agent-conveyor 0.1.13 → 0.1.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -24,6 +24,7 @@ Tools: verification.run_tests, context.fetch_prs
24
24
  Epilogues: draft-pr, record-handoff
25
25
  Cleanup: compact between child boards after saved handoff
26
26
  Evidence gates: child receipt, focused verification, adversarial review, PR/CI/merge or satisfied_on_main
27
+ Final report: record manager closeout proof separately from accepted worker criteria
27
28
  Not allowed: merge without green CI; compact/clear before handoff; run two child boards at once
28
29
  User confirmed: yes
29
30
  ```
@@ -48,6 +49,8 @@ inspection while Dispatch is writing to the same `--path` database.
48
49
  | UX Polish Loop | Worker should iterate on visible UI quality | guided or strict | screenshots, visual diff, browser evidence, `adversarial_check` | compact by default |
49
50
  | Nudge / What's Next Manager | Manager should observe, ask status, and negotiate criteria | guided | manager decision, worker receipt, accepted criteria | off by default |
50
51
  | PR/CI/Merge Ralph Loop | Manager should drive delivery through PR, CI, merge, handoff | strict | PR URL, green CI, merge receipt, adversarial proof | clear after handoff |
52
+ | Autonomous Ship-It Loop | Manager may push, open PRs, monitor CI, fix bounded conflicts, and merge | strict | branch, PR, CI, mergeability, manager decision, merge, post-merge, adversarial proof | clear after handoff |
53
+ | Creative Ops Campaign | One manager should supervise multiple Codex app worker slots for channel-specific creative assets | strict | campaign dashboard, slot lifecycle, assignment receipts, asset review receipts, human publish gate | rotate owned stale workers only |
51
54
 
52
55
  Two support patterns apply across recipes:
53
56
 
@@ -56,6 +59,12 @@ Two support patterns apply across recipes:
56
59
  - **Recovery / Resume / Handoff**: use saved config, handoff, replay, audit,
57
60
  telemetry, and inbox state to resume a managed task safely.
58
61
 
62
+ Across all recipes, accepted criteria should describe worker/task deliverables.
63
+ Manager closeout mechanics such as `finish-task`, `--require-criteria-audit`,
64
+ final task state, heartbeat teardown, and final manager reporting are final
65
+ report or audit evidence. Do not seed them as accepted worker criteria unless
66
+ the task is explicitly Conveyor closeout QA.
67
+
59
68
  ## GoalBuddy Conveyor
60
69
 
61
70
  Use this when the user says things like "make GoalBuddy boards", "run the
@@ -248,6 +257,150 @@ sequenceDiagram
248
257
  M->>W: Clear after saved handoff and worker_compact_clear permission
249
258
  ```
250
259
 
260
+ ## Autonomous Ship-It Loop
261
+
262
+ Use this when the operator explicitly wants a manager-worker pair to ship a
263
+ bounded repo task through branch push, PR creation, CI monitoring, conflict
264
+ repair, and merge. This recipe is stricter than a PR/CI/Merge Ralph loop:
265
+ green CI is necessary, but never sufficient. The manager must also record a
266
+ fresh mergeability check, an explicit manager merge decision, the merge receipt,
267
+ post-merge verification, and structured adversarial proof.
