Last updated: 2026-03-15 Document type: Unified Master Plan (PRD + TRD) Version: 3.3 — validated against March 2026 official documentation
This Master Plan is stored in two locations:
docs/master-plan.md in the shabib87/shabib87.github.io repository. Changes to this file are tracked by git and follow the same PR workflow as all repo changes. Major revisions should reference an ADR.[ORCHESTRATION] Agentic Workflow Design. This is a read reference only — the repo copy is authoritative.The plan is NOT stored only in Linear because:
This document is the single source of truth for the agentic operating model for the shabib87/shabib87.github.io repository. It consolidates the current-state audit, constraints, target architecture, Linear operating model, Codex orchestration design, editorial quality system, CI strategy, ADR strategy, Slack setup, and the implementation backlog discussed across the planning sessions.
The goal is to run this repository like a small specialist team:
A new idea should flow like this:
workflow_dispatch is triggered (from ChatGPT web/Mac via Codex sidebar, Perplexity via GitHub connector, or gh CLI). The dispatch workflow prepares a branch, fetches the Linear brief, and writes docs/tasks/CWS-NNN.md.main.The only manual steps in the steady-state workflow are:
Everything between those two steps is automated: dispatch, branch prep, task file creation, Codex notification, agent execution, PR creation, CI validation, and Linear status sync.
Note: Codex execution itself is currently a manual trigger (Shabib opens Codex with the task). This is the one intermediate step that cannot be fully automated yet — there is no public API to programmatically start a Codex task as of March 2026. The dispatch workflow should post a Slack notification and Linear comment so Shabib knows a task is ready for Codex pickup.
A ticket must meet ALL of the following criteria before an agent can pick it up.
Definition of Ready for agent-pickable tickets:
Todo and label = agent-task[DEV], [EDITORIAL-NEW], or [EDITORIAL-UPDATE] prefix[HUMAN-REVIEW])docs/tasks/CWS-NNN.md exists on a prepared branch (created by dispatch workflow)Done.Who enforces DoR:
The repository already has meaningful automation and orchestration foundations:
_config.yml, _posts/, _pages/, _includes/, _sass/, assets/, .github/, .codex/, .agents/, and scripts/._drafts/ folder at the repo root for Jekyll draft posts. This folder is currently gitignored and must be tracked by git for the agentic workflow to function (agents need to create and edit drafts in branches)..codex/..agents/skills/.The blog has a mix of older iOS-era posts and stronger recent principal-level posts. This means the repo needs two editorial tracks:
_drafts/, move to _posts/ on publish)There are already GitHub Actions workflows in place, but they are too coarse and not yet split cleanly into development vs editorial responsibilities.
The Linear workspace already has a team created and the team key is now CWS. There are default onboarding issues in the team that should be archived before the real backlog is created.
These constraints are mandatory and drive every design choice.
openai/codex-action@v1 for lightweight PR review, which uses its own API key scope).| Device | OS | Role in workflow |
|---|---|---|
| Mac (desktop/laptop) | macOS | Primary development, Codex (CLI, App, IDE extension), GitHub, Linear, Graphite CLI, local Jekyll builds |
| iPhone | iOS | Perplexity, ChatGPT (+ Codex Cloud sidebar), Linear, Slack, GitHub — idea capture and task triage on the go |
| Android phone | Android | Perplexity, ChatGPT, Linear, Slack — secondary mobile surface, same capabilities as iOS |
| GitHub-hosted runners | Linux | CI only — runs GitHub Actions workflows. Not a user-facing surface. |
No Windows machines. All tooling, scripts, Makefiles, and documentation must assume macOS for local development and Linux for CI. No PowerShell, no .bat/.cmd files, no Windows path separators.
The repo currently has:
validate-multi-agent-contracts.rb, validate-rollout-governance.rbpublish_draft.rb, publish_draft_core.rb (the publish-draft pipeline)publish_draft_test.rb, rollout_governance_test.rb (Minitest)tooling.shPolicy:
make targets — neither agents nor humans should call scripts directly.ubuntu-latest runners. The setup-dev.sh script should verify both are present._drafts/ folder must be tracked by git (remove from .gitignore). Jekyll ignores _drafts/ in production builds by default; drafts are only rendered with jekyll serve --drafts or show_drafts: true in _config.yml._drafts/ is gitignoredThe _drafts/ folder is currently in .gitignore. Agents cannot create or collaborate on draft posts in branches. Fix: Remove _drafts/ from .gitignore and commit the folder. Jekyll will not publish drafts in production builds unless explicitly configured.
Current workflows are useful but not optimized for cost or clarity. The system needs separate pipelines for:
The correct cost-aware pattern is:
Scripts exist, but not every script has complete test coverage. Tests need to become mandatory for all automation, including editorial validation scripts.
The desired editorial quality system includes:
Only some of that is currently formalized.
The repo already has prompts and agents, but they need a more explicit contract model tied to Linear issues, per-task docs/tasks/CWS-NNN.md input, and test-first behaviour.
The repo is powerful but dense. It needs better top-level organization and a formal ADR structure so architectural choices are recorded and discoverable.
Slack should be used for free visibility, but only with integrations available on free plans. The 10-integration limit must be budgeted carefully.
The current CODEX_TASK.md is a single file at a fixed location. It should be per-task under docs/tasks/ with the Linear issue ID in the filename, persisted as a historical record after merge.
Available surfaces: iOS app, Android app, Mac app (Perplexity Computer), web app (perplexity.ai).
Connected integrations (already active):
Use for:
Available surfaces: iOS app, Android app, Mac desktop app, web app (chatgpt.com).
