BezelIQ Studio policy
internal prototype · canonical JSON + Dreamborn Forge HTML
internal generated
policy · supabase_json

BezelIQ Studio policy

policy artifact · for BezelIQ Studio · status approved

Planning Surface

Use this to decide what happens next.

Status

approved

rules
idcheckcategoryseverityrationaleapplies to
no-external-fontsgrep -r 'fonts.googleapis.com\|fonts.gstatic.com\|typekit.net\|use.typekit' {output_dir}/securityhardPrivacy, performance, and offline reliability. Dreamborn Forge self-hosts DM Sans and Fira Code.frontend
forge-tokens-onlygrep -rn '#[0-9a-fA-F]\{3,6\}\|rgb(\|rgba(' {output_dir}/src/ --include='*.vue' --include='*.css'typographyhardDesign system consistency. Hardcoded values diverge from the design system and break theme coherence.frontend
forge-register-attributegrep -r "data-register" {output_dir}/src/ --include='*.vue' --include='*.html'patternshardDreamborn CSS uses the data-register attribute to scope token sets. Without it, forge tokens do not apply.frontend
no-service-role-keygrep -r 'SERVICE_ROLE\|service_role\|eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIi' {output_dir}/src/securityhardService role key bypasses RLS and grants full database access. Frontend must use anon key only.frontend
supabase-client-onlygrep -rn "fetch.*supabase.co" {output_dir}/src/ --include='*.vue' --include='*.js' --include='*.ts'patternshardRaw fetch bypasses the client's auth header injection and type safety. All queries go through the initialized client.frontend
studio-artifacts-write-onlygrep -rn "\.from('agent_tasks').*insert\|\.from('agent_tasks').*update\|\.from('projects').*insert\|\.from('stages').*insert" {output_dir}/src/patternshardPlatform table state is owned by the runner and listener. Direct writes from Studio bypass the HCS audit trail and break the event-driven state machine.frontend
exec-gate-confirmmanual — verify approve/reject flows show a confirmation step before the HCS post callpatternshardExec gate approval is irreversible on HCS. An accidental approval advances the workflow immediately. A confirmation step prevents mis-clicks.frontend
realtime-cleanupgrep -rn 'supabase.channel\|supabase.on' {output_dir}/src/ --include='*.vue' | grep -v 'onUnmounted\|removeChannel'patternshardLeaked subscriptions accumulate across route navigation, causing duplicate events and memory growth.frontend
script-setup-onlygrep -rn '<script lang\|<script>' {output_dir}/src/ --include='*.vue' | grep -v '<script setup'patternswarnConsistency. script setup is the Vue 3 standard, more concise, better TypeScript inference.frontend
env-vars-documentedgrep -rn 'import.meta.env\.' {output_dir}/src/ --include='*.vue' --include='*.js' --include='*.ts'patternshardDeployment reliability — no surprise missing vars on Cloudflare Pages.all
no-raw-topic-ids-in-labelsgrep -rn '0\.0\.[0-9]\{7\}' {output_dir}/src/ --include='*.vue'patternswarnTwo-World Model — the machine layer (HCS IDs) is invisible to Justin. Studio renders human-readable names.frontend
artifact-render-not-rawgrep -rn 'JSON.stringify.*content\|<pre>.*content\|v-text.*content' {output_dir}/src/ --include='*.vue'patternshardTwo-World Model — Justin never reads raw JSON. ArtifactView renders structured, human-readable views from the JSON content.frontend
whitespace-over-densitygrep -rn 'padding:\s*[0-9]\{1,2\}px\|padding:\s*var(--db-space-[12])' {output_dir}/src/ --include='*.vue'typographywarnDev Studio is an interpretation workspace. Density appropriate for a monitoring dashboard is wrong here. Spacious layout aids comprehension of complex artifacts.frontend
Agent Handoff
Start Here

policy artifact · for BezelIQ Studio · status approved

Completion Evidence

No explicit evidence field yet. Require tests, screenshots, linked PRs, or reviewed outputs before marking complete.