268
+
269
+ Suggested setup:
270
+
271
+ ```bash
272
+ conveyor loop-templates --create-run "$TASK" \
273
+ --template ship_it_loop \
274
+ --max-iterations 2 \
275
+ --current-iteration 1 \
276
+ --json
277
+
278
+ conveyor manager-config "$TASK" \
279
+ --mode strict \
280
+ --objective "Ship the bounded repo task through branch, PR, CI, conflict handling, manager merge decision, merge, and post-merge verification." \
281
+ --acceptance "Branch, PR URL, green CI, clean mergeability, manager merge decision, merge receipt, post-merge verification, and adversarial proof are recorded before closeout." \
282
+ --acceptance "Blocked conflict loops stop with retry count, last sanitized evidence, and next exact operator action." \
283
+ --permit repo.push_branch \
284
+ --permit repo.open_pr \
285
+ --permit repo.monitor_ci \
286
+ --permit repo.resolve_conflicts \
287
+ --permit repo.merge_green_pr \
288
+ --allow-worker-compact-clear \
289
+ --tool verification.run_tests \
290
+ --tool context.fetch_prs
291
+ ```
292
+
293
+ Conversation storyboard:
294
+
295
+ ```mermaid
296
+ sequenceDiagram
297
+ participant M as Manager
298
+ participant D as Dispatch
299
+ participant W as Worker
300
+ M->>W: Ask for bounded implementation and local proof
301
+ W->>D: completion event with branch/test receipt
302
+ D->>M: worker_task_complete notification
303
+ M->>M: Verify diff, branch receipt, and push authority
304
+ M->>M: Open PR only with repo.open_pr permission
305
+ M->>M: Monitor CI and mergeability; request conflict fixes only within policy
306
+ M->>M: Record explicit manager_merge_decision
307
+ M->>M: Merge only with repo.merge_green_pr plus post-merge/adversarial proof
308
+ ```
309
+
310
+ Fail closed on these conditions:
311
+
312
+ - no explicit permission for the requested repo side effect;
313
+ - CI green but mergeability, manager decision, or post-merge proof is missing;
314
+ - conflict retries reach the configured limit;
315
+ - a worker proposes merge based only on its own completion claim;
316
+ - the live manager/worker transcript is not reviewable through the app or tmux
317
+ session.
318
+
319
+ Local proof:
320
+
321
+ ```bash
322
+ conveyor qa-plan ship-it-loop
323
+ conveyor qa-run ship-it-loop --receipt-output /tmp/ship-it-loop-receipt.json --json
324
+ ```
325
+
326
+ ## Creative Ops Campaign
327
+
328
+ Use this when one manager should coordinate multiple Codex app worker sessions
329
+ for channel-specific creative work such as YouTube, TikTok, LinkedIn, Facebook,
330
+ image generation prompts, HyperFrames scripts, or reviewable copy drafts.
331
+ This recipe layers campaign state on top of ordinary manager/worker sessions:
332
+ workers remain visible app or tmux sessions, while the campaign record tracks
333
+ slots, channel briefs, assignments, asset receipts, blockers, and review state.
334
+
335
+ Suggested setup:
336
+
337
+ ```bash
338
+ conveyor campaign create \
339
+ --name "$CAMPAIGN" \
340
+ --objective "Produce reviewable creative assets across named channels." \
341
+ --json
342
+
343
+ conveyor campaign add-slot \
344
+ --name "$CAMPAIGN" \
345
+ --slot-key tiktok \
346
+ --role-label "TikTok worker" \
347
+ --channel tiktok \
348
+ --thread-id "$TIKTOK_THREAD_ID" \
349
+ --thread-title "TikTok Campaign Worker" \
350
+ --state active \
351
+ --json
352
+
353
+ conveyor campaign brief \
354
+ --name "$CAMPAIGN" \
355
+ --channel tiktok \
356
+ --brief-json '{"format":"9:16","review_gate":"human approval before publish"}' \
357
+ --json
358
+
359
+ conveyor dashboard --campaign "$CAMPAIGN" --ensure-dispatch
360
+ ```
361
+
362
+ Manager operating loop:
363
+
364
+ ```bash
365
+ conveyor campaign dashboard --name "$CAMPAIGN" --json
366
+ conveyor campaign assign --name "$CAMPAIGN" --slot "$SLOT_ID" \
367
+ --title "Draft first-pass TikTok hooks" \
368
+ --instructions "Create reviewable draft copy only; do not publish." \
369
+ --status active --json
370
+ conveyor campaign asset --name "$CAMPAIGN" --slot "$SLOT_ID" \
371
+ --assignment "$ASSIGNMENT_ID" --asset-type copy \
372
+ --title "TikTok hooks v1" --status needs_review \
373
+ --prompt-summary "Sanitized prompt summary only." --json
374
+ ```
375
+
376
+ Evidence gates:
377
+
378
+ - `campaign dashboard --name "$CAMPAIGN" --json` shows every active worker
379
+ slot, lifecycle state, blockers, approval counts, and `next_manager_action`.
380
+ - Each worker task has a slot-scoped `campaign assign` receipt before work
381
+ starts and at least one `campaign asset` receipt before it can be reviewed.
382
+ - Human approval is required before public publishing, scheduling, or posting.
383
+ Use `approved` or `published` asset receipt statuses only to record actual
384
+ review outcomes; they are not permission to publish by themselves.
