---
# Policy metadata. How the validator consumes these fields is not visible in this file.
meta:
  version: "2.0"
  # NOTE(review): presumably the default applied when a rule sets no level of its own.
  # The code_rules entries use `severity: "block"` (different key, lower case) rather than
  # `enforcement: "BLOCK"` - confirm the validator treats both as blocking.
  enforcement_level: "BLOCK"
  last_updated: "2026-01-19"

# Ticket traceability: a PR has to cite a Jira ticket. Which field is inspected (title,
# description, branch) and whether the regex is searched or fully matched is decided by
# the validator, not by this file.
ticket_requirements:
  required: true
  # Decodes to the regex PB-\d+ (YAML double quotes turn \\ into a single backslash).
  # NOTE(review): no anchors or word boundary, so under search semantics text such as
  # "XPB-1" also satisfies it, and nothing here checks that the ticket exists - confirm
  # the validator resolves the key against Jira if traceability is an audit control.
  pattern: "PB-\\d+"
  enforcement: "BLOCK"
  message: "PR must reference a Jira ticket (e.g., PB-123)"

  # Conditional requirements for Performance tickets
  performance:
    # Applies when the referenced ticket has type "Performance"; presumably the type is
    # read from Jira - confirm.
    triggers:
      - ticket_type: "Performance"
    # NOTE(review): where these fields are looked up (ticket or PR description) is not
    # stated here - TODO confirm.
    required_fields:
      - "baseline_metrics"
      - "target_sla"
    enforcement: "BLOCK"
    message: "Performance tickets must include baseline metrics and target SLA"

# Shape of the merge request itself: title, description sections and branch name.
mr_structure:
  title:
    min_length: 10
    # Decodes to ^(feat|fix|docs|refactor|test|chore):\s.+ - one of six types, a colon,
    # one whitespace character, then text. A scoped title such as "feat(api): ..." does
    # not match because the colon must directly follow the type.
    pattern: "^(feat|fix|docs|refactor|test|chore):\\s.+"
    enforcement: "BLOCK"
    message: "Title must follow conventional commits format"

  description:
    min_total_length: 50
    enforcement: "BLOCK"
    # Each section is identified by its markdown heading and has its own minimum length
    # and enforcement level. Only "## Why" is WARN; the other two are BLOCK.
    # NOTE(review): length is the only content check visible here, and no section asks
    # for security impact - consider whether one is wanted.
    required_sections:
      - name: "## What Changed"
        min_length: 20
        enforcement: "BLOCK"
      - name: "## Why"
        min_length: 20
        enforcement: "WARN"
      - name: "## Testing"
        min_length: 10
        enforcement: "BLOCK"

  branch_naming:
    # Decodes to ^(feature|bugfix|hotfix)\/[a-z0-9-]+$ - a fixed prefix, a slash, then
    # lower-case letters, digits and hyphens only.
    # NOTE(review): enforcement is WARN, so presumably non-conforming names still reach
    # the pipeline; jobs that use the branch name in commands or paths should not rely
    # on this character set.
    pattern: "^(feature|bugfix|hotfix)\\/[a-z0-9-]+$"
    enforcement: "WARN"
    examples:
      - "feature/add-user-api"
      - "bugfix/fix-login-error"
      - "hotfix/security-patch"

# Rules keyed on which paths a change touches. `when` selects files by regex; `then`
# states what must also hold. Matching mode (search vs. full match) is up to the validator.
file_rules:
  # Migration rollback requirement
  - name: "migration-rollback-required"
    when:
      # Decodes to migrations/.*\.sql with no anchors; under search semantics a path such
      # as "migrations/x.sql.bak" is also selected.
      pattern: "migrations/.*\\.sql"
    then:
      # NOTE(review): presumably a substring check for both markers, so an empty
      # "-- DOWN" section would still pass - confirm whether the rollback body is checked.
      content_must_include:
        - "-- UP"
        - "-- DOWN"
      or_fail: "Database migrations must include rollback (-- DOWN) section"
    enforcement: "BLOCK"
    message: "Migration file must have rollback capability"
    reference: "docs/adr/ADR-003-database-standards.md"

  # Package.json changes require lock file
  - name: "package-lock-required"
    when:
      # Decodes to package\.json, unanchored: nested manifests are selected too, and so
      # would a name like "my-package.json" under search semantics.
      pattern: "package\\.json"
    then:
      # NOTE(review): only the presence of package-lock.json in the change is required.
      # The reverse case - a lock file edited without package.json, where resolved URLs
      # or integrity hashes can change unnoticed - is not covered by this rule, and
      # repositories using yarn.lock or pnpm-lock.yaml cannot satisfy it.
      require:
        - "package-lock.json"
    enforcement: "BLOCK"
    message: "Changes to package.json must include package-lock.json"

