Repo Standard V1.0¶
1. Commit and PR policy¶
Use Conventional Commits syntax:
<type>[optional scope]: <description>
Allowed types:
feat
fix
docs
refactor
test
chore
ci
build
perf
revert
style
Required CI gate¶
- Semantic PR title validation is required in CI.
- The
semantic-pull-request.ymlworkflow validates every PR title. - This is the non-negotiable source of truth for release notes and changelogs.
Optional local gate¶
commitlint(via Husky for Node repos) orpre-commithooks (for Python repos) are optional but recommended for local feedback.- If
commitlintis configured withsubject-casedisabled ([0]), this is intentional: squash-merge PR titles (not individual commits) are the release source of truth. Lowercasing individual commit subjects would not meaningfully improve the final squash message and would add friction to local commits.
Recommended merge style¶
- Squash merge.
- The squash commit title should be the validated PR title.
2. Release policy¶
Use Release Please for repos that publish packages, GitHub releases, or user-facing deployable artifacts.
Release Please strategies¶
Choose the workflow template that matches the repo type:
| Repo type | Template | Notes |
|---|---|---|
| Simple / single-component | release-please.simple.yml |
General-purpose; no package.json version file |
| Node package / library | release-please.node.yml |
Bumps package.json version automatically |
| Mixed / monorepo | release-please.manifest.yml |
Requires .release-please-manifest.json + release-please-config.json |
- Node package/library repos should use the Node-specific release template (
release-please.node.yml). - Mixed repos (multiple languages, monorepos) should prefer manifest mode (
release-please.manifest.yml).
Release Please should:
- Create or update release PRs from Conventional Commit history.
- Maintain changelog.
- Bump versions where the repo has version files.
- Create GitHub releases.
Release Please owns release PRs, changelog updates, GitHub releases, and tags for repositories that enable it. Do not manually edit CHANGELOG.md or create release tags for normal releases unless intentionally bypassing Release Please.
Release Please should not be treated as the deploy tool. Deployment remains in repo-specific workflows.
3. AI/editor instruction policy¶
Use Rulesync.
Canonical files:
.rulesync/rules/*.md
rulesync.jsonc
.repo-policy.yml
Generated files:
AGENTS.md
.cursor/rules/*.mdc
.agents/rules/*.md
.agents/memories/*.md (when `antigravity-ide` target is enabled)
The CI check should regenerate and fail if generated files drift.
Non-dot agents/ paths¶
A top-level agents/ directory (without a leading dot) is not part of this standard. The standard only defines behavior for .agents/. If a repo has a flat agents/ directory, it should be for a documented purpose (e.g., an actual AI agent application). The standard's checks will flag agents/ as suspicious unless a documented exception exists.
Rulesync targets¶
The rulesync.jsonc template defines three targets:
| Target | Output | Purpose |
|---|---|---|
agentsmd |
AGENTS.md |
Universal AI agent instructions (works in any AI coding tool) |
cursor |
.cursor/rules/*.mdc |
Cursor-specific rules for IDE behavior |
antigravity-ide |
.agents/rules/*.md, .agents/memories/*.md |
Antigravity (Ante AI) IDE rules |
All three targets are enabled by default. If a downstream repo does not use a particular IDE, its generated directory can be committed but is effectively unused until that IDE is used.
Important: Rulesync output may list only changed/generated files and should not be the sole source of truth for whether all target outputs exist. To verify that all expected outputs are present, use:
find AGENTS.md .cursor .agents .rulesync -maxdepth 4 -type f -print | sort
.agents/memories/ is generated, not runtime junk¶
The antigravity-ide Rulesync target generates both .agents/rules/*.md and .agents/memories/*.md. The memories subdirectory is a valid generated output containing AI agent knowledge. If the repo opts into Antigravity IDE support, .agents/memories/ should be committed, not ignored.
If .agents/memories/ exists but rulesync.jsonc does not contain antigravity-ide, that should be flagged for manual review (it may be stale or misconfigured).
AI rules and documentation governance¶
Human documentation and AI/editor rules must evolve together.
docs/explains the standard for humans.ai/rules/*.mddefines reusable AI/editor rule templates in this standards repo.- Downstream repos copy those rules into
.rulesync/rules/*.md. - Rulesync generates
AGENTS.md,.cursor/rules/*.mdc,.agents/rules/*.md, and.agents/memories/*.md. - Generated AI/editor outputs must not be edited directly as the source of truth.
- A docs/AI-rule sync check should warn when standards docs or templates change without corresponding AI rule source changes.
See docs/ai-rules-maintenance.md for the full maintenance pipeline.
