50 specialist agents

Every agent in the GreatCTO pipeline.

From architect to lab-automation-reviewer — 50 specialist AI agents auto-attach based on your project archetype + detected packs. Source: agents/ in the GreatCTO plugin.

Catalog

50 agents · 38 reviewers + 12 core specialists.

ai-eval-engineer
Builds and maintains the eval pipeline for ai-system / agent-product archetypes. Outputs tests/eval/EVAL-*.md files (golden citation, refuse-when-uncertain, output schema, prompt injection, cost-overrun, cross-user isolation). Runs regression on every prompt or model change. Dete
core · haiku
ai-prompt-architect
Designs and versions LLM system prompts for ai-system / agent-product archetypes. Outputs ADR-PROMPT-{name}.md files with sha256-pinned prompt text, jailbreak resistance test cases, and revision history. Pairs with ai-eval-engineer for golden-set scenarios.
core · sonnet
architect
Use when starting any new feature. Creates architecture docs, ADRs, cost estimates, Well-Architected review. Always first in the pipeline.
core · claude-opus-4-7
continuous-learner
Use at session end (auto-triggered by SessionEnd hook) or via /learn command. Extracts repeatable patterns, decisions, and cost outliers from the session and writes structured entries to .great_cto/lessons.md. Promotes high-confidence patterns to ~/.great_cto/decisions.md after ≥
core · claude-haiku-4-5
devops
Use after gate:ship is approved. Deploys using the method matching the project type.
core · haiku
l3-support
Production support. Monitors logs, triages incidents, creates Beads tasks. For P0 — immediate investigation + postmortem.
core · sonnet
performance-engineer
Performance specialist. Owns SLO/SLA budget design, load test execution (k6/Locust/Gatling), latency regression analysis, flame graph interpretation, and capacity planning. Runs after senior-dev, before QA. Writes docs/performance/PERF-{slug}.md. Activated when performance-sla is
core · sonnet · [data-platform, enterprise, commerce, web-app, infra]
pm
Use after architect produces the ARCH doc. Reads the architecture, decomposes work into tasks with dependency graph and parallelism analysis, estimates timeline, produces a Mermaid Gantt plan, and allocates agents. Creates gate:plan for human approval before any senior-dev starts
core · sonnet · [ai-system, agent-product, commerce, web3, browser-extension, game, regulated, fintech, iot-embedded, data-platform, mobile-app, library, enterprise, web-app, devtools, infra, marketing-site]
project-auditor
Use for /audit or when no PROJECT.md exists. Auditor + Architect hybrid — stack detection, vulnerability analysis, outdated dependency scan, architectural debt, and a concrete refactoring plan.
core · sonnet
qa-engineer
Use after senior-dev completes implementation. Analyzes actual code, then runs type-appropriate QA, writes report, files bugs in Beads.
core · haiku
security-officer
Use after QA passes. Runs security audit by project type, writes report, controls gate:ship.
core · sonnet
senior-dev
Use to implement tasks from Beads backlog. Claims a task, implements with TDD, closes when done. Can run in parallel.
