Spec-to-production control plane for AI-assisted software delivery.
Curated skills, templates, schemas, supervised CLI tools, gate scripts, and sandbox controls that give AI coding agents (Codex, Claude Code, Cursor, Antigravity) enterprise-grade planning, verification, security, and release discipline on any stack.
- Founders: Build software with AI without losing control of the architecture.
- Product Owners: Enforce PRDs, scope boundaries, and release readiness.
- Developers: Adopt stricter testing, debugging, and security workflows.
- Engineering Teams: Replace open-ended vibe coding with deterministic, evidence-based delivery.
Restart your AI coding agent after installing.
The installer is designed for fresh machines: it downloads the Buildloop payload if needed, installs the local Buildloop skills, and automatically installs the curated upstream skills for the selected tier at pinned commit SHAs. It requires internet access and git.
OpenAI Codex
curl -fsSL https://raw.githubusercontent.com/mithunyc/buildloop/main/scripts/install.sh | bash -s -- --target codexClaude Code
curl -fsSL https://raw.githubusercontent.com/mithunyc/buildloop/main/scripts/install.sh | bash -s -- --target claudeCursor
curl -fsSL https://raw.githubusercontent.com/mithunyc/buildloop/main/scripts/install.sh | bash -s -- --target cursorGoogle Antigravity
curl -fsSL https://raw.githubusercontent.com/mithunyc/buildloop/main/scripts/install.sh | bash -s -- --target antigravityAll agents at once
curl -fsSL https://raw.githubusercontent.com/mithunyc/buildloop/main/scripts/install.sh | bash -s -- --target allOpenAI Codex
powershell -ExecutionPolicy Bypass -Command "$p=Join-Path $env:TEMP 'install.ps1'; Invoke-WebRequest 'https://raw.githubusercontent.com/mithunyc/buildloop/main/scripts/install.ps1' -OutFile $p; & $p -Target codex"Claude Code
powershell -ExecutionPolicy Bypass -Command "$p=Join-Path $env:TEMP 'install.ps1'; Invoke-WebRequest 'https://raw.githubusercontent.com/mithunyc/buildloop/main/scripts/install.ps1' -OutFile $p; & $p -Target claude"Cursor
powershell -ExecutionPolicy Bypass -Command "$p=Join-Path $env:TEMP 'install.ps1'; Invoke-WebRequest 'https://raw.githubusercontent.com/mithunyc/buildloop/main/scripts/install.ps1' -OutFile $p; & $p -Target cursor"Google Antigravity
powershell -ExecutionPolicy Bypass -Command "$p=Join-Path $env:TEMP 'install.ps1'; Invoke-WebRequest 'https://raw.githubusercontent.com/mithunyc/buildloop/main/scripts/install.ps1' -OutFile $p; & $p -Target antigravity"All agents at once
powershell -ExecutionPolicy Bypass -Command "$p=Join-Path $env:TEMP 'install.ps1'; Invoke-WebRequest 'https://raw.githubusercontent.com/mithunyc/buildloop/main/scripts/install.ps1' -OutFile $p; & $p -Target all"| Target | Install Directory | Confidence |
|---|---|---|
codex |
$CODEX_HOME/skills or ~/.codex/skills |
Proven |
claude |
~/.claude/skills plus /orchestrator and /buildloop aliases in ~/.claude/commands |
Proven |
cursor |
~/.cursor/skills |
Experimental |
antigravity |
~/.gemini/antigravity/skills |
Experimental |
Security note: These are remote one-line installers. Read
scripts/install.*before running on sensitive machines. See SECURITY.md. Existing skills and command aliases are skipped by default so the installer is safe to rerun. Use--forceor-Forceonly when you intentionally want to overwrite installed Buildloop files.
git clone https://github.com/mithunyc/buildloop.git
cd buildloop
bash scripts/install.sh --target codex # macOS / Linuxgit clone https://github.com/mithunyc/buildloop.git
cd buildloop
powershell -ExecutionPolicy Bypass -File .\scripts\install.ps1 -Target codex # WindowsChoose the tier that matches your project complexity. The default install mode is core; pass --mode minimal, --mode core, --mode full, or --mode contributor when you want a different tier.
| Tier | Skills | Best For |
|---|---|---|
| MINIMAL | enterprise-ai-dev, karpathy-guidelines, brainstorming, tdd, diagnose — 5 skills |
Solo developers, small context windows, simple projects |
| CORE | Everything in MINIMAL + awesome-design-md, caveman, writing-plans, executing-plans, grill-with-docs, to-prd, verification-before-completion, security-best-practices — 13 skills |
Default. Covers 80% of projects. |
| FULL | Everything in CORE + grill-me, triage, improve-codebase-architecture, zoom-out, finishing-a-development-branch, requesting-code-review, security-threat-model, setup-matt-pocock-skills — 21 skills |
Teams, complex projects, full review and release discipline |
| CONTRIBUTOR | write-a-skill — for skill authors |
Writing or publishing new skills |
Tier counts are derived from curated-skills.json and validated by CI.
Start a fresh agent session and use this exact prompt:
Use enterprise-ai-dev as my master CTO orchestrator for this repo.
