Enterprise Example¶
Complete enterprise PromptScript deployment with central governance.
Architecture¶
flowchart TB
subgraph Central["Central Registry (GitHub)"]
org["@acme/base<br/>Organization standards"]
sec["@acme/security<br/>Security policies"]
comp["@acme/compliance<br/>Compliance rules"]
end
subgraph Teams["Team Registries"]
fe["@acme/frontend"]
be["@acme/backend"]
mobile["@acme/mobile"]
data["@acme/data"]
end
subgraph Projects["100+ Projects"]
p1["web-app"]
p2["api-gateway"]
p3["mobile-app"]
p4["data-pipeline"]
end
org --> fe
org --> be
org --> mobile
org --> data
sec --> fe
sec --> be
sec --> mobile
sec --> data
comp --> fe
comp --> be
fe --> p1
be --> p2
mobile --> p3
data --> p4Central Registry¶
Repository Structure¶
acme-promptscript-registry/
├── README.md
├── CHANGELOG.md
├── CODEOWNERS
├── @acme/
│ ├── base.prs # Organization base
│ ├── security.prs # Security standards
│ └── compliance.prs # Compliance (SOC2, GDPR)
├── @frontend/
│ ├── base.prs # Frontend team base
│ ├── react.prs # React-specific
│ └── vue.prs # Vue-specific
├── @backend/
│ ├── base.prs # Backend team base
│ ├── node.prs # Node.js
│ └── python.prs # Python
├── @mobile/
│ ├── base.prs
│ ├── ios.prs
│ └── android.prs
├── @data/
│ └── base.prs
└── @fragments/
├── testing.prs
├── documentation.prs
└── ci-cd.prs
acme/base.prs¶
@meta {
id: "@acme/base"
syntax: "1.0.0"
org: "ACME Corporation"
}
@identity {
"""
You are an AI coding assistant at ACME Corporation.
## Core Values
- **Quality First**: Write production-ready code
- **Security Always**: Security is not optional
- **User Focus**: Consider the end user
- **Team Player**: Write code others can maintain
## Standards
Follow ACME Engineering Standards v3.0
(https://wiki.acme.com/engineering-standards)
"""
}
@standards {
code: [
"Code review required with minimum 2 approvers",
"Document all public APIs",
"Add inline comments for complex logic",
"Write tests for all code (80% coverage)"
]
git: [
"Use conventional commits format",
"Branch naming: type/TICKET-description",
"Signed commits required"
]
deployment: [
"Environments: dev, staging, prod",
"Production requires team-lead and security approval"
]
}
@restrictions {
- "Never commit secrets, credentials, or API keys"
- "Never bypass code review for production changes"
- "Never deploy without passing CI/CD"
- "Never ignore security scanner findings"
- "Never use deprecated dependencies with known CVEs"
- "Never store PII in logs"
}
@shortcuts {
"/standards": "Review against ACME standards"
"/security": "Security review"
"/perf": "Performance review"
}
acme/security.prs¶
@meta {
id: "@acme/security"
syntax: "1.0.0"
}
@identity {
"""
Apply ACME security standards to all code.
Security is everyone's responsibility.
"""
}
@standards {
authentication: [
"Use OAuth 2.0 / OIDC",
"MFA required (TOTP or WebAuthn)",
"Session timeout: 3600 seconds",
"Enable refresh token rotation"
]
authorization: [
"RBAC with ABAC extensions",
"Apply least privilege principle",
"Audit logging required"
]
dataProtection: [
"Encrypt at rest with AES-256",
"Encrypt in transit with TLS 1.3",
"Mask PII in all outputs",
"Follow data classification for retention"
]
dependencies: [
"Daily vulnerability scanning",
"Critical vulnerabilities block deployment",
"High vulnerabilities: fix within 7 days",
"Medium vulnerabilities: fix within 30 days"
]
secrets: [
"Store in HashiCorp Vault",
"Rotate every 90 days",
"Never store secrets in code"
]
}
@restrictions {
- "Never store passwords in plain text"
- "Never log sensitive data (passwords, tokens, PII)"
- "Never use MD5 or SHA1 for security purposes"
- "Never disable TLS certificate verification"
- "Never use eval() or similar unsafe functions"
- "Never trust user input without validation"
- "Never expose stack traces in production"
- "Always use parameterized queries (no SQL concatenation)"
- "Always validate and sanitize file uploads"
- "Always implement rate limiting for APIs"
}
@knowledge {
"""
## Security Resources
- Security Guidelines: https://wiki.acme.com/security
- Incident Response: https://wiki.acme.com/incident-response
- Security Training: https://learn.acme.com/security
- Bug Bounty: https://hackerone.com/acme
## Contacts
- Security Team: security@acme.com
- Incident Hotline: +1-800-SEC-ACME
- Slack: #security-help
"""
}
@shortcuts {
"/threat-model": "Help create a threat model"
"/vuln-check": "Check for common vulnerabilities"
"/secure-code": "Review code for security issues"
}
acme/compliance.prs¶
@meta {
id: "@acme/compliance"
syntax: "1.2.0"
}
@identity {
"""
Ensure code meets ACME compliance requirements.
