CI/CD & Build Hygiene rules

All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.

Add a CI step that fails builds if secret patterns (JWT, AWS keys) or high-entropy strings are detected in diffs.

Root package.json must define the packageManager field (e.g., "pnpm@9.x") and the repo must not contain other lockfiles or tool config (e.g., yarn.lock, package-lock.json) conflicting with that choice.

CI must fail the build when line coverage drops below the project threshold (e.g., 80%); publish coverage reports as artifacts.

Produce an SBOM (e.g., SPDX/CycloneDX) during CI and block releases if SCA finds CVEs ≥ High severity or disallowed licenses.

Permit exactly one lockfile at the monorepo root (pnpm-lock.yaml, yarn.lock, or package-lock.json). Forbid lockfiles inside workspace packages. Validate against PR changes and existing tree.

Use version constraints for required_providers and modules, and include .terraform.lock.hcl in PRs that change dependencies.

CI logs must redact secrets and CHD; disable shell xtrace, and add a job that fails if PAN regex (e.g., [0-9]{13,19} with Luhn) appears in logs/artifacts. (PCI DSS 4.0 Req. 10 & CI hygiene)

CI must run fmt/validate, produce and upload a plan artifact (e.g., terraform plan -out plan.bin), run policy-as-code (e.g., tfsec/checkov/conftest), and gate apply on manual approval for prod.

Configure a remote backend with state locking (e.g., S3 + DynamoDB table or AzureRM blob with leases). Do not use local backend for shared environments.

When a PR changes dependency manifests (e.g., package.json, yarn.lock, requirements.txt, composer.json), check for known vulnerabilities and risky packages. - If an OSV/SCA MCP is available: query it for the new package versions and flag recent CVEs. - Otherwise: require evidence (audit output, advisory links) in the PR description. Also flag suspicious packages (typosquats, low-maintenance critical libs, unexpected transitive jumps) and require lockfile updates.

Add a CI job that validates docs/adr/ files: filename pattern, required sections, valid Status, presence of PR/issue links, and optional schema (YAML front matter).

Implement a scheduled worker to delete or anonymize records past expires_at, with metrics on deletions and failures. Dry-run mode allowed only in non-prod.

Establish maintenance windows and freeze periods; emergency overrides require incident_id, approver, and post-facto review logged in the audit trail.

List all included builds/modules in settings.gradle and manage versions via gradle/libs.versions.toml (version catalogs). Forbid hardcoded versions and repo declarations in module build.gradle files.

Changes that create new ePHI stores must also include retention configuration and a scheduled purge job aligned to policy (e.g., 6 years). Document tables/collections covered and add tests for TTL behavior.

Define scalaVersion and library versions in version.sbt or ThisBuild in build.sbt; modules must not override scalaVersion or pin conflicting dependency versions locally.

In turbo.json, each task must set dependsOn (e.g., "^build") and outputs (e.g., "dist/"). Require cache:true for build/test/lint pipelines unless explicitly justified.