marketing-shibata50/claude-code-ultimate-guide
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
claude-code-ultimate-guide/guide/roles/adoption-approaches.md
Florian BRUNIAUX 77b48db01b docs(security): add enterprise AI governance guide + templates 
New section for org-level Claude Code governance — fills the gap
between individual dev security (security-hardening.md) and what
engineering managers actually need when deploying at scale.

New files:
- guide/security/enterprise-governance.md (1117 lines)
  6 sections: local/shared split, usage charter, MCP approval
  workflow, 4 guardrail tiers (Starter/Standard/Strict/Regulated),
  policy enforcement at scale, SOC2/ISO27001 compliance guide
- examples/scripts/mcp-registry-template.yaml
  Org-level MCP registry with approved/pending/denied tracking
- examples/hooks/bash/governance-enforcement-hook.sh
  SessionStart hook validating MCPs against approved registry
- examples/scripts/ai-usage-charter-template.md
  Full charter template with data classification, use case rules,
  compliance mapping (SOC2/ISO27001/HIPAA/PCI DSS/GDPR)

Enriched sections:
- adoption-approaches.md: enterprise rollout (50+ devs) with
  3-phase approach and common mistakes
- observability.md: manager audit checklist, compliance reporting
- ai-traceability.md: evidence collection table for auditors
- production-safety.md + security-hardening.md: cross-references
  with explicit scope boundaries

Integration: guide/README.md, reference.yaml (22 new entries),
CHANGELOG.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-10 11:05:21 +01:00

430 lines
15 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "Choosing Your Adoption Approach"
description: "Starting points for team adoption patterns and CLAUDE.md configuration strategies"
tags: [guide, config, workflows]
---
# Choosing Your Adoption Approach
> **Disclaimer**: Claude Code is young (~1 year). Nobody has definitive answers yet — including this guide. These are starting points based on observed patterns, not proven best practices. Adapt heavily to your context.
---
## What We Don't Know Yet
Before diving in, here's what remains genuinely uncertain:
- **Optimal CLAUDE.md size** — Some teams thrive with 10 lines, others with 100. No clear winner.
- **Team adoption patterns** — Whether top-down standardization beats organic adoption is unproven.
- **Context management thresholds** — The 70%/90% numbers are heuristics, not science.
- **ROI of advanced features** — MCP servers, hooks, agents — unclear when the setup cost pays off.
If anyone tells you they've figured this out, they're ahead of the field or overconfident.
---
## What We Do Know (Empirical Data)
Some patterns have emerged from practitioner studies and team retrospectives:
| Finding | Data | Implication |
|---------|------|-------------|
| **Scope matters most** | 1-3 files: ~85% success, 8+ files: ~40% | Start small, expand gradually |
| **CLAUDE.md sweet spot** | 4-8KB optimal, >16K degrades coherence | Concise > comprehensive |
| **Session limits** | 15-25 turns before constraint drift | Reset for new tasks |
| **Script generation ROI** | 70-90% time savings reported | Best first use case |
| **Exploration before implementation** | +20-30% decision quality | Ask for alternatives first |
**Source**: MetalBear engineering blog, arXiv practitioner studies, Reddit engineering threads (2024-2025).
---
## Starting Points (Not Prescriptions)
| Your Context | One Approach to Try |
|--------------|---------------------|
| Limited setup time | **Turnkey** — minimal config, iterate based on friction |
| Solo developer | **Autonomous** — learn concepts first, configure when needed |
| Small team (4-10) | **Hybrid** — shared basics + room for personal preferences |
| Larger team (10+) | **Turnkey + docs** — consistency matters more at scale |
These are hypotheses. Your mileage will vary.
---
## Decision Tree
```
Starting Claude Code?
├─ Need to ship today?
│ └─ YES → Turnkey Quickstart
│ └─ NO ↓
├─ Team needs shared conventions?
│ └─ YES → Turnkey + document what matters to you
│ └─ NO ↓
├─ Want to understand before configuring?
