Version: 2.1
Purpose: Fast and consistent selection of checklists based on project type.

• MUST: Apply these checklists by default
• IF RELEVANT: Apply when the changeset touches the area
• NOTES: Typical pitfalls and review focus

MUST

• Core
• Security KRITIS/NIS2
• Crypto
• Logging
• Configuration
• Build Metadata
• Documentation
• Project Documentation

IF RELEVANT

• Performance
• Crossplatform

NOTES

• Misuse resistance beats „clean API“. Design for correct-by-default.
• Treat logs and errors as potential oracles.

MUST

• Core
• Security KRITIS/NIS2
• Logging
• Configuration
• Build Configuration
• Documentation
• Project Documentation

IF RELEVANT

• Performance
• Crossplatform
• SQL (if DB access)
• Crypto (if auth/crypto/custom tokens)

NOTES

• Require parameterization for DB access; treat every input as hostile.
• Availability: rate limits, timeouts, bounded memory, predictable error mapping.

MUST

• Core
• Naming
• Functions
• Build Metadata
• Documentation
• Project Documentation

IF RELEVANT

• Security KRITIS/NIS2
• Performance
• Crossplatform

NOTES

• Public API stability and semantic versioning are primary.
• Avoid transitive dependency surprises.

MUST

• Core
• Build Configuration
• Logging
• Configuration
• Documentation

IF RELEVANT

• i18n (user-facing strings)
• Security KRITIS/NIS2 (network/crypto/licensing)
• Crossplatform (if multi-OS)

NOTES

• UI threading rules and resource cleanup are frequent defect sources.
• Check settings paths and per-user data handling.

MUST

• Core
• Crossplatform
• Build Metadata
• Documentation
• VSCode Extension Stack

IF RELEVANT

• Security KRITIS/NIS2 (remote calls, auth, downloads)
• Logging
• Configuration

NOTES

• Activation events, contribution points, and settings schema must remain coherent.
• Never block the extension host; long work must be cancellable.

MUST

• Core
• Security KRITIS/NIS2
• Logging
• Configuration
• Outlook AddIn Stack

IF RELEVANT

• Crypto (sign/encrypt workflows)
• Crossplatform (Office.js multi-platform)

NOTES

• COM lifetime (release), Explorer vs Inspector context, UI state sync are critical.
• Avoid sensitive data leakage into Outlook item properties and logs.

MUST

• Core
• CLI/TUI
• Crossplatform
• Logging
• Configuration

IF RELEVANT

• Security KRITIS/NIS2
• Performance

NOTES

• Exit codes, stdout vs stderr, pipe-friendly output, and deterministic behavior matter.

MUST

• Core
• SQL Stack
• Security KRITIS/NIS2

IF RELEVANT

• Performance
• Documentation

NOTES

• Query plans, indexing strategy, transaction semantics, and parameterization are core review targets.

MUST

• Core
• InnoSetup Stack
• Build Metadata
• Security KRITIS/NIS2

IF RELEVANT

• Logging
• Configuration

NOTES

• Upgrade/uninstall behavior and code signing are common failure points.

MUST

• Core
• Access VBA Stack
• Security KRITIS/NIS2
• Documentation

IF RELEVANT

• Build Metadata

NOTES

• Deterministic builds (ACCDE), references, and robust error handling are key.

MUST

• Core
• DokuWiki/PHP Security
• Security KRITIS/NIS2
• Logging
• Configuration
• Documentation

NOTES

• Treat all page/user content as hostile; follow DokuWiki APIs for escaping/ACL.

Version: 2.1 (Split)
Author: Wolfgang van der Stille