otto

🛡️ GDPR & LGPD Privacy Guardian: Automated compliance scanner that detects PII exposure, insecure logging, and tracking violations in your codebase to prevent regulatory fines.

Introduction

OTTO is a specialized privacy compliance agent designed to safeguard development workflows against critical data protection violations. By integrating directly into AI-assisted coding environments like Claude Code, Cursor, and OpenCode, it serves as an automated firewall that sits between AI-generated code and production commits. The agent focuses on detecting violations of EU GDPR (2016/679) and Brazilian LGPD (13.709/18) regulations, helping developers identify high-risk code patterns that could lead to severe financial penalties—often reaching up to 4% of annual global turnover. It is an essential tool for engineering teams and individual developers who rely on LLMs to accelerate coding but need to maintain strict regulatory compliance.

  • Automatically scans codebases for hardcoded sensitive data such as SSNs, national IDs, email addresses, and phone numbers.

  • Identifies unsafe logging practices, including the accidental output of user objects or query strings containing PII to logs.

  • Detects missing consent checks for tracking scripts, analytics, and cookie implementations to ensure lawful data processing.

  • Analyzes SQL queries and API endpoints for data minimization violations, flagging 'SELECT *' patterns that expose excessive user information.

  • Monitors for unencrypted sensitive data, including plaintext passwords, API keys, and insecure storage methods like localStorage for authentication tokens.

  • Provides immediate, actionable feedback in the terminal, blocking commits until privacy violations are rectified with suggested code fixes.

  • Operates in both automatic hook mode (Claude Code) and manual invocation mode (/otto) for broader editor compatibility.

  • Intended for developers working on applications that handle user data, especially those shipping products to European and Brazilian markets.

  • Supports integration into build pipelines and CI/CD workflows to catch compliance regressions during the development cycle.

  • Designed to function with various programming languages, focusing on patterns typical in JavaScript, TypeScript, and SQL database interactions.

  • Constantly updated with regex-based pattern matching to evolve alongside changing privacy compliance requirements.

  • Employs a defensive approach by emphasizing security-by-design, purpose limitation, and the principles of data minimization.
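As an added illustration of the regex-based detection the feature list describes (example code written for this page, not otto's own rules), the following Python scanner runs a small hypothetical rule set over a constructed JavaScript/SQL snippet and reports the findings that would block a commit:

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of JavaScript/SQL source lines (not taken from the otto repo).
SAMPLE_SOURCE = """\
const supportEmail = "alice@example.com";
const ssn = "123-45-6789";
console.log("user:", user);
logger.info(`query ${req.url}?email=${email}`);
db.query("SELECT * FROM users WHERE id = $1", [id]);
localStorage.setItem("authToken", token);
const safe = db.query("SELECT id, name FROM users WHERE id = $1", [id]);
"""

@dataclass
class Finding:
    line_no: int
    rule: str
    snippet: str

# Hypothetical rules mirroring the categories in the description above:
# hardcoded PII, PII reaching logs, SELECT * over user tables, tokens in localStorage.
RULES = [
    ("hardcoded-email", re.compile(r'["\'][\w.+-]+@[\w-]+\.[\w.]+["\']')),
    ("hardcoded-ssn", re.compile(r'["\']\d{3}-\d{2}-\d{4}["\']')),
    ("log-user-object", re.compile(r'\bconsole\.log\([^)]*\buser\b')),
    ("log-query-string", re.compile(r'\b(?:logger|console)\.\w+\([^)]*\breq\.url\b')),
    ("select-star", re.compile(r'\bSELECT\s+\*\s+FROM\b', re.IGNORECASE)),
    ("token-in-localstorage", re.compile(r'\blocalStorage\.setItem\(\s*["\'][^"\']*[Tt]oken')),
]

def scan(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, in source order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, name, line.strip()))
    return findings

def should_block_commit(source: str) -> bool:
    """A pre-commit hook would reject the commit when any rule fires."""
    return bool(scan(source))

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: [{f.rule}] {f.snippet}")
```

The last sample line, which selects only the columns it needs, produces no finding; the other six each trigger exactly one rule.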

Repository Stats

  • Stars: 12

  • Forks: 0

  • Open Issues: 0

  • Language: Python

  • Default Branch: main

  • Sync Status: Idle

  • Last Synced: May 3, 2026, 05:31 PM