Repo OS — Operator Guide

This is the reference for you, the human operator. It covers how to set up projects, run sessions, and work with AI agents safely. Agents do not read this file — it’s for you.

Short-conversation model. Repo OS is designed to keep token usage low. Structured prompts, spec-first planning, and mandatory gates mean agents do less guessing and more executing — keeping sessions short across creation, initialization, and build.
The 30-Second Version

TL;DR

Repo OS is a governance layer for AI-assisted development. Three things to know:

You (operator)Own architecture, approve plans, accept risk, decide when done. These are non-delegable.
Prompt 0Before any code: guided interview builds your complete project spec (product, architecture, design system, data, features, integrations, boundaries). Baked-in design system defaults. Figma MCP integration.
AI agentsFour teams + specialists: Build Team (Orchestrator plans, Builder codes, QA blocks bad commits, Pragmatist gates over-engineering, Reviewer + Security sign off high-risk, Accessibility advises, Critic checks cohesion + diff-review), Audit/Operations (Auditor health scans, Analytics telemetry, Dev Orchestrator task-group oversight), Advisory Board (9 specialists review specs/briefs before build), and User Review (3-tier persona simulation). Plus PM Advisor (spec-fit + spec-drift) and a UX Design agent.
Repo OSEnforces decisions (mandatory rules), gates (verification before commit/push), and roles (who can do what). Hooks run automatically.
Core principle: You own intent. Agents execute within constraints. If something feels unclear or risky, stop and clarify before proceeding.
Getting Started

Setup — New Project

Step 1 — Create repo from template operator only

Go to the template on GitHub. Click Use this templateCreate a new repository. Set name, owner, visibility. Click create.

Step 2 — Clone

git clone <REPO_URL> && cd <REPO_NAME>
e.g. git clone https://github.com/acme/my-app.git && cd my-app

Step 3 — Build your project spec prompt 0

Start a Claude Code session and paste:

Follow docs/ai/prompts/prompt-0-spec-builder.md.

The AI interviews you to fill out every spec file — product, architecture, design system, data models, features, integrations, and boundaries. No code is written. You define everything. Output goes to a versioned directory under docs/spec/compiled/.

Design system: Defaults are baked into docs/spec/_templates/design-system.md (spacing on 4px base, typography scale, breakpoints, colors, radii, shadows, layout patterns). Accept as-is, override with your brand, or replace via Figma MCP.

When the AI confirms “Spec complete”, move to Step 4.

Step 4 — Initialize Repo OS prompt A

Paste:

Follow docs/ai/prompts/prompt-a-repo-os.md.

Prompt A now runs in three phases: Phase 1 activates the Advisory Board to review your specs (specialists run in parallel). Phase 2 presents a synthesized refinement report for your per-item review. Phase 3 validates the Repo OS (agents, gates, decisions). When it says “Repo OS ready”, move to Step 5.

Step 5 — Start building prompt B

For every development session going forward, paste:

Follow docs/ai/prompts/prompt-b-product-build.md.

Prompt B enforces the development operating model: plan before code, small changes, gates before commits, session log at close. The compiled spec in docs/spec/compiled/ (active version per manifest.json) is the source of truth for what to build.

When do I re-run Prompt A? Only when Repo OS itself changes (agents, gates, decisions) or when agents start drifting. For normal dev work, always use Prompt B.
When to Act

Triggers — What to Run and When

SituationActionWhy
New projectPrompt 0, then Prompt ABuild spec first, then verify Repo OS and align agents
Repo OS changePrompt A + new decisionRe-initialize consistency, document the behavioral change
Normal workPrompt BStandard dev: features, bug fixes, regular coding
Drift / confusionSTOP → re-run Prompt AReset agents, restore enforcement, correct behavior
New featurePrompt T (significant-feature path)Produces a two-brief task group — spec writing (Brief 1), then build (Brief 2)
Spec changesRe-run Prompt 0, then Prompt ARequirements changed, new features, design updates
Template syncAutomatic — Prompt 0 only if spec templates changedGovernance updates auto-merge weekly
Prototype / spikePrompt 0.5Quick test, architecture spike, or proof of concept on an experiment branch
Explore / investigatePrompt TFeasibility check, task planning, or quick Q&A — produces a task brief for Prompt B
Project auditPrompt COn-demand health check — cohesion, governance, security, performance
Visual editingPrompt EEditor-live session — agent responds to file saves, no plan gate (child mode only)
Queue triagePrompt QReview escalations, approve queue entries, manage work orders conversationally
Daemon togglePrompt DQuick on/off toggle for the automation runner (ephemeral session)
Production bugPrompt HHotfix & debug — structured diagnosis, minimal fix, iterative validation on hotfix/* branch
Before Any Code

Spec Builder — Prompt 0

Prompt 0 is a guided interview that builds your complete project specification before any code is written. The AI asks questions. You answer. Every detail is captured in structured spec files.

The spec files

FileWhat it defines
product.mdProduct name, problem, target users, core flows, success metrics, exclusions
architecture.mdTech stack, project structure, API style, patterns, deployment, constraints
design-system.mdSpacing, typography, breakpoints, colors, radii, shadows, layout, component patterns
data-contracts.mdEntities, fields, relationships, API endpoints, state management
features/*.mdPer-feature: user flow, UI states, inputs/outputs, edge cases, acceptance criteria
integrations.mdThird-party services, MCP connections, environment variables
boundaries.mdWhat NOT to build, protected areas, explicit “Assumptions: NONE” enforcement

Design system: three paths

SourceHow it works
DefaultsBaked-in values ready to use: 4px spacing scale, Inter/system fonts, type scale, breakpoints (640–1536px), neutral gray palette, border radii, shadows, layout grid, component patterns. Accept as-is or override per section.
Brand guideYou provide a brand guide (PDF, link, or describe it). AI extracts values into the design system structure. Gaps are flagged — you fill each one. No inference.
Figma MCPConnect Figma MCP server. AI extracts tokens, component specs, and layouts directly from your Figma file. Every extracted value is presented for your approval before writing.
Key rule: The AI never fills in a field itself. Every value comes from you (the operator). If something is unclear, the AI asks — it does not guess. The spec is your design, not the AI’s.

Adding a feature later use Prompt T

Prompt 0 no longer has a Feature mode (Decision 0010). To add a feature to an existing spec, use Prompt T with a significant-feature description — it produces a two-brief task group: Brief 1 writes the feature spec to docs/spec/compiled/{active}/features/brief-{name}.md, Brief 2 builds it. The advisory board (including the conditional specialists triggered by what the feature touches) reviews as part of that flow.

How It Works

Daily Workflow — The Execution Loop

Every unit of work follows a sequence of phases. This applies to every feature, fix, and change. For work planned via Prompt T, the plan and operator approval are sealed in a handoff bundle at task creation; the build session runs a deterministic drift-check and jumps straight to build (Decision 0038). Sessions with no bundle fall through to the legacy plan → approval flow. See Phase Model for full sequences per session type.

Operator
Orchestrator
plans
Builder
implements
Critic
cohesion review
QA/Verifier
checks gates
if high-risk
Reviewer
Security
Commit ✓
Op-Review
review mode
Close
merge & seal
PhaseWhat happensWho
Plan & approveDefine goal, scope, applicable decisions, files, and verification approach, and obtain operator approval. Normally done up front at task creation (Prompt T) and sealed in a handoff bundle; the build session re-checks for drift, then implements. Bundle-absent sessions plan + approve inline.Prompt T + Operator
BuildImplement in small increments (<100 lines, ≤3 files). Follow plan exactly. Run local checks as you go (format, lint, build, tests).Builder
VerifyCohesion review (Critic checks diff for internal coherence). Then gate checks: A1–A6 (when applicable). Record evidence: command, output, pass/fail. Block if any gate fails.Critic + QA/Verifier
CommitOnly after all gates pass. Pre-commit hooks run automatically (secret scan, scope warning). Push gates (B1–B3) checked before push.System + QA
Op-ReviewOperator reviews session results. Accept (proceed to close), give feedback (loop to build), or reject. Skipped in auto mode.Operator
CloseUpdate session log, commit, merge to main (solo mode), seal branch. Task groups: non-final briefs close without merge.Agent

HVST Protocol — when things break

When debugging or instability appears, agents switch from the standard loop to HVST to prevent thrashing:

Hypothesis
form testable theory
Validate
run targeted checks
Solve
minimal fix
Test
verify fix
Record
log in known-issues
Session Lifecycle

Phase Model

Every session follows a declared sequence of phases tracked in .claude/.state/phase-state. Hooks enforce phase-appropriate actions automatically — you don’t manage the state file directly. Each phase has an automation tag indicating who acts:

TagMeaning
agentAgent proceeds autonomously. No pause point.
operatorAgent pauses for operator review or decision before advancing.
bothAgent and operator work concurrently (e.g., interviews, evaluations).

Standard Build

init
branch from main
drift-check
bundle check
plan
fallback
approval
fallback
build
implement
review
cohesion
verify
gates
user-review
optional
commit
trailers
op-review
review mode
close
merge & seal
PhaseTagDescription
initagentCreate branch from main, load spec and governance context
drift-checkagentEvaluate the Prompt T handoff bundle (Decision 0038). Valid + fresh → write plan-approved + pragmatist-signed from the bundle and forward-jump to build (plan + approval skipped). Absent / expired / drifted → fall through to the legacy plan → approval path below.
plan (fallback)agentDefine goal, scope, files, verification steps. Skipped when a valid handoff bundle is present.
approval (fallback)operatorOperator approves the plan and sets auto/review mode. Skipped when a bundle exists — the Prompt T approval is then the single gate.
buildagentImplement changes in small increments
reviewagentCritic cohesion review + PM Advisory (spec-drift, conditional)
verifyagentQA gate verification (A1–A6, B1–B3)
user-reviewagentUser Review persona dispatch (optional — skipped when no User Review in brief; forward-jump to commit)
commitagentCommit with git trailers
op-reviewoperatorOperator reviews before close. Skipped in auto mode.
closeagentUpdate session log, commit, merge to main (solo), seal branch
Loops: review → build (cohesion findings) and verify → build (QA failure). Each loop increments the cycle counter.