385
+ - Stale or context-heavy Codex app workers are rotated only through
386
+ `campaign rotate-slot` with the exact current `--expected-thread-id`.
387
+ - Finished or replaced workers are archived only through `campaign archive-slot`
388
+ with the exact current `--expected-thread-id`.
389
+
390
+ Fail closed on these conditions:
391
+
392
+ - the manager cannot see the worker slot in `campaign dashboard`;
393
+ - a worker thread id does not match the slot before rotate/archive;
394
+ - a worker asks to publish or schedule without explicit human approval;
395
+ - raw screenshots, private phone content, tokens, JWTs, keys, audio, or
396
+ unsanitized transcripts would be committed as receipts;
397
+ - dogfood proof is missing but the manager tries to claim the campaign system
398
+ is fully validated.
399
+
400
+ This recipe is ready for local dry runs and controlled dogfood. Treat final
401
+ dogfood success as a separate evidence task: the recipe can configure the loop,
402
+ but it does not by itself prove that a real campaign finished.
403
+
251
404
  ## Inbox / No-Tmux App Loop
252
405
 
253
406
  When a manager or worker is a Codex app session without a tmux pane, Dispatch
@@ -271,6 +424,14 @@ there is no next worker task, the manager should record the terminal decision,
271
424
  run `conveyor finish-task "$TASK" --require-criteria-audit`, and explicitly
272
425
  report heartbeat teardown status. If the task or binding still appears active,
273
426
  report that as a control-plane blocker instead of calling the loop complete.
427
+ That closeout proof belongs in the manager final report or audit receipts, not
428
+ as a blocking accepted criterion for the worker.
429
+
430
+ For operator review, the live app or tmux session is the primary transcript.
431
+ Any consumed inbox item must be visible in that same session while the turn is
432
+ running: print `CONVEYOR POLL`, `CONVEYOR RECEIVED`, `WORK`, `CONVEYOR SEND`,
433
+ and `DISPATCH` sections. A one-line idle receipt is acceptable only when no
434
+ item is consumed.
274
435
 
275
436
  When the manager is running in the Codex app and thread tools are available,
276
437
  create fresh same-project manager and worker threads with `create_thread`, set
@@ -315,6 +476,9 @@ heartbeat policy and emit the exact Codex app heartbeat automation specs plus a
315
476
  bounded Dispatch watch command. `app-autopilot stop` records the teardown policy
316
477
  decision; it does not itself delete Codex app automations because that action
317
478
  belongs to the Codex app automation layer.
479
+ The emitted heartbeat prompts include the visible-session protocol; do not
480
+ replace them with compact prompts that hide consumed work behind SQLite or
481
+ replay.
318
482
  Each operator pulse should inspect `app-autopilot status --json`; if
319
483
  `plan.quiescence.recommended_action` is `stop_autopilot`, record
320
484
  `app-autopilot stop`, pause/delete the app heartbeat automations, and report the
@@ -334,6 +498,24 @@ record each outcome with `app-wakeup-record-delivery` linked to the dispatch
334
498
  receipt. Record healthy roles as `skipped` and missing-thread roles as
335
499
  `blocked`; do not treat the app-thread send as task completion.
336
500
 
501
+ For worker context cleanup in Codex app sessions, prefer fresh-worker rotation
502
+ over remote slash commands. Run:
503
+
504
+ ```bash
505
+ conveyor app-worker-rotation-plan "$TASK" \
506
+ --old-worker-thread-id "$OLD_WORKER_THREAD_ID" \
507
+ --require-handoff \
508
+ --json
509
+ ```
510
+
511
+ Only act on plans where `eligible=true`. First create the replacement worker
512
+ thread with the emitted prompt, then archive exactly the
513
+ `archive_old_worker_thread.thread.id` from the plan, and finally record the
514
+ result with the emitted `record_command`. Conveyor re-checks that the old thread
515
+ still belongs to the active bound worker before updating the worker session to
516
+ the new thread id. Never archive a manager thread, an unrelated worker thread,
517
+ or any thread id that did not come from the current rotation plan.
