22 KiB
Engineering Constitution
This document freezes the engineering governance for ALLA OS after the Business Constitution (BU-R.0, BU-R.0.1, BU-R.1), Architecture Constitution (AR.1, AR.2), and Workspace UI Constitution are in place.
It defines how future implementation work must be designed, coded, reviewed, tested, and delivered.
1. Purpose and Precedence
Purpose
- keep implementation aligned with the Relationship-Driven Sales Workspace blueprint
- preserve current production foundations while enabling controlled extension
- prevent duplicate services, APIs, projections, UI systems, and business logic
- give engineers and AI agents one shared delivery model
Governance precedence
Future work must follow this order:
- business constitution and business blueprint documents
- architecture transition and epic technical design documents
- this Engineering Constitution
- workspace UI/UX governance
- existing approved foundations and feature implementations
If two sources conflict, the higher item in this list wins unless a newer accepted ADR explicitly replaces it.
Mandatory inputs before implementation
Every implementation task must review:
AGENTS.mddocs/standards/project-foundations.mddocs/standards/architecture-rules.mddocs/standards/ui-ux-rules.mddocs/standards/task-review-checklist.mddocs/standards/task-catalog.md- relevant
docs/adr/** - relevant
docs/business/** - relevant
docs/security/** - relevant
docs/implementation/** - relevant existing foundations under
src/features/foundation/** - relevant existing feature implementations under
src/features/**
No implementation may bypass this review-first rule.
2. Feature Architecture Rules
Feature ownership model
- each domain or shared capability must have one owning feature or foundation
- route handlers are HTTP boundaries, not business owners
- shared cross-cutting behavior must live in a foundation before a second feature reimplements it
- new CRM work must extend
src/features/crm/**orsrc/features/foundation/**instead of creating parallel top-level domains
Approved feature structure
Default structure for app-owned features:
src/features/<feature>/
api/
types.ts
service.ts
queries.ts
mutations.ts
components/
schemas/
server/
Allowed additions when justified:
adapters/for migration seams or projection adapterslib/for feature-local pure helpersconstants/for feature-local stable constantshooks/for feature-local client hooks
Layer responsibilities
api/types.ts: public TypeScript contracts for UI and service consumersapi/service.ts: client-facing API client wrappers onlyapi/queries.ts: React Query key factories and query optionsapi/mutations.ts: centralized mutation configs and invalidation behaviorcomponents/: UI composition onlyschemas/: request payload validation and form schemasserver/: business logic, persistence orchestration, scope enforcement, data shaping
Public and internal modules
- only
api/**,components/**, and explicitly shared helpers are public to outside consumers server/**is internal to the owning feature unless consciously reused by another server-side feature- client components must not import database or server-only modules
- cross-feature imports should target stable public contracts, not incidental internals
Shared module rules
- shared UI belongs in
src/components/**or an approved foundation/shared area - shared business logic belongs in the owning foundation or feature server layer
- do not create shared modules only to avoid choosing ownership
Cross-feature dependency rules
Allowed direction:
- app routes -> feature API/services/components
- route handlers -> auth/session/validation -> owning feature server services
- feature server services -> foundations and lower-level shared security/utilities
- projections/read models -> source services or approved dataset layers
Forbidden direction:
- source domains depending on projection-only domains for write behavior
- features reaching directly into another feature's UI internals
- client code importing Drizzle, server-only services, or auth enforcement modules
- projection code becoming the write owner of business lifecycle state
Feature registration rule
Before creating a new feature, confirm that the need cannot be satisfied by extending:
- an existing CRM feature
- an existing foundation
- an existing report, approval, PDF, storage, audit, or security layer
If a new feature is still required, document why reuse was insufficient.
