Engineering Playbook

AGENTS.md — build & deploy conventions

This file is a contract. Any AI coding session (Claude Code, Cursor, Copilot, v0, …) working in a repo that vendors this file MUST follow it. The human-readable version is HANDBOOK.md. Source of truth lives in the engineering-playbook repo — do not diverge a project's copy silently.

Using this in a project

Copy this file to the repo root. Add a one-line CLAUDE.md that says See AGENTS.md. Then set these two lines for the project and delete the others:

DEPLOY CLASS:  container-image | managed-source
DEPLOY TARGET: coolify | digitalocean | render | fly | railway | vercel | cloudflare | netlify | <other-in-class>

Everything in Core applies to every project. Then apply the one deploy class that matches. The per-target notes at the end are just reminders for named instances — the class section is what's binding.


Core — every project, every stack

The loop (trunk-based)

AI-assisted work

Secrets

Dependencies

Gates (block the merge; run them locally before you push)

Wire these as required status checks and protect main (no direct pushes, no merge while red):

  1. format + lint (Biome, or ESLint + Prettier)
  2. type-check (tsc --noEmit)
  3. tests (unit/component; end-to-end where they exist)
  4. content/schema validation where the project has it
  5. build

Security scanning is part of the pipeline too — see your deploy class for where it runs.

Language


Deploy class: container-image

Coolify · DigitalOcean App Platform (image mode) · a VPS/Droplet + Docker · Render · Fly.io · Railway · Kamal

Principle — build once, scan the artefact, the platform pulls it. CI builds one image, scans that image, pushes it to a registry; the host pulls the exact tag. Never build on the production box: you'd ship something you never scanned, and heavy builds crash small hosts.

Deploy class: managed-source

Vercel · Cloudflare (via the OpenNext adapter) · Netlify

Principle — the platform builds from your repo. Git integration gives per-PR previews and trunk→production automatically. There is no image, so the "scan the artefact" gate is replaced by source + dependency scanning in CI.


Per-target reminders (instances of the classes above)

Target Class Deploy Previews DB option Watch out for
Coolify container-image pulls GHCR image built-in per-PR Postgres as a separate resource docker login PAT; single-container shape; no port mapping
DigitalOcean container-image (App Platform image / Droplet+Docker) image or source Preview Apps via a GH Action managed PG add-on or Neon Preview Apps need the delete-action to clean up on close
Render / Fly / Railway container-image pulls image per-PR (varies) managed PG / external confirm health-check + single-container assumptions
Vercel managed-source git integration automatic Neon (marketplace) Vercel Postgres/KV retired; pin the framework preset
Cloudflare managed-source OpenNext build Pages/Workers git previews Neon via Hyperdrive, or D1 Next version floor; adapter feature caveats
Netlify managed-source git integration automatic external (Neon/Supabase) confirm the Next adapter covers the features you use

Any other host: ask does CI hand over an image, or does the platform build from source? → apply that class. Do not special-case per vendor beyond this table.