great-cto 2.19.0 → 2.21.0

package/dist/archetypes.js

@@ -1068,13 +1068,52 @@ export function pickArchetype(d) {
                 break;
         }
     }
+    // ── Pack hints for low/medium confidence or niche stacks ────────────────
+    // Surfaces domain-specific packs that the archetype alone doesn't capture.
+    const suggestedPacks = confidence !== "high"
+        ? inferPackHints(d)
+        : inferPackHints(d).filter((p) => isNichePack(p)); // always surface niche packs
     return {
         primary: top.archetype,
         confidence,
         rationale: top.reason,
         alternatives,
+        ...(suggestedPacks.length > 0 ? { suggestedPacks } : {}),
     };
 }
+/** Niche packs that should surface even at high confidence */
+function isNichePack(pack) {
+    return ["robotics-pack", "climate-pack", "drug-discovery-pack",
+        "clinical-trials-pack", "em-fintech-pack"].includes(pack);
+}
+/**
+ * Infer likely domain packs from README/infra keywords when the archetype
+ * scorer doesn't have a dedicated high-confidence rule for the domain.
+ */
+function inferPackHints(d) {
+    const hints = [];
+    const kws = new Set([...d.readmeKeywords, ...(d.infraKeywords ?? [])]);
+    const has = (...terms) => terms.some((t) => kws.has(t));
+    if (has("robot", "ros2", "ros 2", "cobot", "drone", "uav"))
+        hints.push("robotics-pack");
+    if (has("carbon", "ghg", "mrv", "emission", "verra", "sbti"))
+        hints.push("climate-pack");
+    if (has("clinical", "ctms", "edc", "cdisc", "randomization", "irb"))
+        hints.push("clinical-trials-pack");
+    if (has("drug discovery", "binding affinity", "admet", "chembl", "alphafold"))
+        hints.push("drug-discovery-pack");
+    if (has("recruit", "hiring", "candidate", "ats", "aedt"))
+        hints.push("hr-ai-pack");
+    if (has("loan", "lending", "bnpl", "underwrit", "fcra"))
+        hints.push("lending-pack");
+    if (has("voice", "telephony", "ivr", "stt", "tts", "outbound call"))
+        hints.push("voice-pack");
+    if (has("india", "upi", "rbi", "mpesa", "gcash", "pix", "cross-border", "remittance"))
+        hints.push("em-fintech-pack");
+    if (has("public api", "api key", "developer portal", "openapi"))
+        hints.push("api-platform-pack");
+    return hints;
+}
 // Compliance hints — auto-suggested based on stack and README.
 export function suggestCompliance(d, archetype) {
     const c = new Set();

package/dist/bootstrap.js

@@ -4,12 +4,13 @@ import { existsSync, mkdirSync, writeFileSync, readFileSync } from "node:fs";
 import { join } from "node:path";
 import { dim, success, warn } from "./ui.js";
 import { suggestJurisdictions } from "./jurisdictions.js";
+import { compileFlow, renderFlowMd } from "./flow.js";
 export function bootstrap(dir, detection, archetype, compliance, detectionMeta) {
     const greatCtoDir = join(dir, ".great_cto");
     const projectMd = join(greatCtoDir, "PROJECT.md");
     if (existsSync(projectMd)) {
         warn(`.great_cto/PROJECT.md already exists — not overwriting.`);
-        return { projectMdPath: projectMd, created: false, skippedReason: "already exists" };
+        return { projectMdPath: projectMd, created: false, skippedReason: "already exists", flow: null };
     }
     mkdirSync(greatCtoDir, { recursive: true });
     const title = inferProjectTitle(dir);
@@ -120,7 +121,14 @@ when you actually start work:
 `;
     writeFileSync(projectMd, content, "utf-8");
