CodeCanyon AI System kit

The companion kit for Phase 1 · Set up the AI System. Copy its contents into a fresh CodeCanyon Laravel project root, run seed.sh, and you have the full agent operating system: a cross-tool constitution, Claude permission modes with a destructive-command blocker, the universal rule set, and Cursor/Gemini/Codex wiring.

Install

# 1. Copy the kit's CONTENTS into your project root, then:
bash seed.sh        # renames dot-* → real dotfiles, materializes project_context.md
# 2. Follow the printed steps: fill <placeholders>, pick a mode, RESTART the session.

Why the dot- prefix

Static hosting mangles leading-dot files, so the kit ships dot-claude/, dot-mcp.json, dot-cursor/ etc. seed.sh renames every dot-* back to its real dotfile (depth-first, so parent renames don’t break nested ones like dot-claude/dot-gitignore → .claude/.gitignore).

What’s inside

• AGENTS.md cross-tool constitution (canonical)
• CLAUDE.md thin pointer → AGENTS.md
• CLAUDE.local.md.example personal env (gitignored after copy)
• dot-mcp.json → .mcp.json (Laravel Boost)
• dot-cursorignore → .cursorignore
• Directorydot-cursor/

  • rules/000-boot.mdc Cursor boot rule → constitution
• Directorydot-claude/ → .claude/

  • settings.json project-wide (committed)
  • settings.local.json.example personal mode (gitignored)
  • dot-gitignore → .gitignore
  • Directoryrules/ 32 universal rules + project_context template + seeder

    • …
  • Directoryskills/ install deploy orchestrator + stack skills

    • …
  • commands/deploy-codecanyon.md orchestrator stub
  • hooks/vendor-edit-reminder.sh advisory vendor-edit guard
  • Directoryagents/ project subagents (empty)

    • …
  • Directoryclaude-mode/ switcher + block-destructive hook + 3 presets

    • …
• seed.sh the installer
• MANIFEST.md full file map + committed/gitignored split

Browse the kit files →

The constitution (AGENTS.md)

Every agent reads this first. The canonical, tool-agnostic contract:

# AGENTS.md — <AppName>
> Cross-tool constitution. Every AI agent reads this FIRST.

## Read first (the read-set)
1. AGENTS.md   2. .claude/rules/   3. CLAUDE.local.md   4. _CUSTOMIZATIONS.md

## Safety rules (non-negotiable)
- Tinker: never CUD records without explicit approval; prefer read-only SQL.
- Vendor files: never modify vendor/; log deviations in _CUSTOMIZATIONS.md.
- Migrations: guard with hasTable/hasColumn; never fresh|wipe|reset on shared data.
- .env: always double-quote values (special chars truncate unquoted).
- Secrets: never echo secret chars into a session; use the secrets manager.
- Post-change: run `git diff --name-only` and report before committing.

Permission modes + the hard-block hook

claude-mode/ ships three presets and a switcher. The PreToolUse hook runs above the permission system — it blocks destructive commands even in bypassPermissions (yolo) mode:

./.claude/claude-mode/bin/set-claude-mode.sh medium   # strict | medium | yolo | show

# the hook hard-blocks (exit 2) regardless of mode:
echo '{"tool":"Bash","input":{"command":"rm -rf /"}}' \
  | ./.claude/claude-mode/hooks/block-destructive.sh   # → BLOCKED, exit 2

| Mode | defaultMode | Use when | |---|---|---| | strict | plan | Security/deploy/review — read-only | | medium | acceptEdits | Default for active dev | | yolo | bypassPermissions | Local refactors — never prod/real creds |

Universal rules (.claude/rules/)

32 committed rules — behavioral (feedback_*) and reference (reference_*) — loaded at every session start: vendor-handling traps, the ZAJ:BEGIN/END customization-ownership system, Laravel execution patterns, secret/Stripe safety, i18n gotchas, and the rule-persistence protocol. See the rules & skills step for the full catalog.

Full walkthrough

The six Phase 1 steps explain every file and the reasoning behind it:

1. Machine setup
2. Project constitution
3. Claude config
4. Rules & skills
5. Cursor & other IDEs
6. Verify & gate