TPAN-OPT/CO-WORKER
Language: English | 简体中文
TPAN-OPT/CO-WORKER is the governance layer for AI agent output. It turns your team's delivery method into a versioned, executable workflow that routes work across AI coding agents, gates every stage on real checks, and keeps an audit-ready evidence trail. AI made everyone faster — co-worker makes that speed auditable, reproducible, and trustworthy.
Its sharpest use is OPT — One Person Team: one human lead running a team of specialized AI agents (planner, engineer, reviewer, release lead) through a governed process — shipping what used to take a whole team, while still passing the gates, approvals, and evidence a real team would demand.
New here? Start with Positioning & roadmap for who it's for and where it's going, or run the Hero demo to watch a bad change get caught at a gate.
How it's different
Every framework can run agents. co-worker governs their output — and is harness-neutral, so it sits on top of whatever agent you already use.
| You already have | co-worker adds |
|---|---|
| An agent framework (CrewAI, LangGraph, AutoGen, Claude subagents) that wires up and runs agents | A governance layer on top: versioned workflows, real check gates, human approvals, and an audit-ready evidence trail — on any agent |
Don't take our word for it: browse a real, committed evidence trail (agents run → gates green → stopped at the human gate → approval recorded) with nothing to install.
Why This Exists
AI coding tools make individuals faster, but many teams still run into the same problems:
- Collaboration becomes fragmented across chats, agents, repositories, and tools.
- Output quality varies by prompt, model, person, or local environment.
- Team standards live in documents but are not enforced during execution.
- Agent work is hard to audit, reproduce, or verify.
- Smaller teams are expected to carry the workload of larger teams.
TPAN-OPT/CO-WORKER turns a team's operating method into a versioned, executable workflow.
Current Implementation Scope
The current package is a no-dependency Node.js workflow compiler, local verifier, local runner, stage-gated execution orchestrator, and static workflow console. It validates JSON workflow definitions, generates repository-local harness assets, runs staged verification gates, advances a stage-by-stage state machine that stops at the first unsatisfied gate and emits a work order, records evidence, and syncs local run history into the generated console.
The broader team operating system language in this README describes the product direction. The execution orchestrator routes and gates work along a stage dependency graph — scheduling independent branches across owners in parallel — and can drive a stage's owner agent through an opt-in, harness-neutral --invoke/--agent-command adapter, but it does not yet execute gates concurrently or coordinate agents fully autonomously. Hosted orchestration, marketplace package installation, and YAML authoring are not part of the current package yet.
What TPAN-OPT/CO-WORKER Provides
- Workflow Designer: define standard delivery workflows with stages, roles, gates, artifacts, and approvals.
- Agent Team Builder: create specialized agent roles such as planner, architect, engineer, reviewer, security reviewer, QA, release manager, and documentation owner.
- Skill / MCP / Hook Registry: connect standard or custom skills, MCP servers, hooks, checks, templates, and automation policies.
- Harness Adapter Layer: distribute the same workflow to Codex, Claude Code, Cursor, OpenCode, GitHub Actions, local runners, or custom agent harnesses.
- Verification Gates: require tests, linting, type checks, coverage, E2E validation, security review, documentation review, and human approval before work advances.
- Evidence Trail: keep artifacts, decisions, test results, review findings, screenshots, logs, and approvals attached to each workflow run.
- OPT Runtime: allow one person to manage a virtual team of specialized agents with clear boundaries and explicit approval points.
Quick Start
If you already work inside a code agent (Claude Code, Codex, Cursor, …), the shortest path is to install co-worker as a plugin and never leave your agent. If you want a plain terminal flow or to script it, use the CLI directly (Option B). Either way you need Node.js 22+.
Option A — Install as a plugin (recommended for agent users)
co-worker ships a zero-dependency MCP server that exposes the whole flow as callable tools, so your agent can scaffold, inspect, drive, and approve a governed workflow without you touching a terminal.
Claude Code — install straight from the repo:
/plugin marketplace add https://github.com/TPAN-OPT/co-worker
/plugin install tpan-opt-co-worker@tpan-opt-co-worker
This clones the repo and registers the co-worker MCP server automatically (via .mcp.json) — no npm install, no manual config. Now just talk to your agent; the whole point — one lead running a team of agents through a governed process — shows up in three turns:
- Scaffold and run the team — "Use
co_worker_quickstartto set up a workflow in./my-repo." It scaffoldsopt.workflow.json, compiles every harness asset, and runs a four-role team (planner → engineer → reviewer → lead) end to end. By default this is a bundled offline demo agent: a dry-run preview of the loop whose artifacts are labelled placeholders, not real work — it needs no agent CLI, no network, and no API spend, so you can see the whole governed flow instantly. Add--real(or therealtool arg) to drive an installed agent CLI for genuine output. Either way, each stage writes an artifact and the run stops at a single human-approval gate. - See what the team did — open the printed
./my-repo/.tpan-opt-co-worker/console/index.html. The console shows every stagedone, the populated agent-invocation log, and one open work order: your approval. The artifacts the agents wrote are under./my-repo/.tpan-opt-co-worker/demo/artifacts/. - Approve to ship — "Call
co_worker_approvefor gatehuman_approvalin stageship, approved by me, on./my-repo." It records your approval as evidence, advances the orchestrator, and the run isdone.
That is the OPT loop in miniature: agents do the work, a human approves the gate that matters.
Run the same flow with a real agent. If you have an agent CLI installed (claude, codex, or cursor-agent), add --real — quickstart detects it and drives the real agent instead of the offline demo, so the four stages produce real work at .tpan-opt-co-worker/artifacts/<stage>.md and still stop at the one human gate:
tpan-opt-co-worker quickstart --out . --real --force
tpan-opt-co-worker approve human_approval --stage ship --by you --run-id real
Pick a specific agent with --agent codex. If no supported agent is on PATH, quickstart says so and runs the offline demo instead; the default run always labels its artifacts as an offline placeholder, so you can tell a demo from real work. Under the hood --real is just the orchestrator's agent-neutral --invoke/--agent-command adapter — the stage gates pass once an artifact with real content exists, no matter who wrote it, so you can also drive it by hand:
node scripts/orchestrate-workflow.mjs --run-id real --invoke --loop \
--agent-command 'claude -p "You are the {role}. Do stage {stage} from brief {brief}. Write your result to .tpan-opt-co-worker/artifacts/{stage}.md"'
Swap claude -p for codex exec, cursor-agent, or any agent CLI — the orchestrator substitutes {stage} / {role} / {brief} / {skills} / {mcpServers} / {hooks} and runs it once per ready stage. Commit the command into the workflow under orchestration.agentCommand (the wizard prompts for it) so --invoke needs no flags on later runs.
