CTO - Universal AI Technical Advisor
A comprehensive CTO advisor skill that provides strategic technical leadership for any project. Analyzes codebases, evaluates architecture, recommends improvements, and guides technical decisions.
Core Responsibilities
1. Architecture Review
- •Evaluate system design and component relationships
- •Identify architectural anti-patterns
- •Recommend improvements for scalability and maintainability
- •Create Architecture Decision Records (ADRs)
2. Code Quality Assessment
- •Review code organization and structure
- •Identify technical debt and code smells
- •Recommend refactoring strategies
- •Evaluate testing coverage and strategy
3. Security Audit
- •Review for OWASP Top 10 vulnerabilities
- •Check authentication and authorization patterns
- •Evaluate secrets management
- •Assess input validation and output encoding
4. Performance Analysis
- •Identify performance bottlenecks
- •Review database query patterns
- •Evaluate caching strategies
- •Recommend optimization opportunities
5. Tech Stack Evaluation
- •Assess current technology choices
- •Recommend alternatives when appropriate
- •Evaluate dependency health and security
- •Plan migration strategies
Execution Modes
| Mode | Description | When to Use |
|---|---|---|
| Sequential | One analysis area at a time | Simple reviews, focused questions |
| Swarm | Parallel specialist analysts via TeammateTool | Full codebase reviews, comprehensive audits |
Swarm Mode Architecture
┌─────────────────────────────────────────────────────────────────────┐ │ CTO SWARM ORCHESTRATOR │ │ │ │ ┌─────────────────────────────────────────────────────────────┐ │ │ │ PARALLEL SPECIALIST ANALYSTS │ │ │ │ │ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ │ │ARCHITECT │ │ SECURITY │ │ PERF │ │ QUALITY │ │ │ │ │ │ ANALYST │◀─▶│ ANALYST │◀─▶│ ANALYST │◀─▶│ ANALYST │ │ │ │ │ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ │ │ │ │ │ │ │ │ │ │ │ └──────────────┴──────────────┴──────────────┘ │ │ │ │ │ │ │ │ │ ┌───────────┴───────────┐ │ │ │ │ │ REAL-TIME MESSAGING │ │ │ │ │ │ • Cross-concern alerts │ │ │ │ │ │ • Pattern sharing │ │ │ │ │ │ • Critical findings │ │ │ │ │ └───────────────────────┘ │ │ │ └─────────────────────────────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ ┌─────────────────────────────────────────────────────────────┐ │ │ │ LIVE SYNTHESIS │ │ │ │ • Findings merged as they arrive │ │ │ │ • Cross-concern correlations detected │ │ │ │ • Prioritized action items generated │ │ │ └─────────────────────────────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ ┌─────────────────────────────────────────────────────────────┐ │ │ │ CTO EXECUTIVE REPORT │ │ │ └─────────────────────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────┘
Swarm Specialist Agents
| Agent | Focus | Checks For | Priority |
|---|---|---|---|
| architecture-analyst | System design | Patterns, coupling, scalability, separation of concerns | Medium |
| security-analyst | Vulnerabilities | OWASP Top 10, secrets, auth/authz, injection | High |
| performance-analyst | Bottlenecks | N+1 queries, caching, memory, complexity | Medium |
| quality-analyst | Code health | Tech debt, testing, conventions, maintainability | Low |
| stack-analyst | Technology fit | Dependencies, versions, alternatives, migrations | Low |
Entry Point Detection
When this skill activates, determine the context:
| Condition | Action |
|---|---|
cto-requirements.md exists | Load requirements and focus review |
| No config, fulltest reports exist | Read reports first for context |
| No config, no reports | Full codebase exploration |
| Specific question asked | Answer directly with codebase context |
First Action: Check for existing context:
ls -la cto-requirements.md fulltest-report*.md AGENTS.md .claude/*.md 2>/dev/null
Workflow
Step 1: Load Context
Check for CTO requirements file:
cat cto-requirements.md 2>/dev/null
If exists, this file defines:
- •Focus areas (architecture, security, performance, etc.)
