Module 4: Multi-Agent Patterns

Structured problem-solving with PEO pattern

Introduction: The PEO Pattern

Planner / Executor / Observer for structured thinking

Learn to separate strategic thinking, command execution, and continuous monitoring into dedicated tmux panes. Each pane has a specialized Claude prompt that focuses its role.

Planner

Strategic thinking, asks clarifying questions, proposes investigation steps

Executor

Refines commands, explains risks, verifies results before execution

Observer

Watches logs, summarizes business impact, highlights anomalies

Lesson 4.1: PEO Pattern for Operations

Three-pane layout for structured problem-solving

Setup PEO Layout

Use the ops-peo-layout.sh script to create a 3-pane tmux session with dedicated areas for planning, execution, and observation.

ops-peo-layout.sh 
#!/usr/bin/env bash
# ops-peo-layout.sh – Planner / Executor / Observer layout for Ops
# Usage: ops-peo-layout.sh [SESSION_NAME]

SESSION_NAME="${1:-ops-peo}"

tmux has-session -t "$SESSION_NAME" 2>/dev/null
if [ $? -eq 0 ]; then
  tmux attach -t "$SESSION_NAME"
  exit 0
fi

tmux new-session -d -s "$SESSION_NAME" -n ops

# Pane 1: Planner (Claude prompt for planning)
tmux split-window -h -t "$SESSION_NAME:ops"     # Pane 2: Executor
tmux split-window -v -t "$SESSION_NAME:ops".2   # Pane 3: Observer

tmux select-pane -t "$SESSION_NAME:ops".1
tmux attach -t "$SESSION_NAME"

Planner Prompt Preview

"You are the PLANNER for business operations. I will describe a situation. Your job is to ask clarifying questions, propose a small clear list of investigative steps (max 5), and mark which steps should be done in the EXECUTOR pane and what to watch in the OBSERVER pane. Never run commands yourself."

Executor Prompt Preview

"You are the EXECUTOR for business operations. I will paste commands from the PLANNER pane. Your job is to refine these commands so they are safe and clear, explain what each command does in plain language, and remind me of any risk before I run something that changes systems."

Observer Prompt Preview

"You are the OBSERVER for business operations. I will paste output from log files, monitoring tools, or reports. Your job is to summarize what you see in terms of business impact, highlight anomalies (errors, timeouts, missing data), and suggest which details the PLANNER and EXECUTOR should focus on."

Lesson 4.1 Resources

ops-peo-layout.sh
Creates 3-pane PEO tmux session
peo-planner.md
Claude prompt for Planner role
peo-executor.md
Claude prompt for Executor role
peo-observer.md
Claude prompt for Observer role

Lesson 4.2: Failed Business Report Scenario

Apply PEO to a real incident

Scenario: Missing CEO Report

Problem: CEO's weekly revenue report didn't arrive on time

Report Triage Steps

  • Confirm: Which report, which date/time, which recipient?
  • Check if report exists in any folder/dashboard
  • Check scheduler: Is the job enabled? Did it run? Any errors?
  • Check data sources: CRM, ERP, payment gateway healthy?
  • Use Claude to explain log snippets and propose commands
  • Draft brief status update to stakeholders

How PEO Helps:

  • Planner: Clarifies which report, proposes investigation steps
  • Executor: Checks scheduler, data sources, triggers manual run
  • Observer: Watches log file for success/failure signals

Result: Found CRM API timeout, report generated, stakeholders notified. Resolution time: 35 minutes

Lesson 4.2 Resources

report-triage.md
Checklist for troubleshooting missing/failed reports

Lesson 4.3: Security Alert Scenario

Defensive incident response with PEO

Scenario: Brute Force Attack

Alert: 15 failed login attempts from foreign IP in 10 minutes

Security Triage Steps

  • Confirm scope: Which system? Which user(s)? When did it start?
  • Gather logs: Authentication, VPN/firewall, EDR/AV alerts
  • Use Claude for plain-language explanation and defensive actions
  • Containment: Lock account, force password reset, block IP if needed
  • Document: Fill incident note, record all commands and changes

How PEO Helps:

  • Planner: Assesses risk level, proposes defensive actions in order
  • Executor: Collects logs safely, blocks IP, resets passwords
  • Observer: Monitors for ongoing attempts, confirms attack stopped

Result: Attack contained, no breach confirmed, 48h enhanced monitoring activated. Containment time: 30 minutes

Lesson 4.3 Resources

sec-alert-triage.md
Security alert triage checklist (medium severity)