     success(`created .great_cto/PROJECT.md ${dim(`(archetype: ${archetype})`)}`);
-    return { projectMdPath: projectMd, created: true, skippedReason: null };
+    // Write FLOW.md — compiled delivery flow for agents and user
+    const confidence = detectionMeta?.confidence ?? "medium";
+    const size = (detection.projectSize ?? "medium");
+    const flow = compileFlow(archetype, size, detection, compliance, confidence);
+    const flowMdPath = join(greatCtoDir, "FLOW.md");
+    const generatedAt = new Date().toISOString().slice(0, 10);
+    writeFileSync(flowMdPath, renderFlowMd(flow, generatedAt), "utf-8");
+    return { projectMdPath: projectMd, created: true, skippedReason: null, flow };
 }
 /**
  * Slugify a project title into a tenant-id safe for HTTP headers and audit

package/dist/detect.js

@@ -1004,6 +1004,10 @@ export function detect(dir) {
     const readmeKeywords = mineReadmeKeywords(dir);
     for (const kw of readmeKeywords)
         sig(`readme:${kw}`, "README");
+    // ── Infra signals (Wave 2b) — terraform/env/docker/homepage ──
+    const infraKeywords = mineInfraKeywords(dir, pkg);
+    for (const kw of infraKeywords)
+        sig(`infra:${kw}`, "infra");
     return {
         stack: Array.from(stack).sort(),
         languages: Array.from(languages).sort(),
@@ -1022,6 +1026,7 @@ export function detect(dir) {
         scripts: scriptHints,
         projectSize,
         readmeKeywords,
+        infraKeywords,
     };
 }
 // ── helpers ──────────────────────────────────────────────────
@@ -1208,6 +1213,25 @@ function mineReadmeKeywords(dir) {
         "pdpa", "pdpc", "singapore users", "singaporean users",
         "mas guidelines", "mas tpm", "singpass", "myinfo",
         "singapore data residency",
+        // CA
+        "pipeda", "quebec law 25", "bill 64", "opc canada", "casl",
+        "canadian users", "canada users", "canadian customers", "canadian residents",
+        "osfi", "fintrac", "ca-central", "ca-west", "canada-central",
+        // JP
+        "appi", "personal information protection commission", "ppc japan",
+        "japan users", "japanese users", "japan customers",
+        "fsa japan", "jfsa", "fisc",
+        "ap-northeast-1", "ap-northeast-3", "japan east", "japan west",
+        // CN
+        "pipl", "personal information protection law", "data security law",
+        "mlps", "classified protection", "cyberspace administration",
+        "china users", "chinese users", "mainland china",
+        "pboc", "cn-north", "cn-east", "cn-south", "china-east", "china-north",
+        // KR
+        "pipa korea", "pipa", "personal information protection act korea",
+        "pipc", "isms-p", "kisa", "k-isms",
+        "korea users", "korean users", "south korea users",
+        "fsc korea", "ap-northeast-2", "korea central", "korea south",
     ];
     for (const term of jurisdictionTerms) {
         if (text.includes(term))
@@ -1215,6 +1239,148 @@ function mineReadmeKeywords(dir) {
     }
     return Array.from(kws).sort();
 }
+/**
+ * Mine infra-level jurisdiction signals that README often omits:
+ * - Terraform/Pulumi/CDK region strings (eu-west-1, ap-northeast-2, …)
+ * - .env.example / .env.sample / .env.test AWS_REGION / AZURE_LOCATION / GCP_REGION
+ * - docker-compose.yml TZ= environment variables
+ * - package.json homepage TLD (.de, .fr, .jp, .cn, .kr, .ca, …)
+ *
+ * Returns a flat list of canonical keyword strings that jurisdiction.ts can match.
