
Security News
Risky Biz Podcast: AI Agents Are Raising the Stakes for Software Supply Chain Security
Open source attacks are accelerating as AI coding agents pull in dependencies faster, with less human review.
rstack-agents
Advanced tools
Production-ready agentic SDLC framework for Pi and coding agents — orchestrator, builder/validator teams, lifecycle state, and specialist reuse
RStack SDLC is a framework-independent, governed AI software-delivery harness developed by Richardson Gunde.
It gives AI coding agents a repeatable SDLC instead of ad-hoc prompting:
clarify → plan → spec → approve → build → validate → release-readiness → learn
RStack ships with a native Pi adapter today, but the framework itself is portable. The core assets are Markdown/JSON-compatible and can be used from Claude Code, Codex CLI, Gemini CLI, Qwen Code, MCP-capable clients, or any custom agent harness.
| Layer | Purpose |
|---|---|
agents/core/ | Orchestrator, builder, and validator team contracts. |
agents/sdlc/ | Full lifecycle pipeline agents from environment discovery to release readiness. |
agents/specialists/ | Backend, frontend, devops, QA, security, data, product, docs, and other specialists. |
skills/ | Reusable workflow instructions. |
prompts/ | Prompt templates and command-style workflows. |
plugins/ | Domain packs with manifests, agents, skills, and commands. |
extensions/rstack-sdlc.ts | Native Pi runtime adapter. |
.rstack/runs/ | Generated run state, specs, approvals, traceability, tasks, and validation evidence. |
Current package assets:
196 agents
156 skills
36 prompts
72 plugins
Pi is the first native runtime because it gives RStack the hooks needed for a real governed harness:
| RStack need | Pi support |
|---|---|
| Custom SDLC tools | pi.registerTool() |
| Slash commands | pi.registerCommand() |
| Lifecycle hooks | pi.on(...) |
| Safety gates | tool_call hook |
| Tool evidence logging | tool_result hook |
| Skill/prompt discovery | resources_discover hook |
| Installable package | pi install |
| Isolated worker delegation | pi --mode json subprocesses |
But the reusable RStack knowledge lives in portable files:
agents/
skills/
prompts/
plugins/
docs/public/
So the correct framing is:
RStack SDLC is a portable AI-SDLC framework with a first-class Pi adapter today.
From npm after publishing:
pi install npm:rstack-agents
From this local checkout:
cd /Users/richardsongunde/projects/SDLC-rstack
pi install .
One-off local test without installing:
pi -e /Users/richardsongunde/projects/SDLC-rstack/extensions/rstack-sdlc.ts
Then ask Pi:
Use RStack to plan, build, validate, test, document, and prepare this feature for release: <your goal>
Use this when your framework can read files but does not have a native RStack adapter yet.
git clone https://github.com/richard-devbot/SDLC-rstack.git ~/rstack-agents
export RSTACK_HOME=~/rstack-agents
Or use this local checkout:
export RSTACK_HOME=/Users/richardsongunde/projects/SDLC-rstack
Universal bootstrap prompt:
Use RStack SDLC from $RSTACK_HOME.
Read agents/core/orchestrator.md first.
Use agents/core/builder.md for implementation tasks.
Use agents/core/validator.md for read-only verification.
Use agents/sdlc/ for lifecycle routing.
Use skills/ and plugins/ only when relevant.
Write run state under .rstack/runs/<run_id>/.
Require specs, approvals, traceability, builder.json, validation.json, and command evidence.
Never claim DONE without evidence.
Claude Code can use project/user subagents and slash commands. RStack can run there today as portable agent assets.
From your target project:
export RSTACK_HOME=/Users/richardsongunde/projects/SDLC-rstack
mkdir -p .claude/agents/rstack .claude/commands/rstack .rstack/vendor/rstack
cp -R "$RSTACK_HOME/agents" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/skills" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/plugins" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/prompts" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/agents"/* .claude/agents/rstack/
cp "$RSTACK_HOME/prompts"/*.md .claude/commands/rstack/ 2>/dev/null || true
Add to CLAUDE.md:
# RStack SDLC
Use RStack SDLC from `.rstack/vendor/rstack`.
