▶ Watch it fix its own PR  ·  Why it's different  ·  The loops  ·  Install  ·  What's in the box  ·  📚 Docs

Why it's different — measured, not vibes

Every AI-agent config claims "safe" and "cheap." compass is the one that hands you the number — and lets a skeptic reproduce it in 30 seconds. Everyone has the same models; the edge is configuration you can trust, not another feature list. Four claims, four commands:

🛡 Guardrails with a score. Catastrophic commands and secret writes are blocked before they run — and the policy is eval-gated, not asserted. (In human terms: it won't let the agent delete your machine or leak your keys, and it can prove how well.)

compass bench     # → guardrail 100% precision/recall (61-case corpus), router 96.9% — in CI
# then ask the agent to `rm -rf /` or write a .env → denied; `rm -rf ./build` → allowed

📉 Cost routing that's measured. Cheap work goes to cheap models — scored against an eval set, ~61% cheaper than all-Opus at ~98% quality on a fair mix. (In human terms: it stops paying Opus prices to fix a typo.)

compass route "redesign the auth model"   # → opus
compass route "fix a typo"                 # → haiku

🔏 Supply chain you can verify. Releases carry keyless SLSA provenance, so a tampered or look-alike download is rejected. (In human terms: you can prove the code you installed is the code I shipped.)

compass verify v0.16.0     # → ✓ provenance verified

🧪 Red-team resistance, measured. Prompt-injection (direct/indirect/paste), CLAUDE.md poisoning, local safety-override, malware & insecure-code — scored against a labeled corpus that gates in CI, with optional escalation to a managed guardrails service (webhook · Bedrock · Azure). (In human terms: a poisoned repo or web page can't quietly turn your agent against you.)

compass redteam   # → injection corpus 100% P/R, then scans THIS repo's CLAUDE.md/MCP/settings

No service, no telemetry, no --dangerously-skip-permissions; git pull to update. The work it can't safely own, it hands back — you keep the merge.

See it work

Three views, smallest leap of faith first — feel it, then see the proof, then see how it works.

1 · The day-to-day feel — guardrails, the cost-aware status line, the loop, and the crew, in ~25 seconds:

2 · The headline, on a real PR — a Blocking bug and red tests, and it pushes its own fix until the PR is green (then waits for you):

3 · How that loop works — review · security · tests · Codex cross-audit run in parallel; Blocking findings get auto-fixed and re-reviewed (round-capped) until green, then it stops at you:

_{Run it locally in 30s with ~/compass/sdlc/orchestrate.sh "<task>" (no tokens), or wire the GitHub loop for every PR. → how it works · reproduce it}

And the everyday status line quietly keeps score, so you watch it earn its keep:

Opus 4.8 · myrepo · main* · 45k ctx · $1.23 · 🧭 🛡1 🧹2 💡1 📉~$1.65

_{session spend, then today's compass activity: 🛡 footguns blocked · 🧹 files formatted · 💡 policy nudges · 📉~$ estimated saved vs all-Opus. Each piece shows only when there's something to report; nothing leaves your machine.}

Loops all the way up

Autonomy here isn't one big magic button — it's the same closed loop applied at four scales. Each runs until a gate says "done," then stops at a human. That's the whole trick: iteration under a gate beats a single confident guess.

Every loop ends the same way — you merge. That gate never moves.

Install

Pick the door that fits — all reversible, version-pinnable, no curl | sh. You need an AI assistant (Claude Code; Codex/Gemini optional) + git. No API keys to get the manual, guardrails, crew, and CLI.

🍺 Homebrew — managed & versioned

brew tap dshakes/compass https://github.com/dshakes/compass
brew install dshakes/compass/compass     # latest release · --HEAD to track main
compass quickstart                       # previews, asks, then wires it into ~/.claude

📦 Git clone — own & edit your config (recommended)

git clone https://github.com/dshakes/compass ~/compass && cd ~/compass
git checkout v0.16.0     # optional: pin to a release instead of main
./quickstart.sh          # previews every change, asks first, fully reversible

🧩 Claude Code plugin — no terminal (ideal for a team)

/plugin marketplace add dshakes/compass
/plugin install core@compass

🛠️ By hand: make dry-run (preview) → make install → make doctor. Symlink install means git pull/brew upgrade updates everything; make uninstall removes only what it added. → Team rollout

One config, every agent — native installs

The same operating manual + MCP servers, the way each tool expects them:

AGENTS.md and GEMINI.md are one file — symlinks of the same manual, so a git pull updates every agent at once.

✅ Verify → your first run

compass doctor      # validate the install — expect "0 error"
compass status      # is compass active here, and what's loaded?

Then just open Claude Code as usual — the manual, guardrails, subagents, commands, and status line are already loaded. Feel it in a minute: ask for a dangerous command (blocked), run /review on your diff, or compass route "<task>" to see the tier it picks. No tokens, no signup for any of it.

What's in the box

Everything below is on after one install or a single opt-in — the autonomous loops above sit on top of this. The README sells; the docs explain — each row links to the detail.

Safety, honesty & status

Built to be trusted before it's run — and honest about its limits.

• You own the irreversible. Agents prepare; humans push, merge, deploy. Required checks + a code-owner approval enforce it — there's no "merge to prod" button.
• Readable & reversible. No curl | sh. The installer backs up what it replaces, is idempotent, and make uninstall removes only what it added. Pin a tag, not main.
• Guardrails reduce footguns; they are not a security boundary. Keep least-privilege credentials and review your diffs. (For untrusted code, compass sandbox is a real boundary.)
• Red-team hardening is defense-in-depth, not immunity. It warns on prompt-injection (direct/indirect/paste), CLAUDE.md poisoning, and local safety-override, and refuses to grant project-level safety exceptions — but the cardinal rule (external content is data, not instructions) and the human gate are what actually hold. compass redteam measures it; see docs/17-red-team.md.
• What talks to the network. compass phones home to nothing. The auto-registered MCP servers reach non-Anthropic endpoints — context7 → Upstash (library docs), fetch → URLs you request; git is local. Hooks are short, commented shell scripts in claude/hooks/; disable any via claude/settings.json.
• Grounded, not invented. Every capability maps to a documented Claude Code / Codex primitive — cited in docs/07-practices.md.

Status: alpha. The core — manual, hooks, subagents, commands, MCP, plugin — is stable and dogfooded daily. The SDLC pipeline is newer: its logic is statically validated in CI and exercised via a smoke-test checklist you run on your own repo — treat it as early. The red-team layer is new: its detectors are eval-gated in CI (precision/recall on a labeled corpus) and resist obfuscation (compass redteam --attack), but pattern detection is best-effort defense-in-depth, not immunity — and the managed-guardrail adapters are response-parsing contract-tested, with the live Bedrock/Azure calls unverified in CI (need your creds) and no live third-party benchmark scores (see docs/17). Dynamic workflows are a Claude Code research preview. The human merge/deploy gate is permanent, by design.

Docs

Start here → Using compass — install, the pieces in plain language, the daily workflow.

Philosophy · Architecture · Cost & models · Customize · MCP · Plugin & team rollout · LSP · Practices · Defaults · SDLC · Roadmap · Every agent · Dynamic workflows · Fleet · Competitive audit · Hardening + frontier · Red-team · Router module · ADRs