- Ship production-ready code only: no TODO/FIXME markers, “optional” placeholders, or stub/placeholder crypto anywhere in the repo.
- Every exported/public function must have explicit, strict TypeScript types.
- Keep secrets encrypted at rest and handle private material only in-memory; never add plaintext secrets to the repo.
- Follow SECURITY.md invariants (decrypt only in memory, strict origin binding, canonical challenge serialization, and no blind signing).
- Always pull the next open ticket from TICKETS.md, working strictly top-to-bottom unless the file explicitly says otherwise.
- When you finish a ticket, update TICKETS.md to mark it complete with a checkmark (✅) so the next agent knows where to resume.
- Leave the diff in a state where another agent can immediately continue (tests passing, docs updated, etc.).
- Document any follow-up constraints or caveats inside the ticket file before moving on to the next task.
- Prefer pnpm + the configured tooling for installs, builds, linting, and tests; run the full command matrix when a ticket’s DoD requires it.
- Keep commits scoped to the ticket you are working on and avoid touching unrelated files.
- If new constraints are discovered, add them here (hard rules) or to SECURITY.md as appropriate.