Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/avelikiy/great_cto

The engineering process for solo founders and teams up to 50 engineers - without the overhead.
https://github.com/avelikiy/great_cto

agentic-coding claude-code-plugin claude-code-skills claude-code-subagents code-review cto multi-agent sdlc

Last synced: about 5 hours ago
JSON representation

The engineering process for solo founders and teams up to 50 engineers - without the overhead.

Awesome Lists containing this project

README 

          



great_cto



**Your AI engineering team for ~$34/month.**



[![npm](https://img.shields.io/npm/v/great-cto?label=npx%20great-cto&color=cb3837)](https://www.npmjs.com/package/great-cto)

[![npm downloads](https://img.shields.io/npm/dm/great-cto?color=cb3837&label=downloads)](https://www.npmjs.com/package/great-cto)

[![License](https://img.shields.io/badge/license-MIT-green)](LICENSE)

[![Claude Code Plugin](https://img.shields.io/badge/Claude_Code-Plugin-blueviolet)](https://claude.com/plugins)

[![Savings](https://img.shields.io/badge/one_real_run-$2.39_vs_$5460_human-darkgreen)](https://greatcto.systems/proof)



great_cto pipeline: Flow Compiler → gate:plan → 57 agents → gate:ship → Deployed



```bash

npx great-cto init

```



[Website](https://greatcto.systems) · [One real run →](https://greatcto.systems/proof) · [Live demo](https://greatcto.systems/r/CsqYVXs1Vibac5yp) · [Discussions](https://github.com/avelikiy/great_cto/discussions) · [Changelog](CHANGELOG.md)



[Русский](docs/ru/README.md) · [简体中文](docs/zh-CN/README.md) · [繁體中文](docs/zh-TW/README.md) · [日本語](docs/ja/README.md) · [한국어](docs/ko/README.md) · [Español](docs/es/README.md) · [Português](docs/pt-BR/README.md) · [Deutsch](docs/de/README.md) · [Français](docs/fr/README.md)






---



## The problem



You're a solo CTO. You write the code, review the code, deploy the code. Nobody's catching:



- The GDPR clause you missed in the payment flow

- The N+1 query that shows up in prod at 10× scale

- The auth middleware hole you'll read about in a bug report



Hiring a senior engineer to review: **$15,000/month.** Doing it yourself: **risk.**



## What you get



57 specialist agents — architect, 12-angle reviewer, QA, security officer, devops — wired into a gated pipeline tuned to your stack and jurisdiction.



**You make two decisions per feature.** Everything else runs automatically.



## By the numbers



| | |

|---|---|

| LLM cost (one real feature, traced) | **$2.39** |

| Human-equivalent for the same work | **~$5,460** |

| Defects caught that QA had missed | **2** |

| Monthly cost (20 pipeline runs) | **~$34** |

| Specialist agents | **57** |

| Archetypes auto-detected | **25** |

| Jurisdictions | **12** (GDPR · HIPAA · PCI-DSS · SOX · and more) |



→ [Full trace with all artefacts](https://greatcto.systems/proof)



## How it works



**`npx great-cto init`** — scans your stack and README, detects jurisdiction (GDPR? HIPAA? PCI?), writes `.great_cto/FLOW.md` with the exact agents, gates, and compliance frameworks for your project.



**`/start "describe the feature"`** — critics review the architecture and spec before any code is written. You review the plan at `gate:plan`.



**Agents run automatically** — senior-dev implements with TDD, 12-angle review, QA, security, devops. You approve ship at `gate:ship`.



## Three projects — three different pipelines



Same command. Output depends on what you're building and where it runs:



| | **Fintech startup · EU** | **Healthcare portal · US** | **CLI tool** |

|---|---|---|---|

| Specialist agents | `pci-reviewer` · `gdpr-reviewer` · `regulated-reviewer` | `fda-reviewer` · `healthcare-reviewer` · `security-officer` | `cli-reviewer` |

| Human gates | `gate:gdpr-dpia` · `gate:plan` · `gate:ship` | `gate:clinical-validation` · `gate:plan` · `gate:ship` | `gate:plan` |

| Compliance | GDPR · PCI-DSS · SOX | HIPAA · HITECH | — |

| Cost / cycle | ~$8–18 | ~$8–18 | ~$0.5–3 |



→ Try the interactive picker: [greatcto.systems/#flow-picker](https://greatcto.systems/#flow-picker)



## The dashboard you'll actually check



`great-cto board` opens at `http://localhost:3141` — Kanban with realtime SSE, per-agent cost tile, pipeline status, 30-day LLM spend vs human-equivalent baseline.





