ai-flow-dev 2.1.9 → 2.2.1

package/prompts/mobile/flow-build-phase-4.md

@@ -1,372 +1,553 @@
-# Phase 4: Permissions & Native Features
+## PHASE 4: Security & Authentication (15-20 min)
 
-**Duration:** 15-20 minutes
-**Questions:** ~10 questions
-**Output:** docs/permissions.md, docs/native-features.md, parts of ai-instructions.md
----
-## 🎯 Objective
+> **Order for this phase:** 4.1 → 4.2 → 4.3 → 4.4 → 4.5 → 4.6 → 4.7 → 4.8 → 4.9 → 4.10 → 4.11
 
-Define what **native features and permissions** your app will use:
+> **📌 Scope-based behavior:**
+>
+> - **MVP:** Ask 4.1-4.5 only (auth basics + CORS), skip 4.6-4.11 (advanced security), mark as "TBD"
+> - **Production-Ready:** Ask 4.1-4.8 and 4.11, skip or simplify 4.9 (compliance) and 4.10 (audit logging)
+> - **Enterprise:** Ask all questions 4.1-4.11 with emphasis on compliance and audit trails
 
-1. What permissions will you request?
-2. What native features will you integrate?
-3. How will you handle permission requests?
-4. What third-party SDKs will you use?
----
-## 📋 Questions
+### Objective
 
-### Question 4.1: Camera Permission
+Define security policies, authentication, authorization, and compliance requirements.
 
-**Will your app use the camera?**
+---
 
-A) ⭐ **Yes - Photo Capture**
+## 🔍 Pre-Flight Check (Smart Skip Logic)
 
-- Take photos within app
-- Requires: Camera permission
-- Best for: Social apps, productivity apps
+> 📎 **Reference:** See [prompts/shared/smart-skip-preflight.md](../shared/smart-skip-preflight.md) for the complete smart skip logic.
 
-B) **Yes - Video Recording**
+**Execute Pre-Flight Check for Phase 4:**
 
-- Record videos
-- Requires: Camera + Microphone permissions
-- Best for: Video apps, social media
+- **Target File**: `specs/security.md`
+- **Phase Name**: "SECURITY & AUTHENTICATION"
+- **Key Items**: Auth strategy, encryption, security patterns, compliance
+- **Typical Gaps**: Compliance requirements, audit logging, security policies
 
-C) **Yes - QR Code Scanning**
+**Proceed with appropriate scenario based on audit data from `.ai-flow/cache/audit-data.json`**
 
-- Scan QR codes
-- Requires: Camera permission
-- Best for: Payment apps, utilities
+---
 
-D) **No Camera Access**
+## Phase 4 Questions (Full Mode)
 
-- No camera features
-- Best for: Most apps
+**4.1 Authentication Method**
 
-**Your answer:**
-
-**If camera selected, ask:**
-
-- What library will you use?
-  - React Native: react-native-camera, react-native-vision-camera
-  - Flutter: camera, image_picker
-  - Native: AVFoundation (iOS), Camera2 (Android)
----
-### Question 4.2: Location Permission
-
-**Will your app use location services?**
-
-A) ⭐ **Yes - When In Use** (Recommended)
-
-- Location only when app is active
-- Requires: Location When In Use permission
-- Best for: Most location-based apps
-
-B) **Yes - Always**
+```
+How will users authenticate?
 
-- Location even when app is backgrounded
-- Requires: Always permission (harder to get approved)
-- Best for: Navigation, fitness tracking
+A) ⭐ JWT (JSON Web Tokens) - Recommended for APIs
 
-C) **Yes - Approximate Location**
+- Stateless, scalable
+- Access + Refresh token pattern
 
-- Approximate location only (less privacy-invasive)
-- Best for: Location-based content
+B) 🔥 Session-based - Traditional web apps
 
-D) **No Location Access**
+- Server-side sessions
+- Cookie-based
 
-- No location features
-- Best for: Most apps
+C) ⚡ OAuth 2.0 / OpenID Connect - External providers
 
-**Your answer:**
+- "Sign in with Google/GitHub/etc."
+- Delegated authentication
 
-**If location selected, ask:**
+D) 🏆 Multi-factor (MFA) - Enterprise security
 
-- What library will you use?
-  - React Native: @react-native-community/geolocation, react-native-maps
-  - Flutter: geolocator, google_maps_flutter
-  - Native: CoreLocation (iOS), Location Services (Android)
----
-### Question 4.3: Push Notifications
+- OTP, SMS, authenticator app
+- Required or optional?
 