Codex / Cursor / other MCP agents — clone the repo, then point the agent at the local server. See Install as a plugin (MCP) for the exact config.toml / JSON, then ask the agent to run the same co_worker_quickstart → co_worker_approve chain.
Option B — Use the CLI directly
The quick start is a single command — from an empty directory to a real agent-team run:
node src/cli.js quickstart --out /path/to/target-repo --name my-workflow
It scaffolds opt.workflow.json, compiles every harness asset, bundles an offline demo agent, and drives a four-role team (planner → engineer → reviewer → lead) end to end: each agent does its stage and writes an artifact, and the run stops at one human-approval gate. It opens the console for you (use --no-open to skip), or open the path it prints:
open /path/to/target-repo/.tpan-opt-co-worker/console/index.html
Prefer a live view? Run node src/cli.js serve --out /path/to/target-repo for an interactive console at http://127.0.0.1:4318/ that auto-refreshes as gates pass and lets you approve manual gates right in the browser (same effect as the approve command below).
The console shows every stage done, the populated agent-invocation log, and one open work order — your approval — so you see a team of agents actually deliver work before learning any other command. This default run uses the bundled offline demo agent — its artifacts (under .tpan-opt-co-worker/demo/artifacts/) are labelled placeholders, not real work. Add --real to drive an installed agent CLI (claude/codex/cursor-agent) for real output instead; if the command detects an agent on your PATH it also prints the exact one-flag line to re-run for real. Add --no-demo to scaffold without running the team, or --template production-feature for a delivery workflow with real check gates.
Everything the agents could do is done; one human approval is left. Finish it with a single command (the same core as the co_worker_approve MCP tool, so CLI and in-agent flows behave identically):
node src/cli.js approve human_approval --stage ship --by you@example.com --out /path/to/target-repo
approve records the approver as evidence and advances the orchestrator to done. To inspect a run at any time, node src/cli.js status --out … shows where each stage stands and node src/cli.js next --out … returns the open work order(s) and next action.
To change the workflow, edit it in the console Designer (or opt.workflow.json) and re-apply:
node src/cli.js compile --workflow /path/to/target-repo/opt.workflow.json --out /path/to/target-repo --force
See each capability in action
The quickstart repo already contains a working example of everything in the "What TPAN-OPT/CO-WORKER Provides" list above. Run the node src/cli.js … commands from this tool's directory, and the node scripts/… commands from inside the generated target repo:
- Workflow Designer — edit stages, roles, gates, and approvals in the console Designer panel or
opt.workflow.json, then check it:node src/cli.js validate --workflow /path/to/target-repo/opt.workflow.json. - Agent Team Builder — each role compiles to a per-harness agent file (
.claude/agents/<role>.md,.codex/agents/<role>.toml,.opencode/agents/<role>.md); browse reusable teams withnode src/cli.js teams. - Skill / MCP / Hook registry —
node src/cli.js cataloglists templates, policy packs, and teams; narrow with--kind marketplace(skills, MCP servers, hooks) or--kind presets(gate presets). - Harness adapter layer — one workflow fans out to every harness; see the generated files with
ls .codex .claude .cursor opencode.json .github/workflows scripts. - Quality gates —
node scripts/verify-workflow.mjsruns the stage gates and stops at the first failing or unmet one. - Evidence chain —
node scripts/run-workflow.mjs --run-id localrecords.tpan-opt-co-worker/runs/local/evidence.jsonandsummary.md. - OPT Runtime —
node src/cli.js status/next/approveroute stages across owners, emit the next work order, and advance gates from the command line (this drives the orchestration the quickstart demo seeded;node scripts/orchestrate-workflow.mjs --run-id localis the underlying script).
More commands (reference)
The commands below give finer control over the same pipeline; the full surface is documented under Current CLI. To develop this repository itself, run npm test.
Interactively configure a workflow — template, team, policies, MCP servers, and lifecycle hooks — then write opt.workflow.json and compile every harness asset in one pass:
node src/cli.js wizard --out /path/to/target-repo
The wizard prompts for the starter template, an optional reusable team, organization policy packs, any MCP servers (local command + args + env, or remote url + transport), which roles each server is assigned to, and any lifecycle hooks (pre-tool, post-tool, stop, user-prompt-submit, session-start, with an optional tool matcher). It then compiles .mcp.json, .codex/config.toml MCP wiring, and .claude/settings.json hooks alongside the usual harness assets. See Workflow nodes: MCP servers and hooks for the schema the wizard produces.
Create a starter workflow in a target repository without compiling or running a demo:
node src/cli.js init --out /path/to/target-repo --name production-feature-workflow
Browse the built-in catalog before initializing a workflow. One command is the
discovery surface — --kind narrows it to a single slice:
node src/cli.js catalog # combined summary
node src/cli.js catalog --json # combined, machine-readable
node src/cli.js catalog --out catalog.json # write the combined artifact
node src/cli.js catalog --kind templates # just workflow templates
node src/cli.js catalog --kind policies # organization policy packs
node src/cli.js catalog --kind teams # reusable agent teams
node src/cli.js catalog --kind presets # gate presets
node src/cli.js catalog --kind marketplace # marketplace packages (preview)
The historical templates / policies / teams / presets / marketplace
subcommands still work as aliases for the matching catalog --kind.
