Phoenix is a Elixir natural fit for web service / api. GreatCTO auto-detects both β adds the web-service archetype overlay, wires web-service-specific gates, and runs 83 specialist agents around your existing Phoenix workflow.
GreatCTO reads your mix.exs and detects phoenix + web-service archetype from signals: imports, file structure, env vars, README hints.
Attaches the web-service archetype overlay: OWASP API Top-10, GDPR data-minimization, SLO + error-budget gates. Override if your specifics differ; the defaults are sensible for Phoenix-style projects.
qa-engineer runs mix test --cover / credo --strict; security-officer audits Ecto query injection + Phoenix CSRF; performance-engineer profiles BEAM scheduler + Ecto pool.
Bugs you've hit before in other Phoenix projects (connection-pool exhaustion, ORM N+1 queries, retry storms) β the agent's Step 0 includes the prior detection order. MTTR drops 94 % on second occurrence (methodology).
$ cd my-phoenix-app && npx great-cto init β scanning manifestsβ¦ found manifest β stack: phoenix (Elixir) β archetype: web-service β overlay: applied β 83 agents ready $ /start "add authenticated REST endpoint" βΈ architect drafting ARCH-web-service.mdβ¦ βΈ pm decomposing into beads tasksβ¦ β gate:plan β your approval needed
Approve β 3 senior-devs run in parallel worktrees β 5 reviewers fan out in parallel β gate:ship β deploy. One real run walked stage-by-stage: /proof.
This is the shape of what senior-dev drafts for "authenticated REST endpoint" β auth first, schema validation, and the audit line the web-service reviewer requires before gate:ship opens.
# lib/app_web/controllers/web_service_controller.ex β reviewed by 5 agents
defmodule AppWeb.WebServiceController do
use AppWeb, :controller
plug :require_authenticated_user # security-officer: auth before handler
def create(conn, params) do
with {:ok, attrs} <- validate(params), # qa-engineer: changeset enforced
{:ok, result} <- WebService.handle(attrs, conn.assigns.current_user) do
AuditLog.record(conn.assigns.current_user.id, "authenticated REST endpoint", result.confidence) # gate:web-service
json(conn, result)
end
end
endweb-service overlay.Public REST / GraphQL APIs with SLO gates and error budgets.
Internal platform APIs with authenticated service-to-service calls.
Partner-facing APIs with rate limiting and usage metering.
No black-box "AI does it all" loop. GreatCTO is a deterministic state machine β 8 stages, 22 nodes, 2 human gates. Every node maps to a real agent on GitHub. Inspect the state machine β
$ npx great-cto init
Free, MIT, runs locally. Built as a Claude Code plugin β install with one command.
Eight stages, two human gates, four memory layers. Why this exact shape, and what I tried that didn't work.
One run, one feature, from prompt to merged PR. Time, cost, and gate-by-gate breakdown β no marketing math.
Regex vs LLM-based archetype detection, the false-positive count, and why I keep rejecting the obvious fix.
The bottleneck in agentic SDLC isn't model quality β it's process governance. Here's the state machine that closes the gap.