◆ open-source · built on opencode · bun + typescript
You write the PRD. A convoy ships the feature.
Convoy takes a PRD and turns it into a structured, reviewable implementation — a pipeline of specialized agents, each running on the model best suited to its job, leaving one commit per phase.
git clone https://github.com/Inakitajes/convoy && cd convoy && bun install && make install - ✓ implementer 1:47 $1.92gpt-5.6-terra#xhigh
- ✓ patterns 0:58 $0.71gpt-5.6-terra#xhigh
- ✓ security 1:12 $0.83gpt-5.6-terra#xhigh
- ✓ design 0:44 $0.31z-ai/glm-5.2
- ✓ tests 1:21 $0.96gpt-5.6-terra#xhigh
- ✓ adversarial 1:06 $0.58z-ai/glm-5.2
↑ a simulated implement run, replayed live — this is what the dashboard looks like while convoy works
01 · $ convoy explain the-problem
A first draft is not shippable code.
The quality of agent-written code comes from what happens after the first pass. Convoy automates that follow-through as a pipeline — so it happens every time, not when someone remembers.
Single session, single blind spot
One agent in one session reviews its own work. What ships is a first draft — blind spots, shortcuts and all.
The follow-through is the work
Pattern alignment, security audits, tests, adversarial review. The steps that make code shippable are exactly the ones that get skipped.
Orchestrating by hand doesn't scale
Re-prompting, re-reviewing and re-committing across phases by hand is a full-time job. Convoy makes it repeatable.
02 · $ convoy run implement
PRD in. Six commits out.
convoy --prompt-file prd.md runs the default implement pipeline. What lands has already been pattern-aligned, security-audited, design-polished, tested and adversarially reviewed.
-
implementer
gpt-5.6-terra#xhighImplements the feature following the repo's existing patterns.
-
patterns
gpt-5.6-terra#xhighRefactors without changing behavior; aligns with the rest of the code.
-
security
gpt-5.6-terra#xhighAudits and fixes security issues before they ship.
-
design
z-ai/glm-5.2Polishes the UI following the repo's design system.
-
tests
gpt-5.6-terra#xhighAutomated tests plus relevant E2E and integration coverage.
-
adversarial
z-ai/glm-5.2Final adversarial review before the PR even exists.
03 · $ convoy explain fan-out
Different models catch different things.
Audits fan out in parallel across two models — a GPT and a Claude reviewing the same diff find different issues. Findings are triaged adversarially before any fix lands.
◆ Any provider you're authenticated with
Built on OpenCode, so every step can run on any model from any provider — within the same run. Step, agent and default models are all overridable.
◆ Subscription-friendly cross-vendor reviews
runner: claude-code executes audit steps with your local claude CLI — genuine model diversity without paying per token.
◆ Fan-out is a one-liner, always read-only
parallel: and models: run audits concurrently, one per model. Convoy forces them read-only and verifies the git baseline afterwards.
04 · $ convoy cat .convoy/config.yaml
Pipelines are YAML, not code.
Any number of steps, your own agents, your own models, human gates anywhere. Define a ship pipeline — refine the branch, sync with base, draft the PR — and run convoy -p ship.
# .convoy/config.yaml — your team's actual workflow
pipelines:
audit:
steps:
- implementer
- parallel: # concurrent, forced read-only
- patterns
- security
- agent: clean-code
models: # one run per model
- anthropic/claude-opus-4-8
- openai/gpt-5.6-terra#xhigh
- type: human # a named human gate, anywhere
name: sign-off
- agent: adversarial
name: triage
reports: all - implement The default. PRD → audited, polished, tested implementation. writes code
- implement-lite Same workflow on lower-cost models. writes code
- ultra-implement Two-model fan-out on every review, plus a blocking-fix pass. writes code
- refine Audit the current diff, triage findings, apply accepted fixes. writes code
- ultra-refine refine with every audit fanned out across two models. writes code
- review Parallel audits synthesized into one prioritized report. report only
- review-lite review on lower-cost models. report only
05 · $ convoy explain guard-rails
Autonomy with a seatbelt.
Convoy owns the operational layer around the agents: guard rails, commit safety and a live permission gate — so a pipeline can run unattended without running wild.
permission gate
Agents run with a restricted bash policy: an allowlist of safe commands, a hard denylist — git push, deploys, sudo, curl | sh — and everything else falls through to ask.
approve? [o]nce, [a]lways, [r]eject >
smart auto-accept
--smart hands each request to an external AI judge with every tool disabled. Safe requests auto-approve; anything risky escalates to you. Fail-closed by design.
convoy --smart --smart-model anthropic/claude-haiku-4-5
commit safety
Before each commit, staged files are scanned for common secret names. A match aborts the commit and resets the index — nothing leaks.
.env* *.pem id_rsa* credentials* *.keystore
human gates
Drop a type: human step anywhere in a pipeline. The run pauses indefinitely until you continue, open the live session, or abort.
- type: human name: sign-off
06 · $ convoy convoy --help
CLI and TUI, interchangeably.
Plain flags and prompt files — --no-tui gives you plain logs for pipes and CI — or drive everything from the TUI: live dashboard, cost, tokens and provider limits while the run is live.
- $ convoy # interactive launcher
- $ convoy --prompt-file prd.md # run the default pipeline
- $ convoy -p review "pre-merge check" # report-only second opinion
- $ convoy runs # browse & attach to past runs
- $ convoy config # edit global & project config in a TUI
- $ convoy --resume 20260519-103045-x7q2 # pick up where a run failed
07 · $ convoy init --global
Ship your first pipeline in five minutes.
Convoy stores no provider credentials — it uses the providers you already authenticated in OpenCode.
git clone https://github.com/Inakitajes/convoy && cd convoy && bun install && make install