Using the Product Matrix for Standards Auto-Loading
Version: 1.0.0 | Last Updated: 2025-08-23
Overview
The Product Matrix (config/product-matrix.yaml) provides intelligent mapping from product types to curated bundles of development standards. This enables automatic loading of relevant standards based on your project type.
Quick Start
1. Identify Your Product Type
Available Product Types:
- web-service # Full-stack web application
- api # REST/GraphQL API service
- cli # Command-line tool
- frontend-web # SPA/MPA web application
- mobile # iOS/Android app
- data-pipeline # ETL/ELT workflow
- ml-service # ML training/inference
- infra-module # IaC module
- documentation-site # Technical docs
- compliance-artifacts # Security docs
2. Load Standards Bundle
Use the @load directive in CLAUDE.md:
Or combine with specific overrides:
Worked Examples
Example 1: Python FastAPI Service
Scenario: Building a REST API with FastAPI, PostgreSQL, and Docker.
Product Type Detection:
Standards Loading:
Resolved Standards:
- CS:python - Python coding standards (PEP 8, type hints)
- TS:pytest - Pytest testing framework
- SEC:auth - API authentication (OAuth2, JWT)
- SEC:input-validation - Input sanitization
- DB:postgresql - PostgreSQL best practices
- CN:docker - Container standards
- DOP:ci-cd - CI/CD pipeline
- OBS:monitoring - API monitoring
- LEG:privacy - GDPR/CCPA compliance
- NIST-IG:base - NIST 800-53r5 controls (auto-included with SEC)
Implementation Steps:
- Project structure follows Python package conventions
- FastAPI router organization per CS:python
- Pytest fixtures and parametrized tests per TS:pytest
- JWT authentication with refresh tokens per SEC:auth
- Pydantic models for validation per SEC:input-validation
- Docker multi-stage builds per CN:docker
- GitHub Actions workflow per DOP:ci-cd
- Prometheus metrics per OBS:monitoring
- NIST control tags on security features per NIST-IG:base
Example 2: React TypeScript Application
Scenario: Building a React SPA with TypeScript, Material-UI, and AWS deployment.
Product Type Detection:
Detected: frontend-web
Language: typescript
Framework: react
UI Library: material-ui
Deployment: aws-s3-cloudfront
Standards Loading:
Resolved Standards:
- FE:react - React component patterns
- FE:design-system - Design system architecture
- FE:accessibility - WCAG 2.1 AA compliance
- CS:typescript - TypeScript strict mode
- TS:vitest - Vitest + React Testing Library
- WD:material-design - Material Design principles
- SEC:auth-ui - Frontend authentication flow
- DOP:aws - AWS deployment patterns
- DOP:ci-cd - Build and deployment pipeline
- OBS:web-vitals - Core Web Vitals monitoring
Implementation Steps:
- Component structure: /components, /pages, /hooks
- TypeScript strict mode with no implicit any
- Material-UI theming with custom palette
- React Testing Library with user event simulation
- Auth0/Cognito integration for authentication
- Webpack optimization for code splitting
- S3 + CloudFront with cache invalidation
- Datadog RUM for performance monitoring
Example 3: Data Pipeline with Airflow
Scenario: Building an ETL pipeline with Apache Airflow, handling PII data.
Product Type Detection:
Detected: data-pipeline
Orchestrator: airflow
Data Sensitivity: pii
Storage: s3, redshift
Processing: spark
Standards Loading:
Resolved Standards:
- DE:orchestration - Airflow DAG best practices
- DE:data-quality - Data validation checks
- DE:airflow - Airflow-specific patterns
- SEC:secrets - AWS Secrets Manager integration
- SEC:data-classification - PII handling procedures
- SEC:encryption - Encryption at rest/in transit
- DOP:ci-cd - DAG deployment automation
- OBS:logging - Centralized logging
- LEG:data-retention - GDPR retention policies
- LEG:gdpr - GDPR compliance requirements
- NIST-IG:base - NIST privacy controls
Implementation Steps:
- DAG structure: one DAG per data source
- Idempotent tasks with proper retry logic
- Data quality checks using Great Expectations
- PII detection and masking utilities
- Encryption using AWS KMS
- Secrets rotation every 90 days
- Audit logging to CloudWatch
- Data retention: 7 years for financial, 3 years for behavioral
- GDPR data subject request automation
- NIST SC-13 for cryptographic protection
Wildcard Expansion
Security Wildcard (SEC:*)
Expands to:
- SEC:auth
- SEC:secrets
- SEC:input-validation
- SEC:encryption
- SEC:audit
- NIST-IG:base (automatically included)
Testing Wildcard (TS:*)
Expands to:
- TS:unit
- TS:integration
- TS:e2e
- TS:performance
- TS:security
Language Auto-Detection
When a language is detected, the matrix automatically maps generic codes:
Python Detection:
- CS → CS:python
- TS → TS:pytest
- TOOL → TOOL:python
TypeScript Detection:
- CS → CS:typescript
- TS → TS:vitest
- TOOL → TOOL:nodejs
Stack Presets
Quick presets for common technology stacks:
MERN Stack
Loads: MongoDB, Express, React, Node.js standards
JAMstack
Loads: Static site generation, CDN, API standards
NIST Auto-Inclusion
When any security standard (SEC:*) is loaded, NIST-IG:base is automatically included. This ensures:
- Security features get tagged with NIST controls
- Compliance documentation is generated
- Audit trails are properly configured
- Security testing includes compliance checks
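The resolution rules from the Wildcard Expansion, Language Auto-Detection and NIST Auto-Inclusion sections, written out as an added Python example (not the project's own code). The lookup tables are transcribed from the lists on this page; the function names resolve and missing_nist, and the fail-closed handling of unknown wildcards, are assumptions.

```python
# Added illustration: tables below are transcribed from this page's lists,
# not read from config/product-matrix.yaml (whose schema is not shown here).
WILDCARDS = {
    "SEC:*": ["SEC:auth", "SEC:secrets", "SEC:input-validation",
              "SEC:encryption", "SEC:audit"],
    "TS:*": ["TS:unit", "TS:integration", "TS:e2e",
             "TS:performance", "TS:security"],
}
LANGUAGE_MAP = {
    "python": {"CS": "CS:python", "TS": "TS:pytest", "TOOL": "TOOL:python"},
    "typescript": {"CS": "CS:typescript", "TS": "TS:vitest",
                   "TOOL": "TOOL:nodejs"},
}
NIST_BASE = "NIST-IG:base"


def resolve(codes, language=None):
    """Resolve requested codes into an ordered, de-duplicated bundle."""
    if language is not None and language not in LANGUAGE_MAP:
        raise ValueError(f"no language mapping for {language!r}")
    resolved = []
    for code in codes:
        if code in WILDCARDS:
            expanded = WILDCARDS[code]
        elif code.endswith(":*"):
            # Fail closed: an unknown wildcard must not silently load nothing.
            raise ValueError(f"unknown wildcard {code!r}")
        elif ":" not in code and language:
            # Generic code (CS, TS, TOOL): map via the detected language.
            expanded = [LANGUAGE_MAP[language].get(code, code)]
        else:
            expanded = [code]
        for item in expanded:
            if item not in resolved:
                resolved.append(item)
    # NIST auto-inclusion: any SEC standard pulls in NIST-IG:base.
    if any(c.startswith("SEC:") for c in resolved) and NIST_BASE not in resolved:
        resolved.append(NIST_BASE)
    return resolved


def missing_nist(bundle):
    """Audit check: bundle has SEC standards but lacks NIST-IG:base."""
    return any(c.startswith("SEC:") for c in bundle) and NIST_BASE not in bundle
```

missing_nist can be run over a hand-edited or cached bundle to catch a security standard that was loaded without its compliance baseline.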
Integration with CLAUDE.md
The router (CLAUDE.md) resolves these directives:
# In your prompt to Claude:
@load [product:api + CS:python]
# Claude interprets this as:
- Load all standards for API product type
- Override with Python-specific coding standards
- Include NIST compliance (via SEC standards)
- Apply the combined bundle to the project
Custom Combinations
Mix and match for unique requirements:
This loads web-service base standards but overrides:
- Frontend framework to Vue
- Database to MongoDB
- Deployment to Kubernetes
Validation
To verify your standards bundle:
# Check resolved standards
npx claude-flow standards resolve --product api --language python
# Validate against your project
npx claude-flow standards validate --path ./src