Phase 1 · Set up the AI System

Before you build or ship the app, you set up the AI System — the agent operating system that makes every later playbook step faster, safer, and reproducible. This section runs once per machine plus once per app.

Git policy

Each step that writes repo files ends with one structured commit on develop (C1–C6 below). author/v* stays vendor-only forever; Verify & gate is verify-only (no commit). The next section — Commit & freeze — adds the remote and pushes; it does not recreate the vendor baseline. Vendor rollback before C1 is _source/ on disk; after C1, diff against author-vX.X.X.

Commit	Step	Contains
C1	01 · Create the project	Pristine vendor + bootstrap .gitignore (also author/v* + tag)
C2	02 · Machine setup	.vscode/*.json + .claude/claude-mode/ + .claude/skills/zaj-laravel-codecanyon/
C3	03 · Project constitution	AGENTS.md, CLAUDE.md
C4	04 · Claude config	.claude/settings.json + guards
C5	05 · Rules & skills	.claude/rules/, .claude/skills/ (stack skills), .claude/agents/
C6	06 · Cursor & other IDEs	.mcp.json, .cursor/

Why the AI System comes first

A CodeCanyon app is someone else’s code. You will be reading unfamiliar vendor source, making surgical edits you must be able to find again at the next vendor update, and running destructive-capable commands (migrations, seeders, deploys). An agent that boots with a written constitution, the right permission mode, and a library of rules turns that risky work into a guided, gated, recoverable process. Set it up first; coast on it for the other ten phases.

What “the AI System” actually is

It’s a small set of plain-text files committed to the repo (plus a couple of gitignored personal ones) that any AI coding tool reads on startup:

• AGENTS.md — the one cross-tool contract every agent reads first (constitution).
• CLAUDE.md — thin pointer that sends Claude Code agents to the constitution.
• CLAUDE.local.md (gitignored) — your env cheat sheet on this machine: local .test URL, SSH alias, server IP, DNS zone ID, resolved PHP binary, deployment-phase scratch notes, and a pointer to where passwords live (Stored in: 1Password vault … or a gitignored credentials file path). Agents load it when the file exists; git never sees it, so teammates don’t inherit your paths or secret locations. Not team rules (AGENTS.md), not vendor edit history (_CUSTOMIZATIONS.md), not passwords themselves.
• IDE wiring — multi-tool config committed to the repo:
  • .mcp.json — project MCP servers (e.g. Laravel Boost).
  • .cursor/ — boot rule, skills, commands, agents, hooks (mirrors .claude/).
  • Gemini / Codex mirrors (optional) — thin pointers back to AGENTS.md.
• .claude/ folder — Claude Code project config (seeded by the kit); it contains:
  • .claude/settings.json — project-wide settings everyone shares (committed).
  • .claude/settings.local.json — your permission mode (strict / medium / yolo) plus personal model / thinking budget / auto-compact (gitignored).
  • .claude/rules/ — behavioral (feedback_*), reference (reference_*), and project context (project_context.md), seeded from the shared template set.
  • .claude/skills/ — reusable procedures, including the deployment orchestrator and stack skills.
  • .claude/hooks/ — PreToolUse guards (destructive commands, vendor edits) that run even in yolo mode.
  • .claude/claude-mode/ — strict · medium · yolo presets plus the mode switcher.

Once the kit is seeded (or you write the files by hand), the tree on disk looks like this:

• AGENTS.md cross-tool constitution (committed)
• CLAUDE.md thin pointer → AGENTS.md (committed)
• CLAUDE.local.md your env overlay — URLs, SSH, infra IDs, credential pointers (gitignored)
• .mcp.json MCP servers e.g. Laravel Boost (committed)
• Directory.vscode/

  • settings.json Intelephense excludes _source/ (committed)
  • extensions.json canonical PHP/Laravel extensions (committed)
• Directory.cursor/

  • rules/000-boot.mdc boots Cursor → constitution + .claude/rules/
  • Directoryskills/ deploy orchestrator + stack (mirror .claude/skills/)

    • …
  • commands/deploy-codecanyon.md orchestrator stub
  • Directoryagents/ project subagents (empty by default)

    • …
  • hooks.json destructive-command guard (via block-destructive.sh)
• Directory.claude/

  • settings.json project-wide (committed)
  • settings.local.json permission mode (gitignored)
  • Directoryrules/

    • feedback_* behavioral
    • reference_* stack reference
    • project_context.md
  • Directoryskills/ orchestrator + stack (committed)

    • …
  • Directoryhooks/ destructive + vendor-edit guards

    • …
  • Directoryclaude-mode/ strict · medium · yolo presets

    • …

flowchart TD
  Boot["Agent session start"] --> AG["AGENTS.md<br/>(cross-tool constitution)"]
  AG --> CL["CLAUDE.md (thin pointer)"]
  AG --> CLL["CLAUDE.local.md<br/>(gitignored personal notes)"]
  Boot --> S[".claude/settings.json (committed)"]
  Boot --> SL[".claude/settings.local.json<br/>(gitignored · permission mode)"]
  SL --> Hook["PreToolUse hook<br/>block-destructive.sh"]
  Boot --> R[".claude/rules/<br/>feedback_* · reference_* · project_*"]
  Boot --> SK[".claude/skills/<br/>deploy orchestrator + stack skills"]
  Boot --> CSK[".cursor/skills/ · commands/ · agents/<br/>(mirror Claude layers)"]
  Boot --> MCP[".mcp.json + .cursor/rules/ + hooks.json"]

CLAUDE.local.md

Copy CLAUDE.local.md.example from the AI-System kit. Personal overlay only: local URL, SSH, infra IDs, and pointers to secrets — never passwords. Team rules → AGENTS.md; shared progress → committed task-ledger.md.