+ */
+function mineInfraKeywords(dir, pkg) {
+    const kws = new Set();
+    // ── 1. package.json homepage TLD → jurisdiction keyword ──────────────────
+    const homepageTldMap = {
+        ".de": "german users", ".at": "austrian", ".fr": "french users",
+        ".nl": "dutch users", ".es": "spanish users", ".it": "italian users",
+        ".pl": "polish users", ".eu": "eu users",
+        ".co.uk": "uk users", ".uk": "uk users",
+        ".ca": "canadian users",
+        ".jp": "japan users",
+        ".cn": "china users",
+        ".kr": "korea users",
+        ".com.br": "brazil users", ".br": "brazil users",
+        ".com.au": "australia users", ".au": "australia users",
+        ".sg": "singapore users",
+        ".in": "india users",
+    };
+    const homepage = (pkg?.homepage ?? "").toLowerCase();
+    if (homepage) {
+        for (const [tld, kw] of Object.entries(homepageTldMap)) {
+            if (homepage.includes(tld))
+                kws.add(kw);
+        }
+    }
+    // ── 2. .env / docker-compose TZ= → jurisdiction ──────────────────────────
+    const tzRegionMap = [
+        [/tz=europe\//i, "eu users"],
+        [/tz=america\/toronto|tz=canada/i, "canadian users"],
+        [/tz=asia\/tokyo/i, "japan users"],
+        [/tz=asia\/shanghai|tz=asia\/beijing|tz=prc|tz=asia\/hong_kong/i, "china users"],
+        [/tz=asia\/seoul/i, "korea users"],
+        [/tz=asia\/kolkata|tz=asia\/calcutta/i, "india users"],
+        [/tz=america\/sao_paulo/i, "brazil users"],
+        [/tz=australia\//i, "australia users"],
+        [/tz=asia\/singapore/i, "singapore users"],
+        [/tz=europe\/london/i, "uk users"],
+    ];
+    const envFiles = [".env.example", ".env.sample", ".env.test", ".env.local.example",
+        "docker-compose.yml", "docker-compose.yaml",
+        "docker-compose.dev.yml", "docker-compose.prod.yml"];
+    for (const f of envFiles) {
+        const p = join(dir, f);
+        if (!existsSync(p))
+            continue;
+        try {
+            const txt = readFileSync(p, "utf-8").slice(0, 8000).toLowerCase();
+            // AWS_REGION / AZURE_LOCATION / GCP_REGION / REGION
+            const awsRegion = txt.match(/(?:aws_region|region)\s*=\s*["']?([a-z0-9-]+)/g) ?? [];
+            for (const m of awsRegion) {
+                const val = m.split(/=\s*["']?/)[1] ?? "";
+                if (/^eu-/.test(val) || /^europe/.test(val))
+                    kws.add("eu users");
+                if (/^ca-/.test(val) || val.includes("canada"))
+                    kws.add("canadian users");
+                if (/^ap-northeast-1$|^ap-northeast-3$/.test(val))
+                    kws.add("japan users");
+                if (/^ap-northeast-2$/.test(val))
+                    kws.add("korea users");
+                if (/^cn-/.test(val) || val.includes("china"))
+                    kws.add("china users");
+                if (/^ap-south-1$/.test(val) || val.includes("india"))
+                    kws.add("india users");
+                if (/^ap-southeast-1$/.test(val))
+                    kws.add("singapore users");
+                if (/^ap-southeast-2$/.test(val))
+                    kws.add("australia users");
+                if (/^sa-east/.test(val))
+                    kws.add("brazil users");
+                if (/^us-/.test(val) || /^us_/.test(val))
+                    kws.add("us users");
+                if (val.includes("uk") || val.includes("europe") && val.includes("west"))
+                    kws.add("uk users");
+            }
+            for (const [re, kw] of tzRegionMap) {
+                if (re.test(txt))
+                    kws.add(kw);
+            }
+        }
+        catch { /* unreadable */ }
+    }
+    // ── 3. Terraform / Pulumi / CloudFormation region strings ─────────────────
+    const tfFiles = [];
