Engineering Best Practices
How systematic standards transform good code into great software
The 10 Engineering Commandments
These aren't suggestions — they're the non-negotiable standards that every project in this portfolio adheres to, regardless of stack or scale.
Write Tests First
Every feature ships with tests. Unit, integration, or E2E — the shape depends on the risk. "Works on my machine" is not a test.
Automate Everything Repetitive
If you do it more than twice, automate it. CI/CD, linting, formatting, dependency updates, security scanning — all automated.
Security Is Not Optional
Secrets stay out of version control. Dependencies stay audited. Headers get hardened. Zero Trust by default, not by exception.
Accessibility Is a Quality Attribute
WCAG 2.1 AA is the floor, not the ceiling. axe-core runs in CI. Keyboard navigation and screen reader support are tested, not assumed.
Document Your Decisions
Architecture Decision Records (ADRs) capture the why. README explains the what. Future-you and every future contributor will thank you.
Branch, Review, Merge
No direct pushes to main. Every change lives on a feature branch, passes CI, and gets reviewed — even solo projects build the discipline.
Observe Before You Optimize
Measure first. Structured logging, request IDs, and metrics come before premature optimization. Know what you're fixing before you fix it.
Build for Change
Modular architecture, dependency injection, and clear separation of concerns mean changes are local, not global. Design for the inevitable rewrite you won't have to do.
Ship Small, Ship Often
Small PRs merge faster, review better, and fail smaller. Continuous delivery over quarterly big-bang releases. Feature flags bridge the gap.
Enforce Standards Programmatically
Pre-commit hooks, linters, and formatters make style debates disappear. Consistent code is readable code. Automation removes the human bottleneck.
31 Practice Areas
A living library of engineering standards drawn from a 116-guide toolkit and 827 curated open-source repositories, continuously updated. Each area covers principles, patterns, and real code examples.
Security
Auth patterns, encryption standards, XSS/CSRF prevention, secrets management, OWASP Top 10 mitigations, Zero Trust architecture, and BOLA/BOPLA prevention with defense-in-depth.
Code Example
// Zod schema — validate & sanitize at every boundary
const CreateUserSchema = z.object({
email: z.string().email().max(255),
name: z.string().min(1).max(100).regex(/^[\w\s'-]+$/),
role: z.enum(['user', 'admin']).default('user'),
});
app.post('/users', async (req, res) => {
const parsed = CreateUserSchema.safeParse(req.body);
if (!parsed.success) {
return res.status(400).json({ errors: parsed.error.format() });
}
// parsed.data is now type-safe & sanitized — never trust raw req.body
await userService.create(parsed.data);
});Testing
Unit tests with Vitest, integration tests with supertest, E2E with Playwright, accessibility with axe-core, and full CI/CD automation.
Accessibility
WCAG 2.1 AA compliance, ARIA patterns, keyboard navigation, screen reader support, focus management, and VPAT documentation.
Architecture
Project structure, module design, data patterns, ADRs, component-based design, separation of concerns, and scalability principles.
Code Example
// Clean Architecture: dependencies always point inward
// Domain layer — zero external dependencies
interface UserRepository {
findById(id: string): Promise<User | null>;
save(user: User): Promise<void>;
}
// Application layer — orchestrates domain objects
class CreateUserUseCase {
constructor(private readonly users: UserRepository) {}
async execute(cmd: CreateUserCommand): Promise<string> {
const user = User.create(cmd.name, cmd.email);
await this.users.save(user);
return user.id;
}
}
// Infrastructure layer — implements the port
class PrismaUserRepository implements UserRepository { ... }Git Workflow
Branch strategies (GitFlow, trunk-based), commit conventions, PR templates, code review culture, and semantic versioning with automated changelogs.
Python
PEP 8 style, type hints with mypy, packaging with Poetry, async patterns with asyncio/aiohttp, testing with pytest, and documentation with Sphinx.
JavaScript
Naming conventions, async/await patterns, error handling, ES modules, modern APIs, performance profiling, and bundle optimization.
HTML & CSS
Semantic markup, responsive design, CSS custom properties, modern layout (Grid, Flexbox, Subgrid), performance optimizations, and design tokens.
SQL
Naming conventions, query optimization, indexing strategy, migration management, parameterized queries, and schema documentation.
Shell & Docker
Script safety (set -euo pipefail), multi-stage Docker builds, distroless base images, Trivy security scanning, multi-platform builds (amd64/arm64), and Kubernetes-ready health checks.
Compliance
GDPR privacy patterns, 21st Century IDEA Act requirements, NIST 800-53 controls, FedRAMP readiness, plain language writing, and VPAT/ACR documentation.
AI Development
Prompt engineering, hybrid RAG architecture, agentic workflows with multi-agent mesh, MCP server integration, LLM-as-judge evaluation, guardrails as infrastructure, and responsible AI deployment.