  Kanban board with realtime SSE updates




Metrics — cost, velocity, savings_x
Metrics — LLM cost, human-equivalent baseline, savings_x ratio

Inbox — gates, P0, blocked, stale
Inbox — pending gates, P0 incidents, blocked tasks, stale in-progress



Agent fleet — 57 specialists with run counts
Agents — 57 specialists with last-used + run counts

Memory layers and crystallized patterns
Memory — 11 layers + crystallized incident patterns



**Built for the one-person engineering org.** Indie hackers, solo founders, technical CTOs running everything themselves. *Not for teams* — see [FAQ](docs/FAQ.md#is-great_cto-for-teams).



## Install



```bash

npx great-cto init

```



Restart Claude Code after init. **Requires:** [Claude Code](https://claude.com/claude-code) · Node 18.17+



Superpowers and Beads companion plugins install automatically — no manual setup needed.



---



📖 Full documentation — two gates · critics · 57 agents · 25 archetypes · 12 jurisdictions · 33+ compliance frameworks · board · cost · MCP



## Two decisions per feature



```

🟡 gate:plan   ←  you decide here (architecture + tasks + cost)


🤖 senior-dev → 12-angle review → qa-engineer → security-officer → devops


🟢 gate:ship   ←  you decide here (PR ready, security signed off)

```



Architects, planners, reviewers, QA, security, DevOps run automatically between those two human checkpoints. **Memory persists** between sessions: every gate verdict appends to `~/.great_cto/decisions.md`, every retrospective appends to per-project `lessons.md`, and `/crystallize` promotes high-impact patterns to a global library agents query before re-solving.



## Critics before the plan



The most expensive bugs aren't in the code — they're in decisions made before coding starts. Three critic agents run before the Plan stage, at the three positions where a mistake costs the most:



| Critic | Catches |

|---|---|

| **Architecture critic** | Coupling that rules out multi-tenancy later · "obvious" O(n²) on real-scale data · circular dependencies between bounded contexts |

| **Spec critic** | "We solved the wrong problem" — the worst class of bug, because no unit test will catch it · misaligned acceptance criteria · scope that was never agreed on |

| **Schema critic** | `NOT NULL` without a default on a 50M-row table (deadlock in 10min after deploy) · missing `CONCURRENTLY` on index creation · irreversible migrations with no rollback path |



Previously critics only activated starting from Plan. Now the pipeline catches architectural and spec-level mistakes before implementation begins — when reverting costs hours, not days.



## How great_cto compares



|  | **great_cto** | Devin | Claude Code (alone) |

|---|---|---|---|

| Open source | ✅ MIT | ❌ closed | ❌ closed plugin model |

| Self-host | ✅ runs locally | ❌ Cognition cloud | ✅ |

| BYOK / multi-model | ✅ Claude Code | ❌ proprietary | ❌ Anthropic only |

| Specialist agents | **57** (architect · PM · 12-angle review · QA · security · devops · 42 reviewers across archetypes, packs & jurisdictions) | 1 generalist | 1 generalist |

| SDLC orchestration | architect → plan → impl → review → QA → security → devops | one-shot autonomy | edit loop |

| Human gates | ✅ 2 per feature (plan + ship) | ❌ none | ❌ |

| Memory across sessions | ✅ `decisions.md` + `lessons.md` + crystallize | ⚠️ thread only | ⚠️ thread only |

| Cost tracking | ✅ per-agent + 30d history + savings_x | ❌ | ❌ |

| Compliance frameworks | ✅ 33+ (PCI · HIPAA · SOX · GDPR · CCPA · DPDPA · EU AI Act · FDA SaMD · COPPA · FERPA · FedRAMP · NAIC · …) | ❌ | ❌ |

| Pricing | free (you pay your LLM provider) | $500/mo | $20/mo |

| Setup | `npx great-cto init` | sign up | install CLI |



great_cto is **not** another coding-agent loop — it's the **orchestration layer above** the coding agent you already use. Think "specialist team that reviews and gates the work" rather than "another assistant that types code."



