CLARITY COMMISSION OS
ENTERPRISE ENGINEERING & GOVERNANCE CHARTER
I. SYSTEM CLASSIFICATION
Clarity is classified as:- Financial processing system
- Multi-tenant SaaS
- Commission calculation engine
- Audit-bound data pipeline
- Data integrity > velocity
- Determinism > convenience
- Explicit failure > silent fallback
- Traceability > abstraction elegance
II. CHANGE CONTROL FRAMEWORK
Every change must be classified before implementation.Change Risk Levels
Level 0 — Cosmetic / UI only
- Styling
- Copy
- Non-functional UX changes
Level 1 — UX Logic / Wizard Semantics
- Gating logic
- Readiness display
- Draft store behavior
- Regression tests
- Network proof validation
Level 2 — Backend Orchestration
- Readiness logic
- Scope derivation
- Materialization
- Preflight classification
/processorchestration
- Test updates
- Invariant validation
- Structured error consistency
- BigQuery verification proof
Level 3 — Money Engine / Stage Writes
- Commission calculation logic
- Stage1/Stage2/Stage3 write behavior
- Idempotency logic
- Deterministic proof
- Replay test
- Double-run test (must produce identical outputs)
- Decimal verification
- Snapshot diff check
Level 4 — Schema / Contract Change
- BigQuery schema modifications
- API contract changes
- Batch ID semantics
- Scope semantics
- ADR document
- Migration plan
- Backfill plan
- Rollback strategy
- Explicit approval
III. ARCHITECTURAL DECISION RECORD (ADR) REQUIREMENT
An ADR must be created when:- Changing scope semantics
- Changing readiness behavior
- Changing
/processbehavior - Modifying batch_id lifecycle
- Introducing new money math logic
- Changing idempotency guarantees
- Problem statement
- Invariants affected
- Alternative solutions considered
- Risk analysis
- Rollback plan
- Test strategy
IV. DEPLOYMENT GATES (ENFORCED)
Backend Gate
Must pass:- All readiness tests
- Scope mismatch tests
- Mixed scope tests
- Materialization failure tests
- Idempotency tests (if
/processtouched)
- Cloud Run revision SHA
- Debug proof (if readiness involved)
- BigQuery proof when writes involved
Frontend Gate
Must pass:- Smoke suite
- Gating regression tests
- No removed endpoints still being called
- Production build hides dev panels
V. MONEY ENGINE CONTROL REQUIREMENTS
The commission engine must:- Use Decimal exclusively.
- Produce deterministic outputs across re-runs.
- Produce identical outputs across environment replay.
- Be able to reprocess historical periods without drift.
- Never depend on real-time system clock.
- Never compute commissions without effective-dated config resolution.
VI. READINESS GOVERNANCE
Readiness exists in exactly two domains:- Batch readiness (wizard gate)
- Tenant readiness (admin informational)
- Severity: High UX + Medium data risk
VII. CONFIGURATION GOVERNANCE
Configuration must:- Be effective-dated where appropriate.
- Never require reconfiguration for future periods unless intentionally superseded.
- Be traceable with created_by + timestamp.
VIII. IDENTITY & SCOPE ENFORCEMENT
All queries must include:- tenant_id filter
- org_id filter when ORG_SCOPED
IX. INCIDENT RESPONSE PROTOCOL
If production issue occurs involving:- Scope mismatch
- Materialization failure
- Duplicate stage rows
- Commission miscalculation
- Freeze deployment.
- Capture failing batch_id + period_label.
- Capture readiness debug output.
- Capture stage snapshot row count.
- Replay locally.
- Diff outputs.
- Create ADR before fix.
X. QUALITY BAR FOR “DONE”
A feature is not “done” unless:- Deterministic behavior is proven.
- Tests exist covering the invariant.
- Deploy surface is identified.
- Network + DB + UI proof captured.
- Documentation updated if semantics changed.
XI. ROADMAP CONTROL (LOCKED ORDER)
Phase 8 — Wizard Completion Phase 9 — Deterministic Math Engine Phase 10 — Audit Outputs Phase 11 — Performance Hardening + Multi-Vertical Scaling No skipping ahead without closing invariants.XII. CURSOR EXECUTION PROTOCOL
Before any change, Cursor must:- Identify deploy surface (Frontend / Backend / Data / Pipeline).
- Identify risk level (0–4).
- Identify invariants affected.
- Perform red-flag scan with file references.
- Implement minimum diff.
- Add tests.
- Provide deploy + validation proof checklist.
