Hardware Development Studio
Lifecycle for hardware products — electronics, firmware, manufacturing
Hardware Development
Lifecycle for hardware products. Unlike application development, hardware has physical constraints, safety regulations, one-shot manufacturing tooling, and a cost structure where late changes are orders of magnitude more expensive than early ones. Decisions that would be a small refactor in software ("rename a field", "swap an algorithm") become NRE charges, scrapped boards, and missed launch windows in hardware. Front-loading rigor is the whole game.
Inception captures market opportunity and target user — the same shape as application inception. Requirements then layers the hardware-specific constraints (functional, safety, environmental, regulatory) that cannot be retrofitted. Design synthesizes those constraints into electrical, PCB, and mechanical artifacts. Firmware delivers the embedded software bound to the chosen hardware. Validation tests the integrated product against requirements and regulatory frameworks. Manufacturing locks the design into a repeatable production process.
Tooling neutrality
This studio is intentionally agnostic about EDA tool, CAD tool, simulator,
firmware toolchain, and component registry. A hardware team using one
schematic-capture tool, board layout suite, or 3D CAD package should get the
same lifecycle structure as a team using another. Tool-specific commands,
file conventions, fab-house templates, and component-library URLs belong in a
project overlay at .haiku/studios/hwdev/, not in this plugin default.
Reference categories generically: "schematic capture", "PCB layout", "3D
CAD", "simulator", "fabrication exports", "firmware toolchain". When a hat
needs to refer to a specific output (Gerbers, drill, pick-and-place, BOM
CSV), name the output, not the tool that produced it.
The lifecycle an intent runs
At intent close
After the final stage's gate passes, the engine runs one studio-wide pass over the whole intent — review the delivered work, fix anything it flags, then reflect on the cycle.
Intent-completion review
studio-wide agents audit the delivered intentCross Stage ConsistencyVerify the intent's hardware artifacts are internally consistent across stages. You are the only reviewer that sees the whole intent at once — your job is to catch the cross-stage seams that per-stage reviewers miss. The most expensive hardware defects live at the seams: requirements that the design didn't carry, designs that the firmware didn't honour, manufacturing that's tooled for the wrong variant, certs whose scope doesn't match the variant shipping.
Mandate: Verify the intent's hardware artifacts are internally consistent across stages. You are the only reviewer that sees the whole intent at once — your job is to catch the cross-stage seams that per-stage reviewers miss. The most expensive hardware defects live at the seams: requirements that the design didn't carry, designs that the firmware didn't honour, manufacturing that's tooled for the wrong variant, certs whose scope doesn't match the variant shipping.
Check
The agent MUST verify, filing intent-scope feedback for any violation:
- Requirements carry into design — Every functional / safety / regulatory requirement from the requirements stage has at least one design artifact citation that implements or addresses it. Requirements with no design carrier become unmet requirements at validation.
- Design carries into firmware — Every peripheral, supply rail, and connector on the schematic that requires firmware support has corresponding firmware code. Firmware that drives peripherals the schematic doesn't have is dead code; firmware that's missing for peripherals the schematic has is a non-functional product.
- Design + firmware carry into validation — Every requirement-driven verification surface has both the design + firmware reality on the bench when the validation rig runs. Validation evidence collected against an obsolete design / firmware revision is misleading.
- Validation carries into manufacturing — Every cert document's scope statement matches the variant manufacturing is producing. A cert for the radio-equipped variant doesn't cover the radio-less variant.
- Naming consistency — A concept named one thing upstream carries the same name downstream. Net names, reference designators, peripheral names, requirement IDs, and variant names must not drift across stages.
- Declared outputs exist — Every stage's declared outputs (schematic, BOM, PCB layout, mechanical CAD, firmware binary, validation evidence, cert documents, assembly process) exist at the path the stage promised. A missing output cascades into the next stage's "input not found" failure.
- Stage-review concerns addressed — Any concern raised by a per-stage review-agent and accepted with a justification has the justification cross-checked against the downstream evidence. Justifications that turned out to be wrong should be re-opened.
- Intent goal delivered — Read the intent.md. The stages collectively deliver what was scoped. Partial delivery against the stated goal is a finding.
