Added ADR for architectural standards

[mrrajan]

Summary

• Add ADR-00018 proposing a CONVENTIONS.md file and documenting pattern standards for the Trustify project
• Catalogs recurring anti-patterns found across the codebase (N+1 queries, unbounded collections, sequential independent queries, missing database indexes, uncontrolled pagination, redundant deserialization) with specific file locations and severity ratings
• Presents convention options for each anti-pattern category for the team to evaluate during PR review

Rendered version https://github.com/mrrajan/trustify/blob/TC-4289/docs/adrs/00018-conventions-file.md

Summary by Sourcery

Introduce an ADR proposing a centralized CONVENTIONS.md file and cataloging key performance and coding anti‑patterns in the Trustify codebase, along with candidate standards for addressing them.

Documentation:

• Add ADR-00017 documenting the rationale, scope, and maintenance process for a repository-wide CONVENTIONS.md conventions file used by contributors and AI tools.
• Document a detailed analysis of recurring performance and coding anti-patterns across the codebase, including their locations and proposed convention options for remediation.

[sourcery-ai]

Reviewer's Guide

Adds ADR-00017 describing the introduction, purpose, and lifecycle of a repository-level CONVENTIONS.md file and documenting a detailed catalog of existing performance and coding anti-patterns in the Trustify codebase, along with convention options the team should select during review.

File-Level Changes

Change	Details	Files
Introduce ADR-00017 defining a repository-level CONVENTIONS.md file as the canonical source of coding and architectural conventions, optimized for AI-assisted development workflows.	Specify scope, content structure, and maintenance process for CONVENTIONS.md at the repo root Clarify that conventions are prescriptive, derived from existing patterns, and kept minimal and actionable Describe how AI tools (e.g., Claude Code) will consume CONVENTIONS.md and how it relates to any CLAUDE.md configuration Define governance for updating conventions via PRs and linking significant changes to ADRs	docs/adrs/00017-conventions-file.md
Document a comprehensive analysis of recurring performance anti-patterns in the existing codebase, with concrete examples and convention options to adopt.	Catalog N+1 queries, unbounded queries, in-memory filtering, app-side counting, sequential DB calls, missing bulk operations, unbounded recursion, extra round-trips vs JOINs, validation-plus-follow-on queries, and missing indexes For each category, explain what it is, why it matters, where it occurs (file/line-level references), and propose option sets (A/B/C) for conventions Summarize performance anti-patterns in a table to guide reviewers in selecting preferred options that will later be codified in CONVENTIONS.md	docs/adrs/00017-conventions-file.md
Document a comprehensive analysis of recurring coding anti-patterns in the existing codebase, with concrete examples and convention options to adopt.	Catalog swallowed errors, stringly-typed APIs, code duplication, tight module coupling, oversized functions, inconsistent tracing, missing public docs, mixed logging frameworks, magic numbers, and raw SQL patterns that defeat parameterization For each category, provide rationale, specific occurrences, and option sets (A/B/C) indicating recommended conventions versus laxer alternatives Summarize coding anti-patterns in a final table and describe how selected options should be propagated into CONVENTIONS.md in a follow-up change	docs/adrs/00017-conventions-file.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The ADR is very long and mixes the high-level decision (introducing CONVENTIONS.md) with a detailed audit of anti-patterns; consider splitting the anti-pattern catalog into a separate document (or appendix) to keep the ADR focused on the architectural decision and process.
• Many examples reference approximate line numbers and specific file locations that will quickly become stale; instead of line-based pointers, consider linking to symbols or providing higher-level file/section references that will age more gracefully.
• You define option sets (A/B/C) for many categories but the process for capturing the final choice in CONVENTIONS.md is only described informally; consider adding a concise, explicit section on how and where the selected options are recorded and how future ADRs should evolve or override them.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The ADR is very long and mixes the high-level decision (introducing CONVENTIONS.md) with a detailed audit of anti-patterns; consider splitting the anti-pattern catalog into a separate document (or appendix) to keep the ADR focused on the architectural decision and process.
- Many examples reference approximate line numbers and specific file locations that will quickly become stale; instead of line-based pointers, consider linking to symbols or providing higher-level file/section references that will age more gracefully.
- You define option sets (A/B/C) for many categories but the process for capturing the final choice in CONVENTIONS.md is only described informally; consider adding a concise, explicit section on how and where the selected options are recorded and how future ADRs should evolve or override them.

