Universal Software Quality Framework (USQF) v7.1

A 26-pillar, 53,000-word standards document covering OWASP, NIST SSDF, ISO 25010, WCAG 2.2 AA, CWE Top 25, and Build-Gate v2. Derived from real production incidents. The standards foundation behind every Reviewwise bundle.

The 26 pillars

  1. Pillar 1 — Code Quality: Maintainability, readability, and structural quality standards.
  2. Pillar 2 — Security: OWASP Top 10, CWE Top 25, NIST SSDF compliance.
  3. Pillar 3 — Testing: Unit, integration, and end-to-end test coverage standards.
  4. Pillar 4 — Error Handling: Structured error taxonomy, RFC 9457 problem details.
  5. Pillar 5 — Accessibility: WCAG 2.2 AA compliance, keyboard navigation, screen reader support.
  6. Pillar 6 — Data Integrity: FK constraints, optimistic locking, schema validation.
  7. Pillar 7 — Observability: Structured logging, distributed tracing, error monitoring.
  8. Pillar 8 — API Design: REST/tRPC standards, versioning, pagination, OpenAPI spec.
  9. Pillar 9 — Database: Schema design, migration safety, query performance.
  10. Pillar 10 — CI/CD: Build gates, automated testing, deployment pipelines.
  11. Pillar 11 — SEO: Crawlability, structured data, canonical URLs, sitemap.
  12. Pillar 12 — Core Web Vitals: LCP < 2.5s, INP < 200ms, CLS < 0.1.
  13. Pillar 13 — Design System: Design tokens, component patterns, no raw hex colors.
  14. Pillar 14 — Documentation: API docs, JSDoc, README, architecture decisions.
  15. Pillar 15 — Dependency Management: Audit, Dependabot, license compliance.
  16. Pillar 16 — Configuration: Environment variables, secrets management, 12-factor app.
  17. Pillar 17 — Performance: Caching, compression, lazy loading, bundle optimization.
  18. Pillar 18 — Resilience: Retry logic, circuit breakers, graceful degradation.
  19. Pillar 19 — Compliance: GDPR, data retention, privacy policy, terms of service.
  20. Pillar 20 — Monitoring: Uptime monitoring, alerting, SLA tracking.
  21. Pillar 21 — Backup & Recovery: Backup strategy, RTO/RPO targets, restore testing.
  22. Pillar 22 — Incident Response: Runbook, escalation paths, post-mortem process.
  23. Pillar 23 — Threat Modeling: STRIDE-lite per-feature threat assessment.
  24. Pillar 24 — Supply Chain: SBOM, dependency provenance, CycloneDX.
  25. Pillar 25 — Design Governance: Design system, token drift ratchet, component audit.
  26. Pillar 26 — Build Identity: Monotonic build versioning, stamp guard, deployment sync.

Build-Gate v2

Build-Gate v2 is the mandatory CI enforcement mechanism introduced in USQF v7.0. It defines 10 blocking gates that must all pass before a build is considered production-ready:

  1. TypeScript strict mode — zero errors
  2. ESLint — zero warnings
  3. Vitest — all tests passing at 80% coverage threshold
  4. Dependency audit — no high/critical vulnerabilities
  5. Production build — must complete without errors
  6. Stamp guard — build identity must be real (no placeholder values)
  7. Secret scan — Gitleaks, no secrets in source
  8. SBOM generation — CycloneDX on release tags
  9. Commitlint — Conventional Commits on all PRs
  10. Design token drift ratchet — no unauthorized token changes

Lessons Learned register

L-01 — SPA crawlability
Client-side-only React SPAs return empty HTML to crawlers. All marketing pages must have server-rendered body content.
L-02 — Build identity drift
Without a stamped build identity, deployed versions cannot be traced. Pillar 26 requires monotonic versioning at every deploy.
L-03 — Console.log in production
Unstructured console.log leaks internal state. All server logging must use a structured logger (Pino) with namespace and level.
L-04 — Missing FK constraints
Relational columns without FK references() allow orphaned records. All foreign keys must be declared in the schema.
L-05 — Placeholder meta tags
Verification tokens left as GOOGLE_VERIFICATION_CODE block Search Console indexing. Real tokens must be in place before launch.
L-06 — No coverage threshold
Tests without a coverage gate can pass at 0% coverage. An 80% threshold must be enforced in CI.
L-07 — Inline footers
Duplicated footer HTML across 6 pages creates maintenance debt. A shared Footer component is required.
L-08 — Static sitemap
A static sitemap.xml goes stale as pages are added. The sitemap must be generated server-side from the route registry.
L-09 — Missing OpenAPI spec
An undocumented REST API cannot be integrated by third parties. An OpenAPI 3.1 spec must be served at /api/openapi.json.
L-10 — No STRIDE-lite threat model
Features without a threat model have unknown attack surface. Every integration must have a STRIDE-lite assessment in INTEGRATIONS_REGISTER.md.
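The stamp guard from Build-Gate v2 (gate 6) together with the monotonic versioning rule of Pillar 26 and L-02, as an added TypeScript example; this is not Reviewwise's own code, and the stamp fields (version, commit, builtAt), the placeholder list and the semver-only version format are assumptions made for illustration.

```typescript
// Added example (not Reviewwise's own code): a Build-Gate "stamp guard" that
// rejects placeholder build identity and enforces monotonic versioning.
// ASSUMPTION: stamp layout, placeholder list and semver-only versions are
// illustrative choices, not something the USQF document specifies.
interface BuildStamp {
  version: string; // semver "MAJOR.MINOR.PATCH"
  commit: string;  // full 40-hex git commit sha
  builtAt: string; // ISO-8601 build timestamp
}
type Semver = [number, number, number];

// Values scaffolding and templates commonly leave behind (assumed list).
const PLACEHOLDERS: ReadonlySet<string> = new Set([
  "", "0.0.0", "unknown", "dev", "local", "TODO", "__VERSION__", "__COMMIT__",
]);

function parseSemver(v: string): Semver | null {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a: Semver, b: Semver): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns every gate failure; an empty array means the stamp guard passes.
// previousVersion is the version currently deployed (null on first deploy).
function stampGuard(stamp: BuildStamp, previousVersion: string | null): string[] {
  const failures: string[] = [];
  for (const [field, value] of Object.entries(stamp)) {
    if (PLACEHOLDERS.has(value.trim())) failures.push(`${field} is a placeholder: "${value}"`);
  }
  const cur = parseSemver(stamp.version);
  if (!cur) failures.push(`version is not semver: "${stamp.version}"`);
  if (!/^[0-9a-f]{40}$/.test(stamp.commit)) failures.push("commit is not a full 40-hex git sha");
  if (Number.isNaN(Date.parse(stamp.builtAt))) failures.push("builtAt is not a valid timestamp");
  if (cur && previousVersion !== null) {
    const prev = parseSemver(previousVersion);
    if (prev && compareSemver(cur, prev) <= 0) {
      failures.push(`version ${stamp.version} does not advance past deployed ${previousVersion}`);
    }
  }
  return failures;
}

// Constructed sample stamps (not real builds): one valid, one left at scaffold defaults.
const GOOD_STAMP: BuildStamp = { version: "1.4.2", commit: "3f2a9c1d7e5b4a6f8c0d1e2f3a4b5c6d7e8f9a0b", builtAt: "2024-05-01T12:00:00Z" };
const SCAFFOLD_STAMP: BuildStamp = { version: "0.0.0", commit: "__COMMIT__", builtAt: "unknown" };
console.log(stampGuard(GOOD_STAMP, "1.4.1"), stampGuard(SCAFFOLD_STAMP, null));
```

In a pipeline the non-empty failure list is what fails the gate, so the same check blocks both an unstamped build and a deploy that would silently roll the version backwards.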

Reviewwise bundles are built on this framework

Every Reviewwise code review bundle maps directly to one or more USQF v7.1 pillars. When you use Reviewwise, you're applying the same standards framework used to build and audit the product itself.