core · sonnet
ai-clinical-reviewer
Clinical AI / clinical decision-support pre-implementation reviewer. Specialises in FDA GMLP (10 guiding principles), predetermined change-control plan (PCCP), human-in-the-loop boundaries, EU AI Act Annex III «medical» high-risk obligations, hallucination guardrails, citation-gr
reviewer · sonnet · [ai-system, agent-product, regulated]
ai-security-reviewer
AI-specific pre-implementation threat modelling for ai-system / agent-product archetypes. Specialises in OWASP LLM Top 10 (prompt injection, output exfiltration, SSRF in tool layer, supply chain, cost runaway, cross-user isolation, model jailbreak, RAG poisoning). Outputs threat
reviewer · sonnet
api-platform-reviewer
API platform / dev-API pre-implementation reviewer. Specialises in rate-limit design (token-bucket / sliding-window per tier), OAuth 2.1 + PKCE scope hygiene, webhook signing (HMAC-SHA256 + replay-window + retry policy), idempotency keys, RFC 8594 Sunset header, deprecation polic
reviewer · sonnet · [devtools, library, ai-system, agent-product, web-service]
bio-data-reviewer
Biomedical data platform pre-implementation reviewer. Specialises in FHIR R5 / HL7 v2 conformance, OMOP CDM, OHDSI, genomics formats (VCF / BAM / CRAM / FASTQ), DICOM SR, de-identification (Safe Harbor + Expert Determination, ≤0.04 re-id risk), GA4GH Data Use Ontology, dbGaP subm
reviewer · sonnet · [data-platform, regulated, ai-system]
biosecurity-reviewer
Biosecurity / dual-use research pre-implementation reviewer. Specialises in NIH DURC policy + P3CO framework, IGSC DNA-synthesis screening (Harmonized Screening Protocol v2), Australia Group export controls, Biological Weapons Convention (BWC) compliance, AI x biology dual-use ri
reviewer · sonnet · [ai-system, regulated, data-platform]
cli-reviewer
CLI tool pre-implementation reviewer. Specialises in shell-injection prevention (no shell, argv arrays only), CLI UX conventions (--help / --version / exit codes / --json mode / NO_COLOR), cross-platform path handling, secret redaction in --verbose, and dangerous-default detectio
reviewer · sonnet
climate-mrv-reviewer
Climate measurement-reporting-verification (MRV) pre-implementation reviewer. Specialises in GHG Protocol Scope 1/2/3, ISO 14064-1/-2/-3, Verra VCS / Gold Standard / Puro.earth methodology compliance, SBTi targets, CDP disclosure, EU CBAM, EPA GHGRP, double-counting prevention, a
reviewer · sonnet · [data-platform, ai-system, regulated]
clinical-trials-reviewer
Clinical-trial platform pre-implementation reviewer. Specialises in ICH-GCP E6(R3), 21 CFR Part 11 (electronic records + audit trail + e-signatures), CDISC SDTM/ADaM data standards, IRB workflow, informed consent versioning, AE/SAE 24h reporting, MHRA + EMA equivalents, and decen
reviewer · sonnet · [regulated, ai-system, data-platform]
cms-reviewer
CMS / content-platform pre-implementation reviewer. Specialises in schema.org structured data, Core Web Vitals (LCP / INP / CLS), DMCA §512 safe-harbor workflow, UGC moderation (CSAM / NCMEC reporting / spam / hate-speech), image optimization (AVIF / WebP / responsive srcset), si
reviewer · sonnet
data-platform-reviewer
Data-platform pre-implementation reviewer. Specialises in dbt model contracts, Spark / Airflow lineage, PII detection in driver logs, GDPR retention enforcement, BI dashboard SLOs, and SAR / DPIA readiness. Outputs threat model TM-{slug}.md and signs off retention + lineage decis
reviewer · sonnet
db-migration-reviewer
Database migration safety specialist. Activates when migrations/ files are detected in a PR or feature branch. Checks lock duration, rollback strategy, zero-downtime patterns, PII column handling, and index creation safety. Writes docs/migrations/MIGRATE-{slug}.md. Blocks deploy
reviewer · sonnet · [web-service, commerce, enterprise, data-platform, fintech, regulated, web-app]
devtools-reviewer
Devtools (CLI plugin / IDE extension / dev SDK) pre-implementation reviewer. Specialises in Sigstore signing + SLSA Level 3 provenance, OpenSSF Scorecard ≥ 7, telemetry-leak prevention (no paths / no usernames / no source), reproducible builds, and update-channel signature verifi
reviewer · sonnet
drug-discovery-ml-reviewer
