Pocket Coach · CTO plan · 2026-05-10

AI-Native SDLC + GitHub Actions CI/CD

A safe delivery system for Pocket Coach: agents can move faster, but prod stays protected. This is a planning artifact only; no repo, GitHub, Supabase, EAS, secrets, or production systems were changed.

Gate: PASS WITH WARNINGS Dev/test first Prod approval required No app-side coaching logic

CTO conclusion

Pocket Coach is ready for an AI-native delivery system, but not for autonomous production deployment. Implement CI and PR governance first, then dev/test deployment, then production deployment behind GitHub Environments with Jack as required reviewer.

First move
Add PR checks, templates, secret scan, boundary scan, and Supabase static checks.

Second move
Add dev/test deployment using explicit dev Supabase project refs only.

Last move
Add production workflow only after Jack approves environments, secrets, and gates.

Evidence reviewed

Jack OS project/lane files: Pocket_Coach.md, engineering lane, engineering audit, dev/test segregation plan, prior implementation plan.
Repo docs: README.md, AGENTS.md, CLAUDE.md, DOCS/DECISIONS.md, DOCS/PRD-AI-COACH-BRIDGE.md.
Config: package.json, app.config.ts, eas.json, .env.example, lib/supabase.ts.
Backend: supabase/functions/ai-chat, shared AI provider registry/system prompt, OAuth initiate flow, migrations, Supabase config.
Existing release/QA agent docs and rigorous QA commands.

Target AI-native SDLC

Idea / signal intake

Jack, beta feedback, analytics, or bug signal becomes a GitHub Issue with scope, PRD links, acceptance criteria, env/data impact, and approval level.

Spec + implementation plan

Planning agent drafts a technical plan: in/out of scope, files touched, test plan, dev smoke, release, rollback, and open decisions.

Branch + agent implementation

Agents work on feature/*, fix/*, or claude/* branches. No direct push to main; no deploy from implementation agents.

Pull request

PR template requires linked issue, risk flags, tests run, migration/function/env/EAS impact, AI-boundary statement, dev smoke plan, and rollback notes.

CI + AI review

Typecheck, lint, Jest, secret scan, coaching-boundary scan, Supabase static checks, and advisory AI review summary.

Dev/test deploy

After merge or manual dispatch, migrations/functions deploy only to dev Supabase using explicit project refs. Optional EAS preview build.

Release candidate

Generate RC evidence pack: commits, PRs, migration/function/env impact, QA report, dev smoke evidence, rollback plan, production command preview.

Production deploy

Manual workflow dispatch, GitHub Environment production, Jack required reviewer, explicit prod project refs, post-release monitoring.

GitHub Actions architecture

Workflow	Trigger	Purpose	Deploys?
PR Quality	Pull request	Install, typecheck, lint, Jest	No
Security Static Checks	Pull request	Gitleaks + sensitive file diff checks	No
Coaching Boundary	Pull request	Flag app-side coaching intelligence	No
Supabase Static Checks	PR paths: `supabase/**`	Migration naming, RLS evidence, function auth/env scan	No
AI Review Summary	Pull request	Advisory risk and review focus	No
Deploy Dev/Test	Manual / approved merge	Dev migrations/functions/EAS preview	Dev only
Create RC	Manual	Evidence pack and approval artifact	No
Deploy Production	Manual	Prod migrations/functions/EAS build	Yes, approved only

Example PR quality workflow

name: PR Quality
on:
  pull_request:
    branches: [main]
jobs:
  quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npm run typecheck
      - run: npm run lint
      - run: npm test -- --runInBand

Example dev deploy guard

environment: development
env:
  SUPABASE_PROJECT_REF: ${{ secrets.SUPABASE_DEV_PROJECT_REF }}
run: |
  supabase db push --project-ref "$SUPABASE_PROJECT_REF"
  supabase functions deploy --project-ref "$SUPABASE_PROJECT_REF"

Supabase, EAS, and env handling

Supabase

Every command uses explicit --project-ref.
Dev migrations/functions before prod.
RLS evidence required for schema changes.
Function auth, env, and sensitive logs reviewed.
Secrets set per Supabase project, not in repo.

