
Sprint 8: The Sprint Where Our Monolith Finally Broke
What Went Wrong

We had a 3,879-line Express server file. One file. 224 routes. Every time someone touched it, merge conflicts erupted. Cognitive load was through the roof. Sprint 7's retro called it out explicitly: "Extract before Sprint 8 UI work adds frontend route dependencies."

We also had zero authentication on any API endpoint. The platform was about to get a React dashboard — exposing an unauthenticated API to a browser is a security hole you can drive a truck through.

And our migration runner existed but was never wired to server startup. Migrations from Sprints 2-6 were sitting in SQL files, never applied to production. Voice profiles? Source registry? All silently missing.

What We Actually Did

Auth from scratch, no dependencies. We built JWT authentication using nothing but Node.js . HS256 signing with and . No jsonwebtoken package. The attack surface shrinks when you don't add dependencies you don't need.

The monolith split. We wrote a Node.js extraction script that mechanic