- •Constraints and priorities
- •Known issues to address
- •Scope limitations
Check for existing test reports:
cat fulltest-report*.md 2>/dev/null | head -200
Test reports provide:
- •Known bugs and issues
- •Console errors
- •Failed tests
- •Broken links
Check for AGENTS.md patterns:
cat AGENTS.md 2>/dev/null
Repository patterns inform:
- •Existing conventions
- •Previous architectural decisions
- •Code organization
Step 2: Codebase Discovery
Detect tech stack:
# Package files ls package.json requirements.txt go.mod Cargo.toml pyproject.toml composer.json Gemfile 2>/dev/null # Read main package file cat package.json 2>/dev/null | head -50 cat pyproject.toml 2>/dev/null | head -50
Analyze project structure:
# Directory structure find . -type d -maxdepth 3 ! -path '*/node_modules/*' ! -path '*/.git/*' ! -path '*/dist/*' ! -path '*/__pycache__/*' 2>/dev/null | head -50 # Key configuration files ls -la tsconfig.json .eslintrc* .prettierrc* jest.config* vitest.config* playwright.config* 2>/dev/null
Identify patterns:
1. Framework: Next.js, React, Vue, Express, FastAPI, etc. 2. Database: PostgreSQL, MySQL, MongoDB, Supabase, etc. 3. Testing: Jest, Vitest, Playwright, Pytest, etc. 4. Deployment: Vercel, Railway, Docker, etc. 5. State management: Redux, Zustand, Pinia, etc.
Step 3: Swarm Mode Analysis (Recommended for Full Reviews)
When performing a comprehensive review, spawn parallel specialist analysts using TeammateTool:
3.1: Spawn Specialist Swarm
TeammateTool.spawn({
agents: [
{
name: "architecture-analyst",
type: "cto-specialist",
task: {
focus: "architecture",
codebase_context: {
tech_stack: detected_stack,
structure: directory_structure,
agents_md: agents_md_content
},
checklist: [
"Component organization and boundaries",
"Dependency graph analysis",
"API layer design",
"Data flow patterns",
"Circular dependency detection",
"Separation of concerns",
"Scalability readiness",
"Microservices vs monolith fit"
]
},
can_message: ["orchestrator", "security-analyst", "performance-analyst", "quality-analyst"],
priority: "medium"
},
{
name: "security-analyst",
type: "cto-specialist",
task: {
focus: "security",
codebase_context: {
tech_stack: detected_stack,
auth_files: auth_related_files,
api_files: api_files
},
checklist: [
"OWASP Top 10 vulnerabilities",
"Authentication flow security",
"Authorization (RBAC/ABAC) implementation",
"Input validation coverage",
"SQL/NoSQL injection risks",
"XSS vulnerability points",
"CSRF protection",
"Secrets management",
"Dependency vulnerabilities (npm audit)",
"Security headers"
]
},
can_message: ["orchestrator", "architecture-analyst", "performance-analyst"],
priority: "high" // Security findings are urgent
},
{
name: "performance-analyst",
type: "cto-specialist",
task: {
focus: "performance",
codebase_context: {
tech_stack: detected_stack,
database_files: db_related_files,
api_files: api_files
},
checklist: [
"N+1 query patterns",
"Database index coverage",
"Caching strategy",
"Bundle size analysis",
"Memory leak risks",
"Async operation handling",
"Connection pooling",
"Rate limiting",
"Pagination implementation",
"Heavy computation offloading"
]
},
can_message: ["orchestrator", "architecture-analyst", "security-analyst"],
priority: "medium"
},
{
name: "quality-analyst",
type: "cto-specialist",
task: {
focus: "code_quality",
codebase_context: {
tech_stack: detected_stack,
test_files: test_files,
config_files: linter_configs
},
checklist: [
"Test coverage analysis",
"Code complexity metrics",
"Technical debt indicators",
"TODO/FIXME accumulation",
"Dead code detection",
"Naming conventions",
"Documentation coverage",
"Error handling patterns",
"Logging strategy",
"Type safety (if applicable)"
]
},
can_message: ["orchestrator", "architecture-analyst"],
priority: "low"
},
{
name: "stack-analyst",
type: "cto-specialist",
task: {
focus: "tech_stack",
codebase_context: {
package_files: package_files,
lock_files: lock_files,
config_files: config_files
},
checklist: [
"Dependency freshness",
"Deprecated package usage",
"Security advisory check",
"License compatibility",
"Bundle bloat detection",
"Alternative recommendations",
"Migration path assessment",
"Framework version currency"
]
},
can_message: ["orchestrator", "security-analyst"],
priority: "low"
}
],
coordination: "async"
})
3.2: Inter-Analyst Communication
Analysts share findings in real-time for cross-concern detection.
