archetype-review-base
Über
Dies ist ein grundlegendes Prüfungsrahmenwerk, das alle domänenspezifischen Prüfer implementieren müssen, um eine einheitliche Struktur, Schweregradbewertungen und Urteilsformatierung sicherzustellen. Es definiert die Grenze zwischen domänenspezifischen Heuristiken und generischen Prüfungen und beseitigt Duplizierung über 18 verschiedene Prüferprompts hinweg. Verwenden Sie diese Fähigkeit immer, wenn Sie einen der aufgeführten Domänenprüfer aufrufen, jedoch nicht für allgemeine domänenübergreifende Sicherheitsüberprüfungen.
Schnellinstallation
Claude Code
Empfohlennpx skills add avelikiy/great_cto -a claude-code/plugin add https://github.com/avelikiy/great_ctogit clone https://github.com/avelikiy/great_cto.git ~/.claude/skills/archetype-review-baseKopieren Sie diesen Befehl und fügen Sie ihn in Claude Code ein, um diese Fähigkeit zu installieren
Dokumentation
Archetype-review-base — shared review framework
Every domain reviewer follows this skeleton. Each reviewer's own SKILL.md adds the domain heuristics on top. This skill defines the parts that must be IDENTICAL across all reviewers.
Mandatory report sections
A domain review report is a markdown file at
docs/reviews/REVIEW-{slug}-{reviewer}.md. It MUST contain these
sections in this exact order:
# REVIEW-{slug} — {reviewer name}
Reviewed: {commit-sha or file paths or ARCH doc reference}
Standard: {regulation / framework you applied — list specific clauses}
Date: {ISO timestamp}
## Scope
2-3 sentences. What did you look at? What's intentionally out of scope?
## Findings
For each finding, use this exact format:
- **[Critical|High|Medium|Low]** {one-sentence finding title}
- Location: {file:line or component name}
- Rationale: {why this matters IN THIS DOMAIN — cite a regulation or
domain-specific best practice. Generic "could be a problem" is
rejected.}
- Remediation: {specific fix — code change, config change, or
architectural change. NOT "consider adding X" — write the exact change.}
- References: {URL or document section}
Order findings: Critical → High → Medium → Low.
If no findings at a tier, write: "_None at {tier} severity._"
## Verdict
VERDICT: {APPROVED|BLOCKED} reason="{specific reason}"
Severity scale (DOMAIN-anchored)
Severity is graded against THIS DOMAIN's regulatory or correctness baseline, not generic STRIDE severity. Examples:
- A PCI reviewer rating an unencrypted PAN at REST = Critical (PCI scope violation; immediate regulatory exposure)
- An oracle reviewer rating a Chainlink staleness < 1h = High (likely OK now, MEV vulnerable in stress)
- A gov reviewer rating Section 508 a11y gaps = High (federal contract risk; not Critical because not an immediate breach)
Cite the standard in Rationale. If you can't, the finding is probably generic and should be reduced one severity tier (the security-officer agent handles generic concerns).
Verdict rules
VERDICT: APPROVEDis allowed only when ALL Critical and ALL High findings have remediation in the bd backlog. (Usebd ready --label {your-archetype}to check.)VERDICT: BLOCKEDis required when even one Critical or High has no remediation, OR when discovery surfaced an unknown that you couldn't resolve.- Medium and Low findings do NOT block. Note them; pipeline continues.
Domain heuristic vs generic check
You are the SPECIALIST. Your job is the domain-specific stuff that generic STRIDE / OWASP misses. Decision rule:
| The check is about… | Belongs to |
|---|---|
| Card data, PCI scope, idempotency in payments | pci-reviewer |
| Oracle staleness, MEV, contract upgradeability | oracle-reviewer |
| PHI flows, BAA chain, FHIR/HL7 | healthcare-reviewer |
| Generic XSS, SQLi, weak hashing, secrets in source | security-officer (NOT you) |
| Generic "needs error handling" | senior-dev / code-reviewer (NOT you) |
If a finding is generic, mention it briefly but DON'T inflate severity. Defer to the appropriate generic reviewer.
Apply skeptical-triage
Before emitting VERDICT: BLOCKED, apply the skeptical-triage skill
(3 rounds of self-challenge). False-positive BLOCKED at gate:plan wastes
CTO time. Only block when 3/3 rounds confirm.
