Standards & Reference
Compliance
This document outlines the compliance requirements and standards for the Flowstate application development process.
Table of Contents
- Overview
- FlowState Standard
- Development Compliance
- Documentation Compliance
- Testing Compliance
- Security Compliance
- Accessibility Compliance
- Audit Process
- Compliance Checklist
Overview
All development activities must adhere to the FlowState Standard, ensuring consistent quality, maintainability, and auditability across the project.
Compliance Objectives
- Quality Assurance: Maintain high code quality standards
- Traceability: Track all changes and decisions
- Security: Protect data and prevent vulnerabilities
- Accessibility: Ensure inclusive user experience
- Documentation: Maintain comprehensive documentation
Governance
| Role | Responsibility |
|---|---|
| Project Lead | Overall compliance oversight |
| Tech Lead | Technical standards enforcement |
| QA Lead | Testing compliance verification |
| Security Lead | Security review and approval |
FlowState Standard
The FlowState Standard defines the minimum requirements for software development on this project.
Required Documents
Every project must maintain the following documentation:
| Document | Purpose | Review Frequency |
|---|---|---|
| TDD.md | Test-driven development process | Per release |
| BAT.md | Browser automation testing | Per release |
| DOCUMENTATION.md | User documentation standards | Quarterly |
| CHANGELOG.md | Change tracking | Continuous |
| QUALITY.md | Code quality standards | Quarterly |
| PROCESS.md | Development process | Quarterly |
| SECURITY.md | Security standards | Quarterly |
| ARCHITECTURE.md | System architecture | Per major release |
Compliance Verification
// scripts/verify-compliance.ts
interface ComplianceCheck {
document: string;
exists: boolean;
lastUpdated: Date;
isStale: boolean;
issues: string[];
}
async function verifyFlowStateCompliance(): Promise<ComplianceCheck[]> {
const requiredDocs = [
'TDD.md',
'BAT.md',
'DOCUMENTATION.md',
'CHANGELOG.md',
'QUALITY.md',
'PROCESS.md',
'SECURITY.md',
'ARCHITECTURE.md',
];
const checks: ComplianceCheck[] = [];
for (const doc of requiredDocs) {
const check = await verifyDocument(`docs/${doc}`);
checks.push(check);
}
return checks;
}
Development Compliance
Code Review Requirements
All code changes must pass review before merging:
| Criteria | Requirement | Verification |
|---|---|---|
| Peer Review | Minimum 1 approving review | GitHub PR settings |
| Test Coverage | Minimum 80% coverage | CI pipeline |
| Linting | Zero errors | Pre-commit hook |
| Type Safety | No TypeScript errors | Build process |
| Documentation | JSDoc for public APIs | Review checklist |
Commit Standards
type(scope): description
[optional body]
[optional footer]
Required Elements:
- Type prefix (feat, fix, docs, etc.)
- Concise description
- Issue reference (when applicable)
Validation:
# .husky/commit-msg
npx commitlint --edit $1
Branch Protection Rules
| Branch | Requirements |
|---|---|
main | 2 approvals, passing CI, no force push |
dev | 1 approval, passing CI |
feature/* | Passing CI |
hotfix/* | 1 approval, passing CI |
Pull Request Template
## Description
[Describe the changes]
## Type of Change
- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update
## Checklist
- [ ] Tests added/updated
- [ ] Documentation updated
- [ ] No new warnings
- [ ] Self-reviewed
- [ ] Linked to issue
## Testing Instructions
[How to test these changes]
## Screenshots (if applicable)
Documentation Compliance
Required Documentation
| Component Type | Documentation Required |
|---|---|
| View/Page | Help article, workflow guide |
| Component | Props documentation, usage examples |
| Hook | JSDoc, usage examples |
| Service | API documentation |
| Utility | JSDoc, examples |
Documentation Standards
/**
* Filters events by status.
