knowzcode 0.1.0

package/knowzcode/enterprise/guidelines/security.md

@@ -0,0 +1,355 @@
+---
+guideline_id: SEC-001
+name: Security Guidelines
+version: "1.0"
+last_updated: "2025-01-29"
+enforcement: blocking
+applies_to: both
+categories:
+  - authentication
+  - authorization
+  - data-protection
+  - injection-prevention
+  - logging
+priority: critical
+owner: security-team
+---
+
+# Security Guidelines
+
+**Purpose:** Ensure all specifications and implementations meet enterprise security requirements based on industry best practices and OWASP guidelines.
+
+---
+
+## 1. Authentication Requirements
+
+### SEC-AUTH-01: Secure Password Handling
+
+**Requirement:** All passwords MUST be hashed using bcrypt (cost >= 10) or Argon2. Plaintext passwords MUST never be stored or logged.
+
+**Applies To:** implementation
+
+**Severity:** critical
+
+**ARC Verification:**
+- ARC_SEC_AUTH_01a: Verify password storage uses bcrypt with cost >= 10 OR Argon2
+- ARC_SEC_AUTH_01b: Verify plaintext passwords are never logged or stored in databases
+- ARC_SEC_AUTH_01c: Verify password comparison uses constant-time comparison function
+
+**Compliant Example:**
+```typescript
+import bcrypt from 'bcrypt';
+
+async function hashPassword(password: string): Promise<string> {
+  const saltRounds = 12; // cost factor >= 10
+  return bcrypt.hash(password, saltRounds);
+}
+
+async function verifyPassword(password: string, hash: string): Promise<boolean> {
+  return bcrypt.compare(password, hash); // constant-time comparison
+}
+```
+
+**Non-Compliant Example:**
+```typescript
+// VIOLATION: Storing plaintext password
+db.users.insert({ password: userPassword });
+
+// VIOLATION: Using weak hashing algorithm
+const hash = crypto.createHash('md5').update(password).digest('hex');
+
+// VIOLATION: Non-constant-time comparison
+if (storedPassword === inputPassword) { /* ... */ }
+```
+
+**Remediation:** Replace plaintext storage or weak hashing with bcrypt. Use library's built-in compare function for constant-time comparison.
+
+---
+
+### SEC-AUTH-02: Session Management
+
+**Requirement:** Sessions MUST have secure cookie settings and configurable expiry. Session tokens MUST be regenerated after authentication.
+
+**Applies To:** both
+
+**Severity:** high
+
+**ARC Verification:**
+- ARC_SEC_AUTH_02a: Verify session cookies have HttpOnly flag set to true
+- ARC_SEC_AUTH_02b: Verify session cookies have Secure flag in production environment
+- ARC_SEC_AUTH_02c: Verify session expiry is configurable and defaults to <= 24 hours
+- ARC_SEC_AUTH_02d: Verify session token is regenerated after successful login
+- ARC_SEC_AUTH_02e: Spec MUST document session lifecycle and security properties
+
+**Compliant Example:**
+```typescript
+app.use(session({
+  secret: process.env.SESSION_SECRET,
+  cookie: {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'strict',
+    maxAge: 24 * 60 * 60 * 1000 // 24 hours max
+  },
+  resave: false,
+  saveUninitialized: false
+}));
+
+// Regenerate session after login
+req.session.regenerate((err) => {
+  req.session.userId = user.id;
+});
+```
+
+**Non-Compliant Example:**
+```typescript
+// VIOLATION: Insecure cookie settings
+app.use(session({
+  secret: 'hardcoded-secret', // Never hardcode secrets
+  cookie: {
+    httpOnly: false,  // Allows XSS to steal session
+    secure: false,    // Allows interception over HTTP
+    // Missing maxAge = potential infinite session
+  }
+}));
+```
+
+---
+
+## 2. Authorization Requirements
+
+### SEC-AUTHZ-01: Role-Based Access Control
+
+**Requirement:** All protected resources MUST implement server-side authorization checks. Authorization MUST NOT rely solely on client-side controls.