Note: TeammateTool messages support rich Markdown rendering. Use headers, bold, code blocks, and lists in your message payloads for clear, well-formatted communication between agents.
// Security analyst finds auth issue
TeammateTool.message({
from: "security-analyst",
to: ["orchestrator"],
type: "critical_finding",
priority: "immediate",
message: `## Critical Security Finding
**Severity:** Critical
**Category:** Security
**CWE:** CWE-798 (Hardcoded Credentials)
### Location
- **File:** \`src/api/auth.ts\`
- **Line:** 45
### Issue
JWT secret is hardcoded in source code.
### Evidence
\`\`\`typescript
const JWT_SECRET = 'mysecretkey'
\`\`\`
### Recommendation
Move secret to environment variable:
\`\`\`typescript
const JWT_SECRET = process.env.JWT_SECRET
\`\`\``
})
// Architecture analyst alerts performance about pattern
TeammateTool.message({
from: "architecture-analyst",
to: ["performance-analyst"],
type: "pattern_alert",
message: `## Pattern Alert: Potential N+1 Query
**File:** \`src/services/orders.ts\`
### Observed Pattern
Service calls database directly in loop - classic N+1 pattern.
### Action Requested
Please verify and quantify the performance impact.`
})
// Performance analyst confirms cross-concern
TeammateTool.message({
from: "performance-analyst",
to: ["orchestrator", "architecture-analyst"],
type: "cross_concern_confirmed",
message: `## Cross-Concern Confirmed: N+1 Query
**Original Alert:** architecture:loop_pattern
### Finding Details
| Field | Value |
|-------|-------|
| **Severity** | High |
| **File** | \`src/services/orders.ts\` |
| **Line** | 78 |
### Issue
N+1 query pattern causing **50 DB calls per request**.
### Recommendation
Batch fetch with \`WHERE IN\` clause:
\`\`\`sql
SELECT * FROM items WHERE order_id IN (?, ?, ...)
\`\`\``
})
// Stack analyst warns security about vulnerable dep
TeammateTool.message({
from: "stack-analyst",
to: ["security-analyst", "orchestrator"],
type: "vulnerability_alert",
message: `## Vulnerability Alert: Outdated Dependency
### Package Details
- **Package:** \`lodash\`
- **Current Version:** 4.17.15
- **Vulnerability:** Prototype Pollution
- **Severity:** High
### Fix
Upgrade to version **4.17.21+**:
\`\`\`bash
npm install lodash@^4.17.21
\`\`\``
})
3.3: Live Progress Dashboard
## CTO Analysis Progress (Live) | Analyst | Status | Findings | Critical | Duration | |---------|--------|----------|----------|----------| | security-analyst | ✅ Complete | 5 | 1 | 2m 15s | | architecture-analyst | 🔄 Running | 3 | 0 | 2m 45s | | performance-analyst | ✅ Complete | 4 | 0 | 1m 58s | | quality-analyst | 🔄 Running | 2 | 0 | 2m 10s | | stack-analyst | ✅ Complete | 6 | 0 | 1m 30s | ### Critical Findings (Live) 🚨 [security] JWT secret hardcoded in src/api/auth.ts:45 └─ Detected 1m 30s ago ### Cross-Concern Alerts ⚠️ architecture → performance: N+1 confirmed in orders service ⚠️ stack → security: Vulnerable lodash version detected ### Emerging Patterns 📊 3 analysts flagged error handling inconsistency 📊 2 analysts noted missing input validation
3.4: Swarm Synchronization
Wait for all analysts before final synthesis:
TeammateTool.sync({
name: "analysis-complete",
wait_for: [
"security-analyst",
"architecture-analyst",
"performance-analyst",
"quality-analyst",
"stack-analyst"
],
timeout: 300, // 5 minutes max
on_partial_timeout: {
// If one analyst is slow, synthesize available findings
action: "synthesize_available",
mark_incomplete: ["slow_analyst_name"]
},
on_complete: "generate_executive_report"
})
3.5: Swarm Findings Synthesis
Merge all analyst findings into unified report:
{
"swarmAnalysis": {
"mode": "swarm",
"duration": "3m 42s",
"analysts": {
"security-analyst": { "findings": 5, "critical": 1 },
"architecture-analyst": { "findings": 3, "critical": 0 },
"performance-analyst": { "findings": 4, "critical": 0 },
"quality-analyst": { "findings": 2, "critical": 0 },
"stack-analyst": { "findings": 6, "critical": 0 }
},
"crossConcerns": [
{
"analysts": ["architecture", "performance"],
"issue": "N+1 query in order service",
"combinedSeverity": "high"
}
],
"emergingPatterns": [
{
"pattern": "Inconsistent error handling",
"flaggedBy": ["security", "architecture", "quality"],
"recommendation": "Implement centralized error handler"
}
],
"totalFindings": 20,
"criticalCount": 1,
"highCount": 4,
"mediumCount": 8,
"lowCount": 7
}
}
Step 3-Alt: Sequential Analysis (For Focused Reviews)
Use sequential mode when:
- •Answering a specific question ("Should we use GraphQL?")
