npm installinstalls project dependenciesnpm run devstarts the local Fastify server with reloadnpm run buildcompiles TypeScriptnpm run testruns the automated test suitenpm run lintruns the TypeScript typecheck used as linting
- Keep the implementation minimal and local-first
- Use Fastify route handlers with zod parsing for request validation
- Use SQLite through
better-sqlite3; prefer:memory:in tests - Keep bond settlement logic in
src/service.ts - Add tests for state transitions through Fastify injection rather than only unit-level helpers
This repository is developed with help from AI. These rules apply regardless of model or tool.
- The user is a beginner.
- Use baby steps.
- Provide clear, small, actionable steps.
For any meaningful change:
- Make the smallest safe change.
- Verify:
- run typecheck/build (as applicable)
- run demo script(s) / minimal tests
- Commit with a clear message.
- Push to GitHub immediately after committing. Do not leave commits unpushed unless explicitly told to hold off.
- Update README with:
- what changed
- how to verify
- next steps
If verification fails, stop and fix before proceeding.
- Treat auth/token/nonce/replay/transport logic as high risk.
- Prefer safety and clarity over speed.
- Never weaken security checks to “make it work”.
- Log security-relevant events (without leaking secrets).
- Never hardcode secrets.
- Never commit tokens/keys/.env.
- Use example files and documented env vars instead.
- Ask before large refactors.
- Prefer small diffs and incremental steps.
- Keep diffs under ~100 lines per change. If a change exceeds 300 lines, stop and break it into smaller pieces before proceeding.
- When uncertain, propose 2 options with tradeoffs and default to safer.
- Do not claim something is verified unless you list what you ran/checked.
| Excuse | Rebuttal |
|---|---|
| "I'll add tests later" | Tests are not optional. Write them now. |
| "It's just a prototype" | Prototypes become production. Build it right. |
| "This change is too small to break anything" | Small changes cause subtle bugs. Run the tests. |
| "I already know this works" | You don't. Verify it. |
| "Cleaning up this adjacent code will save time" | Stay in scope. File it for later. |
| "The user probably meant X" | Don't assume. Ask. |
| "Skipping the audit since it's straightforward" | Straightforward changes still need verification. |
| "I'll commit everything at the end" | Commit after each verified change. No batching. |
- Vertical slice: implement one complete feature top to bottom (route, logic, test) before starting another
- Risk-first slice: tackle the riskiest or most uncertain piece first to surface problems early
- Contract-first slice: define the API contract or interface first, then implement behind it
- Never give more than ONE step at a time.
- After giving a single step, STOP and wait for the user to say "done".
- Do not provide future steps, and do not include multi-step lists.
The project context file must include three sections:
- What we know for sure
- What we're assuming without proof
- What we don't know yet
- What would break this design if it turned out to be wrong
Tag milestones and claims with one of: Idea (sounds right, haven't tested), Prototype (built it, works in demo path), Tested (tests exist and pass), Production (deployed, hardened, verified from outside), Security-verified (red-teamed and survived).
For each significant decision: what was decided, why, what was rejected, what would cause reconsideration.
Before writing any code, define: what we're building, what problem it solves, what the smallest version is, and what's out of scope. No code until this is written down.
The following file types are private and must be listed in .gitignore from the first commit:
*_PROJECT_CONTEXT.md(e.g., AGENTGATE_PROJECT_CONTEXT.md) — private session context- Build logs (e.g., marketgate_build_log.md) — internal development notes
AGENT_OPERATING_CONTRACT.md— private working agreementprocess-template*.md— personal development playbookagent-identity*.json— contain private keys
If any of these files exist but are not in .gitignore, add them immediately before making any other changes. If any have already been committed, remove them from tracking with git rm --cached before proceeding.