+
+**Applies To:** both
+
+**Severity:** critical
+
+**ARC Verification:**
+- ARC_SEC_AUTHZ_01a: Verify all API endpoints have authorization middleware
+- ARC_SEC_AUTHZ_01b: Verify authorization is enforced server-side, not client-only
+- ARC_SEC_AUTHZ_01c: Verify Spec documents required roles/permissions per endpoint
+- ARC_SEC_AUTHZ_01d: Verify authorization failures return 403 Forbidden (not 404)
+
+**Compliant Example:**
+```typescript
+// Server-side authorization middleware
+const authorize = (roles: string[]) => (req, res, next) => {
+  if (!req.user || !roles.includes(req.user.role)) {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+  next();
+};
+
+router.delete('/users/:id',
+  authenticate,
+  authorize(['admin']), // Server-side role check
+  deleteUserHandler
+);
+```
+
+**Non-Compliant Example:**
+```typescript
+// VIOLATION: No server-side authorization
+router.delete('/users/:id', deleteUserHandler); // Anyone can delete!
+
+// VIOLATION: Client-only authorization (easily bypassed)
+// Frontend: if (user.role === 'admin') showDeleteButton()
+// Backend: router.delete('/users/:id', deleteUserHandler); // No check!
+```
+
+---
+
+### SEC-AUTHZ-02: IDOR Prevention
+
+**Requirement:** Resource access MUST verify the requesting user has permission to access the specific resource, not just the resource type.
+
+**Applies To:** implementation
+
+**Severity:** critical
+
+**ARC Verification:**
+- ARC_SEC_AUTHZ_02a: Verify resource ownership is checked before returning data
+- ARC_SEC_AUTHZ_02b: Verify users cannot access other users' data by changing IDs in requests
+
+**Compliant Example:**
+```typescript
+// Check ownership before returning resource
+async function getDocument(req, res) {
+  const doc = await Document.findById(req.params.id);
+  if (!doc) return res.status(404).json({ error: 'Not found' });
+
+  // IDOR prevention: verify ownership
+  if (doc.ownerId !== req.user.id && !req.user.isAdmin) {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+
+  res.json(doc);
+}
+```
+
+---
+
+## 3. Data Protection Requirements
+
+### SEC-DATA-01: Sensitive Data Handling
+
+**Requirement:** PII and sensitive data MUST be encrypted at rest and in transit. Data classification MUST be documented in specs.
+
+**Applies To:** both
+
+**Severity:** critical
+
+**ARC Verification:**
+- ARC_SEC_DATA_01a: Verify database connections use TLS/SSL
+- ARC_SEC_DATA_01b: Verify PII fields are encrypted or appropriately protected
+- ARC_SEC_DATA_01c: Verify Spec includes data classification (Public/Internal/Confidential/Secret)
+- ARC_SEC_DATA_01d: Verify sensitive data is not included in logs or error messages
+
+**Compliant Example:**
+```typescript
+// TLS connection to database
+const pool = new Pool({
+  connectionString: process.env.DATABASE_URL,
+  ssl: { rejectUnauthorized: true }
+});
+
+// Encrypt sensitive fields
+const encryptedSSN = encrypt(user.ssn, process.env.ENCRYPTION_KEY);
+```
+
+---
+
+## 4. Injection Prevention
+
+### SEC-INJ-01: SQL Injection Prevention
+
+**Requirement:** All database queries MUST use parameterized queries, prepared statements, or ORM methods. String concatenation in queries is PROHIBITED.
+
+**Applies To:** implementation
+
+**Severity:** critical
+
+**ARC Verification:**
+- ARC_SEC_INJ_01a: Verify no string concatenation or template literals in SQL queries
+- ARC_SEC_INJ_01b: Verify ORM is used OR parameterized queries exclusively
+
+**Compliant Example:**
+```typescript
+// Using ORM (Prisma)
+const user = await prisma.user.findUnique({ where: { id: userId } });
+
+// Using parameterized query
+const result = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
+
+// Using prepared statement
+const stmt = db.prepare('SELECT * FROM users WHERE email = ?');
+const user = stmt.get(email);
+```
+
+**Non-Compliant Example:**
+```typescript
+// VIOLATION: SQL Injection vulnerable - string concatenation
+const result = await db.query(`SELECT * FROM users WHERE id = ${userId}`);
+
+// VIOLATION: SQL Injection vulnerable - template literal
+const query = `SELECT * FROM users WHERE name = '${userName}'`;
+```
+
+---
+
+### SEC-INJ-02: XSS Prevention
+
+**Requirement:** All user input displayed in HTML MUST be properly escaped or sanitized. Framework auto-escaping should not be bypassed without explicit security review.