Create a starter workflow from a reusable team recommendation:
node src/cli.js init \
--out /path/to/target-repo \
--team product-delivery \
--policy security-baseline \
--name production-feature-workflow
Create a starter workflow with explicit organization policies:
node src/cli.js init \
--out /path/to/target-repo \
--policy quality-standard \
--policy security-baseline \
--name production-feature-workflow
Create a starter workflow from a named template:
node src/cli.js init \
--out /path/to/target-repo \
--template production-feature \
--name production-feature-workflow
Create a language-neutral starter workflow that does not assume npm scripts:
node src/cli.js init \
--out /path/to/target-repo \
--template minimal \
--name minimal-evidence-workflow
Validate a workflow before generating repository assets:
node src/cli.js validate --workflow /path/to/target-repo/opt.workflow.json
Print a machine-readable validation summary:
node src/cli.js validate --workflow /path/to/target-repo/opt.workflow.json --json
Print or write the workflow JSON Schema:
node src/cli.js schema --out /path/to/target-repo/workflow.schema.json
List built-in gate presets before designing an organization workflow:
node src/cli.js catalog --kind presets
node src/cli.js catalog --kind presets --json
Preview generated repository assets:
node src/cli.js compile \
--workflow /path/to/target-repo/opt.workflow.json \
--out /tmp/tpan-opt-co-worker-demo \
--dry-run
Generate assets into a target repository:
node src/cli.js compile \
--workflow /path/to/target-repo/opt.workflow.json \
--out /path/to/target-repo
Generate assets with an external preset registry:
node src/cli.js compile \
--workflow examples/opt.workflow.json \
--preset-file examples/gate-presets.json \
--out /path/to/target-repo
Overwrite previously generated files:
node src/cli.js compile --workflow examples/opt.workflow.json --out /path/to/target-repo --force
The compiler currently reads JSON workflow files. YAML support is planned.
Open the generated static workflow console. It shows the workflow overview and an editable Workflow Designer panel (with in-browser draft validation and JSON export) immediately, then displays run summary, filterable run history with evidence artifact links, and status-filtered gate details with command exit codes and manual evidence metadata after local workflow runs have produced .tpan-opt-co-worker/console/runs.json and .tpan-opt-co-worker/console/runs.js.
open /path/to/target-repo/.tpan-opt-co-worker/console/index.html
Run generated verification checks inside a compiled target repository:
node scripts/verify-workflow.mjs
Write a structured workflow evidence report:
node scripts/verify-workflow.mjs --report .tpan-opt-co-worker/evidence.json
Attach manual approvals or review evidence:
node scripts/verify-workflow.mjs \
--manual-evidence examples/manual-evidence.json \
--report .tpan-opt-co-worker/evidence.json
Create a full workflow run artifact directory:
node scripts/verify-workflow.mjs \
--manual-evidence examples/manual-evidence.json \
--run-dir .tpan-opt-co-worker/runs/feature-001
The run directory contains:
evidence.json: machine-readable gate results.summary.md: human-readable workflow evidence summary.
Install as a plugin (MCP)
co-worker ships a zero-dependency MCP server (tpan-opt-co-worker mcp, newline-delimited JSON-RPC over stdio) that exposes its capabilities as callable tools — co_worker_quickstart, co_worker_compile, co_worker_validate, co_worker_catalog, co_worker_next, and co_worker_approve — so any MCP-capable code agent can scaffold, configure, drive, and approve workflows from inside the agent.
Claude Code — install as a plugin:
/plugin marketplace add https://github.com/TPAN-OPT/co-worker
/plugin install tpan-opt-co-worker@tpan-opt-co-worker
The plugin registers the co-worker MCP server (via .mcp.json) automatically.
Codex — clone the repo first, then point ~/.codex/config.toml at the local server:
[mcp_servers.co-worker]
command = "node"
args = ["/absolute/path/to/co-worker/src/cli.js", "mcp"]
Other MCP-capable agents (Cursor, domestic code agents, custom runners) — point them at the same local server:
{
"mcpServers": {
"co-worker": {
"command": "node",
"args": ["/absolute/path/to/co-worker/src/cli.js", "mcp"]
}
}
}
The package is not published to npm yet. Once it is, the Codex and generic configs above can use
command: "npx",args: ["-y", "tpan-opt-co-worker", "mcp"]instead of an absolute clone path. The Claude Code plugin path needs no npm publish — it installs straight from the repo.
Then, from inside the agent, ask it to run co_worker_quickstart to scaffold a populated console, co_worker_next to see the open work order, and co_worker_approve to sign off a manual gate and advance — no hand-edited evidence files. Agents that only read repository files still work through the generated CLAUDE.md, .codex/, .cursor/, and opencode.json assets.
Core Concept
Most AI tools focus on helping an agent complete a task.
TPAN-OPT/CO-WORKER focuses on helping a team repeatedly produce verified work.
Team Standard
-> Workflow Template
-> Agent Roles + Skills + MCP + Hooks
-> Repository / Harness Distribution
-> Workflow Run
-> Verified Artifacts
-> Review, Approval, Release
Two modes: one workflow, two ways to hand it out
You design one workflow — stages, sub-nodes, gates, and the tools each step uses.
The top-level mode field only changes who you hand it to:
mode: opt(default) — hand it to code agents. Compiling emits every agent harness (Claude Code, Codex, Cursor, OpenCode) plus the playbook. Drive them with the orchestrator:node scripts/orchestrate-workflow.mjs --invoke --loopauto-advances through every stage until a human gate, scoping each agent to that step's skills/MCP/hooks.mode: team— hand it to human teammates. Compiling emitsPLAYBOOK.md(and the core assets) but skips the agent-CLI files no human will open — a copy-paste checklist each person runs on their own product or module. Track everyone side by side withtpan-opt-co-worker dashboard(one labelled run per module).
The definition is identical; only the distribution target — and therefore which files
compile writes — differs. Override the mode default any time with compile --harness.
A stage can hold sub-nodes (for example ai-test → unit, integration,
user-acceptance), and any stage or sub-node can bind its own skills, mcpServers,
and hooks. At --invoke those bindings reach the agent three ways: the work-order
brief JSON, the TPAN_OPT_SKILLS / TPAN_OPT_MCP_SERVERS / TPAN_OPT_HOOKS env vars,
and the {skills} / {mcpServers} / {hooks} agent-command placeholders.
