Nest Easy — AI-Assisted Production Build

AI

Technical Strategy — Internal + Client Brief

Can We

Actually Build

This With AI?

A direct, honest answer to the team's concerns — with evidence. Plus: the full POC-to-production build plan for Nest Easy, properly structured.

Project

Nest Easy — Manage & Build

Audience

Dev Team & Stakeholders

Prepared by

Agile Tech Solutions

Status

● Active Discussion

02 / The Concern — Addressed Directly

The developer is right to ask this.
Here's the honest answer.

Developer's Concern

"My concern is will we be able to complete the project with AI only? POC is not the project. Some features can be started with AI but completing them bug-free at production scale will be very hard."

— Lead Developer, Agile Tech Solutions

✅

They're correct about one thing

AI alone cannot complete a production-scale SaaS. Nobody credible is claiming otherwise. The POC proves the concept — it does not replace engineering rigour.

⚠️

The real question is different

The question isn't "AI only vs no AI." It's "where exactly does AI accelerate safely, and where must a human engineer own the work?" This deck answers that precisely.

🎯

Our position

AI-assisted development with human engineers in control of architecture, security, payments, and testing. Not AI-only. Not no-AI. The right tool for each layer.

01

Section One

The Evidence
For & Against

Honest data on where AI-assisted development genuinely helps, and where it falls short without human oversight.

04 / Where AI Genuinely Accelerates

Proven acceleration areas with evidence

🧱

Boilerplate & Scaffolding

NestJS modules, Prisma schemas, Next.js page layouts, DTO validation classes. AI generates correct, structured boilerplate in seconds. Studies show 55–75% time reduction on scaffolding tasks.

🔁

CRUD Operations

Standard create/read/update/delete endpoints with Prisma are highly repeatable. AI handles these correctly and consistently. Each module's CRUD is ~3hrs vs ~1.5 days manually.

🎨

UI Component Generation

Tailwind + React component generation from a design system is where AI excels. Consistent, fast. Dashboards, tables, forms — AI produces production-quality components reliably.

🧪

Test Writing

Given working code, AI writes comprehensive unit and integration tests faster than any human. Vitest unit tests, Jest mocks, Cypress E2E happy-paths — 80% coverage becomes achievable.

📝

Documentation

JSDoc, API docs, README files, architecture decision records. AI generates accurate, thorough documentation from code instantly. This alone saves 2–3 days per phase.

🔍

Code Review Support

AI catches common bugs, anti-patterns, missing error handling, and security issues in code review. Used as a second reviewer it improves quality without slowing the team.

GitHub (2023 Copilot Research)

Developers using AI assistance completed tasks 55% faster and reported higher satisfaction. The largest gains were in repetitive, well-structured tasks — exactly the profile of SaaS CRUD modules.

05 / Where AI Falls Short — The Honest Picture

These areas require human engineers

💳

Stripe & Payment Logic

AI can scaffold Stripe integration correctly. But webhook idempotency, race conditions in concurrent payments, and subscription state edge cases require a human engineer who understands Stripe's failure modes deeply. This is financial data — it must be owned by a person.

AI: scaffold Human: owns logic + edge cases

🔐

Auth, JWT & RBAC Security

AI generates correct JWT patterns. But token rotation edge cases, RBAC bypass vulnerabilities, and refresh token security are not things AI reliably gets right under adversarial conditions. Security decisions require a human to own and audit.

AI: boilerplate Human: security review + pen test

📊

Complex Business Logic

Awaab's Law compliance deadlines, rent arrears calculations, compliance RAG state transitions — these involve legal and financial rules that must be precisely correct. AI can draft, but a human must verify against the actual regulation.

AI: draft Human: verifies legal accuracy

🏗️

Production Architecture Decisions

Database indexing strategy, caching invalidation, connection pooling under load, and Docker network security require experienced engineering judgement. AI gives suggestions — a human decides and is accountable.

AI: options Human: decides + owns

🐛

Deep Bug Hunting

AI is good at fixing bugs it introduced. It's poor at diagnosing bugs caused by system interactions — race conditions, intermittent failures, environment-specific issues. These need a human to trace, reproduce, and fix systematically.

AI: simple bugs Human: systemic issues

📦

Data Migration & Production Ops

Zero-downtime migrations, Prisma migrate deploy on live data, rollback planning — these are high-stakes operations. A mistake deletes real client data. Must be planned and executed by an experienced engineer with a tested rollback plan.

AI: plan Human: executes + owns rollback

06 / Task Ownership Map

Who owns
what

Every task in the build mapped to AI-assist level vs human engineer ownership. Neither extreme — intelligent allocation.

AI accelerates heavily (≥70%)

AI assists, human reviews (40–70%)

Human leads, AI supports (≤40%)

Human owns entirely — no AI

02

Section Two

The POC
Structure

The POC is the foundation layer. Every subsequent feature builds on top of it — so it must be structured correctly from day one.

