project initialization

.specify/memory/constitution.md

@@ -1,50 +1,77 @@
-# [PROJECT_NAME] Constitution
-<!-- Example: Spec Constitution, TaskFlow Constitution, etc. -->
+# SME SaaS Suite Constitution
 
 ## Core Principles
 
-### [PRINCIPLE_1_NAME]
-<!-- Example: I. Library-First -->
-[PRINCIPLE_1_DESCRIPTION]
-<!-- Example: Every feature starts as a standalone library; Libraries must be self-contained, independently testable, documented; Clear purpose required - no organizational-only libraries -->
+### I. Modular-First
 
-### [PRINCIPLE_2_NAME]
-<!-- Example: II. CLI Interface -->
-[PRINCIPLE_2_DESCRIPTION]
-<!-- Example: Every library exposes functionality via CLI; Text in/out protocol: stdin/args → stdout, errors → stderr; Support JSON + human-readable formats -->
+Every feature is implemented as a standalone **module** (POS, Booking, CRM, etc.).
 
-### [PRINCIPLE_3_NAME]
-<!-- Example: III. Test-First (NON-NEGOTIABLE) -->
-[PRINCIPLE_3_DESCRIPTION]
-<!-- Example: TDD mandatory: Tests written → User approved → Tests fail → Then implement; Red-Green-Refactor cycle strictly enforced -->
+* Modules must be self-contained, testable, and well-documented.
+* Modules can be enabled/disabled per tenant based on subscription.
+* No feature should hard-depend on another module except via well-defined contracts.
 
-### [PRINCIPLE_4_NAME]
-<!-- Example: IV. Integration Testing -->
-[PRINCIPLE_4_DESCRIPTION]
-<!-- Example: Focus areas requiring integration tests: New library contract tests, Contract changes, Inter-service communication, Shared schemas -->
+### II. Multi-Tenant by Design
 
-### [PRINCIPLE_5_NAME]
-<!-- Example: V. Observability, VI. Versioning & Breaking Changes, VII. Simplicity -->
-[PRINCIPLE_5_DESCRIPTION]
-<!-- Example: Text I/O ensures debuggability; Structured logging required; Or: MAJOR.MINOR.BUILD format; Or: Start simple, YAGNI principles -->
+Tenant data must always be isolated and protected.
 
-## [SECTION_2_NAME]
-<!-- Example: Additional Constraints, Security Requirements, Performance Standards, etc. -->
+* All services enforce `tenant_id` checks at DB and API layers.
+* Multi-tenancy is implemented with row-level security in PostgreSQL.
+* No cross-tenant data leakage tolerated.
 
-[SECTION_2_CONTENT]
-<!-- Example: Technology stack requirements, compliance standards, deployment policies, etc. -->
+### III. Test-First Development (Non-Negotiable)
 
-## [SECTION_3_NAME]
-<!-- Example: Development Workflow, Review Process, Quality Gates, etc. -->
+* TDD is mandatory: write failing test → implement feature → pass test → refactor.
+* Red-Green-Refactor cycle enforced.
+* Each module requires:
 
-[SECTION_3_CONTENT]
-<!-- Example: Code review requirements, testing gates, deployment approval process, etc. -->
+  * Unit tests (≥ 80% coverage)
+  * Integration tests for inter-module APIs
+  * End-to-end tests for user workflows
+
+### IV. Observability & Debuggability
+
+* Structured logging with `tenant_id`, `user_id`, `module` metadata required.
+* Metrics (latency, error rate, DB queries) collected per module.
+* Errors must include clear context (trace ID + tenant info).
+* Debug mode outputs JSON + human-readable logs.
+
+### V. Simplicity & Maintainability
+
+* Prefer minimal solutions (YAGNI principle: *You Aren’t Gonna Need It*).
+* UI/UX designed for low digital literacy users (SMEs).
+* No hidden complexity: every architectural decision must be justified in writing.
+
+---
+
+## Security & Compliance
+
+* All API calls require JWT auth with tenant scope.
+* Role-based access control: Owner, Manager, Staff.
+* Data encrypted at rest (Postgres, S3 storage) and in transit (HTTPS/TLS).
+* Payment integration (Stripe/Midtrans) must meet PCI-DSS compliance.
+* Regular security audits + penetration testing required before major releases.
+
+---
+
+## Development Workflow
+
+* **Branches:** `main` (stable), `dev` (integration), `feature/*` (modules).
+* **Reviews:** All PRs require at least 1 reviewer approval.
+* **CI/CD Gates:**
+
+  * Unit + integration tests must pass.
+  * Linting + type checks required.
+  * Vulnerability scan required.
+* **Deployment:** Automated via Docker + Kubernetes. Canary releases before full rollout.
+* **Release Cycle:** Monthly minor releases, quarterly major releases.
+
+---
 
 ## Governance
-<!-- Example: Constitution supersedes all other practices; Amendments require documentation, approval, migration plan -->
 
-[GOVERNANCE_RULES]
-<!-- Example: All PRs/reviews must verify compliance; Complexity must be justified; Use [GUIDANCE_FILE] for runtime development guidance -->
+* This Constitution supersedes all coding styles and practices.
+* Amendments require documentation + team approval.
+* No module may ship without compliance to principles.
+* Exceptions must be documented with expiration date.
 
-**Version**: [CONSTITUTION_VERSION] | **Ratified**: [RATIFICATION_DATE] | **Last Amended**: [LAST_AMENDED_DATE]
-<!-- Example: Version: 2.1.1 | Ratified: 2025-06-13 | Last Amended: 2025-07-16 -->
+**Version**: 1.0.0 | **Ratified**: 2025-10-04 | **Last Amended**: 2025-10-04