Task Group (Brief N of M)

PhaseTagDescription
initagentCreate branch (brief 1) or check out existing branch (briefs 2+)
contract-initagentCreate contract (brief 1) or sync from contract (briefs 2+)
drift-checkagentEvaluate the per-brief handoff bundle against the synced contract (Decision 0038). Valid → forward-jump to build; absent / drifted → fall through to plan → approval.
plan (fallback)agentDefine goal, scope, files, verification steps
approval (fallback)operatorOperator reviews plan (skipped when the per-brief bundle is valid)
buildagentImplement changes in small increments
reviewagentCritic cohesion review of diff
verifyagentQA gate verification (A1–A6, B1–B3)
user-reviewagentUser Review persona dispatch (optional — forward-jump when skipped)
commitagentCommit with git trailers
contract-updateagentUpdate contract — brief status, session decisions, governance evidence
op-reviewoperatorOperator reviews (skipped in auto mode)
closeagentNon-final: close without merge. Final: merge to main, seal branch

Hotfix

PhaseTagDescription
initagentCreate branch from main (hotfix/<description>)
planagentDefine goal, scope, files, verification steps
approvaloperatorOperator reviews and approves the plan
buildagentImplement the fix
verifyagentQA gate verification (A2 scope relaxed, A5 skipped)
commitagentCommit with git trailers
closeagentMerge branch to main, seal branch

Loops: verify → build only. No review phase — A5 cohesion skipped for speed.

Editor-Live Decision 0023

Continuous visual-development session type for operator-driven editing workflows. The operator edits files in an external editor; the agent responds to each saved change. No plan gate — the operator’s live edits are the plan. Child mode only.

init
branch from main
build
implement
commit
A4 safety
review
cohesion
verify
full gates
op-review
review mode
close
merge & seal
PhaseTagDescription
initagentCreate branch from main, start editor-watch.sh file watcher
buildagentRespond to operator file saves — each save triggers an agent build pass
commitagentA4 safety per-loop commit
reviewagentCohesion review at final pass
verifyagentFull gate verification at final pass
op-reviewoperatorOperator reviews before close (skipped in auto mode)
closeagentMerge to main, seal branch
Loops: commit → build (next change iteration) and verify → build (QA failure). Cycle advisory at 50 iterations. The editor-watch.sh watcher detects file saves and triggers each cycle.

Experiment

PhaseTagDescription
initagentCreate or check out experiment branch
buildagentBuild directly — no plan required
commitagentCommit (A4 safety only)
closeagentClose session, no merge to main

Auto vs Review Mode

The operator chooses a session mode when the work is approved — at the Prompt T brief approval (recorded in the handoff bundle and read by drift-check), or at the legacy plan-approval gate when no bundle exists:

ModeBehavior
Review defaultAgent pauses at op-review for operator acceptance before close. Operator may accept, give feedback (loops to build), or reject.
AutoAgent completes through merge autonomously after all gates pass. The op-review phase is skipped.

Solo Mode

Solo mode enables direct merge to main at session close. Set per-session in the phase-state file.

  • At close (auto): merge branch to main directly, then seal branch
  • At close (review): agent pauses at op-review for operator acceptance, then merges
  • Merge failure: git merge --abort, operator notified with conflict details
  • Excluded: experiment/* (never merge) and release/* (excluded from solo merge)
Task group branch strategy: One branch per group. Brief 1 creates the branch. Briefs 2 through N−1 commit and close without merge. Brief N (final) merges to main and seals the branch.
The Team

Agent Roles

Agents across four teams: Build Team (implementation — 8 agents, incl. the Pragmatist plan-gating reviewer), Audit/Operations (health checks, telemetry — 3 agents), Advisory Board (spec & task review — 9 specialists, see next section), and User Review (persona simulation — 3 tiers). Plus the PM Advisor (spec-fit + build-phase spec-drift) and the UX Design Agent (design, UX review, design-health). All read shared files (_agent-glossary.md, _agent-workflow.md) before operating. Click to expand details.

🎯

Orchestrator

Plans, coordinates, ensures human-led architecture
advisory

Authority

Can: Task breakdown, agent delegation, session pacing. Requires operator: Architecture decisions, solution approach, scope changes, risk acceptance. Cannot: Implement directly (except <10 lines), skip gates, finalize architecture alone.

Key Rules

Read all Repo OS docs before planning. Identify applicable decisions. Stop on ambiguity and ask you. Produce clear plans (goal, decisions, steps, files, verification). When a plan phase runs, dispatch the Pragmatist (plan-gating) before presenting the plan. Delegate implementation to Builder. After Builder completes, invoke Critic (combined mode — cohesion + diff-review) to review the diff, alongside PM Advisory. Require QA before commits. Require Reviewer + Security for high-risk.

Tools

Behavioral reference only (no YAML frontmatter, not invocable as subagent). The Orchestrator is the main Claude Code session itself, operating under orchestrator.md behavioral guidance.

🔨

Builder

Implements scoped changes exactly per plan
advisory

Authority

Can: Implementation details within scope, code style, local refactoring for clarity. Requires Orchestrator: Out-of-scope changes, plan gaps, architectural decisions. Cannot: Commit/push, change scope, make architecture decisions, spawn subagents.

Tools

ReadEditWriteGlobGrepBashTask

Scope

Follow plan exactly. Small reviewable changes. Prefer minimal diffs. Run local checks (format, lint, build, typecheck, tests). Surface uncertainty early. Signal completion clearly with a structured summary.

QA / Verifier

Verifies all gates before commits
blocks commits

What It Checks

A1 Decision compliance — all decisions followed. A2 Process — plan exists, scope small, changes explainable. A3 Quality — format, lint, build. A4 Safety — secret scan, PII check. A5 Cohesion — diff coherence review. A6 Task Group — contract compliance (when applicable). For pushes: B1–B3 naming convention, tests, typecheck, dependency audit.

Tools

ReadGlobGrepBashEditWriteTask

Rule

Any gate fails → BLOCK. All pass → APPROVE with evidence (command, output, pass/fail, timestamp).

🔍

Reviewer

Code quality for high-risk / structural changes
conditional

When Required

Structural changes (new modules, APIs, schemas), high-risk domains (auth, payments, data, PII, external integrations), cross-cutting changes (logging, error handling, shared utils), or push gates specify sign-off.

Checks

Clarity, simplicity, correctness, risky patterns (race conditions, resource leaks, silent failures, N+1 queries, unbounded operations). Verdicts: Approve, Approve with Notes, Request Changes, Block.

Tools

ReadGlobGrepEditWriteBashTask
🔒

Security / Privacy

Secrets, auth risks, vulnerabilities
conditional

When Required

Auth/security boundaries touched, sensitive data/PII, dependencies changed, cryptography, external integrations, untrusted input handling.

Checks

Secret scan (BLOCK immediately if found), OWASP Top 10, auth review, data handling, dependency audit (CVEs). Severity: Critical (block) → High → Medium → Low.

Tools

ReadGlobGrepBashEditWriteTask

Accessibility

WCAG 2.1 AA compliance review
advisory

When Recommended

New/modified UI, forms, interactive elements, navigation, images/media. Required for public-facing UI, user input forms, interactive widgets, landing pages.

Checks

WCAG 2.1 AA (perceivable, operable, understandable, robust). Semantic HTML, keyboard access, focus management, ARIA, color contrast (≥4.5:1 text, ≥3:1 large). Advisory only — major barriers escalated to Orchestrator.

Tools

ReadGlobGrepEditWriteBashTask
🧠

Critic

Combined cohesion + diff-review — 5 modes
advisory

Five Modes

Spec mode (advisory board): Finds gaps, contradictions, and unstated assumptions in compiled specs. Cohesion mode (post-build): Reviews the diff and surrounding code for internal codebase coherence — broken references, dangling imports, inconsistent naming, incomplete integrations. Diff-review mode (pre-verify): Finds mechanical bugs in staged changes — broken imports, missing exports, type-contract violations, null/undefined access, logic errors. Combined mode (default for the Prompt B review phase, Decision 0039): Runs cohesion + diff-review in a single dispatch, emitting two briefs each with its own GATE_RESULT; writes cohesion-reviewed and diff-review-complete state (Gate A5). Hypothesis mode (HVST Review Board): Evaluates debugging hypotheses for logical soundness when debugging stalls.

Tools

ReadGlobGrepEditWriteBashTask

Pragmatist

Over-engineering / proportionality reviewer
blocks commits

Two Modes

Brief-Advisory (Prompt T): 4th core specialist alongside Architect, Exploration, and Critic — flags disproportionate approaches in the task brief. Plan-Gating (Prompt B): reviews the implementation plan before operator approval and emits a GATE_RESULT sentinel. FUNDAMENTAL-MISMATCH blocks; OVER-ENGINEERED is advisory. Writes the pragmatist-signed state file (verified at commit). Decision 0025.

Anchoring

Anchored to a YAGNI cost taxonomy with a falsifiable anti-pattern checklist — findings must be concrete, not stylistic.

Tools

ReadGlobGrepEditWriteBashTask
📋

Auditor

Six-mode project health analyst
advisory

Six Modes

drift — Does the code match the spec? compliance — Are decisions being followed? cohesion-drift — Has internal coherence degraded over time? governance — Are session logs, decisions, and governance files healthy? tech-debt — Has accumulated compromise created maintenance risk? graph-health — Are the knowledge-graph nodes and edges complete and consistent with the codebase? (Decision 0034)

When Invoked

Operator runs Prompt C. Each mode is dispatched as a separate Task. Read-only — produces findings in advisory board brief format. Capped at ~10 findings per dimension, CRITICAL first.

Tools

ReadGlobGrepEditWriteBashTask
📊

Analytics

Hook telemetry analysis & cross-repo reporting
advisory

What It Does

Reads NDJSON event data from ~/.local/share/repo-os-analytics/ (centralized, per-repo). Generates reports on hook performance, override patterns, gate outcomes, and session telemetry. Cross-repo analysis via the central registry.

When Invoked

Operator-invoked only — never automatic. Standalone Operations agent, not part of the build or advisory flow.

Tools

ReadGlobGrepBashEditWriteTask
🛠

Dev Orchestrator

Task group oversight & cross-brief coherence
advisory

What It Does

Reviews cross-brief coherence within task groups, validates contract compliance, detects boundary drift, and produces health reports. Invoked by the automation runner between content briefs and before merge briefs.

Tools

ReadGlobGrepBashEditWriteTask
📊

PM Advisor

Standard+ advisory specialist + build-phase spec-drift
conditional

When Invoked

Two roles: (1) a Standard+ advisory-board specialist during Prompt A / Prompt T spec review (product-goal fit, MVP scope, spec cohesion; may emit spec-edit proposals the operator accepts / rejects / defers), and (2) build-phase spec-drift review during the review phase in parallel with the Critic. Conditional — requires compiled spec or mvp-scope.yaml; skipped silently otherwise. Findings are advisory (not gating).

PM Scope Labels

Three labels orthogonal to severity: IN-SCOPE (within defined MVP scope), OUT-OF-SCOPE (outside MVP scope), DEFER (defer to later phase). Labels are informational context; findings route by severity as normal.

Reference

Defined in .claude/agents/_pm-advisor.md (on-demand, loaded when PM Advisory dispatched).

