MIT LICENSED · ENGINEERING METHODOLOGY

Pre-Engineering Framework

Threat vectors registered before sprint one. The 106-issue methodology in 11 categories. Severity taxonomy, sprint ordering by dependency, application to any enterprise system.

Part of the charleskjohnson.com governance framework
THE PRINCIPLE

Enterprise systems that handle material data fail in a predictable pattern: not from a single catastrophic bug, but from the slow accumulation of small undetected issues that compound until the system can no longer be trusted to produce accurate outputs. Each issue is individually trivial. The aggregate is fatal.

The pattern is not "use AI to write code faster." The pattern is: register the threat vectors at specification time, then build with discipline that matches the threat profile. The pre-engineering issue register is the artifact that makes the discipline operational.

This is not vibe coding. This is systems design with a clear understanding of threat vectors. The 106-issue register is not the artifact. The methodology is the artifact.
THE 11 CATEGORIES

Threat vectors organize into eleven categories. Each enterprise system will have its own distribution; the categories themselves are stable.

THREAT VECTOR CATEGORIES
CAT 01
Schema
Data model integrity. Foreign key validity. Nullability. Default values. Constraints. Migration safety.
CAT 02
Authentication
Identity verification at every entry point. Session lifecycle. Credential storage. Cross-system identity propagation.
CAT 03
Authorization / Permissions
Permission scopes. Row-level access. Cross-tenant isolation. Privilege escalation surfaces. Default-deny vs. default-allow boundaries.
CAT 04
Business logic — commission / scoring
The financial / ranking logic that the system exists to compute. Edge cases. Tie-breaking. Retroactive recomputation.
CAT 05
Business logic — quota / attainment
Aggregation rules. Time-window handling. Adjustments. Overrides. Audit trail of changes.
CAT 06
Concurrency
Race conditions. Optimistic vs. pessimistic locking. Idempotency. Replay safety. Distributed consistency.
CAT 07
Data integrity
Referential consistency. Soft-delete vs. hard-delete. Orphan detection. Cascade behavior. Backup completeness.
CAT 08
Audit
Action attribution. Immutable event log. Query surface for compliance. Retention policy. Tamper detection.
CAT 09
Performance
Query plans at scale. Index strategy. Pagination. Caching invalidation. Background job throughput.
CAT 10
Observability
Metrics. Structured logs. Trace correlation. Alert thresholds. Dashboard coverage. Failure-mode visibility.
CAT 11
Operational handoff
Runbooks. On-call playbook. Recovery procedures. Migration cutover. Decommissioning steps. Documentation completeness.
SEVERITY TAXONOMY

Each registered issue gets a severity classification. The taxonomy is three-tier:

Severity Definition Sprint behavior
BLOCKER If this issue is not resolved before sprint one starts, the system cannot be safely operated regardless of feature completeness. Resolved first. No feature work begins until all blockers clear.
CRITICAL If this issue is not resolved before launch, the system will degrade in production in a way that erodes trust. Sprint priority above features. Tracked to launch gate.
STANDARD Known issue with a defined remediation path. Acceptable to ship and remediate post-launch with explicit tracking. Backlog ordered by dependency. Visible in roadmap.
SPRINT ORDERING

Sprint ordering is determined by dependency graph, not by feature priority. The register identifies which issues block which features, and the resolution sequence honors the graph.

  1. All blockers, in dependency order. If blocker A enables blocker B, A is resolved first.
  2. Foundational schema / auth / permissions critical issues. These are the backbone that subsequent work assumes.
  3. Business logic critical issues. Once the foundation is sound, the value-creating logic can be built against it.
  4. Feature work, in priority order. Standard-severity issues are interleaved with feature work, with explicit tracking.
  5. Performance / observability hardening. Late-sprint, once feature surface is stable.
APPLICATION TO ANY ENTERPRISE SYSTEM

The methodology applies to any enterprise system that handles material data — financial systems, sales platforms, clinical systems, compliance tooling, decision-support engines. The categories may need adaptation (e.g., a healthcare system adds Privacy as its own category), but the structure is portable.

The threat-vector count is not fixed. A small system might have 30. A large system might have 250. The right count is whatever produces a register that the engineering team trusts as a complete enumeration of what could go wrong.

THE DISCIPLINE
  1. Before the first sprint: enumerate threat vectors by category.
  2. Classify each by severity (Blocker / Critical / Standard).
  3. Build dependency graph linking issues to features.
  4. Clear all blockers first, before feature work begins.
  5. Order remaining work by dependency, not by feature priority alone.
  6. Track resolution against the register; the register is the source of truth, not the project board.
  7. Add newly discovered issues to the register with the same discipline; never let unstructured "small fixes" accumulate.

The cost is the up-front work. The return is the absence of the v5 failure pattern.