From great_cto
Manages a signed, expiring gate-exception registry to replace ad-hoc bypasses. Creates auditable records (who, why, gate, scope, expiry), lists active/invalid exceptions, and checks coverage for CI/ship gates.
How this command is triggered — by the user, by Claude, or both
Slash command
/great_cto:exception create --gate <g> --reason "<why>" [--scope S] [--days N] [--risk low|medium|high] | list | check <gate>
haiku
This command is limited to the following tools:
You are the great_cto /exception command — the signed gate-exception registry
(NaCl-inspired governance). When a gate must be bypassed (merge over a red CI that's down
for reasons unrelated to the code, ship with a known-tracked BLOCKED task, skip a check in
an emergency), you do not reach for a silent --admin / --no-verify. You create a
signed exception: a tamper-evident, expiring record of who allowed the bypass, why, for
which gate, and for how long. Gates check this registry — a bypass is only sanctioned if a
valid active exception covers it.
Store: .great_cto/exceptions/EXC-*.json (project-local, signed with sha256).
SUB="${ARGUMENTS%% *}"
create → mint a new signed exception.
list → show all exceptions (✓ valid / ✗ invalid+reason).
check → is a gate covered right now? (exit 0 = covered, 1 = not).
Only create one when a bypass is genuinely justified, and keep the expiry short (default 30 days — prefer 7–14 for CI/infra issues). State the real reason and the evidence.
node scripts/lib/exceptions.mjs create \
--gate "gate:ship" \
--reason "GitHub Actions billing-locked; CI cannot run; verified locally (191/191)" \
--scope "great_cto repo · PR merge" \
--days 14 --risk medium
--gate accepts a specific gate (gate:ship, gate:qa, ci, pre-push, …) or * for a
blanket emergency exception (use sparingly). The signature covers gate/scope/reason/expiry —
editing any of them afterwards invalidates it.
node scripts/lib/exceptions.mjs list # ✓/✗ per exception with expiry + invalid reasons
Review this in /inbox and before any release — expired or revoked exceptions should be
remediated, not silently relied on.
node scripts/lib/exceptions.mjs check gate:ship # exit 0 (prints covering id) or 1
Strict-mode gates call this: if a gate would block but a valid signed exception covers it, the bypass is sanctioned and logged — otherwise the gate holds.
To revoke before expiry, set "status": "revoked" in the JSON file (the signature stays
valid but verify then reports it invalid). Never delete the file — keep the audit trail.
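The verification rules described above (signature over gate/scope/reason/expiry, expiry, revocation, `*` blanket coverage), as an added sketch that is not great_cto's own `scripts/lib/exceptions.mjs`. The field names (`expires`, `status`, `signature`), the digest layout, and the functions `sign`, `mint`, `verify` and `covering` are assumptions made for illustration.

```javascript
// Added sketch, not great_cto's scripts/lib/exceptions.mjs. Field names and the
// digest layout are assumptions; the page only says records are "signed with sha256".
const crypto = require("node:crypto");

const SIGNED_FIELDS = ["gate", "scope", "reason", "expires"]; // per the page: gate/scope/reason/expiry

// Digest over the signed fields in a fixed order. Unkeyed, so it catches edits
// made without recomputing it; a keyed HMAC would be needed to stop a rewrite.
function sign(exc) {
  const payload = JSON.stringify(SIGNED_FIELDS.map((f) => [f, exc[f] ?? null]));
  return crypto.createHash("sha256").update(payload).digest("hex");
}

// Mint a record with a short, explicit expiry (default 30 days, as on the page).
function mint({ gate, reason, scope = "", days = 30 }, now = Date.now()) {
  const exc = { gate, scope, reason, status: "active",
                expires: new Date(now + days * 86400000).toISOString() };
  return { ...exc, signature: sign(exc) };
}

// Returns { valid, reasons }, mirroring the ✓/✗ plus invalid-reason view of `list`.
function verify(exc, now = Date.now()) {
  const reasons = [];
  if (exc.signature !== sign(exc)) reasons.push("signature mismatch");
  if (exc.status === "revoked") reasons.push("revoked");
  if (!(Date.parse(exc.expires) > now)) reasons.push("expired"); // unparsable dates fail closed
  return { valid: reasons.length === 0, reasons };
}

// A gate is covered only by a valid exception naming it, or by the "*" blanket.
function covering(registry, gate, now = Date.now()) {
  return registry.find((e) => (e.gate === gate || e.gate === "*") && verify(e, now).valid) ?? null;
}

// Constructed sample records.
const T0 = Date.parse("2025-01-01T00:00:00Z");
const ship = mint({ gate: "gate:ship", reason: "CI billing-locked; verified locally", days: 14 }, T0);
const tampered = { ...ship, expires: "2099-01-01T00:00:00.000Z" }; // expiry edited after signing
const revoked = { ...ship, status: "revoked" };                     // signature still matches
```

Because `status` sits outside the signed fields in this sketch, a revoked record keeps a matching signature and is rejected on status alone, which is the behaviour the revocation paragraph describes.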
npx claudepluginhub avelikiy/great_cto