@grainulation/silo 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CODE_OF_CONDUCT.md +25 -0
- package/CONTRIBUTING.md +103 -0
- package/README.md +67 -59
- package/bin/silo.js +212 -86
- package/lib/analytics.js +26 -11
- package/lib/confluence.js +343 -0
- package/lib/graph.js +414 -0
- package/lib/import-export.js +29 -24
- package/lib/index.js +15 -9
- package/lib/packs.js +60 -36
- package/lib/search.js +24 -16
- package/lib/serve-mcp.js +391 -95
- package/lib/server.js +205 -110
- package/lib/store.js +34 -18
- package/lib/templates.js +28 -17
- package/package.json +7 -3
- package/packs/adr.json +219 -0
- package/packs/api-design.json +67 -14
- package/packs/architecture-decision.json +152 -0
- package/packs/architecture.json +45 -9
- package/packs/ci-cd.json +51 -11
- package/packs/compliance.json +70 -14
- package/packs/data-engineering.json +57 -12
- package/packs/frontend.json +56 -12
- package/packs/hackathon-best-ai.json +179 -0
- package/packs/hackathon-business-impact.json +180 -0
- package/packs/hackathon-innovation.json +210 -0
- package/packs/hackathon-most-innovative.json +179 -0
- package/packs/hackathon-most-rigorous.json +179 -0
- package/packs/hackathon-sprint-boost.json +173 -0
- package/packs/incident-postmortem.json +219 -0
- package/packs/migration.json +45 -9
- package/packs/observability.json +57 -12
- package/packs/security.json +61 -13
- package/packs/team-process.json +64 -13
- package/packs/testing.json +20 -4
- package/packs/vendor-eval.json +219 -0
- package/packs/vendor-evaluation.json +148 -0
|
@@ -0,0 +1,152 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "Architecture Decision (Enterprise)",
|
|
3
|
+
"description": "Extended enterprise ADR framework with governance, stakeholder alignment, and compliance integration. Builds on the base adr pack with enterprise-specific constraints for regulated environments.",
|
|
4
|
+
"version": "1.0.0",
|
|
5
|
+
"extends": "adr",
|
|
6
|
+
"claims": [
|
|
7
|
+
{
|
|
8
|
+
"id": "adec-001",
|
|
9
|
+
"type": "constraint",
|
|
10
|
+
"topic": "enterprise ADR governance",
|
|
11
|
+
"content": "Enterprise ADRs require approval chain: (1) Technical lead proposes and researches. (2) Architecture review board (ARB) reviews evidence quality. (3) Security and compliance sign off on regulated decisions. (4) VP/Director approves budget implications. Each approval is a claim in the sprint with 'documented' evidence tier.",
|
|
12
|
+
"source": {
|
|
13
|
+
"origin": "best-practice",
|
|
14
|
+
"artifact": null,
|
|
15
|
+
"connector": null
|
|
16
|
+
},
|
|
17
|
+
"evidence": "documented",
|
|
18
|
+
"status": "active",
|
|
19
|
+
"phase_added": "define",
|
|
20
|
+
"timestamp": "2026-03-21T00:00:00.000Z",
|
|
21
|
+
"conflicts_with": [],
|
|
22
|
+
"resolved_by": null,
|
|
23
|
+
"tags": ["adr", "enterprise", "governance", "approval-chain"]
|
|
24
|
+
},
|
|
25
|
+
{
|
|
26
|
+
"id": "adec-002",
|
|
27
|
+
"type": "constraint",
|
|
28
|
+
"topic": "compliance impact assessment",
|
|
29
|
+
"content": "Architecture decisions that affect data flow, storage, or access patterns must include a compliance impact assessment. For each option: (1) Does it change data residency? (2) Does it affect audit logging? (3) Does it require new BAAs or DPAs? (4) Does it change the attack surface?",
|
|
30
|
+
"source": {
|
|
31
|
+
"origin": "best-practice",
|
|
32
|
+
"artifact": null,
|
|
33
|
+
"connector": null
|
|
34
|
+
},
|
|
35
|
+
"evidence": "documented",
|
|
36
|
+
"status": "active",
|
|
37
|
+
"phase_added": "define",
|
|
38
|
+
"timestamp": "2026-03-21T00:00:00.000Z",
|
|
39
|
+
"conflicts_with": [],
|
|
40
|
+
"resolved_by": null,
|
|
41
|
+
"tags": ["adr", "compliance", "impact-assessment", "enterprise"]
|
|
42
|
+
},
|
|
43
|
+
{
|
