front-end-dev-standards 1.0.0 → 1.1.0

package/standards//360/237/224/220 security.md"

@@ -0,0 +1,432 @@
+# Security Standards
+
+Version: 1.0
+Applies To: All Frontend Applications
+Compliance: OWASP Top 10, Secure SDLC
+
+---
+
+# 1. Security Principles
+
+## Core Principles
+
+1. Secure by Default
+2. Least Privilege
+3. Defense in Depth
+4. Zero Trust
+5. Fail Securely
+6. Never Trust User Input
+7. Protect Sensitive Data
+8. Security is Everyone's Responsibility
+
+---
+
+# 2. Secrets Management
+
+## Never Commit
+
+❌ API Keys
+
+❌ JWT Tokens
+
+❌ Client Secrets
+
+❌ Database Credentials
+
+❌ Encryption Keys
+
+❌ Private Certificates
+
+Example:
+
+```typescript
+const API_KEY = 'secret';
+```
+
+Forbidden.
+
+---
+
+## Allowed
+
+```typescript
+export const environment = {
+  apiBaseUrl: '',
+};
+```
+
+Secrets must come from:
+
+* CI/CD Variables
+* Secret Manager
+* Vault
+* Environment Injection
+
+---
+
+# 3. Authentication Standards
+
+## Requirements
+
+All authenticated requests must:
+
+* Use HTTPS
+* Use Secure Tokens
+* Expire Sessions
+* Support Logout
+
+---
+
+## Token Storage
+
+Preferred:
+
+```text
+HttpOnly Secure Cookies
+```
+
+Avoid:
+
+```typescript
+localStorage
+sessionStorage
+```
+
+for sensitive tokens.
+
+---
+
+# 4. Authorization Standards
+
+Never trust UI permissions.
+
+Bad:
+
+```typescript
+if (user.isAdmin) {
+  deleteEmployee();
+}
+```
+
+Server must validate authorization.
+
+Frontend permissions are UX only.
+
+---
+
+# 5. Input Validation
+
+Treat all input as untrusted.
+
+Validate:
+
+* Forms
+* Query Params
+* Route Params
+* API Responses
+* File Uploads
+
+Example:
+
+```typescript
+if (!employeeId) {
+  return;
+}
+```
+
+---
+
+# 6. XSS Prevention
+
+## Never
+
+```typescript
+element.innerHTML = value;
+```
+
+```typescript
+document.write(value);
+```
+
+---
+
+## Avoid
+
+```typescript
+bypassSecurityTrustHtml()
+```
+
+Requires security review.
+
+---
+
+## Use
+
+Angular template binding:
+
+```html
+{{ employeeName }}
+```
+
+Angular automatically sanitizes output.
+
+---
+
+# 7. CSRF Protection
+
+All state-changing requests must support:
+
+* CSRF Tokens
+* SameSite Cookies
+* Backend Validation
+
+---
+
+# 8. API Security
+
+All APIs must:
+
+* Use HTTPS
+* Validate Authentication
+* Validate Authorization
+* Rate Limit Sensitive Endpoints
+
+Never expose internal API URLs.
+
+---
+
+# 9. File Upload Security
+
+Validate:
+
+* File Type
+* File Extension
+* File Size
+
+Example:
+
+```typescript
+const allowedTypes = [
+  'image/png',
+  'image/jpeg',
+];
+```
+
+Reject executable files.
+
+---
+
+# 10. Dependency Security
+
+Run regularly:
+
+```bash
+npm audit
+```
+
+```bash
+npm outdated
+```
+
+Critical vulnerabilities must be fixed immediately.
+
+---
+
+# 11. Third Party Libraries
+
+Before adding:
+
+✓ Active Maintenance
+
+✓ Security Review
+
+✓ License Review
+
+✓ Community Adoption
+
+Avoid abandoned packages.
+
+---
+
+# 12. Logging Security
+
+Never log:
+
+* Passwords
+* Tokens
+* SSNs
+* Personal Data
+
+Forbidden:
+
+```typescript
+console.log(user.password);
+```
+
+---
+
+# 13. Sensitive Data Protection
+
+Sensitive data includes:
+
+* Personal Information
+* Payroll Data
+* Banking Details
+* Tax Information
+
+Never store sensitive data unnecessarily.
+
+---
+
+# 14. Browser Storage Rules
+
+Allowed:
+
+```typescript
+theme
+language
+uiPreferences
+```
+
+Avoid:
+
+```typescript
+tokens
+passwords
+salaryData
+```
+
+---
+
+# 15. Security Headers
+
+Backend should enable:
+
+* CSP
+* HSTS
+* X-Frame-Options
+* X-Content-Type-Options
+* Referrer-Policy
+
+Frontend must be compatible.
+
+---
+
+# 16. Route Security
+
+Protected routes require:
+
+```typescript
+canActivate: [authGuard]
+```
+
+Never rely on hidden menu items.
+
+---
+
+# 17. Error Handling
+
+Never expose:
+
+```typescript
+stackTrace
+databaseError
+sqlError
+```
+
+Users should see:
+
+```typescript
+'Something went wrong.'
+```
+
+Detailed errors go to logs.
+
+---
+
+# 18. Secure Coding Rules
+
+Never use:
+
+```typescript
+eval()
+```
+
+```typescript
+new Function()
+```
+
+```typescript
+setTimeout(string)
+```
+
+---
+
+# 19. CI/CD Security Gates
+
+Pull Requests must pass:
+
+✓ Lint
+
+✓ Tests
+
+✓ Security Scan
+
+✓ Dependency Audit
+
+✓ Code Review
+
+---
+
+# 20. AI Generated Code Security
+
+AI-generated code must not:
+
+✗ Hardcode Secrets
+
+✗ Disable Security Checks
+
+✗ Bypass Sanitization
+
+✗ Store Tokens in Local Storage
+
+✗ Use Unsafe DOM Manipulation
+
+---
+
+# 21. Security Review Checklist
+
+Before Release:
+
+□ No secrets committed
+
+□ HTTPS only
+
+□ Auth validated
+
+□ Permissions validated
+
+□ Inputs validated
+
+□ XSS reviewed
+
+□ Dependencies scanned
+
+□ Error messages sanitized
+
+□ Logs reviewed
+
+□ Security testing completed
+
+---
+
+# 22. Security Incident Response
+
+When vulnerability is discovered:
+
+1. Assess severity
+2. Notify engineering lead
+3. Patch immediately
+4. Verify fix
+5. Document incident
+6. Conduct postmortem

