feat(workflow): add orchestrator command

README.md

@@ -137,7 +137,11 @@ Canonical workflow state lives under `.agent-surface/workflows/<run_id>/`.
 
 Cursor-specific `.cursor/.workflow/` files are compatibility artifacts only; canonical `.agent-surface` state wins when they disagree.
 
-Start with `/flow` when the right path is unclear. Use `workflow-doctor` before acting on an existing run, and `workflow-close` to archive metrics and unresolved risks after an accepted or aborted run.
+Start with `/flow` when the right path is unclear. For formal workflow mode, start `workflow-orchestrator`; it is the long-running monitor session that spawns BOSS, worker, reviewer, judger, rescue, QA, and close roles until the run has no remaining work or automation must stop. Use `workflow-doctor` before acting on an existing run, and `workflow-close` to archive metrics and unresolved risks after an accepted or aborted run.
+
+`workflow-boss` should queue the largest coherent batch it can specify safely; `workflow-reviewer` gates the batch across AC compliance, security, docs, dependency hygiene, tests, config, and other QA risks before anything reaches `ship-commit`.
+
+`workflow-orchestrator` chooses the next role, provider, model, and launch shape from the ledger, local availability, cost, speed, context, prior outcomes, and required model independence. It records local `agents.json` state and keeps monitoring until the remaining task queue is finished, closed, quarantined, aborted, or handed to a human. It does not replace BOSS, worker, reviewer, judger, rescue, or close role-file ownership.
 
 Workflow-aware workers currently include `dev-feature`, `dev-fix`, `dev-chore`, and `dev-refactor`.
 

commands/boot-new.md

@@ -131,6 +131,8 @@ This command creates the **context infrastructure** that enables smooth vibe cod
     - **Mandatory Hooks**: `trailing-whitespace`, `end-of-file-fixer`, `check-yaml`.
     - **Language Hooks**: `ruff` (Python), `fmt` (Rust), `prettier` (Web).
     - **Go hooks**: `gofumpt`, `goimports`, `go-mod-tidy`, `go-vet`, `golangci-lint`. Use the **active fork** `TekWizely/pre-commit-golang` — the older `dnephin/pre-commit-golang` is archived (upstream abandoned ~2023) and MUST NOT be used for new projects. If the active fork's hook set is insufficient, prefer a `local` hook that calls `make lint` directly rather than pulling in an archived dep.
+    - **Commit message policy**: generate a local `commit-msg` hook that runs `scripts/check-commit-message.sh` and rejects AI attribution, AI co-author trailers, generated-by/generated-with signatures, vendor/tool advertising phrases, and AI-agent names anywhere in commit messages. The blocklist must include at least: `Cursor`, `[email protected]`, `Claude`, `Codex`, `ChatGPT`, `OpenAI`, `Anthropic`, `Gemini`, `Copilot`, `Windsurf`, `Aider`, `Devin`, `Replit Agent`, `Qodo`, `Tabnine`, `Amazon Q`, `CodeWhisperer`, `Sourcegraph Cody`, `Cline`, `Roo Code`, `OpenCode`, `Kilo Code`, `Trae`, `Continue.dev`, `Codeium`, `Augment Code`, and `Zed AI`. The hook must fail closed with a clear error; it must not rewrite the message silently.
+    - **Commit range policy**: generate `scripts/check-commit-range.sh` for CI/pre-push use. It must inspect every commit in a provided rev-list range and reject the same forbidden AI attribution, advertising, and agent-name patterns. This protects against `git commit --no-verify`, injected `git commit --trailer`, and local hook drift. Commit history is not an advertising surface for tool vendors.
 3. **Scaffold Project Rules**:
     - Copy `.cursor/rules/*.mdc` templates into the project's `.cursor/rules/`.
     - Generate `AGENTS.md` at project root for local cross-tool compatibility.
@@ -151,8 +153,9 @@ This command creates the **context infrastructure** that enables smooth vibe cod
 3. **Bootstrap CI (Minimal)**:
     - **Action**: Generate `.github/workflows/ci.yml`.
     - **Logic**: "Fail Fast".
-    - **Steps**: Checkout -> Setup Cache -> Lint (Strict) -> Test (Unit).
+    - **Steps**: Checkout with full history -> Check commit messages with `scripts/check-commit-range.sh` -> Setup Cache -> Lint (Strict) -> Test (Unit).
     - **Constraint**: Pin versions (for example `ubuntu-24.04` or the project-approved runner image, and pinned actions). Do not describe floating `latest` runner tags as pinned.
+    - **GitHub Actions range check**: use `fetch-depth: 0`. For pull requests, check `origin/${GITHUB_BASE_REF}..HEAD`; for pushes, check `${{ github.event.before }}..HEAD` and fall back to `HEAD` when the before SHA is all zeros. This status check is mandatory for protected branches.
 