|
44
|
+
"id": "adec-003",
|
|
45
|
+
"type": "constraint",
|
|
46
|
+
"topic": "cost analysis requirement",
|
|
47
|
+
"content": "Enterprise ADRs must include a cost analysis with estimate claims: (1) Implementation cost (engineering hours * loaded rate). (2) Operational cost (infrastructure, licensing, support). (3) Migration cost if changing from current state. (4) Opportunity cost of alternatives not chosen. All estimates must specify confidence range.",
|
|
48
|
+
"source": {
|
|
49
|
+
"origin": "best-practice",
|
|
50
|
+
"artifact": null,
|
|
51
|
+
"connector": null
|
|
52
|
+
},
|
|
53
|
+
"evidence": "documented",
|
|
54
|
+
"status": "active",
|
|
55
|
+
"phase_added": "define",
|
|
56
|
+
"timestamp": "2026-03-21T00:00:00.000Z",
|
|
57
|
+
"conflicts_with": [],
|
|
58
|
+
"resolved_by": null,
|
|
59
|
+
"tags": ["adr", "cost-analysis", "estimates", "enterprise"]
|
|
60
|
+
},
|
|
61
|
+
{
|
|
62
|
+
"id": "adec-004",
|
|
63
|
+
"type": "recommendation",
|
|
64
|
+
"topic": "stakeholder communication",
|
|
65
|
+
"content": "ADR output should have two formats: (1) Technical brief — full evidence, conflict resolution, detailed trade-offs for engineering. (2) Executive summary — decision, cost impact, timeline, and top 3 risks for leadership. The wheat /brief command should produce both from the same claims.",
|
|
66
|
+
"source": {
|
|
67
|
+
"origin": "best-practice",
|
|
68
|
+
"artifact": null,
|
|
69
|
+
"connector": null
|
|
70
|
+
},
|
|
71
|
+
"evidence": "stated",
|
|
72
|
+
"status": "active",
|
|
73
|
+
"phase_added": "define",
|
|
74
|
+
"timestamp": "2026-03-21T00:00:00.000Z",
|
|
75
|
+
"conflicts_with": [],
|
|
76
|
+
"resolved_by": null,
|
|
77
|
+
"tags": ["adr", "communication", "stakeholder", "enterprise"]
|
|
78
|
+
},
|
|
79
|
+
{
|
|
80
|
+
"id": "adec-005",
|
|
81
|
+
"type": "risk",
|
|
82
|
+
"topic": "decision fatigue",
|
|
83
|
+
"content": "Enterprise teams often over-ADR, creating decision records for trivial choices (which testing library, tab vs spaces). This wastes research time and creates ADR fatigue. Guideline: only create ADRs for decisions that are (1) hard to reverse, (2) affect multiple teams, or (3) have significant cost/risk implications.",
|
|
84
|
+
"source": {
|
|
85
|
+
"origin": "best-practice",
|
|
86
|
+
"artifact": null,
|
|
87
|
+
"connector": null
|
|
88
|
+
},
|
|
89
|
+
"evidence": "documented",
|
|
90
|
+
"status": "active",
|
|
91
|
+
"phase_added": "define",
|
|
92
|
+
"timestamp": "2026-03-21T00:00:00.000Z",
|
|
93
|
+
"conflicts_with": [],
|
|
94
|
+
"resolved_by": null,
|
|
95
|
+
"tags": ["adr", "decision-fatigue", "risk", "governance"]
|
|
96
|
+
},
|
|
97
|
+
{
|
|
98
|
+
"id": "adec-006",
|
|
99
|
+
"type": "factual",
|
|
100
|
+
"topic": "cross-team dependency mapping",
|
|
101
|
+
"content": "Architecture decisions in enterprise contexts frequently affect multiple teams. Before finalizing, map upstream and downstream dependencies: which teams consume or produce data/APIs affected by this decision? Each affected team should contribute at least one constraint or risk claim to the sprint.",
|
|
102
|
+
"source": {
|
|
103
|
+
"origin": "best-practice",
|
|
104
|
+
"artifact": null,
|
|
105
|
+
"connector": null
|
|
106
|
+
},
|
|
107
|
+
"evidence": "documented",
|
|
108
|
+
"status": "active",
|
|
109
|
+
"phase_added": "define",
|
|
110
|
+
"timestamp": "2026-03-21T00:00:00.000Z",
|
|
111
|
+
"conflicts_with": [],
|
|
112
|
+
"resolved_by": null,
|
|
113
|
+
"tags": ["adr", "dependencies", "cross-team", "enterprise"]
|
|
114
|
+
},
|
|
115
|
+
{
|
|
116
|
+
"id": "adec-007",
|
|
117
|
+
"type": "recommendation",
|
|
118
|
+
"topic": "ADR review cadence",
|
|
119
|
+