🎨

UX Design Agent

Design, UX review & design-health enforcement — 3 modes
advisory

Three Modes

Mode 1 — Generative design (Prompt T): produces design briefs for UI tasks. Mode 2 — UX review (Prompt A / B): advisory UX findings (CRITICAL / RECOMMENDATION / IDEA). Mode 3 — Design health (Prompt B post-build): design-system compliance with TOKEN-VIOLATION / COMPONENT-BYPASS / SYSTEM-DRIFT labels; auto-detects whether a design system exists. Advisory — does not block commit. Distinct from the spec-time UX Strategist.

Tools

ReadGlobGrepWebSearchEditWriteBashTask
👤

User Review

LLM persona simulation — 3 tiers
conditional

When Invoked

Dispatched in the user-review phase (after verify, before commit). Skipped when no User Review defined in the task brief or contract (forward-jump to commit). Child mode only. Advisory only — no gate, no state file.

Three Tiers

TierPersonaMental ModelConfusion Threshold
Tier 1Power UserStrong — infers from experienceLow
Tier 2Everyday UserPartial — common patternsModerate
Tier 3Novice UserNone — every interaction newHigh

Dispatch

Selected tiers dispatched in parallel. Each receives persona profile, scenario YAML, and modified files list. Results deduplicated across tiers, severity escalated to highest when tiers conflict. Single User Review Report produced.

Reference

Decision 0021. Agent files: _user-review-shared.md, _user-review-tier-{1,2,3}.md.

Spec Review

Advisory Board

Before any code is written, up to 9 specialist agents review your compiled spec (or task brief) for gaps, risks, and opportunities. They run in parallel during Prompt A Phase 1 (and a task-scoped subset runs in Prompt T Brief mode). All findings are advisory — you decide what to act on.

How it works

Spec Complete
Orchestrator
scans & activates
Parallel Specialists
Architect
Critic
Pragmatist
Exploration
PM
Security
UX
Perf
Data
Refinement
Report
Operator
Review
Build ✓

Activation

Three specialists always run (Lite+ tier — the core group: Architect, Critic, Pragmatist). Exploration and PM Advisory join at Standard+. Four conditional specialists activate at Full tier when trigger keywords are found in the spec or task brief.

SpecialistTierTrigger
ArchitectLite+ (always)
Critic (spec mode)Lite+ (always)
Pragmatist (brief-advisory)Lite+ (always)
ExplorationStandard+
PM AdvisoryStandard+Requires compiled spec or mvp-scope.yaml (skipped silently otherwise)
Security AnalystFull (conditional)Auth, sessions, OAuth, PII, payments, external APIs
UX StrategistFull (conditional)UI, design system, user flows, forms, responsive
Performance EngineerFull (conditional)Real-time, websockets, large data, media, CDN
Data StrategistFull (conditional)Database, data contracts, migrations, schema, GDPR

The specialists

All advisory agents are read-only. They cannot modify files, run commands, or spawn sub-agents. Click to expand details.

📚

Exploration

Research, best practices, creative alternatives
Standard+

What It Does

Combines research and creative exploration in a single pass. Grounds recommendations in real-world evidence while surfacing unconventional alternatives. Every research claim must cite a source. Every idea must include a tradeoff.

Review Scope

Tech stack currency, dependency risks, integration patterns, alternative architectures, emerging technologies, build-vs-buy, DX improvements, cross-feature synergies.

Tools

ReadGlobGrepWebSearchWebFetchEditWriteBashTask
🏗

Architect

Structural integrity, scalability, patterns
always

What It Does

Reviews spec for structural integrity, scalability, separation of concerns, and pattern consistency. Validates that the architecture supports all specified features.

Review Scope

Coupling and dependencies, boundary clarity, data model ↔ feature alignment, API contract consistency, scaling concerns.

Tools

ReadGlobGrepEditWriteBashTask
🧠

Critic

Gaps, contradictions, unstated assumptions
always

What It Does

Adversarial review — specifically finds what is missing, contradictory, or ambiguous. Identifies problems only; does not propose solutions (other specialists solve).

Review Scope

Cross-reference failures, unstated assumptions, missing edge cases (empty/error states), contradictions between spec files, completeness gaps.

Tools

ReadGlobGrepEditWriteBashTask

Pragmatist

Over-engineering / proportionality (brief-advisory)
always

What It Does

Reviews the spec or task brief for disproportionate approaches — speculative generality, premature abstraction, scope inflation. Anchored to a YAGNI cost taxonomy with a falsifiable anti-pattern checklist. (In Prompt B it runs as a Plan-Gating gate — see the build-team roster.)

Tools

ReadGlobGrepEditWriteBashTask
📊

PM Advisory

Product-goal fit, MVP scope, spec cohesion
Standard+

When Activated

Standard+ tier when a compiled spec or mvp-scope.yaml exists (skipped silently otherwise).

Review Scope

Product-goal alignment, MVP scope sizing, sequencing, and spec cohesion. May emit spec-edit proposals (current value → proposed value + rationale) that the operator accepts, rejects, or defers. Also runs in the build review phase for spec-drift.

Tools

ReadGlobGrepWebSearchEditWriteBashTask
🛡

Security Analyst

Threat surface, auth patterns, data protection
conditional

When Activated

Auth, sessions, OAuth, PII, external APIs, payments, file uploads, multi-tenancy, role-based access.

Review Scope

Auth architecture, data classification, API security, third-party trust boundaries, compliance signals (GDPR, CCPA, PCI). References OWASP Top 10 and ASVS.

Tools

ReadGlobGrepWebSearchEditWriteBashTask
🎨

UX Strategist

Interaction patterns, accessibility, responsive design
conditional

When Activated

UI or design system specified, user flows with UI states, forms, interactive components, responsive strategy.

Review Scope

User flow completeness (loading/error/empty states), information architecture, accessibility foundations (contrast, keyboard, ARIA), responsive strategy, form UX, design system consistency. References WCAG 2.1 AA and Nielsen’s Heuristics.

Tools

ReadGlobGrepWebSearchEditWriteBashTask

Performance Engineer

Caching, bundle size, rendering, data fetching
conditional

When Activated

Real-time features, large datasets, media processing, performance-critical flows, CDN, SSR/SSG/ISR decisions.

Review Scope

Data fetching patterns (N+1, unbounded queries, pagination), rendering strategy per route, caching and invalidation, bundle splitting, real-time connection management, media optimization.

Tools

ReadGlobGrepWebSearchEditWriteBashTask
🗃

Data Strategist

Schema design, migration safety, contract consistency
conditional

When Activated

Database schema, data contracts, migration strategy, GDPR/retention requirements, multi-entity relationships.

Review Scope

Schema design and normalization, migration safety and rollback, data lifecycle (CRUD completeness), contract ↔ feature consistency, validation rules, compliance requirements.

Tools

ReadGlobGrepEditWriteBashTask

Refinement report

The Orchestrator synthesizes all specialist briefs into a single report, organized by severity:

  • Critical Findings — must address before build begins
  • Recommendations — you decide, grouped by specialist
  • Ideas — from Exploration + nice-to-haves from others
  • Activation Summary — which specialists ran and why

You review each item: Accept (integrate into spec), Reject (document reason), or Defer (revisit later). All Critical findings must be addressed before proceeding to build.

Advisory, not mandatory: The advisory board produces recommendations. You are the final arbiter. Every accept/reject decision is yours. The system does not block commits based on advisory findings.
Verification

Quality Gates

Gates must pass before code moves forward. Three tiers — click to switch:

A — Commit
B — Push
C — Conditional + Release
A1

Decision Compliance

All decisions from docs/ai/decisions/ identified and followed.

Violation → commit blocked. No exceptions.
A2

Process

Plan exists before code. Changes explainable (what + why). Session log updated at close. Scope is small/reviewable — scope >100 lines blocks commit unless plan-approved state file contains large-scope: true. Hotfix branches: scope check skipped.

Large scope requires documented operator approval.
A3

Quality

Formatting, linting, and build pass. Each check documented with command and result.

Applies when tooling exists in repo.
A4

Safety

No secrets (API keys, tokens, passwords, private keys). No PII in logs/fixtures.

Enforced automatically by pre-commit hook.
A5

Cohesion

Critic (cohesion mode) reviewed the diff for internal codebase coherence: broken references, dangling imports, naming inconsistencies, incomplete integrations. All critical findings resolved.

Applies to standard+ branches (not experiment or hotfix).
A6

Task Group Compliance

Task group contract exists and is current. Conventions followed. Contract updated at session close. Modified contract must be staged.

Applies when task brief contains ### Task Group. Override: SKIP_CONTRACT_CHECK=1.
B1

Process (Push)

Branch name must match naming convention (<category>/<description>). Meaningful commit message.

Enforced by pre-push hook. Unrecognized branch names block push.
B2

Quality (Push)

Tests pass. Typecheck passes. All commit gates (A1–A6) also satisfied.

B3

Safety (Push)

Dependency audit if dependencies changed. No debug flags left enabled.

C

Conditional Gates

Project-specific gates defined in decision records or project docs. When trigger conditions are met, they block commits or pushes. Examples: GPS testing with mock coordinates, auth flow verification, payments sandbox, data migration rollback plans.

C1

Release Checklist

Version bumped. Changelog updated. Release notes drafted.

Applies to release/* branches before merge to main.
C2

Full Verification

All A + B gates pass. Full test suite (not just related tests).

C3

Release Sign-offs

Reviewer + Security sign-off required on every release merge.

