Most are still shipping “AI add-ons.” The real shift happens when the whole workflow disappears into one action — that’s when users actually feel the value.

Completely agree, most failures I’ve seen come from poor context management and unclear data flow, not the model itself. State handling also becomes a major issue when workflows scale, especially with multiple tools and agents interacting. In my experience, debugging improves a lot once you treat it as a system design problem rather than just an AI model issue.

API docs get attention. The frontend/API contract usually doesn't. TypeScript helps, but types lie without runtime validation. The API returns an unexpected null, a renamed field, an edge case you never tested and your types had no idea. Zod fixes this. Parse at the boundary. If the API changes shape, you catch it at the schema. Not in a Sentry alert a week later. We do this with Next.js Server Actions too. The server/client boundary is the natural place to validate. Keep the schema next to the call. Documentation problem and type-safety problem are usually the same problem.

You’re definitely not alone that “Step 5 bottleneck” is where most AI-assisted teams hit reality. Right now, most teams aren’t fully automating reviews yet. The common pattern I’m seeing is a hybrid approach, not purely human or purely automated. What others are doing AI generates code → Automated checks (linting, tests, security, architecture rules) → Targeted human review (not full manual review) 👉 The key shift: humans review intent + architecture, not every line.

Nice first deployment walkthrough! One thing worth adding to this stack: set up an OAI (Origin Access Identity) or the newer OAC (Origin Access Control) so your S3 bucket stays fully private and only CloudFront can read from it. Without that, the bucket is publicly accessible even though CloudFront is in front. Also, consider adding a Cache-Control header strategy — setting immutable assets to max-age=31536000 with content hashing in filenames, and your index.html to no-cache so CloudFront always checks for the latest version. WAF is a solid move this early — most people skip it until they get hit with bot traffic.

It all depends how how you use the ai to code If you plan before hand all possible vulnerabilities the chances of breaking will be very low