Capabilities:
Use for:
Important limitation: ChatGPT’s GitHub integration is read-only. To trigger workflow_dispatch, use one of:
gh workflow run from CLIAvailable surfaces as of March 2026:
| Surface | Platform | Status |
|---|---|---|
| Codex CLI | macOS (user), Linux (CI-only) | Stable, open-source, Rust-based |
| Codex Mac App | macOS (Apple Silicon) | Stable since Feb 2026 |
| Codex IDE Extension | VS Code, Cursor, Windsurf, JetBrains (macOS) | Stable |
| Codex Cloud | Web (chatgpt.com/codex), ChatGPT iOS/Android sidebar | Stable |
Key capabilities:
.agents/skills/) for repeatable workflowsAGENTS.md for repo-level policyopenai/codex-action@v1 GitHub Action for CI-based PR reviewgpt-5.3-codexTrigger model: Manual. Shabib starts Codex after the dispatch workflow prepares the branch and task file. No programmatic trigger API exists.
Use only after the issue exists and the branch has been prepared with docs/tasks/CWS-NNN.md.
Codex is not the planner of record. Linear is.
gh workflow run, GitHub API, or GitHub UI.docs/tasks/CWS-NNN.md into a new branch. Posts a Slack notification and Linear comment that the task is ready for Codex.docs/tasks/CWS-NNN.md, verifies a failing test exists or writes it first.docs/tasks/CWS-NNN.md to a prepared branch._drafts/ first, then move through research, drafting, editing, fact-check framing, and publishing prep. When ready, the post is moved from _drafts/ to _posts/ with proper front matter and date.docs/tasks/CWS-NNN.md.A single CODEX_TASK.md creates conflicts when multiple tasks are in flight and loses history after each run. Per-task files solve both problems.
docs/tasks/CWS-NNN.md
Where NNN is the Linear issue number (e.g., docs/tasks/CWS-42.md).
| Phase | State |
|---|---|
| Dispatch workflow runs | File created at docs/tasks/CWS-NNN.md with Linear issue content |
| Codex picks up task | Agent reads from docs/tasks/CWS-NNN.md |
| Task complete, PR merged | File persists as historical record |
# CWS-NNN: [Issue Title]
## Linear Issue
- **ID:** CWS-NNN
- **URL:** https://linear.app/codewithshabib/issue/CWS-NNN
- **Workflow:** [Dev | Editorial-New | Editorial-Update]
- **Executor:** [Agent | Human | Hybrid]
- **Created:** YYYY-MM-DD
## Brief
[Full issue description from Linear]
## Acceptance Criteria
[Extracted from issue body]
## Labels
[Labels from Linear]
## Decomposition
[Sub-issues if any, with their CWS IDs]
The docs/tasks/ directory is tracked by git. Task files are committed on the prepared branch by the dispatch workflow and persist through merge to main.
Every orchestrator prompt must reference the task file by its per-task path:
Read the execution brief from
docs/tasks/CWS-NNN.md(the specific file path is provided when Codex is started).
Archive the default Linear onboarding issues before creating the real backlog:
CWS-1CWS-2CWS-3CWS-4These are onboarding artifacts, not project work.
Use the existing team workflow states:
Exactly one of:
HumanAgentHybridExactly one of:
Waiting-HumanWaiting-AgentReadyExactly one of:
DevEditorial-NewEditorial-UpdateExactly one of:
SpecImplementationReviewMerge-ReadyReusable labels:
EpicTaskChoreADRSlackCIHooksTDDSEOWritingFact-CheckA task requires Shabib to:
A task is safe for Codex to execute with the right prompt and constraints.
An agent can do most of the implementation, but the task includes a human checkpoint or approval step.
Linear’s native GitHub integration (free, included) provides:
feature/CWS-42-short-slug)Configure per-team workflow automations in Linear settings.
feature/CWS-NNN-short-slugfix/CWS-NNN-short-slugeditorial/CWS-NNN-short-slugchore/CWS-NNN-short-slugThe CWS-NNN in the branch name triggers Linear’s GitHub integration to auto-link the PR.
Every PR must include:
Closes CWS-NNNExamples of layers:
Single PR examples:
Stack examples:
On the Hobby (free) tier, Graphite provides:
gt create, gt submit, gt stack)Not available on free tier:
Stack merge on free tier uses standard GitHub merge — Graphite CLI handles rebase ordering.
.codex/ for Codex config, prompts, docs, manifests, rollout evidence.agents/skills/ for repo-local skills.github/workflows/ for CI workflowsscripts/ for automation_posts/ for published content_drafts/ for draft content (must be tracked by git).codex/ as the Codex control plane.agents/skills/ as the repo-local skills directory for current compatibility_drafts/ — remove from .gitignore, track in git. Jekyll ignores this folder in production builds by default.docs/tasks/ — per-task execution briefs, named CWS-NNN.md, persisted as history after merge.docs/adr/ — human-facing decision recordstests/unit/ and tests/integration/scripts/hooks/styles/Codewithshabib/ — Vale rules.codex/docs/templates/ — intake templatesNo automation or validation code ships without tests.
scripts/tests/unit/ for isolated logictests/integration/ for multi-step flow testsThe developer agent instructions must explicitly say:
Before writing any implementation, create a failing test that covers the acceptance criteria from the Linear issue. Do not open a PR without test coverage for every new or modified script.
Purpose: catch fast editorial issues before a commit exists.