Start with `.rstack/vendor/rstack/agents/core/orchestrator.md`.
Use `.rstack/vendor/rstack/agents/core/builder.md` for implementation tasks.
Use `.rstack/vendor/rstack/agents/core/validator.md` for read-only verification.
Write all run state under `.rstack/runs/<run_id>/`.
Require specs, approvals, traceability, `builder.json`, and `validation.json`.
Never claim DONE without evidence.
This gives Claude Code the RStack operating model. It does not yet provide Pi-native hooks like tool_call gating unless a Claude Code adapter is added later.
From your target project:
export RSTACK_HOME=/Users/richardsongunde/projects/SDLC-rstack
mkdir -p .rstack/vendor/rstack
cp -R "$RSTACK_HOME/agents" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/skills" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/plugins" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/prompts" .rstack/vendor/rstack/
cat > AGENTS.md <<'EOF'
# RStack SDLC
Use RStack SDLC from `.rstack/vendor/rstack`.
Read `.rstack/vendor/rstack/agents/core/orchestrator.md` first.
For implementation, follow `.rstack/vendor/rstack/agents/core/builder.md`.
For verification, follow `.rstack/vendor/rstack/agents/core/validator.md`.
Use SDLC pipeline agents from `.rstack/vendor/rstack/agents/sdlc/`.
Use skills from `.rstack/vendor/rstack/skills/` and plugin packs from `.rstack/vendor/rstack/plugins/`.
Write run state under `.rstack/runs/<run_id>/`.
Require specs, approval gates, traceability, builder contracts, validation contracts, and command evidence.
EOF
Then run Codex CLI from that project.
From your target project:
export RSTACK_HOME=/Users/richardsongunde/projects/SDLC-rstack
mkdir -p .rstack/vendor/rstack
cp -R "$RSTACK_HOME/agents" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/skills" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/plugins" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/prompts" .rstack/vendor/rstack/
cat > GEMINI.md <<'EOF'
# RStack SDLC
Use RStack SDLC from `.rstack/vendor/rstack`.
Start with `.rstack/vendor/rstack/agents/core/orchestrator.md`.
Use the SDLC pipeline in `.rstack/vendor/rstack/agents/sdlc/`.
Use plugin packs from `.rstack/vendor/rstack/plugins/` only when relevant to the task domain.
Maintain `.rstack/runs/<run_id>/` with specs, approvals, traceability, tasks, builder.json, and validation.json.
Do not perform destructive actions without explicit human approval.
Do not claim DONE without command evidence.
EOF
Then run Gemini CLI from that project.
From your target project:
export RSTACK_HOME=/Users/richardsongunde/projects/SDLC-rstack
mkdir -p .rstack/vendor/rstack
cp -R "$RSTACK_HOME/agents" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/skills" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/plugins" .rstack/vendor/rstack/
cp -R "$RSTACK_HOME/prompts" .rstack/vendor/rstack/
cat > AGENTS.md <<'EOF'
# RStack SDLC
Use RStack SDLC from `.rstack/vendor/rstack`.
Act as the RStack orchestrator first, not as a direct coder.
Read `.rstack/vendor/rstack/agents/core/orchestrator.md`, then route to builder and validator contracts.
Use `.rstack/vendor/rstack/agents/sdlc/` for lifecycle stages.
Use `.rstack/vendor/rstack/plugins/` as domain packs.
Write `.rstack/runs/<run_id>/` state and preserve traceability.
Require human approval gates before implementation and release decisions.
EOF
Then run Qwen Code from that project.
RStack does not yet ship a native Desktop/MCP adapter.
