Orchestrator → PM → Architect/Dev → QA+Security | With feedback loops and optional parallelization
This merges Anthropic's Orchestrator-Workers (Pattern A) with Planner-Generator-QA (Pattern B) into one unified pipeline. Parallelization happens at the Orchestrator level; within each task, execution is sequential with a QA↔Dev feedback loop.
| Agent | Model | Role | Tools Access | Context |
|---|---|---|---|---|
| Orchestrator | Opus | Top-level task decomposition and result synthesis. This is your main Claude Code session. | All tools + Agent spawning | Full project context |
| PM | Opus | Gathers requirements, reads relevant code, creates spec with acceptance criteria. Validates completion. | Read, Grep, Glob, Bash (read-only commands), Agent (to spawn Architect) | Full project context + CLAUDE.md |
| Architect/Dev | Sonnet | Implements the plan step by step. Writes code, runs tests, iterates until implementation matches spec. | Read, Write, Edit, Bash, Grep, Glob (full code tools) | PM's spec + relevant files only (focused context) |
| QA + Security | Sonnet | Tests from scratch (fresh context). Runs test suite, checks security (auth, injection, secrets, deps). Reports bugs or passes. | Read, Grep, Glob, Bash (tests + security scans only). NO Write/Edit — QA never fixes, only reports. | Fresh — reads acceptance criteria + code, no implementation history |
Claude Code's native Agent tool already supports this. The Orchestrator is your main session; PM, Architect, and QA are sub-agents spawned with different models and prompts.
# How the Orchestrator (your main session) dispatches: 1. Spawn PM agent (Opus) → Reads codebase, gathers context → Produces: spec.md with acceptance criteria → Returns spec to Orchestrator 2. Spawn Architect agent (Sonnet, worktree isolation) → Receives PM's spec → Implements step by step → Returns: "implementation complete" 3. Spawn QA agent (Sonnet, fresh context) → Receives ONLY: acceptance criteria + file paths → Runs tests, security checks → Returns: PASS or BUG_REPORT 4. If BUG_REPORT: → Spawn Architect again with bug report → Spawn QA again after fix → Max 3 iterations 5. Spawn PM agent for final validation → Confirms all criteria met → Returns: COMPLETE
Define each agent as a reusable persona in your project. Then invoke them by name from your main session or from a custom command.
.claude/agents/pm.ymlname: pm
model: opus
description: "Product Manager — gathers context, creates specs, validates completion"
tools:
- Read
- Grep
- Glob
- Bash
instructions: |
You are a Product Manager agent. Your job:
PHASE 1 — PLANNING:
1. Read the task description from the Orchestrator
2. Explore the codebase to understand current state (Grep, Glob, Read)
3. Identify all files that need to change
4. Write a detailed spec with:
- Summary of what needs to happen
- File-by-file change list
- Acceptance criteria (testable, specific)
- Security considerations
5. Return the spec
PHASE 2 — VALIDATION (when called after QA passes):
1. Review the QA report
2. Verify all acceptance criteria are met
3. Return COMPLETE or flag remaining issues
.claude/agents/architect.ymlname: architect
model: sonnet
description: "Architect/Developer — implements code changes step by step"
tools:
- Read
- Write
- Edit
- Bash
- Grep
- Glob
instructions: |
You are an Architect/Developer agent. Your job:
1. Receive a spec from the PM agent
2. For each change in the spec:
a. Read the current file
b. Plan the minimal edit needed
c. Apply the edit
d. Run relevant tests (if they exist)
3. Work sequentially through the spec — do NOT skip steps
4. After all changes, run the full test suite
5. Return a summary of what was changed and test results
If you receive a BUG_REPORT from QA:
1. Read the bug report carefully
2. Reproduce each bug
3. Fix each bug with minimal changes
4. Re-run tests
5. Return summary of fixes
RULES:
- Never modify files outside the spec's scope
- Every edit must be reversible (clean diffs)
- Run tests after every significant change
- If something is ambiguous in the spec, implement the safest interpretation
.claude/agents/qa.ymlname: qa
model: sonnet
description: "QA + Security — tests implementation from scratch, reports bugs"
tools:
- Read
- Grep
- Glob
- Bash
# NO Write or Edit — QA never modifies code
instructions: |
You are a QA + Security agent. You review code with FRESH EYES.
You have NO knowledge of how the code was written — only what exists now.
