Occupation manual 005 / Software engineering

Let AI help build. Require evidence before release.

A proof-first route from requirement to change plan, implementation, tests, security, accessibility, review, release, rollback, and monitoring—with no “one prompt shipped production” fiction.

Short answer: use AI as a scoped engineering assistant, not a product owner, security approver, reviewer, merger, deployer, or incident commander. Give it repository rules and explicit acceptance criteria. Require a visible plan, scoped diff, mapped test evidence, known limitations, human review, rollback route, and post-release signals.

Repository, data, and production boundaryNever place secrets, credentials, tokens, private customer data, proprietary code, or access-controlled material into an unapproved AI service. Never grant an assistant broader filesystem, repository, cloud, database, or production permissions than the job requires. High-risk changes need the project's actual security, privacy, accessibility, architecture, and release owners.

What the official sources make clear

AI can assist throughout the work

NIST's Secure Software Development Framework is designed to integrate security practices into any software development lifecycle. AI can help organize requirements, propose changes, generate tests, document evidence, and surface review questions inside those controls.

Production confidence needs evidence

CISA safe-deployment guidance calls for well-defined phases, robust testing, measurements, and preparation for failure. W3C accessibility criteria are testable, but full conformance cannot be inferred from a single automated scan or one component.

No guaranteeNIST, CISA, OWASP, and W3C guidance helps teams design stronger controls. A checklist, AI output, passing build, or selected tests do not prove that software is secure, accessible, reliable, compliant, or production-ready.

Build the seven-part Spec-to-Release Evidence Desk

01

Set the job and permissions

Name the user problem, repository owner, in-scope paths, out-of-scope systems, approved AI tool, forbidden actions, reviewers, merge/deploy authority, and risk level.

Output: job and permission card
02

Turn the request into testable requirements

Record acceptance criteria and their authoritative source. Include failure behavior, authorization, privacy, security, accessibility, performance, observability, migration, rollback, and compatibility where relevant.

Output: requirement and source ledger
03

Approve a scoped change plan

Inspect existing patterns, identify affected files and interfaces, consider alternatives, record tradeoffs, review dependencies and threats, and define a disable or rollback route before broad edits.

Output: architecture and change plan
04

Keep an implementation evidence log

Record each change unit, files, reason, AI role, human inspection, and unexpected effects. Do not hide copied code, generated dependencies, assumptions, warnings, failures, or manual steps.

Output: scoped change ledger
05

Map tests to claims and risks

Use unit, integration, browser, accessibility, security, performance, and manual evidence as appropriate. Test failure paths and permissions—not only the happy path—and keep untested areas visible.

Output: verification matrix
06

Require review before merge

Package the requirement links, scoped diff, test evidence, security/privacy/accessibility reviews, migrations, and limitations. AI confidence is not approval evidence.

Output: review and merge packet
07

Release with rollback and observation

Bind the exact artifact/version, deployment authority, staged or canary evidence, rollback triggers and steps, health signals, observation window, and incident route.

Output: release and monitoring receipt

Give AI bounded jobs, never invisible authority

JobApproved inputAI outputHuman gate
Requirement clerkUser request, product source, repository rulesQuestions and testable acceptance draftProduct/technical owner confirms intent
Change plannerApproved requirements and inspected codebaseScoped files, steps, risks, and alternativesResponsible developer approves the route
Implementation copilotApproved plan and least-privilege workspaceReviewable edits and explanationDeveloper inspects every material change
Test-prep clerkAcceptance criteria, risks, and current test patternsCandidate tests and evidence matrixHuman runs, interprets, and expands tests
Release-prep clerkExact build, approvals, runbook, and monitoring planRelease/rollback checklistAuthorized process or person deploys and observes

Do not delegate these decisions or actions

AI may prepare

  • requirement questions and acceptance drafts
  • architecture alternatives and change plans
  • scoped implementation edits
  • candidate test cases and fixtures
  • documentation and release notes
  • known-limit and failure summaries
  • rollback and monitoring checklists

Authorized humans/processes control

  • product scope and architecture decisions
  • secret, data, and environment access
  • dependency trust and license decisions
  • security/privacy/accessibility conclusions
  • code review and merge
  • schema, data, infrastructure, and production changes
  • release, rollback, incident response, and customer claims

Passing is only meaningful when the test matches the claim

A green build may prove syntax, compilation, or selected tests. It does not automatically prove user intent, authorization behavior, failure recovery, accessibility, security, performance, data integrity, or compatibility. Tie each material release claim to a requirement, environment, procedure, expected result, actual evidence, and reviewer.

Proof rule“Test passed” is incomplete. Record what ran, where it ran, what it covered, what it did not cover, and who evaluated the result.

Accessibility needs full-page and human evidence

WCAG 2.2 success criteria are testable and technology-neutral. W3C also explains that accessibility evaluation combines automated testing and human evaluation, and conformance applies to full pages—including responsive variations—not a cherry-picked component. State the intended target and evidence; do not claim conformance from one scanner.

Release planning starts before the deploy button

CISA safe-deployment guidance emphasizes defined phases, robust testing, measurements, and practices that prepare for flawed updates. Bind the release to an exact artifact, use the project's staging or canary path, define rollback triggers, test the rollback where feasible, and name who watches which signals for how long.

Production hard stopDo not treat “the user said deploy” as permission to improvise environment, account, audience, migration, data changes, or rollback. Confirm the exact target and approved action.

Use this prompt after repository inspection

Act as a software engineering preparation assistant, not a product owner, security approver, reviewer, merger, deployer, or incident commander.

Using the supplied repository rules and requirement ledger, produce: (1) unanswered requirement questions, (2) a scoped change plan, (3) candidate tests mapped to acceptance criteria and failure modes, (4) security/privacy/accessibility review flags, and (5) a release/rollback evidence checklist.

Do not invent requirements, claim tests ran, hide failures, expose secrets, add unreviewed dependencies, execute destructive commands, merge, deploy, or change production data. Mark assumptions and unverified areas explicitly.

Final review before release

First-party source desk

Build the evidence route before granting more agent access.

Download the desk, tailor it to the real repository and release system, and start with a small change whose requirements, tests, review, rollback, and monitoring can all be inspected.