name: development-stack-standards description: Development stack standards - five-level maturity model, dimension specs, assessment criteria, tool guidance

Development Stack Standards

Reference for creating and assessing language-specific development stacks. Defines maturity progression and assessment criteria.

Used by:

• /stack-assess - Grade projects against stack standards
• /stack-guide - Create/validate/customize stack definitions
• Stack skills (configuring-python-stack, configuring-javascript-stack, etc.)

Five-Level Maturity Model

Level 0: Foundation (EVERY project)

8 dimensions required:

Additional recipes: check-all (format -> lint -> typecheck -> coverage), default

Assessment: Fresh clone can just dev-install && just check-all

Level 1: Quality Gates (CI/CD)

Adds 4 dimensions:

Additional recipes: loc (largest files)

Assessment: Coverage fails below 96%, complexity enforced, integration tests excluded from threshold

Level 2: Security & Compliance (Production)

Adds 4 dimensions:

Assessment: All four commands succeed with meaningful output

Level 3: Metrics (Large codebases)

Uses Level 1 tools (complexity, loc) for detailed analysis:

• File-by-file complexity breakdown
• Average and max metrics
• Identifies refactoring targets

Level 4: Polyglot (Multi-language)

Structure: Root justfile orchestrates language-specific subprojects

Root recipes (subset): dev-install, check-all, clean, build, deps, vulns, lic, sbom

Each subproject: Implements Level 0+ independently, standalone just check-all

Tool Selection by Language

Python

• Package: uv (fast, handles venv + install + lock)
• Format/Lint: ruff (handles both)
• Typecheck: mypy (strict mode)
• Test: pytest with pytest-cov
• Complexity: radon (reports), ruff (threshold)
• Security: pip-audit, pip-licenses, cyclonedx-py

JavaScript/TypeScript

• Package: pnpm (fast, efficient)
• Format: prettier
• Lint: eslint (with complexity rule)
• Typecheck: tsc (strict mode)
• Test: vitest (with coverage)
• Security: pnpm audit, license-checker, @cyclonedx/cyclonedx-npm

Java

• Package: Maven (standard)
• Format: spotless + Google Java Format
• Lint: spotbugs, checkstyle
• Typecheck: javac (warnings as errors)
• Test: JUnit 5 with JaCoCo
• Security: dependency-check, license-maven-plugin, cyclonedx-maven-plugin

Standard Settings

• Line length: 100 (balance readability vs horizontal space)
• Coverage threshold: 96% (unit tests only)
• Complexity threshold: <= 10 cyclomatic
• Strict typing: Always enabled

Assessment Criteria

Level 0

• All 8 dimensions present
• All 10 justfile recipes present
• just dev-install && just check-all succeeds

Level 1

• Level 0 complete
• Coverage fails below 96% for unit tests
• Complexity <= 10 enforced in lint
• Integration tests marked/tagged and excluded from coverage

Level 2

• Level 1 complete
• vulns, lic, sbom, deps all succeed

Level 4

• Root orchestrates without duplication
• Each subproject standalone
• _run-all fails fast

YAGNI Enforcement

Stop at the level you need:

• Library (no deployment): 0 -> 1 -> 2 (stop)
• Web app (CI/CD + deploy): 0 -> 1 -> 2 -> maybe 3
• Solo project: 0 -> 2 (skip quality overhead, add security)
• Monorepo: 0 -> 1 -> 4 -> 2 -> 3

Don't add:

• Level 1 if no CI/CD
• Level 2 if not deploying
• Level 3 if codebase small
• Level 4 if single language