FUNCTIONAL TESTING:
1. Read the acceptance criteria from the PM spec
2. Read the implementation (files listed in spec)
3. Run the existing test suite: check for failures
4. For each acceptance criterion:
a. Verify it's met by reading the code
b. If testable, write and run a quick validation
5. Check edge cases the spec might have missed
SECURITY REVIEW:
1. Check for injection vulnerabilities (SQL, XSS, command injection)
2. Check authentication/authorization logic
3. Grep for hardcoded secrets, API keys, passwords
4. Check dependency versions for known CVEs (if package.json/requirements.txt exists)
5. Verify input validation on all user-facing endpoints
6. Check for insecure defaults
OUTPUT FORMAT:
If all clear:
STATUS: PASS
Summary of what was tested
Security: no issues found
If bugs found:
STATUS: FAIL
BUG_REPORT:
- Bug 1: [file:line] description, severity (critical/major/minor)
- Bug 2: ...
SECURITY_ISSUES:
- Issue 1: [file:line] description, severity
Suggested fix approach (but do NOT write the fix yourself)
This is the control flow that runs in your main Claude Code session (the Orchestrator). You can implement this as a custom slash command or just invoke it manually.
.claude/commands/build.md# /build — Full PM → Architect → QA pipeline
When the user runs /build with a task description:
1. **PM PHASE** — Spawn the PM agent (Opus):
- Pass: the task description + project context
- Receive: detailed spec with acceptance criteria
- Save spec to: /tmp/current-spec.md
2. **ARCHITECT PHASE** — Spawn the Architect agent (Sonnet, worktree):
- Pass: the spec from step 1
- Receive: implementation summary + test results
- If tests fail: loop Architect up to 2 times
3. **QA PHASE** — Spawn the QA agent (Sonnet, fresh context):
- Pass: ONLY the acceptance criteria + changed file paths
- Do NOT pass implementation details or Architect's summary
- Receive: PASS or BUG_REPORT
4. **FIX LOOP** (if QA returns FAIL):
- Pass BUG_REPORT to Architect agent
- After fix, pass back to QA (fresh instance)
- Max 3 QA↔Architect iterations
- If still failing after 3: escalate to PM for re-planning
5. **PM VALIDATION** — Spawn PM agent again:
- Pass: original spec + QA's PASS report
- Receive: COMPLETE or remaining issues
6. **RETURN** — Summarize to user:
- What was built
- What was tested
- Security review results
- Files changed
Agents don't share memory — they communicate through artifacts (files and structured messages).
| Handoff | What's Passed | What's NOT Passed |
|---|---|---|
| Orchestrator → PM | Task description, project context | — |
| PM → Architect | Spec with file list, acceptance criteria, security notes | PM's reasoning process |
| Architect → QA | Acceptance criteria + list of changed files (paths only) | Implementation details, diffs, Architect's reasoning — QA must review cold |
| QA → Architect (bug loop) | Structured BUG_REPORT with file:line + description | QA's internal testing methodology |
| QA → PM (pass) | PASS report + security summary | — |
| PM → Orchestrator | COMPLETE status + summary | Internal spec details |
| Agent | Model | Why This Model | Cost Impact |
|---|---|---|---|
| Orchestrator | Opus | Needs strong reasoning for task decomposition and synthesis | Low — runs briefly at start and end |
| PM | Opus | Planning quality directly determines implementation quality. Cheap to run (mostly reads). | Low — reads files, writes one spec |
| Architect | Sonnet | Bulk of the work — code generation, edits, test runs. Sonnet is fast and cost-effective here. | High — most tokens spent here |
| QA + Security | Sonnet | Needs to read and reason about code, but doesn't write. Sonnet is sufficient. | Medium — reads code, runs tests |
For most coding tasks, you don't need parallel lanes. The flow simplifies to:
You (Orchestrator) → PM → Architect → QA ↔ Architect → PM → You
This is the default. Use this for features, bug fixes, refactors.
For complex features that need research first:
Orchestrator → [3× Sonnet researchers in parallel] → Orchestrator synthesizes → PM → Architect → QA → PM
This prepends Pattern A's research phase before Pattern B's build phase.
For implementing multiple independent features simultaneously:
Orchestrator → [PM₁→Arch₁→QA₁ | PM₂→Arch₂→QA₂ | PM₃→Arch₃→QA₃] → Orchestrator merges
Each feature gets its own PM→Architect→QA pipeline running in parallel worktrees. Orchestrator merges results at the end.
If your project has serious security requirements (Web3 smart contracts, financial logic), split QA into two agents:
QA Agent (functional testing) + Security Agent (dedicated security review with stricter prompts)
The Security Agent would specifically check: reentrancy, integer overflow, access control, gas optimization (for Solidity), and common Web3 attack vectors.
.claude/agents/ directory/build command into .claude/commands/build.md/build "your task description" in Claude Code