package/standards//360/237/232/200 ci-cd.md"

@@ -0,0 +1,134 @@
+# CI/CD Standards
+
+Version: 1.0
+Goal: Reliable, Automated, Secure Delivery Pipeline
+
+---
+
+# 1. Pipeline Principles
+
+1. Every Commit is Verifiable
+2. No Manual Deployments
+3. Quality Gates Must Pass
+4. Fail Fast
+5. Secure by Default
+
+---
+
+# 2. Branch Strategy
+
+```text
+main → production
+develop → integration
+feature/* → development
+hotfix/* → urgent fixes
+```
+
+---
+
+# 3. Pipeline Stages
+
+```text
+Lint → Test → Build → Security Scan → Deploy
+```
+
+---
+
+# 4. Quality Gates
+
+Required before merge:
+
+✓ Lint passed
+✓ Unit tests passed
+✓ Integration tests passed
+✓ Coverage threshold met
+
+---
+
+# 5. Build Standards
+
+* Production build must be optimized
+* Source maps disabled in production
+* Environment-specific builds required
+
+---
+
+# 6. Deployment Strategy
+
+Supported:
+
+✓ Blue-Green Deployment
+✓ Rolling Deployment
+
+Avoid:
+
+❌ Manual FTP deployments
+
+---
+
+# 7. Environment Strategy
+
+| Environment | Purpose        |
+| ----------- | -------------- |
+| Dev         | Development    |
+| QA          | Testing        |
+| Staging     | Pre-production |
+| Prod        | Live           |
+
+---
+
+# 8. Secrets Management
+
+Never store secrets in:
+
+❌ Code
+❌ Git
+
+Use:
+
+✓ CI secrets vault
+✓ Environment variables
+
+---
+
+# 9. Rollback Strategy
+
+Every deployment must support rollback.
+
+---
+
+# 10. Security Scanning
+
+Must include:
+
+✓ Dependency scan
+✓ SAST scan
+✓ Vulnerability checks
+
+---
+
+# 11. Performance Checks
+
+Build must verify:
+
+* Bundle size limits
+* Lighthouse score thresholds
+
+---
+
+# 12. Approval Rules
+
+Production deploy requires:
+
+✓ At least 1 reviewer
+✓ Successful pipeline
+
+---
+
+# 13. AI Pipeline Rules
+
+AI-generated code must pass:
+
+✓ Tests
+✓ Lint
+✓ Security scan