 ### Phase 7: UI Target Scaffold (web | desktop | mobile)
 

commands/boot-workflow.md

@@ -41,14 +41,19 @@ User invokes command (e.g., "dev-refactor", "arch-roadmap")
      ↑                ↑         ↓       ↓          ↓
 [ops-report] ─→ [dev-fix] ──────┴─ [dev-refactor] ←┘
      ↑                ↑
-       [qa-sec]
+         [qa-sec]
 ```
 
+For formal workflow mode, start `workflow-orchestrator`. It is the long-running monitor that spawns each role session, chooses provider/model/role assignments from quality, cost, speed, context, prior outcomes, and review independence, and stays active until the run is closed, quarantined, aborted, human-blocked, or has no remaining task work. `boot-workflow` remains the workflow map, ledger contract, and role-file reference.
+
 ### Structured workflow (v3 — validated run ledger)
 
 For medium/high-risk tasks requiring formal spec → implement → verify → review cycles. **A round processes a batch of tasks**, not a single task.
 
 ```text
+[workflow-orchestrator] [long-running monitor: choose role + provider/model, spawn, heartbeat, rehydrate]
+    |
+    v
 [workflow-boss] [validated run: run_id + lock + base commit/tree + filescope + tasks[] + batch_policy]
     |
     v

commands/workflow-boss.md

@@ -16,15 +16,16 @@ If essential repo context is missing, run `boot-context` first.
 - **The worker burns through the queue** in dependency order, stopping only on (a) a blocker on the current task, (b) self-assessed context pressure, or (c) the queue going empty.
 - **The reviewer reviews the batch**, emitting per-task verdicts plus an aggregate status.
 - **Single-task runs are still legal** — a queue of one uses the same v3 ledger shape.
-- **Don't over-batch.** Group tasks that share FILESCOPE, contract, or test surface. Don't queue 30 unrelated chores into one BOSS — that defeats reviewer focus.
+- **Maximize coherent batching.** Assign as many related tasks as can be specified safely in one round, constrained by shared FILESCOPE, route, dependency chain, risk, context budget, and verification cost.
+- **Don't over-batch.** Group tasks that share FILESCOPE, contract, or test surface. Don't queue unrelated chores or mixed-risk work into one BOSS — that defeats reviewer focus.
 - **Use workflow only when it earns its overhead.** Direct small edits do not need six roles. Use this path for medium/high-risk, multi-step, cross-file, security-sensitive, or ambiguity-heavy work.
 - **The run ledger is the source of truth.** `run.json` plus `events.ndjson` records state transitions; role files are artifacts, not state authority.
 
 ## PROTOCOL
 
 ### Phase 0: Workflow bootstrap (role files)
 
-- `workflow-boss` is the entrypoint that starts or refreshes workflow mode.
+- `workflow-orchestrator` is the monitored workflow entrypoint. `workflow-boss` is the first spec-owning role it spawns, and it may still be invoked directly for manual respec or recovery.
 - Use the project-local workflow folder: `.agent-surface/workflows/<run_id>/`
 - Write the active-run pointer at `.agent-surface/workflows/current.json`.
 - Treat `.cursor/.workflow/` as a Cursor compatibility surface only. It may mirror latest role files, but it is not canonical.
@@ -72,11 +73,13 @@ If essential repo context is missing, run `boot-context` first.
 Build a list of 1 to N tasks. Each task is independently reviewable, verifiable, and revertable.
 
 - Sort tasks by dependency. Use `depends_on: [task_id, …]` when a task requires the output of an earlier one.
+- Prefer a full useful queue over a tiny handoff. If more related tasks fit the same route, FILESCOPE, and verification surface, include them instead of leaving obvious follow-up tasks for a later BOSS round.
 - Prefer one concern, one testable behavior, one reversible patch per task. Estimate by filescope size, dependency count, and verify cost, not line count.
+- Split the run instead of batching when tasks require different worker routes, unrelated filescopes, incompatible risk levels, or separate human approvals.
 - Each task gets its own `plan` (3–8 steps), `ac`, and `verify` commands.
 - Don't pre-commit the worker to a specific implementation — leave room for judgment, but pin the contract.
 - Each task must be isolatable: require either `patch_required: true` (default) or `commit_required: true` if the user wants per-task commits. Without patch/commit isolation, `MERGE_PARTIAL` is disabled.
-- Default `max_tasks_per_round` to 3 unless the task queue is tiny or low-risk. Larger batches require a short justification.
+- Default `max_tasks_per_round` to 5 for coherent low/medium-risk queues. Use fewer for high-risk, ambiguous, cross-cutting, dependency, data, security, or approval-gated work. Larger batches require a short justification tied to shared filescope and cheap verification.
 
 Keep the process deterministic: route by explicit `workflow.next_command` plus the task queue, not free-form agent debate.
 
@@ -110,7 +113,7 @@ Define when the worker should stop the round:
 
 - `stop_on`: subset of `["blocker", "context_pressure", "queue_empty", "max_tasks_cap", "drift_check"]` (default: all five).
 - `context_pressure_threshold_pct`: heuristic for context budget (default: 70), backed by concrete counters.
-- `max_tasks_per_round`: default 3. Use 5 only for low-risk small tasks; justify anything higher.
+- `max_tasks_per_round`: default 5 for coherent low/medium-risk queues. Use 1–3 for high-risk or unclear work; justify anything higher than 5.
 - `drift_check_every`: re-read BOSS spec after this many completed tasks (default: 5). Catches scope drift before it metastasizes.
 - `timeout_budget_ms`: max elapsed runner time for a round before handoff.
 - Context pressure counters: files opened, total bytes read, commands run, verify cycles, log bytes, failed attempts, elapsed time, and model-reported context usage when available.