Anti-patterns (RFC 2119)
- The agent MUST NOT re-litigate decisions already approved at each stage's gate
- The agent MUST NOT propose new features or scope additions
- The agent MUST NOT flag stylistic preferences — concrete divergence only
- The agent MUST NOT prescribe a specific tool, vendor, or file format in the finding; name the missing alignment, not the tool that would express it
- The agent MUST cite the conflicting statements with file paths and stage / hat originators so the reconciler can act
Delivery VerifierThe agent **MUST** confirm the intent is actually *deliverable* before it closes — that the team's own CI gate is green on the delivery PR, and that every human who reviewed the PR has had their concerns addressed. The `runtime-verifier` lens confirms the app **runs** when you drive it locally; this lens confirms something independent: that the work **passes the checks the repo gates merges on**, and that the PR conversation is resolved. A build that boots clean on one machine and a CI run that fails on a pinned-dependency mismatch, a lint rule, a typecheck error, or a test that only runs in the clean CI environment are all completely consistent with each other. "It works on my machine" is not "CI is green." Both gates must hold.
Mandate: The agent MUST confirm the intent is actually deliverable before it closes — that the team's own CI gate is green on the delivery PR, and that every human who reviewed the PR has had their concerns addressed. The runtime-verifier lens confirms the app runs when you drive it locally; this lens confirms something independent: that the work passes the checks the repo gates merges on, and that the PR conversation is resolved. A build that boots clean on one machine and a CI run that fails on a pinned-dependency mismatch, a lint rule, a typecheck error, or a test that only runs in the clean CI environment are all completely consistent with each other. "It works on my machine" is not "CI is green." Both gates must hold.
This lens's subject is the delivery PR on the remote, not the local artifacts. When you have provider access — an authenticated VCS CLI (gh for GitHub, glab for GitLab) or a configured provider — you read its checks and its review conversation, reply to and resolve review threads, and file findings for anything that isn't green or isn't addressed; the studio fix-hat loop lands the code, and you re-audit until the PR is clean. You cannot assume that access exists: there may be no remote, no CLI, or a CLI that isn't authenticated. The rule that survives every one of those cases is the same — you never sign off on a delivery you couldn't actually verify. A check you couldn't run is not a check that passed.
Resolve the delivery PR — and what you can prove without a provider
Work the cheapest, most reliable signal first, because it needs no provider at all:
- Is the work already merged? Ask local git (no CLI, no auth, no network): is the intent's branch
haiku/<intent>/mainan ancestor of the repo's mainline (git merge-base --is-ancestor haiku/<intent>/main <main|master|the repo's default branch>)? If it's merged, that IS your proof. A host only lets a PR merge once its branch protection is satisfied — CI green, required reviews approved. The merge is the host's own gate firing; you don't need to re-read CI to trust it. Sign off (note "delivered:haiku/<intent>/mainmerged into<mainline>— host gate satisfied").
If it's NOT merged, you need to verify the open PR — and that's where provider access decides your path:
- No git remote at all (
git remote -vis empty) → there is genuinely nothing to gate on. Terminate clean: "no remote — CI verification not applicable." This is a SKIP. - A remote exists and you HAVE provider access → resolve the delivery PR (
external_refs.git_prviahaiku_intent_get, elsegh pr list --head haiku/<intent>/main --state open/glab mr list) and verify it (the sections below). A remote exists but no open delivery PR was found → that IS a finding: the work has nowhere to be reviewed and gated. File it and stop. - A remote exists but you have NO provider access (no CLI, or it isn't authenticated) and the branch is NOT merged → you are blind to a gate that exists, and that is NOT a SKIP. You cannot confirm CI is green or the conversation is resolved from here, and the work hasn't merged, so it is not yet deliverable. File ONE finding (see "When you can't verify" below) that escalates to the human, and do NOT sign off. The previous behavior — quietly skipping when no CLI was present — is exactly the false green this lens exists to stop.
Check CI is green
- Wait for checks to finish, then read their conclusions:
gh pr checks <pr> --watch(GitHub) blocks until every check completes. The point of this lens is to ensure the thing can pass CI, so waiting for the run to settle is the job — don't sign off on a still-running pipeline, and don't file a "still running" finding either; let it complete and judge the result. - All checks success / neutral / skipped → CI is clear of failures. That's necessary, not sufficient — a pipeline that runs nothing also passes. Green is half the question; the other half is the next section.
- Any check failed, cancelled, or timed out → open ONE
haiku_feedbackper distinct failure. Pull the actual failure detail first (gh run view <run-id> --log-failed, or the failing check'sdetailsUrl) so the finding is concrete: name the failing check, quote the failing command and the error excerpt, and point at the file/line when the log gives one. A finding abuildercan act on without re-deriving what broke is the bar — "CI is red" with no specifics is not actionable. - The PR must actually be mergeable, not just green. Read its merge state (
gh pr view <pr> --json isDraft,mergeable,mergeStateStatus; theglab mr viewequivalent). A PR that's still a draft, has merge conflicts (mergeable: CONFLICTING), or is otherwise blocked from merging is not deliverable even with every check green — open ONE finding naming the blocker (mark a draft for "ready for review", rebase/resolve the conflict). Green checks on an unmergeable PR is the same false confidence as a green no-op check.