System Architecture
+--------------------------+
| Workflow Designer |
| roles, stages, gates |
+------------+-------------+
|
v
+--------------------------+
| Workflow Compiler |
| AGENTS.md, configs, CI |
+------------+-------------+
|
v
+--------------------------+
| Execution Orchestrator |
| state, routing, approval |
+------------+-------------+
|
v
+--------------------------+
| Harness Adapters |
| Codex, Claude, CI, MCP |
+------------+-------------+
|
v
+--------------------------+
| Verification Layer |
| tests, review, evidence |
+------------+-------------+
|
v
+--------------------------+
| Knowledge & Governance |
| policies, audit, reuse |
+--------------------------+
Example Workflow
name: production-feature-workflow
version: 1.0.0
gatePresets:
team:review-signoff:
type: manual
description: Engineering owner reviewed the change and signed off.
roles:
planner:
skills:
- product-capability
- api-design
permissions:
- read_repo
- write_docs
engineer:
skills:
- tdd-workflow
- coding-standards
permissions:
- read_repo
- write_code
- run_tests
reviewer:
skills:
- code-review
- security-review
permissions:
- read_diff
- comment
stages:
- id: clarify
owner: planner
output: capability_spec
gates:
- id: open_questions_resolved
type: manual
description: All blocking product questions have an owner or answer.
- id: implement
owner: engineer
required:
- tests_first
- code_changes
gates:
- id: unit_tests_pass
preset: node:test
- id: coverage_above_80
preset: node:coverage
- id: review
owner: reviewer
gates:
- id: no_critical_security_issues
type: manual
- id: no_high_code_quality_issues
preset: team:review-signoff
- id: ship
owner: human
gates:
- id: human_approval
type: manual
- id: release_notes_generated
type: manual
Stages can nest sub-nodes and bind tools per step, and the top-level mode chooses the hand-off target:
mode: team # or opt (default). Same definition either way.
stages:
- id: ai-test
owner: engineer
skills: [test-strategy] # stage-level tools
nodes:
- id: unit
skills: [unit-testing] # node-level tools, delivered at --invoke
gates: [{ id: unit-pass, preset: node:test }]
- id: user-acceptance
gates: [{ id: uat-signoff, type: manual }]
Key Objects
| Object | Purpose |
|---|---|
WorkflowTemplate |
A reusable team delivery process. |
WorkflowRun |
One execution of a workflow against a project or task. |
Stage |
A workflow phase with inputs, outputs, owner, gates, and optional sub-nodes. |
Node |
A sub-step inside a stage (e.g. ai-test → unit/integration), with its own output, gates, and bound skills/MCP/hooks. |
Role |
A human or agent responsibility boundary. |
AgentProfile |
A concrete agent configuration with skills, tools, permissions, and behavior rules. |
Skill |
A reusable instruction package for a specific capability. |
McpServer |
A tool/data connector available to selected roles. |
Hook |
Automation triggered before, during, or after workflow execution. |
Gate |
A required condition before the workflow can move forward. |
Playbook |
PLAYBOOK.md, the human-readable checklist a teammate runs end to end in team mode. |
Artifact |
A durable output such as a plan, spec, patch, test report, review, or release note. |
VerificationResult |
Evidence that a gate passed or failed. |
Approval |
A human decision for sensitive or irreversible actions. |
Workflow nodes: MCP servers and hooks
Skills are configured per role. MCP servers and lifecycle hooks are first-class workflow nodes: declare them once at the top level, then reference servers per role. The wizard command collects all of this interactively, but you can also author it by hand in opt.workflow.json:
{
"name": "my-workflow",
"mcpServers": {
"co-worker": { "command": "node", "args": ["src/cli.js", "mcp"] },
"docs": { "url": "https://mcp.example.com/sse", "transport": "sse" }
},
"roles": {
"lead": { "mcpServers": ["co-worker"] }
},
"hooks": [
{ "id": "preflight", "event": "pre-tool", "command": "node scripts/preflight.mjs", "matcher": "Bash" }
]
}
mcpServersis a map of server id to either a local process (command, optionalargs, optionalenv) or a remote endpoint (url, optionaltransport—stdio/sse/http). A server is local xor remote. Each role may list assigned server ids inroles.<id>.mcpServers, which must reference declared servers.hooksis an array of{ id, event, command }, whereeventis one ofpre-tool,post-tool,stop,user-prompt-submit,session-start. Tool events (pre-tool/post-tool) accept an optionalmatcherto scope by tool name. Eachidmust be a unique identifier.
When a workflow declares either node, compiling emits the additional harness-native assets:
.mcp.json(Claude Code / generic MCP) and[mcp_servers.*]tables in.codex/config.toml, plus per-role MCP listings inAGENTS.mdand the agent files..claude/settings.json(Claude Code native hooks, grouped byPreToolUse/PostToolUse/Stop/UserPromptSubmit/SessionStart) and a harness-neutral.tpan-opt-co-worker/hooks.jsonmanifest, plus a## Hookssection inAGENTS.md.
Workflows that declare neither node compile byte-identically to before, so these files only appear when you opt in.
OPT: One Person Team
OPT mode lets one human lead operate a structured virtual team:
- The human owns goals, product judgment, priority, and approval.
- Agents own specialized execution and review work.
- The system owns workflow state, permission boundaries, evidence, and quality gates.
An OPT team may include:
- Product planner
- System architect
- Frontend engineer
- Backend engineer
- QA engineer
- Security reviewer
- Code reviewer
- Documentation writer
- Release manager
Repository Distribution
A workflow can be compiled into repository-local assets such as:
AGENTS.mdCLAUDE.mdPLAYBOOK.md(human teammate checklist; the team-mode hand-off artifact).codex/config.toml.codex/agents/*.toml.cursor/rules/*.mdc.opencode/agents/*.md.claude/agents/*.md.agents/skills/*- GitHub Actions workflows
- PR templates
- issue templates
- verification scripts
.tpan-opt-co-worker/workflow.manifest.json- project-specific policy files
The goal is to keep team standards close to the codebase while allowing organization-level reuse.
