name: nanostack description: Use when the user asks about available workflow skills, wants an overview of the engineering workflow, or references "nanostack". Also triggers on /nanostack.

Nanostack — Engineering Workflow Skills

You have access to a set of composable engineering workflow skills. Each skill is a folder with supporting files — read them as needed for context.

Available Skills

Workflow Order

The default workflow is: /think → /nano → build → /review → /security → /qa → /ship

With /conductor, review + security + qa run in parallel — they all depend on build, not on each other:

think → plan → build ─┬─ review  ─┐
                      ├─ qa       ├─ ship
                      └─ security ─┘

Activate /guard at any point when operating near production or sensitive systems.

Zen

Read ZEN.md for the full set of principles. When in doubt about a decision during any skill, consult it. The short version:

• Question the requirement before writing the code.
• Delete what shouldn't exist. Don't optimize what's left until you do.
• Narrow the scope, not the ambition.
• Fix it or ask. Never ignore it.
• Security is not a tradeoff. It is a constraint.
• The output should look better than what was asked for.

Intensity Modes

Skills /review, /security, and /qa support intensity modes:

Skills auto-suggest a mode based on the diff, but the user always decides.

Artifact Persistence

Saving artifacts is not optional. Every skill must save its artifact after completing.

Skills automatically save their output to .nanostack/ after every run:

.nanostack/<phase>/<timestamp>.json

This enables:

• Scope drift detection — /review compares planned vs actual files
• Conflict detection — /review and /security cross-reference each other's findings
• Sprint journals — /ship generates a journal entry from all phase artifacts
• Trend tracking — Are security findings decreasing over time?

Auto-saving is on by default. The user can disable it by setting auto_save: false in .nanostack/config.json.

Artifacts are validated before saving: save-artifact.sh rejects invalid JSON, missing required fields (phase, summary), and phase mismatches.

To discard artifacts from a bad session: bin/discard-sprint.sh (removes artifacts and journal entry for the current project and date).

Conflict Resolution

When skills produce contradictory guidance (e.g., /review says "more error detail" but /security says "minimize error exposure"), the conflict resolution framework applies:

1. Security has default precedence — unless the risk is theoretical or internal-only
2. Context determines final precedence — public-facing app vs internal tool vs startup vs compliance
3. Conflicts are documented, not silenced — every resolution is recorded in the skill artifact

Read reference/conflict-precedents.md for known conflict patterns and pre-defined resolutions.

Project Config

On first use in a project, run bin/init-config.sh --interactive to create .nanostack/config.json. This stores:

• Installed agents — auto-detected (claude, codex, cursor, opencode, gemini)
• Detected stack — node, go, python, docker
• Preferences — default intensity mode, auto-save, conflict precedence

If config exists, read it at the start of any skill to adapt behavior:

bin/init-config.sh  # outputs current config or {} if none

Skills use config for:

• /review, /qa, /security: read preferences.default_intensity instead of always defaulting to standard
• /security: read preferences.conflict_precedence to determine who wins in cross-skill conflicts
• /security: read detected to skip irrelevant checks (don't scan for Python vulns in a Go project)

Per-skill configs (security/config.json, guard/config.json) store skill-specific settings and are read by that skill only.

Universal Rules

• Read before acting. Every skill must read the relevant code/diff/config before producing output. Never analyze blind.
• Boil the lake, not the ocean. When completeness costs minutes more than shortcuts, do the complete thing. When it costs days, don't.
• Log failures, not just successes. When something goes wrong during a skill (script error, wrong approach, unexpected project behavior), capture it:

  ~/.claude/skills/nanostack/bin/capture-failure.sh <skill> "<what went wrong>" "<what was tried>" "<what fixed it>"
  

  Failures compound into knowledge. Next sprint, the same mistake is avoided. This does not require /compound or a successful ship — just log and move on.

Proactive Triggers

Suggest skills when context matches — don't wait for the user to remember:

Usage Rules

• Start with /think for new products or when the "what" is unclear
• Run /nano before building anything that touches more than 3 files
• Run /review on your own code — the adversarial pass catches what you missed
• /security is not optional before shipping to production
• /guard is on-demand — activate it, don't leave it always on
• Skills compose: /qa can invoke /security checks, /ship can invoke /review

Inspired by gstack from Garry Tan. Nanostack gives your agent the working method of a small product team: it questions the scope, plans, reviews the code, audits security, tests, and ships, leaving a paper trail you can inspect at every step. Everything is plain text and local scripts under Apache 2.0, so you can read every rule your agent follows. No Nanostack cloud, no daemon, no app runtime.

