Platform Agent Workflows

Overview

Actual workflow map

Open any workflow card below to jump straight to the relevant pipeline.

Research Open workflow

Draft once, self-proofread, run dual review, then save.

Research separates writing quality from factual accuracy so each check does one job well before the document is finalized.

research → self-proofread → proofreadGPT → accuracyGPT → dedupe + apply

Lead Researcher

Control Dual GPT review

Output Saved research file

Implementation Open workflow

Architect, scrutinize, hand off, implement, review twice, then summarize.

This overview card follows the architecture-driven path rather than the smaller direct-delivery path.

architect → scrutinizeGPT → handoff → implement → review x2GPT → summary

Lead Architect → Implementer

Control Two review cycles

Output Implementation summary

Documentation Open workflow

Queue a feature, draft both documents, verify them, then update.

Documentation runs one feature at a time so the drafts, checks, and backlog status stay aligned.

backlog → draft business → draft technical → verifyGPT → fix + update

Lead Documenter

Control GPT document verification

Output Two documents plus backlog status

Security Open workflow

Assess exposure, challenge findings twice, then report.

Security stays read-only throughout and ends with a prioritized report rather than a code change cycle.

scope → threat intelligence → owasp assessment → scrutinize x2GPT → reconcile → final report

Lead Pen Tester

Control Two GPT scrutiny rounds

Output Prioritized risk report

Implementation

Design, handoff, implement, review, fix, summarize

The implementation flow can start with architecture or move directly to delivery, but it always closes with structured review, fixes, and a final summary of what changed.

Executive flow

Route

Choose Architect for larger work or Implementer for smaller direct changes.

→

Build

Implement the change from either the architecture document or the direct scope.

→

Review x2

Run two review cycles, each with GPT-backed scrutiny.

→

Close

Deliver the changed scope, review status, and any remaining issues.

More details Technical steps, subagents, artifacts, handoffs, and review loops

.github/agents/architect.agent.md .github/agents/implementer.agent.md .github/agents/code-reviewer.agent.md .github/agents/gpt-architect-scrutinizer.agent.md .github/agents/gpt-code-review-scrutinizer.agent.md

Primary agents

Who owns what

Architect

Designs the work, writes the architecture, verifies it with GPT, then formally hands off.

Implementer

Either follows an architecture document or works directly on small tasks, then owns the fix loop and summary.

Code Reviewer

Reviews changed files, self-verifies, runs two GPT scrutiny passes, and returns merged findings.

Subagents

Specialists in this pipeline

Explore GPT Architect Scrutinizer GPT Code Review Scrutinizer

The primary agents are orchestration layers. The heavy codebase research or independent review is explicitly pushed into subagents.

Persisted artifacts

Files that carry state

.architect-output/architecture.md .architect-output/changed-files.md .architect-output/implementation-plan.md documents/<feature>/<feature>-technical-document.md

These files carry workflow state between the design, implementation, and review steps.

Model pinning

Actual, not assumed

Architect, Implementer, and Code Reviewer: no model pin in YAML
GPT Architect Scrutinizer: GPT-5.4
GPT Code Review Scrutinizer: GPT-5.4

scope implementation

Start by choosing the Implementer mode

The real flow is not simply Architect then Implementer. implementer.agent.md defines two operating modes: Mode A when an architecture document exists, and Mode B for small direct tasks. Large direct work should stop and route back through Architect.

Mode A

architect-driven

Use this when .architect-output/architecture.md exists.

Implementer reads the architecture document first.
Steps 1-3 from direct mode are skipped.
The architecture document becomes the spec.

Mode B

direct

Use this only for small, well-scoped work.

Clarify requirements.
Research patterns with Explore.
Break the work into tasks and persist implementation-plan.md.
If the work grows past roughly 20 budget units, stop and recommend Architect.

design Architect model not pinned

Architect scopes, researches, estimates, and writes the architecture

Architect loads project knowledge, asks clarifying questions if the request is ambiguous, offloads codebase research to Explore, estimates weighted budget units, and writes a structured architecture document.

Research is meant to be offloaded to Explore rather than reading many files directly.
Oversized work is split into ordered Implementer-sized tasks.
The architecture is saved to .architect-output/architecture.md.

research Explore

Explore is the read-heavy subagent for codebase research and pattern discovery in this pipeline.

review GPT Architect Scrutinizer GPT-5.4

Architecture gets scrutinized before handoff

Architect must run a GPT-based architecture review against requirements coverage, reference pattern quality, database design, API to DB consistency, permissions, migration sanity, behavioral gaps, and task split validity.

scrutinize → verify → revise → save

formal handoff .architect-output/architecture.md

Only one formal handoff is defined: Architect to Implementer

The handoff label is Implement Architecture. The prompt explicitly tells Implementer to read .architect-output/architecture.md and follow the design decisions and task breakdown exactly.

