multi-agent-orchestration

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Multi-Agent Orchestration

Multi-Agent Orchestration

PM 式多 Agent 本地执行编排。它回答一个问题:多个 Agent 如何在同一仓库里用独立 worktree/session 并行干活,并让当前主会话作为 PM 可巡检、可收口、可控制额度消耗。
PM 是当前负责拆解、派工、验收和收口的主会话,不绑定具体产品。Codex 可以做 PM 调 Claude Code 或 OpenCode worker;Claude Code 也可以做 PM 调 Codex 或 OpenCode worker。Skill 只规定角色、隔离、启动、状态和收口协议。
PM-style multi-agent local execution orchestration. It answers one question: how multiple agents can work in parallel in the same repository using independent worktrees/sessions, with the current main session acting as a PM that can inspect, wrap up, and control quota consumption.
PM is the main session responsible for decomposition, task assignment, acceptance, and wrap-up, not bound to specific products. Codex can act as a PM to coordinate Claude Code or OpenCode workers; Claude Code can also act as a PM to coordinate Codex or OpenCode workers. The Skill only defines protocols for roles, isolation, startup, status, and wrap-up.

1. 边界

1. Boundaries

使用本 Skill:
  • 需要 2 个以上本地 Agent / Codex / Claude session 并行工作。
  • 任务需要独立 worktree、独立分支、独立 PR。
  • PM 会话需要启动、监控、纠偏和收口多个 worker。
  • 需要把简单任务路由给 Claude Code、Codex、OpenCode 或其他 CLI worker,以控制主会话 token 和不同模型额度消耗。
不使用本 Skill:
  • 单个短任务、单文件修改、一次性问答。
  • 任务主状态、负责人、依赖管理:用
    cross-agent-coordination
  • 分支命名、提交格式、PR merge、push、冲突解决:用
    git-workflow
  • 外部 Agent 邮件触发:用对应外部协作/邮件 Skill。
Use this Skill:
  • When 2 or more local Agents/Codex/Claude sessions need to work in parallel.
  • When tasks require independent worktrees, independent branches, and independent PRs.
  • When the PM session needs to start, monitor, correct, and wrap up multiple workers.
  • When simple tasks need to be routed to Claude Code, Codex, OpenCode, or other CLI workers to control token consumption of the main session and quota consumption of different models.
Do not use this Skill:
  • For single short tasks, single-file modifications, or one-time Q&A.
  • For task status management, responsible person tracking, or dependency management: use
    cross-agent-coordination
    .
  • For branch naming, commit formatting, PR merge, push, or conflict resolution: use
    git-workflow
    .
  • For external Agent email triggers: use corresponding external collaboration/email Skills.

2. 执行模式

2. Execution Modes

模式适用默认隔离
PM 直接处理轻量、低风险、无并行价值当前工作区
同宿主 Subagent窄范围分析、审阅、局部修订通常不新建 worktree
Claude Code Agent TeamsClaude Code 做 PM 且需要团队式协作worktree + branch
tmux 独立 CLI session需要跨产品 worker、长上下文、独立额度或独立进程worktree + branch
Claude Code agent view需要使用官方后台会话、peek/reply/attach 和
claude agents
总览
可用 Claude 官方
--worktree
/
--tmux
,或手动 worktree
ACP adapter项目已提供稳定 adapter,且需要结构化事件流adapter 决定,仍建议 worktree + branch
优先级由项目规则决定。若用户或项目明确要求使用 tmux / 独立 session / 开 worker,进入防逃逸门禁。
ModeApplicable ScenariosDefault Isolation
PM Direct ProcessingLightweight, low-risk tasks with no parallel valueCurrent workspace
Same-host SubagentNarrow-range analysis, review, or local revisionsUsually no new worktree
Claude Code Agent TeamsClaude Code acts as PM and requires team-style collaborationworktree + branch
tmux Independent CLI SessionRequires cross-product workers, long context, independent quota, or independent processesworktree + branch
Claude Code agent viewNeeds to use official backend sessions, peek/reply/attach, and
claude agents
overview
Can use Claude official
--worktree
/
--tmux
, or manual worktree
ACP adapterProject provides stable adapter and requires structured event flowDetermined by adapter, still recommends worktree + branch
Priority is determined by project rules. If the user or project explicitly requires tmux/independent session/starting workers, enter the anti-escape gate.

2.1 防逃逸门禁

2.1 Anti-Escape Gate

强制 session 触发条件:
  • 用户明确说
    tmux
    独立 session
    开 worker
    多 Agent 并行
    你做 PM / orchestrator
    不要你直接写
    ,或项目规则要求 tmux / 独立 session。
  • 任务需要独立额度、长上下文、后台持续运行、人工可接管,或同时推进 2 个以上本地 worker。
触发后,PM 在任何业务实现前必须完成启动门禁:
  1. 创建或确认隔离 worktree、语义分支和 Session Context 路径。
  2. 启动 tmux session;Claude 官方
    --worktree --tmux
    可作为 Claude 专用等价入口。
  3. tmux has-session
    /
    tmux list-sessions
    /
    claude agents --json
    验证 session 存活,并确认 pane cwd 或 agent cwd 指向目标 worktree。
  4. 给 worker 发送 Bootstrap-only prompt 或 Full worker prompt,prompt 必须包含 Branch、Worktree、Session Context、Runtime Profile、Allowed files、Forbidden files 和验证命令。
  5. 在 1-2 分钟内确认
    STATUS.json
    出现;若未出现,只能发送 checkpoint-only 纠偏或重启 worker,不得直接接管业务实现。
降级规则:
  • 显式要求 tmux 时,Agent Teams、Subagent、PM 直接处理都不是等价替代;除非用户明确同意降级。
  • 显式要求独立 session 但未指定 tmux 时,默认使用 tmux;Claude 官方
    --worktree --tmux
    可用。Agent view / Agent Teams 只有在能证明独立后台会话、独立 cwd/worktree 和可巡检状态时才可替代。
  • 门禁失败时,PM 必须报告阻塞和失败点;允许直接修改的仅限 worker prompt、Skill 文档、监控脚本或本地协作配置等编排层文件。
  • 若 PM 触发例外直接处理业务代码,最终汇报必须写明例外原因、未使用 session 的具体门禁失败点和用户是否批准降级。
Mandatory session trigger conditions:
  • User explicitly mentions
    tmux
    ,
    independent session
    ,
    start workers
    ,
    multi-agent parallelism
    ,
    you act as PM/orchestrator
    ,
    don't implement directly
    , or project rules require tmux/independent session.
  • Tasks require independent quota, long context, continuous background operation, manual takeover, or simultaneous execution of 2 or more local workers.
After triggering, the PM must complete the startup gate before any business implementation:
  1. Create or confirm the isolated worktree, semantic branch, and Session Context path.
  2. Start the tmux session; Claude official
    --worktree --tmux
    can be used as a dedicated equivalent entry for Claude.
  3. Use
    tmux has-session
    /
    tmux list-sessions
    /
    claude agents --json
    to verify session survival, and confirm that the pane cwd or agent cwd points to the target worktree.
  4. Send a Bootstrap-only prompt or Full worker prompt to the worker, which must include Branch, Worktree, Session Context, Runtime Profile, Allowed files, Forbidden files, and verification commands.
  5. Confirm that
    STATUS.json
    appears within 1-2 minutes; if not, only send checkpoint-only corrections or restart the worker, do not directly take over business implementation.
Downgrade rules:
  • When tmux is explicitly required, Agent Teams, Subagent, or PM Direct Processing are not equivalent substitutes; unless the user explicitly agrees to downgrade.
  • When independent session is explicitly required but tmux is not specified, tmux is used by default; Claude official
    --worktree --tmux
    is available. Agent view/Agent Teams can only be substituted if they can prove independent background sessions, independent cwd/worktree, and inspectable status.
  • When the gate fails, the PM must report the blockage and failure points; only orchestration layer files such as worker prompts, Skill documents, monitoring scripts, or local collaboration configurations can be directly modified.
  • If the PM triggers an exception to directly process business code, the final report must state the exception reason, specific gate failure points for not using the session, and whether the user approved the downgrade.

2.2 角色与后端

2.2 Roles and Backends

先分清角色,再选择后端:
角色职责可由谁担任
PM读取任务源、分组、启动 worker、巡检、验收、合并收口当前 Codex、Claude Code、OpenCode 或其他主会话
Worker在指定 worktree/branch 内完成限定任务Claude Code、Codex、OpenCode、自定义 CLI、shell 脚本、未来 ACP agent
Reviewer检查 diff、测试、范围和风险PM、另一个 worker、code-review subagent
PM 代理纪律:
  • 如果用户明确要求当前会话做 PM / orchestrator / 多 Agent 编排,PM 默认不直接写业务代码;若同时触发 §2.1,必须先通过启动门禁。
  • PM 的核心价值是 token efficiency、模型/额度路由、多线程推进、范围控制和验收收口;实现任务优先派给 worktree worker、独立 CLI session、Agent Teams 或 Subagent。
  • PM 可以直接改代码的例外:任务极小且无并行价值、用户明确要求 PM 直接做、worker 连续纠偏失败且只剩窄范围收口、或需要立即修复 PM 自己生成的 orchestration 文档/配置。显式 tmux / 独立 session 要求下,这些例外必须先取得用户确认或记录门禁失败。
  • PM 如果越过例外直接下场改代码,应在最终汇报说明原因;常规实现应通过 worker 产物、PM 纠偏和 PR review 完成。
后端选择规则:
  • 当前主会话是什么不重要;默认“谁启动编排,谁就是 PM”。
  • 需要通过第三方 Anthropic-compatible API 启动 Claude Code 时,worker backend 选 Claude Code;这是 Claude Code worker 的默认额度模式。
  • 只有用户明确要走 Claude 订阅/OAuth 时,才使用
    claude-oauth-*
    profile,并清理第三方 provider 环境变量。
  • 需要消耗 Codex / OpenAI 额度或使用 Codex 配置时,worker backend 选 Codex。
  • 需要消耗 OpenCode 已配置的 provider/model,或要使用 OpenCode 的
    opencode run
    /
    opencode acp
    能力时,worker backend 选 OpenCode。
  • 需要消耗 WorkBuddy/CodeBuddy 或 QoderWork 平台额度(复用桌面端登录态、零 API Key、含每日免费模型)时,worker backend 选
    codebuddy
    /
    qoderwork-cn
    ;这是跨工具例外(§2.3),适合额度分流或评测 fan-out。两者均由
    render-runtime-profile.sh
    统一生成命令(含 qoder 的 SDK 变量清除、codebuddy 的
    -y
    );外部 CLI backend 的 worker spawn 默认用 snapshot-copy-into-worktree(DEC-037)自包含。
  • 其他 Agent 只要能用一行命令启动,并能在指定 cwd 读写文件,也可作为 custom CLI worker。
  • 需要稳定进程生命周期和人工接管时,优先
    tmux + worktree
    ;触发 §2.1 时,
    tmux + worktree
    是默认执行层,不是可静默跳过的建议。
  • ACP 只在 adapter 已稳定、能输出结构化状态时启用;没有 adapter 时不要为了协议增加不确定性。
Backend → 默认模型速查表(同宿主 worker 仍按 §2.3 优先;以下默认仅在 PM 主动跨工具或用户明确指定该 backend 时生效):
Backend默认 model(首选 → 备选)适用场景备注
Claude Codemodel 见 personal config
main_force.task_routing
(常规/高端 vs 简单+多模态,按任务路由非轮换
默认主力 host;同 provider 并发上限见
concurrency
,溢出到跨平台 backend
详细 provider 映射见
config/claude-provider-registry.example.json
Codex(见 §2.4 codex_policy)用户明确要求时智能高额度贵,默认不主动派
OpenCode
opencode:<provider>/<model>
OpenCode 已有额度按 OpenCode profile
qoderclicn
(QoderWork CN)
model 见 personal config
backend_model_routing.qoderclicn
用户主动要求 / 主力并发打满溢出(跨平台/跨额度避并发)SDK 变量需清理
codebuddy
(WorkBuddy/CodeBuddy)
model 见 personal config
backend_model_routing.codebuddy
用户主动要求 / 主力并发打满溢出(跨平台/跨额度避并发)默认带
-y
本表不列具体模型——模型与框架选型是个人偏好(每人可用的 provider/平台额度不同)。具体 model 全在
config/orchestration-personal.json
(你的)+
.example.json
(通用模板);本表只列 backend 能力 + 模型配置字段位置,缺失时交 PM 按 §2.4 个人偏好读。
环境/profile 纪律:
  • PM 启动 worker 时必须显式写
    Runtime Profile
    、settings/profile 路径、模型来源和关键环境变量处理方式,不假定 Claude Code、Codex、OpenCode 共享同一套 shell 环境。
  • Claude Code 第三方 API provider 推荐使用 provider registry:
    config/claude-provider-registry.example.json
    描述多个 provider 的
    base_url
    auth_token_env
    /
    api_key_env
    auth_type
    models
    ;真实 registry 放 ignored local 文件,真实 key 优先放环境变量。旧的单 provider
    --settings <*.settings.json>
    路径保留兼容。
  • Claude Code 第三方 API provider profile 要保留
    ANTHROPIC_BASE_URL
    /
    ANTHROPIC_AUTH_TOKEN
    / 默认模型映射;不要套用 OAuth 的清理命令。registry 模式由 wrapper 动态生成这些 env,不需要为每个模型维护一个 settings 文件。
  • Claude Code 第三方 API provider 必须显式传
    --model <provider-model>
    ,settings 文件也应包含
    ANTHROPIC_MODEL
    /
    ANTHROPIC_MODEL_NAME
    。只传
    --settings
    不足以隔离用户级
    ~/.claude/settings.json
    或继承环境中的
    ANTHROPIC_MODEL
    ;实测会出现 settings 指向 GLM、界面和实际默认模型仍显示 MiniMax 的混合状态。
  • Claude Code 第三方 API provider 默认由
    scripts/render-runtime-profile.sh
    生成
    scripts/claude-provider-env.sh
    wrapper 命令。wrapper 会先清理继承的 Claude/Anthropic provider 路由变量,再从目标 settings JSON 导入 env,或从 registry 的 provider/model intent 解析 env;补齐
    ANTHROPIC_AUTH_TOKEN
    /
    ANTHROPIC_API_KEY
    ,设置
    CLAUDE_CODE_PROVIDER_MANAGED_BY_HOST=1
    ,并给
    claude
    注入
    --setting-sources project,local
    ,避免用户级
    ~/.claude/settings.json
    的 provider/model 污染本次 worker。
  • 只有排障时才可用
    --no-provider-env-isolation
    绕过 wrapper;PM 必须在 Wave 计划和
    METADATA.json
    runtime.env_isolation
    中记录这个例外,并启动后核对 banner / STATUS provider。
  • Claude Code 订阅/OAuth profile 才清理第三方 provider 环境变量,避免误走外部 API。
  • Codex / OpenAI worker、OpenCode worker 和 custom CLI worker 使用各自 profile;不要把 Anthropic provider 环境变量当作通用 worker 环境。
  • Worker bootstrap 必须把
    which claude/codex/opencode
    、版本号、cwd、关键 profile 名和
    node/npm/python/cargo
    等运行信息写入
    STATUS.json
    ,便于 PM 判断“环境不一样”是否影响任务。
Clarify roles first, then select backends:
RoleResponsibilitiesWho Can Serve
PMReads task sources, groups tasks, starts workers, inspects, accepts, merges, and wraps upCurrent Codex, Claude Code, OpenCode, or other main sessions
WorkerCompletes limited tasks within the specified worktree/branchClaude Code, Codex, OpenCode, custom CLI, shell scripts, future ACP agents
ReviewerChecks diffs, tests, scope, and risksPM, another worker, code-review subagent
PM Proxy Discipline:
  • If the user explicitly requires the current session to act as PM/orchestrator/multi-agent orchestrator, the PM does not directly write business code by default; if §2.1 is triggered simultaneously, the startup gate must be passed first.
  • The core value of PM lies in token efficiency, model/quota routing, multi-threaded execution, scope control, and acceptance wrap-up; task implementation is prioritized to be assigned to worktree workers, independent CLI sessions, Agent Teams, or Subagents.
  • Exceptions where PM can directly modify code: extremely small tasks with no parallel value, user explicitly requires PM to do it directly, worker fails to correct continuously and only narrow-range wrap-up remains, or immediate repair of orchestration documents/configurations generated by PM itself. Under explicit tmux/independent session requirements, these exceptions must first obtain user confirmation or record gate failures.
  • If the PM bypasses exceptions to directly modify code, the reason should be explained in the final report; regular implementation should be completed through worker outputs, PM corrections, and PR reviews.
Backend Selection Rules:
  • It doesn't matter what the current main session is; by default, "who starts the orchestration, who is the PM".
  • When needing to start Claude Code via a third-party Anthropic-compatible API, select Claude Code as the worker backend; this is the default quota mode for Claude Code workers.
  • Only when the user explicitly requires Claude subscription/OAuth, use
    claude-oauth-*
    profiles and clear third-party provider environment variables.
  • When needing to consume Codex/OpenAI quota or use Codex configurations, select Codex as the worker backend.
  • When needing to consume configured providers/models of OpenCode, or use OpenCode's
    opencode run
    /
    opencode acp
    capabilities, select OpenCode as the worker backend.
  • When needing to consume quota from WorkBuddy/CodeBuddy or QoderWork platforms (reuse desktop login state, zero API Key, includes daily free models), select
    codebuddy
    /
    qoderwork-cn
    as the worker backend; this is a cross-tool exception (§2.3), suitable for quota diversion or evaluation fan-out. Both are uniformly generated by
    render-runtime-profile.sh
    (including Qoder's SDK variable clearing, CodeBuddy's
    -y
    ); external CLI backend worker spawn uses snapshot-copy-into-worktree (DEC-037) by default for self-containment.
  • Other Agents can also serve as custom CLI workers as long as they can be started with one command and read/write files in the specified cwd.
  • When stable process lifecycle and manual takeover are required, prioritize
    tmux + worktree
    ; when §2.1 is triggered,
    tmux + worktree
    is the default execution layer, not a suggestion that can be silently skipped.
  • ACP is only enabled when the adapter is stable and can output structured status; do not add uncertainty for the protocol when there is no adapter.
Backend → Default Model Quick Reference (same-host workers still prioritize §2.3; the following defaults only take effect when PM actively cross-tools or the user explicitly specifies the backend):
BackendDefault Model (Preferred → Alternative)Applicable ScenariosNotes
Claude CodeSee personal config
main_force.task_routing
(regular/high-end vs simple+multimodal, route by task not rotation)
Default main host; concurrency limit for the same provider see
concurrency
, overflow to cross-platform backend
Detailed provider mapping see
config/claude-provider-registry.example.json
Codex(See §2.4 codex_policy)When explicitly required by userHigh intelligence but expensive quota, not actively assigned by default
OpenCode
opencode:<provider>/<model>
OpenCode has available quotaFollow OpenCode profile
qoderclicn
(QoderWork CN)
See personal config
backend_model_routing.qoderclicn
User actively requests / main concurrency is full and overflows (cross-platform/cross-quota to avoid concurrency)SDK variables need to be cleared
codebuddy
(WorkBuddy/CodeBuddy)
See personal config
backend_model_routing.codebuddy
User actively requests / main concurrency is full and overflows (cross-platform/cross-quota to avoid concurrency)Default with
-y
This table does not list specific models—model and framework selection is personal preference (each person has different available provider/platform quotas). Specific models are all in
config/orchestration-personal.json
(yours) +
.example.json
(general template); this table only lists backend capabilities + model configuration field locations, and if missing, PM reads according to §2.4 personal preferences.
Environment/Profile Discipline:
  • When starting workers, PM must explicitly write
    Runtime Profile
    , settings/profile path, model source, and key environment variable handling methods, do not assume that Claude Code, Codex, and OpenCode share the same shell environment.
  • For Claude Code third-party API providers, it is recommended to use the provider registry:
    config/claude-provider-registry.example.json
    describes
    base_url
    ,
    auth_token_env
    /
    api_key_env
    ,
    auth_type
    , and
    models
    for multiple providers; the real registry is placed in ignored local files, and real keys are prioritized in environment variables. The old single provider
    --settings <*.settings.json>
    path is retained for compatibility.
  • Claude Code third-party API provider profiles must retain
    ANTHROPIC_BASE_URL
    /
    ANTHROPIC_AUTH_TOKEN
    /default model mapping; do not apply OAuth clearing commands. The registry mode dynamically generates these env via wrapper, eliminating the need to maintain a settings file for each model.
  • Claude Code third-party API providers must explicitly pass
    --model <provider-model>
    , and the settings file should also include
    ANTHROPIC_MODEL
    /
    ANTHROPIC_MODEL_NAME
    . Only passing
    --settings
    is not enough to isolate the user-level
    ~/.claude/settings.json
    or inherit
    ANTHROPIC_MODEL
    in the environment; actual tests show mixed states where settings point to GLM, but the interface and actual default model still display MiniMax.
  • By default, Claude Code third-party API providers generate the
    scripts/claude-provider-env.sh
    wrapper command via
    scripts/render-runtime-profile.sh
    . The wrapper first clears inherited Claude/Anthropic provider routing variables, then imports env from the target settings JSON, or parses env from the provider/model intent in the registry; supplements
    ANTHROPIC_AUTH_TOKEN
    /
    ANTHROPIC_API_KEY
    , sets
    CLAUDE_CODE_PROVIDER_MANAGED_BY_HOST=1
    , and injects
    --setting-sources project,local
    into
    claude
    to avoid provider/model pollution from user-level
    ~/.claude/settings.json
    for this worker.
  • Only use
    --no-provider-env-isolation
    to bypass the wrapper during troubleshooting; PM must record this exception in the Wave plan and
    runtime.env_isolation
    of
    METADATA.json
    , and check the banner/STATUS provider after startup.
  • Only Claude Code subscription/OAuth profiles clear third-party provider environment variables to avoid mistakenly using external APIs.
  • Codex/OpenAI workers, OpenCode workers, and custom CLI workers use their respective profiles; do not treat Anthropic provider environment variables as general worker environments.
  • Worker bootstrap must write
    which claude/codex/opencode
    , version number, cwd, key profile name, and runtime information such as
    node/npm/python/cargo
    into
    STATUS.json
    , making it easier for PM to judge whether "different environments" affect the task.

