AI coding workflow patterns that survive review
Four AI coding workflow patterns that keep agent work reviewable: CLAUDE.md precedence, replay sandwiches, connector cards, and child receipts.

An AI coding workflow pattern is a small written contract that says how an agent may work: its scope, its permissions, how it verifies, and what proof travels with the change. The good ones share one trait. The contract lives in a file, not in someone's head, so a reviewer who never watched the session can still defend the merge. Below are the four we set up first when a team adopts Cursor (Anysphere's AI code editor), Claude Code (Anthropic's coding agent), or Codex CLI (OpenAI's coding agent).
We started writing these down after a connector audit that was supposed to take an hour. We found one MCP call that looked harmless until credentials showed up in the transcript, and every merge that touched that session went back into the review queue. The fix was never a smarter agent. It was four files.
Write a precedence clause so sessions stop inventing policy
Bash approvals turn into muscle memory within a week of adopting Claude Code. You click yes, then yes again, and soon each session is making up its own rules about what it may touch.
Hooks help, but the real fix is a precedence clause at the top of CLAUDE.md. State which hooks win, which folders need a human, and where temporary overrides live. Once that is written down, sessions stop improvising mid-run, because the policy is on disk instead of in the last thing someone approved.
Make Codex runs replay without standing behind a terminal
Teams on Codex CLI often merge a green run that no reviewer ever watched execute. The commands ran. The story of why just did not survive the trip to the pull request.
The fix is a replay sandwich. Your AGENTS.md requires three things before any PR opens: one intent line, the command transcript, and a diff summary. Now review is reproducible from the PR body alone. Nobody has to lean over a colleague's keyboard to trust the result.
Give every MCP connector a one-card boundary
Wire up MCP quickly and a connector ends up touching data nobody put on the diagram. Connectors ship as capability demos by default, so least privilege only happens if you write the trust boundary down.
One markdown card per MCP server does it: allowed actions, forbidden actions, owner, rollback. Incidents get smaller because operators know what "off" looks like before anything goes wrong.
Demand a receipt from every child agent
Chained agents return summaries that quietly drop the paths a child owned, and the parent green-lights a diff it never read. The mystery diff is a category of bug, not bad luck.
A child receipt block closes it. Every child returns the paths it touched, the commands it ran, and the tests that prove the regression guards hold. Here is a delegation snapshot you can drop in and adapt to your repo:
---
description: Delegation boundary snapshot (adapt globs to your repo)
globs:
- "**/*"
alwaysApply: false
---
- Cursor: keep scopes explicit in `.mdc`; forbid undeclared MCP domains.
- Claude Code: cite `CLAUDE.md` precedence before expanding bash scope.
- Codex: ensure `AGENTS.md` carries replay-friendly verification notes for CLI runs.
Check the work in two minutes from the PR
A pattern only counts if a reviewer can test it from the PR body without replaying a chat. These four questions do that:
| Gate | Question |
|---|---|
| Receipt match | Does the PR body list scopes plus a verification transcript? |
| Rules precedence | Which .mdc, SKILL.md, or CLAUDE.md governed behavior? |
| Connector truth | Which MCP servers fired, and were they expected? |
| Reviewer path | Can someone unfamiliar trace intent without chat replay? |
None of this replaces architecture judgment. Agents speed up execution, not ownership. They amplify whatever clarity already exists in your files, hooks, and scopes, and they amplify the ambiguity just as faithfully. The agentic coding governance topic collects the sibling patterns if you want the full set.
The vendor docs are worth a read while you set these up: the Claude Code getting-started guide and the Codex CLI quickstart both cover the config files these patterns lean on. For the connector card, the OWASP Top 10 for LLM Applications is a good checklist of what an MCP boundary should keep out.
Common questions
What are AI coding workflow patterns? They are repeatable contracts for agent-assisted development: written scope, permission precedence, verification commands, and receipts that travel with the PR. A good pattern passes one test. A reviewer who never saw the session can still defend the merge from the artifacts alone, no chat replay required.
How do we stop a coding agent from inventing policy mid-run? Write the precedence into the repo. A clause at the top of CLAUDE.md says which hooks win, which folders need human eyes, and where overrides live. Once that lives on disk, sessions stop improvising and bash approvals stop drifting into reflexive yes-clicking after the first busy week.
Why do agent PRs pass CI but still fail review? Because CI checks behavior while review checks the story. A green run with no intent line, no command transcript, and no diff summary forces reviewers to reconstruct what happened from scratch. The replay sandwich fixes this by making the transcript part of the PR itself, so the narrative arrives with the code.
Start with one pattern, not four
Pick the pattern that matches your loudest recent surprise and turn it into a real file before the next agent run. The fastest way to make these stick is to rehearse them on a live repo with the people who review the merges: team training.
Related training topics
Related research

Async subagents that speed up AI coding workflows
Async subagents speed up AI coding workflows when every fork returns receipts: paths touched, commands run, and tests that prove regression guards.

AI coding wrappers that hold up under review
A governance guide to AI coding wrappers: the repo contracts Cursor, Claude Code, and Codex need so agent work stays reviewable.

Subagent prompts: why every fork needs its own brief
Why subagent prompts need their own scope, paths, and verification: four named fixes that keep forked agent work explainable in review.