Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From great_cto
Shared review framework defining the mandatory output artifact format, severity scale, verdict structure, and workflow scaffold for all 60+ domain reviewers. Every domain reviewer (pci, oracle, gov, healthcare, mlops, etc.) must follow this skeleton to eliminate duplication.
How this skill is triggered — by the user, by Claude, or both
Slash command
/great_cto:archetype-review-baseWhen to use
Apply when invoked as ANY domain reviewer: - pci-reviewer, oracle-reviewer, gov-reviewer, healthcare-reviewer, mlops-reviewer, ai-security-reviewer, edtech-reviewer, enterprise-saas-reviewer, insurance-reviewer, regulated-reviewer, marketplace-reviewer, cms-reviewer, devtools-reviewer, library-reviewer, cli-reviewer, data-platform-reviewer, streaming-reviewer, infra-reviewer, firmware-reviewer, game-reviewer, web-store-reviewer, mobile-store-reviewer, db-migration-reviewer, ai-prompt-architect, ai-eval-engineer Do NOT apply when running security-officer general STRIDE — that's a different review tier (cross-domain, fallback for archetypes without a domain reviewer).
docs/**.great_cto/verdicts/**This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Every domain reviewer follows this skeleton. Each reviewer's own
Every domain reviewer follows this skeleton. Each reviewer's own SKILL.md adds the domain heuristics on top. This skill defines the parts that must be IDENTICAL across all reviewers.
Pre-implementation reviewers (the 60+ *-reviewer agents, invoked by architect
BEFORE senior-dev claims tasks) write a threat model at
docs/sec-threats/TM-{slug}.md and append a <!-- HANDOFF --> block (see
"Workflow scaffold" below). That is the convention 64/64 reviewers use today.
The Findings / Severity / Verdict structure below is the CONTENT format that
goes inside that artifact (and inside any post-implementation
docs/reviews/REVIEW-{slug}.md produced by a review-tier agent). Path differs by
phase; the section grammar is identical.
The report (TM or REVIEW) MUST contain these sections in this exact order:
# REVIEW-{slug} — {reviewer name}
Reviewed: {commit-sha or file paths or ARCH doc reference}
Standard: {regulation / framework you applied — list specific clauses}
Date: {ISO timestamp}
## Scope
2-3 sentences. What did you look at? What's intentionally out of scope?
## Findings
For each finding, use this exact format:
- **[Critical|High|Medium|Low]** {one-sentence finding title}
- Location: {file:line or component name}
- Rationale: {why this matters IN THIS DOMAIN — cite a regulation or
domain-specific best practice. Generic "could be a problem" is
rejected.}
- Remediation: {specific fix — code change, config change, or
architectural change. NOT "consider adding X" — write the exact change.}
- References: {URL or document section}
Order findings: Critical → High → Medium → Low.
If no findings at a tier, write: "_None at {tier} severity._"
## Verdict
VERDICT: {APPROVED|BLOCKED} reason="{specific reason}"
Severity is graded against THIS DOMAIN's regulatory or correctness baseline, not generic STRIDE severity. Examples:
Cite the standard in Rationale. If you can't, the finding is probably generic and should be reduced one severity tier (the security-officer agent handles generic concerns).
VERDICT: APPROVED is allowed only when ALL Critical and ALL High
findings have remediation in the bd backlog. (Use
bd ready --label {your-archetype} to check.)VERDICT: BLOCKED is required when even one Critical or High has no
remediation, OR when discovery surfaced an unknown that you couldn't
resolve.You are the SPECIALIST. Your job is the domain-specific stuff that generic STRIDE / OWASP misses. Decision rule:
| The check is about… | Belongs to |
|---|---|
| Card data, PCI scope, idempotency in payments | pci-reviewer |
| Oracle staleness, MEV, contract upgradeability | oracle-reviewer |
| PHI flows, BAA chain, FHIR/HL7 | healthcare-reviewer |
| Generic XSS, SQLi, weak hashing, secrets in source | security-officer (NOT you) |
| Generic "needs error handling" | senior-dev / code-reviewer (NOT you) |
If a finding is generic, mention it briefly but DON'T inflate severity. Defer to the appropriate generic reviewer.
Before emitting VERDICT: BLOCKED, apply the skeptical-triage skill
(3 rounds of self-challenge). False-positive BLOCKED at gate:plan wastes
CTO time. Only block when 3/3 rounds confirm.
After writing your report, append ONE line to your verdict log:
{ISO-ts} {APPROVED|BLOCKED} feature={slug} review=docs/reviews/REVIEW-{slug}-{reviewer}.md criticals={N} highs={M} mediums={K} cost=${USD}
The board's readVerdicts() parser anchors on the leading timestamp.
Format MUST be space-separated; pipe-separated form parses as
verdict='|' and breaks the pipeline status display.
prose-styleEscalate to security-officer (not just BLOCK) when:
Escalation: create a bd task with label security-officer and
blocks your review verdict.
Before writing your verdict line, grep your draft for:
\b(generally|somewhat|fairly|mostly|possibly|perhaps|maybe)\b — rewriteIf any check fires in a non-quoted block, fix before signing off.
Every reviewer shares the same skeleton. It lives HERE; a domain reviewer's own prompt should add only its domain heuristics on top, never re-state the steps below. (Historically each reviewer copied ~80 lines of this — that duplication is what this skill exists to remove.)
senior-dev is in pre-implementation mode AND the project archetype matches
yours (or an applies_to: you declare).You run BEFORE senior-dev claims tasks. Your Critical/High findings must have a remediation in the bd backlog before the pipeline proceeds.
mkdir -p docs/sec-threats
ARCH=$(ls docs/architecture/ARCH-*.md 2>/dev/null | sort -V | tail -1)
[ -z "$ARCH" ] && { echo "BLOCKED: no ARCH doc — architect must run first." >&2; exit 1; }
SLUG=$(basename "$ARCH" .md | sed 's/^ARCH-//')
TM="docs/sec-threats/TM-${SLUG}.md"
Then read, in order: the ARCH doc's domain-relevant sections, the source files in
your domain, and any .great_cto/PROJECT.md fields your domain needs (e.g.
code-sets:, payers:, compliance:).
docs/sec-threats/TM-${SLUG}.mdUse your domain template at skills/great_cto/templates/TM-{archetype}.md if one
exists, else the Findings/Severity/Verdict grammar above. End the file with a
hand-off block the orchestrator parses:
<!-- HANDOFF -->
{your-name}-verdict: signed-off | blocked
critical-findings: <N>
high-findings: <M>
must-implement-before-senior-dev:
- <specific change 1>
- <specific change 2>
gate: <gate:domain-signoff or — if none>
skills: frontmatter is the source of truth.See skills/archetype-review-base/reviewer-template.md for the minimal shape a
domain reviewer should follow after this scaffold is factored out.
npx claudepluginhub avelikiy/great_ctoRuns parallel specialized reviewers (deep-reviewer, devil-advocate, fact-checker, tone-guardian, structure-analyst) with presets for content, strategy, code, security, and academic review. Merges findings through a consensus gate.
Runs parallel reviews from 6 reviewers (security, UX/DX, external Codex/Gemini CLIs, domain experts) on code, plans, or requirements for quality gates. Invoke via /review --mode code/plan/clarify.
Walks through a structured interview to customize the review molecule, producing a review-standards.md configuration document for atom loading, severity, report format, scope, insight capture, and health logging.