, Go orchestrator, Supabase Postgres, Firecracker sandboxes, Linkerd mTLS. Symptom: [symptom].

Use case: Build a diff/approve surface.

Prompt Claude Code

Build the review-and-approve view for [agent] output per prds/02-frontend.md. Constraints: active-task PHI in memory only — nothing in localStorage, sessionStorage, or IndexedDB; state strip must reflect the real backend lifecycle states from ARCHITECTURE.md §5, not invented ones. Show me the component tree before writing code.

Use case: PHI-in-browser audit.

Prompt Claude Code

Audit this frontend diff for PHI persistence: any write to browser storage, any PHI in URL params, any PHI reaching analytics or logging calls. Also flag PHI that could survive in React Query cache beyond task completion.

Use case: Terraform / K8s sanity check.

Prompt Claude Code

Review this infra diff for: blast radius, anything widening egress beyond manifest allowlists, anything downgrading a PHI agent from Firecracker/gVisor toward plain runc, secrets outside Vault, drift from ARCHITECTURE.md. Output go/no-go with reasons.

Use case: Red-team a feature before build.

Prompt Claude chat · Claude Code

Before we build [feature], attack it. Attacker profiles: (a) malicious tenant admin, (b) compromised agent image, (c) insider with orchestrator repo access. For each: attack path → what invariant stops it → what test proves the invariant holds. Any path with no stopping invariant: say BLOCKED: NEEDS DESIGN and stop.

Use case: PR description generator.

Prompt Claude Code

Write a PR description from this diff. Sections: What / Why / Security-relevant changes (explicitly say “none” if none) / Test evidence / Rollback plan. Terse. No marketing language.