package/standards//360/237/244/226 ai-development.md"

@@ -0,0 +1,142 @@
+# AI Development Standards
+
+Version: 1.0
+Goal: Safe, Controlled, High-Quality AI-Assisted Development
+
+---
+
+# 1. AI Usage Principles
+
+1. AI is a Developer Assistant, Not an Architect
+2. Human Review is Mandatory
+3. Security Overrides AI Suggestions
+4. Architecture Rules Always Apply
+5. No Blind Copy-Paste
+
+---
+
+# 2. Allowed AI Usage
+
+AI can generate:
+
+✓ Components
+✓ Services
+✓ Tests
+✓ DTOs
+✓ Boilerplate code
+
+---
+
+# 3. Restricted AI Usage
+
+AI must NOT autonomously decide:
+
+❌ Architecture changes
+❌ Security logic
+❌ Authentication flow
+❌ Authorization rules
+❌ Database structure
+
+---
+
+# 4. Code Review Rules for AI Code
+
+All AI-generated code must be checked for:
+
+✓ Type safety
+✓ Security compliance
+✓ Performance impact
+✓ Architecture compliance
+
+---
+
+# 5. Prompt Standards
+
+Good prompt:
+
+```text
+Generate Angular standalone component using signals
+```
+
+Bad prompt:
+
+```text
+Build entire app
+```
+
+---
+
+# 6. AI Security Rules
+
+AI must NOT generate:
+
+❌ Hardcoded secrets
+❌ Unsafe DOM manipulation
+❌ eval usage
+❌ bypassSecurityTrustHtml without review
+
+---
+
+# 7. AI Architecture Rules
+
+AI must follow:
+
+✓ Feature-based architecture
+✓ Standalone components
+✓ Signal-based state
+
+---
+
+# 8. AI Testing Rules
+
+AI-generated tests must:
+
+✓ Cover success + failure
+✓ Use factories
+✓ Avoid implementation details
+
+---
+
+# 9. AI Performance Rules
+
+AI must:
+
+✓ Avoid heavy computations in templates
+✓ Use computed signals
+✓ Avoid unnecessary subscriptions
+
+---
+
+# 10. AI Anti Patterns
+
+Never accept AI output with:
+
+❌ any types
+❌ constructor injection
+❌ NgModules
+❌ inline API URLs
+❌ console.log in production
+
+---
+
+# 11. AI Review Checklist
+
+Before accepting AI code:
+
+□ Type-safe
+□ Secure
+□ Performant
+□ Testable
+□ Architecture compliant
+
+---
+
+# 12. Definition of Safe AI Code
+
+AI code is safe when:
+
+✓ Reviewed
+✓ Typed
+✓ Secure
+✓ Tested
+✓ Aligned with standards