Merged
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -162,6 +162,7 @@ If your team uses another agent config surface, open a
If your team is testing PolicyMesh across multiple repositories, needs org-level
policy review, shared baselines, exception ownership, or cross-repo reports, open a
[team validation signal](https://github.com/Conalh/PolicyMesh/issues/new?template=team-validation.yml).
For a concrete multi-repo trial path, use the [team pilot guide](docs/TEAM_PILOT.md).
The paid-layer validation tracker is
[issue #5](https://github.com/Conalh/PolicyMesh/issues/5); hosted SaaS work should wait for repeated team signals there.

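Review bot: the link on the added line is relative (`docs/TEAM_PILOT.md`) while the two links beside it (`team validation signal`, `issue #5`) are absolute GitHub URLs, so it resolves on the repository page but not wherever the README is rendered outside the repo tree, for example a package registry listing. Consider using the full GitHub URL for the pilot guide so all three links in this paragraph behave the same way.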
55 changes: 55 additions & 0 deletions docs/TEAM_PILOT.md
@@ -0,0 +1,55 @@
# PolicyMesh Team Pilot

Use this when a team wants to validate whether the free GitHub Action is enough before any paid team layer or hosted SaaS work is built.

## Pilot Setup

Run across at least two repositories that use AI-agent configuration in normal pull requests. Start advisory so the pilot measures signal quality without blocking developers.

```yaml
name: PolicyMesh

on:
pull_request:

permissions:
contents: read

jobs:
policymesh:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- uses: Conalh/PolicyMesh@v0.1.18
with:
fail-on: none
```

Keep the workflow unchanged for the first pass unless the repository needs the `repo` input for a subdirectory audit.

## What To Record

For each repository, record:

- Active surfaces: root MCP, Cursor MCP, VS Code MCP, Codeium MCP, Windsurf MCP, Claude settings, Codex settings, and Codex MCP tables.
- Finding counts by severity from the Action summary.
- Whether annotations point at the file and line the team would actually review.
- Whether each warning is actionable, noisy, or missing important context.
- Whether advisory mode is enough or a stricter `fail-on` threshold would be used after tuning.

## Paid-Layer Signals

Do not treat a single warning as paid-layer validation. Paid-layer work needs repeated team needs that the free Action and repo-local workflow config cannot solve.

Useful validation signals include:

- shared baselines or defaults that multiple repositories should inherit;
- central severity policy that cannot be managed in each repo workflow;
- exception ownership, expiry, approval, or review history;
- cross-repo reports, audit exports, or dashboard/API needs;
- a blocker that prevents trying PolicyMesh in pull requests even with `fail-on: none`.

## Report Back

Open a [team validation signal](https://github.com/Conalh/PolicyMesh/issues/new?template=team-validation.yml) with the repository count, active surfaces, finding patterns, and any paid-layer need. The paid-layer tracker remains [issue #5](https://github.com/Conalh/PolicyMesh/issues/5).
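Review bot: the workflow under `## Pilot Setup` pins both actions to mutable tags (`actions/checkout@v6`, `Conalh/PolicyMesh@v0.1.18`); for a guide that asks teams to roll the same workflow out across at least two repositories, recommend pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, since a tag can be moved after the team has reviewed what it points at. The same section also mentions the `repo` input for a subdirectory audit without showing it; a one-line `with:` example there would save readers a trip to the action's reference.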
9 changes: 9 additions & 0 deletions test/workflow.test.mjs
Expand Up @@ -97,6 +97,7 @@ test('issue templates collect detector and team validation feedback', async () =
const missingSurface = await readFile(join(packageRoot, '.github', 'ISSUE_TEMPLATE', 'missing-surface.yml'), 'utf8');
const teamValidation = await readFile(join(packageRoot, '.github', 'ISSUE_TEMPLATE', 'team-validation.yml'), 'utf8');
const readme = await readFile(join(packageRoot, 'README.md'), 'utf8');
const teamPilot = await readFile(join(packageRoot, 'docs', 'TEAM_PILOT.md'), 'utf8');

assert.match(falsePositive, /repository-count/);
assert.match(missingSurface, /Review surface/);
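Review bot: the new `readFile` for `docs/TEAM_PILOT.md` is added to the existing `issue templates collect detector and team validation feedback` test, so if the guide is missing or moves, the failure surfaces as an ENOENT in the issue-template test rather than as a pilot-guide assertion. Consider moving the read and its assertions into a dedicated `test('team pilot guide ...')` block so a failure points at the artifact that actually broke.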
Expand All @@ -108,6 +109,14 @@ test('issue templates collect detector and team validation feedback', async () =
assert.match(teamValidation, /Reporting or export need/);
assert.match(teamValidation, /Team workflow/);
assert.match(teamValidation, /Paid-layer signal/);
assert.match(teamPilot, /Conalh\/PolicyMesh@v0\.1\.18/);
assert.match(teamPilot, /Run across at least two repositories/);
assert.match(teamPilot, /Finding counts by severity/);
assert.match(teamPilot, /shared baselines/);
assert.match(teamPilot, /exception ownership/);
assert.match(teamPilot, /cross-repo reports/);
assert.match(teamPilot, /team-validation\.yml/);
assert.match(readme, /TEAM_PILOT\.md/);
assert.match(readme, /team-validation\.yml/);
assert.match(readme, /issues\/5/);
});
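Review bot: `assert.match(teamPilot, /Conalh\/PolicyMesh@v0\.1\.18/)` hardcodes the current release, so this test fails on every version bump unless the guide is edited in lockstep. Either derive the expected version from the package manifest (the test already has `packageRoot` and `readFile` in scope, assuming the version lives in `package.json`) or loosen the pattern to `/Conalh\/PolicyMesh@v\d+\.\d+\.\d+/` and leave exact-version checking to the release process.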