AgentSkillsCN

cto

适用于任何项目的、支持群组协作的AI CTO顾问。借助TeammateTool,对架构、安全、性能与代码质量进行全面并行技术分析。同时启动多位专业评审员,实时共享分析结果。首次运行时,会自动检查是否存在cto-requirements.md配置文件。触发条件包括:CTO建议、架构评审、技术栈决策、系统设计、代码质量评审、安全审计、性能评估、技术路线图、重构策略。

SKILL.md
--- frontmatter
name: cto
description: "Swarm-enabled AI CTO advisor for any project. Uses TeammateTool for parallel technical analysis across architecture, security, performance, and code quality. Spawns concurrent specialist reviewers that share findings in real-time. On first run, checks for cto-requirements.md config file. Triggers on: CTO advice, architecture review, tech stack decision, system design, code quality review, security audit, performance review, technical roadmap, refactoring strategy."
user-invocable: true
context: fork
model: opus
allowed-tools:
  - Read
  - Write
  - Edit
  - Glob
  - Grep
  - Bash
  - WebSearch
  - WebFetch
  - Task
  - TaskCreate
  - TaskUpdate
  - TaskList
  - TaskGet
  - TeammateTool
  - AskUserQuestion
  - mcp__memory__*

CTO - Universal AI Technical Advisor

A comprehensive CTO advisor skill that provides strategic technical leadership for any project. Analyzes codebases, evaluates architecture, recommends improvements, and guides technical decisions.

Core Responsibilities

1. Architecture Review

  • Evaluate system design and component relationships
  • Identify architectural anti-patterns
  • Recommend improvements for scalability and maintainability
  • Create Architecture Decision Records (ADRs)

2. Code Quality Assessment

  • Review code organization and structure
  • Identify technical debt and code smells
  • Recommend refactoring strategies
  • Evaluate testing coverage and strategy

3. Security Audit

  • Review for OWASP Top 10 vulnerabilities
  • Check authentication and authorization patterns
  • Evaluate secrets management
  • Assess input validation and output encoding

4. Performance Analysis

  • Identify performance bottlenecks
  • Review database query patterns
  • Evaluate caching strategies
  • Recommend optimization opportunities

5. Tech Stack Evaluation

  • Assess current technology choices
  • Recommend alternatives when appropriate
  • Evaluate dependency health and security
  • Plan migration strategies

Execution Modes

ModeDescriptionWhen to Use
SequentialOne analysis area at a timeSimple reviews, focused questions
SwarmParallel specialist analysts via TeammateToolFull codebase reviews, comprehensive audits

Swarm Mode Architecture

code
┌─────────────────────────────────────────────────────────────────────┐
│                        CTO SWARM ORCHESTRATOR                        │
│                                                                      │
│   ┌─────────────────────────────────────────────────────────────┐   │
│   │                 PARALLEL SPECIALIST ANALYSTS                 │   │
│   │                                                              │   │
│   │  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐    │   │
│   │  │ARCHITECT │  │ SECURITY │  │  PERF    │  │ QUALITY  │    │   │
│   │  │ ANALYST  │◀─▶│ ANALYST  │◀─▶│ ANALYST  │◀─▶│ ANALYST  │    │   │
│   │  └────┬─────┘  └────┬─────┘  └────┬─────┘  └────┬─────┘    │   │
│   │       │              │              │              │         │   │
│   │       └──────────────┴──────────────┴──────────────┘         │   │
│   │                          │                                    │   │
│   │              ┌───────────┴───────────┐                       │   │
│   │              │   REAL-TIME MESSAGING  │                       │   │
│   │              │  • Cross-concern alerts │                       │   │
│   │              │  • Pattern sharing      │                       │   │
│   │              │  • Critical findings    │                       │   │
│   │              └───────────────────────┘                       │   │
│   └─────────────────────────────────────────────────────────────┘   │
│                              │                                       │
│                              ▼                                       │
│   ┌─────────────────────────────────────────────────────────────┐   │
│   │                    LIVE SYNTHESIS                            │   │
│   │  • Findings merged as they arrive                           │   │
│   │  • Cross-concern correlations detected                      │   │
│   │  • Prioritized action items generated                       │   │
│   └─────────────────────────────────────────────────────────────┘   │
│                              │                                       │
│                              ▼                                       │
│   ┌─────────────────────────────────────────────────────────────┐   │
│   │                CTO EXECUTIVE REPORT                          │   │
│   └─────────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────────┘