+    function collectTf(d, depth) {
+        if (depth > 4)
+            return;
+        const SKIP = new Set(["node_modules", ".git", "dist", ".terraform"]);
+        try {
+            for (const e of readdirSync(d)) {
+                if (SKIP.has(e))
+                    continue;
+                const p = join(d, e);
+                try {
+                    const st = statSync(p);
+                    if (st.isDirectory()) {
+                        collectTf(p, depth + 1);
+                        continue;
+                    }
+                    if (/\.(tf|yaml|yml|json)$/.test(e) && st.size < 200_000)
+                        tfFiles.push(p);
+                }
+                catch { /* skip */ }
+                if (tfFiles.length > 40)
+                    return;
+            }
+        }
+        catch { /* skip */ }
+    }
+    collectTf(dir, 0);
+    const regionPatterns = [
+        [/\beu-west-\d|eu-central-\d|eu-north-\d|eu-south-\d|europe-west\d|europe-north\d|westeurope|northeurope|germanywestcentral|francecentral\b/i, "eu users"],
+        [/\bca-central-\d|canadacentral|canadaeast\b/i, "canadian users"],
+        [/\bap-northeast-1\b|\bjapan-east\b|\bjapaneast\b|\bjapanwest\b/i, "japan users"],
+        [/\bap-northeast-2\b|\bkoreacentral\b|\bkoreasouth\b/i, "korea users"],
+        [/\bcn-north-\d|\bcn-east-\d|\bcn-northwest-\d|\bchinanorth\b|\bchinaeast\b/i, "china users"],
+        [/\bap-south-\d|\bcentralindia\b|\bsouthindia\b|\bwestindia\b/i, "india users"],
+        [/\bap-southeast-1\b|\bsoutheastasia\b/i, "singapore users"],
+        [/\bap-southeast-2\b|\baustralia\b|\baustraliasoutheast\b|\baustraliaeast\b/i, "australia users"],
+        [/\bsa-east-\d|\bbrazilsouth\b|\bbrazilsoutheast\b/i, "brazil users"],
+        [/\buksouth\b|\bukwest\b|\buk-south\b/i, "uk users"],
+        [/\bus-east-\d|\bus-west-\d|\beastus\b|\bwestus\b|\bcentralus\b/i, "us users"],
+    ];
+    for (const p of tfFiles) {
+        try {
+            const txt = readFileSync(p, "utf-8").slice(0, 50_000);
+            for (const [re, kw] of regionPatterns) {
+                if (re.test(txt))
+                    kws.add(kw);
+            }
+        }
+        catch { /* skip */ }
+    }
+    return Array.from(kws).sort();
+}
 function safeGlob(dir, pattern, kind = "file") {
     try {
         const entries = readdirSync(dir);

package/dist/flow.js

@@ -0,0 +1,188 @@
+// flow.ts — compiles all detection outputs into a single user-facing FlowResult.
+// Pure function: no I/O, no side effects.
+// Called by bootstrap.ts (writes FLOW.md) and main.ts (prints summary).
+import { reviewersFor, gatesFor } from "./archetypes.js";
+import { suggestPackReviewers, suggestPackGates, suggestPacks } from "./packs.js";
+import { suggestJurisdictions, suggestJurisdictionReviewers, suggestJurisdictionGates } from "./jurisdictions.js";
+// ── Human-readable titles ─────────────────────────────────────────────────
+const ARCHETYPE_TITLE = {
+    "fintech": "Fintech",
+    "healthcare": "Healthcare",
+    "enterprise-saas": "Enterprise SaaS",
+    "agent-product": "AI agent",
+    "ai-system": "AI system",
+    "mlops": "MLOps pipeline",
+    "commerce": "E-commerce",
+    "marketplace": "Marketplace",
+    "mobile-app": "Mobile app",
+    "web-service": "Web service",
+    "library": "Library / SDK",
+    "cli-tool": "CLI tool",
+    "data-platform": "Data platform",
+    "streaming": "Streaming system",
+    "infra": "Infrastructure",
+    "devtools": "Developer tool",
+    "browser-extension": "Browser extension",
+    "game": "Game",
+    "web3": "Web3 / DeFi",
+    "iot-embedded": "IoT / embedded",
+    "cms": "CMS",
+    "edtech": "EdTech",
+    "gov-public": "Government",
+    "insurance": "Insurance",
+    "regulated": "Regulated system",
+    "greenfield": "New project",
+};
