Repo & process contract
Repo hygiene and process: secrets via SOPS only (no plaintext env), the Python toolchain (uv), import/path conventions, file & directory naming, and commit conventions. The dependency allowlist is its own contract — see Dependencies.
The rule
- 🔒 Secrets go through SOPS only. No plaintext `.env` files anywhere, under any name. A `.gitignore` is NOT protection: it only keeps untracked files out of `git add`, and `git add -f` or a file that was already tracked bypasses it. Docs reference SOPS pointers + commands, never raw values.
- 🔒 `uv` is the only Python package manager/toolchain for the backend. No repo-local `.venv` (cross-drive hardlink failures); `UV_PROJECT_ENVIRONMENT` points uv at an environment outside the checkout. Python dependencies are declared in `pyproject.toml` and allowlisted in `governance/allowed-deps.json`.
Enforced by
scripted scan + dependency-cruiser — derived from these rules
- Secrets scan — flags any plaintext secret or `.env` file committed to the repo.
- Venv scan (pending) — flags a repo-local `.venv`.
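As an added example, not the project's own scripted scan (whose source is not on this page), the two checks above can be expressed over a checkout's tracked files like this. The sample tree, the secret patterns and the SOPS-detection heuristic (look for `ENC[AES256_GCM,` ciphertext plus the `sops_version=` / `sops:` / `"sops"` metadata that SOPS appends) are constructed for the example; `scan_checkout` assumes `git` is on PATH.

```python
"""Hygiene scan for the two locked rules: no plaintext secrets or .env files,
no repo-local .venv. Added example; it is not the project's own scan script."""
import os
import re
import subprocess
import sys
from typing import Dict, List

# Basenames treated as env files: .env, .env.local, .env.production, app.env ...
ENV_FILE = re.compile(r"^(\.env(\..+)?|.+\.env)$")

# Plaintext-secret heuristics (constructed for this example; a production scan
# would carry a longer list). The first two formats are unambiguous; the third
# catches KEY=<long opaque value> assignments in any text file.
SECRET_PATTERNS = [
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("opaque assignment", re.compile(
        r"^[ \t]*[A-Z][A-Z0-9_]*(KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*[ \t]*=[ \t]*"
        r"['\"]?[A-Za-z0-9+/=_\-]{16,}", re.M)),
]

# SOPS writes every value as ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
# and appends its metadata: sops_version=/sops_mac= keys in dotenv files, a
# top-level `sops:` mapping in YAML, a "sops" object in JSON.
SOPS_CIPHERTEXT = "ENC[AES256_GCM,"
SOPS_METADATA = re.compile(r'^(sops_version=|sops:|[ \t]*"sops"[ \t]*:)', re.M)


def is_sops_encrypted(content: str) -> bool:
    """Heuristic: ciphertext markers AND the SOPS metadata block are present."""
    return SOPS_CIPHERTEXT in content and SOPS_METADATA.search(content) is not None


def scan_repo(files: Dict[str, str]) -> List[str]:
    """Return one finding per violation. `files` maps a repo-relative POSIX
    path to its text content (in a real run: the output of `git ls-files`)."""
    findings: List[str] = []
    for path, content in sorted(files.items()):
        parts = path.split("/")
        # Venv scan: any tracked file living under a .venv directory.
        if ".venv" in parts[:-1]:
            findings.append(f"{path}: repo-local .venv committed "
                            "(point UV_PROJECT_ENVIRONMENT outside the checkout)")
            continue
        encrypted = is_sops_encrypted(content)
        # Secrets scan, rule 1: an env file under any name must be SOPS ciphertext.
        if ENV_FILE.match(parts[-1]) and not encrypted:
            findings.append(f"{path}: plaintext .env file (secrets go through SOPS)")
        if encrypted:
            continue  # ciphertext never trips the plaintext patterns
        # Secrets scan, rule 2: plaintext secret material in any tracked file.
        for label, pattern in SECRET_PATTERNS:
            m = pattern.search(content)
            if m:
                line = content.count("\n", 0, m.start()) + 1
                findings.append(f"{path}:{line}: plaintext secret ({label})")
                break
    return findings


def scan_checkout(root: str = ".") -> List[str]:
    """Scan the tracked files of a real checkout (assumes git is installed)."""
    out = subprocess.run(["git", "-C", root, "ls-files", "-z"],
                         check=True, capture_output=True).stdout
    files: Dict[str, str] = {}
    for raw in out.split(b"\0"):
        if raw:
            path = raw.decode()
            with open(os.path.join(root, path), encoding="utf-8", errors="replace") as fh:
                files[path] = fh.read()
    return scan_repo(files)


# Constructed sample tree standing in for a small checkout.
SAMPLE_FILES = {
    "README.md": "Run `sops -d secrets/backend.enc.env` to materialise config.\n",
    "pyproject.toml": "[project]\nname = \"backend\"\n",
    ".env.local": "DATABASE_URL=postgres://localhost/app\n"
                  "API_TOKEN=9f3c2a7e5b1d4c6f8a0e2b4d6f8a1c3e\n",
    "secrets/backend.enc.env": (
        "API_TOKEN=ENC[AES256_GCM,data:Z2FyYmFnZQ==,iv:aWl2,tag:dGFn,type:str]\n"
        "sops_version=3.8.1\n"
        "sops_mac=ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]\n"),
    "backend/app/settings.py": "import os\nAPI_TOKEN = os.environ[\"API_TOKEN\"]\n",
    "deploy/ci-user.pem": "-----BEGIN RSA PRIVATE KEY-----\n"
                          "MIIEconstructedNotARealKey\n-----END RSA PRIVATE KEY-----\n",
    ".venv/bin/python": "",
}

if __name__ == "__main__":
    results = scan_checkout(sys.argv[1]) if len(sys.argv) > 1 else scan_repo(SAMPLE_FILES)
    print("\n".join(results) or "clean")
    sys.exit(1 if results else 0)
```

Run with no argument to scan the constructed tree (four findings: the plaintext `.env.local` twice, the committed `.venv`, the PEM file); pass a checkout path to scan real tracked files and fail the job on any finding. The SOPS check only recognises the shape SOPS emits, it does not verify the MAC, so a CI step that actually runs `sops -d` on each encrypted file is the stronger complement.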
Open items (confirm to lock)
- Imports & path conventions — define and lock.
- File & directory naming — define and lock.
- Commit conventions (commitlint) — confirm and lock.
Frontend (shell, components, a11y)
How the frontend is built, from the v3 standard: one slot-based seven-region shell every route mounts into, the agent-native message-type vocabulary, page states (loading/empty/error), the component set, composition leveling, and accessibility basics.
Dependencies
Every dependency confirmed, added one page at a time. The allowlist is the source of truth.