-**Will your app send push notifications?**
+E) API Keys - Service-to-service
 
-A) ⭐ **Yes - User Notifications** (Recommended)
+- Simple, stateless
+- Limited use cases
 
-- Notify users of important events
-- Requires: Notification permission
-- Best for: Most apps
+Your choice: __
+Why?
+```
 
-B) **Yes - Background Notifications**
+**4.2 JWT Configuration (if using JWT)**
 
-- Notify even when app is closed
-- Requires: Background modes
-- Best for: Real-time apps
+```
+JWT token configuration:
+
+Access Token:
+- Lifetime: __ (recommended: 15min - 1hour)
+- Algorithm: __ (recommended: RS256 or HS256)
+
+Refresh Token:
+- Lifetime: __ (recommended: 7-30 days)
+- Storage: [httpOnly cookie / localStorage / database]
+- Rotation strategy: [rotate on use / rotate periodically / no rotation]
+
+Token claims to include:
+- userId ✅
+- email ✅
+- roles ✅
+- Custom: __
+```
 
-C) **No Push Notifications**
+**4.3 Authorization Model**
 
-- No notifications
-- Best for: Simple apps, privacy-focused apps
+```
+How will you manage permissions?
 
-**Your answer:**
+A) ⭐ Role-Based Access Control (RBAC)
+- Users have roles (admin, user, moderator, etc.)
+- Roles have permissions
+- Simple and common
 
-**If notifications selected, ask:**
+B) 🏆 Attribute-Based Access Control (ABAC)
+- Fine-grained based on attributes
+- Complex rules
+- Enterprise use cases
 
-- What service will you use?
-  - Firebase Cloud Messaging (FCM)
-  - OneSignal
-  - Pusher
-  - Custom backend
----
-### Question 4.4: Photo Library Access
+C) 🔒 Resource-based (Ownership)
+- Users can only access their own resources
+- Simple projects
 
-**Will your app access the photo library?**
+D) 🌐 Multi-tenant with role hierarchy
+- Organization → Teams → Users
+- Complex enterprise systems
 
-A) ⭐ **Yes - Read Only**
+Your choice: __
 
-- Select photos from library
-- Requires: Photo Library Read permission
-- Best for: Most apps that need photos
+List the roles you'll need:
+-
+-
 
-B) **Yes - Read & Write**
+List key permissions:
+-
+-
+```
 
-- Save photos to library
-- Requires: Photo Library Write permission
-- Best for: Photo editing apps
+**4.4 Password Policy**
 
-C) **No Photo Library Access**
+```
+Password requirements:
+
+A) ⭐ Recommended Policy
+- Minimum 8 characters
+- At least 1 uppercase, 1 lowercase, 1 number
+- Special characters encouraged but not required
+- No maximum length limit
+- Hash with bcrypt (12 rounds) or argon2
+
+B) 🏆 Strong Policy (Enterprise)
+- Minimum 12 characters
+- Uppercase, lowercase, number, special char required
+- Password expiration every 90 days
+- Password history (can't reuse last 5)
+
+C) 🔓 Simple Policy
+- Minimum 6 characters
+- No complexity requirements
+- Good for low-risk apps
+
+Your choice: __
+
+Hashing algorithm:
+A) ⭐ bcrypt (rounds: 10-12) - Recommended
+B) argon2 - More secure, newer
+C) scrypt - Good alternative
+```
 
-- No photo library features
-- Best for: Apps that don't need photos
+**4.5 Rate Limiting**
 
-**Your answer:**
----
-### Question 4.5: Contacts Access
+```
+Will you implement rate limiting?
 