Swarm Specialist Agents

AgentFocusChecks ForPriority
architecture-analystSystem designPatterns, coupling, scalability, separation of concernsMedium
security-analystVulnerabilitiesOWASP Top 10, secrets, auth/authz, injectionHigh
performance-analystBottlenecksN+1 queries, caching, memory, complexityMedium
quality-analystCode healthTech debt, testing, conventions, maintainabilityLow
stack-analystTechnology fitDependencies, versions, alternatives, migrationsLow

Entry Point Detection

When this skill activates, determine the context:

ConditionAction
cto-requirements.md existsLoad requirements and focus review
No config, fulltest reports existRead reports first for context
No config, no reportsFull codebase exploration
Specific question askedAnswer directly with codebase context

First Action: Check for existing context:

bash
ls -la cto-requirements.md fulltest-report*.md AGENTS.md .claude/*.md 2>/dev/null

Workflow

Step 1: Load Context

Check for CTO requirements file:

bash
cat cto-requirements.md 2>/dev/null

If exists, this file defines:

  • Focus areas (architecture, security, performance, etc.)
  • Constraints and priorities
  • Known issues to address
  • Scope limitations

Check for existing test reports:

bash
cat fulltest-report*.md 2>/dev/null | head -200

Test reports provide:

  • Known bugs and issues
  • Console errors
  • Failed tests
  • Broken links

Check for AGENTS.md patterns:

bash
cat AGENTS.md 2>/dev/null

Repository patterns inform:

  • Existing conventions
  • Previous architectural decisions
  • Code organization

Step 2: Codebase Discovery

Detect tech stack:

bash
# Package files
ls package.json requirements.txt go.mod Cargo.toml pyproject.toml composer.json Gemfile 2>/dev/null

# Read main package file
cat package.json 2>/dev/null | head -50
cat pyproject.toml 2>/dev/null | head -50

Analyze project structure:

bash
# Directory structure
find . -type d -maxdepth 3 ! -path '*/node_modules/*' ! -path '*/.git/*' ! -path '*/dist/*' ! -path '*/__pycache__/*' 2>/dev/null | head -50

# Key configuration files
ls -la tsconfig.json .eslintrc* .prettierrc* jest.config* vitest.config* playwright.config* 2>/dev/null

Identify patterns:

code
1. Framework: Next.js, React, Vue, Express, FastAPI, etc.
2. Database: PostgreSQL, MySQL, MongoDB, Supabase, etc.
3. Testing: Jest, Vitest, Playwright, Pytest, etc.
4. Deployment: Vercel, Railway, Docker, etc.
5. State management: Redux, Zustand, Pinia, etc.

Step 3: Swarm Mode Analysis (Recommended for Full Reviews)

When performing a comprehensive review, spawn parallel specialist analysts using TeammateTool:

3.1: Spawn Specialist Swarm

code
TeammateTool.spawn({
  agents: [
    {
      name: "architecture-analyst",
      type: "cto-specialist",
      task: {
        focus: "architecture",
        codebase_context: {
          tech_stack: detected_stack,
          structure: directory_structure,
          agents_md: agents_md_content
        },
        checklist: [
          "Component organization and boundaries",
          "Dependency graph analysis",
          "API layer design",
          "Data flow patterns",
          "Circular dependency detection",
          "Separation of concerns",
          "Scalability readiness",
          "Microservices vs monolith fit"
        ]
      },
      can_message: ["orchestrator", "security-analyst", "performance-analyst", "quality-analyst"],
      priority: "medium"
    },
    {
      name: "security-analyst",
      type: "cto-specialist",
      task: {
        focus: "security",
        codebase_context: {
          tech_stack: detected_stack,
          auth_files: auth_related_files,
          api_files: api_files
        },
        checklist: [
          "OWASP Top 10 vulnerabilities",
          "Authentication flow security",
          "Authorization (RBAC/ABAC) implementation",
          "Input validation coverage",
          "SQL/NoSQL injection risks",
          "XSS vulnerability points",
          "CSRF protection",
          "Secrets management",
          "Dependency vulnerabilities (npm audit)",
          "Security headers"
        ]
      },
      can_message: ["orchestrator", "architecture-analyst", "performance-analyst"],
      priority: "high"  // Security findings are urgent
    },
    {
      name: "performance-analyst",
      type: "cto-specialist",
      task: {
        focus: "performance",
        codebase_context: {
          tech_stack: detected_stack,
          database_files: db_related_files,
          api_files: api_files
        },
        checklist: [
          "N+1 query patterns",
          "Database index coverage",
          "Caching strategy",
          "Bundle size analysis",
          "Memory leak risks",
          "Async operation handling",
          "Connection pooling",
          "Rate limiting",
          "Pagination implementation",
          "Heavy computation offloading"
        ]
      },
      can_message: ["orchestrator", "architecture-analyst", "security-analyst"],
      priority: "medium"
    },
    {
      name: "quality-analyst",
      type: "cto-specialist",
      task: {
        focus: "code_quality",
        codebase_context: {
          tech_stack: detected_stack,
          test_files: test_files,
          config_files: linter_configs
        },
        checklist: [
          "Test coverage analysis",
          "Code complexity metrics",
          "Technical debt indicators",
          "TODO/FIXME accumulation",
          "Dead code detection",
          "Naming conventions",
          "Documentation coverage",
          "Error handling patterns",
          "Logging strategy",
          "Type safety (if applicable)"
        ]
      },
      can_message: ["orchestrator", "architecture-analyst"],
      priority: "low"
    },
    {
      name: "stack-analyst",
      type: "cto-specialist",
      task: {
        focus: "tech_stack",
        codebase_context: {
          package_files: package_files,
          lock_files: lock_files,
          config_files: config_files
        },
        checklist: [
          "Dependency freshness",
          "Deprecated package usage",
          "Security advisory check",
          "License compatibility",
          "Bundle bloat detection",
          "Alternative recommendations",
          "Migration path assessment",
          "Framework version currency"
        ]
      },
      can_message: ["orchestrator", "security-analyst"],
      priority: "low"
    }
  ],
  coordination: "async"
})