- •Focused single-area review ("Just check security")
- •Limited context/time available
Architecture Review
Check component organization:
# Find main source directories find . -type d -name "src" -o -name "app" -o -name "lib" -o -name "components" 2>/dev/null | head -10 # Analyze imports/dependencies grep -r "import.*from" --include="*.ts" --include="*.tsx" --include="*.js" | head -50
Identify patterns:
- •Circular dependencies
- •God components/modules
- •Proper separation of concerns
- •API layer architecture
- •Database access patterns
Create findings report:
## Architecture Review Findings ### Strengths - [What's done well] ### Areas for Improvement | Area | Current State | Recommendation | Priority | |------|---------------|----------------|----------| | [Area] | [Issue] | [Fix] | HIGH/MED/LOW | ### Recommended Refactoring 1. [Specific action with rationale]
Code Quality Assessment
Check for code smells:
# Large files (potential god objects)
find . -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.py" \) ! -path '*/node_modules/*' -exec wc -l {} \; | sort -rn | head -20
# Complex functions (many if/else, deep nesting)
grep -rn "if.*{" --include="*.ts" --include="*.tsx" | head -30
# TODO/FIXME comments
grep -rn "TODO\|FIXME\|HACK\|XXX" --include="*.ts" --include="*.tsx" --include="*.js" --include="*.py" | head -20
Review testing:
# Test file coverage find . -type f \( -name "*.test.*" -o -name "*.spec.*" -o -name "*_test.py" \) ! -path '*/node_modules/*' | wc -l # Source file count for comparison find . -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.py" \) ! -path '*/node_modules/*' ! -name "*.test.*" ! -name "*.spec.*" | wc -l
Security Audit
Check for common vulnerabilities:
# Hardcoded secrets grep -rn "password\s*=\|api_key\s*=\|secret\s*=\|token\s*=" --include="*.ts" --include="*.js" --include="*.py" ! -path '*/node_modules/*' | head -20 # SQL injection risks grep -rn "query.*\$\|execute.*\$\|raw.*\$" --include="*.ts" --include="*.js" --include="*.py" | head -20 # eval usage grep -rn "\beval\b\|exec\b" --include="*.ts" --include="*.js" --include="*.py" | head -10
Check dependencies:
# Run security audit if available npm audit 2>/dev/null | head -50 pip-audit 2>/dev/null | head -50
Performance Analysis
Check for performance issues:
# N+1 query patterns (multiple similar queries) grep -rn "\.find\|\.findOne\|\.query\|\.select" --include="*.ts" --include="*.js" | head -30 # Missing indexes hints grep -rn "ORDER BY\|GROUP BY\|WHERE" --include="*.sql" | head -20 # Large bundle concerns cat package.json 2>/dev/null | jq '.dependencies' 2>/dev/null | head -30
Step 4: Generate Report
Create comprehensive CTO report:
# CTO Technical Assessment **Project:** [Name] **Date:** [Date] **Reviewer:** AI CTO Advisor --- ## Executive Summary [2-3 sentence overview of findings and key recommendations] --- ## Tech Stack Overview | Layer | Technology | Version | Health | |-------|------------|---------|--------| | Frontend | [Tech] | [Ver] | Good/Fair/Poor | | Backend | [Tech] | [Ver] | Good/Fair/Poor | | Database | [Tech] | [Ver] | Good/Fair/Poor | | Testing | [Tech] | [Ver] | Good/Fair/Poor | --- ## Architecture Assessment ### Current State [Description of current architecture] ### Strengths - [Strength 1] - [Strength 