This file is procedural only. For architectural rationale, see docs/ARCHITECTURE.md.
- Project: Scriptoria
- Supported front ends: FastHTML/HTMX UI and CLI
- Package layout:
src/
- Plan before execute for complex features, refactors, and cross-module changes.
- Prefer test-first for bug fixes and new behavior that can be specified upfront.
- Keep security checks mandatory on API/routes, file handling, and export/download flows.
- Prefer immutability when practical, but do not force it at the cost of readability in Python code.
- Optimize for simple, reliable flows over speculative abstractions.
- Use
explorerfor planning, architecture checks, and focused codebase analysis. - Use
workerfor implementation tasks that touch multiple files or require isolated ownership. - Use
awaiterfor long-running operations (test suites, prolonged commands, monitoring). - Run agents in parallel only for independent tasks; keep one source of truth for merge decisions.
- Keep all Python source code under
src/. - Do not add Python source files in repository root.
- Keep CLI entrypoint in
src/universal_iiif_cli/cli.py. - Keep web entrypoint in
src/studio_app.py.
- Add dependencies only in
pyproject.tomlunder[project.dependencies]. - Install locally with
pip install -e .. - Keep Pyright configuration only in
pyrightconfig.json. - Use
universal_iiif_core.config_managerfor runtime config and path resolution. - Do not hardcode runtime paths.
- Use Ruff as the only linter/formatter.
- Enforce C901 max complexity 10.
- Use
pathlib.Pathfor path operations.
- Never hardcode secrets or tokens in source code.
- Validate input at system boundaries (routes, CLI args, external payloads).
- Enforce path safety for file read/write/download/delete operations.
- Use parameterized access patterns for DB operations (no string-built queries).
- Do not leak sensitive details in user-facing error messages.
- Keep permissive CORS only for explicit local/dev scenarios; prefer explicit origins otherwise.
- Treat these directories as user/runtime data and keep them in
.gitignore:downloads/data/local/logs/temp_images/
- Always use project tools from
.venv/bin/when available (do not assume global executables). - Install:
pip install -e . - Run web UI:
scriptoria(orpython3 src/studio_app.py) - Run CLI:
scriptoria-cli "<manifest-url>" - Run tests:
pytest tests/ - Lint/fix:
ruff check . --fix - Complexity check:
ruff check . --select C901 - Format:
ruff format .
- Dry-run cleanup first:
python scripts/clean_user_data.py --dry-run
- Confirm cleanup:
python scripts/clean_user_data.py --yes
- Include full
data/localreset only when required:- add
--include-data-local
- add
Pre-PR sequence:
- Update
.gitignorefor any new runtime directories. - Register runtime paths through
ConfigManageronly. - Run cleanup dry-run.
- Run cleanup confirm.
- Run
pytest tests/. - Run
ruff check . --select C901. - Run
ruff format ..
Run a compact verification loop for every non-trivial change:
- Build/start sanity check for touched surface (
scriptoriaor relevant CLI path). - Tests: targeted tests first, then
pytest tests/. - Lint/complexity/format: Ruff checks.
- Security spot-check: traversal/path safety, input validation, and secrets.
- Review
git difffor unintended changes.
Coverage note:
- Current repo does not enforce a global coverage gate in CI.
- When coverage tooling is available, target at least 80% on touched critical paths.
- Never commit directly to
main. - Create branches with prefixes:
feat/,fix/,docs/,chore/. - Use conventional commit prefixes:
feat:,fix:,docs:,chore:. - Use GitHub CLI for remote operations.
- Open PRs with:
gh pr create --fill
- Check PR status before finalizing:
gh pr status
- Keep commit messages descriptive for semantic release.
- Keep canonical version in
src/universal_iiif_core/__init__.py.
Use these skills when available in the active CLI skill path. These are the default skills for this repository:
architecturearchitecture-decision-recordsapi-patternsasync-python-patternspython-patternspython-performance-optimizationperformance-profilingpython-testing-patternstest-driven-developmentsystematic-debuggingwebapp-testingsearch-specialistpdf-officialdocs-architectcode-refactoring-refactor-cleansearch-firstverification-loopsecurity-reviewiterative-retrievalcontent-hash-cache-patterntdd-workflow
- Use
architectureandarchitecture-decision-recordsfor design decisions and major refactors. - Use
api-patternswhen changing API contracts, endpoints, payloads, or error models. - Use
async-python-patternsandpython-patternsfor concurrency and Python structure choices. - Use
python-performance-optimizationandperformance-profilingfor slow paths and bottlenecks. - Use
python-testing-patterns,test-driven-development, andwebapp-testingfor implementation and validation. - Use
systematic-debuggingfor any bug, regression, or failing test before proposing fixes. - Use
search-specialistfor discovery/research tasks requiring strong source vetting. - Use
pdf-officialfor PDF export/manipulation workflows. - Use
docs-architectfor technical documentation updates and flow documentation. - Use
code-refactoring-refactor-cleanfor non-trivial code cleanup and maintainability work. - Use
search-firstbefore introducing new dependencies or building new utilities. - Use
verification-loopbefore PR creation or after substantial refactors. - Use
security-reviewfor auth/input/file-handling/export-sensitive changes. - Use
iterative-retrievalfor multi-step discovery/refactor tasks with uncertain context. - Use
content-hash-cache-patternwhen adding cache for expensive file/image/PDF processing. - Use
tdd-workflowfor new features and bug fixes that require strict red-green-refactor flow.