3.2: Inter-Analyst Communication

Analysts share findings in real-time for cross-concern detection.

Note: TeammateTool messages support rich Markdown rendering. Use headers, bold, code blocks, and lists in your message payloads for clear, well-formatted communication between agents.

code
// Security analyst finds auth issue
TeammateTool.message({
  from: "security-analyst",
  to: ["orchestrator"],
  type: "critical_finding",
  priority: "immediate",
  message: `## Critical Security Finding

**Severity:** Critical
**Category:** Security
**CWE:** CWE-798 (Hardcoded Credentials)

### Location
- **File:** \`src/api/auth.ts\`
- **Line:** 45

### Issue
JWT secret is hardcoded in source code.

### Evidence
\`\`\`typescript
const JWT_SECRET = 'mysecretkey'
\`\`\`

### Recommendation
Move secret to environment variable:
\`\`\`typescript
const JWT_SECRET = process.env.JWT_SECRET
\`\`\``
})

// Architecture analyst alerts performance about pattern
TeammateTool.message({
  from: "architecture-analyst",
  to: ["performance-analyst"],
  type: "pattern_alert",
  message: `## Pattern Alert: Potential N+1 Query

**File:** \`src/services/orders.ts\`

### Observed Pattern
Service calls database directly in loop - classic N+1 pattern.

### Action Requested
Please verify and quantify the performance impact.`
})

// Performance analyst confirms cross-concern
TeammateTool.message({
  from: "performance-analyst",
  to: ["orchestrator", "architecture-analyst"],
  type: "cross_concern_confirmed",
  message: `## Cross-Concern Confirmed: N+1 Query

**Original Alert:** architecture:loop_pattern

### Finding Details
| Field | Value |
|-------|-------|
| **Severity** | High |
| **File** | \`src/services/orders.ts\` |
| **Line** | 78 |

### Issue
N+1 query pattern causing **50 DB calls per request**.

### Recommendation
Batch fetch with \`WHERE IN\` clause:
\`\`\`sql
SELECT * FROM items WHERE order_id IN (?, ?, ...)
\`\`\``
})

// Stack analyst warns security about vulnerable dep
TeammateTool.message({
  from: "stack-analyst",
  to: ["security-analyst", "orchestrator"],
  type: "vulnerability_alert",
  message: `## Vulnerability Alert: Outdated Dependency

### Package Details
- **Package:** \`lodash\`
- **Current Version:** 4.17.15
- **Vulnerability:** Prototype Pollution
- **Severity:** High

### Fix
Upgrade to version **4.17.21+**:
\`\`\`bash
npm install lodash@^4.17.21
\`\`\``
})

3.3: Live Progress Dashboard

markdown
## CTO Analysis Progress (Live)

| Analyst | Status | Findings | Critical | Duration |
|---------|--------|----------|----------|----------|
| security-analyst | ✅ Complete | 5 | 1 | 2m 15s |
| architecture-analyst | 🔄 Running | 3 | 0 | 2m 45s |
| performance-analyst | ✅ Complete | 4 | 0 | 1m 58s |
| quality-analyst | 🔄 Running | 2 | 0 | 2m 10s |
| stack-analyst | ✅ Complete | 6 | 0 | 1m 30s |