2.3 同宿主优先:不默认跨 Agent 工具

2.3 Same-Host Priority: Do Not Default to Cross-Agent Tools

默认让 worker 与 PM 跑在同一个 Agent 工具里:Claude Code 做 PM 就用 Claude Code worker,Codex 做 PM 就用 Codex worker,OpenCode 同理。不要为了"分流额度"默认把 worker 路由到另一种 Agent 工具。 这条优先于 §2.2 的多 backend 路由建议。
为什么默认同宿主:
  • 同宿主 worker 共用一套 auth / settings / 上下文约定,启动和排障成本最低;跨工具会引入不同 profile、不同 env、不同 CLI 行为,编排层不确定性上升。
  • 多 Agent 的核心收益是并行 + 范围隔离(独立 worktree / session)+ PM 收口,不是"跨工具"。并行价值来自独立 worktree / session / 额度 lane,与是否换工具无关。
  • 跨工具只在有明确理由时才用(见下),不是默认。
同宿主 worker 的 auth 约定(重要,避免误判环境):
  • Claude Code PM 启动 Claude Code worker 时,worker
    claude
    进程继承 PM 的 provider env(第三方 API 的
    ANTHROPIC_AUTH_TOKEN
    /
    ANTHROPIC_BASE_URL
    ,或 OAuth 会话)。即使目标 worktree 的
    .claude/settings.json
    为空或缺省,worker 也能用 PM 的 provider 跑起来,不需要额外的
    config/*.settings.json
  • 只有当需要把多个 Claude Code worker 分到不同 provider(例如一部分走 minimax、一部分走 glm)时,才用不同 settings 文件区分 slot;此时仍全部是 Claude Code worker,没有跨工具。
  • 判断"worker 是否拿到 provider env"的标准:worker bootstrap 把可用
    claude
    版本和 provider 来源写进
    STATUS.json
    ;PM 看到 provider 来源为空或报 401/403 时,再决定是补 settings 还是降级,而不是默认先跨工具。
何时可以跨工具(例外,不是默认):
  • 当前宿主 provider 额度 / 限流 / 并发槽位不足以支撑本 Wave,且无法靠"降并发 / 拆下一 Wave"解决。
  • 某个 worker 任务明显更适合另一种工具的模型能力(例如超长上下文研究、特定代码栈)。
  • 用户明确要求混合 worker(例如"Claude Code 做 PM,重写 worker 用 Codex")。
触发跨工具时的硬要求:PM 必须在 Wave 计划里写明为什么跨、每个 worker 的 backend / profile / auth 来源,以及跨工具带来的额外排障点。§3.1 的 provider slot 分配仍适用,但 slot 默认全部落在 PM 宿主工具上;跨工具 slot 是显式例外,需要在 Wave 摘要里标注。
By default, let workers run in the same Agent tool as the PM: if Claude Code acts as PM, use Claude Code workers; if Codex acts as PM, use Codex workers; same for OpenCode. Do not default to routing workers to another Agent tool for "quota diversion". This takes precedence over the multi-backend routing suggestions in §2.2.
Why same-host by default:
  • Same-host workers share a set of auth/settings/context conventions, with the lowest startup and troubleshooting costs; cross-tool introduces different profiles, different env, different CLI behaviors, increasing orchestration layer uncertainty.
  • The core benefits of multi-agent are parallelism + scope isolation (independent worktree/session) + PM wrap-up, not "cross-tool". Parallel value comes from independent worktree/session/quota lane, regardless of whether tools are changed.
  • Cross-tool is only used when there are clear reasons (see below), not by default.
Auth Conventions for Same-Host Workers (important, avoid environment misjudgment):
  • When Claude Code PM starts Claude Code workers, the worker
    claude
    process inherits the PM's provider env (third-party API's
    ANTHROPIC_AUTH_TOKEN
    /
    ANTHROPIC_BASE_URL
    , or OAuth session). Even if the
    .claude/settings.json
    in the target worktree is empty or default, the worker can run using the PM's provider, no additional
    config/*.settings.json
    required
    .
  • Only when multiple Claude Code workers need to be assigned to different providers (e.g., some use minimax, some use glm), use different settings files to distinguish slots; at this time, all are still Claude Code workers, no cross-tool.
  • The standard for judging "whether the worker has obtained the provider env": worker bootstrap writes available
    claude
    version and provider source into
    STATUS.json
    ; PM decides whether to supplement settings or downgrade only when seeing empty provider source or 401/403 errors, instead of defaulting to cross-tool first.
When Cross-Tool is Allowed (exception, not default):
  • The current host provider's quota/rate limit/concurrency slots are insufficient to support this Wave, and cannot be solved by "reducing concurrency/splitting to next Wave".
  • A certain worker task is obviously more suitable for the model capabilities of another tool (e.g., ultra-long context research, specific code stack).
  • The user explicitly requires mixed workers (e.g., "Claude Code acts as PM, rewrite workers use Codex").
Hard Requirements for Triggering Cross-Tool: PM must write in the Wave plan why cross-tool is used, each worker's backend/profile/auth source, and additional troubleshooting points brought by cross-tool. The provider slot allocation in §3.1 still applies, but slots are all in the PM host tool by default; cross-tool slots are explicit exceptions that need to be marked in the Wave summary.

2.4 个人路由偏好(用户级,可被任何人自定义)

2.4 Personal Routing Preferences (User-Level, Customizable by Anyone)

§2.2 / §2.3 给的是 skill 级默认规则,但每个用户的"主力 / 轮换 / 哪个 backend 给哪个模型"是个个人偏好,不应该硬编码进 skill。机制:
  • 配置路径
    config/orchestration-personal.json
    在 skill 目录,但 gitignore 不入库——每人本地放自己的实际偏好;不 commit 进仓库,避免把个人模型/框架固化进通用 skill。
    .example.json
    是入库的通用模板)。
  • 模板路径
    config/orchestration-personal.example.json
    (schema 文档 / 给 fork 用户的干净模板)。
  • 读取时机:PM 派 worker 前先读
    config/orchestration-personal.json
    ;缺失则回落
    .example.json
    默认。
  • 作用域:仅声明"偏好"(host、model 轮换、codex policy、跨工具 backend 的默认 model),不声明真实 token / key / endpoint——那些仍归
    config/claude-provider-registry.*.json
    管。
字段定义(与 example schema 对齐):
字段含义缺省回落
main_force.host
PM 主力宿主工具(你用的 Agent 工具:
claude-code
/
codex
/
opencode
claude-code
main_force.task_routing.high_end
常规/高端任务的 model(你自选)无(必填)
main_force.task_routing.simple_multimodal
简单任务+多模态/图片解读的 model(你自选)
main_force.task_routing.default
任务类型不明时回落(通常 = high_end)
concurrency.max_per_provider
同一 provider 并发上限(尽量更低避限流连累其他任务)用户定(示例 3)
concurrency.overflow_strategy
超上限时溢出到哪些 backend(不同平台/额度避并发)用户定
codex_policy.policy
explicit_only
/
allowed
allowed
(向后兼容)
backend_model_routing.<backend>.default_models
跨平台 backend 的默认 model(首选在前);
<backend>
= 你常用的 CLI 名
留空 → 不启用跨平台溢出
Codex 硬规则(个人偏好中最重要的一条)
  • codex_policy.policy = "explicit_only"
    时,PM 不主动把任何 worker 路由到 Codex;只有用户当轮明确说"用 Codex"才解封,并写到 Wave 计划里。
  • 这条独立于 §2.3 同宿主优先:即使 §2.3 同宿主工具是 Codex host,PM 仍按此政策判断是否派 worker 到 Codex。
  • 想恢复 Codex 默认可用,改
    policy = "allowed"
与 §2.2 / §2.3 / §3.3 的关系
  • §2.2 backend 表 → §2.4 个人偏好 → §3.3 项目级 provider slot 默认 → 最终 backend / model 选择。优先级 §2.3(不主动跨工具)压 §2.2(多 backend),§2.4 个人偏好压 §2.2 默认 model 表,§3.3 项目级 provider slot 计划压 §2.4 通用 host。
  • §2.4 字段命名故意跟 §3.3 项目级 provider slot 不冲突:项目级 slot 写的是"这一 Wave 用哪个 slot 跑哪个 worker"(含 model、max_concurrency);§2.4 写的是"我个人偏好默认用什么 host / 什么 backend 给什么 model"。前者落地到 Wave 计划,后者落地到 PM 派单决策。
TODO(后续增强)
scripts/render-runtime-profile.sh
自动读 personal config(解析
main_force.task_routing
→ 默认
--model
、解析
codex_policy.policy
→ 是否允许 codex backend、解析
backend_model_routing.<backend>.default_models
→ 跨工具 default)当前未实现;本次只做配置 + 文档 + PM 手动遵循,避免无人监督下改脚本引入新不确定性。需要做的时候开新 worker,不要在 PM 任务里顺手改。
§2.2/§2.3 provide skill-level default rules, but each user's "main/rotation/which backend for which model" is a personal preference that should not be hard-coded into the skill. Mechanism:
  • Configuration Path:
    config/orchestration-personal.json
    (in the skill directory, but gitignore and not stored in the repository—each person places their actual preferences locally; do not commit to the repository to avoid solidifying personal models/frameworks into the general skill.
    .example.json
    is the general template stored in the repository).
  • Template Path:
    config/orchestration-personal.example.json
    (schema documentation / clean template for fork users).
  • Reading Timing: PM reads
    config/orchestration-personal.json
    before assigning workers; if missing, falls back to
    .example.json
    defaults.
  • Scope: Only declares "preferences" (host, model rotation, codex policy, default model for cross-tool backends), not real tokens/keys/endpoints—those are still managed by
    config/claude-provider-registry.*.json
    .
Field Definitions (aligned with example schema):
FieldMeaningDefault Fallback
main_force.host
PM's main host tool (the Agent tool you use:
claude-code
/
codex
/
opencode
)
claude-code
main_force.task_routing.high_end
Model for regular/high-end tasks (self-selected)None (required)
main_force.task_routing.simple_multimodal
Model for simple tasks + multimodal/image interpretation (self-selected)None
main_force.task_routing.default
Fallback when task type is unknown (usually = high_end)None
concurrency.max_per_provider
Concurrency limit for the same provider (try to keep low to avoid rate limit affecting other tasks)User-defined (example 3)
concurrency.overflow_strategy
Which backends to overflow to when exceeding the limit (different platforms/quotas to avoid concurrency)User-defined
codex_policy.policy
explicit_only
/
allowed
allowed
(backward compatible)
backend_model_routing.<backend>.default_models
Default models for cross-platform backends (preferred first);
<backend>
= CLI name you commonly use
Empty → cross-platform overflow not enabled
Codex Hard Rule (the most important one in personal preferences):
  • When
    codex_policy.policy = "explicit_only"
    , PM does not actively route any workers to Codex; only when the user explicitly says "use Codex" in the current round is it unlocked, and written into the Wave plan.
  • This is independent of §2.3 same-host priority: even if §2.3 same-host tool is Codex host, PM still judges whether to assign workers to Codex according to this policy.
  • To restore Codex availability by default, change
    policy = "allowed"
    .
Relationship with §2.2/§2.3/§3.3:
  • §2.2 backend table → §2.4 personal preferences → §3.3 project-level provider slot defaults → final backend/model selection. Priority: §2.3 (do not actively cross-tool) overrides §2.2 (multi-backend), §2.4 personal preferences override §2.2 default model table, §3.3 project-level provider slot plan overrides §2.4 general host.
  • §2.4 field naming is deliberately not conflicting with §3.3 project-level provider slots: project-level slots write "which slot to use for which worker in this Wave" (including model, max_concurrency); §2.4 writes "my personal preference for default host/which backend for which model". The former is implemented in the Wave plan, the latter in PM's task assignment decisions.
TODO (Future Enhancement):
scripts/render-runtime-profile.sh
automatically reads personal config (parses
main_force.task_routing
→ default
--model
, parses
codex_policy.policy
→ whether codex backend is allowed, parses
backend_model_routing.<backend>.default_models
→ cross-tool default) is currently not implemented; this time only implements configuration + documentation + manual compliance by PM, avoiding introducing new uncertainty by modifying scripts without supervision. When needed, start a new worker, do not modify it casually in PM tasks.