"content": "Schedule quarterly ADR reviews: (1) Are accepted ADRs still valid? (2) Have any assumptions changed? (3) Are deprecated ADRs properly linked to replacements? (4) Do new team members know where to find ADRs? Use the wheat graph to find ADRs with stale evidence or unresolved conflicts.",
|
|
120
|
+
"source": {
|
|
121
|
+
"origin": "best-practice",
|
|
122
|
+
"artifact": null,
|
|
123
|
+
"connector": null
|
|
124
|
+
},
|
|
125
|
+
"evidence": "stated",
|
|
126
|
+
"status": "active",
|
|
127
|
+
"phase_added": "define",
|
|
128
|
+
"timestamp": "2026-03-21T00:00:00.000Z",
|
|
129
|
+
"conflicts_with": [],
|
|
130
|
+
"resolved_by": null,
|
|
131
|
+
"tags": ["adr", "review-cadence", "maintenance", "enterprise"]
|
|
132
|
+
},
|
|
133
|
+
{
|
|
134
|
+
"id": "adec-008",
|
|
135
|
+
"type": "constraint",
|
|
136
|
+
"topic": "technology radar alignment",
|
|
137
|
+
"content": "Enterprise ADRs for technology choices should reference the organization's technology radar (adopt/trial/assess/hold). Proposing a 'hold' technology requires exceptional evidence. Moving a technology from 'assess' to 'adopt' should be backed by a prototype phase with 'tested' evidence tier.",
|
|
138
|
+
"source": {
|
|
139
|
+
"origin": "best-practice",
|
|
140
|
+
"artifact": "https://www.thoughtworks.com/radar",
|
|
141
|
+
"connector": null
|
|
142
|
+
},
|
|
143
|
+
"evidence": "documented",
|
|
144
|
+
"status": "active",
|
|
145
|
+
"phase_added": "define",
|
|
146
|
+
"timestamp": "2026-03-21T00:00:00.000Z",
|
|
147
|
+
"conflicts_with": [],
|
|
148
|
+
"resolved_by": null,
|
|
149
|
+
"tags": ["adr", "technology-radar", "enterprise", "governance"]
|
|
150
|
+
}
|
|
151
|
+
]
|
|
152
|
+
}
|
package/packs/architecture.json
CHANGED
|
@@ -8,7 +8,11 @@
|
|
|
8
8
|
"type": "constraint",
|
|
9
9
|
"topic": "microservices operational overhead",
|
|
10
10
|
"content": "Microservices add operational overhead proportional to service count: each service needs its own CI/CD pipeline, monitoring, alerting, and on-call rotation. Below ~10 engineers, this cost often exceeds the benefit.",
|
|
11
|
-
"source": {
|
|
11
|
+
"source": {
|
|
12
|
+
"origin": "best-practice",
|
|
13
|
+
"artifact": null,
|
|
14
|
+
"connector": null
|
|
15
|
+
},
|
|
12
16
|
"evidence": "documented",
|
|
13
17
|
"status": "active",
|
|
14
18
|
"phase_added": "define",
|
|
@@ -22,7 +26,11 @@
|
|
|
22
26
|
"type": "risk",
|
|
23
27
|
"topic": "distributed transaction complexity",
|
|
24
28
|
"content": "Distributed transactions across microservices require saga patterns or two-phase commit. Both add complexity and failure modes that don't exist in a monolith.",
|
|
25
|
-
"source": {
|
|
29
|
+
"source": {
|
|
30
|
+
"origin": "best-practice",
|
|
31
|
+
"artifact": null,
|
|
32
|
+
"connector": null
|
|
33
|
+
},
|
|
26
34
|
"evidence": "documented",
|
|
27
35
|
"status": "active",
|
|
28
36
|
"phase_added": "define",
|
|
@@ -36,7 +44,11 @@
|
|
|
36
44
|
"type": "factual",
|
|
37
45
|
"topic": "event-driven eventual consistency",
|
|
38
46
|
"content": "Event-driven architectures decouple producers from consumers but introduce eventual consistency. Any user-facing flow that requires strong consistency must use synchronous calls or compensating transactions.",
|
|
39
|
-
"source": {
|
|
47
|
+
"source": {
|
|
48
|
+
"origin": "best-practice",
|
|
49
|
+
"artifact": null,
|
|
50
|
+
"connector": null
|
|
51
|
+
},
|
|
40
52
|
"evidence": "documented",
|
|
41
53
|
"status": "active",
|
|
42
54
|
"phase_added": "define",
|
|
@@ -50,7 +62,11 @@
|
|
|
50
62
|
"type": "recommendation",
|
|
51
63
|
"topic": "modular monolith first",
|
|
52
64
|
"content": "Start with a modular monolith (clear module boundaries, separate data access per module) and extract services only when a module has a distinct scaling, deployment, or team-ownership need.",
