# Part 2 — Claude Code: Asset Templates

Downloadable, fill-in templates for every major Claude Code configuration surface
in the QRefAI *AI Coding Field Guide*, Part 2. Copy these into your platform repo
and replace every `<PLACEHOLDER>`.

```
.
├── CLAUDE.md                              # 1. Instruction-memory golden template (≤200-line budget annotated)
├── agents/                                # 2. Subagent pack (.claude/agents/*.md)
│   ├── security-reviewer.md               #    read-only security persona; blocks on hard-coded secrets
│   ├── code-reviewer.md                   #    general review; shares the code-review skill with Copilot
│   ├── architect-review.md                #    pipeline stage: validates the PLAN before code
│   ├── implementer-tester.md              #    execution stage; run in a FORKED context
│   └── docs-writer.md                     #    cheap haiku persona; match model/effort to the job
├── skills/regulatory-logging/             # 3. Skill template (open SKILL.md standard)
│   ├── SKILL.md                           #    description-as-trigger pattern called out
│   ├── references/redaction-rules.md      #    tier-3 bulky material (0 tokens until opened)
│   ├── scripts/check-audit-coverage.sh    #    tier-3 executable helper
│   └── assets/audit-event.template.json   #    tier-3 copy-from template
├── hooks/                                 # 4. Hooks bundle (control layer)
│   ├── settings.json                      #    three jobs: protect-paths / lint / audit
│   └── protect-paths.sh                   #    PreToolUse gate — exit 2 BLOCKS the edit
├── policies/                              # 5. Enterprise policy plane
│   ├── managed-settings.json              #    deny-list / model-pinning / marketplace-lock; array-merge rule documented
│   └── managed-settings.d-10-security.json#    team-owned fragment showing array merge in practice
├── plugin-example/.claude-plugin/         # 6. Private-marketplace starter pair
│   ├── plugin.json                        #    minimal plugin bundle manifest
│   └── marketplace.json                   #    catalog manifest; SHA-pinning rule documented
└── telemetry/                             # 7. Two-pipeline audit
    ├── otel.env                           #    OpenTelemetry — covers prompt/tool-use content
    └── compliance-pull.sh                 #    Compliance API daily pull — does NOT cover that content
```

## Notes

- **JSON files use `//`-prefixed keys for inline documentation.** These are valid
  JSON strings (Claude Code ignores unknown keys), so the files parse as-is. Delete
  the `//` keys in production if you prefer.
- **`audit-event.template.json` is JSONC** (it has real `//` line comments) because
  it's a copy-from template, not a parsed config.
- **Shell scripts are stubs.** Wire `protect-paths.sh`, `check-audit-coverage.sh`,
  and `compliance-pull.sh` to your real codebase patterns, auth, and warehouse.
- **The through-line:** always-true facts → `CLAUDE.md`; task playbooks → skills;
  workers with a role → subagents; advisory rules become enforced only via hooks;
  user-unoverridable policy → `managed-settings.json`; audit needs **both** pipelines.

_Snapshot of the mid-2026 consensus. Re-verify vendor specifics (flags, event names,
API paths) before relying on them — this field moves monthly._