We are SOC 2 Type II and GDPR compliant.
"""
}
@standards {
soc2: [
"Logging required with 1 year retention",
"Tamper-proof audit logs",
"Access control documented and reviewed quarterly",
"Change management: documented, approved, tested"
]
gdpr: [
"Apply data minimization",
"Enforce purpose limitation",
"Consent management required",
"Support right to erasure",
"Enable data portability",
"Breach notification within 72 hours"
]
pci: [
"Applies to payment services only",
"Never store full PAN",
"Encryption required"
]
}
@restrictions {
- "Never process data beyond stated purpose"
- "Never retain data longer than necessary"
- "Always document data processing activities"
- "Always provide data subject rights mechanisms"
- "Never transfer data to non-approved regions"
}
@knowledge {
"""
## Compliance Resources
- Compliance Portal: https://compliance.acme.com
- Data Classification: https://wiki.acme.com/data-classification
- Privacy Policy: https://acme.com/privacy
## Data Classification
- **Public**: Marketing materials, public docs
- **Internal**: Internal communications, non-sensitive
- **Confidential**: Business data, customer info
- **Restricted**: PII, financial data, credentials
## Regional Requirements
- EU: GDPR compliance required
- California: CCPA compliance required
- Healthcare: HIPAA where applicable
"""
}
frontend/base.prs¶
@meta {
id: "@frontend/base"
syntax: "3.0.0"
team: "Frontend Platform"
}
# In a multi-file setup, you would inherit and use:
@inherit @acme/base
@use @acme/security
@use @acme/compliance
@identity {
"""
You are a frontend developer at ACME.
## Expertise
- Modern JavaScript/TypeScript
- React ecosystem
- Web performance optimization
- Accessibility (WCAG 2.1 AA)
- Design systems
"""
}
@context {
"""
## Frontend Platform Stack
- **Framework**: React 18
- **Language**: TypeScript 5
- **Build**: Vite 5
- **Styling**: TailwindCSS + @acme/design-tokens
- **State**: React Query + Zustand
- **Testing**: Vitest + Testing Library + Playwright
- **Components**: @acme/ui (shared design system)
## Architecture
- Feature-based folder structure
- Micro-frontends for large apps
- Module federation for sharing
- API client generation from OpenAPI
## Key Resources
- Design System: https://design.acme.com
- Component Library: https://ui.acme.com
- Frontend Wiki: https://wiki.acme.com/frontend
"""
}
@standards {
code: [
"Use React 18+ framework",
"TypeScript in strict mode",
"Functional components with hooks and composition",
"React Query for server state, Zustand for client",
"TailwindCSS with @acme/design-tokens"
]
performance: [
"Initial bundle < 200KB gzipped",
"Per-route code splitting",
"LCP < 2.5s, FID < 100ms, CLS < 0.1"
]
accessibility: [
"WCAG 2.1 AA compliance",
"Automated testing with axe-core",
"Manual testing required for new features",
"Support keyboard navigation and screen readers",
"Ensure color contrast and focus management"
]
testing: [
"Unit tests with Vitest (80% coverage)",
"Integration tests with Testing Library",
"E2E tests with Playwright for happy paths"
]
}
@restrictions {
- "Never use class components"
- "Never use any type without documentation"
- "Never ignore accessibility requirements"
- "Never skip loading/error states"
- "Never hardcode URLs or config values"
- "Never use inline styles (use Tailwind)"
}
@shortcuts {
"/component": """
Create a new React component with:
- TypeScript interface for props
- Unit tests
- Storybook story
- Accessibility considerations
"""
"/hook": "Create a custom React hook with tests"
"/test": """
Write tests using:
- Vitest for unit tests
- Testing Library for integration
- Proper mocking patterns
"""
"/a11y": "Review for accessibility issues"
"/perf": "Review for performance issues"
}
Project Configuration¶
Example Project¶
# checkout-app/promptscript/project.prs
@meta {
id: "checkout-app"
syntax: "2.1.0"
}
# In a multi-file setup, you would inherit from frontend base:
@inherit @frontend/base
@context {
project: "Checkout Application"
repository: "github.com/acme/checkout-app"
team: "Commerce"
productOwner: "Jane Smith"
techLead: "John Doe"
"""
## Overview
Multi-step checkout flow for ACME e-commerce platform.
Handles cart review, shipping, payment, and confirmation.