-**Will your app access contacts?**
+A) ⭐ Yes - Recommended for all public APIs
 
-A) ⭐ **Yes - Read Contacts**
+Rate limits by endpoint type:
+- Authentication endpoints: ** requests per ** (e.g., 5 per 15 min)
+- Public read endpoints: ** requests per ** (e.g., 100 per minute)
+- Write endpoints: ** requests per ** (e.g., 30 per minute)
+- Admin endpoints: ** requests per ** (e.g., 1000 per minute)
 
-- Import contacts
-- Requires: Contacts Read permission
-- Best for: Social apps, messaging apps
+Rate limiting strategy:
+A) IP-based
+B) User/API key-based
+C) Both
 
-B) **Yes - Read & Write**
+Tool:
+A) express-rate-limit / @nestjs/throttler
+B) Redis-based rate limiting
+C) API Gateway (AWS, Kong, etc.)
+```
 
-- Add contacts
-- Requires: Contacts Write permission
-- Best for: Contact management apps
+**4.6 CORS Policy**
 
-C) **No Contacts Access**
+```
+CORS (Cross-Origin Resource Sharing) configuration:
 
-- No contact features
-- Best for: Most apps
+Allowed origins:
+A) ⭐ Specific domains - https://myapp.com, https://admin.myapp.com
+B) 🔧 Development only - localhost:3000, localhost:5173
+C) ⚠️ Wildcard (*) - Allow all (NOT recommended for production)
 
-**Your answer:**
----
-### Question 4.6: Biometric Authentication
+Your allowed origins:
+-
 
-**Will your app use biometric authentication?**
+Allowed methods: [GET, POST, PUT, PATCH, DELETE, OPTIONS]
+Credentials: [true/false] - Allow cookies/auth headers
+Max age: __ seconds (cache preflight)
+```
 
-A) ⭐ **Yes - Face ID / Touch ID / Fingerprint** (Recommended)
+**4.7 Data Encryption**
 
-- Secure authentication
-- Requires: Face ID / Touch ID permission
-- Best for: Secure apps, banking apps
+```
+Encryption requirements:
+
+In Transit (HTTPS/TLS):
+A) ✅ Yes, always - TLS 1.2+ required ⭐
+B) Development only HTTP, production HTTPS
+C) Optional
+
+At Rest (Database/Files):
+A) ⭐ Yes, encrypt sensitive fields - PII, payment info, secrets
+B) 🏆 Yes, full database encryption - Enterprise requirement
+C) No encryption - Low-risk data only
+
+Fields to encrypt:
+-
+-
+
+Encryption method:
+A) AES-256-GCM (symmetric)
+B) Database-level encryption
+C) Application-level encryption
+```
 
-B) **No Biometric Auth**
+**4.8 Security Headers**
 
-- Traditional password/PIN only
-- Best for: Simple apps
+```
+Which security headers will you implement?
 
-**Your answer:**
+A) ✅ All recommended headers (use helmet.js or equivalent)
+- Content-Security-Policy
+- X-Frame-Options: DENY
+- X-Content-Type-Options: nosniff
+- Strict-Transport-Security (HSTS)
+- X-XSS-Protection
 
-**If biometric selected, ask:**
+B) Basic headers only
+C) None (not recommended)
+```
 
-- What library will you use?
-  - React Native: react-native-biometrics, react-native-touch-id
-  - Flutter: local_auth
-  - Native: LocalAuthentication (iOS), BiometricPrompt (Android)
----
-### Question 4.7: File System Access
+**4.9 Compliance Requirements**
 
