omniai-ds-code-package/AGENTS.md
Project Rules

Asset, Key, And Runtime Data Governance

These rules are mandatory for all frontend, backend, deployment, and agent-generated changes.

  1. Image and media assets must be stored in OSS.

    • Do not commit product images, demo images, generated images, videos, or other large media assets into src/assets or other source folders.
    • Code may reference media only by OSS URL or by data returned from an API.
    • Local assets are limited to tiny build-critical files such as icons or placeholders, and require explicit justification.
  2. Frontend code must not contain API keys or secrets.

    • Do not hard-code provider keys, access keys, tokens, private endpoints, passwords, or bearer tokens in TypeScript, CSS, HTML, Vite config, Nginx snippets, or checked-in docs.
    • Browser-delivered code must treat every visible value as public.
  3. Provider keys are owned by the server key pool.

    • AI provider credentials are stored and managed server-side.
    • The frontend requests work through application APIs; the server leases provider keys from the concurrency/key pool and calls providers on behalf of the client.
    • Do not add direct browser-to-provider calls that require provider credentials.
  4. Application data must come through APIs.

    • Do not hard-code product data, pricing, model availability, provider routing, account state, usage state, or operational configuration in the frontend.
    • Use typed API clients and server-provided payloads for runtime data.
    • Static constants are allowed only for presentation defaults that are not business-authoritative.
  5. Do not use fixed environment configuration in application code.

    • Do not bake production hostnames, provider endpoints, keys, or environment-specific behavior into source code.
    • Environment-specific values belong in server deployment configuration, secret management, or runtime configuration endpoints.
    • Frontend code must not add fixed VITE_* or equivalent environment variables for API hosts, provider hosts, business data, or secrets.
    • If the browser needs runtime configuration, it must request that data from an application API.
  6. Deployment configuration must follow the same rules.

    • Nginx and process manager configs must not embed provider API keys or long-lived credentials.
    • Reverse proxies should route application traffic to the backend, not expose third-party credentials.
    • Secrets must be rotated immediately if found in source, Git remotes, shell history, Nginx config, process manager config, or logs.
  7. Reviews must reject violations.

    • Any new local media file, hard-coded key, direct provider credential path, or fixed production config is a blocking issue.
    • Prefer deleting local assets and replacing them with OSS URLs returned by APIs or server-managed config.
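A mechanical check for rules 1, 2 and 5 that a review or CI step can run before a human looks, added here as an example and not part of AGENTS.md or the project's own tooling: it lints an in-memory snapshot of the frontend tree. The sample files, the secret and `VITE_*` name patterns, and the icon/placeholder allowance are assumptions.

```typescript
// Added example (not part of AGENTS.md): lint an in-memory frontend tree
// against rules 1, 2 and 5. File contents and patterns are constructed.
type Finding = { file: string; rule: string; detail: string };

// Rule 1: anything with one of these extensions under src/assets is a media asset.
const MEDIA_EXT = /\.(png|jpe?g|gif|webp|mp4|mov)$/i;
// Assumption: icons and placeholders are the only tolerated local files.
const ALLOWED_LOCAL = /icon|placeholder/i;
// Rule 2: shapes that indicate a hard-coded credential (patterns are assumptions).
const SECRET_PATTERNS: [string, RegExp][] = [
  ["bearer-token", /bearer\s+[A-Za-z0-9._~+/-]{16,}/i],
  ["provider-key", /\bsk-[A-Za-z0-9]{16,}\b/],
  ["secret-literal", /(api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']{8,}["']/i],
];
// Rule 5: VITE_* names carrying hosts, endpoints, secrets or business data.
const BANNED_VITE = /\bVITE_[A-Z0-9_]*(HOST|URL|ENDPOINT|KEY|SECRET|TOKEN|PRICE|MODEL)[A-Z0-9_]*\b/;

function lintFrontend(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [file, body] of Object.entries(files)) {
    if (file.startsWith("src/assets/") && MEDIA_EXT.test(file) && !ALLOWED_LOCAL.test(file)) {
      findings.push({ file, rule: "1", detail: "media asset committed to source; move it to OSS" });
    }
    body.split("\n").forEach((line, idx) => {
      for (const [name, re] of SECRET_PATTERNS) {
        if (re.test(line)) findings.push({ file, rule: "2", detail: `${name} on line ${idx + 1}` });
      }
      const env = line.match(BANNED_VITE);
      if (env) findings.push({ file, rule: "5", detail: `fixed env var ${env[0]} on line ${idx + 1}` });
    });
  }
  return findings;
}

// Constructed sample tree: one violation of each checked rule plus one clean file.
const SAMPLE_TREE: Record<string, string> = {
  "src/assets/hero-banner.png": "<binary placeholder>",
  "src/api/client.ts": [
    'const key = "sk-EXAMPLEONLY0123456789ABCD"; // constructed, not a real key',
    'fetch(import.meta.env.VITE_PROVIDER_HOST + "/v1/chat", { headers: { Authorization: key } });',
  ].join("\n"),
  "src/ui/table.ts": "export const DEFAULT_PAGE_SIZE = 20; // presentation default, allowed by rule 4",
};

// Usage: a non-empty result is a blocking review finding (rule 7).
console.log(lintFrontend(SAMPLE_TREE));
```

The sample tree yields three findings (rules 1, 2 and 5) and the clean presentation default passes; a real run would feed the repository's actual file map in place of `SAMPLE_TREE`.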