3. 标准流程

3. Standard Process

  1. 读任务源与项目配置:若项目提供
    .claude/orchestration.config.json
    或等价配置,先读取 trunk、任务源、验证命令、可复制配置和 hook 边界;再用
    cross-agent-coordination
    判断可执行项、依赖和归属。
  2. 先分组:不要默认一个 Issue 一个 worker。文件范围重叠、同一章节/模块、存在依赖链的任务应同组顺序执行。
  3. 判定并行安全:只有文件范围清晰、无共享迁移/锁文件/schema、验收标准独立时才拆成多个 worktree 并行。
  4. 判定是否触发防逃逸门禁:只要用户或项目明确要求 tmux / 独立 session / 开 worker,按 §2.1 执行;门禁未通过前不写业务代码。
  5. 选择 worker backend 和 runtime profile:按任务复杂度、当前额度、模型偏好和是否需要独立进程,选择 Claude Code / Codex / OpenCode / custom CLI / shell / ACP。
  6. PM 创建隔离环境:默认由 PM 创建 worktree、分支和 session context 目录,再把路径交给 worker;只有 Claude Code 官方 Agent Teams / agent view 明确使用自身
    --worktree
    能力时,才允许由 Claude Code 创建,但 PM 仍要验收分支、路径和隔离状态。
  7. 启动 worker 并验证门禁:给每个 worker 明确目标文件、允许修改范围、验证命令、session context 目录、提交和 PR 要求;确认 session 存活、cwd/branch 正确、
    STATUS.json
    出现或已发送 bootstrap correction。
  8. PM 巡检:优先查看
    .claude/agent-sessions/<session-id>/STATUS.json
    RESULT.md
    PATCH_SUMMARY.md
    、git status、commit/PR 状态;Claude 官方 Agent Teams 则优先读取
    ~/.claude/teams/<team>/
    ~/.claude/tasks/<team>/
    claude agents --json
    、tmux pane 或 agent view 作为兜底观察。发现偏题、阻塞、范围扩大或无阶段性提交时介入。
  9. PM 验收而非代写:PM 对 worker 结果做范围检查、测试复核和 review;发现问题优先发纠偏指令或派给 reviewer/另一个 worker,不默认自己改业务代码。
  10. 收口:worker 提交并开 PR 后,PM 做范围检查、触发 review、按
    git-workflow
    合并和清理。
  11. PM 必做实操验证:任何软件功能修改(不论 L1/L2/L3)worker 声称"完成"前,PM 必须真正启动 dev server(Vite dev / Tauri dev / 对应入口),用 Playwright MCP 或截图实际打开应用、点击按钮、切换 tab、调整窗口、输入文本,把验证证据(DOM 测量、关键断言、截图)写入
    goal-contract.md
    或对应
    RESULT.md
    。仅靠 typecheck / 单测 / lint / build 全部通过就宣称"完成"是不充分的——这些只证明"代码能编译",不证明"功能真的能用"。
  1. Read Task Sources and Project Configurations: If the project provides
    .claude/orchestration.config.json
    or equivalent configuration, first read trunk, task sources, verification commands, copyable configurations, and hook boundaries; then use
    cross-agent-coordination
    to judge executable items, dependencies, and ownership.
  2. Group Tasks First: Do not default to one worker per Issue. Tasks with overlapping file scopes, belonging to the same chapter/module, or having dependency chains should be grouped and executed sequentially.
  3. Judge Parallel Safety: Only split into multiple worktrees for parallel execution when file scopes are clear, no shared migration/lock files/schema, and acceptance criteria are independent.
  4. Judge Whether to Trigger Anti-Escape Gate: As long as the user or project explicitly requires tmux/independent session/starting workers, execute according to §2.1; do not write business code before the gate is passed.
  5. Select Worker Backend and Runtime Profile: Select Claude Code/Codex/OpenCode/custom CLI/shell/ACP according to task complexity, current quota, model preferences, and whether independent processes are needed.
  6. PM Creates Isolated Environment: By default, PM creates worktree, branch, and session context directory, then passes the path to the worker; only when Claude Code official Agent Teams/agent view explicitly uses its own
    --worktree
    capability is Claude Code allowed to create, but PM still needs to verify the branch, path, and isolation status.
  7. Start Worker and Verify Gate: Give each worker clear target files, allowed modification scope, verification commands, session context directory, commit and PR requirements; confirm session survival, correct cwd/branch,
    STATUS.json
    appears, or bootstrap correction has been sent.
  8. PM Inspection: Prioritize viewing
    .claude/agent-sessions/<session-id>/STATUS.json
    ,
    RESULT.md
    ,
    PATCH_SUMMARY.md
    , git status, commit/PR status; for Claude official Agent Teams, prioritize reading
    ~/.claude/teams/<team>/
    and
    ~/.claude/tasks/<team>/
    , with
    claude agents --json
    , tmux pane, or agent view as fallback observation. Intervene when off-topic, blocked, scope expanded, or no phased commits.
  9. PM Accepts Instead of Writing: PM performs scope check, test review, and review on worker results; when problems are found, prioritize sending correction instructions or assigning to reviewer/another worker, do not default to modifying business code by yourself.
  10. Wrap-Up: After the worker commits and opens a PR, PM performs scope check, triggers review, merges and cleans up according to
    git-workflow
    .
  11. PM Must Perform Practical Verification: Before the worker claims "completion" for any software function modification (regardless of L1/L2/L3), PM must actually start the dev server (Vite dev/Tauri dev/corresponding entry), use Playwright MCP or screenshots to actually open the application, click buttons, switch tabs, adjust windows, input text, and write verification evidence (DOM measurement, key assertions, screenshots) into
    goal-contract.md
    or corresponding
    RESULT.md
    . Claiming "completion" only because typecheck/unit test/lint/build all pass is insufficient—these only prove "code can compile", not "function really works".

3.1 Wave-Based Orchestration

3.1 Wave-Based Orchestration

Wave 是在同一 base ref、同一批冲突假设下启动的一组并行 worker。它用来记录“本项目已经并行推进过几轮”、控制并发风险,并让 PM 在每轮结束后复盘 provider/model 表现。
Wave 启动前,PM 必须写清:
  • wave_id
    、base ref、目标、worker 清单、每个 worker 的分支/worktree/session。
  • 每个 worker 的类型:
    ui-wiring
    (低风险 UI 接线)、
    contract-extension
    (共享契约/依赖变更)、
    tauri-command
    (Rust/Tauri/本机依赖)、
    docs/research
    custom
  • runtime profile / provider / model / registry 或 settings/profile 路径 / 额度来源 / 并发槽位。超过 3-4 个 worker 时,不要压在单一 API provider 或同一个 provider key 上;应跨 Claude provider、Codex/OpenAI、OpenCode、local/OSS 等 profile 分流。
  • 共享风险:
    package.json
    、锁文件、
    src-tauri/
    src/shared/
    、全局布局、DEC 编号或同一模块入口。
  • 预期 PR 数、收口顺序、下一 Wave 进入条件。
并发数量不是固定 3 个。文件范围独立、验证命令独立、无共享契约冲突时,默认目标可提高到 4-6 个 worker;纯文档、翻译、i18n、互不重叠 UI 接线可以更多。涉及共享依赖、锁文件、Tauri command、全局布局、DEC race 或同一模块入口时,降到 1-3 个并按依赖顺序推进。
Provider slot 分配是 PM 的显式规划,不是脚本自动猜测:
  • 一个 slot 表示一条可并发额度 lane:
    backend + settings/profile path + provider + model + max_concurrency
  • Claude Code 第三方 provider 推荐用 registry + provider id + model alias 区分,例如
    config/claude-providers.local.json
    +
    <provider>/<model-alias>
    ;旧路径也可用具体 settings 文件区分,例如
    config/<your-provider>.settings.json
    。真实 registry/settings 文件保持本地 ignored,不提交;具体用哪个 provider/model 见 personal config。
  • Codex 用 Codex profile / model 区分;OpenCode 用
    provider/model
    profile 区分;custom worker 写明实际命令来源。
  • 默认同一 provider/settings 文件最多放 3 个 worker;只有低风险任务且上一 Wave 表现稳定时才放到 4 个。需要 5-6 个 worker 时,优先拆到第二 provider 或 Codex/OpenCode/local profile。
  • 高风险任务(共享契约、Tauri/Rust、本机依赖、锁文件)优先给上一 Wave 指令遵循和验证表现最好的 profile,且每个高风险共享域通常只开 1 个 worker。
  • 如果本机只有一个可用 settings/profile,不要为了凑人数启动 5-6 个 worker;把并发 cap 降到 3-4,剩余任务进入下一 Wave。
6-worker 示例:
Worker任务风险BackendSettings/ProfileSlot
W1Claude Code
config/<provider-a>.settings.json
<provider-a>-1
W2Claude Code
config/<provider-a>.settings.json
<provider-a>-2
W3Claude Code
config/<provider-b>.settings.json
<provider-b>-1
W4Claude Code
config/<provider-b>.settings.json
<provider-b>-2
W5文档/研究Codex
codex:<profile>
codex-1
W6重复性低风险OpenCode/custom
<provider/model or command label>
opencode-1
Wave 收口时,PM 记录每个 worker 的
merged
/
done-unmerged
/
blocked
/
deferred
/
restarted
,并评估模型/provider 表现:Isolation Gate、STATUS 心跳、commit 节奏、范围遵循、验证通过率、review 修复次数、diff 质量、阻塞/幻觉/环境误判。下一 Wave 根据该评估调整任务分配:高风险任务给指令遵循和工程可靠性更好的 profile,低风险重复任务给成本或吞吐更优的 profile。
Wave is a group of parallel workers started under the same base ref and same batch of conflict assumptions. It is used to record "how many rounds of parallel execution have been carried out in this project", control concurrency risks, and allow PM to review provider/model performance after each round.
Before starting a Wave, PM must clearly write:
  • wave_id
    , base ref, goal, worker list, branch/worktree/session for each worker.
  • Type of each worker:
    ui-wiring
    (low-risk UI wiring),
    contract-extension
    (shared contract/dependency change),
    tauri-command
    (Rust/Tauri/native dependency),
    docs/research
    ,
    custom
    .
  • Runtime profile/provider/model/registry or settings/profile path/quota source/concurrency slot. When there are more than 3-4 workers, do not press them on a single API provider or the same provider key; should divert across Claude providers, Codex/OpenAI, OpenCode, local/OSS profiles.
  • Shared risks:
    package.json
    , lock files,
    src-tauri/
    ,
    src/shared/
    , global layout, DEC number, or the same module entry.
  • Expected number of PRs, wrap-up order, entry conditions for next Wave.
The number of concurrent workers is not fixed at 3. When file scopes are independent, verification commands are independent, and no shared contract conflicts, the default target can be increased to 4-6 workers; pure documents, translation, i18n, non-overlapping UI wiring can have more. When involving shared dependencies, lock files, Tauri command, global layout, DEC race, or the same module entry, reduce to 1-3 workers and execute in dependency order.
Provider slot allocation is an explicit plan by PM, not automatically guessed by scripts:
  • A slot represents a concurrent quota lane:
    backend + settings/profile path + provider + model + max_concurrency
    .
  • For Claude Code third-party providers, it is recommended to distinguish by registry + provider id + model alias, e.g.,
    config/claude-providers.local.json
    +
    <provider>/<model-alias>
    ; old paths can also be distinguished by specific settings files, e.g.,
    config/<your-provider>.settings.json
    . Real registry/settings files remain locally ignored and not submitted; specific provider/model used see personal config.
  • Codex is distinguished by Codex profile/model; OpenCode is distinguished by
    provider/model
    profile; custom workers specify the actual command source.
  • By default, a maximum of 3 workers are placed in the same provider/settings file; only when tasks are low-risk and the previous Wave performed stably can it be increased to 4. When 5-6 workers are needed, prioritize splitting to the second provider or Codex/OpenCode/local profile.
  • High-risk tasks (shared contracts, Tauri/Rust, native dependencies, lock files) are prioritized to profiles with the best instruction compliance and verification performance in the previous Wave, and usually only 1 worker is opened per high-risk shared domain.
  • If there is only one available settings/profile locally, do not start 5-6 workers to凑 numbers; reduce the concurrency cap to 3-4, and remaining tasks enter the next Wave.
6-Worker Example:
WorkerTask RiskBackendSettings/ProfileSlot
W1HighClaude Code
config/<provider-a>.settings.json
<provider-a>-1
W2MediumClaude Code
config/<provider-a>.settings.json
<provider-a>-2
W3LowClaude Code
config/<provider-b>.settings.json
<provider-b>-1
W4LowClaude Code
config/<provider-b>.settings.json
<provider-b>-2
W5Docs/ResearchCodex
codex:<profile>
codex-1
W6Repetitive Low-RiskOpenCode/custom
<provider/model or command label>
opencode-1
When wrapping up a Wave, PM records each worker's
merged
/
done-unmerged
/
blocked
/
deferred
/
restarted
, and evaluates model/provider performance: Isolation Gate, STATUS heartbeat, commit rhythm, scope compliance, verification pass rate, number of review fixes, diff quality, blockage/hallucination/environment misjudgment. Adjust task allocation in the next Wave based on this evaluation: assign high-risk tasks to profiles with better instruction compliance and engineering reliability, assign low-risk repetitive tasks to profiles with better cost or throughput.

3.2 Goal-Driven Multi-Wave Loop

3.2 Goal-Driven Multi-Wave Loop

Orchestration Goal 是 PM 层目标循环,用来让多轮 Wave 在条件满足前持续推进。它不把所有任务交给单个 worker;PM 仍按 Wave 从任务源取下一批安全可并行项,worker 仍只执行自己的窄范围任务。
启动 Goal Loop 前,PM 必须写清 Goal Contract,模板见
templates/orchestration-goal.md
  • 任务源:如
    docs/TASKS.md
    、GitHub Issues、项目配置中的 issue file。
  • 成功条件:例如目标范围内没有可执行 pending task、所有已启动 worker 都进入
    merged
    /
    done-unmerged
    /
    blocked
    /
    deferred
    ,主干验证通过,文档已同步。
  • 自主级别:
    plan-only
    (只规划下一 Wave)、
    auto-launch
    (可自动开下一 Wave)、
    auto-review
    (可自动复核 worker 结果)、
    auto-merge
    (在项目规则允许时按
    git-workflow
    合并)。
  • 上限:最大 wave 数、每轮最大 worker、总 worker、预算/时间、provider 并发槽位。
  • 继续条件和停止条件。
PM 可在支持的宿主中使用 Claude Code / Codex 的
/goal
来包住 PM loop,但
/goal
只负责让 PM 持续执行循环,不替代本 Skill 的 worktree、tmux、checkpoint、review 和 merge 门禁。Goal prompt 必须写明“PM 不直接实现业务代码;实现仍由 worker 完成”。
每轮 Wave 收口后,PM 按以下顺序决定是否自动继续:
  1. 读取任务源,关闭已完成项,识别可执行 pending task、依赖、文件范围和共享风险。
  2. 确认当前 Wave 没有未处理的 failed/blocked worker、未验收 PR、base drift、冲突、主干验证失败或敏感/破坏性操作。
  3. 根据上一 Wave 的 provider/model 评估调整并发:干净通过可维持或小幅增加,出现冲突、范围越界、验证失败或限流则降并发。
  4. 若仍有可安全并行的任务,创建下一 Wave;若只剩高冲突/高风险任务,降为 1-2 个 worker 或停下请求用户确认。
  5. 若成功条件满足,写 final goal summary 并停止。
自动继续条件:
  • 上一 Wave 的 worker 均为
    merged
    done-unmerged
    deferred
    或明确
    blocked
    且不会影响下一 Wave。
  • 所有合并动作已按
    git-workflow
    处理,base ref、本地主干和远端主干一致或已明确记录差异。
  • 必需验证通过;跳过的验证有清楚原因且不影响下一 Wave。
  • 下一批任务的 allowed/forbidden files 清晰,且没有共享锁文件、schema、全局布局或 DEC 编号 race 未解决。
  • provider 并发槽位足够,且没有连续限流、长延迟或 worker 指令遵循退化。
必须停止并汇报的条件:
  • 任一 worker
    failed
    blocked
    且影响下一 Wave,或连续两次纠偏无效。
  • PR 冲突、base drift、主干验证失败、测试不稳定、merge 权限不足或 GitHub/CI 状态不明。
  • 下一批任务需要用户产品判断、破坏性文件操作、联网敏感处理、密钥/隐私处理或项目规则未授权的自动合并。
  • 任务源含糊、依赖未满足、文件范围高度重叠,或只剩共享契约/锁文件/Tauri command 等高风险任务。
  • 达到 Goal Contract 的 wave、worker、时间、预算或 provider 上限。
Orchestration Goal is the PM-level goal loop, used to make multiple rounds of Waves continue to advance until conditions are met. It does not hand all tasks to a single worker; PM still takes the next batch of safely parallelizable items from the task source according to Waves, and workers still only execute their narrow-scope tasks.
Before starting the Goal Loop, PM must clearly write the Goal Contract, template see
templates/orchestration-goal.md
:
  • Task source: e.g.,
    docs/TASKS.md
    , GitHub Issues, issue file in project configuration.
  • Success criteria: e.g., no executable pending tasks within the target scope, all started workers enter
    merged
    /
    done-unmerged
    /
    blocked
    /
    deferred
    , trunk verification passes, documents are synchronized.
  • Autonomy level:
    plan-only
    (only plan the next Wave),
    auto-launch
    (can automatically start the next Wave),
    auto-review
    (can automatically review worker results),
    auto-merge
    (merge according to
    git-workflow
    when project rules allow).
  • Upper limits: maximum number of waves, maximum workers per round, total workers, budget/time, provider concurrency slots.
  • Continue conditions and stop conditions.
PM can use Claude Code/Codex's
/goal
in supported hosts to wrap the PM loop, but
/goal
only responsible for making PM continue to execute the loop, not replacing the worktree, tmux, checkpoint, review, and merge gates of this Skill. The Goal prompt must clearly state "PM does not directly implement business code; implementation is still completed by workers".
After wrapping up each Wave, PM decides whether to continue automatically in the following order:
  1. Read the task source, close completed items, identify executable pending tasks, dependencies, file scopes, and shared risks.
  2. Confirm that the current Wave has no unprocessed failed/blocked workers, unaccepted PRs, base drift, conflicts, trunk verification failures, or sensitive/destructive operations.
  3. Adjust concurrency based on the provider/model evaluation of the previous Wave: maintain or slightly increase if cleanly passed, reduce concurrency if conflicts, scope overstepping, verification failures, or rate limits occur.
  4. If there are still safely parallelizable tasks, create the next Wave; if only high-conflict/high-risk tasks remain, reduce to 1-2 workers or stop to request user confirmation.
  5. If success criteria are met, write final goal summary and stop.
Automatic Continue Conditions:
  • All workers in the previous Wave are
    merged
    ,
    done-unmerged
    ,
    deferred
    , or clearly
    blocked
    and will not affect the next Wave.
  • All merge actions have been processed according to
    git-workflow
    , base ref, local trunk, and remote trunk are consistent or differences have been clearly recorded.
  • Required verifications pass; skipped verifications have clear reasons and do not affect the next Wave.
  • Allowed/forbidden files for the next batch of tasks are clear, and there are no unresolved shared lock files, schema, global layout, or DEC number race.
  • Provider concurrency slots are sufficient, and there is no continuous rate limit, long delay, or degradation of worker instruction compliance.
Conditions to Stop and Report:
  • Any worker is
    failed
    ,
    blocked
    and affects the next Wave, or continuous correction fails twice.
  • PR conflicts, base drift, trunk verification failure, unstable tests, insufficient merge permissions, or unclear GitHub/CI status.
  • The next batch of tasks requires user product judgment, destructive file operations, sensitive network processing, key/privacy processing, or automatic merge not authorized by project rules.
  • Task source is ambiguous, dependencies are not met, file scopes are highly overlapping, or only high-risk tasks such as shared contracts/lock files/Tauri command remain.
  • Reach the wave, worker, time, budget, or provider upper limits in the Goal Contract.

