Global Mandates
All 50 global mandates are active on every project regardless of vertical. They cover security, code quality, compliance, architecture, and process.
mandate_1: AI-native baseline

```yaml
id: mandate_1
name: AI-native baseline
version: 1.0.0
category: process
severity: blocking
rules:
  - id: agent-executable
    description: Every feature must be implementable by an AI agent without human intervention.
    check: custom
    checker: checks/agent-executable.js
    action: block
    message: "Feature requires human-only action. Redesign so an agent can execute it."
```

mandate_7: Security baseline
```yaml
id: mandate_7
name: Security Baseline
version: 1.2.0
category: security
severity: blocking
applies_to: [builder, reviewer, guardian]
rules:
  - id: no-raw-sql
    description: All DB queries must use parameterized statements or an ORM.
    check: ast-pattern
    pattern: '\.(query|exec)\(`'
    file_pattern: "src/**/*.ts"
    action: block
  - id: security-headers
    description: HTTP responses must include standard security headers.
    check: file-contains
    file: "src/**/*server*.ts"
    pattern: "helmet|Content-Security-Policy"
    action: block
  - id: no-eval
    description: No eval() or Function() constructor.
    check: ast-pattern
    pattern: "CallExpression[callee.name=eval]"
    action: block
  - id: rate-limit
    description: All public endpoints must have rate limiting middleware.
    check: custom
    checker: checks/rate-limit-coverage.js
    action: block
```

mandate_8: Dependency hygiene
```yaml
id: mandate_8
name: Dependency Hygiene
version: 1.1.0
category: compliance
severity: blocking
rules:
  - id: no-gpl
    description: GPL-licensed dependencies are prohibited.
    check: custom
    checker: checks/license-scan.js
    config:
      forbidden: [GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-3.0, AGPL-3.0]
      allowed: [MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD]
    action: block
  - id: no-abandoned
    description: Dependencies must have been published within 24 months.
    check: custom
    checker: checks/package-freshness.js
    config:
      maxMonthsSincePublish: 24
    action: warn
  - id: no-known-cve
    description: Dependencies must not have known critical CVEs.
    check: custom
    checker: checks/cve-scan.js
    config:
      minimumSeverity: critical
    action: block
```

mandate_10: TypeScript strict mode
```yaml
id: mandate_10
name: TypeScript Strict Mode
version: 1.0.0
category: quality
severity: blocking
rules:
  - id: strict-tsconfig
    # Quoted: a bare "strict: true" inside a plain scalar is not valid YAML.
    description: "tsconfig.json must have strict: true."
    check: json-schema
    file: "tsconfig.json"
    schema:
      properties:
        compilerOptions:
          properties:
            strict: { const: true }
          required: [strict]
    action: block
  - id: typecheck-clean
    description: tsc --noEmit must exit 0.
    check: shell-command
    command: "pnpm tsc --noEmit"
    action: block
```

mandate_12: Completion certificate
```yaml
id: mandate_12
name: Completion Certificate
version: 1.0.0
category: process
severity: blocking
rules:
  - id: cert-required
    description: Every agent task must produce a completion certificate before advancing.
    check: custom
    checker: checks/certificate-present.js
    action: block
  - id: cert-valid
    description: The certificate must validate against the CompletionCertificate schema.
    check: json-schema
    file: ".defiant/certificate.json"
    schema:
      required: [agentId, sprintId, state, typecheckPassed, testsPassed, mandateViolations]
      properties:
        typecheckPassed: { const: true }
        testsPassed: { const: true }
        mandateViolations: { maxItems: 0 }
    action: block
```

mandate_15: No debug artifacts
```yaml
id: mandate_15
name: No Debug Artifacts
version: 1.0.0
category: quality
severity: blocking
rules:
  - id: no-console-log
    description: No console.log in committed code.
    check: regex-match
    pattern: "console\\.log\\("
    file_pattern: "src/**/*.ts"
    action: block
    message: "console.log found at {{ file }}:{{ line }}. Remove before committing."
  - id: no-todo-comments
    description: No TODO or FIXME comments in committed code.
    check: regex-match
    pattern: "//\\s*(TODO|FIXME|HACK|XXX)"
    file_pattern: "src/**/*.ts"
    action: block
  - id: no-commented-code
    description: No large blocks of commented-out code.
    check: custom
    checker: checks/commented-code-density.js
    config:
      maxCommentedLinesInBlock: 5
    action: warn
```

mandate_25: No hardcoded secrets
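As an added illustration (not the project's own checker code), the following evaluator implements the regex-match check type using mandate_15's two blocking rules exactly as written above, and renders the `{{ file }}:{{ line }}` message template; the same evaluator works for any regex-match rule on this page. The rule-object shape and the message variables are assumptions of this example.

```javascript
// Added example, not the project's own checker: a minimal evaluator for the
// regex-match check type, using mandate_15's two blocking rules as written.
// The rule-object shape and the {file, line} message variables are assumptions.
const mandate15Rules = [
  {
    id: 'no-console-log',
    pattern: 'console\\.log\\(',
    action: 'block',
    message: 'console.log found at {{ file }}:{{ line }}. Remove before committing.',
  },
  { id: 'no-todo-comments', pattern: '//\\s*(TODO|FIXME|HACK|XXX)', action: 'block' },
];

// Render the {{ name }} placeholders used in mandate messages.
function renderMessage(template, vars) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => String(vars[key] ?? ''));
}

// Apply one regex-match rule to a file's text; one finding per matching line.
function runRegexRule(rule, file, source) {
  const re = new RegExp(rule.pattern);
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    if (!re.test(text)) return;
    const line = idx + 1;
    const message = rule.message
      ? renderMessage(rule.message, { file, line })
      : `${rule.id} violated at ${file}:${line}`;
    findings.push({ rule: rule.id, action: rule.action, file, line, message });
  });
  return findings;
}

// Evaluate all rules; any finding whose action is 'block' fails the mandate.
function checkFile(file, source, rules = mandate15Rules) {
  const findings = rules.flatMap((r) => runRegexRule(r, file, source));
  return { passed: !findings.some((f) => f.action === 'block'), findings };
}

// Constructed sample source: line 2 logs request data, line 4 carries a TODO.
const sampleSource = [
  'export function handler(req) {',
  '  console.log(req.body);',
  '  const id = req.params.id;',
  '  // TODO: validate id',
  '  return lookup(id);',
  '}',
].join('\n');

const sampleResult = checkFile('src/handler.ts', sampleSource);
```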
```yaml
id: mandate_25
name: No Hardcoded Secrets
version: 1.0.0
category: security
severity: blocking
rules:
  - id: no-api-keys
    description: No API keys, passwords, or tokens in source files.
    check: custom
    checker: checks/secret-scan.js
    config:
      patterns:
        - name: Generic API Key
          regex: '[a-zA-Z0-9]{32,}'
          context: '(api[_-]?key|apikey|secret|password|token)'
        - name: Anthropic API Key
          regex: 'sk-ant-[a-zA-Z0-9-]+'
        - name: GitHub Token
          regex: 'gh[ps]_[a-zA-Z0-9]+'
        - name: Stripe Secret Key
          regex: 'sk_live_[a-zA-Z0-9]+'
    action: block
```

mandate_44: Row-level security on user data tables
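The `context` field on the Generic API Key pattern is what keeps a 32+ character regex usable: it only fires when a credential-like keyword is nearby, so content hashes and long identifiers do not produce noise. The scanner below is an added example, not the project's checks/secret-scan.js; it applies the pattern list above to a constructed file and assumes same-line, case-insensitive context matching and that findings are reported with the matched value redacted.

```javascript
// Added example, not the project's checks/secret-scan.js: a scanner that applies
// mandate_25's pattern list. A pattern with a `context` field fires only when the
// context keyword also appears on the same line (same-line, case-insensitive context
// is this example's assumption), so long hashes and ids do not trip the generic rule.
const secretPatterns = [
  { name: 'Generic API Key', regex: '[a-zA-Z0-9]{32,}', context: '(api[_-]?key|apikey|secret|password|token)' },
  { name: 'Anthropic API Key', regex: 'sk-ant-[a-zA-Z0-9-]+' },
  { name: 'GitHub Token', regex: 'gh[ps]_[a-zA-Z0-9]+' },
  { name: 'Stripe Secret Key', regex: 'sk_live_[a-zA-Z0-9]+' },
];

// Scan one file's text. The matched value is redacted in the finding so the
// report itself does not leak the secret.
function scanSecrets(file, source, patterns = secretPatterns) {
  const compiled = patterns.map((p) => ({
    name: p.name,
    re: new RegExp(p.regex),
    ctx: p.context ? new RegExp(p.context, 'i') : null,
  }));
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const p of compiled) {
      const m = p.re.exec(text);
      if (!m || (p.ctx && !p.ctx.test(text))) continue;
      const redacted = m[0].slice(0, 4) + '*'.repeat(Math.max(0, m[0].length - 4));
      findings.push({ file, line: idx + 1, pattern: p.name, redacted });
    }
  });
  return findings;
}

// The mandate is blocking: any finding fails the check.
function checkSecrets(file, source) {
  const findings = scanSecrets(file, source);
  return { passed: findings.length === 0, findings };
}

// Constructed sample with placeholder values; none are real credentials.
const secretSample = [
  "const API_KEY = 'abcdefghijklmnopqrstuvwxyz0123456789';", // generic + context: flagged
  "const sha = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4';", // long hash, no context: ignored
  "const stripe = new Stripe('sk_live_EXAMPLEPLACEHOLDER1234');", // specific pattern: flagged
  'const key = process.env.ANTHROPIC_API_KEY;', // read from the environment: clean
].join('\n');

const secretResult = checkSecrets('src/config.ts', secretSample);
```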
```yaml
id: mandate_44
name: RLS on User Data Tables
version: 1.0.0
category: security
severity: blocking
applies_to: [builder, reviewer, guardian]
rules:
  - id: rls-enabled
    description: All tables containing user data must have RLS enabled.
    check: custom
    checker: checks/rls-coverage.js
    config:
      userDataTablePattern: "(user|profile|account|payment|session)"
    action: block
    message: "Table '{{ table }}' contains user data but has no RLS policy. Add RLS."
  - id: rls-policy-present
    description: RLS-enabled tables must have at least one policy.
    check: regex-match
    file_pattern: "supabase/migrations/*.sql"
    pattern: "CREATE POLICY"
    action: block
```

mandate_47: Immutable event log
```yaml
id: mandate_47
name: Immutable Event Log
version: 1.0.0
category: architecture
severity: blocking
rules:
  - id: no-event-update
    description: The event log must be append-only. No UPDATE or DELETE on events table.
    check: regex-match
    pattern: "(UPDATE|DELETE).*events"
    file_pattern: "src/**/*.ts"
    action: block
    message: "Found mutation of events table. The event log is append-only."
```

For the complete set of 50 mandate YAML files, see the mandate-library/ directory in the repository.