http://www.markalston.net/claude-code-wiki/enterprise-rollout/appendix/Recent content in Appendix on Claude Code WikiHugoen-ushttp://www.markalston.net/claude-code-wiki/enterprise-rollout/appendix/build-out-timeline/Mon, 01 Jan 0001 00:00:00 +0000http://www.markalston.net/claude-code-wiki/enterprise-rollout/appendix/build-out-timeline/<h1 id="build-out-timeline--12-week-implementation">Build-Out Timeline &ndash; 12-Week Implementation<a class="anchor" href="#build-out-timeline--12-week-implementation">#</a></h1> <h2 id="week-by-week-schedule">Week-by-Week Schedule<a class="anchor" href="#week-by-week-schedule">#</a></h2> <h3 id="weeks-12-discovery-and-infrastructure-design">Weeks 1–2: Discovery and Infrastructure Design<a class="anchor" href="#weeks-12-discovery-and-infrastructure-design">#</a></h3> <p><strong>Infrastructure Workstream</strong></p> <ul> <li>CISO alignment meeting: define &ldquo;no code leaves network&rdquo; (Level 1, 2, or 3)</li> <li>Design AWS account structure for Bedrock isolation</li> <li>Design VPC endpoint + PrivateLink architecture</li> <li>Evaluate LLM gateway options (LiteLLM vs. Kong vs. Portkey)</li> <li>Begin Terraform for VPC endpoint and networking</li> </ul> <p><strong>Platform Engineering Workstream</strong></p> <ul> <li>Inventory top 5 codebases by developer count</li> <li>Interview 2–3 senior engineers per codebase: &ldquo;What do you always tell new developers? What patterns do people consistently get wrong?&rdquo;</li> <li>Identify Cohort 1 candidates (25 power users)</li> </ul> <p><strong>Change Management Workstream</strong></p>http://www.markalston.net/claude-code-wiki/enterprise-rollout/appendix/cf-analogy-map/Mon, 01 Jan 0001 00:00:00 +0000http://www.markalston.net/claude-code-wiki/enterprise-rollout/appendix/cf-analogy-map/<h1 id="cloud-foundry-to-claude-code-analogy-map">Cloud Foundry to Claude Code Analogy Map<a class="anchor" href="#cloud-foundry-to-claude-code-analogy-map">#</a></h1> <p>For consultants coming from a Cloud Foundry background, these analogies help translate platform engineering concepts into the Claude Code domain.</p> <h2 id="core-concept-mapping">Core Concept Mapping<a class="anchor" href="#core-concept-mapping">#</a></h2> <table> <thead> <tr> <th>Cloud Foundry</th> <th>Claude Code</th> <th>Explanation</th> </tr> </thead> <tbody> <tr> <td><strong>Org/Space structure</strong></td> <td>Settings hierarchy (managed → project → user)</td> <td>Multi-level configuration with inheritance and isolation between teams</td> </tr> <tr> <td><strong>Buildpacks</strong></td> <td>Skills and CLAUDE.md conventions</td> <td>Opinionated frameworks that encode best practices &ndash; developers get patterns by default</td> </tr> <tr> <td><strong>Service Broker catalog</strong></td> <td>Approved MCP servers</td> <td>Curated set of external integrations available to developers, centrally managed</td> </tr> <tr> <td><strong>App manifest (manifest.yml)</strong></td> <td>Project <code>.claude/settings.json</code> + <code>CLAUDE.md</code></td> <td>Declarative configuration checked into the repo that defines how the tool interacts with the project</td> </tr> <tr> <td><strong>Platform operator</strong></td> <td>Platform engineering team managing <code>managed-settings.json</code></td> <td>Central team that owns the platform layer, sets policies, and enables developer self-service</td> </tr> <tr> <td><strong><code>cf push</code></strong></td> <td>Developer runs <code>claude</code> with everything pre-configured</td> <td>The developer experience is simple because the platform handles complexity underneath</td> </tr> <tr> <td><strong>Stemcells / base images</strong></td> <td>Devcontainers / Coder workspace templates</td> <td>Standardized environment that ensures consistent tooling across all developers</td> </tr> <tr> <td><strong>Diego cells</strong></td> <td>LLM Gateway + Bedrock</td> <td>The compute layer that actually runs workloads, abstracted from the developer</td> </tr> <tr> <td><strong>UAA (User Account and Authentication)</strong></td> <td>SSO + gateway authentication</td> <td>Centralized identity and access management</td> </tr> <tr> <td><strong>Quota plans</strong></td> <td>Per-team token budgets via LLM gateway</td> <td>Resource limits that prevent any single team from consuming disproportionate capacity</td> </tr> <tr> <td><strong>App security groups</strong></td> <td>Deny rules in managed-settings.json</td> <td>Network/access restrictions that define what the workload can and cannot reach</td> </tr> <tr> <td><strong>Route services / service mesh</strong></td> <td>LLM Gateway (LiteLLM / Kong AI)</td> <td>Intermediary that handles routing, auth, logging, and policy enforcement</td> </tr> <tr> <td><strong>BOSH releases</strong></td> <td>Skills packaged as plugins</td> <td>Versioned, distributable packages of capability</td> </tr> <tr> <td><strong>Cloud Controller API</strong></td> <td>Claude Code CLI + MCP protocol</td> <td>The interface through which developers and automation interact with the platform</td> </tr> <tr> <td><strong>Logs / Loggregator</strong></td> <td>CloudTrail + gateway logs + CloudWatch</td> <td>Multi-layer observability stack for audit, debugging, and cost tracking</td> </tr> <tr> <td><strong>Ops Manager tiles</strong></td> <td>MCP server integrations</td> <td>Pre-built integrations that extend the platform&rsquo;s capabilities</td> </tr> </tbody> </table> <h2 id="the-core-insight">The Core Insight<a class="anchor" href="#the-core-insight">#</a></h2> <p><strong>Claude Code without platform engineering is like giving 500 developers raw <code>cf push</code> access with no buildpacks, service brokers, or app manifests.