## Individual Comments

### Comment 1
<location path="docs/adrs/00017-conventions-file.md" line_range="107" />
<code_context>
+
+## Anti-Pattern Analysis
+
+Analysis of the trustify codebase has identified recurring anti-patterns across
+multiple modules. This section catalogs each category, lists the occurrences found, and
+presents convention options for the team to evaluate. The selected conventions will be
</code_context>
<issue_to_address>
**nitpick (typo):** Capitalize the project name "Trustify" for consistency.

This line uses lowercase "trustify" while earlier references use "Trustify"; update this occurrence to match the proper noun capitalization.

```suggestion
Analysis of the Trustify codebase has identified recurring anti-patterns across
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[PhilipCattanach]

Thanks @mrrajan Very interesting reading
I would suggest choosing the appropriate convention for some of the performance issue will probably need tests at scale. I'm concerned that some of the potential solutions might make things worse at scale.

I'd like us to come up with a way of prioritizing our next steps. As I would like to think there is some non contentious conventions we can adopt that will address some of these things.

And we might need some Spikes to evaluate the best convention for some of the issues highlighted.

[mrizzi]

A first review of the methodology before getting into the anti-patterns analysis with the maintainers.

[mrizzi]

Maybe the initial version but not once stable because, once fully adopted, it should be other way around, i.e. code should be derived from existing conventions

[ctron]

Question is, how do we deal with current code that doesn't align to those newly defined patterns?

[helio-frota]

Good question 👍

Sending random and sometimes partial PRs without JIRAs?

side note: Yesterday I asked AI to read the instrumentation section and to produce a checklist for me, not changed the code yet as some parts are subjective (example -> the size of returned struct data) + still need to validate if all the checklist is 100% correct. Imagining all this checklist is correct, all the instrumentation-related-code from all files should be updated via a single PR? Should this initiative be separated by our current workspace-crates to avoid git conflicts and long PR reviews?

[mrizzi]

Question is, how do we deal with current code that doesn't align to those newly defined patterns?

It will mean having tech debt initiatives to enforce consistency in current code not yet aligned with expected patterns and code conventions.

[mrizzi]

I don't think this exists because, as described in the above Maintenance Process, when a convention has to change, then an ADR arrives. Once merged, the impacted code has to refactored to be aligned with the new code convention. I don't see how "stale conventions" could happen other than implementing code not aligned with the conventions, which should be considered a mistake to prevent.

[ctron]

To my understanding, feedback from reviews might turn in PR changing the conventions file? If that's the case, then this scenario may happen. Unless of course, a change in the conventions file is accompanied by reworking the code base.

[mrizzi]

Changes from PRs are meant to be additive to improve code conventions for identified lacks. Changing them to "adhere" to the code in a PR should be blocked otherwise code will drift from conventions.

[mrizzi]

@jcrossley3 @ctron @ruromero @queria please review this

[ctron]

I'm not sure an ADR is the right approach to this. We already have the conventions file, and this ADR would need to be copied over to that file in a second step.

Why no simply make the modifications to the conventions file and discuss this on a PR? Because what would we review on that second PR (moving content over to the conventions file)? Feels like doppelmoppel.

[ctron]

As we do have some documentation (for less then we should have) for humans. I believe that this file should be usable by humans as well. Replacing the existing documents. Which means, that this file should be structured and written to serve both.

[mrrajan]

Agree! Rephrased to,

Trustify needs a single, explicit reference for coding patterns, naming rules, error-handling idioms, testing practices, and architectural norms. Contributors and reviewers use it during implementation and review; the same clarity also helps AI-assisted workflows (Claude Code, Copilot, and similar tools) when those tools load project context.

[ctron]

IntoIterator wouldn't be a SeaORM thing, but a Rust thing.

[mrrajan]

Agree - Removed

[ctron]

Not sure I understand the scope of this section. I'd prefer to have some "database" section maybe. Defining how database resources/entities are created, column types, tables, enums, indexes, ...

[mrrajan]

Agree! We should have a dedicated database section.

[ctron]

I think that may be tricky. As those code locations will change over time. And that would mean updating the conventions file, or dead links.

[mrrajan]