Governance

Decisions

Version-controlled constraints in docs/ai/decisions/. They are laws, not notes. Violations block commits. If one no longer fits, create a new decision — never silently ignore the old one.

t-0001

Repo OS Baseline

Establishes authority model (operator vs agent), prompt system (Prompt 0 for spec, A for init, B for dev; extended by 0.5 and T), mandatory gates, session-based work, GitHub template as source of truth. Baseline must exist (Commit 0) before any product code.

t-0002

Decisions Are Mandatory

Decisions are binding constraints. Applicable decisions must be identified and followed for every change. Conflicts require a new decision before proceeding. Violations block commits.

t-0003

Agent Structure Standard

Agent definitions use YAML frontmatter for tool boundaries. Shared files (_agent-glossary.md, _agent-workflow.md) are mandatory reading. Orchestrator is behavioral guidance only (no frontmatter, not invocable as subagent).

t-0004

Mechanical Enforcement

Multi-point enforcement via Claude Code native features: subagent YAML frontmatter for tool boundaries, team settings for permissions and hooks. Hook scripts cover edit guards (write-guard.sh), Bash guards (bash-guard.sh), file restrictions (write-guard.sh mode guard), commit/push gates (pre-commit-gates.sh, pre-push-gates.sh), agent controls (agent-git-guard.sh), state capture (plan-approval.sh, state-writer.sh), debugging (hvst-failure-tracker.sh), permission management (permission-request.sh, ask-user-deny.sh), and session lifecycle (session-close-check.sh). Session-scoped state files in .claude/.state/ verify governance steps. Sentinel protocol: agents emit GATE_RESULT: for machine-parsed verdicts. Three governance layers: inter-session pipeline, phase chain, and override audit.

t-0005

Companion Tool Pattern

Companion tools extend the dev workflow without modifying Repo OS core governance. They integrate via MCP servers in .claude/settings.json. The template ships clean — no companion tools pre-configured.

t-0006

Prototyping Tiers

Three-tier prototyping system (Napkin / Spike / PoC) on experiment/* branches. Operator self-selects tier based on complexity. Prompt 0.5 facilitates. Only learnings are promoted — code is disposable. Experiment briefs stored in docs/spec/prototypes/.

t-0007

Advisory Board

9 read-only specialist agents review compiled specs (or task briefs) before build. Core (Lite+): Architect, Critic, Pragmatist (always). Standard+: adds Exploration and PM Advisory. Full (conditional): Security Analyst, UX Strategist, Performance Engineer, Data Strategist. Prompt A orchestrates in 3 phases; a task-scoped subset also runs in Prompt T Brief mode.

t-0008

Cohesion Review Gate

Post-build coherence review via Critic (cohesion mode). Checks diff + neighbors for broken references, dangling imports, naming inconsistencies, incomplete integrations. Gate A5 verified by QA. Applies to standard+ branches. Critic stays read-only — Orchestrator passes diff context.

t-0009

Analytics & Observability Layer

Hook telemetry via NDJSON events to centralized external storage at ~/.local/share/repo-os-analytics/<repo>/events/ (outside repo tree). Analytics agent is the sole consumer (operator-invoked). All hooks emit v2 events via _analytics-helper.sh with mode, branch, and optional detail/path fields. Override audit trail via overrides.log. Data lifecycle: 90-day retention, session-scoped IDs, fail-silent writes. Legacy data may remain in .claude/analytics/ (read-only).

t-0010

Task Definition Prompt

Prompt T for task exploration and planning. Two modes: Query (conversational Q&A, ephemeral) and Brief (4 core specialists produce a structured task brief). On approval, Brief mode writes a sealed handoff bundle (Decision 0038) carrying the plan, contract, and chosen mode; that approval is the single gate, and Prompt B’s drift-check consumes the bundle. No session log entries.

t-0011

Task Group Contracts

Multi-brief coordination via YAML contracts at docs/ai/task-groups/. Gate A6 enforcement: contract exists, conventions followed, contract updated at session close, modified contract staged. Sequential brief execution with next_brief chaining. Override: SKIP_CONTRACT_CHECK=1.

t-0012

File Edit Restrictions (Mode Guard)

Three operating modes — template (governance only), child (product + limited governance), autonomous (product + minimal governance) — controlling which files agents can modify. Declared in .claude/repo-mode. Default-deny on governance prefixes with per-mode carve-outs. Immune paths (write-guard.sh, repo-mode). Bash command scanning for write patterns.

t-0013

Session Branch Isolation

One session per branch. When a session closes, the branch is sealed via .claude/local/closed-branches ledger — no future session may edit files on it. Enforced by bash-guard.sh and write-guard.sh. Task group exemption: branches with pending briefs stay open for multi-brief workflows. Zero-change sessions do not seal. Override: REPO_OS_SKIP_BRANCH_REUSE=1.

t-0014

Phase-Aware Flow Model

Phase-state file (.claude/.state/phase-state) tracks session lifecycle progress. 14 session types across 6 prompt archetypes, each with a fixed phase sequence and automation tags (agent/operator/both). Forward-only transitions with defined loops (review→build, verify→build). Auto mode skips op-review; review mode (default) pauses for operator acceptance. Session ID binding prevents stale state from prior sessions. Amended by Decision 0038: standard / taskgroup sequences add a drift-check phase that consumes the Prompt T handoff bundle and forward-jumps to build when valid.

t-0015

Solo Mode

Direct merge to main at session close for solo operators. One branch per task group — final brief merges, intermediates commit without merge. Merge failure triggers git merge --abort and operator notification. Excluded for experiment/* (never merge) and release/* (excluded from solo merge) branches.

t-0016

Auditor Agent & Prompt C

Establishes the Auditor as a dedicated read-only project health analyst with six scan modes (drift, compliance, cohesion-drift, governance, tech-debt, graph-health). Prompt C serves as the multi-mode dispatch framework with advisory board brief format output.

t-0017

Operator Automation Layer

Adds an optional headless runner infrastructure for automated claude -p sessions with full governance parity. Ships disabled. Includes queue lifecycle, escalation types (9), permission auto-approve (permission-request.sh), headless AskUser deny (ask-user-deny.sh), decision cache, scope classification, and runner/stop-hook parity contract.

t-0018

Mechanical Task Group Enforcement

Upgrades task group contract existence and staging validation from REQUIRE to BLOCK. pre-commit-gates.sh mechanically prevents commits that violate task group contract requirements (gate A6). bash-guard.sh adds task group merge protection.

t-0019

Fail-Closed Phase Enforcement

Changes bash-guard.sh phase gate logic from fail-open to fail-closed when phase-state is absent on governed branches. Opt-in sentinel file controls rollout. Advisory mode when sentinel absent.

t-0020

Task Contract System

Introduces task contracts (.claude/.state/task-contract.yaml) defining task intent and verification criteria. Extracted from brief text at session init. Serves as the cohesion review reference — Critic uses verification: to evaluate whether implementation achieves stated intent.

t-0021

User Review System

Advisory-only LLM persona simulation providing synthetic user perspective on implementation. Three tiers (Power User, Everyday User, Novice). Dispatched in user-review phase after verify. Skipped when no User Review defined. Child mode only.

t-0022

Template Decision Naming (t- Prefix)

Template decisions use t-NNNN-*.md naming, synced from upstream and locked in child/autonomous modes. Child decisions use plain 0100-*.md+. Mode-guard enforces via prefix check. t-manifest.txt lists all template decisions for orphan cleanup.

t-0023

Editor-Live Session Type

Continuous visual-development session type: init → build → commit → review → verify → op-review → close. No plan gate — operator edits are the plan. Loops: commit→build (next iteration), verify→build (QA failure). editor-watch.sh file watcher. 50-iteration cycle advisory. Child mode only.

t-0024

Child Repo Default Mode

Child repos default to child mode via committed .claude/repo-mode file, eliminating manual setup and preventing accidental template restrictions in product repositories.

t-0025

Pragmatist Agent

Dual-mode over-engineering review agent. Brief-Advisory mode (Prompt T): 4th core specialist alongside Architect, Exploration, Critic. Plan-Gating mode (Prompt B): reviews implementation plans before operator approval with GATE_RESULT sentinel (BLOCKED or APPROVED). Anchored to YAGNI cost taxonomy with falsifiable anti-pattern checklist.

t-0026

Session-Type Validation

Mechanical check detecting when a brief contains ### Task Group metadata but the session was initialized with a non-taskgroup type. Blocked at first governed Bash write (bash-guard.sh Gate 2b) and first governed Edit/Write (write-guard.sh Gate 2b). Fingerprint file: .claude/.state/brief-has-taskgroup.

t-0027

Agent Tool Governance Gate

Closes the Agent tool bypass that allowed write-capable subagents in no-write sessions (Prompt T, A, C, D, ephemeral). pretooluse-permission.sh checks subagent_type against a read-only allowlist. Fail-closed when phase-state is missing. Also blocks claude subprocess invocation via Bash deny pattern.

t-0028

Worktree State Isolation

Hardens governance state boundary for worktree-isolated subagents. When a governance agent runs inside a git worktree (spawned via isolation: “worktree”), state-writer.sh refuses to write state files, preventing subagent verdicts from contaminating parent session state.

t-0029

Operator Acknowledgment Enforcement

Generalizes operator-acknowledgment enforcement by renaming taskdef-brief’s op-review phase to approval. Activates existing has_plan_gate / advance_phase substance check requiring plan-approved state file before advancing to the post-approval phase.

t-0030

Worktree Session Isolation

Enables full independent Claude Code sessions in git worktrees (claude --worktree) with per-session governance isolation and sequential merge coordination back to main. Supersedes Decision 0028 for full worktree sessions only — subagent worktree writes remain blocked.

t-0031

REPO_OS_RECOVER Risk Posture

Documents and accepts the risk posture of the REPO_OS_RECOVER emergency recovery mechanism. Recovery mode bypasses all state-dependent governance checks to unblock stuck sessions. File-based signal: .claude/.state/.recover-signal (single-use, consumed by first hook).

t-0032

Parallel Task Group Worktree Isolation

Parallel task group content briefs MUST run as full worktree sessions (claude --worktree with REPO_OS_SESSION_ID), each committing to its own isolated branch. The merge brief combines per-brief branches before cross-session cohesion review. REQUIRE-level constraint.

t-0033

Session Worktree Default

Makes worktree isolation the default for all sessions — interactive (claude --worktree), headless, and daemon-spawned (runner.sh passes --worktree to every claude -p). The main working tree stays on main with no branch switching. Builds on Decisions 0030/0032 (per-session state dirs, merge coordination); .worktrees/ is gitignored. Opt-out: REPO_OS_WORKTREE_ISOLATE=0.

t-0034

Knowledge Graph Data Layer

Persistent knowledge graph mapping semantic connections between codebase entities (files, decisions, hooks, prompts, contracts, conventions) at docs/ai/knowledge-graph/graph.yaml (schema in schema.yaml). 7 node types, 8 edge types (governs, constrains, implements, depends-on, etc.). Agent-maintained, operator-curated, self-correcting via active/stale/unverified staleness signals. Loaded on demand for relevance scoring (.claude/tools/kg-relevance.sh).

t-0035

Selective Spec Loading

Reduces compiled-spec token consumption via deterministic spec digests (spec-digest.sh, awk/sed extraction — no LLM), a manifest-based feature index, and task-scoped selective loading. Full-load reading drops from ~153K tokens to ~5–10K per specialist. Compiled specs stay authoritative — DIGEST.md is derived; spec wins on conflict. Absent ### Spec References falls back to full loading.

t-0036

Daemon-Safe Branching

The main working tree MUST NOT change branches while the automation daemon is running — mid-execution branch switches replace governance files the daemon sources and crash in-flight sessions. bash-guard.sh (Phase 1c) blocks git checkout/git switch/git reset --hard when a daemon is active (detected via runner.pid or pgrep). Exempt: file restores and commands run inside a worktree.

t-0037

Governance Runtime Packaging

Splits the Template Standalone Guarantee into two tiers: content standalone (unconditional — prompts, agents, decisions, specs stay local plaintext) and enforcement standalone (platform-dependent — hooks, runner, state machine). Classifies template directories into content/runtime/hybrid tiers and defines three hook lifecycle states: local (full shell logic), stub (thin IPC client), and frozen (immutable after migration). Migration is hook-by-hook with pass-through fallback.

t-0038

Handoff Bundle (Prompt T → Prompt B)

Collapses redundant plan re-derivation between Prompt T and Prompt B. Prompt T writes a sealed handoff bundle (.claude/local/handoff-bundle.yaml) with the inlined task contract on approval; its approval becomes the single approval gate. Prompt B replaces its plan → approval phases with a deterministic drift-check (_phase-helper.sh::drift_check) that writes plan-approved from a valid bundle. Saves ~5–15K tokens and one operator interaction per session.

t-0039

Critic Single-Dispatch Consolidation

Adds a combined mode to the Critic that merges cohesion review and diff-review into one dispatch with two fixed sections (## Cohesion Brief, ## Diff-Review Brief), each ending in its own GATE_RESULT:. Eliminates duplicate prompt-assembly cost in the Prompt B review phase; both verdicts must be APPROVED to advance. state-writer.sh routes the sections to separate state files. Single-mode dispatches remain valid for targeted re-runs.

t-0040

Finish-Loop Dimension Verdict Cache

Caches per-dimension PASS verdicts in Prompt F (finish-loop) keyed by an input-set hash, in a session-scoped finish-loop-cache.yaml. When a dimension’s input hash is unchanged since its prior PASS, the verdict is inherited instead of re-assessed, avoiding redundant regression-checks of stable dimensions. Append-only; only PASS is cached (FAIL re-runs); cleaned at session close.

