ltc is a CLI for autonomous agent-driven development. Give it a task queue and steering files, then let it run.
The loop
Each iteration runs agents in a pipeline:
dev → security + review (parallel) → test → document → commit
The developer agent picks the next task, implements it. Security and review agents scan the result. If they find issues, they create fix tasks that get handled before moving on. Tester writes tests. Documenter updates docs and changelog. Committer commits.
ltc init # scaffold agent configs, steering files, hooks
ltc queue add "Add user auth" --description "JWT-based auth"
ltc run # start the loop
ltc watch # TUI dashboard
Task kinds
| Kind | Behavior |
|---|---|
feature |
Full pipeline — dev through commit |
fix |
Developer only — skips security/review to prevent loops |
checkpoint |
Marks a milestone, halts loop |
gate |
Runs a shell command, halts on failure |
manual |
Requires human intervention, halts loop |
Fix tasks link to their parent feature via parent_id. The dashboard shows them nested.
ltc queue add "Fix hardcoded secret" --kind fix --priority 10
Steering files
Steering files in .kiro/steering/ are injected into every agent session:
| File | Purpose |
|---|---|
product.md |
What the project is |
tech.md |
Stack, layout, dev commands |
conventions.md |
Code style, commit format |
security.md |
Security requirements |
testing.md |
Test strategy |
Security scan hooks
After every developer session, hook scripts run and write results to .ltc/reports/. The security agent reads these on the next pass.
The scan hook auto-detects the project type and runs:
- Semgrep — SAST with auto config
- Trivy — filesystem vulnerability scanning
- Checkov — IaC scanning (Terraform, YAML, Dockerfiles)
- Bandit — Python-specific SAST
- pip-audit — Python dependency vulnerabilities
#!/usr/bin/env bash
# .ltc/hooks/post-dev-scan.sh
REPORTS=".ltc/reports"
mkdir -p "$REPORTS"
semgrep --config=auto --json -o "$REPORTS/semgrep.json" . || true
trivy fs --format json -o "$REPORTS/trivy.json" . || true
checkov -d . -o json > "$REPORTS/checkov.json" || true
All hooks exit 0 so they never kill an agent session. Findings become fix tasks.
MCP server
The queue is exposed to agents via MCP:
ltc mcp # stdio transport
Tools: queue_add, queue_next, queue_update, queue_list, queue_reorder, queue_clear.
Agents read the queue, claim tasks, and report results through the same protocol.
Configuration
ltc.toml at the project root:
[loop]
max_iterations = 10
review_every = 3
git_commits = true
max_fix_tasks = 3
CLI flags override the config file.