# Part 4 — Cross-Cutting Problems: Asset Templates

Org-scale assets for the QRefAI *AI Coding Field Guide*, Part 4 — the pieces that
turn per-repo configs into a governed platform. Copy into your `dev-platform` repo
and adapt.

```
.
├── bootstrap-repo.sh                      # 1. Retrofit an EXISTING repo with the standard harness
├── scaffold/                              # 2. GitHub TEMPLATE repo — fork via "Use this template"
│   ├── README.md                          #    how to use the template + sync strategy
│   ├── AGENTS.md                          #    cross-vendor canonical context (golden file)
│   ├── CLAUDE.md                          #    thin Claude wrapper (@imports AGENTS.md)
│   ├── .github/
│   │   ├── copilot-instructions.md        #    Copilot repo-wide layer
│   │   ├── CODEOWNERS                     #    so required code-owner review has owners
│   │   ├── instructions/payments.instructions.md
│   │   ├── agents/security-scout.agent.md
│   │   ├── workflows/security-guard.md
│   │   ├── workflows/agents-md-maintainer.md
│   │   └── rulesets/main-protection.json
│   └── .claude/settings.json              #    hooks seed
├── governance-chain-runbook.md            # 3. Identity → Policy → Review → Audit → Rollout checklist
├── compliance/
│   ├── compliance-crosswalk.xlsx          # 4. Auditor-ready crosswalk (ISO 27001 + NIST 800-53), with Status dropdown
│   └── compliance-crosswalk.csv           #    same data, forkable into any tool
└── gateway/
    └── mcp-gateway-allowlist.json         # 5. Centralized MCP gateway allowlist stub (supply-chain choke point)
```

## How these fit together

- **Two distribution paths, one source of truth.** `scaffold/` is the **golden
  template repo** for *new* repos ("Use this template"); `bootstrap-repo.sh` is the
  **retrofit** for *existing* repos. Both pull from the same golden files, so fixing
  a template once propagates everywhere.
- **The runbook is the operating manual.** `governance-chain-runbook.md` walks the
  five links every org needs — most have the ends (identity, rollout) and miss the
  middle (policy distribution, mandatory review, audit). Work it top to bottom.
- **The crosswalk is what auditors literally ask for.** Each harness artifact is mapped
  to the ISO 27001:2022 Annex A control and the NIST 800-53 Rev. 5 control it evidences,
  plus an "evidence to show an auditor" column and a Status dropdown. Fill in Owner and
  Status and it doubles as your implementation tracker.
- **The gateway is the supply-chain defense.** Route all agent→MCP traffic through
  one choke point that allowlists servers, pins versions, injects secrets and logs
  every call — and enforce its use from `managed-settings.json`. Vendor-native
  allowlists help, but they match on name only and can be bypassed; the gateway is
  the defense in depth.

## Notes

- **`bootstrap-repo.sh` is safe by default** — it never overwrites existing files
  unless you set `OVERWRITE=1`, and it only applies the ruleset if `APPLY_RULESET=1`
  (otherwise it copies the JSON for manual import). Point it at your real template
  with `TEMPLATE_SRC`.
- **JSON files use `//`-prefixed keys for inline docs** (valid JSON; delete in prod),
  consistent with Parts 2–3.
- **The crosswalk is a mapping aid, not a certification.** Map it to your own control
  set and auditor's framework version.
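
As an added example (not one of the field guide's assets), the Python below shows the two points above in working code: why the gateway allowlist should pin version and artifact digest instead of matching on server name alone, and how the `//`-prefixed documentation keys are stripped before the JSON reaches policy logic. The allowlist schema (`servers`, `version`, `sha256`, `tools`), the server name and the digests are constructed assumptions, not the real `mcp-gateway-allowlist.json` schema.

```python
import hashlib
import json

# Constructed digests standing in for the real MCP server artifacts.
PINNED = hashlib.sha256(b"issues-mcp 1.4.2 constructed artifact").hexdigest()
TAMPERED = hashlib.sha256(b"issues-mcp 1.4.2 tampered artifact").hexdigest()
# Constructed allowlist using the guide's `//`-prefixed inline-doc convention (valid JSON).
ALLOWLIST_JSON = """{
  "//": "constructed sample; // keys are docs and are stripped before use",
  "servers": [{
    "//": "pin the version AND the artifact digest, not just the name",
    "name": "issues-mcp",
    "version": "1.4.2",
    "sha256": "<PINNED>",
    "tools": ["list_issues", "get_pull_request"]
  }]
}""".replace("<PINNED>", PINNED)

def strip_doc_keys(obj):
    # Recursively drop `//`-prefixed keys so inline docs never reach policy logic.
    if isinstance(obj, dict):
        return {k: strip_doc_keys(v) for k, v in obj.items() if not k.startswith("//")}
    if isinstance(obj, list):
        return [strip_doc_keys(v) for v in obj]
    return obj

def load_allowlist(text):
    # Parse the allowlist and index it by server name.
    return {s["name"]: s for s in strip_doc_keys(json.loads(text))["servers"]}

def gateway_check(allowlist, name, version, sha256, tool):
    # Gateway decision: name, pinned version, artifact digest and tool must all match.
    # The (allowed, reason) tuple is also what the choke point writes to its audit log.
    entry = allowlist.get(name)
    if entry is None:
        return False, "server not allowlisted"
    if entry["version"] != version:
        return False, "version differs from pin"
    if entry["sha256"] != sha256:
        return False, "artifact digest mismatch"
    if tool not in entry["tools"]:
        return False, "tool not permitted for this server"
    return True, "allowed"

if __name__ == "__main__":
    allow = load_allowlist(ALLOWLIST_JSON)
    # Same name and version, different artifact: a name-only allowlist passes it, the gateway refuses it.
    print("name-only:", "issues-mcp" in allow)
    print("gateway  :", gateway_check(allow, "issues-mcp", "1.4.2", TAMPERED, "list_issues"))
    print("gateway  :", gateway_check(allow, "issues-mcp", "1.4.2", PINNED, "list_issues"))
```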

_Snapshot of the mid-2026 consensus. Re-verify vendor specifics (ruleset fields,
gateway schema, control IDs) before relying on them — this field moves monthly._