08 / POC vs Production — The Critical Distinction

The POC is the foundation.
Not the project.

What the POC proves

The tech stack works together correctly
The database schema is sound and extensible
The auth pattern and RBAC model is correct
The UI component system and design tokens work
The Docker stack runs in the target environment
The team can build this together

What the POC is NOT

Production-ready. It has no hardened error handling, no complete test coverage, no security audit, no performance validation. It is a working skeleton — not a finished product.

How POC becomes production

5

Production Hardening

Security audit, perf optimisation, migration plan, SLAs

Phase 4–5

4

Integration Layer

Stripe live, email SMTP, compliance alert scheduler, external APIs

Phase 3–4

3

Feature Modules

All 11 modules built on the foundation — CRUD + business logic

Phase 3

2

Foundation Layer

Auth, DB schema, component lib, Docker stack, CI/CD

Phase 2

1

POC (exists now)

Proves concept, validates stack, de-risks architecture decisions

✓ Done

09 / POC Correct Structure — What Must Be In Place

The POC must be structured to scale

Everything built in the POC will be extended — not replaced. This means the POC architecture must follow production patterns from day one, even if the features are incomplete.

🗂️

Monorepo Structure

apps/api and apps/web must follow the exact module pattern from the start. New features slot in as new modules — never as hacks on top of existing ones.

src/modules/feature/
├── feature.module.ts
├── feature.controller.ts
└── feature.service.ts

🛡️

Auth + RBAC From Day One

Every controller must use JwtAuthGuard + RolesGuard from the first module. Adding auth to 11 modules after the fact is a disaster. The POC must establish this pattern.

@UseGuards(JwtAuthGuard, RolesGuard)
@Roles(UserRole.MANAGER)
@Get(':id')

🐘

Schema Must Be Production-Shape

The Prisma schema in the POC must include PostGIS, Decimal types for money, and all relation keys. Changing schema shape mid-project breaks everything downstream.

rentAmount Decimal // NOT Float
geom Unsupported("geometry")
createdAt DateTime @default

🎨

Design Token System

Tailwind config with brand colours, spacing, and typography scale locked in POC. All 20+ screens use the same tokens. No inline styles or one-off colour values anywhere.

🐳

Docker Stack Mirrors Production

All 6 containers (API, Web, Nginx, PG+PostGIS, Redis, MinIO) must run locally during POC. "Works on my machine" without Docker is not acceptable at this stage.

📋

Error Handling Pattern

NestJS exception filters, HTTP exception classes, and frontend error boundaries must be established in the POC. Retrofitting error handling is the #1 cause of production fires.

03

Section Three

Full Build
Plan

The complete POC-to-production roadmap — every feature, every phase, with AI ownership vs human ownership clearly marked.

11 / Full Build Timeline — POC to Production

5 phases. 20 weeks. POC is layer zero.

🏗️

POC → Phase 1

Solidify &
Structure

Harden POC architecture. Establish all patterns. Schema finalised. Docker verified. Sign-off.

Weeks 1–3

⚡

Phase 2

Foundation
Complete

Auth hardened. Component library. CI/CD. Staging env live. Error handling patterns.

Weeks 4–6

🔧

Phase 3

All 11
Modules

Every feature module built. Tenant portal. Financial reporting. AI-assisted CRUD at speed.

Weeks 7–12

🔗

Phase 4

Integration
& QA

Stripe live, compliance alerts, E2E tests, UAT. Human-led security review and audit.

Weeks 13–16

🚀

Phase 5

Launch &
Handover

Go-live, domain switch, training, SEO baseline, documentation. Handover pack.

Weeks 17–20

Phase 1 Exit Gate

All POC patterns verified. Schema signed off. Docker stack confirmed. Auth tested. Both leads sign before Phase 2 starts.

Phase 2 Exit Gate

Staging URL live. Component library complete. Error handling verified. CI/CD pipeline running. No broken builds.

Phase 3 Exit Gate

All modules on staging. Tenant portal working. Basic payment flow tested. 60%+ test coverage. Client demo completed.

Phase 4–5 Exit Gate

80%+ test coverage. Security audit passed. UAT signed off. Live Stripe keys. Domain switched. Handover complete.

