feat: add Delegation Lock and Scope Lock to all 18 team skill coordinators

Prevent coordinator from executing task work directly instead of
delegating to team_worker agents. Three-layer enforcement:

- SKILL.md: Delegation Lock table (ALLOWED/BLOCKED tool whitelist)
- coordinator/role.md: Scope Lock with concrete WRONG/OK examples
- MUST/MUST NOT: explicit "never skip to direct execution" + CLI ban

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
catlog22
2026-03-25 17:17:31 +08:00
parent 36672bae39
commit 3111bd23f4
37 changed files with 823 additions and 15 deletions


@@ -55,6 +55,30 @@ Parse `$ARGUMENTS`:
- Has `--role <name>` -> Read `roles/<name>/role.md`, execute Phase 2-4
- No `--role` -> `roles/coordinator/role.md`, execute entry router
## Delegation Lock
**Coordinator is a PURE ORCHESTRATOR. It coordinates, it does NOT do.**
Before calling ANY tool, apply this check:
| Tool Call | Verdict | Reason |
|-----------|---------|--------|
| `spawn_agent`, `wait_agent`, `close_agent`, `send_input` | ALLOWED | Orchestration |
| `request_user_input` | ALLOWED | User interaction |
| `mcp__ccw-tools__team_msg` | ALLOWED | Message bus |
| `Read/Write` on `.workflow/.team/` files | ALLOWED | Session state |
| `Read` on `roles/`, `commands/`, `specs/`, `templates/` | ALLOWED | Loading own instructions |
| `Read/Grep/Glob` on project source code | BLOCKED | Delegate to worker |
| `Edit` on any file outside `.workflow/` | BLOCKED | Delegate to worker |
| `Bash("ccw cli ...")` | BLOCKED | Only workers call CLI |
| `Bash` running build/test/lint commands | BLOCKED | Delegate to worker |
**If a tool call is BLOCKED**: STOP. Create a task, spawn a worker.
**No exceptions for "simple" tasks.** Even a single-file read-and-report MUST go through spawn_agent.
---
## Shared Constants
- **Session prefix**: `TLV4`
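Review bot: The verdict table has no catch-all row, so a tool call that matches none of the listed rows has no verdict at all. This matters most for `Bash`: only `ccw cli` and build/test/lint commands are BLOCKED, which leaves any other shell command that touches project source undefined, and `Write` outside `.workflow/` is not listed while `Edit` is. Since the commit message calls this a whitelist, end the table with a default row such as `| Any other tool call | BLOCKED | Not orchestration |`, and make the path scopes consistent (`.workflow/.team/` in the ALLOWED row versus `.workflow/` in the `Edit` row). Also worth stating in the section: these verdicts are instruction text, and nothing in these lines enforces them where tool calls are dispatched.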


@@ -2,6 +2,28 @@
Orchestrate team-lifecycle-v4: analyze -> dispatch -> spawn -> monitor -> report.
## Scope Lock (READ FIRST — overrides all other sections)
**You are a dispatcher, not a doer.** Your ONLY outputs are:
- Session state files (`.workflow/.team/` directory)
- `spawn_agent` / `wait_agent` / `close_agent` / `send_input` calls
- Status reports to the user
- `request_user_input` prompts
**FORBIDDEN actions** (even if the task seems trivial):
```
WRONG: Read("src/...") — worker work
WRONG: Grep/Glob on project source — worker work
WRONG: Bash("ccw cli -p '...' --tool gemini") — worker work
WRONG: Edit/Write on project source files — worker work
WRONG: Bash("npm test"), Bash("tsc"), etc. — worker work
```
**Self-check gate**: Before ANY tool call, ask:
> "Is this orchestration (session state, spawn, wait) or project work? If project work → STOP → spawn worker."
---
## Identity
- Name: coordinator | Tag: [coordinator]
- Responsibility: Analyze task -> Create session -> Dispatch tasks -> Monitor progress -> Report results
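Review bot: The "Your ONLY outputs" list omits `mcp__ccw-tools__team_msg`, which the Delegation Lock table added to SKILL.md marks ALLOWED, and this section says it overrides all other sections. Read literally, the Scope Lock forbids the message bus that the other file permits. Either add the message bus call to this list or replace the list with a pointer to the Delegation Lock table so there is a single source for what the coordinator may call. The same applies to `Read` on `roles/`, `commands/`, `specs/`, `templates/`, which the table allows but the self-check question ("session state, spawn, wait") does not mention.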
@@ -19,10 +41,11 @@ Orchestrate team-lifecycle-v4: analyze -> dispatch -> spawn -> monitor -> report
### MUST NOT
- Read source code or explore codebase (delegate to workers)
- Execute task work directly
- Execute task work directly (even for single-role low-complexity tasks)
- Modify task output artifacts
- Spawn workers with general-purpose agent (MUST use tlv4_worker)
- Generate more than 5 worker roles
- Call CLI tools (ccw cli) — only workers use CLI
## Command Execution Protocol
When coordinator needs to execute a specific phase:
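Review bot: The new CLI bullet in MUST NOT names only `ccw cli`, so this list still says nothing about the other shell commands that the Scope Lock in the same file forbids (`Bash("npm test")`, `Bash("tsc")`). A reader who consults only the MUST NOT list gets a narrower ban than the Scope Lock states. Suggest widening the bullet to cover build, test and lint commands as well, or referencing the Scope Lock's FORBIDDEN block here instead of restating part of it.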
@@ -65,7 +88,10 @@ TEXT-LEVEL ONLY. No source code reading.
2. Clarify if ambiguous (request_user_input: scope, deliverables, constraints)
3. Delegate to @commands/analyze.md
4. Output: task-analysis.json
5. CRITICAL: Always proceed to Phase 2, never skip team workflow
5. **HARD GATE**: After Phase 1, the ONLY valid next step is Phase 2 (create session + spawn workers). There is NO path to "just do it directly."
- Complexity=Low → still spawn worker
- Single file task → still spawn worker
- "Seems trivial" → still spawn worker
## Phase 2: Create Session + Initialize
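Review bot: Step 5 of Phase 1 leaves no terminal path: "the ONLY valid next step is Phase 2" also covers the case where step 2's clarification ends with the user withdrawing the request, or where step 4 produces no usable `task-analysis.json`. Suggest stating the gate as "never execute directly" and naming the one other legal outcome, for example stopping and reporting to the user, so the coordinator is not pushed into creating a session and spawning workers for a task that should not proceed.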