Agree! We should have just the examples not the references to the specific files. Rephrased to share canonical examples on the conventions file.

[ctron]

I wonder how that aligns with review tools? like sourcery.ai?

[mrrajan]

Sourcery.ai applies generic best practices and CONVENTIONS.md captures project specific ones. So, project specific practices might called out by the review tools. We have to explore how to align review tools to use CONVENTIONS.md file as reference.

[ctron]

I see the same problem as before. If we "point" to those locations, and those locations will be gone over time (which should be the case with anti-patterns) we have a document of dead links.

[mrrajan]

Agree! The references should use function/ symbol names or example snippets in the CONVENTIONS.md file

[ctron]

I assume "performance impact" is an example. But in general, "why" can be all kind of reasons.

[mrrajan]

Agree! rephrased to performance impact, maintainability, consistency

[ctron]

See my comment about links above.

[mrrajan]

Agree! This should be references not specific locations in codebase.

[ctron]

On the "pro" side, it may reduce code complexity. In some cases dramatically. And when it is known that "N" will always be a small number, and the operation itself is fast. Then keeping the N+1 pattern would be a good thing IMHO. It depends on the case.

[ctron]

I think there are a lot more in, especially in the "analysis" module.

[ctron]

How is "severity" evaluated here?

[mrrajan]

Severity is based on,

• Whether the N is bounded or not
• Code path is API or internal

[ctron]

Maybe we should consider this: https://pganalyze.com/blog/5mins-postgres-performance-in-vs-any

[ctron]

I would say "Option D": prefer option A, but fall back to "N+1" if there are good reasons.

"C" doesn't seem to cover this, as it says "no convention". I think the should try, and try hard to remediate N+1 patterns. But not at all cost.

[mrrajan]

Sounds good! Added option D

- **Option D — Prefer batch, allow exceptions**: Default to Option A — batch loading on
  collection paths and remediate existing N+1 patterns as tech debt. Per-entity DB calls
  inside loops are permitted only when batching is impractical or costly. 

[ctron]

Which I don't see as a problem, as the number of importers is considered small (below 50). Sure it may be an improvement. But in some cases it's not. Having pagination on the HTTP API would be beneficial.

[ctron]

Again, there is more. Especially in the analysis module.

[ctron]

In some cases we load all data, and then keep in memory to process it. Especially as mentioned above to do things like batch loading, pre-loading, ...

In such cases it doesn't seem to make sense to use limits, as we load and store the data in-memory anyway. In fact, it would be counter productive (even batch loading). Batch loading only makes sense to limit the number of postgres parameters. Having to page through data would mean to execute the query multiple times. Compared to one single query.

[mrrajan]

Agree! lets limit only for the public API endpoints

[ctron]

Option B 👍

[ctron]

I'd say that's a false positive. As the code does re-use that data. But eliminates a second query by re-using that data and manually filtering out information for the first use case of the data.

[mrrajan]

Agree! It is a false positive. I will remove this example section - But as a convention for this issue, shall we suggest option B?

[ctron]

In this case, this provides additional diagnostic information, if possible. If the serialization of that fails, that would just not be possible. Logging would be fine, but throwing an error not.

[mrrajan]

Agree! It is additional noise

[ctron]

In this case it would actually be beneficial to add this to the instrumentation. Rather than an explicit log call.

[mrrajan]

Agree!

[ctron]

Here it might actually be beneficial to remove the root cause of this. Using a proper timestamp in the database, if possible.

[mrrajan]

Agree! we should fix the root cause instead!

[ctron]

In this case it would be beneficial to report this back to the user, as we do have a mechanism for reporting such things as "warning" during the upload. This would also end up in the report. Logging this, or failing, wouldn't help.

[ctron]

Same for the other CSAF related ones.

[mrrajan]

Sounds good!

[ctron]

Option D:

• if we have instrumentation wrapping it, that's ok, no need for extra processing
• if we have a way to report this case back to the user, leverage this, but don't extra log it
• if that case prevents us from processing the data, and the data is essential, propagate the error
• if running into an error is an acceptable and expected case, that's fine, do nothing
• if we can ignore the error, but have no other way to handle it, log it, but try to be compact doing it, e.g. like .inspect_err() rather than a full blown match.

[ctron]

Option A

[ctron]

Option A

[ctron]

Option C

[ctron]

Option B. And I'd say it is ok to use inner strucs, fns, ... for doing this.

[ctron]

