## ADDED Requirements

### Requirement: System architecture document

The system SHALL include a document (`docs/engineering/02-architecture.md`) that describes the full system architecture: components, their responsibilities, how they communicate, and the deployment topology.

#### Scenario: Component diagram present

- **WHEN** a new engineer reads 02-architecture.md
- **THEN** they SHALL find an ASCII or Mermaid component diagram showing all major components (API server, PostgreSQL, Redis, Vault, OPA, Web Dashboard, Prometheus, Grafana) and their connections

#### Scenario: Request lifecycle explained

- **WHEN** a new engineer reads 02-architecture.md
- **THEN** they SHALL understand how an incoming HTTP request flows from client → Express router → middleware chain → controller → service → repository → database and back

#### Scenario: Data flow for authentication described

- **WHEN** a new engineer reads 02-architecture.md
- **THEN** they SHALL understand the OAuth 2.0 Client Credentials flow: client presents credentials → token service validates → Redis checked for existing token → JWT signed and returned

#### Scenario: Deployment topology covered

- **WHEN** a new engineer reads 02-architecture.md
- **THEN** they SHALL understand the multi-region deployment model (US, EU, APAC) and how Terraform provisions it

### Requirement: Technology stack and ADR document

The system SHALL include a document (`docs/engineering/03-tech-stack.md`) that lists every technology in the stack and explains why it was chosen over alternatives.

#### Scenario: Every major technology documented with rationale

- **WHEN** a new engineer reads 03-tech-stack.md
- **THEN** they SHALL find an entry for each technology (Node.js 18, TypeScript 5.3, Express 4.18, PostgreSQL 14, Redis 7, HashiCorp Vault, OPA, React 18, Vite 5, Prometheus, Grafana, Terraform) with: what it does in the system, why it was chosen, and what was considered but rejected

#### Scenario: TypeScript strict mode rationale explained

- **WHEN** a new engineer reads 03-tech-stack.md
- **THEN** they SHALL understand why strict mode is mandatory (safety, correctness, no implicit any) and what the consequences of violating it are

#### Scenario: PostgreSQL vs Redis responsibility boundary clear

- **WHEN** a new engineer reads 03-tech-stack.md
- **THEN** they SHALL understand what is stored in PostgreSQL (persistent state: agents, credentials, audit logs) vs Redis (ephemeral state: active tokens, rate limit counters)