implement Implementer model not pinned

Implementer loads skills, works task by task, and tracks changed files

Implementer either follows the architecture document or operates in direct mode, but in both cases it loads relevant skills before touching code, implements tasks one by one, and appends every touched file to .architect-output/changed-files.md.

architecture.md changed-files.md implementation-plan.md

implement task discipline

Each task is expected to move through the to-do list from in progress to completed. The file instructs the agent not to batch the plan silently.

research Explore

Implementer can use Explore when understanding a pattern would require reading three or more files.

review Code Reviewer model not pinned

Review cycle 1 runs a full review, not a quick spot check

The first Code Reviewer run checks the changed file set in full, works through the code-review skill categories, self-verifies its own findings, and then performs two GPT scrutiny passes before findings go back to Implementer.

cycle 1 nested GPT rounds GPT-5.4

Code Reviewer cycle 1

review files → self-verify → GPT round 1 → reconcile → GPT round 2 → return findings

The second GPT pass is a final verification of the merged review, not a duplicate of the first pass.

fix all severities

Implementer is instructed to fix every finding that comes back

The file is explicit: MINOR, MAJOR, and CRITICAL findings all get fixed before the second review cycle. The point of the next pass is verification, not selective cleanup.

cycle 2 verification rerun GPT-5.4

Code Reviewer cycle 2 verifies the fixes

review again → GPT round 1 → reconcile → GPT round 2 → clean or escalate

If findings still remain after this second cycle, Implementer does not invent more loops. It summarizes the remaining items and escalates them to the user.

summary deliver

The end of the flow is a concrete implementation summary

The final output includes requirement, app, scope, files created, files modified, migrations, permissions, review cycle count, auto-fixed findings, and anything still unresolved after the second review cycle.

Documentation

Backlog, draft, verify, fix, update, summarize

The documentation flow works one feature at a time so drafting, verification, and backlog status stay aligned before the next feature begins.

Executive flow

Queue

Pick the next feature from the backlog and work it end to end.

→

Draft

Create the business and technical documents as a matched pair.

→

Verify

Use GPT-5.4 to check the drafts against the code and each other.

→

Update

Apply fixes and mark the backlog status for that feature.

More details Drafting steps, verification rules, outputs, and backlog handling

.github/agents/documenter.agent.md .github/agents/draft-documenter.agent.md .github/agents/gpt-doc-scrutinizer.agent.md

Primary agent

Documenter

Documenter manages the backlog, invokes the drafting and verification subagents, applies fixes, updates status, and summarizes the completed feature set.

model not pinned one feature at a time sequential workflow

Subagents

Draft and scrutiny specialists

Draft Documenter - Claude Opus 4.6 GPT Doc Scrutinizer - GPT-5.4

The agent file explicitly says not to use Explore here. Documentation work is meant to favor the higher-accuracy drafting subagent instead.

Outputs

What gets written

documents/<area>/<topic>-business-document.md documents/<area>/<topic>-technical-document.md documents/documentation-backlog.md /memories/session/

Ground truth rule

No Explore in this pipeline

documenter.agent.md explicitly says the coordinator must not use Explore because the fast models are not preferred for documentation accuracy.

scope Documenter model not pinned

Documenter starts from the documentation backlog

The workflow begins by reading documents/documentation-backlog.md and translating the requested feature set into a todo list with one feature per item.

loop per feature

The next steps repeat one feature at a time

The workflow is deliberately sequential. Documenter finishes a full business and technical pair, plus verification and backlog update, before moving to the next feature.

draft Draft Documenter Claude Opus 4.6

Draft the business document first

Draft Documenter reads every relevant source file in the module path, uses the AccessIQ Launch Planning business document as the reference pattern, and writes a business-focused document for PM and analyst audiences.

*-business-document.md

draft Draft Documenter Claude Opus 4.6

Draft the technical document second

The technical draft is a separate subagent run. It reads the same source code, reads the sibling business document for consistency, then writes the exhaustive technical reference document.

*-technical-document.md

verify GPT Doc Scrutinizer GPT-5.4

Verify both documents against the code and against each other

The verifier reads the business document, technical document, and source modules together. It checks completeness, accuracy, pattern adherence, cross-document consistency, and clarity.

documents + source → completeness → accuracy → consistency

fix critical + major first

Documenter applies fixes, then updates the backlog

The file instructs Documenter to fix all CRITICAL and MAJOR findings, fix MINOR issues if they are straightforward, save the files again, then update the feature status in documentation-backlog.md.

summary persist

The final output is a documented feature set, not just draft files

Documenter ends by summarizing how many features were documented, what was skipped, what GPT findings were rejected, and how many files were created.