Engineering Quality
Commercial use starts with repeatable local checks. This repository ships no-dependency quality scripts:
npm run verify
npm run lint
npm run typecheck
npm run repo:health
npm run test:coverage
npm run build
npm run pack:check
npm audit --audit-level=high
verifyruns the complete local quality gate used before release.lintandtypechecksyntax-check all JavaScript and MJS files with the active Node runtime;typecheckis kept as a compatibility gate name for generated npm workflows in this plain JavaScript package.repo:healthchecks unresolved conflict markers, focused/skipped tests, naming drift, and source file size.test:coverageruns the full Node test suite and enforces 80%+ line, branch, and function coverage for product code undersrc/**andscripts/**.buildcompiles the example workflow into a temporary repository and verifies generated assets can be written.pack:checkruns an npm package dry run with an isolated cache and verifies required release files.npm audit --audit-level=highverifies dependency security posture; the package currently has no runtime dependencies. GitHub Actions runs the same quality gates onmainpushes and pull requests for Node.js 22.
Current CLI
tpan-opt-co-worker quickstart --out . [--template opt-demo] [--team product-delivery] [--name my-workflow] [--no-demo] [--no-open] [--force]
tpan-opt-co-worker wizard --out . [--force]
tpan-opt-co-worker init --out . [--template production-feature] [--team product-delivery] [--policy quality-standard] [--name production-feature-workflow] [--force]
tpan-opt-co-worker validate --workflow opt.workflow.json [--preset-file gate-presets.json] [--json]
tpan-opt-co-worker schema [--out workflow.schema.json] [--force]
tpan-opt-co-worker catalog [--kind presets|templates|policies|teams|marketplace] [--json] [--out catalog.json] [--force]
tpan-opt-co-worker compile --workflow opt.workflow.json --out . [--harness claude|codex|cursor|opencode|team] [--preset-file gate-presets.json] [--force] [--dry-run]
tpan-opt-co-worker status [--out .] [--run-id <id>]
tpan-opt-co-worker next [--out .] [--run-id <id>]
tpan-opt-co-worker dashboard [--out .]
tpan-opt-co-worker approve <gate> --by <approver> [--stage <stage>] [--note <text>] [--out .] [--run-id local]
tpan-opt-co-worker serve [--out .] [--port 4318] [--host 127.0.0.1] [--no-open]
tpan-opt-co-worker mcp
serve turns the static console into a live, interactive dashboard: a zero-dependency node:http server (bound to 127.0.0.1 only) puts the same console behind http://127.0.0.1:4318/, streams orchestration and run state changes to the browser over Server-Sent Events (so the page refreshes itself as gates pass), and adds a Live Approvals panel that approves manual gates in place — calling the exact same approveGate core as the CLI approve command, then advancing the orchestrator and surfacing the next pending gate. It is optional: the compiled console remains a portable static artifact you can open directly. Press Ctrl+C to stop; pass --no-open to skip auto-opening the browser.
status, next, dashboard, and approve drive a compiled repository from the command line. status prints the workflow and each stage's orchestration status (and, in team mode, points to PLAYBOOK.md); next prints the open work order(s) and the next action; both default to the latest run and accept --run-id <id> to inspect a specific orchestration run (for example the real run from a real-agent invocation); dashboard aggregates the latest verification run per product/module into one side-by-side table — the team-mode view where each teammate runs the whole pipeline on a different module (label a run with node scripts/run-workflow.mjs --module <name>); approve <gate> --by <approver> records approver evidence for a manual gate and advances the orchestrator — so you never hand-edit manual-evidence.json. Pass --stage when a gate id is reused across stages. These share their core with the MCP co_worker_next / co_worker_approve tools, so the CLI and in-agent flows behave identically. mcp runs the MCP server (see Install as a plugin (MCP)).
quickstart is the one-command onboarding path: it runs the same scaffolding as init, compiles every harness asset, bundles an offline demo agent, and (unless --no-demo) drives a four-role agent team end to end with --invoke so the generated console shows a real, populated run that stops at one human-approval gate. It defaults to the opt-demo template (a runnable agent team) and opens the console for you unless you pass --no-open. Finish the seeded run with approve human_approval --stage ship --by you. The CLI compile step remains the authoritative path for applying edited workflows.
wizard is the interactive authoring path: it prompts for the template, optional reusable team, policy packs, MCP servers, per-role MCP assignments, lifecycle hooks, and an optional orchestrator agent command (committed as orchestration.agentCommand so orchestrate --invoke drives each stage's owner agent with no flags), then writes opt.workflow.json and compiles every harness asset (including .mcp.json, .codex/config.toml MCP wiring, and .claude/settings.json hooks) into --out. Press Enter to accept each [default]; answer prompts by number or id. See Workflow nodes: MCP servers and hooks for the schema it produces. It refuses to overwrite existing files unless --force is provided.
init writes a starter opt.workflow.json from a named workflow template. The default production-feature template includes planner, engineer, reviewer, and release-manager roles plus a production delivery flow. Passing --team <id> uses the reusable team's recommended template unless --template is also set, and records organization.team plus recommended policy ids in the generated workflow. Passing --policy <id> appends validated organization policy packs; repeated policies are deduplicated while preserving order. When a selected policy contributes an automatable rule (currently dependency_audit from security-baseline), init injects a dedicated policy_compliance stage with the matching command gate (for example npm:audit-high) ahead of the final stage, so the rule is enforced during verification rather than only documented. Non-automatable rules stay advisory prompt text in the generated instructions. It refuses to overwrite an existing workflow unless --force is provided.
