Governance
Constitutions define generation, validation, and quality policies that govern how specifications are compiled and implemented. They encode tech stack choices, security defaults, testing expectations, and code style - all as code. This means governance travels with the spec and is enforced automatically in every build.
Constitution Example
platform.prd
constitution default_product {
use: [
registry/web/angular@1.2,
registry/backend/nestjs@1.1
]
policies {
stack {
frontend: angular
backend: nestjs
database: postgres
}
security {
authentication: required
authorization: required
encryption: aes_256
}
privacy {
pii_encryption: required
data_retention: "7 years"
consent_required: true
}
testing {
tests_required: true
review_fix_loop: true
}
style {
indentation: 2
naming: camelCase
}
architecture {
modules: required
coupling_limits: 5
}
}
}Policy Sections
| Section | Purpose | Common Keys |
|---|---|---|
| stack | Technology choices | frontend, backend, database, runtime |
| security | Auth and encryption | authentication, authorization, encryption, mfa |
| privacy | Data handling | pii_encryption, data_retention, consent_required |
| testing | Quality gates | tests_required, review_fix_loop, coverage_threshold |
| generation | Code generation rules | patterns, templates, output_format |
| style | Code conventions | indentation, naming, formatting |
| architecture | Structural patterns | modules, boundaries, coupling_limits |
Security & Privacy Constructs
Beyond constitutions, Prodara provides dedicated constructs for security and privacy that attach to specific entities:
security billing_security {
applies_to: [invoice, payment]
requires: [encryption, audit_logging, access_control]
description: "Financial data must be encrypted at rest and in transit"
}
privacy customer_privacy {
applies_to: [customer]
classification: personal_data
retention: "7 years"
erasable: true
}
validation invoice_validation {
applies_to: [invoice]
rules {
total_positive: "total > 0"
customer_exists: "customer != null"
}
}Constitution Layering
Constitutions stack in three layers, with more specific layers overriding general ones:
- 1. Registry packages - Community or organization-wide defaults pulled from the registry. These provide a shared baseline across teams and projects.
- 2. Product-wide - Your product's global policies defined at the top level. Set your tech stack, security posture, and quality gates here.
- 3. Module-specific - Overrides for individual modules using
applies_to. Use this when a specific module has different requirements (e.g., stricter PCI compliance for billing).
Registry Packages
Constitutions can reference shared packages from the registry using use blocks. This lets teams share and version governance policies like code:
constitution hipaa_compliant {
use: [
registry/compliance/hipaa@2.0,
registry/security/encryption@1.5
]
policies {
privacy {
phi_encryption: required
audit_trail: required
access_logging: required
}
}
}