## Jurisdiction detection



`npx great-cto init` scans three signal sources — README keywords, infra region strings (Terraform, `.env` `AWS_REGION=`, docker-compose `TZ=`), and `package.json` homepage TLD — and auto-detects which of **12 jurisdictions** apply:



| Jurisdiction | Signals (README + infra) | Frameworks | Reviewer |

|---|---|---|---|

| `eu` | gdpr · eu users · nis2 · eu ai act · `eu-west-*` · `.de` TLD | GDPR · EU AI Act · NIS2 · ePrivacy | `gdpr-reviewer` |

| `us-ca` | ccpa · cpra · california residents · do not sell | CCPA / CPRA | `us-privacy-reviewer` |

| `uk` | uk gdpr · information commissioner · dpa 2018 | UK GDPR · DPA 2018 | `gdpr-reviewer` |

| `in` | dpdpa · india users · rbi data localisation | DPDPA 2023 · RBI | `dpdpa-reviewer` |

| `br` | lgpd · anpd · brazil users | LGPD | `gdpr-reviewer` |

| `au` | privacy act 1988 · oaic · notifiable data breach | Privacy Act 1988 · CDR | `us-privacy-reviewer` |

| `sg` | pdpa · pdpc · mas guidelines · singpass | PDPA · MAS TRM | `us-privacy-reviewer` |

| `ca` | pipeda · quebec law 25 · casl · canadian users · `ca-central-*` | PIPEDA · Quebec Law 25 · CASL · OSFI B-10 | `us-privacy-reviewer` |

| `jp` | appi · japan users · my number · `ap-northeast-1` · `japaneast` | APPI 2022 · PPC Guidelines · FISC | `us-privacy-reviewer` |

| `cn` | pipl · mlps · china users · `cn-north-*` · `cn-east-*` | PIPL 2021 · DSL 2021 · MLPS 2.0 · CBDT | `gdpr-reviewer` |

| `kr` | pipa korea · isms-p · kisa · korea users · `ap-northeast-2` | PIPA · ISMS-P · FSC regulations | `us-privacy-reviewer` |

| `us` | ftc · us users · virginia cdpa · texas tdpsa | FTC Act · US state privacy laws | `us-privacy-reviewer` |



Word-boundary matching prevents false positives (`"india"` doesn't match `"indiana"`). Detected jurisdiction is written to `PROJECT.md` as `jurisdiction: [eu, us-ca]` and gates the appropriate reviewer on every feature. Override manually:



```yaml

jurisdiction: [eu, us-ca]

```



## Three commands you use every day



```bash

/start "build a refund endpoint with PCI-DSS scoping"

# → architect → enterprise-saas-reviewer (PCI-DSS auto-loaded)

# → pm → 5 Beads tasks → gate:plan (you approve)

# → senior-dev → 12-angle review → qa → security-officer

# → gate:ship (you approve) → devops → deployed



/inbox

# Pending gates · P0 incidents · blocked tasks · stale in-progress



/digest

# Weekly DORA + delta vs last week + cost-per-feature roll-up

```



Plus: `/audit` (existing-codebase scan), `/cost` (LLM router savings), `/sec` (security umbrella), `/oncall`, `/release`, `/rfc`. Full list: `~/.claude/commands/` after install.



## Cost



```

~$34/month for a typical solo-CTO project — 20 pipeline runs/month, indicative.

```



| Pipeline | Cost/run | Runs/mo | Total |

|---|---|---|---|

| quick (config / typo) | $0.10 | 10 | $1 |

| quick (new endpoint) | $1 | 6 | $6 |

| standard (feature) | $5 | 3 | $15 |

| deep (cross-cutting) | $12 | 1 | $12 |

| | | | **~$34** |



Pay your own Anthropic API tokens. **No per-seat fee. No SaaS lock-in.** Routine triage auto-routes to Kimi K2 (Sonnet-equivalent at ~5× lower cost) → 60–80% reduction on log clustering.



## 25 archetypes auto-detected



Each archetype activates its own specialist agents and compliance checklists. Top 7:



| Archetype | Tier | Specialist agents | Compliance |

|---|---|---|---|

| `enterprise-saas` | **deep** | enterprise-saas-reviewer | soc2-type-2 · iso27001 · gdpr · ccpa |

| `agent-product` | **deep** | ai-prompt-architect · ai-eval · ai-security | eu-ai-act · owasp-llm-top-10 |

| `fintech` | **deep** | pci · regulated | pci-dss · sox · kyc-aml · gdpr · dora |

| `mlops` | **deep** | mlops-reviewer · ai-eval | eu-ai-act · nist-ai-rmf · iso42001 |

| `library` | baseline | library-reviewer | openssf · sbom |

| `cli-tool` | baseline | cli-reviewer | — |

| `mobile-app` | standard | mobile-store-reviewer | store-policy · gdpr |



Full table (25 archetypes) + how detection works: [docs/ARCHETYPES.md](docs/ARCHETYPES.md).



