Payment Card Industry Data Security Standard. Doesn't usually apply to cli tool — but if your specific case touches it, here's how the overlay wires up.
In your cli tool project, GreatCTO detects the archetype and overlays the cli-tool reviewer agent. PCI-DSS gates can be attached on demand if your case requires. The reviewer reads the regulation text, your code, your tests, and emits a verdict per requirement — with a diff if anything's missing.
Stack signals + manifests + README keywords identify cli-tool as the project type. PCI-DSS is opt-in for this archetype.
The reviewer agent prompt encodes each requirement above as a check. When a PR touches relevant code paths, the reviewer fires with the specific check that matters.
Each gate decision is logged to .great_cto/gates.log with timestamp, reviewer, verdict, and rationale. Auditors get a tidy CSV; no scrambling at audit time.
When an auditor flags something in one project, the lesson promotes to ~/.great_cto/decisions.md after the 3rd similar finding. Next project's first run includes the lesson in Step 0.
It does not certify you. PCI-DSS compliance requires human accountability — a CISO sign-off, a DPO review, in some cases an external auditor. GreatCTO ships the evidence; you still own the attestation.
It does not substitute legal review. The reviewer agent encodes commonly accepted readings of the regulation, not your specific jurisdictional interpretation. For high-stakes cases, lawyer involvement is still load-bearing.
It does not eliminate gaps in the requirements list. The list above is the surface area we cover programmatically. PCI-DSS has more (Annex II's, sub-clauses, jurisdictional carve-outs). Override the reviewer prompt in agents/cli-tool-reviewer.md for your specifics.
Every box on the diagram is a clickable link to the agent's source on GitHub.
Voice-AI pack rollout: TCPA + STIR/SHAKEN + state recording consent gates auto-wired. Timeline, costs, artifacts.
The cli-tool-reviewer prompt is auditable. Read it, override it, fork it.
$ npx great-cto init
Free, MIT, runs locally. The reviewer agent ships with the npm package — no SaaS portal, no compliance vendor lock-in.