+// Gate id (StandardGate) → user label
+const GATE_LABEL = {
+    "plan": "gate:plan",
+    "arch": "gate:arch",
+    "code": "gate:code",
+    "qa": "gate:qa",
+    "security": "gate:security",
+    "compliance": "gate:compliance",
+    "ship": "gate:ship",
+    "cost": "gate:cost-forecast",
+    "oracle-review": "gate:oracle-review",
+    "edtech-review": "gate:edtech-review",
+    "gov-review": "gate:gov-review",
+    "insurance-review": "gate:insurance-review",
+};
+// Cost (low, high) per feature cycle by archetype tier
+const ARCHETYPE_COST = {
+    "fintech": [8, 18],
+    "healthcare": [8, 18],
+    "agent-product": [8, 18],
+    "mlops": [8, 18],
+    "marketplace": [8, 18],
+    "enterprise-saas": [8, 18],
+    "regulated": [8, 18],
+    "edtech": [8, 18],
+    "gov-public": [8, 18],
+    "insurance": [8, 18],
+    "web3": [8, 18],
+    "commerce": [3, 8],
+    "mobile-app": [3, 8],
+    "web-service": [3, 8],
+    "data-platform": [3, 8],
+    "streaming": [3, 8],
+    "devtools": [3, 8],
+    "browser-extension": [3, 8],
+    "game": [3, 8],
+    "cms": [3, 8],
+    "ai-system": [3, 8],
+    "iot-embedded": [3, 8],
+    "infra": [3, 8],
+    "library": [0.5, 3],
+    "cli-tool": [0.5, 3],
+    "greenfield": [0.5, 3],
+};
+// ── Main export ───────────────────────────────────────────────────────────
+/**
+ * Compile all detection outputs into a single FlowResult.
+ *
+ * Pure function — no file I/O. Called by bootstrap.ts (FLOW.md) and
+ * main.ts (summary output).
+ */
+export function compileFlow(archetype, size, detection, compliance, confidence) {
+    // ── Agents ──────────────────────────────────────────────────────────────
+    const agentSet = new Set(reviewersFor(archetype));
+    for (const r of suggestPackReviewers(detection))
+        agentSet.add(r);
+    for (const r of suggestJurisdictionReviewers(detection))
+        agentSet.add(r);
+    // Always include base orchestration agents
+    agentSet.add("architect");
+    agentSet.add("senior-dev");
+    agentSet.add("qa-engineer");
+    // ── Gates ────────────────────────────────────────────────────────────────
+    const gateSet = new Set(gatesFor(archetype, size).map((g) => GATE_LABEL[g] ?? `gate:${g}`));
+    for (const g of suggestPackGates(detection))
+        gateSet.add(g);
+    for (const g of suggestJurisdictionGates(detection))
+        gateSet.add(g);
+    // ── Packs + jurisdictions for routing block ──────────────────────────────
+    const packs = suggestPacks(detection);
+    const jurisdictions = suggestJurisdictions(detection);
+    // ── Title ────────────────────────────────────────────────────────────────
+    const productLabel = ARCHETYPE_TITLE[archetype] ?? archetype;
+    const jCodes = jurisdictions
+        .slice(0, 3)
+        .map((j) => j.jurisdiction.toUpperCase())
+        .join(" + ");
+    const title = jCodes ? `${productLabel} · ${jCodes}` : productLabel;
+    // ── ID ───────────────────────────────────────────────────────────────────
+    const id = [archetype, ...jurisdictions.map((j) => j.jurisdiction)]
+        .join("-")
+        .toLowerCase();
+    // ── Cost range ────────────────────────────────────────────────────────────
+    const costEntry = ARCHETYPE_COST[archetype] ?? [3, 8];
+    const [low, high] = costEntry;
+    return {
+        id,
+        title,
+        agents: Array.from(agentSet).sort(),
+        gates: Array.from(gateSet).sort(),
+        compliance: [...new Set(compliance)].sort(),
+        costRange: { low, high },
+        routing: {
+            archetype,
+            packs: packs.map((p) => p.pack),
+            jurisdictions: jurisdictions.map((j) => j.jurisdiction),
+            confidence,
+        },
+    };
+}
+/**
+ * Render FLOW.md content from a FlowResult.
+ * Exported separately so bootstrap.ts can call it without depending on main.ts.
