Universal Principles (apply to all code)
- Single Source of Truth – Code, tests, configs, and docs MUST live in Git; artefacts regenerate from source.
- Shift-Left Quality – Lint, SAST, DAST, and data-quality checks MUST run on every PR via GitHub Actions.
- Compliance as Code – Rules MUST map to at least one control (SOC 2, ISO 27001, GDPR) so audits read from Git.
- Performance & Reliability – Each service SHOULD define SLOs (p95 latency, availability) and include alert thresholds in code.
- Design for Testability – Public contracts SHOULD be explicit, deterministic, and mock-friendly to simplify automated tests.
- Observability by Default – Code MUST emit OpenTelemetry traces and New Relic-compatible metrics.
- Observability Hooks – All services SHOULD expose structured logs and trace spans that unit / integration tests can assert on.
New Code
- Cloud-Native First – New components MUST be containerised, stateless, and deployed via a GitOps workflow.
- Feature Flags over Forks – Branches older than 14 days are disallowed; use toggles to protect incomplete code.
- Secure-by-Default Templates – New repos MUST scaffold from approved templates with OWASP mitigations wired in.
Existing Code
- Upgrade-on-Touch – When modifying legacy code, teams SHOULD migrate to supported LTS runtimes and add missing tests.
- Strangler Pattern – Incrementally wrap/replace legacy modules rather than alter monolith internals.
- Runtime Compensating Controls – Where shift-left tools can’t be added, deploy WAF, anomaly detection, or rate limits to match the risk posture.
Development-Phase Principles
New Code
- Secure-by-Default Templates – New repos MUST bootstrap from approved templates with OWASP Top-10 mitigations pre-wired.
- Stateless First – Components SHOULD avoid local state; if unavoidable, they MUST persist it in managed durable storage.
- Feature Flags over Forks – Long-lived branches (older than 14 days) are disallowed; use feature toggles instead.
- API Contract Tests – Public APIs MUST include consumer-driven contract tests committed alongside the code.
Existing Code
- Upgrade-on-Touch – Any code touched SHOULD move to a supported LTS runtime, add missing unit tests, and replace deprecated libs.
- Refactor via Strangler – When adding features, prefer building new modules that wrap/replace legacy endpoints incrementally.
- Technical-Debt Ledger – Every legacy repo MUST keep a debt log; high-impact items enter the sprint backlog within one sprint.
Quality-Assurance-Phase Principles
New Code
- Test Pyramid Guardrails – Aim for >= 80% unit, >= 15% integration, <= 5% e2e by count; CI gates enforce the ratios on every PR.
- Tagged Tests – Tests MUST declare tags (unit, integration, performance, security) so CI jobs select appropriately.
- Synthetic & Pseudonymised Data – QA pipelines MUST NOT use live PII; generate synthetic or tokenised data instead.
- Performance Baselines – New services SHOULD include load tests with SLO thresholds; regressions block merge.
- Flaky-Test Quarantine – Tests failing > 3% of runs automatically move to quarantine and open a ticket within 24 h.
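A PR gate that enforces three of the principles above (Tagged Tests, Test Pyramid Guardrails, Flaky-Test Quarantine) over a constructed test inventory; this is an added example, not code from the original page. It assumes a test record carries its tags and recent CI outcomes, and adds an `e2e` tag to the page's tag list so the e2e pyramid layer can be counted.

```python
from collections import Counter
from dataclasses import dataclass

# Tag set from the page; "e2e" is an assumption added so the pyramid layer can be counted.
APPROVED_TAGS = {"unit", "integration", "performance", "security", "e2e"}
# Pyramid layer -> (minimum share, maximum share) of tests by count.
PYRAMID = {"unit": (0.80, 1.00), "integration": (0.15, 1.00), "e2e": (0.00, 0.05)}
FLAKY_RATE = 0.03  # failing in more than 3% of runs triggers quarantine


@dataclass
class TestRecord:
    name: str
    tags: frozenset
    outcomes: tuple = ()  # recent CI results, True = passed (constructed)


def tag_violations(tests):
    """Tagged Tests: every test needs at least one tag, all from APPROVED_TAGS."""
    return sorted(t.name for t in tests if not t.tags or not t.tags <= APPROVED_TAGS)


def pyramid_violations(tests):
    """Test Pyramid Guardrails: {layer: actual share} for layers outside their bounds."""
    counts = Counter(layer for t in tests for layer in PYRAMID if layer in t.tags)
    total = sum(counts.values()) or 1  # share is measured over pyramid-layer tests only
    return {layer: round(counts[layer] / total, 3)
            for layer, (lo, hi) in PYRAMID.items()
            if not lo <= counts[layer] / total <= hi}


def quarantine_candidates(tests):
    """Flaky-Test Quarantine: tests failing in more than FLAKY_RATE of recorded runs."""
    out = []
    for t in tests:
        if t.outcomes:
            rate = t.outcomes.count(False) / len(t.outcomes)
            if rate > FLAKY_RATE:
                out.append((t.name, round(rate, 3)))
    return out


def pr_gate(tests):
    """Tag and pyramid findings block the merge; flaky tests are reported for quarantine."""
    findings = {"tags": tag_violations(tests), "pyramid": pyramid_violations(tests),
                "flaky": quarantine_candidates(tests)}
    return (not findings["tags"] and not findings["pyramid"]), findings


# Constructed inventory: 16 unit, 3 integration, 1 e2e (an 80/15/5 split),
# one test with an unapproved tag, and one unit test failing 5 of 100 runs.
SAMPLE = [TestRecord(f"test_unit_{i}", frozenset({"unit"})) for i in range(16)]
SAMPLE += [TestRecord(f"test_int_{i}", frozenset({"integration"})) for i in range(3)]
SAMPLE += [TestRecord("test_checkout_e2e", frozenset({"e2e"}))]
SAMPLE += [TestRecord("test_load_spike", frozenset({"load"}))]  # "load" is not an approved tag
SAMPLE[0] = TestRecord("test_unit_0", frozenset({"unit", "security"}),
                       outcomes=(True,) * 95 + (False,) * 5)
```

Running `pr_gate(SAMPLE)` blocks the merge on the unapproved `load` tag alone, since the 80/15/5 split satisfies the pyramid, and reports `test_unit_0` (5% failure rate) as a quarantine candidate.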
Legacy Code
- Coverage-Growth Mandate – When fixing a bug, add tests that reproduce it; overall coverage SHOULD trend upward quarter-on-quarter.
- Runtime Compensating Checks – If shift-left tools can’t be added, deploy runtime guards (WAF, anomaly detection) offering equivalent risk coverage.
- Regression Test Archive – Critical bugs in legacy systems MUST result in a regression test stored under /tests/regression/**.