# CLAUDE.md — Development & Engineering Standards## 📘 Project Overview**Te

1. # CLAUDE.md — Development & Engineering Standards
2.  
3. ## 📘 Project Overview
4. **Tech Stack:**
5. - **Backend:** Node.js 22 with TypeScript (Fastify/Express)
6. - **Frontend:** React 18 with Next.js (App Router)
7. - **Infrastructure:** Terraform + AWS SDK v3
8. - **Testing:** Jest (unit/integration) + Playwright (UI/e2e)
9. - **Database:** PostgreSQL + Prisma ORM
10.  
11. **Goal:**
12. Maintain a clean, type-safe, test-driven, and UI-first codebase emphasizing structured planning, intelligent context gathering, automation, disciplined collaboration, and enterprise-grade security and observability.
13.  
14. ---
15.  
16. ## 🧭 Core Principles
17. - **Plan First:** Every major change requires a clear, written, reviewed plan and explicit approval before execution.
18. - **Think Independently:** Critically evaluate decisions; propose better alternatives when appropriate.
19. - **Confirm Before Action:** Seek approval before structural or production-impacting work.
20. - **UI-First & Test-Driven:** Validate UI early; all code must pass Jest + Playwright tests before merge.
21. - **Context-Driven:** Use MCP tools (Context7 + Chunkhound) for up-to-date docs and architecture context.
22. - **Security Always:** Never commit secrets or credentials; follow least-privilege and configuration best practices.
23. - **No Automated Co-Authors:** Do not include “Claude” or any AI as a commit co-author.
24.  
25. ---
26.  
27. ## 🗂️ Context Hierarchy & Intelligence
28. Maintain layered, discoverable context so agents and humans retrieve only what’s necessary.
29.  
30. ```
31. CLAUDE.md # Project-level standards
32. /src/CLAUDE.md # Module/component rules & conventions
33. /features/<name>/CLAUDE.md# Feature-specific rules, risks, and contracts
34. /plans/* # Phase plans with context intelligence
35. /docs/* # Living docs (API, ADRs, runbooks)
36. ```
37.  
38. ### Context Intelligence Checklist
39. - Architecture Decision Records (ADRs) for major choices
40. - Dependency manifests with risk ratings and owners
41. - Performance baselines and SLOs (API P95, Core Web Vitals)
42. - Data classification and data-flow maps
43. - Security posture: threat model, secrets map, access patterns
44. - Integration contracts and schema versions
45.  
46. ---
47.  
48. ## 🚨 Concurrent Execution & File Management
49.  
50. **ABSOLUTE RULES**
51. 1. All related operations MUST be batched and executed concurrently in a single message.
52. 2. Never save working files, text/mds, or tests to the project root.
53. 3. Use these directories consistently:
54. - `/src` — Source code
55. - `/tests` — Test files
56. - `/docs` — Documentation & markdown
57. - `/config` — Configuration
58. - `/scripts` — Utility scripts
59. - `/examples` — Example code
60. 4. Use Claude Code’s Task tool to spawn parallel agents; MCP coordination, Claude executes.
61.  
62. ### ⚡ Enhanced Golden Rule: Intelligent Batching
63. - **Context-Aware Batching:** Group by domain boundaries, not just operation type.
64. - **Dependency-Ordered Execution:** Respect logical dependencies within a batch.
65. - **Error-Resilient Batching:** Include rollback/compensation steps per batch.
66. - **Performance-Optimized:** Balance batch size vs. execution time and resource limits.
67.  
68. ### Claude Code Task Tool Pattern (Authoritative)
69. ```javascript
70. // Single message: spawn all agents with complete instructions
71. Task("Research agent", "Analyze requirements, risks, and patterns", "researcher")
72. Task("Coder agent", "Implement core features with tests", "coder")
73. Task("Tester agent", "Generate and execute test suites", "tester")
74. Task("Reviewer agent", "Perform code and security review", "reviewer")
75. Task("Architect agent", "Design or validate architecture", "system-architect")
76. Task("Code Expert", "Advanced code analysis & refactoring", "code-expert")
77. ```
78.  
