Fast answer, fragile result
- Reads only the obvious file
- Loses requirements during a long session
- Edits outside the intended scope
- Repeats the same failed command
- Says “fixed” before tests run
Deepwork replaces rushed “done” claims with a bounded engineering cycle: contract, inspect, plan, implement, verify, review, and pass an evidence-backed final gate.
› /deep-build @deep-build fix checkout race
Cascade can still reason, edit, and use models normally. Deepwork changes what must be true before it is allowed to write broadly or call the result complete.
Objective, acceptance criteria, constraints, assumptions, non-goals, and protected paths are recorded before implementation.
The gate compares actual tracked and untracked changes against the baseline, plan, and task contract.
Escaping links, junctions, reparse redirects, hardlinks, special files, and protected credential paths are rejected.
Only exact planned checks run through the verifier, with source fingerprints captured before and after execution.
Task evidence binds to the Cascade trajectory that began it, preventing one session from borrowing another session’s proof.
Every outcome is classified as Verified, Partially verified, or Blocked—never upgraded by confident prose.
The runtime remains on your machine because it needs local repository access and must be launched by Windsurf as a `stdio` MCP.
# 1. Clone
git clone https://github.com/saisharan0103/windsurf-deepwork.git
cd windsurf-deepwork
# 2–3. Reproduce and verify the release
npm ci
npm run check
powershell -NoProfile -File .\scripts\test-installer.ps1
# 4. Install globally for the current Windows user
powershell -NoProfile -ExecutionPolicy Bypass `
-File .\scripts\install.ps1
# 5. Reload Windsurf, then use in Cascade
/deep-build @deep-build <your task>
Installer safety: it stages the runtime, proves the real Windows hook command, preserves predecessor config, records ownership, and rolls back on failure.
~\.codeium\windsurf\deepwork-runtime~\.codeium\windsurf\deepwork-state~\.codeium\windsurf\mcp_config.jsonThe always-on rule keeps the boundary short. The skill and workflows expand only when a non-trivial task needs the full procedure.
Freeze the goal and acceptance criteria.
Map repository state and affected paths.
Bind files and checks to each criterion.
Edit one coherent unit at a time.
Run exact planned commands and fingerprint.
Search independently for counterexamples.
Prove evidence and current Git scope agree.
Inspection, plan, current fingerprints, every planned command, Git scope, and acceptance evidence pass.
Useful work exists, but a relevant check is manual, skipped, unavailable, or lacks the authoritative MCP gate.
Evidence contradicts completion, a safety boundary was hit, or a required user/platform decision is unavailable.
Use the same prompt in each Arena candidate so the comparison is meaningful.
/deep-build @deep-build
Objective: <what must change>
Acceptance criteria:
- <observable result one>
- <observable result two>
Constraints:
- preserve existing user changes
- ask before deployments, secrets, or destructive actions
Verification:
- run the repository-native focused and regression checks
- require deepwork.final_gate before claiming Verified
A small tool surface makes discovery predictable and keeps the model focused on evidence instead of an oversized integration catalog.
deepwork.task_begin
Records the objective, acceptance criteria, non-goals, constraints, assumptions, allowed and protected paths, task ID, and canonical workspace.
CONTRACTdeepwork.inspect_repository
Builds a bounded inventory from Git, manifests, ripgrep or a filesystem fallback, and a link/reparse scan.
READ ONLYdeepwork.record_plan
Persists ordered steps, risks, exact intended files, and every verification command before implementation writes are allowed.
SCOPEdeepwork.run_verification
Executes one exact planned check without a shell, in a minimal environment, and fails if relevant source changes during verification.
EXECUTES CODEdeepwork.task_status
Returns the append-only task evidence and the current quality-gate stage for transparent recovery and handoff.
EVIDENCEdeepwork.final_gate
Refuses PASS unless the plan, post-change checks, acceptance evidence, current fingerprints, diff summary, and actual Git scope agree.
AUTHORITATIVECascade remains the MCP client. Deepwork runs as a local Node process, while task evidence stays outside the project and Git remains the source-of-truth for changed scope.
Deepwork cannot switch hosted models or launch Arena through MCP. Windsurf’s native Arena is the documented route for genuine multi-model candidates.
