Manager — codeword-triggered Manager mode + HARD delegation wall
sonnet hook
Tip
What is Manager mode? You type a short codeword (++m, ++mp, ++rr, or ++r) anywhere in your message and Claude instantly activates a discipline contract — just for that one message. ++m makes Claude a pure orchestrator that delegates all hands-on work. ++mp adds a full task-graph planning pass. ++rr and ++r inject review discipline (anti-regression / two-phase double-check). No setup required. The codeword is stripped from your message; your actual text is preserved.
What actually happens
You type:
++m refactor the payment module
Claude actually receives (you never see this part — it is injected invisibly by a hook):
Note
[ INJECTED: Manager operating contract ]
You are a Manager, not an executor. Your job is orchestration only.
- Decompose the task — identify all pieces.
- Build a TaskGraph — every piece becomes a task with dependencies.
- Delegate — spawn the best specialist agent for each task.
- Run independent tasks in parallel — maximize fan-out.
- Integrate results — collect outputs, synthesize the answer.
Never implement, fix, or edit code yourself. Never run builds or tests yourself. If you catch yourself writing production code — stop and delegate instead.
refactor the payment module
Your single line becomes: the full Manager contract (highlighted above) + your original request. The codeword ++m is consumed; your text reaches Claude unchanged. Curious how injection works? See Prompt Injection.
Codewords
| Codeword | Means | What it does |
|---|---|---|
| ++m | Manager | Manager + delegation for the current task — Claude orchestrates, never codes by hand |
| ++mp | Manager for Plan | Manager role for plan + delegation — writes the full task graph in English before starting, uses the tasks tool |
| ++rr | Regression Review | Regression review with double-check — after each significant phase, run a review focused on no regression + project standard + correctness; two-phase (review → double-check → fix); mandatory final cross-review at task end |
| ++r | Review | Review with double-check — after each significant change, run a two-phase multi-agent review (review → double-check → fix); codeword-only, no ambient injection or wall state change |
Detection order: ++mp → ++m → ++rr → ++r (longest-prefix first; ++rr is always tested before ++r).
Put the codeword anywhere: start, middle, or end of your message. Everything else is passed through unchanged.
Everyday commands
| Command | What it does |
|---|---|
| /brewtools:manager status | Show what is currently on — codeword state, wall state, prompt source |
| /brewtools:manager on | Turn on the HARD wall — Claude physically cannot write/edit files in this project until you turn it off |
| /brewtools:manager off | Turn the HARD wall off |
| /brewtools:manager edit full | Open the Manager prompt text so you can customize it |
The HARD wall
Caution
With the HARD wall ON, Claude in the main chat physically cannot edit files, write, or run mutating commands. It is forced to delegate every hands-on step to a subagent. Subagents have full freedom — they can write, edit, run tests, push commits, anything. Turn the wall on and off with /brewtools:manager on / /brewtools:manager off. It is opt-in and per-project — nothing changes until you enable it.
The wall in action
The wall is ON. You ask:
fix the bug in payment.ts
Claude tries to edit the file directly — and is blocked:
Caution
Edit blocked — Manager HARD wall is ON. The main session cannot edit files, write, or run mutating commands. Delegate this to a subagent.
So Claude does the right thing — it spawns a subagent, which has full access:
- Main session: delegate
  Claude spawns a developer subagent with the task “fix the bug in payment.ts”.
- Subagent: do the work
  The subagent edits payment.ts, runs the tests — all tools allowed inside a subagent.
- Main session: integrate
  Claude reads the subagent’s result and reports back. It never touched the file itself.
What is allowed vs blocked (wall ON)
| In the MAIN chat (wall ON) | Allowed? |
|---|---|
| Read, search, plan, delegate (Task) | Yes |
| Edit / Write files | No — delegate |
| Run mutating commands | No — delegate (read-only Bash allowed on the default level) |
| Anything inside a subagent | Yes — full freedom |
This is what “delegate everything” means in practice — the wall makes it physically true, not just a suggestion. For the deep mechanics (tool buckets, strict vs balanced, the agent_id linchpin) see the technical spoiler below.
When to use
| Situation | What to type |
|---|---|
| Delegate one complex task as Manager, just this turn | do X ++m |
| Start a full parallel plan with task breakdown | plan Y ++mp |
| Enforce the delegation rule for a whole project session | /brewtools:manager on |
| Run one task under the wall then auto-revert | refactor payment service in hard mode |
| Run task as Manager without changing any wall state | build release plan as manager |
| Check current state | /brewtools:manager status |
Technical: how the HARD wall works (tool buckets, strict vs balanced, agent_id linchpin)
The HARD wall is an optional, project-scoped guard that physically blocks the main Claude session from writing or editing files. Subagents always stay fully free — delegation is never blocked.
Install-once + state-gate
/brewtools:manager on copies hardmode-guard.mjs from the plugin cache into <cwd>/.claude/brewtools/manager/hardmode-guard.mjs and registers a PreToolUse * entry in <cwd>/.claude/settings.local.json (personal, gitignored). The guard is registered once; subsequent on calls overwrite it (so plugin updates propagate) without adding duplicates. A /reload or session restart is required after first install.
The guard reads <cwd>/.claude/brewtools/manager/state.json on every PreToolUse call. When hard !== true, the guard exits immediately — no denial. off flips state.hard=false without touching settings.local.json; the guard stays registered but becomes a no-op. This split exists because editing settings while the wall is armed would be blocked — the state flip is self-exempt and always succeeds.
agent_id linchpin — main session blocked, subagents free
The PreToolUse payload carries agent_id / agent_type only for subagent-internal tool calls. Main-session calls have no agent_id. The guard denies mutations only when agent_id is absent. Subagents pass through freely — delegation itself is never blocked.
Tool buckets
| Bucket | Tools | Main session while wall ON |
|---|---|---|
| ALWAYS-ALLOW | Read, Grep, Glob, Task, Agent, Skill, TaskCreate, TaskUpdate, TaskList, TaskGet, TodoWrite, AskUserQuestion | Always allowed — delegate / read / track |
| ALWAYS-BLOCK | Write, Edit, NotebookEdit, WebFetch, MCP-write tools | Always denied — hands-on mutation |
| LEVEL-gated | Bash, WebSearch, MCP-read tools | Decided by level (see below) |
Strict vs balanced
| Aspect | strict | balanced (default) |
|---|---|---|
| Bash | Fully OFF — every command denied | Read-only classifier — allow inspection, deny mutation |
| Allowed Bash (balanced) | — | git status/log/diff/show/branch, ls, cat, pwd, which, echo, head, tail, wc, gh ... list/view, grep/rg, find (no -delete/-exec) |
| Denied Bash (balanced) | — | >, >>, rm, mv, cp, git commit/push/reset, npm install, pnpm, yarn add, pip install, mkdir, touch, chmod, sed -i, tee, kill, $(...), node -e |
| WebSearch | OFF | ON |
| MCP-read | Explicit-allow list only | Heuristic allow (read-shaped tool names) |
| MCP-write | Denied | Denied |
The balanced Bash classifier is an allowlist of known-safe read-only commands, NOT a shell evaluator. Command substitution $(...) and node -e / --eval are denied even in balanced mode.
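The state gate, the agent_id check, the tool buckets and a balanced-level Bash allowlist combined into one decision function, as an added example that is not the project's hardmode-guard.mjs. The `{ decision, reason }` return shape is hypothetical; the allowlist is a subset of the table above and is deliberately stricter about shell metacharacters and `git branch` flags.

```javascript
// Added example, not the project's hardmode-guard.mjs. tool_name and
// tool_input.command are Claude Code hook payload fields; the returned
// { decision, reason } object is this example's own shape.
const ALWAYS_ALLOW = new Set(['Read', 'Grep', 'Glob', 'Task', 'Agent', 'Skill', 'TaskCreate',
  'TaskUpdate', 'TaskList', 'TaskGet', 'TodoWrite', 'AskUserQuestion']);
const ALWAYS_BLOCK = new Set(['Write', 'Edit', 'NotebookEdit', 'WebFetch']);
const DENY_REASON = 'Manager HARD wall is ON -- delegate via Task/Agent, ' +
  'or run /brewtools:manager off to exit.';

// Subset of the page's balanced allowlist (gh list/view omitted).
const READ_ONLY = [
  /^git (status|log|diff|show)\b/,
  /^git branch(\s+(-a|-r|-v|-vv|--list|--show-current))*$/, // listing forms only (example's choice)
  /^(ls|cat|pwd|which|echo|head|tail|wc|grep|rg)\b/,
  /^find\b(?!.*\s-(delete|exec|ok|fprint|fls))/, // prefix match also covers -execdir, -okdir
];
// Example's choice, stricter than the page's list: any chaining, piping,
// redirection, substitution or embedded newline is refused outright.
const SHELL_META = /[;&|<>`\n\r]|\$\(/;

function isReadOnlyBash(command) {
  const cmd = String(command || '').trim();
  if (SHELL_META.test(cmd)) return false;
  return READ_ONLY.some((re) => re.test(cmd)); // unknown commands are denied
}

function decide(payload, state) {
  const allow = { decision: 'allow' };
  const deny = { decision: 'deny', reason: DENY_REASON };
  if (!state || state.hard !== true) return allow; // state gate: disarmed guard is a no-op
  if (payload.agent_id) return allow;              // subagent-internal call passes through
  const tool = payload.tool_name;
  if (ALWAYS_ALLOW.has(tool)) return allow;
  if (ALWAYS_BLOCK.has(tool)) return deny;
  const strict = state.level === 'strict';
  if (tool === 'Bash') {
    const cmd = payload.tool_input && payload.tool_input.command;
    return !strict && isReadOnlyBash(cmd) ? allow : deny;
  }
  if (tool === 'WebSearch') return strict ? deny : allow;
  return deny; // MCP heuristics omitted: unknown tools fail closed (example's choice)
}
```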
Off-switch safety
| Guarantee | Mechanism |
|---|---|
| /brewtools:manager off is never blocked | Skill tool is ALWAYS-ALLOW; state writer is self-exempt by path anchor |
| Works even at level strict | writeState target path (.claude/brewtools/manager/state.json) is exempt from Bash denial |
| Every denied tool call shows the exit command | Deny reason: Manager HARD wall is ON -- delegate via Task/Agent, or run /brewtools:manager off to exit. |
Technical: prompt resolution + scopes (where the Manager text comes from)
How the codeword injection works
On every user message, manager-prompt.mjs scans the prompt text. Detection order follows longest-prefix first: ++mp → ++m → ++rr → ++r. This ensures ++mp is never mis-matched as ++m, and ++rr is never mis-matched as ++r. If no codeword is present (and the wall is not armed), the hook exits immediately — no file I/O, zero overhead.
The hook resolves the prompt text for the detected mode (full or planmode) via three-level fallback:
- Project override: .claude/brewtools/manager/prompts/<mode>.md
- Global override: ~/.claude/manager/prompts/<mode>.md
- Plugin default: plugin references/<mode>.md
Project and global overrides survive plugin updates because they live outside the plugin cache.
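Codeword detection and the three-level prompt lookup traced end to end, as an added example that is not the project's manager-prompt.mjs; it returns the file paths that supplied the injected text so they can be audited. Assumptions: the `env` object, the `readFile` callback, the sample files, and that ++mp reads `full.md` plus `planmode.md`; the review contracts for ++rr and ++r are detected but not resolved here.

```javascript
// Added example, not the project's manager-prompt.mjs.
// Longest-prefix first: ++mp before ++m, ++rr before ++r.
const CODEWORDS = ['++mp', '++m', '++rr', '++r'];
// Assumption: ++mp pulls full.md plus planmode.md; review contracts are not modelled.
const MODES = { '++m': ['full'], '++mp': ['full', 'planmode'] };

function detectCodeword(prompt) {
  for (const word of CODEWORDS) {
    const at = prompt.indexOf(word);
    if (at === -1) continue;
    // Consume the codeword (and one following blank); keep the user's text.
    const rest = prompt.slice(at + word.length).replace(/^[ \t]/, '');
    return { codeword: word, text: (prompt.slice(0, at) + rest).trim() };
  }
  return null; // no codeword: nothing is injected
}

// readFile(path) must return the file text, or null when the file is absent.
function resolvePrompt(mode, env, readFile) {
  const candidates = [
    `${env.cwd}/.claude/brewtools/manager/prompts/${mode}.md`, // 1. project override
    `${env.home}/.claude/manager/prompts/${mode}.md`,          // 2. global override
    `${env.pluginRoot}/references/${mode}.md`,                 // 3. plugin default
  ];
  for (const path of candidates) {
    const text = readFile(path);
    if (text !== null) return { path, text };
  }
  throw new Error(`no prompt text for mode "${mode}"`);
}

function buildInjection(prompt, env, readFile) {
  const hit = detectCodeword(prompt);
  if (!hit) return { injected: false, prompt, sources: [] };
  const blocks = (MODES[hit.codeword] || []).map((m) => resolvePrompt(m, env, readFile));
  return {
    injected: blocks.length > 0,
    codeword: hit.codeword,
    sources: blocks.map((b) => b.path), // which files fed the model this turn
    prompt: [...blocks.map((b) => b.text), hit.text].join('\n\n'),
  };
}

// Constructed sample: a project override for "full", plugin default for "planmode".
const SAMPLE_FILES = new Map([
  ['/proj/.claude/brewtools/manager/prompts/full.md', 'PROJECT FULL BLOCK'],
  ['/plugin/references/full.md', 'DEFAULT FULL BLOCK'],
  ['/plugin/references/planmode.md', 'DEFAULT PLAN ADDON'],
]);
const sampleRead = (p) => (SAMPLE_FILES.has(p) ? SAMPLE_FILES.get(p) : null);
```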
When the HARD wall is armed, the Manager (full) block is also ambient-injected every turn with no codeword needed — codewords and wall injection are independent channels.
Scope table
| Thing | Scope | Files |
|---|---|---|
| Wall flags {hard, level} | PROJECT ONLY | <cwd>/.claude/brewtools/manager/state.json |
| Wall registration (guard) | PROJECT ONLY | <cwd>/.claude/settings.local.json + <cwd>/.claude/brewtools/manager/hardmode-guard.mjs |
| Soft mode field (informational) | project state | same state.json |
| Prompt-text overrides (edit/reset) | project or global | project: <cwd>/.claude/brewtools/manager/prompts/<mode>.md — global: ~/.claude/manager/prompts/<mode>.md |
The wall flags (hard/level) are resolved project-only. Passing --scope global to on/off/level is silently ignored (wall has no global scope); the flag only applies to prompt-text override scope in edit/reset.
Prompt resolution chain
| Priority | State source | Prompt override source |
|---|---|---|
| 1 (highest) | .claude/brewtools/manager/state.json | .claude/brewtools/manager/prompts/<mode>.md |
| 2 | ~/.claude/manager/state.json | ~/.claude/manager/prompts/<mode>.md |
| 3 (lowest) | Hardcoded {enabled:true, mode:"full"} | Plugin references/<mode>.md |
Global paths (~/.claude/*) are protected from direct Write/Edit tool access (Claude Code v3.4.70+). The skill writes them via bundled Node helpers using atomic lock+tmp+rename.
Plan Mode addon (++mp)
When ++mp is detected, the hook injects both the full Manager block and the Plan Mode addon. The addon instructs the model to: write the full TaskGraph in English into the plan before starting; mark tasks with parallel / critical-path indicators; output all task and plan text in English regardless of user prompt language.
Full command and intent reference (all actions, hard-one-shot vs manager-run)
The skill also understands natural-language Russian (e.g. on/off, hard mode, status). The complete RU+EN trigger list lives in the skill’s SKILL.md.
Actions
| Action | Command / natural language | Effect |
|---|---|---|
| on | /brewtools:manager on | INSTALL guard + ARM the HARD wall (project). /reload on first install only |
| off | /brewtools:manager off | DISARM the wall (state flip only — registration kept, guard no-ops) |
| uninstall | /brewtools:manager uninstall | DEREGISTER guard from settings.local.json, then /reload |
| level strict | /brewtools:manager level strict | Wall strictness = strict (Bash fully off) |
| level balanced | /brewtools:manager level balanced | Wall strictness = balanced (read-only Bash allowed) |
| status | /brewtools:manager status | Full explainer: codewords + wall state + effective prompt sources |
| mode full | /brewtools:manager mode full | Set prompt-text mode to full (informational only) |
| mode planmode | /brewtools:manager mode planmode | Set prompt-text mode to planmode (informational only) |
| edit [full\|planmode] | /brewtools:manager edit | Copy plugin default into project override for editing |
| reset [full\|planmode] | /brewtools:manager reset | Delete project override, revert to plugin default |
| hard-one-shot | <task> in hard mode | Wall ON — run task as Manager — auto-revert wall OFF when done (reverts even on failure or abort) |
| manager-run | <task> as manager | Run task as Manager with wall UNTOUCHED (discipline via injected prompt only — no wall toggle) |
| inline-run | /brewtools:manager <task> | Prepend Manager block, execute — no state change |
Expected status output (wall off)
# Manager -- status
## Codewords (ALWAYS active -- hook-driven, independent of this skill)
Type `++m` anywhere -> injects the Manager (full) block for that one turn.
Type `++mp` anywhere -> injects the Manager + Plan Mode block for that one turn.
Type `++rr` anywhere -> injects the Regression Review contract for that one turn.
Type `++r` anywhere -> injects the Review contract for that one turn.
--- injected by ++m (full) ---
<full Manager block text>
--- injected by ++mp (planmode) ---
<planmode block text>
## HARD wall (this project) -- registered=no armed=OFF level=balanced (state source: default)
Enable: /brewtools:manager on
Disable: /brewtools:manager off
Uninstall: /brewtools:manager uninstall
Level: /brewtools:manager level strict | balanced
hard-one-shot vs manager-run
hard-one-shot (<task> in hard mode) actually toggles the guard: wall ON — task runs — wall auto-reverts OFF when done, even on failure or abort. The guard never silently persists.
manager-run (<task> as manager) does NOT touch the wall state at all. Manager discipline is enforced via the injected prompt only. Use this when you want Manager behavior without arming or changing the guard.
Think Short
Companion output-control skill — inject brevity directives via SessionStart and per-agent PreToolUse rather than per-prompt codewords.
Prompt Injection
How the ++m / ++mp / ++rr / ++r codewords inject the Manager / review contract into the model — the full mechanism explained.
Brewtools overview
All brewtools skills and agents in one place.
GitHub source
Source code — skill, manager-prompt.mjs hook, hardmode-guard.mjs, prompt references, and state helpers.
Updating plugins
/brewtools:plugin-update to check and update the brewcode plugin suite in one command.
See the FAQ for details.