When you tell an AI coding agent to “implement the login flow,” it will write code. Sometimes excellent code. But it might also modify files outside the task scope, skip tests, introduce security vulnerabilities, or make architectural decisions you didn’t authorize. Multiply that by 50 parallel agents across 6 products, and you have a governance problem.

That’s why we built NechoOS.

The Problem: AI Agents Are Powerful but Ungoverned

ResonEcho is a multi-product software company. We build everything from fragrance discovery apps to live streaming platforms to BLE mesh networking prototypes. One person (our founder) writes the specifications. AI coding agents (Claude Code) do the implementation.

This works incredibly well — 545+ commits across 7 repositories in 34 days — until it doesn’t. Without governance, AI agents will:

• Modify files outside their task scope. A bug fix agent might “helpfully” refactor unrelated code.
• Skip validation steps. An agent optimizing for speed might bypass tests or linting.
• Make unauthorized architectural decisions. An agent might introduce a new dependency or change a data model without approval.
• Fail silently. An agent might mark a task as done when acceptance criteria haven’t been verified.

These aren’t hypothetical problems. We hit every one of them in the first two weeks of multi-agent development.

The Solution: NechoOS

NechoOS is our AI agent governance and orchestration framework. It sits between the human developer and the AI agents, ensuring that every action is authorized, scoped, and verified.

How It Works

1. PRPs (Project Request Protocols)

Every task starts with a PRP — a structured specification file with YAML frontmatter that defines:

• scope_globs — exactly which files the agent is allowed to touch
• allowed_tools — which operations are permitted (read, write, edit, execute)
• validators — automated checks that run after every tool call
• acceptance criteria — what must be true for the task to be considered complete

The human writes the PRP. The agent executes within its constraints. No PRP, no work.

2. Dual-Layer Hook System

Every tool call is intercepted twice:

• Pre-execution hooks check: Does the agent have an active PRP? Is the target file within scope? Is this tool allowed? If any check fails, the action is blocked before it executes.
• Post-execution hooks validate: Did the edit pass syntax checking? Did the test pass? Is the output within acceptable parameters? If validation fails, the error feeds back to the agent for automatic correction.

This creates a closed loop where agents self-correct within governance constraints.

3. Ralph Loop + Oracle Verification

The Ralph Loop is our guaranteed-completion pattern. The agent works until all acceptance criteria pass, then requests Oracle signing. The Oracle (a separate verification step) cryptographically confirms the task is actually done — not just “the agent says it’s done.”

No PRP is marked complete without cryptographic proof.

4. Multi-Agent Orchestration (Ultrawork)

For large tasks, NechoOS coordinates 28-50+ parallel AI agents. Each gets a scoped sub-PRP, executes independently, and results are fused. We’ve used Ultrawork for:

• Security auditing (37+ vulnerabilities discovered in a single session)
• Large-scale refactoring across multiple modules
• Comprehensive documentation generation
• Multi-perspective code review

Complexity-Based Model Routing

Not every task needs the most powerful model. NechoOS automatically routes:

• Simple tasks (rename a variable, fix a typo) → Haiku (fast, cheap)
• Standard tasks (implement a function, write a test) → Sonnet (balanced)
• Complex tasks (architectural decisions, security analysis) → Opus (deep reasoning)

This reduces average API costs while maintaining quality where it matters.

Results

NechoOS is deployed across all ResonEcho products:

• 230+ PRPs authored and executed
• 545+ commits directed by PRP specifications
• 1,400+ automated tests across the portfolio
• 6 products governed by a single framework
• 50+ parallel agents orchestrated on complex tasks

The framework doesn’t just prevent bad things from happening. It makes AI development auditable. Every action has a PRP. Every PRP has scope constraints. Every completion has Oracle verification. When a government auditor (SR&ED) or credit program reviewer asks “how was this built?”, we have a complete, cryptographically verifiable chain of evidence.

Why This Matters Beyond ResonEcho

The patterns in NechoOS — scoped specifications, dual-layer hooks, Oracle verification, multi-agent orchestration — aren’t specific to our products. Any team using AI coding agents faces the same governance challenges:

• How do you prevent scope creep in autonomous agents?
• How do you verify that AI-generated code meets your standards?
• How do you coordinate multiple agents without conflicts?
• How do you create audit trails for AI-directed work?

We’re solving these problems for ourselves, but the patterns are generalizable. As AI-assisted development becomes the norm, governance frameworks like NechoOS will be necessary infrastructure — not optional tooling.

What’s Next

We’re continuing to develop NechoOS alongside our product portfolio. Current focus areas:

• Plugin architecture — making NechoOS installable in any Claude Code project
• Self-improving skills (SFA) — agents that get better over time with human approval gates
• Cross-project governance — shared policies across multiple repositories
• Memory systems — persistent learning across development sessions

If you’re building with AI agents and care about governance, safety, and auditability, we’d love to talk. Reach out through our contact page.

Stephen Duncan, Founder ResonEcho Inc.