Enterprise Pilot Blueprint
Use this blueprint when you want to pilot SCC with one or two teams before a wider rollout.
SCC v1 is the governed runtime layer for AI coding agents. It standardizes how agents run, which plugins and MCP servers are allowed, how project configuration is inherited, and how developers can inspect the effective configuration.
Pilot Scope
Section titled “Pilot Scope”Start with:
- one organization config;
- one or two team profiles;
- one real project per team;
- Claude Code and/or Codex as the approved providers;
- one network policy baseline;
- one documented exception process.
Do not start the pilot by designing a new project registry, identity platform, or plugin marketplace workflow. SCC already treats the current project as the repository/worktree being launched.
Baseline Controls
Section titled “Baseline Controls”| Surface | Pilot decision |
|---|---|
| Providers | Choose which teams can use Claude Code, Codex, or both |
| Plugins | Approve marketplaces and default plugins in org config |
| MCP servers | Allow only declared org/team/project MCP servers |
| Network policy | Set the org default, then let teams/projects tighten only |
| Dev environment commands | Use named dev_environment.commands; execute only with scc dev run <name> so audit and cwd bounds apply |
| Project config | Allow .scc.yaml only for teams that can support it |
| Exceptions | Use time-bounded local or policy exceptions |
Rollout Steps
Section titled “Rollout Steps”-
Create the org config.
Terminal window scc org initscc org validate org-config.json -
Select a pilot team and verify its effective config.
Terminal window scc team switch backendscc config explainscc config explain --json -
Add one project
.scc.yamlonly if the team needs project-specific additions.Terminal window scc config validatescc config explain --field deniedscc config explain --field network -
Run a dry launch before asking developers to use the profile.
Terminal window scc start --dry-run --non-interactive ~/project -
Capture troubleshooting artifacts during the pilot.
Terminal window scc support bundlescc support launch-auditscc support safety-audit
Executable Pilot Config
Section titled “Executable Pilot Config”Start with one org config and one project config. Keep identifiers boring and auditable; the value is in repeatable inheritance, not a clever naming scheme.
{ "schema_version": "1.0.0", "organization": { "name": "Example Municipality", "id": "example-muni" }, "defaults": { "allowed_providers": ["claude", "codex"], "allowed_plugins": ["scc-safety-net", "internal-*"], "allowed_mcp_servers": ["*.example.gov"], "network_policy": "web-egress-enforced", "dev_environment": { "commands": { "test": { "argv": ["uv", "run", "pytest", "-q"], "working_directory": ".", "timeout_seconds": 120, "description": "Run the project test suite" } } }, "session": { "timeout_hours": 8, "auto_resume": true } }, "security": { "blocked_plugins": ["shadow-*"], "blocked_mcp_servers": ["*.personal.example"], "allow_stdio_mcp": false }, "delegation": { "teams": { "allow_additional_plugins": ["internal-*"], "allow_additional_mcp_servers": ["casework"], "allow_dev_environment_commands": ["casework"] }, "projects": { "inherit_team_delegation": true } }, "profiles": { "casework": { "description": "Casework pilot team", "allowed_plugins": ["scc-safety-net"], "additional_plugins": ["internal-case-helper"], "additional_mcp_servers": [ { "name": "casework", "type": "sse", "url": "https://casework.example.gov/mcp" } ], "delegation": { "allow_project_overrides": true } } }}additional_plugins: - internal-repo-linter
additional_mcp_servers: - name: project-docs type: sse url: https://docs.example.gov/mcp
# Projects may tighten inherited policy.network_policy: locked-down-web
session: timeout_hours: 4
dev_environment: commands: test: argv: ["uv", "run", "pytest", "-q"] working_directory: "." timeout_seconds: 120 description: "Run this repository's test suite" logs: api: argv: ["docker", "compose", "logs", "--tail", "100", "api"] timeout_seconds: 30 description: "Read recent API logs" health_checks: api: argv: ["curl", "-fsS", "http://localhost:8000/health"] timeout_seconds: 10 description: "Check local API health"Run the pilot checks from the project repository:
scc org validate org-config.jsonscc team switch caseworkscc config validatescc config explainscc config explain --jsonscc config explain --field networkscc config explain --field blockedscc config explain --field deniedscc config explain --field dev_environmentscc dev status . --jsonscc dev run test . --jsonscc dev logs api . --jsonscc dev health api . --jsonscc start --provider claude --dry-run --json --non-interactive .scc start --provider codex --dry-run --json --non-interactive .scc support bundleExpected review signals:
- effective provider is either
claudeorcodex; - effective team is
casework; internal-case-helperandinternal-repo-linterappear only if allowed by policy;- looser
network_policyattempts would appear under “Ignored Policy Changes”; dev_environment.commands,dev_environment.logs, anddev_environment.health_checksappear in explain/status output with fixedargvlists;scc dev status . --jsonreports the effective bridge contract without executing a host process;scc dev run test . --json,scc dev logs api . --json, andscc dev health api . --jsonwrite pre-execution audit events, return bounded stdout/stderr tails, and do not put stdout/stderr content in durable audit metadata;- network MCP servers are blocked when the effective policy is
locked-down-web; - dry-run output contains the provider launch contract without starting Docker;
- support bundle manifest includes provider, runtime, policy, and work-context evidence.
Project Switching Model
Section titled “Project Switching Model”In v1, project identity is the repository/worktree path that SCC launches, plus the selected team and provider. Quick resume uses that work context rather than a separate project registry.
For developers, the workflow is:
scc team switch backendcd ~/project-ascc start
scc team switch platformcd ~/project-bscc start --provider codexUse .scc.yaml for project-specific additions, not for team selection. If a developer needs to change teams for a project, use scc team switch or scc start --team.
Audit Checks
Section titled “Audit Checks”For a pilot review, collect:
scc config explain --jsonfor each pilot team/project;scc doctor <project> --jsonfor each devcontainer-based project;scc start --dry-run --json --non-interactive <project>for each provider;scc support bundleafter representative launches;- the org config and any project
.scc.yamlfiles reviewed in the pilot.
Use these artifacts to answer:
- Which provider ran?
- Which team profile applied?
- Which plugins and MCP servers were active?
- Which additions were blocked, denied, or ignored?
- Which network policy was effective?
- Which named dev-environment commands were accepted, denied, ignored, or run?
- If launching from a devcontainer, did
runtime_mount_sourcematch the host-visible workspace path expected by the Docker daemon? - For devcontainer or Compose projects, did the “Dev Environment Bridge” doctor check list the detected files and state that SCC does not mount the Docker socket into agent containers or attach them to arbitrary project networks?
For pilot machines that intentionally allow live Docker smoke checks, run:
SCC_REAL_RUNTIME_SMOKE=1 \SCC_REAL_RUNTIME_IMAGE=scc-agent-claude:latest \uv run pytest -q --no-cov -m real_runtimeThis is optional. Normal SCC CI does not require Docker.
Not in v1
Section titled “Not in v1”These are roadmap items, not pilot prerequisites:
- SSO, SAML federation, and SCIM provisioning;
- group-to-team, provider, policy profile, and admin-role entitlement mapping;
- provider credential brokering;
- read-only enterprise admin visibility;
- centralized SBOM export;
- CycloneDX inventory generation;
- running the agent inside the existing devcontainer;
- attaching the SCC agent container to arbitrary devcontainer or Compose service networks;
- a central project registry.
The planned identity work is tracked in Enterprise Identity Roadmap. That page is a future-state architecture note, not a current SCC v1 capability list.