Enterprise Example
Complete enterprise PromptScript deployment with central governance.
Architecture
flowchart TB
subgraph Central["Central Registry (GitHub)"]
org["@acme/base<br/>Organization standards"]
sec["@acme/security<br/>Security policies"]
comp["@acme/compliance<br/>Compliance rules"]
end
subgraph Teams["Team Registries"]
fe["@acme/frontend"]
be["@acme/backend"]
mobile["@acme/mobile"]
data["@acme/data"]
end
subgraph Projects["100+ Projects"]
p1["web-app"]
p2["api-gateway"]
p3["mobile-app"]
p4["data-pipeline"]
end
org --> fe
org --> be
org --> mobile
org --> data
sec --> fe
sec --> be
sec --> mobile
sec --> data
comp --> fe
comp --> be
fe --> p1
be --> p2
mobile --> p3
data --> p4
Central Registry
Repository Structure
acme-promptscript-registry/
├── README.md
├── CHANGELOG.md
├── CODEOWNERS
├── @acme/
│   ├── base.prs          # Organization base
│   ├── security.prs      # Security standards
│   └── compliance.prs    # Compliance (SOC2, GDPR)
├── @frontend/
│   ├── base.prs          # Frontend team base
│   ├── react.prs         # React-specific
│   └── vue.prs           # Vue-specific
├── @backend/
│   ├── base.prs          # Backend team base
│   ├── node.prs          # Node.js
│   └── python.prs        # Python
├── @mobile/
│   ├── base.prs
│   ├── ios.prs
│   └── android.prs
├── @data/
│   └── base.prs
└── @fragments/
    ├── testing.prs
    ├── documentation.prs
    └── ci-cd.prs
acme/base.prs
@meta {
id: "@acme/base"
syntax: "1.0.0"
org: "ACME Corporation"
}
@identity {
"""
You are an AI coding assistant at ACME Corporation.
## Core Values
- **Quality First**: Write production-ready code
- **Security Always**: Security is not optional
- **User Focus**: Consider the end user
- **Team Player**: Write code others can maintain
## Standards
Follow ACME Engineering Standards v3.0
(https://wiki.acme.com/engineering-standards)
"""
}
@standards {
code: {
review: {
required: true
minApprovers: 2
}
documentation: {
publicApi: required
inlineComments: "for complex logic"
}
testing: {
required: true
coverage: 80
}
}
git: {
conventionalCommits: true
branchNaming: "type/TICKET-description"
signedCommits: required
}
deployment: {
environments: ["dev", "staging", "prod"]
approvals: {
prod: ["team-lead", "security"]
}
}
}
@restrictions {
- "Never commit secrets, credentials, or API keys"
- "Never bypass code review for production changes"
- "Never deploy without passing CI/CD"
- "Never ignore security scanner findings"
- "Never use deprecated dependencies with known CVEs"
- "Never store PII in logs"
}
@shortcuts {
"/standards": "Review against ACME standards"
"/security": "Security review"
"/perf": "Performance review"
}
acme/security.prs
@meta {
id: "@acme/security"
syntax: "1.0.0"
}
@identity {
"""
Apply ACME security standards to all code.
Security is everyone's responsibility.
"""
}
@standards {
authentication: {
method: "OAuth 2.0 / OIDC"
mfa: {
required: true
methods: ["TOTP", "WebAuthn"]
}
session: {
timeout: 3600
refreshToken: true
}
}
authorization: {
model: "RBAC with ABAC extensions"
principle: "least privilege"
audit: required
}
dataProtection: {
encryption: {
atRest: "AES-256"
inTransit: "TLS 1.3"
}
pii: {
masking: required
retention: "per data classification"
}
}
dependencies: {
scanning: "daily"
vulnerabilities: {
critical: "block deployment"
high: "fix within 7 days"
medium: "fix within 30 days"
}
}
secrets: {
storage: "HashiCorp Vault"
rotation: "90 days"
neverInCode: true
}
}
@restrictions {
- "Never store passwords in plain text"
- "Never log sensitive data (passwords, tokens, PII)"
- "Never use MD5 or SHA1 for security purposes"
- "Never disable TLS certificate verification"
- "Never use eval() or similar unsafe functions"
- "Never trust user input without validation"
- "Never expose stack traces in production"
- "Always use parameterized queries (no SQL concatenation)"
- "Always validate and sanitize file uploads"
- "Always implement rate limiting for APIs"
}
@knowledge {
"""
## Security Resources
- Security Guidelines: https://wiki.acme.com/security
- Incident Response: https://wiki.acme.com/incident-response
- Security Training: https://learn.acme.com/security
- Bug Bounty: https://hackerone.com/acme
## Contacts
- Security Team: security@acme.com
- Incident Hotline: +1-800-SEC-ACME
- Slack: #security-help
"""
}
@shortcuts {
"/threat-model": "Help create a threat model"
"/vuln-check": "Check for common vulnerabilities"
"/secure-code": "Review code for security issues"
}
acme/compliance.prs
@meta {
id: "@acme/compliance"
syntax: "1.2.0"
}
@identity {
"""
Ensure code meets ACME compliance requirements.
We are SOC 2 Type II and GDPR compliant.
"""
}
@standards {
soc2: {
logging: {
required: true
retention: "1 year"
tamperProof: true
}
accessControl: {
documented: true
reviewed: "quarterly"
}
changeManagement: {
documented: true
approved: true
tested: true
}
}
gdpr: {
dataMinimization: true
purposeLimitation: true
consentManagement: required
rightToErasure: required
dataPortability: required
breachNotification: "72 hours"
}
pci: {
applicable: "payment services only"
cardDataStorage: "never store full PAN"
encryption: required
}
}
@restrictions {
- "Never process data beyond stated purpose"
- "Never retain data longer than necessary"
- "Always document data processing activities"
- "Always provide data subject rights mechanisms"
- "Never transfer data to non-approved regions"
}
@knowledge {
"""
## Compliance Resources
- Compliance Portal: https://compliance.acme.com
- Data Classification: https://wiki.acme.com/data-classification
- Privacy Policy: https://acme.com/privacy
## Data Classification
- **Public**: Marketing materials, public docs
- **Internal**: Internal communications, non-sensitive
- **Confidential**: Business data, customer info
- **Restricted**: PII, financial data, credentials
## Regional Requirements
- EU: GDPR compliance required
- California: CCPA compliance required
- Healthcare: HIPAA where applicable
"""
}
frontend/base.prs
@meta {
id: "@frontend/base"
syntax: "3.0.0"
team: "Frontend Platform"
}
@inherit @acme/base
@use @acme/security
@use @acme/compliance
@identity {
"""
You are a frontend developer at ACME.
## Expertise
- Modern JavaScript/TypeScript
- React ecosystem
- Web performance optimization
- Accessibility (WCAG 2.1 AA)
- Design systems
"""
}
@context {
"""
## Frontend Platform Stack
- **Framework**: React 18
- **Language**: TypeScript 5
- **Build**: Vite 5
- **Styling**: TailwindCSS + @acme/design-tokens
- **State**: React Query + Zustand
- **Testing**: Vitest + Testing Library + Playwright
- **Components**: @acme/ui (shared design system)
## Architecture
- Feature-based folder structure
- Micro-frontends for large apps
- Module federation for sharing
- API client generation from OpenAPI
## Key Resources
- Design System: https://design.acme.com
- Component Library: https://ui.acme.com
- Frontend Wiki: https://wiki.acme.com/frontend
"""
}
@standards {
code: {
framework: "React 18+"
language: "TypeScript (strict mode)"
components: {
style: "functional"
patterns: ["hooks", "composition"]
}
state: {
server: "React Query"
client: "Zustand (when needed)"
}
styling: {
method: "TailwindCSS"
designTokens: "@acme/design-tokens"
}
}
performance: {
bundleSize: {
initial: "< 200KB gzipped"
lazy: "per-route code splitting"
}
coreWebVitals: {
lcp: "< 2.5s"
fid: "< 100ms"
cls: "< 0.1"
}
}
accessibility: {
standard: "WCAG 2.1 AA"
testing: {
automated: "axe-core"
manual: "required for new features"
}
requirements: [
"keyboard navigation",
"screen reader support",
"color contrast",
"focus management"
]
}
testing: {
unit: {
framework: "Vitest"
coverage: 80
}
integration: {
framework: "Testing Library"
coverage: "critical paths"
}
e2e: {
framework: "Playwright"
coverage: "happy paths"
}
}
}
@restrictions {
- "Never use class components"
- "Never use any type without documentation"
- "Never ignore accessibility requirements"
- "Never skip loading/error states"
- "Never hardcode URLs or config values"
- "Never use inline styles (use Tailwind)"
}
@shortcuts {
"/component": """
Create a new React component with:
- TypeScript interface for props
- Unit tests
- Storybook story
- Accessibility considerations
"""
"/hook": "Create a custom React hook with tests"
"/test": """
Write tests using:
- Vitest for unit tests
- Testing Library for integration
- Proper mocking patterns
"""
"/a11y": "Review for accessibility issues"
"/perf": "Review for performance issues"
}
Project Configuration
Example Project
# checkout-app/promptscript/project.prs
@meta {
id: "checkout-app"
syntax: "2.1.0"
}
@inherit @frontend/base
@context {
project: "Checkout Application"
repository: "github.com/acme/checkout-app"
team: "Commerce"
productOwner: "Jane Smith"
techLead: "John Doe"
"""
## Overview
Multi-step checkout flow for ACME e-commerce platform.
Handles cart review, shipping, payment, and confirmation.
## Key Integrations
- Payment: Stripe Elements
- Shipping: ShipEngine API
- Tax: Avalara
- Analytics: Segment + Mixpanel
## Architecture
- Micro-frontend (Module Federation)
- Shared shell: @acme/commerce-shell
- Feature flags: LaunchDarkly
"""
}
@extend standards {
payment: {
provider: "Stripe"
pciCompliance: true
neverStoreCardData: true
}
}
@knowledge {
"""
## API Endpoints
### Cart Service (cart.acme.com)
- GET /cart - Get current cart
- PUT /cart/items/:id - Update item
- DELETE /cart/items/:id - Remove item
### Checkout Service (checkout.acme.com)
- POST /checkout/start - Initialize checkout
- PUT /checkout/:id/shipping - Set shipping
- PUT /checkout/:id/payment - Process payment
- POST /checkout/:id/complete - Complete order
## Feature Flags
- checkout-apple-pay: Apple Pay integration
- checkout-express: One-click checkout
- checkout-affirm: Affirm financing
## Error Codes
- CART_EMPTY: Cart has no items
- SHIPPING_UNAVAILABLE: Cannot ship to address
- PAYMENT_DECLINED: Payment failed
- INVENTORY_ERROR: Item out of stock
"""
}
@shortcuts {
"/checkout-flow": "Help with checkout flow implementation"
"/payment": "Help with Stripe payment integration"
"/shipping": "Help with shipping calculation"
"/cart": "Help with cart management"
}
Project Config
# checkout-app/promptscript.yaml
input:
  entry: promptscript/project.prs
registry:
  url: https://github.com/acme/promptscript-registry
  auth:
    token: ${GITHUB_TOKEN}
targets:
  github:
    enabled: true
    output: .github/copilot-instructions.md
  claude:
    enabled: true
    output: CLAUDE.md
  cursor:
    enabled: true
    output: .cursor/rules/project.mdc
validation:
  strict: true
  rules:
    require-knowledge: warning
watch:
  debounce: 300
Governance
CODEOWNERS
# Registry CODEOWNERS
* @acme/platform-team
# Organization base requires security review
@acme/base.prs @acme/security-team @acme/platform-team
@acme/security.prs @acme/security-team
@acme/compliance.prs @acme/compliance-team @acme/legal
# Team bases require team lead approval
@frontend/ @acme/frontend-leads
@backend/ @acme/backend-leads
@mobile/ @acme/mobile-leads
PR Template
## PromptScript Registry Change
### Type
- [ ] Organization policy update
- [ ] Team configuration update
- [ ] New fragment
- [ ] Bug fix
### Breaking Change?
- [ ] Yes - includes migration guide
- [ ] No
### Checklist
- [ ] Updated version in @meta
- [ ] Added CHANGELOG entry
- [ ] Tested with sample project
- [ ] Notified affected teams
CI/CD
Registry CI
# .github/workflows/registry-ci.yml
name: Registry CI
on:
  push:
    branches: [main]
  pull_request:
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install PromptScript
        run: npm install -g @promptscript/cli
      - name: Validate all files
        run: |
          for file in $(find . -name "*.prs"); do
            echo "Validating $file..."
            prs validate "$file" --strict
          done
      - name: Check for circular dependencies
        run: ./scripts/check-circular-deps.sh
  test-projects:
    runs-on: ubuntu-latest
    needs: validate
    strategy:
      matrix:
        project: [sample-frontend, sample-backend, sample-mobile]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@v4
        with:
          repository: acme/${{ matrix.project }}
          path: test-project
      - name: Install PromptScript
        run: npm install -g @promptscript/cli
      - name: Compile test project
        working-directory: test-project
        run: prs compile
        env:
          PROMPTSCRIPT_REGISTRY: ${{ github.workspace }}
Project CI
# Project .github/workflows/promptscript.yml
name: PromptScript
on:
  push:
    paths:
      - 'promptscript/**'
      - 'promptscript.yaml'
  pull_request:
    paths:
      - 'promptscript/**'
      - 'promptscript.yaml'
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install PromptScript
        run: npm install -g @promptscript/cli
      - name: Validate
        run: prs validate --strict
        env:
          GITHUB_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
      - name: Ensure compiled files are up to date
        run: |
          prs compile
          if ! git diff --exit-code; then
            echo "::error::Generated files are out of date"
            echo "Run 'prs compile' and commit the changes"
            exit 1
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
Metrics & Monitoring
Adoption Dashboard
Track across the organization:
# metrics-config.yaml
metrics:
  - name: projects_with_promptscript
    query: count(repos with promptscript.yaml)
  - name: registry_update_frequency
    query: commits per week to registry
  - name: validation_error_rate
    query: CI failures due to promptscript validation
  - name: average_inheritance_depth
    query: avg(@inherit chain length)
Best Practices Summary
Organization Base
Keep @acme/base focused on universal policies that apply everywhere.
Security Integration
Always @use @acme/security in team bases, never skip security.
Version Management
Tag registry releases and pin versions in production projects.
Breaking Changes
Major version bumps require migration guides and team notification.
Review Process
All registry changes need appropriate CODEOWNER approval.
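The Registry CI workflow calls ./scripts/check-circular-deps.sh without showing it, and the Security Integration rule requires every team base to pull in @acme/security. The following Node.js code is an added example, not part of PromptScript or of this page's registry, that checks both over the @inherit/@use graph. The directive regex, the rule that a team base is any id ending in /base outside @acme, and the sample sources are assumptions made for the example.

```javascript
// Added example: policy checks over a registry's @inherit/@use graph.
// Assumed directive shape: "@inherit @scope/name" or "@use @scope/name" at line start.
const DIRECTIVE = /^\s*@(inherit|use)\s+(@[\w-]+\/[\w.\/-]+)/gm;

// Map each file id to the ids it pulls in. Triple-quoted text blocks are
// stripped first so prose that mentions "@use ..." is not counted.
function buildGraph(sources) {
  const graph = new Map();
  for (const [id, text] of Object.entries(sources)) {
    const code = text.replace(/"""[\s\S]*?"""/g, '');
    graph.set(id, [...code.matchAll(DIRECTIVE)].map((m) => m[2]));
  }
  return graph;
}

// Depth-first search; returns the first cycle found as a path, or null.
function findCycle(graph, ids = graph.keys(), path = [], done = new Set()) {
  for (const id of ids) {
    if (path.includes(id)) return path.slice(path.indexOf(id)).concat(id);
    if (done.has(id)) continue;
    const cycle = findCycle(graph, graph.get(id) || [], path.concat(id), done);
    if (cycle) return cycle;
    done.add(id);
  }
  return null;
}

// Team bases that never reach `required`, directly or through inheritance.
function missingPolicy(graph, required) {
  const reaches = (id, seen) => {
    if (id === required) return true;
    if (seen.has(id)) return false;
    seen.add(id);
    return (graph.get(id) || []).some((dep) => reaches(dep, seen));
  };
  // Assumption: a team base is any id ending in /base outside the @acme scope.
  const isTeamBase = (id) => id.endsWith('/base') && !id.startsWith('@acme/');
  return [...graph.keys()].filter((id) => isTeamBase(id) && !reaches(id, new Set()));
}

// Constructed sample registry (not the page's files). @backend/base only
// mentions the security policy inside a text block, so it must be flagged.
const SAMPLE = {
  '@acme/base': '@meta { id: "@acme/base" }',
  '@frontend/base': '@inherit @acme/base\n@use @acme/security\n@use @acme/compliance',
  '@backend/base': '@inherit @acme/base\n@knowledge {\n"""\n@use @acme/security is mandatory\n"""\n}',
  '@mobile/base': '@inherit @frontend/base',
};
```

In CI, build `sources` from the registry's .prs files and fail the job when `findCycle` returns a path or `missingPolicy` returns a non-empty list.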
Rollout Timeline
| Phase | Duration | Goals |
|---|---|---|
| Pilot | 4 weeks | 3 teams, feedback collection |
| Team Rollout | 8 weeks | All teams onboarded |
| Mandatory | Ongoing | Required for new projects |
| Full Migration | 6 months | All existing projects migrated |