_posts/** and _drafts/** files onlyPurpose: catch expensive failures before remote CI.
make checkmake setup installs/symlinks both hooksopenai/codex-action@v1 for lightweight PR review (requires OPENAI_API_KEY secret scoped to that workflow only)Trigger paths:
scripts/**.codex/**.agents/**_config.yml_includes/**_layouts/**_sass/**assets/**.github/workflows/**testlintsecuritygovernancejekyll-buildTrigger paths:
_posts/**_drafts/**testspell-checkgrammar-and-stylemarkdown-lintseo-auditSecurity scanning strategy:
Layer 1: Semgrep CE (local + CI)
--config auto for Ruby, JavaScript, HTML, YAMLmake security (already exists as run-security-checks.sh, now covers Semgrep CE)semgrep.yml workflow triggered on PRs. Uses the free semgrep/semgrep Docker image. No SEMGREP_APP_TOKEN needed for CE mode — just semgrep scan --config auto.Layer 2: CodeQL (CI only)
codeql.yml workflow triggered on PRs and push to main.github/codeql-action/init@v3 + github/codeql-action/analyze@v3ruby, javascript (covers the Jekyll repo’s stack)Layer 3: Dependabot (already available)
Gemfile.lock and package-lock.json are committed.Security = first-class guardrail rule:
make security to the Definition of Done alongside make check.Trigger: workflow_dispatch with inputs issue_id and workflow_type.
See Dispatch Workflow Design section for full spec.
A lightweight merge notification workflow posts to Slack when commits land on main.
Use openai/codex-action@v1 for automated PR review comments. This is the only CI workflow that should use an OpenAI API key. Scoped to pull_request events only. Runs Codex in a sandboxed read-only mode to post review feedback, not execute tasks.
These are the baseline editorial tests:
The original discussion grouped six automated checks, but storytelling, tone/style, and SEO were all important enough that the implemented system should treat them as distinct validation concerns even if some share the same Vale engine.
These are required before editorial merge:
Because these require judgment, not just rule matching. They should be run as manual Codex prompts and reviewed by Shabib before merge.
New posts follow the Jekyll _drafts/ convention:
_drafts/ (no date prefix required per Jekyll convention)._posts/ with the proper YYYY-MM-DD- date prefix.A new file is required:
.codex/docs/editorial-voice-profile.mdIt should define:
A new file is required:
.codex/docs/editorial-voice-eval-rubric.mdIt should score:
Create a style pack in:
styles/Codewithshabib/Rules to include:
NoPassiveVoice / ActiveVoicePreferenceNoFillerOpenersNoPrincipalHedgingStoryStructureThe repo already has agent definitions for:
Each agent has a One Piece character identity that maps to their role. These identities are used in Codex config.toml agent definitions, skill descriptions, prompt headers, and Slack notifications for personality and quick identification.
| Agent Name | One Piece Character | Role | Rationale |
|---|---|---|---|
| Luffy the Captain | Monkey D. Luffy | team-lead / orchestrator | Captain who sets direction and delegates to the crew |
| Zoro the Swordsman | Roronoa Zoro | developer | First mate — cuts through problems with raw skill and discipline |
| Nami the Navigator | Nami | researcher | Charts the course — finds information, maps the territory |
| Sanji the Cook | Sanji | writer | Crafts something nourishing from raw ingredients — turns research into prose |
| Chopper the Doctor | Tony Tony Chopper | editor | Diagnoses problems and heals the content — fixes what’s broken |
| Robin the Scholar | Nico Robin | fact-checker | Archaeologist who deciphers truth from history and sources |
| Franky the Shipwright | Franky | publisher-release | Builds and maintains the ship — packaging, deployment, CI |
| Brook the Musician | Brook | seo-expert | Brings life and rhythm to content — SEO, discoverability, audience reach |
| Jinbe the Helmsman | Jinbe | historical-post-editor | Steady hand that steers legacy content through safe waters without capsizing |
Agent names follow the format <Name> the <Role>. These names are used in Codex config.toml agent definitions, skill descriptions, prompt headers, and Slack notifications for personality and quick identification.
The naming convention is extensible. New agents (including reasoning agents) follow the same pattern using One Piece characters whose traits match the role.
If an agent attempts the same action 3 times with the same inputs and gets the same result, it MUST stop immediately. The agent MUST:
Blocked.For scripts: All retry-capable scripts in scripts/ MUST include a retry counter (max 2 retries). After exhausting retries, the script MUST exit with a non-zero code and a human-readable error message. Silent infinite retries are prohibited.
If an agent cannot make progress for any reason (missing file, permission error, ambiguous requirement), it MUST:
#codex-runs via Slack webhook.Set explicit limits in config.toml:
[agents]
max_threads = 3
max_depth = 1
The orchestrator skill MUST include:
CONCURRENCY LIMIT: Never delegate more than 3 parallel agents.
If the plan has more than 3 parallel lanes, batch them:
- Turn 1: Launch lanes 1-3, wait for results.
- Turn 2: Launch remaining lanes.
- Final: Synthesize all results.
Each agent is defined by three layers, separating identity, behavior, and function:
.codex/agents/<agent-name>/
├── config.toml # Functional: tools, permissions, model assignment
├── soul.md # Behavioral: identity, values, guardrails, personality
└── instructions.md # Operational: what to do, how to do it, boundaries
soul.md defines who the agent IS — personality, values, and behavioral guardrails. Inspired by DeerFlow’s SOUL.md pattern. This is separate from functional instructions.
Example soul.md for Zoro the Swordsman (developer):
# Zoro the Swordsman — Developer
You are Zoro the Swordsman — disciplined, direct, and relentless.
## Values
- Precision over speed. Measure twice, cut once.
- Tests come before code. Always.
- Your scope is your boundary. Stay in your lane.
## Guardrails
- You MUST NOT start coding until tests are written.