The default production-feature template uses the built-in node:test and node:coverage presets, so generated local runs expect the target repository to provide npm test and npm run test:coverage. When the template defines npm-based command gates and the target has no package.json, init scaffolds a placeholder package.json whose test and test:coverage scripts exit non-zero with a "configure me" message. This keeps the command gates anchored to the target repository instead of an unrelated parent package.json, and makes them fail honestly until you wire in real checks. An existing package.json is never modified. For non-Node projects or empty starter directories, start with --template minimal, or override command gates with workflow-defined gatePresets or --preset-file.
validate checks workflow shape, stage owners, gate presets, duplicate ids, and external preset registries without writing generated assets. Add --json to emit a machine-readable summary with workflow identity, role/stage/gate counts, gate type counts, roles, and stage gate ids.
schema prints the workflow JSON Schema to stdout by default, or writes it to --out with the same overwrite protection used by generated assets.
catalog is the single discovery surface. With no arguments it prints a combined summary (gate presets, workflow templates, organization policy packs, reusable agent teams, and marketplace packages) as text or JSON. --kind <presets|templates|policies|teams|marketplace> narrows the output to one slice. Use --out to write a stable combined JSON artifact for Web Console or organization registry tooling; existing files require --force (not valid with --kind). The standalone presets / templates / policies / teams / marketplace commands remain as thin aliases for the matching catalog --kind.
The marketplace slice is a metadata preview only: package installation is not yet implemented, and the referenced install.files are descriptive targets rather than shipped assets (see the Roadmap).
Generated files:
AGENTS.mdCLAUDE.mdPLAYBOOK.md(human teammate checklist; the team-mode hand-off artifact).codex/config.toml.codex/agents/<role>.toml.claude/agents/<role>.md.cursor/rules/tpan-opt-co-worker.mdc.opencode/agents/<role>.md.github/pull_request_template.md.github/workflows/tpan-opt-co-worker-verify.yml.gitlab-ci.yml.tpan-opt-co-worker/catalog.json.tpan-opt-co-worker/console/index.html.tpan-opt-co-worker/console/catalog.js.tpan-opt-co-worker/console/orchestration.js.tpan-opt-co-worker/console/orchestration.json.tpan-opt-co-worker/marketplace.json.tpan-opt-co-worker/workflow.manifest.json.tpan-opt-co-worker/workflow.schema.jsonopencode.jsonscripts/list-runs.mjsscripts/orchestrate-workflow.mjsscripts/run-workflow.mjsscripts/verify-workflow.mjs
By default compile emits every harness in opt mode, or just the team playbook in team mode (see Two modes). Pass --harness <claude|codex|cursor|opencode|team> (comma-separated, repeatable) to write only the files for the harnesses you use — the core assets (workflow manifest, schema, static console, scripts, and CI) are always written regardless. This keeps a repo from filling with ~30 files it will never open.
The compiler validates workflow shape, rejects unknown stage owners, rejects duplicate stage ids, blocks path traversal, and refuses to overwrite existing files unless --force is provided.
Generated harness instruction files include an Organization Standards section when the workflow defines organization.team or organization.policies, so Codex, Claude Code, Cursor, and OpenCode receive the same team and policy context. Built-in policy packs are expanded into their descriptions and rule ids inside the generated instructions; custom organization policy ids are preserved as policy references.
The generated Claude Code assets include a root CLAUDE.md workflow context and one .claude/agents/<role>.md file per workflow role, so Claude Code can follow the same role boundaries, stages, gates, and evidence requirements as Codex.
The generated Cursor rule at .cursor/rules/tpan-opt-co-worker.mdc keeps workflow boundaries, gates, and verification behavior in Cursor's project rules context.
The generated OpenCode assets include opencode.json plus one .opencode/agents/<role>.md subagent file per workflow role.
The generated .tpan-opt-co-worker/workflow.manifest.json is the harness-neutral manifest for local runners, the execution orchestrator, and future adapters. It records organization metadata, normalized roles, stages, catalog and marketplace artifact paths, harness asset paths (including the orchestrator script and its state directory under harnesses.orchestrator), and the standard verification command.
The generated .tpan-opt-co-worker/workflow.schema.json is a JSON Schema for workflow authoring tools, editors, and future web-console form generation.
The generated .tpan-opt-co-worker/catalog.json, .tpan-opt-co-worker/marketplace.json, and .tpan-opt-co-worker/console/catalog.js expose organization-level workflow templates, policy packs, reusable teams, and marketplace packages for skills, MCP servers, and hooks.
The generated .tpan-opt-co-worker/console/index.html is a static workflow console that can be opened directly in a browser. It shows workflow identity, organization team/policy metadata, role ownership, stage sequence, manual/command gate distribution, an editable Workflow Designer panel that validates a workflow draft in the browser against the same structural rules the compiler enforces (names, roles, owners, stage dependencies, gates) and offers copy/download of the edited JSON — with the CLI compile remaining the authoritative validator that writes assets — alongside the schema path, organization catalog panels for reusable templates/policies/teams, marketplace package discovery, run summary status counts, filterable run history with direct links to each run's evidence.json and summary.md, and matching per-run gate details from .tpan-opt-co-worker/console/runs.js with .tpan-opt-co-worker/console/runs.json as a data fallback. Gate details include command text, exit codes, approver, notes, and safe evidence links where available.
For a live, interactive version of this same console, run tpan-opt-co-worker serve (see the serve command in More commands): it serves the file over http://127.0.0.1:4318/, auto-refreshes as orchestration and run state change, and adds a Live Approvals panel that approves manual gates in the browser. Opening the file directly stays fully supported — serve is optional.