*
* @param events - Array of events to filter
* @param status - Status to filter by ('on-track', 'at-risk', 'delayed')
* @returns Filtered array of events
*
* @example
* ```ts
* const filtered = filterEventsByStatus(events, 'on-track');
* ```
*
* @see {@link EventStatus} for valid status values
*/
export function filterEventsByStatus(
events: Event[],
status: EventStatus
): Event[] {
return events.filter(e => e.status === status);
}
Help Center Coverage
Every user-facing feature must have:
- Overview documentation
- Step-by-step workflow guide
- Screenshots (current version)
- FAQ entries (as needed)
- Troubleshooting section
Testing Compliance
Test Coverage Requirements
| Category | Minimum Coverage | Target Coverage |
|---|---|---|
| Statements | 80% | 90% |
| Branches | 75% | 85% |
| Functions | 80% | 90% |
| Lines | 80% | 90% |
Test Types Required
| Test Type | Scope | Frequency |
|---|---|---|
| Unit Tests | Functions, components | Every change |
| Integration Tests | Component interactions | Every feature |
| E2E Tests | Critical user flows | Every release |
| Visual Regression | UI consistency | Every UI change |
| Performance Tests | Load times, bundle size | Weekly |
| Accessibility Tests | WCAG compliance | Every UI change |
Test Quality Standards
// Example: Well-structured test
describe('EventCard', () => {
describe('when status is delayed', () => {
it('displays red border indicator', () => {
// Arrange
const event = createTestEvent({ status: 'delayed' });
// Act
render(<EventCard event={event} />);
// Assert
expect(screen.getByTestId('event-card')).toHaveClass('border-l-red-500');
});
});
});
CI Pipeline Requirements
# Required CI checks
jobs:
lint:
- ESLint (zero errors)
- TypeScript (zero errors)
- Prettier (formatted)
test:
- Unit tests (passing)
- Coverage threshold (met)
build:
- Production build (successful)
- Bundle size (within limits)
e2e:
- Critical path tests (passing)
- Visual regression (no unexpected changes)
Security Compliance
Security Requirements
| Requirement | Implementation | Verification |
|---|---|---|
| Input Validation | Zod schemas | Code review |
| XSS Prevention | React escaping, DOMPurify | Security scan |
| CSRF Protection | Token-based | Penetration test |
| Authentication | Azure AD / MSAL | Security audit |
| Authorization | Role-based access | Integration tests |
| Data Encryption | HTTPS, encrypted storage | Configuration audit |
Dependency Security
// package.json
{
"scripts": {
"audit": "npm audit",
"audit:fix": "npm audit fix",
"security:check": "snyk test"
}
}
Requirements:
- No critical vulnerabilities
- No high vulnerabilities (without mitigation plan)
- Weekly dependency audit
- Automated Dependabot updates
Sensitive Data Handling
| Data Type | Handling | Storage |
|---|---|---|
| Credentials | Never in code | Environment variables |
| API Keys | Never in code | Secure vault |
| PII | Encrypted | Server-side only |
| Session Data | Secure cookies | HttpOnly, Secure flags |
Security Review Checklist
- [ ] No hardcoded secrets
- [ ] Input validation on all forms
- [ ] Output encoding for dynamic content
- [ ] Authentication required for protected routes
- [ ] Authorization checked for actions
- [ ] Secure headers configured
- [ ] HTTPS enforced
- [ ] Dependencies audited
Accessibility Compliance
WCAG 2.1 Requirements
Target: Level AA Compliance
| Principle | Requirements |
|---|---|
| Perceivable | Text alternatives, captions, adaptable content |
| Operable | Keyboard accessible, sufficient time, no seizures |
| Understandable | Readable, predictable, input assistance |
| Robust | Compatible with assistive technologies |
Implementation Standards
// Accessible component example
const EventCard: React.FC<EventCardProps> = ({ event, onClick }) => {
return (
<article
role="article"
aria-label={`Event: ${event.name}`}
tabIndex={0}
onClick={onClick}
onKeyDown={(e) => e.key === 'Enter' && onClick?.()}
className="..."
