great-cto 2.12.1 → 2.15.0

package/dist/adapt.js

@@ -94,6 +94,7 @@ using it for pattern-matched work silently skips specialist review.
 | API contract: OpenAPI, GraphQL schema, webhook signatures | \`api-platform-reviewer\` |
 | Voice/IVR/telephony, Twilio, recording-consent, TCPA | \`voice-ai-reviewer\` |
 | Clinical / SaMD / FDA / FHIR / PHI | \`ai-clinical-reviewer\`, \`fda-reviewer\` |
+| Wearable telemetry, HealthKit, Health Connect, Garmin, Samsung Health, fitness AI, mental health AI, nutrition AI, supplement AI, physician HITL | \`digital-health-reviewer\` |
 | Lending, ECOA, FCRA, NMLS, adverse action | \`lending-credit-reviewer\` |
 | HR-AI, hiring, AEDT, resume screening | \`hr-ai-reviewer\` |
 | Infra-as-code: Terraform / Helm / CDK / Pulumi | \`infra-reviewer\` |

package/dist/bootstrap.js

@@ -3,6 +3,7 @@
 import { existsSync, mkdirSync, writeFileSync, readFileSync } from "node:fs";
 import { join } from "node:path";
 import { dim, success, warn } from "./ui.js";
+import { suggestJurisdictions } from "./jurisdictions.js";
 export function bootstrap(dir, detection, archetype, compliance, detectionMeta) {
     const greatCtoDir = join(dir, ".great_cto");
     const projectMd = join(greatCtoDir, "PROJECT.md");
@@ -14,6 +15,10 @@ export function bootstrap(dir, detection, archetype, compliance, detectionMeta)
     const title = inferProjectTitle(dir);
     const stackLine = detection.stack.length > 0 ? detection.stack.join(", ") : "to be defined";
     const complianceLine = compliance.length > 0 ? compliance.join(", ") : "none";
+    const jurisdictionMatches = suggestJurisdictions(detection);
+    const jurisdictionLine = jurisdictionMatches.length > 0
+        ? jurisdictionMatches.map((m) => m.jurisdiction).join(", ")
+        : "unknown";
     const teamSize = 1; // MVP default — user edits later
     const approvalLevel = "gates-only"; // default per README
     const content = `# ${title}
@@ -55,9 +60,12 @@ approval-level: ${approvalLevel}
 ## Compliance
 
 compliance: [${complianceLine}]
+jurisdiction: [${jurisdictionLine}]
 
 > \`compliance:\` list drives which checklists security-officer runs.
-> See ARCHETYPES.md "Parameter Values" for supported keys.
+> \`jurisdiction:\` is auto-detected from README geo/legal signals — edit if wrong.
+> Supported codes: eu · us · us-ca · uk · in · br · au · sg
+> See docs/jurisdiction-compliance.md for what each code activates.
 
 ## Leash
 

package/dist/detect.js

@@ -1163,6 +1163,55 @@ function mineReadmeKeywords(dir) {
         if (text.includes(term))
             kws.add(term);
     }
+    // Jurisdiction geo/legal terms — emitted verbatim so jurisdictions.ts
+    // can exact-match them. Keep in sync with JURISDICTION_SIGNALS in jurisdictions.ts.
+    const jurisdictionTerms = [
+        // EU
+        "gdpr", "dsgvo", "rgpd", "data protection officer", "dpo",
+        "right to erasure", "right to be forgotten", "data subject request",
+        "article 6", "article 9", "legitimate interest", "lawful basis",
+        "privacy by design", "privacy notice", "cookie consent",
+        "eu ai act", "eu users", "eu customers", "european union",
+        "eu data residency", "eu-west", "eu-central",
+        "nis2", "dora ict risk", "dora compliance",
+        "german users", "french users", "dutch users", "austrian",
+        "italian users", "spanish users", "polish users",
+        // US
+        "ftc", "ftc act", "us users", "us customers", "united states",
+        "american users", "coppa", "hipaa", "us privacy law",
+        "virginia cdpa", "texas tdpsa", "florida fdbr",
+        "colorado cpa", "connecticut ctdpa", "us state privacy",
+        // US-CA
+        "ccpa", "cpra", "california consumer privacy",
+        "california privacy rights", "cppa", "california residents",
+        "california users", "do not sell", "opt-out of sale",
+        // UK
+        "uk gdpr", "information commissioner", "dpa 2018",
+        "uk users", "uk customers", "united kingdom", "british users",
+        "fca consumer duty", "uk ai regulation",
+        // IN
+        "dpdpa", "digital personal data protection", "india data",
+        "india users", "indian users", "bharat", "meity",
+        "rbi data localisation", "rbi circular", "npci", "sebi",
+        "india data residency",
+        // BR
+        "lgpd", "lei 13709", "anpd", "brazil users", "brazil customers",
+        "brazilian users", "brasil", "data encarregado", "dpo brazil",
+        "lgpd compliance",
+        // AU
+        "privacy act 1988", "australian privacy principles", "app principles",
+        "oaic", "australia users", "australian users",
+        "consumer data right", "notifiable data breach", "ndb scheme",
+        "australia data residency",
+        // SG
+        "pdpa", "pdpc", "singapore users", "singaporean users",
+        "mas guidelines", "mas tpm", "singpass", "myinfo",
+        "singapore data residency",
+    ];
+    for (const term of jurisdictionTerms) {
+        if (text.includes(term))
+            kws.add(term);
+    }
     return Array.from(kws).sort();
 }
 function safeGlob(dir, pattern, kind = "file") {

