This is a submission for Weekend Challenge: Passion Edition
π Table of Contents
- What I Built
- Demo
- Code
-
How I Built It
- 1. πΊοΈ Where it fits in the pipeline
- 2. π€ Two core concepts: Track & Wave
- 3. π οΈ The three skills
- 4. π The four flows
- 5. βοΈ The hooks bundle β mechanical guardrails
- 6. πΈ Evidence β proof, not narration
- 7. π Security & scope control
- 8. π Speed β fanout, parallel agents, worktrees
- 9. π Observability β run artifacts & tracing
- 10. π§ Design principles
- 11. π Getting started
- π Companion Reads
- π Sources & further reading
What I Built
Supspec Orchestration is an autonomous agent workflow layer that closes the gap between "I have a task list" and "I have a reviewed, evidenced draft PR waiting for a human."
π Repo: github.com/truongpx396/supspec-orchestration Β· MIT licensed Β· β οΈ under active development β test thoroughly in your own context before production use.
Most AI coding agent demos stop at "look, it wrote code." The hard parts β Did it actually run the tests, or just claim to? Did it stay in scope? Did it leak a secret? Did it burn 500K tokens looping? Is the PR description fact or fiction? β get hand-waved away.
Supspec Orchestration is an opinionated answer to all of those, built by composing rather than reinventing two proven upstream frameworks:
-
SpecKit upstream β produces the
spec β plan β tasksartifacts (the what). - Superpowers downstream β supplies disciplined skills and dispatched subagents (the how: TDD, review, verification).
On top of that, Supspec Orchestration adds the missing middle: reliability, security, speed, and observability β enforced by mechanical hooks, not by trusting the model to behave.
The one rule it never breaks: No self-merge. Ever. Every pipeline terminates at a draft PR. A human owns the merge.
| Dimension | How Supspec Orchestration delivers it |
|---|---|
| Reliable | Phased TDD (RED β freeze β GREEN), two-step verification, separate code review, evidence gate that checks a tree fingerprint |
| Governed | Reviewer subagent cross-checks against SpecKit constitution + Copilot *.instructions.md (security/OWASP, Go, Python, Reactβ¦) |
| Secure | Scope guard (deny out-of-scope writes), frozen/immutable paths, destructive-op block, secrets sentinel, token & tool-call ceilings |
| Fast | In-session fanout, parallel worker agents, one git worktree per track, dependency-aware waves |
| Observable | One RUN_ID threads branch β PR β commit β run record; hooks emit runs/<RUN_ID>.json with tool calls, trace, and evidence |
Demo
The best live signal of Supspec Orchestration in action is aisat-studio/pull/8 β a real draft PR generated end-to-end by the single-branch-development scaffold flow against the aisat-studio monorepo.
What the PR shows:
-
Task scope: T001βT010a β bootstrapping a three-runtime monorepo (Go 1.23 API, Python 3.12 FastAPI/LangGraph service, React 19/Vite SPA) from a
tasks.md. -
Run ID
2026-07-11T10-04_setup2threads the branch name, PR title, commit trailer, and run record β grep any surface to reconstruct the whole run. - Parallel fan-out in action: the run trace shows 7 parallel read-only Explore subagents fired concurrently at 10:05β10:07Z before scaffold writing began.
- Auto block (hook-observed facts, not model claims): 50 tool calls Β· 24 files added, 926 insertions across 5 area groups (Makefile, backend-go/, backend-python/, deploy/, frontend/).
- Evidence: compose config parsed β , Python manifest loaded (22 deps) β , frontend manifest β , tsconfig β , Go module β , Makefile β β all pasted as verified output, not a model summary.
