
Security News
PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems
PolinRider expands across npm, Packagist, Go modules, and Chrome extensions, using hidden loaders to target developer environments.
ai-engineering-workflow
Advanced tools
Agent-neutral AI engineering team runtime with global memory, workflow gates, and traceable change history.
Agent-neutral workflow runtime for turning AI coding agents into a traceable virtual engineering team.
Installation · Quickstart · MCP Tools · Architecture · 中文
Works around Codex, Claude Code, Cursor, Gemini CLI, and other coding agents.
AI Engineering Workflow is not another coding model. It is the engineering system around coding models: roles, gates, memory, questions, trace logs, evidence, ChangeSets, and audit bundles.
Modern coding agents can implement quickly, but they often miss the habits that make software engineering reliable:
This project gives agents a workflow kernel so they can act less like a single autocomplete session and more like a disciplined engineering team.
The project is early alpha. The runtime is usable as a local MCP server and has executable tests for the current workflow kernel, but the external agent adapters are still task-packet based rather than fully autonomous process supervisors.
Use it first on non-critical repositories or small product slices.
| Link | Purpose |
|---|---|
| Repository Structure | Understand the source tree and where to add new work. |
| Architecture | Understand the MCP server, runtime, memory store, trace ledger, and adapter boundary. |
| Workflow | Understand phases, gates, stopping points, and progress feedback. |
| MCP Tools | Understand public tools and recommended call patterns. |
| Roles | Understand the virtual engineering team and role handoffs. |
| Data And Traceability | Understand where logs are saved and how audit trails are built. |
| Publishing | Prepare GitHub and npm releases. |
| Testing Matrix | Map public capabilities to executable tests. |
.
├── bin/ # CLI entrypoint and MCP server launcher
├── src/ # Runtime source code
│ ├── server.mjs # Stdio JSON-RPC MCP server
│ └── core/ # Workflow, memory, trace, context, and project modules
├── schemas/ # JSON schemas for portable records
├── prompt-pack/ # Prompt-only adapter guidance for non-MCP agents
├── tests/ # Node test suite
├── docs/ # Long-form documentation
├── examples/ # Copyable MCP configs and request examples
└── .github/ # CI, issue templates, and pull request template
After the package is published:
npm install -g ai-engineering-workflow
ai-engineering server
Or run it without a global install:
npx -y ai-engineering-workflow server
git clone https://github.com/PercivalLin/ai-engineering-workflow.git
cd ai-engineering-workflow
npm run verify
node ./bin/ai-engineering.mjs server
The package requires Node.js 20 or newer.
Use the MCP server from npm:
{
"mcpServers": {
"ai-engineering-workflow": {
"command": "npx",
"args": ["-y", "ai-engineering-workflow", "server"],
"env": {
"AI_ENGINEERING_HOME": "/Users/you/.ai-engineering"
}
}
}
}
Use the MCP server from a local checkout:
{
"mcpServers": {
"ai-engineering-workflow": {
"command": "node",
"args": ["/absolute/path/to/Vibe-Engineering/bin/ai-engineering.mjs", "server"],
"env": {
"AI_ENGINEERING_HOME": "/Users/you/.ai-engineering"
}
}
}
}
AI_ENGINEERING_HOME is optional. If omitted, global memory is stored at ~/.ai-engineering.
The normal entrypoint is advance_workflow.
Give the agent a product goal, then let it call the MCP tool against the target repository:
{
"project_root": "/absolute/path/to/target-product",
"product_goal": "Build a traceable task manager where users can create tasks, assign owners, record status changes, and export an audit trail.",
"adapter": "codex",
"risk_level": "medium"
}
The runtime will:
For CLI debugging:
ai-engineering advance \
--project /absolute/path/to/target-product \
--goal "Build a traceable task manager..." \
--adapter codex
MCP responses include progress fields that an agent harness can surface directly to the user:
current_role: active virtual team role, such as developer or architectcurrent_phase: workflow phase, such as requirements, architecture, or build_loopprogress_message: concise human-facing statusagent_feedback_prompt: instruction telling the execution agent how to explain the current status before continuingExample:
{
"current_role": "developer",
"current_phase": "build_loop",
"status": "external_agent_required",
"progress_message": "[AI Engineering Workflow] Developer is active. Phase: build_loop. Status: external_agent_required.",
"agent_feedback_prompt": "You are currently acting as: Developer.\nWorkflow phase: build_loop.\nWorkflow status: external_agent_required.\nTell the user this status briefly before continuing."
}
These fields are returned by advance_workflow, get_role_action, dispatch_agent_task, ask_user_decision, record_user_decision, and run_gate.
Project logs are stored inside the target product repository, not inside this tool repository unless this tool repository is the target.
