Orchestrate
/hub:orchestrate is for changes that cross ≥3 domains and need explicit staging. It runs in two phases: planner produces a plan, you approve it, then agents execute with clear hand-offs.
When to use it
- Multi-domain work (API + frontend + mobile + infra, etc.).
- Risky or irreversible changes that deserve a review step.
- When you want the execution split across agents, not done by one.
When NOT to use it
- Single-agent work. Use create or enhance.
- No existing plan and no clear scope. Use brainstorm first.
Invocation
/hub:orchestrate migrate auth from sessions to JWT across API + frontend + mobile@hub orchestrate migrate auth from sessions to JWT across API + frontend + mobileThe two phases
Phase 1 — plan
hub:orchestrator explores the repo, produces a plan that names every agent and every step with hand-offs, and shows you a HEAVY gate including the full dependency graph. You approve, tweak, or cancel.
Phase 2 — implement
The approved plan executes. Each agent runs in order, passes context to the next, and you see a clean transcript block per agent.
Example session
Sessions → JWT migration
user
/hub:orchestrate migrate auth from sessions to JWT across API + frontend + mobile
hub:orchestrator
Phase 1: plan. Exploring repo…
Plan ready. 5 agents, 7 steps. Dependency graph attached. Token est: ~185k.
- database-architect — add
refresh_tokenstable, migration - backend-specialist — JWT issue/refresh/revoke endpoints
- security-auditor — review signing, rotation, logout behaviour
- frontend-specialist — replace session cookies with token storage + refresh
- mobile-developer — Keychain/Keystore token storage + refresh in RN
gate
HEAVY · 5 agents · ~185k tokens · MoSCoW + graph shown · [y/n/tweak]
user
y
hub:database-architect
refresh_tokens table + 0012_jwt_auth migration. Done.
hub:backend-specialist
Issue/refresh/revoke wired. Legacy session endpoints deprecated with 410 + sunset header.
hub:security-auditor
HS256 → RS256 recommended. Rotation every 7d. All good otherwise. Applied.
hub:frontend-specialist
Token storage in httpOnly refresh + in-memory access. Axios interceptor for refresh.
hub:mobile-developer
iOS Keychain + Android Keystore. Refresh on app foreground. Tested on both sims.
Pro tips
- Use orchestrate when the risk is “one agent forgot the other domain.” The plan phase makes hand-offs explicit.
- Tweak the plan, not the prompt. The HEAVY gate accepts
tweak— use it to reorder steps or drop an agent. - Ledger afterwards.
/hub:ledger by-agentreveals which specialist ate the most tokens. Next time, you can warn them to be conservative.
Next steps
- Create — lighter, single-chain scaffolding for greenfield.
- Approval gate — how the HEAVY frame is built.
- Security auditor — the agent that caught HS256 here.