- You MUST NOT touch files outside your assigned scope.
- You MUST NOT merge or approve PRs — only create them.
- You MUST NOT modify editorial content (\_posts/, \_drafts/, \_pages/).
- If you're stuck, you report the obstacle — you MUST NOT hack around it.
instructions.md defines the operational boundaries using MUST NOT language:
## Boundaries
- MUST NOT modify: \_posts/, \_drafts/, \_pages/, docs/editorial/
- MUST NOT run: make publish-draft, make qa-publish, make finalize-merge
- MUST NOT merge, approve, or close PRs
- MUST NOT modify AGENTS.md, config.toml, or other agent configs
- MUST report and STOP if a task requires changes outside these boundaries
Each agent role gets its own boundary set. See the full boundary matrix below.
| Agent | MUST NOT modify | MUST NOT run | Special restrictions |
|---|---|---|---|
| Zoro (developer) | _posts/, _drafts/, _pages/, docs/editorial/ | make publish-draft, make qa-publish | MUST NOT touch editorial content |
| Sanji (writer) | scripts/, .github/, Makefile, config files | make setup, make ci-setup | MUST NOT touch infrastructure |
| Chopper (editor) | scripts/, .github/, Makefile, config files | make setup, make ci-setup | MUST NOT touch infrastructure |
| Robin (fact-checker) | ALL files (read-only) | Any write commands | MUST NOT modify any file — only report findings |
| Nami (researcher) | ALL files (read-only) | Any write commands | MUST NOT modify any file — only report findings |
| Franky (publisher) | _posts/ content, _drafts/ content | N/A | MUST NOT change post body prose — only packaging/CI |
| Brook (SEO) | scripts/, .github/, Makefile | make setup | MUST NOT touch infrastructure |
| Jinbe (historical editor) | scripts/, .github/, Makefile, config files | make setup, make ci-setup | MUST NOT change original publish dates |
| Luffy (orchestrator) | Direct file modifications | Direct implementation commands | MUST delegate, MUST NOT execute directly |
.codex/prompts/dev-workflow.md.codex/prompts/editorial-new.md.codex/prompts/editorial-update.mdCreate:
.codex/prompts/editorial-checks/audience-check.md.codex/prompts/editorial-checks/fact-check.md.codex/prompts/editorial-checks/authority-check.md.codex/prompts/editorial-checks/final-sign-off.mdThe orchestrator skill (Luffy the Captain) separates planning from execution. This is inspired by DeerFlow’s Coordinator/Planner/Executor separation.
docs/tasks/CWS-NNN.md).docs/agent-context.md for project context.#codex-runs via Slack webhook: “Plan ready for CWS-NNN: [Linear link]”.This is the Option C plan review gate: Linear is the record, Slack is the notification. Shabib reviews the plan in Linear (any device), replies with approval or edits.
Once the plan is approved (Shabib re-invokes Codex with “Plan approved, proceed” or provides edits):
Every orchestrator prompt MUST:
docs/tasks/CWS-NNN.md (path provided at Codex start)docs/agent-context.md for project stateBefore starting work, the orchestrator MUST verify:
Ask ONE question at a time. Wait for the answer before proceeding. Do NOT ask clarifying questions for routine tasks fully covered by existing AGENTS.md rules.
New posts MUST be created in _drafts/ first and only moved to _posts/ after all automated checks pass.
The agent MUST NOT:
Before creating the PR, the orchestrator MUST verify all of the following. If any item fails, the agent MUST fix it or report the failure — MUST NOT create the PR with known failures.
docs/tasks/CWS-NNN.md are metgit diff --name-only)make check)make security)make lint)docs/agent-context.md updated if project state changedCWS-NNNCodex agents have no cross-session memory. Each task starts from scratch. To provide project continuity, agents read and update a persistent context file.
docs/agent-context.mdFormat: Markdown (not JSON/JSONL). Rationale:
# Agent Context — CodeWithShabib
_Last updated: YYYY-MM-DD by [agent-name] during CWS-NNN_
## Current Focus
- [3-5 bullet points of active workstreams]
## Recent Decisions
- [ADR references, recent architectural choices with brief rationale]
## Known Constraints
- [Free tier limits, tooling quirks, unresolved issues, blockers]
## Editorial State
- Posts in draft: [list]
- Recently published: [list]
- Scheduled: [list]
## Open Questions
- [Anything unresolved that the next agent should be aware of]
docs/agent-context.md before starting work.AGENTS.md:
Before starting any task, read docs/agent-context.md for project context.
After completing a task, update the relevant section if anything changed.
Reasoning agents apply structured mental models to improve decision quality across all workflows. They can be invoked:
$skill-name in the Codex app/CLI)| Skill Name | Mental Model | When to Use | One Piece Name |
|---|---|---|---|
$first-principles |
First Principles Thinking | Decompose a problem to its fundamental truths before building up | Vegapunk the Scientist |
$second-order |
Second-Order Thinking | Evaluate consequences of consequences before committing | Shanks the Strategist |
$socratic |
Socratic Questioning | Challenge assumptions through systematic questioning | Rayleigh the Mentor |
$red-team |
Red Teaming / Devil’s Advocate | Actively find flaws, attack the plan, stress-test assumptions | Mihawk the Rival |
$inversion |
Inversion | Work backward from failure — what would make this fail? | Crocodile the Schemer |
$pareto |
80/20 (Pareto Principle) | Identify the 20% of effort that delivers 80% of value | Doflamingo the Puppeteer |
$opportunity-cost |
Opportunity Cost | What are we giving up by choosing this path? | Garp the Veteran |
$circle-of-competence |
Circle of Competence | Stay within what we know; identify when we’re outside it | Whitebeard the Elder |
$margin-of-safety |
Margin of Safety | Build buffers against what can go wrong | Kuma the Protector |
$feedback-loop |
Feedback Loops | Identify reinforcing and balancing loops in the system | Katakuri the Predictor |
$bayesian |
Bayesian Updating | Update beliefs based on new evidence; avoid anchoring | Dragon the Revolutionary |
$red-team in Codex thread composer, or paste the portable prompt template into Perplexity/ChatGPT$first-principles + $second-order + $red-team$socratic + $red-team + $circle-of-competence$pareto + $opportunity-cost$inversion + $margin-of-safety$feedback-loop + $bayesianEach reasoning skill lives at .agents/skills/<skill-name>/SKILL.md with:
Each mental model also has a companion prompt template at .codex/docs/reasoning-prompts/<model-name>.md that can be copy-pasted into Perplexity or ChatGPT for use outside the repo.