-
Code review with SpecKit-constitution + OWASP cross-check: the reviewer subagent caught 2
CRITICALhardcoded credentials and 2IMPORTANTunpinned image tags before the PR was opened. All findings resolved in commite12d441. -
Compliance table in the Asserted zone: each SpecKit constitution principle and OWASP control verified or waived with a concrete reference (depguard rule,
${VAR:-fallback}pattern, pinned image SHAs,--cov-fail-under=80). -
Scope discipline: 106 speculative
.gitkeepplaceholders for downstream tasks were automatically trimmed β only the 8 directories declared by T001 remain.
π This is a draft PR β it demonstrates the Supspec Orchestration stop-at-draft principle. No self-merge.
Code
π± Supspec Orchestration π€
β οΈ This repo is under active development. Test it thoroughly in your own context before using in production.
Autonomous agent workflows that turn a SpecKit tasks.md into 1 or N evidenced draft PRs β
gated by mechanical hooks, composed from Superpowers. No self-merge. Ever.
This is an orchestration layer sitting on top of SpecKit artifacts (spec/plan/tasks) and Superpowers skills, automating the gap from "I have a task list" to "I have a reviewed, fingerprint-evidenced draft PR waiting for a human."
-
Feed it a
tasks.mdβ or a spec, or just a list of stories. - It analyzes whether tasks are independent, produces a wave plan, and asks for your confirmation before touching any branch.
- Autonomous agents run in isolated worktrees β scaffold, story, or refactor modes, or a mix.
- Mechanical hooks enforce scope boundaries, evidence freshness, token ceilings, and a secrets scan. Every run is observable andβ¦
How I Built It
1. πΊοΈ Where it fits in the pipeline
SpecKit answers "what should we build?" exceptionally well. Superpowers answers "how should the agent build it?" with real discipline. But neither is designed to be the autonomous conductor that:
- Takes a task list and decides which tasks are independent enough to run in parallel.
- Isolates each unit of work so agents can't step on each other.
- Enforces scope, evidence, and budget mechanically β so compliance doesn't depend on the model "remembering" to comply.
- Produces a traceable, resumable, reviewable artifact at the end.
That conductor role is the gap Supspec Orchestration fills.
π‘ The core insight: the skills are only as strong as the worker's compliance β unless the gates are mechanical. Supspec Orchestration makes the gates mechanical.
SpecKit hands off a tasks.md after the upstream specify β clarify β plan β tasks stages. Supspec Orchestration turns it into 1 or N draft PRs. A human reviews and merges. Supspec Orchestration never crosses that final line.
2. π€ Two core concepts: Track & Wave
Everything in Supspec Orchestration is organized around two primitives:
- Track β a group of related tasks executed as a unit on one isolated branch/worktree, corresponding to one user story or feature slice. A track has an owner (its worker agent), a defined file-ownership scope, and produces exactly one draft PR.
- Wave β a group of tracks that can run in parallel because they have non-overlapping file ownership and no inter-dependencies. Waves are sequential; tracks within a wave are concurrent.
Wave 1: [Track A] [Track B] [Track C] β all parallel, disjoint ownership
β β β
PR-A PR-B PR-C
β merge queue β
Wave 2: [Track D] [Track E] β parallel, depend on Wave 1
This is why Step 0 of the parallel conductor analyzes dependencies and groups tasks into waves before fanning out any workers β and requires your explicit confirmation. A bad plan is infinitely cheaper to fix before workers run than after.
3. π οΈ The three skills
| Skill | Role | What it does |
|---|---|---|
| πΏ single-branch-development (SBD) | Per-branch worker | One feature, bugfix, refactor, or scaffold β end-to-end on a single branch |
| πͺ’ executing-parallel-tracks (EPT) | Conductor | N independent tracks concurrently, each in its own worktree |
| π pr-review-feedback (PRF) | Rework stage | Turn PR review comments into applied, evidenced changes on the existing PR branch |
πΏ single-branch-development
A thin per-branch bracket β isolation before, evidence gate + draft-PR boundary after β wrapped around an execution core with three modes:
| Mode | When | Core sequence |
|---|---|---|
| scaffold | Non-behavioral bootstrap (config, wiring, structure) | dispatch parallel agents β self-review |
| story | Add or change behavior under phased TDD | dispatch RED batch β freeze test API β subagent-driven GREEN |
| refactor | Behavior-preserving keep-green change | pin-green snapshot β freeze baseline β refactor + systematic-debugging on red |
All modes share using-git-worktrees (isolation), verification-before-completion (evidence gate), requesting-code-review (self-review), and the full hooks bundle.