## 11 domain packs — overlay reviewers



Domain packs ride **on top of** archetypes. Auto-attached when CLI detects pack-specific signals (deps, README terms). Each pack adds its own reviewer(s), threat-model template, EVAL suite, and human gates — independent of base archetype.



| Category | Packs |

|---|---|

| **AI verticals** | `voice-pack` · `clinical-pack` · `hr-ai-pack` · `drug-discovery-pack` |

| **Digital health** | `digital-health-pack` _(wearable telemetry · mental-health AI · nutrition AI · physician HITL)_ |

| **Fintech / regulated** | `lending-pack` · `em-fintech-pack` |

| **High-compliance** | `clinical-trials-pack` · `climate-pack` |

| **Engineering** | `api-platform-pack` · `robotics-pack` |



→ **24 human-gate types** + 38 reference EVAL suites + 15 TM templates. Browse all 11 packs with **4-layer journey visualization** (archetype → pack → reviewer → gate): [greatcto.systems/packs.html](https://greatcto.systems/packs.html).



## One real run, fully traced



A Python CLI feature shipped through the full pipeline: **$2.39 LLM spend** vs ~$5,460 human-equivalent. Security caught two real defects QA had passed (`list(stream_csv())` defeated streaming → 14.5 MB peak RSS on 13 MB input). Multi-reviewer model catching what single agents miss, before merge.



Full trace + artefacts: [greatcto.systems/proof](https://greatcto.systems/proof) · raw: [`docs/qa/runs/2026-05-09/E2E-CLI-PIPELINE.md`](docs/qa/runs/2026-05-09/E2E-CLI-PIPELINE.md).



## CI integration



Drop into any GitHub Actions workflow:



```yaml

- run: npx great-cto@latest ci ./ --sarif results.sarif

- uses: github/codeql-action/upload-sarif@v3

  if: always()

  with: { sarif_file: results.sarif }

```



`great-cto ci` auto-detects `$GITHUB_ACTIONS` and emits `::error file=...,line=N::` annotations inline on PR diffs. Exit codes: 0 clean / 1 findings / 2 setup error.



## Test pyramid



Layered test suite — **structural + state-machine tier runs in <2 min for $0** (`node --test tests/*.test.mjs`); real-LLM tier (25 archetypes × 4-8 stages + 11 packs + 9 reviewers) runs on-demand via OpenRouter for ~$5–10. Full breakdown: [docs/testing/](docs/testing/).



## MCP



Native [MCP](https://modelcontextprotocol.io/) server — **7 tools** callable from Claude Desktop or any MCP host. Local (no board needed): `detect_archetype` · `estimate_cost` · `query_decisions`. Board-backed: `project_status` · `cost_summary` · `pipeline_stages` · `recent_verdicts`.



```json

{ "mcpServers": { "great-cto": { "command": "npx", "args": ["-y", "great-cto@latest", "mcp"] } } }

```



Full setup + internal MCPs (Grafana, LLM router, Beads): [docs/MCP.md](docs/MCP.md).



## Email alerts (zero-setup)



Five things that need you to act in <2h get emailed automatically — even when you're away from the board:



| Trigger | When |

|---|---|

| 🚨 **P0 incident** | A P0 task opens in any project |

| ⏸️ **Gate stale > 2h** | A `gate:ship` is waiting on you for hours |

| 🛡️ **Security BLOCKED** | `security-officer` rejected a merge |

| 💸 **Budget alert** | Monthly LLM spend crosses 80% / 100% of budget |

| 📊 **Weekly digest** | Friday 09:00 — shipped, spent, savings, QA |



**Setup**: board → **Notifications** tab → enter email → enter the 6-digit code we send → pick triggers. No Resend signup, no API keys — delivery routed through `greatcto.systems/notify` (free, 100 emails/24h per verified email).



## Limitations & non-goals



- **Not for teams** — solo-CTO is the product. 2+ engineers? You've outgrown it.