Run the sync checker locally:
python3 scripts/check_docs_ai_rule_sync.py --base-ref main
Strict mode:
python3 scripts/check_docs_ai_rule_sync.py --base-ref main --strict
The optional Docs / AI Rule Sync workflow template is at templates/workflows/docs-ai-rule-sync.yml.
4. CI quality gates¶
Every repo should expose the same conceptual gates, even if the commands differ:
install
format_check
lint
typecheck
test
coverage
build
docs
A gate may be explicitly disabled in .repo-policy.yml only when it is not applicable.
File and language checks are governed by the unified
code-quality-standards.md model:
- Repo profile determines which standards apply.
- File patterns determine which tools/checks run.
- CI remains authoritative.
- Pre-commit is optional local feedback.
- Existing repos should adopt newly introduced checks as warnings/report-only first.
Node version management¶
Node/TypeScript repositories must have a root .nvmrc file specifying the project's Node.js version (e.g., 24).
.nvmrcis the operational source of truth for local development (nvm use,fnm, etc.) and CI (node-version-file).- The
node_versionfield in.repo-policy.ymlis descriptive -- it documents the intended version, but.nvmrcdrives actual setup. .nvmrcis required for Node repositories.- AI rules checks use
.nvmrcwhen present and fall back to Node 24 for non-Node repositories. - CI workflow templates use
node-version-file: ".nvmrc"instead of hardcodednode-version.
A template .nvmrc (with 24) is at configs/node/.nvmrc.
Reusable workflow inputs¶
When writing CI workflows, prefer using workflow_call with inputs so that runtime versions and commands are configurable per-repo:
| Input | Default | Purpose |
|---|---|---|
node_version |
"" (uses .nvmrc) |
Node.js version for setup-node |
python_version |
"3.12" |
Python version for setup-python |
install_command |
"npm ci" or pip command |
Install dependencies |
format_check_command |
"npm run format:check" or "ruff format --check ." |
Format check |
lint_command |
"npm run lint" or "ruff check ." |
Lint check |
typecheck_command |
"npm run typecheck" or "" |
Type checking |
test_command |
"npm test" or "pytest" |
Run tests |
coverage_command |
"npm run test:coverage" or coverage run |
Coverage report |
build_command |
"npm run build" or "" |
Build step |
strict |
false |
Optional file-pattern quality checks may fail on missing tooling |
run_tools |
false |
Optional file-pattern quality checks may run installed safe tools |
fail_on_missing_tools |
false |
Alias for strict missing-tool behavior in file-pattern checks |
*_enabled |
true |
Optional file-area toggles for Python, shell, YAML, Markdown, Docker, and Make checks |
*_lint_command / markdown_check_command |
"" |
Optional repo-specific file-area check commands |
Reusable workflows that support both workflow_call and direct push/pull_request
triggers must explicitly handle empty inputs.* values. Do not assume input defaults are
available during direct-triggered runs. Workflows that are workflow_call only may rely on
their declared input defaults.
Reusable workflows (long-term preferred)¶
The preferred long-term CI standard is GitHub reusable workflows defined in repo-standards and called from downstream repos. This reduces template drift and ensures updates flow automatically.
See docs/template-drift.md for details and caller examples.
Stable consumers should pin reusable workflows to a release tag such as @v1.0.0. Use @main only for canary repositories that intentionally track unreleased changes.
Reusable workflow locations:
| Path | Purpose |
|---|---|
.github/workflows/*.reusable.yml |
Live reusable workflows callable by downstream repos |
templates/workflows/*.reusable.yml |
Copy/reference templates, if retained |
Live callable workflows:
.github/workflows/node-ci.reusable.yml.github/workflows/python-ci.reusable.yml.github/workflows/code-quality.reusable.yml(optional file-pattern analyzer)
Template copies:
templates/workflows/node-ci.reusable.ymltemplates/workflows/python-ci.reusable.ymltemplates/workflows/code-quality.reusable.yml
5. Coverage policy¶
Coverage should be phased in.
Baseline:
- Generate coverage report where tests already exist.
- Do not block merges on strict percentage initially.
Phase 1:
- Enforce coverage only for repos with existing coverage scripts.
- Use repo-local thresholds.
Phase 2:
- Enforce patch/diff coverage for changed code.
- Increase thresholds gradually.
Default starting thresholds:
libraries: 80% lines / 70% branches
services/workers: 70% lines / 60% branches
legacy/mixed repos: report-only until stable
Do not fail a useful bugfix because a legacy repo has poor historical coverage. Prefer changed-code coverage first.
Coverage remains report-only unless a repo has stable thresholds.
