npm - great-cto - Versions diffs - 2.37.1 → 2.39.0 - Mend

great-cto 2.37.1 → 2.39.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/archetypes.js CHANGED Viewed

@@ -959,6 +959,24 @@ const RULES = [
             return `gov-public detected (${bits.join(", ") || "government domain signals"}) — FedRAMP/NIST 800-53/Section 508 gates required`;
         },
     },
+    // ── defense-govcon (US defense contractor — CMMC / NIST 800-171 / DFARS) ──
+    // Distinct from gov-public: the buyer is DoD and the obligation is protecting
+    // Controlled Unclassified Information (CUI) under DFARS 252.204-7012 + CMMC 2.0,
+    // with export controls (ITAR/EAR) and supply-chain bans (Section 889).
+    {
+        archetype: "defense-govcon",
+        score: (d) => {
+            let s = 0;
+            const kws = d.readmeKeywords;
+            // detect.ts "defense" bucket fires on cmmc / nist 800-171 / dfars / cui / itar / section 889.
+            // These are unambiguous DoD-contractor signals — more specific than generic
+            // gov-public (fedramp/government), so weight high enough to outrank it.
+            if (kws.includes("defense"))
+                s += 12;
+            return s;
+        },
+        reason: (_d) => "US defense-contractor signals (CMMC / NIST 800-171 / DFARS 252.204-7012 / CUI / ITAR / Section 889) — CMMC assessment + CUI protection gates required",
+    },
     // ── insurance (insurtech — NAIC / Solvency II / actuarial / claims fraud) ──
     // Fintech-adjacent but distinct: multi-state filings, anti-discrimination
     // pricing, actuarial model auditability, claims fraud detection.
@@ -1024,7 +1042,7 @@ const RULES = [
 // higher in this list (more specific / domain-bound first).
 const TIE_BREAK_PRIORITY = [
     "browser-extension", "iot-embedded", "web3", "game",
-    "agent-product", "fintech", "insurance", "healthcare", "edtech", "gov-public", "marketplace",
+    "agent-product", "fintech", "insurance", "healthcare", "edtech", "defense-govcon", "gov-public", "marketplace",
     "mlops", "streaming",
     "commerce", "enterprise-saas", "ai-system", "devtools",
     "data-platform", "cms", "infra", "mobile-app",
@@ -1242,6 +1260,17 @@ export function suggestCompliance(d, archetype) {
         c.add("anti-discrimination-pricing");
         c.add("actuarial-asops");
         c.add("state-doi"); // Department of Insurance per US state
+        c.add("naic-ai-model-bulletin");
+        c.add("colorado-sb-21-169"); // US insurance-AI rules
+    }
+    if (archetype === "defense-govcon") {
+        c.add("cmmc-2.0");
+        c.add("nist-800-171");
+        c.add("dfars-252.204-7012");
+        c.add("itar");
+        c.add("ear");
+        c.add("section-889");
+        c.add("fedramp");
     }
     // ── stack-derived (cross-archetype) ──────────────
     if (d.stack.includes("stripe") || d.stack.includes("braintree") ||
@@ -1301,6 +1330,7 @@ export const REVIEWERS_BY_ARCHETYPE = {
     "edtech": ["edtech-reviewer"],
     "gov-public": ["gov-reviewer", "security-officer"],
     "insurance": ["insurance-reviewer", "regulated-reviewer"],
+    "defense-govcon": ["cmmc-reviewer", "gov-reviewer", "security-officer"],
     "greenfield": [],
 };
 /**
@@ -1336,6 +1366,7 @@ export const GATES_BY_ARCHETYPE = {
     "edtech": ["plan", "qa", "edtech-review", "security", "ship", "compliance"],
     "gov-public": ["plan", "qa", "gov-review", "security", "ship", "compliance"],
     "insurance": ["plan", "qa", "insurance-review", "security", "ship", "compliance"],
+    "defense-govcon": ["plan", "qa", "cmmc-assessment", "security", "ship", "compliance"],
     "greenfield": ["plan"],
 };
 /**

package/dist/detect.js CHANGED Viewed

@@ -1113,6 +1113,10 @@ function mineReadmeKeywords(dir) {
             "sarbanes", "regulated entity", "regulated industry",
             "compliance automation", "audit trail", "iso 27001",
             "pci compliance", "soc 2 type", "compliance officer"],
+        "defense": ["cmmc", "nist 800-171", "nist sp 800-171", "dfars", "252.204-7012",
+            "controlled unclassified", "cui ", " cui", "itar", "ear99",
+            "section 889", "defense contractor", "dod contract", "govcon",
+            "facility clearance", "fcl ", "sprs", "cui marking"],
     };
     for (const [bucket, terms] of Object.entries(buckets)) {
         if (terms.some((t) => text.includes(t)))
@@ -1176,6 +1180,24 @@ function mineReadmeKeywords(dir) {
         "supplement recommendation", "supplement ai", "diet ai", "meal plan ai",
         "macro ai", "physician review", "physician hitl", "doctor in the loop",
         "clinical review workflow", "remote patient monitoring", "rpm", "teleconsultation",
+        // US-market packs — keep in sync with packs.ts SIGNALS.keywords
+        // sec-cyber-pack
+        "public company", "publicly traded", "10-k", "10k", "8-k", "8k", "s-1", "ipo",
+        "sec filing", "investor relations", "material incident", "materiality",
+        "incident response", "incident disclosure", "breach notification", "siem",
+        "security operations", "circia", "cisa reporting",
+        // adtech-privacy-pack
+        "meta pixel", "facebook pixel", "fbevents", "conversions api", "capi",
+        "google analytics", "ga4", "google tag manager", "tiktok pixel", "ad pixel",
+        "tracking pixel", "session replay", "session recording", "heatmap",
+        "fullstory", "hotjar", "logrocket", "retargeting", "behavioral advertising",
+        "vppa", "cipa", "wiretap", "my health my data", "mhmda", "consumer health data",
+        // us-ai-pack
+        "nist ai rmf", "ai rmf", "ai risk management", "colorado ai act", "sb 205",
+        "algorithmic discrimination", "consequential decision", "high-risk ai",
+        "automated decision", "ai impact assessment", "utah ai", "traiga",
+        "ai transparency", "ab 2013", "sb 942", "training data transparency",
+        "ai disclosure", "generative ai disclosure", "deepfake disclosure", "ai governance",
     ];
     for (const term of packTerms) {
         if (text.includes(term))

