Multi-Agent Autonomous Development: Aileron's Internal Build Stack

The only blocking gate. task test in connector repos, go test ./… + project-specific checks elsewhere. Runs inside the coder’s microVM after the diff is staged, then again in CI on the pushed branch. A failing test means the coder loops back to its plan or escalates plan-violation to the planner. The reviewer is advisory; the validator is law.

Owns .claude/projects/<repo>/memory/ and per-role memory files. Reconciles new learnings from completed tasks back into project memory, dedupes, prunes stale entries. Read-mostly; writes only to memory paths. Runs after merge, not during the build loop. Justification: without this, every parallel agent re-learns the same lessons.

When two coders’ branches conflict, the integrator rebases one onto the other, regenerates generated files (not hand-merges them), re-runs tests, force-pushes. Same patterns as ~/.claude/CLAUDE.md’s shepherd loop, generalized across parallel branches. Phase 3 because we need to first prove a single planner/coder/reviewer triplet works before adding a fourth role.

One cmux workspace per active development task. Inside the workspace, each role is a pane: planner pane, coder pane, reviewer pane, log/notification pane. The sidebar surfaces the git branch, PR status, and last cmux notify per workspace — so we glance once and see whether any agent wants attention. We do not rely on cmux for orchestration; it’s the surface.

Each task gets its own worktree under .claude/worktrees/<task-slug> on a per-task branch. Single-threaded writes per worktree is the Cognition invariant: only one coder agent touches a given worktree. Reviewers and planners read across worktrees; writers stay inside theirs.

Each worktree mounts into a containerized environment chosen via the wrapper’s —container-runtime selector: Docker sbx microVMs (default, strongest local isolation), Dagger container-use, Podman, or any other backend the wrapper supports. Default-deny egress with an allowlist (registry.npmjs.org, api.anthropic.com, api.openai.com, github.com IPs, our own infra). Read-only host mounts except for the worktree path. No host credentials inside the container; OAuth tokens and API keys live on the host and are injected via the same boundary-injection pattern we sell in v4. Eventually the wrapper’s —mediation aileron selector loads Aileron-runtime as the in-container mediation layer — same shape we ship to customers, closing the customer-zero loop literally.

Inside the container, agents run claude —dangerously-skip-permissions or codex exec —yolo —json. We turn the CLI’s own sandbox off on purpose because the container is the perimeter — double-sandboxing produces opaque permission errors (Codex’s docs are explicit on this). Outside a container, this would be unsafe. Inside, it’s the right setting.

Planner runs /ce-plan, which writes a CE plan to docs/plans/YYYY-MM-DD-NNN-<type>-<slug>-plan.md with Implementation Units, per-unit files, test scenarios, and verification. Coder runs /ce-work-beta <plan-path>, which reads the plan in full and dispatches its units (with our microVM at $SANDBOX_FLAG). The full plan crosses the boundary — never a summary; CE polls its JSON output schema rather than a marker file.

Coder opens the PR with the conventional-commit title and Summary/Test plan body. The reviewer subscribes to pull_request events on our repos (GitHub webhook → small dispatcher) and spawns a fresh review microVM with read-only mounts. Reviewer posts findings via gh pr review. Async, non-blocking on tests.

Tests green + reviewer findings ≤ medium severity → coder auto-merges with gh pr merge —squash —admin —delete-branch (our family convention). Findings ≥ high → cmux notification to the human; merge held. Phase 0 keeps every merge under human review; phases below describe when we relax that.

Every documented Claude Code skip-permissions incident (the Oct 2025 rm -rf / and the Dec 2025 home-directory wipe) happened outside a real isolation boundary. Inside a microVM, the worst case is a corrupted ephemeral filesystem we discard. Skip-permissions is safe only because of the layer below it.

Cognition’s rule, learned the expensive way. Multiple coders never write to the same worktree. The integrator role (phase 3) is the only place merges happen, and it serializes them.

Typed envelopes carry the planner’s complete reasoning, not a summary. The coder sees what the planner saw. The reviewer sees the planner’s envelope and the coder’s diff. The 17× error-amplification reports from bag-of-agents systems are downstream of summarization-at-boundaries; we avoid the failure by not summarizing.

Reviewer agents are advisory by design. A reviewer-as-blocker introduces a rubber-stamping risk (the reviewer learns to pass everything because nothing else does) and a deadlock risk (two LLMs disagree, no escalation path). Tests are the law. Reviewer findings inform human attention prioritization. How the supervisor operationalizes this: the reviewer phase calls gh pr review —comment (never —approve or —request-changes); the comment body shows severity + count only (never finding titles, to prevent the reviewer’s output from steering the human’s read of the PR); the auto-merge gate evaluates tests-green via gh api check-suites independently of any reviewer signal. The reviewer cannot block a merge; tests can.

The same shape Aileron sells: credentials live at the boundary, injected per request. The microVM holds API keys for the LLM provider it’s using — nothing else. GitHub tokens injected at git push time via the host’s gh CLI proxied into the VM. This is exactly the v4 credential-sealing model applied to our own dev loop.

Steve Yegge’s Gas Town reportedly burns ~$100/hour at 12-30 parallel Claude agents. We set a per-task dollar ceiling (envelope field budget_usd) and a per-day workspace ceiling; the coder exits with budget-exhausted when crossed. Cheap to add early, expensive to retrofit.