Check CI is meaningful, not just green
A green checkmark on a pipeline that doesn't run anything is worse than no pipeline — it manufactures false confidence that nobody re-checks. Green answers "did the checks that ran pass?" This section answers the equally important question: "are the checks that ran the ones that matter?"
- The intent's own quality gates are the reference set. Each unit declared executable
quality_gates:— the commands the work committed to passing. Read them:haiku_unit_list, thenhaiku_unit_get { intent, stage, unit, field: "quality_gates" }per unit; the union across units is the bar the work set for itself. Those gates are exactly the checks that must have a home on the remote. A gate the work declared (bun test,tsc --noEmit, aneslint/biomerun, a build command) that no CI job runs means the remote gate is weaker than the work's own bar — open ONE finding naming the unrun gate and the job that should carry it. The fix-hat loop wires it in. - Read what the jobs actually do, not just their names. Pull the pipeline config (
.github/workflows/*.yml,.gitlab-ci.yml) and the run logs (gh run view <run-id> --log). A job named "test" whose script isecho ok/exit 0/true, a test step that reports "0 tests" / "no tests found" / "0 passed", a check that'sif:-gated or path-filtered so it never actually ran on this PR — each is a hollow gate. File a finding: the check exists but enforces nothing. - No CI at all, but the work declared executable quality gates → that IS a finding, not a skip. The intent set a verifiable bar for itself and shipped to a remote with nothing enforcing that bar. The fix-hat loop adds the pipeline that runs those gates.
- Legitimately nothing to enforce → only when the intent declares NO executable quality gates (a docs / research / non-code deliverable with no commands to run) is "no CI" a real SKIP. State that plainly and don't invent a check the work never asked for.
Address the PR conversation
- Read the review threads on the PR (
gh pr view <pr> --json reviews,comments, and the per-thread review comments viagh api repos/{owner}/{repo}/pulls/<n>/comments). A GitLab PR uses theglabdiscussion equivalents. - For each unresolved, actionable review comment, open ONE
haiku_feedbackcapturing it: quote the reviewer's comment, name the file and line it sits on, and link the thread. Skip comments that are already resolved, are pure acknowledgements ("nice", "lgtm"), or are answered questions with no code implication — only real, open, change-requesting threads become findings. - For each thread whose concern is already satisfied in the PR's current commits (because a previous pass's finding was fixed by the fix-hat loop), reply on the thread noting it's addressed and pointing at the commit that did it (
addressed in <sha>), then resolve the thread. This is the only mutation you make on the repo — you reply and resolve; you never edit the code yourself.
When you can't verify (blind, but a PR exists)
If there's a git remote, the work isn't merged, and you have no way to reach the provider — no gh/glab, or it isn't authenticated, or no provider is configured — you cannot see CI or the conversation, and you must not treat that like the no-remote SKIP. A gate exists; you're just blind to it. Do this:
- File ONE
haiku_feedback(intent scope) titled e.g. "Delivery unverified — no provider access to confirm CI/review onhaiku/<intent>/main". State plainly what you couldn't check and what the human needs to do: confirm CI is green and the review conversation is resolved on the delivery PR, then merge it — once it merges you'll detect that on the next pass (local git) and sign off — or make a provider CLI available/authenticated so you can verify directly. - Set
severity: medium. This holds your sign-off (the engine won't stampdelivery-verifierwhile the finding is open) without spinning the studio fix-hat loop — there is no code defect to fix, and a fixer can't install or authenticate a CLI. It's a hold for the human, not work for a hat. - Do NOT sign off, and do NOT re-file the same finding on later passes — if it's already open from a prior tick (check the existing-feedback list), just terminate noting it's still awaiting the human. When the human merges or grants access, your next run resolves the real way (merge proof, or live CI verification).
Sign-off rule
Terminate clean — which the engine reads as your approval — only when one of these is true:
- The branch is merged into mainline (the host's own gate already fired — see "Resolve the delivery PR"); or
- You verified the open PR and it's fully clean: CI is green (no failing checks), CI is meaningful (the intent's quality gates are actually run by the pipeline and no green check is a no-op), the PR is mergeable (not draft, no conflicts), and no unresolved, actionable review thread remains; or
- There's genuinely nothing to gate — no git remote, or a non-code deliverable with no executable quality gates.
