moai-foundation-trust

jg-chalk-io/moai-foundation-trust

Coding

About

SKILL.md

moai-foundation-trust

jg-chalk-io/moai-foundation-trust

Coding

About

TRUST 4 principles - Test First, Readable, Unified, Secured

SKILL.md

TRUST 4 Principles

Foundation of Code Quality

Principles: Test First, Readable, Unified, Secured
Standards: ≥85% Coverage, Pylint ≥8.0, OWASP Top 10

Overview

TRUST 4 defines non-negotiable quality requirements for all code.

The Four Principles

Test First: Write tests before implementation.
Readable: Clarity over cleverness.
Unified: Consistent patterns across codebase.
Secured: OWASP compliance by design.

Principle 1: Test First (T)

TDD Cycle

RED: Write failing test.
GREEN: Implement minimal code to pass.
REFACTOR: Improve without breaking tests.

Coverage Targets

Unit Tests: 70% (fast, specific)
Integration Tests: 20% (cross-component)
E2E Tests: 10% (full workflow)
Total: ≥85%

Example

# 1. RED: Write test (fails)
def test_password_hash_unique():
    hash1 = hash_password("TestPass123")
    hash2 = hash_password("TestPass123")
    assert hash1 != hash2

# 2. GREEN: Implement
def hash_password(plaintext: str) -> str:
    import bcrypt
    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(plaintext.encode(), salt).decode()

# 3. REFACTOR: Add security docs

Principle 2: Readable (R)

Metrics

Cyclomatic Complexity: ≤10
Function Length: ≤50 lines
Nesting Depth: ≤3 levels

Rules

Clear naming (validate_password not vp)
Single responsibility per function
Docstrings for all functions
Consistent style (PEP 8, Black, Prettier)

Example

# Bad
def f(x, y):
    return sum([i*x for i in y if i]) / len(y) if y else 0

# Good
def calculate_weighted_average(weight: float, values: List[float]) -> float:
    """Calculate weighted average, excluding None values."""
    valid = [v for v in values if v is not None]
    if not valid:
        return 0.0
    return sum(v * weight for v in valid) / len(valid)

Principle 3: Unified (U)

Consistency Rules

Same file structure across modules
Same naming for same concepts (user_id everywhere, not uid)
Same error handling patterns
Same logging approach

Example Pattern

# Unified error handling
try:
    result = process_payment(order)
except PaymentError as e:
    logger.error(f"Payment failed: {e}", extra={"order_id": order.id})
    raise ApplicationError("Payment processing failed") from e

Principle 4: Secured (S)

OWASP Top 10 (2024)

Broken Access Control: Implement RBAC
Cryptographic Failures: Use bcrypt (not MD5), TLS 1.3+
Injection: Parameterized queries
Insecure Design: Threat modeling
Security Misconfiguration: Secrets management
Vulnerable Components: Regular updates (pip audit)
Auth Failures: MFA, rate limiting
Data Integrity: Code signing
Logging Failures: Comprehensive logs
SSRF: Input validation

Example

def hash_password(plaintext: str) -> str:
    """
    OWASP A02:2021 compliant password hashing.
    Uses bcrypt with 12 rounds (2025 standard).
    """
    import bcrypt
    if not plaintext:
        raise ValueError("Password required")

    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(plaintext.encode(), salt).decode()

Validation Checklist

Test: Coverage ≥85%?
Readable: Pylint ≥8.0?
Unified: Patterns consistent?
Secured: OWASP scan passed (bandit, pip audit)?

CI/CD Quality Gates

# Automated quality gate
pytest --cov=src --cov-fail-under=85  # T: Test
pylint src/ --fail-under=8.0           # R: Readable
bandit -r src/ -ll                     # S: Secured

Related Skills

moai-core-rules: Core development guidelines
moai-security-devsecops: Security testing
moai-project-documentation: Documentation standards

Last Updated: 2025-11-20

About

SKILL.md

About

TRUST 4 principles - Test First, Readable, Unified, Secured

SKILL.md

TRUST 4 Principles

Foundation of Code Quality

Principles: Test First, Readable, Unified, Secured
Standards: ≥85% Coverage, Pylint ≥8.0, OWASP Top 10

Overview

TRUST 4 defines non-negotiable quality requirements for all code.

The Four Principles

Test First: Write tests before implementation.
Readable: Clarity over cleverness.
Unified: Consistent patterns across codebase.
Secured: OWASP compliance by design.

Principle 1: Test First (T)

TDD Cycle

RED: Write failing test.
GREEN: Implement minimal code to pass.
REFACTOR: Improve without breaking tests.

Coverage Targets

Unit Tests: 70% (fast, specific)
Integration Tests: 20% (cross-component)
E2E Tests: 10% (full workflow)
Total: ≥85%

Example

# 1. RED: Write test (fails)
def test_password_hash_unique():
    hash1 = hash_password("TestPass123")
    hash2 = hash_password("TestPass123")
    assert hash1 != hash2

# 2. GREEN: Implement
def hash_password(plaintext: str) -> str:
    import bcrypt
    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(plaintext.encode(), salt).decode()

# 3. REFACTOR: Add security docs

Principle 2: Readable (R)

Metrics

Cyclomatic Complexity: ≤10
Function Length: ≤50 lines
Nesting Depth: ≤3 levels

Rules

Clear naming (validate_password not vp)
Single responsibility per function
Docstrings for all functions
Consistent style (PEP 8, Black, Prettier)

Example

# Bad
def f(x, y):
    return sum([i*x for i in y if i]) / len(y) if y else 0

# Good
def calculate_weighted_average(weight: float, values: List[float]) -> float:
    """Calculate weighted average, excluding None values."""
    valid = [v for v in values if v is not None]
    if not valid:
        return 0.0
    return sum(v * weight for v in valid) / len(valid)

Principle 3: Unified (U)

Consistency Rules

Same file structure across modules
Same naming for same concepts (user_id everywhere, not uid)
Same error handling patterns
Same logging approach

Example Pattern

# Unified error handling
try:
    result = process_payment(order)
except PaymentError as e:
    logger.error(f"Payment failed: {e}", extra={"order_id": order.id})
    raise ApplicationError("Payment processing failed") from e

Principle 4: Secured (S)

OWASP Top 10 (2024)

Broken Access Control: Implement RBAC
Cryptographic Failures: Use bcrypt (not MD5), TLS 1.3+
Injection: Parameterized queries
Insecure Design: Threat modeling
Security Misconfiguration: Secrets management
Vulnerable Components: Regular updates (pip audit)
Auth Failures: MFA, rate limiting
Data Integrity: Code signing
Logging Failures: Comprehensive logs
SSRF: Input validation

Example

def hash_password(plaintext: str) -> str:
    """
    OWASP A02:2021 compliant password hashing.
    Uses bcrypt with 12 rounds (2025 standard).
    """
    import bcrypt
    if not plaintext:
        raise ValueError("Password required")

    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(plaintext.encode(), salt).decode()

Validation Checklist

Test: Coverage ≥85%?
Readable: Pylint ≥8.0?
Unified: Patterns consistent?
Secured: OWASP scan passed (bandit, pip audit)?

CI/CD Quality Gates

# Automated quality gate
pytest --cov=src --cov-fail-under=85  # T: Test
pylint src/ --fail-under=8.0           # R: Readable
bandit -r src/ -ll                     # S: Secured

Related Skills

moai-core-rules: Core development guidelines
moai-security-devsecops: Security testing
moai-project-documentation: Documentation standards

Last Updated: 2025-11-20