Code Example
# LangGraph: typed state machine for reliable agents
from langgraph.graph import StateGraph, END
from typing import TypedDict, Annotated
import operator
class AgentState(TypedDict):
messages: Annotated[list, operator.add]
tool_calls: list
builder = StateGraph(AgentState)
builder.add_node("reason", reasoning_node)
builder.add_node("act", tool_execution_node)
builder.add_conditional_edges(
"reason",
lambda s: "act" if s["tool_calls"] else END
)
builder.add_edge("act", "reason") # loop until done
graph = builder.compile(checkpointer=memory_saver)Performance Engineering
Core Web Vitals optimization (LCP, INP, CLS), JavaScript bundle budgets with code splitting, database query optimization with N+1 prevention, caching strategies, and Lighthouse CI gates.
Observability
Structured JSON logging, distributed tracing with OpenTelemetry, Prometheus metrics collection, SLO/SLI-based alerting, and log aggregation for production debugging.
API Design
RESTful URL conventions, cursor-based pagination, OAuth 2.0 + PKCE authentication, tiered rate limiting, OpenAPI 3.1 specs, input validation with Zod, and OWASP API Security Top 10 mitigations.
Code Example
# OpenAPI 3.1 — cursor pagination + rate-limit headers
paths:
/api/v1/items:
get:
operationId: listItems
security: [{ bearerAuth: [] }]
parameters:
- { name: cursor, in: query, schema: { type: string } }
- { name: limit, in: query, schema: { type: integer,
minimum: 1, maximum: 100, default: 20 } }
responses:
'200':
headers:
X-RateLimit-Remaining:
schema: { type: integer }
content:
application/json:
schema: { $ref: '#/components/schemas/ItemPage' }
'429':
description: Rate limit exceeded
headers:
Retry-After: { schema: { type: integer } }Supply Chain Security
SBOM generation (CycloneDX/SPDX), SLSA framework implementation, artifact signing with Sigstore Cosign, dependency pinning, pre-commit secret detection with gitleaks, and SCA with Snyk.
Developer Experience
DORA metrics tracking (deployment frequency, lead time, MTTR), 5-minute onboarding rule, PR size limits (<400 lines), pre-commit/pre-push automation, and CI feedback loops under 10 minutes.
DevOps / CI-CD
7-stage DevSecOps pipelines, GitHub Actions workflows, SAST (CodeQL/Semgrep), DAST (OWASP ZAP), IaC scanning (Checkov), Policy as Code with OPA/Rego, and SLSA provenance.
Code Example
# 7-stage DevSecOps pipeline (GitHub Actions)
jobs:
sast:
steps:
- uses: github/codeql-action/analyze@v3
- run: semgrep --config=auto --sarif -o semgrep.sarif
deps-audit:
steps:
- run: npm audit --audit-level=high
- uses: snyk/actions/node@master
container-scan:
steps:
- uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ env.IMAGE_TAG }}'
severity: 'CRITICAL,HIGH'
exit-code: '1'
provenance:
needs: [sast, deps-audit, container-scan]
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2Agent Engineering
Multi-agent orchestration with LangGraph and CrewAI, MCP server integration, tool-use with pydantic schemas, memory management via vector stores, guardrails-as-infrastructure, and LLM-as-judge evaluation pipelines. Drawn from 286 repos including LangChain (133k★), dify (138k★), and AutoGen.
Code Example
# Typed agent tool with validated inputs (LangChain)
from langchain.tools import BaseTool
from pydantic import BaseModel, Field
class SearchInput(BaseModel):
query: str = Field(description="Semantic search query")
k: int = Field(default=5, ge=1, le=20)
class VectorSearchTool(BaseTool):
name = "vector_search"
description = "Semantic search over knowledge base"
args_schema = SearchInput
def _run(self, query: str, k: int = 5) -> list[dict]:
results = self.retriever.invoke(query, k=k)
return [{"content": r.page_content,
"score": r.metadata.get("score", 0)}
for r in results]Clean Architecture & Design Patterns
SOLID principles, DDD aggregates, ports-and-adapters (hexagonal), CQRS with event sourcing, repository and factory patterns, and system design at scale. From 78 repos including system-design-primer (283k★), java-design-patterns (93k★), and CleanArchitecture (19k★).
