Back to skills
extension
Category: Development & EngineeringNo API key required

development-stack-standards

Development stack standards - five-level maturity model, dimension specs, assessment criteria, tool guidance

personAuthor: jakexiaohubgithub

Development Stack Standards

Reference for creating and assessing language-specific development stacks. Defines maturity progression and assessment criteria.

Used by:

  • /stack-assess - Grade projects against stack standards
  • /stack-guide - Create/validate/customize stack definitions
  • Stack skills (configuring-python-stack, configuring-javascript-stack, etc.)

Five-Level Maturity Model

Level 0: Foundation (EVERY project)

8 dimensions required:

| Dimension | Purpose | Justfile Recipe | |-----------|---------|-----------------| | Package manager | Reproducible builds (lockfile, isolation) | dev-install | | Format | Consistent style (auto-fix) | format | | Lint | Catch bugs (auto-fix safe changes) | lint | | Typecheck | Static correctness | typecheck | | Test | Verify behavior | test | | Coverage | Measure testing | coverage | | Build | Create artifacts | build | | Clean | Reset state | clean |

Additional recipes: check-all (format -> lint -> typecheck -> coverage), default

Assessment: Fresh clone can just dev-install && just check-all

Level 1: Quality Gates (CI/CD)

Adds 4 dimensions:

| Dimension | Requirement | Justfile Recipe | |-----------|-------------|-----------------| | Coverage threshold | 96% for unit tests | coverage (updated) | | Complexity | <= 10 cyclomatic | lint checks, complexity reports | | Test separation | Unit (fast) vs integration (slow) | integration-test | | Test watch | Continuous on file changes | test-watch |

Additional recipes: loc (largest files)

Assessment: Coverage fails below 96%, complexity enforced, integration tests excluded from threshold

Level 2: Security & Compliance (Production)

Adds 4 dimensions:

| Dimension | Purpose | Justfile Recipe | |-----------|---------|-----------------| | Vulnerability scanning | CVE detection | vulns | | License analysis | Compliance (flag GPL/restrictive) | lic | | SBOM | Supply chain (CycloneDX) | sbom | | Dependency tracking | Show outdated packages | deps |

Assessment: All four commands succeed with meaningful output

Level 3: Metrics (Large codebases)

Uses Level 1 tools (complexity, loc) for detailed analysis:

  • File-by-file complexity breakdown
  • Average and max metrics
  • Identifies refactoring targets

Level 4: Polyglot (Multi-language)

Structure: Root justfile orchestrates language-specific subprojects

Root recipes (subset): dev-install, check-all, clean, build, deps, vulns, lic, sbom

Each subproject: Implements Level 0+ independently, standalone just check-all

Tool Selection by Language

Python

  • Package: uv (fast, handles venv + install + lock)
  • Format/Lint: ruff (handles both)
  • Typecheck: mypy (strict mode)
  • Test: pytest with pytest-cov
  • Complexity: radon (reports), ruff (threshold)
  • Security: pip-audit, pip-licenses, cyclonedx-py

JavaScript/TypeScript

  • Package: pnpm (fast, efficient)
  • Format: prettier
  • Lint: eslint (with complexity rule)
  • Typecheck: tsc (strict mode)
  • Test: vitest (with coverage)
  • Security: pnpm audit, license-checker, @cyclonedx/cyclonedx-npm

Java

  • Package: Maven (standard)
  • Format: spotless + Google Java Format
  • Lint: spotbugs, checkstyle
  • Typecheck: javac (warnings as errors)
  • Test: JUnit 5 with JaCoCo
  • Security: dependency-check, license-maven-plugin, cyclonedx-maven-plugin

Standard Settings

  • Line length: 100 (balance readability vs horizontal space)
  • Coverage threshold: 96% (unit tests only)
  • Complexity threshold: <= 10 cyclomatic
  • Strict typing: Always enabled

Assessment Criteria

Level 0

  • [ ] All 8 dimensions present
  • [ ] All 10 justfile recipes present
  • [ ] just dev-install && just check-all succeeds

Level 1

  • [ ] Level 0 complete
  • [ ] Coverage fails below 96% for unit tests
  • [ ] Complexity <= 10 enforced in lint
  • [ ] Integration tests marked/tagged and excluded from coverage

Level 2

  • [ ] Level 1 complete
  • [ ] vulns, lic, sbom, deps all succeed

Level 4

  • [ ] Root orchestrates without duplication
  • [ ] Each subproject standalone
  • [ ] _run-all fails fast

YAGNI Enforcement

Stop at the level you need:

  • Library (no deployment): 0 -> 1 -> 2 (stop)
  • Web app (CI/CD + deploy): 0 -> 1 -> 2 -> maybe 3
  • Solo project: 0 -> 2 (skip quality overhead, add security)
  • Monorepo: 0 -> 1 -> 4 -> 2 -> 3

Don't add:

  • Level 1 if no CI/CD
  • Level 2 if not deploying
  • Level 3 if codebase small
  • Level 4 if single language