518
+
337
519
  The saved dogfood example is
338
520
  `docs/goals/live-codex-app-inbox-drill/notes/T001-live-drill.md`. It proves
339
521
  manager-to-worker `nudge_worker` delivery and worker-to-manager
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "agent-conveyor",
3
- "version": "0.1.13",
3
+ "version": "0.1.15",
4
4
  "description": "Local agent manager/worker conveyor control plane for Codex sessions.",
5
5
  "license": "MIT",
6
6
  "type": "module",
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: manage-codex-workers
3
- description: Use when the user asks to set up an Agent Conveyor Ralph loop, register an existing Codex session as a worker or manager, create a supervised task, bind a pair, run observation cycles, send nudges, interrupt busy-waits, finish a task, or audit/replay supervision history.
3
+ description: Use when the user asks to set up an Agent Conveyor Ralph loop or autonomous ship-it loop, register an existing Codex session as a worker or manager, create a supervised task, bind a pair, run observation cycles, send nudges, interrupt busy-waits, finish a task, or audit/replay supervision history.
4
4
  ---
5
5
 
6
6
  # Manage Codex Workers
@@ -28,6 +28,26 @@ Max iterations: <number, default 3>
28
28
  Require adversarial proof before another worker iteration.
29
29
  ```
30
30
 
31
+ For repo delivery where the user explicitly grants branch, PR, CI, conflict,
32
+ and merge authority, use the `ship-it-loop` recipe and `ship_it_loop` template
33
+ instead of a generic Ralph loop:
34
+
35
+ ```text
36
+ Use the manage-codex-workers skill.
37
+
38
+ Set up a Codex app autonomous ship-it loop for <bounded repo task>.
39
+ Manager may push a branch, open a PR, monitor CI, resolve bounded conflicts,
40
+ and merge only after explicit manager merge evidence.
41
+ Max iterations: <number, default 2>
42
+ ```
43
+
44
+ For creative-ops work where the user wants one manager to supervise multiple
45
+ Codex app workers across channels such as YouTube, TikTok, LinkedIn, Facebook,
46
+ image generation, HyperFrames, or copy drafts, use the Creative Ops Campaign
47
+ recipe. It should create campaign records, worker slots, channel briefs,
48
+ slot-scoped assignments, asset receipts, and dashboard status proof. It must
49
+ not imply public publishing or scheduling without explicit human approval.
50
+
31
51
  Skill behavior:
32
52
 
33
53
  1. Work from `/Users/neonwatty/Desktop/codex-terminal-manager`.
@@ -42,10 +62,19 @@ Skill behavior:
42
62
  `fork_thread` unless the user explicitly asks to fork or resume this exact
43
63
  conversation. If the current thread is explicitly acting as the manager,
44
64
  use the current thread as manager and create only the worker thread.
45
- 5. Create the no-tmux binding with `conveyor create-disposable-binding`
46
- using `--template` when a template is known, `--adversarial`, a bounded
47
- `--max-iterations`, and `--json`. When step 4 produced app thread ids, pass
48
- them through `--manager-codex-app-thread-id`,
65
+ 5. Create the no-tmux binding with `conveyor create-disposable-binding`.
66
+ For same-thread Codex app visible-session loops, prefer
67
+ `--template app_visible_build_loop` for build/test dogfood or a custom
68
+ `--required-before-continue adversarial_check` gate; do not choose
69
+ cleanup-gated templates such as `build_then_clear` or
70
+ `compact_then_continue` unless the setup creates a fresh worker thread per
71
+ iteration or has a concrete app-session cleanup receipt path. For an
72
+ operator-approved ship-it loop, use `--template ship_it_loop`, save the
73
+ `ship-it-loop` manager recipe, and require branch, push, PR, CI,
74
+ mergeability, manager merge decision, merge, post-merge, and
75
+ `adversarial_check` receipts before merge or closeout. Use `--adversarial`,
76
+ a bounded `--max-iterations`, and `--json`. When step 4 produced app thread
77
+ ids, pass them through `--manager-codex-app-thread-id`,
49
78
  `--manager-codex-app-thread-title`, `--worker-codex-app-thread-id`, and
50
79
  `--worker-codex-app-thread-title` so Conveyor can surface app identities in
51
80
  `sessions`, `discover`, and setup JSON. If app thread tools are not
@@ -100,6 +129,13 @@ Idle polling rule for Codex app/no-tmux sessions:
100
129
  one-iteration Dispatch run before treating the worker pass as reported. A
101
130
  direct Codex app final answer is local thread text; it does not notify the
102
131
  manager inbox or prove the manager saw the result.