79. ---
80.  
81. ## 🤖 AI Development Patterns
82.  
83. ### Specification-First Development
84. - Write executable specifications before implementation.
85. - Derive test cases from specs; bind coverage to spec items.
86. - Validate AI-generated code against specification acceptance criteria.
87.  
88. ### Progressive Enhancement
89. - Ship a minimal viable slice first; iterate in safe increments.
90. - Maintain backward compatibility for public contracts.
91. - Use feature flags for risky changes; default off until validated.
92.  
93. ### AI Code Quality Gates
94. - AI-assisted code review required for every PR.
95. - SAST/secret scanning in CI for all changes.
96. - Performance impact analysis for significant diffs.
97.  
98. ### Task tracking in implementation plans and phase plans
99. - Mark incomplete tasks or tasks that have not started [ ]
100. - Mark tasks completed with [✅]
101. - Mark partially complete tasks that requires user action or changes with with [⚠️]
102. - Mark tasks that cannot be completed or marked as do not do with [❌]
103. - Mark deferred tasks with [⏳], and specify the phase it will be deferred to.
104.  
105. ---
106.  
107. ## 🧪 Advanced Testing Framework
108.  
109. ### AI-Assisted Test Generation
110. - Auto-generate unit tests for new/changed functions.
111. - Produce integration tests from OpenAPI/contract specs.
112. - Generate edge-case and mutation tests for critical paths.
113.  
114. ### Test Quality Metrics
115. - ≥ 85% branch coverage project-wide.
116. - 100% coverage for critical paths and security-sensitive code.
117. - Mutation score thresholds enforced for core domains.
118.  
119. ### Continuous Testing Pipeline
120. - Pre-commit: lint, type-check, unit tests.
121. - Pre-push: integration tests, SAST/secret scans.
122. - CI: full tests, performance checks, cross-browser/device (UI).
123. - CD: smoke tests, health checks, observability validation.
124.  
125. ---
126.  
127. ## 📚 Documentation as Code
128.  
129. ### Automation
130. - Generate API docs from OpenAPI/GraphQL schemas.
131. - Update architecture diagrams from code (e.g., TS AST, Prisma ERD).
132. - Produce changelogs from conventional commits.
133. - Build onboarding guides from project structure and runbooks.
134.  
135. ### Quality Gates
136. - Lint docs for spelling, grammar, links, and anchors in CI.
137. - Track documentation coverage (e.g., exported symbols with docstrings).
138. - Ensure accessibility compliance for docs (WCAG 2.1 AA).
139.  
140. ---
141.  
142. ## 📊 Performance & Observability
143.  
144. ### Budgets & SLOs
145. - Core Web Vitals: LCP < 2.5s, INP < 200ms, CLS < 0.1 on P75.
146. - API: P95 < 200ms for critical endpoints; P99 error rate < 0.1%.
147. - Build: end-to-end pipeline < 5 min; critical path bundles < 250KB gz.
148.  
149. ### Observability Requirements
150. - Structured logging with correlation/trace IDs.
151. - Distributed tracing for all external calls.
152. - Metrics and alerting for latency, errors, saturation.
153. - Performance regression detection on CI-controlled environments.
154.  
155. ---
156.  
157. ## 🔐 Security Standards (Enterprise)
158.  
159. ### Supply Chain & Secrets
160. - Lockfiles required; run `npm audit --audit-level=moderate` in CI.
161. - Enable Dependabot/Renovate with weekly grouped upgrades.
162. - Store secrets in vault; rotate at least quarterly; no secrets in code.
163.  
164. ### Access & Data
165. - Principle of least privilege for services and developers.
166. - Data classification: public, internal, confidential, restricted.
167. - Document data flows and apply encryption in-transit and at-rest.
168. - Enable Row Level Security (RLS) on all tables where applicable.
169.  
170. ### Vulnerability Response
171. - Critical CVEs patched within 24 hours; high within 72 hours.
