Skip to content
/
Tier A A6 Multi-agent orchestrator

aistack

aistack · blackms/aistack · ★ 51 · last commit 2026-01-30

Coordinates 11 specialized AI agents with adversarial code review, JWT agent identity, and 6-provider multi-model routing against shared SQLite memory.

Best whenCode quality requires an adversarial agent that actively tries to break output before acceptance — not a passive reviewer, but a hostile attacker.
Skip ifSingle-agent code generation without adversarial review, Hard-coding provider choice for all agents
vs seeds
claude-flow(MCP-anchored toolserver, SQLite memory, hierarchical coordination) but adds three novel dimensions absent from all 11 s…
Primitive shape 61 total
Subagents 11 Hooks 4 MCP tools 46
00

Summary

aistack — Summary

aistack is a production-grade TypeScript multi-agent orchestration framework published as the npm package @blackms/aistack. It ships 11 specialized AI agent types (coordinator, coder, tester, reviewer, architect, adversarial, analyst, researcher, security-auditor, devops, documentation), 46 MCP tools, a React 18 web dashboard at port 3001, and SQLite+FTS5+vector memory — all in a single npm install. The framework's central differentiator is the adversarial validation loop: a dedicated "adversarial reviewer" agent that actively tries to break generated code using predefined attack vectors (injection, race conditions, auth bypass, etc.) before the output is accepted. It supports 6 LLM providers (Anthropic, OpenAI, OpenAI Responses API, Gemini CLI, Codex, and Ollama) and routes different agents to different providers via config, making multi-model deployments first-class. Drift detection and consensus checkpoints are built-in as quality gates separate from the adversarial loop. Compared to seeds: closest to claude-flow in MCP-anchored memory and multi-agent coordination, but aistack adds the explicit adversarial subagent pattern (absent from claude-flow), per-session JWT+RBAC agent identity (unique in the corpus), and a 6-provider multi-model matrix where claude-flow is single-provider.

01

Overview

aistack — Overview

Origin

Created by Alessandro Annini (blackms). First published to npm as @blackms/aistack. Version 1.6.1 at time of analysis. GitHub: https://github.com/blackms/aistack. The project grew out of the premise that single-agent sessions cannot produce production-grade code without adversarial review; the adversarial agent is the central design feature.

Philosophy

From the README: "Production-grade agent orchestration with adversarial validation, persistent memory, and real-time web dashboard." The core mental model is a software development team where:

  • The Coordinator breaks down requirements and orchestrates workflow
  • Specialized agents (Coder, Tester, Architect, etc.) execute their domain tasks
  • The Adversarial agent serves as a hostile critic that actively tries to break what the Coder produced
  • Memory persists learnings ("Always use bcrypt for passwords") across sessions

Key design choices

  1. Adversarial-first quality: every code generation cycle includes adversarial review before acceptance — not an optional toggle but an architectural requirement
  2. Agent identity with JWT/RBAC: each spawned agent has a cryptographic identity token and role, preventing agents from assuming unauthorized capabilities
  3. Drift detection: compares agent behavior over time and flags when outputs diverge from expected patterns, acting as an early warning for hallucination drift
  4. Consensus checkpoints: multiple agents must agree on a result before moving forward — similar in concept to claude-flow's Raft consensus but implemented in the TypeScript runtime layer

Taglines from README

"Ultra-Modern Multi-Agent Orchestration for Claude Code" "11 agents · 46 MCP tools · 6 LLM providers · SQLite + FTS5 · Web dashboard · Agent Identity · Drift Detection · Consensus Checkpoints · Resource Monitoring"

02

Architecture

aistack — Architecture

Distribution

  • npm package: @blackms/aistack (v1.6.1)
  • Install: npm install @blackms/aistack
  • CLI binary: aistack (from bin.aistack in package.json pointing to ./dist/cli/index.js)
  • MCP add: claude mcp add aistack -- npx @blackms/aistack mcp start
  • Required runtime: Node.js >= 20.0.0

