THE PROTOCOL
13 phases. 13 gates. One sequence from PRD to production.
Every phase has a verification gate. You do not advance until the gate passes. This is not bureaucracy — it is discipline. The difference between a ship that launches and a ship that explodes is whether someone checked the seals.
PicardTHE GATE
The protocol is now governed by a stack of mechanically-enforced ADRs. Skipping the pre-scan is no longer an act of will — it is physically blocked at the runtime boundary.
- ADR-048 — Silver Surfer pre-scan: Haiku selects the optimal roster before every gated command, based on the actual code changed in this session.
- ADR-050 — Native Claude Code coexistence:
/reviewalias for/engage,/securityalias for/sentinel. - ADR-051 — Silver Surfer Gate hook: a PreToolUse hook on the Agent tool blocks any non-Surfer sub-agent launch until a roster has been recorded. Enforcement is mechanical, not prose-only.
- ADR-060 — Gate state relocation: per-user state at
$XDG_RUNTIME_DIR/voidforge-gate/(Linux) or$HOME/.voidforge/gate/(macOS), 0700. No more world-writable /tmp. - ADR-061 — npm rename to
voidforge-build(the @voidforge org was unavailable). Bin name unchanged; post-install UX identical.
The gate fails closed on unknown bypass flags — passing anything other than --light or --solo exits 2 with an error. No silent bypass. (SEC-003 hardening.)
THE LONG MEMORY
Before Phase 0 begins, Wong loads two files: docs/LESSONS.md (cross-project patterns) and docs/LEARNINGS.md (project-scoped operational knowledge). LEARNINGS.md contains API quirks, decision rationale, and root causes discovered in prior sessions. Every agent starts informed — your next build begins where the last one left off.
- 0
Read the PRD. Validate frontmatter. Extract architecture. Wong loads LESSONS.md and project-scoped LEARNINGS.md. Troi verifies extraction. Phase 0.5: Picard's Conflict Scan.
AGENTS ON DECK
Picard (lead)Make it architecture.
All agents read PRD
Wong (loads lessons + operational learnings)Lessons and patterns.
Troi (PRD verification)PRD compliance.
- 1
Initialize framework, configs, directory structure, types. Set up the test runner. Every placeholder references the PRD.
AGENTS ON DECK
Stark (lead)Build the engine.
KusanagiTarget acquired.
- 2
Database, Redis, environment config. Verify: dev server starts, DB connects, tests pass.
AGENTS ON DECK
Kusanagi (lead)Target acquired.
Banner (DB)Database administration.
- 3
Login, signup, password reset, sessions, middleware, roles. Kenobi reviews every security surface.
AGENTS ON DECK
Stark (lead)Build the engine.
GaladrielThe light of the Forge.
Kenobi (review)The high ground is security.
- 4
The single most important user journey, built end-to-end as a vertical slice. Schema → API → UI → wire up.
AGENTS ON DECK
Stark (lead)Build the engine.
GaladrielThe light of the Forge.
Troi (PRD compliance)PRD compliance.
Padmé (functional verification)Compliance review.
- 5
Build remaining features in dependency order, one batch at a time. Each batch: build, test, verify, proceed.
AGENTS ON DECK
Stark (lead)Build the engine.
GaladrielThe light of the Forge.
Batman (regression)Every edge case.
- 6
External services: payments, email, file storage, APIs. Each gets a client wrapper, test mode, and error handling.
AGENTS ON DECK
Stark (lead)Build the engine.
RomanoffExternal API integrations.
Kenobi (review)The high ground is security.
- 7
Dashboard, user management, analytics views, audit logging. The control center for operators.
AGENTS ON DECK
Stark (lead)Build the engine.
GaladrielThe light of the Forge.
Picard (review)Make it architecture.
- 8
Homepage, features, pricing, legal pages. SEO meta on every page. Bilbo writes copy. Éowyn adds delight. Celebrimbor forges visual assets. Mobile responsive.
AGENTS ON DECK
Galadriel (lead)The light of the Forge.
Bilbo (copy)Narrative copy, brand voice.
Éowyn (enchantment)Enchantment and delight.
Celebrimbor (assets)The greatest craftsman.
Legolas (performance)Performance optimization.
- 9
Full QA pass: test coverage, error handling, edge cases, boundary testing, config review. Double-pass: find → fix → re-verify.
AGENTS ON DECK
Batman (lead)Every edge case.
OracleTest coverage analysis.
Red HoodError path testing.
AlfredCode quality, linting.
DeathstrokeAuthorization boundary testing.
ConstantineConfig and environment testing.
CyborgSystem integration testing.
RavenDark-path analysis.
Wonder WomanFunctional verification.
- 10
Accessibility, responsive design, loading states, error states, keyboard navigation, focus management. Éowyn reviews delight and micro-interactions. WCAG 2.1 AA compliance.
AGENTS ON DECK
Galadriel (lead)The light of the Forge.
Éowyn (enchantment)Enchantment and delight.
ElrondDesign system architecture.
ArwenVisual design, theming.
SamwiseAccessibility audit.
BilboNarrative copy, brand voice.
LegolasPerformance optimization.
GimliBuild tooling, bundling.
GandalfThe journey begins here.
CelebornDesign system consistency.
- 11
OWASP Top 10 scan, auth review, injection testing, secrets audit, dependency audit, CSP review, red-team verification.
AGENTS ON DECK
Kenobi (lead)The high ground is security.
LeiaAuth flow audit.
ChewieDependency audit.
RexInput validation audit.
MaulRed-team penetration testing.
YodaThreat modeling.
WinduCSP and header review.
AhsokaSecrets management audit.
PadméCompliance review.
- 12
Provision infrastructure, configure DNS/SSL, deploy pipeline, monitoring, backups. Coulson tags the release. Health check must pass.
AGENTS ON DECK
Kusanagi (lead)Target acquired.
Coulson (release tag)The paperwork is handled.
Batman (smoke test)Every edge case.
- 13
Final checklist: SSL, email, payments, analytics, monitoring, backups, security headers, legal, performance, mobile, a11y. Coulson versions. Batman smokes. Bashir debriefs. Sisko signs off.
AGENTS ON DECK
Sisko (lead)One mission at a time.
Coulson (version)The paperwork is handled.
Batman (final smoke)Every edge case.
Bashir (debrief)The diagnosis is in.
Fury (council vote)I didn't ask.
Troi (PRD compliance)PRD compliance.