Today:
Planned MCP tool surface:
sdlc_start
sdlc_clarify
sdlc_plan
sdlc_spec
sdlc_approve
sdlc_agents
sdlc_build_next
sdlc_validate
sdlc_status
sdlc_memory
sdlc_orchestrate
sdlc_start
sdlc_clarify
sdlc_plan
sdlc_spec
sdlc_approve
sdlc_build_next
sdlc_validate
sdlc_status
sdlc_memory
Example:
Use RStack to build a production-ready todo app with auth, tests, docs, and release readiness.
Recommended first calls:
sdlc_orchestrate(goal="Build a production-ready todo app with auth, tests, docs, and release readiness")
sdlc_start(goal="Build a production-ready todo app with auth, tests, docs, and release readiness")
sdlc_clarify()
sdlc_plan()
Approve gates before build execution:
sdlc_approve(artifact="plan.md", status="APPROVED")
sdlc_approve(artifact="requirements.json", status="APPROVED")
sdlc_approve(artifact="architecture.md", status="APPROVED")
Then continue:
sdlc_build_next()
sdlc_validate()
sdlc_status()
| Tool | Purpose |
|---|---|
sdlc_orchestrate | Load RStack orchestrator, builder, and validator operating instructions for a goal. |
sdlc_start | Create .rstack/runs/<run_id>/ state for a new SDLC run. |
sdlc_clarify | Ask or capture product-owner answers before planning. |
sdlc_plan | Create lifecycle tasks, draft specs, registry files, routing metadata, and traceability. |
sdlc_spec | Read or update governed spec artifacts under .rstack/runs/<run_id>/specs/. |
sdlc_approve | Record human approval/rejection gates for plans, requirements, architecture, release readiness, or destructive actions. |
sdlc_agents | List available packaged/project-local agents, skills, and plugins by kind/domain. |
sdlc_delegate | Spawn isolated Pi worker agents for single or bounded parallel tasks. Validators default to read-only tools. |
sdlc_build_next | Prepare the next gated builder task packet with core, SDLC, specialist, skill, and plugin context. |
sdlc_validate | Validate builder output and write validation.json. |
sdlc_status | Show run status, task progress, missing approvals, registry counts, and next recommended action. |
sdlc_memory | Search or append project learnings for future runs. |
Native Pi slash commands:
/sdlc
/sdlc-agents
The package CLI is framework-neutral and useful for inspection:
rstack-agents list agents
rstack-agents list skills
rstack-agents list plugins
rstack-agents validate
rstack-agents add plugin <name>
Local development equivalent:
node bin/rstack-agents.js list agents
node bin/rstack-agents.js list skills
node bin/rstack-agents.js list plugins
node bin/rstack-agents.js validate
node bin/rstack-agents.js add plugin backend-development
RStack enforces this operating model:
clarify → plan → spec → approve → build → validate → release-readiness → memory
Required controls:
builder.json.validation.json.traceability.json.Generated run state:
.rstack/
memory/
learnings.jsonl
registry/
registry.json
agents.json
skills.json
plugins.json
routing.json
runs/
<run_id>/
manifest.json
context.md
plan.md
tasks.json
approvals.json
traceability.json
events.jsonl
specs/
product-brief.md
requirements.json
architecture.md
implementation-report.json
qa-report.json
security-review.md
handoff.md
release-readiness.json
tasks/
<task_id>/
prompt.md
builder.json
validation.json
Orchestrator / team lead
├── SDLC pipeline agents
│ ├── environment
│ ├── transcript
│ ├── requirements
│ ├── documentation
│ ├── planning
│ ├── jira
│ ├── architecture
│ ├── code
│ ├── testing
│ ├── deployment
│ ├── summary
│ ├── feedback loop
│ ├── security threat model
│ ├── compliance checker
│ └── cost estimation
├── Builder team
│ ├── backend specialists
│ ├── frontend specialists
│ ├── devops specialists
│ ├── data specialists
│ └── docs specialists
└── Validator team
├── QA specialists
├── security specialists
├── architecture reviewers
├── code reviewers
└── performance/accessibility reviewers
The native Pi adapter maps lifecycle tasks to packaged SDLC agents:
001-product-clarification -> 00-environment, 01-transcript
002-requirements -> 02-requirements, 04-planning, 05-jira
003-architecture -> 06-architecture, 12-security-threat-model, 14-cost-estimation
004-implementation -> 07-code
005-testing -> 08-testing
006-security-review -> 12-security-threat-model, 13-compliance-checker
007-documentation -> 03-documentation, 10-summary
008-release-readiness -> 09-deployment, 10-summary, 11-feedback-loop
Each generated task includes:
{
"pipeline_agents": ["agent.02-requirements", "agent.04-planning"],
"specialists": ["agent.02-requirements", "plugin.backend-development"]
}
Other adapters should preserve this routing contract.