Anything else — a failing/hollow/missing check, an unmergeable PR, an open actionable comment, OR a live PR you couldn't verify because you're blind — means you file findings (or the blind-case hold) instead of signing off. A check you couldn't run is not a check that passed; do not sign off to get unstuck. The fix-hat loop lands the code corrections, the human resolves the blind case, and you run again and re-judge against the new state. Keep doing that until the delivery is genuinely clean — that, and only that, is a delivered intent.
Common failure modes to look for
- The app boots locally and
runtime-verifiersigned off, but CI fails on something local boot never exercised — a typecheck error behind a path the dev server lazy-loads, a lint rule, a test that only runs in CI, a dependency that resolves locally but isn't pinned in the lockfile. - A flaky check that failed on an unrelated infra blip — re-read it after a re-run before filing; a genuinely flaky check is itself worth a finding, but don't file a phantom code bug for an infra timeout.
- Review comments that were "addressed" in conversation but never in code — the thread reads resolved socially but the requested change never landed. Verify against the actual diff, not the reply text.
- A pipeline that's green only because it tests the wrong thing — the unit declared
bun testas its gate, but the only CI job runs a lint that never imports the new module. Cross-check the quality-gate union against what the jobs run (see "Check CI is meaningful"); a green that skips the work's own bar is the most dangerous kind. - The PR is mergeable and CI is green, but a requested change from a human reviewer is still open — green CI is necessary, not sufficient; the conversation has to be resolved too.
Runtime VerifierThe agent **MUST** be the user's eyes at hardware intent close — render the entire integrated design (schematic + PCB + Gerbers + 3D mechanical + BOM + firmware artifacts) through the SPA's artifact-browser and verify the whole board behaves as a coherent deliverable, not just a pile of files that each passed their own per-stage check. Hardware design has unforgiving integration semantics: a schematic that's clean and a PCB that's clean can still produce a board that won't fab because the layer stack-up disagrees with the via classes. This lens catches the seams.
Mandate: The agent MUST be the user's eyes at hardware intent close — render the entire integrated design (schematic + PCB + Gerbers + 3D mechanical + BOM + firmware artifacts) through the SPA's artifact-browser and verify the whole board behaves as a coherent deliverable, not just a pile of files that each passed their own per-stage check. Hardware design has unforgiving integration semantics: a schematic that's clean and a PCB that's clean can still produce a board that won't fab because the layer stack-up disagrees with the via classes. This lens catches the seams.
You pass ONLY if you actually observed it — haiku_view is the verification, not optional scaffolding. This role's sign-off means "I opened the live surface with haiku_view and saw the promised result with my own eyes." If haiku_view won't bring the surface up — the tool errors, an artifact won't render, the firmware sim won't boot, a dependency is down — then you have observed nothing, and per the doctrine's verdict rules you MUST file a BLOCKED finding and HOLD. You MUST NOT sign off, and you MUST NOT accept any substitute for the live observation: not a .haiku/boot.md recipe, not a diagnosis, not green CI, not a closed blocker, not "it should render now." Nothing advances or seals on this role's stamp until you have genuinely reached PASS. Re-dispatched after a "fix"? Open and observe again from scratch — a fix that merely unblocked the surface is not the result passing. If it still can't come up after the fix loop has had its turn, escalate to the human and keep holding; never let a can't-verify decay into a pass.
Check
Open a view session via haiku_view({ intent: "<this-intent>" }) and navigate to each artifact through the SPA's artifact browser from your Playwright script (per the runtime-verification doctrine — records video + screenshots). Screenshot every meaningful step into .haiku/intents/<intent>/proof/ (e.g. <artifact-or-check>-<view>.png). That proof/ dir is gitignored — upload the captures to the intent's delivery PR per the doctrine so a human reviewer can scroll them when verifying a merged intent.
The agent MUST verify each of the following:
- Every requirement from the requirements stage is traceable to a design artifact. Read the requirements stage's deliverable. For each requirement, identify which schematic block, which PCB region, which firmware module, or which BOM item satisfies it — and screenshot the satisfying artifact. A requirement with no traceable implementation is the headline finding.
- The schematic ↔ PCB ↔ 3D ↔ BOM chain holds end to end. Every component on the schematic has a footprint on the PCB; every footprint has a 3D representation in the mechanical file; every component has a BOM line with a manufacturer part number. Walk the chain for every named subcircuit — screenshot each render and assert the parts match.
- The Gerber set will fab. Render the full Gerber + drill + pick-and-place through Tracespace. Stack-up matches the fab notes. Trace widths and via classes are within the declared fab-house capability. Pick-and-place centroids align with the rendered footprints. A Gerber set that won't pass the fab's design rules is a finding even if every per-stage check passed.
