Cheezy World

Delivering software with discipline and joy

Are Code Reviews and Pull Requests a Thing of the Past?

The pull request is one of the most entrenched rituals in modern software development. Open a branch, push your work, open a PR, wait for a colleague to read the diff, address their comments, wait again, and finally merge. We have built entire products, careers, and cultural norms around this loop. It is so universal that most developers have never seriously questioned whether it should exist.

I want to question it. Because once you have an AI-driven workflow that is tuned well, the traditional pull request and the human code review that rides along with it are, in most cases, no longer necessary. That is a strong claim, so let me be careful about what I mean by it - and then let me be equally honest about the fact that plenty of organizations are going to keep requiring reviews anyway, and what the right answer looks like for them.


The Product Team: How does AI change the structure of a larger product organization?

In The New Team I described what a single AI-driven product team looks like: one Product Owner and one or two Developers, working in tight feedback loops that produce shippable software in hours rather than weeks. That post was about the atomic unit. This post is about what happens when you zoom out.

Most product organizations were not designed around a single team. They were designed around the assumption that delivering software is slow, expensive, and risky. Every layer of the org chart - the directors, the program managers, the design ops leads, the release coordinators - exists to manage that slowness and risk. When the underlying work becomes fast and cheap, those layers do not automatically become useful. Many of them become friction.


The Security Review Plugin: My latest addition to the Stride plugin library

Yesterday I typed the following into Claude Code:

/stride-security-review:security-review --full

Forty-two agent dispatches and roughly twelve minutes later, I had a 72-finding security review of Stride. The breakdown was sobering: 0 critical, 12 high, 15 medium, 38 low, 7 info. Some of those findings I knew about from having ran a different security review tool. That previous tool found 17 items. The rest were new to me.

Then I spent the rest of the day fixing them - or more accurately watching Claude fix them.


Prose-Only Enforcement Is Unreliable. Mechanical Gating Works.

As many of you know, I’ve built a tool called Stride. It is a human / AI collaboration tool that offers a robust workflow with many features to drive collaboration and predictability. It takes the form of a hosted kanban-like app that manages the detailed tasks and agent plugins for all of the major AI agents. Even though it has several thousand users now, I have struggled with forcing the agents to always follow the workflow defined in the plugins. The plugins define a lifecycle that is decomposed into seven skills — one orchestrator (stride-workflow) and six sub-skills that handle individual phases (stride-claiming-tasks, stride-completing-tasks, and so on). The sub-skills exist because each phase has a non-trivial API contract that the agent has to get exactly right. The plugins also contain four subagents and a hook designed to execute developer defined commands at specific times during the lifecycle of the work.


Context Matters

At the AI Coffee Chat this past Wednesday we were having a great conversation about how to minimize the overall context that your Agent uses and what happens as the context gets full. I will not go into the details here of what the Agent context is and why it is important to not fill it up with unnecessary things. In the Chat session, I made the statement that a great way to minimize context usage is to understand the core thing you are asking your Agent to do and try to move everything else out to SubAgents, Hooks, or Skills.