Case Study

Master OS

A custom AI operating system that orchestrates work across seven business domains — from a music label to an algorithmic trading system — using Claude Code agents, 9 git repositories, and a hooks-deterministic trust boundary model.

Status Production — running daily

Phase Phase 6 (shipped 2026-05-07)

Scale 9 repos · 336 wiki pages · 241 passing tests · A 19/19

What is the Master OS?

The Master OS is a custom AI operating system designed, built, and operated by Sean Traynor across seven business domains: Sandbox (content and curriculum engine), UMANO (music events and record label), VioletStudios (AI production tools), Suite52 (artist persona), AIQuantify (algorithmic trading — hard-siloed), MaxProduct (AI product incubator), and Personal (career and professional assets).

Nine independent git repositories are unified under a single orchestration layer. One command — /start — drives the full session loop. The system runs daily, compounds institutional knowledge continuously, and enforces trust boundaries at the infrastructure level rather than relying on model instruction-following.

The design premise: a solo operator running multiple businesses simultaneously can 10x throughput if the orchestration layer is correct — but correctness requires infrastructure enforcement, not convention. The Master OS is that infrastructure.

Architecture: Phase 6 Hybrid Orchestration

Phase 6, shipped 2026-05-07, replaced 10 discrete Phase 5 routines with a single /start command running an 8-phase intelligent session loop.

The Hybrid Model

The original Phase 6 design spawned a dedicated Opus-class session-orchestrator subagent to own the full loop. It was dead on arrival: Claude Code spawned subagents do not receive the Task or AskUserQuestion tools regardless of what's declared in their tools: frontmatter. No Task means no parallel scout spawning. No AskUserQuestion means no multi-choice interview.

The fix — now permanent doctrine — is to keep the session loop in the main session, which retains the full toolkit. The main session spawns subagents only where the restricted palette is sufficient. This is the Hybrid model: main session as orchestrator, subagents as specialists.

Session Loop Phases

Phase	Action	Freshness skip?
0	Initialize — load session state, check health	Never
1	Scout dispatch — 8 parallel per-brand scouts read new signal	Yes — skip if no new commits
2	Housekeeping — surface system_doctor failures as tickets	Yes — if A grade held
3	Outstanding state load — open tickets, blocked items	Never
4	Brief — synthesize scout output for operator	Yes — if scouts skipped
5	Interview prompt — 5 questions per engaged brand	Yes — if ran today
6	Ticket draft + approval — one-at-a-time	Never (queue must drain)
7	Dispatch — parallel-by-brand executor launch	Never
8	Distillation + session close	Yes — if ran today

Hooks-Deterministic / CLAUDE.md-Advisory Split

Every trust boundary that must hold 100% of the time is implemented as a Claude Code hook (PreToolUse JSON). CLAUDE.md files and .claude/rules/*.md are advisory — read by language models, not enforced by the runtime. This separation means the system's correctness does not depend on model obedience; it depends on hook execution.

ticket-state-guard.json

Blocks any direct write to tickets.json. All ticket state transitions must go through scripts/tickets.py, which validates against a finite state machine. Accidental state corruption is structurally impossible.

pre-merge-gate.json

Intercepts git merge on any claude/T-* branch. Fails the merge unless: verifier verdict is pass, pytest is green, ruff is clean, system_doctor reports A 19/19. Broken code cannot reach main.

boundary-guard.json + safety_guard.py

Four-layer isolation for AIQuantify, the live trading system. Any one layer can fail independently; all four must fail simultaneously to breach the boundary.

worktree-cleanup.json

SessionStart GC that removes stale worktrees: 24h after merge, 3d after blocked, 1d orphan. Branch accumulation is a solved problem.

Multi-Repo Coordination

Parallel-by-Brand Worktrees

When tickets are dispatched, the session orchestrator spawns one ticket-executor per brand concurrently. Each executor gets its own git worktree at .claude/worktrees/<TICKET_ID>/ on branch claude/<TICKET_ID>, preventing same-repo collisions while maximizing throughput. A six-brand dispatch runs in parallel — the total session time is bounded by the slowest ticket, not the sum of all tickets.

FF-Merge Direct-to-Main

No PRs, no review queues. Every ticket branch merges to main via fast-forward once the pre-merge gate passes. The operator is a single person; ceremony adds no value. A git revert is the recovery mechanism, not a review gate. The pre-merge gate hook serves as CI — pytest, ruff, and system_doctor must all pass before any merge is permitted.