package/dist/jurisdictions.js

@@ -0,0 +1,156 @@
+// Jurisdiction detection — auto-detect applicable compliance frameworks
+// from project geography signals (README keywords, infra region hints).
+//
+// Three-axis detection model:
+//   archetype  → what you build  (ai-system, healthcare, fintech…)
+//   pack       → what you use    (digital-health-pack, lending-pack…)
+//   jurisdiction → where you operate  (eu, us-ca, in, br, uk, au, sg)
+//
+// Jurisdiction overlays add specialist reviewer agents and human gates
+// ON TOP OF archetype + pack pipelines.
+// ── Compliance map ────────────────────────────────────────────────────────
+const JURISDICTION_REVIEWERS = {
+    "eu": ["gdpr-reviewer"],
+    "us": ["us-privacy-reviewer"],
+    "us-ca": ["us-privacy-reviewer"],
+    "uk": ["gdpr-reviewer"], // UK GDPR closely mirrors EU GDPR
+    "in": ["dpdpa-reviewer"],
+    "br": ["gdpr-reviewer"], // LGPD mirrors GDPR — same reviewer covers
+    "au": ["us-privacy-reviewer"], // Privacy Act 1988 — covered by privacy reviewer
+    "sg": ["us-privacy-reviewer"], // PDPA — covered by privacy reviewer
+};
+const JURISDICTION_GATES = {
+    "eu": ["gate:gdpr-dpia", "gate:eu-ai-act-classification"],
+    "us": ["gate:us-state-privacy-matrix"],
+    "us-ca": ["gate:ccpa-dsrp", "gate:us-state-privacy-matrix"],
+    "uk": ["gate:uk-gdpr-dpia"],
+    "in": ["gate:dpdpa-consent-framework"],
+    "br": ["gate:lgpd-dpia"],
+    "au": ["gate:au-privacy-act-assessment"],
+    "sg": ["gate:pdpa-dpo"],
+};
+const JURISDICTION_LAWS = {
+    "eu": ["GDPR (EU) 2016/679", "EU AI Act 2024/1689", "NIS2 Directive 2022/2555", "ePrivacy Directive"],
+    "us": ["FTC Act § 5", "COPPA (if under-13)", "US state privacy laws (VA CDPA · TX TDPSA · FL FDBR · CO CPA · CT CTDPA)"],
+    "us-ca": ["CCPA / CPRA", "California AG enforcement", "CPPA rulemaking"],
+    "uk": ["UK GDPR", "DPA 2018", "ICO guidance", "FCA Consumer Duty (if fintech)"],
+    "in": ["DPDPA 2023 (Digital Personal Data Protection Act)", "IT Act 2000 § 43A", "SPDI Rules 2011", "RBI data localisation (if fintech)"],
+    "br": ["LGPD (Lei 13.709/2018)", "ANPD resolutions", "Marco Civil da Internet"],
+    "au": ["Privacy Act 1988 (Cth)", "Australian Privacy Principles (APPs)", "CDR (if fintech)", "OAIC enforcement"],
+    "sg": ["PDPA 2012 (amended 2021)", "MAS TRM Guidelines (if fintech)", "PDPC Advisory Guidelines"],
+};
+// ── Signal dictionary ─────────────────────────────────────────────────────
+export const JURISDICTION_SIGNALS = {
+    "eu": {
+        keywords: [
+            // Legal / regulatory terms
+            "gdpr", "dsgvo", "rgpd", "data protection officer",
+            "right to erasure", "right to be forgotten", "data subject request",
+            "article 6", "article 9", "legitimate interest", "lawful basis",
+            "privacy by design", "privacy notice", "cookie consent",
+            "eu ai act", "eu users", "eu customers", "european union",
+            "eu data residency", "eu-west", "eu-central",
+            // NIS2 / DORA
+            "nis2", "dora ict risk", "dora compliance",
+            // Locales / markets
+            "german users", "french users", "dutch users", "austrian",
+            "italian users", "spanish users", "polish users",
+        ],
+    },
+    "us": {
+        keywords: [
+            "ftc", "ftc act", "us users", "us customers", "united states",
+            "american users", "coppa", "hipaa",
+            "virginia cdpa", "texas tdpsa", "florida fdbr", "colorado cpa",