+
+**Applies To:** implementation
+
+**Severity:** high
+
+**ARC Verification:**
+- ARC_SEC_INJ_02a: Verify user input is escaped before rendering in HTML
+- ARC_SEC_INJ_02b: Verify dangerouslySetInnerHTML (React) or v-html (Vue) usage is justified and sanitized
+- ARC_SEC_INJ_02c: Verify Content-Security-Policy headers are configured
+
+**Compliant Example:**
+```typescript
+// React auto-escapes by default
+return <div>{userInput}</div>; // Safe
+
+// If HTML is required, sanitize first
+import DOMPurify from 'dompurify';
+const sanitized = DOMPurify.sanitize(userInput);
+return <div dangerouslySetInnerHTML={{ __html: sanitized }} />;
+```
+
+**Non-Compliant Example:**
+```typescript
+// VIOLATION: Unsanitized HTML injection
+return <div dangerouslySetInnerHTML={{ __html: userInput }} />;
+```
+
+---
+
+## 5. Logging Requirements
+
+### SEC-LOG-01: Security Event Logging
+
+**Requirement:** Authentication events (login success/failure, logout, password changes) MUST be logged with audit trail. Logs MUST NOT contain passwords, tokens, or other secrets.
+
+**Applies To:** implementation
+
+**Severity:** high
+
+**ARC Verification:**
+- ARC_SEC_LOG_01a: Verify login attempts (success and failure) are logged
+- ARC_SEC_LOG_01b: Verify logs do NOT contain passwords, tokens, or API keys
+- ARC_SEC_LOG_01c: Verify log entries include timestamp, user ID, event type, IP address
+- ARC_SEC_LOG_01d: Verify password change events are logged
+
+**Compliant Example:**
+```typescript
+// Structured security logging
+logger.info({
+  event: 'login_success',
+  userId: user.id,
+  email: user.email,
+  ip: req.ip,
+  userAgent: req.headers['user-agent'],
+  timestamp: new Date().toISOString()
+});
+
+// Never log sensitive data
+logger.info({ event: 'login_attempt', email }); // Good
+logger.info({ event: 'login_attempt', email, password }); // NEVER!
+```
+
+**Non-Compliant Example:**
+```typescript
+// VIOLATION: Logging sensitive data
+logger.info(`User ${email} logged in with password ${password}`);
+logger.debug({ user, token: authToken }); // Leaking token
+```
+
+---
+
+## Compliance Summary
+
+| ID | Requirement | Severity | Scope | Category |
+|:---|:------------|:---------|:------|:---------|
+| SEC-AUTH-01 | Secure Password Handling | critical | implementation | authentication |
+| SEC-AUTH-02 | Session Management | high | both | authentication |
+| SEC-AUTHZ-01 | Role-Based Access Control | critical | both | authorization |
+| SEC-AUTHZ-02 | IDOR Prevention | critical | implementation | authorization |
+| SEC-DATA-01 | Sensitive Data Handling | critical | both | data-protection |
+| SEC-INJ-01 | SQL Injection Prevention | critical | implementation | injection-prevention |
+| SEC-INJ-02 | XSS Prevention | high | implementation | injection-prevention |
+| SEC-LOG-01 | Security Event Logging | high | implementation | logging |
+
+---
+
+## References
+
+- [OWASP Top 10](https://owasp.org/Top10/)
+- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)
+- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)

package/knowzcode/enterprise/templates/guideline-template.md

@@ -0,0 +1,55 @@
+---
+guideline_id: CUSTOM-001
+name: "[Guideline Name]"
+enforcement: advisory
+applies_to: both
+priority: medium
+---
+
+# [Guideline Name]
+
+**Purpose:** [Brief description of what this guideline ensures]
+
+> **Instructions:**
+> 1. Copy this template to `knowzcode/enterprise/guidelines/` or `guidelines/custom/`
+> 2. Fill in sections relevant to your organization
+> 3. Add to `compliance_manifest.md` Active Guidelines table
+> 4. Set `Active` to `true` in the manifest
+
+---
+
+## 1. [Category Name]
+
+### [ID]: [Requirement Title]
+
+**Requirement:** [Clear statement of what MUST/SHOULD be done]
+
+**Applies To:** [spec | implementation | both]
+