package/dist/flow.js CHANGED Viewed

@@ -47,6 +47,7 @@ const GATE_LABEL = {
     "edtech-review": "gate:edtech-review",
     "gov-review": "gate:gov-review",
     "insurance-review": "gate:insurance-review",
+    "cmmc-assessment": "gate:cmmc-assessment",
 };
 // Cost (low, high) per feature cycle by archetype tier
 const ARCHETYPE_COST = {

package/dist/packs.js CHANGED Viewed

@@ -21,6 +21,9 @@ const PACK_REVIEWERS = {
     "climate-pack": ["climate-mrv-reviewer", "biosecurity-reviewer"],
     "drug-discovery-pack": ["drug-discovery-ml-reviewer", "glp-glab-reviewer", "lab-automation-reviewer"],
     "digital-health-pack": ["digital-health-reviewer", "ai-clinical-reviewer", "healthcare-reviewer"],
+    "sec-cyber-pack": ["sec-cyber-disclosure-reviewer"],
+    "adtech-privacy-pack": ["adtech-privacy-reviewer", "us-privacy-reviewer"],
+    "us-ai-pack": ["us-ai-reviewer"],
 };
 const PACK_GATES = {
     "voice-pack": ["gate:voice-compliance"],
@@ -34,6 +37,9 @@ const PACK_GATES = {
     "climate-pack": ["gate:mrv-methodology", "gate:durc-signoff", "gate:open-weights-release"],
     "drug-discovery-pack": ["gate:model-card-signoff", "gate:csv-validation", "gate:iq-oq-pq"],
     "digital-health-pack": ["gate:wellness-vs-samd", "gate:hitl-design", "gate:wearable-api-access", "gate:supplement-safety", "gate:mental-health-protocol"],
+    "sec-cyber-pack": ["gate:cyber-disclosure-readiness"],
+    "adtech-privacy-pack": ["gate:tracking-consent"],
+    "us-ai-pack": ["gate:ai-governance"],
 };
 // Trigger signals — stack tokens OR README keywords.
 const SIGNALS = {
@@ -106,6 +112,35 @@ const SIGNALS = {
             "remote patient monitoring", "rpm", "teleconsultation",
         ],
     },
+    "sec-cyber-pack": {
+        stack: ["pagerduty", "opsgenie", "statuspage", "splunk", "datadog-siem", "sentinel", "wazuh"],
+        keywords: [
+            "public company", "publicly traded", "10-k", "10k", "8-k", "8k", "s-1", "ipo",
+            "sec filing", "investor relations", "material incident", "materiality",
+            "incident response", "incident disclosure", "breach notification", "siem",
+            "security operations", "soc 2 incident", "circia", "cisa reporting",
+        ],
+    },
+    "adtech-privacy-pack": {
+        stack: ["fbevents", "facebook-pixel", "meta-pixel", "gtag", "ga4", "google-tag-manager", "gtm", "tiktok-pixel", "fullstory", "hotjar", "logrocket", "mouseflow", "smartlook"],
+        keywords: [
+            "meta pixel", "facebook pixel", "fbevents", "conversions api", "capi",
+            "google analytics", "ga4", "google tag manager", "tiktok pixel", "ad pixel",
+            "tracking pixel", "session replay", "session recording", "heatmap",
+            "fullstory", "hotjar", "logrocket", "retargeting", "behavioral advertising",
+            "vppa", "cipa", "wiretap", "my health my data", "mhmda", "consumer health data",
+        ],
+    },
+    "us-ai-pack": {
+        stack: [],
+        keywords: [
+            "nist ai rmf", "ai rmf", "ai risk management", "colorado ai act", "sb 205",
+            "algorithmic discrimination", "consequential decision", "high-risk ai",
+            "automated decision", "ai impact assessment", "utah ai", "traiga",
+            "ai transparency", "ab 2013", "sb 942", "training data transparency",
+            "ai disclosure", "generative ai disclosure", "deepfake disclosure", "ai governance",
+        ],
+    },
 };
 /** Return packs whose signals match the detection result. Deterministic + sorted. */
 export function suggestPacks(d) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "great-cto",
-  "version": "2.37.1",
+  "version": "2.39.0",
   "description": "One command install for the great_cto Claude Code plugin. Auto-detects your stack, picks the right archetype, bootstraps PROJECT.md.",
   "keywords": [
     "claude-code",