PromptScript¶
One source. Every AI agent.
Prompt-as-code with inheritance, validation, and a versioned registry. Compiled to 37 targets.
Get Started in 5 Minutes See All 37 Formatters Enterprise Guide GitHub
# Checkout Service v2.1
← @acme/platform
← @stacks/node-typescript
## Identity
Senior Engineer specializing in the
Checkout Service.
## Tech Stack
TypeScript 5.x · Node 20+ · PostgreSQL
Prisma ORM · Zod · Vitest
## Standards
✓ Strict mode, no `any`
✓ Zod for all input validation
✓ 90% test coverage target
✓ Conventional Commits
## Security
⛔ Never log PII or card data
⛔ Parameterized SQL only
⛔ No secrets in source code
## Commands
/review Security code review
/migrate Safe DB migration
## Skills
► security-audit OWASP scan---
mode: agent
tools: [codebase, terminal]
description: Security code review
---
Perform security-focused code review
on the Checkout Service.
Check for:
• SQL injection vulnerabilities
• XSS attack vectors
• Exposed secrets and API keys
• Input validation gaps
• IDOR vulnerabilities---
mode: agent
tools: [terminal, codebase]
description: Database migration
---
Generate Prisma migration safely.
Steps:
1. Analyze schema changes
2. Generate migration file
3. Review for data loss risks
4. Create rollback plan
5. Validate with dry run---
name: security-audit
description: OWASP vulnerability scan
---
# Security Audit
Run a comprehensive OWASP Top 10 scan.
Scan for:
• Injection (SQL, NoSQL, OS)
• Broken authentication
• Sensitive data exposure
• Security misconfiguration
• Insecure dependencies# Checkout Service v2.1
← @acme/platform
← @stacks/node-typescript
## Identity
Senior Engineer specializing in the
Checkout Service.
## Tech
TypeScript 5.x · Node 20+ · Prisma
Zod validation · Vitest
## Commands
/review Security code review
/migrate Safe DB migration
## Standards
✓ Strict mode, no `any`
✓ Zod for all input validation
✓ Conventional Commits
## Don'ts
✗ Don't log PII or card data
✗ Don't use raw SQL queries
✗ Don't commit secretsPerform security-focused code review
on the Checkout Service.
Check for:
• SQL injection vulnerabilities
• XSS attack vectors
• Exposed secrets and API keys
• Input validation gaps
• IDOR vulnerabilitiesGenerate Prisma migration safely.
Steps:
1. Analyze schema changes
2. Generate migration file
3. Review for data loss risks
4. Create rollback plan
5. Validate with dry run---
name: security-audit
description: OWASP vulnerability scan
---
# Security Audit
Run a comprehensive OWASP Top 10 scan.
Scan for:
• Injection (SQL, NoSQL, OS)
• Broken authentication
• Sensitive data exposure
• Security misconfiguration---
description: Checkout Service v2.1
globs: ["src/**/*.ts"]
alwaysApply: true
---
# Checkout Service
← @acme/platform
← @stacks/node-typescript
## Identity
Senior Engineer specializing in the
Checkout Service.
## Stack
TypeScript 5.x · Node 20+ · Prisma
Zod validation · Vitest
## Standards
✓ Strict mode, no `any`
✓ Zod for all input validation
✓ 90% test coverage
## Security
⛔ Never log PII or card data
⛔ Parameterized queries only
⛔ No secrets in source code---
description: OWASP vulnerability scan
globs: ["src/**/*.ts"]
---
# Security Audit
Run a comprehensive OWASP Top 10 scan.
Scan for:
• Injection (SQL, NoSQL, OS)
• Broken authentication
• Sensitive data exposure
• Security misconfiguration
• Insecure dependencies# Checkout Service v2.1
← @acme/platform
← @stacks/node-typescript
## Identity
Senior Engineer specializing in the
Checkout Service.
## Tech
TypeScript 5.x · Node 20+ · Prisma
Zod validation · Vitest
## Standards
✓ Strict mode, no `any`
✓ Zod for all input validation
✓ Conventional Commits
## Security
⛔ Never log PII or card data
⛔ Parameterized queries only
⛔ No secrets in source code# Checkout Service Agent v2.1
← @acme/platform
← @stacks/node-typescript
## Role
Senior Engineer specializing in the
Checkout Service.
## Commands
/review Security code review
/migrate Safe DB migration
## Handoffs
➜ security-audit OWASP scan
## Standards
✓ Strict mode, no `any`
✓ Zod for all input validation---
name: security-audit
description: OWASP vulnerability scan
---
# Security Audit
Run a comprehensive OWASP Top 10 scan.
Scan for:
• Injection (SQL, NoSQL, OS)
• Broken authentication
• Sensitive data exposure
• Security misconfiguration# Checkout Service v2.1
← @acme/platform
← @stacks/node-typescript
## Identity
Senior Engineer specializing in the
Checkout Service.
