if there's a problem,
say it's serious.
Permanent critical mindset injected into every Claude Code session. Real bugs. Questionable decisions. Ordered by impact.
Same code. Different lens.
Without critique, problems get buried in reassurance.
userId comes from request body without validation — attacker controls it. Read from session token instead.
processOrder does DB write + email in same function — partial failure leaves inconsistent state. Wrap in transaction or split.
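The first finding above as a runnable sketch, added here as an illustration and not taken from the plugin or from the code it reviewed: one handler trusts userId from the request body, the other resolves identity from the session token. The function names, the in-memory session store, the token strings and the order data are all constructed assumptions.

```javascript
// Constructed server-side session store: opaque token -> authenticated user.
const sessions = new Map([
  ["tok-alice-constructed", { userId: "alice" }],
  ["tok-bob-constructed", { userId: "bob" }],
]);

// Constructed order table.
const orders = [
  { id: 1, userId: "alice", item: "keyboard" },
  { id: 2, userId: "bob", item: "monitor" },
];

// Flagged pattern: the caller chooses whose orders are returned.
function listOrdersVulnerable(req) {
  const { userId } = req.body; // client-controlled, never checked
  return { status: 200, orders: orders.filter((o) => o.userId === userId) };
}

// Hardened: identity is resolved from the session token only.
function listOrdersHardened(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const match = /^Bearer (\S+)$/.exec(header);
  const session = match ? sessions.get(match[1]) : undefined;
  if (!session) return { status: 401, orders: [] };
  // Any userId in the body is ignored; a mismatch is worth logging.
  const claimed = req.body && req.body.userId;
  const mismatch = claimed !== undefined && claimed !== session.userId;
  return {
    status: 200,
    mismatch,
    orders: orders.filter((o) => o.userId === session.userId),
  };
}

// Constructed request: bob's session, body claims to be alice.
const spoofed = {
  headers: { authorization: "Bearer tok-bob-constructed" },
  body: { userId: "alice" },
};
```

The mismatch flag gives detection something to key on: a body userId that disagrees with the session is either a client bug or a probe.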
Four rules, no exceptions
Active on every response. Code, review, plan, architecture, decisions.
Real problems
Bugs, security flaws, unexpected behaviors, unhandled edge cases. Only what actually breaks or causes damage.
Questionable decisions
Architecture choices that will cause pain later — explained with why and a better alternative.
What's good
Mentioned only if non-obvious and worth reinforcing. No praising the obvious.
Priority
Findings ordered by real impact, not ease of fix. Highest consequence-if-ignored first.
Two modes
Namespaced under critique:
Activates the critical mindset explicitly. A SessionStart hook injects it automatically — this is the manual trigger and confirmation. Once active, applies to all work until explicitly disabled.
Five-phase protocol before any implementation: pre-flight → security audit → implementation audit → structured output → STOP. Blocks ambiguous scope. Never assumes — always asks.
Get started
Two options. Both take under a minute.
Option 1 — extraKnownMarketplaces
{
  "extraKnownMarketplaces": {
    "critique": {
      "source": {
        "source": "github",
        "repo": "Alfafis/critique"
      }
    }
  }
}
/plugin install critique@critique
Option 2 — community marketplace
/plugin install critique@claude-community
Pending community marketplace review — available soon.