Mark Hazleton
Back to blog
UISampleSpark

UISampleSpark: Constitution-Driven Development

February 4, 202612 min read

For nearly seven years, UISampleSpark operated on implicit rules. In February 2026, a constitution-driven approach powered by AI agents analyzed the codebase, surfaced unwritten conventions, formalized 11 principles with 30 enforceable requirements, and resolved three critical compliance gaps.

UISampleSpark: Constitution-Driven Development

Part 3 of the UISampleSpark Series — Governance and AI

From Implicit Rules to Explicit Governance

For nearly seven years, UISampleSpark operated on implicit rules. Experienced contributors knew that all data access went through repository interfaces. They knew that 

FromSqlRaw
was forbidden. They knew that nullable reference types were enabled in every project. But these rules lived in the minds of contributors and in scattered code comments — not in any authoritative document that could be referenced, enforced, or evolved.

In early February 2026, that changed. Over the course of roughly 48 hours, the project underwent its most significant transformation since its founding — not in features or framework versions, but in governance, compliance, and development workflow. The catalyst was a new approach called Constitution-Driven Development, powered by AI agents that could analyze a codebase and surface its unwritten rules.

Discovering the Constitution

The transformation began with a fundamental question: "What are the implicit rules governing this codebase?"

Using the 

speckit.discover-constitution
agent from SpecKit Spark, an automated analysis scanned the entire codebase:

  • 94 C# source files across 6 projects
  • 10 configuration files (
    .csproj
    , 
    global.json
    , 
    .editorconfig
    )
  • 5 GitHub Actions workflows
  • 4 documentation files (README, CHANGELOG, CONTRIBUTING, SECURITY)

The analysis identified 16 high-confidence patterns — conventions the codebase followed with 100% consistency:

PatternConsistency
Nullable reference types enabled100%
ConfigureAwait(false)
in library code		100%
Repository pattern for data access100%
DTO/Entity separation100%
No raw SQL (EF Core LINQ only)100%
Async/await for all I/O100%
Code analysis at strictest level100%
Dependency injection everywhere100%

But the analysis also revealed gaps. Two stood out:

  • ILogger usage: 0% of service classes used structured logging. They operated silently, with no way to trace execution flow in production.
  • XML documentation: Only about 40% of public APIs had XML doc comments, leaving Swagger UI incomplete.

The Educational Scope Decision

One of the most consequential discoveries was what the analysis initially flagged as a deficiency: the project had no authentication or authorization.

Through interactive discussion, this was reframed not as a bug but as a feature. The project's educational mission required that authentication be absent — its presence would obscure the CRUD patterns that were the project's reason for existing. This decision was formalized as Principle IV: Security Posture (Educational Scope):

"This is an educational/reference project demonstrating ASP.NET Core patterns. It intentionally omits authentication, authorization, and other production-hardening features to focus on core CRUD patterns."

The Eleven Principles

From 16 discovered patterns and 10 interactive questions, the team synthesized 11 Core Principles into a formal constitution document:

  1. Code Quality and Safety — Nullable types enabled, latest C# language version, strictest analysis level.
  2. Architecture and Design Patterns — Repository pattern, dependency injection, async/await, 
    ConfigureAwait(false)
    in libraries, no raw SQL.
  3. Error Handling and API Contracts — Global exception handler, RFC 7807 ProblemDetails, proper HTTP status codes.
  4. Security Posture — Educational scope with explicit limitations documented. HTTPS in non-development environments.
  5. Testing Standards — MSTest framework, Arrange-Act-Assert pattern, 25% code coverage baseline.
  6. CI/CD and DevOps — Three required GitHub Actions workflows: test-and-build, security scanning, Docker build-and-push.
  7. Observability and Health — Structured logging with 
    ILogger<T>
    , health checks at 
    /health
    , Swagger/OpenAPI documentation.
  8. Documentation Standards — README maintained, CHANGELOG updated, XML documentation on public APIs.
  9. Dependency Management — Latest .NET version adopted, quarterly package audits, 
    global.json
    enforces SDK version.
  10. Docker and Containerization — Multi-stage builds, Alpine base images, non-root user, Hadolint compliance.
  11. AI-Assisted Development — Session work organized under 
    /.documentation/copilot/
    , drafts and audit reports structured.

Each principle was classified by enforcement level: MUST (mandatory, blocking), SHOULD (strongly recommended), or MAY (optional best practice). The constitution contained 30 MUST requirements in total.

The Compliance Gap

With the constitution formalized, an audit revealed the codebase was at 82% compliance. Twenty-seven of 30 MUST requirements were met. Three critical violations were identified:

Violation 1: Missing Test/Build CI Workflow

Despite having Docker and CodeQL workflows, the project had no GitHub Actions workflow that ran 

dotnet test
on pull requests. This violated Principle VI (CI/CD and DevOps).

Violation 2: No Global Exception Handler

The project lacked an 

IExceptionHandler
implementation. Unhandled exceptions could return raw HTML error pages instead of structured JSON responses, violating Principle III.

Violation 3: Insufficient Security Documentation

The existing 

SECURITY.md
was just 10 lines long — a boilerplate notice. For a project that intentionally omitted authentication, this was dangerously inadequate.

