by garagon
Minimal AI coding agent team skills for the full engineering workflow.
# Add to your Claude Code skills
git clone https://github.com/garagon/nanostackYou have access to a set of composable engineering workflow skills. Each skill is a folder with supporting files — read them as needed for context.
| Skill | When to use | Modes | Key files |
|-------|-------------|-------|-----------|
| /think | Before planning — strategic product thinking, premise validation, scope decisions. | — | think/references/forcing-questions.md, think/references/cognitive-patterns.md |
| /nano | Before starting any non-trivial work. Produces a scoped, actionable plan. | — | plan/templates/plan-template.md |
| /review | After code is written. Two-pass review + scope drift detection + conflict resolution. | --quick --standard --thorough | review/checklist.md, reference/conflict-precedents.md |
| /qa | To verify code works. Browser-based testing with Playwright, plus root-cause debugging. | --quick --standard --thorough | qa/bin/screenshot.sh |
| /security | Before shipping. OWASP Top 10 + STRIDE + variant analysis + conflict detection. | --quick --standard --thorough | security/references/owasp-checklist.md, security/templates/security-report.md |
| /ship | To create PRs, merge, deploy, and verify. Generates sprint journal on success. | — | ship/templates/pr-template.md |
| /guard | When working near production, destructive operations, or sensitive systems. | — | guard/bin/check-dangerous.sh |
| /feature | Add a feature to an existing project. Skips /think, goes straight to plan → build → review → security → qa → ship. | — | feature/SKILL.md |
| /conductor | Orchestrate parallel agent sessions through a sprint. Coordinate task claiming and artifact handoff. | | |
| | First-time setup. Configures stack, permissions, and preferences conversationally. Guides first sprint. | — | |
| | Quick reference for all nanostack commands and how to use them. | — | |
Inspired by gstack from Garry Tan. Nanostack ships 13 built-in skills, a seven-phase default sprint, and a framework for adding your own skills or workflow stacks. No Nanostack cloud. No build step.
Verified adapters today: Claude Code, Cursor, OpenAI Codex, OpenCode, and Gemini CLI. The skill files are plain text, so other agents may load them, but only those five have a verified adapter and capability declaration in adapters/.
Your agent can already write code. Nanostack gives it delivery structure.
The default sprint turns a vague request into a scoped, reviewed, audited, tested change with a PR and a sprint journal. Each phase reads the artifact the previous phase wrote, so context does not vanish between steps. On Claude Code the pipeline is enforced via PreToolUse hooks: git commit is blocked until /review, /security, and /qa produce fresh artifacts. On other agents the same workflow runs as guided instructions; see What enforces on which agent for the per-host capability table.
The framework layer lets you add your own phases. Custom skills write artifacts, read upstream context, appear in journals and analytics, and can be scheduled by the conductor. See Build on Nanostack.
The built-in sprint is the default stack:
| | Step | What the specialist does |
| ------ | ----------------- | ----------------------------------------------------------------------- |
| 01 | /think | Challenges scope. Finds the smallest thing worth building. |
| | | Plans the implementation. Names every file and every risk. |
| | build | You or the agent writes the code. |
| | | Two-pass code review. Scope drift detection. Auto-fixes the mechanical. |
| | | OWASP A01-A10 audit + STRIDE threat modeling. Graded A-F. |
| | | Tests the thing. Browser, API, CLI, or root-cause debug. |
| | | PR creation, CI verification, release notes, sprint journal. Production deployment stays explicit and user-controlled. |
No comments yet. Be the first to share your thoughts!
startclaimcompletestatusconductor/bin/sprint.sh/nano-runstart/SKILL.md/nano-helphelp/SKILL.mdThe default workflow is: /think → /nano → build → /review → /qa → /security → /ship
With /conductor, review + qa + security run in parallel — they all depend on build, not on each other:
think → plan → build ─┬─ review ─┐
├─ qa ├─ ship
└─ security ─┘
Activate /guard at any point when operating near production or sensitive systems.
Read ZEN.md for the full set of principles. When in doubt about a decision during any skill, consult it. The short version:
Skills /review, /security, and /qa support intensity modes:
| Mode | Flag | When | Confidence |
|------|------|------|-----------|
| Quick | --quick | Trivial changes (typos, config, docs) | 9/10 — only the obvious |
| Standard | (default) | Normal changes | 7/10 — anything reasonable |
| Thorough | --thorough | Critical changes (auth, payments, infra) | 3/10 — flag everything suspicious |
Skills auto-suggest a mode based on the diff, but the user always decides.
Saving artifacts is not optional. Every skill must save its artifact after completing.
Skills automatically save their output to .nanostack/ after every run:
.nanostack/<phase>/<timestamp>.json
This enables:
/review compares planned vs actual files/review and /security cross-reference each other's findings/ship generates a journal entry from all phase artifactsAuto-saving is on by default. The user can disable it by setting auto_save: false in .nanostack/config.json.
Artifacts are validated before saving: save-artifact.sh rejects invalid JSON, missing required fields (phase, summary), and phase mismatches.
To discard artifacts from a bad session: bin/discard-sprint.sh (removes artifacts and journal entry for the current project and date).
When skills produce contradictory guidance (e.g., /review says "more error detail" but /security says "minimize error exposure"), the conflict resolution framework applies:
Read reference/conflict-precedents.md for known conflict patterns and pre-defined resolutions.