Verified adapters today: Claude Code, Cursor, OpenAI Codex, OpenCode, and Gemini CLI. The skill files are plain text, so other agents may load them, but only those five have a verified adapter and capability declaration in adapters/.

What changed in the latest release (custom workflow stacks, visual artifacts, stronger safety contracts): see RELEASE_NOTES.md.

See it work

You:    I need to add notifications to my app. Users keep missing
        replies on their posts.
You:    /think

Agent:  Before we build anything, how are users coping today?

You:    They open the app 3-4 times a day just to check. Sometimes
        they miss replies for hours. People are frustrated.

Agent:  I'm going to push back on "notifications." You said users open
        the app 3-4 times a day. That's high engagement. They already
        come back. The problem isn't that they can't be reached. The
        problem is that when they arrive, they can't tell what changed.

        That's a freshness problem, not a messaging problem.

        A notification system (email, push, in-app, preferences,
        digest, unsubscribe) is a 3-week project. A red dot on the
        nav icon that says "something new" ships this afternoon.

        One solves the symptom (they're not being told). The other
        solves the cause (they can't see what's new when they look).

        RECOMMENDATION: Reduce. Ship the dot. See if complaints drop.
        If they do, you just saved 3 weeks. If they don't, then build
        push notifications, but now you have data, not a guess.

You:    Makes sense. Let's do the dot.
You:    /nano
        [3 steps, 2 files, product standards: shadcn/ui + Tailwind]

You:    [builds it]

You:    /review
        Review: 2 findings (1 auto-fixed, 1 nit). 2 things done well.

You:    /security
        No secrets, auth changes, or unsafe data flows introduced. Grade A.

You:    /qa
        Opened the app, posted a reply, refreshed, confirmed the dot
        appears and clears. 4 checks pass.

You:    /ship
        PR explains why the change exists, how it was checked, and what
        remains. CI green. Sprint journal saved.

That is the difference: not just code generation, but a delivery loop you can inspect.

What changes after installing Nanostack

Nanostack is right for you if

• ✅ You have an AI agent open all day and still feel like you ship slowly
• ✅ You want reviews that catch scope drift, not just typos
• ✅ You want a security audit before every ship, not once a quarter
• ✅ You want PR descriptions that explain the WHY, not just list files
• ✅ You want a process that works across Claude Code, Cursor, OpenAI Codex, OpenCode, and Gemini CLI
• ✅ You want the skills on disk, inspectable, not locked in a SaaS

Try it safely first

Not sure yet? Start with a disposable sandbox from the Examples Library. It gives you a real sprint without risking your product.

Each example has a copy-paste prompt, expected sprint flow, success criteria, and reset steps. Full Examples Library: examples/.

compliance-release is advanced. It is not a starter app and it is not a compliance certification. It shows how several custom skills can compose into one release workflow.

Quick start

npx create-nanostack

One command. Detects your agents, installs everything, runs setup.

Then run /nano-run in your agent to configure your project through a conversation. On your first sprint, /think shows the full pipeline so you know what comes next.

If you want to see the workflow before installing into a real repo, use one of the sandbox examples above.

Choose your path

What is Nanostack?

Your agent can already edit files and run commands. Nanostack gives it a method: 13 built-in skills, a seven-phase default sprint, and a framework for composing your own workflow stacks.

The default sprint turns a request into a scoped, reviewed, security-checked, tested change with a PR and a sprint journal. Each phase writes a structured artifact: a small local file that records what was decided and what was checked. Later phases read those files instead of depending only on chat history.

The bet is artifact-first delivery:

• Skills are plain text.
• Artifacts are local JSON.
• Gates verify evidence before release.
• Visual artifacts render the same evidence as local HTML.
• Custom workflow stacks extend the same pipeline with your own phases.

On Claude Code, Nanostack can enforce parts of the workflow through PreToolUse hooks. On other agents, the same workflow runs as guided instructions. See What enforces on which agent for the honest per-host table.

The built-in sprint is the default stack: