great-cto 2.14.0 → 2.16.0

package/dist/bootstrap.js

@@ -3,6 +3,7 @@
 import { existsSync, mkdirSync, writeFileSync, readFileSync } from "node:fs";
 import { join } from "node:path";
 import { dim, success, warn } from "./ui.js";
+import { suggestJurisdictions } from "./jurisdictions.js";
 export function bootstrap(dir, detection, archetype, compliance, detectionMeta) {
     const greatCtoDir = join(dir, ".great_cto");
     const projectMd = join(greatCtoDir, "PROJECT.md");
@@ -14,6 +15,10 @@ export function bootstrap(dir, detection, archetype, compliance, detectionMeta)
     const title = inferProjectTitle(dir);
     const stackLine = detection.stack.length > 0 ? detection.stack.join(", ") : "to be defined";
     const complianceLine = compliance.length > 0 ? compliance.join(", ") : "none";
+    const jurisdictionMatches = suggestJurisdictions(detection);
+    const jurisdictionLine = jurisdictionMatches.length > 0
+        ? jurisdictionMatches.map((m) => m.jurisdiction).join(", ")
+        : "unknown";
     const teamSize = 1; // MVP default — user edits later
     const approvalLevel = "gates-only"; // default per README
     const content = `# ${title}
@@ -55,9 +60,12 @@ approval-level: ${approvalLevel}
 ## Compliance
 
 compliance: [${complianceLine}]
+jurisdiction: [${jurisdictionLine}]
 
 > \`compliance:\` list drives which checklists security-officer runs.
-> See ARCHETYPES.md "Parameter Values" for supported keys.
+> \`jurisdiction:\` is auto-detected from README geo/legal signals — edit if wrong.
+> Supported codes: eu · us · us-ca · uk · in · br · au · sg
+> See docs/jurisdiction-compliance.md for what each code activates.
 
 ## Leash
 

package/dist/detect.js

@@ -1163,6 +1163,56 @@ function mineReadmeKeywords(dir) {
         if (text.includes(term))
             kws.add(term);
     }
+    // Jurisdiction geo/legal terms — emitted verbatim so jurisdictions.ts
+    // can exact-match them. Keep in sync with JURISDICTION_SIGNALS in jurisdictions.ts.
+    const jurisdictionTerms = [
+        // EU
+        "gdpr", "dsgvo", "rgpd", "data protection officer", "dpo",
+        "right to erasure", "right to be forgotten", "data subject request",
+        "article 6", "article 9", "legitimate interest", "lawful basis",
+        "privacy by design", "privacy notice", "cookie consent",
+        "eu ai act", "eu users", "eu customers", "european union",
+        "eu data residency", "eu-west", "eu-central",
+        "nis2", "dora ict risk", "dora compliance",
+        "german users", "french users", "dutch users", "austrian",
+        "italian users", "spanish users", "polish users",
+        // US
+        "ftc", "ftc act", "us users", "us customers", "united states",
+        "american users", "coppa", "hipaa", "us privacy law",
+        "virginia cdpa", "texas tdpsa", "florida fdbr",
+        "colorado cpa", "connecticut ctdpa", "us state privacy",
+        // US-CA
+        "ccpa", "cpra", "california consumer privacy",
+        "california privacy rights", "cppa", "california residents",
+        "california users", "do not sell", "opt-out of sale",
+        "data subject rights california", "dsr california",
+        // UK
+        "uk gdpr", "information commissioner", "dpa 2018",
+        "uk users", "uk customers", "united kingdom", "british users",
+        "fca consumer duty", "uk ai regulation",
+        // IN
+        "dpdpa", "digital personal data protection", "india data",
+        "india users", "indian users", "bharat", "meity",
+        "rbi data localisation", "rbi circular", "npci", "sebi",
+        "india data residency",
+        // BR
+        "lgpd", "lei 13709", "anpd", "brazil users", "brazil customers",
+        "brazilian users", "brasil", "data encarregado", "dpo brazil",
+        "lgpd compliance",
+        // AU
+        "privacy act 1988", "australian privacy principles", "app principles",
+        "oaic", "australia users", "australian users",
+        "consumer data right", "notifiable data breach", "ndb scheme",
+        "australia data residency",
+        // SG
+        "pdpa", "pdpc", "singapore users", "singaporean users",
+        "mas guidelines", "mas tpm", "singpass", "myinfo",
+        "singapore data residency",
+    ];
+    for (const term of jurisdictionTerms) {
+        if (text.includes(term))
+            kws.add(term);
+    }
     return Array.from(kws).sort();
 }
 function safeGlob(dir, pattern, kind = "file") {

