# SME SaaS Suite Constitution ## Core Principles ### I. Modular-First Every feature is implemented as a standalone **module** (POS, Booking, CRM, etc.). * Modules must be self-contained, testable, and well-documented. * Modules can be enabled/disabled per tenant based on subscription. * No feature should hard-depend on another module except via well-defined contracts. ### II. Multi-Tenant by Design Tenant data must always be isolated and protected. * All services enforce `tenant_id` checks at DB and API layers. * Multi-tenancy is implemented with row-level security in PostgreSQL. * No cross-tenant data leakage tolerated. ### III. Test-First Development (Non-Negotiable) * TDD is mandatory: write failing test → implement feature → pass test → refactor. * Red-Green-Refactor cycle enforced. * Each module requires: * Unit tests (≥ 80% coverage) * Integration tests for inter-module APIs * End-to-end tests for user workflows ### IV. Observability & Debuggability * Structured logging with `tenant_id`, `user_id`, `module` metadata required. * Metrics (latency, error rate, DB queries) collected per module. * Errors must include clear context (trace ID + tenant info). * Debug mode outputs JSON + human-readable logs. ### V. Simplicity & Maintainability * Prefer minimal solutions (YAGNI principle: *You Aren’t Gonna Need It*). * UI/UX designed for low digital literacy users (SMEs). * No hidden complexity: every architectural decision must be justified in writing. --- ## Security & Compliance * All API calls require JWT auth with tenant scope. * Role-based access control: Owner, Manager, Staff. * Data encrypted at rest (Postgres, S3 storage) and in transit (HTTPS/TLS). * Payment integration (Stripe/Midtrans) must meet PCI-DSS compliance. * Regular security audits + penetration testing required before major releases. --- ## Development Workflow * **Branches:** `main` (stable), `dev` (integration), `feature/*` (modules). * **Reviews:** All PRs require at least 1 reviewer approval. * **CI/CD Gates:** * Unit + integration tests must pass. * Linting + type checks required. * Vulnerability scan required. * **Deployment:** Automated via Docker + Kubernetes. Canary releases before full rollout. * **Release Cycle:** Monthly minor releases, quarterly major releases. --- ## Governance * This Constitution supersedes all coding styles and practices. * Amendments require documentation + team approval. * No module may ship without compliance to principles. * Exceptions must be documented with expiration date. **Version**: 1.0.0 | **Ratified**: 2025-10-04 | **Last Amended**: 2025-10-04