One engineer made a production SaaS product in an hour: here's the governance system that made it possible

3 hours ago CryptoExpert
One engineer made a production SaaS product in an hour: here's the governance system that made it possible



Every engineering leader watching the agentic coding wave is eventually going to face the same question: if AI can generate production-quality code faster than any team, what does governance look like when the human isn't writing the code anymore?

Most teams don't have a good answer yet. Treasure Data, a SoftBank-backed customer data platform serving more than 450 global brands, now has one, though they learned parts of it the hard way.

The company today officially announced Treasure Code, a new AI-native command-line interface that lets data engineers and platform teams operate its full CDP through natural language, with Claude Code handling creation and iteration underneath. It was built by a single engineer.

The company says the coding itself took roughly 60 minutes. But that number is almost beside the point. The more important story is what had to be true before those 60 minutes were possible, and what broke after.

"From a planning standpoint, we still have to plan to derisk the business, and that did take a couple of weeks," Rafa Flores, Chief Product Officer at Treasure Data, told VentureBeat. "From an ideation and execution standpoint, that's where you kind of just blend the two and you just go, go, go. And it's not just prototyping, it's rolling things out in production in a safe way."

Build the governance layer first

Before even a single line of code was written, Treasure Data had to answer a harder question: what does the system need to be prohibited from doing, and how do you enforce that at the platform level rather than hoping the code respects it?

The guardrails Treasure Data built live upstream of the code itself. When any user connects to the CDP through Treasure Code, access control and permission management are inherited directly from the platform. Users can only reach resources they already have permission for. PII cannot be exposed. API keys cannot be surfaced. The system cannot speak disparagingly about a brand or competitor.

"We had to get CISOs involved. I was involved. Our CTO, heads of engineering, just to make sure that this thing didn't just go rogue," Flores said.

This foundation made the next step possible: letting AI generate 100% of the codebase, with a three-tier quality pipeline enforcing production standards throughout.

The three-tier pipeline for AI code generation 

The first tier is an AI-based code reviewer also using Claude Code.

The code reviewer sits at the pull request stage and runs a structured review checklist against every proposed merge, checking for architectural alignment, security compliance, proper error handling, test coverage and documentation quality. When all criteria are satisfied it can merge automatically. When they aren't, it flags for human intervention.

The fact that Treasure Data built the code reviewer in Claude Code is not incidental. It means the tool validating AI-generated code was itself AI-generated, a proof point that the workflow is self-reinforcing rather than dependent on a separate human-written quality layer.

The second tier is a standard CI/CD pipeline running automated unit, integration and end-to-end tests, static analysis, linting and security checks against every change. The third is human review, required wherever automated systems flag risk or enterprise policy demands sign-off.

The internal principle Treasure Data operates under: AI writes code, but AI does not ship code.

Why this isn't just Cursor pointed at a database

The obvious question for any engineering team is why not just point an existing tool like Cursor at your data platform, or expose it as an MCP server and let Claude Code query it directly.

Flores argued the difference is governance depth. A generic connection gives you natural language access to data but inherits none of the platform's existing permission structures, meaning every query runs with whatever access the API key allows. 

Treasure Code inherits Treasure Data's full access control and permissioning layer, so what a user can do through natural language is bounded by what they're already authorized to do in the platform. 

The second distinction is orchestration. Because Treasure Code connects directly to Treasure Data's AI Agent Foundry, it can coordinate sub-agents and skills across the platform rather than executing single tasks in isolation: the difference between telling an AI to run an analysis and having it orchestrate that analysis across omni-channel activation, segmentation and reporting simultaneously.

What broke anyway

Even with the governance architecture in place, the launch didn't go cleanly, and Flores was candid about it.

Treasure Data initially made Treasure Code available to customers without a go-to-market plan. The assumption was that it would stay quiet while the team figured out next steps. Customers found it anyway. More than 100 customers and close to 1,000 users adopted it within two weeks, entirely through organic discovery.

"We didn't put any go-to-market motions behind it. We didn't think people were going to find it. Well, they did," Flores said. "We were left scrambling with, how do we actually do the go-to-market motions? Do we even do a beta, since technically it's live?"

The unplanned adoption also created a compliance gap. Treasure Data is still in the process of formally certifying Treasure Code under its Trust AI compliance program, a certification it had not completed before the product reached customers.

A second problem emerged when Treasure Data opened skill development to non-engineering teams. CSMs and account directors began building and submitting skills without understanding what would get approved and merged, creating significant wasted effort and a backlog of submissions that couldn't clear the repository's access policies.

Enterprise validation and what's still missing

Thomson Reuters is among the early adopters. Flores said that the company had been attempting to build an in-house AI agent platform and struggling to move fast enough. It connected with Treasure Data's AI Agent Foundry to accelerate audience segmentation work, then extended into Treasure Code to customize and iterate more rapidly.

The feedback, Flores said, has centered on extensibility and flexibility, and the fact that procurement was already done, removing a significant enterprise barrier to adoption.