.gitignore guidance¶
Ensure the following entries are in every repo's .gitignore:
# Build and coverage artifacts
coverage/
htmlcov/
.coverage
# DO NOT ignore .agents/memories/ if using the antigravity-ide Rulesync target
# .agents/memories/ contains generated AI agent knowledge and should be committed
Previously tracked coverage/ files may appear as D coverage/... in git status after adding coverage/ to .gitignore. This is acceptable cleanup -- not a blocker. Adding or modifying generated coverage/ files (A coverage/... or M coverage/...) should still be a blocker in a standards migration PR.
6. Docs and governance policy¶
Required docs:
README.md
.repo-policy.yml
AGENTS.md
CONTRIBUTING.md
LICENSE or LICENSE.md
.github/PULL_REQUEST_TEMPLATE.md
Recommended docs:
docs/development.md
docs/deployment.md
docs/release.md
License selection¶
- Public/open-source repos should use an explicit open-source license. MIT is the default recommendation (
templates/licenses/LICENSE-MIT.txt). - Private/proprietary repos should use a proprietary/all-rights-reserved notice (
templates/licenses/LICENSE-PROPRIETARY.txt). - Do not add or change a license casually. Licensing decisions should be reviewed by the repo owner.
- Agents must never change license terms unless explicitly instructed.
- Private repos should not accidentally receive an open-source license.
The .repo-policy.yml visibility and license fields should match the chosen license:
visibility: public # public | private
license: MIT # MIT | proprietary | none
governance:
contributing: required
pull_request_template: required
Required README concepts (validated by docs-check.yml via keyword/concept matching, not exact headings):
Overview
Local development
Checks (CI, quality gates, lint, test, etc.)
Deployment or release process
Environment variables / secrets (or "None required")
AI/editor instructions
A repo with no environment variables may satisfy the requirement with "None required."
7. Repo classes¶
Use these profiles:
typescript-library
typescript-cloudflare-worker
typescript-app
python-home-assistant
python-service
mixed-special
The profile determines CI defaults and migration risk.
Profile templates¶
Each profile template (under templates/repo-policy.*.yml) includes:
| Field | Description |
|---|---|
name |
Descriptive example name |
profile |
Profile identifier |
visibility |
Repository visibility (public or private) |
license |
License type (MIT, proprietary, or none) |
governance |
Required governance files (contributing, pull_request_template) |
node_version / python_version / package_manager |
Runtime configuration (descriptive; .nvmrc is operational for Node) |
commands |
Install, format, lint, typecheck, test, coverage, build |
quality_gates |
Required checks |
release |
Release Please configuration |
deploy |
Deploy provider and workflow |
migration_notes |
Notes specific to this profile's migration |
Python typechecking¶
Python typechecking (mypy, pyright, etc.) is adopted repo-by-repo. It is not enforced globally. Templates include an empty typecheck: "" field and a comment explaining the policy. Individual repos may add a typecheck command when ready.
8. Dependency updates¶
Dependabot¶
Dependabot is the baseline dependency update tool for all repositories.
Copy templates/dependabot.yml to .github/dependabot.yml in each repo.
The template includes weekly updates for:
- GitHub Actions
- npm (root directory, with grouped dev dependency updates)
- pip (root directory)
For monorepos or repos with nested projects, add additional directory entries for each sub-project.
See docs/dependency-updates.md for customization guidance.
9. Secret scanning¶
A baseline secret scanning workflow is at templates/workflows/secret-scan.yml.
The workflow uses TruffleHog to scan PR diffs for verified secrets. It is configured conservatively (--results=verified) to reduce false positives.
Branch protection should require the Secret Scan check once it passes consistently in a repo.
See docs/security-scanning.md for configuration and recommended workflow.
10. Template drift management¶
Repo-standards supports two approaches for managing template drift:
| Approach | When to use |
|---|---|
| Copied templates (default) | Initial migration, early adoption. Templates are copied into each repo. Drift must be reassessed manually. |
| GitHub reusable workflows (preferred long-term) | After the standard stabilizes. Workflows live in repo-standards and are called from downstream repos. Updates flow automatically. |
See docs/template-drift.md for caller examples and migration guidance.
11. Branch protection¶
After migration, the following required checks should be configured in branch protection rules for the default branch:
| Check | Required when |
|---|---|
| Semantic Pull Request | Always |
| AI Rules | Always (if .rulesync/ is present) |
| CI | Always |
| Docs | Always |
| Docs / AI Rule Sync | Recommended (warns when docs/templates change without AI rule source updates) |
| Secret Scan | Recommended (once it passes consistently) |
| Deploy check | When deploy workflow is configured |
| Release check | When Release Please is configured |
See docs/branch-protection.md for details.
