@evolith/core-domain 1.0.1 → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/domain/services/default-workflow-definition.js +4 -1
- package/dist/domain/services/default-workflow-definition.js.map +1 -1
- package/dist/gates/decision/gate-decision.js.map +1 -1
- package/package.json +1 -2
- package/rulesets/README.es.md +0 -170
- package/rulesets/README.md +0 -170
- package/rulesets/acl/README.es.md +0 -41
- package/rulesets/acl/README.md +0 -41
- package/rulesets/acl/anti-corruption-layer.rules.es.json +0 -99
- package/rulesets/acl/anti-corruption-layer.rules.json +0 -99
- package/rulesets/adr/ADR_COVERAGE.es.md +0 -133
- package/rulesets/adr/ADR_COVERAGE.md +0 -133
- package/rulesets/adr/README.es.md +0 -17
- package/rulesets/adr/README.md +0 -17
- package/rulesets/adr/adr-0002-hexagonal-architecture.rules.json +0 -103
- package/rulesets/adr/adr-0005-cicd-quality-gates.rules.json +0 -102
- package/rulesets/adr/adr-0010-multi-tenancy.rules.json +0 -129
- package/rulesets/adr/adr-0018-testing-pyramid.rules.json +0 -115
- package/rulesets/adr/adr-0032-protocol-selection.rules.json +0 -134
- package/rulesets/adr/adr-0040-multi-runtime.rules.json +0 -131
- package/rulesets/adr/adr-0050-gitflow-branching.rules.json +0 -176
- package/rulesets/adr/generated/adr-0001-monorepo-orchestration-principle.rules.json +0 -29
- package/rulesets/adr/generated/adr-0006-microservices-transition-via-sidecar-pattern.rules.json +0 -29
- package/rulesets/adr/generated/adr-0009-strict-dependency-pinning-and-automated-vulnerability-manage.rules.json +0 -29
- package/rulesets/adr/generated/adr-0011-fault-tolerance-and-resiliency-patterns.rules.json +0 -29
- package/rulesets/adr/generated/adr-0013-cloud-infrastructure-topology-and-disaster-recovery-dr.rules.json +0 -28
- package/rulesets/adr/generated/adr-0014-multi-layer-distributed-caching-strategy.rules.json +0 -29
- package/rulesets/adr/generated/adr-0015-event-driven-architecture-eda-for-intra-domain-communication.rules.json +0 -29
- package/rulesets/adr/generated/adr-0016-immutable-business-audit-trail-and-change-tracking.rules.json +0 -29
- package/rulesets/adr/generated/adr-0017-feature-flagging-strategy-for-progressive-delivery.rules.json +0 -28
- package/rulesets/adr/generated/adr-0019-tactical-design-patterns-for-future-proofing.rules.json +0 -29
- package/rulesets/adr/generated/adr-0020-identity-provider-abstraction-strategy.rules.json +0 -28
- package/rulesets/adr/generated/adr-0024-centralized-configuration-feature-platform.rules.json +0 -28
- package/rulesets/adr/generated/adr-0025-feature-flag-provider-abstraction-strategy.rules.json +0 -29
- package/rulesets/adr/generated/adr-0028-self-hosted-open-source-hybrid-infrastructure.rules.json +0 -29
- package/rulesets/adr/generated/adr-0030-two-tier-distributed-gateway-model.rules.json +0 -28
- package/rulesets/adr/generated/adr-0031-schema-per-bounded-context-and-domain-event-catalog.rules.json +0 -29
- package/rulesets/adr/generated/adr-0033-transactional-outbox-pattern-for-async-messaging.rules.json +0 -28
- package/rulesets/adr/generated/adr-0034-cqrs-pattern-application-matrix.rules.json +0 -29
- package/rulesets/adr/generated/adr-0035-distributed-saga-pattern-implementation-strategy.rules.json +0 -29
- package/rulesets/adr/generated/adr-0036-message-bus-delivery-flow-control-strategy.rules.json +0 -29
- package/rulesets/adr/generated/adr-0037-enterprise-performance-concurrency-chaos-verification-strate.rules.json +0 -28
- package/rulesets/adr/generated/adr-0039-deployment-topology-abstraction-environment-switcher.rules.json +0 -29
- package/rulesets/adr/generated/adr-0041-dual-engine-policy-evaluation-native-opa.rules.json +0 -28
- package/rulesets/adr/generated/adr-0044-configurable-security-persistence-strategy-agnosticism-vs-na.rules.json +0 -29
- package/rulesets/adr/generated/adr-0045-microservice-extraction-readiness-criteria.rules.json +0 -29
- package/rulesets/adr/generated/adr-0046-unified-traceability-via-w3c-tracecontext.rules.json +0 -29
- package/rulesets/adr/generated/adr-0047-progressive-architecture-evolution-framework-modular-monolit.rules.json +0 -29
- package/rulesets/adr/generated/adr-0048-enterprise-taxonomy-standardization-and-reference-layout.rules.json +0 -28
- package/rulesets/adr/generated/adr-0049-naming-semantics-clean-code-policy-e2e-and-global.rules.json +0 -29
- package/rulesets/adr/generated/adr-0051-enterprise-database-engine-selection-strategy.rules.json +0 -29
- package/rulesets/adr/generated/adr-0052-unit-testing-isolation-strategy-mocks-vs-stubs.rules.json +0 -29
- package/rulesets/adr/generated/adr-0053-integration-and-e2e-testing-strategy.rules.json +0 -29
- package/rulesets/adr/generated/adr-0054-database-design-and-normalization-standards.rules.json +0 -29
- package/rulesets/adr/generated/adr-0055-microfrontends-architecture-strategy.rules.json +0 -28
- package/rulesets/adr/generated/adr-0056-enterprise-naming-design-conventions-multi-language-multi-pl.rules.json +0 -29
- package/rulesets/adr/generated/adr-0057-architecture-intelligence-catalog.rules.json +0 -27
- package/rulesets/adr/generated/adr-0058-ai-consumable-architecture-knowledge.rules.json +0 -27
- package/rulesets/adr/generated/adr-0067-modular-monolith-persistence-boundaries.rules.json +0 -28
- package/rulesets/adr/generated/adr-0068-documentation-release-gitflow.rules.json +0 -29
- package/rulesets/adr/generated/adr-0069-ai-agent-context-protocol-integration.rules.json +0 -28
- package/rulesets/adr/generated/adr-0070-lean-root-repository-taxonomy.rules.json +0 -29
- package/rulesets/adr/generated/adr-0071-domain-layer-base-class-and-inheritance-strategy.rules.json +0 -29
- package/rulesets/adr/generated/adr-0072-utc-date-storage-browser-timezone-detection-and-language-res.rules.json +0 -29
- package/rulesets/adr/generated/adr-0073-unified-cli-mcp-output-contract-and-gate-evidence-schema.rules.json +0 -29
- package/rulesets/adr/generated/adr-0074-evolith-core-api-native-exposure-layer.rules.json +0 -29
- package/rulesets/adr/generated/adr-0075-core-api-authentication-strategy.rules.json +0 -28
- package/rulesets/adr/generated/adr-0076-domain-oriented-microservice-architecture-doma.rules.json +0 -28
- package/rulesets/adr/generated/adr-0077-masstransit-v9-commercial-pivot-stay-on-v8-monitor-opentrans.rules.json +0 -28
- package/rulesets/adr/generated/adr-0078-domain-financial-separation-governance.rules.json +0 -29
- package/rulesets/adr/generated/adr-0079-multi-topology-reference-corpus-and-topology-manifest-contra.rules.json +0 -29
- package/rulesets/adr/generated/adr-0080-remote-repository-reference-contract.rules.json +0 -29
- package/rulesets/adr/generated/adr-0081-agentic-ai-sandbox-isolation-boundary.rules.json +0 -29
- package/rulesets/adr/generated/adr-0082-agentic-ai-prompt-context-and-tool-trust-boundary.rules.json +0 -28
- package/rulesets/adr/generated/adr-0083-agentic-ai-action-authorization-and-audit.rules.json +0 -29
- package/rulesets/adr/generated/adr-0084-data-mesh-and-data-as-a-product.rules.json +0 -29
- package/rulesets/adr/generated/adr-0085-agnostic-opa-wasm-distribution-architecture.rules.json +0 -28
- package/rulesets/adr/generated/adr-0086-agentic-ai-telemetry-cost-control-standard.rules.json +0 -27
- package/rulesets/adr/generated/adr-0087-attribute-based-access-control-abac-for-agentic-tool-executi.rules.json +0 -29
- package/rulesets/adr/generated/adr-0088-sovereign-identity-for-agentic-ai.rules.json +0 -29
- package/rulesets/adr/generated/adr-0089-event-driven-agentic-workflow-pattern.rules.json +0 -28
- package/rulesets/adr/generated/adr-0090-rag-knowledge-governance-standard.rules.json +0 -29
- package/rulesets/adr/generated/adr-0091-workload-identity-token-rotation-standard.rules.json +0 -29
- package/rulesets/adr/generated/adr-0092-agent-infinite-loop-prevention-and-circuit-breaker-rules.rules.json +0 -29
- package/rulesets/adr/generated/adr-0093-concurrency-control-and-resource-locking-standard-for-mcp-to.rules.json +0 -29
- package/rulesets/adr/generated/adr-0094-multi-agent-handoff-and-task-delegation-standards.rules.json +0 -29
- package/rulesets/adr/generated/adr-0095-serverless-architecture-governance.rules.json +0 -29
- package/rulesets/adr/generated/adr-0096-edge-computing-architecture-governance.rules.json +0 -29
- package/rulesets/adr/generated/adr-0097-knowledge-lifecycle-governance-standard.rules.json +0 -29
- package/rulesets/adr/generated/adr-0098-rest-uri-versioning-and-deprecation-policy.rules.json +0 -29
- package/rulesets/adr/generated/adr-0099-opa-bundle-distribution-via-s3-minio.rules.json +0 -27
- package/rulesets/adr/generated/adr-ai-augmented-0001-harness-engineering-for-ai-augmented-development.rules.json +0 -29
- package/rulesets/adr/generated/adr-ai-augmented-0002-mcp-integration-protocol-for-agent-tool-invocation.rules.json +0 -29
- package/rulesets/adr/generated/adr-ai-augmented-0003-model-selection-governance-for-ai-augmented-workflows.rules.json +0 -29
- package/rulesets/adr/generated/adr-ai-augmented-0004-agents-md-as-mandatory-repository-artifact.rules.json +0 -29
- package/rulesets/adr/generated/adr-ai-augmented-0005-human-in-the-loop-policy-for-autonomous-agent-operations.rules.json +0 -29
- package/rulesets/adr/generated/adr-android-0042-canonical-android-native-mobile-architecture.rules.json +0 -29
- package/rulesets/adr/generated/adr-dotnet-0041-canonical-net-c-backend-architecture.rules.json +0 -29
- package/rulesets/adr/generated/adr-dotnet-0060-net-multi-tenancy-dual-layer-strategy-ef-core-sql-server.rules.json +0 -29
- package/rulesets/adr/generated/adr-dotnet-0061-transactional-event-lifecycle-in-ef-core.rules.json +0 -28
- package/rulesets/adr/generated/adr-dotnet-0062-net-immutable-audit-trail-via-ddl-triggers-delta-capture.rules.json +0 -29
- package/rulesets/adr/generated/adr-dotnet-0063-b2b-request-idempotency-middleware-in-asp-net-core.rules.json +0 -28
- package/rulesets/adr/generated/adr-dotnet-0064-net-request-scope-observability-context-propagation.rules.json +0 -29
- package/rulesets/adr/generated/adr-dotnet-0065-net-pii-safe-structured-logging-pipeline-serilog.rules.json +0 -29
- package/rulesets/adr/generated/adr-dotnet-0066-net-lightweight-http-idempotency-via-imemorycache-idistribut.rules.json +0 -28
- package/rulesets/adr/generated/adr-dotnet-0069-net-grpc-service-setup-protobuf-contracts.rules.json +0 -29
- package/rulesets/adr/generated/adr-dotnet-0070-net-api-endpoint-strategy.rules.json +0 -29
- package/rulesets/adr/generated/adr-dotnet-0071-net-data-access-strategy-ef-core-as-default-orm-dapper-for-o.rules.json +0 -27
- package/rulesets/adr/generated/adr-dotnet-0072-net-aop-cross-cutting-concern-strategy-dispatchproxy-over-pi.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0003-strict-typescript-standards.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0004-frontend-offline-resilience.rules.json +0 -28
- package/rulesets/adr/generated/adr-nodejs-0007-observability-with-opentelemetry-loki-and-jaeger.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0008-progressive-multi-module-evolution-with-api-gateway-and-bff-.rules.json +0 -28
- package/rulesets/adr/generated/adr-nodejs-0012-advanced-authorization-rbac-abac-strategy.rules.json +0 -28
- package/rulesets/adr/generated/adr-nodejs-0021-high-performance-authentication-graph-compilation.rules.json +0 -28
- package/rulesets/adr/generated/adr-nodejs-0022-contextual-authentication-and-pluggable-output-projections.rules.json +0 -28
- package/rulesets/adr/generated/adr-nodejs-0023-centralized-authorization-core-strategy.rules.json +0 -28
- package/rulesets/adr/generated/adr-nodejs-0026-adaptive-mfa-and-passwordless-platform.rules.json +0 -28
- package/rulesets/adr/generated/adr-nodejs-0027-dual-protocol-api-strategy-rest-grpc.rules.json +0 -28
- package/rulesets/adr/generated/adr-nodejs-0029-adoption-of-tactical-ddd-primitives-library.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0038-enterprise-error-handling-result-pattern-strategy.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0043-data-access-and-orm-strategy-for-node-js.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0044-frontend-clean-architecture-layer-boundaries-react.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0045-frontend-state-management-zustand-tanstack-query-dual-strate.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0046-prohibition-of-raw-technical-identifiers-in-user-interfaces.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0047-actionable-user-error-contract-and-correlated-diagnostics.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0048-feature-flag-system-scope-and-structured-criteria-model.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0074-monorepo-orchestration-with-nx.rules.json +0 -29
- package/rulesets/adr/generated/adr-nodejs-0075-application-gateway-bff-with-nestjs.rules.json +0 -29
- package/rulesets/architecture/README.es.md +0 -21
- package/rulesets/architecture/README.md +0 -21
- package/rulesets/architecture/opa/progressive-axis.rego +0 -50
- package/rulesets/cli/README.es.md +0 -17
- package/rulesets/cli/README.md +0 -17
- package/rulesets/cli/core-parity.rules.json +0 -61
- package/rulesets/cli/release-readiness.rules.json +0 -77
- package/rulesets/compliance-baseline/README.es.md +0 -26
- package/rulesets/compliance-baseline/README.md +0 -26
- package/rulesets/compliance-baseline/compliance-baseline.rules.json +0 -81
- package/rulesets/contracts/README.es.md +0 -19
- package/rulesets/contracts/README.md +0 -19
- package/rulesets/contracts/evolith-machine-contracts.json +0 -29
- package/rulesets/contracts/fixtures/gate-evidence.success.json +0 -10
- package/rulesets/contracts/fixtures/output-envelope.success.json +0 -23
- package/rulesets/cross-cutting/README.es.md +0 -14
- package/rulesets/cross-cutting/README.md +0 -14
- package/rulesets/cross-cutting/compliance-baseline.rules.json +0 -81
- package/rulesets/cross-cutting/definition-of-done.rules.json +0 -135
- package/rulesets/cross-cutting/engineering-manifesto.rules.json +0 -145
- package/rulesets/cross-cutting/repository-taxonomy.rules.json +0 -172
- package/rulesets/definition-of-done/README.es.md +0 -26
- package/rulesets/definition-of-done/README.md +0 -26
- package/rulesets/definition-of-done/definition-of-done.rules.json +0 -135
- package/rulesets/engineering-manifesto/README.es.md +0 -26
- package/rulesets/engineering-manifesto/README.md +0 -26
- package/rulesets/engineering-manifesto/engineering-manifesto.rules.json +0 -145
- package/rulesets/evidence/README.es.md +0 -12
- package/rulesets/evidence/README.md +0 -12
- package/rulesets/evidence/evidence-manifest.rules.json +0 -48
- package/rulesets/executive-scorecards/executive-scorecards.rules.es.json +0 -213
- package/rulesets/executive-scorecards/executive-scorecards.rules.json +0 -213
- package/rulesets/governance/README.es.md +0 -13
- package/rulesets/governance/README.md +0 -13
- package/rulesets/governance/abac-mcp-access.rules.es.json +0 -41
- package/rulesets/governance/abac-mcp-access.rules.json +0 -41
- package/rulesets/governance/executive-scorecards.rules.es.json +0 -213
- package/rulesets/governance/executive-scorecards.rules.json +0 -213
- package/rulesets/governance/inheritance.rules.json +0 -115
- package/rulesets/governance/knowledge-intake.rules.json +0 -18
- package/rulesets/governance/open-core-boundary.rules.es.json +0 -148
- package/rulesets/governance/open-core-boundary.rules.json +0 -148
- package/rulesets/governance/satellite-contracts.rules.json +0 -183
- package/rulesets/infrastructure/helm-enforcement.rules.json +0 -21
- package/rulesets/infrastructure/opa/helm-enforcement.rego +0 -25
- package/rulesets/infrastructure/opa/helm-enforcement.test.rego +0 -31
- package/rulesets/infrastructure/opa/opa-sidecar-bundle.rego +0 -115
- package/rulesets/infrastructure/opa/opa-sidecar-bundle.test.rego +0 -66
- package/rulesets/infrastructure/opa-sidecar-bundle.rules.json +0 -18
- package/rulesets/mcp/README.es.md +0 -12
- package/rulesets/mcp/README.md +0 -12
- package/rulesets/mcp/protocol-compliance.rules.json +0 -57
- package/rulesets/observability/README.es.md +0 -12
- package/rulesets/observability/README.md +0 -12
- package/rulesets/observability/telemetry-evidence.rules.json +0 -48
- package/rulesets/opa/README.es.md +0 -22
- package/rulesets/opa/README.md +0 -22
- package/rulesets/opa/abac-mcp-tool-access.rego +0 -122
- package/rulesets/opa/abac-mcp-tool-access.test.rego +0 -33
- package/rulesets/opa/anti-corruption-layer.rego +0 -39
- package/rulesets/opa/anti-corruption-layer.test.rego +0 -118
- package/rulesets/opa/ci-cd.rego +0 -41
- package/rulesets/opa/ci-cd.test.rego +0 -23
- package/rulesets/opa/cicd-quality-gates.rego +0 -29
- package/rulesets/opa/cicd-quality-gates.test.rego +0 -54
- package/rulesets/opa/cli-core-parity.rego +0 -17
- package/rulesets/opa/cli-core-parity.test.rego +0 -39
- package/rulesets/opa/cli-readiness.rego +0 -32
- package/rulesets/opa/cli-readiness.test.rego +0 -23
- package/rulesets/opa/cli-release-readiness.rego +0 -21
- package/rulesets/opa/cli-release-readiness.test.rego +0 -46
- package/rulesets/opa/compliance-baseline.rego +0 -95
- package/rulesets/opa/compliance-baseline.test.rego +0 -89
- package/rulesets/opa/dod.rego +0 -42
- package/rulesets/opa/dod.test.rego +0 -250
- package/rulesets/opa/engineering-manifesto.rego +0 -78
- package/rulesets/opa/engineering-manifesto.test.rego +0 -133
- package/rulesets/opa/evidence.rego +0 -64
- package/rulesets/opa/evidence.test.rego +0 -23
- package/rulesets/opa/executive-scorecards.rego +0 -41
- package/rulesets/opa/executive-scorecards.test.rego +0 -60
- package/rulesets/opa/gitflow-branching.rego +0 -41
- package/rulesets/opa/gitflow-branching.test.rego +0 -60
- package/rulesets/opa/governance.rego +0 -39
- package/rulesets/opa/governance.test.rego +0 -23
- package/rulesets/opa/hexagonal-architecture.rego +0 -33
- package/rulesets/opa/hexagonal-architecture.test.rego +0 -57
- package/rulesets/opa/infrastructure/helm-enforcement.rego +0 -33
- package/rulesets/opa/infrastructure/opa-sidecar-bundle.rego +0 -42
- package/rulesets/opa/knowledge-intake.rego +0 -98
- package/rulesets/opa/knowledge-intake.test.rego +0 -50
- package/rulesets/opa/main.rego +0 -147
- package/rulesets/opa/main_test.rego +0 -149
- package/rulesets/opa/mcp.rego +0 -61
- package/rulesets/opa/mcp.test.rego +0 -27
- package/rulesets/opa/multi-runtime.rego +0 -33
- package/rulesets/opa/multi-runtime.test.rego +0 -53
- package/rulesets/opa/multi-tenancy.rego +0 -33
- package/rulesets/opa/multi-tenancy.test.rego +0 -53
- package/rulesets/opa/open-core-boundary.rego +0 -33
- package/rulesets/opa/open-core-boundary.test.rego +0 -60
- package/rulesets/opa/protocol-selection.rego +0 -29
- package/rulesets/opa/protocol-selection.test.rego +0 -46
- package/rulesets/opa/rbac/gate-role-enforcement.rego +0 -112
- package/rulesets/opa/repository-taxonomy.rego +0 -98
- package/rulesets/opa/repository-taxonomy.test.rego +0 -91
- package/rulesets/opa/satellite-contracts.rego +0 -42
- package/rulesets/opa/satellite-contracts.test.rego +0 -70
- package/rulesets/opa/schemas/abac-mcp-tool-access.input.schema.json +0 -21
- package/rulesets/opa/schemas/anti-corruption-layer.input.schema.json +0 -25
- package/rulesets/opa/schemas/ci-cd.input.schema.json +0 -27
- package/rulesets/opa/schemas/cicd-quality-gates.input.schema.json +0 -33
- package/rulesets/opa/schemas/cli-core-parity.input.schema.json +0 -30
- package/rulesets/opa/schemas/cli-readiness.input.schema.json +0 -28
- package/rulesets/opa/schemas/cli-release-readiness.input.schema.json +0 -26
- package/rulesets/opa/schemas/compliance-baseline.input.schema.json +0 -25
- package/rulesets/opa/schemas/dod.input.schema.json +0 -38
- package/rulesets/opa/schemas/engineering-manifesto.input.schema.json +0 -24
- package/rulesets/opa/schemas/evidence.input.schema.json +0 -35
- package/rulesets/opa/schemas/executive-scorecards.input.schema.json +0 -36
- package/rulesets/opa/schemas/gitflow-branching.input.schema.json +0 -36
- package/rulesets/opa/schemas/governance.input.schema.json +0 -19
- package/rulesets/opa/schemas/hexagonal-architecture.input.schema.json +0 -46
- package/rulesets/opa/schemas/knowledge-intake.input.schema.json +0 -57
- package/rulesets/opa/schemas/mcp.input.schema.json +0 -38
- package/rulesets/opa/schemas/multi-runtime.input.schema.json +0 -27
- package/rulesets/opa/schemas/multi-tenancy.input.schema.json +0 -27
- package/rulesets/opa/schemas/open-core-boundary.input.schema.json +0 -36
- package/rulesets/opa/schemas/protocol-selection.input.schema.json +0 -26
- package/rulesets/opa/schemas/repository-taxonomy.input.schema.json +0 -18
- package/rulesets/opa/schemas/satellite-contracts.input.schema.json +0 -38
- package/rulesets/opa/schemas/taxonomy.input.schema.json +0 -27
- package/rulesets/opa/schemas/testing-pyramid.input.schema.json +0 -42
- package/rulesets/opa/schemas/version-pinning.input.schema.json +0 -39
- package/rulesets/opa/sdlc/coverage.rego +0 -49
- package/rulesets/opa/sdlc/coverage.test.rego +0 -29
- package/rulesets/opa/sdlc/pyramid-distribution.rego +0 -31
- package/rulesets/opa/sdlc/pyramid-distribution.test.rego +0 -33
- package/rulesets/opa/taxonomy.rego +0 -51
- package/rulesets/opa/taxonomy.test.rego +0 -28
- package/rulesets/opa/telemetry-evidence.rego +0 -102
- package/rulesets/opa/testing-pyramid.rego +0 -49
- package/rulesets/opa/testing-pyramid.test.rego +0 -81
- package/rulesets/opa/version-pinning.rego +0 -99
- package/rulesets/opa/version-pinning.test.rego +0 -28
- package/rulesets/phase-gates/README.es.md +0 -28
- package/rulesets/phase-gates/README.md +0 -28
- package/rulesets/phase-gates/phase-gates.rules.json +0 -297
- package/rulesets/quality-thresholds/README.es.md +0 -28
- package/rulesets/quality-thresholds/README.md +0 -28
- package/rulesets/quality-thresholds/quality-thresholds.rules.json +0 -96
- package/rulesets/repository-taxonomy/README.es.md +0 -26
- package/rulesets/repository-taxonomy/README.md +0 -26
- package/rulesets/repository-taxonomy/repository-taxonomy.rules.json +0 -172
- package/rulesets/satellite-contracts/README.es.md +0 -27
- package/rulesets/satellite-contracts/README.md +0 -27
- package/rulesets/satellite-contracts/satellite-contracts.rules.json +0 -183
- package/rulesets/schema/README.es.md +0 -39
- package/rulesets/schema/README.md +0 -39
- package/rulesets/schema/adr.schema.json +0 -138
- package/rulesets/schema/agile-backlog.schema.json +0 -91
- package/rulesets/schema/ballpark-estimation.schema.json +0 -109
- package/rulesets/schema/build-vs-compose.schema.json +0 -98
- package/rulesets/schema/cli-impact-analysis.schema.json +0 -114
- package/rulesets/schema/discovery-canvas.schema.json +0 -92
- package/rulesets/schema/evolith-user-story.schema.json +0 -105
- package/rulesets/schema/evolith-yaml.schema.json +0 -191
- package/rulesets/schema/functional-story.schema.json +0 -111
- package/rulesets/schema/gate-evidence.schema.json +0 -85
- package/rulesets/schema/integration-evidence.schema.json +0 -47
- package/rulesets/schema/knowledge-intake.schema.json +0 -67
- package/rulesets/schema/knowledge-projection.schema.json +0 -24
- package/rulesets/schema/maturity-evidence.schema.json +0 -59
- package/rulesets/schema/observability-validation.schema.json +0 -85
- package/rulesets/schema/on-call-handoff.schema.json +0 -91
- package/rulesets/schema/output-envelope.schema.json +0 -102
- package/rulesets/schema/prd.schema.json +0 -117
- package/rulesets/schema/release-notes.schema.json +0 -138
- package/rulesets/schema/rollback-rehearsal.schema.json +0 -73
- package/rulesets/schema/ruleset-sdlc.schema.json +0 -59
- package/rulesets/schema/ruleset-standard.schema.json +0 -73
- package/rulesets/schema/security-scan-report.schema.json +0 -79
- package/rulesets/schema/source-registry.schema.json +0 -51
- package/rulesets/schema/technical-feasibility.schema.json +0 -66
- package/rulesets/schema/technical-story.schema.json +0 -112
- package/rulesets/schema/test-summary-report.schema.json +0 -158
- package/rulesets/schema/topology-composition.schema.json +0 -43
- package/rulesets/schema/topology-manifest.schema.json +0 -421
- package/rulesets/sdlc/README.es.md +0 -12
- package/rulesets/sdlc/README.md +0 -12
- package/rulesets/sdlc/default-workflow.yaml +0 -73
- package/rulesets/sdlc/dependency-pinning.rules.json +0 -183
- package/rulesets/sdlc/phase-gates.rules.json +0 -297
- package/rulesets/sdlc/quality-thresholds.rules.json +0 -96
- package/rulesets/topologies/README.es.md +0 -42
- package/rulesets/topologies/README.md +0 -42
- package/rulesets/topologies/agentic-ai/README.es.md +0 -142
- package/rulesets/topologies/agentic-ai/README.md +0 -142
- package/rulesets/topologies/agentic-ai/adoption.es.md +0 -37
- package/rulesets/topologies/agentic-ai/adoption.md +0 -37
- package/rulesets/topologies/agentic-ai/agent.config.schema.json +0 -100
- package/rulesets/topologies/agentic-ai/agentic-ai.rego +0 -46
- package/rulesets/topologies/agentic-ai/agentic-ai.rules.json +0 -109
- package/rulesets/topologies/agentic-ai/agentic-ai.test.rego +0 -68
- package/rulesets/topologies/agentic-ai/agentic-ai.wasm +0 -0
- package/rulesets/topologies/agentic-ai/cli/cli-flows.es.md +0 -35
- package/rulesets/topologies/agentic-ai/cli/cli-flows.md +0 -45
- package/rulesets/topologies/agentic-ai/evidence.es.md +0 -25
- package/rulesets/topologies/agentic-ai/evidence.md +0 -25
- package/rulesets/topologies/agentic-ai/evolution.es.md +0 -26
- package/rulesets/topologies/agentic-ai/evolution.md +0 -26
- package/rulesets/topologies/agentic-ai/fixtures/invalid-agent.config.json +0 -48
- package/rulesets/topologies/agentic-ai/fixtures/valid-agent.config.json +0 -48
- package/rulesets/topologies/agentic-ai/maturity.es.md +0 -33
- package/rulesets/topologies/agentic-ai/maturity.md +0 -33
- package/rulesets/topologies/agentic-ai/mcp/mcp-manifest.json +0 -100
- package/rulesets/topologies/agentic-ai/openapi/openapi.yaml +0 -187
- package/rulesets/topologies/agentic-ai/operations.es.md +0 -32
- package/rulesets/topologies/agentic-ai/operations.md +0 -32
- package/rulesets/topologies/agentic-ai/parity-fixtures/compliant.json +0 -18
- package/rulesets/topologies/agentic-ai/parity-fixtures/violation.json +0 -22
- package/rulesets/topologies/agentic-ai/patterns.es.md +0 -32
- package/rulesets/topologies/agentic-ai/patterns.md +0 -32
- package/rulesets/topologies/agentic-ai/resilience.es.md +0 -26
- package/rulesets/topologies/agentic-ai/resilience.md +0 -26
- package/rulesets/topologies/agentic-ai/runbooks.es.md +0 -48
- package/rulesets/topologies/agentic-ai/runbooks.md +0 -48
- package/rulesets/topologies/agentic-ai/security.es.md +0 -26
- package/rulesets/topologies/agentic-ai/security.md +0 -26
- package/rulesets/topologies/agentic-ai/topology.manifest.json +0 -127
- package/rulesets/topologies/data-mesh/README.es.md +0 -69
- package/rulesets/topologies/data-mesh/README.md +0 -69
- package/rulesets/topologies/data-mesh/adoption.es.md +0 -95
- package/rulesets/topologies/data-mesh/adoption.md +0 -95
- package/rulesets/topologies/data-mesh/cli/cli-flows.es.md +0 -41
- package/rulesets/topologies/data-mesh/cli/cli-flows.md +0 -53
- package/rulesets/topologies/data-mesh/data-mesh.rego +0 -11
- package/rulesets/topologies/data-mesh/data-mesh.rules.json +0 -100
- package/rulesets/topologies/data-mesh/data-mesh.test.rego +0 -107
- package/rulesets/topologies/data-mesh/data-mesh.wasm +0 -0
- package/rulesets/topologies/data-mesh/evidence.es.md +0 -111
- package/rulesets/topologies/data-mesh/evidence.md +0 -111
- package/rulesets/topologies/data-mesh/evolution.es.md +0 -67
- package/rulesets/topologies/data-mesh/evolution.md +0 -67
- package/rulesets/topologies/data-mesh/fixtures/invalid.topology.config.json +0 -12
- package/rulesets/topologies/data-mesh/fixtures/valid.topology.config.json +0 -12
- package/rulesets/topologies/data-mesh/maturity.es.md +0 -36
- package/rulesets/topologies/data-mesh/maturity.md +0 -36
- package/rulesets/topologies/data-mesh/mcp/mcp-manifest.json +0 -68
- package/rulesets/topologies/data-mesh/openapi/openapi.yaml +0 -186
- package/rulesets/topologies/data-mesh/operations.es.md +0 -63
- package/rulesets/topologies/data-mesh/operations.md +0 -63
- package/rulesets/topologies/data-mesh/parity-fixtures/compliant.json +0 -18
- package/rulesets/topologies/data-mesh/parity-fixtures/violation.json +0 -21
- package/rulesets/topologies/data-mesh/patterns.es.md +0 -67
- package/rulesets/topologies/data-mesh/patterns.md +0 -67
- package/rulesets/topologies/data-mesh/resilience.es.md +0 -64
- package/rulesets/topologies/data-mesh/resilience.md +0 -64
- package/rulesets/topologies/data-mesh/runbooks.es.md +0 -147
- package/rulesets/topologies/data-mesh/runbooks.md +0 -147
- package/rulesets/topologies/data-mesh/security.es.md +0 -66
- package/rulesets/topologies/data-mesh/security.md +0 -66
- package/rulesets/topologies/data-mesh/topology.config.schema.json +0 -30
- package/rulesets/topologies/data-mesh/topology.manifest.json +0 -107
- package/rulesets/topologies/edge-computing/README.es.md +0 -81
- package/rulesets/topologies/edge-computing/README.md +0 -81
- package/rulesets/topologies/edge-computing/adoption.es.md +0 -268
- package/rulesets/topologies/edge-computing/adoption.md +0 -268
- package/rulesets/topologies/edge-computing/cli/cli-flows.es.md +0 -41
- package/rulesets/topologies/edge-computing/cli/cli-flows.md +0 -53
- package/rulesets/topologies/edge-computing/edge-computing.rego +0 -41
- package/rulesets/topologies/edge-computing/edge-computing.rules.json +0 -50
- package/rulesets/topologies/edge-computing/edge-computing.test.rego +0 -33
- package/rulesets/topologies/edge-computing/edge-computing.wasm +0 -0
- package/rulesets/topologies/edge-computing/evidence.es.md +0 -263
- package/rulesets/topologies/edge-computing/evidence.md +0 -263
- package/rulesets/topologies/edge-computing/evolution.es.md +0 -257
- package/rulesets/topologies/edge-computing/evolution.md +0 -257
- package/rulesets/topologies/edge-computing/fixtures/invalid.topology.config.json +0 -6
- package/rulesets/topologies/edge-computing/fixtures/valid.topology.config.json +0 -6
- package/rulesets/topologies/edge-computing/maturity.es.md +0 -36
- package/rulesets/topologies/edge-computing/maturity.md +0 -36
- package/rulesets/topologies/edge-computing/mcp/mcp-manifest.json +0 -72
- package/rulesets/topologies/edge-computing/openapi/openapi.yaml +0 -187
- package/rulesets/topologies/edge-computing/operations.es.md +0 -148
- package/rulesets/topologies/edge-computing/operations.md +0 -148
- package/rulesets/topologies/edge-computing/parity-fixtures/compliant.json +0 -12
- package/rulesets/topologies/edge-computing/parity-fixtures/violation.json +0 -13
- package/rulesets/topologies/edge-computing/patterns.es.md +0 -291
- package/rulesets/topologies/edge-computing/patterns.md +0 -290
- package/rulesets/topologies/edge-computing/resilience.es.md +0 -232
- package/rulesets/topologies/edge-computing/resilience.md +0 -229
- package/rulesets/topologies/edge-computing/runbooks.es.md +0 -405
- package/rulesets/topologies/edge-computing/runbooks.md +0 -405
- package/rulesets/topologies/edge-computing/security.es.md +0 -218
- package/rulesets/topologies/edge-computing/security.md +0 -218
- package/rulesets/topologies/edge-computing/topology.config.schema.json +0 -13
- package/rulesets/topologies/edge-computing/topology.manifest.json +0 -113
- package/rulesets/topologies/event-driven/README.es.md +0 -71
- package/rulesets/topologies/event-driven/README.md +0 -71
- package/rulesets/topologies/event-driven/adoption.es.md +0 -67
- package/rulesets/topologies/event-driven/adoption.md +0 -67
- package/rulesets/topologies/event-driven/cli/cli-flows.es.md +0 -41
- package/rulesets/topologies/event-driven/cli/cli-flows.md +0 -53
- package/rulesets/topologies/event-driven/event-driven.rego +0 -11
- package/rulesets/topologies/event-driven/event-driven.rules.json +0 -100
- package/rulesets/topologies/event-driven/event-driven.test.rego +0 -107
- package/rulesets/topologies/event-driven/event-driven.wasm +0 -0
- package/rulesets/topologies/event-driven/evidence.es.md +0 -69
- package/rulesets/topologies/event-driven/evidence.md +0 -69
- package/rulesets/topologies/event-driven/evolution.es.md +0 -59
- package/rulesets/topologies/event-driven/evolution.md +0 -59
- package/rulesets/topologies/event-driven/fixtures/invalid.topology.config.json +0 -12
- package/rulesets/topologies/event-driven/fixtures/valid.topology.config.json +0 -12
- package/rulesets/topologies/event-driven/maturity.es.md +0 -36
- package/rulesets/topologies/event-driven/maturity.md +0 -36
- package/rulesets/topologies/event-driven/mcp/mcp-manifest.json +0 -68
- package/rulesets/topologies/event-driven/openapi/openapi.yaml +0 -186
- package/rulesets/topologies/event-driven/operations.es.md +0 -67
- package/rulesets/topologies/event-driven/operations.md +0 -67
- package/rulesets/topologies/event-driven/parity-fixtures/compliant.json +0 -18
- package/rulesets/topologies/event-driven/parity-fixtures/violation.json +0 -21
- package/rulesets/topologies/event-driven/patterns.es.md +0 -68
- package/rulesets/topologies/event-driven/patterns.md +0 -68
- package/rulesets/topologies/event-driven/resilience.es.md +0 -65
- package/rulesets/topologies/event-driven/resilience.md +0 -65
- package/rulesets/topologies/event-driven/runbooks.es.md +0 -79
- package/rulesets/topologies/event-driven/runbooks.md +0 -79
- package/rulesets/topologies/event-driven/security.es.md +0 -59
- package/rulesets/topologies/event-driven/security.md +0 -59
- package/rulesets/topologies/event-driven/topology.config.schema.json +0 -30
- package/rulesets/topologies/event-driven/topology.manifest.json +0 -109
- package/rulesets/topologies/progressive-axis/distributed-modules/distributed-modules.rules.es.json +0 -111
- package/rulesets/topologies/progressive-axis/distributed-modules/distributed-modules.rules.json +0 -111
- package/rulesets/topologies/progressive-axis/microservices/microservices.rules.es.json +0 -106
- package/rulesets/topologies/progressive-axis/microservices/microservices.rules.json +0 -106
- package/rulesets/topologies/progressive-axis/modular-monolith/modular-monolith.rules.es.json +0 -148
- package/rulesets/topologies/progressive-axis/modular-monolith/modular-monolith.rules.json +0 -148
- package/rulesets/topologies/serverless/README.es.md +0 -74
- package/rulesets/topologies/serverless/README.md +0 -74
- package/rulesets/topologies/serverless/adoption.es.md +0 -50
- package/rulesets/topologies/serverless/adoption.md +0 -50
- package/rulesets/topologies/serverless/cli/cli-flows.es.md +0 -41
- package/rulesets/topologies/serverless/cli/cli-flows.md +0 -53
- package/rulesets/topologies/serverless/evidence.es.md +0 -66
- package/rulesets/topologies/serverless/evidence.md +0 -66
- package/rulesets/topologies/serverless/evolution.es.md +0 -36
- package/rulesets/topologies/serverless/evolution.md +0 -36
- package/rulesets/topologies/serverless/fixtures/invalid.topology.config.json +0 -6
- package/rulesets/topologies/serverless/fixtures/valid.topology.config.json +0 -6
- package/rulesets/topologies/serverless/maturity.es.md +0 -36
- package/rulesets/topologies/serverless/maturity.md +0 -36
- package/rulesets/topologies/serverless/mcp/mcp-manifest.json +0 -72
- package/rulesets/topologies/serverless/openapi/openapi.yaml +0 -186
- package/rulesets/topologies/serverless/operations.es.md +0 -36
- package/rulesets/topologies/serverless/operations.md +0 -36
- package/rulesets/topologies/serverless/parity-fixtures/compliant.json +0 -13
- package/rulesets/topologies/serverless/parity-fixtures/violation.json +0 -15
- package/rulesets/topologies/serverless/patterns.es.md +0 -36
- package/rulesets/topologies/serverless/patterns.md +0 -36
- package/rulesets/topologies/serverless/resilience.es.md +0 -36
- package/rulesets/topologies/serverless/resilience.md +0 -36
- package/rulesets/topologies/serverless/runbooks.es.md +0 -68
- package/rulesets/topologies/serverless/runbooks.md +0 -68
- package/rulesets/topologies/serverless/security.es.md +0 -36
- package/rulesets/topologies/serverless/security.md +0 -36
- package/rulesets/topologies/serverless/serverless.rego +0 -32
- package/rulesets/topologies/serverless/serverless.rules.json +0 -33
- package/rulesets/topologies/serverless/serverless.test.rego +0 -28
- package/rulesets/topologies/serverless/serverless.wasm +0 -0
- package/rulesets/topologies/serverless/topology.config.schema.json +0 -28
- package/rulesets/topologies/serverless/topology.manifest.json +0 -114
|
@@ -1,183 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../schema/ruleset-standard.schema.json",
|
|
3
|
-
"$id": "https://evolith.dev/rulesets/sdlc/dependency-pinning.rules.json",
|
|
4
|
-
"title": "Dependency Pinning and Vulnerability Management Rules",
|
|
5
|
-
"description": "Machine-readable enforcement of ADR-0009 (Strict Dependency Pinning and Automated Vulnerability Management). Applies to all Evolith satellite repositories containing package.json files.",
|
|
6
|
-
"version": "1.0.0",
|
|
7
|
-
"adrId": "ADR-0009",
|
|
8
|
-
"adrTitle": "Strict Dependency Pinning and Automated Vulnerability Management",
|
|
9
|
-
"status": "Approved",
|
|
10
|
-
"effectiveDate": "2026-06-07",
|
|
11
|
-
"rules": [
|
|
12
|
-
{
|
|
13
|
-
"id": "DEP-01",
|
|
14
|
-
"severity": "MUST NOT",
|
|
15
|
-
"category": "version-pinning",
|
|
16
|
-
"title": "No caret (^) range specifiers in package.json",
|
|
17
|
-
"description": "Every dependency in package.json (dependencies, devDependencies, peerDependencies, optionalDependencies) MUST use an exact version string. The caret prefix (^) is prohibited. Example: use '18.3.1', not '^18.3.1'.",
|
|
18
|
-
"rationale": "ADR-0009 §1: Caret ranges allow automatic minor/patch upgrades during npm install, breaking reproducibility and making CVE introduction unpredictable.",
|
|
19
|
-
"validationQuery": "grep -r '\"\\^' package.json — zero matches expected in any package.json file.",
|
|
20
|
-
"blocking": true,
|
|
21
|
-
"checklistItem": "no-caret-ranges",
|
|
22
|
-
"autoFixStrategy": "Remove ^ prefix from all dependency versions. Run 'npm install --save-exact' or 'npm pkg set dependencies.<pkg>=<version>' with exact version.",
|
|
23
|
-
"appliesTo": [
|
|
24
|
-
"dependencies",
|
|
25
|
-
"devDependencies",
|
|
26
|
-
"peerDependencies",
|
|
27
|
-
"optionalDependencies"
|
|
28
|
-
]
|
|
29
|
-
},
|
|
30
|
-
{
|
|
31
|
-
"id": "DEP-02",
|
|
32
|
-
"severity": "MUST NOT",
|
|
33
|
-
"category": "version-pinning",
|
|
34
|
-
"title": "No tilde (~) range specifiers in package.json",
|
|
35
|
-
"description": "Every dependency in package.json MUST use an exact version string. The tilde prefix (~) is prohibited. Example: use '18.3.1', not '~18.3.1'.",
|
|
36
|
-
"rationale": "ADR-0009 §1: Tilde ranges allow automatic patch upgrades, breaking reproducibility in the same way as caret ranges.",
|
|
37
|
-
"validationQuery": "grep -r '\"~' package.json — zero matches expected in any package.json file.",
|
|
38
|
-
"blocking": true,
|
|
39
|
-
"checklistItem": "no-tilde-ranges",
|
|
40
|
-
"autoFixStrategy": "Remove ~ prefix from all dependency versions. Pin to exact current resolved version from package-lock.json.",
|
|
41
|
-
"appliesTo": [
|
|
42
|
-
"dependencies",
|
|
43
|
-
"devDependencies",
|
|
44
|
-
"peerDependencies",
|
|
45
|
-
"optionalDependencies"
|
|
46
|
-
]
|
|
47
|
-
},
|
|
48
|
-
{
|
|
49
|
-
"id": "DEP-03",
|
|
50
|
-
"severity": "MUST NOT",
|
|
51
|
-
"category": "version-pinning",
|
|
52
|
-
"title": "No wildcard (*) or latest-tag version specifiers",
|
|
53
|
-
"description": "Version specifiers using '*', 'latest', 'x', or 'X' wildcards are prohibited. Every package must reference a specific semver string.",
|
|
54
|
-
"rationale": "ADR-0009 §1: Wildcard versions resolve to arbitrary latest at install time, making the dependency tree completely non-deterministic.",
|
|
55
|
-
"validationQuery": "Verify no dependency value matches: *, latest, x, X, or empty string.",
|
|
56
|
-
"blocking": true,
|
|
57
|
-
"checklistItem": "no-wildcard-versions"
|
|
58
|
-
},
|
|
59
|
-
{
|
|
60
|
-
"id": "DEP-04",
|
|
61
|
-
"severity": "MUST",
|
|
62
|
-
"category": "lock-file",
|
|
63
|
-
"title": "package-lock.json (or equivalent) must be committed",
|
|
64
|
-
"description": "A lock file (package-lock.json for npm, yarn.lock for Yarn, pnpm-lock.yaml for pnpm) MUST be committed to version control and kept current. The lock file is the source of truth for reproducible builds.",
|
|
65
|
-
"rationale": "ADR-0009 §4: CI pipelines must execute 'npm ci' which requires a committed lock file. Without it, npm install resolves fresh versions on every run.",
|
|
66
|
-
"validationQuery": "Lock file exists in repository root (or workspace root) and is not in .gitignore.",
|
|
67
|
-
"blocking": true,
|
|
68
|
-
"checklistItem": "lock-file-committed"
|
|
69
|
-
},
|
|
70
|
-
{
|
|
71
|
-
"id": "DEP-05",
|
|
72
|
-
"severity": "MUST",
|
|
73
|
-
"category": "ci-installation",
|
|
74
|
-
"title": "CI pipelines use 'npm ci' not 'npm install'",
|
|
75
|
-
"description": "Continuous Integration pipelines MUST use 'npm ci' (clean install) to install dependencies. 'npm install' is prohibited in CI because it may update the lock file and resolve different versions.",
|
|
76
|
-
"rationale": "ADR-0009 §4: 'npm ci' installs exactly what the lock file specifies. 'npm install' may silently update packages, defeating the purpose of pinning.",
|
|
77
|
-
"validationQuery": "CI workflow files (.github/workflows/*.yml) contain 'npm ci' for dependency installation. No 'npm install' step present in CI dependency installation steps.",
|
|
78
|
-
"blocking": true,
|
|
79
|
-
"checklistItem": "ci-uses-npm-ci"
|
|
80
|
-
},
|
|
81
|
-
{
|
|
82
|
-
"id": "DEP-06",
|
|
83
|
-
"severity": "MUST",
|
|
84
|
-
"category": "security-audit",
|
|
85
|
-
"title": "CI pipeline runs npm audit at high severity level",
|
|
86
|
-
"description": "Every PR and main branch CI run MUST execute 'npm audit --audit-level=high'. Any High or Critical CVE causes an immediate build failure and blocks merge.",
|
|
87
|
-
"rationale": "ADR-0009 §3: Zero-Tolerance CI check for High/Critical vulnerabilities is the primary automated security gate.",
|
|
88
|
-
"validationQuery": "CI workflow includes 'npm audit --audit-level=high' or equivalent. Build fails when exit code is non-zero.",
|
|
89
|
-
"blocking": true,
|
|
90
|
-
"checklistItem": "ci-npm-audit-high"
|
|
91
|
-
},
|
|
92
|
-
{
|
|
93
|
-
"id": "DEP-07",
|
|
94
|
-
"severity": "MUST",
|
|
95
|
-
"category": "security-audit",
|
|
96
|
-
"title": "Zero High or Critical CVEs in production dependencies",
|
|
97
|
-
"description": "No High or Critical CVEs may be present in the production dependency tree at time of merge to main or at release. Medium CVEs require documented justification.",
|
|
98
|
-
"rationale": "ADR-0009 §3 and quality-thresholds QT-03: Zero High/Critical CVE tolerance in production releases. This rule is consistent with the cross-cutting security threshold.",
|
|
99
|
-
"baseline": {
|
|
100
|
-
"critical": 0,
|
|
101
|
-
"high": 0,
|
|
102
|
-
"medium": "documented-justification-required"
|
|
103
|
-
},
|
|
104
|
-
"blocking": true,
|
|
105
|
-
"checklistItem": "zero-high-critical-cves"
|
|
106
|
-
},
|
|
107
|
-
{
|
|
108
|
-
"id": "DEP-08",
|
|
109
|
-
"severity": "SHOULD",
|
|
110
|
-
"category": "overrides",
|
|
111
|
-
"title": "npm overrides entries must be documented with CVE reference",
|
|
112
|
-
"description": "When the 'overrides' field in package.json is used to force a transitive dependency to a safe version, each override entry MUST include a comment or corresponding entry in a companion overrides-rationale.json documenting the CVE or reason for the override.",
|
|
113
|
-
"rationale": "Overrides are a powerful escape hatch that can mask dependency resolution issues if undocumented. Each override should be traceable to a specific security finding or compatibility requirement.",
|
|
114
|
-
"validationQuery": "If package.json contains an 'overrides' section, each override key corresponds to a documented rationale. Check CHANGELOG.md, PR description, or companion overrides-rationale.json.",
|
|
115
|
-
"blocking": false,
|
|
116
|
-
"checklistItem": "overrides-documented"
|
|
117
|
-
},
|
|
118
|
-
{
|
|
119
|
-
"id": "DEP-09",
|
|
120
|
-
"severity": "SHOULD",
|
|
121
|
-
"category": "bot-policy",
|
|
122
|
-
"title": "Automated dependency update bot configured",
|
|
123
|
-
"description": "Repositories SHOULD have Dependabot or Renovate configured to propose dependency bump PRs automatically. This ensures managed incremental upgrades rather than accumulated drift.",
|
|
124
|
-
"rationale": "ADR-0009 §2: Automated bot policy is required for sustainable maintenance of exact-pinned dependencies. Without it, pins become stale security liabilities.",
|
|
125
|
-
"validationQuery": "File .github/dependabot.yml or .renovaterc.json (or equivalent) exists and is configured for the npm ecosystem.",
|
|
126
|
-
"blocking": false,
|
|
127
|
-
"checklistItem": "dependency-bot-configured"
|
|
128
|
-
},
|
|
129
|
-
{
|
|
130
|
-
"id": "DEP-10",
|
|
131
|
-
"severity": "MUST",
|
|
132
|
-
"category": "version-pinning",
|
|
133
|
-
"title": "Workspaces inherit the exact-version policy",
|
|
134
|
-
"description": "In monorepos using npm workspaces, Yarn workspaces, or pnpm workspaces, the exact-version policy (no ^ or ~) applies to ALL workspace package.json files, not just the root package.json.",
|
|
135
|
-
"rationale": "ADR-0009 §1 applies universally. Workspace packages that use ranges introduce non-determinism even when the root is pinned.",
|
|
136
|
-
"validationQuery": "All package.json files in workspace packages (not just root) are free of ^ and ~ prefixes.",
|
|
137
|
-
"blocking": true,
|
|
138
|
-
"checklistItem": "workspaces-pinned"
|
|
139
|
-
}
|
|
140
|
-
],
|
|
141
|
-
"waiverPolicy": {
|
|
142
|
-
"description": "A waiver may be used only when the organization deliberately accepts a temporary deviation from the pinning or audit policy.",
|
|
143
|
-
"requiredFields": [
|
|
144
|
-
"rule",
|
|
145
|
-
"justification",
|
|
146
|
-
"affectedPackages",
|
|
147
|
-
"owner",
|
|
148
|
-
"expirationDate",
|
|
149
|
-
"mitigationPlan"
|
|
150
|
-
],
|
|
151
|
-
"exceptions": {
|
|
152
|
-
"cves": "High/Critical CVEs cannot be waived in production releases without explicit Executive Risk Acceptance. Medium CVEs require documented justification with remediation timeline.",
|
|
153
|
-
"ranges": "Range specifiers (^ or ~) cannot be used in production package.json files. peerDependencies in published libraries may use ranges by exception with Architecture Board approval."
|
|
154
|
-
}
|
|
155
|
-
},
|
|
156
|
-
"summaryChecklist": [
|
|
157
|
-
"no-caret-ranges",
|
|
158
|
-
"no-tilde-ranges",
|
|
159
|
-
"no-wildcard-versions",
|
|
160
|
-
"lock-file-committed",
|
|
161
|
-
"ci-uses-npm-ci",
|
|
162
|
-
"ci-npm-audit-high",
|
|
163
|
-
"zero-high-critical-cves",
|
|
164
|
-
"overrides-documented",
|
|
165
|
-
"dependency-bot-configured",
|
|
166
|
-
"workspaces-pinned"
|
|
167
|
-
],
|
|
168
|
-
"references": [
|
|
169
|
-
"reference/architecture/adrs/core/0009-strict-dependency-pinning-vulnerability-management.md",
|
|
170
|
-
"rulesets/sdlc/quality-thresholds.rules.json",
|
|
171
|
-
"rulesets/definition-of-done/definition-of-done.rules.json",
|
|
172
|
-
"reference/architecture/adrs/core/0005-ci-cd-quality-codeql.md"
|
|
173
|
-
],
|
|
174
|
-
"exitCriteria": {
|
|
175
|
-
"description": "All MUST rules must pass. SHOULD rules are strongly recommended but advisory. A dependency-pinning violation BLOCKS merge to main.",
|
|
176
|
-
"validationTools": [
|
|
177
|
-
"npm audit",
|
|
178
|
-
"grep for ^ and ~ in package.json files",
|
|
179
|
-
"lock file presence check",
|
|
180
|
-
"CI workflow analysis"
|
|
181
|
-
]
|
|
182
|
-
}
|
|
183
|
-
}
|
|
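Review bot: DEP-01 through DEP-03 together still admit non-exact specifiers, so the grep-based validationQuery lines for DEP-01 and DEP-02 (`grep -r '"\^' package.json` and `grep -r '"~' package.json`) do not enforce what their descriptions claim. A value such as `">=18.0.0"`, `"1.2.3 - 2.0.0"`, `"1.x"` (DEP-03 lists a bare `x`, not `1.x`), `"18.3.1 || 19.0.0"`, a dist-tag other than `latest` such as `"next"`, or a git, URL or `npm:` alias passes all three rules yet is not a pinned version. Passing `package.json` as the path also means only the root file is inspected, so the same queries cannot serve DEP-10's workspace requirement. Consider replacing the three greps with one check that parses every value in the four `appliesTo` sections and requires an exact version (for example `semver.valid(spec) !== null` in a small CI script over all workspace manifests), and wording DEP-03 as "any specifier a semver parser does not accept as an exact version is prohibited". Separately, DEP-01 lists `peerDependencies` as blocking, while the waiverPolicy `ranges` entry says peerDependencies in published libraries may use ranges by exception; an exact-pinned peer breaks every consumer holding any other patch of that peer, so the exception is the sensible default for libraries and belongs in the rule's `appliesTo` rather than in a waiver. Finally, DEP-06's `npm audit --audit-level=high` fails on devDependency advisories too, whereas DEP-07 scopes the zero-tolerance baseline to production dependencies; pick one scope (or add `--omit=dev` to the audit step and say so in DEP-06) so the two rules cannot disagree on the same PR.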
@@ -1,297 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../schema/ruleset-sdlc.schema.json",
|
|
3
|
-
"$id": "https://evolith.dev/rulesets/sdlc/phase-gates.rules.json",
|
|
4
|
-
"title": "SDLC Phase Gate Rules",
|
|
5
|
-
"description": "Canonical phase exit gate criteria for the Evolith 5-phase SDLC. Each gate requires objective evidence; manual confidence cannot override a failed gate.",
|
|
6
|
-
"version": "1.0.0",
|
|
7
|
-
"effectiveDate": "2026-01-01",
|
|
8
|
-
"gates": [
|
|
9
|
-
{
|
|
10
|
-
"phase": 1,
|
|
11
|
-
"name": "Business Sign-Off",
|
|
12
|
-
"description": "Scope frozen; funding authorized; architectural constraints aligned.",
|
|
13
|
-
"playbookRef": "../../reference/governance/sdlc/01-playbooks/phase-1-business-signoff.md",
|
|
14
|
-
"mandatoryEvidence": [
|
|
15
|
-
{
|
|
16
|
-
"artifact": "PRD",
|
|
17
|
-
"schemaRef": "../schema/prd.schema.json",
|
|
18
|
-
"status": "Approved",
|
|
19
|
-
"validation": "PRD status = Approved AND approvalEvidence present AND date filled"
|
|
20
|
-
},
|
|
21
|
-
{
|
|
22
|
-
"artifact": "Discovery Canvas",
|
|
23
|
-
"validation": "Initiative registered with customer pain points and expected value"
|
|
24
|
-
},
|
|
25
|
-
{
|
|
26
|
-
"artifact": "Technical Feasibility Canvas",
|
|
27
|
-
"schemaRef": "../schema/technical-feasibility.schema.json",
|
|
28
|
-
"validation": "Technical feasibility and quality attributes documented with NFRs"
|
|
29
|
-
},
|
|
30
|
-
{
|
|
31
|
-
"artifact": "Ballpark Estimation",
|
|
32
|
-
"validation": "T-Shirt sizing completed with team composition"
|
|
33
|
-
},
|
|
34
|
-
{
|
|
35
|
-
"artifact": "MoSCoW Prioritization Matrix",
|
|
36
|
-
"validation": "MoSCoW analysis completed for Phase 0 with at least one MUST item and valid priority distribution"
|
|
37
|
-
},
|
|
38
|
-
{
|
|
39
|
-
"artifact": "Build-versus-Compose Analysis",
|
|
40
|
-
"schemaRef": "../schema/build-vs-compose.schema.json",
|
|
41
|
-
"validation": "Discovery evaluated open-source/free-tier/commercial alternatives with a governed Adopt/Embed/Integrate/Extend/Build/Reject disposition, three-year cost, licensing, tenant isolation, provider replaceability, and PoC requirements; native development requires explicit justification (Product Vision §5.3)"
|
|
42
|
-
}
|
|
43
|
-
],
|
|
44
|
-
"blockingCriteria": [
|
|
45
|
-
{
|
|
46
|
-
"criterion": "Scope is ambiguous",
|
|
47
|
-
"action": "BLOCK — return to Phase 1"
|
|
48
|
-
},
|
|
49
|
-
{
|
|
50
|
-
"criterion": "Technical constraints or cloud quotas are unaligned",
|
|
51
|
-
"action": "BLOCK — return to Phase 1"
|
|
52
|
-
},
|
|
53
|
-
{
|
|
54
|
-
"criterion": "Architecture constraints are ignored",
|
|
55
|
-
"action": "BLOCK — return to Phase 1"
|
|
56
|
-
}
|
|
57
|
-
],
|
|
58
|
-
"accountableRole": "Product Owner",
|
|
59
|
-
"waiverAuthority": "Executive Sponsor",
|
|
60
|
-
"waiverRequiredFields": [
|
|
61
|
-
"criterion",
|
|
62
|
-
"justification",
|
|
63
|
-
"risk",
|
|
64
|
-
"owner",
|
|
65
|
-
"expirationDate",
|
|
66
|
-
"mitigationPlan"
|
|
67
|
-
]
|
|
68
|
-
},
|
|
69
|
-
{
|
|
70
|
-
"phase": 2,
|
|
71
|
-
"name": "Design Baseline Approved",
|
|
72
|
-
"description": "Architecture decisions are documented; bounded contexts defined; functional stories written.",
|
|
73
|
-
"playbookRef": "../../reference/governance/sdlc/01-playbooks/phase-2-design-baseline.md",
|
|
74
|
-
"mandatoryEvidence": [
|
|
75
|
-
{
|
|
76
|
-
"artifact": "ADR Registry",
|
|
77
|
-
"validation": "All architecture decisions have corresponding ADR. No undocumented decisions."
|
|
78
|
-
},
|
|
79
|
-
{
|
|
80
|
-
"artifact": "Functional Stories",
|
|
81
|
-
"schemaRef": "../schema/functional-story.schema.json",
|
|
82
|
-
"validation": "All Functional Stories in Ready state with BDD acceptance criteria"
|
|
83
|
-
},
|
|
84
|
-
{
|
|
85
|
-
"artifact": "Reference Blueprint Alignment",
|
|
86
|
-
"validation": "Product architecture diagrams traceable to Evolith Reference Blueprint"
|
|
87
|
-
},
|
|
88
|
-
{
|
|
89
|
-
"artifact": "Simplicity Checklist Phase 1",
|
|
90
|
-
"validation": "Passed — no over-engineering detected"
|
|
91
|
-
},
|
|
92
|
-
{
|
|
93
|
-
"artifact": "Bounded Context Map",
|
|
94
|
-
"validation": "All contexts identified with ownership and persistence strategy"
|
|
95
|
-
}
|
|
96
|
-
],
|
|
97
|
-
"blockingCriteria": [
|
|
98
|
-
{
|
|
99
|
-
"criterion": "Significant architecture decisions are undocumented",
|
|
100
|
-
"action": "BLOCK — require ADR before design baseline"
|
|
101
|
-
},
|
|
102
|
-
{
|
|
103
|
-
"criterion": "Bounded context boundaries are contradictory",
|
|
104
|
-
"action": "BLOCK — require context map resolution"
|
|
105
|
-
},
|
|
106
|
-
{
|
|
107
|
-
"criterion": "Functional stories lack acceptance criteria",
|
|
108
|
-
"action": "BLOCK — return to story writing"
|
|
109
|
-
}
|
|
110
|
-
],
|
|
111
|
-
"accountableRole": "Software Architect",
|
|
112
|
-
"waiverAuthority": "Architecture Board",
|
|
113
|
-
"waiverRequiredFields": [
|
|
114
|
-
"criterion",
|
|
115
|
-
"justification",
|
|
116
|
-
"risk",
|
|
117
|
-
"owner",
|
|
118
|
-
"expirationDate",
|
|
119
|
-
"mitigationPlan"
|
|
120
|
-
]
|
|
121
|
-
},
|
|
122
|
-
{
|
|
123
|
-
"phase": 3,
|
|
124
|
-
"name": "Successful Build",
|
|
125
|
-
"description": "All code merged to main; CI passes; quality gates green; definition of done satisfied.",
|
|
126
|
-
"mandatoryEvidence": [
|
|
127
|
-
{
|
|
128
|
-
"artifact": "Technical Stories",
|
|
129
|
-
"schemaRef": "../schema/technical-story.schema.json",
|
|
130
|
-
"validation": "All technical stories Done; traceable to Functional Stories"
|
|
131
|
-
},
|
|
132
|
-
{
|
|
133
|
-
"artifact": "CI Pipeline",
|
|
134
|
-
"validation": "CI run green on main branch. No failing tests, no lint errors, no security scan failures"
|
|
135
|
-
},
|
|
136
|
-
{
|
|
137
|
-
"artifact": "Definition of Done Checklist",
|
|
138
|
-
"validation": "All DoD items checked per Technical Story"
|
|
139
|
-
},
|
|
140
|
-
{
|
|
141
|
-
"artifact": "Documentation Delta",
|
|
142
|
-
"validation": "Updated ADRs, inline documentation, README changes included in merge"
|
|
143
|
-
},
|
|
144
|
-
{
|
|
145
|
-
"artifact": "Coverage Report",
|
|
146
|
-
"validation": "Business logic coverage >= 80% per Quality Thresholds rules"
|
|
147
|
-
}
|
|
148
|
-
],
|
|
149
|
-
"blockingCriteria": [
|
|
150
|
-
{
|
|
151
|
-
"criterion": "CI fails on main branch",
|
|
152
|
-
"action": "BLOCK merge — fix CI before merge"
|
|
153
|
-
},
|
|
154
|
-
{
|
|
155
|
-
"criterion": "Coverage below threshold (< 80%)",
|
|
156
|
-
"action": "BLOCK merge — add tests or request waiver"
|
|
157
|
-
},
|
|
158
|
-
{
|
|
159
|
-
"criterion": "High or Critical CVEs detected",
|
|
160
|
-
"action": "BLOCK merge — remediate CVEs or request security waiver"
|
|
161
|
-
},
|
|
162
|
-
{
|
|
163
|
-
"criterion": "Missing code review approval",
|
|
164
|
-
"action": "BLOCK merge — require review"
|
|
165
|
-
}
|
|
166
|
-
],
|
|
167
|
-
"accountableRole": "Tech Lead",
|
|
168
|
-
"waiverAuthority": "Architecture Board (with exception for CVEs requires Executive Risk Acceptance)",
|
|
169
|
-
"waiverRequiredFields": [
|
|
170
|
-
"criterion",
|
|
171
|
-
"justification",
|
|
172
|
-
"risk",
|
|
173
|
-
"owner",
|
|
174
|
-
"expirationDate",
|
|
175
|
-
"mitigationPlan",
|
|
176
|
-
"approvalAuthority"
|
|
177
|
-
]
|
|
178
|
-
},
|
|
179
|
-
{
|
|
180
|
-
"phase": 4,
|
|
181
|
-
"name": "RC Stamped",
|
|
182
|
-
"description": "All quality thresholds verified; security scans clean; UAT passed; release candidate formally approved.",
|
|
183
|
-
"playbookRef": "../../reference/governance/sdlc/01-playbooks/phase-4-rc-stamp.md",
|
|
184
|
-
"mandatoryEvidence": [
|
|
185
|
-
{
|
|
186
|
-
"artifact": "Test Summary Report",
|
|
187
|
-
"schemaRef": "../schema/test-summary-report.schema.json",
|
|
188
|
-
"templateRef": "../../reference/governance/sdlc/04-artifact-templates/test-summary-report-template.md",
|
|
189
|
-
"validation": "All quality gates green or explicitly waived. RC stamped by QA Lead and Tech Lead."
|
|
190
|
-
},
|
|
191
|
-
{
|
|
192
|
-
"artifact": "Acceptance Validation",
|
|
193
|
-
"validation": "Product Owner signs off on acceptance criteria verification"
|
|
194
|
-
},
|
|
195
|
-
{
|
|
196
|
-
"artifact": "Security Scan Report",
|
|
197
|
-
"schemaRef": "../schema/security-scan-report.schema.json",
|
|
198
|
-
"templateRef": "../../reference/governance/sdlc/04-artifact-templates/security-scan-report-template.md",
|
|
199
|
-
"validation": "Zero High/Critical CVEs in production-bound artifacts; structure conforms to security-scan-report.schema.json"
|
|
200
|
-
},
|
|
201
|
-
{
|
|
202
|
-
"artifact": "Integration Evidence",
|
|
203
|
-
"schemaRef": "../schema/integration-evidence.schema.json",
|
|
204
|
-
"templateRef": "../../reference/governance/sdlc/04-artifact-templates/integration-evidence-template.md",
|
|
205
|
-
"validation": "Every declared inter-component contract exercised; no FAIL entries without waiver; structure conforms to integration-evidence.schema.json"
|
|
206
|
-
},
|
|
207
|
-
{
|
|
208
|
-
"artifact": "Pyramid Distribution",
|
|
209
|
-
"validation": "70% unit / 20% integration / 10% E2E target met or deviation explained"
|
|
210
|
-
}
|
|
211
|
-
],
|
|
212
|
-
"blockingCriteria": [
|
|
213
|
-
{
|
|
214
|
-
"criterion": "Any mandatory quality metric fails",
|
|
215
|
-
"action": "BLOCK RC stamp — remediate or waiver"
|
|
216
|
-
},
|
|
217
|
-
{
|
|
218
|
-
"criterion": "Acceptance criteria remain unverified",
|
|
219
|
-
"action": "BLOCK RC stamp — return to validation"
|
|
220
|
-
},
|
|
221
|
-
{
|
|
222
|
-
"criterion": "Technical debt ratio exceeds 5%",
|
|
223
|
-
"action": "BLOCK RC stamp — remediation plan required"
|
|
224
|
-
}
|
|
225
|
-
],
|
|
226
|
-
"accountableRole": "QA Lead",
|
|
227
|
-
"waiverAuthority": "Architecture Board",
|
|
228
|
-
"waiverRequiredFields": [
|
|
229
|
-
"criterion",
|
|
230
|
-
"justification",
|
|
231
|
-
"risk",
|
|
232
|
-
"owner",
|
|
233
|
-
"expirationDate",
|
|
234
|
-
"mitigationPlan"
|
|
235
|
-
]
|
|
236
|
-
},
|
|
237
|
-
{
|
|
238
|
-
"phase": 5,
|
|
239
|
-
"name": "Production Live",
|
|
240
|
-
"description": "Deployment executed; observability verified nominal; monitoring active; rollback procedure confirmed.",
|
|
241
|
-
"playbookRef": "../../reference/governance/sdlc/01-playbooks/zero-downtime-release.md",
|
|
242
|
-
"mandatoryEvidence": [
|
|
243
|
-
{
|
|
244
|
-
"artifact": "Release Notes",
|
|
245
|
-
"schemaRef": "../schema/release-notes.schema.json",
|
|
246
|
-
"validation": "Release scope, deployment steps, rollback procedure, observability checklist all present and complete"
|
|
247
|
-
},
|
|
248
|
-
{
|
|
249
|
-
"artifact": "Observability Validation",
|
|
250
|
-
"schemaRef": "../schema/observability-validation.schema.json",
|
|
251
|
-
"templateRef": "../../reference/governance/sdlc/04-artifact-templates/observability-validation-template.md",
|
|
252
|
-
"validation": "Metrics nominal, logs flowing, traces complete for all production paths; structure conforms to observability-validation.schema.json"
|
|
253
|
-
},
|
|
254
|
-
{
|
|
255
|
-
"artifact": "Rollback Procedure",
|
|
256
|
-
"schemaRef": "../schema/rollback-rehearsal.schema.json",
|
|
257
|
-
"templateRef": "../../reference/governance/sdlc/04-artifact-templates/rollback-rehearsal-template.md",
|
|
258
|
-
"validation": "Rollback steps documented and tested. Last good version identified. Rehearsal evidence confirms rollback within budget."
|
|
259
|
-
},
|
|
260
|
-
{
|
|
261
|
-
"artifact": "On-Call Handoff",
|
|
262
|
-
"schemaRef": "../schema/on-call-handoff.schema.json",
|
|
263
|
-
"templateRef": "../../reference/governance/sdlc/04-artifact-templates/on-call-handoff-template.md",
|
|
264
|
-
"validation": "On-call team briefed with runbook references, escalation paths, alert ownership, and SLA acknowledgement confirmed."
|
|
265
|
-
},
|
|
266
|
-
{
|
|
267
|
-
"artifact": "Deployment Evidence",
|
|
268
|
-
"validation": "Deployment artifacts (images, configs) traceable to RC"
|
|
269
|
-
}
|
|
270
|
-
],
|
|
271
|
-
"blockingCriteria": [
|
|
272
|
-
{
|
|
273
|
-
"criterion": "Monitoring is not nominal",
|
|
274
|
-
"action": "BLOCK Production Live — investigate before deploy"
|
|
275
|
-
},
|
|
276
|
-
{
|
|
277
|
-
"criterion": "Rollback procedure is undefined",
|
|
278
|
-
"action": "BLOCK Production Live — document rollback first"
|
|
279
|
-
},
|
|
280
|
-
{
|
|
281
|
-
"criterion": "Release is not traceable to RC",
|
|
282
|
-
"action": "BLOCK Production Live — ensure RC → Release chain"
|
|
283
|
-
}
|
|
284
|
-
],
|
|
285
|
-
"accountableRole": "DevOps Lead",
|
|
286
|
-
"waiverAuthority": "Technology Director",
|
|
287
|
-
"waiverRequiredFields": [
|
|
288
|
-
"criterion",
|
|
289
|
-
"justification",
|
|
290
|
-
"risk",
|
|
291
|
-
"owner",
|
|
292
|
-
"expirationDate",
|
|
293
|
-
"mitigationPlan"
|
|
294
|
-
]
|
|
295
|
-
}
|
|
296
|
-
]
|
|
297
|
-
}
|
|
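Review bot: the phase 3 gate ("Successful Build") is the only one of the five without a `playbookRef`, and it is also the only one whose CVE exception is expressed as free text inside `waiverAuthority` (`"Architecture Board (with exception for CVEs requires Executive Risk Acceptance)"`) and whose `waiverRequiredFields` adds `"approvalAuthority"`. A gate engine consuming this file cannot read a parenthetical, so the exception should be data: either a per-criterion authority on the `"High or Critical CVEs detected"` blocking entry, or a top-level `waiverPolicy.exceptions.cves` field like the one the dependency-pinning and quality-thresholds rulesets in this same diff already carry, with `waiverAuthority` reduced to a single role. The same gap recurs in phase 4: its mandatory Security Scan Report demands zero High/Critical CVEs, its blocking criterion "Any mandatory quality metric fails" routes to "remediate or waiver", and its `waiverAuthority` is "Architecture Board", which is exactly the authority the quality-thresholds ruleset says is insufficient for High/Critical CVEs without Executive Risk Acceptance. One smaller consistency issue: the phase 1 MoSCoW evidence reads "MoSCoW analysis completed for Phase 0" while the gate is `"phase": 1`; if Phase 0 is a real discovery phase it should appear in the `gates` array or the text should say Phase 1.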
@@ -1,96 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../schema/ruleset-standard.schema.json",
|
|
3
|
-
"$id": "https://evolith.dev/rulesets/sdlc/quality-thresholds.rules.json",
|
|
4
|
-
"title": "SDLC Quality Threshold Rules",
|
|
5
|
-
"description": "Canonical release-blocking quality thresholds for Evolith satellites. These thresholds apply to all SDLC phases where construction or validation occurs.",
|
|
6
|
-
"version": "1.0.0",
|
|
7
|
-
"effectiveDate": "2026-01-01",
|
|
8
|
-
"waiverPolicy": {
|
|
9
|
-
"description": "A waiver may be used only when the organization deliberately accepts a temporary deviation.",
|
|
10
|
-
"requiredFields": [
|
|
11
|
-
"criterion",
|
|
12
|
-
"justification",
|
|
13
|
-
"risk",
|
|
14
|
-
"owner",
|
|
15
|
-
"expirationDate",
|
|
16
|
-
"mitigationPlan",
|
|
17
|
-
"approvalAuthority"
|
|
18
|
-
],
|
|
19
|
-
"exceptions": {
|
|
20
|
-
"cves": "High/Critical security vulnerabilities cannot be waived in production releases without explicit Executive Risk Acceptance",
|
|
21
|
-
"coverage": "Business logic coverage below 80% cannot be waived without Architecture Board approval and remediation plan"
|
|
22
|
-
}
|
|
23
|
-
},
|
|
24
|
-
"rules": [
|
|
25
|
-
{
|
|
26
|
-
"id": "QT-01",
|
|
27
|
-
"severity": "MUST",
|
|
28
|
-
"category": "testing",
|
|
29
|
-
"title": "Code Coverage",
|
|
30
|
-
"description": "Coverage below 80% on business logic BLOCKS merge (Phase 3) and RC stamp (Phase 4).",
|
|
31
|
-
"blocking": true
|
|
32
|
-
},
|
|
33
|
-
{
|
|
34
|
-
"id": "QT-02",
|
|
35
|
-
"severity": "MUST",
|
|
36
|
-
"category": "code-quality",
|
|
37
|
-
"title": "Cyclomatic Complexity",
|
|
38
|
-
"description": "Methods or functions exceeding cyclomatic complexity of 15 BLOCK merge or RC stamp without refactoring plan or explicit waiver.",
|
|
39
|
-
"blocking": true
|
|
40
|
-
},
|
|
41
|
-
{
|
|
42
|
-
"id": "QT-03",
|
|
43
|
-
"severity": "MUST",
|
|
44
|
-
"category": "security",
|
|
45
|
-
"title": "Security Vulnerabilities",
|
|
46
|
-
"description": "Any High or Critical CVE BLOCKS merge, RC stamp, and production release. Medium CVEs require justification.",
|
|
47
|
-
"blocking": true
|
|
48
|
-
},
|
|
49
|
-
{
|
|
50
|
-
"id": "QT-04",
|
|
51
|
-
"severity": "MUST",
|
|
52
|
-
"category": "code-quality",
|
|
53
|
-
"title": "Technical Debt Ratio",
|
|
54
|
-
"description": "Technical debt ratio > 5% BLOCKS RC stamp unless a remediation plan with explicit timeline and owner is approved.",
|
|
55
|
-
"blocking": true
|
|
56
|
-
},
|
|
57
|
-
{
|
|
58
|
-
"id": "QT-05",
|
|
59
|
-
"severity": "MUST",
|
|
60
|
-
"category": "testing",
|
|
61
|
-
"title": "Testing Pyramid Distribution",
|
|
62
|
-
"description": "Release with materially skewed distribution (e.g., 40% unit / 50% integration) requires written explanation. Not a hard block but must be reviewed.",
|
|
63
|
-
"blocking": true
|
|
64
|
-
},
|
|
65
|
-
{
|
|
66
|
-
"id": "QT-06",
|
|
67
|
-
"severity": "MUST",
|
|
68
|
-
"category": "documentation",
|
|
69
|
-
"title": "Documentation Delta",
|
|
70
|
-
"description": "Code changes that alter behavior, introduce new API endpoints, change architecture, or modify operations without corresponding documentation BLOCK merge and Production Live.",
|
|
71
|
-
"blocking": true
|
|
72
|
-
},
|
|
73
|
-
{
|
|
74
|
-
"id": "QT-07",
|
|
75
|
-
"severity": "MUST",
|
|
76
|
-
"category": "operations",
|
|
77
|
-
"title": "Observability Evidence",
|
|
78
|
-
"description": "Any production API path without traces, structured logs, or metrics BLOCKS Production Live declaration.",
|
|
79
|
-
"blocking": true
|
|
80
|
-
},
|
|
81
|
-
{
|
|
82
|
-
"id": "QT-08",
|
|
83
|
-
"severity": "MUST",
|
|
84
|
-
"category": "contract",
|
|
85
|
-
"title": "API Contract Compatibility",
|
|
86
|
-
"description": "Breaking changes to inter-module (gRPC/REST) contracts BLOCK merge. Consumer-driven contract tests must pass.",
|
|
87
|
-
"blocking": true
|
|
88
|
-
}
|
|
89
|
-
],
|
|
90
|
-
"references": [
|
|
91
|
-
"../sdlc/phase-gates.rules.json",
|
|
92
|
-
"adr/0018-testing-pyramid-quality-gates.md",
|
|
93
|
-
"adr/0049-naming-semantics-clean-code-policy.md",
|
|
94
|
-
"adr/0005-ci-cd-quality-codeql.md"
|
|
95
|
-
]
|
|
96
|
-
}
|
|
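Review bot: The QT-05 entry is internally inconsistent: its description says the skewed testing-pyramid distribution is "Not a hard block but must be reviewed", yet the same rule carries `"blocking": true`, so any evaluator honouring the flag will hard-block what the text calls a review item; if this ruleset is being relocated rather than retired, set the flag to `false` or reword the description. Deleting the file also removes the waiver policy (including the exception that High/Critical CVEs cannot be waived in production releases without explicit Executive Risk Acceptance) and the QT-03 CVE gate from the published package, and the `references` block still points to `../sdlc/phase-gates.rules.json` and three ADR documents; the release notes should state where consumers of 1.0.2 now resolve these rules, since nothing in the hunk indicates a replacement location.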
@@ -1,42 +0,0 @@
|
|
|
1
|
-
# Hub de Rulesets Topologicos
|
|
2
|
-
|
|
3
|
-
> **Navegacion Bilingue:** [English Version](./README.md)
|
|
4
|
-
|
|
5
|
-
Esta area define el modelo canonico de resolucion de rulesets topologicos para la gobernanza de Evolith Core.
|
|
6
|
-
|
|
7
|
-
**GT-329:** Las 5 topologias avanzadas (`serverless`, `edge-computing`, `event-driven`, `data-mesh`, `agentic-ai`) han sido reubicadas aqui desde `reference/architecture/topologies/` como su **ubicacion ejecutable canonica**. Las topologias de `progressive-axis` permanecen en `reference/architecture/topologies/progressive-axis/` por razones historicas. La guia topologica legible por humanos vive en `reference/architecture/topologies/`. Esta carpeta contiene las reglas legibles por maquina que consumen CLI, MCP, Service CORE API, CI y futuros resolvers topologicos.
|
|
8
|
-
|
|
9
|
-
## Modelo de Ejecucion
|
|
10
|
-
|
|
11
|
-
| Preocupacion | Ubicacion Canonica | Proposito |
|
|
12
|
-
|---|---|---|
|
|
13
|
-
| Schema de manifiesto | `rulesets/schema/topology-manifest.schema.json` | Validar cada `topology.manifest.json`. |
|
|
14
|
-
| Reglas topologicas Native | `spec.artifacts.rulesets[]` declarado por el manifiesto | Ejecutar checks especificos de topologia en el evaluador Native. |
|
|
15
|
-
| Politicas topologicas OPA | `spec.artifacts.opaPolicies[]` declarado por el manifiesto | Ejecutar politicas Rego equivalentes para paridad OPA. |
|
|
16
|
-
| Corpus humano | `reference/architecture/topologies/` | Explicar intencion, restricciones, ADRs y reglas de composicion topologica. |
|
|
17
|
-
|
|
18
|
-
## Dimensiones Gobernadas
|
|
19
|
-
|
|
20
|
-
| Dimension | Topologias | Patron de Ruta de Reglas |
|
|
21
|
-
|---|---|---|
|
|
22
|
-
| `progressive-axis` | `modular-monolith`, `distributed-modules`, `microservices` | `rulesets/topologies/progressive-axis/<topology>/` |
|
|
23
|
-
| `execution` | `serverless`, `edge-computing` | `rulesets/topologies/serverless/`, `rulesets/topologies/edge-computing/` |
|
|
24
|
-
| `integration` | `event-driven` | `rulesets/topologies/event-driven/` |
|
|
25
|
-
| `data` | `data-mesh` | `rulesets/topologies/data-mesh/` |
|
|
26
|
-
| `ai` | `agentic-ai` | `rulesets/topologies/agentic-ai/` |
|
|
27
|
-
|
|
28
|
-
## Reglas de Enforcement
|
|
29
|
-
|
|
30
|
-
- No crear un CLI, servidor MCP o Core API separado por topologia.
|
|
31
|
-
- No colocar diseno topologico legible por humanos como fuente ejecutable de verdad; manifiestos y sus rulesets declarados son el contrato ejecutable.
|
|
32
|
-
- No construyas rutas legacy de archivos F1/F2/F3. Resuelve el alias de compatibilidad mediante el manifiesto topologico del eje progresivo.
|
|
33
|
-
- Cada nueva regla topologica ejecutable debe preservar Dual-Engine Parity cuando ambos motores apliquen.
|
|
34
|
-
- Las politicas OPA no deben desviarse de la semantica de reglas Native.
|
|
35
|
-
- Las reglas topologicas no deben codificar presupuesto, ROI, costo, staffing, priorizacion, timing ni ownership de negocio.
|
|
36
|
-
|
|
37
|
-
## Estado Actual
|
|
38
|
-
|
|
39
|
-
La ubicacion de rulesets topologicos esta autorizada. Los perfiles topologicos concretos y sus reglas Native mas OPA se rastrean en el [Tablero de Seguimiento de Gaps](../../reference/governance/standards/vision/gap-tracking.es.md).
|
|
40
|
-
|
|
41
|
-
---
|
|
42
|
-
[Volver al Hub de Rulesets](../README.es.md)
|
|
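Review bot: The GT-329 paragraph and the "Dimensiones Gobernadas" table disagree about where progressive-axis rules live: the paragraph says the `progressive-axis` topologies remain in `reference/architecture/topologies/progressive-axis/`, while the table lists their rule path as `rulesets/topologies/progressive-axis/<topology>/`; if this README is being moved rather than dropped, the two statements should be reconciled so that resolvers and CI do not look in the wrong tree. The enforcement rule "No construyas rutas legacy de archivos F1/F2/F3" also names the compatibility alias as the only supported resolution path, so removing the document that defines it without a replacement leaves consumers with no stated rule for mapping legacy identifiers to manifests.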
@@ -1,42 +0,0 @@
|
|
|
1
|
-
# Topology Rulesets Hub
|
|
2
|
-
|
|
3
|
-
> **Bilingual Navigation:** [Version en Espanol](./README.es.md)
|
|
4
|
-
|
|
5
|
-
This area defines the canonical topology-ruleset resolution model for Evolith Core governance.
|
|
6
|
-
|
|
7
|
-
**GT-329:** The 5 advanced topologies (`serverless`, `edge-computing`, `event-driven`, `data-mesh`, `agentic-ai`) have been relocated here from `reference/architecture/topologies/` as their **canonical executable location**. The `progressive-axis` topologies remain in `reference/architecture/topologies/progressive-axis/` for historical reasons. Human-readable topology guidance lives in `reference/architecture/topologies/`. This folder contains the machine-readable rules that CLI, MCP, Service CORE API, CI, and future topology resolvers consume.
|
|
8
|
-
|
|
9
|
-
## Execution Model
|
|
10
|
-
|
|
11
|
-
| Concern | Canonical Location | Purpose |
|
|
12
|
-
|---|---|---|
|
|
13
|
-
| Manifest schema | `rulesets/schema/topology-manifest.schema.json` | Validate every `topology.manifest.json`. |
|
|
14
|
-
| Native topology rules | Manifest-declared `spec.artifacts.rulesets[]` | Execute topology-specific checks in the Native evaluator. |
|
|
15
|
-
| OPA topology policies | Manifest-declared `spec.artifacts.opaPolicies[]` | Execute equivalent Rego policies for OPA parity. |
|
|
16
|
-
| Human corpus | `reference/architecture/topologies/` | Explain topology intent, constraints, ADRs, and composition rules. |
|
|
17
|
-
|
|
18
|
-
## Governed Dimensions
|
|
19
|
-
|
|
20
|
-
| Dimension | Topologies | Rule Path Pattern |
|
|
21
|
-
|---|---|---|
|
|
22
|
-
| `progressive-axis` | `modular-monolith`, `distributed-modules`, `microservices` | `rulesets/topologies/progressive-axis/<topology>/` |
|
|
23
|
-
| `execution` | `serverless`, `edge-computing` | `rulesets/topologies/serverless/`, `rulesets/topologies/edge-computing/` |
|
|
24
|
-
| `integration` | `event-driven` | `rulesets/topologies/event-driven/` |
|
|
25
|
-
| `data` | `data-mesh` | `rulesets/topologies/data-mesh/` |
|
|
26
|
-
| `ai` | `agentic-ai` | `rulesets/topologies/agentic-ai/` |
|
|
27
|
-
|
|
28
|
-
## Enforcement Rules
|
|
29
|
-
|
|
30
|
-
- Do not create a separate CLI, MCP server, or Core API per topology.
|
|
31
|
-
- Do not place human-readable topology design as the source of executable truth; manifests and their declared rulesets are the executable contract.
|
|
32
|
-
- Do not construct legacy F1/F2/F3 file paths. Resolve the compatibility alias through the progressive-axis topology manifest.
|
|
33
|
-
- Every new enforceable topology rule must preserve Dual-Engine Parity when both engines apply.
|
|
34
|
-
- OPA policies must not drift from Native rule semantics.
|
|
35
|
-
- Topology rules must not encode business budget, ROI, cost, staffing, prioritization, timing, or business ownership.
|
|
36
|
-
|
|
37
|
-
## Current Status
|
|
38
|
-
|
|
39
|
-
The topology ruleset location is authorized. Concrete topology profiles and their Native plus OPA rules are tracked in the [Gap Tracking Board](../../reference/governance/standards/vision/gap-tracking.md).
|
|
40
|
-
|
|
41
|
-
---
|
|
42
|
-
[Back to Rulesets Hub](../README.md)
|
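Review bot: The enforcement rules require Dual-Engine Parity and state that OPA policies must not drift from Native rule semantics, but nothing in this README names the check that verifies parity between `spec.artifacts.rulesets[]` and `spec.artifacts.opaPolicies[]`; a rule that is enforced in only one engine silently weakens the gate, so the relocated or replacement documentation should name the parity test or CI job. The "Current Status" link to `../../reference/governance/standards/vision/gap-tracking.md` resolves outside the `rulesets/` tree this README lives in, so it is a dangling link for anyone reading the file from the published package regardless of this deletion. Since the Spanish copy is removed in the same change, the bilingual pair stays consistent; keep it that way if the file is reintroduced elsewhere.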