Vibe-code with discipline
koryph turns AI coding agents into a software factory. Point it at a git repo and it plans the work, runs a fleet of agents in parallel without merge conflicts, keeps them inside budget and policy, merges only what passes your gate — and ships signed, attested releases at the end. One static binary. No SaaS. Nothing to unsubscribe from.
Why koryph exists
Tools like Claude Code changed the constraint. An AI agent writes a feature in
minutes — so the bottleneck is no longer typing code, it is everything around
the code: keeping five agents from trampling each other, keeping spend inside
your subscription, keeping unreviewed changes off main, keeping commits
signed and settings hardened, and turning the result into a release someone
else can actually trust and install.
Vibe coding without that process is how you get a repo full of merge conflicts, a surprise bill, and an unshippable pile of code. Doing that process by hand is how you lose the speed you just gained.
koryph is the missing assembly line. It carries the process — planning, parallelism, review, budgets, hygiene, releases — so you and your agents can carry the ideas. It is opinionated about process, never about your application: no frameworks chosen for you, no folder layouts, no lock-in.
The three pillars
Build — the agent factory. koryph reads your project's task graph (beads), batches conflict-free work by each task's declared footprint, and dispatches headless agents into isolated git worktrees — in parallel, continuously, under the correct account. Finished work goes through review → rebase → your green gate → fast-forward merge. Nothing lands that doesn't pass.
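The footprint rule described above, sketched in Go as an added example (not koryph's code). The `Task` type, the path-prefix footprint format and `NextBatch` are assumptions made for illustration; the page does not show koryph's task schema.

```go
package main

import "fmt"
import "strings"

// Task is a constructed stand-in for a task-graph entry; the footprint format is an assumption.
type Task struct {
	ID        string
	Footprint []string // repo-relative path prefixes the task may modify
}

// overlaps: equal paths, one a directory prefix of the other, or "" (whole repo).
func overlaps(a, b string) bool {
	a, b = strings.Trim(a, "/"), strings.Trim(b, "/")
	return a == "" || b == "" || a == b || strings.HasPrefix(a, b+"/") || strings.HasPrefix(b, a+"/")
}

// Conflicts treats an undeclared footprint as "touches everything".
func Conflicts(x, y Task) bool {
	conflict := len(x.Footprint) == 0 || len(y.Footprint) == 0
	for _, p := range x.Footprint {
		for _, q := range y.Footprint {
			conflict = conflict || overlaps(p, q)
		}
	}
	return conflict
}

// NextBatch admits ready tasks in order while a slot is free and the task is disjoint from all held work.
func NextBatch(ready, running []Task, slots int) []string {
	held := append([]Task{}, running...)
	var batch []string
	for _, t := range ready {
		free := len(batch) < slots
		for _, h := range held {
			free = free && !Conflicts(t, h)
		}
		if free {
			held = append(held, t)
			batch = append(batch, t.ID)
		}
	}
	return batch
}

func main() {
	ready := []Task{{"t2", []string{"internal/api/handlers"}}, {"t3", []string{"internal/apiserver"}}}
	fmt.Println(NextBatch(ready, []Task{{"t1", []string{"internal/api"}}}, 2)) // [t3]
}
```

Matching on path-segment boundaries is what keeps `internal/apiserver` from being treated as a child of `internal/api`.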
Protect — hygiene as code. Branch-protection rulesets, repo settings, and
security posture live as committed JSON you can check and apply
(koryph repo check|apply), with named profiles like the built-in
oss-solo-maintainer. Commit signing is enforced from vault-served keys.
Protected paths keep agents away from your CI, hooks, and policy files.
koryph doctor catches drift before it bites.
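An added sketch of a protected-paths merge check, not taken from koryph. The pattern list, the pattern syntax and the function names are assumptions; the input is `git diff --name-status` output with unquoted paths.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// protected is a constructed policy: a trailing "/" protects a subtree, anything else is a path.Match glob.
var protected = []string{".github/", ".githooks/", "policy/*.json"}

// isProtected fails closed: a path that escapes the repository or a pattern
// that does not parse counts as protected.
func isProtected(p string, patterns []string) bool {
	p = path.Clean(p)
	if path.IsAbs(p) || p == ".." || strings.HasPrefix(p, "../") {
		return true
	}
	for _, pat := range patterns {
		dir := strings.HasSuffix(pat, "/") && strings.HasPrefix(p+"/", pat)
		if ok, err := path.Match(pat, p); dir || ok || err != nil {
			return true
		}
	}
	return false
}

// Violations returns every protected path a change touches. Renames and copies
// list two paths and both are checked, so moving a file out of a protected
// directory is still caught.
func Violations(nameStatus string, patterns []string) []string {
	var hits []string
	for _, line := range strings.Split(strings.TrimSpace(nameStatus), "\n") {
		for _, p := range strings.Split(line, "\t")[1:] {
			if isProtected(p, patterns) {
				hits = append(hits, p)
			}
		}
	}
	return hits
}

func main() {
	// Constructed diff: a source edit, a workflow edit, and a rename out of policy/.
	diff := "M\tcmd/app/main.go\nM\t.github/workflows/ci.yml\nR100\tpolicy/rules.json\tdocs/rules.json"
	fmt.Println("refuse merge, hand to a human:", Violations(diff, protected))
}
```

A non-empty result is the signal to refuse the automated merge; paths are normalised before matching so `docs/../.githooks/pre-commit` cannot slip past the subtree rule.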
Ship — the release train. Conventional commits drive versioning for any language. Releases are draft-until-complete and immutable: binaries, checksums, SBOMs, cosign signatures, and SLSA build provenance all attach before anything publishes. A vault-backed release bot keeps PR checks flowing — with graceful fallbacks when you can't install one.
Datasheet
| | Feature | What you get |
|---|---|---|
| Build | Footprint scheduler | Tasks declare what they touch; only conflict-free work runs in parallel — no merge-conflict roulette |
| | Rolling dispatch | Slots refill continuously as work finishes; the fleet never idles waiting for a "wave" to end |
| | Worktree isolation | Every agent works in its own git worktree; your checkout is never touched |
| | Review pipeline | Reviewer findings block the merge until addressed; then rebase, gate, fast-forward |
| | Green gate | Your own build/test/lint commands are the merge gate — if it's red, it doesn't land |
| | Cost governors | Per-provider concurrency caps that adapt to rate limits (AIMD + circuit breakers), plus subscription-burn tracking and quota calibration |
| | Account safety | Each project pins its account; identity is verified fail-closed before any dispatch |
| | Multi-runtime | Runtime-neutral core with personas and model tiers (frontier / standard / light); Claude Code today, adapter seam for codex, cursor, and others |
| | Planning skills | /koryph-plan, /koryph-import, /koryph-replan — turn a design doc or a prompt into a correctly-footprinted, dependency-aware task graph |
| Protect | Posture profiles | Repo hygiene as named, applyable configuration — rulesets, settings, secret scanning, org-level rules |
| | Signing, vault-served | SSH commit signing with keys resolved on demand from Proton Pass, 1Password, macOS Keychain, or an encrypted file — never plaintext by default |
| | Protected paths | Merges that touch CI, hooks, or policy files are refused; a human lands those |
| | Doctor | One command reports drift across settings, signing, credentials, release infra, and DNS |
| | Scanner fragments | Opt-in gitleaks, vulnerability scanning, and license-allowlist presets |
| Ship | Release train | release-please + GoReleaser (or your own build commands) behind one contract that works for any language |
| | Supply chain | SBOM (SPDX), cosign keyless signatures, SLSA Build L3 provenance, immutable draft-until-complete releases — verifiable by anyone |
| | Release bot | A GitHub App provisioned in one browser click (koryph bot create), key in your vault, so Release PRs trigger checks unaided |
| | Docs publishing | Zensical/MkDocs book to GitHub Pages on every docs push, custom domain and HTTPS included |
| Operate | Live cockpit | koryph board, roster, and a VS Code extension with a tree view and quota status bar |
| | Everything in the binary | Provisioning, hygiene, validation, releases — a brew-style install is the complete product; scripts are shims |
What koryph is not
- Not a SaaS. There is no account, no telemetry, no server. Everything runs on your machine against your git remotes and your AI subscriptions.
- Not a framework. koryph never chooses your language, layout, or dependencies. Delete koryph and your repo is still a perfectly ordinary repo — you lose the factory, not the product.
- Not a replacement for judgment. The gate, the review stage, and protected paths exist precisely so that speed never outruns your standards.
Get started
```sh
# 1. Install — single static binary, no runtime needed
# (see the installation guide for download + verification)
koryph version

# 2. Register a project and let an agent loop build from your task graph
koryph project add . --account personal --identity you@example.com
koryph run --project <id> --once --auto-merge --review
```
Continue with the quickstart, or read Zero to shipped for the full journey — plan, build, protect, release.
This book serves both audiences: the user guide for operators and collaborators, and the developer guide for contributors to koryph itself.
The name
koryph comes from the Ancient Greek κορυφαῖος (koryphaios) — the leader of the chorus in classical Greek drama. The koryphaios stood at the head of the chorus and spoke on its behalf whenever it took part in the action: one voice fronting many performers moving in step. The root κορυφή (koryphē) means "crest" or "summit", and the word lives on in several modern languages as a term for the leading figure in a field.
That is exactly this tool's job: one process fronting a fleet of autonomous coding agents — queueing their work, dispatching them in parallel, and speaking for them at the merge. It is pronounced KOR-iff.
For AI agents and tools: a machine-readable index of the canonical docs
(llmstxt.org format) is published at /llms.txt — ingest it to map
the project and its operating contract.