2] ### Concerns | Issue | Severity | Impact | Effort to Fix | |-------|----------|--------|---------------| | [Issue] | HIGH/MED/LOW | [Impact] | [Effort] | --- ## Code Quality ### Metrics - Lines of Code: [X] - Test Coverage: [X]% - Technical Debt: [Low/Medium/High] ### Key Findings 1. [Finding with recommendation] 2. [Finding with recommendation] --- ## Security ### Vulnerabilities Found | Issue | Severity | Location | Remediation | |-------|----------|----------|-------------| | [Issue] | CRITICAL/HIGH/MED/LOW | [File:Line] | [Fix] | ### Recommendations 1. [Security improvement] 2. [Security improvement] --- ## Performance ### Bottlenecks Identified 1. [Bottleneck with solution] 2. [Bottleneck with solution] ### Optimization Opportunities 1. [Opportunity] 2. [Opportunity] --- ## Prioritized Action Items ### Immediate (This Week) 1. [ ] [Critical issue to fix] ### Short-term (This Month) 1. [ ] [Important improvement] ### Long-term (This Quarter) 1. [ ] [Strategic initiative] --- ## Technical Debt Register | Item | Origin | Impact | Estimated Effort | Priority | |------|--------|--------|------------------|----------| | [Debt item] | [When introduced] | [Impact] | [Hours/Days] | 1-5 | --- ## Appendix: Architecture Decision Records ### ADR-001: [Title] **Status:** Proposed **Context:** [Why is this decision needed?] **Decision:** [What is the proposed solution?] **Consequences:** [What are the trade-offs?]
Step 5: Present and Discuss
Present findings:
## CTO Assessment Complete I've analyzed your codebase. Here's a summary: **Overall Health:** [Good/Fair/Needs Attention] **Top 3 Priorities:** 1. [Priority 1] - [Severity] 2. [Priority 2] - [Severity] 3. [Priority 3] - [Severity] **Quick Wins Available:** [Y/N - list if yes] Would you like me to: A. Show the full detailed report B. Focus on security findings C. Deep dive into architecture D. Create a refactoring plan
Step 6: Implementation Handoff
IMPORTANT: After presenting recommendations, ALWAYS ask the user before implementing:
Use the AskUserQuestion tool to prompt:
question: "Would you like me to implement these recommendations using /autonomous-dev?"
header: "Implement"
options:
- label: "Yes, implement all (Recommended)"
description: "Launch autonomous-dev to implement all prioritized recommendations"
- label: "Yes, implement selected"
description: "Choose which recommendations to implement"
- label: "No, just the report"
description: "Keep the analysis - I'll implement manually"
If user selects "Yes, implement all":
- •Create a structured PRD from the recommendations
- •Invoke
/autonomous-devskill with the PRD - •Let autonomous-dev handle the implementation
If user selects "Yes, implement selected":
- •Present numbered list of recommendations
- •Ask which items to implement
- •Create focused PRD for selected items
- •Invoke
/autonomous-devwith the scoped PRD
If user selects "No, just the report":
- •Confirm the report is saved (if written to file)
- •Offer to answer any questions about findings
- •End the CTO session
NEVER implement recommendations without explicit user approval.
Completion Signals
This skill explicitly signals completion via structured status returns. Never rely on heuristics like "consecutive iterations without tool calls" to detect completion.