Code Example
// Hexagonal Architecture: ports define the domain boundary
// Port lives in domain — no framework imports
interface OrderRepository { // port
findById(id: OrderId): Promise<Order | null>;
save(order: Order): Promise<void>;
}
// Adapter lives in infrastructure
class PostgresOrderRepository implements OrderRepository {
async findById(id: OrderId) {
const row = await db.query(
'SELECT * FROM orders WHERE id = $1', [id.value]
);
return row ? OrderMapper.toDomain(row) : null;
}
}
// Application layer command — no DB dependency
class PlaceOrderHandler {
constructor(private readonly orders: OrderRepository) {}
async handle(cmd: PlaceOrderCommand): Promise<void> {
const order = Order.place(cmd.items, cmd.userId);
await this.orders.save(order);
}
}MLOps & Vector Engineering
Model serving with versioned endpoints, vector databases for RAG (Qdrant, Weaviate), pipeline orchestration with Apache Airflow, experiment tracking with MLflow, data drift detection, and feature store patterns. From 44 data/ML repos including Airflow (45k★) and Qdrant (21k★).
Code Example
# Qdrant: hybrid vector + metadata filtered search
from qdrant_client import QdrantClient
from qdrant_client.models import Filter, FieldCondition, Range
client = QdrantClient(url="http://localhost:6333")
results = client.search(
collection_name="knowledge_base",
query_vector=embedder.embed("API design best practices"),
query_filter=Filter(
must=[FieldCondition(
key="metadata.trust_score",
range=Range(gte=0.7)
)]
),
limit=10,
with_payload=True,
)
# results[0].payload["content"], results[0].scoreGitOps & Platform Engineering
Declarative infrastructure with ArgoCD and Flux, progressive delivery with canary deployments, internal developer portals, Argo Workflows for pipeline DAGs, and platform-as-product principles. Drawn from 56 DevOps/SRE repos including argo-cd (22k★) and argo-workflows (16k★).
Code Example
# ArgoCD Application — fully declarative GitOps deployment
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: structured-for-growth
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/org/k8s-manifests
targetRevision: main
path: apps/structured-for-growth
destination:
server: https://kubernetes.default.svc
namespace: production
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=trueMobile Security
OWASP Mobile Top 10 mitigations, certificate pinning, biometric authentication, secure local storage, anti-tampering checks, and automated static analysis with MobSF. Covers React Native, Flutter, and native iOS/Android patterns. Source: MobSF (17k★) and OWASP MASTG.
Code Example
// React Native: biometric auth before secure storage access
import * as SecureStore from 'expo-secure-store';
import * as LocalAuthentication from 'expo-local-authentication';
async function getTokenSecurely(key: string): Promise<string | null> {
const auth = await LocalAuthentication.authenticateAsync({
promptMessage: 'Authenticate to continue',
disableDeviceFallback: false,
cancelLabel: 'Cancel',
});
if (!auth.success) throw new Error('Biometric auth failed');
return SecureStore.getItemAsync(key, {
requireAuthentication: true,
keychainAccessible:
SecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
});
}Threat Modeling
STRIDE decomposition of every trust boundary, data-flow diagrams, attack-surface enumeration, abuse-case design, and a risk-ranked mitigation backlog tracked as engineering work — not a one-time document.
Applied in production: Fernhill and Vet-Rate each ship a STRIDE threat model with row-level security on every table and documented mitigations — modeled at design time, then re-run as the attack surface grows.
Red Team & Adversarial AI
Adversarial testing for LLM features: a prompt-injection attack corpus replayed in CI, dual-LLM privilege separation, output filtering, and the lethal-trifecta rule — private data, untrusted input, and external comms never share one context.
Applied in production: Vet-Rate gates every build with a red-team CI job that replays a corpus spanning 7 prompt-injection attack classes, backed by a dual-LLM split defense and a hash-chained, tamper-evident AI audit log.
Zero Trust Architecture
Never trust, always verify: per-request trust scoring, route-level micro-segmentation, step-up authentication below a risk threshold, short-lived tokens, and continuous signal-based evaluation instead of a one-time login gate.
Code Example
// Per-request trust score (0–100) from layered signals
function computeTrustScore(req) {
let score = 0;
const factors = [];
if (hasValidSession(req)) { score += 30; factors.push('session'); }
if (knownDevice(req)) { score += 20; factors.push('device'); }
if (expectedGeo(req)) { score += 15; factors.push('geo'); }
score += anomalyScore(req); // behavioural deviation
return { score: Math.min(score, 100), factors };
}
// Micro-segmentation: deny or step-up below the route threshold
if (computeTrustScore(req).score < ROUTE_MIN_TRUST) {
return requireStepUp(res); // not a one-time login gate
}Applied in production: this site's own zeroTrust.js middleware scores each request from session, device, and anomaly signals, then enforces route-level micro-segmentation — denying or stepping up when the score drops below threshold.
MCP Server Design
Model Context Protocol servers that expose tools to agents safely: typed tool schemas, least-privilege per-tool scopes, input validation at the boundary, structured error returns, and read/write separation so an agent can't exceed its mandate.