Automation & Structure

Hooks & File Map

What runs automatically

HookWhenWhat it doesBlocks?
pretooluse-permission.shBefore every Agent and BashAgent: session-type-aware subagent allowlist — blocks write-capable subagents in no-write sessions (Prompt T/A/C/D, ephemeral), fail-closed when phase-state is missing (Decision 0027). Bash: deny list blocks dangerous commands incl. claude subprocess; allow list passes safe patterns; headless fail-closed for unknown commands. Audit: .claude/.automation/logs/permission-audit.log.yes (deny)
bash-guard.shBefore every BashConsolidated Bash PreToolUse guard (Phase 3a). State-guard, mode guard, plan-approval gate, fail-closed phase enforcement (Decision 0019), task group merge protection (Decision 0018), session overlap, session branch isolation. Daemon-safe branching (Phase 1c): blocks git checkout/git switch/git reset --hard on the main tree while the automation daemon is active (Decision 0036). Ephemeral session fast-exit (Phase 3b). Override: REPO_OS_ALLOW_MAIN=1, REPO_OS_SKIP_PLAN_GATE=1, REPO_OS_SKIP_BRANCH_REUSE=1, REPO_OS_RECOVER=1.yes (exit 2; ephemeral: pass-through)
write-guard.shBefore every Edit or WriteUnified state + mode + branch enforcement. Blocks model writes to .claude/.state/; mode guard (template/child/autonomous per .claude/repo-mode); main-branch protection; phase-aware edit gate (blocks edits during init/plan); session overlap and branch isolation (Decision 0013; closed-branch ledger, task groups exempt). Override: REPO_OS_SKIP_STATE_GUARD=1, REPO_OS_SKIP_MODE_GUARD=1, REPO_OS_UNLOCK_PATH=<path>, REPO_OS_ALLOW_MAIN=1, REPO_OS_SKIP_BRANCH_REUSE=1, REPO_OS_RECOVER=1.yes (exit 2)
pre-commit-gates.shBefore every git commitA4: Secret scanning (blocks). State file verification (blocks — requires plan-approved, pragmatist-signed, cohesion-reviewed, diff-review-complete, qa-verified). A5: Cohesion + diff-review APPROVED (Decision 0039). Gate 3: Inter-session governance check (advisory, first-fire). A2: Scope >100 lines (blocks unless large-scope approved). A6: Task group contract staging (blocks). High-risk pattern detection (blocks — requires reviewer-signed + security-signed). A1: Decision trigger parser (blocking). Override: REPO_OS_SKIP_PLAN_GATE=1, SKIP_CONTRACT_CHECK=1, REPO_OS_RECOVER=1.yes (exit 1)
pre-push-gates.shBefore every git pushB1: Branch naming convention (blocks). Stubs for B2 tests/typecheck and B3 dependency audit — activate per project. Override: REPO_OS_RECOVER=1.yes (exit 1)
plan-approval.shAfter AskUserQuestionCaptures operator plan approvals. Writes .claude/.state/plan-approved when operator confirms a plan (legacy provenance — the bundle path _phase-helper.sh::drift_check also writes plan-approved from a valid handoff bundle, Decision 0038). Never blocks (PostToolUse).no (post-tool)
state-writer.shAfter subagent completesCaptures governance agent verdicts as state files in .claude/.state/cohesion-reviewed, diff-review-complete (routed by the MODE: diff-review sentinel, Decision 0039), qa-verified, reviewer-signed, security-signed, pragmatist-signed. Extracts GATE_RESULT: sentinel. Subagent worktree writes skipped (Decision 0028); full worktree sessions allowed (Decision 0030). Never blocks.no (post-agent)
agent-git-guard.shBuilder/QA/Security Bash callsBlocks git commit and git push commands in subagents. Only the Orchestrator can commit/push.yes (exit 2)
ask-user-deny.shBefore AskUserQuestionBlocks AskUserQuestion when CLAUDE_HEADLESS=1 (Decision 0017). Defense-in-depth for headless automation — prevents interactive prompts in automated sessions.yes (headless; interactive pass-through)
permission-request.shOn PermissionRequestAuto-approves curated tools and safe Bash patterns (_permission-allowlist.sh), denies dangerous patterns, falls through to VS Code dialog. Audit log: .claude/.automation/logs/permission-audit.log (Decision 0017).yes (deny) / allow / fallthrough
hvst-failure-tracker.shAfter every Bash commandTracks consecutive failures. After 2+ failures, reminds agent to check known-issues.md and follow HVST protocol.no (advisory)
session-close-check.shWhen Claude stops respondingSession log check (blocking; zero-change sessions downgrade to advisory). Uncommitted changes check (blocking). HVST known-issues check (blocking when hvst-fail-count ≥ 2). Deferrals known-issues check (blocking when .deferrals-pending exists). Override audit summary (advisory). Governance evidence verification for task groups (advisory). Next-brief reminder for task groups (advisory). Session-scoped state cleanup. Override: SKIP_SESSION_LOG=1, SKIP_UNCOMMITTED_CHECK=1, SKIP_KNOWN_ISSUES_CHECK=1, SKIP_CONTRACT_CHECK=1.yes (multiple)
YAML frontmatterAgent invocationRestricts tools per agent (e.g., Builder can’t use Task, QA can’t use Edit/Write). Frontmatter hooks wire agent-git-guard.sh.yes (runtime)

Customizing hooks

Add your project’s lint, format, and build commands to .claude/hooks/pre-commit-gates.sh (A3 stubs). Add test, typecheck, and dependency audit commands to .claude/hooks/pre-push-gates.sh (B2/B3 stubs). Adjust permissions in .claude/settings.json (team-shared, committed) or .claude/settings.local.json (personal, gitignored).

Repository structure

your-repo/ ├── AI.md — root contract, authority model, source of truth index ├── repo-os-explainer.html — this guide (operator-facing, open in browser) ├── .templatesyncignore — protects compiled specs, logs, decisions from sync ├── .github/ │ └── workflows/ │ └── auto-version-tag.yml — CalVer tags on merge to main ├── .claude/ │ ├── settings.json — team hooks & permissions (committed) │ ├── settings.local.json — personal overrides (gitignored) │ ├── .state/ — session-scoped governance state files (gitignored except .gitkeep) │ ├── hooks/ │ │ ├── _analytics-helper.sh — shared helper (log_hook_event, log_override) │ │ ├── bash-guard.sh — consolidated Bash PreToolUse guard (state, mode, plan, phase enforcement, task group, overlap, isolation, daemon-safe branching) │ │ ├── pretooluse-permission.sh — agent allowlist + Bash deny/allow guard (Decision 0027) │ │ ├── write-guard.sh — unified state + mode enforcement (blocks .state/ writes + mode restrictions) │ │ ├── state-writer.sh — captures agent verdicts as state files │ │ ├── plan-approval.sh — captures operator plan approvals as state │ │ ├── pre-commit-gates.sh — A-gates: secrets, state, scope, contracts, risk, decisions │ │ ├── pre-push-gates.sh — B-gates: naming, test/typecheck/audit stubs │ │ ├── agent-git-guard.sh — blocks git commit/push in subagents │ │ ├── hvst-failure-tracker.sh — consecutive failure tracking │ │ ├── ask-user-deny.sh — blocks AskUserQuestion in headless mode (Decision 0017) │ │ ├── permission-request.sh — auto-approve/deny/fallthrough for permission requests (Decision 0017) │ │ ├── editor-watch.sh — file watcher for Editor-Live sessions (Decision 0023) │ │ ├── next-live-editor-branch.sh — editor-live branch continuity between cycles (Decision 0023) │ │ ├── _phase-helper.sh — phase model library (init, advance, assert) │ │ ├── _permission-allowlist.sh — curated safe-tool patterns for permission-request.sh │ │ ├── _cleanup-helper.sh — session cleanup utilities │ │ ├── _automation-bridge.sh — automation layer integration helper │ │ └── session-close-check.sh — session log, override audit, state cleanup (blocking; zero-change exempt) │ ├── tools/ — KG + spec utilities (kg-seed, kg-relevance, kg-query, spec-digest) (Decisions 0034/0035) │ └── agents/ │ ├── _agent-glossary.md — shared terms (all agents read) │ ├── _agent-workflow.md — handoff flow (all agents read) │ ├── orchestrator.md — behavioral, no frontmatter │ ├── builder.md — executable, YAML frontmatter │ ├── qa-verifier.md — executable, commit blocker │ ├── reviewer.md — executable, read-only │ ├── security-privacy.md — executable │ ├── accessibility.md — executable, advisory │ ├── _advisory-board.md — orchestrator reference for advisory review (on-demand) │ ├── _advisory-board-lite.md — compressed shared context for advisory agents │ ├── _cohesion-review.md — cohesion review procedure (on-demand) │ ├── architect.md — structural review, always-on │ ├── critic.md — gap analysis + cohesion + diff-review (5 modes) │ ├── pragmatist.md — over-engineering review: brief-advisory + plan-gating (Decision 0025) │ ├── exploration.md — research + creative alternatives, Standard+ │ ├── security-analyst.md — threat review, conditional │ ├── ux-strategist.md — spec-time UX review (advisory board), conditional │ ├── ux-designer.md — UX Design Agent (3 modes: design brief, UX review, design health) │ ├── performance-engineer.md — performance review, conditional │ ├── data-strategist.md — schema review, conditional │ ├── auditor.md — project health audit, six modes (drift, compliance, cohesion-drift, governance, tech-debt, graph-health) │ ├── analytics.md — hook telemetry analysis, operator-invoked │ ├── dev-orchestrator.md — task group oversight, cross-brief coherence (automation layer) │ ├── _pm-advisor.md — PM advisory review procedure (on-demand, build review phase) │ ├── _user-review-shared.md — shared User Review definitions │ ├── _user-review-tier-1.md — Power User persona (User Review) │ ├── _user-review-tier-2.md — Everyday User persona (User Review) │ ├── _user-review-tier-3.md — Novice User persona (User Review) │ └── _hvst-review.md — HVST review board procedure (on-demand) ├── docs/ │ ├── spec/ │ │ ├── _templates/ — blank spec templates (synced from upstream) │ │ │ ├── product.md — what, who, why │ │ │ ├── architecture.md — tech stack, structure │ │ │ ├── design-system.md — visual language (defaults baked in) │ │ │ ├── data-contracts.md — entities, APIs, state │ │ │ ├── features/ │ │ │ │ └── _feature-template.md — copyable template │ │ │ ├── _experiment-brief.md — prototype brief template │ │ │ ├── feature-brief.md — lightweight feature addition template │ │ │ ├── integrations.md — services, MCP, env vars │ │ │ └── boundaries.md — exclusions, protected areas │ │ ├── compiled/ — operator-filled specs, versioned (never synced) │ │ │ ├── manifest.json — tracks active version │ │ │ └── v1/ — first Prompt 0 run (v2, v3… after re-runs) │ │ └── prototypes/ — experiment briefs and learnings (never synced) │ └── ai/ │ ├── workflow.md — execution model, HVST protocol │ ├── quality-gates.md — gate definitions (A/B/C) │ ├── decisions/ — t-0001–t-0040 template decisions + DIGEST.md (t- prefix, synced from upstream) │ ├── governance/ — inter-session governance evidence (spec-compiled, advisory-reviewed) │ ├── knowledge-graph/ — semantic codebase graph (graph.yaml, product-graph.yaml, schema.yaml) (Decision 0034) │ ├── task-groups/ — task group contracts (YAML) │ ├── logs/ │ │ ├── sessions/ │ │ │ └── session-{id}.md — per-session audit trail │ │ └── known-issues.md — HVST failure log │ └── prompts/ │ ├── prompt-0-spec-builder.md — project spec interview │ ├── prompt-0.5-prototype.md — rapid prototype session │ ├── prompt-a-repo-os.md — initialization prompt │ ├── prompt-b-product-build.md — development prompt │ ├── prompt-t-task-definition.md — task exploration & planning │ ├── prompt-c-project-audit.md — project audit prompt │ ├── prompt-d-daemon-toggle.md — automation runner toggle (ephemeral) │ ├── prompt-e-editor-live.md — editor-live session prompt (Decision 0023) │ ├── prompt-f-finish-loop.md — finish-loop convergence session (Decision 0040) │ ├── prompt-h-hotfix-debug.md — hotfix & debug session prompt │ └── prompt-q-queue-triage.md — queue triage session prompt └── src/ — your product code
File Access Control