## Key Integrations
- Payment: Stripe Elements
- Shipping: ShipEngine API
- Tax: Avalara
- Analytics: Segment + Mixpanel
## Architecture
- Micro-frontend (Module Federation)
- Shared shell: @acme/commerce-shell
- Feature flags: LaunchDarkly
"""
}
@extend standards {
payment: {
provider: "Stripe"
pciCompliance: true
neverStoreCardData: true
}
}
@knowledge {
"""
## API Endpoints
### Cart Service (cart.acme.com)
- GET /cart - Get current cart
- PUT /cart/items/:id - Update item
- DELETE /cart/items/:id - Remove item
### Checkout Service (checkout.acme.com)
- POST /checkout/start - Initialize checkout
- PUT /checkout/:id/shipping - Set shipping
- PUT /checkout/:id/payment - Process payment
- POST /checkout/:id/complete - Complete order
## Feature Flags
- checkout-apple-pay: Apple Pay integration
- checkout-express: One-click checkout
- checkout-affirm: Affirm financing
## Error Codes
- CART_EMPTY: Cart has no items
- SHIPPING_UNAVAILABLE: Cannot ship to address
- PAYMENT_DECLINED: Payment failed
- INVENTORY_ERROR: Item out of stock
"""
}
@shortcuts {
"/checkout-flow": "Help with checkout flow implementation"
"/payment": "Help with Stripe payment integration"
"/shipping": "Help with shipping calculation"
"/cart": "Help with cart management"
}
Project Config¶
# checkout-app/promptscript.yaml
input:
entry: promptscript/project.prs
registry:
url: https://github.com/acme/promptscript-registry
auth:
token: ${GITHUB_TOKEN}
targets:
github:
enabled: true
output: .github/copilot-instructions.md
claude:
enabled: true
output: CLAUDE.md
cursor:
enabled: true
output: .cursor/rules/project.mdc
validation:
strict: true
rules:
require-knowledge: warning
watch:
debounce: 300
Governance¶
CODEOWNERS¶
# Registry CODEOWNERS
* @acme/platform-team
# Organization base requires security review
@acme/base.prs @acme/security-team @acme/platform-team
@acme/security.prs @acme/security-team
@acme/compliance.prs @acme/compliance-team @acme/legal
# Team bases require team lead approval
@frontend/ @acme/frontend-leads
@backend/ @acme/backend-leads
@mobile/ @acme/mobile-leads
PR Template¶
## PromptScript Registry Change
### Type
- [ ] Organization policy update
- [ ] Team configuration update
- [ ] New fragment
- [ ] Bug fix
### Breaking Change?
- [ ] Yes - includes migration guide
- [ ] No
### Checklist
- [ ] Updated version in @meta
- [ ] Added CHANGELOG entry
- [ ] Tested with sample project
- [ ] Notified affected teams
CI/CD¶
Registry CI¶
# .github/workflows/registry-ci.yml
name: Registry CI
on:
push:
branches: [main]
pull_request:
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install PromptScript
run: npm install -g @promptscript/cli
- name: Validate all files
run: |
for file in $(find . -name "*.prs"); do
echo "Validating $file..."
prs validate "$file" --strict
done
- name: Check for circular dependencies
run: ./scripts/check-circular-deps.sh
test-projects:
runs-on: ubuntu-latest
needs: validate
strategy:
matrix:
project: [sample-frontend, sample-backend, sample-mobile]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: acme/${{ matrix.project }}
path: test-project
- name: Install PromptScript
run: npm install -g @promptscript/cli
- name: Compile test project
working-directory: test-project
run: prs compile
env:
PROMPTSCRIPT_REGISTRY: ${{ github.workspace }}
Project CI¶
# Project .github/workflows/promptscript.yml
name: PromptScript
on:
push:
paths:
- 'promptscript/**'
- 'promptscript.yaml'
pull_request:
paths:
- 'promptscript/**'
- 'promptscript.yaml'
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install PromptScript
run: npm install -g @promptscript/cli
- name: Validate
run: prs validate --strict
env:
GITHUB_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
- name: Ensure compiled files are up to date
run: |
prs compile
if ! git diff --exit-code; then
echo "::error::Generated files are out of date"
echo "Run 'prs compile' and commit the changes"
exit 1
fi
env:
GITHUB_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
Metrics & Monitoring¶
Adoption Dashboard¶
Track across the organization:
# metrics-config.yaml
metrics:
- name: projects_with_promptscript
query: count(repos with promptscript.yaml)
- name: registry_update_frequency
query: commits per week to registry
- name: validation_error_rate
query: CI failures due to promptscript validation
- name: average_inheritance_depth
query: avg(@inherit chain length)
Best Practices Summary¶
Organization Base
Keep @acme/base focused on universal policies that apply everywhere.
Security Integration
Always @use @acme/security in team bases, never skip security.
Version Management
Tag registry releases and pin versions in production projects.
Breaking Changes
Major version bumps require migration guides and team notification.
Review Process
All registry changes need appropriate CODEOWNER approval.
Rollout Timeline¶
| Phase | Duration | Goals |
|---|---|---|
| Pilot | 4 weeks | 3 teams, feedback collection |
| Team Rollout | 8 weeks | All teams onboarded |
| Mandatory | Ongoing | Required for new projects |
| Full Migration | 6 months | All existing projects migrated |