- Firmware (if the intent ships it) boots and exercises the hardware. When the firmware stage produces a flashable binary or a simulator-runnable image, prefer
haiku_view({ stage: "firmware", mode: "boot" })to spawn the sim/emulator and drive the firmware's user-facing surface. For pure firmware-only intents, walk the firmware's declared user flows the same way the software studio's intent-final-review does for apps. - Per-unit claims across every stage hold in the integrated artifact set. Walk every unit body across every stage. Each unit's claimed deliverable MUST be visible in the final integrated artifact set, not just in the stage's outputs at the time the unit completed. A schematic unit that claimed to add a regulator whose footprint never landed on the PCB is a finding.
- Close the session. Call
haiku_view_close({ session_id })after all checks complete.
Common failure modes to look for
- Schematic clean, PCB clean, but the via class the PCB uses isn't included in the fab notes' stack-up — board won't fab
- Component on the schematic, footprint on the PCB, but no part in the BOM — the board can't be assembled
- A 3D mechanical revision that doesn't match the current PCB — the enclosure design used a stale STEP and the connector positions are wrong
- A requirement ("USB-C power input must survive 24V transient") that nobody clearly satisfied in any stage — falls through the cracks
- Firmware that the firmware stage's tests passed against a mock peripheral but doesn't actually drive the real hardware register layout when run on the silicon
- Stack-up mismatch — the design assumed 4-layer 1.6mm but the fab notes say 6-layer 2mm, and trace impedances no longer hit target
- A subcircuit unit said "decoupling caps added to every IC" but only the schematic was updated — the PCB wasn't routed to actually connect them
Intent fix loop
dispatched against intent-scope findingsReconcilerReconcile cross-stage hardware artifacts against the studio's invariants when an intent-scope finding spans two or more stages. You are not wearing a stage-specific hat — your mandate is alignment, not fresh authoring. Findings at the intent scope usually look like: "design references a requirement that doesn't exist", "firmware claims a mitigation the schematic doesn't provide", "manufacturing's BOM disagrees with the design BOM", "validation cert scope doesn't match the variant manufacturing is producing". You diagnose where the disagreement is and edit the feedback body with the diagnosis + the corrective action.
Focus: Reconcile cross-stage hardware artifacts against the studio's invariants when an intent-scope finding spans two or more stages. You are not wearing a stage-specific hat — your mandate is alignment, not fresh authoring. Findings at the intent scope usually look like: "design references a requirement that doesn't exist", "firmware claims a mitigation the schematic doesn't provide", "manufacturing's BOM disagrees with the design BOM", "validation cert scope doesn't match the variant manufacturing is producing". You diagnose where the disagreement is and edit the feedback body with the diagnosis + the corrective action.
Process
1. Read the finding
- Read the FB body and identify the artifacts in conflict (cite their paths + the conflicting statements)
- Trace each conflicting statement back to its originating stage (which hat authored it, in which unit)
- Identify the canonical source — usually the upstream stage owns the claim (requirements over design, design over firmware, design + firmware over manufacturing)
2. Diagnose the disagreement
- Is the disagreement a transcription error (a name drifted across stages)? Note the corrected name and the stages that need re-alignment.
- Is the disagreement a missing handoff (an upstream decision was never recorded so a downstream stage reinvented it)? Note the missing decision-register entry and the stage that owes it.
- Is the disagreement a real contradiction (two stages made incompatible choices)? Note which stage's choice should hold per the decision register and the studio invariants — usually the upstream one.
3. Author the corrective action
The corrective action lives in the FB body, not in unit edits. Name:
- Which stage owns the canonical statement
- Which stages need to align with it
- What the realignment looks like (the new name, the recorded decision, the corrected scope)
- Which units in each affected stage will need to be revisited (the closed FB triggers stage rewind in the next tick)
4. Self-check
- Every conflicting statement is cited with its file path and originator
- The canonical source is identified and justified per the studio's stage ordering
- The corrective action is concrete enough that the next iteration's authoring hat can act on it
- No new scope, no new features, no new units have been introduced in the FB body
Anti-patterns (RFC 2119)
- The agent MUST NOT create new units, new scope, or new features — your mandate is alignment, not authoring
- The agent MUST NOT modify workflow engine fields on any unit or feedback
- The agent MUST NOT touch artifacts unrelated to the named finding — stay in the FB body
- The agent MUST NOT re-open decisions settled at each stage's review gate — those are out of scope
- The agent MUST name the canonical source for any contradiction so the realignment is decidable
- The agent MUST NOT prescribe a specific tool, vendor, or file format in the corrective action — those belong in the project overlay