Coding Agent Enforcement Framework

1. Purpose

Define non-negotiable rules so coding agents generate production-safe, standards-compliant code.

2. Contract-First Rules

  • Agents MUST read OpenAPI/AsyncAPI contracts before writing application code.
  • Agents MUST NOT create UI-only logic without a corresponding API contract.
  • Agents MUST update specs first for any API change.

3. Security Rules

  • No hardcoded secrets, tokens, passwords, or keys.
  • No insecure auth shortcuts (query-token auth for sensitive operations is forbidden).
  • All privileged operations require explicit authZ checks and audit events.
  • Input validation required on every boundary.
  • No direct control-plane SSH provisioning flows in MVP; node operations must go through node-agent internal APIs.
  • Provisioning lifecycle state changes must be Temporal-governed. Agents must not implement direct handler/service shortcuts that bypass workflow/event progression.

4. Data Integrity Rules

  • Monetary operations must be immutable ledger entries.
  • Mutation endpoints must support idempotency keys.
  • Async side effects must use queue/outbox patterns.
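
Added example, not part of the framework or its project's code: one way the three rules above can combine for a monetary mutation, sketched in Python with SQLite. The schema, the `post_entry` and `drain_outbox` helpers, and the `ledger.entry.created` topic are assumptions chosen for illustration.

```python
import json
import sqlite3

# Constructed schema (assumption): append-only ledger plus a transactional outbox.
SCHEMA = """
CREATE TABLE ledger (id INTEGER PRIMARY KEY, account TEXT NOT NULL,
                     amount_cents INTEGER NOT NULL, idem_key TEXT NOT NULL UNIQUE);
CREATE TRIGGER ledger_no_update BEFORE UPDATE ON ledger
BEGIN SELECT RAISE(ABORT, 'ledger is append-only'); END;
CREATE TRIGGER ledger_no_delete BEFORE DELETE ON ledger
BEGIN SELECT RAISE(ABORT, 'ledger is append-only'); END;
CREATE TABLE outbox (id INTEGER PRIMARY KEY, topic TEXT NOT NULL,
                     payload TEXT NOT NULL, published INTEGER NOT NULL DEFAULT 0);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def post_entry(db, idem_key, account, amount_cents):
    """Append one ledger entry; a replayed key returns (original id, False)."""
    if not idem_key or not isinstance(amount_cents, int) or amount_cents == 0:
        raise ValueError("idempotency key and non-zero integer amount required")
    try:
        with db:  # one transaction: ledger row and outbox row commit together
            entry_id = db.execute(
                "INSERT INTO ledger (account, amount_cents, idem_key) VALUES (?, ?, ?)",
                (account, amount_cents, idem_key)).lastrowid
            event = {"entry_id": entry_id, "account": account, "amount_cents": amount_cents}
            db.execute("INSERT INTO outbox (topic, payload) VALUES (?, ?)",
                       ("ledger.entry.created", json.dumps(event)))
        return entry_id, True
    except sqlite3.IntegrityError:
        row = db.execute("SELECT id, account, amount_cents FROM ledger WHERE idem_key = ?",
                         (idem_key,)).fetchone()
        if row is None:
            raise  # not a duplicate key; surface the original constraint error
        if row[1:] != (account, amount_cents):
            raise ValueError("idempotency key reused with a different request")
        return row[0], False

def drain_outbox(db, publish):
    """Relay step: deliver pending events, marking each only after publish succeeds."""
    rows = db.execute("SELECT id, topic, payload FROM outbox "
                      "WHERE published = 0 ORDER BY id").fetchall()
    for row_id, topic, payload in rows:
        publish(topic, json.loads(payload))
        with db:
            db.execute("UPDATE outbox SET published = 1 WHERE id = ?", (row_id,))
    return len(rows)
```

Because the relay marks a row only after `publish` returns, delivery is at-least-once, so consumers of the outbox events need to tolerate duplicates.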

5. Code Generation Rules

  • Generate typed clients/SDK from OpenAPI only.
  • Use stable operationIds and versioned API docs.
  • Preserve backward compatibility unless version bump is explicitly requested.

6. Testing and Verification Rules

  • Agents must generate/update unit + integration tests for changed behavior.
  • API contract tests must pass in CI.
  • Any task touching packages/web/** MUST pass make verify-web before it can be marked done.
  • Security lint and dependency scan must pass before merge.

7. Review Gates (Required)

  • Gate 1: Contract compliance
  • Gate 2: Security compliance
  • Gate 3: Observability compliance
  • Gate 4: Backward compatibility check

8. Definition of Done for Agent-Generated PRs

  • Spec updated and validated.
  • Code + tests updated.
  • Migration impact documented.
  • Changelog and compatibility notes updated.