Development Stack Standards

Reference for creating and assessing language-specific development stacks. Defines maturity progression and assessment criteria.

Used by:

• /stack-assess

  - Grade projects against stack standards

• /stack-guide

  - Create/validate/customize stack definitions
• Stack skills (configuring-python-stack, configuring-javascript-stack, etc.)

Five-Level Maturity Model

Level 0: Foundation (EVERY project)

8 dimensions required:

dev-install

format

lint

typecheck

test

coverage

build

clean

Additional recipes:

check-all

default

Assessment: Fresh clone can

just dev-install && just check-all

Level 1: Quality Gates (CI/CD)

Adds 4 dimensions:

coverage

lint

complexity

integration-test

test-watch

Additional recipes:

loc

Assessment: Coverage fails below 96%, complexity enforced, integration tests excluded from threshold

Level 2: Security & Compliance (Production)

Adds 4 dimensions:

vulns

lic

sbom

deps

Assessment: All four commands succeed with meaningful output

Level 3: Metrics (Large codebases)

Uses Level 1 tools (

complexity

loc

• File-by-file complexity breakdown
• Average and max metrics
• Identifies refactoring targets

Level 4: Polyglot (Multi-language)

Structure: Root justfile orchestrates language-specific subprojects

Root recipes (subset):

dev-install

check-all

clean

build

deps

vulns

lic

sbom

Each subproject: Implements Level 0+ independently, standalone

just check-all

Tool Selection by Language

Python

• Package: uv (fast, handles venv + install + lock)
• Format/Lint: ruff (handles both)
• Typecheck: mypy (strict mode)
• Test: pytest with pytest-cov
• Complexity: radon (reports), ruff (threshold)
• Security: pip-audit, pip-licenses, cyclonedx-py

JavaScript/TypeScript

• Package: pnpm (fast, efficient)
• Format: prettier
• Lint: eslint (with complexity rule)
• Typecheck: tsc (strict mode)
• Test: vitest (with coverage)
• Security: pnpm audit, license-checker, @cyclonedx/cyclonedx-npm

Java

• Package: Maven (standard)
• Format: spotless + Google Java Format
• Lint: spotbugs, checkstyle
• Typecheck: javac (warnings as errors)
• Test: JUnit 5 with JaCoCo
• Security: dependency-check, license-maven-plugin, cyclonedx-maven-plugin

Standard Settings

• Line length: 100 (balance readability vs horizontal space)
• Coverage threshold: 96% (unit tests only)
• Complexity threshold: <= 10 cyclomatic
• Strict typing: Always enabled

Assessment Criteria

Level 0

• All 8 dimensions present
• All 10 justfile recipes present

• just dev-install && just check-all

  succeeds

Level 1

• Level 0 complete
• Coverage fails below 96% for unit tests
• Complexity <= 10 enforced in lint
• Integration tests marked/tagged and excluded from coverage

Level 2

• Level 1 complete

• vulns

  ,

  lic

  ,

  sbom

  ,

  deps

  all succeed

Level 4

• Root orchestrates without duplication
• Each subproject standalone

• _run-all

  fails fast

YAGNI Enforcement

Stop at the level you need:

• Library (no deployment): 0 -> 1 -> 2 (stop)
• Web app (CI/CD + deploy): 0 -> 1 -> 2 -> maybe 3
• Solo project: 0 -> 2 (skip quality overhead, add security)
• Monorepo: 0 -> 1 -> 4 -> 2 -> 3

Don't add:

• Level 1 if no CI/CD
• Level 2 if not deploying
• Level 3 if codebase small
• Level 4 if single language