Directory structure (source)

src/
  agents/
    definitions/    # 11 TypeScript agent class files
    identity-service.ts
    registry.ts
    spawner.ts
  cli/
    commands/       # init, agent, mcp, memory, status, web, workflow, plugin, agent-watch
  mcp/
    tools/          # agent-tools, github-tools, identity-tools, memory-tools,
                    # review-loop-tools, session-tools, system-tools, task-tools
  memory/
    sqlite-store.ts
    fts-search.ts
    vector-search.ts
    access-control.ts
  providers/        # anthropic, openai, gemini-cli, codex, ollama (6 total)
  workflows/        # multi-phase workflow engine
  auth/             # JWT + RBAC
  github/           # GitHub issues/PRs
  plugins/          # plugin system
  hooks/            # lifecycle hooks
web/                # React 18 dashboard (Vite + React 18)
data/               # SQLite DB (aistack.db)

Config file

aistack.config.json in project root:

{
  "version": "1.5.3",
  "providers": { "default": "anthropic", ... },
  "memory": { "path": "./data/aistack.db", "vectorSearch": {...} },
  "agents": { "maxConcurrent": 5, "defaultTimeout": 300 },
  "web": { "enabled": true, "port": 3001 },
  "hooks": { "sessionStart": true, "sessionEnd": true, "preTask": true, "postTask": true }
}

Required runtime

  • Node.js >= 20.0.0
  • TypeScript compiled to ESM
  • SQLite (via better-sqlite3 bundled)

Target AI tools

  • Claude Code (MCP client)
  • Any MCP-compatible client
  • Also functions as standalone npm library

LLM Providers

  1. Anthropic (claude-sonnet-4-20250514 default)
  2. OpenAI (gpt-4o)
  3. OpenAI Responses API
  4. Gemini CLI
  5. Codex
  6. Ollama (local, llama3.2 default)
03

Components

aistack — Components

Agent definitions (11)

Agent Purpose
coordinator Orchestrate tasks across agents, decompose requirements, assign specialists
coder Implement features, write code
tester Write and run tests, verify correctness
reviewer Quality assurance, standard code review
adversarial Hostile code reviewer — actively tries to break code via attack vectors
architect Design decisions, system design
analyst Data and performance analysis
researcher Information gathering
security-auditor Security-focused review and audit
devops Infrastructure and deployment tasks
documentation Generate docs and documentation

CLI commands (10)

Command Purpose
aistack init Initialize project, create aistack.config.json and data/
aistack agent Spawn and manage agents
aistack agent-watch Watch agent status in real time
aistack mcp Start/manage MCP server
aistack memory Query and manage memory store
aistack status Show current session/agent status
aistack web start Start React dashboard at port 3001
aistack workflow Run multi-phase workflow
aistack plugin Manage plugins
aistack (global) Root entry point via commander.js

MCP tools (46 across 9 modules)

Module Key tools
agent-tools spawn_agent, stop_agent, list_agents, get_agent_status
github-tools create_issue, create_pr, list_issues
identity-tools create_identity, verify_identity, get_permissions
memory-tools store_memory, search_memory, list_memories, delete_memory
review-loop-tools start_review_loop, get_review_result, accept_review
session-tools create_session, get_session, list_sessions, end_session
system-tools get_status, get_config, health_check
task-tools create_task, assign_task, complete_task, get_task

Hooks (lifecycle, 4)

  • sessionStart — initialize session state
  • sessionEnd — persist session artifacts
  • preTask — pre-task validation
  • postTask — post-task quality checks

Memory subsystems (3)

  • SQLiteStore — primary structured storage (SQLite)
  • FTSSearch — full-text search via SQLite FTS5
  • VectorSearch — vector similarity search (requires OpenAI embeddings API)

Web dashboard (React 18)

  • Vite + React 18 frontend in web/
  • Dev port: 5173/5174
  • Served by backend at port 3001 via aistack web start
05

Prompts

aistack — Prompt Excerpts

Excerpt 1: Coordinator agent system prompt

Source: src/agents/definitions/coordinator.ts

You are a task coordinator focused on orchestrating work across agents.