+**Severity:** [critical | high | medium | low]
+
+**ARC Verification:**
+- ARC_[ID]_a: Verify that [specific testable condition]
+- ARC_[ID]_b: Verify that [specific testable condition]
+
+**Compliant Example:**
+```
+// Example of code/spec that meets the requirement
+```
+
+**Non-Compliant Example:**
+```
+// VIOLATION: [Explain why this violates the requirement]
+```
+
+**Remediation:** [Steps to fix violations]
+
+---
+
+## Compliance Summary
+
+| ID | Requirement | Severity | Scope |
+|:---|:------------|:---------|:------|
+| [ID] | [Title] | [severity] | [scope] |
+
+---

package/knowzcode/gitignore.template

@@ -0,0 +1,13 @@
+# KnowzCode Environment-Specific Files
+# These files contain local development environment details
+# and should remain purely local to each checkout
+
+# Environment context (filled during init, unique per dev environment)
+environment_context.md
+
+# Session-specific WorkGroup data
+workgroups/
+
+# Personal notes and scratch files
+*.local.md
+.scratch/

package/knowzcode/knowzcode_architecture.md

@@ -0,0 +1,51 @@
+# ◆ KnowzCode - Architectural Flowchart
+
+**Purpose:** This document contains the Mermaid flowchart defining the architecture, components (NodeIDs), and their primary interactions for this project. This visual map is the source of truth for all implementable components tracked in `knowzcode_tracker.md`.
+
+---
+
+```mermaid
+graph TD
+    %% =================================================================
+    %%  Legend - Defines the shapes and conventions used in this diagram
+    %% =================================================================
+    subgraph Legend
+        direction LR
+        L_IDConv(NodeID Convention: TYPE_Name)
+        L_Proc([Process/Backend Logic])
+        L_UI[/UI Component/]
+        L_Decision{Decision Point}
+        L_DB[(Database/Data Store)]
+        L_ExtAPI{{External API}}
+    end
+
+    %% =================================================================
+    %%  High-Level Application Flow
+    %%  This is a placeholder. Replace with your project's actual architecture.
+    %% =================================================================
+    User((User)) --> UI_LoginPage[/Login Page/]
+
+    subgraph "Authentication Feature"
+        direction TB
+        UI_LoginPage -- Credentials --> API_Auth[API: Authenticate User]
+        API_Auth --> DB_Users[(User Database)]
+        API_Auth --> Auth_Decision{Is Valid?}
+    end
+
+    Auth_Decision -- Yes --> UI_Dashboard[/User Dashboard/]
+    Auth_Decision -- No --> UI_LoginPage
+
+    subgraph "Dashboard Feature"
+        direction TB
+        UI_Dashboard -- Request Data --> API_GetData[API: Get User Data]
+        API_GetData --> SVC_DataAggregator[Service: Aggregate Data]
+        SVC_DataAggregator --> DB_Products[(Product DB)]
+        SVC_DataAggregator --> DB_Orders[(Order DB)]
+        SVC_DataAggregator -- Aggregated Data --> API_GetData
+        API_GetData -- Formatted Data --> UI_Dashboard
+    end
+```
+
+---
+
+(This is a template showing a sample application structure. Replace the entire Mermaid content above with the specific flowchart for your project. Use the architecture_generator.md guide for assistance in creating a new flowchart from a project idea.)

package/knowzcode/knowzcode_log.md

@@ -0,0 +1,142 @@
+# ◆ KnowzCode - Operational Record
+
+**Purpose:** This document serves two primary functions for KnowzCode:
+1.  **Operational Log**: A chronological, structured record of significant events, decisions, verification outcomes, and artifact changes during the project lifecycle. Maintained by the KnowzCode AI Agent as per `knowzcode_loop.md`.
+2.  **Reference Quality Criteria**: A standard list of code quality principles referenced during ARC (Attentive Review & Compliance)-Based Verification.
