Implementation Plan · Desktop app · Mission Control

Mission Control already runs on any folder — the work is making it feel native on a code repo

The desktop app opens any folder as a “vault.” Point it at a git repo and three things already work with zero changes: it discovers the claude sessions you ran in that repo’s terminal, it launches new agents with the repo as their working directory, and it never touches your git tree (no worktrees, no branches, push is a manual button). What’s not generic is everything layered on top — the instructions injected into every agent, and the Plan/Canvas workflow, all assume an HTML-Docs document vault. The plan below is a four-phase path to gate those behind a “repo mode.”

3
Subsystems already repo-generic
1
Real blocker: injected prompts
4
Phases to “any repo”
0
Changes to your git tree, ever
01How the binding works today

The repo is the vault

There is no separate “project” concept. You pick a folder; that folder’s absolute path is the single key everything derives from. For a code repo the app auto-detects it (it sees package.json, Cargo.toml, go.mod, pyproject.toml…) and switches to repo-aware indexing so it never treats your source .html as documents.

YOUR GIT REPO ~/code/my-app pick as vault → cwdSlug( path ) / and . → - ① DISCOVER — terminal sessions you already ran ~/.claude/projects/   -Users-you-code-my-app/     <session>.jsonl ×N read-only · head+tail scan · no hooks needed Fleet cards, live title · working/idle (from tail) step · N/total todos · time-ago “From terminal” sessions ② LAUNCH — new agents from the app spawn: claude -p --stream-json cwd = repo root ← unchanged --permission-mode · --model no worktree · no branch · in-place Writes into the same transcript dir → app + terminal sessions unify git stays read-only (push = manual button)
The folder’s absolute path is the only binding. It slugs into the Claude Code transcript directory (discovery) and is passed verbatim as the agent’s cwd (launch). Both halves are already path-driven and repo-agnostic.

02What already works vs what doesn’t

Capability matrix

Every Mission Control subsystem, graded for “drop it on an arbitrary git repo today.” Green needs nothing; amber degrades or needs gating; red is a genuine blocker for the intended experience.

SubsystemStatusBehaviour on a plain code repo (no .html)
Folder picker → open vaultGenericNative OS folder picker; any directory is valid. Repo auto-detected via manifest files, switches to repo-aware indexing.
Terminal-session discoveryGenericReads ~/.claude/projects/<slug>/*.jsonl for the repo path. Works with zero hooks. Title, working/idle, and todo progress all derived from the transcript.
New-session launchGenericSpawns claude -p with cwd = repo root, chosen model + permission mode. Direct & Ask modes are content-neutral.
Git handlingGenericRead-only status + diff meter; degrades cleanly in a non-git folder. Never creates worktrees/branches; push is user-gated.
Usage / cost analyticsGenericToken accounting reads the same transcripts; caches to .htmldocs/usage-cache.json under the repo.
Injected system promptsBlockerEvery agent is told it’s in an “HTML-Docs vault,” to write deliverables as self-contained .html into plans/ debriefs/ canvas/, in a fixed brand design system. Wrong instructions for a code task.
“Plan first” modeNeeds workFunctionally works, but the plan is a plans/*.html vault document (regions, versions, comments) rendered in the editor — not a repo-native artifact a dev would commit.
Editor / Docs screenDegradesOnly indexes .html in doc folders; on a code repo the Docs list is simply empty. Harmless, but a dead surface.
Session Canvas (stage/debrief)Needs workNon-plan sessions are told to keep a canvas/*.html visualization; the rich stage view depends on .claude/canvas/ hooks being installed.
Per-vault storageCosmeticSession records + title cache live in .htmldocs/ inside the repo — should be gitignored or relocated so it doesn’t litter the tree.
Cloud sync (html-docs.com)IndependentA separate, manual, opt-in Drive-style screen. Not required by Mission Control; simply leave it unused on a code repo.

03The gaps, precisely

Everything html-docs-specific lives in two places

The launch mechanics are clean. The coupling is (a) the text injected into agents and (b) the assumption that a “plan” is a vault HTML document. Fix those two and the rest is cosmetics.

Blocker

Injected agent instructions

Three prompt builders are appended to every agent’s system prompt. All assume an HTML-Docs vault: write deliverables as self-contained .html into plans/ · debriefs/ · canvas/, obey a fixed clay/serif design system, emit hd-options buttons. A code agent should get repo-native guidance instead.

prompts.ts → deliverablePrompt() · canvasPrompt()
agent-manager.ts → planSystemPrompt() · Docsmith
Needs work

Plan = vault document

“Plan first” creates a plans/<slug>.html through the vault document model — regions, version snapshots, comment threads, freeze-on-approve. Elegant for docs; foreign to a dev who wants a Markdown plan they can read in the diff and commit.

agent-manager.ts → startPlanSession() · submitPlan()
vault-manager.ts → planTemplateBody · PLAN_HEAD_STYLE
Degrades