+            "connecticut ctdpa", "us state privacy", "us privacy law",
+        ],
+    },
+    "us-ca": {
+        keywords: [
+            "ccpa", "cpra", "california consumer privacy",
+            "california privacy rights", "cppa", "california residents",
+            "california users", "do not sell", "opt-out of sale",
+            "data subject rights california", "dsr california",
+        ],
+    },
+    "uk": {
+        keywords: [
+            "uk gdpr", "information commissioner", "dpa 2018",
+            "uk users", "uk customers", "united kingdom", "british users",
+            "fca consumer duty", "uk ai regulation",
+        ],
+    },
+    "in": {
+        keywords: [
+            // Data protection
+            "dpdpa", "digital personal data protection", "india data",
+            "india users", "indian users", "bharat", "meity",
+            // Fintech / telecom
+            "rbi data localisation", "rbi circular", "npci", "sebi",
+            "india data residency",
+        ],
+    },
+    "br": {
+        keywords: [
+            "lgpd", "lei 13709", "anpd", "brazil users", "brazil customers",
+            "brazilian users", "brasil", "data encarregado", "dpo brazil",
+            "lgpd compliance",
+        ],
+    },
+    "au": {
+        keywords: [
+            "privacy act 1988", "australian privacy principles", "app principles",
+            "oaic", "australia users", "australian users",
+            "consumer data right", "notifiable data breach", "ndb scheme",
+            "australia data residency",
+        ],
+    },
+    "sg": {
+        keywords: [
+            "pdpa", "pdpc", "singapore users", "singaporean users",
+            "mas guidelines", "mas tpm", "singpass", "myinfo",
+            "singapore data residency",
+        ],
+    },
+};
+// ── Public API ─────────────────────────────────────────────────────────────
+/** Return jurisdictions whose signals match the detection result. */
+export function suggestJurisdictions(d) {
+    const matches = [];
+    const kwLower = d.readmeKeywords.map((k) => k.toLowerCase());
+    for (const code of Object.keys(JURISDICTION_SIGNALS)) {
+        const { keywords } = JURISDICTION_SIGNALS[code];
+        const matchedKeywords = keywords.filter((kw) => kwLower.includes(kw));
+        if (matchedKeywords.length === 0)
+            continue;
+        matches.push({
+            jurisdiction: code,
+            reviewers: JURISDICTION_REVIEWERS[code],
+            signals: matchedKeywords.slice(0, 8),
+            humanGates: JURISDICTION_GATES[code],
+            laws: JURISDICTION_LAWS[code],
+        });
+    }
+    matches.sort((a, b) => a.jurisdiction.localeCompare(b.jurisdiction));
+    return matches;
+}
+/** Flatten matched jurisdictions to unique sorted reviewer names. */
+export function suggestJurisdictionReviewers(d) {
+    const all = new Set();
+    for (const m of suggestJurisdictions(d))
+        for (const r of m.reviewers)
+            all.add(r);
+    return Array.from(all).sort();
+}
+/** Flatten matched jurisdictions to unique sorted gate ids. */
+export function suggestJurisdictionGates(d) {
+    const all = new Set();
+    for (const m of suggestJurisdictions(d))
+        for (const g of m.humanGates)
+            all.add(g);
+    return Array.from(all).sort();
+}
+/** Registry of all known jurisdiction codes — useful for /doctor. */
+export function listJurisdictions() {
+    return Object.keys(JURISDICTION_SIGNALS).sort();
+}

