ALWAYS read at the start of EVERY task:
- README.md — Project overview, features, docs
- copilot-setup-steps.yml — Build environment (Java 26, Maven 3.9.15, PostgreSQL 18)
- copilot-mcp-config.json — MCP servers (GitHub, filesystem, memory, sequential-thinking, playwright)
- skills/ — 80 skills for security, testing, architecture, compliance (see skills/README.md)
- agents/ — 6 specialized agents (see agents/README.md)
- Hack23 Information Security Policy — apex ISMS policy (via the hack23-information-security-policy skill)
Citizen Intelligence Agency — volunteer-driven OSINT platform analyzing Swedish political activities. Monitors politicians and institutions with financial metrics, risk analytics, trend analysis, and transparency insights. Strictly independent and non-partisan.
| Component | Version/Detail |
|---|---|
| Backend | Java 26 (source 21), Spring Framework 5.x, Hibernate/JPA |
| UI | Vaadin |
| Database | PostgreSQL 18 (pgaudit, pgcrypto, pg_stat_statements) |
| Build | Maven 3.9.15, 49+ modules |
| External APIs | Riksdagen, Swedish Election Authority, World Bank, ESV |
| Security | OpenSSF 7.2/10, SLSA 3, CII Best Practices, zero critical CVEs 5+ years |
```bash
mvn clean install              # Full build with tests
mvn clean install -DskipTests  # Build without tests
mvn test -Dtest='!**ITest*,!**/XmlDateTypeAdapterTest,!**/XmlTimeTypeAdapterTest,!**/XmlDateTimeTypeAdapterTest'  # Tests only (excludes integration tests and the Xml*TypeAdapterTest classes)
mvn clean test jacoco:report   # Tests with coverage
mvn dependency-check:check     # OWASP dependency scan
mvn site                       # Generate site documentation
```

Database changes: Follow service.data.impl/README-SCHEMA-MAINTENANCE.md. Never manually edit full_schema.sql — always regenerate it via pg_dump.
- Java: Source level 21, runtime 26. Constructor injection preferred. `@Service`, `@Repository`, `@Controller` annotations. `@Transactional` for DB operations.
- JPA: Entities in `model.*` packages. Proper annotations. Appropriate fetch types. Avoid N+1 queries.
- Style: Meaningful names. JavaDoc for public APIs. Minimal comments. Follow existing patterns.
- Security: Never commit secrets. Parameterized queries. Input validation. Output encoding. Spring Security for access control. GDPR compliance.
| Metric | Threshold |
|---|---|
| Line coverage | ≥ 80% |
| Branch coverage | ≥ 70% |
| Cyclomatic complexity | < 10 |
| Code duplication | < 3% |
| Critical SonarCloud issues | 0 |
| Critical/High CVEs | 0 |
Change only what's needed. Don't refactor unrelated code. Review impact before committing.
Compile (mvn clean compile), test relevant areas, check git diff, verify no secrets.
Pass CodeQL + OWASP checks. Validate all inputs. Parameterized queries. Encode outputs. Update SECURITY_ARCHITECTURE.md and THREAT_MODEL.md when relevant.
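The coding standards and the pre-commit security checks above (constructor injection, `@Service`/`@Transactional`, input validation, parameterized queries, output encoding) shown together in working code. This is an added example, not code from the Citizen Intelligence Agency project: `PoliticianSearchService`, `PoliticianEntity`, its fields, the party-code pattern and the `javax.persistence` API (Spring Framework 5.x era JPA) are assumptions chosen to illustrate the pattern, not the project's real model or package layout.

```java
// Added example (not project code). PoliticianSearchService, PoliticianEntity,
// its fields and the PARTY_CODE rule are assumptions made for illustration.
package com.example.cia;  // hypothetical package, not the project's model.* layout

import java.util.List;
import java.util.regex.Pattern;

import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;

import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.util.HtmlUtils;

@Service
@Transactional(readOnly = true)
public class PoliticianSearchService {

    // Assumed domain of the party-code filter; adjust to the real column's values.
    private static final Pattern PARTY_CODE = Pattern.compile("^[A-Z]{1,4}$");

    private final EntityManager entityManager;

    // Constructor injection: the dependency is final, so the bean can never exist
    // half-initialised and the class is trivially testable with a mock.
    public PoliticianSearchService(EntityManager entityManager) {
        this.entityManager = entityManager;
    }

    // BEFORE (the pattern the standards forbid): caller input concatenated into
    // JPQL. A value such as  X' OR '1'='1  rewrites the query instead of filtering it.
    public List<PoliticianEntity> findByPartyUnsafe(String party) {
        return entityManager
            .createQuery("SELECT p FROM PoliticianEntity p WHERE p.party = '" + party + "'",
                PoliticianEntity.class)
            .getResultList();
    }

    // AFTER: validate the input against its expected domain, then bind it as a
    // named parameter so the query text itself never changes.
    public List<PoliticianEntity> findByParty(String party) {
        if (party == null || !PARTY_CODE.matcher(party).matches()) {
            throw new IllegalArgumentException("invalid party code");
        }
        TypedQuery<PoliticianEntity> query = entityManager.createQuery(
            "SELECT p FROM PoliticianEntity p WHERE p.party = :party",
            PoliticianEntity.class);
        query.setParameter("party", party);
        return query.getResultList();
    }

    // Output encoding: a value that originated in an external feed (for example a
    // name fetched from the Riksdagen API) is HTML-escaped before it is placed in
    // markup, so "<script>" in the feed renders as text rather than executing.
    public static String toDisplayHtml(String name) {
        return "<span class=\"name\">" + HtmlUtils.htmlEscape(name) + "</span>";
    }
}

// Minimal entity so the example compiles on its own; the real project's entities
// live in model.* packages and are considerably richer.
@Entity
class PoliticianEntity {
    @Id
    Long id;
    String party;
    String name;
}
```

`findByPartyUnsafe` is included only as the "before" case for comparison; CodeQL's SQL/JPQL injection query flags exactly that string concatenation, while the named-parameter form in `findByParty` passes. The regex check in front of the parameterized query is not what prevents injection (the binding does that); it is the input-validation step the standards ask for, and it keeps junk out of the query plan and the logs.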
Align with ISO 27001:2022, NIST CSF 2.0, CIS Controls v8, GDPR. Update security documentation for security-related changes.
The Hack23 Information Security Policy (ISP) is the apex policy — every change must defer to it. It is implemented through the supporting policies below; consult the ones relevant to your task. See the hack23-information-security-policy skill for a developer-facing mapping.
| Concern | Policy | Primary Skill |
|---|---|---|
| Apex (everything) | Information Security Policy | hack23-information-security-policy |
| SDLC / code / build | Secure Development Policy | secure-development-policy |
| Open-source posture | Open Source Policy | open-source-policy |
| Secrets / tokens | Secrets Management | secrets-management |
| TLS / crypto / hashing | Cryptography Policy | cryptography-policy / crypto-best-practices |
| AuthN / AuthZ | Access Control | access-control-policy |
| Data labelling | CLASSIFICATION | classification-framework-enforcement |
| Personal data | Data Protection, Privacy Policy | data-protection, gdpr-compliance |
| CVE triage | Vulnerability Management | vulnerability-management |
| Releases / migrations | Change Management | change-management |
| Backup / DR | Backup Recovery | backup-recovery-policy |
| Incidents | Incident Response Plan | incident-response |
| Threat modelling | Threat Modeling | threat-modeling |
| Third-party / deps | Third Party Management | open-source-policy |
| AI / Copilot agents | AI Policy | ai-governance |
| Strategy | Information Security Strategy | information-security-strategy |
Unit tests for all new functionality. Maintain or improve coverage. JUnit 5, Mockito. Follow existing test patterns.
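A JUnit 5 plus Mockito unit test in the shape the testing standard above asks for, as an added example rather than one of the project's own tests. The `PoliticianRepository` collaborator and the small `PoliticianSearchService` it exercises are hypothetical and defined inline so the example stands alone; the point is the pattern: mock the constructor-injected dependency, assert the happy path, and assert that malformed input is rejected before the dependency is ever touched.

```java
// Added example (not project code). PoliticianRepository and the inline
// PoliticianSearchService are hypothetical stand-ins for a real service and its
// constructor-injected dependency.
package com.example.cia;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

import java.util.List;

import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;

@ExtendWith(MockitoExtension.class)
class PoliticianSearchServiceTest {

    // Hypothetical data-access collaborator that the service depends on.
    interface PoliticianRepository {
        List<String> findNamesByParty(String party);
    }

    // Minimal class under test, defined here so the test compiles on its own.
    // It validates the party code and otherwise delegates to the repository.
    static class PoliticianSearchService {
        private final PoliticianRepository repository;

        PoliticianSearchService(PoliticianRepository repository) {
            this.repository = repository;
        }

        List<String> namesFor(String party) {
            if (party == null || !party.matches("[A-Z]{1,4}")) {
                throw new IllegalArgumentException("invalid party code");
            }
            return repository.findNamesByParty(party);
        }
    }

    @Mock
    PoliticianRepository repository;

    @Test
    void returnsNamesForValidPartyCode() {
        // Constructed sample data, not real Riksdagen records.
        when(repository.findNamesByParty("S")).thenReturn(List.of("Anna", "Björn"));
        PoliticianSearchService service = new PoliticianSearchService(repository);

        assertEquals(List.of("Anna", "Björn"), service.namesFor("S"));
        verify(repository).findNamesByParty("S");
    }

    @Test
    void rejectsMalformedPartyCodeBeforeTouchingRepository() {
        PoliticianSearchService service = new PoliticianSearchService(repository);

        assertThrows(IllegalArgumentException.class, () -> service.namesFor("S' OR '1'='1"));
        assertThrows(IllegalArgumentException.class, () -> service.namesFor(null));
        // The injection-shaped and null inputs must never reach the data layer.
        verify(repository, never()).findNamesByParty(anyString());
    }
}
```

The `never()` verification is the part worth copying: a test that only asserts the exception is thrown would still pass if validation ran after the repository call, which is the ordering bug that turns "validate input" into a no-op.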
Check relevant skills before implementing. Delegate to specialized agents when appropriate:
- ISMS / policy: hack23-information-security-policy (apex), hack23-isms-compliance, compliance-frameworks
- Security: secure-code-review, security-by-design, input-validation, threat-modeling, vulnerability-management
- Architecture: spring-framework-patterns, jpa-hibernate-optimization, vaadin-component-design
- Testing: unit-testing-patterns, testing-strategy-enforcement, playwright-ui-testing
- CI/CD: github-actions-workflows, github-agentic-workflows, ci-cd-security
- AI governance: ai-governance (AI Policy + OWASP LLM + EU AI Act)
Format: <type>: <description> — Types: feat, fix, docs, style, refactor, test, chore
Every repository maintains C4 model documentation:
- Current: ARCHITECTURE.md, DATA_MODEL.md, FLOWCHART.md, STATEDIAGRAM.md, MINDMAP.md, SWOT.md
- Future: FUTURE_ARCHITECTURE.md, FUTURE_DATA_MODEL.md, FUTURE_FLOWCHART.md, FUTURE_STATEDIAGRAM.md, FUTURE_MINDMAP.md, FUTURE_SWOT.md
- Security: SECURITY_ARCHITECTURE.md, FUTURE_SECURITY_ARCHITECTURE.md, THREAT_MODEL.md
When uncertain:
- Check the relevant skill in .github/skills/
- Review similar code patterns in the repository
- Consult ARCHITECTURE.md, SECURITY_ARCHITECTURE.md
- Apply security-by-design (deny by default, validate input, encrypt data)
- Follow ISMS requirements
- Only then ask for clarification