## Tech
TypeScript 5.x · Node 20+ · Prisma
## Commands
/review Security code review
/migrate Safe DB migration
## Skills
▶ security-audit OWASP scan
## Standards
✓ Strict mode, no `any`
✓ Zod for all input validationPerform security-focused code review
on the Checkout Service.
Check for:
• SQL injection vulnerabilities
• XSS attack vectors
• Exposed secrets and API keys
• Input validation gaps
• IDOR vulnerabilities---
name: security-audit
description: OWASP vulnerability scan
---
# Security Audit
Run a comprehensive OWASP Top 10 scan.
Scan for:
• Injection (SQL, NoSQL, OS)
• Broken authentication
• Sensitive data exposure# Checkout Service v2.1
← @acme/platform
← @stacks/node-typescript
## Identity
Senior Engineer specializing in the
Checkout Service.
## Tech
TypeScript 5.x · Node 20+ · Prisma
## Commands
/review Security code review
/migrate Safe DB migration
## Don'ts
✗ Don't log PII or card data
✗ Don't use raw SQL queries
✗ Don't commit secrets[command]
name = "review"
description = "Security code review"
[command.steps]
action = "review"
# Check for:
# SQL injection vulnerabilities
# XSS attack vectors
# Exposed secrets/API keys
# Input validation gaps---
name: security-audit
description: OWASP vulnerability scan
---
# Security Audit
Run a comprehensive OWASP Top 10 scan.
Scan for:
• Injection (SQL, NoSQL, OS)
• Broken authentication
• Sensitive data exposureWhy PromptScript?
Enterprise-grade features for managing AI instructions at scale
Write Once, Compile to 37 AI Agents
Define standards in PromptScript. Compile to GitHub Copilot, Claude Code, Cursor, Windsurf, Cline, Roo Code, and 31 more. Add new agents without rewriting.
37 agents and counting - see all supported formatters
Hierarchical Inheritance at Scale
Org-wide policies inherit into team standards, which inherit into projects. Change once at the top, propagate everywhere.
Audit Trails & Policy Enforcement
Every standard versioned and traceable. Run prs validate --strict in CI to block non-compliant configs before production.
Your Private Standards Registry
Host standards in a private Git registry. Teams inherit from @company/security, @company/react-app - your standards, your control.
CI/CD Pipeline Integration
Add prs compile --check to your pipeline. Detect drift, enforce standards, fail builds on non-compliance.
Zero-Touch Rollout to 100+ Repos
Update a security policy once. Every repo gets the latest standards compiled to every AI tool - no manual PRs.
Zero Learning Curve
A PromptScript language skill is automatically compiled into your AI agents. They learn the syntax and manage your .prs files for you — just ask in plain language.
Import from Anywhere
Use packages from Git repositories - or import skills directly from any AI coding plugin
# Company-wide security rules
@use @company/security
# Team-specific standards
@use @company/standards/code-quality
# Open-source skills (auto-discovered from SKILL.md)
@use github.com/some-org/claude-skills/skills/tdd-workflow
# Pin to a version
@use @company/security@^1.0.0
Configure aliases once, use everywhere:
# promptscript.yaml
registries:
'@company': github.com/acme/promptscript-base
'@team': github.com/acme/team-frontend
Zero infrastructure required - uses Git directly. Private repo? Your existing SSH keys and tokens just work.
The Problem: AI Instructions Don't Scale
Your organization adopted AI coding tools. Without infrastructure, every team configures differently.
Scale Problem
Updating a security policy across 100 microservices takes weeks of manual PRs. One change = 100 commits.
Tool Fragmentation
Your teams use Copilot, Claude, and Cursor. Each has its own format. Keeping them in sync is a full-time job.
Governance Void
No audit trail. Junior devs miss critical security context. Unvetted instructions everywhere.
Vendor Lock-in Risk
You went all-in on Cursor rules. Now leadership evaluates Claude Code. Rewriting 200 repos is not an option.
The Solution: PromptOps
PromptOps is the practice of managing AI instructions as versioned, auditable infrastructure. Treat your AI instructions as managed infrastructure - compiled, validated, and deployed.
flowchart TB
subgraph org["🏢 Organization Registry"]
direction TB
OrgSec["@company/security<br/>(Security team)"]
OrgTS["@company/typescript<br/>(Platform team)"]
OrgJava["@company/java<br/>(Platform team)"]
end
subgraph teams["👥 Team Standards"]
direction TB
Backend["@backend/standards"]
Frontend["@frontend/standards"]
Data["@data/standards"]
end
subgraph projects["📦 Project Repos (100+)"]
direction TB
P1["checkout-service/.prs"]
P2["user-api/.prs"]
P3["dashboard/.prs"]
Pn["...more repos"]
end
OrgSec --> Backend & Frontend & Data
OrgTS --> Backend & Frontend
OrgJava --> Data
Backend --> P1 & P2
Frontend --> P3
Data --> Pn
subgraph compile["⚙️ prs compile"]
Compiler
end
P1 & P2 & P3 --> Compiler
Compiler --> Copilot["GitHub Copilot"]
Compiler --> Claude["Claude Code"]
Compiler --> Cursor["Cursor"]
Compiler --> Antigravity["Antigravity"]
Compiler --> Factory["Factory AI"]
Compiler --> OpenCode["OpenCode"]
Compiler --> Gemini["Gemini CLI"]
Compiler --> CI["CI/CD Audit"]See It In Action
Write once, compile to all major AI tools
@meta { id: "checkout-service" syntax: "1.0.0" }
@inherit @company/backend-standards
@identity {
"""
You are an expert Fullstack Engineer working on the Checkout Service.