AI / ML drug-discovery pre-implementation reviewer. Specialises in model cards for binding affinity / ADMET / toxicity prediction, retrospective validation on held-out targets, applicability-domain analysis, uncertainty quantification, dataset provenance + version pinning (ChEMBL
reviewer · sonnet · [ai-system, regulated, data-platform]
edtech-reviewer
Education-technology specialist pre-implementation reviewer for edtech archetype. Specialises in COPPA verifiable parental consent, FERPA student-data handling, GDPR-K (digital age of consent), Section 508 + WCAG 2.2 AA accessibility, child-safety content moderation (CSAM hash, N
reviewer · sonnet · [edtech]
emerging-markets-fintech-reviewer
Emerging-markets fintech pre-implementation reviewer. Specialises in India DPDP Act 2023 + RBI tokenization + UPI rails; Nigeria NDPR + CBN; Singapore MAS PSA; Philippines BSP; Indonesia OJK; Vietnam data-localization; Brazil LGPD + PIX; Mexico CONDUSEF. Plus data-localization ma
reviewer · sonnet · [commerce, regulated, web-service]
enterprise-saas-reviewer
B2B / enterprise-SaaS pre-implementation reviewer. Specialises in multi-tenant isolation (row-level security / schema-per-tenant / DB-per-tenant decision), SSO (SAML / OIDC / SCIM), immutable audit logs, data-residency, tier-based feature flags, admin-impersonation safety, and SO
reviewer · sonnet
fda-reviewer
FDA / SaMD (Software as Medical Device) pre-implementation reviewer. Specialises in IMDRF SaMD classification (Class I/II/III), 510(k) vs De Novo vs PMA path selection, predicate analysis, IEC 62304 software lifecycle, ISO 14971 risk management, IEC 82304 health software, EU MDR/
reviewer · sonnet · [regulated, ai-system, agent-product]
firmware-reviewer
IoT/embedded specialist pre-implementation reviewer. Specialises in OTA update strategy, ETSI EN 303 645 compliance, secure boot validation, hardware-in-the-loop test design, power profiling, watchdog patterns, RTOS/firmware-specific patterns (Zephyr, ESP-IDF, FreeRTOS, embassy).
reviewer · sonnet
game-reviewer
Game / interactive-entertainment pre-implementation reviewer. Specialises in COPPA under-13 compliance, ESRB / PEGI / IARC age-rating alignment, IAP age-gates and spending limits, loot-box odds disclosure (BE / NL / DE / China), accessibility (WCAG 2.2 + game a11y guidelines), an
reviewer · sonnet
glp-glab-reviewer
GLP / GMP / GxP data-integrity pre-implementation reviewer. Specialises in 21 CFR Part 58 (Good Laboratory Practice for non-clinical), 21 CFR Part 211 (GMP for manufacturing), OECD GLP, ALCOA+ data integrity principles, raw data definition + retention, study director responsibili
reviewer · sonnet · [regulated, data-platform]
gov-reviewer
Government / public-sector specialist pre-implementation reviewer for gov-public archetype. Specialises in FedRAMP authorization-boundary scoping (Moderate/High), NIST 800-53 control mapping, FISMA compliance, Section 508 accessibility, Privacy Impact Assessment (PIA) generation,
reviewer · sonnet · [gov-public]
healthcare-reviewer
Healthcare-specific pre-implementation reviewer for archetype:healthcare. Specialises in HIPAA Security Rule (45 CFR 164.308–318), Business Associate Agreement (BAA) chain, FHIR/HL7 implementation gotchas, PHI access logging (immutable audit), HITECH breach-notification timelines
reviewer · sonnet
hr-ai-reviewer
HR-AI / AI-recruiting pre-implementation reviewer. Specialises in NYC Local Law 144 AEDT (4/5-rule bias audit, candidate notice ≥10 business days, annual third-party audit), EEOC AI guidance, Illinois AI Video Interview Act, Colorado SB 205, Maryland HB 1202, EU AI Act Annex III
reviewer · sonnet · [ai-system, agent-product, enterprise]
infra-reviewer
Infrastructure-as-code pre-implementation reviewer. Specialises in Terraform / Pulumi / Helm / CDK safety — drift detection, IAM least-privilege, public-resource blocking (S3 / GCS / Azure Blob), CIS benchmarks, KMS rotation, and rollback-path enforcement. Outputs threat model TM
reviewer · sonnet
insurance-reviewer
Insurance / InsurTech specialist pre-implementation reviewer for insurance archetype. Specialises in NAIC Model Acts (50-state filing matrix), Solvency II (EU capital adequacy), IFRS 17 insurance contracts, ACORD standards, actuarial model auditability (ASOPs), anti-discriminatio
reviewer · sonnet · [insurance]
lab-automation-reviewer