On first use in a project, run bin/init-config.sh --interactive to create .nanostack/config.json. This stores:
If config exists, read it at the start of any skill to adapt behavior:
bin/init-config.sh # outputs current config or {} if none
Skills use config for:
/review, /qa, /security: read preferences.default_intensity instead of always defaulting to standard/security: read preferences.conflict_precedence to determine who wins in cross-skill conflicts/security: read detected to skip irrelevant checks (don't scan for Python vulns in a Go project)Per-skill configs (security/config.json, guard/config.json) store skill-specific settings and are read by that skill only.
~/.claude/skills/nanostack/bin/capture-failure.sh <skill> "<what went wrong>" "<what was tried>" "<what fixed it>"
Suggest skills when context matches — don't wait for the user to remember:
| Trigger | Suggest |
|---------|---------|
| User says "what should I build" / unclear on direction | /think |
| Task touches 3+ files or user says "how should I approach this" | /nano |
| User says "done", "finished", "ready for review" | /review |
| User says "does this work", "test this", bug report | /qa |
| Pre-ship, user says "ready to deploy", or diff touches auth/env/infra | /security |
| User says "create PR", "merge", "ship it" | /ship |
| Destructive commands, production access, or sensitive operations detected | /guard |
/think for new products or when the "what" is unclear/nano before building anything that touches more than 3 files/review on your own code — the adversarial pass catches what you missed/security is not optional before shipping to production/guard is on-demand — activate it, don't leave it always on/qa can invoke /security checks, /ship can invoke /review/nano/review/security/qa/shipNanostack adapts the explanation, not the standard.
| Profile | What changes | |---------|--------------| | Guided | Plain language, one next action, safer defaults, no hidden jargon. | | Professional | Denser output, deeper tradeoffs, explicit files, commands, and risks. |
Local mode uses Guided language by default. A git project can still use Guided if the user wants simpler explanations.
The wording rules live in reference/plain-language-contract.md. The session fields that select the profile live in reference/session-state-contract.md.
Nanostack is agent-agnostic, but agent hosts do not expose the same control points. The adapter files in adapters/ are the source of truth for each host.
| Level | Meaning | |-------|---------| | L0 Unsupported | Nanostack cannot provide this capability on that host. | | L1 Instructions only | The skill tells the agent what to do, but cannot block it. | | L2 Reported | Nanostack can detect and report the issue. | | L3 Enforced | Nanostack can block the action through host hooks or guard scripts. |
A detailed per-host matrix (Bash guard, Write/Edit guard, phase gate) lives further down in What enforces on which agent.
| Without Nanostack | With Nanostack |
| --- | --- |
| ❌ A vague prompt turns into code immediately. | ✅ /think turns the idea into a brief, risk, and smallest useful starting point. |
| ❌ The plan disappears in chat. | ✅ /nano saves a plan with files, risks, checks, and out-of-scope items. |
| ❌ The agent quietly refactors three things you did not ask for. | ✅ /review compares the code against the plan. Scope drift is visible before merge. |
| ❌ QA and security happen only if someone remembers. | ✅ /qa opens your app and exercises it. /security runs on every ship and catches the mistakes that make headlines. |
| ❌ Your PR says "add notifications" and nobody knows what actually changed or why. | ✅ /ship explains why the change exists, how it was checked, and what remains. |
| ❌ You rush-commit Friday 5pm and Monday find out it broke something unrelated. | ✅ The sprint blocks git commit until /review, /security, and /qa pass. (Enforcement varies by agent; see honesty matrix below.) |
| ❌ Every session re-pastes the same context: what we use, what is fragile. | ✅ Every skill reads the artifact the previous skill wrote. Sprint journals preserve decisions in .nanostack/. |
| If you are... | Start here |
|---|---|
| New to agent workflows | Try starter-todo, then run /nano-run |
| Already shipping with AI agents | Install Nanostack, then start with /think or /feature |
| Evaluating safety | Read Guard and the host enforcement matrix |
| Building your own workflow | Start with EXTENDING.md and compliance-release |
Not sure yet? Start with a disposable sandbox from the Examples Library. It gives you a real sprint without risking your product.
| Example | Best for | Stack | Time |
|---|---|---|---|
| starter-todo | new and non-technical users | one HTML file | 5-10 min |
| cli-notes | CLI workflows | Bash | 5-15 min |
| api-healthcheck | backend flows | Node stdlib HTTP | 10-15 min |
| static-landing | founders and designers | static HTML/CSS | 10-15 min |
| compliance-release | teams building a custom workflow stack | license + privacy + release gate | 15-30 min |
Each example has a copy-paste prompt, expected sprint flow, success criteria, and reset steps. Full Examples Library: examples/.
compliance-release is advanced. It is not a starter app and it is not a compliance certification. It shows how several custom skills can compose into one release workflow.
npx create-nanostack
One command. Detects your agents, installs everything, runs setup.
Then run /nano-run in your agent to configure your project through a conversation. On your first sprint, /think shows the full pipeline so you know what comes next.
If you want to see the workflow before installing into a real repo, use one of the sandbox examples above.
You: I need to add notifications to my app. Users keep missing
replies on their posts.
You: /think
Agent: Before we build anything, how are users coping today?
You: They open the app 3-4 times a day just to check. Sometimes
they miss replies for hours. People are frustrated.
Agent: I'm going to push back on "notifications." You said users open
the app 3-4 times a day. That's high engagement. They already
come back. The problem isn't that they can't be reached. The
problem is that when they arrive, they can't tell what changed.
That's a freshness problem, not a messaging problem.
A notification system (email, push, in-app, preferences,
digest, unsubscribe) is a 3-week project. A red dot on the
nav icon that says "something new" ships this afternoon.
One solves the symptom (they're not being told). The other
solves the cause (they can't see what's new when they look).
RECOMMENDATION: Reduce. Ship the dot. See if complaints drop.