package/dist/packs.js

@@ -1,6 +1,7 @@
 // Domain pack detection — overlay packs that ride on top of base archetypes.
 // Wave 1-3 (2026-05): voice, clinical, hr-ai, api-platform, lending, clinical-trials,
 // robotics, em-fintech, climate, drug-discovery.
+// Wave 4 (2026-05): digital-health (wearable, mental-health, nutrition AI, physician HITL).
 //
 // A pack is a regulatory/domain overlay that triggers one or more specialist
 // reviewers (agents/{name}-reviewer.md) when its signals appear in stack,
@@ -19,6 +20,7 @@ const PACK_REVIEWERS = {
     "em-fintech-pack": ["emerging-markets-fintech-reviewer"],
     "climate-pack": ["climate-mrv-reviewer", "biosecurity-reviewer"],
     "drug-discovery-pack": ["drug-discovery-ml-reviewer", "glp-glab-reviewer", "lab-automation-reviewer"],
+    "digital-health-pack": ["digital-health-reviewer", "ai-clinical-reviewer", "healthcare-reviewer"],
 };
 const PACK_GATES = {
     "voice-pack": ["gate:voice-compliance"],
@@ -31,6 +33,7 @@ const PACK_GATES = {
     "em-fintech-pack": ["gate:license-strategy"],
     "climate-pack": ["gate:mrv-methodology", "gate:durc-signoff", "gate:open-weights-release"],
     "drug-discovery-pack": ["gate:model-card-signoff", "gate:csv-validation", "gate:iq-oq-pq"],
+    "digital-health-pack": ["gate:wellness-vs-samd", "gate:hitl-design", "gate:wearable-api-access", "gate:supplement-safety", "gate:mental-health-protocol"],
 };
 // Trigger signals — stack tokens OR README keywords.
 const SIGNALS = {
@@ -84,6 +87,25 @@ const SIGNALS = {
             "glp", "gmp", "gxp", "preclinical", "lims", "eln", "annex 11", "alcoa",
             "lab automation", "cloud lab", "robotic biology", "liquid handler", "hamilton", "tecan", "beckman", "opentrons", "plate reader", "sequencer", "hplc", "mass spec", "sila"],
     },
+    "digital-health-pack": {
+        stack: ["healthkit", "health-connect", "garmin-connect-iq", "samsung-health", "fitbit", "polar", "withings", "oura", "whoop"],
+        keywords: [
+            // wearable / biometric
+            "wearable", "apple watch", "apple health", "healthkit", "health connect", "garmin", "samsung health",
+            "google fit", "fitbit", "heart rate", "hrv", "heart rate variability", "spo2", "sleep tracking",
+            "sleep stages", "biometric sensor", "stress score", "activity tracking", "ecg wearable",
+            // mental health / wellness AI
+            "mental health", "mental wellness", "wellbeing", "mindfulness ai", "stress detection",
+            "burnout detection", "mood tracking", "anxiety ai", "depression ai", "phq-9", "gad-7",
+            "digital therapeutics", "dtx", "cbt app", "dbt app", "therapy ai",
+            // fitness / nutrition AI
+            "personalised training", "personalized training", "fitness ai", "nutrition ai",
+            "supplement recommendation", "supplement ai", "diet ai", "meal plan ai", "macro ai",
+            // HITL clinical
+            "physician review", "physician hitl", "doctor in the loop", "clinical review workflow",
+            "remote patient monitoring", "rpm", "teleconsultation",
+        ],
+    },
 };
 /** Return packs whose signals match the detection result. Deterministic + sorted. */
 export function suggestPacks(d) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "great-cto",
-  "version": "2.12.1",
+  "version": "2.15.0",
   "description": "One command install for the great_cto Claude Code plugin. Auto-detects your stack, picks the right archetype, bootstraps PROJECT.md.",
   "keywords": [
     "claude-code",