|
|
53
|
-
"source": {
|
|
65
|
+
"source": {
|
|
66
|
+
"origin": "best-practice",
|
|
67
|
+
"artifact": null,
|
|
68
|
+
"connector": null
|
|
69
|
+
},
|
|
54
70
|
"evidence": "documented",
|
|
55
71
|
"status": "active",
|
|
56
72
|
"phase_added": "define",
|
|
@@ -78,7 +94,11 @@
|
|
|
78
94
|
"type": "constraint",
|
|
79
95
|
"topic": "SQL vs NoSQL decision criteria",
|
|
80
96
|
"content": "SQL databases provide ACID transactions and are the correct default for structured data with relationships. NoSQL is justified when: (a) schema is truly unpredictable, (b) horizontal write scaling is required, or (c) access patterns are pure key-value.",
|
|
81
|
-
"source": {
|
|
97
|
+
"source": {
|
|
98
|
+
"origin": "best-practice",
|
|
99
|
+
"artifact": null,
|
|
100
|
+
"connector": null
|
|
101
|
+
},
|
|
82
102
|
"evidence": "documented",
|
|
83
103
|
"status": "active",
|
|
84
104
|
"phase_added": "define",
|
|
@@ -106,7 +126,11 @@
|
|
|
106
126
|
"type": "risk",
|
|
107
127
|
"topic": "shared database coupling",
|
|
108
128
|
"content": "Shared databases between services create hidden coupling. Schema changes in one service break others. Each service should own its data store, exposing data only through APIs.",
|
|
109
|
-
"source": {
|
|
129
|
+
"source": {
|
|
130
|
+
"origin": "best-practice",
|
|
131
|
+
"artifact": null,
|
|
132
|
+
"connector": null
|
|
133
|
+
},
|
|
110
134
|
"evidence": "documented",
|
|
111
135
|
"status": "active",
|
|
112
136
|
"phase_added": "define",
|
|
@@ -134,7 +158,11 @@
|
|
|
134
158
|
"type": "constraint",
|
|
135
159
|
"topic": "per-client rate limiting",
|
|
136
160
|
"content": "API gateway rate limiting must be set per client, not globally. Global limits allow a single misbehaving client to consume the entire quota. Use token bucket or sliding window algorithms.",
|
|
137
|
-
"source": {
|
|
161
|
+
"source": {
|
|
162
|
+
"origin": "best-practice",
|
|
163
|
+
"artifact": null,
|
|
164
|
+
"connector": null
|
|
165
|
+
},
|
|
138
166
|
"evidence": "documented",
|
|
139
167
|
"status": "active",
|
|
140
168
|
"phase_added": "define",
|
|
@@ -148,7 +176,11 @@
|
|
|
148
176
|
"type": "recommendation",
|
|
149
177
|
"topic": "circuit breaker pattern",
|
|
150
178
|
"content": "Circuit breakers (open after N failures, half-open after timeout, close after success) prevent cascade failures. Every synchronous cross-service call should have a circuit breaker with configurable thresholds.",
|
|
151
|
-
"source": {
|
|
179
|
+
"source": {
|
|
180
|
+
"origin": "best-practice",
|
|
181
|
+
"artifact": null,
|
|
182
|
+
"connector": null
|
|
183
|
+
},
|
|
152
184
|
"evidence": "documented",
|
|
153
185
|
"status": "active",
|
|
154
186
|
"phase_added": "define",
|
|
@@ -162,7 +194,11 @@
|
|
|
162
194
|
"type": "factual",
|
|
163
195
|
"topic": "p99 latency over average",
|
|
164
196
|
"content": "Latency at the 99th percentile (p99) matters more than average latency for user experience. A system with 50ms average but 2s p99 feels worse than one with 100ms average and 200ms p99.",
|
|
165
|
-
"source": {
|
|
197
|
+
"source": {
|
|
198
|
+
"origin": "best-practice",
|
|
199
|
+
"artifact": null,
|
|
200
|
+
"connector": null
|
|
201
|
+
},
|
|
166
202
|
"evidence": "documented",
|
|
167
203
|
"status": "active",
|
|
168
204
|
"phase_added": "define",
|
package/packs/ci-cd.json
CHANGED
|
@@ -8,7 +8,11 @@
|
|
|
8
8
|
"type": "constraint",
|
|
9
9
|
"topic": "pipeline time budget",
|
|
10
10
|
"content": "CI pipelines should complete in under 10 minutes for the critical path (lint, test, build). Pipelines over 15 minutes measurably reduce PR throughput and encourage developers to batch changes, increasing merge conflict risk. Parallelize test suites and cache dependencies aggressively.",