+ */
+export function renderFlowMd(flow, generatedAt) {
+    const agentLines = flow.agents.map((a) => `- ${a}`).join("\n");
+    const gateLines = flow.gates.map((g) => `- ${g}`).join("\n");
+    const complianceLines = flow.compliance.length > 0
+        ? flow.compliance.map((c) => `- ${c}`).join("\n")
+        : "- none";
+    const packLines = flow.routing.packs.length > 0
+        ? flow.routing.packs.join(", ")
+        : "none";
+    const jLines = flow.routing.jurisdictions.length > 0
+        ? flow.routing.jurisdictions.join(", ")
+        : "none";
+    return `# Delivery Flow
+
+> Auto-generated by \`great-cto init\` on ${generatedAt}.
+> This file tells agents how to orchestrate your SDLC.
+> Regenerates on \`npx great-cto init --force\`. Edit \`_routing:\` to tune.
+
+## Detected
+
+${flow.title}
+
+## Agents
+
+${agentLines}
+
+## Human gates
+
+${gateLines}
+
+## Compliance
+
+${complianceLines}
+
+## Cost estimate
+
+$${flow.costRange.low}–$${flow.costRange.high} per feature cycle
+
+---
+
+<!-- Internal routing — view with: great-cto flow explain -->
+_routing:
+  id: ${flow.id}
+  archetype: ${flow.routing.archetype}
+  packs: [${packLines}]
+  jurisdictions: [${jLines}]
+  confidence: ${flow.routing.confidence}
+`;
+}

package/dist/jurisdictions.js

@@ -18,6 +18,10 @@ const JURISDICTION_REVIEWERS = {
     "br": ["gdpr-reviewer"], // LGPD mirrors GDPR — same reviewer covers
     "au": ["us-privacy-reviewer"], // Privacy Act 1988 — covered by privacy reviewer
     "sg": ["us-privacy-reviewer"], // PDPA — covered by privacy reviewer
+    "ca": ["us-privacy-reviewer"], // PIPEDA + Quebec Law 25
+    "jp": ["us-privacy-reviewer"], // APPI — covered by privacy reviewer
+    "cn": ["gdpr-reviewer"], // PIPL structure mirrors GDPR concepts
+    "kr": ["us-privacy-reviewer"], // PIPA — covered by privacy reviewer
 };
 const JURISDICTION_GATES = {
     "eu": ["gate:gdpr-dpia", "gate:eu-ai-act-classification"],
@@ -28,6 +32,10 @@ const JURISDICTION_GATES = {
     "br": ["gate:lgpd-dpia"],
     "au": ["gate:au-privacy-act-assessment"],
     "sg": ["gate:pdpa-dpo"],
+    "ca": ["gate:pipeda-pia", "gate:quebec-law25-consent"],
+    "jp": ["gate:appi-third-party-transfer", "gate:appi-ppc-registration"],
+    "cn": ["gate:pipl-consent-framework", "gate:mlps-classification", "gate:pipl-data-localisation"],
+    "kr": ["gate:pipa-isms-p", "gate:pipa-consent-framework"],
 };
 const JURISDICTION_LAWS = {
     "eu": ["GDPR (EU) 2016/679", "EU AI Act 2024/1689", "NIS2 Directive 2022/2555", "ePrivacy Directive"],
@@ -38,6 +46,10 @@ const JURISDICTION_LAWS = {
     "br": ["LGPD (Lei 13.709/2018)", "ANPD resolutions", "Marco Civil da Internet"],
     "au": ["Privacy Act 1988 (Cth)", "Australian Privacy Principles (APPs)", "CDR (if fintech)", "OAIC enforcement"],
     "sg": ["PDPA 2012 (amended 2021)", "MAS TRM Guidelines (if fintech)", "PDPC Advisory Guidelines"],
+    "ca": ["PIPEDA (Personal Information Protection and Electronic Documents Act)", "Quebec Law 25 / Bill 64", "CASL (if email marketing)", "OSFI B-10 (if fintech)"],
+    "jp": ["APPI 2022 (Act on Protection of Personal Information)", "PPC Guidelines", "My Number Act (if govt-adjacent)", "FISC (if fintech)"],