Research

Research, self-proofread, proofread, fact-check, reconcile, save

The research flow produces one written deliverable and then improves confidence in it through separate checks for writing quality and factual accuracy.

Executive flow

Draft

Create the research document and save the first version.

→

Self-proofread

Clean up the document before external review begins.

→

Dual GPT review

Run separate GPT-5.4 passes for writing quality and accuracy.

→

Save

Reconcile findings and publish the final saved document.

More details Proofreading, fact-checking, reconciliation, and output mechanics

.github/agents/researcher.agent.md .github/agents/gpt-research-proofreader.agent.md .github/agents/gpt-research-accuracy-checker.agent.md

Primary agent

Researcher

Researcher is responsible for the draft, its own self-proofreading, reconciliation of both GPT reviews, and the final saved file.

model not pinned writes markdown

Verification split

Two GPT roles, not one

GPT Research Proofreader GPT Research Accuracy Checker

One subagent focuses on prose quality. The other focuses on claims, logic, technical correctness, source validity, and currency.

research Researcher model not pinned

Researcher writes the initial document

The first step is broad research using available tools, followed by a full markdown draft saved to the specified path or, by default, under documents/research/.

self-proofread Researcher

Self-proofread comes before any subagent review

The pipeline expects the coordinator to fix its own grammar, clarity, and structure issues first, before paying for any GPT verification passes.

proofread GPT Research Proofreader GPT-5.4

One subagent checks the writing

The proofreader is responsible for grammar, clarity, structure, consistency, and completeness. Its findings are about editorial quality.

accuracy GPT Research Accuracy Checker GPT-5.4

The second subagent checks the claims

This pass looks for factual accuracy, technical correctness, logical consistency, source validity, and outdated information. It is not performing the same job as the proofreader.

deduplicate apply

Researcher reconciles both GPT reports into one fix pass

The workflow explicitly says to deduplicate overlapping findings first, then independently verify each one, apply valid fixes, and skip or challenge invalid ones.

summary save final file

The flow ends with a saved document and a small audit trail

The final response is expected to say what was researched, where the file was saved, how many findings came from each GPT reviewer, and how many were accepted versus rejected.

Security

Threat intelligence, OWASP review, two GPT scrutiny rounds, final report

The security workflow is a structured read-only assessment that moves from threat research to validation and ends with a prioritized report for decision-makers.

Executive flow

Research

Define scope and gather current threat intelligence first.

→

Assess

Review dependencies, config, and OWASP exposure without changing code.

→

Challenge

Use two GPT-5.4 scrutiny rounds to test the findings.

→

Report

Deliver the prioritized risk report and recommendations.

More details Threat intelligence, OWASP sequencing, GPT scrutiny rounds, and report composition

.github/agents/pen-tester.agent.md .github/agents/gpt-pen-test-scrutinizer.agent.md

Primary agent

Pen Tester

Pen Tester owns scope, threat intelligence, dependency audit, OWASP analysis, severity calibration, reconciliation, and the final report.

model not pinned read-only grey-box

Scrutiny agent

GPT Pen Test Scrutinizer

The same GPT subagent is used twice. In round one it verifies and hunts for missed vulnerabilities. In round two it checks the merged report for blind spots, severity consistency, and remediation quality.

GPT-5.4 used in round 1 and round 2

Documented exceptions

Things the workflow says not to flag as vulnerabilities

CORS wildcard allowed because infra enforces it.
JWT signature verification intentionally disabled for Graph tokens.
Refresh token in registration error is an intentional signup-flow behavior.

scope threat intelligence Pen Tester model not pinned

Start by determining scope and collecting current threat intelligence

The file explicitly requires online research for relevant CVEs and advisories before the actual code assessment begins.

dependency audit config audit

Then audit dependencies, security configuration, Docker, and secrets handling

This is where the workflow points the assessor to requirements.txt, the security and config files, rate limiting, and Docker configuration.

OWASP self-verify

OWASP Top 10 review comes before any GPT scrutiny

The workflow steps through access control, injection, crypto, misconfiguration, logging, SSRF, and the other OWASP categories, then removes false positives and calibrates severity before sending anything to GPT.

round 1 GPT Pen Test Scrutinizer GPT-5.4

Round 1 verifies exploitability and looks for missed attack paths

verify findings → find missed vulnerabilities → challenge severity → merge or reject

round 2 final verification GPT Pen Test Scrutinizer GPT-5.4

Round 2 checks the merged report for blind spots and consistency

The second pass is narrower: remaining blind spots, severity consistency, and remediation quality in the reconciled report.

summary final report

The end result is a report, not an edit session

The Pen Tester rules explicitly say not to modify files. The deliverable is the structured report with executive summary, threat intelligence, findings, documented exceptions, and recommendations.