|
|
11
|
-
"source": {
|
|
11
|
+
"source": {
|
|
12
|
+
"origin": "best-practice",
|
|
13
|
+
"artifact": null,
|
|
14
|
+
"connector": null
|
|
15
|
+
},
|
|
12
16
|
"evidence": "production",
|
|
13
17
|
"status": "active",
|
|
14
18
|
"phase_added": "define",
|
|
@@ -22,7 +26,11 @@
|
|
|
22
26
|
"type": "factual",
|
|
23
27
|
"topic": "blue-green deployment mechanics",
|
|
24
28
|
"content": "Blue-green deployment maintains two identical production environments. Traffic routes to blue (current) while green receives the new version. After green passes health checks, traffic switches via load balancer. Rollback is instant (switch back to blue). Cost: 2x infrastructure during deployment window. Database migrations must be backwards-compatible since both versions share the database.",
|
|
25
|
-
"source": {
|
|
29
|
+
"source": {
|
|
30
|
+
"origin": "best-practice",
|
|
31
|
+
"artifact": null,
|
|
32
|
+
"connector": null
|
|
33
|
+
},
|
|
26
34
|
"evidence": "documented",
|
|
27
35
|
"status": "active",
|
|
28
36
|
"phase_added": "define",
|
|
@@ -36,7 +44,11 @@
|
|
|
36
44
|
"type": "recommendation",
|
|
37
45
|
"topic": "canary deployment percentage",
|
|
38
46
|
"content": "Canary deployments should start at 1-5% of traffic, bake for 10-15 minutes while monitoring error rates and latency, then expand to 25%, 50%, 100% with automated rollback if error rate exceeds 1% above baseline or p99 latency increases by more than 50%. Full rollout should take 30-60 minutes minimum.",
|
|
39
|
-
"source": {
|
|
47
|
+
"source": {
|
|
48
|
+
"origin": "best-practice",
|
|
49
|
+
"artifact": null,
|
|
50
|
+
"connector": null
|
|
51
|
+
},
|
|
40
52
|
"evidence": "production",
|
|
41
53
|
"status": "active",
|
|
42
54
|
"phase_added": "define",
|
|
@@ -50,7 +62,11 @@
|
|
|
50
62
|
"type": "risk",
|
|
51
63
|
"topic": "database migration coupling",
|
|
52
64
|
"content": "Deploying application code and database migrations simultaneously causes failures if the migration is slow or fails mid-deploy. Decouple migrations: deploy migration first (must be backwards-compatible with current code), verify, then deploy application code. Use expand-and-contract pattern for schema changes.",
|
|
53
|
-
"source": {
|
|
65
|
+
"source": {
|
|
66
|
+
"origin": "best-practice",
|
|
67
|
+
"artifact": null,
|
|
68
|
+
"connector": null
|
|
69
|
+
},
|
|
54
70
|
"evidence": "production",
|
|
55
71
|
"status": "active",
|
|
56
72
|
"phase_added": "define",
|
|
@@ -64,7 +80,11 @@
|
|
|
64
80
|
"type": "recommendation",
|
|
65
81
|
"topic": "feature flag lifecycle",
|
|
66
82
|
"content": "Feature flags should have an owner, a creation date, and a planned removal date. Flags older than 90 days without removal should trigger a tech debt alert. Stale feature flags accumulate as dead code paths and make testing combinatorially complex. Use a flag management service (LaunchDarkly, Unleash, or custom) rather than config files.",
|
|
67
|
-
"source": {
|
|
83
|
+
"source": {
|
|
84
|
+
"origin": "best-practice",
|
|
85
|
+
"artifact": null,
|
|
86
|
+
"connector": null
|
|
87
|
+
},
|
|
68
88
|
"evidence": "documented",
|
|
69
89
|
"status": "active",
|
|
70
90
|
"phase_added": "define",
|
|
@@ -78,7 +98,11 @@
|
|
|
78
98
|
"type": "constraint",
|
|
79
99
|
"topic": "immutable build artifacts",
|
|
80
100
|
"content": "Build artifacts must be immutable: the exact same artifact (Docker image, binary, package) that passes CI is the one deployed to staging and production. Never rebuild for different environments. Use environment variables or config injection for environment-specific settings. Tag artifacts with git SHA for traceability.",
|
|
81
|
-
"source": {
|
|
101
|
+
"source": {
|
|
102
|
+
"origin": "best-practice",
