Agent Workflow Documents: Making Patterns Practical

Phase 1: Receive Work (from CPO)
Phase 2: Planning (if complex: 5+ steps)
Phase 3: Implementation (ReAct loop)
  1. REASON: What's my goal? What are my options?
  2. ACT: Take one focused action
  3. OBSERVE: Did it work? What changed?
  4. REFLECT: Progress? Continue or adjust?
  (Repeat until complete)
Phase 4: Quality Checks (tests, lint, security)
Phase 5: Documentation (code docs, activity log)
Phase 6: Handoff (to CISO or COO)

REASONING:
- Goal: Implement user authentication
- Options: Custom auth, Supabase, Auth0
- Decision: Supabase (in tech stack, faster, secure)
- Next action: Install @supabase/supabase-js

ACTION:
pnpm add @supabase/supabase-js

OBSERVATION:
✓ Package installed
✓ Client file created
✗ TypeScript error: Missing env vars
New info: Need SUPABASE_URL and SUPABASE_ANON_KEY

REFLECTION:
- Progress: 40% (installed but not configured)
- Learning: Need env vars before client works
- Next: Create .env.local with credentials
- Decision: ITERATE

Phase 1: Discover (Problem Definition)
  - Identify problem from users/data
  - Validate severity and impact
  - Frame opportunity

Phase 2: Define (Requirements & Scope)
  - Explore solutions
  - Scope MVP with acceptance criteria
  - Prioritize using RICE scoring
  - Handoff to CTO with clear requirements

Phase 3: Monitor (During Development)
  - Answer CTO questions
  - Review progress/demos
  - Negotiate scope if needed

Phase 4: Validate (Post-Launch)
  - Measure impact (adoption, retention)
  - Reflect on learnings
  - Plan v2 improvements

FROM: CPO
TO: CTO

WHAT: Build authentication feature
WHY: Enable paid tier (strategic priority)

REQUIREMENTS:
- User can sign up with email/password
- User can sign in
- User stays logged in (remember me)

SUCCESS CRITERIA:
- 80% task success rate
- <2 min to complete signup

CONSTRAINTS:
- Must use Supabase (tech stack)
- Must meet CISO security requirements
- Timeline: 2 weeks preferred

OPEN QUESTIONS:
- Password requirements?
- Social auth now or later?

Phase 1: Pre-Merge Verification
  - Technical readiness (CTO: tests pass)
  - Security readiness (CISO: approved)
  - Product readiness (CPO: acceptance met)
  - Documentation readiness (activity log, changelog)

Phase 2: Merge to Main
  - Final verification (local tests)
  - Squash and merge (clean history)
  - Tag release (if applicable)

Phase 3: Update Documentation
  - Activity log (required for every merge)
  - Changelog (required for user-facing changes)
  - README (if setup changed)

Phase 4: Release Communication
  - Coordinate with CMO (blog post ready?)
  - Internal communication (team chat, support)

Phase 5: Post-Merge Monitoring
  - Immediate checks (error rates, metrics)
  - First 24 hours (watch for issues)
  - Rollback if needed

Phase 1: Request Triage
  - Is security review needed?
  - Full review vs quick review?

Phase 2: Security Review
  - Authentication & authorization checklist
  - Data protection checklist
  - Input validation checklist
  - Access control checklist
  - Dependencies checklist
  - Logging & monitoring checklist

Phase 3: Risk Assessment
  - Likelihood (High/Medium/Low)
  - Impact (Critical/High/Low)
  - Risk Score (Likelihood × Impact)
  - Decision: Block/Fix/Mitigate/Accept

Phase 4: Provide Guidance (to CTO)
  - Required fixes with suggestions
  - Recommendations (not blocking)
  - Approval conditions
  - Timeline estimate

Phase 5: Re-Review & Approval
  - Verify fixes implemented
  - Final risk assessment
  - Handoff to COO with deployment requirements

Phase 1: Content Planning
  - Quarterly content calendar
  - Map content to product launches (from CPO)
  - Plan content types (launch, educational, thought leadership)

Phase 2: Content Creation
  - Week 1: Research & outline
  - Week 2: Write first draft
  - Week 3: Review (CPO for accuracy, CEO for messaging)

Phase 3: Content Distribution
  - Multi-channel (blog, email, social)
  - Community channels (Reddit, HN, Dev.to)
  - Coordinate timing with COO

Phase 4: Performance Tracking
  - Engagement metrics (views, time on page)
  - Conversion metrics (CTA clicks, sign-ups)
  - SEO metrics (rankings, backlinks)
  - Reflection: What worked? What to change?