## Core Principles
- Break complex tasks into clear, actionable steps
- Assign work to appropriate specialists
- Track progress and handle blockers
- Synthesize results into coherent output

## Coordination Approach
1. Analyze the task requirements
2. Decompose into subtasks
3. Identify dependencies between tasks
4. Assign to appropriate agent types
5. Monitor progress and adjust as needed
6. Aggregate and validate results

## Task Decomposition
- Each subtask should be self-contained
- Define clear inputs and expected outputs
- Identify which agent type is best suited
- Order tasks by dependencies

## Agent Assignments
- **coder**: Implementation tasks
- **researcher**: Information gathering
- **tester**: Test creation and validation
- **reviewer**: Quality assurance
- **architect**: Design decisions
- **analyst**: Data and performance analysis

Prompting technique: Role-persona with explicit task-decomposition protocol and agent-routing table. Uses imperative headings to activate specific behaviors.

Excerpt 2: Adversarial agent system prompt

Source: src/agents/definitions/adversarial.ts

You are an ADVERSARIAL code reviewer. Your mission is to BREAK the code.

## Core Mindset
- ASSUME the code has bugs until proven otherwise
- ACTIVELY try to break the code with edge cases
- BE SKEPTICAL of all claims and assumptions
- NEVER accept "it probably works" - demand proof

## Attack Vectors (Check ALL)
1. Input Validation: NULL, empty, negative, overflow, injection
2. State & Race Conditions: concurrent access, async timing, memory leaks
3. Error Handling: missing try/catch, silent failures, resource leaks
4. Security: auth bypass, IDOR, secrets exposure, insecure defaults
5. Logic Errors: off-by-one, boundaries, floating point, division by zero
6. Performance: O(n^2), unbounded recursion, N+1 queries

## Output Format
**[SEVERITY: CRITICAL/HIGH/MEDIUM/LOW]** - Issue Title
- **Location**: file:line
- **Attack Vector**: How to exploit
- **Impact**: What happens when exploited
- **Required Fix**: Specific remediation

**VERDICT: APPROVE** or **VERDICT: REJECT**

Prompting technique: Adversarial persona activation with mandatory checklist (all 6 attack vectors must be checked), structured severity classification, and binary verdict gate. Uppercase verbs ("BREAK", "ASSUME", "NEVER") enforce hostile posture.

09

Uniqueness

aistack — Uniqueness & Positioning

Differs from seeds

Closest to claude-flow in overall architecture: MCP-anchored toolserver with SQLite memory, hierarchical multi-agent coordination, TypeScript runtime. The key deltas:

  1. Adversarial subagent — aistack's defining feature is a dedicated hostile reviewer whose sole purpose is to break generated code. Claude-flow has no adversarial agent; superpowers and spec-driver have adversarial review skills but not a dedicated agent type with its own identity and system prompt.

  2. Agent identity + RBAC — JWT-based agent identity (each agent gets a cryptographic identity token scoped to its session and role) prevents unauthorized capability escalation. No other seed framework has this.

  3. 6-provider multi-model — aistack allows different agents to use different LLM providers (e.g., adversarial runs on GPT-4o, coder on Claude Sonnet). Claude-flow hardcodes Claude as primary; taskmaster-ai has multi-model but only for named roles (main/research/fallback).

  4. Drift detection — periodic comparison of agent output distributions to detect hallucination drift over time. Novel in the corpus.

  5. Consensus checkpoints — configurable quorum requirement before phase advancement. Claude-flow has Raft/Byzantine consensus for swarm coordination, but aistack's consensus is at the individual task verification layer.