Under .agents/skills/:
first-principles/SKILL.mdsecond-order/SKILL.mdsocratic/SKILL.mdred-team/SKILL.mdinversion/SKILL.mdpareto/SKILL.mdopportunity-cost/SKILL.mdcircle-of-competence/SKILL.mdmargin-of-safety/SKILL.mdfeedback-loop/SKILL.mdbayesian/SKILL.mdUnder .codex/docs/reasoning-prompts/:
first-principles.mdsecond-order.mdsocratic.mdred-team.mdinversion.mdpareto.mdopportunity-cost.mdcircle-of-competence.mdmargin-of-safety.mdfeedback-loop.mdbayesian.mdThe dispatch workflow is a cheap prep step, not an execution engine. It automates everything between “Linear issue exists” and “Codex is ready to pick up the task.”
issue_id (Linear issue identifier, e.g., CWS-42) and workflow_type (dev, editorial-new, editorial-update) as workflow_dispatch inputs.scripts/fetch-linear-issue.sh to fetch issue content from Linear API.docs/tasks/CWS-NNN.md with the structured task file template.feature/CWS-NNN-slug, editorial/CWS-NNN-slug, etc.).#codex-runs) that a task is ready.| Surface | Method |
|---|---|
| Perplexity (iOS/Android/Mac/web) | GitHub connector → trigger workflow_dispatch |
| ChatGPT (iOS/Android/Mac/web) | Not directly supported for workflow_dispatch; use Codex Cloud to create a task that calls gh workflow run, or ask Shabib to trigger via CLI |
| CLI (terminal) | gh workflow run codex-dispatch.yml -f issue_id=CWS-42 -f workflow_type=dev |
| GitHub UI | Actions tab → codex-dispatch → Run workflow |
| GitHub REST API | POST /repos/{owner}/{repo}/actions/workflows/codex-dispatch.yml/dispatches |
March 2026 update: The GitHub workflow_dispatch API now returns
run_idin the response whenreturn_run_details=trueis passed, making it possible to track the dispatch run programmatically.
LINEAR_API_KEY from environmenthttps://api.linear.app/graphqldocs/tasks/CWS-NNN.mdDocument required secrets in:
.codex/docs/secrets.mdRequired secrets:
LINEAR_API_KEY — for fetching issue content in dispatch workflowSLACK_WEBHOOK_URL — for CI and dispatch Slack notificationsOPENAI_API_KEY — only if using openai/codex-action@v1 for PR review; scoped to that workflowNo OpenAI secrets are used for task execution in CI.
Why
LINEAR_API_KEYis needed despite native integrations: Linear’s GitHub integration only syncs issues ↔ PRs via branch naming and magic words — it does NOT provide an API to fetch issue content from within a GitHub Actions workflow. Linear’s Perplexity/ChatGPT connectors work in conversation context only and cannot be called from CI. The dispatch workflow (codex-dispatch.yml) runs in GitHub Actions and needs to fetch the Linear issue body to writedocs/tasks/CWS-NNN.md. The only way to do this from CI is Linear’s GraphQL API, which requires aLINEAR_API_KEY. The key is a personal API key (free, generated from Linear Settings → API → Personal API Keys). No paid plan required. The native integrations (GitHub ↔ Linear, Perplexity ↔ Linear, ChatGPT ↔ Linear) handle everything else.
Three setup targets, all driven through the Makefile:
make setup — New Mac bootstrapMust handle:
bundle install for Jekyll + gemsgh CLI auth checkgt (Graphite CLI) auth checkmake hooks-install).env scaffold with placeholder secrets (LINEAR_API_KEY, SLACK_WEBHOOK_URL)make ci-setup — GitHub Actions runner bootstrapRuns in CI workflows as a first step. Must handle:
bundle install --jobs 4 --retry 3make codex-setup — Codex environment verificationRun at the start of a Codex session to verify the agent has what it needs:
AGENTS.md exists and is under 32 KiBdocs/tasks/CWS-NNN.md exists for the current branch (if on a task branch)| # | Integration | Purpose |
|---|---|---|
| 1 | Linear | Issue creation from Slack, status updates, bidirectional comment sync |
| 2 | GitHub | PR notifications, merge alerts, CI status |
| 3 | Incoming Webhooks | Custom notifications from CI workflows (dispatch ready, merge, failures) |
| 4 | Perplexity Computer | AI agent tasks from Slack (already connected) |
| 5-10 | Reserved | Future integrations as needed |
Important: Graphite → Slack integration requires the Starter tier ($20/user/month) and is not available on the free plan. All PR/stack notifications should go through GitHub Actions → Slack webhooks instead.
