d-bis/gov-portals-monorepo
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c9c8d559a2d5374a29fac86e2d15b04af8b89028
gov-portals-monorepo/TECH_POLICIES.md
defiQUG f5e217efcd Initial monorepo: shared package and DBIS, ICCC, OMNL, XOM portals 
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-13 10:30:56 -08:00

127 lines
4.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Tech Policies — Public Web Portals
These policies apply to **all** governmental body web portals in this repository. They define security, accessibility, quality, and operational standards.
---
## 1. Security
- **No secrets in repository**
No API keys, passwords, or tokens in source code, config files, or history. Use environment variables or a secure secrets store.
- **Dependency hygiene**
- Dependencies must be from trusted registries (npm/pnpm).
- Run vulnerability scanning (e.g. `pnpm audit`, Snyk) in CI; fix or document accepted risks.
- Prefer minimal dependency set; justify new dependencies in PRs.
- **Content Security Policy (CSP)**
Each portal must ship with a strict CSP (e.g. via Next.js headers). Nonces or hashes for inline scripts if required; avoid `unsafe-inline` where possible.
- **HTTPS only**
All environments (dev/staging/production) must use HTTPS. No mixed content.
- **Authentication**
Use the standardized OIDC/OAuth 2.0 flow. Session handling (e.g. httpOnly cookies, token storage) must follow the same security guidelines across portals.
---
## 2. Accessibility (WCAG 2.1 AA)
- **Compliance**
All user-facing content and flows must meet WCAG 2.1 Level AA unless a formal exception is documented.
- **Testing**
- Use automated tools (e.g. axe-core, Pa11y) in CI.
- Manual checks for keyboard navigation, screen reader, and zoom.
- Critical user journeys must have an accessibility sign-off before release.
- **Design**
Color contrast, focus indicators, and touch targets must meet WCAG. Use the shared design systems accessible components.
---
## 3. Browser & Device Support
- **Browsers**
Support the current and previous major versions of:
Chrome, Firefox, Safari, Edge.
Exact versions and “current” definition are set in CI (e.g. browserslist).
- **Devices**
Responsive design required; mobile and tablet are first-class. Test on real or emulated devices for critical flows.
- **Progressive enhancement**
Core content and actions must work without JavaScript where feasible; enhance with JS for better UX.
---
## 4. Code Quality & Consistency
- **TypeScript**
Strict mode. No `any` except where explicitly typed and commented. Public APIs must be fully typed.
- **Lint & format**
- ESLint and Prettier configs are shared at repo root.
- CI fails on lint or format errors.
- No disabling rules without a documented exception.
- **Naming & structure**
- Same folder conventions across portals (e.g. `app/`, `components/`, `lib/`).
- Shared glossary for common terms (e.g. “user”, “session”, “portal”) to keep copy and code consistent.
---
## 5. Testing
- **Unit / component**
Vitest + React Testing Library. Critical business logic and shared components must have tests.
- **E2E**
Playwright. Critical user journeys (e.g. login, main flows) must have E2E tests. Same browser matrix as production support.
- **Coverage**
Minimum coverage thresholds (e.g. 80% for critical paths) enforced in CI. New code should not lower coverage without approval.
---
## 6. Documentation & Onboarding
- **Per-portal README**
Each portal must have a README with: purpose, how to run locally, required env vars, and links to TECH_STACK.md and TECH_POLICIES.md.
- **API contracts**
Document public APIs (OpenAPI or tRPC schema). Keep docs in sync with code.
- **Changelog / releases**
Document breaking changes and notable updates. Use a consistent format (e.g. keep a CHANGELOG or use release notes).
---
## 7. Performance & Reliability
- **Performance budgets**
Set and enforce budgets (e.g. LCP, FID, CLS) in CI where possible. No regression without approval.
- **Error handling**
User-facing errors must be handled gracefully; no raw stack traces or internal details exposed.
- **Logging & monitoring**
Use the same approach (e.g. structured logs, same log levels). No PII in logs.
---
## 8. Governance
- **Changes to TECH_STACK.md and TECH_POLICIES.md**
Changes apply to all portals. Update stack/policies via a process that includes impact review (e.g. ADR or tech lead sign-off).
- **Exceptions**
Any exception to these policies must be documented (what, why, expiry, owner) and reviewed periodically.
- **Review cycle**
Stack and policies should be reviewed at least annually and after major incidents or audits.
---
*These policies sit alongside TECH_STACK.md. Portals must comply with both.*
Reference in New Issue View Git Blame Copy Permalink