12. Repository health baseline¶
Required for new repos¶
Every new repository must include:
README.md
.repo-policy.yml
AGENTS.md
CONTRIBUTING.md
LICENSE or LICENSE.md
SECURITY.md
.github/PULL_REQUEST_TEMPLATE.md
.gitignore
.editorconfig
.env.example
Warnings for existing repos during migration¶
When migrating existing repositories, the following items should be addressed but are not blockers:
SECURITY.md
.env.example
.editorconfig
issue templates (.github/ISSUE_TEMPLATE/)
ADR directory (docs/decisions/)
CODEOWNERS
devcontainer
license scanning
Repository health files¶
.gitignore¶
- Required for all repos
- Use templates from
templates/gitignore/based on project type: node.gitignorefor Node.js projectspython.gitignorefor Python projectscloudflare-worker.gitignorefor Cloudflare Workersmixed.gitignorefor mixed-language projects- Ensure
coverage/is ignored in all repos - Do not ignore
.agents/memories/if using theantigravity-ideRulesync target
.env.example¶
- Required for all repos with environment variables
- Document required environment variable names with blank or placeholder values only
- Do not commit real secret values
- Include Honeybadger placeholders if using Honeybadger:
HONEYBADGER_API_KEY= HONEYBADGER_ENVIRONMENT=development - For Cloudflare Workers, add comments explaining that production secrets should be configured with Wrangler/Cloudflare secrets
.editorconfig¶
- Required for all repos
- Ensures consistent code formatting across editors
- Template at
templates/.editorconfig - Default settings:
- LF line endings
- UTF-8 charset
- 2 spaces for JavaScript/TypeScript/JSON/YAML
- 4 spaces for Python
- Preserve trailing whitespace in Markdown
SECURITY.md¶
- Required for all repos
- Template at
templates/SECURITY.md - Include:
- Supported versions
- How to report a vulnerability
- Contact method placeholder
- Expected response timeline
- Request not to disclose publicly before coordination
- Note that secrets should never be included in reports
Issue templates¶
- Optional but recommended
- Templates at
templates/.github/ISSUE_TEMPLATE/ - Include:
bug_report.yml- for reporting bugsfeature_request.yml- for feature requestsconfig.yml- to disable blank issues and provide contact links
ADRs (Architecture Decision Records)¶
- Optional but recommended for significant architectural decisions
- Template at
templates/docs/decisions/ADR-000-template.md - Store in
docs/decisions/directory - Use ADR-XXX naming convention (e.g., ADR-001, ADR-002)
CODEOWNERS¶
- Optional guidance, not required
- Template at
templates/.github/CODEOWNERS - Document that users must update the owner before copying
- Example:
# Default owner * @YOUR_GITHUB_USERNAME
Devcontainers¶
- Optional guidance for repos with heavier setup
- Useful for Cloudflare Workers or Python service repos
- Not required in the standards assessment
- Document when and why to use devcontainers
Dependency license scanning¶
- Optional future quality gate
- Not required in current standards
- For Node: consider tools like
license-checker - For Python: consider tools like
pip-licenses - Document as future enhancement in repo documentation
Blocker vs warning guidance¶
When assessing a standards migration PR, the assessor should distinguish between:
Blockers (must fix before merging)¶
- Missing
.repo-policy.yml - Missing
.rulesync/rules/* - Missing generated AI/editor files (
AGENTS.md,.cursor/rules/*.mdc,.agents/rules/*.md) - Changed or added generated coverage artifacts (
A coverage/...orM coverage/...) - Secret-like files in the diff
- Risky deploy changes in a standards-only PR
Warnings / follow-up work (standard migration is acceptable)¶
- Deleted generated coverage artifacts (
D coverage/...whencoverage/is in.gitignore) - Low test coverage
- ESLint warnings or errors
- npm audit vulnerabilities
- Legacy stale agent files being removed
- Missing pinned Rulesync tooling dependency. Rulesync is mandatory for every
repo; non-Node repos should use a private tooling-only
package.json. - Missing
.nvmrcin a Node repo (recommended but not yet required) - Missing
.github/dependabot.yml(recommended but not yet required) - Missing secret scanning workflow (recommended but not yet required)
- Missing
.gitignore(warning initially, blocker for strict/new repo mode if supported) - Missing
.editorconfig(warning initially) - Missing
.env.example(warning initially) - Missing
SECURITY.md(warning initially) - Missing issue templates (optional warning)
- Missing ADR directory/template (optional recommendation only)