Option D: Option A, but with a twist. I think this is already well described in the tracing/logging markdown file. In a nutshell, everything that is calling out to external things (DB, storage, ... ) should be wrapped in instrumentation. Everything that does not, as long as it is considered trivial, must not be wrapped. Even if things cannot be wrapped (multiple sections of loading where loading functions don't have instrumentation) use .instrument or other constructs amending this. But don't do it twice (inner vs outer). Not limited to pub, but based on logic blocks and the fact that external factors are in play.

[ctron]

Option A.

In addition, also add non-verbose comments inside functions.

[ctron]

Not sure this is true, as log actually forwards to tracing.

[mrrajan]

Referring to https://docs.rs/tracing-log/latest/tracing_log/, we need logTracer::init() to have logs and tracing connected. But in our project only the test file, test-context/src/flame.rs has this configuration for setup_global_subscriber.

[helio-frota]

we are using a tracing-log feature here: https://github.com/guacsec/trustify/blob/main/common/infrastructure/Cargo.toml#L33

log actually forwards to tracing

this explains why even using log::info here https://gist.github.com/helio-frota/171ac4ac8d362827e22b66ce165f32cf?permalink_comment_id=6121576#gistcomment-6121576, I was able to see the correlation with traces using opentelemetry-appender-tracing instead of opentelemetry-appender-log 👍

[mrrajan]

Thanks for the clarification @helio-frota! updated this section.

[ctron]

Option A sounds reasonable.

[ctron]

Option D: It depends. In general we should have Option A. However, there are cases where it causes confusion or has other side effects.

Assume the example from above. Having 13 replaced by a const value, would require to render the string every time used. Rather than having a const struct. This seems counter productive. It would be better to keep that 13 in the string, but document around it "why" there's a 13 in there.

Same for structs:

        ImporterConfiguration::Cve(CveImporter {
            common: CommonImporter {
                disabled: true,
                period: Duration::from_secs(300),
                description: Some(description.into()),
                labels: Default::default(),
            },
            source: DEFAULT_SOURCE_CVEPROJECT.into(),
            years: HashSet::default(),
            start_year,
        }),

Having DEFAULT_SOURCE_CVEPROJECT here, imported from another module. Only being used once. Doesn't make much sense to me. It would be clearer if that would be in the same file. Unless, it would indeed be re-used. Then it could be refactored.

[ctron]

This example might not be ideal. But it seems like a decent trade off handling the complexity. Having that replaced by something else, the question would be if the alternative is actually better,

There is no SQL injection in play here, as that's gets sorted out before.

[mrrajan]

Sounds good!

[ctron]

Option B: There should be a good reason to not use Option A, and a discussion around that. But to me the example shows a valid reason to deviate from the norm.

[mrrajan]

Sounds good!

[mrrajan]

Thanks @ctron for your review, I have added a new section for database and addressed the review comments. I have added a new section Preferred option: under each category based on the review.

[mrrajan]

Agree - Removed

[mrrajan]

Agree! We should have a dedicated database section.

[mrrajan]

Agree! We should have just the examples not the references to the specific files. Rephrased to share canonical examples on the conventions file.

[mrrajan]

Sourcery.ai applies generic best practices and CONVENTIONS.md captures project specific ones. So, project specific practices might called out by the review tools. We have to explore how to align review tools to use CONVENTIONS.md file as reference.

[mrrajan]

Sounds good!

[mrrajan]

Agree! Rephrased to,

Trustify needs a single, explicit reference for coding patterns, naming rules, error-handling idioms, testing practices, and architectural norms. Contributors and reviewers use it during implementation and review; the same clarity also helps AI-assisted workflows (Claude Code, Copilot, and similar tools) when those tools load project context.

[mrrajan]

Agree! lets limit only for the public API endpoints

[mrrajan]

Agree!

[mrrajan]

Referring to https://docs.rs/tracing-log/latest/tracing_log/, we need logTracer::init() to have logs and tracing connected. But in our project only the test file, test-context/src/flame.rs has this configuration for setup_global_subscriber.

[helio-frota]

informational only:

I quickly modified my personal duplicate code segment tool to focus on 20+ lines and found only these: https://gist.github.com/helio-frota/87f1a9ab12fe84480f2574bc7b92e8a7
( I'm skipping tests,test,entity,migration,benches )

[ctron]

Looks good to me. With the exception that I still see the actual content (AP, …) My understanding was, that his would be removed from this ADR, but then added in another PR to the conventions file.