VibeFlow Master Spec
Contents
- One-Sentence Summary
- What the Tool Does
- Key Design Principles
- Minimal-Footprint and AI-Generated Output
- Engine Support
- Skill System
- Hook System
- Security Posture
- Engine Readiness
- Pre-Flight Quota Gate
- Naming Decision
- Updated Skill Provider Decision
One-sentence summary
A local-first npm CLI tool that opens a web UI and orchestrates Claude Code, Codex CLI, and GitHub Copilot CLI using shared project context, Anthropic-style skills, source/file readers, hooks, multi-agent planning, verification, and continuous skill evolution.
What the tool does
- Starts from npm/npx
- Opens a local web UI
- Collects repo, task, docs, and work management sources
- Finds source connector skills
- Finds file reader skills
- Reads and normalizes project context
- Generates CLAUDE.md, AGENTS.md, and Copilot instructions
- Creates Claude agents and Anthropic-style skills
- Dispatches Claude Code, Codex, or Copilot CLI
- Uses hooks to control risky actions
- Verifies diff, tests, logs, and acceptance criteria
- Proposes skill updates from lessons learned
Key design principles
Main agent is always the orchestrator.
Do not rely on stale model memory for version-sensitive tasks.
Use verified skills when available.
Search trusted external docs/skills when needed.
Do not silently install or enable risky dependencies.
Confidence below threshold triggers bounded investigation, not infinite loops.
If confidence remains low, recommend the next best action with evidence.
Ask for approval only for side effects or high-risk actions.
No evidence, no conclusion.
No verification, no completion.
Generate the fewest files possible.
Everything a tool emits is AI-generated, not hand-maintained boilerplate.
Minimal-footprint and AI-generated output
VibeFlow must keep the number of files it creates in a target repo as small as possible, and every file it does create must be produced by the AI at runtime from canonical context — not copied from static, hand-maintained template files.
- Generate the minimum set of files needed for the selected engine and task.
- Do not scaffold files the current run does not use (lazy, on-demand generation).
- Prefer one canonical source plus on-demand projections over many persisted copies.
- No static template files checked into the tool as the source of generated output;
the orchestrator composes each file from canonical context with the AI.
- Generated files are disposable and reproducible: deleting them and re-running
must reproduce equivalent output from the same canonical context.
- Collapse optional/empty artifacts: only emit per-area files (e.g.
.github/instructions/*.instructions.md, .claude/agents/*) that the task actually needs.
This principle takes precedence over the illustrative “full” file lists elsewhere in
these specs (for example in GENERATED_FILES.md and ARCHITECTURE.md): those lists
describe the maximum surface VibeFlow may generate, not a set it must always create.
Engine support
Claude Code:
- CLAUDE.md
- .claude/agents
- .claude/skills
- .claude/settings.json
Codex CLI:
- AGENTS.md
- .codex/config.toml
- prompt-injected selected skills
GitHub Copilot CLI:
- AGENTS.md
- .github/copilot-instructions.md
- .github/instructions/*.instructions.md
- prompt-injected selected skills
Skill system
External skills = baseline knowledge from trusted sources
Internal skills = verified project/team lessons
Every skill:
- has SKILL.md
- has metadata in SKILL.md YAML frontmatter
- declares capabilities
- declares permissions
- has status: draft / experimental / verified / deprecated
- has changelog when updated
Hook system
Hooks use a universal protocol:
pre-command
post-command
pre-write
post-write
skill-compliance
final-verify
Decisions:
allow
warn
require_approval
block
Security posture
Local-first
Read-only by default
No public tunnel by default
No silent install
No source upload by default
No auto-push
No auto-merge
No auto-deploy
Engine readiness
presence → binary on PATH (or `which`)
auth → whoami / login status, no live run
quota → parse claude / codex / copilot quota output (src/engine-quota.ts)
Engine readiness results are cached in-process (src/probe-cache.ts): stable
results live 60 s, transient probe-failed results live 5 s. vf doctor --refresh
discards the cache and re-probes immediately. The preflight gate
(src/preflight-delegate.ts) layers presence → auth → quota in that order
and auto-falls-back to the next ready engine when the chosen one is exhausted,
returns 429 / 403, or fails auth.
Pre-flight quota gate
exhausted → engine reports 0% quota remaining → fall back to next ready engine
429 → rate-limited response → fall back to next ready engine
403 → forbidden / unauthorised billing region → fall back to next ready engine
auth → CLI present but no valid credentials → fall back to next ready engine
no engine → no engine passes all three layers → block dispatch + surface reason
The gate is evaluated before every dispatch (vf run / vf orchestrate) and
short-circuits cheaply on the cache; on miss it parses a single JSON output per
engine. See WORK_UNIT_ORCHESTRATION.md for how the gate plugs into the
work-unit lifecycle.
Naming decision
The recommended public product name is VibeFlow and the short CLI command is vf.
Recommended package:
npx @magicpro97/vibeflow
Memory recall
VibeFlow ships a built-in recall layer (MemoryProvider seam, two providers):
- builtin (default opt-in): bun:sqlite FTS5 over
.vibeflow/knowledge/decisions.md; zero deps; lazy-indexed on mtime. - claude-mem (external opt-in): shells
claude-mem search; requires separate install.
Recall injects a Relevant past decisions: block into dispatchPrompt (between Skills and Constraints) and buildPlanPrompt (beside §2 Non-negotiables). Off by default; enable via vf config memory builtin.
Updated skill provider decision
The Context7 HTTP API should be the primary external skill and documentation resolver. It is queried over HTTP (https://context7.com/api/v2) via the runtime fetch — no external ctx7 binary is required — with an optional CONTEXT7_API_KEY for higher rate limits. Vercel find-skills remains a supported secondary provider.
Default priority:
1. Local verified skills
2. Context7 HTTP API (skills and docs)
3. Anthropic official skills/plugins
4. Vercel find-skills
5. Official vendor docs
6. Trusted MCP registries
7. Community skills after review
8. npm packages after security verification
Related: Architecture · Security Model Edit this page on GitHub