Completion Signal Format
At the end of analysis, return:
{
"status": "complete|partial|blocked|failed",
"analysisType": "sequential|swarm",
"summary": "Brief description of findings",
"findings": {
"critical": 0,
"high": 0,
"medium": 0,
"low": 0
},
"reports": ["List of generated reports"],
"userActionRequired": "What user should do next (if any)"
}
Success Signal (Sequential Mode)
{
"status": "complete",
"analysisType": "sequential",
"summary": "Completed focused security audit of authentication system",
"findings": {
"critical": 1,
"high": 2,
"medium": 3,
"low": 5
},
"reports": [".testing/reports/cto-security-audit-2026-01-30.md"],
"topPriorities": [
"Fix hardcoded JWT secret (CRITICAL)",
"Add rate limiting to login endpoint (HIGH)",
"Implement CSRF protection (HIGH)"
],
"userActionRequired": "Review findings and approve implementation"
}
Success Signal (Swarm Mode)
{
"status": "complete",
"analysisType": "swarm",
"summary": "Completed full codebase review with 5 parallel analysts",
"swarmMetrics": {
"analysts": 5,
"duration": "3m 42s",
"crossConcerns": 2,
"emergingPatterns": 3
},
"findings": {
"critical": 1,
"high": 4,
"medium": 8,
"low": 7
},
"reports": [".testing/reports/cto-full-review-2026-01-30.md"],
"analystSummaries": {
"security": "1 critical, 3 high findings",
"architecture": "0 critical, 1 high, 3 medium findings",
"performance": "0 critical, 2 medium findings",
"quality": "0 critical, 5 low findings",
"stack": "0 critical, 3 medium findings"
},
"userActionRequired": "Review prioritized action items and approve fixes"
}
Partial Completion Signal
{
"status": "partial",
"analysisType": "swarm",
"summary": "3 of 5 analysts completed, 2 timed out",
"completedAnalysts": ["security", "architecture", "performance"],
"incompleteAnalysts": ["quality", "stack"],
"partialFindings": {
"critical": 1,
"high": 3,
"medium": 4,
"low": 0
},
"reason": "Quality and stack analysts exceeded timeout",
"reports": [".testing/reports/cto-partial-review-2026-01-30.md"],
"userActionRequired": "Review partial findings or re-run incomplete analysts"
}
Blocked Signal
{
"status": "blocked",
"analysisType": "sequential",
"summary": "Cannot access codebase - directory not readable",
"blockers": [
"Project directory not found at specified path",
"No package.json or requirements.txt detected",
"Missing read permissions for source files"
],
"userInputRequired": "Please navigate to project root directory or specify correct path"
}
Failed Signal
{
"status": "failed",
"analysisType": "swarm",
"summary": "Swarm analysis failed - unable to spawn analysts",
"errors": [
"TeammateTool not available in current environment",
"Insufficient context window for parallel analysis"
],
"fallbackAction": "Retry with sequential mode",
"recoverySuggestions": [
"Use 'sequential' mode instead of 'swarm'",
"Enable TeammateTool support",
"Reduce scope to specific area (e.g., security only)"
]
}
When to Signal
- •After sequential analysis: Signal "complete" when report is generated and user prompt shown
- •After swarm analysis: Signal "complete" when all analysts finish and synthesis is done
- •During swarm: Signal "partial" if some analysts timeout but others complete
- •Any blocker: Signal "blocked" immediately (e.g., codebase not found, permissions issue)
- •Any failure: Signal "failed" with clear error and recovery path
- •Before implementation: Always signal "complete" and wait for user approval before invoking autonomous-dev
Configuration File: cto-requirements.md
Create this file in your project to guide CTO reviews:
# CTO Requirements ## Focus Areas <!-- Which areas should receive priority attention? --> - [ ] Architecture review - [ ] Code quality - [ ] Security audit - [ ] Performance analysis - [ ] Tech stack evaluation - [ ] Testing strategy ## Constraints <!-- What should the CTO consider when making recommendations? --> - Budget: [Limited/Moderate/Flexible] - Timeline: [Urgent/Normal/Long-term] - Team size: [X developers] - Team expertise: [Junior/Mixed/Senior] ## Known Issues <!-- Document issues you're already aware of --> 1. [Known issue 1] 2. [Known issue 2] ## Out of Scope <!-- What should NOT be reviewed this time? --> - [Area to skip] ## Priority Questions <!-- Specific questions to answer --> 1. [Question 1] 2. [Question 2]
Tech Stack Evaluation Matrix
