# Rules for developing software deliverables at TSYS Group
*Adopt these principles and checklist items for every TSYS Group software deliverable: clear, testable, and production-ready.*

**Core Constraints**
- Only perform host operations for:
  - git workflows (clone, fetch, commit, push, branch, tag)
  - Docker and Docker Compose (build, run, compose up/down, network operations)
- All other development and runtime tasks (installing toolchains, running builds and tests, running the application itself) must be performed inside Docker containers.
- Publish only the main application web interface to external networks; every other service and port stays unpublished and is reachable only on the per-stack Docker network.

**Containerization & Deployment**
- Ship the application as a Docker container image.
- Provide and maintain a canonical docker-compose.yml that describes service dependencies, networks, volumes, and healthchecks.
- Ensure the container:
  - builds reproducibly (pinned base images and dependency versions, so two builds of the same commit yield the same image)
  - starts reliably
  - passes automated smoke tests before any release or QA signoff

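The following docker-compose.yml is an added illustration of the rules above; it is not TSYS Group's own file. It publishes a single host port for the web interface, keeps everything else on an internal `backend` network, declares healthchecks on both services (with `web` waiting for `db` to become healthy), supplies a secret from a file instead of baking it into an image, and applies the least-privilege settings the Security section calls for. The service names (`web`, `db`), the image name and tag, port 8080, the `/healthz` path, the presence of `wget` in the web image, the non-root UID, and the `./secrets/db_password.txt` path are all assumptions.

```yaml
# docker-compose.yml: added illustration, names and paths are assumptions.
services:
  web:
    build:
      context: .
      dockerfile: Dockerfile
    image: example/web:${GIT_SHA:-dev}   # tag by commit so an image is traceable to a build
    ports:
      - "8080:8080"                      # the only published port: the main web interface
    environment:
      DATABASE_URL: postgres://app@db:5432/app
    secrets:
      - db_password                      # mounted at /run/secrets/db_password, never in the image
    depends_on:
      db:
        condition: service_healthy       # do not start until the database healthcheck passes
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8080/healthz"]   # assumes wget in the image
      interval: 10s
      timeout: 3s
      retries: 5
      start_period: 15s
    user: "10001:10001"                  # non-root UID/GID that the image was built with
    read_only: true                      # immutable root filesystem
    tmpfs:
      - /tmp                             # the only writable location
    cap_drop:
      - ALL                              # no Linux capabilities
    security_opt:
      - no-new-privileges:true           # setuid binaries cannot escalate
    networks:
      - backend

  db:
    image: postgres:16
    environment:
      POSTGRES_USER: app
      POSTGRES_DB: app
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password   # official image reads the file
    secrets:
      - db_password
    volumes:
      - db-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U app -d app"]
      interval: 10s
      timeout: 3s
      retries: 5
    networks:
      - backend
    # no `ports:` entry: Postgres is reachable only by name from containers on `backend`

networks:
  backend:
    driver: bridge

volumes:
  db-data:

secrets:
  db_password:
    file: ./secrets/db_password.txt      # kept out of git; CI writes it before `compose up`
```

`docker compose config` renders the effective file after interpolation, which is a convenient target for the YAML lint job; a reviewer can confirm from that output that exactly one `published:` entry exists and that `db` has none.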

**Testing, QA & Reliability**
- Follow Test-Driven Development (TDD) for all new features and bug fixes: write the failing test first, then the change that makes it pass.
- Create comprehensive automated test suites (unit, integration, and end-to-end where applicable).
- Maintain very high test coverage and ensure all tests pass in CI before merging.
- Treat all warnings as errors; configure CI to fail on warnings where practical.
- Include CI jobs that:
  - build the container
  - run linting
  - run tests
  - perform smoke/startup checks

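A smoke/startup job can be a short POSIX shell script that builds the stack, brings it up, waits for the container's own healthcheck instead of sleeping a fixed time, probes the web endpoint, and tears everything down. The script below is an added example, not part of the original page or a TSYS Group script. It assumes Docker Compose v2 (`docker compose`), a service named `web` that declares a HEALTHCHECK, `curl` on the CI runner, and a health endpoint at `http://127.0.0.1:8080/healthz`; it also fails the job when the effective compose file publishes more than one host port, which enforces the "only the web interface is exposed" constraint.

```sh
#!/bin/sh
# smoke.sh: CI smoke/startup check for a compose stack.
# Added example; service name, port and health URL are assumptions.
# Usage: sh smoke.sh run
set -eu

COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
SERVICE="${SERVICE:-web}"
HEALTH_URL="${HEALTH_URL:-http://127.0.0.1:8080/healthz}"

# Retry a probe command until it succeeds or the attempts are used up.
# wait_until <attempts> <interval-seconds> <command...>
wait_until() {
  attempts="$1"; interval="$2"; shift 2
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if "$@" >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  return 1
}

# True when the container's own HEALTHCHECK reports "healthy".
container_healthy() {
  cid=$(docker compose -f "$COMPOSE_FILE" ps -q "$1")
  [ -n "$cid" ] || return 1
  status=$(docker inspect --format '{{.State.Health.Status}}' "$cid")
  [ "$status" = "healthy" ]
}

# True when the HTTP probe answers 2xx (-f makes curl exit non-zero on 4xx/5xx).
http_ok() {
  curl -fsS --max-time 3 "$1"
}

# Count host-published ports in the effective compose file; `docker compose config`
# renders every port mapping in long syntax with a "published:" key.
published_ports() {
  docker compose -f "$COMPOSE_FILE" config | grep -c 'published:' || true
}

smoke() {
  docker compose -f "$COMPOSE_FILE" build --pull
  docker compose -f "$COMPOSE_FILE" up -d
  # Always dump logs and tear down, whether the check passes or fails.
  trap 'docker compose -f "$COMPOSE_FILE" logs --no-color; docker compose -f "$COMPOSE_FILE" down -v' EXIT

  [ "$(published_ports)" -le 1 ] || { echo "more than one published port" >&2; return 1; }
  wait_until 30 2 container_healthy "$SERVICE" || { echo "$SERVICE never became healthy" >&2; return 1; }
  wait_until 5 1 http_ok "$HEALTH_URL" || { echo "health endpoint unreachable" >&2; return 1; }
  echo "smoke test passed"
}

# Run the full flow only when invoked as `sh smoke.sh run`, so the helpers can be sourced alone.
if [ "${1:-}" = "run" ]; then
  smoke
fi
```

Polling `.State.Health.Status` ties the CI gate to the same healthcheck the orchestrator uses, so a container that starts but never becomes healthy fails the job instead of passing on a lucky fixed sleep.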

**Security & Compliance**
- Adhere to best practices for security, QA, engineering, and SRE/DevOps.
- Ensure compliance with applicable regimes (PCI, GDPR, SOC, FedRAMP, accessibility standards).
- Design for least privilege in containers and networks (non-root processes, dropped capabilities, no published ports beyond the web interface); never place credentials or secrets in images, image layers, or source control.
- Integrate static analysis, dependency scanning, and container image vulnerability scanning into CI.

**Accessibility**
- Prioritize accessibility from the start; satisfy the accessibility guidelines required by US Government contracts.
- Include accessibility checks in test and QA processes.

**Code Quality & Maintainability**
- Lint all artifacts (code, configuration, Dockerfiles, YAML).
- Do not incur technical debt; add the required tests, docs, and refactors as part of the change rather than deferring them.
- Maintain a clear, organized repository and docs. Keep docker-compose.yml and runbooks up to date.

**Operational/SRE Requirements**
- Provide healthchecks and metrics-friendly endpoints where applicable.
- Document startup, configuration, and rollback procedures.
- Ensure containers start quickly and deterministically for orchestration and smoke tests.

**Acceptance Checklist (must be satisfied before “done”)**
- [ ] Code follows TDD and has adequate tests
- [ ] Linting passes with zero warnings
- [ ] Container image builds reproducibly
- [ ] Container starts and passes smoke tests locally and in CI
- [ ] docker-compose.yml reflects current service topology
- [ ] Vulnerability and dependency scans show no critical issues
- [ ] Accessibility and applicable compliance checks pass
- [ ] Documentation and runbooks updated
- [ ] No outstanding technical debt items left untracked

Follow this checklist and these principles for every change to ensure secure, testable, and production-ready deliverables.