You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .github/copilot-instructions.md
+14-2Lines changed: 14 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -228,6 +228,13 @@ Diese Regeln gelten für alle Repositories in diesem Workspace. Projektspezifisc
228
228
- Änderungen an dieser Regel erfordern ein gemeinsames Update in `constitution.md`, `.specify/memory/constitution.md`, `AGENTS.md`, `CLAUDE.md`, `GEMINI.md` und `.github/copilot-instructions.md`.
229
229
230
230
*AI-generated and human-written software architecture MUST follow secure-architecture principles. Authoritative rules: `constitution.md`, Principle XIII. Core principles: trust boundaries (validate all input at system boundaries), defense in depth (at least two independent security layers), least privilege (minimum required permissions), fail-safe defaults (deny by default), attack surface reduction (disable unused features), separation of concerns (auth/logging/validation as cross-cutting concerns), secure configuration (secrets in secret stores, never in code or Git), supply-chain security (verified registries, lock files, no known-vulnerable dependencies). Principles XII + XIII together form the complete secure-development approach: XII = tactical code-level security, XIII = strategic architecture-level security. Changes require a joint update across `constitution.md`, `.specify/memory/constitution.md`, and all four agent guidance files.*
231
+
## Allgemeine Architektur-Governance / General Architecture Governance
*Structural, interface, quality-attribute, runtime, deployment, or maintainability changes must evaluate iSAQB/arc42 architecture evidence. Default path: `docs/architecture/`; general architecture ADRs live under `docs/architecture/adr/`. Use the matching templates when the artefact applies.*
-**CRA-Anwendbarkeit / CRA Applicability** (`cra-applicability-template.md`) — EU Cyber Resilience Act Scope und Nachweise (Prinzip XIX)
244
254
- Projektspezifische Instanzen werden in `docs/security/` gepflegt; S-ADRs als einzelne Dateien in `docs/security/adr/`.
245
255
246
-
*Every Level-2 project MUST maintain security documents based on templates in `.specify/templates/`: threat model (STRIDE+CAPEC), S-ADRs, arc42 Section 8 security concepts, security checklist, dependency audit, security quality scenarios (SHOULD), ASVS verification (web/API MUST), supply-chain evidence (release-capable MUST), Zero Trust applicability note (distributed systems SHOULD), and SAMM assessment (long-lived projects SHOULD). Project-specific instances live in `docs/security/`; S-ADRs in `docs/security/adr/`. See `constitution.md`, Principles XII–XVIII for authoritative requirements.*
256
+
*Every Level-2 project MUST maintain security documents based on templates in `.specify/templates/`: threat model (STRIDE+CAPEC), S-ADRs, arc42 Section 8 security concepts, security checklist, dependency audit, MSL applicability, secure-coding language rules, security quality scenarios (SHOULD), ASVS verification (web/API MUST), supply-chain evidence (release-capable MUST), Zero Trust applicability note (distributed systems SHOULD), SAMM assessment (long-lived projects SHOULD), and CRA applicability evidence. Project-specific instances live in `docs/security/`; S-ADRs in `docs/security/adr/`. See `constitution.md`, Principles XI–XIX for authoritative requirements.*
@@ -272,9 +282,11 @@ Diese Regeln gelten für alle Repositories in diesem Workspace. Projektspezifisc
272
282
- Bei Web/API-Features den `ASVS`-Level und den Verifikationsumfang in `docs/security/` oder gleichwertiger Projektdokumentation ablegen.
273
283
- Bei Release-/Artefakt-Arbeit `SBOM`, `VEX`, Provenance/SLSA-Nachweise und gegebenenfalls `OpenSSF Scorecard` in Release- oder Sicherheitsdokumentation einplanen.
274
284
- Bei Architekturänderungen `Zero Trust`-Anwendbarkeit und bei langlebigen Projekten `SAMM`-Folgeaktionen prüfen.
