by opencroc
AI Agent OS with visible workflow, real execution, and a 3D office shell. From one sentence to full task lifecycle — plan, run, review, replay.
# Add to your Claude Code skills
git clone https://github.com/opencroc/cube-pets-officeGuides for using ai agents skills like cube-pets-office.
Last scanned: 5/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@chevrotain/cst-dts-gen: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@chevrotain/gast: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@mermaid-js/parser: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@protobufjs/utf8: protobufjs has overlong UTF-8 decoding",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@xmldom/xmldom: xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "axios: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"severity": "high"
},
{
"type": "npm-audit",
"message": "body-parser: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "chevrotain: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "dockerode: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "dompurify: DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "engine.io: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "engine.io-client: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "esbuild: esbuild enables any website to send any requests to the development server and read the response",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "express: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "langium: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash-es: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"severity": "high"
},
{
"type": "npm-audit",
"message": "mermaid: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "protobufjs: Arbitrary code execution in protobufjs",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "qs: qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "socket.io-adapter: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "uuid: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vite-node: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vitest: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "ws: ws: Uninitialized memory disclosure",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "xlsx: Prototype Pollution in sheetJS",
"severity": "high"
}
],
"status": "FAILED",
"scannedAt": "2026-05-30T15:25:11.531Z",
"npmAuditRan": true,
"pipAuditRan": true
}No comments yet. Be the first to share your thoughts!
You type one sentence. The system rehearses the entire product for you.
Spec documents · System architecture · Route planning · Prompt packages · Effect previews
Everything visible. Everything exportable. Everything evidence-backed.
You spend days writing PRDs, weeks aligning teams, months before knowing if the direction is right.
Type your idea → 5 minutes → complete rehearsal → decide if it's worth building → not worth it? next idea.
╭──────────────────────────────────────────────────────────╮
│ │
│ 💬 "AI comic platform" │
│ │ │
│ ▼ │
│ ① 🔍 Smart Clarification │
│ Goals · Constraints · Personas · Success criteria │
│ │ │
│ ▼ │
│ ② 🗺️ Route Planning │
│ Main route + Alternatives + Risk + Cost │
│ │ │
│ ▼ │
│ ③ 🌳 SPEC Tree │
│ Modular spec node decomposition │
│ │ │
│ ▼ │
│ ④ 📄 Spec Documents (streaming) │
│ Requirements / Design / Tasks — live │
│ │ │
│ ▼ │
│ ⑤ 🎨 Effect Preview │
│ Architecture + Prompts + Next steps │
│ │ │
│ ▼ │
│ 📦 Export → Markdown / ZIP / Online │
│ │
╰──────────────────────────────────────────────────────────╯
💡 The entire process is observable in real time: a 3D office scene shows the agent fleet collaborating, while the right-rail workbench streams generation progress with stage indicators.
Seven specialized AI roles collaborate on every rehearsal:
| Role | Responsibility | |:----:|:--------------| | 🧠 Planner | Breaks the goal into executable routes | | ❓ Clarifier | Fills gaps, resolves ambiguity | | 🔬 Researcher | Gathers context, validates assumptions | | ✍️ Generator | Produces spec documents & artifacts | | ⚙️ Operator | Executes in Docker sandbox when needed | | 👁️ Reviewer | Checks quality, flags issues | | 📋 Auditor | Maintains evidence trail & compliance |
Each role has access to 50+ AIGC capability nodes, Docker sandbox, MCP tools, Skills, and domain knowledge injection.
See every step: active roles, invoked capabilities, ReAct cycle stage, produced artifacts. No black boxes.
Quick / Standard / Deep / Conservative routes with risk, cost, and takeover points. Choose before anything runs.
Clarification, approval, risk, budget, delivery — all explicit pause points. Never silently fails.
Exportable artifacts, audit logs, replay timeline. Inspect any decision at any moment.
Real code execution in isolated containers with HMAC callbacks and live terminal streaming.
Markdown, ZIP, or online preview. Every rehearsal is a shareable document package.
git clone https://github.com/opencroc/cube-pets-office.git && cd cube-pets-office
pnpm install
pnpm run dev:all # Full stack: frontend + server + executor
pnpm run dev:frontend # Opens at localhost:5173
Or visit the Live Demo directly on GitHub Pages.
Every rehearsal is a shareable piece of content. 50 rehearsals = 50 distribution opportunities.
| 💬 Input | 📦 Output | |:---------|:----------| | "AI comic platform" | 6 SPEC modules · content pipeline · monetization · architecture | | "Permission management SaaS" | 8 SPEC modules · RBAC · multi-tenant · API contracts | | "Sentiment analysis tool" | 5 SPEC modules · data pipeline · model selection · alerts | | "Indie dev bookkeeping app" | 4 SPEC modules · local-first · sync · privacy compliance | | "Enterprise knowledge base" | 7 SPEC modules · RAG pipeline · permissions · indexing | | "Cross-border product picker" | 6 SPEC modules · data sources · scoring · competitor analysis |
┌─────────────────────────────────────────────────────────────────┐
│ 🌐 ENTRY Browser · Feishu Relay · Destination Input │
├─────────────────────────────────────────────────────────────────┤
│ 🖥️ FRONTEND 3D Scene · Task Cockpit · Route View │
│ Drive State · Takeover Panel · Replay │
├─────────────────────────────────────────────────────────────────┤
│ 🧠 CUBE BRAIN 10-Stage Workflow · Mission Runtime │
│ Dynamic Roles · Cost Governance · Review │
├─────────────────────────────────────────────────────────────────┤
│ 🔮 PROJECTION Mission→Destination · Workflow→Route │
│ State→DriveState · Decision→Takeover │
├─────────────────────────────────────────────────────────────────┤
│ 💡 INTELLIGENCE 3-Level Memory · Knowledge Graph · RAG │
│ Self-Evolution · LLM Multi-Provider │
├─────────────────────────────────────────────────────────────────┤
│ 🛡️ TRUST Hash-Chain Audit · Lineage DAG · Evidence │
├─────────────────────────────────────────────────────────────────┤
│ ⚙️ EXECUTION Docker Containers · HMAC · Sandbox · Terminal│
├─────────────────────────────────────────────────────────────────┤
│ 🔗 INTEROP A2A Protocol · Swarm · Guest Agent Market │
└─────────────────────────────────────────────────────────────────┘
| Layer | Technology | |:------|:-----------| | Frontend | React 19 · Vite · TypeScript · Zustand · Three.js (R3F) · Framer Motion | | Server | Express · Socket.IO · TypeScript | | AI | OpenAI-compatible API (any provider) | | Execution | Docker (dockerode) · Browser Runtime · Native Runtime | | Testing | Vitest · fast-check (PBT) | | Storage | IndexedDB (browser) · JSON (server) |
| Metric | Count | |:-------|------:| | Project files | 4,707 | | TypeScript/TSX files | 1,837 | | Lines of TypeScript | 486,932 | | Test files | 723 | | Test cases | 7,771 | | Spec directories | 273 | | Spec markdown files | 879 | | Task checkboxes | 7,093 ✅ / 1,072 ⬜ |