To protect the platform from liability, fraud, and rot by strictly adhering to the "Big 5" industrial standards (Finance, Security, Arch, Privacy, A11y).
2. The Standard (The Floor)
[MUST] Financial Integrity (GAAP): Ledger entries MUST be immutable. Deletions are forbidden; use Reverse Entries.
[MUST] Security (OWASP): All Server Actions MUST use Zod Codecs for Input/Output sanitization. ReBAC MUST be enforced per action.
[MUST] Architecture (Clean): Client Components MUST NOT import Server Modules. Business logic MUST reside in packages/modules.
[MUST] Privacy (GDPR): PII MUST be anonymizable ("Soft Delete") while preserving Financial Records (7-year retention).
[MUST] Accessibility (WCAG): All interactive elements MUST be keyboard navigable.
3. Best Practices (The Path)
[SHOULD] Audit Trail: Write to system_audit_log in the same atomic batch as the mutation.
[SHOULD] Data Minimization: Only query fields required for the view (use Projections).
[SHOULD] Semantic HTML: Use native elements (<button>) over divs.
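The Financial Integrity, Privacy and Audit Trail rules above describe one data-handling discipline: append-only ledger rows corrected by reversing entries, PII scrubbed in place while the financial rows it links to are kept, and every mutation landing in the same atomic batch as its audit row. The TypeScript below is an added illustration of that discipline, not code from this standards document or the platform it governs. It assumes one ledger account per user (accountId equals the user id), integer-cent amounts, and an in-memory store standing in for the database; the names Store, post, reverse, anonymizeUser and system_audit_log's stand-in auditLog are illustrative.

```typescript
// Added example, not part of the standards document. Assumes an in-memory
// store, one account per user, and integer cents; all names are illustrative.

interface LedgerEntry {
  readonly id: number;
  readonly accountId: string;
  readonly amount: number;          // integer cents; the sign carries direction
  readonly memo: string;
  readonly reverses: number | null; // id of the entry this one cancels, if any
}

interface UserRecord {
  readonly id: string;
  name: string;
  email: string;
  anonymizedAt: string | null;
}

interface AuditRecord {
  readonly actor: string;
  readonly action: string;
  readonly ref: string;
}

class Store {
  private readonly entries: LedgerEntry[] = [];  // append-only: there is no delete method
  private readonly users = new Map<string, UserRecord>();
  private readonly audit: AuditRecord[] = [];
  private nextId = 1;

  // Simulated atomic batch: the mutation and its audit row commit together.
  // If `work` throws, staged ledger rows and the id counter are rolled back
  // and no audit row is written, so the log never records a change that
  // did not happen.
  private batch<T>(actor: string, action: string, ref: string, work: () => T): T {
    const mark = { entries: this.entries.length, nextId: this.nextId };
    try {
      const result = work();
      this.audit.push({ actor, action, ref });
      return result;
    } catch (err) {
      this.entries.length = mark.entries;
      this.nextId = mark.nextId;
      throw err;
    }
  }

  private append(accountId: string, amount: number, memo: string, reverses: number | null): LedgerEntry {
    const entry: LedgerEntry = Object.freeze({ id: this.nextId++, accountId, amount, memo, reverses });
    this.entries.push(entry);
    return entry;
  }

  createUser(actor: string, id: string, name: string, email: string): void {
    this.batch(actor, "user.create", id, () => {
      if (this.users.has(id)) throw new Error(`user ${id} already exists`);
      this.users.set(id, { id, name, email, anonymizedAt: null });
    });
  }

  // GAAP floor: ledger rows are only ever appended.
  post(actor: string, accountId: string, amount: number, memo: string): LedgerEntry {
    return this.batch(actor, "ledger.post", `${accountId}:${memo}`, () => {
      if (!Number.isInteger(amount) || amount === 0) throw new Error("amount must be a non-zero integer");
      return this.append(accountId, amount, memo, null);
    });
  }

  // A correction is a new entry that cancels the original; the original stays,
  // and an entry can be reversed at most once.
  reverse(actor: string, entryId: number, reason: string): LedgerEntry {
    return this.batch(actor, "ledger.reverse", String(entryId), () => {
      const original = this.entries.find((e) => e.id === entryId);
      if (!original) throw new Error(`entry ${entryId} not found`);
      if (this.entries.some((e) => e.reverses === entryId)) throw new Error(`entry ${entryId} already reversed`);
      return this.append(original.accountId, -original.amount, `reversal of #${entryId}: ${reason}`, entryId);
    });
  }

  balance(accountId: string): number {
    return this.entries.filter((e) => e.accountId === accountId).reduce((sum, e) => sum + e.amount, 0);
  }

  // GDPR floor: scrub the PII in place but keep the user id, so the ledger rows
  // held for the retention period still resolve to a (now anonymous) account.
  anonymizeUser(actor: string, userId: string, now: Date = new Date()): void {
    this.batch(actor, "user.anonymize", userId, () => {
      const user = this.users.get(userId);
      if (!user) throw new Error(`user ${userId} not found`);
      user.name = "[redacted]";
      user.email = `${userId}@anonymized.invalid`; // reserved TLD, never routable
      user.anonymizedAt = now.toISOString();
    });
  }

  getUser(id: string): Readonly<UserRecord> | undefined {
    const u = this.users.get(id);
    return u ? { ...u } : undefined;
  }

  get ledger(): readonly LedgerEntry[] { return [...this.entries]; }
  get auditLog(): readonly AuditRecord[] { return [...this.audit]; }
}

// Walk-through on constructed sample data: post an invoice, reverse it as a
// duplicate, then anonymize the customer. The ledger keeps both rows.
function scenario(): Store {
  const store = new Store();
  store.createUser("onboarding", "u1", "Ada Lovelace", "ada@example.com");
  const invoice = store.post("billing", "u1", 1500, "invoice 42");
  store.reverse("billing", invoice.id, "duplicate invoice");
  store.anonymizeUser("dpo", "u1");
  return store;
}
```

The rollback in `batch` is the part worth copying: a failed reversal (for example a second attempt on an already-reversed entry) leaves neither a ledger row nor an audit row behind, which is exactly the "same atomic batch" property the Audit Trail rule asks for from the real database.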