|
|
103
|
+
"artifact": null,
|
|
104
|
+
"connector": null
|
|
105
|
+
},
|
|
82
106
|
"evidence": "documented",
|
|
83
107
|
"status": "active",
|
|
84
108
|
"phase_added": "define",
|
|
@@ -92,7 +116,11 @@
|
|
|
92
116
|
"type": "risk",
|
|
93
117
|
"topic": "rollback without data rollback",
|
|
94
118
|
"content": "Code rollbacks do not roll back data. If version N+1 wrote data in a new format, rolling back to version N may leave incompatible data in the database. Design writes to be forward-compatible: version N should tolerate data written by N+1. This constraint makes additive-only schema changes critical.",
|
|
95
|
-
"source": {
|
|
119
|
+
"source": {
|
|
120
|
+
"origin": "best-practice",
|
|
121
|
+
"artifact": null,
|
|
122
|
+
"connector": null
|
|
123
|
+
},
|
|
96
124
|
"evidence": "production",
|
|
97
125
|
"status": "active",
|
|
98
126
|
"phase_added": "define",
|
|
@@ -120,7 +148,11 @@
|
|
|
120
148
|
"type": "recommendation",
|
|
121
149
|
"topic": "trunk-based development",
|
|
122
150
|
"content": "Trunk-based development (short-lived branches merged to main within 1-2 days) correlates with higher DORA metrics than Gitflow. Long-lived feature branches (over 3 days) have exponentially higher merge conflict probability. Use feature flags instead of feature branches for incomplete work.",
|
|
123
|
-
"source": {
|
|
151
|
+
"source": {
|
|
152
|
+
"origin": "best-practice",
|
|
153
|
+
"artifact": null,
|
|
154
|
+
"connector": null
|
|
155
|
+
},
|
|
124
156
|
"evidence": "documented",
|
|
125
157
|
"status": "active",
|
|
126
158
|
"phase_added": "define",
|
|
@@ -134,7 +166,11 @@
|
|
|
134
166
|
"type": "recommendation",
|
|
135
167
|
"topic": "test pyramid enforcement",
|
|
136
168
|
"content": "Enforce the test pyramid in CI: 70% unit tests (fast, isolated), 20% integration tests (database, APIs), 10% end-to-end tests (browser, full stack). Inverted pyramids (heavy E2E, few unit tests) result in slow, flaky pipelines. Quarantine flaky tests immediately rather than retrying them.",
|
|
137
|
-
"source": {
|
|
169
|
+
"source": {
|
|
170
|
+
"origin": "best-practice",
|
|
171
|
+
"artifact": null,
|
|
172
|
+
"connector": null
|
|
173
|
+
},
|
|
138
174
|
"evidence": "documented",
|
|
139
175
|
"status": "active",
|
|
140
176
|
"phase_added": "define",
|
|
@@ -148,7 +184,11 @@
|
|
|
148
184
|
"type": "risk",
|
|
149
185
|
"topic": "secret exposure in CI logs",
|
|
150
186
|
"content": "CI systems frequently leak secrets in build logs through debug output, error messages, or environment variable dumps. Use secret masking features in your CI platform. Never pass secrets as command-line arguments (visible in process listings). Audit CI logs quarterly for accidental secret exposure.",
|
|
151
|
-
"source": {
|
|
187
|
+
"source": {
|
|
188
|
+
"origin": "best-practice",
|
|
189
|
+
"artifact": null,
|
|
190
|
+
"connector": null
|
|
191
|
+
},
|
|
152
192
|
"evidence": "production",
|
|
153
193
|
"status": "active",
|
|
154
194
|
"phase_added": "define",
|
|
@@ -172,4 +212,4 @@
|
|
|
172
212
|
"tags": ["ci-cd", "deploy-frequency", "mttr", "reliability"]
|
|
173
213
|
}
|
|
174
214
|
]
|
|
175
|
-
}
|
|
215
|
+
}
|
package/packs/compliance.json
CHANGED
|
@@ -8,7 +8,11 @@
|
|
|
8
8
|
"type": "constraint",
|
|
9
9
|
"topic": "HIPAA encryption at rest",
|
|
10
10
|
"content": "Protected Health Information (PHI) must be encrypted at rest using AES-256 or equivalent, per HIPAA Security Rule 45 CFR 164.312(a)(2)(iv).",
|
|
11
|
-
"source": {
|
|
11
|
+
"source": {
|
|
12
|
+
"origin": "regulation",
|
|
13
|
+
"artifact": "45 CFR 164.312",
|
|
14
|
+
"connector": null
|
|
15
|
+
},
|
|
12
16
|
"evidence": "documented",
|
|
13
17
|
"status": "active",
|
|
14
18
|
"phase_added": "define",
|
|