+    "cn": ["PIPL 2021 (Personal Information Protection Law)", "DSL 2021 (Data Security Law)", "MLPS 2.0 (Cybersecurity Classified Protection)", "CBDT (cross-border data transfer rules)", "CAC regulations"],
+    "kr": ["PIPA (Personal Information Protection Act)", "ISMS-P certification (mandatory for large platforms)", "Network Act", "FSC regulations (if fintech)"],
 };
 // ── Signal dictionary ─────────────────────────────────────────────────────
 export const JURISDICTION_SIGNALS = {
@@ -112,15 +124,95 @@ export const JURISDICTION_SIGNALS = {
             "singapore data residency",
         ],
     },
+    "ca": {
+        keywords: [
+            // Privacy law
+            "pipeda", "quebec law 25", "bill 64", "privacy commissioner",
+            "opc canada", "casl", "canadian users", "canada users",
+            "canadian customers", "canadian residents",
+            // Fintech
+            "osfi", "fintrac", "aml canada",
+            // Infra
+            "ca-central", "ca-west", "canada-central",
+        ],
+    },
+    "jp": {
+        keywords: [
+            // Privacy law
+            "appi", "personal information protection commission", "ppc japan",
+            "japan users", "japanese users", "japan customers",
+            "my number", "individual number act",
+            // Fintech
+            "fsa japan", "jfsa", "fisc",
+            // Infra
+            "ap-northeast-1", "ap-northeast-3", "japan east", "japan west",
+            "japaneast", "japanwest",
+        ],
+    },
+    "cn": {
+        keywords: [
+            // Privacy / data laws
+            "pipl", "personal information protection law", "data security law",
+            "dsl 2021", "mlps", "classified protection", "cybersecurity law",
+            "cac", "cyberspace administration", "cbdt",
+            "china users", "chinese users", "mainland china",
+            // Cross-border
+            "cross-border data transfer china", "security assessment cac",
+            "standard contract cac", "personal information export",
+            // Fintech
+            "pboc", "nfra", "cbirc", "csrc", "alipay", "wechatpay",
+            // Infra
+            "cn-north", "cn-northwest", "cn-east", "cn-south",
+            "china-east", "china-north", "chinaeast", "chinanorth",
+        ],
+    },
+    "kr": {
+        keywords: [
+            // Privacy / data laws
+            "pipa korea", "pipa", "personal information protection act korea",
+            "pipc", "privacy commissioner korea",
+            "korea users", "korean users", "south korea users",
+            "isms-p", "kisa", "k-isms",
+            // Fintech
+            "fsc korea", "fss korea", "kftc",
+            // Infra
+            "ap-northeast-2", "korea central", "korea south",
+            "koreacentral", "koreasouth",
+        ],
+    },
 };
 // ── Public API ─────────────────────────────────────────────────────────────
+/**
+ * Word-boundary aware keyword match.
+ * Handles both single tokens ("gdpr") and multi-word phrases ("eu ai act").
+ * Multi-word phrases matched as substrings (spaces already serve as boundaries).
+ * Single tokens matched with word-boundary regex to avoid "india" → "indiana".