#ci-dev — dev pipeline success/failure, governance failures, security alerts#ci-editorial — editorial pipeline success/failure, content validation failures#linear-updates — issue created, status changed, issue linked to PR, project updates#merges — merge-to-main notifications#codex-runs — dispatch-ready notifications, manual log of Codex runs, start/stop/outcome notes#ci-dev#ci-editorial#linear-updates#merges#codex-runsfeature/CWS-42-slug”)Add:
.codex/docs/tools.md.codex/docs/slack-setup.md.codex/docs/secrets.mdThis system is intentionally architectural: agent workflows, CI design, cost constraints, publishing process, branching model, and Linear conventions are all decisions that should be preserved.
Create:
docs/adr/README.mddocs/adr/template.mddocs/adr/0001-use-jekyll-github-pages.mdCreate:
scripts/new-adr.shExpose via:
make new-adr TITLE="..."If a PR touches:
.codex/**.agents/**.github/workflows/**_config.ymlthen it should create or reference an ADR.
Create these projects:
[INFRA] Repo Process & ToolingPurpose:
_drafts/ git tracking fix[ORCHESTRATION] Agentic Workflow DesignPurpose:
docs/tasks/CWS-NNN.md)[EDITORIAL] Content Quality SystemPurpose:
_drafts/ → _posts/ workflowHow to break the Master Plan into Linear work:
Epic structure (3 projects, each with epics):
Project: [INFRA] Repo Process & Tooling
Project: [ORCHESTRATION] Agentic Workflow Design
Project: [EDITORIAL] Content Quality System
Breakdown rules:
agent-task or human-task.make targets or test commands.I (Computer/Perplexity) can create these Linear issues for you once you approve the final scope. Each issue will have a high-quality description with the structured execution brief format.
This section summarizes the implementation backlog at epic level.
_drafts/ from .gitignore and track in gitworkflow_dispatch branch-prep flow with per-task docs/tasks/CWS-NNN.mdfetch-linear-issue.shconfig.toml and prompts.agents/skills/).codex/docs/reasoning-prompts/)_posts/ and _drafts/)_posts/** and _drafts/**).gitignore — remove _drafts/ entry so the folder is tracked by git.codex/docs/templates/dev-prd-template.md.codex/docs/templates/editorial-new-template.md.codex/docs/templates/editorial-update-template.md.codex/docs/trigger-surface-guide.md (replaces ios-intake-guide.md — covers all surfaces).codex/docs/codex-usage.md (covers CLI, Mac app, IDE extension, Cloud).codex/docs/decomposition-rules.md.codex/docs/editorial-voice-profile.md.codex/docs/editorial-voice-eval-rubric.md.codex/docs/tools.md.codex/docs/slack-setup.md.codex/docs/secrets.mddocs/adr/README.mddocs/adr/template.mddocs/adr/0001-use-jekyll-github-pages.mddocs/tasks/.gitkeep (ensures the directory exists in git)docs/agent-context.md (persistent agent memory / project context)For each agent (zoro, sanji, chopper, robin, nami, franky, brook, jinbe, luffy):
.codex/agents/<agent-name>/config.toml.codex/agents/<agent-name>/soul.md.codex/agents/<agent-name>/instructions.md.codex/docs/reasoning-prompts/first-principles.md.codex/docs/reasoning-prompts/second-order.md.codex/docs/reasoning-prompts/socratic.md.codex/docs/reasoning-prompts/red-team.md.codex/docs/reasoning-prompts/inversion.md.codex/docs/reasoning-prompts/pareto.md.codex/docs/reasoning-prompts/opportunity-cost.md.codex/docs/reasoning-prompts/circle-of-competence.md.codex/docs/reasoning-prompts/margin-of-safety.md.codex/docs/reasoning-prompts/feedback-loop.md.codex/docs/reasoning-prompts/bayesian.md.codex/prompts/dev-workflow.md.codex/prompts/editorial-new.md.codex/prompts/editorial-update.md.codex/prompts/editorial-checks/audience-check.md.codex/prompts/editorial-checks/fact-check.md.codex/prompts/editorial-checks/authority-check.md.codex/prompts/editorial-checks/final-sign-off.md.agents/skills/first-principles/SKILL.md.agents/skills/second-order/SKILL.md.agents/skills/socratic/SKILL.md.agents/skills/red-team/SKILL.md.agents/skills/inversion/SKILL.md.agents/skills/pareto/SKILL.md.agents/skills/opportunity-cost/SKILL.md.agents/skills/circle-of-competence/SKILL.md.agents/skills/margin-of-safety/SKILL.md.agents/skills/feedback-loop/SKILL.md.agents/skills/bayesian/SKILL.mdscripts/hooks/pre-commitscripts/hooks/pre-pushscripts/fetch-linear-issue.shscripts/new-adr.shscripts/validate-front-matter.rbscripts/audit-seo.rb (new or refactored)tests/unit/test_pre_commit_hook.rbtests/unit/test_pre_push_hook.rbtests/unit/test_validate_front_matter.rbtests/unit/test_audit_seo.rbtests/unit/test_new_adr.rbtests/integration/test_fetch_linear_issue.rbscripts/.github/workflows/dev-pipeline.yml.github/workflows/editorial-pipeline.yml.github/workflows/codex-dispatch.yml.github/workflows/notify-merge.yml.github/workflows/codex-pr-review.yml (optional, uses openai/codex-action@v1).markdownlint.yml.vale.inicspell.jsonstyles/Codewithshabib/*.yml| Area | Human | Agent | Notes |
|---|---|---|---|
| Linear project setup | Yes | No | Workspace/admin task |
| Label taxonomy | Yes | No | Best created deliberately |
| Slack workspace creation | Yes | No | Human account creation required |
| Slack integration wiring docs | Yes | Yes | Human does setup, agent can document |
.gitignore fix for _drafts/ |
Review | Yes | Agent-friendly, human verifies |
| Prompt writing | Hybrid | Yes | Human sets policy, agent drafts structure |
| Hook implementation | Review | Yes | Agent-friendly |
| Test writing | Review | Yes | Must be test-first |
| Editorial voice policy | Yes | Assist only | Human source of truth |