### Critical Findings (Live)
🚨 [security] JWT secret hardcoded in src/api/auth.ts:45
   └─ Detected 1m 30s ago

### Cross-Concern Alerts
⚠️ architecture → performance: N+1 confirmed in orders service
⚠️ stack → security: Vulnerable lodash version detected

### Emerging Patterns
📊 3 analysts flagged error handling inconsistency
📊 2 analysts noted missing input validation

3.4: Swarm Synchronization

Wait for all analysts before final synthesis:

code
TeammateTool.sync({
  name: "analysis-complete",
  wait_for: [
    "security-analyst",
    "architecture-analyst",
    "performance-analyst",
    "quality-analyst",
    "stack-analyst"
  ],
  timeout: 300,  // 5 minutes max
  on_partial_timeout: {
    // If one analyst is slow, synthesize available findings
    action: "synthesize_available",
    mark_incomplete: ["slow_analyst_name"]
  },
  on_complete: "generate_executive_report"
})

3.5: Swarm Findings Synthesis

Merge all analyst findings into unified report:

json
{
  "swarmAnalysis": {
    "mode": "swarm",
    "duration": "3m 42s",
    "analysts": {
      "security-analyst": { "findings": 5, "critical": 1 },
      "architecture-analyst": { "findings": 3, "critical": 0 },
      "performance-analyst": { "findings": 4, "critical": 0 },
      "quality-analyst": { "findings": 2, "critical": 0 },
      "stack-analyst": { "findings": 6, "critical": 0 }
    },
    "crossConcerns": [
      {
        "analysts": ["architecture", "performance"],
        "issue": "N+1 query in order service",
        "combinedSeverity": "high"
      }
    ],
    "emergingPatterns": [
      {
        "pattern": "Inconsistent error handling",
        "flaggedBy": ["security", "architecture", "quality"],
        "recommendation": "Implement centralized error handler"
      }
    ],
    "totalFindings": 20,
    "criticalCount": 1,
    "highCount": 4,
    "mediumCount": 8,
    "lowCount": 7
  }
}

Step 3-Alt: Sequential Analysis (For Focused Reviews)

Use sequential mode when:

  • Answering a specific question ("Should we use GraphQL?")
  • Focused single-area review ("Just check security")
  • Limited context/time available

Architecture Review

Check component organization:

bash
# Find main source directories
find . -type d -name "src" -o -name "app" -o -name "lib" -o -name "components" 2>/dev/null | head -10

# Analyze imports/dependencies
grep -r "import.*from" --include="*.ts" --include="*.tsx" --include="*.js" | head -50

Identify patterns:

  • Circular dependencies
  • God components/modules
  • Proper separation of concerns
  • API layer architecture
  • Database access patterns

Create findings report:

markdown
## Architecture Review Findings

### Strengths
- [What's done well]

### Areas for Improvement
| Area | Current State | Recommendation | Priority |
|------|---------------|----------------|----------|
| [Area] | [Issue] | [Fix] | HIGH/MED/LOW |

### Recommended Refactoring
1. [Specific action with rationale]

Code Quality Assessment

Check for code smells:

bash
# Large files (potential god objects)
find . -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.py" \) ! -path '*/node_modules/*' -exec wc -l {} \; | sort -rn | head -20

# Complex functions (many if/else, deep nesting)
grep -rn "if.*{" --include="*.ts" --include="*.tsx" | head -30

# TODO/FIXME comments
grep -rn "TODO\|FIXME\|HACK\|XXX" --include="*.ts" --include="*.tsx" --include="*.js" --include="*.py" | head -20

Review testing:

bash
# Test file coverage
find . -type f \( -name "*.test.*" -o -name "*.spec.*" -o -name "*_test.py" \) ! -path '*/node_modules/*' | wc -l

# Source file count for comparison
find . -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.py" \) ! -path '*/node_modules/*' ! -name "*.test.*" ! -name "*.spec.*" | wc -l

Security Audit

Check for common vulnerabilities:

bash
# Hardcoded secrets
grep -rn "password\s*=\|api_key\s*=\|secret\s*=\|token\s*=" --include="*.ts" --include="*.js" --include="*.py" ! -path '*/node_modules/*' | head -20

# SQL injection risks
grep -rn "query.*\$\|execute.*\$\|raw.*\$" --include="*.ts" --include="*.js" --include="*.py" | head -20