│ └─ YES → Autonomous Learning Path
│ └─ NO → Turnkey, adjust as you go
```
---
## Turnkey Quickstart
### Step 1: Create Minimal Config
```bash
mkdir -p .claude
```
Create `.claude/CLAUDE.md`:
```markdown
# Project: [your-project-name]
## Stack
- Runtime: [Node 20 / Python 3.11 / etc.]
- Framework: [Next.js / FastAPI / etc.]
## Commands
- Test: `npm test` or `pytest`
- Lint: `npm run lint` or `ruff check`
## Convention
- [One rule you care most about, e.g., "TypeScript strict mode required"]
```
### Step 2: Verify Setup
```bash
claude
```
Then ask:
```
What's this project's test command?
```
**Pass**: Returns your configured command.
**Fail**: CLAUDE.md not loaded — check path is `.claude/CLAUDE.md` or `./CLAUDE.md`
### Step 3: First Real Task
```bash
claude "Review the README and suggest improvements"
```
Claude should reference your stack and conventions automatically.
**Done.** Add more config only when you hit friction.
---
## Autonomous Learning Path
If you prefer understanding before configuring, here's a progressive approach. No time estimates — speed depends on your familiarity with AI tools.
### Phase 1: Mental Model
**Goal**: Understand how Claude Code operates before adding config.
1. Read [Section 5: Mental Model](./ultimate-guide.md) (line 1675)
2. Core concept: Claude works in a loop — prompt → plan → execute → verify
3. **Try it**: Complete a few real tasks with zero config. Notice where friction appears.
### Phase 2: Context Management
**Goal**: Understand the main constraint of the tool.
1. Read [Context Management](./ultimate-guide.md) (line 944)
2. The general idea (exact thresholds vary by use case):
- Low usage: work freely
- Medium usage: be more selective
- High usage: consider `/compact`
- Near limit: `/clear` to reset
3. **Try it**: Check `/status` periodically. See how your usage patterns develop.
### Phase 3: Memory Files
**Goal**: Give Claude project context.
1. Read [Memory Files](./ultimate-guide.md) (line 2218)
2. Precedence: project `.claude/CLAUDE.md` > global `~/.claude/CLAUDE.md`
3. **Try it**: Create a minimal CLAUDE.md, test if Claude picks it up.
### Phase 4: Extensions (when friction appears)
Add complexity only when you hit real problems:
| Friction | Possible Solution | Reference |
|----------|-------------------|-----------|
| Repeating same task often | Consider an agent | [Agent Template](./ultimate-guide.md) line 2793 |
| Security concern | Consider a hook | [Hook Templates](./ultimate-guide.md) line 4172 |
| Need external tool access | Consider MCP | [MCP Config](./ultimate-guide.md) line 4771 |
| AI repeats same mistake | Add a specific rule | Start with one line, not ten |
Whether these solutions are worth the setup cost depends on your context.
---
## Sanity Checks
These are signals that things are working, not rigid milestones.
### Basic Setup Works
```bash
claude --version # Responds with version
claude /status # Shows context info
claude /mcp # Lists MCP servers (may be empty)
```
If these fail: installation issue — try `claude doctor`.
### Config Is Being Read
**Test**: Ask Claude "What's the test command for this project?"
If it returns your configured command, CLAUDE.md is loaded. If not, check the path.
### You're Managing Context
**Signal**: You've noticed when context gets high and acted on it.
This develops naturally with use. If you never think about context, either you're not using Claude intensively, or you're ignoring signals that might matter.
### Extensions Feel Useful (or not needed)
**Signal**: You've either created something (agent, hook, command) that helps, or you haven't needed to.
Both are fine. Extensions are optional — don't add them just to have them.