>
<h3 id={`event-${event.id}-title`}>{event.name}</h3>
<div aria-labelledby={`event-${event.id}-title`}>
{/* Content */}
</div>
</article>
);
};
Accessibility Testing
// e2e/tests/accessibility.spec.ts
import { test, expect } from '@playwright/test';
import AxeBuilder from '@axe-core/playwright';
test.describe('Accessibility', () => {
test('dashboard has no accessibility violations', async ({ page }) => {
await page.goto('/dashboard');
const results = await new AxeBuilder({ page })
.withTags(['wcag2a', 'wcag2aa'])
.analyze();
expect(results.violations).toEqual([]);
});
});
Accessibility Checklist
- [ ] All images have alt text
- [ ] Form fields have labels
- [ ] Color contrast meets AA standards
- [ ] Focus indicators visible
- [ ] Keyboard navigation works
- [ ] Screen reader compatible
- [ ] No content depends solely on color
- [ ] Error messages are descriptive
Audit Process
Audit Schedule
| Audit Type | Frequency | Scope |
|---|---|---|
| Code Quality | Per PR | Changed files |
| Security | Monthly | Full codebase |
| Accessibility | Per release | UI changes |
| Documentation | Quarterly | All docs |
| Compliance | Quarterly | Full review |
Audit Report Template
# Compliance Audit Report
**Date**: YYYY-MM-DD
**Auditor**: [Name]
**Scope**: [Description]
## Summary
Overall compliance status: [Compliant/Non-Compliant/Partial]
## Findings
### Critical
- [Finding 1]
### High
- [Finding 2]
### Medium
- [Finding 3]
### Low
- [Finding 4]
## Recommendations
1. [Recommendation 1]
2. [Recommendation 2]
## Action Items
| Item | Owner | Due Date | Status |
|------|-------|----------|--------|
| Fix critical issue | @dev | YYYY-MM-DD | Open |
## Sign-off
- [ ] Project Lead
- [ ] Tech Lead
- [ ] Security Lead
Non-Compliance Handling
- Critical Issues: Immediate resolution required, block release
- High Issues: Resolution within 1 sprint, may block release
- Medium Issues: Resolution within 2 sprints
- Low Issues: Resolution within 1 quarter
Compliance Checklist
Pre-Development
- [ ] Requirements documented
- [ ] User stories written
- [ ] Acceptance criteria defined
- [ ] Security considerations identified
- [ ] Accessibility requirements noted
During Development
- [ ] TDD approach followed
- [ ] Code review requested
- [ ] Tests written and passing
- [ ] Documentation updated
- [ ] No linting errors
- [ ] No TypeScript errors
Pre-Release
- [ ] All tests passing
- [ ] Coverage thresholds met
- [ ] E2E tests passing
- [ ] Accessibility audit passed
- [ ] Security scan passed
- [ ] Documentation complete
- [ ] Changelog updated
- [ ] Release notes prepared
Post-Release
- [ ] Production verified
- [ ] Monitoring enabled
- [ ] Documentation published
- [ ] Stakeholders notified
- [ ] Retrospective scheduled
Automation
Compliance CI Checks
# .github/workflows/compliance.yml
name: Compliance Check
on: [push, pull_request]
jobs:
compliance:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Verify required documents
run: npm run compliance:docs
- name: Check test coverage
run: npm run test:coverage -- --threshold 80
- name: Security audit
run: npm audit --audit-level=high
- name: Accessibility check
run: npm run test:a11y
- name: Generate compliance report
run: npm run compliance:report
Compliance Dashboard
Track compliance metrics over time:
- Test coverage trends
- Security vulnerability counts
- Accessibility issue counts
- Documentation coverage
- Audit findings resolution rate
Related Documents
- FLOWSTATE.md - Standards index
- QUALITY.md - Code quality standards
- SECURITY.md - Security requirements
- TDD.md - Testing standards
- BAT.md - E2E testing standards