</strong></p>http://www.markalston.net/claude-code-wiki/enterprise-rollout/appendix/reference-configs/Mon, 01 Jan 0001 00:00:00 +0000http://www.markalston.net/claude-code-wiki/enterprise-rollout/appendix/reference-configs/<h1 id="reference-configurations">Reference Configurations<a class="anchor" href="#reference-configurations">#</a></h1> <h2 id="managed-settingsjson-enterprise-baseline">managed-settings.json (Enterprise Baseline)<a class="anchor" href="#managed-settingsjson-enterprise-baseline">#</a></h2> <p>Deploy to all developer machines via Mobile Device Management (MDM).</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;env&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;CLAUDE_CODE_USE_BEDROCK&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;ANTHROPIC_BEDROCK_BASE_URL&#34;</span><span class="p">:</span> <span class="s2">&#34;https://llm-gateway.internal.corp.com/bedrock&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;CLAUDE_CODE_SKIP_BEDROCK_AUTH&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;cleanupPeriodDays&#34;</span><span class="p">:</span> <span class="mi">14</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;permissions&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;disableBypassPermissionsMode&#34;</span><span class="p">:</span> <span class="s2">&#34;disable&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;deny&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Read(**/.env)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Read(**/.env.*)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Read(**/secrets/**)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Read(**/.ssh/**)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Read(**/credentials*)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(sudo:*)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(su:*)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(curl:*)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(wget:*)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(ssh:*)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(rm -rf:*)&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;allowManagedPermissionRulesOnly&#34;</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;allowManagedHooksOnly&#34;</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;strictKnownMarketplaces&#34;</span><span class="p">:</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div><h3 id="file-locations">File Locations<a class="anchor" href="#file-locations">#</a></h3> <table> <thead> <tr> <th>Platform</th> <th>Path</th> </tr> </thead> <tbody> <tr> <td>macOS</td> <td><code>/Library/Application Support/ClaudeCode/managed-settings.json</code></td> </tr> <tr> <td>Linux</td> <td><code>/etc/claude-code/managed-settings.json</code></td> </tr> <tr> <td>Windows</td> <td><code>C:\Program Files\ClaudeCode\managed-settings.json</code></td> </tr> </tbody> </table> <h2 id="developer-shell-environment-variables">Developer Shell Environment Variables<a class="anchor" href="#developer-shell-environment-variables">#</a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># /etc/profile.d/claude-code.sh</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Bedrock routing (also set in managed-settings.json env)</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">CLAUDE_CODE_USE_BEDROCK</span><span class="o">=</span><span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">ANTHROPIC_BEDROCK_BASE_URL</span><span class="o">=</span><span class="s1">&#39;https://llm-gateway.internal.corp.com/bedrock&#39;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">CLAUDE_CODE_SKIP_BEDROCK_AUTH</span><span class="o">=</span><span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC</span><span class="o">=</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Corporate CA cert for proxy (if applicable)</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">NODE_EXTRA_CA_CERTS</span><span class="o">=</span><span class="s1">&#39;/etc/ssl/certs/corp-ca-bundle.pem&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Optional: Model overrides</span> </span></span><span class="line"><span class="cl"><span class="c1"># export ANTHROPIC_MODEL=&#39;claude-sonnet-4-5-20250929&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># export ANTHROPIC_DEFAULT_HAIKU_MODEL=&#39;us.anthropic.claude-haiku-4-5-20251001-v1:0&#39;</span></span></span></code></pre></div><h2 id="terraform-vpc-endpoint-for-bedrock">Terraform: VPC Endpoint for Bedrock<a class="anchor" href="#terraform-vpc-endpoint-for-bedrock">#</a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_vpc_endpoint&#34; &#34;bedrock_runtime&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> vpc_id</span> <span class="o">=</span> <span class="k">aws_vpc</span><span class="p">.