Capture security and privacy implications

Related rules

From the same buckets as this rule.

• Critical

  Require an ADR for any architectural or cross-team decision

  For changes that affect architecture, data models, external APIs, security posture, deployment topology, or cost (>10%), create an ADR in docs/adr/ using the standard template (Context, Decision, Consequences) and link the PR and issue IDs.

  docs-adrsmodule-architecture+1
• High

  Call out breaking changes explicitly

  If an API/contract or behavior is breaking, add a 'BREAKING CHANGE' section detailing what breaks, migration steps, and affected consumers.

  pr-hygieneapi-contracts-versioning+1
• High

  De-identify analytics and block PHI egress to third parties

  Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.

  compliance-hipaaprivacy-pii+2