---
## Common Pitfalls
These patterns seem problematic based on observations, though individual experiences vary.
| Pattern | What happens | Alternative |
|---------|--------------|-------------|
| **Large copied config** | Rules get ignored, unclear what matters | Start small, add based on friction |
| **Over-engineering setup** | Time spent configuring instead of coding | Use templates as starting point |
| **No shared conventions** | Team members diverge, onboarding confusion | Document a few essentials |
| **Everything enabled immediately** | Complexity without clear benefit | Enable features when you need them |
These aren't universal truths — some teams thrive with large configs or full feature sets.
---
## Team Size Considerations
These are starting points, not rules. Team dynamics matter more than headcount.
### Solo / Small Team (2-3)
**Typical structure**:
```
./CLAUDE.md # Project basics, committed
~/.claude/CLAUDE.md # Personal preferences
```
**What might work**:
- Short project CLAUDE.md with stack and main commands
- Personal config for model preferences, flags
- Extensions only if you find yourself repeating tasks often
**Watch for**: Over-engineering. If you're spending more time on config than coding, step back.
### Medium Team (4-10)
**Typical structure**:
```
./CLAUDE.md # Team conventions (committed)
./.claude/settings.json # Shared hooks (committed)
~/.claude/CLAUDE.md # Individual preferences (not committed)
```
**What might work**:
- Shared conventions that the team actually follows
- Security hooks if relevant to your context
- Room for personal preferences
**One way to split things**:
| Shared (repo) | Personal (~/.claude) |
|---------------|----------------------|
| Test/lint commands | Model preferences |
| Project conventions | Custom agents |
| Commit format | Flag defaults |
**Production teams**: Implement [Production Safety Rules](production-safety.md) for port/DB/infrastructure protection via hooks and permission deny rules.
**Watch for**: Conventions that exist on paper but aren't followed.
### Larger Team (10+)
**Typical structure**:
```
./CLAUDE.md # Documented, committed
./.claude/settings.json # Standard hooks, committed
./.claude/agents/ # Shared agents, committed
~/.claude/CLAUDE.md # Personal additions
```
**What might work**:
- Documented conventions with rationale
- Standardized hooks across the team
- Onboarding that covers basics like `/status`
- **Production teams**: Enforce [Production Safety Rules](production-safety.md) via hooks and permission deny rules
**Watch for**: Config drift. Without some coordination, setups diverge over time. Whether that matters depends on your team.
> **Emerging approach**: Some organizations explore "corporate AI marketplaces" to pool AI skills, agents, and rules at the organizational level rather than individual teams (Hugo/Writizzy 2026[^hugo2026]). Few documented production implementations yet, but the concept addresses governance at scale.
### Enterprise Rollout (50+ developers or regulated environments)
At this scale, individual team setups are not enough. You need a shared config baseline that applies consistently across all projects.
**Phased rollout approach:**
**Phase 1 — Foundation (Week 12)**: Establish the governance baseline.
- Create org-level shared config repo (`.claude/` templates per tier)
- Publish AI Usage Charter (see [charter template](../../examples/scripts/ai-usage-charter-template.md))
- Start MCP registry with currently-used MCPs (even if just 3 entries)
- Install global safety hooks on all developer machines via onboarding script
**Phase 2 — Adoption (Week 36)**: Roll out project configs.
- Classify existing projects by tier (Starter / Standard / Strict / Regulated)
- Bootstrap each project with the appropriate tier config via setup script
- Add Claude Code onboarding to engineering onboarding checklist
- Run first governance audit to baseline the current state
**Phase 3 — Optimization (Month 23)**: Refine based on friction.
- Review hook false positive rate — tune rules that block legitimate work
- Identify MCP requests and process them through registry workflow
- Add CI/CD governance gates to catch config drift
- Conduct first quarterly MCP registry review
**Common rollout mistakes at this scale:**
| Mistake | Effect | Fix |
|---------|--------|-----|
| Rolling out Strict tier everywhere on day 1 | Developer resistance, workarounds | Start with Standard, move critical projects to Strict |
| No central config repo | Every team diverges within weeks | Platform team owns shared templates |
| Governance checks that block work | Developers disable hooks | Warn-only hooks, fix the root cause |
| No onboarding → charter ignored | Policy exists on paper only | 30-min onboarding session per team |
**For formal compliance programs** (SOC2, ISO27001, HIPAA), the additional requirements around audit trails, data classification, and review cycles are covered in [Enterprise AI Governance](../security/enterprise-governance.md).