3.3 Optional Project Config

3.3 Optional Project Config

项目可放置
.claude/orchestration.config.json
,模板见
templates/project-config.json
。该配置只声明项目默认值,不替代 PM 判断,也不允许静默执行破坏性动作。
配置可声明:
  • trunk/base ref、任务源、默认 worktree/session context 路径。
  • 按 worker type 拆分的验证命令。
  • provider slot 默认计划,供 Goal/Wave 启动清单引用。
  • 可复制到 worktree 的非敏感配置文件,例如
    .npmrc.example
    或只读模板。
  • post-create / pre-merge hook 命令。
与 §2.4 个人偏好叠加(用户级 vs 项目级)
维度用户级(§2.4)项目级(§3.3)
路径
config/orchestration-personal.json
.claude/orchestration.config.json
内容个人主力 host、默认 model 轮换、Codex policy、跨工具 backend 默认 modeltrunk / 任务源 / 验证命令 / 本项目 provider slot 默认计划 / hook
谁写用户自己项目维护者
谁读PM 派 worker 前PM 启动 Wave 前
优先级低(个人通用偏好)高(项目覆盖个人)
例:个人偏好 host=claude-code + model=<你的模型>;项目级 provider slot 计划写"本 Wave 的 W3/W4 走 <某 provider>"——则 W3/W4 用该 provider,其他 worker 仍按个人偏好。两者不冲突,也不应互相复制;项目级不写个人偏好字段(避免把 dotfile 化进仓库)。
配置安全规则:
  • 永远不要默认复制
    .env
    、真实 settings、token、key、cookie、证书或账号凭证。
  • allowed_config_copy
    只允许非敏感文件;
    forbidden_config_copy
    命中时必须停止并报告。
  • hook 默认只是声明。PM 只有在项目规则或用户明确授权时才运行;运行前应展示命令,必要时先 dry-run。
  • spawn-worker.sh
    不自动读取项目配置、不自动复制配置、不自动执行 hook,避免把可选约定升级成隐式副作用。
  • 若配置缺失或字段不清楚,PM 回到 Skill 默认值:trunk=
    main
    、不复制配置、不跑 hook、只使用 worker prompt 明确列出的验证命令。
Projects can place
.claude/orchestration.config.json
, template see
templates/project-config.json
. This configuration only declares project defaults, does not replace PM judgment, and does not allow silent execution of destructive actions.
Configuration can declare:
  • Trunk/base ref, task source, default worktree/session context path.
  • Verification commands split by worker type.
  • Default provider slot plan, referenced by Goal/Wave startup list.
  • Non-sensitive configuration files that can be copied to worktree, e.g.,
    .npmrc.example
    or read-only templates.
  • Post-create/pre-merge hook commands.
叠加 with §2.4 Personal Preferences (User-Level vs Project-Level):
DimensionUser-Level (§2.4)Project-Level (§3.3)
Path
config/orchestration-personal.json
.claude/orchestration.config.json
ContentPersonal main host, default model rotation, Codex policy, default model for cross-tool backendsTrunk/task source/verification commands/default provider slot plan for this project/hooks
Who WritesUser themselvesProject maintainers
Who ReadsPM before assigning workersPM before starting Wave
PriorityLow (personal general preferences)High (project overrides personal)
Example: Personal preference host=claude-code + model=<your model>; project-level provider slot plan writes "W3/W4 of this Wave use <a certain provider>"—then W3/W4 use this provider, other workers still follow personal preferences. The two do not conflict and should not copy each other; project-level does not write personal preference fields (avoid dotfile into repository).
Configuration Security Rules:
  • Never copy
    .env
    , real settings, tokens, keys, cookies, certificates, or account credentials by default.
  • allowed_config_copy
    only allows non-sensitive files; must stop and report when
    forbidden_config_copy
    is hit.
  • Hooks are only declarations by default. PM only runs them when authorized by project rules or user explicitly; should display the command before running, and dry-run if necessary.
  • spawn-worker.sh
    does not automatically read project configuration, copy configuration, or execute hooks, avoiding upgrading optional conventions into implicit side effects.
  • If configuration is missing or fields are unclear, PM returns to Skill defaults: trunk=
    main
    , no configuration copied, no hooks run, only use verification commands explicitly listed in worker prompts.

4. 命名规则

4. Naming Rules

一处定义、各处引用一致(硬约束,实测踩坑)。 branch / worktree / session / run-dir / spec 必须从同一个 source 派生,在各处(PM Wave 计划、
spawn-worker.sh
参数、worker prompt 里写的 Branch/Worktree/Session Context、METADATA.json、回归库
runs/<variant>/
)引用完全一致。实测中 PM 手抖把
wr-v0107-<model-id>-ch08
wr-
前缀剥掉、或 branch 与 session 名对不上,直接导致 worker 的 Isolation Gate(
pwd
/
git branch --show-current
自检)拦截、sentinel 找不到
STATUS.json
、收口
git diff
验空 diff。规避:
  • PM 在 Wave 计划里一次写下
    {branch, worktree, session, run-dir}
    四元组,后续所有
    tmux send-keys
    / 纠偏 / 收口命令都从该四元组复制,不在中途重新键入或简化。
  • scripts/spawn-worker.sh
    内部已从单一 source 派生:
    BRANCH
    safe_branch
    (worktree-safe)→ 默认
    WORKTREE=.claude/worktrees/tmux-<safe_branch>
    SESSION_CONTEXT=<worktree>/.claude/agent-sessions/<session>
    。PM 只需保证传入的
    --branch
    --session
    本身一致且完整,helper 不会再让 worktree 与 branch 脱钩。
  • cross-model / 评测场景的命名四元组带模型标识(见
    agent-eval-lab
    的 model-aware 命名约定),整条链路用同一个
    variant_slug
    ,避免 PM 在不同环节用不同简称。
分支名面向远端协作和 PR,必须体现任务语义,不写执行来源。
text
docs/ch01-agent-intro
research/issue-13-ch08-materials
fix/agent-session-shell
worktree 路径只用于本地隔离,应加执行来源前缀:
text
.claude/worktrees/tmux-ch01-agent-intro
.claude/worktrees/team-agent-session-shell
.claude/worktrees/subagent-copyedit-ch02
不要把
tmux-
subagent-
team-
agentteam-
写进分支名。分支类型前缀和提交/PR 格式以
git-workflow
为准。
创建示例:
bash
git worktree add .claude/worktrees/tmux-ch01-agent-intro -b docs/ch01-agent-intro
git worktree add .claude/worktrees/team-agent-shell -b fix/agent-session-shell
Define once, reference consistently everywhere (hard constraint, tested pitfalls). branch/worktree/session/run-dir/spec must be derived from the same source, and referenced exactly consistently everywhere (PM Wave plan,
spawn-worker.sh
parameters, Branch/Worktree/Session Context written in worker prompt, METADATA.json, regression library
runs/<variant>/
). In actual tests, PM accidentally stripped the
wr-
prefix from
wr-v0107-<model-id>-ch08
, or branch and session name did not match, directly causing worker's Isolation Gate (self-check of
pwd
/
git branch --show-current
) to intercept, sentinel to fail to find
STATUS.json
, and wrap-up
git diff
to verify empty diff. Avoidance:
  • PM writes the
    {branch, worktree, session, run-dir}
    quadruple once in the Wave plan, and all subsequent
    tmux send-keys
    /correction/wrap-up commands are copied from this quadruple, not re-typed or simplified midway.
  • scripts/spawn-worker.sh
    internally derives from a single source:
    BRANCH
    safe_branch
    (worktree-safe) → default
    WORKTREE=.claude/worktrees/tmux-<safe_branch>
    SESSION_CONTEXT=<worktree>/.claude/agent-sessions/<session>
    . PM only needs to ensure that the passed
    --branch
    and
    --session
    are consistent and complete, and the helper will not decouple worktree from branch.
  • The naming quadruple for cross-model/evaluation scenarios includes model identification (see model-aware naming convention of
    agent-eval-lab
    ), and the entire link uses the same
    variant_slug
    , avoiding PM using different abbreviations in different links.
Branch names are for remote collaboration and PRs, must reflect task semantics, do not write execution sources.
text
docs/ch01-agent-intro
research/issue-13-ch08-materials
fix/agent-session-shell
Worktree paths are only for local isolation, should add execution source prefix:
text
.claude/worktrees/tmux-ch01-agent-intro
.claude/worktrees/team-agent-session-shell
.claude/worktrees/subagent-copyedit-ch02
Do not write
tmux-
,
subagent-
,
team-
,
agentteam-
into branch names. Branch type prefixes and commit/PR formats follow
git-workflow
.
Creation Example:
bash
git worktree add .claude/worktrees/tmux-ch01-agent-intro -b docs/ch01-agent-intro
git worktree add .claude/worktrees/team-agent-shell -b fix/agent-session-shell

4.1 Session Context 目录

4.1 Session Context Directory

Worker 的本地状态统一写到当前 worktree 的
.claude/agent-sessions/<session-id>/
(下文简称 Session Context),复用项目既有
.claude/
协作空间,与 Claude Code 官方 Agent Teams 状态源明确区分。
text
.claude/agent-sessions/legal-ch01/METADATA.json
.claude/agent-sessions/legal-ch01/STATUS.json
.claude/agent-sessions/legal-ch01/RESULT.md
.claude/agent-sessions/legal-ch01/PATCH_SUMMARY.md
Claude Code 官方 Agent Teams 是另一套机制:团队配置在用户目录
~/.claude/teams/<team-name>/config.json
,任务状态在
~/.claude/tasks/<team-name>/
,inbox 在
~/.claude/teams/<team-name>/inboxes/
。使用官方 Agent Teams 时优先读写这些官方状态源;不要在项目里自造
.claude/teams/
来冒充官方 team。
.claude/agent-sessions/
是 PM 巡检状态,不属于业务 diff。PM 和 worker 都必须确认它不进入 commit / push / PR;需要时由 PM 在对应 worktree 的本地 exclude 中忽略。
Worker's local status is uniformly written to
.claude/agent-sessions/<session-id>/
in the current worktree (hereinafter referred to as Session Context), reusing the project's existing
.claude/
collaboration space, clearly distinguished from Claude Code official Agent Teams status sources.
text
.claude/agent-sessions/legal-ch01/METADATA.json
.claude/agent-sessions/legal-ch01/STATUS.json
.claude/agent-sessions/legal-ch01/RESULT.md
.claude/agent-sessions/legal-ch01/PATCH_SUMMARY.md
Claude Code official Agent Teams is another set of mechanisms: team configuration is in user directory
~/.claude/teams/<team-name>/config.json
, task status is in
~/.claude/tasks/<team-name>/
, inbox is in
~/.claude/teams/<team-name>/inboxes/
. When using official Agent Teams, prioritize reading and writing these official status sources; do not create
.claude/teams/
in the project to impersonate official teams.
.claude/agent-sessions/
is for PM inspection status, not part of business diff. Both PM and worker must confirm that it does not enter commit/push/PR; if needed, PM ignores it in the local exclude of the corresponding worktree.

5. Worker Prompt 模板

5. Worker Prompt Template

Worker prompt 应像启动 subagent 一样给足上下文:任务来源、验收标准、允许文件、禁止文件、验证命令、checkpoint 协议、隔离自检和 PM 纠偏协议都要写清。不要只给一句“实现某功能”,否则 worker 容易把环境、依赖或相关技术债扩展成自己的任务。
模板放在
templates/worker-prompt.md
,包含两个可复制段落:
  • Bootstrap-only prompt:只创建
    STATUS.json
    ,适合高延迟 provider 或 high-effort 模型的第一条消息。
  • Full worker prompt:按 Context / Background / Mission / Scope / Deliverables / Process / Verification / Autonomy / Out of Scope / PM Correction 组织,接近派发 subagent 时的写法。
对高延迟 provider 或 high-effort 模型,优先用两段式启动:第一条消息使用 Bootstrap-only prompt 创建
Session Context/STATUS.json
并回报 runtime;PM 确认 checkpoint 后,再发送 Full worker prompt。这样能避免 worker 在长思考前没有可观测状态。
Worker prompts should provide sufficient context like starting a subagent: task source, acceptance criteria, allowed files, forbidden files, verification commands, checkpoint protocol, isolation self-check, and PM correction protocol must be clearly written. Do not only give a sentence like "implement a certain function", otherwise workers may expand environment, dependencies, or related technical debts into their own tasks.
The template is placed in
templates/worker-prompt.md
, containing two copyable paragraphs:
  • Bootstrap-only prompt: only creates
    STATUS.json
    , suitable for the first message of high-latency providers or high-effort models.
  • Full worker prompt: organized by Context/Background/Mission/Scope/Deliverables/Process/Verification/Autonomy/Out of Scope/PM Correction, close to the writing style when assigning subagents.
For high-latency providers or high-effort models, prioritize two-stage startup: the first message uses Bootstrap-only prompt to create
Session Context/STATUS.json
and report runtime; after PM confirms the checkpoint, send the Full worker prompt. This avoids workers having no observable status before long thinking.