# eval usage
grep -rn "\beval\b\|exec\b" --include="*.ts" --include="*.js" --include="*.py" | head -10

Check dependencies:

bash
# Run security audit if available
npm audit 2>/dev/null | head -50
pip-audit 2>/dev/null | head -50

Performance Analysis

Check for performance issues:

bash
# N+1 query patterns (multiple similar queries)
grep -rn "\.find\|\.findOne\|\.query\|\.select" --include="*.ts" --include="*.js" | head -30

# Missing indexes hints
grep -rn "ORDER BY\|GROUP BY\|WHERE" --include="*.sql" | head -20

# Large bundle concerns
cat package.json 2>/dev/null | jq '.dependencies' 2>/dev/null | head -30

Step 4: Generate Report

Create comprehensive CTO report:

markdown
# CTO Technical Assessment

**Project:** [Name]
**Date:** [Date]
**Reviewer:** AI CTO Advisor

---

## Executive Summary

[2-3 sentence overview of findings and key recommendations]

---

## Tech Stack Overview

| Layer | Technology | Version | Health |
|-------|------------|---------|--------|
| Frontend | [Tech] | [Ver] | Good/Fair/Poor |
| Backend | [Tech] | [Ver] | Good/Fair/Poor |
| Database | [Tech] | [Ver] | Good/Fair/Poor |
| Testing | [Tech] | [Ver] | Good/Fair/Poor |

---

## Architecture Assessment

### Current State
[Description of current architecture]

### Strengths
- [Strength 1]
- [Strength 2]

### Concerns
| Issue | Severity | Impact | Effort to Fix |
|-------|----------|--------|---------------|
| [Issue] | HIGH/MED/LOW | [Impact] | [Effort] |

---

## Code Quality

### Metrics
- Lines of Code: [X]
- Test Coverage: [X]%
- Technical Debt: [Low/Medium/High]

### Key Findings
1. [Finding with recommendation]
2. [Finding with recommendation]

---

## Security

### Vulnerabilities Found
| Issue | Severity | Location | Remediation |
|-------|----------|----------|-------------|
| [Issue] | CRITICAL/HIGH/MED/LOW | [File:Line] | [Fix] |

### Recommendations
1. [Security improvement]
2. [Security improvement]

---

## Performance

### Bottlenecks Identified
1. [Bottleneck with solution]
2. [Bottleneck with solution]

### Optimization Opportunities
1. [Opportunity]
2. [Opportunity]

---

## Prioritized Action Items

### Immediate (This Week)
1. [ ] [Critical issue to fix]

### Short-term (This Month)
1. [ ] [Important improvement]

### Long-term (This Quarter)
1. [ ] [Strategic initiative]

---

## Technical Debt Register

| Item | Origin | Impact | Estimated Effort | Priority |
|------|--------|--------|------------------|----------|
| [Debt item] | [When introduced] | [Impact] | [Hours/Days] | 1-5 |

---

## Appendix: Architecture Decision Records

### ADR-001: [Title]
**Status:** Proposed
**Context:** [Why is this decision needed?]
**Decision:** [What is the proposed solution?]
**Consequences:** [What are the trade-offs?]

Step 5: Present and Discuss

Present findings:

code
## CTO Assessment Complete

I've analyzed your codebase. Here's a summary:

**Overall Health:** [Good/Fair/Needs Attention]

**Top 3 Priorities:**
1. [Priority 1] - [Severity]
2. [Priority 2] - [Severity]
3. [Priority 3] - [Severity]

**Quick Wins Available:** [Y/N - list if yes]

Would you like me to:
A. Show the full detailed report
B. Focus on security findings
C. Deep dive into architecture
D. Create a refactoring plan

Step 6: Implementation Handoff

IMPORTANT: After presenting recommendations, ALWAYS ask the user before implementing:

Use the AskUserQuestion tool to prompt:

code
question: "Would you like me to implement these recommendations using /autonomous-dev?"
header: "Implement"
options:
  - label: "Yes, implement all (Recommended)"
    description: "Launch autonomous-dev to implement all prioritized recommendations"
  - label: "Yes, implement selected"
    description: "Choose which recommendations to implement"
  - label: "No, just the report"
    description: "Keep the analysis - I'll implement manually"

If user selects "Yes, implement all":

  1. Create a structured PRD from the recommendations
  2. Invoke /autonomous-dev skill with the PRD
  3. Let autonomous-dev handle the implementation

If user selects "Yes, implement selected":

  1. Present numbered list of recommendations
  2. Ask which items to implement
  3. Create focused PRD for selected items
  4. Invoke /autonomous-dev with the scoped PRD

If user selects "No, just the report":

  1. Confirm the report is saved (if written to file)
  2. Offer to answer any questions about findings
  3. End the CTO session

NEVER implement recommendations without explicit user approval.