The Sprint to 100%

Each fix was implemented with the rigor the constitution demanded:

Fix 1: Test and Build Workflow

A new 

.github/workflows/test-build.yml
workflow ran on every push and pull request. It restored dependencies, built in Release configuration, ran tests with code coverage, and enforced the 25% coverage threshold.

Fix 2: Global Exception Handler

A new 

GlobalExceptionHandler
class mapped common exception types to appropriate HTTP status codes, produced RFC 7807-compliant ProblemDetails responses, and adjusted detail levels based on environment.

Fix 3: Security Documentation

The 

SECURITY.md
was rewritten from scratch with a prominent warning about educational scope, documentation of what was and wasn't secured, and a 27-item production hardening checklist.

Bonus: Structured Logging

ILogger<T>
was added to four service classes. This change had a cascading effect: adding a logger parameter to constructors broke all 240 tests. The resolution required updating 
GlobalUsings.cs
in both production and test projects and systematically replacing every service instantiation with versions that passed 
NullLogger<T>.Instance
.

All 240 tests passed after the update.

SpecKit Spark: AI Agents for Lifecycle Management

The constitution work revealed gaps in AI-assisted development tooling. Three new agents were created:

The Evolve Constitution Agent

Analyzes pull request review patterns for recurring violations. When multiple PRs show an uncovered pattern, it generates a Constitution Amendment Proposal with change history tracking.

The Quick Fix Agent

Provides a lightweight workflow for small changes that don't justify full specification overhead. Bug fixes and configuration changes receive constitution compliance validation without the full spec/plan/tasks ceremony.

The Release Agent

Archives completed development artifacts, generates Architecture Decision Records from key decisions, creates CHANGELOG entries, and prepares a clean slate for the next development cycle.

These three agents expanded SpecKit Spark from 13 to 16 specialized agents, covering the complete project lifecycle.

The Final Audit

After all fixes were implemented, a final compliance audit confirmed:

MetricBeforeAfter
Constitution Compliance82% (27/30)100% (30/30)
Critical Violations30
Build Warnings00
Test Pass Rate100% (240/240)100% (240/240)
Line Coverage93.2%94.1%
Branch CoverageN/A77.3%
Method CoverageN/A95.9%

Lessons from the Transformation

Constitution First, Implementation Second

Having a formal constitution revealed gaps that would have remained as technical debt indefinitely. The codebase already exhibited 80%+ consistency across most patterns — formalization made implicit rules explicit and exposed the critical gaps.

Educational Scope Is a Feature, Not a Bug

Authentication omission was initially flagged as incomplete. Reframing it as an intentional design decision, prominently documented, transformed a perceived weakness into a governance strength.

ILogger Breaks Tests — Plan for It

Adding 

ILogger<T>
to four classes broke all 240 tests. When adding cross-cutting concerns to service constructors, the impact on test fixtures must be planned for.

AI Agents Need Lifecycle Support

Feature development workflows (spec, plan, tasks) are necessary but insufficient. Projects also need support for quick fixes, constitution evolution, and release management.

What Changed in 48 Hours

  • 1 formal constitution with 11 principles and 30 MUST requirements
  • 3 critical fixes (CI workflow, exception handler, security docs)
  • 4 service classes updated with structured logging
  • 3 new AI agents for lifecycle management
  • 14 files changed with +12,600 lines added
  • 0 regressions — all 240 tests passing throughout

Additional Resources

UISampleSpark Series

This is part 3 of a five-part series tracing the evolution of UISampleSpark from a simple CRUD tutorial to a comprehensive web UI exploration platform.

  1. A Developer's Swiss Army Knife — The founding philosophy and core architecture
  2. Seven Years of .NET Modernization — Navigating the annual .NET upgrade cycle
  3. Constitution-Driven Development (this article) — How governance and AI transformed project quality
  4. Seven UI Paradigms, One Backend — Comparing seven frontend approaches side by side
  5. Modern DevOps as a Living Reference — Containerization, CI/CD, and cloud deployment

Project Links: GitHub | Live Demo | Docker Hub

Related posts

UISampleSpark: Modern DevOps as a Living Reference
UISampleSpark

UISampleSpark: Modern DevOps as a Living Reference

Writing code is only half the story. This final article in the UISampleSpark series traces the operational journey from manual builds to fully automated pipelines spanning Docker containerization, three-workflow CI/CD, security scanning, and multi-platform cloud deployment.

Feb 6, 202610 min
UISampleSpark: Seven UI Paradigms, One Backend
UISampleSpark

UISampleSpark: Seven UI Paradigms, One Backend

Most tutorial projects demonstrate one way to build a web interface. UISampleSpark asks a different question — what if we demonstrated all of them? Seven radically different frontend approaches, the same backend API, the same data model, compared side by side.

Feb 5, 202613 min
UISampleSpark: Seven Years of .NET Modernization
UISampleSpark

UISampleSpark: Seven Years of .NET Modernization

Since Microsoft unified .NET under a single platform, a new major version ships every November. UISampleSpark adopted every release deliberately, documenting the friction points and upgrade strategies that real-world teams encounter across seven major migrations.

Feb 3, 202611 min