-**Will your app access the file system?**
+```
+Does your project need to comply with specific regulations or standards?
+
+Some projects must follow legal requirements or industry standards. If you're not sure, you can select "None" and add compliance requirements later.
+
+Select all that apply:
+
+A) 🌍 GDPR (General Data Protection Regulation)
+   What it is: EU data privacy regulation
+   When it applies: If you process personal data of users in the European Union
+   What it means: Users have rights to access, delete, and export their data
+   Key requirements:
+   - Right to access data (users can request their data)
+   - Right to deletion (users can request data removal)
+   - Data portability (users can export their data)
+   - Consent management (explicit consent for data processing)
+   Example: "We serve users in Germany, so we need GDPR compliance"
+
+B) 🏥 HIPAA (Health Insurance Portability and Accountability Act)
+   What it is: US healthcare data protection law
+   When it applies: If you handle Protected Health Information (PHI) - medical records, health data
+   What it means: Strict rules for protecting patient health information
+   Key requirements:
+   - PHI protection (encryption, access controls)
+   - Audit logs (track who accessed what health data)
+   - Encryption requirements (data must be encrypted)
+   Example: "We're building a telemedicine platform that stores patient records"
+
+C) 💳 PCI-DSS (Payment Card Industry Data Security Standard)
+   What it is: Security standard for credit card processing
+   When it applies: If you process, store, or transmit credit card information
+   What it means: Strict security rules to protect cardholder data
+   Key requirements:
+   - Never store CVV (security code on card)
+   - Tokenize card numbers (use tokens instead of real numbers)
+   - Secure transmission (encrypted connections required)
+   Example: "We process credit card payments directly (not using Stripe/PayPal)"
+
+D) 🏢 SOC 2 (System and Organization Controls 2)
+   What it is: Security and compliance standard for SaaS companies
+   When it applies: If you're selling B2B SaaS and need to prove security to enterprise customers
+   What it means: Documented security controls and processes
+   Key requirements:
+   - Security controls (documented security measures)
+   - Audit trails (logs of all security-relevant actions)
+   - Access controls (who can access what)
+   Example: "We're selling to Fortune 500 companies who require SOC 2 certification"
+
+E) 🇺🇸 CCPA (California Consumer Privacy Act)
+   What it is: California state privacy law
+   When it applies: If you have California users and meet certain thresholds (revenue/users)
+   What it means: California users have privacy rights
+   Key requirements:
+   - Right to know what data is collected
+   - Right to delete data
+   - Right to opt-out of data sales
+   Example: "We have users in California and meet the revenue threshold"
+
+F) None - No specific compliance requirements
+   Select this if you're not sure or don't need compliance yet
+
+Selected: __
+
+For each selected, list specific requirements that apply to your project:
+
+Example for GDPR:
+- Must allow users to download all their data in JSON format
+- Must completely delete user data when requested (not just soft delete)
+- Need cookie consent banner for EU users
+- Privacy policy must be accessible and up-to-date
+
+Example for SOC 2:
+- Need 90-day audit log retention
+- Quarterly access control reviews required
+- Security incident response procedures documented
+- Continuous monitoring of administrative actions
+```
 
-A) ⭐ **Yes - Document Picker**
+**4.10 Logging & Audit Trail**
 
-- Let users select files
-- Requires: File access permission
-- Best for: Document apps, file managers
+```
+What security events will you log?
 
-B) **Yes - File Storage**
+A) ✅ Authentication events
+- Login success/failure
+- Password changes
+- Account creation
 
-- Save files to device
-- Requires: Storage permission
-- Best for: File management apps
+B) ✅ Authorization events
+- Permission denied
+- Role changes
 
-C) **No File System Access**
+C) ✅ Data access
+- Sensitive data views
+- Exports/downloads
 
-- No file features
-- Best for: Most apps
+D) ✅ Data modifications
+- Create/Update/Delete operations
+- Who, what, when
 
-**Your answer:**
----
-### Question 4.8: Microphone Access
+Log retention: __ days (recommended: 90+ days)
+Log storage: [Database / File system / External service (CloudWatch, Datadog)]
+```
 
-**Will your app use the microphone?**
+**4.11 API Keys Management**
 
-A) ⭐ **Yes - Audio Recording**
+```
+Will you use API keys for service-to-service authentication?
+
+A) ⭐ Yes - API keys for programmatic access
+B) No - JWT/Sessions only
+
+If yes:
+- Key format: [Prefix + random string, UUID, etc.]
+- Key length: __ characters
+- Storage: [Hashed in database, Plain text (not recommended)]
+- Hashing algorithm: [bcrypt, SHA-256, etc.]
+
+Key rotation:
+A) ⭐ Manual rotation - Rotate on demand
+B) Automatic rotation - Rotate every __ days
+C) No rotation
+
+Key revocation:
+- Process: __
+- Reasons: [Compromised, Expired, User request, Security incident]
+
+Rate limiting by API key tier:
+- Free tier: __ requests per __
+- Paid tier: __ requests per __
+- Enterprise: __ requests per __
+```
 
-- Record audio
-- Requires: Microphone permission
-- Best for: Voice notes, recording apps
+**4.12 Dependency Security**
 
-B) **Yes - Voice Calls**
+```
+How will you manage dependency security?
+
+A) ⭐ Automated scanning - Regular security audits (npm audit, Snyk, Dependabot)
+B) Manual scanning - Check vulnerabilities manually
+C) No scanning - Not recommended
+
+Scanning frequency:
+A) ⭐ On every install/update
+B) Daily automated scans
+C) Weekly scans
+D) Monthly scans
+
+Vulnerability response:
+- Critical: Fix within __ hours
+- High: Fix within __ days
+- Medium: Fix within __ days
+- Low: Fix in next release
+
+Tools:
+- Dependency scanner: __
+- Security alerts: [GitHub Dependabot, Snyk, npm audit, etc.]
+```
 