172. - Security runbooks for incident triage and communications.
173. - Mandatory SAST/DAST and dependency scanning on every PR.
174.  
175. ---
176.  
177. ## 👥 Collaboration & Workflow
178.  
179. ### Planning & Phase Files
180. - Divide work into phases under `/plans/PHASE_*`. Each phase includes:
181. - Context Intelligence, scope, risks, dependencies.
182. - High-level tasks → subtasks → atomic tasks.
183. - Exit criteria and verification plan.
184.  
185. ### Commit Strategy
186. - Commit atomic changes with clear intent and rationale.
187. - Conventional commits required; no AI co-authors.
188. - Example: `feat(auth): implement login validation (subtask complete)`
189.  
190. ### Pull Requests
191. - Link phase/TODO files, summarize changes, include verification steps.
192. - Attach UI evidence for user-facing work.
193. - Document breaking changes and DB impacts explicitly.
194.  
195. ### Reviews
196. - Address comments with a mini-plan; confirm before major refactors.
197. - Merge only after approvals and green CI.
198. - Tag releases by phase completion.
199.  
200. ---
201.  
202. ## 🎨 UI Standards
203. - Prototype screens as static components under `UI_prototype/`.
204. - Use shadcn/ui; prefer composition over forking.
205. - Keep state minimal and localized; heavy state in hooks/stores.
206. - Validate key flows with Playwright; include visual regression where useful.
207.  
208. ---
209.  
210. ## 🧭 Backend, Database & Infra
211.  
212. ### Prisma & PostgreSQL
213. - Keep schema in `prisma/schema.prisma` and commit all migrations.
214. - Use isolated test DB; reset with `prisma migrate reset --force` in tests.
215. - Never hardcode connection strings; use `DATABASE_URL` via env.
216.  
217. ```
218. prisma/
219. ├─ schema.prisma
220. ├─ migrations/
221. └─ seed.ts
222. ```
223.  
224. ### Terraform & AWS
225. - Plan → review → apply for infra changes; logs kept for audits.
226. - Use least privilege IAM; rotate and scope credentials narrowly.
227. - Maintain runbooks in `/docs/runbooks/*` and keep diagrams up to date.
228.  
229. ---
230.  
231. ## 🧠 Coding Standards
232. - TypeScript strict mode; two-space indentation.
233. - camelCase (variables/functions), PascalCase (components/classes), SCREAMING_SNAKE_CASE (consts).
234. - Prefer named exports, colocate tests and styles when logical.
235. - Format on commit: `prettier --write .` and `eslint --fix`.
236.  
237. ---
238.  
239. ## 🧩 Commands
240. - Development: `npm run dev` (site), `npm run dev:email` (email preview)
241. - Build: `npm run build`
242. - Lint/Format: `npm run lint:fix`
243. - Tests:
244. - Unit/Integration: `npm test` or `npx jest tests/<file>`
245. - E2E: `npm run test:e2e` or `npx playwright test tests/<file>`
246. - Database: `npm run db:migrate`, `npm run db:seed`
247. - Automate setup with scripts:
248. - `scripts/start.sh` → start dependencies then app.
249. - `scripts/stop.sh` → gracefully stop app then dependencies.
250.  
251. ---
252.  
253. ## ✅ Standard Development Lifecycle
254. 1. Plan: gather context (Context7, Chunkhound), define risks and ADRs.
255. 2. Prototype: build and validate UI.
256. 3. Implement: backend + frontend with incremental, tested commits.
257. 4. Verify: green Jest + Playwright + security scans.
258. 5. Review & Merge: structured PR; tag phase completion.
259.  
260. ---
261.  
262. ## 📌 Important Notes
263. - All changes must be tested; if tests weren’t run, the code does not work.
264. - Prefer editing existing files over adding new ones; create files only when necessary.
265. - Use absolute paths for file operations.
266. - Keep `files.md` updated as a source-of-truth index.
267. - Be honest about status; do not overstate progress.
268. - Never save working files, text/mds, or tests to the root folder.