5.1 模板使用纪律(必读,实测踩坑)

5.1 Template Usage Discipline (Must Read, Tested Pitfalls)

PM 派 worker 时必须以
templates/worker-prompt.md
的 Full Worker Prompt 为骨架
,把业务任务(Issue / 任务卡 /
.task-issueN.md
内容)填进 Background / Mission / Scope / Deliverables / Verification 字段。不要用自定义简化 prompt(例如只写一个 BOOTSTRAP.md 指向业务
.task
文件)替代模板骨架
——即便业务
.task
文件写得很细,没有模板骨架的编排层硬约束,worker 仍会在流程层失守。
模板里这些段落是 worker 可观测性和收口正确性的硬约束,省略会直接导致收口失败(以下后果均有实测对应):
  • Isolation Gate:worker 先确认
    pwd
    /
    git branch
    ,否则可能在 main 或错误 worktree 误改。
  • Heartbeat cadence(每 10 分钟强制更 STATUS,即使无进展也写
    phase=thinking-deep
    :PM 靠
    STATUS.updated_at
    检测 silent worker。省略则 worker 写一次初始 STATUS 后再也不更新,PM 巡检信号失真、无法判断卡点。
  • Commit Cadence + "commit 是强制收尾步骤":即使任务要求"不 push / 不开 PR",worker 也必须先
    git add
    +
    git commit
    自己的产出。省略则 worker 改完文件不 commit,PM 收口时
    git diff --check main...HEAD
    验的是空 diff(HEAD 仍在 base,假通过),PM 只能替 worker commit。rebase / reset 后尤其要重新确认改动已 commit。
  • Canonical terminal status(
    status="done"
    字面值)
    :sentinel 状态机按字面
    done
    匹配。省略则 worker 可能写
    completed
    /
    finished
    同义词,sentinel 不退出、PM 不被 harness 唤醒、worker 孤儿到
    --max-wait
    超时。
业务任务文件(
.task-issueN.md
等)可作为 Mission / Scope 的附件让 worker 读取,但编排层骨架(Isolation Gate / Heartbeat / Commit / done 字面值)必须来自模板,不能靠业务文件或自定义 BOOTSTRAP 兜底。PM 若发现自己在手写 BOOTSTRAP 替代模板,应停下,改为套用
templates/worker-prompt.md
再派发。
When assigning workers, PM must use the Full Worker Prompt skeleton from
templates/worker-prompt.md
, and fill business tasks (Issue/task card/
.task-issueN.md
content) into Background/Mission/Scope/Deliverables/Verification fields. Do not use custom simplified prompts (e.g., only write a BOOTSTRAP.md pointing to business
.task
files) to replace the template skeleton
—even if the business
.task
file is written in detail, without the hard constraints of the orchestration layer skeleton, workers will still lose control at the process layer.
These paragraphs in the template are hard constraints for worker observability and wrap-up correctness, and omitting them will directly lead to wrap-up failure (the following consequences have corresponding actual tests):
  • Isolation Gate: Worker first confirms
    pwd
    /
    git branch
    , otherwise may modify by mistake in main or wrong worktree.
  • Heartbeat cadence (force update STATUS every 10 minutes, even write
    phase=thinking-deep
    if no progress)
    : PM relies on
    STATUS.updated_at
    to detect silent workers. Omitting it causes workers to write initial STATUS once and never update again, distorting PM inspection signals and making it impossible to judge stuck points.
  • Commit Cadence + "commit is a mandatory wrap-up step": Even if the task requires "no push/no PR", workers must first
    git add
    +
    git commit
    their outputs. Omitting it causes workers to modify files without committing, and PM verifies empty diff when wrapping up with
    git diff --check main...HEAD
    (HEAD is still at base, false pass), and PM has to commit for workers. Especially after rebase/reset, reconfirm that changes have been committed.
  • Canonical terminal status (literal
    status="done"
    )
    : The sentinel state machine matches literal
    done
    . Omitting it causes workers to write synonyms like
    completed
    /
    finished
    , sentinel does not exit, PM is not woken up by harness, and worker becomes orphan until
    --max-wait
    timeout.
Business task files (
.task-issueN.md
, etc.) can be attached to Mission/Scope for workers to read, but the orchestration layer skeleton (Isolation Gate/Heartbeat/Commit/done literal) must come from the template, cannot rely on business files or custom BOOTSTRAP for fallback. If PM finds himself writing BOOTSTRAP instead of using the template, he should stop and instead apply
templates/worker-prompt.md
before assigning.

6. 启动方式

6. Startup Methods

默认工具面保持收敛:
  • check-dependencies.sh
    :新机器或启动 Wave 前做一次 preflight。
  • claude-provider-env.sh
    :Claude Code 第三方 provider worker 的 registry/settings-derived env 隔离 wrapper。
  • render-runtime-profile.sh
    :为每个 worker 渲染 backend/settings/profile/model/slot 和启动命令。
  • spawn-worker.sh
    :创建 worktree、Session Context 和 tmux session。
  • sentinel.sh
    :每个 worker 一个,PM 用
    run_in_background=true
    启,worker 终态时唤起 PM(见 §7.2)。
  • pm-monitor.sh
    :多 worker/Wave 巡检;单 worker 或宿主唤醒才用
    wait-worker.sh
项目配置模板见
templates/project-config.json
。PM 可以把其中的 trunk、验证命令和 provider slot 复制到本轮 Goal/Wave 计划,但脚本不会自动套用该配置。
其余脚本只在对应场景使用:
worktree-status.sh
做只读总览,
clean-worktree.sh
做 dry-run 清理,
smoke-tmux-worker.sh
/
lint-wait-script.sh
只做 Skill 自测,
terminal-split.sh
只是可选可视化辅助,不属于默认启动路径。
默认用
scripts/spawn-worker.sh
创建 worktree、Session Context 和 tmux session;它只负责隔离和启动,PM 仍必须发送
templates/worker-prompt.md
并确认
STATUS.json
。不同 backend/profile 的启动命令可先用
scripts/render-runtime-profile.sh
生成,减少手写环境差异。
bash
eval "$(bash scripts/render-runtime-profile.sh \
  --backend claude-code \
  --runtime-profile minimax \
  --api-provider minimax \
  --model m3 \
  --provider-slot minimax-1 \
  --provider-registry config/claude-providers.local.json)"

bash scripts/spawn-worker.sh \
  --project /path/to/repo \
  --branch docs/ch01-agent-intro \
  --session legal-ch01 \
  --worker-backend "$WORKER_BACKEND" \
  --runtime-profile "$RUNTIME_PROFILE" \
  --api-provider "$API_PROVIDER" \
  --model "$MODEL" \
  --provider-slot "$PROVIDER_SLOT" \
  --env-isolation "$PROVIDER_ENV_ISOLATION" \
  --verify-cmd 'npm run typecheck' \
  --command "$WORKER_COMMAND"
启动后必须通过最小门禁:
tmux has-session
存活、pane cwd 指向 worktree、
git branch --show-current
等于目标分支、
Session Context/METADATA.json
已记录 base/runtime/verification、
Session Context/STATUS.json
在 1-2 分钟内出现。失败时停止 session 或发送 bootstrap correction,不要在 PM 主目录继续实现。
常用 worker command:
  • Claude Code 第三方 provider(推荐 registry):用
    render-runtime-profile.sh --backend claude-code --provider-registry <local-registry.json> --api-provider <provider-id> --model <model-alias>
    生成命令;默认会包
    scripts/claude-provider-env.sh
    ,并把模型别名解析成真实
    claude --model <provider-model>
    。真实 registry 不提交;模板见
    config/claude-provider-registry.example.json
  • Claude Code 第三方 provider(兼容 settings):也可用
    render-runtime-profile.sh --backend claude-code --settings <local-provider.settings.json> --model <provider-model>
    生成命令;真实 settings 不提交;模板见
    config/claude-provider-settings.example.json
    。启动后必须检查 banner 模型名;若仍显示用户默认 provider,先停 worker 排查 registry/settings / wrapper / 环境继承。
  • Claude Code 订阅/OAuth:
    env -u ANTHROPIC_API_KEY -u ANTHROPIC_AUTH_TOKEN -u ANTHROPIC_BASE_URL claude --permission-mode auto
  • Claude Code 批处理:用
    render-runtime-profile.sh --backend claude-code --mode batch --settings <settings> --model <provider-model> --prompt-file /tmp/task.prompt.md
    生成;第三方 provider 同样默认包
    claude-provider-env.sh
    ,batch 输出会自动包
    bash -lc
    处理重定向。
  • Codex:
    codex exec -a never -s danger-full-access - < /tmp/task.prompt.md
  • OpenCode:
    opencode run --format json --model <provider/model> "$(cat /tmp/task.prompt.md)"
    ,或交互式
    opencode --model <provider/model>
  • WorkBuddy / CodeBuddy(
    codebuddy
    ):用
    render-runtime-profile.sh --backend codebuddy --model <平台模型> [--no-mcp] [--dangerously-skip-permissions]
    生成;吃 WorkBuddy 桌面端登录态和平台额度,无需 API Key。详见
    references/08-workbuddy-cli-worker.md
  • QoderWork CN(
    qoderclicn
    ):用
    render-runtime-profile.sh --backend qoderwork-cn --model <平台模型> [--no-mcp] [--dangerously-skip-permissions]
    生成;脚本自动前置
    env -u
    清除 SDK 变量、处理含空格的二进制路径。详见
    references/07-qoderwork-cli-worker.md
  • 自定义 CLI:任何能在指定 cwd 运行、接收 prompt、落盘 checkpoint 的命令。
<
redirect 必须用
bash -lc
(FaroPDF Wave 1 实战,见 [DEC-033]):
spawn-worker.sh:305
内部
tmux new-session -d -s "$SESSION" -c "$WORKTREE" "$COMMAND"
直接 exec command(不通过 shell),
<
/
>
/
|
/
&&
等 shell metachar 不展开。如果
--command
<
重定向,必须包
bash -lc 'real-command < /tmp/prompt.md'
,否则 worker 进程拿不到 stdin 立即退出,sentinel 等
--max-wait
才 timeout。错误:
--command 'claude -p < /tmp/x.md'
;正确:
--command "bash -lc 'claude -p < /tmp/x.md'"
claude
-p
batch 模式有 autocompact thrash 风险
(FaroPDF Wave 1 实战,见 [DEC-033]):
-p
是 print-and-exit 一发跑完模式,PM 无法中途纠偏。大 prompt(> 5KB)+ 大项目 codebase 会触发 claude 内部
Autocompact is thrashing
3 次后自动终止,worker 永远不到达终态,sentinel 等到
--max-wait
。规避:(a)拆小 prompt < 3KB;(b)改用交互式
claude
+
tmux send-keys
投递 prompt(可纠偏);(c)窄 scope worker(避免 claude 加载整个 codebase context)。
不要设
--max-turns
:PM 重点是检测 worker 是否真在推进,而不是限制 turn 数。长任务通过
STATUS.json.updated_at
、阶段性 commit、
pm-monitor.sh
stale 事件和 PM 纠偏控制。
Claude Code agent view / 官方后台会话可作为 Claude 专用后端:
claude agents
claude agents --json
、版本支持时的
--worktree --tmux
--bg
/bg
。使用前以本机
claude --help
/
claude agents --help
为准;只有能证明独立 cwd/worktree、可巡检状态和可接管会话时,才可替代 tmux。
Agent Teams 适合 Claude Code 团队式协作;仍要使用 worktree 隔离并把
workdir
指向带来源前缀的 worktree。ACP 只在 adapter 已稳定、能输出结构化状态时启用。Subagent 仅用于轻量、边界窄、输入少的任务;需要长时间写作、独立提交 PR 或跨大量材料整合时升级为 tmux / agent view / Agent Teams。
Default tool surface remains convergent:
  • check-dependencies.sh
    : Perform preflight once before starting Wave on a new machine.
  • claude-provider-env.sh
    : Registry/settings-derived env isolation wrapper for Claude Code third-party provider workers.
  • render-runtime-profile.sh
    : Render backend/settings/profile/model/slot and startup command for each worker.
  • spawn-worker.sh
    : Create worktree, Session Context, and tmux session.
  • sentinel.sh
    : One per worker, PM starts with
    run_in_background=true
    , wakes up PM when worker reaches terminal state (see §7.2).
  • pm-monitor.sh
    : Inspection for multiple workers/Waves; use
    wait-worker.sh
    only for single worker or host wake-up.
Project configuration template see
templates/project-config.json
. PM can copy trunk, verification commands, and provider slots from it to the current Goal/Wave plan, but scripts will not automatically apply this configuration.
Other scripts are only used in corresponding scenarios:
worktree-status.sh
for read-only overview,
clean-worktree.sh
for dry-run cleanup,
smoke-tmux-worker.sh
/
lint-wait-script.sh
only for Skill self-test,
terminal-split.sh
is only optional visualization aid, not part of the default startup path.
By default, use
scripts/spawn-worker.sh
to create worktree, Session Context, and tmux session; it only responsible for isolation and startup, PM still must send
templates/worker-prompt.md
and confirm
STATUS.json
. Startup commands for different backends/profiles can be generated first with
scripts/render-runtime-profile.sh
to reduce manual environment differences.
bash
eval "$(bash scripts/render-runtime-profile.sh \
  --backend claude-code \
  --runtime-profile minimax \
  --api-provider minimax \
  --model m3 \
  --provider-slot minimax-1 \
  --provider-registry config/claude-providers.local.json)"

bash scripts/spawn-worker.sh \
  --project /path/to/repo \
  --branch docs/ch01-agent-intro \
  --session legal-ch01 \
  --worker-backend "$WORKER_BACKEND" \
  --runtime-profile "$RUNTIME_PROFILE" \
  --api-provider "$API_PROVIDER" \
  --model "$MODEL" \
  --provider-slot "$PROVIDER_SLOT" \
  --env-isolation "$PROVIDER_ENV_ISOLATION" \
  --verify-cmd 'npm run typecheck' \
  --command "$WORKER_COMMAND"
After startup, must pass the minimum gate:
tmux has-session
is alive, pane cwd points to worktree,
git branch --show-current
equals target branch,
Session Context/METADATA.json
has recorded base/runtime/verification,
Session Context/STATUS.json
appears within 1-2 minutes. If failed, stop session or send bootstrap correction, do not continue implementation in PM main directory.
Common Worker Commands:
  • Claude Code third-party provider (recommended registry): Use
    render-runtime-profile.sh --backend claude-code --provider-registry <local-registry.json> --api-provider <provider-id> --model <model-alias>
    to generate command; by default wraps
    scripts/claude-provider-env.sh
    , and parses model alias into real
    claude --model <provider-model>
    . Real registry is not submitted; template see
    config/claude-provider-registry.example.json
    .
  • Claude Code third-party provider (compatible settings): Can also use
    render-runtime-profile.sh --backend claude-code --settings <local-provider.settings.json> --model <provider-model>
    to generate command; real settings are not submitted; template see
    config/claude-provider-settings.example.json
    . After startup, must check banner model name; if still displays user default provider, stop worker first to troubleshoot registry/settings/wrapper/environment inheritance.
  • Claude Code subscription/OAuth:
    env -u ANTHROPIC_API_KEY -u ANTHROPIC_AUTH_TOKEN -u ANTHROPIC_BASE_URL claude --permission-mode auto
    .
  • Claude Code batch processing: Use
    render-runtime-profile.sh --backend claude-code --mode batch --settings <settings> --model <provider-model> --prompt-file /tmp/task.prompt.md
    to generate; third-party providers also wrap
    claude-provider-env.sh
    by default, and batch output is automatically wrapped with
    bash -lc
    to handle redirection.
  • Codex:
    codex exec -a never -s danger-full-access - < /tmp/task.prompt.md
    .
  • OpenCode:
    opencode run --format json --model <provider/model> "$(cat /tmp/task.prompt.md)"
    , or interactive
    opencode --model <provider/model>
    .
  • WorkBuddy/CodeBuddy (
    codebuddy
    ): Use
    render-runtime-profile.sh --backend codebuddy --model <platform model> [--no-mcp] [--dangerously-skip-permissions]
    to generate; uses WorkBuddy desktop login state and platform quota, no API Key required. See
    references/08-workbuddy-cli-worker.md
    for details.
  • QoderWork CN (
    qoderclicn
    ): Use
    render-runtime-profile.sh --backend qoderwork-cn --model <platform model> [--no-mcp] [--dangerously-skip-permissions]
    to generate; script automatically prepends
    env -u
    to clear SDK variables and handles binary paths with spaces. See
    references/07-qoderwork-cli-worker.md
    for details.
  • Custom CLI: Any command that can run in specified cwd, receive prompt, and save checkpoint to disk.
<
redirect must be wrapped with
bash -lc
(FaroPDF Wave 1 practice, see [DEC-033]):
spawn-worker.sh:305
internally
tmux new-session -d -s "$SESSION" -c "$WORKTREE" "$COMMAND"
directly exec command (not via shell), so shell metachar like
<
/
>
/
|
/
&&
are not expanded. If
--command
contains
<
redirect, must wrap with
bash -lc 'real-command < /tmp/prompt.md'
, otherwise worker process gets no stdin and exits immediately, sentinel waits until
--max-wait
timeout. Wrong:
--command 'claude -p < /tmp/x.md'
; Correct:
--command "bash -lc 'claude -p < /tmp/x.md'"
.
claude
-p
batch mode has autocompact thrash risk
(FaroPDF Wave 1 practice, see [DEC-033]):
-p
is print-and-exit one-time run mode, PM cannot correct midway. Large prompt (>5KB) + large project codebase will trigger claude internal
Autocompact is thrashing
3 times and then automatically terminate, worker never reaches terminal state, sentinel waits until
--max-wait
. Avoidance: (a) split prompt to <3KB; (b) use interactive
claude
+
tmux send-keys
to deliver prompt (correctable); (c) narrow scope worker (avoid claude loading entire codebase context).
Do not set
--max-turns
: PM focuses on detecting whether workers are really advancing, not limiting the number of turns. Long tasks are controlled via
STATUS.json.updated_at
, phased commits,
pm-monitor.sh
stale events, and PM corrections.
Claude Code agent view/official backend sessions can be used as Claude-specific backends:
claude agents
,
claude agents --json
,
--worktree --tmux
,
--bg
or
/bg
when version supports. Use local
claude --help
/
claude agents --help
as standard before use; only can replace tmux if it can prove independent cwd/worktree, inspectable status, and takable sessions.
Agent Teams is suitable for Claude Code team-style collaboration; still need to use worktree isolation and point
workdir
to worktree with source prefix. ACP is only enabled when adapter is stable and can output structured status. Subagent is only used for lightweight, narrow-boundary, low-input tasks; upgrade to tmux/agent view/Agent Teams when long-time writing, independent PR submission, or integration across large amounts of materials is needed.