Completion Signals

This skill explicitly signals completion via structured status returns. Never rely on heuristics like "consecutive iterations without tool calls" to detect completion.

Completion Signal Format

At the end of analysis, return:

json
{
  "status": "complete|partial|blocked|failed",
  "analysisType": "sequential|swarm",
  "summary": "Brief description of findings",
  "findings": {
    "critical": 0,
    "high": 0,
    "medium": 0,
    "low": 0
  },
  "reports": ["List of generated reports"],
  "userActionRequired": "What user should do next (if any)"
}

Success Signal (Sequential Mode)

json
{
  "status": "complete",
  "analysisType": "sequential",
  "summary": "Completed focused security audit of authentication system",
  "findings": {
    "critical": 1,
    "high": 2,
    "medium": 3,
    "low": 5
  },
  "reports": [".testing/reports/cto-security-audit-2026-01-30.md"],
  "topPriorities": [
    "Fix hardcoded JWT secret (CRITICAL)",
    "Add rate limiting to login endpoint (HIGH)",
    "Implement CSRF protection (HIGH)"
  ],
  "userActionRequired": "Review findings and approve implementation"
}

Success Signal (Swarm Mode)

json
{
  "status": "complete",
  "analysisType": "swarm",
  "summary": "Completed full codebase review with 5 parallel analysts",
  "swarmMetrics": {
    "analysts": 5,
    "duration": "3m 42s",
    "crossConcerns": 2,
    "emergingPatterns": 3
  },
  "findings": {
    "critical": 1,
    "high": 4,
    "medium": 8,
    "low": 7
  },
  "reports": [".testing/reports/cto-full-review-2026-01-30.md"],
  "analystSummaries": {
    "security": "1 critical, 3 high findings",
    "architecture": "0 critical, 1 high, 3 medium findings",
    "performance": "0 critical, 2 medium findings",
    "quality": "0 critical, 5 low findings",
    "stack": "0 critical, 3 medium findings"
  },
  "userActionRequired": "Review prioritized action items and approve fixes"
}

Partial Completion Signal

json
{
  "status": "partial",
  "analysisType": "swarm",
  "summary": "3 of 5 analysts completed, 2 timed out",
  "completedAnalysts": ["security", "architecture", "performance"],
  "incompleteAnalysts": ["quality", "stack"],
  "partialFindings": {
    "critical": 1,
    "high": 3,
    "medium": 4,
    "low": 0
  },
  "reason": "Quality and stack analysts exceeded timeout",
  "reports": [".testing/reports/cto-partial-review-2026-01-30.md"],
  "userActionRequired": "Review partial findings or re-run incomplete analysts"
}

Blocked Signal

json
{
  "status": "blocked",
  "analysisType": "sequential",
  "summary": "Cannot access codebase - directory not readable",
  "blockers": [
    "Project directory not found at specified path",
    "No package.json or requirements.txt detected",
    "Missing read permissions for source files"
  ],
  "userInputRequired": "Please navigate to project root directory or specify correct path"
}

Failed Signal

json
{
  "status": "failed",
  "analysisType": "swarm",
  "summary": "Swarm analysis failed - unable to spawn analysts",
  "errors": [
    "TeammateTool not available in current environment",
    "Insufficient context window for parallel analysis"
  ],
  "fallbackAction": "Retry with sequential mode",
  "recoverySuggestions": [
    "Use 'sequential' mode instead of 'swarm'",
    "Enable TeammateTool support",
    "Reduce scope to specific area (e.g., security only)"
  ]
}

When to Signal

  • After sequential analysis: Signal "complete" when report is generated and user prompt shown
  • After swarm analysis: Signal "complete" when all analysts finish and synthesis is done
  • During swarm: Signal "partial" if some analysts timeout but others complete
  • Any blocker: Signal "blocked" immediately (e.g., codebase not found, permissions issue)
  • Any failure: Signal "failed" with clear error and recovery path
  • Before implementation: Always signal "complete" and wait for user approval before invoking autonomous-dev

Configuration File: cto-requirements.md

Create this file in your project to guide CTO reviews:

markdown
# CTO Requirements

## Focus Areas
<!-- Which areas should receive priority attention? -->
- [ ] Architecture review
- [ ] Code quality
- [ ] Security audit
- [ ] Performance analysis
- [ ] Tech stack evaluation
- [ ] Testing strategy