πͺ’ executing-parallel-tracks
The conductor. Owns isolation, gates, traceability, and integration sequencing β and delegates each track's implement/review/verify to SBD. It opens with a dependency-aware wave analysis (Step 0) that derives a plan and requires your sign-off before spawning any worker.
π pr-review-feedback
The rework stage. Turns a batch of PR review comments into applied, evidenced changes on the existing PR branch β no fresh RED, no new isolate. It reuses the hooks bundle in resume mode and closes with a PR update.
βοΈ Governance built in.
requesting-code-reviewdispatches a reviewer subagent that automatically inherits any.github/instructions/*.instructions.mdwhoseapplyToglob matches the changed files β socode-review-generic.instructions.md(applyTo: '**') is always in scope, and language-specific instructions (Go, Python, React, state-management, security/OWASP) apply whenever the diff touches matching paths. This is the Copilot-instruction cross-check and the SpecKit-constitution compliance gate, wired with zero extra effort.
4. π The four flows
Every flow terminates at gh pr create --draft. That's the boundary β a human takes it from there.
Flow 1 β Scaffold (non-behavioral bootstrap)
Step 1: track-preflight.sh --persist π« mint RUN_ID, confirm scope
Step 2: using-git-worktrees πΏ isolate on a branch
Step 3: dispatching-parallel-agents π€ parallel scaffold batches (no TDD)
Step 4: requesting-code-review π self-review quality + governance
Step 5: verification-before-completion π¦ evidence gate (fingerprint match)
Step 8: gh pr create --draft π¬ stop β human reviews
Flow 2 β Single feature/bugfix (story mode, TDD)
Step 1: track-preflight.sh --persist π« mint RUN_ID, confirm scope
Step 2: using-git-worktrees πΏ isolate on a branch
Step 3: dispatching-parallel-agents π€ RED batch β write failing tests
Step 4: requesting-code-review π freeze the test API (maker/checker)
Step 5: subagent-driven-development π€ GREEN β make tests pass
Step 6: verification-before-completion π¦ evidence gate (fingerprint match)
Step 7: requesting-code-review π full self-review
Step 8: gh pr create --draft π¬ stop β human reviews
The two-step verification is visible here: a requesting-code-review gate that freezes the test contract before implementation (Step 4), and a second full requesting-code-review after GREEN (Step 7) β bracketing an verification-before-completion evidence gate in the middle (Step 6).
Flow 3 β Refactor (behavior-preserving, keep-green)
Step 3: dispatching-parallel-agents π€ pin-green (snapshot the passing suite)
Step 5: subagent-driven-development π€ refactor; systematic-debugging on red
Step 6: verification-before-completion π¦ evidence gate
...
Flow 4 β Parallel tracks (N stories at once)
Step 0: Analyze & plan waves π derive dependencies, wave plan, CONFIRM
Step 1: track-precheck.sh π validate manifest + ownership overlap
Step 2: using-git-worktrees (ΓN) πΏ one isolated worktree per track
Step 3: dispatching-parallel-agents πͺ’ fan out N worker agents
each agent runs single-branch-development (full pipeline per track)
Step N+1: observe run records π triage by RUN_ID
Step N+2: integration sequencing π PRs ordered by dependency
β
human reviews N draft PRs β merge queue
5. βοΈ The hooks bundle β mechanical guardrails
This is what makes Supspec Orchestration reliable rather than hopeful. Copilot agent hooks run shell commands at lifecycle points (PreToolUse, PostToolUse, SubagentStart/Stop, Stop, β¦) and can block a tool call before it happens. Each script no-ops until its env is set, so dropping the bundle into any repo is safe before you configure anything.