- **Not a replacement for senior engineers** — codifies process; doesn't make architectural judgement calls without one.

- **Not a CI/CD system** — gates run locally / in-session. You still need GitHub Actions for actual merge.

- **Not certification-audited** — PCI/HIPAA/SOC2 archetype scaffolds are starting points, not certifications.

- **Not deterministic** — LLM-generated outputs. Every gate verdict should be sanity-checked.



## FAQ (top 5)



**Is my source code used to train models?** No. Claude API zero-retention by default for paying customers. great_cto adds nothing.



**How do you keep token costs down?** Haiku-by-default + Kimi K2 router for triage (60–80% savings) + cost-guard hook.



**Can I disable hooks?** Every hook honors `GREAT_CTO_DISABLE_=1`. Per-file secret-scan opt-out: `// great_cto:allow-secrets`.



**What if I'm not solo?** great_cto is built for the one-person engineering org. If you have 2+ engineers and need shared boards / multi-seat auth, you've outgrown it.



Full FAQ: [docs/FAQ.md](docs/FAQ.md).



## Architecture



The plugin runs inside Claude Code (or any MCP-capable host); 57 agents are markdown specs; tasks live in Beads (dolt, git-native); memory is plain markdown (no vector store). Diagram + stack table: [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md).



## What's new



**v2.21.0** (May 2026) — **Flow Compiler UX**: `npx great-cto init` now prints a **Compiled flow** with agents, gates, compliance, and cost estimate per feature cycle. Writes `.great_cto/FLOW.md` — agents read it to know exactly how to orchestrate your SDLC.



**v2.20.0** (May 2026) — **Detection v2**: **12-jurisdiction coverage** (added CA · JP · CN · KR with full legal framework + human gates) · **infra-signal detection** (Terraform region strings, `.env` `AWS_REGION=`, docker-compose `TZ=`, `package.json` homepage TLD) · **word-boundary matching** (no more "india" → "indiana" false positives) · **pack hints** for niche archetypes (`suggestedPacks` surfaces robotics/climate/clinical-trials/hr-ai/em-fintech packs when confidence is low). Token savings: –87.7% per pipeline run (v2.19.0 context-architecture redesign).



**v2.19.0** (May 2026) — **Token economy Phase 1+2**: artifact summaries (≤250 tokens, auto-generated) + task-aware memory filter (top-k relevant entries per task). –87.7% tokens per pipeline run.



**v2.17.0** (May 2026) — **companion plugins auto-install** · **Architecture / Spec / Schema critics** before Plan stage.



[Full changelog →](CHANGELOG.md)



## Roadmap



- **Evals runner in CI** — run golden-set eval suites on every PR, catch prompt regressions automatically

- **Self-improving loop** — agents that learn from verdicts and improve their own prompts over time

- **Decision scoring** — track which gate decisions turned out to be right; surface patterns

- **/crystallize** — promote high-impact lessons to reusable skills the whole pipeline can query



[Vote on the next feature →](https://github.com/avelikiy/great_cto/discussions/categories/ideas)



## Author



[avelikiy](https://github.com/avelikiy) — CTO building AI-native trading and fintech platforms (0→1, 1→N). great_cto is the result of automating my own loops, one agent at a time. Every rule appeared in response to a real problem in a real production system.



## Community



| Channel | What |

|---|---|

| 🐛 [Issues](https://github.com/avelikiy/great_cto/issues) | Bugs, feature requests, archetype proposals |

| 💡 [Discussions](https://github.com/avelikiy/great_cto/discussions) | Questions, patterns, show-and-tell |

| 📝 [Blog](https://velikiy.hashnode.dev) | Architecture deep-dives |

| 🔒 [SECURITY.md](SECURITY.md) | Responsible disclosure |



## Contributing & License



Pull requests welcome — see [CONTRIBUTING.md](CONTRIBUTING.md). Good first issues: [`good-first-issue`](https://github.com/avelikiy/great_cto/issues?q=is%3Aopen+label%3Agood-first-issue).



MIT — see [LICENSE](LICENSE).



If great_cto saved you time, please star the repo — it helps other solo CTOs find it.



[![Star History Chart](https://api.star-history.com/svg?repos=avelikiy/great_cto&type=Date)](https://star-history.com/#avelikiy/great_cto&Date)



---






**Built by [@avelikiy](https://github.com/avelikiy)**

*Stop being the only person who can ship.*