This constitution establishes the inviolable principles, boundaries, and guardrails for the Oreko development project. All development decisions, implementations, and architectural choices must comply with these rules.
Oreko is exclusively a visual quote and invoice management tool. It is:
- An open-source, self-hosted solution
- A SaaS option for cloud deployment
- A tool for freelancers, small businesses, and agencies
Oreko SHALL:
- Create, manage, and send professional quotes
- Convert quotes to invoices seamlessly
- Handle e-signatures and contract attachments
- Process payments via Stripe
- Provide client-facing portals for acceptance and payment
- Offer rate card management for quick quoting
- Generate professional PDFs
Oreko SHALL NOT:
- Become a full accounting system
- Include CRM/lead management features
- Add project management capabilities
- Track time (beyond basic invoice line items)
- Manage inventory
- Handle payroll
The quote/invoice builder MUST be:
- Block-based and visual (NOT spreadsheet-like)
- Drag-and-drop enabled
- WYSIWYG (What You See Is What You Get)
- Mobile-responsive
PROHIBITION: No table-based data entry interfaces for quotes. The builder must feel like designing a document, not filling a form.
Client-facing pages MUST:
- Work without requiring an account/login
- Be mobile-first in design
- Load in under 3 seconds on 4G
- Be accessible (WCAG 2.1 AA compliant)
- Support the business's custom branding
- First quote creation MUST be achievable in under 10 minutes from signup
- Onboarding MUST be skippable (users can configure later)
- Default settings MUST be sensible (no mandatory configuration)
| Component | Technology | Rationale |
|---|---|---|
| Framework | Next.js 14+ (App Router) | Modern React, SSR, edge-ready |
| Language | TypeScript (strict) | Type safety |
| UI | Shadcn UI + Tailwind | Customizable, accessible |
| Database | PostgreSQL 15+ | Reliability, JSON support |
| ORM | Prisma 5+ | Type-safe queries |
| Auth | NextAuth.js v5 | Flexible, self-hostable |
| Payments | Stripe Connect | Industry standard |
| Package Manager | pnpm | Speed, disk efficiency |
PROHIBITION: No alternative technologies without documented justification and team approval.
-
Server Components First
- Default to React Server Components
- Client components only when interactivity required
- No unnecessary hydration
-
Database as Source of Truth
- All state that matters persists to database
- Client state for UI only (forms, modals)
- No complex client-side state management (Redux, etc.) unless proven necessary
-
Type Safety End-to-End
- Prisma types for database
- Zod schemas for validation
- TypeScript strict mode everywhere
-
Monorepo Structure
- Shared code in packages/
- Application code in apps/
- Clear dependency boundaries
| Metric | Target | Mandatory |
|---|---|---|
| Largest Contentful Paint | < 2.5s | Yes |
| First Input Delay | < 100ms | Yes |
| Cumulative Layout Shift | < 0.1 | Yes |
| API Response (95th) | < 500ms | Yes |
| PDF Generation | < 5s | Yes |
| Bundle Size (main) | < 200KB | Yes |
-
Authentication
- Session-based with secure HTTP-only cookies
- Password hashing with bcrypt (cost factor 12+)
- Email verification required for production
-
Data Protection
- TLS 1.3 for all connections
- Encryption at rest for sensitive data
- No PII in logs
-
Payment Security
- PCI compliance via Stripe (no card data handled)
- Payment intents for all transactions
- Webhook signature verification
-
API Security
- Authentication on all protected routes
- Rate limiting (100 req/min default)
- Input validation on every endpoint
- Self-hosted users OWN their data completely
- Cloud users data exportable at any time
- No vendor lock-in for data
-
Audit Trails
- All quote/invoice state changes logged
- E-signature events with timestamp, IP, user agent
- Payment events immutable
-
Soft Deletes
- Users, workspaces, clients, quotes, invoices use soft delete
- Hard delete only for compliance requests (GDPR)
-
Backups
- Self-hosted: User responsibility (documented)
- Cloud: Daily automated, 30-day retention
- Workspace isolation is mandatory
- No cross-workspace data leakage
- Row-level security patterns where applicable
-
No
anyTypes- TypeScript strict mode enforced
- Explicit types for function parameters and returns
- Generic types where appropriate
-
Testing Requirements
- Unit tests for business logic
- Integration tests for API routes
- E2E tests for critical user flows
- Minimum 70% coverage for core modules
-
Documentation
- All public APIs documented
- Complex logic commented
- README for each package
- All code changes require PR
- At least one approval required
- CI must pass (lint, types, tests)
- No force pushes to main
- Audit dependencies monthly
- No packages with known vulnerabilities
- Prefer well-maintained, widely-used packages
- Lock versions in production
| Priority | Definition | Timeline |
|---|---|---|
| P0 | Must have for MVP | Before launch |
| P1 | Should have | v1.1 (post-launch) |
| P2 | Nice to have | v1.2+ |
- Document the feature in specs
- Validate against product scope (Article I)
- Estimate complexity and impact
- Approve only if aligned with core product
A feature MUST be rejected if it:
- Conflicts with Article I scope boundaries
- Compromises Article III security requirements
- Cannot meet Article III performance targets
- Adds significant complexity without clear value
- Integrate, Don't Replicate - Partner with best-in-class tools
- Optional Dependencies - Integrations must be optional
- Graceful Degradation - System works without external services
| Category | Examples | Priority |
|---|---|---|
| Payments | Stripe | P0 (Required) |
| SMTP, SendGrid, Resend | P0 | |
| Storage | Local, S3 | P0 |
| Accounting | QuickBooks, Xero | P1 |
| Calendar | Google Calendar | P2 |
- All integrations must have disable option
- Credentials stored securely (encrypted)
- Webhook handlers must be idempotent
- Rate limits respected
MUST Support:
- Single docker-compose command deployment
- Environment variable configuration only
- No mandatory external services except database
Requirements:
- Docker image < 500MB
- Memory usage < 1GB baseline
- Works on commodity hardware (2GB RAM, 2 CPU)
- Multi-tenant architecture
- Per-workspace isolation
- Automatic scaling capability
- 99.5% uptime SLA target
| Environment | Purpose | Data |
|---|---|---|
| Development | Local development | Mock/seed data |
| Staging | Pre-production testing | Anonymized data |
| Production | Live users | Real data |
- Color contrast 4.5:1 minimum
- All interactive elements keyboard accessible
- Screen reader compatible (ARIA labels)
- Focus indicators visible
- No flashing content
- Respect
prefers-reduced-motion - Essential animations only
- Provide static alternatives
This constitution may only be amended through:
- Written proposal with justification
- Impact analysis on existing code
- Team consensus (or Product Owner approval)
- Documentation of the change
Temporary exceptions may be granted:
- Document the exception and reason
- Set expiration date
- Create ticket to resolve
- No permanent exceptions allowed
- No CSS-in-JS runtime (use Tailwind)
- No client-side routing hijacking (use Next.js navigation)
- No localStorage for sensitive data
- No inline styles (use Tailwind classes)
- No default exports (except pages/layouts)
- No console.log in production (use proper logging)
- No hardcoded credentials
- No direct DOM manipulation (use React)
- Server Actions for mutations
- Zod for all input validation
- Prisma for all database access
- Error boundaries for graceful failure
- Loading states for async operations
- Optimistic updates where appropriate
- Proper TypeScript generics where needed
This constitution was established on January 30, 2026 and governs all development activities for the Oreko project.