Observable failure modes

  • Vector search requires OpenAI API key even if using Anthropic for agents (embedding dependency)
  • maxConcurrent=5 default may bottleneck large task decompositions
  • Adversarial loop can become infinite if the coder never satisfies the adversarial agent's criteria (no max-iteration safeguard documented)
  • Web dashboard requires the same Node.js process to serve both API and frontend — no independent scaling

Competitive positioning

aistack targets teams wanting automated adversarial review as a quality gate, similar to having a dedicated security red-team member embedded in CI. It is more opinionated about code quality (adversarial gate) and less opinionated about methodology (no SPARC/BMAD equivalent).

04

Workflow

aistack — Workflow

Standard development workflow

User task → Coordinator → Coder → Adversarial → (loop until APPROVE) → Tester → Documentation

Phase breakdown

Phase Actor Artifact
Task intake User → Coordinator task specification
Decomposition Coordinator subtask list + agent assignments
Implementation Coder code files
Adversarial review Adversarial APPROVE or REJECT with severity list
Iteration (if REJECT) Coder → Adversarial fixed code
Testing Tester test suite + results
Security audit Security Auditor security findings
Documentation Documentation API docs / README
Memory storage Memory Manager learned patterns in SQLite

Approval gates

  1. Adversarial VERDICT gate — code is not accepted until adversarial agent issues VERDICT: APPROVE
  2. Consensus checkpoint — multiple agents must agree (quorum) before advancing phases
  3. Drift detection check — flagged if agent outputs deviate from baselines

TDD enforcement

  • Tester agent is explicitly responsible for writing tests before implementation is accepted
  • Test results feed back into coordinator; failed tests trigger Coder re-assignment

Multi-phase workflow engine

The workflow CLI command and underlying workflows/ module supports defining multi-phase pipelines that persist intermediate artifacts to data/aistack.db.

Session persistence

All tasks, phases, and agent outputs are stored in aistack.db with session scoping, allowing cross-session resumption.

06

Memory Context

aistack — Memory & Context

Storage layer

Primary: SQLite database at ./data/aistack.db (configurable via memory.path)

Three subsystems built on top:

Subsystem Class Purpose
Structured store SQLiteStore Sessions, tasks, projects, specifications, agents
Full-text search FTSSearch SQLite FTS5 — search across memory entries by content
Vector search VectorSearch OpenAI text-embedding-3-small embeddings, optional

Memory schema (key types)

From src/memory/index.ts types:

  • Session — per-session container
  • Task / ProjectTask — individual work items
  • Project — project-level context
  • Specification — spec artifacts with type and status
  • MemoryEntry — arbitrary key-value with namespace and tags
  • ReviewComment — adversarial/reviewer feedback stored for learning

Access control

MemoryAccessControl class in memory/access-control.ts — agent context (agentId + sessionId) scopes what memory a given agent can read or write. Agents cannot read other sessions' memory without includeShared: true.

Persistence scope

global — the SQLite file persists across all sessions and projects (not wiped between runs).

Cross-session handoff

Memory entries tagged with agent learnings ("Always use bcrypt for passwords") are retrieved as context at session start via the MCP memory_recall tools, injecting prior learnings into new sessions automatically.

Optional; requires OPENAI_API_KEY. When enabled, each memory entry is embedded and stored alongside the SQLite row. Similarity search supplements FTS5 for semantic queries.

Compaction

No explicit compaction protocol documented; SQLite VACUUM is available via the aistack memory CLI command.

07

Orchestration

aistack — Orchestration

Multi-agent pattern

Hierarchical — a Coordinator agent decomposes tasks and assigns them to specialist workers. Workers (coder, tester, adversarial, etc.) operate in their domain and report back.

The adversarial review introduces a consensus element: code is not promoted until the adversarial agent issues VERDICT: APPROVE. Consensus checkpoints (configurable) require quorum agreement among multiple agents before phase advancement.

Subagent definition format

code-class — each agent is a TypeScript object conforming to the AgentDefinition interface:

export interface AgentDefinition {
  type: string;
  name: string;
  description: string;
  systemPrompt: string;
  capabilities: string[];
}

Instantiated via spawner.ts using the registry.