Operating Modes

Three modes control which files an agent can modify. Enforced by write-guard.sh (Decision 0012). The mode is declared in .claude/repo-mode — a single word: template, child, or autonomous.

Mode summary

ModeProduct codeGovernance accessWhen to use
templateblockedFull governance: agents, hooks, settings, prompts, decisions, logs, workflow, gates, spec templates, AI.md, CLAUDE.md, repo-os-explainer.html, .github/Upstream template repo development
childallowedLimited carve-outs: project decisions (0100+), logs, governance evidence, task group contracts, compiled specs, prototypes, settings.local.jsonProject repos created from template (default)
autonomousallowedMinimal carve-outs: logs, task group contracts onlyHeadless operation with maximum governance protection

Mode resolution

Priority (highest first):

  1. REPO_OS_MODE environment variable (force any mode)
  2. .claude/repo-mode file (committed, single word)
  3. Default: child (when file is missing)

Immune paths

write-guard.sh and repo-mode cannot be modified in any mode — no override accepted. This is self-protection against circumvention. To maintain these files: set REPO_OS_SKIP_MODE_GUARD=1 (disables the entire guard, logged in overrides.log).

Overrides

OverrideWhat it doesScope
REPO_OS_UNLOCK_PATH=<path>Unlocks a single governance file for editingOne file per invocation. Immune paths rejected.
REPO_OS_MODE=<mode>Forces a specific mode (e.g., template access in a child repo)Emergency use. Logged via overrides.log.
REPO_OS_SKIP_MODE_GUARD=1Disables write-guard mode checks entirelyRecovery/debugging. Logged via overrides.log.

Decision naming convention

Template decisions use the t- prefix (t-0001-*.md through t-NNNN-*.md) and are synced from upstream, locked in child/autonomous modes. Child decisions use plain numeric names (0100-*.md+) and are editable in child mode. A t-manifest.txt file lists all template decisions for orphan cleanup. This preserves governance consistency while allowing project-level customization.
Rapid Exploration

Prototyping

Not everything needs a full spec. When you want to test an idea, validate architecture, or explore a feature before committing to it, use Prompt 0.5 on an experiment/* branch. Only the A4 safety gate applies — no process gates, no review chain, no scope warnings.

Prototyping tiers

You choose the tier. The tiers are a menu, not a gate — they determine how much documentation overhead the session carries.

TierWhen to useArtifact
NapkinQuick question, < 1 hour. “Does X even work?”None — verbal conclusion only
SpikeFocused hypothesis, single session. “Can we build Y this way?”Experiment brief
Proof of ConceptMulti-session exploration. “Is this entire approach viable?”Experiment brief + mini-spec notes

What to say to the Orchestrator

The system maps your natural language to tiers. You don’t need to memorize tier names — just describe what you want to do.

You say…Maps to
“Quick test”, “try this”, “does X work?”, “napkin test”Napkin
“Spike on X”, “prototype this”, “test this architecture”, “validate this approach”Spike
“Proof of concept”, “PoC”, “multi-day exploration”, “I need to explore this across sessions”Proof of Concept
Scope escalation: If a napkin test turns into a half-day exploration, the system suggests upgrading: “This is growing past napkin scope — want to create an experiment brief?” You decide.

How to start

Follow docs/ai/prompts/prompt-0.5-prototype.md.

The system helps you create an experiment/* branch (if needed), fill out a brief (Spike/PoC), and start building immediately. No full spec interview. No plan-before-code requirement.

What happens to the code?

Experiment branches never merge to main. The code is disposable. When you’re done:

  • Discard — question answered, delete the branch
  • Promote — capture learnings, then rewrite the validated approach into a feature/* branch
  • Pivot — start a new experiment with a different hypothesis

Experiment briefs are stored in docs/spec/prototypes/ and survive branch deletion. Prompt B checks this directory for validated learnings before planning new work.

Exploration & Planning

Task Definition — Prompt T

Prompt T facilitates exploration and task planning. Two modes, selected based on operator language — Query mode is conversational and ephemeral; Brief mode produces a copy-paste brief plus a sealed handoff bundle:

Query mode

Conversational Q&A grounded in specs and codebase. No agent dispatch, no structured output. The conversation is the output. If it evolves toward task definition, the system offers to switch to Brief mode.

Brief mode

Four core specialists (Architect, Exploration, Critic, Pragmatist) are dispatched in parallel — plus a conditional PM Advisory (when compiled specs or mvp-scope.yaml exist) and a conditional UX Design agent (for UI work) — to produce a structured task brief:

Operator
describes task
Parallel Specialists
Architect
Exploration
Critic
Pragmatist
Synthesize
draft brief
Operator
review
Brief + bundle ✓

The operator approves via a structured AskUserQuestion that merges brief approval with auto/review mode selection (Decision 0038). Options: Approve — review (Prompt B pauses at op-review before commit), Approve — auto (Prompt B runs autonomously through merge), Approve & queue (review/auto) (writes the brief + bundle to the automation queue for headless execution), Revise, or Abandon. Splitting into multiple briefs (Narrow) is available via “Other”. The finalized brief is displayed for copy-pasting, and the chosen mode is written into the bundle so the downstream session never re-prompts.

Query mode is ephemeral; Brief mode writes a handoff bundle. Query mode produces no files. Brief mode, on approval, writes a sealed handoff bundle to .claude/local/handoff-bundle.yaml (or per-brief under .claude/local/task-groups/{group}/briefs/{seq}.bundle.yaml) carrying the approved plan, task contract, spec snapshot, Pragmatist verdict, and chosen mode. The downstream Prompt B session reads the bundle at drift-check and skips re-planning — the Prompt T approval is the single operator approval gate. No session log entries are written either way.

How to start

Follow docs/ai/prompts/prompt-t-task-definition.md.
Multi-Brief Coordination

Task Group Contracts

When Prompt T splits a task into multiple briefs (Narrow path), each brief includes a ### Task Group section. The briefs share a task group contract — a YAML file that coordinates naming, patterns, decisions, and integration points across sessions.

Contract lifecycle

WhenWhat happens
First Prompt B sessionCreates the contract from brief metadata (identity, brief roster, conventions, integration points)
Subsequent sessionsReads the contract. Conventions are REQUIRE-level — follow all naming patterns, architectural patterns, decisions, and module boundaries
At session closeUpdates the contract: marks brief status, appends session decisions, writes governance evidence (gate results, overrides, timestamp)

Contract path depends on repo mode: template mode uses .claude/local/task-groups/, child/product mode uses docs/ai/task-groups/. Gate A6 verifies contract compliance when a task group is present. Override: SKIP_CONTRACT_CHECK=1.

Sequential or parallel. Sequential groups share one branch and run in order — the contract tracks next_brief, and phase-chain governance lets Brief N+1 confirm Brief N passed its gates. Parallel groups (Execution: parallel, Decision 0032) run each content brief in its own worktree branch ({group}/brief-{seq}), write completion markers, and finish with an auto-generated merge brief (taskgroup-merge session) that combines the branches and runs cross-session cohesion review before merging to main.
Health Checks

Project Audit — Prompt C

On-demand health check that scans for drift, compliance issues, and accumulated problems. Read-only — no file modifications (except when the operator defers findings, which writes to known-issues.md).

Dimension menu

DimensionAgentWhat it checks
Spec driftAuditor (drift)Does the code match the spec?
Decision complianceAuditor (compliance)Are decisions being followed?
Cohesion driftAuditor (cohesion-drift)Has internal coherence degraded?
GovernanceAuditor (governance)Are session logs, decisions, governance files healthy?
Tech debtAuditor (tech-debt)Accumulated compromises and maintenance risk
SecuritySecurity/PrivacyFull-codebase vulnerability scan
PerformancePerformance EngineerFull-codebase performance review
Dependency healthSecurity/PrivacyCVEs, outdated packages, supply chain risks

Depth tiers

TierWhenDimensions
QuickRoutine check-inGovernance + Security
StandardMilestone or pre-releaseOperator-selected (tech-debt available)
DeepFull health auditAll dimensions

How it works

Operator
selects dimensions
Orchestrator
dispatches
Parallel Auditors
Auditor ×N
Security
Perf
Audit
Report
Operator
accept/reject/defer

Specialist collaboration: Escalation (Auditor tags a finding → specialist follows up), Co-audit (both run in parallel), Workshop (iterative loop, capped at 2 rounds).

