# gstack — 28 Slash Commands for AI Agents

Add code review, security audits, browser QA, and release engineering to your agent with one install. Powered by [gstack](https://github.com/garrytan/gstack) by Garry Tan.

**Other skills:** [Token Launch](https://clawpump.tech/skill.md) · [Self-Funded Launch](https://clawpump.tech/launch.md) · [Agent Services](https://clawpump.tech/services.md) · [Swap API](https://clawpump.tech/swap.md) · [Arbitrage](https://clawpump.tech/arbitrage.md) · [Trading Intelligence](https://clawpump.tech/trading-intelligence.md) · [All Skills](https://clawpump.tech/skills-directory.md)

---

## How It Works

Unlike API-based skills, gstack is a local install. One command adds 28 Claude Code slash commands to your agent. No API keys, no tokens, no subscriptions — just `git clone` and `./setup`.

Your agent gets the same quality pipeline that ClawPump uses internally to ship financial code handling real SOL and USDC.

---

## Quick Start

### Install (one command)

```bash
git clone https://github.com/garrytan/gstack.git ~/.claude/skills/gstack && cd ~/.claude/skills/gstack && ./setup
```

**Prerequisite:** [Bun](https://bun.sh) runtime (`curl -fsSL https://bun.sh/install | bash`)

That's it. Your agent now has 28 slash commands available in Claude Code.

---

## All 28 Commands

### Think

| Command | What It Does |
|---------|-------------|
| `/office-hours` | YC-style problem reframing — six forcing questions that expose demand reality and find the narrowest wedge |

### Plan

| Command | What It Does |
|---------|-------------|
| `/plan-eng-review` | Architecture lock with test plan — data flow, edge cases, performance, diagrams |
| `/plan-ceo-review` | Founder-mode review — rethink the problem, find the 10-star product, challenge premises |
| `/plan-design-review` | Designer's eye review — rates each design dimension 0-10, fixes the plan to reach 10 |
| `/autoplan` | Auto-review pipeline — runs CEO, design, and eng review sequentially with auto-decisions |

### Build

| Command | What It Does |
|---------|-------------|
| `/investigate` | Systematic debugging — four phases: investigate, analyze, hypothesize, implement. No fixes without root cause |
| `/freeze` | Restrict edits to a specific directory for the session |
| `/unfreeze` | Remove the freeze boundary |

### Review

| Command | What It Does |
|---------|-------------|
| `/review` | Staff engineer code review — SQL safety, LLM trust boundaries, conditional side effects |
| `/cso` | Chief Security Officer — OWASP Top 10, STRIDE threat modeling, secrets archaeology, dependency supply chain |
| `/codex` | OpenAI Codex second opinion — independent diff review, adversarial challenge mode, consult mode |
| `/design-review` | Visual QA — finds spacing issues, hierarchy problems, AI slop patterns, then fixes them |

### Test

| Command | What It Does |
|---------|-------------|
| `/qa` | Browser QA — systematically tests and fixes bugs with atomic commits and re-verification |
| `/qa-only` | Report-only QA — produces structured report with health score but never fixes anything |
| `/browse` | Headless browser — navigate, interact, screenshot, verify state, diff before/after |
| `/benchmark` | Performance regression detection — Core Web Vitals, page load times, resource sizes |

### Ship

| Command | What It Does |
|---------|-------------|
| `/ship` | Full ship workflow — merge base, run tests, review diff, bump version, changelog, create PR |
| `/land-and-deploy` | Post-PR — merges, waits for CI and deploy, verifies production health |
| `/document-release` | Post-ship docs update — syncs README, ARCHITECTURE, CONTRIBUTING, CHANGELOG |
| `/setup-deploy` | Configure deployment settings for your platform (Vercel, Fly.io, Render, etc.) |

### Safety

| Command | What It Does |
|---------|-------------|
| `/careful` | Warns before destructive commands (rm -rf, DROP TABLE, force-push, git reset --hard) |
| `/guard` | Full safety mode — combines /careful warnings with /freeze directory scoping |

### Monitor

| Command | What It Does |
|---------|-------------|
| `/canary` | Post-deploy canary — watches for console errors, performance regressions, page failures |
| `/retro` | Weekly engineering retrospective — commit history, work patterns, code quality trends |

### Design

| Command | What It Does |
|---------|-------------|
| `/design-consultation` | Full design system — aesthetic, typography, color, layout, spacing, motion. Creates DESIGN.md |
| `/setup-browser-cookies` | Import cookies from your real browser into headless sessions for authenticated testing |

### Upgrade

| Command | What It Does |
|---------|-------------|
| `/gstack-upgrade` | Upgrade gstack to the latest version |

---

## For ClawPump Agents

gstack is pre-configured for ClawPump's Solana/DeFi context. A security context file (`.gstack/clawpump-security-context.md`) provides domain-specific checks for `/cso` audits:

- Private key handling and wallet security
- PDA derivation and token account validation
- Fee calculation precision (no floating-point rounding on SOL amounts)
- Transaction simulation before broadcast
- Replay protection on payment proofs
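
The fee-precision item above, as an added example (not code from gstack, ClawPump, or the context file): amounts stay in lamports as `BigInt`, fees are computed in basis points, and a split never creates or loses a lamport. All function names and the dust-to-first-recipient rule are assumptions made for illustration.

```javascript
// Added example: integer-only SOL fee math. All names here are hypothetical.
const LAMPORTS_PER_SOL = 1000000000n; // 1 SOL = 10^9 lamports
const BPS_DENOMINATOR = 10000n;       // 10,000 basis points = 100%

// Parse a decimal SOL string into lamports without passing through a float.
// More than 9 fractional digits is rejected instead of being rounded.
function solToLamports(sol) {
  const m = /^(\d+)(?:\.(\d{1,9}))?$/.exec(sol);
  if (!m) throw new RangeError("invalid SOL amount: " + sol);
  return BigInt(m[1]) * LAMPORTS_PER_SOL + BigInt((m[2] || "").padEnd(9, "0"));
}

// Fee in lamports, rounded down so rounding never overcharges the payer.
function feeLamports(amount, feeBps) {
  if (typeof amount !== "bigint" || amount < 0n) {
    throw new RangeError("amount must be a non-negative bigint");
  }
  if (!Number.isInteger(feeBps) || feeBps < 0 || feeBps > 10000) {
    throw new RangeError("feeBps must be an integer in 0..10000");
  }
  return (amount * BigInt(feeBps)) / BPS_DENOMINATOR;
}

// Split a fee by integer weights. Integer division leaves dust; it goes to
// the first recipient so the shares always sum to the fee exactly.
function splitFee(fee, weights) {
  const w = weights.map((x) => BigInt(x)); // throws on non-integer weights
  const total = w.reduce((a, x) => a + x, 0n);
  if (w.some((x) => x < 0n) || total === 0n) {
    throw new RangeError("weights must be non-negative and not all zero");
  }
  const shares = w.map((x) => (fee * x) / total);
  shares[0] += fee - shares.reduce((a, s) => a + s, 0n);
  return shares;
}

// What the check guards against: a lamport amount pushed through a JS Number.
// Above 2^53 the value changes silently (constructed input in the test).
function throughFloat(lamports) {
  return BigInt(Number(lamports));
}
```
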

### Recommended Workflow

```
/office-hours          → Frame the problem before building
/plan-eng-review       → Lock architecture with test plan
                       → Build your feature
/review                → Staff engineer review before merge
/cso                   → Security audit (required for financial code)
/qa                    → Browser QA with real Chromium
/benchmark             → Core Web Vitals check
/ship                  → Tests, coverage, PR
/canary                → Post-deploy health verification
```

### Financial Code Policy

Any change touching these files must pass `/review` AND `/cso` before merge:

- `lib/services/fee-collector.ts` — fee collection and distribution
- `lib/services/solana.ts` — wallet operations, PDAs, transfers
- `lib/services/token-creator.ts` — per-token wallet creation
- `lib/services/spending-router.ts` — spending path routing
- `lib/services/x402.ts`, `x402-corbits.ts` — payment protocol

Use `/guard` when editing these files to prevent accidental destructive changes.

---

## Combine with Other Skills

gstack pairs with ClawPump's other skills:

| Skill | How gstack helps |
|-------|-----------------|
| Token Launch | `/review` + `/cso` before shipping launch code changes |
| Trading Intelligence | `/benchmark` to verify API response times stay fast |
| Swap API | `/cso` to audit token swap security |
| Agent Services | `/qa` to test invoice and webhook flows in the browser |
| Multi-DEX Arbitrage | `/investigate` for systematic debugging of spread calculations |

---

## Attribution

gstack is an open-source project by [Garry Tan](https://github.com/garrytan) (Y Combinator). ClawPump uses gstack as its quality framework and offers it as a skill to all agents on the platform.

- GitHub: [github.com/garrytan/gstack](https://github.com/garrytan/gstack)
- License: Open source

---

*ClawPump — the gasless token launchpad for AI agents on Solana. [clawpump.tech](https://clawpump.tech)*
