These mirror pk-auth-build-brief.md §12 — read that section for the full rationale.
- Phase discipline. Complete the acceptance criteria for phase N (see brief §10) before starting phase N+1. Run
./gradlew checkbetween phases. - Conventional commits. Examples:
feat(core): ...,test(jdbi): ...,docs(adr): ...,build: ...,ci: .... Keep commits small and atomic. - ADRs. Non-trivial cross-module decisions get an ADR under
docs/adr/, Nygard format. Number sequentially. - Dependencies. New libraries go through
gradle/libs.versions.tomland are justified in the commit message or an ADR. - No
TODOin main unless paired with a GitHub issue link. - SPDX header on every Java source file:
// SPDX-License-Identifier: MIT. Spotless enforces this. @sincetags on public API. Every new or modified public element (class, record, interface, method, field, or sealed-variant) gets an@since X.Y.ZJavadoc tag carrying the version it first ships in. The current target is@since 1.1.0for surfaces introduced in the in-flight 1.1 line; pre-1.1 surfaces keep the version they shipped with. When renaming a method or changing its signature in a MAJOR bump, update the@sinceon the new shape. The policy applies acrosspk-auth-core,pk-auth-admin-api,pk-auth-jwt,pk-auth-otp,pk-auth-magic-link,pk-auth-backup-codes,pk-auth-refresh-tokens, and the three adapter modules.- Don't optimize prematurely. Correct → tested → fast.
- Constructor-injection annotations. Spring and Micronaut detect a single non-default constructor automatically; do not add
@Autowired/@Injectin those adapters. Dropwizard's adapter is wired through Dagger 2, which requires@Injecton the injected constructor — keep the annotation. The asymmetry is by DI framework, not by style preference; new files in each adapter follow the conventions already present in that module.
./gradlew checkJDK 21 required (Gradle toolchain will fetch one if needed).
Module-level READMEs (added in each phase) document the "5-minute integration" snippet and per-module specifics.