Initialize Git and commit or preserve the intended starting point. Untracked files are not copied into Arena worktrees by default.
Open the live model picker and select two strong, different models available to your account.
Use the same `/deep-build @deep-build` task in both isolated candidates. Model multipliers are charged additively.
Score repository coverage, diff scope, regression tests, security risk, and final-gate evidence.
Have the retained models review the winning diff without relying on its self-justification, then rerun affected checks.
A skill can require a careful process; it cannot secretly force a model’s hidden reasoning budget, select a Windsurf-hosted model, or start another Cascade session.
WhatsApp can become a notification or task-intake channel through a separate companion service. It cannot directly call a local Windsurf `stdio` MCP.
A local watcher reads redacted Deepwork task metadata and sends milestone notifications through Meta’s WhatsApp Cloud API. Incoming messages can stay limited to safe queries such as `status TASK-ID`.
A true two-way channel needs its own webhook API, authentication, durable job store, queue, isolated worker, GitHub identity, approvals, and response sender. It must orchestrate Deepwork explicitly.
Create a Meta app with WhatsApp, connect a business phone number, configure an HTTPS webhook, subscribe to message events, and store tokens outside source control.
Validate the webhook challenge and request signature, reject replayed events, allowlist senders, and enforce idempotency before creating a job.
Store task ID, sender, repository allowlist key, status, approval state, idempotency key, timestamps, and redacted evidence—not repository contents or secrets.
Use a fresh low-privilege worker per job, a least-privilege GitHub App, an explicit branch, bounded time and cost, and a final pull request for human review.
A parser should reject everything outside the documented grammar. Free-form context can be attached to a task, but it must never become a shell command.
Static, public, versioned with the source.
DEPLOYEDNeeds local filesystem and Windsurf `stdio` access.
INCLUDEDPublic HTTPS ingress and secret management.
BLUEPRINTDurable idempotency, approval, and status records.
BLUEPRINTIsolates untrusted code from the webhook service.
BLUEPRINTDeepwork constrains, detects, records, and refuses. It does not change the operating-system identity of Windsurf or make repository-controlled tests harmless.
Reject workspace escapes, protected paths, unsafe links, hardlinks, special files, and mid-scan changes.
Allow read-only terminal inspection; block network, deploy, destructive, chained, installer, and inline-interpreter forms.
Non-Deepwork MCP calls remain blocked unless the exact lowercase `server/tool` is deliberately allowlisted.
Append-only state, task identity, and content fingerprints prevent proof reuse after later edits.
Untrusted repository? Turn off automatic command execution, remove secrets from the environment, and use a disposable low-privilege VM or container. Hooks are policy checks, not kernel mediation.
Reload Windsurf, inspect `~\.codeium\windsurf\mcp_config.json`, run the installed doctor, and check whether the Enterprise administrator enabled or allowlisted the exact `deepwork` server configuration.
node "$HOME\.codeium\windsurf\deepwork-runtime\src\cli.js" doctorComplete `task_begin`, `inspect_repository`, `record_plan`, and the required unique reads first. The hook is enforcing the intended order.
Record the exact command in the task plan and run it through `deepwork.run_verification`. Direct terminal access is deliberately limited to read-only inspection.
Review the tool’s trust boundary, then allowlist only its exact lowercase `server/tool` identity through `DEEPWORK_ALLOWED_MCP_TOOLS`. Keep the list minimal.
Rerun every planned command after the latest write, remove out-of-scope changes, provide typed evidence for each criterion, and confirm current fingerprints. Manual evidence or unavailable Git keeps the result partial.
The installed file changed or ownership could not be proved. Preserve the change and inspect `deepwork-install.json` plus the ownership backups. Do not delete config just to force installation.
Not as a drop-in replacement for this release. The current MCP uses local `stdio` and needs the repository filesystem. A remote HTTP transport would require authentication, tenant isolation, repository provisioning, secret management, and a redesigned security boundary.
No documented Windsurf MCP interface does that. A WhatsApp companion can accept tasks and return status, while native Arena still starts manually unless a future supported API changes that boundary.
Try a shorter term such as “MCP”, “test”, “install”, “Arena”, or “WhatsApp”.
Use GitHub for distribution, Pages for the guide, Windsurf for the local client, and the final gate for the truth.