+
+---
+
+## Section 1: Operational Log
+
+**(Instructions for AI Agent: New entries are to be PREPENDED to this section. Use the file modification command specified in your `environment_context.md`. Each entry MUST be separated by `---`, and its `Timestamp` MUST be generated using the timestamp command from your `environment_context.md`.)**
+---
+**[NEWEST ENTRIES APPEAR HERE - DO NOT REMOVE THIS MARKER]**
+---
+**Type:** SystemInitialization
+**Timestamp:** [Generated Timestamp]
+**NodeID(s):** Project-Wide
+**Logged By:** KnowzCodeSetup
+**Details:**
+KnowzCode project structure and core files initialized.
+- `knowzcode/knowzcode_project.md` (template created)
+- `knowzcode/knowzcode_architecture.md` (template created)
+- `knowzcode/knowzcode_tracker.md` (template created)
+- `knowzcode/knowzcode_loop.md` (created)
+- `knowzcode/knowzcode_log.md` (this file - initialized)
+- `knowzcode/specs/` directory (created)
+---
+**Type:** SpecApproved
+**Timestamp:** [Generated Timestamp]
+**NodeID(s):** [ExampleNodeID]
+**Logged By:** AI-Agent (via Orchestrator)
+**Details:**
+Specification for `[ExampleNodeID]` has been reviewed and approved by the Orchestrator.
+- Key requirements confirmed: [Brief summary or reference to spec version if applicable]
+- Agent will now proceed with ARC-Principle-Based Planning for implementation.
+---
+**Type:** ◆ ARC-Completion
+**Timestamp:** [Generated Timestamp]
+**WorkGroupID:** kc-[The ID for this Change Set]
+**NodeID(s):** [List ALL NodeIDs in the Change Set]
+**Logged By:** KnowzCode AI-Agent
+**Details:**
+◆ Successfully implemented and verified the Change Set for [PrimaryGoal].
+- **ARC Verification Summary:** All ARC Criteria met for all nodes in the WorkGroupID. [Mention key checks performed].
+- **Architectural Learnings:** [Any discoveries about the overall architecture or patterns].
+- **Unforeseen Ripple Effects:** [NodeIDs (outside of this WorkGroupID) whose specs may now need review: None | List affected nodes and reason].
+- **Specification Finalization:** All specs for the listed NodeIDs updated to "as-built" state.
+- **Flowchart Consistency Check Outcome:** [e.g., 'No discrepancies found.', 'Applied simple update: Added link X->Y.', 'Discrepancy noted for Orchestrator review: Node Z interaction requires flowchart restructuring.'].
+---
+**Type:** MicroFix
+**Timestamp:** [Generated Timestamp]
+**NodeID(s)/File:** [TargetNodeID or file_path]
+**Logged By:** AI-Agent (via Orchestrator)
+**Details:**
+- **User Request:** [Orchestrator's brief issue description].
+- **Action Taken:** [Brief description of change made].
+- **Verification:** [Brief verification method/outcome, e.g., "Confirmed visually", "Ran specific test X"].
+---
+**Type:** Decision
+**Timestamp:** [Generated Timestamp]
+**NodeID(s):** [Relevant NodeID(s) or 'Project-Wide']
+**Logged By:** Orchestrator (or AI-Agent if relaying)
+**Details:**
+[Record of significant decision made, e.g., "User approved deviation X for NodeID Y.", "Tech stack choice for Z confirmed as ABC."].
+- Rationale: [Brief reason for the decision, if applicable].
+---
+**Type:** Issue
+**Timestamp:** [Generated Timestamp]
+**NodeID(s):** [Relevant NodeID(s) or 'Project-Wide']
+**Logged By:** AI-Agent or Orchestrator
+**Details:**
+An issue has been identified: [Description of the issue].
+- Current Status: [e.g., 'Under Investigation', 'Blocked until X', 'Awaiting user feedback'].
+- Proposed Next Steps: [If any].
+---
+**Type:** RefactorCompletion
+**Timestamp:** [Generated Timestamp]
+**WorkGroupID:** [The WorkGroupID for this refactor]
+**NodeID(s):** [TargetNodeID]
+**Logged By:** AI-Agent
+**Details:**
+Technical debt resolved via refactoring.