| Script | Fires at | Category | What it does |
|---|---|---|---|
install-hooks.sh |
manual | Lifecycle | π¦ Idempotent, consent-gated, drift-aware installer |
track-preflight.sh |
Step 1 | Lifecycle | π« Mint/recover a stable RUN_ID; check prereqs; persist a resume breadcrumb |
track-reconcile.sh |
SessionStart | Lifecycle | β»οΈ Recover state from history + run record; stash untrusted work |
track-guard.sh |
PreToolUse | Scope & guard | π‘οΈ Deny edits outside scope, frozen paths, artifacts, or destructive ops |
track-evidence.sh |
PostToolUse | Evidence | πΈ Capture test output + a code fingerprint β what the tool saw, not a claim |
track-meter.sh |
PostToolUse | Governance | π’ Count tool calls + heartbeat; hard-stop at TRACK_MAX_TOOL_CALLS
|
track-trace.sh |
SubagentStart/Stop | Observability | π Record why each subagent was spawned + its stop reason |
track-note.sh |
manual | Observability | π Self-report ordered skill activations + loop counts (provenance-tagged) |
track-sentinel.sh |
Stop | Scope & guard | π Scan the staged diff for likely secrets / debug leftovers |
track-evidence-gate.sh |
Stop | Evidence | π¦ Block stop unless evidence is present, fresh, and passing |
track-tokens.sh |
Stop | Governance | πͺ Estimate token usage; enforce TRACK_MAX_TOKEN_ESTIMATE
|
track-notify.sh |
Stop | Lifecycle | π£ Best-effort completion webhook |
track-report.sh |
Step 8 | Observability | π Render the deterministic PR-body Auto block from the run record |
π§ͺ The bundle is regression-tested: 122 SBD tests + 195 EPT tests cover guard allow/deny decisions, evidence freshness, meter hard-stop, trace schema, sentinel matching, token ceilings, and structural checks on the SKILL/hooks docs. The canonical scripts live under
single-branch-development/scripts/;install-hooks.sh --checkdetects drift between source and the installed.github/hooks/copies.
6. πΈ Evidence β proof, not narration
Evidence is what separates "the agent claimed it worked" from "the agent proved it worked." Every run must pass the evidence gate before it can open a PR.
-
track-evidence.shcaptures the test command output plus a SHA fingerprint of the working tree at capture time. -
track-evidence-gate.shatStopchecks: evidence present? fingerprint matches the current tree? all kinds passing? - If the tree changed after capture (stale fingerprint) or evidence is missing β the gate blocks the agent from stopping.
The installer detects repo signals and seeds sensible stack-aware defaults (fully editable):
| Signal | Evidence kind | Example command |
|---|---|---|
go.mod present (auto) |
go-test |
go test -race ./... |
pyproject.toml / uv.lock (auto) |
py |
uv run pytest |
package.json present (auto) |
ts |
tsc --noEmit && npm test |
migrations/ directory (auto) |
pg-explain |
psql -c 'EXPLAIN (ANALYZE, FORMAT JSON) β¦' |
| NATS producers/consumers (manual) | nats |
nats consumer info <stream> <consumer> |
| Redis interactions (manual) | redis |
redis-cli TTL <key> |
| REST / gRPC contracts (manual) | contract |
buf lint && buf breaking |
| E2E browser tests (manual) | e2e |
npx playwright test |
7. π Security & scope control
Supspec Orchestration treats the worker agent as an untrusted actor and constrains it at the tool boundary:
-
Controllable scope β
TRACK_ALLOWED_PREFIXES(required; empty = deny all edits) lists exactly which path prefixes a worker may write.track-guard.shdenies everything else atPreToolUse, fail-closed. -
Frozen & immutable paths β
TRACK_FROZEN_PATHS(no worker may edit) andTRACK_IMMUTABLE_PREFIXES(e.g.migrations/β committed files are append-only, never rewritten). -
Destructive-op block β
TRACK_GUARD_DESTRUCTIVE=1denies irreversible shell/DB ops (rm -rf, data-wipe commands). -
Secrets sentinel β
track-sentinel.shscans the staged diff for likely secrets and debug leftovers before handoff. -
Token guard β
TRACK_MAX_TOKEN_ESTIMATEblocks stop and writesstatus=budget-exceededwhen the ceiling is hit. -
Tool-call ceiling β
TRACK_MAX_TOOL_CALLShard-stops a run that loops without progress (status=no-progress). -
No forced pushes by default β
TRACK_ALLOW_FF_PUSHis empty except in thepr-review-feedbackflow that intentionally updates an existing PR branch.