This service handles payments using hexagonal architecture.
"""
}
@standards {
typescript: [
"Strict mode enabled",
"Never use any type"
]
testing: [
"Use vitest as test framework",
"Maintain 90% code coverage"
]
}
@restrictions {
- "Never expose API keys in code"
- "Never skip input validation"
}
@shortcuts {
"/review": "Security-focused code review"
"/test": "Write unit tests with Vitest"
}
@skills {
security-audit: {
description: "Audit code for vulnerabilities"
content: "Check for: SQL injection, XSS, IDOR, PII leaks."
}
}
Generated file tree:
.github/
├── copilot-instructions.md
├── prompts/
│ ├── review.prompt.md
│ └── test.prompt.md
└── copilot-skills/
└── security-audit.md
.github/copilot-instructions.md
# GitHub Copilot Instructions
> Auto-generated from project.prs
## Project
You are an expert Fullstack Engineer working on the Checkout Service.
This service handles payments using hexagonal architecture.
## Code Standards
- TypeScript: strict mode, no `any` types
- Testing: vitest, 90% coverage
## Restrictions
- Never expose API keys in code
- Never skip input validation
<!-- Inherited from @company/backend-standards -->
.github/prompts/review.prompt.md
---
mode: agent
description: Security-focused code review
---
Perform a security-focused code review on the selected code.
Check for: SQL injection, XSS, IDOR, PII leaks.
.github/prompts/test.prompt.md
---
mode: agent
description: Write unit tests with Vitest
---
Write comprehensive unit tests for the selected code using Vitest.
Target coverage: 90%.
.github/copilot-skills/security-audit.md
Generated file tree:
CLAUDE.md
# CLAUDE.md
## Project
You are an expert Fullstack Engineer working on the Checkout Service.
This service handles payments using hexagonal architecture.
## Code Style
- Strict TypeScript, no `any`
- Testing: vitest, >90% coverage
## Don'ts
- Don't expose API keys in code
- Don't skip input validation
## Commands
/review - Security-focused code review
/test - Write unit tests with Vitest
.claude/skills/review.md
---
name: review
description: Security-focused code review
---
Perform a security-focused code review.
Check for: SQL injection, XSS, IDOR, PII leaks.
.claude/skills/test.md
---
name: test
description: Write unit tests with Vitest
---
Write comprehensive unit tests using Vitest.
Target coverage: 90%.
.claude/skills/security-audit.md
Generated file tree:
.cursor/rules/checkout-service.mdc
---
description: Checkout Service standards
globs: ["src/**/*.ts"]
alwaysApply: true
---
You are working on the Checkout Service.
This service handles payments using hexagonal architecture.
## Code Style
- TypeScript: strict mode, no `any`
- Testing: vitest, 90% coverage
## Never
- Expose API keys in code
- Skip input validation
.cursor/rules/security-audit.mdc
Generated file tree:
.agent/rules/checkout-service.md
---
description: Checkout Service standards
activation: always
---
You are working on the Checkout Service.
This service handles payments using hexagonal architecture.
## Code Style
- TypeScript: strict mode, no `any`
- Testing: vitest, 90% coverage
## Never
- Expose API keys in code
- Skip input validation
.agent/rules/security-audit.md
Before & After
See the difference PromptScript makes
Maintain separate config files for each AI tool in every repo:
.github/copilot-instructions.md # GitHub Copilot
CLAUDE.md # Claude Code
.cursor/rules/project.mdc # Cursor
AGENTS.md # Codex / Factory
GEMINI.md # Gemini CLI
- No validation - instructions drift silently
- No inheritance - copy-paste across repos
- No audit trail - who changed what?
- Switching tools = rewrite instructions, READMEs, and docs everywhere
Write one .prs file, compile to all 37 agents:
@meta { id: "my-project" syntax: "1.0.0" }
@inherit @company/standards
@identity { """You are an expert developer.""" }
- Validated at compile time and in CI/CD
- Hierarchical inheritance from org → team → project
- Full audit trail via Git
- New tools supported automatically
See It Live
Try PromptScript right in your browser - no installation needed
Video walkthrough coming soon
Join the Community
PromptScript is open source and early-adopter friendly
We're building the future of AI instruction management in the open.
Ready to Standardize Your AI Instructions?
Join engineering teams using PromptScript to manage AI context at scale
Get Started in 5 Minutes Enterprise? Let's Talk View on GitHub