132
+ - The actual manager and worker sessions are the primary human-reviewable
133
+ transcript. SQLite, replay, and status commands are audit proof, not a
134
+ substitute for visible work. When a manager or worker consumes an inbox item,
135
+ it must print live session sections before acting and before final answer:
136
+ `CONVEYOR POLL`, `CONVEYOR RECEIVED`, `WORK`, `CONVEYOR SEND`, and
137
+ `DISPATCH`. Idle polls may end with one short `CONVEYOR IDLE` receipt, but
138
+ consumed work must never be handled silently or only summarized later.
103
139
  - Prefer `conveyor app-autopilot start <task> --json` from the operator or
104
140
  manager session when setting up a Codex app/no-tmux pair for autonomous
105
141
  heartbeat management. It records a durable pair-level heartbeat policy and
@@ -134,6 +170,16 @@ Idle polling rule for Codex app/no-tmux sessions:
134
170
  `--delivery-status skipped`; for `blocked_missing_thread`, record
135
171
  `--delivery-status blocked`. These delivery receipts audit app-thread wake
136
172
  attempts; they do not replace Dispatch inbox, heartbeat, or task evidence.
173
+ - For Codex app/no-tmux worker cleanup, do not rely on sending `/compact` or
174
+ `/clear` with `send_message_to_thread`; that arrives as ordinary prompt text.
175
+ Prefer `conveyor app-worker-rotation-plan <task> --old-worker-thread-id
176
+ <active-worker-thread-id> --require-handoff --json`. Only if the plan reports
177
+ `eligible=true`, create the replacement worker thread from the emitted
178
+ `create_replacement_worker_thread.prompt`, archive exactly the emitted
179
+ `archive_old_worker_thread.thread.id`, then run the emitted
180
+ `app-worker-rotation-record` command with the new thread id/title. The
181
+ manager must never archive a thread that is not the active bound worker in the
182
+ current plan.
137
183
  - For bounded Ralph loops, treat `ralph_loop_iteration_advanced` telemetry as
138
184
  the receipt that a worker actually consumed and began the requested
139
185
  iteration.
@@ -457,7 +503,10 @@ compact progress summary and likely next steps in SQLite. Use `manager-config`
457
503
  to save what the manager should check against, how structured supervision
458
504
  should be, acceptance criteria, planning/PRD/mockup references, and permissions
459
505
  such as `--allow-pr`, `--allow-merge-green`, and
460
- `--allow-worker-compact-clear`.
506
+ `--allow-worker-compact-clear`. For ship-it loops, also use explicit
507
+ `--permit repo.push_branch`, `--permit repo.monitor_ci`, and
508
+ `--permit repo.resolve_conflicts`; never imply these from a general request to
509
+ "ship it."
461
510
 
462
511
  ## Manager Recipes
463
512
 
@@ -471,6 +520,9 @@ First-draft recipes:
471
520
 
472
521
  - `GoalBuddy Conveyor` — one parent board, one active child board, PR/CI/merge
473
522
  or `satisfied_on_main` proof, and parent receipt update before the next child.
523
+ - `Creative Ops Campaign` — one manager supervises multiple named worker slots
524
+ for channel-specific creative assets using campaign state, dashboard status,
525
+ assignment receipts, asset review receipts, and human publish gates.
474
526
  - `Test Coverage Loop` — require test coverage evidence plus structured
475
527
  adversarial proof before another worker pass.
476
528
  - `UX Polish Loop` — require browser/screenshot/visual-diff evidence plus
@@ -479,6 +531,9 @@ First-draft recipes:
479
531
  nudge sparingly, and keep permissions minimal.
480
532
  - `PR/CI/Merge Ralph Loop` — manage PR readiness, CI, fixes, merge, handoff,
481
533
  and compact/clear receipts.
534
+ - `Autonomous Ship-It Loop` — push branch, open PR, monitor CI, handle bounded
535
+ conflicts, and merge only after manager-owned mergeability, merge decision,
536
+ post-merge, and adversarial evidence.
482
537
 
483
538
  Support patterns:
484
539
 
@@ -504,10 +559,16 @@ the human interaction in the Codex chat where the user is already working and
504
559
  keeps SQLite writes explicit. Use `manager-config --interactive` only as a
505
560
  terminal fallback for a human running `conveyor` directly.
