
Collaboration Readiness

This page points engineers to the source guardrails that keep OneProtect safe for parallel work.

Branch And Deployment Guardrails

  • Work on scoped feature/, fix/, or docs/ branches.
  • Install local hooks with make install-git-guardrails.
  • Do not push directly to main, develop, or demo.
  • GitLab protected branch settings must enforce no-direct-push server-side.
  • Feature branches validate, test, and build images only.
  • Only main, develop, and demo may run ECR publish, Terraform plan/apply, Helm deploy, docs deploy, or AWS smoke jobs.

Source: docs/engineering/git-branch-guardrails.md.
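
The branch rules above, sketched as a local pre-push check plus a deploy-job gate. This is an added example, not the hook that make install-git-guardrails installs and not taken from docs/engineering/git-branch-guardrails.md; the function names classify_ref, check_push and may_deploy are assumptions.

```shell
#!/bin/sh
# Added example, not OneProtect's own hook. Branch names come from the page;
# function names and messages are assumptions made for illustration.

# classify_ref REMOTE_REF -> prints protected | scoped | unscoped | other
classify_ref() {
    case "$1" in
        refs/heads/main|refs/heads/develop|refs/heads/demo) echo protected ;;
        refs/heads/feature/?*|refs/heads/fix/?*|refs/heads/docs/?*) echo scoped ;;
        refs/heads/*) echo unscoped ;;
        *) echo other ;;   # tags and other refs are outside the branch rules
    esac
}

# check_push reads git's pre-push stdin, one line per ref being pushed:
#   <local ref> <local sha> <remote ref> <remote sha>
# Returns non-zero if any target branch is protected or not scoped.
check_push() {
    rc=0
    while read -r _local_ref _local_sha remote_ref _remote_sha; do
        case "$(classify_ref "$remote_ref")" in
            protected)
                echo "blocked: direct push to $remote_ref" >&2; rc=1 ;;
            unscoped)
                echo "blocked: $remote_ref is not feature/, fix/, or docs/" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# may_deploy BRANCH -> 0 only for branches allowed to run publish/deploy jobs.
# In a GitLab job script this could be called as: may_deploy "$CI_COMMIT_REF_NAME"
may_deploy() {
    case "$1" in
        main|develop|demo) return 0 ;;
        *) return 1 ;;
    esac
}

# Act as a hook only when installed as .git/hooks/pre-push.
if [ "${0##*/}" = "pre-push" ]; then
    check_push || exit 1
fi
```

A local hook can be bypassed with git push --no-verify, which is why the page also requires GitLab protected branch settings to enforce the rule server-side.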

Current Stability

  • docs/engineering/stability-matrix.md classifies platform areas as stable, evolving, scaffolded/planned, or demo-only/local.
  • docs/adr/ADR-0005-phase1-platform-stack.md locks the Phase 1 runtime choices.
  • docs/engineering/phase1-contract-backlog.md lists contracts that must be designed before asset discovery, SIEM ingestion, or compliance catalog implementation.

Working Rules

  • docs/engineering/contribution-rules.md defines PR expectations for tenancy, contracts, audit, docs, dependencies, and secrets.
  • docs/engineering/developer-handoff.md explains how to add events, APIs, tenant-owned tables, integrations, frontend UI, and docs safely.
  • docs/engineering/workstream-plan.md splits safe parallel work for platform hardening, frontend operational readiness, and pre-implementation contracts.

Non-Negotiables

  • No tenant-owned table without RLS migration and RLS tests.
  • No new event without JSON Schema and AsyncAPI updates.
  • No API change without OpenAPI updates.
  • No material action without audit behavior.
  • No secret value in API responses, logs, audit payloads, UI, docs, or fixtures.
  • No asset discovery, SIEM ingestion, or compliance catalog implementation until the relevant contracts are reviewed.