285
+
- Bei allgemeinen Architekturänderungen iSAQB/arc42-Evidenz unter `docs/architecture/` prüfen.
286
+
- Bei A11Y-relevanten Artefakten `docs/accessibility/`-Evidenz und Sprach-Tags fuer Markdown-Codebloecke pruefen.
275
287
- Default-Evidenzpfad: `docs/security/asvs-verification.md`, `docs/security/supply-chain-evidence.md`, `docs/security/zero-trust-applicability.md`, `docs/security/samm-assessment.md`; Abweichungen nur mit lokal dokumentierter Begründung.
276
288
277
-
*Capture the applicable standards and the evidence path in `spec.md`, `plan.md`, and `tasks.md`. Use `STRIDE` as the base for threat modeling and add relevant `CAPEC` patterns for the highest-risk flows. For web/API work, record the chosen `ASVS` level and verification scope in `docs/security/` or equivalent project documentation. For release and artefact work, plan `SBOM`, `VEX`, provenance/SLSA evidence, and `OpenSSF Scorecard` review where applicable. For architectural changes, evaluate `Zero Trust`; for long-lived projects, consider `OWASP SAMM` follow-up actions. The default evidence path is `docs/security/asvs-verification.md`, `docs/security/supply-chain-evidence.md`, `docs/security/zero-trust-applicability.md`, and `docs/security/samm-assessment.md`, unless the repository documents a justified equivalent location.*
289
+
*Capture the applicable standards and the evidence path in `spec.md`, `plan.md`, and `tasks.md`. Use `STRIDE` as the base for threat modeling and add relevant `CAPEC` patterns for the highest-risk flows. For web/API work, record the chosen `ASVS` level and verification scope in `docs/security/` or equivalent project documentation. For release and artefact work, plan `SBOM`, `VEX`, provenance/SLSA evidence, and `OpenSSF Scorecard` review where applicable. For security architecture, evaluate `Zero Trust`; for long-lived projects, consider `OWASP SAMM` follow-up actions. For general architecture changes, evaluate iSAQB/arc42 evidence under `docs/architecture/`. For A11Y-relevant artefacts, check `docs/accessibility/` evidence and language-tagged Markdown code blocks. The default evidence path is `docs/security/asvs-verification.md`, `docs/security/supply-chain-evidence.md`, `docs/security/zero-trust-applicability.md`, and `docs/security/samm-assessment.md`, unless the repository documents a justified equivalent location.*
278
290
279
291
<!-- SPECKIT START -->
280
292
For additional context about technologies to be used, project structure,
@@ -80,9 +105,11 @@ synchronized across devices without exposing any credentials.
80
105
81
106
### II. Cross-Platform Parity & Documentation
82
107
83
-
Every critical script MUST exist in two variants:
84
-
- Bash (`.sh`) for macOS/Linux
85
-
- PowerShell Core 7+ (`.ps1`) for Windows
108
+
Every critical script-shaped tool MUST exist in two variants:
109
+
- Bash 3.x-compatible (`.sh`) for macOS/Linux unless a higher Bash version is
110
+
documented as a hard project requirement.
111
+
- PowerShell Core 7+ (`.ps1`) for Windows and as a portable shell on other
112
+
platforms.
86
113
87
114
Both variants MUST provide identical functionality and produce equivalent output.
88
115
A new script is not considered complete until:
@@ -94,6 +121,18 @@ A new script is not considered complete until:
94
121
95
122
All files MUST be committed together in the same commit.
96
123
124
+
Implementation discipline:
125
+
- Bash scripts SHOULD use `set -euo pipefail` or document the exception.
126
+
- Bash scripts MUST quote variable expansions and MUST NOT use `eval` on
127
+
untrusted input.
128
+
- PowerShell scripts MUST use `Set-StrictMode -Version Latest` and SHOULD use
129
+
`-NoProfile` for non-interactive subprocess calls.