Isolation mechanism

No worktree isolation. Agents operate on the same file system but are scoped within their session context in SQLite. Agent memory is separated by agentId + sessionId ACL.

Multi-model support

Yes — 6 providers configurable per-agent type:

{
  "providers": {
    "default": "anthropic",
    "anthropic": { "model": "claude-sonnet-4-20250514" },
    "openai": { "model": "gpt-4o" },
    "ollama": { "baseUrl": "...", "model": "llama3.2" }
  }
}

Administrators can route the adversarial agent to a different model from the coder agent.

Execution mode

continuous-ralph — the Coordinator runs an event loop dispatching subtasks to workers, polling results, and re-queuing failed tasks. Circuit breakers prevent runaway failures.

Circuit breakers

CircuitBreaker in src/utils/retry.ts:

  • 5 failures → opens circuit
  • 2 consecutive successes → closes
  • 60s timeout
  • 30s half-open retry delay

Max concurrent agents

5 (configurable via agents.maxConcurrent in config)

Crash recovery

Circuit breakers provide failure recovery; session state is persisted to SQLite, enabling partial resumption, though there is no explicit checkpoint-resume CLI.

08

Ui Cli Surface

aistack — UI & CLI Surface

CLI binary

Binary name: aistack Entry: ./dist/cli/index.js Built with: Commander.js

Subcommands:

  • aistack init — project initialization
  • aistack agent [spawn|stop|list|status] — agent management
  • aistack agent-watch — real-time agent monitoring
  • aistack mcp [start|stop|status] — MCP server control
  • aistack memory [search|list|delete|vacuum] — memory operations
  • aistack status — session/system status
  • aistack web [start|stop] — dashboard control
  • aistack workflow [run|list|status] — workflow execution
  • aistack plugin [list|install|remove] — plugin management

Web dashboard

Exists: yes Type: web-dashboard Port: 3001 Tech stack: React 18 + Vite (frontend), Node.js HTTP server (backend) Dev port: 5173/5174 (Vite dev server)

Dashboard features include:

  • Real-time agent status monitoring
  • Memory browser
  • Session management
  • Workflow visualization

Served by starting the backend with aistack web start which both serves the API and the pre-built React bundle.

MCP server

aistack mcp start registers an MCP server via stdio transport. 9 tool modules, 46 total tools. Claude Code adds it via: claude mcp add aistack -- npx @blackms/aistack mcp start

Observability

  • Sentry integration (via @sentry/node) for error tracking
  • Per-component structured logging via logger.child('component-name')
  • Status endpoints accessible via CLI and web dashboard

IDE integration

Claude Code (via MCP). No VS Code extension or dedicated IDE plugin.

Related frameworks

same archetype · same primary tool · same memory type

Claude-Flow / Ruflo ★ 55k
A6 Multi-agent orchestrator

Eliminates single-agent context limits and sequential bottlenecks by orchestrating fault-tolerant swarms of specialized AI agents…

Hermes Agent (NousResearch) ★ 168k
A6 Multi-agent orchestrator

Self-improving personal AI agent with closed learning loop, 7 terminal backends, and messaging gateway — not tied to any AI…

OpenCode ★ 165k
A6 Multi-agent orchestrator

Terminal-first AI coding agent with multi-model routing, native desktop app, and a typed .opencode/ configuration system for…

OpenHands ★ 75k
A6 Multi-agent orchestrator

Open-source AI software development platform (open-source Devin alternative) with Docker sandbox isolation, 77.6% SWE-bench…

DeerFlow ★ 70k
A6 Multi-agent orchestrator

Long-horizon superagent that researches, codes, and creates by orchestrating parallel sub-agents with isolated contexts in Docker…

oh-my-openagent (omo) ★ 60k
A6 Multi-agent orchestrator

Multi-provider AI agent orchestration for OpenCode: escape vendor lock-in by routing Sisyphus (Claude/Kimi/GLM) and Hephaestus…