🌐 archetype: web-service

Ship REST/GraphQL APIs without the OWASP Top-10 surprise.

Building with Express, Fastify, Django, FastAPI, Spring Boot, or Rails? GreatCTO auto-detects the web-service archetype and ships OWASP API Top-10, GDPR data-minimization, and SLO/error-budget gates from day one.

What you avoid

The 5 API bugs that leak data.

Without GreatCTO

  • Missing rate limit — credential stuffing in week 2
  • CORS misconfigured — third-party JS reads tokens
  • Stack traces leaked in 500 responses
  • JWT signature not verified server-side
  • No input validation on path params — SSRF
  • One incident · GDPR notification · 4% revenue fine.

With GreatCTO

  • security-officer covers OWASP API1–10 on every commit
  • CORS + CSP + rate-limit gate on senior-dev output
  • Error responses sanitized; stack traces only to logs
  • JWT, OAuth scopes, and session fixation auto-checked
  • Input validation enforced via OpenAPI schema
  • 0-day-1 audit-ready, no compliance officer needed.

Auto-applied gates

Detected: express + postgres → web-service archetype.

Compliance auto-suggested: gdpr · owasp-api-top-10. Specialist agents activated:

01 · security-officer

OWASP API Top-10

A01 broken access control · A02 crypto failures · A03 injection · A07 identification failures. Every commit, every endpoint, every dependency.

02 · performance-engineer

SLO budget design

p50/p95/p99 latency targets · k6 load tests · capacity planning. Activated when performance-sla is set in PROJECT.md.

03 · code-reviewer

12-angle review

Idempotency · concurrency · race conditions · N+1 · cache invalidation · log-injection. 12 independent passes on every PR.

04 · senior-dev

TDD with audit trail

RED → GREEN → IMPROVE. Every gate approval written to ~/.great_cto/decisions.md — append-only, auditor-ready.

Domain pack overlays

Likely to overlay on web-service.

Packs auto-attach when CLI detects pack-specific signals (e.g. twilio in deps → voice-pack). Each pack adds its own reviewer agents + human gates on top of the base archetype pipeline.

+ API Platform
OAuth 2.1, webhook signing, idempotency, RFC 8594 Sunset

30 seconds

Drop into any Express / FastAPI / Django repo.

$ npx great-cto init
no signup · runs locally · pay your own API