Archetypes
Three ready-made contracts for the most common engagement types. Copy the archetype closest to your situation and edit the fields that need to change. Remove the _comment field before use.
The same files live in demos/ticketyboo/contracts/ in the ticketyboo.dev repository and are served by the API at GET /v1/archetypes.
1. free_tier_python
For any AWS serverless Python project that must stay within AWS Free Tier. The strictest cost constraints — no NAT gateways, no RDS, no Secrets Manager, no KMS CMKs. Uses SSM Parameter Store for all secrets. GDPR applied.
Use when: Solo projects, startup MVPs, demo environments, ticketyboo.dev itself.
```json
{
  "contract_version": "1.0",
  "project": "my-python-project",
  "parties": {"client": "your-name", "contractor": "claude-code"},
  "stack": {
    "language": "python", "language_version": "3.12",
    "runtime": "aws_lambda", "region": "eu-north-1",
    "forbidden_services": ["ec2", "fargate", "rds", "lightsail"]
  },
  "architecture": {
    "required_patterns": ["single_table_dynamodb", "handler_delegates_to_domain"],
    "forbidden_patterns": ["fat_handler", "orm_layer"],
    "module_boundaries": {"handler.py": "routing_only", "db.py": "data_access_only"}
  },
  "cost": {
    "budget_envelope": "aws_free_tier",
    "forbidden_resources": [
      "nat_gateway", "rds", "secrets_manager", "kms_cmk", "elastic_ip"
    ]
  },
  "security": {
    "auth_mechanism": "cognito_jwt",
    "secrets_store": "ssm_parameter_store",
    "forbidden_secrets_locations": ["env_vars", "source_code", "config_files"],
    "owasp_compliance": true, "production_deploy_gate": true
  },
  "quality": {
    "type_hints": "required", "docstrings": "public_only",
    "test_coverage_min": 80, "logging_standard": "module_logger_only",
    "forbidden_patterns": ["print_statements", "bare_except"]
  },
  "compliance": {"frameworks": ["gdpr"], "right_to_erasure": "hard_delete_only"},
  "audit": {"evidence_required": true, "evidence_signed": true, "pr_comment_required": true},
  "definition_of_done": {
    "tests_pass": true, "no_contract_violations": true,
    "coverage_met": true, "evidence_generated": true,
    "scan_gates": [
      {"category": "secret", "severity": "critical", "blocking": true},
      {"category": "sast", "severity": "high", "blocking": true},
      {"category": "dependency", "severity": "critical", "blocking": true}
    ]
  }
}
```
2. gdpr_saas
For any product handling EU personal data under GDPR. Adds ISO 27001, immutable audit trail, DPO review gate, 7-year evidence retention, and data residency constraints. Uses Secrets Manager (approved as the right tool at SaaS scale).
Use when: Customer-facing SaaS, HR platforms, healthcare, any product with personal data at scale.
```json
{
  "contract_version": "1.0",
  "project": "regulated-saas",
  "parties": {"client": "your-organisation", "contractor": "claude-code"},
  "stack": {
    "language": "python", "language_version": "3.12",
    "runtime": "aws_lambda", "region": "eu-west-1"
  },
  "architecture": {
    "required_patterns": [
      "defence_in_depth", "least_privilege_iam",
      "vpc_private_subnets", "encrypted_at_rest"
    ],
    "forbidden_patterns": [
      "public_endpoints_without_auth", "shared_service_accounts", "unencrypted_pii_storage"
    ]
  },
  "cost": {
    "budget_envelope": "business",
    "approved_exceptions": ["aws_secrets_manager", "kms_cmk", "vpc_interface_endpoints"]
  },
  "security": {
    "auth_mechanism": "oidc_saml",
    "secrets_store": "aws_secrets_manager",
    "forbidden_secrets_locations": ["env_vars", "source_code", "config_files", "logs"],
    "pii_handling": "redact_before_llm",
    "owasp_compliance": true, "production_deploy_gate": true
  },
  "quality": {
    "type_hints": "required", "docstrings": "all",
    "test_coverage_min": 85, "logging_standard": "module_logger_only",
    "forbidden_patterns": ["print_statements", "bare_except", "pii_in_logs"]
  },
  "compliance": {
    "frameworks": ["gdpr", "iso27001"],
    "data_classification": true, "audit_trail": true,
    "right_to_erasure": "hard_delete_only", "data_residency": "eu_only"
  },
  "audit": {
    "evidence_required": true, "evidence_signed": true,
    "pr_comment_required": true, "retention_years": 7
  },
  "definition_of_done": {
    "tests_pass": true, "no_contract_violations": true, "coverage_met": true,
    "evidence_generated": true, "security_scan_pass": true,
    "dpo_review_gate": true,
    "scan_gates": [
      {"category": "secret", "severity": "critical", "blocking": true},
      {"category": "sast", "severity": "high", "blocking": true},
      {"category": "dependency", "severity": "critical", "blocking": true},
      {"category": "iac", "severity": "high", "blocking": true},
      {"category": "license", "severity": "high", "blocking": true}
    ]
  }
}
```
3. iso27001_enterprise
For enterprise or government platforms under ISO 27001, Cyber Essentials, and WCAG 2.1 AA. Adds architecture board review gate, change management (CRQ required), penetration test gate, and accessibility audit gate. Strictest scan gates — medium severity findings block.
Use when: Government services, NHS, financial services, any platform with ISO 27001 certification or Cyber Essentials Plus.
```json
{
  "contract_version": "1.0",
  "project": "government-platform",
  "parties": {"client": "your-enterprise", "contractor": "claude-code"},
  "stack": {
    "language": "python", "language_version": "3.12",
    "runtime": "aws_lambda", "region": "eu-west-2"
  },
  "architecture": {
    "required_patterns": [
      "defence_in_depth", "least_privilege",
      "zero_trust_network", "immutable_audit_log"
    ],
    "forbidden_patterns": [
      "shared_credentials", "overprivileged_iam_roles", "unencrypted_storage"
    ],
    "review_gate": "architecture_board_required"
  },
  "cost": {
    "budget_envelope": "enterprise",
    "approved_exceptions": [
      "aws_secrets_manager", "kms_cmk", "waf",
      "vpc_interface_endpoints", "cloudtrail_organization"
    ]
  },
  "security": {
    "auth_mechanism": "mfa_required",
    "secrets_store": "hsm_or_secrets_manager",
    "forbidden_secrets_locations": ["env_vars", "source_code", "config_files", "logs", "error_messages"],
    "pii_handling": "redact_before_llm",
    "owasp_compliance": true, "production_deploy_gate": true, "pen_test_gate": true
  },
  "quality": {
    "type_hints": "required", "docstrings": "all",
    "test_coverage_min": 90, "logging_standard": "module_logger_only",
    "forbidden_patterns": [
      "print_statements", "bare_except", "pii_in_logs",
      "credentials_in_code", "disabled_tls_verification"
    ]
  },
  "compliance": {
    "frameworks": ["iso27001", "cyber_essentials", "wcag_2.1_aa"],
    "data_classification": true, "audit_trail": true,
    "right_to_erasure": "hard_delete_only",
    "data_residency": "uk_or_eu_only", "change_management": "crq_required"
  },
  "audit": {
    "evidence_required": true, "evidence_signed": true,
    "pr_comment_required": true, "retention_years": 7
  },
  "definition_of_done": {
    "tests_pass": true, "no_contract_violations": true, "coverage_met": true,
    "evidence_generated": true, "security_scan_pass": true,
    "pen_test_pass": true, "accessibility_audit_pass": true,
    "change_management_approved": true,
    "scan_gates": [
      {"category": "secret", "severity": "critical", "blocking": true},
      {"category": "sast", "severity": "medium", "blocking": true},
      {"category": "dependency", "severity": "high", "blocking": true},
      {"category": "iac", "severity": "high", "blocking": true},
      {"category": "license", "severity": "high", "blocking": true},
      {"category": "governance", "severity": "medium", "blocking": true}
    ]
  }
}
```
Comparison
| Feature | free_tier_python | gdpr_saas | iso27001_enterprise |
|---|---|---|---|
| Secrets store | SSM Parameter Store | Secrets Manager | HSM or Secrets Manager |
| Compliance | GDPR | GDPR + ISO 27001 | ISO 27001 + Cyber Essentials + WCAG |
| Coverage minimum | 80% | 85% | 90% |
| Evidence retention | Not specified | 7 years | 7 years |
| DPO review gate | No | Yes | No (covered by arch board) |
| Pen test gate | No | No | Yes |
| Architecture board | No | No | Yes |
| Change management | No | No | CRQ required |
| Blocking scan severity | critical / high | critical / high | medium and above |
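The following Python is an added example, not ticketyboo's own code, showing how the `scan_gates` and `cost.forbidden_resources` fields of the three archetypes can be evaluated in a CI step. It uses constructed excerpts of free_tier_python and iso27001_enterprise (only the fields it reads), a constructed `Finding` shape and sample findings, and assumes the severity ordering low < medium < high < critical with a gate at severity S blocking findings at S or above, which is how the "medium and above" row of the comparison table reads.

```python
"""Evaluate scan findings and planned resources against a contract archetype.

Added example, not part of ticketyboo.dev. Assumptions: severities rank
low < medium < high < critical, and a blocking gate at severity S rejects
any finding in its category at S or above.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed excerpts: only the fields this example reads, copied from the
# free_tier_python and iso27001_enterprise archetypes.
FREE_TIER_PYTHON = json.loads("""{
  "cost": {"forbidden_resources": ["nat_gateway", "rds", "secrets_manager", "kms_cmk", "elastic_ip"]},
  "definition_of_done": {"scan_gates": [
    {"category": "secret", "severity": "critical", "blocking": true},
    {"category": "sast", "severity": "high", "blocking": true},
    {"category": "dependency", "severity": "critical", "blocking": true}
  ]}
}""")

ISO27001_ENTERPRISE = json.loads("""{
  "cost": {"approved_exceptions": ["aws_secrets_manager", "kms_cmk", "waf"]},
  "definition_of_done": {"scan_gates": [
    {"category": "secret", "severity": "critical", "blocking": true},
    {"category": "sast", "severity": "medium", "blocking": true},
    {"category": "dependency", "severity": "high", "blocking": true},
    {"category": "iac", "severity": "high", "blocking": true},
    {"category": "license", "severity": "high", "blocking": true},
    {"category": "governance", "severity": "medium", "blocking": true}
  ]}
}""")


@dataclass(frozen=True)
class Finding:
    """One scanner result (constructed shape; real scanners differ)."""
    category: str
    severity: str
    detail: str


# Constructed sample findings, roughly as a scan pipeline would emit them.
SAMPLE_FINDINGS = [
    Finding("secret", "critical", "cloud access key literal in settings.py"),
    Finding("sast", "medium", "subprocess call with shell=True"),
    Finding("sast", "high", "SQL query built by string formatting"),
    Finding("dependency", "high", "outdated-lib 1.0 (placeholder advisory)"),
    Finding("iac", "high", "S3 bucket without public access block"),
]


def validate_gates(contract: dict) -> list[dict]:
    """Return the contract's scan_gates, rejecting unknown severities early."""
    gates = contract.get("definition_of_done", {}).get("scan_gates", [])
    for gate in gates:
        if gate["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown gate severity {gate['severity']!r}")
    return gates


def blocked_by_gates(contract: dict, findings: list[Finding]) -> list[Finding]:
    """Findings that a blocking gate rejects, in input order."""
    gates = {g["category"]: g for g in validate_gates(contract)}
    blocked = []
    for f in findings:
        gate = gates.get(f.category)
        if gate is None or not gate.get("blocking", False):
            continue  # no gate for this category, or the gate is advisory only
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[gate["severity"]]:
            blocked.append(f)
    return blocked


def forbidden_resources_used(contract: dict, resources: list[str]) -> list[str]:
    """Planned resources that cost.forbidden_resources rules out."""
    forbidden = set(contract.get("cost", {}).get("forbidden_resources", []))
    return sorted(forbidden.intersection(resources))


def definition_of_done_passes(contract: dict, findings: list[Finding], resources: list[str]) -> bool:
    """True only when no gate blocks and no forbidden resource is planned."""
    return not blocked_by_gates(contract, findings) and not forbidden_resources_used(contract, resources)


if __name__ == "__main__":
    for name, contract in (("free_tier_python", FREE_TIER_PYTHON), ("iso27001_enterprise", ISO27001_ENTERPRISE)):
        for f in blocked_by_gates(contract, SAMPLE_FINDINGS):
            print(f"{name}: BLOCKED {f.category}/{f.severity}: {f.detail}")
    print(forbidden_resources_used(FREE_TIER_PYTHON, ["lambda", "dynamodb", "nat_gateway"]))
```

Run against the same five findings, free_tier_python blocks only the critical secret and the high SAST finding, while iso27001_enterprise blocks all five, which is the difference the "Blocking scan severity" row summarises. Categories with no gate in a contract (iac under free_tier_python) pass silently, so a contract that omits a category is weaker than one that lists it as non-blocking; that is worth checking when editing an archetype.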