Artifact Shape
  • rules: 13 items
  • version: 1
  • project id: bezeliq-studio
  • updated at: 2026-04-28
Structured Payload

Machine-readable source fields

rules
idcheckcategoryseverityrationaleapplies to
no-external-fontsgrep -r 'fonts.googleapis.com\|fonts.gstatic.com\|typekit.net\|use.typekit' {output_dir}/securityhardPrivacy, performance, and offline reliability. Dreamborn Forge self-hosts DM Sans and Fira Code.frontend
forge-tokens-onlygrep -rn '#[0-9a-fA-F]\{3,6\}\|rgb(\|rgba(' {output_dir}/src/ --include='*.vue' --include='*.css'typographyhardDesign system consistency. Hardcoded values diverge from the design system and break theme coherence.frontend
forge-register-attributegrep -r "data-register" {output_dir}/src/ --include='*.vue' --include='*.html'patternshardDreamborn CSS uses the data-register attribute to scope token sets. Without it, forge tokens do not apply.frontend
no-service-role-keygrep -r 'SERVICE_ROLE\|service_role\|eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIi' {output_dir}/src/securityhardService role key bypasses RLS and grants full database access. Frontend must use anon key only.frontend
supabase-client-onlygrep -rn "fetch.*supabase.co" {output_dir}/src/ --include='*.vue' --include='*.js' --include='*.ts'patternshardRaw fetch bypasses the client's auth header injection and type safety. All queries go through the initialized client.frontend
studio-artifacts-write-onlygrep -rn "\.from('agent_tasks').*insert\|\.from('agent_tasks').*update\|\.from('projects').*insert\|\.from('stages').*insert" {output_dir}/src/patternshardPlatform table state is owned by the runner and listener. Direct writes from Studio bypass the HCS audit trail and break the event-driven state machine.frontend
exec-gate-confirmmanual — verify approve/reject flows show a confirmation step before the HCS post callpatternshardExec gate approval is irreversible on HCS. An accidental approval advances the workflow immediately. A confirmation step prevents mis-clicks.frontend
realtime-cleanupgrep -rn 'supabase.channel\|supabase.on' {output_dir}/src/ --include='*.vue' | grep -v 'onUnmounted\|removeChannel'patternshardLeaked subscriptions accumulate across route navigation, causing duplicate events and memory growth.frontend
script-setup-onlygrep -rn '<script lang\|<script>' {output_dir}/src/ --include='*.vue' | grep -v '<script setup'patternswarnConsistency. script setup is the Vue 3 standard, more concise, better TypeScript inference.frontend
env-vars-documentedgrep -rn 'import.meta.env\.' {output_dir}/src/ --include='*.vue' --include='*.js' --include='*.ts'patternshardDeployment reliability — no surprise missing vars on Cloudflare Pages.all
no-raw-topic-ids-in-labelsgrep -rn '0\.0\.[0-9]\{7\}' {output_dir}/src/ --include='*.vue'patternswarnTwo-World Model — the machine layer (HCS IDs) is invisible to Justin. Studio renders human-readable names.frontend
artifact-render-not-rawgrep -rn 'JSON.stringify.*content\|<pre>.*content\|v-text.*content' {output_dir}/src/ --include='*.vue'patternshardTwo-World Model — Justin never reads raw JSON. ArtifactView renders structured, human-readable views from the JSON content.frontend
whitespace-over-densitygrep -rn 'padding:\s*[0-9]\{1,2\}px\|padding:\s*var(--db-space-[12])' {output_dir}/src/ --include='*.vue'typographywarnDev Studio is an interpretation workspace. Density appropriate for a monitoring dashboard is wrong here. Spacious layout aids comprehension of complex artifacts.frontend
version

1

project id

bezeliq-studio

updated at

2026-04-28