-- Make voice/video calls
-- Requires: Microphone permission
-- Best for: Communication apps
+**4.13 Input Validation & Sanitization**
 
-C) **No Microphone Access**
+```
+Input validation strategy:
 
-- No audio recording
-- Best for: Most apps
+A) ⭐ Strict validation with DTOs/Schemas (Recommended)
+   - Use validation library: [class-validator/Zod/Pydantic/Joi from Phase 3.6]
+   - Reject unknown fields: [yes/no]
+   - Type coercion: [strict/lenient]
 
-**Your answer:**
----
-### Question 4.9: Third-Party SDKs
+B) Manual validation in services
+   - Custom validation logic
+   - More flexible but error-prone
 
-**What third-party SDKs will you integrate?**
+Sanitization rules:
 
-**Analytics:**
+A) ✅ Sanitize all string inputs (XSS prevention)
+   - Strip HTML tags: [yes/no]
+   - Escape special characters: [yes/no]
+   - Library: [DOMPurify/validator.js/bleach]
 
-- A) Firebase Analytics
-- B) Mixpanel
-- C) Amplitude
-- D) None
+B) ✅ SQL Injection prevention
+   - Use parameterized queries (ORM handles this automatically)
+   - Never concatenate user input in queries
 
-**Crash Reporting:**
+Request size limits:
 
-- A) Firebase Crashlytics
-- B) Sentry
-- C) Bugsnag
-- D) None
+- Max JSON body size: __ MB (recommended: 1-10 MB)
+- Max file upload size: __ MB (recommended: 10-50 MB)
+- Max URL length: __ characters (recommended: 2048)
 
-**Authentication:**
+File upload validation (if applicable from Phase 3.9):
 
-- A) Firebase Auth
-- B) Auth0
-- C) AWS Cognito
-- D) Custom backend
+- Allowed file types: [jpg, png, pdf, etc.]
+- MIME type validation: [yes/no - verify actual content matches extension]
+- File content validation: [yes/no - check file headers]
+- Virus scanning: [yes/no - ClamAV, VirusTotal API]
+- Filename sanitization: [yes/no - remove special characters, limit length]
 
-**Maps:**
+Content-Type enforcement:
 
-- A) Google Maps
-- B) Mapbox
-- C) Apple Maps (iOS only)
-- D) None
+A) ⭐ Strict - Reject if Content-Type doesn't match body (recommended)
+B) Lenient - Accept common mismatches (application/json vs text/plain)
+C) No validation
 
-**Payments:**
+Validation approach:
 
-- A) Stripe
-- B) PayPal
-- C) Apple Pay / Google Pay
-- D) None
+A) ⭐ Whitelist - Only allow known good inputs (recommended)
+   - Define allowed values explicitly
+   - Reject everything else
 
-**Social Login:**
+B) Blacklist - Block known bad inputs (not recommended)
+   - Easy to bypass
+   - Incomplete protection
 
-- A) Firebase Auth (Google, Facebook, Apple)
-- B) Auth0 Social Connections
-- C) Custom OAuth
-- D) None
+Special character handling:
 
-**Your answer:** (Select all that apply)
----
-### Question 4.10: Permission Request Strategy
+- Allow special characters in: [names, descriptions, etc.]
+- Escape/encode for: [HTML output, SQL queries, shell commands]
+- Reject in: [IDs, slugs, filenames]
+```
 
-**How will you request permissions?**
+### Phase 4 Output
 
-A) ⭐ **Just-In-Time** (Recommended)
+```
+📋 PHASE 4 SUMMARY:
+
+Authentication: [method]
+JWT Config: [if applicable - access/refresh token lifetimes, algorithm, storage]
+Authorization: [RBAC/ABAC/etc.]
+Roles: [list]
+Permissions: [key permissions defined]
+Password Policy: [requirements and hashing algorithm]
+Rate Limiting: [yes/no + limits by endpoint type]
+CORS: [origins, methods, credentials, max-age]
+Encryption: [in-transit + at-rest + fields to encrypt]
+Security Headers: [list]
+Compliance: [requirements with specific controls]
+Audit Logging: [events logged + retention + storage]
+API Keys Management: [yes/no + format + rotation + revocation + rate limiting]
+Dependency Security: [scanning tool + frequency + vulnerability response]
+Input Validation: [strategy + sanitization rules + size limits + file upload validation + whitelist/blacklist approach]
+
+Is this correct? (Yes/No)
+```
+---
+### 📄 Generate Phase 4 Documents
 