7. 巡检与介入

7. Inspection and Intervention

PM 巡检信号:
  • worktree 是否有文件落盘、commit、PR。
  • .claude/agent-sessions/<session-id>/METADATA.json
    是否记录 base ref、runtime profile、provider slot、验证命令和 PR 占位。
  • .claude/agent-sessions/<session-id>/STATUS.json
    是否更新,是否报告 blocked / needs_input / done。
  • .claude/agent-sessions/<session-id>/RESULT.md
    PATCH_SUMMARY.md
    是否存在,摘要是否足够 PM 不读完整日志也能验收。
  • tmux pane 是否长时间只读材料、等待确认、偏题联网、反复规划不执行。
  • worker 是否扩大改动范围或触碰共享文件。
  • PR diff 是否只覆盖声明范围。
介入规则:
  • 有持续输出、checkpoint 更新或文件在增长时继续等待。
  • 启动后 1-2 分钟仍没有
    Session Context/STATUS.json
    时,先发送 checkpoint-only 纠偏;仍无响应时中断当前思考并重发 bootstrap 指令,不直接接管实现。
  • 长时间无落盘但仍在规划时,先发送更窄的“先写目标文件”命令。
  • worker 跳过 10-15 分钟 STATUS 心跳或 30-60 分钟阶段性 commit 时,PM 主动发送纠偏,要求立刻更新 STATUS 或提交当前已验证阶段;5 分钟内仍无 STATUS/commit/文件进展变化时,升级为重启 worker、派 reviewer 或 PM 窄范围收口。
  • 发现轻度偏题、范围扩大、开始修环境/依赖、等待确认或验证方式偏离时,优先通过 tmux / agent view / inbox 发送纠偏指令,让 worker 自己回到范围内执行。
  • 只有连续两次纠偏无效、worker 继续触碰禁止范围、准备执行破坏性 Git/文件操作、泄露敏感信息、或已无法在原 session 内恢复时,才停止 session 并由 PM 接管。
  • 失败、重启或停止前先保留 worktree 和
    Session Context
    ,避免丢失已落盘产物。
tmux 纠偏示例:
bash
tmux send-keys -t legal-ch01 -l -- "PM correction: stop dependency/runtime changes now. Return to ISS-017 only. Do not modify package files or environment config. Update .claude/agent-sessions/legal-ch01/STATUS.json with needs_input=false and continue with the OCR quality report scope."
sleep 0.1
tmux send-keys -t legal-ch01 Enter
纠偏 prompt 应包含四件事:停止什么、回到哪个任务、哪些文件/动作仍然禁止、下一步最小可执行动作。不要只写“你偏题了”。
完整字段见
references/03-checkpoint-files.md
,可复制模板见
templates/checkpoint-status.json
templates/checkpoint-result.md
templates/checkpoint-patch-summary.md
。PM 默认只读这些 checkpoint 和最终 diff,不定时拉完整日志。
可选自动 PM 监控脚本(保留 Agent Teams inbox、任务状态、Git SHA、PR 状态和 tmux session 多维巡检能力):
bash
bash scripts/pm-monitor.sh \
  --project /path/to/repo \
  --team-dir ~/.claude/teams/team-name \
  --tasks-dir ~/.claude/tasks/tasks-uuid \
  --claude-agents-cwd /path/to/repo \
  --wave-id wave-5 \
  --commit-stale-threshold 1800 \
  --progress-stale-threshold 1800 \
  --interval 60 \
  --log-file .claude/agent-sessions/pm-monitor/events.log \
  --branch docs/ch01-agent-intro:legal-ch01
经济型巡检规则:
  • 不要让 PM 主会话每隔几分钟手动读取 worker 日志;那会抵消多 Agent 的 token efficiency。
  • 轻量检查用
    pm-monitor.sh --once
    ,由 PM 在需要判断是否介入时运行一次,只读取事件行。
  • 长任务用独立 shell/tmux/background job 运行
    pm-monitor.sh --log-file ...
    ,脚本持续写事件日志;PM 只在状态变化、用户询问、PR 收口或日志出现
    AGENT_NEEDS_INPUT
    /
    CHECKPOINT_STALE
    /
    CHECKPOINT_TEST_FAILURE
    时读取少量日志。
  • 当前脚本只负责输出事件和写日志;是否自动唤起 PM 取决于宿主环境是否提供 automation / monitor / webhook。没有宿主唤醒能力时,默认用
    --once
    或低频读取 log tail,仍比前台反复巡检节省上下文。
  • STATUS.json
    只记录 PM 决策必需的结构化信号,详细实现说明继续写
    RESULT.md
    PATCH_SUMMARY.md
  • 单个 worker 的只读总览用
    scripts/worktree-status.sh
    ;清理用
    scripts/clean-worktree.sh
    ,默认 dry-run,真正删除必须显式
    --execute
PM Inspection Signals:
  • Whether worktree has files saved to disk, commits, PRs.
  • Whether
    .claude/agent-sessions/<session-id>/METADATA.json
    records base ref, runtime profile, provider slot, verification commands, and PR placeholder.
  • Whether
    .claude/agent-sessions/<session-id>/STATUS.json
    is updated, whether it reports blocked/needs_input/done.
  • Whether
    .claude/agent-sessions/<session-id>/RESULT.md
    and
    PATCH_SUMMARY.md
    exist, whether the summary is sufficient for PM to accept without reading full logs.
  • Whether tmux pane reads materials for a long time, waits for confirmation, goes off-topic online, repeatedly plans without execution.
  • Whether workers expand modification scope or touch shared files.
  • Whether PR diff only covers declared scope.
Intervention Rules:
  • Continue waiting when there is continuous output, checkpoint update, or file growth.
  • When
    Session Context/STATUS.json
    still does not appear 1-2 minutes after startup, first send checkpoint-only correction; if still no response, interrupt current thinking and resend bootstrap instruction, do not directly take over implementation.
  • When no files are saved for a long time but still planning, first send a narrower command "write target file first".
  • When workers skip 10-15 minutes STATUS heartbeat or 30-60 minutes phased commit, PM actively sends correction, requiring immediate STATUS update or submission of current verified phase; if no STATUS/commit/file progress change within 5 minutes, upgrade to restart worker, assign reviewer, or PM narrow-range wrap-up.
  • When mild off-topic, scope expansion, starting to fix environment/dependencies, waiting for confirmation, or verification method deviation is found, prioritize sending correction instructions via tmux/agent view/inbox, let workers return to scope execution by themselves.
  • Only stop the session and take over by PM when continuous correction fails twice, workers continue to touch forbidden scope, prepare to execute destructive Git/file operations, leak sensitive information, or cannot recover in the original session.
  • Retain worktree and
    Session Context
    before failure, restart, or stop, avoid losing saved outputs.
tmux Correction Example:
bash
tmux send-keys -t legal-ch01 -l -- "PM correction: stop dependency/runtime changes now. Return to ISS-017 only. Do not modify package files or environment config. Update .claude/agent-sessions/legal-ch01/STATUS.json with needs_input=false and continue with the OCR quality report scope."
sleep 0.1
tmux send-keys -t legal-ch01 Enter
Correction prompt should include four things: what to stop, which task to return to, which files/actions are still forbidden, next minimal executable action. Do not only write "you are off-topic".
Complete fields see
references/03-checkpoint-files.md
, copyable templates see
templates/checkpoint-status.json
,
templates/checkpoint-result.md
, and
templates/checkpoint-patch-summary.md
. PM defaults to reading only these checkpoints and final diff, does not pull full logs regularly.
Optional Automatic PM Monitoring Script (retains multi-dimensional inspection capabilities for Agent Teams inbox, task status, Git SHA, PR status, and tmux session):
bash
bash scripts/pm-monitor.sh \
  --project /path/to/repo \
  --team-dir ~/.claude/teams/team-name \
  --tasks-dir ~/.claude/tasks/tasks-uuid \
  --claude-agents-cwd /path/to/repo \
  --wave-id wave-5 \
  --commit-stale-threshold 1800 \
  --progress-stale-threshold 1800 \
  --interval 60 \
  --log-file .claude/agent-sessions/pm-monitor/events.log \
  --branch docs/ch01-agent-intro:legal-ch01
Economical Inspection Rules:
  • Do not let PM main session manually read worker logs every few minutes; this will offset token efficiency of multi-agent.
  • Use
    pm-monitor.sh --once
    for lightweight check, run once by PM when needing to judge whether to intervene, only read event lines.
  • For long tasks, run
    pm-monitor.sh --log-file ...
    in independent shell/tmux/background job, script continuously writes event logs; PM only reads a small amount of logs when status changes, user asks, PR wraps up, or logs show
    AGENT_NEEDS_INPUT
    /
    CHECKPOINT_STALE
    /
    CHECKPOINT_TEST_FAILURE
    .
  • Current script only responsible for outputting events and writing logs; whether to automatically wake up PM depends on whether the host environment provides automation/monitor/webhook. When no host wake-up capability, default to
    --once
    or low-frequency reading of log tail, still saves context compared to repeated foreground inspection.
  • STATUS.json
    only records structured signals necessary for PM decision-making, detailed implementation instructions continue to be written in
    RESULT.md
    and
    PATCH_SUMMARY.md
    .
  • Use
    scripts/worktree-status.sh
    for read-only overview of single worker; use
    scripts/clean-worktree.sh
    for cleanup, default dry-run, explicit
    --execute
    required for real deletion.

7.1 主动等待与宿主唤醒

7.1 Active Waiting and Host Wake-Up

scripts/wait-worker.sh
是单 worker 等待器,不替代
pm-monitor.sh
。它主读一个
STATUS.json
,在
done
failed
blocked
stopped
时退出并输出
RESULT.md
/
PATCH_SUMMARY.md
路径。适合把“worker 完成时通知 PM”接到不同宿主。
状态源分层:
  • METADATA.json
    是 PM 启动时写入的静态上下文,记录 base/runtime/provider/verification,不作为完成判定。
  • STATUS.json
    /
    RESULT.md
    /
    PATCH_SUMMARY.md
    是完成、阻塞、验证和收口的主协议。
  • tmux capture-pane
    是诊断窗口,只在 checkpoint 缺失、过期、终态或显式要求时读取尾部输出。
  • 不用 tmux pane 文本判断任务完成;完成标准仍是 checkpoint、git diff、验证和 PR 状态。
Claude Code PM:
  • Bash background/run-in-background 只能让等待器在后台运行,不保证触发或唤醒当前 PM / agent session;多 worker 同时等待时尤其可能没有任何完成消息返回。
  • 不要把 background Bash 当作可靠完成通知机制。它最多作为日志写入器或人工可查看的后台 job;PM 仍必须靠
    STATUS.json
    pm-monitor.sh --log-file
    wait-worker.sh --once
    、tmux/agent view 显式巡检来收口。
  • 单 worker 可临时用 background Bash 跑
    wait-worker.sh
    ,但启动时必须同时记录 log 文件或保留可查询命令;多 worker / Wave 默认使用
    pm-monitor.sh --log-file
    ,不要为每个 worker 启一个 background wait 并期待宿主逐个回调。
  • 限定条件例外:§7.2 描述的 Sentinel 模式是本规则的"限定条件下可工作变体"——单 worker 单 sentinel、
    run_in_background=true
    启、harness 100% re-invoke 可工作。Wave 6 启用 sentinel 之前仍按上述保守判断走。
    bash
    bash scripts/wait-worker.sh \
      --worktree .claude/worktrees/tmux-ch01-agent-intro \
      --session legal-ch01 \
      --tmux-session legal-ch01 \
      --interval 30
Codex PM:
  • Codex CLI 的后台 shell 不会自动把完成事件推回当前对话;不要假定它等价于 Claude Code
    run_in_background
  • 在 Codex App 中,优先把
    wait-worker.sh --once
    接到当前 thread 的 heartbeat automation;完整 prompt 见
    templates/codex-heartbeat-wait.md
    。创建、修改或删除 automation 时必须先查找并使用
    automation_update
    工具,不手写 raw RRULE。
  • 没有 heartbeat/automation 能力时,Codex PM 使用
    pm-monitor.sh --once
    wait-worker.sh --once
    低频手动巡检;长任务仍用
    pm-monitor.sh --log-file
    持续记录事件。
wait-worker.sh
的职责是等一个 worker 到终态;它输出终态,不负责唤醒宿主。多 worker、PR 状态、git SHA、gate 和 stale 事件仍由
pm-monitor.sh
负责。
scripts/wait-worker.sh
is a single worker waiter, not a substitute for
pm-monitor.sh
. It mainly reads one
STATUS.json
, exits and outputs paths of
RESULT.md
/
PATCH_SUMMARY.md
when
done
,
failed
,
blocked
, or
stopped
. Suitable for connecting "notify PM when worker completes" to different hosts.
Status Source Hierarchy:
  • METADATA.json
    is static context written by PM at startup, records base/runtime/provider/verification, not used as completion judgment.
  • STATUS.json
    /
    RESULT.md
    /
    PATCH_SUMMARY.md
    are main protocols for completion, blockage, verification, and wrap-up.
  • tmux capture-pane
    is diagnostic window, only read tail output when checkpoint is missing, expired, terminal, or explicitly requested.
  • Do not use tmux pane text to judge task completion; completion criteria are still checkpoint, git diff, verification, and PR status.
Claude Code PM:
  • Bash background/run-in-background can only let the waiter run in the background, does not guarantee triggering or waking up current PM/agent session; especially when multiple workers are waiting simultaneously, no completion message may be returned.
  • Do not treat background Bash as a reliable completion notification mechanism. At most, it serves as a log writer or manually viewable background job; PM still must rely on
    STATUS.json
    ,
    pm-monitor.sh --log-file
    ,
    wait-worker.sh --once
    , tmux/agent view explicit inspection to wrap up.
  • Single worker can temporarily use background Bash to run
    wait-worker.sh
    , but must record log file or retain queryable command when starting; default to
    pm-monitor.sh --log-file
    for multiple workers/Waves, do not start a background wait for each worker and expect host to callback one by one.
  • Limited Condition Exception: The Sentinel mode described in §7.2 is a "limited condition working variant" of this rule—single worker single sentinel, started with
    run_in_background=true
    , harness 100% re-invoke works. Before Wave 6 enables sentinel, still follow the above conservative judgment.
    bash
    bash scripts/wait-worker.sh \
      --worktree .claude/worktrees/tmux-ch01-agent-intro \
      --session legal-ch01 \
      --tmux-session legal-ch01 \
      --interval 30
Codex PM:
  • Codex CLI's background shell will not automatically push completion events back to current conversation; do not assume it is equivalent to Claude Code
    run_in_background
    .
  • In Codex App, prioritize connecting
    wait-worker.sh --once
    to heartbeat automation of current thread; complete prompt see
    templates/codex-heartbeat-wait.md
    . Must use
    automation_update
    tool first when creating, modifying, or deleting automation, do not write raw RRULE manually.
  • When no heartbeat/automation capability, Codex PM uses
    pm-monitor.sh --once
    or
    wait-worker.sh --once
    for low-frequency manual inspection; still use
    pm-monitor.sh --log-file
    for long tasks to continuously record events.
wait-worker.sh
is responsible for waiting one worker to terminal state; it outputs terminal state, not responsible for waking up host. Multiple workers, PR status, git SHA, gate, and stale events are still handled by
pm-monitor.sh
.

