Four releases in one day is what happens when a security audit turns productive. claude-code-slack-channel — the MCP server that lets Claude Code operate inside a Slack thread without leaking outside of it — cut v0.5.0 , v0.5.1 , v0.6.0 , and v0.7.0 on April 19. Four tagged releases, 62 merged PRs, four named epics. No all-nighter. No heroics. Just a sequence where each release unblocked the next and the scope was strictly bounded. This post is about the order those four epics landed in, and why shipping them together mattered more than shipping any of them alone. The thesis An audit journal that can be retroactively rewritten is worse than no journal. A supervisor that tracks in-memory session state but loses it on restart is worse than a stateless server. A policy engine that reads manifests its callers control is worse than no policy at all. And a release candidate whose audit finds six S-class bugs should ship those six bugs fixed before the next feature epic opens.…