-- Request when feature is needed
-- Explain why permission is needed
-- Best for: Better user experience
+**Before starting generation:**
 
-B) **On First Launch**
+```
+📖 Loading context from previous phases...
+✅ Re-reading project-brief.md
+✅ Re-reading docs/data-model.md
+✅ Re-reading docs/architecture.md
+✅ Re-reading ai-instructions.md
+```
 
-- Request all permissions upfront
-- Less ideal (can overwhelm users)
-- Best for: Apps that need all permissions
+**Generate documents automatically:**
 
-C) **Progressive**
+**1. `specs/security.md`**
 
-- Request permissions as features are discovered
-- Best for: Apps with optional features
+- Use template: `.ai-flow/templates/specs/security.template.md`
+- Fill with all security policies, authentication, authorization
+- Write to: `specs/security.md`
 
-**Your answer:**
----
-### Question 4.11: Permission Denial Handling
+**2. Update `ai-instructions.md`**
 
-**How will you handle denied permissions?**
+- Add security rules to NEVER/ALWAYS sections
+- Add authentication/authorization patterns
 
-A) ⭐ **Graceful Degradation** (Recommended)
+```
+✅ Generated: specs/security.md
+✅ Updated: ai-instructions.md (security rules added)
 
-- App works without permission
-- Show alternative options
-- Best for: Better UX
+Documents have been created with all Phase 4 information.
 
-B) **Show Settings Prompt**
+📝 Would you like to make any corrections before continuing?
 
-- Guide user to enable in settings
-- Best for: Critical permissions
+→ If yes: Edit the files and type "ready" when done. I'll re-read them.
+→ If no: Type "continue" to proceed to Phase 5.
+```
 
-C) **Block Feature**
+**If user edits files:**
+Re-read files to refresh context before continuing.
+---
+**Proceed to Phase 5 only after documents are validated.**
 
-- Feature unavailable if permission denied
-- Best for: Core features
+> ⚠️ **CRITICAL:** DO NOT generate README.md in this phase. README.md is ONLY generated in Phase 8 (step 8.5) after framework initialization.
+---
+---
 
-**Your answer:**
----
-## ✅ Phase 4 Completion
+---
 
-After answering all questions, summarize:
+## 📝 Generated Documents
 
-```
----
-✅ Phase 4 Complete: Permissions & Native Features
----
-Selected Permissions:
-- Camera: Photo capture (react-native-vision-camera)
-- Location: When in use (@react-native-community/geolocation)
-- Push Notifications: Yes (Firebase Cloud Messaging)
-- Photo Library: Read only
-- Biometric Auth: Face ID / Touch ID
+After Phase 4, generate/update:
+- `specs/security.md` - Security policies and authentication details
 
-Third-Party SDKs:
-- Analytics: Firebase Analytics
-- Crash Reporting: Firebase Crashlytics
-- Maps: Google Maps
-- Authentication: Firebase Auth
+---
 
-Permission Strategy: Just-In-Time requests with graceful degradation
+**Next Phase:** Phase 5 - Development Standards (15-20 min)
 
-Proceed to Phase 5 (Code Standards)? (Y/n)
-```
----
-## 📝 Generated Documents
+Read: `.ai-flow/prompts/backend/flow-build-phase-5.md`
 
-After Phase 4, generate/update:
+---
 
-- `docs/permissions.md` - Permission handling guide
-- `docs/native-features.md` - Native features integration guide
-- `ai-instructions.md` - Add permission and native feature rules
----
-**Next Phase:** Phase 5 - Code Standards
+**Last Updated:** 2025-12-20
+**Version:** 2.1.8
 
-Read: `.ai-flow/prompts/mobile/flow-build-phase-5-standards.md`
----
-**Last Updated:** 2025-01-XX
+---
 
-**Version:** 1.4.0
+## PHASE 5: Development Standards (15-20 min)