Expo / EAS

app.config.ts already splits dev/prod identity.
eas.json sets dev vs prod APP_ENV.
Production builds require approval and build number bump.
Keep TestFlight submit manual initially.
Review hardcoded EAS Updates URL before using OTA.

Do not store AI provider keys, OAuth secrets, Supabase service role keys, App Store Connect keys, or beta user data in repo, PR text, workflow logs, or AI review payloads.

AI agent roles and guardrails

Role	Model recommendation	Permission
Spec / Product Intake	GPT-5.5 or Claude Sonnet	Draft issues/specs; approval before risky scope
Planning Architect	GPT-5.5 high reasoning	Read-only plan by default
Implementation Agent	Claude Sonnet / GPT-5.5	Branch writes only; no deploy
Database / Edge Engineer	GPT-5.5 / Sonnet	Branch writes only; migration/function evidence required
QA Reviewer	Fast model + escalation	Read-only audit
Release Manager	Sonnet / GPT-5.5	No prod without Jack approval

The central guardrail: agents may help the app assemble context, stream AI responses, execute tool calls, and display AI-returned data. They must not add app-side readiness scoring, training analysis, nutrition interpretation, recommendations, or coaching logic.

Developer-ready implementation backlog

Phase 0 · Governance

PR template, issue templates, branch protection, environments, required reviewers.

Phase 1 · PR CI

Typecheck, lint, Jest, Node/package manager pinning, artifacts.

Phase 2 · Security + boundary

Gitleaks, sensitive diff, coaching-boundary scan, tuned from advisory to blocking.

Phase 3 · Supabase checks

Migration naming, RLS evidence, Edge Function auth/env checks.

Phase 4 · AI review

Advisory PR summary with privacy-safe diff bundle.

Phase 5 · Dev deploy

Manual dev migrations/functions/EAS preview with explicit dev refs.

Phase 6 · RC

Evidence pack, QA report, rollback plan, production command preview.

Phase 7 · Production

Manual approved prod workflow; TestFlight submit later.

Acceptance criteria and approval gates

PR acceptance

Linked issue/spec, passing CI, no secrets, boundary check clear or approved exception.
Migration/function/env/EAS/AI impact stated.
Rollback notes included.

Dev/test acceptance

Uses dev Supabase only; app points to dev Supabase/PostHog.
AI chat streams; safe tool-call write lands only in dev.
OAuth returns to pocketcoachdev:// when touched.

Production acceptance

RC evidence pack exists.
QA is PASS/PASS WITH WARNINGS accepted by Jack.
Jack approves GitHub Environment production.
Prod smoke and monitoring completed; release log updated.

Rollback strategy

Change type	Rollback
App-only	Rebuild previous known-good commit or ship hotfix with incremented build number.
Edge Function	Redeploy previous function version from known-good commit; monitor errors and sync logs.
Migration/schema	Prefer forward-only rollback migration; avoid destructive changes; require backup for risky ops.
Secret/env	Restore from approved secret store; verify values are not exposed in logs.
OAuth	Restore provider console settings from baseline; smoke both prod and dev app schemes.
EAS/TestFlight	Stop rollout/remove build if possible; hotfix from known-good commit.

Recommended first PR

Start with governance and CI only. Do not include Supabase deploy, EAS build, or production workflow in the first PR.

.github/pull_request_template.md
.github/ISSUE_TEMPLATE/*.yml
.github/workflows/pr-quality.yml
.github/workflows/security-static.yml
.github/workflows/coaching-boundary.yml in advisory mode
CONTRIBUTING.md with AI-agent and release rules

Source markdown: Jack_OS/DEEP_WORK/active/2026-05-10-ai-native-cicd/lane-outputs/Pocket_Coach_AI_Native_CICD_Plan.md
HTML artifact: Jack_OS/DEEP_WORK/active/2026-05-10-ai-native-cicd/html/pocket-coach-ai-native-cicd/index.html