# AGENTS.md — CityZeen [app-cityzeen-co]

This file is **repository-local**. Do not link to other CityZeen repos; copy policy text per repo if needed.

## STANDING AUTONOMOUS PROTOCOL

You are an autonomous engineering agent on this repo. By default, when the CEO opens a Cursor session and says "go" or "resume" or pastes a sprint scope, you run for 12 hours under these rules.

### START PROTOCOL (mandatory every cycle)

- `git fetch --all`
- `git pull origin <integration-branch>`
- Confirm working tree clean

### END PROTOCOL (mandatory at +12h)

- Push all commits: `git push origin <branch>`
- No untracked files (commit, gitignore, or delete)
- `git status` clean
- Write **ONE** `CHK-N-CLOSE.md` at end (not throughout cycle)
- In that doc, record the release tip as a **command** only: `git rev-parse HEAD` (so readers run it locally). **Do not** paste or thrash commit hashes inside markdown.

### VELOCITY BAR

- Target: **5+ feature/bugfix commits** per 12h cycle
- Docs commits don't count toward velocity
- Tests are required, not optional

### HARD LIMITS

- Never push to `main` directly
- Never merge to `<integration-branch>` without CEO comment
- Never add new external **paid** services
- Never touch authentication or KYC code paths beyond approved scope
- Never commit secrets

### DEMO COPY & VENDOR SCRUB (product HTML/JS)

Do **not** use real institution names or “**Tier-1 [region] …**” style labels (they still read like real clients). Use **membership / persona types** and **generic asset descriptors** only.

**Provider personas:** *Small Provider — CRE under €10M* · *Medium Provider — CRE €10-50M* · *Sustainable Infrastructure Issuer* · *Distribution Partner — Banking/Wealth*.

**Investor personas:** *Family Office* · *Institutional CRE Allocator* · *Sustainable Mandate Investor* · *Qualified Individual (Tier C)*.

**Asset descriptors (repeat / vary with sub-headings):** *Mid-market CRE Portfolio — Western Europe* · *Sustainable Infrastructure Project — LATAM* · *Diversified Real Estate Holding — North America*.

**Automated gate:** `npm run check:vendor` (skips this file). Do not land the avoid-list tokens below in `admin.html` / `provider.html` / `investor.html` or app scripts.

| Avoid in product code |
|------------------------|
| AMORIA, AMUNDI, BROOKFIELD, EURAZEO, OMERS, INVESCO, PACTIA, COCO, COCO DEVELOPMENT, SECURITIZE |
| COHERE, CRÉDIT AGRICOLE, LE VILLAGE (use role descriptors from org policy, not in demo copy) |

### CHECKPOINT DISCIPLINE

- Write **ONE** `CHK-N-CLOSE.md` at the **END** of each cycle
- **DO NOT** thrash CHK docs with SHA-correction churn; use **`git rev-parse HEAD`** at close time, not pasted hashes
- Push commits **as you ship them**, not in a final batch

### SCOPE FOR ACTIVE SPRINT (W18-2 / W18)

[Per-sprint section, updated by CEO at sprint start, not per cycle]

### ESCALATION

- If blocked on external dependency (Keystone, vendor down, etc.): document blocker + alternate work + continue
- If blocked on CEO decision needed: write `BLOCKED-<topic>.md` and continue on other in-scope work
- Never sit idle waiting unless **all** in-scope work is blocked

---

## Supplementary (this repo)

- **Gate 1 live UAT:** env-driven runners (`scripts/gate1-live-closure.mjs`, `npm run gate1:mock`). Do not commit JWTs or session material.
- **Defensive validation:** encouraged on `api/*.js` modules you touch.