OWASP Top 10 for Large Language Model Applications. It doesn't usually apply to game projects, but if your specific case touches it, here's how the overlay wires up.
In your game project, GreatCTO detects the archetype and overlays the game reviewer agent. OWASP LLM Top 10 gates can be attached on demand if your case requires. The reviewer reads the regulation text, your code, your tests, and emits a verdict per requirement, with a diff if anything's missing.
Stack signals + manifests + README keywords identify game as the project type. OWASP LLM Top 10 is opt-in for this archetype.
The reviewer agent prompt encodes each requirement above as a check. When a PR touches relevant code paths, the reviewer fires with the specific check that matters.
Each gate decision is logged to .great_cto/gates.log with timestamp, reviewer, verdict, and rationale. Auditors get a tidy CSV; no scrambling at audit time.
When an auditor flags something in one project, the lesson promotes to ~/.great_cto/decisions.md after the 3rd similar finding. Next project's first run includes the lesson in Step 0.
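As an added illustration of the audit trail described above (not GreatCTO's own code): it parses a constructed .great_cto/gates.log, renders the tidy CSV an auditor would receive, and applies the promote-after-3rd-similar-finding rule. The JSON-lines layout, the extra requirement field, the sample requirement ids and treating "similar" as "same requirement id with a failing verdict" are all assumptions.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample of .great_cto/gates.log. The JSON-lines layout, the
# "requirement" field and the ids are assumptions; the page names only
# timestamp, reviewer, verdict and rationale.
SAMPLE_GATES_LOG = """\
{"timestamp": "2024-05-01T10:00:00Z", "reviewer": "game-reviewer", "requirement": "LLM01", "verdict": "pass", "rationale": "player chat is not spliced into the system prompt"}
{"timestamp": "2024-05-02T11:30:00Z", "reviewer": "game-reviewer", "requirement": "LLM-X", "verdict": "fail", "rationale": "NPC dialogue export lacks a test"}
{"timestamp": "2024-05-03T09:15:00Z", "reviewer": "auditor", "requirement": "LLM-X", "verdict": "fail", "rationale": "same gap in the mod API, flagged again"}
{"timestamp": "2024-05-04T14:45:00Z", "reviewer": "auditor", "requirement": "LLM-X", "verdict": "fail", "rationale": "third occurrence, in the replay tool"}
"""

PROMOTION_THRESHOLD = 3  # the lesson promotes to decisions.md after the 3rd similar finding
FIELDS = ["timestamp", "reviewer", "requirement", "verdict", "rationale"]


def parse_gates_log(text):
    """Parse JSON-lines gate decisions; blank lines are skipped, malformed rows raise."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        row = json.loads(line)
        missing = set(FIELDS) - set(row)
        if missing:
            raise ValueError(f"gates.log line {lineno} lacks {sorted(missing)}")
        entries.append(row)
    return entries


def to_auditor_csv(entries):
    """Render the auditor CSV with a fixed column order; rationales are quoted as needed."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(entries)
    return buf.getvalue()


def lessons_to_promote(entries, threshold=PROMOTION_THRESHOLD):
    """Requirement ids whose failing verdicts have reached the promotion threshold."""
    fails = Counter(e["requirement"] for e in entries if e["verdict"] == "fail")
    return sorted(req for req, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    decisions = parse_gates_log(SAMPLE_GATES_LOG)
    print(to_auditor_csv(decisions))
    print("promote to ~/.great_cto/decisions.md:", lessons_to_promote(decisions))
```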
It does not certify you. OWASP LLM Top 10 compliance requires human accountability: a CISO sign-off, a DPO review, in some cases an external auditor. GreatCTO ships the evidence; you still own the attestation.
It does not substitute legal review. The reviewer agent encodes commonly accepted readings of the regulation, not your specific jurisdictional interpretation. For high-stakes cases, lawyer involvement is still load-bearing.
It does not eliminate gaps in the requirements list. The list above is the surface area we cover programmatically. OWASP LLM Top 10 has more (Annex II's, sub-clauses, jurisdictional carve-outs). Override the reviewer prompt in agents/game-reviewer.md for your specifics.
Every box on the diagram is a clickable link to the agent's source on GitHub.
The game-reviewer prompt is auditable. Read it, override it, fork it.
$ npx great-cto init
Free, MIT, runs locally. The reviewer agent ships with the npm package: no SaaS portal, no compliance vendor lock-in.