  # Schema changes require ADR
  - name: "schema-changes-require-adr"
    when:
      # Fires if any listed regex matches; "migrations/.*" overlaps the rollback rule above.
      any:
        - "migrations/.*"
        - "schema/.*"
    then:
      # NOTE(review): presumably the change must also touch a file matching adr_pattern
      # (decodes to docs/adr/.*\.md) - confirm. Any ADR file would qualify, not
      # necessarily one about this schema change.
      require_adr: true
      adr_pattern: "docs/adr/.*\\.md"
    enforcement: "WARN"
    message: "Database schema changes should be documented with an ADR"

# Regex screens over changed source. These are line/text heuristics: they produce both
# misses and false alarms and do not replace parameterized queries, code review or a
# dedicated secret scanner.
# NOTE(review): these entries use `severity: "block"` while every other rule in this file
# uses `enforcement: "BLOCK"` - confirm the validator maps both to a blocking result.
code_rules:
  anti_patterns:
    # SQL Injection
    - name: "no-sql-injection"
      # Single-quoted YAML, so the regex is used as written: NAME.query( directly followed
      # by a template literal that contains ${...} and ends with }`).
      # NOTE(review): the closing `}` must sit immediately before the final backtick and
      # `)`. A query with text after its last interpolation, with a second argument, with
      # whitespace after `(`, or built by `+` concatenation is not matched on its own.
      # [\s\S]*? also crosses backticks and lines, so a match can span unrelated literals.
      # A tighter candidate is \w+\.query\(\s*`[^`]*\$\{ - test it against the validator's
      # regex dialect before adopting.
      pattern: '\w+\.query\(`[\s\S]*?\$\{[\s\S]*?\}`\)'
      # NOTE(review): only *.ts is scanned; .tsx/.js files are outside this glob.
      files: "**/*.ts"
      severity: "block"
      message: "Potential SQL injection vulnerability detected"
      reference: "docs/adr/ADR-004-security-standards.md"

    # Password exposure
    - name: "no-password-exposure"
      # Case-insensitive "select" followed later by "password", spelled with character
      # classes instead of a flag.
      # NOTE(review): in most dialects `.` stops at a newline, so a multi-line query with
      # the column on a later line is missed, as is "SELECT *" (which returns the column
      # without naming it). Identifiers or UI text containing both words will match.
      pattern: "[Ss][Ee][Ll][Ee][Cc][Tt].*[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]"
      files: "**/*.ts"
      severity: "block"
      message: "Do not select password fields"
      reference: "docs/adr/ADR-004-security-standards.md"

    # Hardcoded secrets
    - name: "no-hardcoded-secrets"
      # Decodes to (api[_-]?key|secret|password|token)\s*[=:]\s*['"]\w+ with each letter
      # matched in either case: a keyword, `=` or `:`, then a quoted value that starts
      # with a word character.
      # NOTE(review): misses unquoted values (env-style files), backtick-quoted values,
      # JSON keys (the closing quote sits between keyword and colon), values starting
      # with a non-word character, and secrets stored under other names. Test fixtures
      # and placeholders will match because files is "**/*".
      # Unlike the two rules above, this one has no `reference` entry.
      pattern: "([Aa][Pp][Ii][_-]?[Kk][Ee][Yy]|[Ss][Ee][Cc][Rr][Ee][Tt]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]|[Tt][Oo][Kk][Ee][Nn])\\s*[=:]\\s*['\"]\\w+"
      files: "**/*"
      severity: "block"
      message: "Hardcoded secrets detected - use environment variables"

# Advisory cap on PR size (WARN only).
# NOTE(review): how lines are counted is not defined here; lock-file diffs required by
# the package-lock rule may exceed 500 lines on their own - confirm whether generated
# files are excluded.
size_limits:
  max_files_changed: 20
  max_lines_changed: 500
  enforcement: "WARN"
  message: "PR is too large - consider breaking into smaller PRs"
---

# Engineering Code Review Policy

This policy defines our code review standards and requirements.

## Purpose
Ensure consistent, high-quality code reviews across all repositories.

## Enforcement
This policy is enforced through automated validation in our CI/CD pipeline. The pattern-based code rules are a first-pass screen; they do not replace reviewer judgement.