Config precedence is explicit: exported env > per-worktree track-env.sh > repo-wide track-env.base.sh > script default.
8. π Speed β fanout, parallel agents, worktrees
Reliability without speed is just a slow, careful bottleneck. Supspec Orchestration pulls three levers:
-
In-session fanout β
dispatching-parallel-agentsspawns multiple subagents within a single session to work disjoint file clusters concurrently (e.g. a scaffold's config vs. wiring vs. structure batches). - Parallel tracks β the conductor runs an entire wave of tracks at once, each an independent SBD pipeline, because Step 0 guaranteed their file ownership doesn't overlap.
-
Git worktrees β
using-git-worktreesgives each track its own physical checkout, so parallel agents never race on the working tree, the index, or branch state. Isolation means a real worktree, not just a branch.
The result: N user stories can be in-flight simultaneously, each producing its own evidenced draft PR, then integrated in dependency order.
9. π Observability β run artifacts & tracing
Every run is independently traceable through one RUN_ID threaded across four surfaces:
| Surface | Example |
|---|---|
| Branch name | track/us1 |
| Draft PR title | track/us1 [run 2026-06-26T14-03_us1] |
| Commit trailer | Run-Id: 2026-06-26T14-03_us1 |
| Run record file | runs/2026-06-26T14-03_us1.json |
Grep any one surface β reconstruct the whole run. runs/summary.md aggregates all tracks for a wave.
The run record (runs/<RUN_ID>.json, gitignored) is populated by hooks β never re-typed by the model:
{
"run_id": "2026-06-26T14-03_us1",
"track": "us1",
"status": "success",
"evidence": { "go-test": "42 passed", "ts": "0 errors" },
"tool_calls": 137,
"token_estimate": 48000,
"trace": [ { "kind": "subagent", "event": "start", "agent_type": "implementer", "reason": "green T038 impl" } ],
"skills": [ { "skill": "subagent-driven-development", "step": "4-green", "self_reported": true } ]
}
A crucial distinction the design never blurs:
-
trace[]= hook-observed subagent events β mechanical facts. -
skills[]= the model's self-reported activations β provenance-tagged claims (self_reported: true).
Statuses (success, blocked, no-progress, budget-exceeded) are all written by hooks, never by the model. The PR body is a two-zone template: an Auto block rendered deterministically by track-report.sh from the run record, and an Asserted block that's the only place the model writes prose.
10. π§ Design principles
- Mechanical over prompt-trusted. If a gate can be enforced by a hook, it is. The model complying is secondary.
- Hooks are no-ops until configured. Drop the bundle into any repo β nothing changes until you set env vars.
- Evidence is fingerprinted, not narrated. The gate checks the tree hash, not the agent's summary.
- No self-merge. Every pipeline terminates at a draft PR. A human decides what merges.
-
Observable by
RUN_ID. One stable ID threads branch, PR, commit, and run record. - Confirm before fan-out. Step 0 requires explicit human sign-off on the wave plan before any worker spawns.
