# Pilot Setup Checklist

Use this checklist for the first paid Workflow Firewall pilot.

## Before The Working Session

- Confirm private npm access for the customer or paired pilot environment.
- Confirm the repo uses Node.js / TypeScript and GitHub Actions.
- Confirm one workflow owner and one reviewer.
- Confirm the workflow has an existing integration test or CI slice.
- Confirm which trace fields are safe to record.

## Install

```bash
npm config set //registry.npmjs.org/:_authToken "$NPM_ACCESS_TOKEN"
npm install -D @driftfence/cli @driftfence/sdk @driftfence/mcp
npx driftfence init --owners @workflow-owner
```

Use a template only when it matches the workflow closely:

```bash
npx driftfence init --owners @workflow-owner --template release-npm
npx driftfence init --owners @workflow-owner --template package-registry
npx driftfence init --owners @workflow-owner --template stripe-subscription-cancel
```

## Record And Approve

1. Instrument the selected integration test with `@driftfence/sdk`.
2. Run the test and confirm `.driftfence/traces/*.json` is generated.
3. Draft the first contract:
   `npx driftfence draft --precision summary`
4. Review and accept:
   `npx driftfence accept --recorded-by <reviewer>`
5. Protect `.driftfence/contracts/**` with CODEOWNERS or branch rules.

## Agent Setup

```bash
npx driftfence agent-install --host all --mcp-command "npx driftfence-mcp"
```

For MCP-capable hosts, configure:

```bash
npx driftfence-mcp
```

Shell fallback:

```bash
npx driftfence query --files <repo-relative-file> --format text
```

## Observe Then Enforce

Run observe mode first:

```bash
npx driftfence check --mode observe
```

Promote to enforce only after report noise is understood:

```bash
npx driftfence check --mode enforce
```

## Readout Inputs

Capture:

- checks run
- conforming and non-conforming reports
- intentional behavior changes
- suppressions
- reviewer time to decision
- recommended required-status rollout