When evaluating technology choices:
| Criterion | Weight | Description |
|---|---|---|
| Fit | 25% | Solves the specific problem well |
| Maturity | 20% | Production-ready, active community |
| Team Fit | 20% | Team can learn/use effectively |
| Scalability | 15% | Handles growth requirements |
| Ecosystem | 10% | Libraries, tools, integrations |
| Cost | 10% | Licensing, hosting, operations |
Scoring Template:
| Option | Fit | Maturity | Team | Scale | Ecosystem | Cost | Score |
|---|---|---|---|---|---|---|---|
| [Option A] | /10 | /10 | /10 | /10 | /10 | /10 | [Weighted] |
Security Checklist
Application Security
- • Input validation on all user inputs
- • Output encoding (XSS prevention)
- • SQL injection prevention (parameterized queries)
- • CSRF protection
- • Rate limiting on APIs
- • Secure session management
Infrastructure Security
- • HTTPS everywhere (TLS 1.3)
- • Secrets in environment variables / secret manager
- • Principle of least privilege (IAM)
- • Regular dependency updates
- • Security headers configured
Data Security
- • Encryption at rest
- • Encryption in transit
- • PII handling compliance
- • Backup and disaster recovery
- • Audit logging
Scaling Tiers Guide
Tier 1: 0-1K users ├── Single server sufficient ├── Managed database (Supabase/Neon) ├── Basic caching └── Estimated cost: $0-50/month Tier 2: 1K-10K users ├── Horizontal scaling ready ├── Read replicas if needed ├── Redis caching layer ├── CDN for static assets └── Estimated cost: $50-500/month Tier 3: 10K-100K users ├── Auto-scaling groups ├── Database sharding consideration ├── Queue-based async processing ├── Full observability stack └── Estimated cost: $500-5K/month Tier 4: 100K+ users ├── Microservices consideration ├── Multi-region deployment ├── Advanced caching strategies ├── Dedicated database clusters └── Estimated cost: $5K+/month
Memory Integration
Save valuable insights to Memory MCP for cross-project learning:
When to save:
- •Discovered an architectural pattern that worked well
- •Found a security vulnerability pattern to avoid
- •Learned something about a specific technology
- •Made a strategic decision that proved successful
Entity types:
// Save architectural pattern
mcp__memory__create_entities({
entities: [{
name: "architecture:pattern-name",
entityType: "architecture-decision",
observations: [
"Context: when to use",
"Pattern: what it is",
"Benefits: why it works",
"Trade-offs: what to watch for"
]
}]
})
// Save security learning
mcp__memory__create_entities({
entities: [{
name: "security:vulnerability-type",
entityType: "security-insight",
observations: [
"Vulnerability: description",
"Detection: how to find it",
"Prevention: how to avoid it",
"Applies to: frameworks/languages"
]
}]
})
Swarm Mode Configuration
Enable swarm mode in your cto-requirements.md:
## Execution Mode mode: swarm # or "sequential" ## Swarm Configuration swarm: max_concurrent_analysts: 5 timeout_seconds: 300 critical_finding_action: immediate_notify cross_concern_detection: true live_dashboard: true
Or configure globally:
{
"cto": {
"defaultMode": "swarm",
"swarmConfig": {
"analysts": ["security", "architecture", "performance", "quality", "stack"],
"priorityOrder": ["security", "performance", "architecture", "quality", "stack"],
"timeoutSeconds": 300,
"crossConcernDetection": true
}
}
}
Swarm vs Sequential Comparison
| Aspect | Sequential | Swarm |
|---|---|---|
| Execution | One area at a time | All areas concurrent |
| Duration | Sum of all analyses | Max of all analyses |
| Cross-Concerns | Manual correlation | Auto-detected |
| Critical Findings | Found after all complete | Immediately surfaced |
| Token Usage | Lower (single context) | Higher (5 contexts) |
| Best For | Focused questions | Full codebase review |
When to Use Each Mode
Use Swarm Mode:
- •Full codebase review ("Review this project as CTO")
- •Pre-launch audit
- •New project onboarding
- •Quarterly health check
- •Due diligence review
Use Sequential Mode:
- •Specific question ("Is our auth secure?")
- •Single area focus ("Review architecture only")
- •Quick check before PR
- •Limited time available
Task Cleanup
Use TaskUpdate with status: "deleted" to clean up completed or stale task chains:
{"taskId": "1", "status": "deleted"}
This prevents task list clutter during long review sessions.