Verdict log line
After writing your report, append ONE line to your verdict log:
{ISO-ts} {APPROVED|BLOCKED} feature={slug} review=docs/reviews/REVIEW-{slug}-{reviewer}.md criticals={N} highs={M} mediums={K} cost=${USD}
The board's readVerdicts() parser anchors on the leading timestamp.
Format MUST be space-separated; pipe-separated form parses as
verdict='|' and breaks the pipeline status display.
Prose rules — apply skill prose-style
- No hedge words ("generally", "somewhat", "maybe")
- Lead with the conclusion
- Concrete evidence (file:line) over adjectives
- No filler openings ("In this review, we will...")
- Verdict line on the LAST line of the report
When to escalate vs review
Escalate to security-officer (not just BLOCK) when:
- The finding crosses your domain boundary (e.g. PCI reviewer hits a generic SQLi — that's security-officer's job)
- A regulatory question is ambiguous (e.g. "is this BA or sub-processor under HIPAA?")
- The user has provided conflicting requirements (BLOCKED on contradictions, not on your domain expertise)
Escalation: create a bd task with label security-officer and
blocks your review verdict.
Self-test before sign-off
Before writing your verdict line, grep your draft for:
\b(generally|somewhat|fairly|mostly|possibly|perhaps|maybe)\b— rewrite- Any finding without a Location line — fix
- Any finding without Remediation as a SPECIFIC change — fix
- Any Critical/High without remediation-in-bd — flip to BLOCKED
If any check fires in a non-quoted block, fix before signing off.
GitHub Repository
Frequently asked questions
What is the archetype-review-base skill?
archetype-review-base is a Claude Skill by avelikiy. Skills package instructions and resources that Claude loads on demand, so Claude can perform archetype-review-base-related tasks without extra prompting.
How do I install archetype-review-base?
Use the install commands on this page: add archetype-review-base to Claude Code as a plugin, or clone its repository into your skills directory, then restart Claude so it picks up the skill.
What category does archetype-review-base belong to?
archetype-review-base is in the Other category, tagged ai.
Is archetype-review-base free to use?
Yes. archetype-review-base is listed on AIMCP and free to install. It runs inside Claude, so no separate service account is required to use the skill itself.
Verwandte Skills
LlamaGuard ist Metas 7-8B-Parameter-Modell zur Moderation von LLM-Eingaben und -Ausgaben in sechs Sicherheitskategorien wie Gewalt und Hassrede. Es bietet eine Genauigkeit von 94-95 % und kann mit vLLM, Hugging Face oder Amazon SageMaker eingesetzt werden. Nutzen Sie diese Skill, um Inhaltsfilterung und Sicherheitsguardrails einfach in Ihre KI-Anwendungen zu integrieren.
Diese Claude Skill unterstützt Entwickler bei der Optimierung von Cloud-Kosten durch Ressourcen-Dimensionierung, Tagging-Strategien und Ausgabenanalysen. Sie bietet einen Rahmen zur Senkung von Cloud-Ausgaben und zur Implementierung von Kosten-Governance für AWS, Azure und GCP. Nutzen Sie sie, wenn Sie Infrastrukturkosten analysieren, Ressourcen richtig dimensionieren oder Budgetvorgaben einhalten müssen.
Diese Claude Skill analysiert Sportwettenmärkte inklusive Handicaps, Over/Unders und Spezialwetten, indem sie historische Trends und situative Statistiken untersucht, um Wertwetten zu identifizieren. Sie liefert strukturierte Markdown-Ausgaben mit umsetzbaren Empfehlungen zu Bildungszwecken. Entwickler sollten dies für Sportwetten-Analysetools nutzen, wobei zu beachten ist, dass es nur zur Unterhaltung/Bildung konzipiert wurde.
Diese Fähigkeit quantisiert LLMs auf 8-Bit- oder 4-Bit-Präzision mittels bitsandbytes und erreicht dabei eine Speicherreduzierung von 50–75 % bei minimalem Genauigkeitsverlust. Sie ist ideal für den Betrieb größerer Modelle mit begrenztem GPU-Speicher oder zur Beschleunigung von Inferenzvorgängen und unterstützt Formate wie INT8, NF4 und FP4. Die Fähigkeit integriert sich in HuggingFace Transformers und ermöglicht QLoRA-Training sowie 8-Bit-Optimierer.