## Constraints
<!-- What should the CTO consider when making recommendations? -->
- Budget: [Limited/Moderate/Flexible]
- Timeline: [Urgent/Normal/Long-term]
- Team size: [X developers]
- Team expertise: [Junior/Mixed/Senior]

## Known Issues
<!-- Document issues you're already aware of -->
1. [Known issue 1]
2. [Known issue 2]

## Out of Scope
<!-- What should NOT be reviewed this time? -->
- [Area to skip]

## Priority Questions
<!-- Specific questions to answer -->
1. [Question 1]
2. [Question 2]

Tech Stack Evaluation Matrix

When evaluating technology choices:

CriterionWeightDescription
Fit25%Solves the specific problem well
Maturity20%Production-ready, active community
Team Fit20%Team can learn/use effectively
Scalability15%Handles growth requirements
Ecosystem10%Libraries, tools, integrations
Cost10%Licensing, hosting, operations

Scoring Template:

OptionFitMaturityTeamScaleEcosystemCostScore
[Option A]/10/10/10/10/10/10[Weighted]

Security Checklist

Application Security

  • Input validation on all user inputs
  • Output encoding (XSS prevention)
  • SQL injection prevention (parameterized queries)
  • CSRF protection
  • Rate limiting on APIs
  • Secure session management

Infrastructure Security

  • HTTPS everywhere (TLS 1.3)
  • Secrets in environment variables / secret manager
  • Principle of least privilege (IAM)
  • Regular dependency updates
  • Security headers configured

Data Security

  • Encryption at rest
  • Encryption in transit
  • PII handling compliance
  • Backup and disaster recovery
  • Audit logging

Scaling Tiers Guide

code
Tier 1: 0-1K users
├── Single server sufficient
├── Managed database (Supabase/Neon)
├── Basic caching
└── Estimated cost: $0-50/month

Tier 2: 1K-10K users
├── Horizontal scaling ready
├── Read replicas if needed
├── Redis caching layer
├── CDN for static assets
└── Estimated cost: $50-500/month

Tier 3: 10K-100K users
├── Auto-scaling groups
├── Database sharding consideration
├── Queue-based async processing
├── Full observability stack
└── Estimated cost: $500-5K/month

Tier 4: 100K+ users
├── Microservices consideration
├── Multi-region deployment
├── Advanced caching strategies
├── Dedicated database clusters
└── Estimated cost: $5K+/month

Memory Integration

Save valuable insights to Memory MCP for cross-project learning:

When to save:

  • Discovered an architectural pattern that worked well
  • Found a security vulnerability pattern to avoid
  • Learned something about a specific technology
  • Made a strategic decision that proved successful

Entity types:

javascript
// Save architectural pattern
mcp__memory__create_entities({
  entities: [{
    name: "architecture:pattern-name",
    entityType: "architecture-decision",
    observations: [
      "Context: when to use",
      "Pattern: what it is",
      "Benefits: why it works",
      "Trade-offs: what to watch for"
    ]
  }]
})

// Save security learning
mcp__memory__create_entities({
  entities: [{
    name: "security:vulnerability-type",
    entityType: "security-insight",
    observations: [
      "Vulnerability: description",
      "Detection: how to find it",
      "Prevention: how to avoid it",
      "Applies to: frameworks/languages"
    ]
  }]
})

Swarm Mode Configuration

Enable swarm mode in your cto-requirements.md:

markdown
## Execution Mode
mode: swarm  # or "sequential"

## Swarm Configuration
swarm:
  max_concurrent_analysts: 5
  timeout_seconds: 300
  critical_finding_action: immediate_notify
  cross_concern_detection: true
  live_dashboard: true

Or configure globally:

json
{
  "cto": {
    "defaultMode": "swarm",
    "swarmConfig": {
      "analysts": ["security", "architecture", "performance", "quality", "stack"],
      "priorityOrder": ["security", "performance", "architecture", "quality", "stack"],
      "timeoutSeconds": 300,
      "crossConcernDetection": true
    }
  }
}

Swarm vs Sequential Comparison

AspectSequentialSwarm
ExecutionOne area at a timeAll areas concurrent
DurationSum of all analysesMax of all analyses
Cross-ConcernsManual correlationAuto-detected
Critical FindingsFound after all completeImmediately surfaced
Token UsageLower (single context)Higher (5 contexts)
Best ForFocused questionsFull codebase review

When to Use Each Mode

Use Swarm Mode:

  • Full codebase review ("Review this project as CTO")
  • Pre-launch audit
  • New project onboarding
  • Quarterly health check
  • Due diligence review

Use Sequential Mode:

  • Specific question ("Is our auth secure?")
  • Single area focus ("Review architecture only")
  • Quick check before PR
  • Limited time available

Task Cleanup

Use TaskUpdate with status: "deleted" to clean up completed or stale task chains:

json
{"taskId": "1", "status": "deleted"}

This prevents task list clutter during long review sessions.