The generated local runner reads the manifest, invokes verification, writes a standard run directory, updates .tpan-opt-co-worker/runs/index.json, and mirrors the run index plus gate details to .tpan-opt-co-worker/console/runs.json and .tpan-opt-co-worker/console/runs.js for the static console:
node scripts/run-workflow.mjs \
--run-id feature-001 \
--module payments \
--manual-evidence examples/manual-evidence.json
--module <name> labels the run with the product or module it covers, so tpan-opt-co-worker dashboard (and the console) can group runs per module — the team-mode pattern where each teammate runs the same pipeline on their own slice. The runner also maintains .tpan-opt-co-worker/runs/index.json. List local run history with:
node scripts/list-runs.mjs
node scripts/list-runs.mjs --json
The generated execution orchestrator is a dependency-gated state machine. Unlike the verifier, which evaluates every command gate globally, the orchestrator only starts a stage once all of its dependencies are done, and it emits a work order for every stage whose dependencies are satisfied: the role's skills and permissions, the per-harness agent file to drive (.claude/agents/<role>.md, .codex/agents/<role>.toml, .opencode/agents/<role>.md), the stage's required work, the pending gates, and the next action. State is written to .tpan-opt-co-worker/orchestrations/<run-id>/state.json and a human-readable state.md. The script exits non-zero while the workflow is blocked and exits zero only when every stage is complete, so it can gate CI:
node scripts/orchestrate-workflow.mjs \
--run-id feature-001 \
--manual-evidence examples/manual-evidence.json
Add --invoke to drive each ready stage's owner agent (with --agent-command "<cmd>", or a persisted orchestration.agentCommand), and --loop to repeat the scheduling pass until the run completes, stalls at a pending manual gate, or hits --max-iterations (default 25). This is the OPT autopilot: agents advance the flow and only stop for a human gate. Each invocation is scoped to its stage+sub-node tooling via the brief JSON, the TPAN_OPT_SKILLS / TPAN_OPT_MCP_SERVERS / TPAN_OPT_HOOKS env vars, and {skills} / {mcpServers} / {hooks} command placeholders. Agents can never self-approve a manual gate.
Stages declare dependencies with an optional dependsOn array of earlier stage ids; the array stays a valid topological order because a stage may only depend on stages declared before it (cycles are impossible). When dependsOn is omitted a stage defaults to depending on the immediately preceding stage, so a plain list of stages stays strictly sequential — the routing and approval boundary then sits at the first unsatisfied stage, exactly as before. Declaring dependencies turns the list into a DAG: stages that fan out from a shared prerequisite are scheduled in parallel, so several owners can hold open work orders at once (state.currentStages / state.workOrders carry the full set, with currentStage / workOrder kept as the first frontier for compatibility). A stage with any unfinished dependency stays pending and its command gates never run. Use an explicit empty dependsOn: [] to opt a stage out of the sequential default and start it as an independent branch.
{
"stages": [
{ "id": "plan", "owner": "planner", "gates": ["scope_confirmed"] },
{ "id": "backend", "owner": "backend-eng", "dependsOn": ["plan"], "gates": ["api_tests"] },
{ "id": "frontend", "owner": "frontend-eng", "dependsOn": ["plan"], "gates": ["ui_tests"] },
{ "id": "integrate", "owner": "release", "dependsOn": ["backend", "frontend"], "gates": ["human_approval"] }
]
}
Command gates still run sequentially within a single process (the orchestrator does not yet execute gates concurrently); parallelism here means independent branches are routed and surfaced together rather than artificially serialized behind the first incomplete stage.
The orchestrator can also drive the current stage's owner agent. Pass --invoke with a harness-neutral --agent-command template and the orchestrator, when it reaches an unsatisfied stage, writes a work-order brief to brief-<stage>.json, runs the command once for that stage's owner, then re-evaluates the stage's gates and advances if they now pass. The command template substitutes {stage}, {role}, and {brief}, and the same values are exported as TPAN_OPT_STAGE, TPAN_OPT_ROLE, and TPAN_OPT_BRIEF environment variables, so any agent CLI (Claude Code, Codex, OpenCode, or a custom runner) can be wired in without locking the workflow to one harness:
node scripts/orchestrate-workflow.mjs \
--run-id feature-001 \
--manual-evidence examples/manual-evidence.json \
--invoke \
--agent-command 'claude -p "Complete stage {role} using brief {brief}"'
Agent invocation is opt-in because it can change the repository and incur cost, is bounded to one invocation per stage per run, and never satisfies manual gates: agents cannot self-approve, so human approval gates still block until evidence is attached. Each invocation is recorded in invocation-<stage>.json and the run state.json.
The agent command can also be persisted into the workflow so operators do not retype it on every run. Add an orchestration block with a default agentCommand template and optional per-role agents overrides; the compiler validates it and writes it into the manifest under harnesses.orchestrator. The orchestrator then resolves the command for each stage owner with the precedence CLI --agent-command → per-role agents[owner] → default agentCommand, so --invoke works with no flags when a command is committed, while a CLI flag still overrides for one-off runs:
{
"orchestration": {
"agentCommand": "claude -p \"Complete stage {role} using brief {brief}\"",
"agents": {
"engineer": "codex exec --brief {brief}"
}
}
}
The orchestrator also mirrors its latest state into the static console at .tpan-opt-co-worker/console/orchestration.json and .tpan-opt-co-worker/console/orchestration.js. The console's Orchestration panel renders the run status, current stage, per-stage progress, the open work order (owner, pending gates, next action), and recent agent invocations, with orchestration.js as the default data source and orchestration.json as a fetch fallback.
The generated GitHub Actions workflow runs scripts/verify-workflow.mjs --run-dir .tpan-opt-co-worker/runs/ci on pull requests and main pushes, then uploads .tpan-opt-co-worker/runs as a CI artifact for audit and review.
The generated GitLab CI job runs the same verifier with --run-dir .tpan-opt-co-worker/runs/gitlab and preserves .tpan-opt-co-worker/runs as a pipeline artifact.
Evidence report shape:
{
"workflow": {
"name": "production-feature-workflow",
"version": "1.0.0"
},
"passed": true,
"commandPassed": true,
"allGatesPassed": false,
"startedAt": "2026-06-24T00:00:00.000Z",
"finishedAt": "2026-06-24T00:00:01.000Z",
"commandGates": [
{
"stageId": "implement",
"id": "unit_tests_pass",
"preset": "node:test",
"command": "npm test",
"status": "passed",
"exitCode": 0
}
],
"manualGates": [
{
"stageId": "ship",
"id": "human_approval",
"status": "pending"
}
]
}
Manual evidence file shape:
{
"gates": {
"human_approval": {
"approvedBy": "team-lead@example.com",
"note": "Release approved by the human lead.",
"links": ["https://example.com/release-review"]
}
}
}
Workflow verification runs stages in order. If a command gate fails or a manual gate is still pending in an earlier stage, command gates in later stages are recorded as skipped and are not executed.
When all command gates pass and every manual gate has evidence, allGatesPassed becomes true.