3. Service Layer Standards
Service composition
The service layer owns business rules. It may be split into:
- business services
- query services
- projection services
- application/orchestration services
- domain-specific helper adapters
Frozen service rules
- route handlers stay thin
- services own business lifecycle rules
- services enforce server-side scope, pricing visibility, and permission-sensitive behavior
- services may call foundations and approved sibling services when reuse is explicit
- services must not contain UI concerns
- services must not authorize with raw role strings alone
Business ownership boundaries
Customerowns relationship anchor behaviorLeadowns early demand signal behaviorOpportunityowns project pursuit and won/lost outcome behaviorQuotationowns commercial document lifecycleApprovalowns approval workflow execution- future
Activityowns shared operational work records Timeline,Calendar,My Day,Manager, andExecutiveare read-model or workspace consumers, not primary write owners
Transaction boundary rules
- one service owns the transaction for one business mutation
- downstream side effects such as audit logging, notifications, event publishing, or artifact updates must happen from the owning service flow
- avoid multi-route, UI-driven orchestration for business-critical mutations
Query and projection service rules
- query services return read-ready data and may combine multiple foundations
- projection services are read-only and rebuildable
- projection services must not become hidden write paths
- report services must reuse the report foundation dataset and builder layers
Internal repository rule
This repo does not use a heavyweight repository architecture.
Allowed pattern:
- lightweight persistence helpers or adapters inside
server/ - Drizzle queries close to the owning service
Forbidden pattern:
- introducing a parallel abstract repository layer across the app without a project-level decision
4. Repository and Persistence Standards
Ownership
- each table or schema area must have a clear owning feature or foundation
- only the owning server service should perform write orchestration for its tables
- cross-feature readers should prefer owning services or approved read models before querying tables directly
Persistence rules
- use Drizzle ORM for database access
- keep SQL and query composition inside server services or approved dataset modules
- reuse existing dataset and export services for reporting work
- do not move domain logic into route handlers just because Drizzle is easy to call there
Backward compatibility
- preserve existing production contracts while extending them
- use additive migration patterns first
- dual-read or adapter-first strategies are preferred for high-risk transitions such as Activity and projection work
5. API Standards
Boundary
- Route Handlers under
src/app/api/**are the default HTTP boundary - new CRM APIs belong under
/api/crm/** - settings or foundation APIs belong under their existing route families
Route handler contract
Every route handler should:
- require session or organization access
- validate permissions
- parse and validate request input
- build access/security context when needed
- call the owning server service
- map response
- log audit or security events where applicable
Naming and path rules
- use plural resource names for collection routes
- use nested child routes only when the child lifecycle is truly parent-scoped
- use action routes only for explicit domain transitions such as
mark-won,submit-approval,complete,cancel - avoid generic verb-heavy route families when a resource-oriented route can express the behavior
Validation
- use Zod for request validation at the boundary
- reuse feature schemas where possible
- validation error messages should be business-readable and not leak backend detail
Response rules
- preserve current stable contract shapes inside an existing route family
- new routes should prefer predictable JSON responses with clear success, data, and meta sections when not constrained by an existing family
- list routes should return pagination metadata when pagination exists
- API responses must remain ISO-8601 UTC for datetime fields
Authorization
- use
requireSession(),requireSystemRole(), orrequireOrganizationAccess() - CRM routes must apply resolved CRM access and scope enforcement
- UI visibility never replaces server authorization
Filtering, sorting, and search
- filters should be explicit, typed, and documented in feature contracts
- use URL-driven filter state for shareable list screens
- keep filtering semantics aligned between on-screen data and exports
Versioning strategy
- preserve compatible route contracts whenever possible
- prefer additive fields and child routes over breaking replacements
- introduce a new route shape only when compatibility cannot be preserved cleanly
6. Business Event, Projection, and Timeline Rules
Event philosophy
- business events are immutable facts emitted after successful state changes
- events are not a replacement for audit logs
- events may fan out to timeline, calendar, dashboard, notification, reminder, or future automation
Publisher ownership
- source-domain services publish their own events
- do not centralize event publishing in UI or ad hoc route helpers