Project-local runtime state:
<target-project>/.ai-engineering/project.yaml
<target-project>/.ai-engineering/workflow-state.json
<target-project>/.ai-engineering/trace-ledger.jsonl
<target-project>/.ai-engineering/decision-log.jsonl
<target-project>/.ai-engineering/evidence/
<target-project>/.ai-engineering/changesets/
<target-project>/.ai-engineering/context/
<target-project>/.ai-engineering/context/task-packets/
<target-project>/.ai-engineering/audit-bundles/
<target-project>/docs/ai-artifacts/
Global memory:
~/.ai-engineering/memory/principles/
~/.ai-engineering/memory/playbooks/
~/.ai-engineering/memory/anti-patterns/
~/.ai-engineering/memory/cases/
~/.ai-engineering/memory/rules/
~/.ai-engineering/memory/role-checklists/
~/.ai-engineering/memory/stack-knowledge/
~/.ai-engineering/memory/organization-preferences/
~/.ai-engineering/agents/
~/.ai-engineering/sandbox-rules/
Useful inspection commands:
tail -n 20 <target-project>/.ai-engineering/trace-ledger.jsonl
tail -n 20 <target-project>/.ai-engineering/decision-log.jsonl
find <target-project>/.ai-engineering -maxdepth 2 -type f | sort
find ~/.ai-engineering -maxdepth 3 -type f | sort
| Role | Responsibility | Primary outputs |
|---|---|---|
| PM | clarify product goal, users, scope, priorities, acceptance criteria | PRD or lightweight spec, requirements, success criteria |
| Architect / Tech Lead | design technical approach, interfaces, risks, migration, rollback | ADR, interface contract, risk register |
| Delivery Manager | break work into small batches and keep gates moving | backlog, task queue, Definition of Ready, Definition of Done |
| Developer | implement focused, traceable code changes | code, tests, ChangeSet, implementation notes |
| QA | verify acceptance, regression, edge, and failure paths | test matrix, test evidence, failure reproduction |
| Security | check threats, dependencies, secrets, permissions, data risk | security review, risk findings, evidence |
| SRE / DevOps | check CI, deployment, observability, SLO, rollback | release readiness, operational evidence |
| Reviewer | independently review diff, architecture fit, tests, maintainability | review findings, approval or blocker |
| Writer | produce user/developer-facing delivery docs | README, API docs, changelog, release notes |
| Learning Coach | convert evidence-backed outcomes into reusable memory | candidate playbooks, anti-patterns, policy rules |
| Trace Auditor | verify traceability from goal to code to evidence to release | audit bundle, traceability matrix, missing-link findings |
Each role has a mission, principles, decision frameworks, artifact contract, quality bar, inputs, outputs, and gates in src/core/defaults.mjs.
The automated state machine follows this shape:
advance_workflow moves through as many safe steps as it can, then stops at one of these boundaries:
The runtime should explore before asking.
It should ask the user when ambiguity affects:
It should not ask for:
Questions are recorded in the decision log with default assumptions and impact.
Every code modification should be recorded as a ChangeSet.
A ChangeSet records:
change_idtask_id, requirement_id, or decision_idThis enables two directions of traceability:
| Tool | Purpose |
|---|---|
advance_workflow | high-level automatic workflow advancement |
create_goal | create a product goal or engineering task |
scan_project_context | scan repository facts and inferred test commands |
retrieve_global_experience | search global engineering memory |
get_role_action | get the next task packet for a role |
ask_user_decision | create a structured high-impact question |
record_user_decision | record a user answer |
dispatch_agent_task | create a task packet for Codex, Claude Code, Cursor, Gemini CLI, or another adapter |
record_changeset | record traceable modification metadata |
record_artifact | record requirements, ADRs, release notes, retros, or other artifacts |
record_backlog | record Delivery Manager backlog items |
record_evidence | record tests, scans, reviews, security checks, deployments, or manual evidence |
run_gate | run the current or selected phase gate |
propose_learning | create evidence-backed global memory candidates |
promote_or_rollback_rule | move rules through candidate, sandbox, default, or deprecated states |
export_audit_bundle | export timeline, decisions, evidence, ChangeSets, matrix, and summary |
For agents or environments that cannot use MCP directly, see:
prompt-pack/codex-skill.md
prompt-pack/claude-code.md
prompt-pack/generic-agent.md
These prompt packs tell the agent how to behave as one role in the virtual team and what evidence it must return.
npm run check
npm test
npm run verify
npm run ci
npm run smoke
The implementation is dependency-light on purpose. The MCP server uses stdio JSON-RPC directly so the workflow kernel remains portable across agent harnesses.
See TESTING.md for the experiment matrix that maps public capabilities to executable tests. See docs/ for architecture, workflow, roles, data, and publishing guides.
Before publishing:
package.json with repository, homepage, and bugs URLs.docs/ and examples/ for stale placeholders.npm view ai-engineering-workflow version
An npm 404 usually means the package name is not currently published.
npm adduser
npm whoami
This package sets publishConfig.registry to the official npm registry so publishing does not accidentally target a local mirror.
npm run ci
npm pack --dry-run
npm publish
For a scoped public package such as @your-scope/ai-engineering-workflow, use:
npm publish --access public
The npm docs recommend reviewing package contents for sensitive or unnecessary information before publishing, testing the package, and using --access public for scoped public packages. See the official npm docs for package.json, npm publish, and scoped public packages:
This tool writes project workflow data to the target repository and global memory to AI_ENGINEERING_HOME or ~/.ai-engineering.
Before sharing logs, audit bundles, or global memory, check for:
Do not publish generated .ai-engineering/ runtime directories by default unless the target project intentionally treats audit logs as public artifacts.
The role prompts in src/core/defaults.mjs are original syntheses for this project. They do not vendor or copy complete third-party skill prompts. The design was informed by these public references:
Adaptation notes:
MIT
FAQs
Agent-neutral AI engineering team runtime with global memory, workflow gates, and traceable change history.
The npm package ai-engineering-workflow receives a total of 17 weekly downloads. As such, ai-engineering-workflow popularity was classified as not popular.
We found that ai-engineering-workflow demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
PolinRider expands across npm, Packagist, Go modules, and Chrome extensions, using hidden loaders to target developer environments.

Security News
Open source attacks are accelerating as AI coding agents pull in dependencies faster, with less human review.

Research
/Security News
Malicious Chrome and Firefox extensions posed as free VPNs while stealing clipboard data through later extension updates.