+ */
+function matchesKeyword(text, kw) {
+    if (kw.includes(" ")) {
+        // Multi-word phrase: substring match is fine (space = implicit boundary)
+        return text.includes(kw);
+    }
+    // Single token: require word boundaries
+    try {
+        return new RegExp(`(?<![a-z0-9_-])${kw.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}(?![a-z0-9_-])`).test(text);
+    }
+    catch {
+        return text.includes(kw);
+    }
+}
 /** Return jurisdictions whose signals match the detection result. */
 export function suggestJurisdictions(d) {
     const matches = [];
-    const kwLower = d.readmeKeywords.map((k) => k.toLowerCase());
+    // Combine README keywords + infra keywords (both already lowercased)
+    const allKeywords = [
+        ...d.readmeKeywords.map((k) => k.toLowerCase()),
+        ...(d.infraKeywords ?? []).map((k) => k.toLowerCase()),
+    ];
+    const combined = allKeywords.join(" ");
     for (const code of Object.keys(JURISDICTION_SIGNALS)) {
         const { keywords } = JURISDICTION_SIGNALS[code];
-        const matchedKeywords = keywords.filter((kw) => kwLower.includes(kw));
+        const matchedKeywords = keywords.filter((kw) => matchesKeyword(combined, kw));
         if (matchedKeywords.length === 0)
             continue;
         matches.push({

package/dist/main.js

@@ -18,6 +18,7 @@ import { install, findInstalledVersions } from "./installer.js";
 import { enableGreatCto } from "./settings.js";
 import { installAllCompanions } from "./companion.js";
 import { bootstrap } from "./bootstrap.js";
+import { compileFlow } from "./flow.js";
 import { shouldUseLlmFallback, suggestArchetypeFromLlm } from "./llm-fallback.js";
 import { readFileSync, copyFileSync, chmodSync, existsSync as fsExistsSync } from "node:fs";
 import { dirname, join } from "node:path";
@@ -576,23 +577,26 @@ async function runInit(args) {
         }
     }
     const compliance = suggestCompliance(detection, archetype);
-    log(`  ${dim("archetype:")} ${cyan(archetype)} ${dim(`(confidence: ${confidence})`)}`);
-    log(`  ${dim("rationale:")} ${rationale}`);
-    if (alternatives.length > 0) {
-        log(`  ${dim("alternatives:")} ${alternatives.join(", ")}`);
+    // Compile flow — used for user-facing summary AND written to FLOW.md by bootstrap()
+    const compiledFlow = compileFlow(archetype, (detection.projectSize ?? "medium"), detection, compliance, confidence);
+    // ── User-facing "Compiled flow" summary ──────────────────────────────────
+    log("");
+    log(`${bold("Compiled flow:")} ${cyan(compiledFlow.title)}`);
+    log(`  ${dim("Agents:")}     ${compiledFlow.agents.join(" · ")}`);
+    log(`  ${dim("Gates:")}      ${compiledFlow.gates.join(" · ")}`);
+    if (compiledFlow.compliance.length > 0) {
+        log(`  ${dim("Compliance:")} ${compiledFlow.compliance.join(", ")}`);
     }
-    log(`  ${dim("suggested compliance:")} ${compliance.length > 0 ? compliance.join(", ") : "none"}`);
-    // v1.0.144+: ask user to confirm archetype if confidence is low
-    // OR if alternatives are present and not user-specified
+    log(`  ${dim("Cost:")}       ~$${compiledFlow.costRange.low}–$${compiledFlow.costRange.high} per feature cycle`);
+    log("");
+    // Low-confidence notice — show only when actionable
     if (!args.yes && !args.archetype && (confidence === "low" || (confidence === "medium" && alternatives.length >= 2))) {
-        log("");
-        log(`${bold("⚠ Archetype detection confidence:")} ${cyan(confidence)}`);
-        log(`  Top candidate: ${cyan(archetype)} — ${dim(rationale)}`);
+        log(`  ${yellow("⚠")} ${dim(`Detected as ${cyan(archetype)} (${confidence} confidence).`)}`);
         if (alternatives.length > 0) {
-            log(`  Alternatives:  ${alternatives.map(a => cyan(a)).join(", ")}`);
+            log(`  ${dim("Alternatives: " + alternatives.join(", "))}`);
         }
-        log(`  ${dim("If wrong, override with: --archetype " + (alternatives[0] ?? "<name>"))}`);
-        log(`  ${dim("Or edit .great_cto/PROJECT.md after install — agents read 'archetype:' field.")}`);
+        log(`  ${dim("Override: npx great-cto init --archetype <name>")}`);
+        log("");
     }
     // Confirmation
     if (!args.yes) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "great-cto",
-  "version": "2.19.0",
+  "version": "2.21.0",
   "description": "One command install for the great_cto Claude Code plugin. Auto-detects your stack, picks the right archetype, bootstraps PROJECT.md.",
   "keywords": [
     "claude-code",