An MCP server for orchestrating parallel Claude Code worker swarms with protocol-based behavioral governance.
Enables multi-hour autonomous coding sessions with persistent state, parallel workers, and runtime enforcement of behavioral constraints.

Installation • Quick Start • Dashboard • Protocols • Tools

• Persistent State - Session state survives context compaction via MCP server
• Parallel Workers - Run multiple Claude Code workers simultaneously via tmux
• Competitive Planning - Complex features get two competing implementation plans
• Confidence Monitoring - Multi-signal scoring detects struggling workers
• Auto-retry - Failed features automatically retry with configurable limits
• Feature Dependencies - Define execution order between features
• Post-Completion Reviews - Automated code and architecture reviews with actionable findings

• Behavioral Protocols - Define constraints on what workers can/cannot do
• Pre-spawn Validation - Verify protocols allow task before worker starts
• Continuous Monitoring - Track constraint violations during execution
• LLM-Generated Protocols - Workers can propose new protocols (validated against base constraints)
• Cross-instance Sync - Share protocols across MCP instances

• Real-time Web Dashboard - Live UI at http://localhost:3456 with Server-Sent Events
• Live Terminal Streaming - Watch worker output with ANSI color support
• Review Worker Visibility - Code and architecture review progress in dashboard
• Violation Tracking - Audit log of all protocol violations
• Git Checkpoints - Commit progress after each feature

• Auto-Configuration - Set up CI/CD, issue templates, and documentation in parallel
• Platform Detection - GitHub, GitLab, Gitea, Bitbucket, Azure DevOps support
• Project Analysis - Detects languages, frameworks, and adapts configuration
• Merge Mode - Preserves existing configs by default, with optional force overwrite

• Node.js 18+
• tmux (brew install tmux on macOS)
• Claude Code CLI

One-liner install (recommended):

curl -fsSL https://raw.githubusercontent.com/cj-vana/claude-swarm/main/install.sh | bash

This will clone the repo, build, register the MCP server, and install the /swarm skill.

git clone https://github.com/cj-vana/claude-swarm.git
cd claude-swarm
npm install
npm run build

# Add to Claude Code
claude mcp add claude-swarm --scope user -- node $(pwd)/dist/index.js

# Install the skill (optional but recommended)
mkdir -p ~/.claude/skills/swarm && cp skill/SKILL.md ~/.claude/skills/swarm/

Tell Claude to use the swarm:

Use /swarm to build a REST API with authentication, user management, and tests

Or follow the workflow phases manually:

Phase 1: Setup
  → orchestrator_init - Initialize session with features
  → configure_verification - Set up test/build commands
  → set_dependencies - Define feature order

Phase 2: Pre-Work (per feature)
  → get_feature_complexity - Check if competitive planning needed
  → enrich_feature - Add relevant context

Phase 3: Execute
  → start_worker or start_parallel_workers

Phase 4: Monitor
  → sleep 180 - Wait before checking
  → check_worker (heartbeat: true) - Lightweight status
  → send_worker_message - Guide if stuck

Phase 5: Complete
  → run_verification - Run tests
  → mark_complete - Record success/failure
  → commit_progress - Git checkpoint

Phase 6: Review
  → check_reviews - Monitor automated reviews
  → get_review_results - See findings

Protocols define behavioral constraints that govern worker actions, enabling safe autonomous operation with clear boundaries.

{
  "id": "safe-refactoring-v1",
  "name": "Safe Refactoring Protocol",
  "version": "1.0.0",
  "priority": 100,
  "constraints": [
    {
      "id": "no-secrets",
      "type": "file_access",
      "rule": {
        "type": "file_access",
        "deniedPaths": ["**/.env", "**/secrets.*", "**/credentials.json"]
      },
      "severity": "error",
      "message": "Cannot access files that may contain secrets"
    }
  ],
  "enforcement": {
    "mode": "strict",
    "preExecution": true,
    "postExecution": true,
    "onViolation": "block"
  }
}

1. protocol_register - Register a new protocol
2. protocol_activate - Activate for enforcement
3. start_worker - Workers are validated against active protocols
4. [worker runs with continuous monitoring]
5. get_violations - Review any constraint violations

Workers can propose new protocols validated against immutable base constraints:

1. get_base_constraints - View immutable security rules
2. propose_protocol - Worker submits proposal
3. review_proposals - See pending proposals with risk scores
4. approve_protocol / reject_protocol - Human review for high-risk

Base Constraints (cannot be overridden):

• Certain tools always denied (e.g., dangerous system commands)
• Critical paths always protected (e.g., /etc, system files)
• Maximum privilege ceiling enforced

For complex features, spawn two planners with different approaches:

1. get_feature_complexity(featureId)     # Analyze complexity (0-100)
2. start_competitive_planning(featureId) # Spawn Planner A & B
3. [wait for planners to complete]
4. evaluate_plans(featureId)             # Compare and pick winner
5. start_worker(featureId)               # Implement with winning plan

• Planner A: Incremental, safe approach
• Planner B: Elegant, innovative approach
• Threshold: Features scoring 60+ trigger competitive planning

Real-time confidence scoring detects struggling workers:

Levels: High (80-100), Medium (50-79), Low (25-49), Critical (0-24)

set_confidence_threshold(35)       # Configure alert level
get_worker_confidence(featureId)   # Get detailed breakdown

Automated code and architecture reviews run after all workers complete:

