Always install the latest version of every dependency — When adding or refreshing a dependency in any oriz repo, install the latest published version. Old deps eventually reach end-of-life and may go paid — staying current is a never-hit-quotas requirement, not a preference.
Community packages first — prefer external dependencies over hand-rolling — Locked 2026-06-23. Default to a well-maintained community library/package over hand-rolling. Reasons: less code we maintain, fewer bugs, more eyeballs on the dep. Caveats: the dep must be MIT/Apache/ISC-licensed, have >100 stars OR be from a known-good org (Cloudflare, Vercel, Astro, Anthropic, Firebase, Hono, TanStack), and not pull in 50+ transitive deps. This overrides the prior 'lazy-third-party-first' uncertainty: yes, reach for the dep.
Conventional commits — Every commit message uses a Conventional Commits prefix: feat, fix, chore, docs, refactor, test.
Fork discipline — minimum diff, rebase-friendly, upstream-aligned — All forks live under chirag127/ on GitHub and repos/oriz/frk//// on disk. Reason: org-level secrets only propagate within the org; forks on personal accounts can't inherit them. Slug + disk folder = upstream name by default, unless the fork ships as a distinct product (CWS / store / npm) — then rename to a <purpose>-bs-ext / -cli / etc. compliant slug. All code changes minimum-diff, marked with per-fork <slug>: comments, documented in per-fork knowledge/divergence.md.
Git identity — always use chirag127's GitHub noreply email — Every commit on this machine attributes to chirag127 via the noreply email 76880977+chirag127@users.noreply.github.com. Set globally + locally + in every submodule. Past commits with chirag@oriz.in stay (history rewrites cost more than the cosmetic win). Going forward, no public email leak in .git history, no chance of attribution drift, and GitHub's Select-an-account dialog can't pick a different identity.
Never force-push to main — Force-push to main requires a separate, explicit user instruction — distinct from a normal push instruction.
Never call Web3Forms from server-side code — Web3Forms server-side calls require their paid plan plus an IP allow-list. Cloudflare Workers' egress IPs rotate. Always submit Web3Forms from the browser.
One branch only — main — Only the main branch exists, in the master oriz repo and in every submodule under sites/, packages/, extensions/.
Playwright persistent sessions rules — Constraints and guidelines for using persistent contexts and cookies in headless/cloud Playwright automation loops.
Push to main by default — no explicit say-so needed — Standing authorisation: agents commit AND push to main immediately after every change. Removes the prior "no push without explicit user say-so" rule. Outward-effect actions still require confirmation.
Every repo in the family must work independently when cloned alone — Cloning any single oriz submodule directly must give a fully working dev environment. The umbrella oriz repo orchestrates; it does not own the code. A solo clone of any site must pnpm install + pnpm build successfully without the master repo.
Tests in parallel + master pnpm install -r is THE install command — Vitest + Playwright + Storybook per app and per package; master CI matrix-fans all suites in parallel. Always work from c:/D/oriz/ (the umbrella). One install command from master covers every submodule.
pnpm is the package manager for every JS repo in the family — pnpm is mandatory across the oriz family. Its content-addressable global store at ~/.pnpm-store is what makes the 'no duplication' goal achievable when 11+ sites share dependencies.