Go modules, private repos and gopath

We are converting our internal codebase from the dep dependency manager to go modules (vgo or built in with go1.11.2). Imagine we have code like this:

$GOPATH/src/mycompany/myprogram/main.go:

package main

import (
        "fmt"
        lib "mycompany/mylib" )

func main() {
        fmt.Println("2+3=", lib.add(2, 3)) 
}

$GOPATH/src/mycompany/myprogram/go.mod:

module mycompany/myprogram

(it doesn't have any dependencies; our real-world code does).

$GOPATH/src/mycompany/mylib/lib.go:

package mylib

func Add(x int, y int) int {
        return x + y
}

I didn't module-ize this code; it doesn't seem to matter whether I do or don't.

These are trivial examples but our internal code follows a similar structure as this worked historically.

Since these directories are on the Gopath, export GO111MODULE=auto still builds as before and this works fine (modules not used because we are on the gopath). However, when I set export GO111MODULE=on I immediately get the error:

build mycompany/myprogram: cannot find module for path mycompany/mylib

So I did some research and I would like to validate my understanding. First let me say our old approach worked, but I am more interested in changing to use go modules as it appears to be where the go project itself is headed. So.

1. It seems the intention of the golang authors was that "dotless" paths belong to the standard repository only; that is there should be a binding between domain name and project. We don't use go get on our internal project, unsurprisingly. Here is the source specifically:

   Dotless paths in general are reserved for the standard library; go get has (to my knowledge) never worked with them, but go get is also the main entry point for working with versioned modules.

   Can anyone with more knowledge of golang than me confirm this?

2. My key assumption is that once go decides to use modules, all dependencies must be modules and the gopath becomes somewhat irrelevant, except as a cache (for downloaded modules). Is this correct?

3. If this is true, we need to use a private gitlab (in our case) repository on the path. There's an open issue on handling this that I'm aware of so we can implement this if necessary. I'm more interested in the consequences, specifically for iterating in the private repositories. Previously we could develop these libraries locally before committing any changes; now it seems we have a choice:

   1. Accept this remote dependency and iterate. I was hoping to avoid needing to push and pull remotely like this. There are workarounds to needing an internet connection if strictly necessary.
   2. Merge everything into one big git repository.

If it matters, I'm using go version go1.11.2 linux/amd64 and my colleagues are using darwin/amd64. If it helps, my golang is exactly as installed by Fedora's repositories.

So, tl;dr, my question is: are go modules all-or-nothing, in that any dependency must be resolved using the module system (go get, it seems) and the gopath has become redundant? Or is there something about my setup that might trigger this to fail? Is there some way to indicate a dependency should be resolved explicitly from the gopath?

Updates since asking the question:

1. I can move myprogram out of the gopath. The same issue occurs (mylib has been left in the gopath).
2. I can run, or not run, go mod init mycompany/mylib in the mylib directory; it makes no difference at all.
3. I came across Russ Cox's blog post on vgo. My concerns about offline development that I tried not to dive into too far are resolved by $GOPROXY.