This guide applies to every CHNAI LAB repository. We are an AI-native team: everyone builds with AI agents (Claude Code, Copilot, etc.), so our workflow is designed to keep agent-speed development traceable, reviewable, and safe.
For agent-specific rules, also read AGENTS.md and
docs/AI_AGENT_WORKFLOW.md. For sensitive work,
read SECURITY.md before you share context with any tool.
mainis always deployable. Nobody — human or agent — commits directly tomain. All work lands through pull requests.- Every change traces to an issue. If it's worth doing, it's worth an
issue. PRs link their issue with
Closes #N. - Small PRs win. One PR = one concern. A reviewer (human or agent) should understand it in under 10 minutes.
- Agents are teammates, humans are owners. An agent can write the code, but a human opens the PR, verifies the result, and is accountable for it.
Issue → Branch → Build (with your agent) → PR → Review → Squash-merge → Delete branch
- Pick or open an issue describing the problem/outcome (not the code).
- Branch from fresh
main:git checkout main && git pull --rebase origin main git checkout -b feat/42-lesson-progress - Build. Point your agent at the issue. Keep commits small and coherent.
- Open a PR early (draft is fine). Fill in the template — especially How it was verified and AI involvement.
- Review. At least one other human approves product-repo PRs. Review the behavior and risk, not just the diff — agents produce plausible-looking code; verify it actually runs.
- Squash-merge, then delete the branch. The issue closes automatically.
- Accept the CHNAI LAB org invite.
- Turn on GitHub two-factor authentication.
- Confirm which product repos you can access.
- Clone only the repo assigned to your task.
- Ask your AI agent to read the org guide and the repo guide before editing.
- Open a small first PR: docs, test, bug fix, or one isolated feature slice.
Use this first prompt for any agent:
Read AGENTS.md, CONTRIBUTING.md, SECURITY.md, README.md, and CLAUDE.md if it
exists. Summarize the repo rules, product boundary, checks, and risk before
editing. Do not use secrets. Work on a branch. Keep the change small and prepare
a PR summary with verification.
- Branch names:
feat/<issue>-slug,fix/<issue>-slug,chore/…,docs/…— e.g.fix/17-pos-change-due. - Commits follow Conventional Commits:
feat: …,fix: …,chore: …,docs: …,refactor: …,test: …. - When an AI agent authored the code, keep its co-author trailer in the commit
(e.g.
Co-Authored-By: Claude <[email protected]>). This is how we keep agent work honest and searchable later.
- Agents work on branches, never on
main. Configure your agent's working directory on a feature branch before it starts editing. - Give agents context, not secrets. Each repo keeps a
CLAUDE.md/AGENTS.mdwith project context, commands, and conventions so any teammate's agent onboards instantly. Never paste tokens, customer data, or credentials into prompts, commits, or agent context files. - Verify before you push. "The agent said it works" is not verification. Run the app / tests yourself and record what you did in the PR's How it was verified section.
- One agent session ≈ one branch. If your agent pivots to a different concern, open a new issue and branch instead of growing the PR.
- Record AI involvement in the PR. Say which agent helped, what it changed, what a human reviewed, and what commands or screens proved the result.
- Sync before you push:
git pull --rebase origin main(rebase, don't merge, so history stays linear). - Never
git push --forcea shared branch. On your own PR branch,--force-with-leaseonly. - Push at least daily on active branches — unpushed work is invisible to the team and to reviewers.
- Delete branches after merge (GitHub offers the button; take it).
- Dependabot PRs: whoever owns the repo that week reviews/merges them; don't let them pile up.
- Org owners (founders) administer repos, settings, and merges to
main. - Members get
writethrough product teams on the repos they build; they work through PRs like everyone else. - New teammates join the chnai-lab org (not personal-repo invites), so access is managed in one place.
- Outside collaborators are temporary. If someone is joining the team, invite them to the org and assign repo access through a product team.
Reviewers check:
- The issue and PR match.
- The agent followed the repo guide.
- The change is small enough to review.
- The verification is real.
- Public/private boundaries are respected.
- Claims are supported and conservative.
Before you merge, your PR should answer — from the PR page alone, without asking you:
- What issue does this close?
- What changed, in one paragraph?
- How was it verified (commands run, screenshots, test output)?
- What did the AI agent do vs. what did the human check?
- Did the change avoid secrets, private user data, and overbroad public claims?