Autonomous development,inside the lines.
Maverick is a Claude Code plugin and CLI that takes AI from a GitHub issue to a merged pull request — with quality, security, and scope boundaries enforced mechanically, not hoped for.
- Issue → merged PR
- one command
- Guardrails
- at the tool call
- State of truth
- GitHub, not disk
The gap
LLMs write code fast. They don’t come with judgment.
Attended, a developer catches these in real time. Unattended — the whole point of agentic development — nobody does, and every gap becomes a production risk. Maverick supplies the judgment as enforceable rules.
No operational instinct
Models don’t add structured logging, alerting, or monitoring unless told. Production becomes undiagnosable.
No security reasoning
They reproduce vulnerable patterns from training data — injection, secrets exposure, weak auth — without noticing.
No test discipline
Code that looks right ships with the bugs you can’t see. Without tests, there’s no safety net when no one is watching.
No workflow discipline
Commits to main, skipped CI, untraceable changes, and one giant diff where a decomposed plan belonged.
How it works
One command runs the whole delivery pipeline.
/maverick:do-issue-solo 128 drives every phase below. Each step is a real, resumable checkpoint written to GitHub — kill the machine mid-run and another instance picks up exactly where it left off.
- 01
Claim
Atomic claim + lease on the issue. Multi-instance safe.
- 02
Understand & design
A structured solution design, posted to the issue.
- 03
Decompose
Broken into ordered tasks — or sub-issues for an epic.
- 04
Implement
Task by task: verify, commit, push. Durable at each step.
- 05
Docs gate
Stale docs updated, new components documented. Always runs.
- 06
Security gate
Diff + impact set reviewed. Blocking findings halt the run.
- 07
Review
A read-only reviewer returns a binary PASS / FAIL verdict.
- 08
Merge
Auth-scan, App-approved, auto-merged. Claim released.
The difference
Guardrails the model can’t forget.
Most AI safety is a prompt — advice the model may ignore under pressure. Maverick’s hard limits are a hook that runs outside the model’s reasoning, denying dangerous actions deterministically. Defence in depth, with a real floor.
Scope-guard hook
mechanicalBlocks the action at the tool-call boundary — before any layer above sees it.
Best-practice skills
guidanceProject-specific standards loaded into the model’s context as it works.
Local verification
pre-pushLint, typecheck, and tests must pass before anything is pushed.
CI pipeline
remoteThe project’s own checks, waited on with bounded timeouts.
Agent review
binary gateA read-only reviewer returns a parsed PASS / FAIL verdict.
Human review
finalAnything ejected lands with a person, with the full trail attached.
Four hard limits, four ways to hold
- Destructive git — force-push, hard reset, branch deletion
- Commits & pushes on protected branches
- Infrastructure edits — CI configs, Dockerfiles, IaC
- Production systems & credential patterns
Autonomous work can only cross a boundary against a verified authorization on the issue itself — an agent can never self-grant. Backed by a second layer of permission rules, so it holds even if hooks are off.
What’s inside
A toolkit, not a wrapper.
Skills, agents, hooks, and a CLI that carries the deterministic parts of the workflow. Everything below ships in 4.0.0.
Mechanical scope enforcement
Destructive git, protected branches, infra edits, and production patterns are gated at the tool call — ask when a human is present, deny when they’re not.
Binary review gate
A read-only reviewer, pinned to a strong model, returns a machine-parsed PASS / FAIL. A missing or ambiguous verdict fails safe. No silent low-quality merges.
One durable state surface
Phase, branch, and artefacts live in a GitHub marker — not a local file. Any instance recovers full state by reading the issue.
Multi-instance coordination
Claims, leases, and heartbeats let many agents work an epic in parallel without collision. A dead machine’s claim expires and another takes over.
Project-specific skills
Maverick scans your codebase and generates skills that describe how your project actually does logging, testing, CI — so guidance fits your stack.
Deterministic core
The hot loop — coordination, resume, checklists, block propagation, waits — is CLI verbs with real exit codes, not prose the model re-derives each run.
Runs where you need it
Local, or a drop-in GitHub Action: label an issue and Maverick completes it on a hosted runner. A decision matrix covers hosted vs self-hosted compute.
Auditable by construction
Every design, task, gate outcome, and verdict is posted to the issue and PR. A timed workflow report is generated for every run.
Who it’s for
The same guarantees, from three angles.
Move fast — without wrecking the repo when you look away.
One command, done
Describe the work in a GitHub issue and run one skill. It designs, builds, tests, reviews, and opens the PR.
Catches what you don’t know to check
Missing tests, leaked secrets, a force-push about to nuke history — the guardrails stop it, so you don’t have to be the expert on everything.
It asks before the scary stuff
In an interactive session, boundary-crossing actions pause for your yes. You stay in control without babysitting every step.
Real code, real branch, real PR
No hidden magic — you get a normal pull request you can read, tweak, and merge.
The determinism and fail-safe defaults you’d build yourself.
Enforcement outside the model
A PreToolUse hook denies destructive git, protected-branch writes, infra edits, and prod patterns — hook denial overrides even permissive modes.
Fail-safe review contract
The reviewer is read-only and emits MAVERICK_VERDICT: PASS|FAIL; a missing or ambiguous marker is treated as FAIL. The gate can’t be talked past.
GitHub as the source of truth
One task-progress marker holds all issue state; resume is computed from GitHub, not reconstructed. Push-per-task makes it crash-safe.
Deterministic verbs, tested
Coordination, resume-point, checklists, block-propagation, and bounded PR waits are CLI commands with exit codes and an extensive unit suite.
Adopt agentic development without betting the codebase on it.
Unattended-safe by design
The dangerous actions are blocked mechanically, so autonomous runs can’t quietly cross a line no one approved.
A complete audit trail
Design, tasks, security findings, review verdict, and merge are all on the issue and PR. Every run generates a report.
Scales past one laptop
Coordination lets multiple agents work in parallel; a GitHub Action runs it on hosted compute with no infra to own.
Standards that stick
Your conventions become enforced skills and gates — not a wiki page everyone ignores.
The full issue-to-merge pipeline is validated end-to-end against a live repository, including crash recovery via stale-claim takeover.
Get started
Two ways in. Both take minutes.
Use it locally in Claude Code, or wire up the GitHub Action and let a label do the work. No cloud infrastructure required either way.
Then, inside Claude Code:
- 1
Install the Claude GitHub App — and add your ANTHROPIC_API_KEY secret.
- 2
Copy the workflow — templates/github/claude-maverick.yml into .github/workflows/.
- 3
Label an issue claude-do — Maverick works it on a hosted runner — design to merged PR.