Dependency & Supply Chain rules

Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.

Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.

Registry configuration (e.g., .npmrc, .yarnrc.yml) must live at the monorepo root. Forbid .npmrc files inside workspace packages overriding registry auth or URL.

Produce an SBOM (e.g., SPDX/CycloneDX) during CI and block releases if SCA finds CVEs ≥ High severity or disallowed licenses.

Before sending PII to processors, verify the destination region is approved (e.g., BR/EEA with SCC/DPA). Block requests that include personal data and target non-approved regions.

Permit exactly one lockfile at the monorepo root (pnpm-lock.yaml, yarn.lock, or package-lock.json). Forbid lockfiles inside workspace packages. Validate against PR changes and existing tree.

Access tokens, HMAC salts, and KMS keys for PHI flows must come from a secret manager or encrypted credentials store; forbid committing secrets or .env files to the repo.

Use immutable image digests (repo@sha256:...) instead of mutable tags for production workloads.

Base images must be pinned to an exact version and content digest (@sha256) to guarantee reproducible builds and supply-chain integrity.

Use version constraints for required_providers and modules, and include .terraform.lock.hcl in PRs that change dependencies.

When a PR changes dependency manifests (e.g., package.json, yarn.lock, requirements.txt, composer.json), check for known vulnerabilities and risky packages. - If an OSV/SCA MCP is available: query it for the new package versions and flag recent CVEs. - Otherwise: require evidence (audit output, advisory links) in the PR description. Also flag suspicious packages (typosquats, low-maintenance critical libs, unexpected transitive jumps) and require lockfile updates.

Use Directory.Packages.props at the repo root to declare PackageVersion entries. Workspace .csproj files must reference packages without embedding Version attributes.

In the root Cargo.toml, define [workspace] members and manage shared versions under [workspace.dependencies]. Member Cargo.toml files must not pin versions for crates declared centrally.

Use `npm ci` for reproducible installs in build stages; in runtime, run `npm prune --omit=dev` or install with `--omit=dev`.

When configuring processors outside the EEA, annotate the config with transfer_mechanism (e.g., SCCs) and link to the signed SCC document; prevent enablement without this metadata. (GDPR Art. 46)

Avoid functions or extensions deprecated in recent PHP versions (e.g., mysql_* or preg_replace without proper delimiters). Use modern supported alternatives like PDO/MySQLi for DB or PCRE functions (preg_match, preg_replace with correct syntax).

Pin cryptography libraries to vetted versions (e.g., BouncyCastle FIPS) and generate a CycloneDX SBOM as part of the build. Reject PRs introducing floating or insecure versions. (PCI DSS 4.0 Req. 6 & supply chain)

Use a fully qualified Node.js tag including major.minor.patch, not floating majors/minors.