status: active
timestamp: 2026-06-20
tags: [policy, repo, archive, allowlist, safety, family]
Repos never to archive
Allowlist of repos archive scripts MUST NOT touch
Repos never to archive
This allowlist is checked before any gh repo archive operation by any
script under scripts/. Anything listed here is
load-bearing in the chirag127/oriz* family — submodule, npm-published
package, or critical dev tooling — and MUST NOT be archived even if
GitHub stats (zero stars, no recent push) would otherwise mark it as a
cleanup candidate.
The same logic that protects empty placeholder repos from deletion applies here: low GitHub activity is not a signal of low importance in this family. Most submodules are private-purpose code with audience of one (me) and zero stars by design.
gh repo archive is reversible (unlike delete), but archived repos
lose Issues/PRs as a working surface, get an “Archived” banner that
confuses anyone landing from a doc link, and break agents that expect
the repo to be writable. The cost of archiving a load-bearing repo is
real even if recoverable.
Generated from .gitmodules + npm + manual
Master
chirag127/oriz
11 site submodules (all oriz-<name>-site)
chirag127/homechirag127/blog-sitechirag127/ncertchirag127/lorechirag127/cards-sitechirag127/finance-tools-sitechirag127/journal-sitechirag127/dev-tools-sitechirag127/image-tools-sitechirag127/pdf-tools-sitechirag127/me
oriz-urls-to-md-site is currently an empty slug reservation — see
Empty does not mean abandoned.
Package submodules (npm-published or shared library)
chirag127/oriz-kit(mounted atpackages/oriz-ui)chirag127/firebase-initchirag127/auth-uichirag127/contact-formchirag127/sidebarchirag127/oriz-family
Active future submodules
chirag127/post-site(active submodule atpackages/oriz-omnipost)chirag127/oriz-lifestream(planned; will become a submodule when the lifestream service is wired)
MCP servers + dev tooling (npm-published, load-bearing across the family)
chirag127/envpact-mcp— secrets MCP server, listed in.mcp.jsoneverywherechirag127/envpact-cli— secrets CLI, used by the env-example sync workflowchirag127/secenv-mcp— predecessor MCP server for secrets, kept for back-compatchirag127/agentflow— parallel agent orchestrator used in dev
Brand / org-level
chirag127/oriz-family(already listed above; restated here for the family-wide grep).
How to update this file
When a new repo joins the family — becomes a submodule, gets
npm-published under chirag127, or becomes a critical dev-tool —
add it here in the same chat / same PR that introduces the
dependency. The
self-update rule applies.
The
script (and any future archive scripts) reads this file as input by
grepping for chirag127/<name> bullets, taking the union of every
slug found, and refusing to archive anything in that set. Adding a
new bullet here is the only way to extend the allowlist — there is no
secondary list inside the script.
Defense in depth
The archive script also hard-skips any repo whose name starts with
oriz-, regardless of whether it appears in this file. That
double-coverage means:
- A new
oriz-*repo that the agent forgot to add here is still protected. - This file is the audit trail; the script’s
oriz-prefix check is the belt-and-braces fallback.
If the two ever disagree (e.g. an oriz- repo is intentionally
deprecated and should be archived), update both the script and
this file in the same commit, with a one-line ## Removed from allowlist section here noting the slug, the date, and the
authorising user message.
Cross-refs
- — canonical "empty but reserved" example
../rules/interaction/never-delete-empty-placeholder-repos.md— sibling rule, deletion side../rules/development/push-by-default.md— outward-effect carve-out that gatesgh repo archive../branding/repo-naming-suffixes.md— slug taxonomy this allowlist is built around- — first script that reads this file