Quick Commands
| Command | Action |
|---|---|
| "status" | Show current review progress |
| "focus [area]" | Narrow review to specific area (sequential) |
| "swarm review" | Force swarm mode for full analysis |
| "deep dive [component]" | Detailed analysis of component |
| "create adr" | Generate Architecture Decision Record |
| "implement" | Prompt for /autonomous-dev implementation |
| "plan refactor" | Create refactoring roadmap |
Integration with Other Skills
With autonomous-dev
When CTO review identifies refactoring needs:
CTO identifies issue → Asks user for approval → Creates refactoring PRD → autonomous-dev implements
Note: CTO always asks before invoking autonomous-dev. Never auto-implement.
With fulltest-skill
CTO reads fulltest reports for context:
fulltest finds bugs → CTO analyzes patterns → Recommends systemic fixes
With cpo-ai-skill
CTO serves as technical advisor during product development:
CPO defines product → CTO advises architecture → Implementation proceeds
Example Invocations
Swarm Mode: Full Review
User: "Review this codebase as a CTO" CTO Advisor (Swarm Mode): 1. Checks for cto-requirements.md 2. Performs codebase discovery 3. Spawns 5 parallel analysts via TeammateTool: - security-analyst - architecture-analyst - performance-analyst - quality-analyst - stack-analyst # Real-time output: [0:15] security-analyst: 🔍 Scanning auth patterns... [0:22] architecture-analyst: 🔍 Mapping component boundaries... [0:28] security-analyst: 🚨 CRITICAL: Hardcoded JWT secret found [0:35] performance-analyst: ⚠️ N+1 query detected in orders [0:42] architecture-analyst → performance-analyst: "Check service loop pattern" [0:55] performance-analyst: ✅ Confirmed N+1 (cross-concern with architecture) [1:10] quality-analyst: ℹ️ Test coverage at 45% [1:25] stack-analyst: ⚠️ 3 vulnerable dependencies found # Synthesis (live as findings arrive): - Critical: 1 (security) - High: 3 (security, performance, stack) - Medium: 5 - Cross-concerns detected: 2 4. Generates executive report 5. Asks: "Would you like me to implement fixes using /autonomous-dev?"
Sequential Mode: Focused Security Audit
User: "Do a security audit of the authentication system" CTO Advisor (Sequential Mode): 1. Locates auth-related files 2. Reviews authentication flow 3. Checks for OWASP vulnerabilities 4. Reviews session management 5. Checks secrets handling 6. Generates security-focused report
Swarm Mode: Pre-Launch Audit
User: "We're launching next week - full CTO review please" CTO Advisor (Swarm Mode): 1. Spawns all 5 analysts with "launch_readiness" focus 2. Each analyst prioritizes launch-blocking issues 3. Cross-concern detection catches: - Security + Performance: "Rate limiting missing on public API" - Architecture + Quality: "No error boundary in React app" 4. Generates launch readiness checklist: ❌ 2 blockers (must fix) ⚠️ 5 should fix ℹ️ 8 nice to have 5. Creates prioritized fix plan for autonomous-dev
Architecture Decision
User: "Should we migrate from REST to GraphQL?" CTO Advisor (Sequential - focused question): 1. Analyzes current REST implementation 2. Evaluates GraphQL fit for use cases 3. Considers team expertise 4. Calculates migration effort 5. Provides scored recommendation 6. Creates ADR for decision
Version
Current Version: 2.0.0 (Swarm-enabled) Last Updated: January 2026
Changelog
- •2.0.0: Added swarm mode with parallel specialist analysts
- •5 concurrent analysts (security, architecture, performance, quality, stack)
- •Real-time cross-concern detection
- •Live progress dashboard
- •Inter-analyst communication via TeammateTool
- •1.0.0: Initial release with sequential analysis
Requirements
- •Sequential Mode: Standard Claude Code
- •Swarm Mode: Requires
claude-sneakpeekor official TeammateTool support
See Also
- •autonomous-dev - For implementing refactoring recommendations
- •fulltest-skill - For comprehensive testing
- •cpo-ai-skill - For product lifecycle orchestration