The flow at a glance

0 / 7 done Reset

1. 1 Create the project & bring in the code
   Make the project folder, stage the CodeCanyon ZIP in _source/, bootstrap anchored .gitignore + git init, copy the app to root, prove nothing was missed with the rsync -ain completeness gate, commit the pristine vendor baseline (C1) on author/v* + tag, then write .vscode/ on disk (gitignored until C2). See Create the project.
2. 2 Machine setup (once per machine)
   Authenticate gh, register your MCP servers, copy claude-mode + the orchestrator into the project, then commit C2 (.vscode/ + machine tooling). See Machine setup.
3. 3 Write the project constitution
   AGENTS.md + thin CLAUDE.md + gitignored CLAUDE.local.md via a short onboarding interview, plus your credential store. See Project constitution.
4. 4 Configure Claude permissions + hooks
   Write .claude/settings.json, pick a permission mode, wire the destructive-command and vendor-edit guards, then commit C4. See Claude config.
5. 5 Seed rules + install skills
   Seed .claude/rules/ from the template set, drop the stack skills and deploy orchestrator into .claude/skills/, then restart. See Rules & skills.
6. 6 Wire the other IDEs
   .mcp.json (Laravel Boost), .cursor/rules/000-boot.mdc, optional Gemini/Codex mirrors. See Cursor & other IDEs.
7. 7 Verify + gate
   Run the verification checklist and fresh-session smoke test — verify-only (C1–C6 already on develop). See Verify & gate.

Skip the typing — use the kit

Everything below ships as a copy-paste template kit so you don’t hand-author these files. The kit reproduces the full set — AGENTS.md, CLAUDE.md, the .claude/ tree (settings, rules, skills, hooks), .mcp.json, the Cursor boot rule, and a seed.sh that drops it all into place.

Kit shortcut — constitution through Cursor

One command from your project root (after Create the project and Machine setup) carries you through constitution, Claude config, rules, and Cursor wiring:

curl -fsSL https://library.zajapps.com/kits/codecanyon-ai-system.tgz | tar -xz && bash seed.sh

Details in Project constitution (or browse the file map first). Still finish with Verify & gate.

➡️ CodeCanyon AI-System Kit — download, copy into the project root, run seed.sh, fill placeholders, restart your session.

The sub-pages explain what each file does and why so you can adapt it; the kit gives you the what ready-made.

Sub-steps

1 · Create the project Stage the ZIP, bootstrap git, copy app to root, rsync gate, and commit the pristine vendor baseline (C1).

2 · Machine setup Once per machine: gh auth, MCP, claude-mode kit, orchestrator — commit C2.

3 · Project constitution AGENTS.md, CLAUDE.md, onboarding interview, and credential store pointers.

4 · Claude config settings.json, permission mode, destructive + vendor-edit hooks — commit C4.

5 · Rules & skills Seed .claude/rules/, install stack skills and deploy orchestrator — commit C5.

6 · Cursor & other IDEs .mcp.json, Cursor boot rule, optional Gemini/Codex mirrors — commit C6.

7 · Verify & gate Verify-only checklist + fresh-session smoke test before Phase 2.

Canonical slug order (legacy 00-create-project retired):

Step	Slug
1	01-project-setup
2	02-machine-setup
3–7	03-project-constitution … 07-verify-and-gate

The committed vs gitignored split (read this once)

The single most important concept in this phase: which files travel with the repo and which stay on your machine.

File	Committed?	Why
AGENTS.md, CLAUDE.md	✅ C3	The shared contract — every teammate and every tool reads it
.claude/settings.json	✅ C4	Project-wide settings (e.g. disabledMcpjsonServers for project .mcp.json) everyone should share
.claude/claude-mode/	✅ C2	Permission-mode switcher + block-destructive hook tree
.claude/rules/**	✅ C5	Team-shared behavioral + reference rules — travel on clone
.claude/skills/**	✅ C5 (orchestrator at C2)	Reusable procedures; deploy orchestrator lands at C2, stack skills at C5
.mcp.json	✅ C6	Project MCP servers (e.g. Laravel Boost)
.vscode/*.json	✅ C2	Single-LSP editor config (written at Create the project, committed at machine setup)
.claude/settings.local.json	❌ Gitignored	Personal — permission mode + per-project model / thinking / auto-compact (overrides global for this repo)
CLAUDE.local.md	❌ Gitignored	Personal overlay — your local URL, SSH/hosting paths, zone IDs, credential-store pointer, phase scratch; never secrets or team rules
Secrets / .env*	❌ Gitignored	Never in the repo — use a secrets manager

Keep this split honest and the rest of the phase is mechanical.