Payment Card Industry Data Security Standard. Applies to web service / api by default.
In your web service / api project, GreatCTO detects the archetype and overlays the web-service reviewer agent. PCI-DSS gates auto-attach. The reviewer reads the regulation text, your code, your tests, and emits a verdict per requirement โ with a diff if anything's missing.
Stack signals + manifests + README keywords identify web-service as the project type. PCI-DSS is in the default gate set for this archetype.
The reviewer agent prompt encodes each requirement above as a check. When a PR touches relevant code paths, the reviewer fires with the specific check that matters.
Each gate decision is logged to .great_cto/gates.log with timestamp, reviewer, verdict, and rationale. Auditors get a tidy CSV; no scrambling at audit time.
When an auditor flags something in one project, the lesson promotes to ~/.great_cto/decisions.md after the 3rd similar finding. Next project's first run includes the lesson in Step 0.
It does not certify you. PCI-DSS compliance requires human accountability โ a CISO sign-off, a DPO review, in some cases an external auditor. GreatCTO ships the evidence; you still own the attestation.
It does not substitute legal review. The reviewer agent encodes commonly accepted readings of the regulation, not your specific jurisdictional interpretation. For high-stakes cases, lawyer involvement is still load-bearing.
It does not eliminate gaps in the requirements list. The list above is the surface area we cover programmatically. PCI-DSS has more (Annex II's, sub-clauses, jurisdictional carve-outs). Override the reviewer prompt in agents/web-service-reviewer.md for your specifics.
Every box on the diagram is a clickable link to the agent's source on GitHub.
Voice-AI pack rollout: TCPA + STIR/SHAKEN + state recording consent gates auto-wired. Timeline, costs, artifacts.
The web-service-reviewer prompt is auditable. Read it, override it, fork it.
$ npx great-cto init
Free, MIT, runs locally. The reviewer agent ships with the npm package โ no SaaS portal, no compliance vendor lock-in.