| Authority rubric | Yes | Assist only | Human judgment framework |
| ADR policy | Yes | Assist only | Human-owned architecture decisions |
| CI YAML implementation | Review | Yes | Agent-friendly |
| Dispatch workflow | Review | Yes | Agent implements, human reviews |
| Per-task file template | Hybrid | Yes | Human defines structure, agent implements |
| Trigger surface guide | Yes | Assist only | Human documents actual usage patterns |
| Final editorial merge decision | Yes | No | Human-only |
| Final architecture merge decision | Yes | No | Human-only |
_drafts/ from .gitignore and commit.docs/tasks/.gitkeep and commit._posts/** and _drafts/**)._posts/** and _drafts/**).docs/tasks/CWS-NNN.md files).fetch-linear-issue.sh (writes to docs/tasks/).This plan is complete when all of the following are true:
_drafts/ is tracked by git and agents can create/edit drafts in branches.PR_REQUIRED or EVIDENCE_REQUIRED.PR_REQUIRED issues cannot move to Done until the linked PR is merged to main.EVIDENCE_REQUIRED issues cannot move to Done without explicit evidence artifacts and human sign-off.CWS-* identifiers.docs/tasks/CWS-NNN.md and persist after merge._drafts/**).docs/tasks/CWS-NNN.md ready for Codex pickup.$skill-name.config.toml.make security passes alongside make check — security scanning is a first-class guardrail.soul.md and instructions.md with MUST NOT boundaries.docs/agent-context.md exists and agents read/update it.config.toml (max_threads=3, max_depth=1).| Tool | Surfaces | Key Capabilities | Free Tier Limits |
|---|---|---|---|
| Perplexity | iOS, Android, Mac, Web | Research, Linear connector, GitHub connector, Slack connector | Pro Search limits on free; connectors require Pro/Max |
| ChatGPT | iOS, Android, Mac, Web | Conversation, Codex Cloud sidebar, GitHub read-only app | Codex included with Plus+ |
| Codex CLI | macOS (user), Linux (CI-only) | Local agent, multi-agent (experimental), MCP server, open-source | Included with ChatGPT subscription |
| Codex App | macOS | Multi-agent management, worktrees, automations, skills | Included with ChatGPT subscription |
| Codex IDE Extension | VS Code, Cursor, Windsurf, JetBrains | In-IDE agent, Cloud delegation | Included with ChatGPT subscription |
| Codex Cloud | Web (chatgpt.com/codex), ChatGPT iOS/Android | Remote sandboxed execution, PR creation | Included with ChatGPT subscription |
| Codex GitHub Action | CI | openai/codex-action@v1, PR review, patch application |
Requires API key |
| Linear | Web, iOS, Android, Mac | GraphQL API, GitHub integration (free), Slack integration (free) | Free plan: unlimited issues |
| Graphite | CLI, VS Code, Web | Stacked PRs, PR inbox, limited AI reviews | Hobby: personal repos, CLI, no Slack, no merge queue |
| GitHub Actions | CI | workflow_dispatch (API returns run_id since Feb 2026), path filtering |
Free for public repos; 2000 min/month private |
| Slack | iOS, Android, Mac, Web | Channels, webhooks, app integrations | Free: 90-day history, 10 integrations, 5 GB storage |
| Jekyll | Build tool | _drafts/ ignored in prod by default, --drafts flag for local preview |
N/A |
| # | Change | Reason |
|---|---|---|
| 1 | _drafts/ must be tracked by git |
Agents need to create/edit drafts in branches; currently gitignored |
| 2 | All trigger surfaces expanded to iOS + Android + Mac + Web | Perplexity and ChatGPT available on all four surfaces |
| 3 | Codex surfaces documented (CLI, Mac App, IDE Extension, Cloud) | All surfaces are available as of March 2026 |
| 4 | CODEX_TASK.md replaced with per-task docs/tasks/CWS-NNN.md |
Per-task files avoid conflicts, provide history, map to Linear issues |
| 5 | Human-in-the-loop reduced to two touchpoints | Idea creation and final review; everything else automated |
| 6 | Codex start remains manual (no API) | No programmatic trigger API exists as of March 2026 |
| 7 | Slack 10-integration budget documented | Free plan hard limit; integration slots must be planned |
| 8 | Graphite free tier constraints documented | Slack integration, merge queue, and org repos require paid tiers |
| 9 | ChatGPT GitHub integration clarified as read-only | Cannot trigger workflow_dispatch; Codex or CLI needed for writes |
| 10 | GitHub workflow_dispatch API return_run_details noted |
Feb 2026 change enables tracking dispatch runs |
| 11 | Codex GitHub Action (openai/codex-action@v1) added as optional CI tool |
Available for PR review without running full agent tasks |
| 12 | Editorial pipeline triggers expanded to include _drafts/** |
Drafts need the same validation as published posts |
| 13 | iOS-intake-guide replaced with multi-surface trigger guide | Covers all surfaces, not just iOS |
| 14 | Codex usage doc scoped to macOS surfaces (Linux = CI-only) | CLI, Mac app, IDE extension, Cloud |
| 15 | Tool capabilities matrix added as Appendix A | Quick reference for all tool constraints validated against March 2026 docs |
| 16 | Windows references removed | User does not use Windows; reduces noise |
| 17 | One Piece agent naming system added | Agents get memorable identities matching their roles |
| 18 | Mental model reasoning agents added | 11 structured thinking skills as Codex skills + portable prompts |
| 19 | Master Plan storage location defined | docs/master-plan.md in repo (authoritative) + Linear reference copy |