Quick Commands

CommandAction
"status"Show current review progress
"focus [area]"Narrow review to specific area (sequential)
"swarm review"Force swarm mode for full analysis
"deep dive [component]"Detailed analysis of component
"create adr"Generate Architecture Decision Record
"implement"Prompt for /autonomous-dev implementation
"plan refactor"Create refactoring roadmap

Integration with Other Skills

With autonomous-dev

When CTO review identifies refactoring needs:

code
CTO identifies issue → Asks user for approval → Creates refactoring PRD → autonomous-dev implements

Note: CTO always asks before invoking autonomous-dev. Never auto-implement.

With fulltest-skill

CTO reads fulltest reports for context:

code
fulltest finds bugs → CTO analyzes patterns → Recommends systemic fixes

With cpo-ai-skill

CTO serves as technical advisor during product development:

code
CPO defines product → CTO advises architecture → Implementation proceeds

Example Invocations

Swarm Mode: Full Review

code
User: "Review this codebase as a CTO"

CTO Advisor (Swarm Mode):
1. Checks for cto-requirements.md
2. Performs codebase discovery
3. Spawns 5 parallel analysts via TeammateTool:
   - security-analyst
   - architecture-analyst
   - performance-analyst
   - quality-analyst
   - stack-analyst

# Real-time output:
[0:15] security-analyst: 🔍 Scanning auth patterns...
[0:22] architecture-analyst: 🔍 Mapping component boundaries...
[0:28] security-analyst: 🚨 CRITICAL: Hardcoded JWT secret found
[0:35] performance-analyst: ⚠️ N+1 query detected in orders
[0:42] architecture-analyst → performance-analyst: "Check service loop pattern"
[0:55] performance-analyst: ✅ Confirmed N+1 (cross-concern with architecture)
[1:10] quality-analyst: ℹ️ Test coverage at 45%
[1:25] stack-analyst: ⚠️ 3 vulnerable dependencies found

# Synthesis (live as findings arrive):
- Critical: 1 (security)
- High: 3 (security, performance, stack)
- Medium: 5
- Cross-concerns detected: 2

4. Generates executive report
5. Asks: "Would you like me to implement fixes using /autonomous-dev?"

Sequential Mode: Focused Security Audit

code
User: "Do a security audit of the authentication system"

CTO Advisor (Sequential Mode):
1. Locates auth-related files
2. Reviews authentication flow
3. Checks for OWASP vulnerabilities
4. Reviews session management
5. Checks secrets handling
6. Generates security-focused report

Swarm Mode: Pre-Launch Audit

code
User: "We're launching next week - full CTO review please"

CTO Advisor (Swarm Mode):
1. Spawns all 5 analysts with "launch_readiness" focus
2. Each analyst prioritizes launch-blocking issues
3. Cross-concern detection catches:
   - Security + Performance: "Rate limiting missing on public API"
   - Architecture + Quality: "No error boundary in React app"
4. Generates launch readiness checklist:
   ❌ 2 blockers (must fix)
   ⚠️ 5 should fix
   ℹ️ 8 nice to have
5. Creates prioritized fix plan for autonomous-dev

Architecture Decision

code
User: "Should we migrate from REST to GraphQL?"

CTO Advisor (Sequential - focused question):
1. Analyzes current REST implementation
2. Evaluates GraphQL fit for use cases
3. Considers team expertise
4. Calculates migration effort
5. Provides scored recommendation
6. Creates ADR for decision

Version

Current Version: 2.0.0 (Swarm-enabled) Last Updated: January 2026

Changelog

  • 2.0.0: Added swarm mode with parallel specialist analysts
    • 5 concurrent analysts (security, architecture, performance, quality, stack)
    • Real-time cross-concern detection
    • Live progress dashboard
    • Inter-analyst communication via TeammateTool
  • 1.0.0: Initial release with sequential analysis

Requirements

  • Sequential Mode: Standard Claude Code
  • Swarm Mode: Requires claude-sneakpeek or official TeammateTool support

See Also