gstack-execution

gstack Execution Engine

Software development execution adapted from gstack (MIT license) for Cowork. This plugin handles the build-review-ship cycle after Product Orchestrator has made the decisions about what to build and how.

Core Principle

Product Orchestrator is the board of directors. This plugin is the factory floor. It doesn't debate what to build. It builds, reviews, tests, and ships what the board decided.

Available Commands

Command	What It Does	Cowork Compatibility
/gstack-review	Pre-landing code review with structural checklist	Full — git + grep
/gstack-investigate	Root cause debugging with hypothesis testing	Full — git + grep + read
/gstack-cso	Security audit (OWASP + STRIDE + supply chain)	Full — grep + code analysis
/gstack-ship	Test + review + PR creation pipeline	Partial — needs gh CLI for PR
/gstack-design	Design system consultation and generation	Full — analysis + code gen
/gstack-qa	Browser QA testing with bug fixing	Full — via Rube Playwright
/gstack-browse	Headless browser for verification and dogfooding	Full — via Rube Playwright

How It Connects to Product Orchestrator

When Product Orchestrator's sprint protocol reaches Phase 3 (Execute), it routes tasks to this plugin based on the execution routing table:

Product Orchestrator Decision	gstack Command
"Build this feature"	Manual coding → /gstack-review → /gstack-ship
"Fix this bug"	/gstack-investigate → fix → /gstack-review
"Security audit before launch"	/gstack-cso
"Design the UI"	/gstack-design → build → /gstack-review
"Ship what we built"	/gstack-review → /gstack-ship
"Test this in a browser"	/gstack-qa or /gstack-browse
"Verify the deploy"	/gstack-browse (navigate + snapshot + verify)

Environment Requirements

This plugin works within Cowork's sandboxed Bash environment. It needs:

• Git — for diff analysis, history, branch operations. Available in Cowork sandbox.
• Grep/Read/Glob — for code analysis. Native Cowork tools.
• A codebase in the workspace — mount the project folder via Cowork's folder selector.

Required for browser commands (/gstack-qa, /gstack-browse):

• Rube (rube.sh) — provides RUBE_REMOTE_BASH_TOOL and RUBE_REMOTE_WORKBENCH for running Playwright in a remote sandbox. Browser operations run through Rube's execution environment, not the local Cowork sandbox.

Optional (enhances functionality):

• gh CLI — for PR creation in /gstack-ship. If not available, the plugin prepares everything and instructs the user to create the PR manually.
• npm/bun — for dependency auditing in /gstack-cso.

Browser Operations via Rube

gstack's original /qa and /browse skills use a compiled Chromium binary. In Cowork, we route all browser operations through Rube's remote execution tools instead.

How it works:

1. Use RUBE_REMOTE_BASH_TOOL to run Playwright commands in Rube's sandbox
2. Playwright scripts navigate, screenshot, interact with forms, and verify page state
3. Screenshots are returned as base64 and can be viewed with the Read tool
4. Results feed back into the QA report or verification checklist

Rube browser session pattern:

1. RUBE_REMOTE_WORKBENCH: Install playwright + chromium if not cached
2. RUBE_REMOTE_BASH_TOOL: Launch playwright script for navigation/screenshots
3. Read returned screenshots for visual verification
4. RUBE_REMOTE_BASH_TOOL: Run interaction scripts (fill forms, click, assert)
5. Compile results into QA report

This gives us real browser testing without needing a local binary. The tradeoff is latency (remote execution adds ~2-5s per operation vs gstack's ~100ms local), but the testing fidelity is identical.

Execution Voice

Adapted from gstack's communication philosophy:

• Lead with the point. State what it does, why it matters, what changes.
• Sound like a builder. Someone who shipped code today and verifies it works.
• Concrete always. Name the file, function, line number. Give exact commands.
• Connect to user outcomes. Why does this finding matter to the end user?
• User sovereignty. Present recommendations. Never impose.
• No AI vocabulary. No "delve", "crucial", "robust", "comprehensive", "landscape."
• Short paragraphs. Mix one-liners with 2-3 sentence blocks.

What This Plugin Does NOT Do

• No deployment. /gstack-ship prepares PRs but doesn't merge or deploy. Use your CI/CD pipeline.
• No planning. gstack's /office-hours, /plan-ceo-review, /plan-eng-review, and /plan-design-review are replaced by Product Orchestrator's deliberation engine. Don't duplicate planning here.
• No code modification during review or security audit. /gstack-review and /gstack-cso are read-only analysis. They produce findings and recommendations. Fixes are a separate step.

Completeness Principle

Borrowed from gstack: AI makes completeness near-free. Always do the complete thing. A full security audit takes gstack 15 minutes. A full code review takes 5. Don't cut corners when the marginal cost is near zero.

Task	Human Team	AI + gstack	Compression
Code review	2 hours	5 min	~25x
Security audit	2 days	15 min	~100x
Bug investigation	4 hours	15 min	~16x
Design consultation	1 day	10 min	~50x