App Maker — Constitution

Hard-Stop Rules

These rules must never be violated. Violations require immediate halt and review.

  • Never hardcode secrets or credentials in application code
  • Never deploy UI components without accessibility compliance verification
  • Never expose endpoints without input validation and security headers

Mandatory Rules

These rules must be followed in all circumstances.

  • Input validation required on all user-facing and API endpoints
  • Accessibility compliance (WCAG 2.2 AA) mandatory for all UI components
  • Security headers and CSRF/XSS protections required for all endpoints
  • Test coverage must meet defined thresholds before merge

Preferred Practices

Best practices that should be followed when possible.

  • Use component-driven development with storybook-style documentation
  • Implement typed interfaces for all API contracts
  • Include performance budgets for frontend bundle sizes