INVARIANT ENFORCEMENT LAYER
What we’re adding
A) Static Invariant Checks (fast, deterministic)
Runs on every PR/push:- No float math in backend money paths (Python)
- Every BigQuery query must filter by tenant_id (Python SQL strings)
- Readiness endpoints must require
period_label(FastAPI route signatures) - Wizard UI must not call tenant-wide readiness (Frontend network call guard)
- No dev-only panels in prod build (frontend build guard)
B) Deterministic Replay Tests (critical, slower)
Runs nightly or on-demand (or blocking once stable):- Re-run
/processtwice for the same(tenant, org, period, batch)→ identical stage outputs - Snapshot diffs / row-count invariants / checksum invariants
Repo Additions (Concrete Files)
1) Create tools/invariants/ folder
Add:
tools/invariants/run_all.py
Orchestrator that runs all checks and exits non-zero if any blocking invariant fails.
tools/invariants/python_no_float.py
AST-based scan (real enforcement, not grep):
- Blocks
float(...),math.*operations in money modules,/process, stage writers, commission calculators - Blocks literal floats like
1.23in selected directories
api/**- especially
api/math/**,api/commissions/**,api/bigquery/**,api/routes/**(or wherever money logic lives)
tools/invariants/bq_tenant_filter.py
Heuristic enforcement:
- Find BigQuery query strings (f-strings / triple-quoted strings passed to
client.query) - Require presence of either:
tenant_id = @tenant_id- OR
WHERE tenant_id+ parameter usage
- Allow explicit exceptions via inline comment tag:
# INVARIANT_ALLOW: tenant_filter(must include justification text)
tools/invariants/readiness_requires_period.py
AST scan for FastAPI routes:
- Ensure readiness endpoints require
period_labelin signature - Specifically:
/api/v1/intake/ingestion-wizard/readiness/api/v1/admin/onboarding/businesses/readiness(if exists)
- Reject defaults like
period_label: str = Query("...")(must be required)
tools/invariants/frontend_no_tenant_readiness_in_wizard.py
Scan for forbidden endpoint usage in wizard pages/components:
- Forbid strings:
/api/v1/admin/onboarding/businesses/readinessadmin/onboarding/businesses/readinessinside:dashboard/src/pages/ingestion/**dashboard/src/components/intake/**
tools/invariants/frontend_no_dev_panels_prod.py
Simple check ensuring debug panels are guarded:
- Search for
DebugPanelcomponents and assert they’re wrapped in:process.env.NODE_ENV !== "production"
- Or enforce a single
DEV_ONLYhelper component
CI Wiring (GitHub Actions)
2) Add workflow: .github/workflows/invariants.yml
Runs:
- python invariant suite (fast)
- frontend invariant suite (fast)
- optionally: backend unit tests subset
pull_requestpushtomain
- Invariants are blocking (fail workflow)
- Deterministic replay can be non-blocking initially.
Deterministic Replay (Stage Output Proof)
3) Add a replay test harness
Goal: if we run/process twice, outputs are identical.
Option A (best): pure BigQuery replay test
Createapi/tests/test_deterministic_replay_stage1.py that:
- Seeds a small synthetic batch input (or uses a fixture table)
- Calls the internal stage writer function twice
- Compares:
- row count
- stable checksum of ordered rows (e.g., hash of concatenated stable columns)
Option B: API integration replay test (nightly)
api/tests/integration/test_process_replay_deterministic.py:
- Requires env vars & credentials → run nightly or manual
stage1_bridge_rowsfor batch_id unchanged after second runingestion_batches.statusstable- Any derived snapshots match checksum
What “Enterprise Grade” Means Here (Enforcement Levels)
We implement in phases so you don’t stall delivery:Phase 1 (now) — Block merges on catastrophic invariants
Blocking:- tenant filter presence
- period_label required in readiness routes
- forbidden tenant-wide readiness call in wizard
- no float scan (until tuned)
- dev panel guard (until tuned)
Phase 2 — Block merges on money integrity
Blocking:- no float usage in money paths
- explicit rounding policy tests
Phase 3 — Block merges on deterministic replay
Blocking:- deterministic replay test for stage outputs
Cursor Implementation Order
Objective
Add an automated invariant gate so we stop relying on human memory. This must be deterministic and auditable.Step 0 — Red-flag scan (required)
Confirm:- where money math lives (
api/**paths) - where BigQuery queries are built
- exact readiness route files
- wizard file locations (already known from PR2)
Step 1 — Add tools
Create foldertools/invariants/ with:
run_all.pypython_no_float.py(AST)bq_tenant_filter.pyreadiness_requires_period.pyfrontend_no_tenant_readiness_in_wizard.pyfrontend_no_dev_panels_prod.py
- print violations with file:line
- exit 1 if violations found (for blocking checks)
- support
--pathsand--allow-tag(optional but preferred)
Step 2 — Add GitHub Actions workflow
Add.github/workflows/invariants.yml that runs:
python tools/invariants/run_all.py- optionally
npm run test:smokefor dashboard (already exists)
Step 3 — Add initial deterministic replay test (Stage1)
Add one unit-level deterministic replay test for Stage1 writer logic (no HTTP). Pass criteria:- running the same computation twice yields identical row checksums.
Step 4 — Docs
Adddocs/INVARIANT_ENFORCEMENT.md describing:
- invariants
- allow-tags + justification policy
- how to run locally
- escalation process
Step 5 — Ship
Merge to main and confirm the invariants workflow runs on PR. STOP if:- the invariant checks produce too many false positives; in that case, narrow scopes and mark non-blocking until tuned.