7.2 Sentinel bash 模式(事件驱动 PM 唤醒)

7.2 Sentinel bash Mode (Event-Driven PM Wake-Up)

适用:Wave 6 之后,每个 worker 配套启一个 sentinel,PM 由 harness task-notification 事件驱动地唤醒,零 idle token 消耗,保留多轮纠偏能力。设计依据见
references/04-sentinel-design.md
;DEC-031 supersede DEC-030 的限定条件判断。
模式:每个 worker 配一个
scripts/sentinel.sh
进程。Sentinel 轮询
STATUS.json
, 读到
done | failed | blocked | stopped
时 capture tmux pane tail、
tmux kill-session
exit
。Sentinel 由 PM 用
run_in_background=true
启,exit 触发 harness task-notification → PM 被 re-invoke。
PM 端调用模式:每 worker 两次 Bash 调用:
bash
undefined
Applicable: After Wave 6, each worker is matched with a sentinel, PM is woken up by harness task-notification event-driven, zero idle token consumption, retains multi-round correction capability. Design basis see
references/04-sentinel-design.md
; DEC-031 supersede DEC-030 limited condition judgment.
Mode: Each worker is matched with a
scripts/sentinel.sh
process. Sentinel polls
STATUS.json
, when reading
done | failed | blocked | stopped
, captures tmux pane tail,
tmux kill-session
,
exit
. Sentinel is started by PM with
run_in_background=true
, exit triggers harness task-notification → PM is re-invoke.
PM-Side Calling Mode: Two Bash calls per worker:
bash
undefined

1) Foreground: 创建 worktree + 启动 worker + 拿 gate 验证

1) Foreground: create worktree + start worker + verify gate

bash scripts/spawn-worker.sh
--project /path/to/repo
--branch docs/ch01-agent-intro
--session legal-ch01
--with-sentinel \ # 仅打印 SPAWN_WORKER_SENTINEL_CMD,不在内部启 --command "$WORKER_COMMAND"
bash scripts/spawn-worker.sh
--project /path/to/repo
--branch docs/ch01-agent-intro
--session legal-ch01
--with-sentinel \ # Only print SPAWN_WORKER_SENTINEL_CMD, not start internally --command "$WORKER_COMMAND"

2) Background: sentinel 事件驱动 wake

2) Background: sentinel event-driven wake

从 spawn-worker.sh 输出里复制 SPAWN_WORKER_SENTINEL_CMD 那行

Copy the SPAWN_WORKER_SENTINEL_CMD line from spawn-worker.sh output

bash scripts/sentinel.sh
--status-file .claude/worktrees/tmux-docs-ch01-agent-intro/.claude/agent-sessions/legal-ch01/STATUS.json
--tmux-session legal-ch01
--poll-interval 5
--max-wait 7200
bash scripts/sentinel.sh
--status-file .claude/worktrees/tmux-docs-ch01-agent-intro/.claude/agent-sessions/legal-ch01/STATUS.json
--tmux-session legal-ch01
--poll-interval 5
--max-wait 7200

↑ 用 Bash run_in_background=true 启

↑ Start with Bash run_in_background=true


**为什么不在 spawn-worker.sh 内部启 sentinel**:
- `spawn-worker.sh` 是 fg 工具,sentinel 是 bg 工具,职责分离
- 避免单 Bash 调用内 fork 多个 background(auto mode 拒率更高)
- PM 显式 opt-in 收 sentinel 通知(`run_in_background=true`)是 harness re-invoke 的前提

**Sentinel 事件命名空间**(独立于 `WAIT_WORKER_*`):

| 事件 | 触发 |
|------|------|
| `SENTINEL_START` | 启动时 |
| `SENTINEL_PENDING` | STATUS.json 缺失 |
| `SENTINEL_PANE_TAIL` | capture pane 前(best-effort)|
| `SENTINEL_TERMINAL` | 检测到 `done` / `failed` / `blocked` / `stopped` |
| `SENTINEL_TMUX_KILLED` / `SENTINEL_TMUX_GONE` | kill tmux 之后 |
| `SENTINEL_TIMEOUT` | `--max-wait` 到了还没看到终态 |

**PM 收到 notification 后的标准动作**见 `templates/pm-sentinel-response.md`:
- Exit 0 = done:读 RESULT/PATCH_SUMMARY,跑 verify,review,merge
- Exit 2 = failed/blocked/stopped:读 STATUS.issues 决定 restart / block / defer
- Exit 124 = timeout:检查 worker tmux + STATUS 状态,纠偏或重启
- Exit 64 = usage error:检查 `--status-file` / `--tmux-session` 与 spawn-worker 一致性

**降级路径**:如果 sentinel 没启起来(auto mode 拒 / SIGKILL / 参数错),PM 回到 §7.1
行为:单 worker 用 `wait-worker.sh --once`,多 worker 用 `pm-monitor.sh --log-file`。
降级是 graceful 的,不是失败。

**调优建议**:
- `--poll-interval`:默认 5s。worker 单次 thinking 短时降到 1s,长时保持 5s
- `--max-wait`:默认 7200s(2h)。长 worker 拆 sub-task,每个 sub-task 自己的 max-wait
- `--keep-tmux-on-terminal`:review 阶段不杀 tmux,便于 PM tmux capture-pane 看 worker 收尾
- `--pane-tail-lines 0`:不需要 pane 快照时关掉,少 1 个 tmux capture-pane 调用

**已知不覆盖**:
- 多 sentinel 对单 worker 去重:PM 行为层保证 1:1
- Codex / OpenCode 路径:暂未实测,Codex 走 `templates/codex-heartbeat-wait.md`
- 高频 polling 风暴:worker 集群大、polling 间隔 < 2s 时单 worker CPU 可能略高,按需调

**Why not start sentinel inside spawn-worker.sh**:
- `spawn-worker.sh` is fg tool, sentinel is bg tool, separate responsibilities
- Avoid forking multiple backgrounds in single Bash call (higher rejection rate in auto mode)
- PM explicit opt-in to receive sentinel notifications (`run_in_background=true`) is prerequisite for harness re-invoke

**Sentinel Event Namespace** (independent of `WAIT_WORKER_*`):

| Event | Trigger |
|-------|---------|
| `SENTINEL_START` | On startup |
| `SENTINEL_PENDING` | STATUS.json missing |
| `SENTINEL_PANE_TAIL` | Before capturing pane (best-effort) |
| `SENTINEL_TERMINAL` | Detect `done`/`failed`/`blocked`/`stopped` |
| `SENTINEL_TMUX_KILLED`/`SENTINEL_TMUX_GONE` | After killing tmux |
| `SENTINEL_TIMEOUT` | Terminal state not seen when `--max-wait` reached |

**Standard Actions After PM Receives Notification** see `templates/pm-sentinel-response.md`:
- Exit 0 = done: read RESULT/PATCH_SUMMARY, run verify, review, merge
- Exit 2 = failed/blocked/stopped: read STATUS.issues to decide restart/block/defer
- Exit 124 = timeout: check worker tmux + STATUS status, correct or restart
- Exit 64 = usage error: check consistency of `--status-file`/`--tmux-session` with spawn-worker

**Downgrade Path**: If sentinel fails to start (auto mode rejection/SIGKILL/parameter error), PM returns to §7.1
behavior: use `wait-worker.sh --once` for single worker, use `pm-monitor.sh --log-file` for multiple workers.
Downgrade is graceful, not a failure.

**Tuning Suggestions**:
- `--poll-interval`: default 5s. Reduce to 1s when worker's single thinking is short, keep 5s when long
- `--max-wait`: default 7200s (2h). Split long workers into sub-tasks, each sub-task has its own max-wait
- `--keep-tmux-on-terminal`: do not kill tmux during review phase,便于 PM tmux capture-pane to see worker wrap-up
- `--pane-tail-lines 0`: turn off when pane snapshot is not needed, reduce 1 tmux capture-pane call

**Known Uncovered Scenarios**:
- Deduplication of multiple sentinels for single worker: guaranteed 1:1 by PM behavior layer
- Codex/OpenCode path: not tested yet, Codex follows `templates/codex-heartbeat-wait.md`
- High-frequency polling storm: single worker CPU may be slightly high when worker cluster is large and polling interval <2s, adjust as needed

7.3 cron + sentinel 标准组合(兜底监测,必挂两层)

7.3 cron + sentinel Standard Combination (Fallback Monitoring, Must Hang Two Layers)

sentinel(§7.2)是主监测:事件驱动、秒级抓 worker 终态
done
、零 idle token。但 sentinel 单独有 3 个盲区,必须再挂一个 cron 兜底(周期巡检),两层组合才是标准模式,而非二选一:
sentinel 盲区表现cron 兜底如何抓到
(a) worker 硬卡死不写 STATUSsentinel 轮询到
--max-wait
超时(exit 124),最长等 2h
cron 周期读 STATUS + pane,发现 stale 主动介入
(b) worker 用非标准 STATUS 文件名sentinel 监听
STATUS.json
,worker 写
issue-XXX-status.json
,sentinel 轮询空文件到超时
cron 直接
cat
/
grep
多个候选文件名,命中即识别
(c) sentinel 自身被 SIGKILL/SIGTERM 或 harness 未 re-invokesentinel 静默消失,PM 永不被唤醒cron 是独立 job,不依赖 sentinel 存活
频次(硬推荐,按任务粒度)
  • 短任务(单 worker、预计 < 1h):~22 分钟
  • 长流水线(多 worker / Wave / 预计 1-4h):10-15 分钟
  • 避免
    :00
    /
    :30
    整点
    :所有用户挤在整点会 API 拥堵 + 触发速率限制;用错峰表达式如
    3,13,23,33,43,53 * * * *
    (每 10 分钟错峰)或
    7,29,51 * * * *
    (每 22 分钟错峰)。
  • 不要低于 10 分钟:cron 每次 fire 都 re-invoke PM(读 STATUS + git + pane),过频会抵消多 Agent 的 token efficiency。
双信号卡死检测(避免误判 long thinking): 判 worker 卡死必须同时满足两条,缺一不可:
  1. STATUS 信号
    STATUS.json.updated_at
    文件 mtime 都 > 阈值(长流水线 20min、短任务 15min)未变。
  2. pane 信号
    tmux capture-pane
    尾部出现死循环证据(连续重复行 / "Levitating… Nmin" 持续上涨但无新工具调用 / 报错堆栈不退出)。
只满足 (1) 不满足 (2):worker 可能在 long thinking,发一条
tmux send-keys
心跳探针("更新 STATUS heartbeat"),等下一轮 cron 再判,不立即重启。
cron prompt 用模板
templates/cron-monitor-prompt.md
。模板含:worker session + STATUS 路径 + git 分支 + sentinel id + stale 阈值 + 收尾自删(worker 全部合入后
CronDelete
)+ 无动作时一句话汇报(不膨胀上下文)。
与 §7.1 / §7.2 的关系
  • §7.1
    pm-monitor.sh
    /
    wait-worker.sh
    :PM 主动调用的只读巡检工具(一次性或低频 log)。
  • §7.2 sentinel:worker 终态事件驱动唤醒(秒级抓 done),主监测。
  • §7.3 cron:时间驱动兜底(抓 sentinel 盲区 + 卡死双信号 + sentinel 失效)。
  • 三者叠加,不是替代。PM 派 worker 后必挂两层(sentinel + cron);sentinel 是主,cron 是兜底,cron 触发后若发现 worker 仍在推进,只回一句话、不做大动作。
sentinel (§7.2) is main monitoring: event-driven, captures worker terminal state
done
in seconds, zero idle token. But sentinel alone has 3 blind spots, must hang another cron fallback (periodic inspection), two-layer combination is standard mode, not either-or:
Sentinel Blind SpotPerformanceHow cron fallback catches it
(a) Worker hard freezes and does not write STATUSSentinel polls until
--max-wait
timeout (exit 124), maximum wait 2h
cron periodically reads STATUS + pane, finds stale and actively intervenes
(b) Worker uses non-standard STATUS file nameSentinel listens to
STATUS.json
, worker writes
issue-XXX-status.json
, Sentinel polls empty file until timeout
cron directly
cat
/
grep
multiple candidate file names, recognizes when hit
(c) Sentinel itself is SIGKILL/SIGTERM or harness does not re-invokeSentinel silently disappears, PM is never woken upcron is independent job, does not depend on sentinel survival
Frequency (Hard Recommendation, by Task Granularity):
  • Short Tasks (single worker, expected <1h): ~22 minutes
  • Long Pipelines (multiple workers/Wave/expected 1-4h): 10-15 minutes
  • Avoid
    :00
    /
    :30
    on the hour
    : All users crowding on the hour will cause API congestion + trigger rate limits; use off-peak expressions such as
    3,13,23,33,43,53 * * * *
    (off-peak every 10 minutes) or
    7,29,51 * * * *
    (off-peak every 22 minutes).
  • Do not be less than 10 minutes: cron re-invokes PM every time it fires (reads STATUS + git + pane), too frequent will offset token efficiency of multi-agent.
Dual-Signal Freeze Detection (Avoid Misjudging Long Thinking): To judge worker freeze, both conditions must be met, neither is dispensable:
  1. STATUS Signal: Both
    STATUS.json.updated_at
    and file mtime have not changed for > threshold (20min for long pipelines, 15min for short tasks).
  2. Pane Signal:
    tmux capture-pane
    tail shows evidence of infinite loop (continuous repeated lines / "Levitating… Nmin" keeps rising but no new tool calls / error stack does not exit).
Only meet (1) but not (2): Worker may be in long thinking, send a
tmux send-keys
heartbeat probe ("update STATUS heartbeat"), wait for next cron round to judge, do not restart immediately.
Use Template for cron Prompt:
templates/cron-monitor-prompt.md
. Template includes: worker session + STATUS path + git branch + sentinel id + stale threshold + wrap-up self-delete (
CronDelete
after all workers merged) + one-sentence report when no action (does not expand context).
Relationship with §7.1/§7.2:
  • §7.1
    pm-monitor.sh
    /
    wait-worker.sh
    : Read-only inspection tools actively called by PM (one-time or low-frequency log).
  • §7.2 sentinel: Event-driven wake-up when worker reaches terminal state (captures done in seconds), main monitoring.
  • §7.3 cron: Time-driven fallback (captures sentinel blind spots + freeze dual signals + sentinel failure).
  • The three superimpose, not replace. After PM assigns workers, must hang two layers (sentinel + cron); sentinel is main, cron is fallback, if cron triggers and finds worker still advancing, only return one sentence, no big actions.

8. 收口

8. Wrap-Up

8.0 PM 在 Worker 提 PR 后的持续同步

8.0 PM Continuous Synchronization After Worker Raises PR

worker 提 PR 不是 PM 收口完成的信号。从提 PR 到合并之间,PM 必须做两件事避免外部抢跑:
  1. 提 PR 之后立即跑 mergeable 检查
    bash
    gh pr view <N> --json state,mergeable,mergeStateStatus,baseRefName,headRefName
    • mergeable=CONFLICTING
      /
      mergeStateStatus=DIRTY
      /
      baseRefName
      落后:base 已被 doc-curator 或其他 PR 抢跑。立即按
      git-workflow
      的「base 落后 / 冲突处理」决策表(update branch vs rebase vs close-and-reopen)处理。
    • mergeable=MERGEABLE
      且 base 是最新:进入 review 流程。
  2. PM 本地 main 立即 push
    • PM 在主目录 commit docs / DEC 之后立即
      git push origin main
      ,避免本地与 origin/main drift。
    • drift 后 push 报 non-fast-forward,squash merge 引入的"内容相同但 history 不同"会让 git 误判冲突,恢复成本高。
    • 看到 origin/main 领先本地时,先
      git fetch origin
      +
      git switch -C main origin/main
      (不是
      git pull
      ,squash commit 不会自动 ff),再继续 PM 工作。
worker backend 选择(subagent / tmux / Agent Teams)见 §2.1。
Worker raising PR is not a signal that PM wrap-up is completed. Between raising PR and merging, PM must do two things to avoid external preemption:
  1. Immediately run mergeable check after raising PR:
    bash
    gh pr view <N> --json state,mergeable,mergeStateStatus,baseRefName,headRefName
    • mergeable=CONFLICTING
      /
      mergeStateStatus=DIRTY
      /
      baseRefName
      is behind: base has been preempted by doc-curator or other PRs. Immediately handle according to
      git-workflow
      's "base behind/conflict handling" decision table (update branch vs rebase vs close-and-reopen).
    • mergeable=MERGEABLE
      and base is latest: enter review process.
  2. PM local main push immediately:
    • After PM commits docs/DEC in main directory, immediately
      git push origin main
      , avoid drift between local and origin/main.
    • After drift, push reports non-fast-forward, "same content but different history" introduced by squash merge will make git misjudge conflict, high recovery cost.
    • When seeing origin/main is ahead of local, first
      git fetch origin
      +
      git switch -C main origin/main
      (not
      git pull
      , squash commit will not automatically ff), then continue PM work.
Worker backend selection (subagent/tmux/Agent Teams) see §2.1.