- preserve current approval notification compatibility while expanding the event model
Event contract rules
- use lowercase dot-separated event names
- include
schemaVersion - include organization, entity, actor, primary record, related records, and visibility context
- event payloads must avoid leaking pricing-sensitive or unauthorized commercial data
Projection rules
TimelineandCalendarare generated projections only- projections are read-only and rebuildable
- projections never own lifecycle state
- phase 1 projection services should favor query-time generation or cacheable read models before new authoritative tables
Projection ownership
- activity projections belong to the Activity and projection layers
- milestone projections remain owned by their source domain semantics
- dashboard and reports consume projections or source datasets but do not become source-of-truth mutations
Idempotency and dedupe
- event publication and subscribers must support safe retry behavior
- notification or projection consumers must guard against duplicate fan-out
- approval events require extra care because notification publishing already exists
7. UI Engineering Rules
Required UI inputs
All user-facing work must review:
layout.mddocs/standards/ui-ux-rules.md- relevant business terminology docs
- nearby production screens in the same route family
Major workspace surfaces must also reference:
BU-R.0BU-R.0.1BU-R.1AR.1AR.2- the latest workspace UI/UX design note
Frozen UI rules
- preserve the existing dashboard shell
- use
PageContainerfor dashboard page framing - reuse shadcn/ui primitives and app wrappers
- reuse existing table, form, filter, dialog, sheet, badge, and status patterns before creating new ones
- new business-role workspaces live under
/dashboard/crm/*, not/dashboard/workspaces - no code-first implementation for major new workspace surfaces without an approved design note
Data and state rules
- server components first
- use React Query for server-state fetching
- use server prefetch plus
HydrationBoundaryfor data-heavy app pages - use
nuqsfor shareable URL state - use TanStack Form plus Zod for new forms
UX state rules
Every surface must define:
- loading states
- empty states
- error states
- disabled and pending action states
- permission-aware visibility behavior
- responsive behavior
Accessibility rules
- semantic controls and accessible names are required
- keyboard navigation must remain usable for tables, dialogs, sheets, tabs, and menus
- focus behavior must be predictable
- status cannot be conveyed by color alone
8. Code Quality Standards
Naming
- use business terms frozen by the business and architecture constitutions
- keep active production terminology aligned with
opportunity, not historicalenquiry, unless touching historical-only documentation - use clear, explicit function and file names over vague generic helpers
File and folder naming
- keep file names lowercase kebab-case unless a framework convention requires otherwise
- use stable feature-local names such as
service.ts,queries.ts,mutations.ts,types.ts - avoid creating near-duplicate files with ambiguous suffixes like
service2,new, orfinal
TypeScript rules
- strict typing is required
- avoid
any - define public contracts explicitly in
api/types.tsor equivalent shared contracts - keep server-only and client-safe types clearly separated when necessary
Error handling
- expected business or authorization failures should produce explicit typed or status-aware errors
- do not leak SQL or infrastructure internals to business-facing surfaces
- centralize reusable failure behavior where patterns already exist
Logging and audit
- use the audit foundation for business mutations, exports, and sensitive denials
- use ordinary console logging only for operational debugging or unexpected failures
- logs must not become a substitute for governed audit events
Validation
- validate at the boundary
- revalidate critical business invariants inside services when necessary
- do not trust client-side validation alone
Comments
- comments should explain non-obvious business or security rules
- avoid comments that restate the code
Technical debt policy
- prefer preserve -> extend -> controlled refactor -> replace
- small cleanup is encouraged when it improves safety or clarity
- unrelated rewrites are prohibited
9. Database and Migration Standards
Migration strategy
- additive, backward-compatible migrations are preferred
- schema changes must preserve current production behavior until replacement paths are proven
- high-risk data model changes must document migration and coexistence strategy first
Schema ownership
- schema changes must be owned by the relevant feature or foundation
- projection schemas, if introduced later, must remain clearly separate from source-of-truth tables
Rollback strategy
- every risky migration must define rollback or safe-disable behavior
- do not require emergency manual data surgery as the normal rollback path
Seed strategy
- foundation seeds remain the source for governed options and bootstrap records where already used
- new seed data must be deterministic and documented
Explicit non-changes rule
Documentation-only tasks must not silently modify schema, migrations, or runtime persistence behavior.