12 / Complete Feature Build Plan

Every feature — phase, AI role, human role, risk level

Feature / Module	Phase	AI Role	Human Must Own	Risk
FOUNDATION
Auth System (JWT + RBAC)	Ph 1–2	Module scaffold, DTO, guards boilerplate	Token rotation logic, security audit, pen test	High
Database Schema + Prisma	Ph 1	Initial schema generation, migration files	Decimal types, PostGIS config, index strategy	Med
Docker Stack + Nginx	Ph 1–2	Compose file, Dockerfile templates	IP allowlists, rate limits, security headers	High
UI Component Library	Ph 2	All components, Tailwind config, Storybook	Accessibility audit, WCAG compliance check	Low
CORE MODULES (Phase 3)
Property Management	Ph 3	Full CRUD, search, filters, portfolio view	PostGIS integration, geospatial query optimisation	Low
Tenancy Management	Ph 3	Lifecycle CRUD, status engine scaffold	Edge case state transitions, legal field accuracy	Med
Rent Collection (Stripe)	Ph 3	Payment UI, basic webhook handler scaffold	Idempotency, race conditions, refund logic, live keys	High
Compliance Tracking	Ph 3	RAG dashboard, cert CRUD, alert scaffold	Awaab's Law accuracy, legal deadline verification	High
Maintenance & Repairs	Ph 3	Workflow CRUD, contractor assignment, photos	Awaab's deadlines, cost tracking accuracy	Med
Document Management	Ph 3	MinIO integration, upload/download UI	Presigned URL security, bucket policies, file size limits	Med
Financial Reporting	Ph 3	Dashboard UI, table components, chart scaffold	Calculation accuracy, Decimal precision, CSV/PDF export	High
Notifications + Audit Log	Ph 3	In-app bell, email templates, Bull queue setup	Audit log immutability guarantees, SMTP reliability	Med
Tenant Portal	Ph 3	Dedicated UI, payment form, request forms	Data isolation — tenant must never see other tenant data	High
Admin Panel	Ph 3	User management UI, audit log viewer	Role escalation prevention, admin-only route guards	Med
INTEGRATION + QA (Phase 4)
E2E Test Suite	Ph 4	Cypress test generation for all happy paths	Edge case tests, payment failure scenarios, auth bypass tests	Med
Performance Optimisation	Ph 4	Query suggestions, caching recommendations	DB explain plans, N+1 diagnosis, Redis strategy decisions	Med
Security Hardening	Ph 4	Dependency audit, header configuration	Full security review, RBAC bypass testing, JWT attack vectors	High
POST-LAUNCH SCOPE (Future Phases)
Subscription Billing UI	Future	Stripe Customer Portal UI, tier management	Subscription state machine, upgrade/downgrade edge cases	Med
Digital Tenancy Signing	Future	DocuSign API integration scaffold	Legal validity, signature audit trail, storage compliance	High
Property Map View	Future	Map UI components, PostGIS query layer	PostGIS query optimisation, map performance at scale	Low
Mobile App (React Native)	Future	Screen scaffolding, shared type usage	Native permissions, push notifications, app store compliance	High
Two-Factor Auth (TOTP)	Future	TOTP UI, authenticator app flow scaffold	Security implementation, backup codes, account recovery	High
White-Label Multi-Tenancy	Future	Branding config system, theme tokens	Data isolation architecture, tenant boundary enforcement	High
CI/CD Pipeline	Future	GitHub Actions workflow scaffolding	Deployment strategy, rollback procedures, secret management	Med
PDF Compliance Packs	Future	Puppeteer template generation	Legal formatting requirements, branding accuracy	Low

04

Section Four

AI Tooling
Strategy

Exactly which tools, how they're used, and the workflow that keeps a human engineer in control at every critical decision point.

14 / AI Tool Allocation

Right tool, right layer

⚡

Cursor + Claude Sonnet

Primary development tool. Inline autocomplete, multi-file edits, context-aware suggestions. Used for all CRUD modules, UI components, and test generation. The developer drives — Cursor accelerates.

🧠

Claude (Anthropic API)

Architecture reasoning, complex business logic review, security review prompts, and documentation generation. Used for longer-context tasks where Cursor's context window is insufficient.

🐙

GitHub Copilot

Secondary inline suggestion layer, especially for repetitive patterns. Good for Prisma query completion, TypeScript type generation, and NestJS decorator patterns where the pattern is highly predictable.

.

The workflow rule

A simple rule that resolves the developer's concern. Every AI output goes through a human gate before it is merged.

1

AI drafts the code

Cursor generates the module, component, or test. Full output in editor.

AI

2

Developer reviews line by line

Human reads every line. Checks logic, error handling, edge cases. No blind merges.

Human

3

High-risk areas: human rewrites

Payments, auth, compliance logic — human writes these. AI is reference only.

Human writes

4

PR review + tests must pass

Code review by second dev. Tests written (AI-assisted). CI pipeline must be green.

Gate

5

Merges to main

Only after all gates pass. Staging auto-deploys. Lead developer confirms on staging before sprint close.

✓ Merged

15 / Risk Register — AI-Assisted Development

Known risks & how we mitigate them

💳

Critical

AI generates incorrect Stripe logic

Payment edge cases — concurrent requests, webhook replay, refund states — are frequently wrong in AI-generated code.

