🏢 pack: enterprise-pack

Pass SOC2 Type 2 without the consultant retainer.

Q: What human gates does enterprise-pack introduce?

gate:tenant-isolation (security + architect), gate:sox-itgc (compliance + IT lead), gate:audit-log-immutable (security). These layer on top of the standard plan/ship gates.

Q: What if my project doesn't match these signals exactly?

You can manually add the pack name to PROJECT.md or run /migrate to re-run detection with updated rules.

Selling to Fortune 500? GreatCTO auto-attaches enterprise-pack with multi-tenant isolation decision (RLS / schema / DB-per-tenant), SSO (SAML / OIDC / SCIM), SOX ITGC (access control / change mgmt / SoD), immutable audit logs, plus SOC2 Type 2 readiness and admin-impersonation safety.

$ npx great-cto init All packs ↗

Auto-attach signals

Detected by CLI when:

multi-tenant · saml · oidc · scim · soc2 · sox · audit-log · tenant-id · row-level-security

The pack rides on top of your base archetype (web-service, ai-system, fintech, …) — it doesn't replace it. Auto-injects reviewer agents into the pipeline + opens human gates listed below.

Reviewer agents activated

1 specialist added to the pipeline.

01 · enterprise-saas-reviewer

Multi-tenant isolation (RLS / schema / DB) · SAML / OIDC / SCIM · SOX ITGC · immutable audit logs · data-residency · tier-based feature flags · admin-impersonation safety · SOC2 Type 2 readiness

Human gates introduced

3 new gate types on top of `gate:plan` + `gate:ship`.

Gate	Owner	Trigger
`gate:tenant-isolation`	security + architect	before any cross-tenant feature
`gate:sox-itgc`	compliance + IT lead	for changes to access control / SoD
`gate:audit-log-immutable`	security	before any production write

Required artefacts before senior-dev claims tasks

8 concrete deliverables.

✓ Multi-tenant isolation strategy doc (RLS / schema / DB per tenant)
✓ SAML 2.0 + OIDC + SCIM provisioning matrix per IdP (Okta / Azure AD / OneLogin / Ping)
✓ SOX ITGC control matrix (access / change-mgmt / SoD / IT ops)
✓ Immutable audit log via append-only storage (S3 Object Lock / DLT)
✓ Data-residency map (US / EU / APAC regions)
✓ Admin-impersonation audit trail + customer-visible log
✓ SOC2 Type 2 control narratives + evidence collection plan
✓ Tier-based feature flag config (Free / Pro / Enterprise)

EVAL suite required

5 golden-set scenarios shipped as templates.

Each EVAL has ≥5 test cases, pass threshold, regression interpretation, cross-refs to TM + gates. Run via your existing test framework.

EVAL-enterprise-tenant-isolation-rls.md
EVAL-enterprise-saml-scim-roundtrip.md
EVAL-enterprise-sox-sod-violation-detect.md
EVAL-enterprise-audit-log-tamper.md
EVAL-enterprise-admin-impersonation-trail.md

Regulatory surface covered

6 standards / regulations addressed.

SOX § 404 + 302 SOC 2 Type 2 (AICPA TSC) ISO 27001:2022 GDPR Art. 32 (security of processing) CCPA / CPRA NIS2 Directive

FAQ

Common questions about enterprise-pack.

When does enterprise-pack auto-attach?

When the CLI detects these signals in your repo: multi-tenant · saml · oidc · scim · soc2 · sox · audit-log · tenant-id · row-level-security. Override anytime by editing packs: in PROJECT.md.

What human gates does enterprise-pack introduce?

gate:tenant-isolation (security + architect), gate:sox-itgc (compliance + IT lead), gate:audit-log-immutable (security). These layer on top of the standard plan/ship gates.

What if my project doesn't match these signals exactly?

You can manually add the pack name to PROJECT.md or run /migrate to re-run detection with updated rules.

30 seconds

Drop GreatCTO into any repo — enterprise-pack attaches automatically.

$ npx great-cto init

no signup·runs locally·pay your own API