Read-only. No auto-remediation. The operator decides what action to take. Deferred findings are written to known-issues.md (Known Limitations table).

How to start

Follow docs/ai/prompts/prompt-c-project-audit.md.
Reactive Debugging

Hotfix & Debug — Prompt H

Reactive debugging and fix session for runtime errors, integration failures, and production incidents. Operates on hotfix/* branches with expedited gates (A2 scope relaxed, A5 cohesion skipped). Structured workflow: diagnose root cause, apply minimal fix, iterate when fixes fail, escalate when diagnosis stalls.

Workflow

Symptoms
error + context
Parallel Investigation
Explore
Architect
Exploration
Diagnosis
root cause
Fix
minimal change
Verify
repro test

Loop: verify → build when the fix doesn’t work. Maximum 3 fix cycles before escalation.

Agent dispatch

PhaseAgentNotes
plan (investigation)Explore + Architect + ExplorationParallel root cause investigation
plan (review)PragmatistPlan-gating on fix strategy
buildBuilderImplements the fix
verifyQA VerifierExpedited gates (A2 relaxed, A5 skipped)
commitOrchestratorCommit with trailers

Escalation protocol

After 3 failed fix cycles, Prompt H produces a structured Debug Report containing: symptoms observed, hypotheses tested (with results), root causes eliminated (with evidence), remaining candidates, and recommended next steps. The operator may provide new evidence, accept a partial fix, or redirect entirely.

Known patterns

PatternSymptomsFix approach
Plugin scope issuesPermission denied, command not found at runtimeBypass plugin, use custom IPC
OAuth flow failuresAuth callback errors, token exchange failuresDebug logging, check verification status values
Stale closure bugsState appears stale, race conditionsReload state before checking captured values
Dev vs production divergenceWorks locally, fails in CI/productionGate workarounds behind dev-mode guard
Build system stale cacheConfig changes not taking effectClean rebuild
HVST integration. If diagnosis is ambiguous after agent investigation, Prompt H uses the HVST protocol to form and test hypotheses structurally.

How to start

Follow docs/ai/prompts/prompt-h-hotfix-debug.md.
Debug Escalation

HVST Review Board

When HVST debugging stalls (2+ consecutive failures) or the operator proactively requests a debug review, the Orchestrator dispatches a 3-agent review board for multi-agent hypothesis analysis.

Builder stalls
2+ failures
Orchestrator
dispatches board
Review Board
Architect
Exploration
Critic
Ranked
hypotheses
Builder resumes
with best hypothesis

The board produces ranked hypotheses (not consensus) ordered by evidence strength, falsifiability, and implementation risk. The operator or Builder selects which to validate first. Capped at 1 review board round — if still stuck, escalate to operator.

Branching Model

Branch Categories

Every branch has a category that determines which gates apply and at what strictness. Use the naming convention <category>/<short-description>.

PatternPurposeGate Profile
mainProduction-ready codeAll gates (A + B). Protected — no direct commits. Merge at session close (solo mode).
release/*Release candidatesAll gates (A + B) + release checklist (C). Reviewer + Security required on every merge.
feature/*New functionalityStandard gates (A + B). Normal workflow.
fix/*Bug fixesStandard gates (A + B). Normal workflow.
hotfix/*Urgent production fixesExpedited: A2 scope limit relaxed, A5 skipped (operator discretion). A1, A3, A4 still enforced.
experiment/*Spikes & prototypesA4 (safety) only. Never merge to main — rewrite into feature/*. Use Prompt 0.5 with prototyping tiers.
Default: Branches not matching a category are treated as feature/*. Never commit directly to main — all work flows through a categorized branch.

Examples

feature/user-auth fix/stripe-webhook-timeout hotfix/payment-double-charge release/v1.2.0 experiment/new-caching-strategy
Scaling

Multi-Agent Teams

Repo OS is designed for one operator, one session, one branch at a time. But you can scale to parallel agent teams working on separate branches. Here’s how.

When to use parallel teams

  • Multiple independent features in flight simultaneously
  • Time-sensitive delivery where sequential work is too slow
  • Large projects where features have clear ownership boundaries

How it works

Each team is a separate Claude Code session on a separate branch. The Repo OS governance model runs independently in each session — same gates, same agents, same enforcement. No special configuration needed to start.

Worktree isolation is the default (Decision 0033). Each session runs in its own git worktree — claude --worktree for interactive sessions, automatic for the runner — so the main working tree stays on main with no branch switching. Per-session state is isolated (get_session_state_dir, Decision 0030) and concurrent merges to main are serialized via a merge lock. Opt out with REPO_OS_WORKTREE_ISOLATE=0.
Operator
Parallel Sessions
feature/auth
feature/dashboard
fix/api-timeout
merge → main

What you must set up

ConcernWhat to do
Session logsUse per-branch session logs to avoid collisions: docs/ai/logs/session-log-<branch-name>.md. Each session writes to its own file.
Branch scopeDefine clear ownership boundaries upfront. Each branch should own distinct files/modules. Overlapping file ownership across branches creates merge pain.
Merge governanceMerges into main require full gate verification (B-series). Solo sessions merge at close. The operator reviews cross-branch integration — agents only see their own branch.
Shared model changesIf two branches need to change the same schema, API contract, or shared module — stop. Do those changes first on one branch, merge to main, then rebase the others.

What Repo OS handles

  • Each session independently enforces all gates (A1–A6, B1–B3)
  • Secret scanning runs per-session before every commit
  • Agent tool boundaries apply identically across all sessions
  • Decision compliance is checked per-session

What Repo OS does NOT handle

Cross-branch coordination is the operator’s job. The system has no mechanism for:
  • Signaling between branches (“team A changed the user model”)
  • Automatic conflict detection before merge time
  • Merge-time gate escalation (you define this per project)
  • Shared state or progress tracking across sessions

Practical setup checklist

1
Create branches
One feature/* or fix/* branch per workstream
2
Define ownership
Document which files/modules each branch owns
3
Separate sessions
One worktree-isolated session per workstream (claude --worktree), each runs Prompt B independently
4
Per-branch logs
Each session writes to its own session log file
5
Merge to main
Full gate verification on every merge to main
6
Rebase regularly
Keep branches current with main to minimize merge conflicts
Governance Updates

Template Sync

If your repo was created from a template, you can pull governance updates (workflow rules, agent definitions, gates, prompts) without losing your project-specific specs or decisions.

One-way sync: template → your repo. The template repo is the upstream authority for governance. Your project repo receives updates from it but never pushes changes back. To improve the template itself, edit the template repo directly — not from a project instance.

How it works

Template repo
governance updated
Weekly sync
detects changes
PR created
for audit trail
Auto-merged ✓

A GitHub Actions workflow runs daily (06:00 UTC) and compares your repo against the template. When differences are found, it creates a PR and auto-merges it. Your compiled specs and logs are never touched — protected by .templatesyncignore. Template decisions (t-*) sync from upstream; child decisions (0100+) are untouched. Every sync is recorded as a merged PR for audit.

Operator deployment required. The template ships a workflow template at .claude/.automation/templates/template-sync-with-cleanup.yml. Copy it to .github/workflows/template-sync.yml in your child repo and configure the source repo path.

One-time setup

  1. Copy .claude/.automation/templates/template-sync-with-cleanup.yml to .github/workflows/template-sync.yml
  2. Replace OWNER/repo-OS-template with your actual template repo path
  3. If the template repo is private (required):
    1. Create a Classic PAT on GitHub: Settings → Developer settings → Personal access tokens → Tokens (classic)
    2. Scopes required: repo and read:org (fine-grained PATs are not compatible with git clone in Actions)
    3. Add the PAT as a repository secret named SOURCE_REPO_TOKEN in each child repo (Settings → Secrets and variables → Actions)
    4. In each child repo: Settings → Actions → General → Workflow permissions → enable "Allow GitHub Actions to create and approve pull requests"

    The workflow already references SOURCE_REPO_TOKEN via source_gh_token. If the template repo is public, you can remove that line — the default GITHUB_TOKEN works without extra setup.

Note: The template repo itself should not have this workflow. Only project repos created from the template need it.

Want to review before merge?

Remove the Auto-merge sync PR step from the workflow. Sync PRs will stay open until you merge them from the Pull requests tab on GitHub.

What syncs vs what stays

Syncs from templateProtected (never overwritten)
AI.mddocs/spec/compiled/
docs/ai/prompts/docs/ai/logs/
docs/ai/workflow.mddocs/spec/prototypes/
docs/ai/quality-gates.md.claude/settings.local.json
docs/ai/decisions/
.claude/agents/
.claude/hooks/
docs/spec/_templates/

GitHub prerequisites

The sync workflow uses GitHub Actions. Before setup, confirm these settings on your project repo (not the template):

  1. Actions enabled — On by default. Check at Settings → Actions → General.
  2. Workflow permissions — Go to Settings → Actions → General → Workflow permissions and select Read and write permissions. The workflow declares its own permissions, but the repo-level setting must allow it.
  3. Branch protection (if used) — If main has branch protection requiring PR reviews or status checks, the auto-merge step cannot bypass them. Either allow the github-actions bot to bypass protection rules, or use manual merge mode.

Merge conflicts

If your project has locally modified a governance file that the template also updated (e.g., you customized .claude/hooks/pre-commit-gates.sh and the template changed it too), the auto-merge will fail. The sync PR stays open and you resolve the conflict manually — same as any git merge conflict.

To avoid this for files you always want to customize, add them to .templatesyncignore. The template sync will skip them entirely.

When you need to act

Syncs are automatic. The only time you need to act is if spec templates were updated with new fields:

  1. Check the merged PR diff — look for changes in docs/spec/_templates/
  2. If templates changed, re-run Prompt 0:
    • It detects existing compiled versions and enters update mode
    • Copies your latest version, highlights new/changed fields, asks what to fill in
    • Output goes to a new version (e.g., v2) — previous version preserved
  3. If only governance files changed (agents, gates, prompts) — no action needed, already live
Spec versioning: Compiled specs live in docs/spec/compiled/v1/, v2/, etc. A manifest.json tracks the active version. Prompt B always reads from the active version. Previous versions are kept for reference and rollback.