package/dist/jurisdictions.js

@@ -0,0 +1,156 @@
+// Jurisdiction detection — auto-detect applicable compliance frameworks
+// from project geography signals (README keywords, infra region hints).
+//
+// Three-axis detection model:
+//   archetype  → what you build  (ai-system, healthcare, fintech…)
+//   pack       → what you use    (digital-health-pack, lending-pack…)
+//   jurisdiction → where you operate  (eu, us-ca, in, br, uk, au, sg)
+//
+// Jurisdiction overlays add specialist reviewer agents and human gates
+// ON TOP OF archetype + pack pipelines.
+// ── Compliance map ────────────────────────────────────────────────────────
+const JURISDICTION_REVIEWERS = {
+    "eu": ["gdpr-reviewer"],
+    "us": ["us-privacy-reviewer"],
+    "us-ca": ["us-privacy-reviewer"],
+    "uk": ["gdpr-reviewer"], // UK GDPR closely mirrors EU GDPR
+    "in": ["dpdpa-reviewer"],
+    "br": ["gdpr-reviewer"], // LGPD mirrors GDPR — same reviewer covers
+    "au": ["us-privacy-reviewer"], // Privacy Act 1988 — covered by privacy reviewer
+    "sg": ["us-privacy-reviewer"], // PDPA — covered by privacy reviewer
+};
+const JURISDICTION_GATES = {
+    "eu": ["gate:gdpr-dpia", "gate:eu-ai-act-classification"],
+    "us": ["gate:us-state-privacy-matrix"],
+    "us-ca": ["gate:ccpa-dsrp", "gate:us-state-privacy-matrix"],
+    "uk": ["gate:uk-gdpr-dpia"],
+    "in": ["gate:dpdpa-consent-framework"],
+    "br": ["gate:lgpd-dpia"],
+    "au": ["gate:au-privacy-act-assessment"],
+    "sg": ["gate:pdpa-dpo"],
+};
+const JURISDICTION_LAWS = {
+    "eu": ["GDPR (EU) 2016/679", "EU AI Act 2024/1689", "NIS2 Directive 2022/2555", "ePrivacy Directive"],
+    "us": ["FTC Act § 5", "COPPA (if under-13)", "US state privacy laws (VA CDPA · TX TDPSA · FL FDBR · CO CPA · CT CTDPA)"],
+    "us-ca": ["CCPA / CPRA", "California AG enforcement", "CPPA rulemaking"],
+    "uk": ["UK GDPR", "DPA 2018", "ICO guidance", "FCA Consumer Duty (if fintech)"],
+    "in": ["DPDPA 2023 (Digital Personal Data Protection Act)", "IT Act 2000 § 43A", "SPDI Rules 2011", "RBI data localisation (if fintech)"],
+    "br": ["LGPD (Lei 13.709/2018)", "ANPD resolutions", "Marco Civil da Internet"],
+    "au": ["Privacy Act 1988 (Cth)", "Australian Privacy Principles (APPs)", "CDR (if fintech)", "OAIC enforcement"],
+    "sg": ["PDPA 2012 (amended 2021)", "MAS TRM Guidelines (if fintech)", "PDPC Advisory Guidelines"],
+};
+// ── Signal dictionary ─────────────────────────────────────────────────────
+export const JURISDICTION_SIGNALS = {
+    "eu": {
+        keywords: [
+            // Legal / regulatory terms
+            "gdpr", "dsgvo", "rgpd", "data protection officer", "dpo",
+            "right to erasure", "right to be forgotten", "data subject request",
+            "article 6", "article 9", "legitimate interest", "lawful basis",
+            "privacy by design", "privacy notice", "cookie consent",
+            "eu ai act", "eu users", "eu customers", "european union",
+            "eu data residency", "eu-west", "eu-central",
+            // NIS2 / DORA
+            "nis2", "dora ict risk", "dora compliance",
+            // Locales / markets
+            "german users", "french users", "dutch users", "austrian",
+            "italian users", "spanish users", "polish users",
+        ],
+    },
+    "us": {
+        keywords: [
+            "ftc", "ftc act", "us users", "us customers", "united states",
+            "american users", "coppa", "hipaa",
+            "virginia cdpa", "texas tdpsa", "florida fdbr", "colorado cpa",
+            "connecticut ctdpa", "us state privacy", "us privacy law",
+        ],
+    },
+    "us-ca": {
+        keywords: [