130
+
- Both variants MUST behave equivalently in dry-run mode (`--dry-run` /
131
+
`-WhatIf`) where the tool mutates state.
132
+
- Script-parity evidence SHOULD use `script-parity-checklist-template.md`;
133
+
Bash man pages and PowerShell help SHOULD use the matching templates in
134
+
`.specify/templates/`.
135
+
97
136
**Rationale**: The workspace is used on macOS and Windows. Bash-only or PowerShell-only scripts create a second-class experience. Professional documentation ensures maintainability and ease of use across platforms.
98
137
99
138
### III. Bootstrap Automation
@@ -211,6 +250,15 @@ Mandatory rules:
211
250
- WCAG 2.2 Level AA is the default accessibility baseline wherever the criteria are applicable.
212
251
- User-facing artefacts MUST remain usable with keyboard-only interaction, screen readers, Braille displays, and text browsers.
213
252
- Text-first fallbacks MUST be preferred for status reporting, diagrams, and operational guidance.
253
+
- Every Markdown code block in user-facing or learner-facing documentation MUST
254
+
carry a language tag such as `bash`, `powershell`, `csharp`, `json`, or
255
+
`text`; bare fenced code blocks are not allowed.
256
+
- Non-decorative images, diagrams, and ASCII charts MUST include adjacent
257
+
text alternatives or DE-first/EN-second explanations at CEFR B2 readability.
258
+
- Accessibility evidence defaults to `docs/accessibility/` using
`cli-a11y-review-template.md`, and `bilingual-content-check-template.md`
261
+
where applicable.
214
262
- Accessibility review is part of completion, not post-processing.
215
263
216
264
**Rationale**: Inclusive delivery improves quality for everyone, reduces retrofit work, and makes the repositories usable in real assistive-technology workflows from the start.
@@ -387,6 +435,12 @@ Mandatory security documentation (Principle XII extensions):
387
435
(`dependency-audit-template.md`) that is updated before each release and at
388
436
least monthly. The audit MUST cover CVE status, license compliance, registry
389
437
verification, lock-file status, and supply-chain risks.
438
+
- Every Level-2 project MUST maintain or cite a **Memory-Safe Language
439
+
Applicability** record (`msl-applicability-template.md`) when runtime or
440
+
language choice is part of the feature or project setup.
441
+
- Every Level-2 project MUST maintain language-specific secure-coding evidence
442
+
using `secure-coding-language-rules-template.md` or an equivalent checklist
443
+
when new language/runtime rules are introduced.
390
444
- Every Level-2 project SHOULD maintain **Security Quality Scenarios**
391
445
(`security-quality-scenarios-template.md`) following iSAQB CPSA-F quality
392
446
attribute scenario methodology to make security requirements testable and
@@ -503,6 +557,7 @@ MUST use this matrix to determine which standards apply.
503
557
| OWASP SAMM | SHOULD | Long-lived Level-1 and Level-2 workspaces/projects | Periodic self-assessment with prioritized improvement actions |
504
558
| CAPEC | SHOULD | Threat modeling of material attack paths | Reference relevant attack patterns for high-risk flows and abuse cases |
505
559
| NIST Zero Trust (SP 800-207) | Project-type-dependent | Distributed, service-based, cloud, remote-managed, or multi-device systems | Explicit applicability decision with controls or justified N/A |
560
+
| iSAQB / arc42 architecture governance | SHOULD | Structural, interface, quality-attribute, deployment, or long-term maintainability changes | Architecture evidence under `docs/architecture/` or justified N/A |
506
561
| OWASP Cheat Sheet Series / Proactive Controls | SHOULD | All developer-facing projects | Use as day-to-day implementation guidance below the constitution |
507
562
| OpenSSF Scorecard | Project-type-dependent | Public OSS repositories or high-impact external dependencies | Review repository/dependency security posture before adoption or release |
0 commit comments