# Phased Asset Checklist — Building the Harness > Build the harness in dependency order. Each phase produces concrete artifacts and > unblocks the next. Checkboxes are Markdown task syntax — they render as interactive > in Notion, GitHub, Obsidian, and most editors. > > QRefAI *AI Coding Field Guide*, Part 6 (Q6.3). Pair with the rollout scorecard > (which governs *deploying* what you build here). How to use: import into Notion (or keep in the platform repo). Assign an owner per phase. Don't start a phase until the prior phase's "exit" item is checked. --- ## Phase 0 — Foundations (decide before building) - [ ] Stand up the `dev-platform` repo from the skeleton. - [ ] Decide build policy: commit `build/` outputs, or treat as ephemeral. - [ ] Pick your model-pinning targets (inference-profile ARNs / deployment names). - [ ] Choose your code-intelligence MCP server (see Part 5 selection sheet). - [ ] Name owners for each of the seven primitives. - [ ] **Exit:** `scripts/compile.sh` runs green on the empty skeleton. ## Phase 1 — Context layer (instruction memory) - [ ] Write the canonical `instructions/AGENTS.md` (lean; version-pinned; real snippets). - [ ] Add `claude-overrides.md` and the front-loaded `copilot-instructions.head.md`. - [ ] Verify the Copilot head compiles to < 4,000 chars. - [ ] Compile and eyeball `CLAUDE.md` + `copilot-instructions.md` outputs. - [ ] **Exit:** a pilot repo loads context correctly on both vendors. ## Phase 2 — Capability layer (skills + MCP) - [ ] Port the starter skill library (code-review, secure-coding-checklist, pii-handling, regulatory-logging, db-migration, incident-runbook). - [ ] Write each skill's `description` as an explicit trigger. - [ ] Move bulky material into each skill's `references/` (tier-3). - [ ] Register code-intelligence + needed MCP servers in `mcp-servers/manifest.json`. - [ ] Add the 1–3 domain skills your org actually needs (payments / kyc / clinical…). - [ ] **Exit:** agents load the right skill for a representative task, unprompted. ## Phase 3 — Control layer (agents + hooks + workflows) - [ ] Author the subagent pack in `agents/` (security-reviewer, code-reviewer, …). - [ ] Add the hooks seed to the repo template (`.claude/settings.json`). - [ ] Write the `protect-paths.sh` blocking gate (PreToolUse). - [ ] Add gh-aw `workflows/` (security-guard at minimum). - [ ] **Exit:** a bad edit is blocked locally AND a bad PR is flagged in CI. ## Phase 4 — Governance layer (policy + review + audit) - [ ] Write `policies/managed-settings.json` (deny-list, model pin, marketplace lock). - [ ] Write `policies/main-protection.json` (auto Copilot review + required human review). - [ ] Stand up the OpenTelemetry pipeline (prompt/tool-use content). - [ ] Schedule the Compliance API daily pull into your warehouse. - [ ] Stream the GitHub Enterprise audit log to your SIEM. - [ ] Fill the compliance crosswalk (artifacts → ISO/NIST controls). - [ ] **Exit:** you can reconstruct an agent action end-to-end from your own data. ## Phase 5 — Distribution - [ ] Write `plugin.json` + `marketplace.json`; SHA-pin plugins. - [ ] Make `templates/repo-template/` a GitHub template repo. - [ ] Wire `bootstrap-repo.sh` to this platform repo as `TEMPLATE_SRC`. - [ ] Distribute `managed-settings.json` via MDM. - [ ] Add the `compile-check.yml` CI gate so outputs never drift from source. - [ ] **Exit:** a brand-new repo and a freshly-bootstrapped existing repo both come up compliant by default. ## Phase 6 — Operate & iterate - [ ] Dashboards live (tool_decision, mcp_connection, blocked-session rate). - [ ] Developer feedback channel for bad blocks; triaged weekly. - [ ] Quarterly review: prune stale instructions, refresh pinned versions & MCP picks. - [ ] Run the `agents-md-maintainer` workflow to catch context drift. - [ ] **Exit (ongoing):** the harness is treated as a living product with an owner. --- ### Progress | Phase | Owner | Status | Exit met? | |-------|-------|--------|-----------| | 0 — Foundations | | | ☐ | | 1 — Context | | | ☐ | | 2 — Capability | | | ☐ | | 3 — Control | | | ☐ | | 4 — Governance | | | ☐ | | 5 — Distribution | | | ☐ | | 6 — Operate | | | ☐ | _Mid-2026 snapshot. Treat the harness as a living product, not a one-time build._