Subtask + Ravi
Subtask + Ravi
What Subtask Is
Subtask is a Claude Code Skill and CLI that turns a single orchestrator agent into a parallel coding team. You describe what you want built; Claude drafts tasks via subtask draft; subagents (Claude Code or Codex) execute them concurrently, each in its own isolated Git worktree. A TUI tracks live progress, diffs, and bidirectional conversations between the orchestrator and its subagents.
The key properties:
- Parallel, conflict-free — each task lives in a dedicated worktree, so subagents never step on each other.
- Bidirectional steering — the orchestrator can interrupt a running subagent mid-task, give new instructions, and resume without killing the session.
- Persistent tasks — task state survives restarts; the full graph is on disk.
- Multi-agent — supports Claude Code and Codex subagents interchangeably.
The developer reports ~60 tasks merged in a week using this workflow. Install with brew install zippoxer/tap/subtask or curl -fsSL https://subtask.dev/install.sh | bash, then add the Claude Code plugin with /plugin marketplace add zippoxer/subtask.
The Problem Subtask Exposes
Subtask solves parallelism beautifully. What it doesn’t solve is identity.
When subagents work on real systems — calling external APIs, running integration tests against staging environments, verifying OAuth flows, signing up for third-party services — they need credentials. In a single-agent workflow, you can pass a shared API key and move on. In a parallel multi-agent workflow, that pattern breaks down:
- Multiple subagents sharing one API key create attribution nightmares and hit rate limits unpredictably.
- Baking credentials into worktree environments leaks secrets into Git history and agent context.
- Staging environments with 2FA block subagents entirely unless someone handles TOTP.
- Integration tests that require real email addresses or phone numbers have nowhere to get them.
Ravi is the missing layer: it gives each subagent its own scoped, disposable identity for the duration of a task.
Where Ravi Plugs In
1. Scoped credential injection at task dispatch
When subtask draft creates a task, a subtask-ravi hook provisions a minimal vault context for that task’s worktree. Each subagent environment receives only the credentials it needs — nothing extra — pulled from Ravi’s encrypted secrets store at dispatch time.
The orchestrator never manages credential lifecycle. Ravi does.
2. Disposable identities for integration testing
A large class of subagent tasks is “implement and test this signup/auth/OAuth flow.” These require real, working email addresses and phone numbers — not mocks.
Ravi provisions temporary identities on demand: a real inbox, a real phone number, scoped to the task. The subagent can receive verification emails, complete SMS-based OTP flows, and confirm end-to-end behavior. When the task closes or merges, the identity is archived. No persistent test accounts to manage, no shared inboxes to collide on.
3. TOTP for staging environments
If subagents access internal tooling protected by two-factor authentication, Ravi TOTP handles it automatically — no baked-in TOTP seeds in agent prompts or worktree files, no human in the loop for every 2FA challenge.
Concrete Setup
Prerequisites
- Subtask installed and configured (
subtask install --guidein Claude Code) - Ravi account with a provisioned identity (
ravi_get_infoto confirm) - Ravi secrets store populated with credentials subagents will need
Hook: subtask-ravi
Add a pre-dispatch hook that injects Ravi context into each new worktree:
#!/usr/bin/env bash
# .subtask/hooks/pre-dispatch.sh
# Called by subtask before a subagent starts. $SUBTASK_WORKTREE is the worktree path.
TASK_ID="$1"
WORKTREE="$SUBTASK_WORKTREE"
# Provision a short-lived Ravi identity for this task
RAVI_EMAIL=$(ravi identity create --name "subtask-$TASK_ID" --format email)
RAVI_PHONE=$(ravi identity create --name "subtask-$TASK_ID" --format phone)
# Write scoped env file into worktree (gitignored)
cat > "$WORKTREE/.ravi-task-env" <<EOF
RAVI_TASK_EMAIL=$RAVI_EMAIL
RAVI_TASK_PHONE=$RAVI_PHONE
EOF
echo "Ravi identity provisioned for task $TASK_ID"And a cleanup hook on merge or close:
#!/usr/bin/env bash
# .subtask/hooks/post-merge.sh
TASK_ID="$1"
ravi identity archive "subtask-$TASK_ID" 2>/dev/null || true
echo "Ravi identity archived for task $TASK_ID"Subagent task example
With Ravi injected, a subagent working on an OAuth integration test can do this naturally:
You: implement the GitHub OAuth callback and write an integration test with Subtask
Claude:
├─► Skill(Subtask)
├─► Bash(subtask draft feat/github-oauth "Implement GitHub OAuth callback with integration test")
└─⏺ Task dispatched. Ravi identity provisioned for the test inbox.
[Subagent in worktree feat/github-oauth]
- Implements the OAuth callback handler
- Uses $RAVI_TASK_EMAIL to receive the GitHub verification email
- Reads the verification link from Ravi inbox
- Confirms end-to-end flow passes
- Opens diff for orchestrator reviewParallel tasks, parallel identities
You: run integration tests for auth, payments, and notifications in parallel with Subtask
Claude:
├─► subtask draft test/auth
├─► subtask draft test/payments
├─► subtask draft test/notifications
└─⏺ Three tasks running. Each subagent has its own Ravi identity — separate inboxes, separate phone numbers, no collisions.Why Ravi Adds Value Here
Isolation without overhead. In a multi-agent workflow, shared credentials are a liability. Ravi gives each worktree its own identity boundary automatically, with no manual provisioning by the developer.
Audit trail across the task graph. Every credential use, email received, and verification completed is tied to a specific Ravi identity — which maps back to a specific Subtask task. When something goes wrong in a parallel run, you know exactly which subagent touched what.
Real end-to-end testing. Mocked email addresses catch nothing. Ravi’s real inboxes and phone numbers let subagents run the full integration loop — signup, verify, authenticate — without standing up shared test accounts or involving a human.
Clean teardown. Task identities are archived on merge. No orphaned test accounts, no credentials lingering in worktree files, no cleanup work for the developer.
TOTP without secrets in context. Staging environments with 2FA no longer block subagents. Ravi handles the TOTP challenge at the infrastructure level, keeping secrets out of agent prompts entirely.