| 20 | Reasoning agent auto-invocation rules added | Orchestrator can intelligently apply mental models based on task context |
| 21 | Explicit device profile added (v3.1) | Mac + iPhone + Android phone + Linux (CI-only). No Windows. |
| 22 | Android added to all mobile surface references | Perplexity, ChatGPT, Linear, Slack, Codex Cloud sidebar |
| 23 | Codex CLI/IDE Linux clarified as CI-only | User runs Codex CLI on macOS; Linux only appears in GitHub-hosted runners |
| 24 | Trigger surfaces expanded to iOS + Android + Mac + Web | Both mobile OSes Shabib uses are now represented |
| 25 | Scripting language policy documented | Bash default, Ruby for Jekyll/YAML; Makefile is single entry point |
| 26 | One-shot DX setup targets defined | make setup, make ci-setup, make codex-setup |
| 27 | Definition of Ready added | 8-point checklist gating agent task pickup |
| 28 | Linear API key necessity clarified | Needed only for dispatch workflow CI; free personal API key |
| 29 | Semgrep CE + CodeQL added as first-class security guardrails | Free SAST tools, blocking on PRs |
| 30 | Linear task breakdown strategy added | Epic structure, breakdown rules, execution order |
| 31 | Known gaps and risks section added | 9 blind spots documented with mitigations |
| 32 | Definition of Done updated | make security added alongside make check |
| 33 | DeerFlow-inspired agent safety rules added | Loop prevention, stuck-agent escalation, retry limits in scripts |
| 34 | soul.md + instructions.md per agent | Separates identity/personality from operational boundaries |
| 35 | MUST NOT language adopted for agent boundaries | Stronger than MAY NOT — unambiguous prohibition |
| 36 | Agent boundary matrix added | Explicit per-role file and command restrictions |
| 37 | Persistent agent context file (docs/agent-context.md) | Markdown-based cross-session memory for agents |
| 38 | Two-phase orchestrator design | Plan phase (post to Linear, notify Slack) → approval → execute phase |
| 39 | Option C plan review gate | Linear comment = permanent record, Slack notification = doorbell |
| 40 | Structured clarification protocol | SCOPE/APPROACH/RISK/MISSING taxonomy for agent questions |
| 41 | Self-audit checklist before PR creation | 10-point verification before any PR is opened |
| 42 | Concurrency limits set (max_threads=3, max_depth=1) | Prevents coordination chaos in multi-agent execution |
| 43 | Agent context system added to backlog | New epic under INFRA and ORCHESTRATION |
Blind spots identified:
No rollback strategy. If a Codex agent produces a bad PR that gets merged, there’s no documented rollback procedure. GitHub Pages auto-deploys on merge — a bad merge means a bad deploy. Add: “Revert PR template” and “rollback Makefile target” to backlog.
No agent output size budget. Codex agents could produce enormous PRs that are hard to review. Add: max diff size guideline per task (e.g., ≤ 500 lines changed). If larger, decompose.
No monitoring for the live site. After deploy, there’s no health check. A bad Jekyll build could produce a broken site. Add: post-deploy smoke test (curl the homepage, check for 200 + expected content).
Secrets rotation. LINEAR_API_KEY and SLACK_WEBHOOK_URL have no rotation schedule documented.
No cost monitoring for GitHub Actions. Starting March 2026, self-hosted runners have a $0.002/min charge. Your public repo uses GitHub-hosted runners (free for public repos), but if the repo ever goes private, costs would start. Document this constraint.
Skill versioning. Skills are in the repo and versioned by git, but there’s no semantic versioning or changelog per skill. When a skill changes behavior, agents using it won’t know. Add: metadata.version in SKILL.md frontmatter + CHANGELOG.md per skill.
No branch cleanup automation. After merging, stale branches from completed tasks may accumulate. Add: branch auto-delete on merge (GitHub repo setting) + periodic cleanup of orphaned docs/tasks/ files.
Draft post collision. If two agents work on drafts simultaneously (unlikely with current manual trigger, but possible with future automation), _drafts/ could have conflicts. The multi-agent “one writer per file” rule covers this but isn’t enforced by CI.
No emergency bypass. If CI or hooks break, there’s no documented way to force-push an urgent fix. Add: emergency bypass procedure (admin merge with [EMERGENCY] label, post-incident ADR required).
Agent boundary enforcement is instruction-based only. Codex has no programmatic way to restrict file access or command execution per agent. The MUST NOT rules in instructions.md rely on the LLM following instructions. A misbehaving agent could still modify restricted files. Mitigation: the self-audit checklist catches scope violations before PR creation, and PR review is mandatory. Consider adding a CI check that validates diff scope against the agent role specified in the task file.
This system is intentionally designed as a solo-human / multi-agent operating model.
Shabib is not trying to automate away judgment. He is trying to automate away repetitive coordination, setup, validation, and mechanical execution so that his time is spent on:
That is the correct role split.
The two human touchpoints — idea creation and final review — are non-negotiable. Everything between them should require zero manual intervention except the current limitation of manually starting Codex (which may be resolved when OpenAI ships a programmatic trigger API).