10. Testing Standards
Minimum testing lens
Each implementation must define the right mix of:
- unit tests
- service tests
- route handler or API tests
- permission and scope tests
- projection and event tests where applicable
- regression tests for preserved behavior
- manual verification scenarios
Required test themes
- happy path behavior
- permission denial behavior
- scope enforcement behavior
- pricing visibility behavior for quotation-derived outputs
- audit/event side effects when applicable
- cache freshness after CRUD mutations
Projection and event testing
- timeline and calendar work must verify ordering, filtering, visibility, and dedupe behavior
- event-driven work must verify idempotency and compatibility with existing notification flows
UAT checklist baseline
- loading state visible
- empty state helpful
- error state actionable
- successful mutation refreshes the affected UI without manual browser refresh
- mobile and desktop layouts remain usable
11. Delivery Rules
Epic lifecycle
Each epic must define:
- objective
- non-goals
- reviewed history and foundations
- API and service boundaries
- security and pricing rules
- audit and event behavior
- verification plan
- rollout and rollback notes when risk is non-trivial
Feature lifecycle
For feature implementation:
- review requirements and historical context
- identify reuse targets
- confirm architecture and security boundaries
- define smallest viable extension
- implement in the owning layer
- self-review architecture, UI, data freshness, and security
- validate
- document results
Review gates
- architecture review
- business rule review
- security and permission review
- UI consistency review for user-facing work
- regression and backward-compatibility review
Release and rollback baseline
- document migrations and toggles when present
- document impacted routes or surfaces
- document known compatibility seams
- document rollback or safe-disable path for non-trivial changes
12. Definition of Done
Feature
- required review completed
- foundations reused or non-reuse rationale documented
- implementation stays within approved architecture
- permissions, scope, and pricing visibility enforced server-side where applicable
- audit and event behavior handled where required
- loading, empty, error, disabled, and success states covered for user-facing work
- validation completed and recorded
- documentation updated if governance or reusable patterns changed
Epic
- feature-level done conditions met for each delivered slice
- sequence and dependency assumptions remain compatible with
AR.2 - cross-feature duplication was not introduced
- migration or rollout notes recorded for future slices
Bug Fix
- root cause identified
- fix scoped to the owning layer
- regression risk checked
- validation performed against the failing scenario
Refactor
- ownership and behavior preserved unless explicitly approved otherwise
- backward compatibility risks documented
- no unrelated behavior churn introduced
13. AI Engineering Rules
AI contributors must follow the same governance as human contributors.
Mandatory AI rules
- review before implementation
- reuse before creation
- preserve before refactor
- never duplicate business logic, lifecycle logic, projection logic, or permission logic
- identify existing services, routes, and components before adding new ones
- keep route handlers thin
- keep business logic in services
- keep projections read-only
- record assumptions and validation results
AI implementation checklist
Before writing code, confirm:
- business constitution reviewed
- architecture constitution reviewed
- engineering constitution reviewed
- workspace UI constitution reviewed when UI is involved
- relevant ADRs reviewed
- related implementation history reviewed
- relevant foundations inspected
- existing pattern search completed
- reuse plan chosen
- validation plan defined
14. Code Review Checklist
Architecture
- does the change extend the right owning feature or foundation?
- does it avoid parallel services, APIs, or UI systems?
- does it preserve route-handler-thin and service-owned business logic?
Business
- does it follow frozen domain ownership and terminology?
- does it avoid moving responsibility into the wrong layer?
Security
- are permission, scope, and pricing rules enforced server-side?
- are raw role-string checks avoided?
- are denials audited when needed?
Performance and data freshness
- are query keys and invalidation complete?
- are projections or datasets using the approved read paths?
- does the UI refresh correctly after mutation?
Accessibility and UI consistency
- does the surface reuse approved page, table, form, dialog, and state patterns?
- are loading, empty, error, and responsive states covered?
Maintainability and backward compatibility
- are contracts explicit?
- does the change avoid hidden coupling and duplicate logic?
- are compatibility seams, rollout notes, or follow-up risks documented?
15. Engineering Decision Matrix
Use this matrix before choosing implementation strategy.
Preserve
Use when:
- the existing module already owns the behavior
- the change is additive or corrective
- replacement would create unnecessary migration risk
Extend
Use when:
- the existing module is the correct owner
- new capability fits the current architecture
- a controlled addition avoids parallel systems
Controlled Refactor
Use when:
- current ownership is correct but the structure blocks safe extension
- refactor reduces duplication or clarifies a reusable seam
- compatibility can be preserved during the change
Replace
Use only when:
- preserve, extend, and controlled refactor are insufficient
- replacement rationale is explicit
- migration and rollback strategy are documented
- governance review accepts the risk
Explicit rule
If a task cannot explain why it is preserving, extending, refactoring, or replacing, it is not ready for implementation.
16. Official ENG.0 Outcome
ENG.0 freezes one engineering model for future ALLA OS implementation:
- review-first
- reuse-first
- service-owned business logic
- route-handler-thin API boundaries
- resolved-access security enforcement
- projection-as-read-model, not source-of-truth
- shared UI shell preservation
- explicit validation, audit, and delivery discipline
No future implementation epic may bypass this constitution.