1. All features complete -> session status changes to "reviewing"
2. Code review worker analyzes: bugs, security, style, test coverage
3. Architecture review worker analyzes: coupling, patterns, scalability
4. Findings aggregated into progress log
5. Session completes with review summary

Review workers output structured JSON findings:

• .claude/orchestrator/workers/code-review.findings.json
• .claude/orchestrator/workers/architecture-review.findings.json

Severity levels: clean, minor, moderate, major, critical

Convert review findings into actionable features:

# View available issues from reviews
implement_review_suggestions(projectDir)

# Create features from specific issues
implement_review_suggestions(projectDir, issueIndices: [0, 2, 5])

# Auto-select warnings and errors
implement_review_suggestions(projectDir, autoSelect: true, minSeverity: "warning")

Configure or trigger manually:

configure_reviews(enabled: true, skipOnFailure: false)
run_review(reviewTypes: ["code", "architecture"])
get_review_results(format: "detailed")

Automatically configure repositories with development best practices:

# Analyze repository freshness and missing configs
setup_analyze(projectDir)

# Initialize setup with parallel workers
setup_init(projectDir)

# Check setup progress
setup_status(projectDir)

# Skip specific config types
setup_init(projectDir, skipConfigs: ["dependabot", "release-please"])

# Force overwrite existing files
setup_init(projectDir, force: true)

# Override platform detection
setup_init(projectDir, platform: "gitlab")

The orchestrator creates git snapshot branches before each worker starts, enabling safe rollback of failed features.

1. Snapshot Creation: start_worker creates swarm/{featureId} branch at current HEAD
2. Worker Execution: Worker makes changes to working directory
3. On Failure: Use rollback_feature to restore pre-worker state

# Rollback all files changed by feature
rollback_feature(projectDir, featureId: "feature-1")

# Rollback specific files only
rollback_feature(projectDir, featureId: "feature-1", files: ["src/component.ts"])

Warning: When rolling back in parallel worker environments, other workers' changes to the same files will also be reverted.

A real-time web dashboard is available at http://localhost:3456:

• Session Overview - Progress bar, feature counts, session statistics
• Feature Cards - Status, dependencies, worker assignment
• Live Terminal Output - Real-time streaming with ANSI color support
• Review Worker Progress - Code and architecture review visibility
• Dark Mode - Automatic theme detection

The dashboard exposes a REST API for programmatic access:

Server-Sent Events (/api/events):

• status - Session status changes
• feature - Feature status updates
• worker - Active worker count changes
• reviewWorker - Review worker status updates
• log - New progress log entries
• heartbeat - Keep-alive (every 15s)

Claude Code orchestrates workers through the MCP Server. Workers run in isolated tmux sessions and share access to the project codebase. The dashboard provides real-time monitoring via SSE.

your-project/
├── .claude/orchestrator/
│   ├── state.json              # Session state
│   ├── feature_list.json       # Feature status
│   ├── protocols/
│   │   ├── registry.json       # Protocol definitions
│   │   ├── active.json         # Active protocols
│   │   ├── violations.json     # Violation records
│   │   ├── audit.json          # Audit log
│   │   └── proposals/          # Pending proposals
│   ├── sync/                   # Cross-instance sync
│   └── workers/
│       ├── *.prompt            # Worker prompts
│       ├── *.log               # Worker output logs
│       ├── *.done              # Completion markers
│       ├── *.status            # Worker status
│       ├── *.plan.json         # Competitive plans
│       ├── *.confidence        # Self-reported confidence
│       ├── code-review.findings.json        # Code review results
│       └── architecture-review.findings.json # Architecture review results
├── claude-progress.txt         # Human-readable log
└── init.sh                     # Environment setup

• Path traversal protection - All file paths validated against project directory
• Cryptographically secure IDs - Uses crypto.randomUUID()
• Symlink escape prevention - Real paths validated before file operations
• Input validation - All inputs validated with Zod schemas

• Pattern validation - isDangerousRegexPattern() detects catastrophic backtracking
• Safe regex testing - safeRegexTest() falls back to literal matching for dangerous patterns
• Glob-to-regex conversion - Proper metacharacter escaping prevents injection

• Bounded collections - Operation counts, alerts, and observed patterns have maximum limits
• LRU eviction - Least-recently-used entries removed when limits reached (max 50 cached managers)
• Timestamp truncation - Historical data pruned to prevent unbounded growth

• Localhost-only CORS - Dashboard only accepts requests from localhost origins
• No external network access - Workers operate in isolated tmux sessions

• Fail-closed enforcement - Unknown constraint types block by default
• Command allowlist - Only safe verification commands allowed
• No shell injection - Uses execFile with arguments, prompts via files
• Circuit breaker pattern - Monitor auto-stops after repeated failures
• Review worker isolation - Read-only tools (no Bash access)

• Base constraints - Immutable security rules cannot be overridden
• Proposal validation - LLM-generated protocols checked against security boundaries
• Token-based matching - Tool prohibition uses exact token matching, not substring

• Anthropic's "Effective harnesses for long-running agents"
• MAKER: "Solving a Million-Step LLM Task with Zero Errors"
• Multi-Agent Collaboration via Evolving Orchestration
• AFlow: Automatic Workflow Optimization
• AgentsNet: Coordinating Multi-Agent Networks

• Requires tmux (WSL on Windows)
• Workers use your Claude Code subscription
• Protocol enforcement is observational (monitors but doesn't intercept tool calls)
• Complex feature detection is heuristic-based

Contributions welcome! See CONTRIBUTING.md for guidelines.

MIT