→ Human engineer writes all payment logic. AI scaffold only. Stripe test mode + all failure scenarios tested before live keys.

🔐

Critical

Security vulnerability in auth

AI can produce JWT implementations with subtle flaws — missing expiry checks, improper secret handling, RBAC bypass via role injection.

→ Human writes auth core. Dedicated security review pass in Phase 4. OWASP checklist. External pen test if budget allows.

📐

High

AI-generated code inconsistency

Different AI sessions produce code in different styles. Without strict patterns, the codebase becomes inconsistent and hard to maintain.

→ ESLint + Prettier enforced. Module pattern templates. PR review catches style drift. One AI context per module session.

⚖️

High

Legal logic errors (Awaab's Law)

AI does not know Awaab's Law precisely. Deadlines or compliance categories coded incorrectly creates legal liability for the client.

→ Human writes compliance deadline logic. Legal spec reviewed with client. Integration tests verify every deadline rule.

🏃

Medium

Over-reliance slows experienced devs

If devs accept AI output without reviewing, they lose touch with the codebase. Debugging becomes harder as familiarity drops.

→ AI is a tool, not the author. Devs explain every AI-generated section in PR review. Ownership is non-negotiable.

🐛

Medium

Subtle bugs at integration points

AI builds modules in isolation well. Integration — where Property module talks to Compliance which talks to Notifications — is where bugs hide.

→ Integration tests written for every module boundary. E2E Cypress tests run full user journeys across all modules before each merge.

16 / The Time Savings Case

The numbers
make sense.

Conservative estimates based on documented developer productivity studies and the specific task mix of this project.

Bottom Line

AI-assisted development on this project saves an estimated 8–12 weeks of developer time on low-to-medium risk tasks — enabling a 4–5 month delivery that would otherwise take 7–8 months with the same team size.

The Developer's Concern — Resolved

The answer is: No, we cannot do this with AI only. But with AI-assisted human engineering, following the workflow and risk mitigations in this deck, we can deliver production-quality code in the timeline and budget.

Estimated time savings by task category

17 / Complete Feature Scope — Including All Post-Scope Additions

Everything in scope across all phases

MVP Core

Auth + JWT + RBAC (5 roles)
Property management (multi-type)
Tenancy lifecycle management
Rent collection (Stripe)
Compliance tracking (6 types)
Awaab's Law enforcement
Maintenance & repairs workflow
Document management (MinIO)
Financial reporting + forecasting
In-app notifications + bell
Email alerts (Nodemailer/SMTP)
Tenant portal (dedicated UI)
Admin panel + user management
Immutable audit log

Phase 1–3

Infrastructure

Docker 6-service stack
Nginx reverse proxy + rate limiting
Cloudflare DDoS + CDN
PostgreSQL 15 + PostGIS
Redis (Bull queue + caching)
MinIO S3-compatible storage
Prisma ORM + migrations
Next.js 14 App Router (SSR)
NestJS 10 modular API
TypeScript 5 end-to-end
Tailwind CSS component lib
TanStack Query (state)
Storybook component docs
Vitest + Cypress test suites

Phase 1–2

Production & QA

80%+ test coverage
E2E Cypress user journeys
Security hardening + OWASP
RBAC penetration review
Core Web Vitals ≥ 90
DB index optimisation
Redis caching strategy
Zero-downtime deployment
Prisma migrate deploy (safe)
Cloudflare IP allowlisting
Live Stripe keys + webhooks
SendGrid SMTP (production)
Environment secrets audit
Client UAT sign-off

Phase 4–5

Post-Launch Roadmap

Subscription billing UI (Stripe)
Digital tenancy signing
Property map view (PostGIS)
Mobile app (React Native)
Two-factor auth (TOTP)
White-label multi-tenancy
CI/CD pipeline (GitHub Actions)
PDF compliance packs
SEO review (3 months post-launch)
Advanced analytics dashboard
Contractor mobile app
API access for integrations

Future scope

YES

Summary — The Answer

AI only?

No.

AI-assisted +

human-led?

Yes.

Human owns — no AI

Stripe payment logic + edge cases
Auth security review + pen test
Compliance legal accuracy
Architecture decisions
Production deployment + rollback

AI drafts, human reviews

Business logic modules
Financial calculations
DB schema design
Integration layer code
Complex state management

AI accelerates (≥70%)

All CRUD modules
UI components + pages
Test suite generation
Documentation
Boilerplate + scaffolding

The developer's concern is valid and has been heard. This build plan puts human engineers in control of every critical, risky, or legally sensitive part of the system. AI handles the repeatable heavy-lifting so the team can focus their expertise where it matters.

20 weeks£55,0005 phases