Template version tags

The template repo uses CalVer git tags (format: v2026.02.1 — YYYY.0M.MICRO) to mark meaningful milestones. Tags are applied on main after changes to decisions, agents, hooks, or prompts. Not every commit is tagged. Each tag has a corresponding GitHub Release with a summary of what changed.

To check which template version your child repo synced from, look at the sync PR — git log --oneline in the PR diff shows the tagged commit. You can also compare against the template repo's Releases page to see what's included.

Extending the Workflow

Companion Tools

Repo OS is a governance framework. Companion tools extend the development workflow without modifying the core system. They integrate via MCP servers registered in .claude/settings.json.

The template ships clean — no companion tools pre-configured. These are opt-in per project. Installing or removing a companion tool has zero impact on Repo OS governance.

Visual Bridge optional

A Chrome extension + MCP server for visually editing live front-end UI and feeding precise change requests back to Claude Code.

What it does

  • Operator selects and adjusts elements in the browser (spacing, typography, colors, sizing)
  • Edits snap to the project’s design system tokens
  • Structured diffs with exact source file and line number are sent to Claude Code
  • Claude Code applies the precise edit — no fuzzy matching, no guessing

Setup (per project)

  1. Install the dev plugin: npm install -D @visual-bridge/dev-plugin
  2. Add to your build config (e.g., import { visualBridge } from '@visual-bridge/dev-plugin' in vite.config.ts)
  3. Add the MCP server to .claude/settings.json: "visual-bridge": {"command": "npx", "args": ["@visual-bridge/mcp-server"]}
  4. Install the Chrome extension from the Chrome Web Store

Design token discovery: The MCP server auto-reads tokens from your project’s Tailwind config, tokens.json, or docs/spec/compiled/{active}/design-system.md. No additional configuration needed.

Extending the Workflow

Automation Layer

An optional headless runner infrastructure for automated claude -p sessions with full governance parity. Decision 0017. Ships disabled by default — no behavioral change until the operator explicitly opts in.

Same governance, no shortcuts. Automated sessions run the same hooks, same gates, same phase model as interactive sessions. The only difference: the Stop hook does not fire in headless mode, so the runner handles post-session cleanup externally.

Runner lifecycle

Queue
approved entry
Pre-launch
branch, state, prompt
claude -p
headless session
Post-session
cleanup, merge
Outcome
Complete
Escalate
Fail/Retry

Queue lifecycle

StatusDescriptionTransitions to
pending-reviewNew entry awaiting operator approvalapproved
approvedReady for runner to dequeuerunning
runningActive headless session in progresscompleted, failed, review, blocked
completedSession finished successfully
failedRetries exhausted
reviewEscalated to operator
blockedUnrecoverable error (invalid config, missing dependency)

Enabling and disabling

MethodEffect
Set runner.enabled: true in config.yamlDaemon processes queue entries normally
Set runner.enabled: false in config.yamlDaemon sleeps (30s between checks). Queue entries preserved
Create .claude/.automation/HALT fileDaemon exits immediately. Emergency stop
Remove HALT fileDaemon resumes on next start

Prompt D provides a conversational alternative to manual config edits. It runs as a single-purpose ephemeral session that toggles runner.enabled in config.yaml and manages the HALT file — two files only, then closes automatically. Use the Navigator to find it, or paste the Prompt D starter directly.

Phase model integration

Automated sessions use the same phase sequences as interactive sessions (Decision 0014) and run worktree-isolated by default (Decision 0033). When a brief was queued from Prompt T with a handoff bundle (Decision 0038), the session’s drift-check phase reads the bundle and derives plan-approved + pragmatist-signed directly; the runner’s pre-write of plan-approved is the fallback for bundle-absent (legacy) briefs. All hooks fire normally except the Stop hook — the runner replicates Stop hook cleanup (solo merge, registry cleanup, branch sealing) as part of the post-session phase.

Dev Orchestrator

For task groups, the runner invokes a Dev Orchestrator agent between content briefs and before merge briefs. The orchestrator reviews cross-brief coherence, validates contract compliance, detects boundary drift, and produces health reports. Reports are written to .claude/.automation/reports/ (gitignored). All findings are advisory — the runner or operator decides what to act on.

Key files

PathPurpose
.claude/.automation/config.yamlRunner configuration. Master toggle, retry limits, retention
.claude/.automation/runner.shEntry point. Single-shot and daemon modes
.claude/.automation/schemas/YAML schema contracts (queue-entry, escalation, blocker-report, runner-config)
.claude/.automation/templates/Prompt templates for automated brief assembly
.claude/.automation/lib/Runner libraries (queue, state, branches, validation, locking)
.claude/.automation/decision-cache.yamlProject-level decision cache for prompt prepending
.claude/.automation/queue/Runtime queue entries by status (gitignored)
.claude/.automation/reports/Blocker reports and health reports (gitignored)
.claude/.automation/escalations/Operator-directed escalation files (gitignored)
Closing a Session

Session Hygiene

Every session must end with all five satisfied. If they’re not, you’re not done.

Commits are clean
No uncommitted work left behind
Gates satisfied
A1–A6, B1–B3 passed with evidence
Session log updated
Goal, changes, evidence, follow-ups
Next steps clear
Follow-ups documented for next session
Merge to main at close
Branch merges to main directly at session close. Not for experiment/* branches.

Session log format

## Session N — Date — Short Goal Status: complete | incomplete Decisions applied: 0001, 0002, ... Commits: abc1234 — message Goal: What we were trying to achieve Plan Summary: Bullets of chosen approach Changes Made: Bullets of what changed Verification: Commit gates: A1 ✓ A2 ✓ A3 ✓ A4 ✓ A5 ✓ A6 ✓ Push gates: B1 ✓ B2 ✓ B3 ✓ Evidence: [cmd] → [output] → [pass/fail] Failed Attempts: What tried + why failed Follow-ups: Next tasks, known issues
Rule overrides: Rules may be overridden only when you explicitly decide to and document why. Conscious override beats silent drift. If a gate can’t be met, log it and create a follow-up — never silently skip.
Quick Reference

Glossary

Small Scope
<100 lines, ≤3 files, single concern, reviewable in <10 min. Larger needs operator approval.
Gate
Blocking verification checkpoint. Types: Process, Quality, Safety, Conditional. Must pass before commit/push.
Decision
Version-controlled constraint in docs/ai/decisions/. Mandatory. Violations block commits.
Evidence
Proof a gate was checked: command, output excerpt, pass/fail, timestamp.
High-Risk
Auth, payments, data persistence, security, PII, external integrations. Requires Reviewer + Security sign-off.
Plan
Pre-coding roadmap: goal, decisions, steps, files, verification, risks. Required before implementation.
Session
Bounded work unit. Clear start/end, scope, verification evidence, clean commits at close. Branch merges to main at close (solo mode). Phase model tracks progress.
Escalation
Routing to higher authority. Triggered when agent lacks authority, requirements ambiguous, constraints conflict.
Hook
Automated script at lifecycle events (pre-commit, session stop). Runs regardless of agent behavior.
Handoff
Formal work transition between agents. Includes summary, status, verification items.
Structural Change
New modules, API contracts, schemas, build system changes. Requires Reviewer sign-off.
HVST
Hypothesis → Validate → Solve → Test → Record. 5-step debugging protocol. Prevents random-fix loops.
Experiment Brief
Lightweight document capturing hypothesis, method, success criteria, and learnings for a prototype session. Template at docs/spec/_templates/_experiment-brief.md.
Prototype Tier
Operator-selected documentation level for experiments: Napkin (no artifact), Spike (experiment brief), Proof of Concept (brief + mini-spec notes). See Prototyping.
Advisory Board
Up to 9 specialist agents that review compiled specs (or task briefs) before build. Core always-on: Architect, Critic, Pragmatist; Standard+: Exploration, PM Advisory; Full (signal-triggered): Security, UX, Performance, Data. Runs during Prompt A Phase 1. All findings are advisory — operator decides.
Refinement Report
Synthesized output of advisory board review. Contains critical findings, recommendations, and ideas. Operator reviews per-item.
Feature Brief
Lightweight spec template for individual feature additions. Created via Prompt T’s significant-feature path (Decision 0010). Drives advisory board activation via the “What It Touches” field.
Cohesion Review
Post-build review by Critic (cohesion mode) checking the diff and surrounding code for internal codebase coherence: broken references, dangling imports, inconsistent naming, incomplete integrations. Gate A5. Distinct from spec review (advisory board).
Phase
Declared step in a session’s lifecycle sequence. Each phase has an automation tag (agent/operator/both) indicating who acts. Tracked in .claude/.state/phase-state. See Phase Model.
Solo Mode
Merge strategy where branches merge directly to main at session close. Set per-session. Excluded for experiment/* and release/* branches.
Auto Mode
Session mode where the agent closes autonomously after all gates pass, skipping the op-review phase. Selected at the Prompt T brief approval (recorded in the handoff bundle’s mode field) and read by drift-check; chosen at plan approval for bundle-absent legacy sessions. Contrast with review mode (default), which pauses for operator acceptance.
Automation Layer
Optional headless runner infrastructure for automated claude -p sessions with full governance parity. Ships disabled. Decision 0017. See Automation Layer.
Dev Orchestrator
Task-group-scoped oversight agent for cross-brief coherence review, contract compliance, drift detection, and health reports. Read-only. Invoked by the automation runner between briefs and before merge briefs.
Handoff Bundle
Sealed YAML artifact written by Prompt T Brief mode on approval (.claude/local/handoff-bundle.yaml, or per-brief for task groups). Carries the approved plan, task contract, spec snapshot, Pragmatist verdict, chosen mode, and expiry. Prompt B’s drift-check reads it to skip re-planning — the Prompt T approval becomes the single approval gate. Decision 0038.
Drift-Check
Prompt B phase (Decision 0038) that evaluates the handoff bundle. When the bundle is valid, fresh, its spec snapshot matches, and no scope-file drift is detected, the session writes derived state and forward-jumps to build, skipping plan and approval. Otherwise it falls through to the legacy plan→approval flow.
Worktree Isolation
Default for all sessions (Decision 0033): each session runs in its own git worktree (claude --worktree; automatic in the runner), keeping the main tree on main and isolating per-session state. Opt out with REPO_OS_WORKTREE_ISOLATE=0.
Knowledge Graph
Persistent semantic map of codebase entities (files, decisions, hooks, prompts, contracts, conventions) at docs/ai/knowledge-graph/graph.yaml (template) and product-graph.yaml (child). 7 node types, 8 edge types; operator-curated edges are immutable by agents. Decision 0034.
Pragmatist
Over-engineering / YAGNI review agent (Decision 0025). Brief-Advisory mode in Prompt T (4th core specialist); Plan-Gating mode in Prompt B (gates plans via GATE_RESULTFUNDAMENTAL-MISMATCH blocks, OVER-ENGINEERED is advisory). State file: pragmatist-signed.