Plugin packs under plugins/ are domain bundles. Each pack can include:
plugin.json
agents/*.md
skills/**/SKILL.md
commands/*.md
RStack uses them this way:
plugin.backend-development.RStack blocks these during governed native runs unless approved:
rm -rf
git push
npm publish
terraform apply/destroy
kubectl apply/delete
helm install/upgrade/uninstall
DROP TABLE
DELETE FROM
RStack also protects secret-like write paths:
.env
.env.*
id_rsa
id_ed25519
credentials.*
secrets.*
.npmrc
.pypirc
To allow a destructive action:
sdlc_approve(artifact="destructive-action", status="APPROVED")
or set:
RSTACK_ALLOW_DESTRUCTIVE=1
Package assets are the default source of truth. Target projects can add local overrides:
.rstack/agents/
.rstack/skills/
.rstack/prompts/
.rstack/plugins/
.pi/rstack/agents/
.pi/rstack/skills/
.pi/rstack/prompts/
.pi/rstack/plugins/
cd /Users/richardsongunde/projects/SDLC-rstack
npm install
npm test
npm run validate
npm audit --audit-level=high
npm pack --dry-run
Type-check the Pi adapter:
npx -y -p typescript tsc --noEmit --allowImportingTsExtensions --module NodeNext --moduleResolution NodeNext --target ES2022 --skipLibCheck extensions/rstack-sdlc.ts
npm test
npm run validate
npm audit --audit-level=high
npm pack --dry-run
npm login
npm publish --access public
The package is configured to include:
extensions/
agents/
skills/
prompts/
plugins/
bin/
src/
docs/public/
README.md
And exclude private runtime/workspace folders such as:
.claude/
.agents/
.codex/
node_modules/
logs/
outputs/
Recommended next adapters:
1. adapters/mcp expose RStack tools to MCP clients
2. adapters/claude-code export agents/commands/skills into Claude Code layout
3. adapters/codex generate AGENTS.md + task runner
4. adapters/gemini generate GEMINI.md + command pack
5. adapters/qwen generate AGENTS.md + command pack
6. adapters/sdk Node/Python library for custom harnesses
docs/public/pi-extension.md
docs/public/productivity-roadmap.md
docs/public/product-overview.md
MIT
FAQs
Production-ready agentic SDLC framework for Pi and coding agents — orchestrator, builder/validator teams, lifecycle state, and specialist reuse
The npm package rstack-agents receives a total of 65 weekly downloads. As such, rstack-agents popularity was classified as not popular.
We found that rstack-agents demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
Open source attacks are accelerating as AI coding agents pull in dependencies faster, with less human review.

Research
/Security News
Malicious Chrome and Firefox extensions posed as free VPNs while stealing clipboard data through later extension updates.

Research
/Security News
Miasma Mini Shai-Hulud hits @immobiliarelabs Backstage plugins, targeting GitLab and LDAP auth packages on npm.