506
561
 
507
- Before instructing high-level actions such as PR creation, green PR merge, or
508
- worker compact/clear, check the saved policy:
562
+ Before instructing high-level actions such as branch push, PR creation, CI
563
+ monitoring, conflict resolution, green PR merge, or worker compact/clear, check
564
+ the saved policy:
509
565
 
510
566
  ```bash
567
+ conveyor manager-permission my-task repo.push_branch --require
568
+ conveyor manager-permission my-task repo.open_pr --require
569
+ conveyor manager-permission my-task repo.monitor_ci --require
570
+ conveyor manager-permission my-task repo.resolve_conflicts --require
571
+ conveyor manager-permission my-task repo.merge_green_pr --require
511
572
  conveyor manager-permission my-task worker_compact_clear \
512
573
  --require-handoff --require
513
574
  ```
@@ -538,6 +599,11 @@ This command checks `worker_compact_clear`, requires a saved handoff, records a
538
599
  durable command, and sends Codex `/compact` to the worker's tmux pane. Use
539
600
  `--clear` for `/clear`, or `--prompt-only` to send the conservative
540
601
  verify/update-handoff prompt instead of a slash command.
602
+ For Codex app workers, use app worker rotation instead of this tmux slash path:
603
+ `conveyor app-worker-rotation-plan my-task --old-worker-thread-id
604
+ <active-worker-thread-id> --require-handoff --json`, followed by Codex app
605
+ `create_thread`, exact old-worker `set_thread_archived`, and
606
+ `app-worker-rotation-record`.
541
607
 
542
608
  ## Manager Loop Pattern
543
609
 
@@ -581,6 +647,43 @@ child board active, require PR/CI/merge or `satisfied_on_main` proof before
581
647
  marking a child done, and update the parent receipt before activating the next
582
648
  child.
583
649
 
650
+ Natural-language requests such as "run a multi-channel creative ops campaign",
651
+ "have one manager coordinate YouTube, TikTok, LinkedIn, and Facebook workers",
652
+ "generate imagery, HyperFrames, videos, and copy across channels", or "use
653
+ multiple first-time manager guys and girls" should resolve to the Creative Ops
654
+ Campaign recipe unless the user chooses a custom policy. The manager should:
655
+
656
+ 1. Create or reuse a campaign with `conveyor campaign create`.
657
+ 2. Create one worker slot per channel or discipline with `campaign add-slot`,
658
+ preserving Codex app thread ids/titles when available.
659
+ 3. Record structured channel briefs with `campaign brief`.
660
+ 4. Assign work with `campaign assign` before asking a worker to produce assets.
661
+ 5. Record worker output with `campaign asset` using sanitized prompt summaries,
662
+ asset type, review status, and safe artifact paths.
663
+ 6. Use `campaign dashboard --name <campaign> --json` or
664
+ `dashboard --campaign <campaign>` as the manager status surface.
665
+ 7. Rotate stale/context-heavy workers only with `campaign rotate-slot` and an
666
+ exact `--expected-thread-id`; archive only with `campaign archive-slot` and
667
+ the exact current thread id.
668
+ 8. Treat public publishing, scheduling, posting, external account access,
669
+ private phone content, raw audio, tokens, JWTs, keys, archives, and IPAs as
670
+ human-gated or forbidden unless the operator explicitly approves the narrow
671
+ action.
672
+
673
+ Do not claim that the campaign system is fully dogfooded merely because the
674
+ recipe was configured. Final campaign dogfood requires dashboard proof, asset
675
+ receipts, manager review decisions, and a separate dogfood receipt or blocker.
676
+
677
+ Natural-language requests such as "ship this autonomously", "let the manager
678
+ open the PR and merge when green", or "have the manager handle conflicts and
679
+ merge" must resolve to the `ship-it-loop` recipe or an explicit custom policy.
680
+ Use `conveyor qa-plan ship-it-loop` to retrieve the permission boundaries,
681
+ correlation markers, lifecycle evidence template, and negative QA checks. The
682
+ manager must record `branch_ready`, `branch_pushed`, `pr_url`, `ci_green`,
683
+ `mergeability_clean`, `manager_merge_decision`, `merge`,
684
+ `post_merge_verification`, and structured `adversarial_check` evidence before
685
+ treating the loop as merge-ready. CI green is not a merge decision.