8.1 收口标准步骤

8.1 Standard Wrap-Up Steps

worker 完成后:
  1. 检查
    git status --short
    git diff --check main...HEAD
    、PR diff 范围。
  2. 需要 review 时交叉审阅,分支作者不审自己的 PR。review 工具按项目类型选,不要默认 code-review:代码项目用 code-review subagent;书稿 / 文档 / 写作项目用
    writing-reviewer
    (或项目领域审稿 skill);研究 / 配置类 PR 用对应内容审查。项目应在自己的
    AGENTS.md
    里写明用哪个 review skill;没写时 PM 按项目性质判断,不假定 code-review。
  3. 合并、push、PR 编号写入 commit、Issue 关闭等动作遵循
    git-workflow
  4. 若 PM review 发现问题,优先通过 tmux / agent view / inbox 给原 worker 发送 review correction;worker 应追加修复 commit、重新运行验证并更新 PR,不由 PM 默认代写。
  5. PM 复核 correction commit、验证结果和 PR diff 后,再决定是否进入 merge。
  6. 合并后清理 worktree/session,先 dry-run 再显式执行:
bash
bash scripts/clean-worktree.sh --project /path/to/repo --branch docs/ch01-agent-intro --session legal-ch01
bash scripts/clean-worktree.sh --project /path/to/repo --branch docs/ch01-agent-intro --session legal-ch01 --execute
After worker completes:
  1. Check
    git status --short
    ,
    git diff --check main...HEAD
    , PR diff scope.
  2. When review is needed, cross-review, branch author does not review their own PR. Select review tool according to project type, do not default to code-review: use code-review subagent for code projects; use
    writing-reviewer
    (or project-specific review skill) for manuscripts/docs/writing projects; use corresponding content review for research/configuration PRs. Projects should specify which review skill to use in their
    AGENTS.md
    ; if not written, PM judges according to project nature, do not assume code-review.
  3. Merge, push, write PR number into commit, close Issue, etc., follow
    git-workflow
    .
  4. If PM review finds problems, prioritize sending review correction to original worker via tmux/agent view/inbox; worker should add fix commit, re-run verification, and update PR, do not default to PM writing instead.
  5. After PM reviews correction commit, verification results, and PR diff, decide whether to enter merge.
  6. After merging, clean up worktree/session, dry-run first then execute explicitly:
bash
bash scripts/clean-worktree.sh --project /path/to/repo --branch docs/ch01-agent-intro --session legal-ch01
bash scripts/clean-worktree.sh --project /path/to/repo --branch docs/ch01-agent-intro --session legal-ch01 --execute

9. 依赖

9. Dependencies

依赖按模式分层;只读文档不需要安装任何工具。首次在新机器上启动 worker 前,先运行:
bash
bash scripts/check-dependencies.sh
bash scripts/check-dependencies.sh --backend claude-code --backend codex --check-gh
Dependencies are layered by mode; read-only documents do not require any tool installation. Before starting workers on a new machine for the first time, run:
bash
bash scripts/check-dependencies.sh
bash scripts/check-dependencies.sh --backend claude-code --backend codex --check-gh

最小本地执行依赖

Minimum Local Execution Dependencies

依赖安装方式
git
通常随开发环境提供
bash
常规脚本需要 bash;
pm-monitor.sh
需要 bash 4+
jq
macOS:
brew install jq
<br>Linux:
sudo apt-get install jq
tmux
macOS:
brew install tmux
<br>Linux:
sudo apt-get install tmux
常见 Unix 工具如
awk
sed
grep
find
stat
date
mktemp
通常由系统提供;日期解析已兼容 macOS/Linux。
DependencyInstallation Method
git
Usually provided with development environment
bash
Regular scripts require bash;
pm-monitor.sh
requires bash 4+
jq
macOS:
brew install jq
<br>Linux:
sudo apt-get install jq
tmux
macOS:
brew install tmux
<br>Linux:
sudo apt-get install tmux
Common Unix tools such as
awk
,
sed
,
grep
,
find
,
stat
,
date
,
mktemp
are usually provided by the system; date parsing is compatible with macOS/Linux.

按模式启用的依赖

Dependencies Enabled by Mode

模式依赖
PR / mergeability 巡检
gh
,且需要已登录
Claude Code worker
claude
;第三方 provider 需要本地 settings 文件
Codex worker
codex
OpenCode worker
opencode
Codex heartbeatCodex App automation 能力;创建/修改 automation 必须使用
automation_update
Claude 官方 agent view /
--worktree --tmux
claude
,必要时还需要
tmux
ModeDependency
PR/mergeability inspection
gh
, and requires login
Claude Code worker
claude
; third-party providers require local settings files
Codex worker
codex
OpenCode worker
opencode
Codex heartbeatCodex App automation capability; must use
automation_update
to create/modify automation
Claude official agent view/
--worktree --tmux
claude
, may also need
tmux
if necessary

可选终端依赖

Optional Terminal Dependencies

scripts/terminal-split.sh
只在对应终端场景下需要额外工具:Kitty 需要
kitty @
,WezTerm 需要
wezterm cli
,macOS GUI 终端自动化依赖
osascript
,Warp/Ghostty/Zed/Terminal.app 分屏或新标签能力取决于本机应用和辅助功能授权。
完整依赖矩阵见
references/02-runtime-dependencies.md
。依赖检查脚本只报告状态,不安装软件、不启动 worker、不改配置。
scripts/terminal-split.sh
requires additional tools only in corresponding terminal scenarios: Kitty requires
kitty @
, WezTerm requires
wezterm cli
, macOS GUI terminal automation depends on
osascript
, split screen or new tab capabilities of Warp/Ghostty/Zed/Terminal.app depend on local applications and accessibility authorization.
Complete dependency matrix see
references/02-runtime-dependencies.md
. Dependency check script only reports status, does not install software, start workers, or modify configurations.

10. 参考

10. References

只在需要细节时读取:
核心编排参考(机制 / 依赖 / 收口):
  • references/01-model-selection-matrix.md
    :模型与执行模式选择。
  • references/02-runtime-dependencies.md
    :按模式拆分的本地依赖矩阵和安装建议。
  • references/03-checkpoint-files.md
    STATUS.json
    RESULT.md
    PATCH_SUMMARY.md
    的字段和模板。
  • references/04-sentinel-design.md
    :PM 巡检(sentinel)bash 模式设计与信号。
  • references/05-legal-domain-patterns.md
    :法律项目拆解样例(诉讼/非诉阶段模型、任务字段、Agent 路由)。
  • config/claude-provider-registry.example.json
    :Claude Code 第三方 API provider/model registry 模板。
  • config/claude-provider-settings.example.json
    :Claude Code 第三方 API provider settings 兼容模板。
Agent CLI worker backend(先看总览,再查具体工具):
  • references/06-agent-cli-reference.md
    :本机所有 Agent CLI 完整参考手册(Claude Code / Codex / OpenCode / Hermes / Kimi / Gemini / QoderWork),含参数速查、tmux worker 模板、跨 CLI 对比矩阵和选用建议。
  • references/07-qoderwork-cli-worker.md
    :QoderWork CLI(
    qoderclicn
    )作为 worker backend 的可行性研究,含 CLI 参数、模型列表、SDK 环境冲突、tmux 启动示例和适用场景。
  • references/08-workbuddy-cli-worker.md
    :WorkBuddy / CodeBuddy CLI(
    codebuddy
    )作为 worker backend 的可行性研究,含 Kimi K2.6 书稿 worker 实测、权限模式、checkpoint/path 偏差和收口规则。
实战经验与排障:
  • references/09-parallel-lessons.md
    :tmux/Agent Teams 实战坑点。
  • references/10-agent-teams-troubleshooting.md
    :Agent Teams / agent view / Claude 原生
    --worktree --tmux
    后端排障。
官方文档:
  • Claude Code agent view:
    https://code.claude.com/docs/en/agent-view
  • Claude Code worktrees:
    https://code.claude.com/docs/en/worktrees
  • Claude Code CLI usage:
    https://code.claude.com/docs/en/cli-usage
  • Claude Code checkpointing:
    https://code.claude.com/docs/en/checkpointing
脚本:
  • scripts/check-dependencies.sh
    :检查核心依赖、backend CLI、GitHub CLI 和终端分屏工具。
  • scripts/claude-provider-env.sh
    :从 Claude provider registry 或 settings JSON 构造本次 worker 的隔离 env,屏蔽用户级 provider/model 污染。
  • scripts/render-runtime-profile.sh
    :按 backend/profile 生成 worker command、prompt context 和 spawn metadata。
  • scripts/spawn-worker.sh
    :创建隔离 worktree、Session Context 和 tmux session,并输出启动 gate。
  • scripts/pm-monitor.sh
    :自动 PM 巡检脚本,保留 checkpoint 文件、Agent Teams inbox、tasks、Git SHA、PR 状态、tmux session、Wave 和多信号进展监控。
  • scripts/wait-worker.sh
    :单 worker 等待器,可接 Claude Code background Bash 或 Codex heartbeat automation。
  • scripts/worktree-status.sh
    :单 worker 只读总览,展示 metadata、checkpoint、tmux 和 git 状态。
  • scripts/clean-worktree.sh
    :worker session/worktree 安全清理,默认 dry-run,清理前展示 metadata 摘要。
  • scripts/smoke-tmux-worker.sh
    :临时 repo 端到端 smoke test;只在修改 Skill 脚本后运行。
  • scripts/smoke-provider-settings.sh
    :逐个验证
    config/*.settings.json
    能启动 Claude Code 并返回响应;新增或改 provider 后运行。
  • scripts/lint-wait-script.sh
    :wait/monitor/custom wait 脚本 lint;只在修改 wait/monitor 脚本后运行。
  • scripts/terminal-split.sh
    :可选可视化辅助,保留 iTerm2、Kitty、WezTerm、Warp、Ghostty、Zed、Terminal.app 支持;默认编排不依赖它。
模板:
  • templates/worker-prompt.md
    :worker bootstrap 和完整派发 prompt 模板。
  • templates/orchestration-goal.md
    :PM 级连续多 Wave Goal Contract 模板。
  • templates/project-config.json
    :可选项目级编排配置模板,声明 trunk、任务源、验证命令、provider slot、非敏感配置复制和 hook 边界。
  • templates/codex-heartbeat-wait.md
    :Codex App heartbeat 巡检 prompt。
  • templates/wave-summary.md
    :每轮 Wave 收口和 provider/model 评估模板。
  • templates/checkpoint-status.json
    STATUS.json
    模板。
  • templates/checkpoint-result.md
    :完成/失败结果摘要模板。
  • templates/checkpoint-patch-summary.md
    :PR review 用 diff 摘要模板。
Read only when details are needed:
Core Orchestration References (Mechanism/Dependency/Wrap-Up):
  • references/01-model-selection-matrix.md
    : Model and execution mode selection.
  • references/02-runtime-dependencies.md
    : Local dependency matrix split by mode and installation suggestions.
  • references/03-checkpoint-files.md
    : Fields and templates of
    STATUS.json
    ,
    RESULT.md
    ,
    PATCH_SUMMARY.md
    .
  • references/04-sentinel-design.md
    : Design and signals of PM inspection (sentinel) bash mode.
  • references/05-legal-domain-patterns.md
    : Legal project decomposition examples (litigation/non-litigation phase models, task fields, Agent routing).
  • config/claude-provider-registry.example.json
    : Claude Code third-party API provider/model registry template.
  • config/claude-provider-settings.example.json
    : Claude Code third-party API provider settings compatibility template.
Agent CLI Worker Backend (Read Overview First, Then Check Specific Tools):
  • references/06-agent-cli-reference.md
    : Complete reference manual for all local Agent CLIs (Claude Code/Codex/OpenCode/Hermes/Kimi/Gemini/QoderWork), including parameter quick reference, tmux worker template, cross-CLI comparison matrix, and selection suggestions.
  • references/07-qoderwork-cli-worker.md
    : Feasibility study of QoderWork CLI (
    qoderclicn
    ) as worker backend, including CLI parameters, model list, SDK environment conflicts, tmux startup examples, and applicable scenarios.
  • references/08-workbuddy-cli-worker.md
    : Feasibility study of WorkBuddy/CodeBuddy CLI (
    codebuddy
    ) as worker backend, including Kimi K2.6 manuscript worker actual test, permission mode, checkpoint/path deviation, and wrap-up rules.
Practical Experience and Troubleshooting:
  • references/09-parallel-lessons.md
    : Practical pitfalls of tmux/Agent Teams.
  • references/10-agent-teams-troubleshooting.md
    : Troubleshooting for Agent Teams/agent view/Claude native
    --worktree --tmux
    backend.
Official Documentation:
  • Claude Code agent view:
    https://code.claude.com/docs/en/agent-view
  • Claude Code worktrees:
    https://code.claude.com/docs/en/worktrees
  • Claude Code CLI usage:
    https://code.claude.com/docs/en/cli-usage
  • Claude Code checkpointing:
    https://code.claude.com/docs/en/checkpointing
Scripts:
  • scripts/check-dependencies.sh
    : Checks core dependencies, backend CLI, GitHub CLI, and terminal split tools.
  • scripts/claude-provider-env.sh
    : Constructs isolated env for this worker from Claude provider registry or settings JSON, shields user-level provider/model pollution.
  • scripts/render-runtime-profile.sh
    : Generates worker command, prompt context, and spawn metadata according to backend/profile.
  • scripts/spawn-worker.sh
    : Creates isolated worktree, Session Context, and tmux session, and outputs startup gate.
  • scripts/pm-monitor.sh
    : Automatic PM inspection script, retains checkpoint files, Agent Teams inbox, tasks, Git SHA, PR status, tmux session, Wave, and multi-signal progress monitoring.
  • scripts/wait-worker.sh
    : Single worker waiter, can connect to Claude Code background Bash or Codex heartbeat automation.
  • scripts/worktree-status.sh
    : Single worker read-only overview, displays metadata, checkpoint, tmux, and git status.
  • scripts/clean-worktree.sh
    : Safe cleanup of worker session/worktree, default dry-run, displays metadata summary before cleanup.
  • scripts/smoke-tmux-worker.sh
    : Temporary repo end-to-end smoke test; only run after modifying Skill scripts.
  • scripts/smoke-provider-settings.sh
    : Verifies one by one that
    config/*.settings.json
    can start Claude Code and return response; run after adding or modifying providers.
  • scripts/lint-wait-script.sh
    : Lint for wait/monitor/custom wait scripts; only run after modifying wait/monitor scripts.
  • scripts/terminal-split.sh
    : Optional visualization aid, retains support for iTerm2, Kitty, WezTerm, Warp, Ghostty, Zed, Terminal.app; default orchestration does not depend on it.
Templates:
  • templates/worker-prompt.md
    : Worker bootstrap and complete assignment prompt template.
  • templates/orchestration-goal.md
    : PM-level continuous multi-Wave Goal Contract template.
  • templates/project-config.json
    : Optional project-level orchestration configuration template, declares trunk, task source, verification commands, provider slot, non-sensitive configuration copy, and hook boundaries.
  • templates/codex-heartbeat-wait.md
    : Codex App heartbeat inspection prompt.
  • templates/wave-summary.md
    : Template for each Wave wrap-up and provider/model evaluation.
  • templates/checkpoint-status.json
    :
    STATUS.json
    template.
  • templates/checkpoint-result.md
    : Completion/failure result summary template.
  • templates/checkpoint-patch-summary.md
    : Diff summary template for PR review.

11. 评估与验收

11. Evaluation and Acceptance

评估范围

Evaluation Scope

本 skill 评估对象 = spawn-worker + sentinel + pm-monitor + render-runtime-profile + clean-worktree 的协同行为;不评估具体 worker backend(claude / codex / opencode)本身的能力。
Evaluation object of this skill = collaborative behavior of spawn-worker + sentinel + pm-monitor + render-runtime-profile + clean-worktree; does not evaluate capabilities of specific worker backends (claude/codex/opencode) themselves.

Hard Fail(出现即不通过)

Hard Fail(Fail Immediately If Occurs)

  1. 防逃逸门禁未过(§2.1),PM 直接写业务代码。
  2. spawn-worker.sh 启动后 pane cwd ≠ worktree 或 branch ≠ 目标分支(gate 失败)。
  3. worker 写 STATUS 同义词(completed / finished)而非字面
    done
    ,sentinel 不退出。
  4. worker 改完文件不 commit,PM 收口验到空 diff。
  5. 真实 settings(config/*.settings.json)进入 git 追踪或打包件。
  1. Anti-escape gate not passed (§2.1), PM directly writes business code.
  2. After spawn-worker.sh starts, pane cwd ≠ worktree or branch ≠ target branch (gate failure).
  3. Worker writes STATUS synonyms (completed/finished) instead of literal
    done
    , sentinel does not exit.
  4. Worker modifies files without committing, PM verifies empty diff when wrapping up.
  5. Real settings (config/*.settings.json) enter git tracking or package.

Benchmark case

Benchmark Case

  • smoke-tmux-worker.sh
    :临时 repo e2e(spawn 1 worker 跑完,STATUS=done,diff 非空,clean 无残留)。
  • 建议补
    smoke-e2e-wave.sh
    :spawn 2 worker 并行改不重叠文件,sentinel 等终态,验证两个 PR diff 范围独立、STATUS 均 done、clean 无残留。
  • smoke-tmux-worker.sh
    : Temporary repo e2e (spawn 1 worker to complete, STATUS=done, diff non-empty, clean no residue).
  • It is recommended to add
    smoke-e2e-wave.sh
    : spawn 2 workers to modify non-overlapping files in parallel, sentinel waits for terminal state, verify that two PR diff scopes are independent, STATUS are all done, clean no residue.

静态检查 vs 动态评估

Static Check vs Dynamic Evaluation

  • 静态:
    lint-wait-script.sh
    (wait / monitor 脚本 lint)+
    check-dependencies.sh
    (preflight 依赖检查)。
  • 动态:
    smoke-tmux-worker.sh
    (e2e 端到端)+
    smoke-provider-settings.sh
    (provider 验证,需真实 key,optional)。
  • Static:
    lint-wait-script.sh
    (lint for wait/monitor scripts) +
    check-dependencies.sh
    (preflight dependency check).
  • Dynamic:
    smoke-tmux-worker.sh
    (e2e end-to-end) +
    smoke-provider-settings.sh
    (provider verification, requires real key, optional).