+- **Goal:** [Original refactoring goal].
+- **Summary of Improvements:** [List of specific improvements made].
+- **Verification:** Confirmed that all original ARC Verification Criteria still pass.
+---
+**Type:** FeatureAddition
+**Timestamp:** [Generated Timestamp]
+**NodeID(s):** [List ALL new NodeIDs added]
+**Logged By:** AI-Agent
+**Details:**
+Major new feature added mid-project.
+- **Feature Added:** [Name of the new feature].
+- **Scope Change:** Project scope expanded from [Old Total] to [New Total] nodes.
+- **Architectural Impact:** [Brief description of changes].
+- **Implementation Plan:** [Recommended build order for new nodes].
+---
+**Type:** IssueUpdate
+**Timestamp:** [Generated Timestamp]
+**NodeID(s):** [Affected NodeIDs]
+**Logged By:** AI-Agent
+**Details:**
+Critical issue status change.
+- **Previous Status:** [e.g., 'Under Investigation'].
+- **New Status:** [e.g., 'Resolved', 'Workaround Applied'].
+- **Action Taken:** [Brief description of resolution or change].
+---
+
+**(New log entries will be added above the `[NEWEST ENTRIES APPEAR HERE...]` marker following the `---` separator format.)**
+
+---
+
+## Section 2: Reference Quality Criteria (ARC-Based Verification)
+
+**(Instructions for AI Agent: This section is read-only. Refer to these criteria during the "ARC-Based Verification" step (Step 6) and the "ARC-Principle-Based Planning" step (Step 4) as outlined in `knowzcode_loop.md`. Specific project priorities are set in `knowzcode_project.md`.)**
+
+### Core Quality Criteria
+1.  **Maintainability:** Ease of modification, clarity of code and design, quality of documentation (specs, code comments), low coupling, high cohesion.
+2.  **Reliability:** Robustness of error handling, fault tolerance, stability under expected load, data integrity.
+3.  **Testability:** Adequacy of unit test coverage (especially for core logic), ease of integration testing, clear separation of concerns enabling testing.
+4.  **Performance:** Responsiveness, efficiency in resource utilization (CPU, memory, network) appropriate to project requirements.
+5.  **Security:** Resistance to common vulnerabilities (as applicable to project type), secure authentication/authorization, protection of sensitive data, secure handling of inputs.
+
+### Structural Criteria
+6.  **Readability:** Code clarity, adherence to naming conventions (from `knowzcode_project.md`), consistent formatting, quality and necessity of comments.
+7.  **Complexity Management:** Avoidance of overly complex logic (e.g., low cyclomatic/cognitive complexity), manageable size of functions/methods/classes.
+8.  **Modularity:** Adherence to Single Responsibility Principle, clear interfaces between components, appropriate use of abstraction.
+9.  **Code Duplication (DRY - Don't Repeat Yourself):** Minimization of redundant code through effective use of functions, classes, or modules.
+10. **Standards Compliance:** Adherence to language best practices, project-defined coding standards (from `knowzcode_project.md`), and platform conventions (from `environment_context.md`).
+
+### Functional Criteria (Primarily verified via `specs/[NodeID].md` ARC Verification Criteria)
+11. **Completeness:** All specified requirements in `specs/[NodeID].md` are met.
+12. **Correctness:** The implemented functionality behaves as specified in `specs/[NodeID].md` under various conditions.
+13. **Effective Error Handling:** As defined in specs, errors are handled gracefully, appropriate feedback is provided, and the system remains stable.
+14. **Dependency Management:** Correct versions of libraries (from `knowzcode_project.md`) are used; unnecessary dependencies are avoided.
+
+### Operational Criteria
+15. **Configuration Management:** Proper use of environment variables for sensitive data; configurations are clear and manageable.
+16. **Resource Usage:** Efficient use of environment resources. Code is written considering the target execution environment.
+17. **API Design (If applicable):** Consistency, usability, and clear contracts for any APIs developed or consumed by the node.
+
+*(This list guides the ARC-Based Verification process. The ARC Verification Criteria within each `specs/[NodeID].md` file provide specific, testable points derived from these general principles and the node's requirements.)*