Manual evidence can be keyed by gate id when that manual gate id is unique across the workflow. If multiple stages use the same manual gate id, key evidence as <stageId>.<gateId> so approvals do not accidentally apply to more than one stage.
External preset registry files use the same gatePresets shape:
{
"gatePresets": {
"org:security-review": {
"type": "manual",
"description": "Security reviewer confirmed there are no unresolved critical or high findings."
},
"org:docs-check": {
"type": "command",
"description": "Run organization-standard documentation checks.",
"command": "npm run docs:check"
}
}
}
--preset-file can be repeated. Duplicate custom preset names across files or between a file and the workflow are rejected.
Gate types:
manual: records a required approval, review, or evidence item.command: runs a shell command fromscripts/verify-workflow.mjsand fails the verification script if the command exits non-zero.
Built-in gate presets:
| Preset | Type | Command |
|---|---|---|
node:test |
command |
npm test |
node:coverage |
command |
npm run test:coverage |
npm:lint |
command |
npm run lint |
npm:typecheck |
command |
npm run typecheck |
npm:audit-high |
command |
npm audit --audit-level=high |
Preset commands can be overridden by setting command explicitly on the gate.
Workflow-defined presets:
{
"gatePresets": {
"team:docs-check": {
"type": "command",
"description": "Verify project documentation.",
"command": "npm run docs:check"
},
"team:review-signoff": {
"type": "manual",
"description": "Engineering owner reviewed and signed off."
}
}
}
Custom preset names cannot override built-in preset names.
Roadmap
- Define the first workflow schema.
- Build a local workflow compiler.
- Generate
AGENTS.md, harness configs, and PR templates. - Add executable command gates and manual evidence gates.
- Add built-in gate presets for tests, lint, typecheck, and audit.
- Add CLI built-in gate preset discovery.
- Add workflow-defined custom gate presets.
- Add external organization-level preset registry files.
- Add generated workflow run evidence reports.
- Add manual gate evidence input.
- Add workflow run artifact directory management.
- Add Codex harness adapter generation.
- Add Claude Code harness adapter generation.
- Add Cursor harness adapter generation.
- Add OpenCode harness adapter generation.
- Add harness-neutral workflow manifest generation.
- Add organization metadata to manifest and web console outputs.
- Add organization standards to generated harness instructions.
- Expand built-in organization policy pack rules into generated harness instructions.
- Add local runner harness adapter generation.
- Add a stage-gated execution orchestrator that routes work and emits per-stage work orders.
- Add opt-in, harness-neutral agent invocation that drives the current stage's owner agent and re-gates.
- Persist the orchestrator agent command (default and per-role) into the workflow and manifest.
- Schedule independent stages in parallel via a stage dependency graph with multi-owner work orders.
- Surface orchestration state, work orders, and agent invocations in the static web console.
- Add GitHub Actions template generation.
- Add GitLab CI template generation.
- Add starter workflow template generation.
- Add CLI workflow template catalog discovery.
- Add CLI organization policy pack discovery.
- Add CLI reusable agent team catalog discovery.
- Add team-backed workflow initialization.
- Add policy-backed workflow initialization.
- Add CLI combined catalog discovery.
- Add CLI combined catalog artifact export.
- Add CLI workflow validation without asset generation.
- Add CLI workflow JSON Schema export.
- Add generated static web console for workflow overview.
- Add generated web console run history sync.
- Add generated web console workflow definition panel.
- Add generated web console run summary tracking.
- Add generated web console run status filters.
- Add generated web console status-filtered gate details.
- Add generated web console gate evidence metadata.
- Add generated web console run artifact links.
- Make the web console Workflow Designer editable with in-browser draft validation and JSON export.
- Add a one-command quickstart that scaffolds, compiles, and seeds a demo run for an immediately populated console.
- Ship a zero-dependency MCP server (quickstart, compile, validate, catalog, next, approve) so co-worker installs as a plugin in Codex, Claude Code, and MCP-capable agents.
- Add first-class
status,next, andapproveCLI subcommands that drive and approve workflows without hand-editing evidence files. - Add marketplace catalog discovery for skills, MCP servers, and hooks.
- Add a web console for workflow design and run tracking.
- Add organization-level templates, policies, and reusable agent teams.
- Add marketplace-style distribution for skills, MCP servers, and hooks.
- Collapse the standalone discovery commands into
catalog --kind(with backward-compatible aliases). - Add
compile --harnessso a repo can generate only the harness files it uses. - Fork generated output by
mode:teamcompiles the human playbook,optcompiles the agent harnesses.
Planned (not in the current package)
These are described in this README as direction, but are not shipped yet:
- Marketplace package installation — the
catalog --kind marketplaceslice is a metadata preview;install.filesare descriptive targets, not shipped assets. - YAML workflow authoring — the compiler currently reads JSON workflow files only.
- Hosted orchestration — running the orchestrator as a managed service rather than a local script, and fully autonomous multi-agent coordination.
Design Principles
- Workflow-first: process should be explicit, reusable, and versioned.
- Verification-first: no artifact is trusted without evidence.
- Human-controlled: humans approve sensitive, external, costly, or irreversible actions.
- Harness-neutral: workflows should not be locked to one AI coding tool.
- Repository-native: project rules should be exportable into the repo.
- Composable: roles, skills, hooks, MCP servers, and gates should be reusable building blocks.
- Auditable: every important decision and quality result should be traceable.
Inspired By
TPAN-OPT/CO-WORKER is inspired by proven patterns from:
- AI coding harnesses and agent frameworks
- workflow engines and CI/CD systems
- open-source repository governance
- platform engineering and internal developer portals
- ECC-style agent, skill, command, hook, and MCP organization
Project Status
This project is in active early implementation. The current CLI can create starter workflows, compile repository-local harness assets, run verification gates, and persist workflow evidence.
Contributing
Contributions are welcome once the initial schema and runtime boundaries are published.
Useful contribution areas will include:
- workflow schema design
- harness adapter design
- agent role templates
- verification gates
- security policy templates
- documentation and examples
- UI/UX for workflow design and run tracking
License
This project is licensed under the MIT License.