11. π Getting started
Prerequisites: SpecKit installed with a tasks.md; the Superpowers catalog under .github/skills/; git with worktree support; authenticated gh CLI; jq; Docker if any track runs integration suites; Copilot agent hooks enabled (recommended).
# 1οΈβ£ Copy the .github/skills/ directories into your repo, then install the hooks:
bash .github/skills/single-branch-development/scripts/install-hooks.sh # dry-run
bash .github/skills/single-branch-development/scripts/install-hooks.sh --check # probe for drift
bash .github/skills/single-branch-development/scripts/install-hooks.sh --apply # sync + gitignore runs/ + seed config
# 2οΈβ£ Configure repo-wide policy defaults
$EDITOR .github/hooks/track-env.base.sh # set TRACK_ALLOWED_PREFIXES, evidence rules, ceilingsβ¦
# 4οΈβ£ Self-test the bundle
bash .github/skills/single-branch-development/tests/test-skill.sh
bash .github/skills/executing-parallel-tracks/tests/test-skill.sh
3οΈβ£ Invoke a skill β point Copilot at the task and let the skill drive:
- "implement Phase 1 Setup β shared infrastructure (T001βT010a)" β Flow 1 (scaffold)
- "implement Phase 3 User Story 1: ingest knowledge into a searchable library (T035βT056)" β Flow 2 (story/TDD)
- "refactor Phase 2 Foundational β frontend API client (T031) using single-branch-development" β Flow 3 (refactor)
- "execute Phase 3 US1, Phase 4 US2, Phase 5 US3 in parallel using executing-parallel-tracks" β Flow 4 (parallel)
The worker stops at gh pr create --draft. A human owns the merge.
Supspec Orchestration is an opinionated answer to the trust question in agentic coding, built by composing rather than reinventing:
- SpecKit gives it a clear contract to build against.
- Superpowers gives it disciplined skills and subagents to build with.
- Mechanical hooks give it guarantees the model can't talk its way out of.
- A human always owns the merge.
That combination β reliable, governed, secure, fast, observable, and never self-merging β is what turns "I have a task list" into "I have a reviewed, evidenced draft PR" without a human babysitting every step.
π Companion Reads
| Document | Why it pairs with this project |
|---|---|
| π Spec Kit vs. Superpowers β‘ β A Comprehensive Comparison & Practical Guide to Combining Both π | The two frameworks Supspec Orchestration composes β read this to understand the upstream/downstream split it builds on. |
| ποΈ Building Production-Grade Fullstack Products with AI Coding Agents | The end-to-end shipping discipline (migrations, PR gates, deploy, monitoring) that Supspec automates. |
| ποΈ Building High-Quality AI Agents β A Field Guide | The agent-design principles β tool ergonomics, failure modes, guardrails β behind the hooks bundle. |
| π€ SWE-agent β Deep Dive & Build-Your-Own Guide | The agent loop (observe β act β check) that each worker track runs. |
| π― The AI Engineer π€ Interview Playbook π | Evaluation, verification, and trade-off reasoning β the same rigor Supspec enforces mechanically. |
π Sources & further reading
- Supspec Orchestration β github.com/truongpx396/supspec-orchestration (README, SKILL docs, hooks reference).
- SpecKit β github.com/github/spec-kit β GitHub's toolkit for Spec-Driven Development (spec β plan β tasks).
- Superpowers β github.com/obra/superpowers β Jesse Vincent's agentic skills framework (brainstorm β TDD β review β ship).
- Copilot agent hooks β docs.github.com/copilot/concepts/agents/hooks β lifecycle events that make the gates mechanical.
This project is under active development; verify specific flags, env vars, and behavior against the current repo before relying on them.
If you found this helpful, let me know by leaving a π or a comment!, or if you think this post could help someone, feel free to share it! Thank you very much! π

Top comments (0)