The loop is /last30days <topic> → /ce-plan → /ce-work-beta (with the microVM at $SANDBOX_FLAG) → tests → PR. The microVM is in place from day one — we are not running CE against the host and then “adding containers later,” because the trust boundary is what makes skip-permissions safe. The plan acts as the leash: it forces the coder to commit to an approach with acceptance criteria and stops it from quietly redesigning mid-build. Exit met: three CE-driven PRs landed — this strategy doc’s own Phase 0–2 rewrite (aileron-internal#34), the wrapper itself (aileron-tools#1), and the supervisor (aileron-tools#4).

CE’s /ce-brainstorm and /ce-plan phases ran on the host; handoff <plan-path> dispatched the work to a containerized Claude session running /ce-work-beta. Phase 2 and 3 absorbed and operationalized the host-side phases (see below), so handoff is now an internal primitive the supervisor’s coder phase delegates to, rather than a user-facing entry point. Honest about gaps: v0 is env-var credential injection (not per-request boundary injection); no egress allowlist; no in-container shell mediation. v1 swaps in aileron-runtime as the in-container mediation layer when it’s ready to host arbitrary agents — a backend flip, not a rewrite.

The aileron-agent supervisor in aileron-tools/bin/aileron-agent chains four role-tuned containers per task — brainstormer (Opus, interactive TTY), planner (Opus, headless, —disallowedTools AskUserQuestion), coder (delegates to handoff), reviewer (Sonnet, read-only worktree mount, —output-format json). Role configs live at aileron-tools/roles/<role>/{CLAUDE,AGENTS}.md and are mounted read-only into each phase’s container at /opt/aileron-tools-roles/; the read-only mount is the trust boundary preventing in-container tampering. The aileron-pipeline wrapper-skill plugin (aileron-tools/plugins/aileron-pipeline/) routes pipeline-mode invocations to /ce-brainstorm or /ce-plan per AILERON_PHASE, suppressing the post-generation menus that would otherwise block headless runs. Exit met: the kickoff is aileron-agent task <slug> —idea ”…” — one command opens the brainstorm dialogue, the supervisor detaches after the requirements doc lands, the rest of the chain runs headless. The old ~/.zshrc cmux launcher snippet was removed (PR #45+#46) — cmux panes now land in plain shell, the supervisor brings up Claude only inside the brainstormer container.

The reviewer phase runs as part of the supervisor’s chain (not a separate webhook subscription) — same shape, simpler ops. Auto-merge fires when four deterministic gates pass: tests-green via gh api /repos/…/check-suites (bounded poll on pending; CodeRabbit filtered out of the tests-green set and evaluated separately); CodeRabbit-clean when present; path policy via gh pr diff —name-only against a hardcoded V0 allowlist (docs/*, *.md, README*, CHANGELOG*, Gemfile.lock, package-lock.json, go.sum); the soak threshold (AILERON_AGENT_SOAK_THRESHOLD=0 opts in). The merge token (AILERON_AGENT_MERGE_TOKEN) is host-side and never enters any container; it’s guarded by a default-deny repo allowlist (AILERON_AGENT_MERGE_REPO_ALLOWLIST). Reviewer findings are advisory only — the comment body shows severity + count, never finding titles — consistent with invariant 4 below. Exit met for landing the capability; the operational measurement of ”≥ 50% of PRs auto-merged with no production regressions” only starts after the user opts into the soak ramp.

Run 4-5 parallel task workspaces, each with its own chain. Add the integrator role when conflicts start showing up. Measure throughput, merge rate, cost per merged PR. Exit: sustained 4-task parallelism for a week with cost under target.

Introduce the librarian after merge to reconcile new learnings into .claude/projects/<repo>/memory/. Split memory files by role (planner_memory, coder_memory, reviewer_memory) so each role only loads what it needs. Exit criterion is open — this is where the stack starts to compound.

Managed Agents (gVisor isolation, default-deny egress, scoped /workspace) is the production-grade hosted path. Tradeoff: lower setup cost vs. less control and a dependency on Anthropic’s plumbing. Recommendation: local for phase 0-2, evaluate Managed for phase 4+.

Per-repo policy file declares which paths are auto-mergeable (docs, action.md, README, generated files) and which require human review (runtime/, shell-mediation/, credential paths). Reviewer agent surfaces the policy decision in its findings.

If two agents in parallel workspaces both want to update project memory, who wins? Open question: serialize memory writes through the librarian (phase 5), or allow per-workspace memory branches that merge later?

If Gas Town’s $100/hr at 12 agents is representative, the cost per merged PR could exceed the engineering cost it replaces. Phase 4’s exit criterion is “cost under target” — we set that target before phase 4 starts (proposal: $5 per merged PR median, $20 ceiling).

Cross-provider review (Claude reviewing Codex) is more robust than same-provider, but the failure mode is real. Mitigation: periodic adversarial test PRs (intentional bugs) seeded by the human to verify the reviewer catches them. If catch rate drops below 80%, escalate or rotate models.

Docker sbx is new (March 2026); driver issues on Apple Silicon are still being reported. Fallback plan: Lima + Dagger container-use if sbx proves unstable in phase 1.

~2,400 open issues against ~21k stars; fast-moving, rough edges. Risk to phase 2. Fallback: tmux + scripts; everything we build above the surface layer is cmux-agnostic on purpose, so the swap is mechanical.