Doc-only surfaces

The Editor and Cloud screens are built for .html documents. On a code repo they’re empty, not broken — but they’re dead rail entries that make the app feel mis-targeted.

editor/* · screens/cloud.tsx · vault-picker.tsx copy
Cosmetic

Footprint in the repo

.htmldocs/ (session records, title cache) and any .claude/canvas/ state get written inside the working tree. On a shared repo that’s noise in git status unless ignored.

agent-manager.ts → sessionsDir() · titles.ts · steering.ts

One policy to flag: the deliverable prompt tells every agent to commit locally but never git push, and says this overrides any repo instruction that says to push. On your own repo that’s intentional; on someone else’s repo, imposing it silently is a decision worth surfacing (see Decisions).


04The plan

Four phases, front-loaded value

Phase 1 alone makes the app genuinely useful on any repo — it’s a prompt-gating change, not new infrastructure. Later phases add polish and isolation. Each phase ships independently.

0

Verify the free lunch

Confirm · no code change
½ day
  • Open a real non-html repo (e.g. a Rust or Python project) as a vault; confirm terminal sessions discover, a new Direct session launches with the right cwd, and git stays untouched.
  • Write down what actually feels wrong — this validates that the only real problem is the injected prompts, not the plumbing.
1

Repo mode — gate the prompts

The load-bearing phase
2–3 days
  • Reuse the existing isRepoVault signal as an explicit workspace kind (docs | repo), surfaced through the vault info and settable in the picker.
  • Make deliverablePrompt / canvasPrompt / planSystemPrompt conditional: in repo mode, swap in a code-native system prompt (respect the repo’s own CLAUDE.md, use its conventions, no html/design-system/hd-options instructions).
  • Decide the git-push policy per workspace kind instead of hardcoding the override (see Decisions).
  • Outcome: Direct and Ask sessions on any repo now behave like a normal Claude Code run, driven from a fleet dashboard.
2

Repo-native plan mode

Make “Plan first” fit a codebase
3–5 days
  • In repo mode, write the plan as a Markdown file (plans/<slug>.md or .claude/plans/) instead of a vault HTML document — reviewable in the diff, committable.
  • Keep the approve → freeze → execute state machine, but back it with the plain file + a lightweight approval record rather than the version/comment document model.
  • Render the plan in the stage panel via read-only Markdown; the editor/regions path stays docs-only.
3

Multi-repo & footprint polish

Living in many projects
2–3 days
  • Store a recent-workspaces list (settings holds only lastVaultPath today) and add a quick switcher — the natural shape for someone hopping between repos.
  • Repo-aware picker copy and rail: hide/relabel the Docs & Cloud entries in repo mode (they read oddly on a codebase).
  • Stop leaving a tracked footprint: the app writes .htmldocs/ into the tree and never ignores it today — write a .htmldocs/.gitignore containing * on first use (one-line fix), or relocate the state entirely.
4

Optional — worktree isolation

Only if you run parallel agents
Spike
  • Today every session shares one working tree, so two agents editing at once collide. If parallel fleets on one repo become real, launch each in a git worktree and surface per-session branches.
  • Defer until the workflow demands it — it’s the highest-complexity, lowest-certainty item, and the current in-place model is fine for one-at-a-time work.

05Decisions to make first

Three forks worth settling before Phase 1

Each changes the shape of the work. My recommendation is marked on each.

Should the “never push” policy apply to arbitrary repos?

The deliverable prompt currently forbids git push and explicitly overrides the repo’s own “push after tasks” instruction. That’s a sensible guardrail, but silently overriding another project’s stated workflow is a stronger stance on a repo you don’t own.

Recommend: keep “commit locally, never push” as the repo-mode default, but make it a visible, per-workspace toggle rather than an invisible hardcode.

Plan artifact: Markdown file, or keep the HTML document model?

The HTML plan gives you live regions, version history and inline comments for free — genuinely nice. But it lands as an .html file a code reviewer won’t want in the tree, and it couples plan mode to the whole vault document engine.

Recommend: Markdown in repo mode; keep HTML documents for docs-mode vaults. Same state machine, different backing file.

Worktree isolation now, or defer?

In-place execution means parallel agents on one repo fight over the working tree. Worktrees fix it but add real complexity (creation, cleanup, branch surfacing, discovery-path implications since each worktree is a different cwd slug).

Recommend: defer to Phase 4. Ship the single-agent experience first; most repo work is one agent at a time.


Recommended first move

Run Phase 0 today — it needs no code

Open one of your non-html repos as a vault and drive a Direct session end to end. You’ll see the plumbing already works and feel exactly where the injected prompt fights the task. That firsthand list is the spec for Phase 1, and it’ll confirm the core claim of this plan: the fleet, discovery, launch and git-safety are done — only the words we put in the agent’s mouth are wrong.