@@ -22,7 +26,11 @@
|
|
|
22
26
|
"type": "constraint",
|
|
23
27
|
"topic": "HIPAA encryption in transit",
|
|
24
28
|
"content": "PHI in transit must be encrypted via TLS 1.2 or higher. Unencrypted transmission channels (HTTP, FTP) are prohibited for PHI.",
|
|
25
|
-
"source": {
|
|
29
|
+
"source": {
|
|
30
|
+
"origin": "regulation",
|
|
31
|
+
"artifact": "45 CFR 164.312(e)(1)",
|
|
32
|
+
"connector": null
|
|
33
|
+
},
|
|
26
34
|
"evidence": "documented",
|
|
27
35
|
"status": "active",
|
|
28
36
|
"phase_added": "define",
|
|
@@ -36,7 +44,11 @@
|
|
|
36
44
|
"type": "constraint",
|
|
37
45
|
"topic": "HIPAA business associate agreements",
|
|
38
46
|
"content": "A Business Associate Agreement (BAA) must be signed with every third-party vendor that processes, stores, or transmits PHI, including cloud providers.",
|
|
39
|
-
"source": {
|
|
47
|
+
"source": {
|
|
48
|
+
"origin": "regulation",
|
|
49
|
+
"artifact": "45 CFR 164.502(e)",
|
|
50
|
+
"connector": null
|
|
51
|
+
},
|
|
40
52
|
"evidence": "documented",
|
|
41
53
|
"status": "active",
|
|
42
54
|
"phase_added": "define",
|
|
@@ -50,7 +62,11 @@
|
|
|
50
62
|
"type": "constraint",
|
|
51
63
|
"topic": "HIPAA minimum necessary access",
|
|
52
64
|
"content": "Access to PHI must follow minimum necessary standard — users see only the data required for their role. Role-based access control (RBAC) is the typical implementation.",
|
|
53
|
-
"source": {
|
|
65
|
+
"source": {
|
|
66
|
+
"origin": "regulation",
|
|
67
|
+
"artifact": "45 CFR 164.502(b)",
|
|
68
|
+
"connector": null
|
|
69
|
+
},
|
|
54
70
|
"evidence": "documented",
|
|
55
71
|
"status": "active",
|
|
56
72
|
"phase_added": "define",
|
|
@@ -64,7 +80,11 @@
|
|
|
64
80
|
"type": "constraint",
|
|
65
81
|
"topic": "HIPAA audit log retention",
|
|
66
82
|
"content": "Audit logs of all PHI access events must be retained for a minimum of 6 years. Logs must include user identity, timestamp, and action performed.",
|
|
67
|
-
"source": {
|
|
83
|
+
"source": {
|
|
84
|
+
"origin": "regulation",
|
|
85
|
+
"artifact": "45 CFR 164.312(b)",
|
|
86
|
+
"connector": null
|
|
87
|
+
},
|
|
68
88
|
"evidence": "documented",
|
|
69
89
|
"status": "active",
|
|
70
90
|
"phase_added": "define",
|
|
@@ -78,7 +98,11 @@
|
|
|
78
98
|
"type": "constraint",
|
|
79
99
|
"topic": "SOC 2 Type II observation period",
|
|
80
100
|
"content": "SOC 2 Type II requires demonstrating that security controls operated effectively over a minimum observation period of 6 months (typically 12 months).",
|
|
81
|
-
"source": {
|
|
101
|
+
"source": {
|
|
102
|
+
"origin": "standard",
|
|
103
|
+
"artifact": "AICPA Trust Services Criteria",
|
|
104
|
+
"connector": null
|
|
105
|
+
},
|
|
82
106
|
"evidence": "documented",
|
|
83
107
|
"status": "active",
|
|
84
108
|
"phase_added": "define",
|
|
@@ -92,7 +116,11 @@
|
|
|
92
116
|
"type": "constraint",
|
|
93
117
|
"topic": "SOC 2 change management",
|
|
94
118
|
"content": "Change management controls must track all production changes with approval records, rollback plans, and post-deployment verification.",
|
|
95
|
-
"source": {
|
|
119
|
+
"source": {
|
|
120
|
+
"origin": "standard",
|
|
121
|
+
"artifact": "AICPA CC8.1",
|
|
122
|
+
"connector": null
|
|
123
|
+
},
|
|
96
124
|
"evidence": "documented",
|
|
97
125
|
"status": "active",
|
|
98
126
|
"phase_added": "define",
|
|
@@ -106,7 +134,11 @@
|
|
|
106
134
|
"type": "constraint",
|
|
107
135
|
"topic": "SOC 2 incident response",
|
|
108
136
|
"content": "Incident response plan must define severity levels, escalation paths, communication templates, and post-incident review process. Annual tabletop exercises required.",
|
|
109
|
-
"source": {
|
|
137
|
+
"source": {
|
|
138
|
+
"origin": "standard",
|
|
139
|
+
