Case study · AI safety at scale

Making AI safe for 150+ micro-frontends.

AI assistants are trained on standalone React apps — so in a Module-Federation monorepo they confidently write code that ships to a white screen. This is a version-controlled system of rules, auto-synced into every repo, that injects our architecture's invariants into every AI session: fast and production-safe, not fast but dangerous.

Role: Sole author · 0→1 @mindtickle/cursor-rules .mdc rules + agent + commands Auto-synced to every repo
✗  What AI writes without the rules
// trained on standalone React → import { useNavigate } from 'react-router-dom' npm install react // 2nd React instance <BrowserRouter> // provider shell owns new RelayEnvironmentProvider() // shadows env
→ "Invalid hook call" · white screen · 3–8h production outage
✓  What the rules make it write
// react/router are federation singletons import { useHistory } from 'ui_shell/Routing' import { useLocale } from 'ui_shell/Intl' useLazyLoadQuery(query, vars) // shell's env // never `npm install react`
→ aligned to the architecture · production-safe by default
Same prompt, same model — the rules are the difference between an outage and a merge.
150+ MFEs
Federated micro-frontends it governs
0→1 solo
Sole author of the package
Every repo
Auto-synced on every install
0 deps
Zero-dependency sync CLI
01
The problem

AI is trained on the wrong architecture.

Mindtickle runs 150+ independently-deployed micro-frontends loaded at runtime into a shared shell via Webpack Module Federation — tight coupling at the dependency and provider level. But Cursor, Copilot, and Claude are trained on standalone React: latest versions, direct npm deps, its own providers. Without context, AI generates code that works locally, passes CI, and fails in production:

A second React

Installs a shared singleton as a dep → two React instances → "Invalid hook call" → white screen and a 3–8h outage.

Duplicate providers

Re-wraps BrowserRouter, Redux, or Relay that the shell already owns → context shadowing, lost translations, broken auth.

Version drift

Defaults to React 18 / Router 6.4+ / TS 5 when the shell is React 17 / Router v6-beta / TS 4.1 — the most expensive class of bug.

Re-inited observability

Re-initializes Datadog, Snowplow, Mixpanel — which the shell owns → double counts, false alerts, inflated vendor billing.

02
The solution

Encode the architecture's invariants into every AI session.

Modular .mdc rule files — glob-activated so only the relevant ones load, keeping token usage low and precision high. Each injects architecture identity ("you are a federated remote, not a standalone app"), version ceilings, import constraints, singleton rules, and correct-pattern examples with type declarations.

Shell rules — the federation architecture

core, webpack-federation, federation-types, shell-modules, and pattern rules for routing, relay, i18n, tracking, permissions, and MFE loading — each teaching the one correct way (e.g. useHistory from ui_shell/Routing, never a new provider).

Design-Library rules — the design system

A parallel dl/ rule set governs the design system — tokens, buttons, forms, navigation, page templates — plus an agent (mtlayout) and a command that maps Figma to Design-Library components. It governs both the shell and the design system.

03
The distribution

The clever part: every repo, always in sync.

Rules are worthless if they drift. Every frontend repo adds a postinstall that pulls the latest rules on every install — so 150+ repos stay current with zero manual updates. The sync CLI is zero-dependency pure Node, and || true guarantees it never breaks an install.

package.json
// runs on every install — pulls the newest rules into .cursor/
"postinstall": "yarn sync-cursor-rules",
"sync-cursor-rules": "npx @mindtickle/cursor-rules@newest sync || true"
1
Repo installs
yarn / npm
2
postinstall fires
every repo
3
Zero-dep sync
pure Node fs
4
.cursor/rules updated
+ agents, commands
5
Every AI session
always current
04
Governance & impact

"Fast but dangerous" → "fast and production-safe."

Rules are version-controlled; changes need architecture review, and major shell upgrades require a rule update first. After adoption:

Zero
Duplicate-React incidents
No
Router regressions from AI code
No
Observability double-counting
Faster
Team onboarding & AI-assisted work
Aligned
AI output matches the architecture
Reviewed
Version-controlled, arch-gated changes

A 2025/26 frontier problem, framed and shipped: governing how 150+ teams use AI inside a Module-Federation monorepo — encoded once, auto-synced everywhere. Built 0→1 as sole author of the package.

That's the set

Six things I took from zero to production.

Back to
All selected work →