[^hugo2026]: Hugo, ["AI's Impact on State of the Art in Software Engineering in 2026"](https://eventuallymaking.io/p/ai-s-impact-on-the-state-of-the-art-in-software-engineering-in-2026), Feb 6, 2026. Based on interviews with Doctolib, Malt, Alan, Google Cloud, Brevo, ManoMano, Ilek, Clever Cloud engineering teams.
---
## Common Situations
### "I'm evaluating Claude Code for my team"
**Quick test approach**:
1. Install: `npm i -g @anthropic-ai/claude-code`
2. Run in an existing project: `claude`
3. Try a real task: `claude "Analyze this codebase architecture"`
4. Check `/status` to understand token usage
**Questions to answer**:
- Does Claude understand your stack without config?
- Does a minimal CLAUDE.md improve results?
- Can your team learn context management basics?
Consider skipping advanced features (MCP, hooks, agents) during initial evaluation.
### "My team disagrees on configuration"
**One way to think about it**:
| Layer | Typical owner | Typical content |
|-------|---------------|-----------------|
| Repo CLAUDE.md | Team decision | Stack, commands, core conventions |
| Repo hooks | Security-minded team members | Guardrails if needed |
| Personal ~/.claude | Individual | Preferences, personal agents |
How you resolve conflicts depends on your team culture. Some teams vote, some defer to tech leads, some let individuals diverge.
### "Claude keeps making the same mistake"
**Tempting**: Add many rules to prevent it.
**Often better**: Add one specific rule, test if it works, iterate.
```markdown
## [Specific issue]
When doing [X], avoid [specific mistake].
Instead: [correct approach]
```
If the rule doesn't help, it might be too vague. Make it more specific or reconsider if rules are the right solution.
### "I inherited a large CLAUDE.md"
**One approach**:
1. Ask Claude to summarize what the CLAUDE.md says
2. Compare to what the team actually does
3. Remove rules that aren't followed or referenced
4. Keep what's genuinely useful
**Heuristic**: If you can't explain why a rule exists, consider removing it.
### "When should I add more complexity?"
There's no universal answer. Some signals that might suggest it:
| Signal | Possible response |
|--------|-------------------|
| Repeating the same prompt often | Consider a command |
| Security concern | Consider a hook |
| Need external tool access | Consider MCP |
| Same questions from team | Consider documentation |
But also: maybe you don't need more complexity. Simple setups work for many teams.
---
## Quick Reference
### Useful Commands
| Command | Purpose |
|------------|----------------------------------|
| `/status` | Check context usage |
| `/compact` | Compress context when it's high |
| `/clear` | Reset context entirely |
| `/plan` | Enter planning mode |
| `/model` | Switch between models |
How often you use these depends on your workflow.
### Model Costs (Relative)
| Model | Cost | Typical use cases |
|--------|------|--------------------------------|
| Haiku | $ | Simple tasks, quick responses |
| Sonnet | $$ | General development |
| Opus | $$$ | Complex analysis, architecture |
Most people start with Sonnet. Adjust based on your experience.
---
## Related Resources
- [Personalized Onboarding](../tools/onboarding-prompt.md) — Interactive setup
- [Setup Audit](../tools/audit-prompt.md) — Diagnose configuration issues
- [Examples Library](../examples/README.md) — Templates to adapt
- [Main Guide](./ultimate-guide.md) — Full reference
- [Reference YAML](../machine-readable/reference.yaml) — Condensed lookup
---
*This guide reflects current observations, not proven best practices. The field is young — adapt heavily to your context. Feedback welcome: [CONTRIBUTING.md](../CONTRIBUTING.md)*
Reference in a new issue View git blame Copy permalink