The gap Thomson Reuters has flagged, and that Flores acknowledges the product doesn't yet address, is guidance on AI maturity. Treasure Code doesn't tell users who should use it, what to tackle first, or how to structure access across different skill levels within an organization.

"AI that allows you to be leveraged, but also tells you how to leverage it, I think that's very differentiated," Flores said. He sees it as the next meaningful layer to build.

What engineering leaders should take from this

Flores has had time to reflect on what the experience actually taught him, and he was direct about what he'd change. Next time, he said, the release would stay internal first.

"We will release it internally only. I will not release it to anyone outside of the organization," he said. "It will be more of a controlled release so we can actually learn what we're actually being exposed to at lower risk."

On skill development, the lesson was to establish clear criteria for what gets approved and merged before opening the process to teams outside engineering, not after.

The common thread in both lessons is the same one that shaped the governance architecture and the three-tier pipeline: speed is only an advantage if the structure around it holds. For engineering leaders evaluating whether agentic coding is ready for production, the Treasure Data experience translates into three practical conclusions.

Governance infrastructure has to precede the code, not follow it. The platform-level access controls and permission inheritance were what made it safe to let AI generate freely. Without that foundation, the speed advantage disappears because every output requires exhaustive manual review.

A quality gate that doesn't depend entirely on humans is not optional at scale.
Build a quality gate that doesn't depend entirely on humans. AI can review every pull request consistently, without fatigue, and check policy compliance systematically across the entire codebase. Human review remains essential, but as a final check rather than the primary quality mechanism.

Plan for organic adoption. If the product works, people will find it before you're ready. The compliance and go-to-market gaps Treasure Data is still closing are a direct result of underestimating that.

"Yes, vibe coding can work if done in a safe way and proper guardrails are in place," Flores said. "Embrace it in a way to find means of not replacing the good work you do, but the tedious work that you can probably automate."



Source link

More Stories

Composio Open Sources Agent Orchestrator to Help AI Developers Build Scalable Multi-Agent Workflows Beyond the Traditional ReAct Loops

Composio Open Sources Agent Orchestrator to Help AI Developers Build Scalable Multi-Agent Workflows Beyond the Traditional ReAct Loops

48 mins ago CryptoExpert
How to Build a Production-Grade Customer Support Automation Pipeline with Griptape Using Deterministic Tools and Agentic Reasoning

How to Build a Production-Grade Customer Support Automation Pipeline with Griptape Using Deterministic Tools and Agentic Reasoning

5 hours ago CryptoExpert
Google clamps down on Antigravity 'malicious usage', cutting off OpenClaw users in sweeping ToS enforcement move

Google clamps down on Antigravity 'malicious usage', cutting off OpenClaw users in sweeping ToS enforcement move

6 hours ago CryptoExpert
Beyond Simple API Requests: How OpenAI’s WebSocket Mode Changes the Game for Low Latency Voice Powered AI Experiences

Beyond Simple API Requests: How OpenAI’s WebSocket Mode Changes the Game for Low Latency Voice Powered AI Experiences

8 hours ago CryptoExpert
Anthropic says DeepSeek, Moonshot, and MiniMax used 24,000 fake accounts to rip off Claude

Anthropic says DeepSeek, Moonshot, and MiniMax used 24,000 fake accounts to rip off Claude

10 hours ago CryptoExpert
Anthropic's Claude Code Security is available now after finding 500+ vulnerabilities: how security leaders should respond

Anthropic's Claude Code Security is available now after finding 500+ vulnerabilities: how security leaders should respond

12 hours ago CryptoExpert

Leave a Reply

Your email address will not be published. Required fields are marked *

You may have missed

Crypto update: Bitcoin and Ethereum are stable as market

Bitcoin drops to $62,800 as tariffs, ETF outflows pressure crypto market

5 mins ago CryptoExpert
Tom Lee and On-Chain Data Hints Big December Move for Bitcoin

Bitcoin Price Loses $63,000 Support, Experts Eye $60,000 Next

8 mins ago CryptoExpert
Korean Investors Cashed Out This Year, BOK Says: Global Implications

Upbit Will List 2 Altcoins Today: Here’s How Prices Reacted

16 mins ago CryptoExpert

. #XRP #xrpnews #Crypto #CryptoNews #CryptoInvesting #XRPArmy #Bitcoin2025#fypシ゚viral

23 mins ago CryptoExpert
bitcoin
Bitcoin (BTC) $ 63,347.00
ethereum
Ethereum (ETH) $ 1,833.38
tether
Tether (USDT) $ 0.999716
xrp
XRP (XRP) $ 1.33
bnb
BNB (BNB) $ 591.65
usd-coin
USDC (USDC) $ 0.999885
solana
Solana (SOL) $ 76.97
tron
TRON (TRX) $ 0.281003
figure-heloc
Figure Heloc (FIGR_HELOC) $ 1.03
staked-ether
Lido Staked Ether (STETH) $ 2,265.05

Pin It on Pinterest