Buildloop currently installs the main orchestrator skill under the canonical skill name enterprise-ai-dev for compatibility with existing agent skill discovery.
| Agent | Best Invocation | Notes |
|---|---|---|
| OpenAI Codex | Use enterprise-ai-dev as my master CTO orchestrator for this repo. |
Codex custom slash-command aliases are not claimed by Buildloop. |
| Claude Code | /orchestrator or /buildloop |
The Claude installer adds these aliases under ~/.claude/commands/. /enterprise-ai-dev may also work because Claude Code can invoke installed skills directly. |
| Cursor | Use enterprise-ai-dev as my master CTO orchestrator for this repo. |
Skill-directory behavior is experimental. |
| Google Antigravity | Use enterprise-ai-dev as my master CTO orchestrator for this repo. |
Skill-directory behavior is experimental. |
If the agent does not see the skill or command, restart the app. If it still does not respond correctly, rerun the installer for that target with --force or -Force.
Two phases. Every project uses both.
Produces PRD, architecture decision, slice contracts, and human approval before any code is written.
| Step | What Happens |
|---|---|
| 0 — Classify | Detects GREENFIELD, BROWNFIELD, GOVERNED, REVIEW_ONLY, or AUTONOMOUS profile |
| 1A — Minimal Audit | git status, branch, runtime, package manager, existing governance files |
| 1B — Full Diagnostic | Brownfield only. Runs lint / test / build. Produces diagnostic_baseline.md. Blocks features if broken. |
| 2 — PRD | Gathers requirements. Asks only questions that affect architecture, risk, or UX. |
| 3 — Adversarial Spec | Stress-tests the PRD. Risk-scaled probes: Low=1–2, Medium=3, High=5–7. |
| 4 — Architecture Checkpoint | Simplest version that works. Karpathy check: not overcomplicated? |
| 7 — Slice Contract | Defines allowed_files, blast_radius, evidence_required per story. |
| 8 — Human Approval | DECISION REQUIRED gate. No execution without approval. |
Deterministic gates with an independent witness. No self-grading.
| Step | What Happens |
|---|---|
| 9 — TDD | Red-green-refactor inside slice boundaries. Characterization tests first for brownfield. |
| 11 — Gate Runner | Reads .buildloop.yml, executes commands, writes gate-results.json. |
| 12 — AI Review | Independent reviewer reads gate-results.json. Produces GO / CONDITIONAL_GO / NO_GO. |
| 14 — PR / Preview | Evidence receipt references gate-results.json. No receipt = no merge. |
skills/ Local skills installed directly (enterprise-ai-dev, awesome-design-md, ...)
commands/ Claude Code slash command aliases for /orchestrator and /buildloop
templates/ Reusable governance artifacts (PRD, slice contracts, receipts, AGENTS template)
schemas/ JSON schemas validating all frontmatter and YAML contracts
reference/ Deep-reference docs for lifecycle, advisory bridges, and sandbox security
playbooks/ System optimization and skill acquisition playbooks
scripts/ buildloop.mjs, detect-capabilities.mjs, gate-runner.mjs, sandbox-run.mjs, validators, installers
examples/ Working greenfield and brownfield fixture walkthroughs
tests/ install, capability, CLI, and sandbox tests run in CI
curated-skills.json Upstream skill registry with pinned commit SHAs
enterprise-ai-devorchestrator — greenfield, brownfield, governed, and autonomous profiles; claim labels (FACT / INFERENCE / JUDGMENT / UNVERIFIED); delegation rules.- Templates — PRD, slice contracts, evidence receipts, adversarial review, diagnostic baseline, handoff, AGENTS.md template.
- Schemas — JSON Schema draft-07 validation for all frontmatter contracts.
- Gate runner — reads
.buildloop.yml, executes quality gates, writesgate-results.jsonas independent witness. - Capability detection -
detect-capabilities.mjsreports package manager, CI, Docker, Graphify, Obsidian, and Buildloop readiness without writing unless--writeis used. - Supervised CLI -
buildloop.mjsexposes read-onlycapabilities,doctor,manifest,gates, andreviewcommands. No deploy, no auto-fix, no overnight autonomy. - Advisory bridges - Obsidian and Graphify references define read-only/advisory integration boundaries; no runtime bridge writes are implemented.
- Docker sandbox foundation -
sandbox-run.mjsprovides dry-run-first Docker command planning, blocked secret mounts, offline default networking, scoped logs, and mocked CI tests. - Brownfield bootstrap compiler —
orchestrator-manifest.jsonschema for machine-readable repo governance. - Supply chain pinning — upstream skills pinned to full SHA commits in
curated-skills.json. - CI — validates templates, schemas, and scripts on every push.
- Reference docs — phase engine, security triggers, architecture boundaries, quality gates, drift control, autonomous execution.
- Examples — greenfield walkthrough and brownfield diagnostic fixture.
- Claude command aliases —
/orchestratorand/buildloopconvenience commands installed for Claude Code.
- Prefer fewer default skills over a huge prompt surface.
- Prefer upstream provenance over vendored copies.
- Prefer boring, proven engineering practices over framework theater.
- Prefer evidence: tests, builds, diffs, logs, reproducible commands.
- Treat autonomous agents as useful only after requirements and verification are clear.
- Read remote installer scripts before running on sensitive machines.
Original skills in this repository are MIT licensed. Upstream skills are installed from their source repositories under their upstream licenses.