Code Example
# MCP tool: typed input, least-privilege, structured errors
@mcp.tool()
def query_control(framework: str, control_id: str) -> dict:
"""Read-only lookup of a single compliance control."""
if framework not in ALLOWED_FRAMEWORKS: # boundary validation
return {"error": "unknown framework", "code": "E_SCOPE"}
control = catalog.get(framework, control_id)
if control is None:
return {"error": "not found", "code": "E_404"}
return {"id": control.id, "text": control.text,
"family": control.family} # no write path exposedApplied in production: Midnight Agentic exposes 674 MCP tools across 94 specialized agents in an air-gapped orchestrator; Compliance-as-Code ships an OSCAL MCP server so an AI reviewer can query NIST and CMMC controls directly.
RAG & Retrieval Architecture
Retrieval that grounds answers in real sources: hybrid lexical + dense search, deliberate chunking, reranking, citation-backed responses, and retrieval-quality evaluation so the model answers from evidence rather than memory.
Code Example
# Hybrid retrieval: fuse BM25 lexical + dense, then rerank
def retrieve(query, k=10):
lexical = bm25.search(query, k=k * 3) # exact-term recall
dense = vectors.search(embed(query), k=k * 3) # semantic recall
fused = reciprocal_rank_fusion(lexical, dense)
ranked = trust_score(fused) # reliability of source
return ranked[:k] # grounded, cited contextApplied in production: TIP Toolkit runs a hybrid RAG pipeline — BM25 keyword search fused with sentence-transformer embeddings — and layers a trust-scoring pass so retrieved sources are ranked by reliability before they reach the model.
Token Optimization & Cost Routing
Treating inference cost as an engineering budget: route each request to the cheapest viable model by difficulty, cascade from cheap to expensive only on failure, compress context, and cache stable prefixes to cut spend without losing quality.
Code Example
# FrugalGPT-style cascade: escalate only when cheap output fails
def route(prompt):
load = score_cognitive_load(prompt) # 1–10: heuristic or ~$0.001 Haiku
for model in TIERS[tier_for(load):]: # cheapest viable model first
answer = model.complete(compress(prompt))
if passes_quality_gate(answer):
return answer # stop at first good-enough tier
return answer # top tier is the fallbackApplied in production: ORC scores each prompt's cognitive load on a 1–10 scale, maps it to one of five model tiers, and layers a FrugalGPT-style quality cascade, Haiku-based context compression, and ephemeral prompt caching — escalating to pricier models only when cheap output fails a quality check.
Agentic Testing & Evaluation
Verifying non-deterministic systems: LLM-as-judge scoring, golden-set regression suites, deterministic tool-call unit tests, eval gates wired into CI, and adversarial corpora that must pass before a change can merge.
Applied in production: Vet-Rate wires an adversarial eval corpus into a merge-blocking CI gate, while ORC backs its routing logic with a Vitest suite so a quality-cascade change can't ship without passing deterministic cost-and-correctness checks.
SaaS Payments
Marketplace-grade payments: Stripe Connect for multi-party payouts, webhook idempotency, PCI-conscious tokenization (no raw card data on your servers), dunning and proration logic, and reconciliation against the ledger.
Applied in production: Fernhill runs Stripe Connect Express payouts for event fees and memberships; Minstrel.me pairs Stripe Connect with DDEX distribution to route 100% of revenue to artists.
Portfolio Evidence
Engineering excellence is measurable. Here's what systematic standards look like in practice.
Before → After
Grade Distribution
Project Scorecard
All 17 projects evaluated against the same rubric. Filter by grade, sort by column.
| Project | Stack | Tests | CI | Hooks | Grade |
|---|
Showing 17 projects
Grading Rubric
What it takes to earn each grade tier — objective, measurable, reproducible.
- Tests present (unit + integration or E2E)
- CI/CD pipeline with full test matrix
- Pre-commit hooks (lint, format, type-check)
- Security scanning (SAST + DAST or npm audit)
- Accessibility testing automated
- Semantic versioning + CHANGELOG
- ADRs and comprehensive documentation
- SBOM generation + SLSA provenance
- Structured logging / observability
- Tests present (unit or integration)
- CI pipeline (lint + test)
- Pre-commit hooks
- Security: npm audit + dependency pinning in CI
- README with setup instructions
- Semantic commits
- Basic structured logging
- Some tests present
- Basic CI (lint or test, not both)
- No pre-commit hooks
- README present
- .gitignore properly configured
- Minimal or no tests
- No CI pipeline
- Basic documentation only
- Working code, poor automation
- No tests
- No CI/CD
- Missing or minimal docs
- No pre-commit automation
- No tests, no CI, no docs
- Secrets potentially in version control
- No .gitignore
- Uncommitted changes or broken build
Engineering Excellence, Built In
Every project in this portfolio was built to these standards. Not aspirationally — actually. Let's bring the same systematic discipline to yours.
Get in Touch