"artifact": "AICPA CC7.3-CC7.5",
|
|
140
|
+
"connector": null
|
|
141
|
+
},
|
|
110
142
|
"evidence": "documented",
|
|
111
143
|
"status": "active",
|
|
112
144
|
"phase_added": "define",
|
|
@@ -120,7 +152,11 @@
|
|
|
120
152
|
"type": "constraint",
|
|
121
153
|
"topic": "SOC 2 access reviews",
|
|
122
154
|
"content": "Logical access reviews must be performed quarterly. Terminated employee access must be revoked within 24 hours of separation.",
|
|
123
|
-
"source": {
|
|
155
|
+
"source": {
|
|
156
|
+
"origin": "standard",
|
|
157
|
+
"artifact": "AICPA CC6.1-CC6.3",
|
|
158
|
+
"connector": null
|
|
159
|
+
},
|
|
124
160
|
"evidence": "documented",
|
|
125
161
|
"status": "active",
|
|
126
162
|
"phase_added": "define",
|
|
@@ -134,7 +170,11 @@
|
|
|
134
170
|
"type": "constraint",
|
|
135
171
|
"topic": "GDPR cross-border data transfer",
|
|
136
172
|
"content": "Personal data of EU residents cannot be transferred outside the EEA without an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules.",
|
|
137
|
-
"source": {
|
|
173
|
+
"source": {
|
|
174
|
+
"origin": "regulation",
|
|
175
|
+
"artifact": "GDPR Articles 44-49",
|
|
176
|
+
"connector": null
|
|
177
|
+
},
|
|
138
178
|
"evidence": "documented",
|
|
139
179
|
"status": "active",
|
|
140
180
|
"phase_added": "define",
|
|
@@ -148,7 +188,11 @@
|
|
|
148
188
|
"type": "constraint",
|
|
149
189
|
"topic": "GDPR right to erasure",
|
|
150
190
|
"content": "Data subjects have the right to erasure ('right to be forgotten'). Systems must support complete deletion of a user's personal data within 30 days of request.",
|
|
151
|
-
"source": {
|
|
191
|
+
"source": {
|
|
192
|
+
"origin": "regulation",
|
|
193
|
+
"artifact": "GDPR Article 17",
|
|
194
|
+
"connector": null
|
|
195
|
+
},
|
|
152
196
|
"evidence": "documented",
|
|
153
197
|
"status": "active",
|
|
154
198
|
"phase_added": "define",
|
|
@@ -162,7 +206,11 @@
|
|
|
162
206
|
"type": "constraint",
|
|
163
207
|
"topic": "GDPR breach notification",
|
|
164
208
|
"content": "Data breaches affecting personal data must be reported to the supervisory authority within 72 hours of discovery. Affected individuals must be notified without undue delay if risk is high.",
|
|
165
|
-
"source": {
|
|
209
|
+
"source": {
|
|
210
|
+
"origin": "regulation",
|
|
211
|
+
"artifact": "GDPR Articles 33-34",
|
|
212
|
+
"connector": null
|
|
213
|
+
},
|
|
166
214
|
"evidence": "documented",
|
|
167
215
|
"status": "active",
|
|
168
216
|
"phase_added": "define",
|
|
@@ -176,7 +224,11 @@
|
|
|
176
224
|
"type": "constraint",
|
|
177
225
|
"topic": "GDPR lawful basis for processing",
|
|
178
226
|
"content": "Processing personal data requires a lawful basis (consent, contract, legal obligation, vital interest, public task, or legitimate interest). Consent must be freely given, specific, and withdrawable.",
|
|
179
|
-
"source": {
|
|
227
|
+
"source": {
|
|
228
|
+
"origin": "regulation",
|
|
229
|
+
"artifact": "GDPR Article 6",
|
|
230
|
+
"connector": null
|
|
231
|
+
},
|
|
180
232
|
"evidence": "documented",
|
|
181
233
|
"status": "active",
|
|
182
234
|
"phase_added": "define",
|
|
@@ -190,7 +242,11 @@
|
|
|
190
242
|
"type": "constraint",
|
|
191
243
|
"topic": "GDPR data protection impact assessment",
|
|
192
244
|
"content": "A Data Protection Impact Assessment (DPIA) is mandatory before processing that is likely to result in high risk to individuals, including large-scale profiling or systematic monitoring.",
|
|
193
|
-
"source": {
|
|
245
|
+
"source": {
|
|
246
|
+
"origin": "regulation",
|
|
247
|
+
"artifact": "GDPR Article 35",
|
|
248
|
+
"connector": null
|
|
249
|
+
},
|
|
194
250
|
"evidence": "documented",
|
|
195
251
|
"status": "active",
|
|
196
252
|
"phase_added": "define",
|