Lab-automation / cloud-lab pre-implementation reviewer. Specialises in SiLA2 / OPC-UA device integrations, LIMS chain-of-custody, sample barcode traceability, instrument qualification (IQ/OQ/PQ), reagent lot tracking, scheduling + collision avoidance on robotic platforms, recover
reviewer · sonnet · [iot-embedded, data-platform, ai-system]
lending-credit-reviewer
Lending / consumer + SMB credit pre-implementation reviewer. Specialises in ECOA / Reg B adverse-action notices (30-day rule, ≤4 principal reasons), FCRA permissible purpose + dispute flow, NMLS state lending license matrix, Military Lending Act 36% APR cap, UDAAP, CFPB §1033 ope
reviewer · sonnet · [commerce, regulated, ai-system]
library-reviewer
Library / SDK pre-implementation reviewer. Specialises in semver enforcement, public API surface diffing (api-extractor / pyright / cargo public-api), backward-compat matrix testing, CHANGELOG discipline, migration guides, and supply-chain hardening (Sigstore / OpenSSF Scorecard)
reviewer · sonnet
marketplace-reviewer
Two-sided marketplace pre-implementation reviewer. Specialises in Stripe Connect / Adyen MarketPay payouts, seller KYC (Persona / Onfido / Sumsub), marketplace facilitator tax (US Wayfair v. SD), 1099-K reporting, escrow / hold-and-release, dispute mediation, two-sided fee model,
reviewer · sonnet
mlops-reviewer
MLOps / model lifecycle pre-implementation reviewer. Specialises in dataset versioning (DVC / LakeFS), distributed training cost budgets, model registry (MLflow / W&B), drift detection (Evidently / WhyLabs), bias / fairness audit (Fairlearn / AIF360), shadow + A/B model serving,
reviewer · sonnet
mobile-store-reviewer
Mobile-app pre-implementation reviewer for App Store / Play Store policy compliance. Specialises in IAP receipt validation, push token security, privacy nutrition labels, deep-link verification, and platform-specific rejections. Outputs threat model TM-{slug}.md and signs off sto
reviewer · sonnet
oracle-reviewer
Web3-DeFi specialist pre-implementation reviewer. Specialises in oracle strategy (Chainlink/Pyth/TWAP), MEV protection (sandwich/JIT/flash-loan), upgradeability decision (Immutable/UUPS/Diamond/Beacon), L2 sequencer halts, custody/multisig/timelock, formal verification scope. Out
reviewer · sonnet
pci-reviewer
Commerce-specific pre-implementation reviewer. Specialises in PCI-DSS scope reduction (SAQ-A vs SAQ-D), idempotency proof, webhook signature validation, refund/dispute flow, Strong Customer Authentication (SCA / PSD2 EU), PSP failover. Outputs threat model TM-{slug}.md and signs
reviewer · sonnet
regulated-reviewer
Regulated-industry specialist pre-implementation reviewer for fintech / regulated archetypes. Specialises in DORA ICT risk (Articles 5 & 16), NIS2 Article 21 controls, ISO 27001 SoA gap analysis, SOX ITGC (access control, change management, SoD), HIPAA PHI handling + BAA requireme
reviewer · sonnet · [regulated, fintech]
robotics-safety-reviewer
Robotics / physical AI safety pre-implementation reviewer. Specialises in ISO 10218-1/-2 (industrial), ISO/TS 15066 (cobot force/pressure limits), ISO 13482 (service robots), IEC 61508 functional safety (SIL levels), ROS 2 DDS-security profiles, hazard analysis (HARA), e-stop ver
reviewer · sonnet · [iot-embedded, ai-system, agent-product, regulated]
streaming-reviewer
Streaming / event-driven pre-implementation reviewer. Specialises in exactly-once semantics (idempotent producer + transactional outbox), backpressure (Flink watermarks / Kinesis throttling), CDC patterns (Debezium / Maxwell), Schema Registry compatibility rules, DLQ handling, p9
reviewer · sonnet
voice-ai-reviewer
Voice-AI / telephony pre-implementation reviewer. Specialises in TCPA prior-express-consent, STIR/SHAKEN attestation, state recording-consent matrix (one-/two-party), CRTC CASL (Canada), Ofcom CLI rules (UK), EU AI Act Article 50 synth-voice disclosure, deepfake laws (CA AB-2655,
reviewer · sonnet · [agent-product, ai-system]
web-store-reviewer
Pre-implementation Web Store policy reviewer for browser-extension archetype. Validates manifest.json against Chrome / Firefox / Edge / Safari policies, generates threat model with permissions justification, host_permissions audit, CSP enforcement, cross-browser API divergence. O
reviewer · sonnet