+            "ccpa", "cpra", "california consumer privacy",
+            "california privacy rights", "cppa", "california residents",
+            "california users", "do not sell", "opt-out of sale",
+            "data subject rights california", "dsr california",
+        ],
+    },
+    "uk": {
+        keywords: [
+            "uk gdpr", "information commissioner", "dpa 2018",
+            "uk users", "uk customers", "united kingdom", "british users",
+            "fca consumer duty", "uk ai regulation",
+        ],
+    },
+    "in": {
+        keywords: [
+            // Data protection
+            "dpdpa", "digital personal data protection", "india data",
+            "india users", "indian users", "bharat", "meity",
+            // Fintech / telecom
+            "rbi data localisation", "rbi circular", "npci", "sebi",
+            "india data residency",
+        ],
+    },
+    "br": {
+        keywords: [
+            "lgpd", "lei 13709", "anpd", "brazil users", "brazil customers",
+            "brazilian users", "brasil", "data encarregado", "dpo brazil",
+            "lgpd compliance",
+        ],
+    },
+    "au": {
+        keywords: [
+            "privacy act 1988", "australian privacy principles", "app principles",
+            "oaic", "australia users", "australian users",
+            "consumer data right", "notifiable data breach", "ndb scheme",
+            "australia data residency",
+        ],
+    },
+    "sg": {
+        keywords: [
+            "pdpa", "pdpc", "singapore users", "singaporean users",
+            "mas guidelines", "mas tpm", "singpass", "myinfo",
+            "singapore data residency",
+        ],
+    },
+};
+// ── Public API ─────────────────────────────────────────────────────────────
+/** Return jurisdictions whose signals match the detection result. */
+export function suggestJurisdictions(d) {
+    const matches = [];
+    const kwLower = d.readmeKeywords.map((k) => k.toLowerCase());
+    for (const code of Object.keys(JURISDICTION_SIGNALS)) {
+        const { keywords } = JURISDICTION_SIGNALS[code];
+        const matchedKeywords = keywords.filter((kw) => kwLower.includes(kw));
+        if (matchedKeywords.length === 0)
+            continue;
+        matches.push({
+            jurisdiction: code,
+            reviewers: JURISDICTION_REVIEWERS[code],
+            signals: matchedKeywords.slice(0, 8),
+            humanGates: JURISDICTION_GATES[code],
+            laws: JURISDICTION_LAWS[code],
+        });
+    }
+    matches.sort((a, b) => a.jurisdiction.localeCompare(b.jurisdiction));
+    return matches;
+}
+/** Flatten matched jurisdictions to unique sorted reviewer names. */
+export function suggestJurisdictionReviewers(d) {
+    const all = new Set();
+    for (const m of suggestJurisdictions(d))
+        for (const r of m.reviewers)
+            all.add(r);
+    return Array.from(all).sort();
+}
+/** Flatten matched jurisdictions to unique sorted gate ids. */
+export function suggestJurisdictionGates(d) {
+    const all = new Set();
+    for (const m of suggestJurisdictions(d))
+        for (const g of m.humanGates)
+            all.add(g);
+    return Array.from(all).sort();
+}
+/** Registry of all known jurisdiction codes — useful for /doctor. */
+export function listJurisdictions() {
+    return Object.keys(JURISDICTION_SIGNALS).sort();
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "great-cto",
-  "version": "2.14.0",
+  "version": "2.16.0",
   "description": "One command install for the great_cto Claude Code plugin. Auto-detects your stack, picks the right archetype, bootstraps PROJECT.md.",
   "keywords": [
     "claude-code",