T-30: Campaign planning with CPO
T-14: Content creation sprint
T-7: Review and approval
T-0: Launch execution (coordinated with COO)
T+7: Follow-up content
T+30: Impact report

Cycle 1:
  REASON: Error says "undefined user" - maybe user not fetched?
  ACT: Add console.log before user access
  OBSERVE: User object is null
  REFLECT: Need to check why fetch returns null. ITERATE.

Cycle 2:
  REASON: Fetch returns null - maybe query is wrong?
  ACT: Log the database query
  OBSERVE: Query has typo in WHERE clause
  REFLECT: Found the bug! Fix typo. ITERATE.

FROM: CTO
TO: COO

READY TO MERGE: Authentication feature (PR #123)

STATUS:
- ✅ All tests passing
- ✅ Code review approved
- ✅ CISO security review complete

DEPLOYMENT NOTES:
- New environment variables needed
- No database migrations
- No breaking changes

MONITORING:
- Watch auth error rates
- Monitor signup funnel

ROLLBACK PLAN:
- Safe to revert (no data migrations)

REQUEST: Merge to main and tag v1.2.0

RICE Scoring:
Score = (Reach × Impact × Confidence) / Effort

Example:
Feature: Authentication
- Reach: 1000 users/quarter
- Impact: 3 (massive - enables paid tier)
- Confidence: 80%
- Effort: 2 weeks

Score = (1000 × 3 × 0.8) / 2 = 1200
(Higher score = higher priority)

CPO uses Planning Pattern:
1. Gather Input:
   - User feedback: "Need authentication for paid tier"
   - Support tickets: 15 requests for accounts
   - Analytics: 40% of trial users want to save work

2. Validate Problem:
   - 1000 users/quarter affected (high reach)
   - Blocks revenue (critical impact)
   - Proven solution exists (high confidence)

3. Prioritize:
   RICE = (1000 × 3 × 0.8) / 2 = 1200 (top priority)

4. Define Requirements → Handoff to CTO

CTO uses ReAct loop:

Cycle 1:
  REASON: Need auth → Use Supabase (tech stack)
  ACT: Install @supabase/supabase-js
  OBSERVE: ✓ Installed, ✗ Missing env vars
  REFLECT: Need env setup → ITERATE

Cycle 2:
  REASON: Need Supabase credentials
  ACT: Create .env.local with keys
  OBSERVE: ✓ Client works, ✗ No UI yet
  REFLECT: 50% done → ITERATE

Cycle 3:
  REASON: Need signup/login UI
  ACT: Create auth components
  OBSERVE: ✓ UI works, ✗ Tests missing
  REFLECT: 80% done → ITERATE

Cycle 4:
  REASON: Need tests for quality gate
  ACT: Write integration tests
  OBSERVE: ✓ All tests pass
  REFLECT: Implementation complete → CONTINUE

→ Handoff to CISO for security review

CISO uses Risk Assessment:

Review Checklist:
- ✅ Passwords hashed (bcrypt)
- ⚠️ No rate limiting (HIGH RISK)
- ⚠️ Sessions never expire (MEDIUM RISK)

Risk Scores:
- No rate limiting: 6 (High) → BLOCK
- No session timeout: 4 (Medium) → BLOCK

Decision: BLOCKED pending fixes

→ Handoff back to CTO with guidance

CTO implements CISO recommendations:

Cycle 5:
  REASON: Need rate limiting
  ACT: Add express-rate-limit middleware
  OBSERVE: ✓ Rate limiting works
  REFLECT: Fixed HIGH risk → ITERATE

Cycle 6:
  REASON: Need session expiration
  ACT: Set maxAge: 30 days
  OBSERVE: ✓ Sessions expire correctly
  REFLECT: Fixed MEDIUM risk → CONTINUE

→ Handoff back to CISO for re-review

CISO verifies fixes:
- ✅ Rate limiting implemented
- ✅ Session timeout set
- ✅ All HIGH/MEDIUM risks mitigated

Decision: APPROVED

→ Handoff to COO for deployment

COO executes wrap-up workflow:

Phase 1: Pre-Merge Verification
- ✅ CTO: Tests pass
- ✅ CISO: Approved
- ✅ CPO: Acceptance criteria met
- ✅ Activity log updated

Phase 2: Merge to Main
- Squash and merge PR #123
- Tag v1.2.0

Phase 3: Update Documentation
- Activity log entry added
- Changelog updated

Phase 4: Release Communication
→ Handoff to CMO for announcement

Phase 5: Post-Merge Monitoring
- No errors detected ✅
- Performance within targets ✅

CMO executes launch campaign:
- 10:00 AM: Publish blog post
- 10:30 AM: Send email announcement
- 11:00 AM: Post to social media
- Track metrics: 15 sign-ups in first day ✅
- Reflection: Technical content resonates