</span><span class="k">main</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"><span class="n"> service_name</span> <span class="o">=</span> <span class="s2">&#34;com.amazonaws.${var.region}.bedrock-runtime&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> vpc_endpoint_type</span> <span class="o">=</span> <span class="s2">&#34;Interface&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> private_dns_enabled</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> subnet_ids</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">private_subnet_ids</span> </span></span><span class="line"><span class="cl"><span class="n"> security_group_ids</span> <span class="o">=</span> <span class="p">[</span><span class="k">aws_security_group</span><span class="p">.</span><span class="k">bedrock_endpoint</span><span class="p">.</span><span class="k">id</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> policy</span> <span class="o">=</span> <span class="k">jsonencode</span><span class="p">(</span>{ </span></span><span class="line"><span class="cl"><span class="n"> Version</span> <span class="o">=</span> <span class="s2">&#34;2012-10-17&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> Statement</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> { </span></span><span class="line"><span class="cl"><span class="n"> Effect</span> <span class="o">=</span> <span class="s2">&#34;Allow&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> Principal</span> <span class="o">=</span> <span class="s2">&#34;*&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> Action</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;bedrock:InvokeModel&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;bedrock:InvokeModelWithResponseStream&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> Resource</span> <span class="o">=</span> <span class="s2">&#34;*&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"> }<span class="p">)</span> </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_security_group&#34; &#34;bedrock_endpoint&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> name_prefix</span> <span class="o">=</span> <span class="s2">&#34;bedrock-endpoint-&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> vpc_id</span> <span class="o">=</span> <span class="k">aws_vpc</span><span class="p">.</span><span class="k">main</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">ingress</span> { </span></span><span class="line"><span class="cl"><span class="n"> from_port</span> <span class="o">=</span> <span class="m">443</span> </span></span><span class="line"><span class="cl"><span class="n"> to_port</span> <span class="o">=</span> <span class="m">443</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> cidr_blocks</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">developer_subnet_cidrs</span> </span></span><span class="line"><span class="cl"><span class="n"> description</span> <span class="o">=</span> <span class="s2">&#34;Allow HTTPS from developer subnets&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">egress</span> { </span></span><span class="line"><span class="cl"><span class="n"> from_port</span> <span class="o">=</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="n"> to_port</span> <span class="o">=</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;-1&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> cidr_blocks</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;0.0.0.0/0&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">}</span></span></code></pre></div><h2 id="iam-policy-for-bedrock-access">IAM Policy for Bedrock Access<a class="anchor" href="#iam-policy-for-bedrock-access">#</a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Version&#34;</span><span class="p">:</span> <span class="s2">&#34;2012-10-17&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Statement&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Effect&#34;</span><span class="p">:</span> <span class="s2">&#34;Allow&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Action&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;bedrock:InvokeModel&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;bedrock:InvokeModelWithResponseStream&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;bedrock:ListInferenceProfiles&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;Resource&#34;</span><span class="p">:</span> <span class="s2">&#34;*&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div><p>Attach to the IAM role used by the LLM gateway service, not to individual developer users.</p>