686
+
584
687
  ```bash
585
688
  conveyor cycle my-task
586
689
  # {
@@ -652,6 +755,11 @@ Acceptance criteria are living supervision state, not just setup text. Inspect
652
755
  versus follow-up.
653
756
  - Record current-task criteria as proposed or accepted, and record follow-up
654
757
  criteria as deferred.
758
+ - Keep manager closeout/control-plane proof out of accepted worker criteria.
759
+ Items such as `finish-task`, `--require-criteria-audit`, final task state,
760
+ heartbeat teardown, and final manager reporting belong in the manager final
761
+ report, audit, replay, or epilogue evidence unless the task is explicitly
762
+ Conveyor closeout QA.
655
763
  - Use `conveyor criteria` to accept, satisfy, defer, or reject
656
764
  criteria as evidence accumulates.
657
765
  - Before finishing, compare the worker's receipts and verification against all
@@ -796,6 +904,31 @@ etc.) run `conveyor db-doctor --live`.
796
904
  current manager is a Codex app session with thread tools, send only
797
905
  `send_ready=true` wake prompts with `send_message_to_thread`, then record the
798
906
  outcome with `app-wakeup-record-delivery`.
907
+ - "fresh worker", "clear app worker", or "rotate Codex app worker": require a
908
+ saved worker handoff, run `app-worker-rotation-plan` with the active bound
909
+ worker thread id, create a new same-project worker thread from the emitted
910
+ prompt, archive only the exact old worker thread id emitted by the plan, and
911
+ record with `app-worker-rotation-record`. If the plan is blocked or the old
912
+ id does not exactly match the active bound worker, stop and report the
913
+ blocker.
914
+ - "set up a Creative Ops Campaign", "run a multi-channel campaign", or "one
915
+ manager with multiple channel workers": use the Creative Ops Campaign recipe;
916
+ create or reuse a campaign, add one slot per channel or discipline, record
917
+ briefs, assign work before worker prompts, require `campaign asset` receipts
918
+ for outputs, run `campaign dashboard --name <campaign> --json` for manager
919
+ status, and require exact-thread `campaign rotate-slot`/`campaign
920
+ archive-slot` for owned worker cleanup. Do not publish or schedule without
921
+ explicit human approval.
922
+ - "set up an autonomous ship-it loop", "ship this through PR and merge", or
923
+ "merge when green": resolve to `ship-it-loop` unless the user explicitly
924
+ chooses a custom policy. Show the locked recipe summary, require explicit
925
+ operator confirmation for `repo.push_branch`, `repo.open_pr`,
926
+ `repo.monitor_ci`, `repo.resolve_conflicts`, and `repo.merge_green_pr`, then
927
+ create or use a `ship_it_loop` run. Before merge, require fresh CI,
928
+ mergeability, manager merge decision, merge receipt, post-merge verification,
929
+ and adversarial proof receipts. If conflict retries hit the configured limit,
930
+ block with sanitized evidence and the next exact action instead of continuing
931
+ to wake the worker.
799
932
  - "register this Codex session as the worker for dashboard setup <CODE>":
800
933
  derive `dashboard-<CODE>-worker`, run `conveyor doctor-self`, then
801
934
  `conveyor register-worker --name dashboard-<CODE>-worker --pid <PID> --cwd <CWD> --tmux-session <SESSION>`.
@@ -833,6 +966,8 @@ conveyor qa-plan emergent-criteria
833
966
  conveyor qa-plan emergent-criteria --json
834
967
  conveyor qa-plan tmux-errors
835
968
  conveyor qa-plan tmux-errors --json
969
+ conveyor qa-plan ship-it-loop
970
+ conveyor qa-run ship-it-loop --receipt-output /tmp/ship-it-loop-receipt.json --json
836
971
  ```
837
972
 
838
973
  Use `emergent-criteria` when validating a real worker/manager pair through
@@ -1,5 +1,5 @@
1
1
  interface:
2
2
  display_name: "Manage Codex Workers"
3
- short_description: "Manage tmux-backed Codex workers"
4
- default_prompt: "Use $manage-codex-workers to start, supervise, or stop a Codex worker with conveyor."
3
+ short_description: "Manage Codex app or tmux workers"
4
+ default_prompt: "Use $manage-codex-workers to start, supervise, rotate, or stop Codex worker sessions with conveyor."
5
5
  brand_color: "#2563EB"