Machine-Readable Repo Registry

scripts/repo_protocol.py::REPOS is the single source of truth for all 9 repo paths, push policies, auto-commit paths, and skip paths. No script hard-codes the repo list — all walk it from the registry. This makes the topology extensible without touching every consumer.

Novel Patterns

Hard Silos with 4-Layer Defense

AIQuantify is a live algorithmic trading system. Its isolation is not advisory — it is enforced by four independent mechanisms:

.claude/settings.json deny-list (blocks file reads at the Claude Code config layer)
.claude/rules/aiquantify.md (advisory rule, loaded for every session)
boundary-guard.json PreToolUse hook (intercepts Bash, Read, Write, Edit before execution)
scripts/safety_guard.py runtime check (called by ticket-executor at every Bash invocation)

Any one layer failing does not breach the silo — all four must fail simultaneously. This is defense-in-depth for a system where a misread could trigger financial consequences.

Agent Contracts via system_doctor

Every agent in the system has a declared contract. The librarian writes only wiki/<Brand>/. The operator-global writes only wiki/_global/. The ticket-executor writes only to its worktree and tickets.json (via the API, not directly). Scouts and distillers are read-only.

These aren't conventions. python3 scripts/system_doctor.py --grade validates all 8 agent contracts exist, have correct frontmatter, and are registered. A 19/19 checks. Deviation surfaces as a housekeeping ticket at the next session start.

Distillation as a Compounding Wiki

Every session produces artifacts: session logs, merged tickets, blocked tickets, research notes. The first /start of each new calendar day runs a distillation phase that converts yesterday's artifacts into durable wiki knowledge.

The pipeline: scripts/distill.py gather assembles DistillationPayloads per brand → parallel distiller subagents classify candidates as high/medium/low confidence → distill.py route determines target authority → librarian writes wiki/<Brand>/; operator-global writes wiki/_global/. Distillers never write directly — they classify and propose. Authority chains are preserved at the distillation boundary.

High-confidence findings (verified-merged tickets, clean research) auto-promote. Medium-confidence surfaces in the next session interview for approval. Low-confidence stays in the daily ledger only. The compound effect: each day the system gets smarter without any manual curation effort.

Scale Metrics

336

Wiki pages (active knowledge base)

A 19/19

system_doctor grade (all checks passing)

241

Passing pytest tests

Git repos in network

Agent contracts defined and validated

Active business domains orchestrated

Shipping Evidence

Shipped 2026-05-07

Phase 6 Conversational Orchestration

Complete replacement of the Phase 5 routines layer (10 discrete routines) with a single /start command running an 8-phase intelligent session loop. Net result: +52 new tests (241 total passing), system_doctor A 19/19, wiki grew from 123 to 133 operational pages during the migration alone.

Merged Commit aed82d8

T-2026-05-07-_global-01: Phase 6 shakedown

End-to-end smoke test ticket: full pipeline — scout → interview → ticket draft → approval → executor → verifier → pre-merge-gate → FF-merge → session log — runs correctly in a live session.

Demonstrated Ongoing

Parallel-by-brand dispatch

Multiple tickets dispatched and executed concurrently across brand worktrees in the same session. Zero-collision parallel execution demonstrated across 6 simultaneous ticket-executors.

Key Takeaways for AI Systems Architects

Hooks beat prompts for invariants. Anything that must hold 100% of the time needs a hook. CLAUDE.md is advice; hooks are guarantees.
Runtime constraints determine architecture. The hybrid orchestration model came from discovering a hard constraint in Claude Code's subagent toolkit — not from theory. Ship the system the runtime supports, not the one you drew on a whiteboard.
Authority delegation scales without bureaucracy. Agent contracts mean any subagent can be trusted to stay in its lane structurally, without manual review of every action. This enables true parallelism.
Compounding knowledge is the moat. A system that gets smarter every day via distillation compounds faster than a static system. The quality floor rises automatically.
One-operator + one-command = full stack throughput. The OS achieves parallel-by-brand execution across 7 domains from a single /start. Ceremony is the enemy of throughput for a solo operator.

Want to discuss this architecture or explore similar patterns for your team?

Get in touch Read the essay →