# Engineering Playbook
Standards and best practices for engineers, tech leads, and senior ICs.
## Overview
The Engineering Playbook covers the practices we follow to write great software — from the moment code is written to the moment it is deployed and monitored.
It is organised into four domains:
- System Design — How we make architecture decisions and manage technical complexity
- Code Quality — How we write, review, and maintain high-quality code
- DevOps & Tooling — How we build, deploy, and operate our systems
- AI & Automation — How we leverage AI tools and automation to move faster and safer
Each domain contains focused pages covering a specific practice — what good looks like, how to implement it, and common pitfalls to avoid.
## Security across the playbook
Security is intentionally distributed across all four domains rather than isolated in a single section — because it is a property of every engineering layer, not a separate concern owned by a single team.
The primary security pages by domain:
| Layer | Page | What it covers |
|---|---|---|
| Design | Security Architecture | AuthN/AuthZ models, zero-trust, threat modeling, data classification |
| Operations | Secrets Management | Vaults, rotation policy, scoping, runtime injection |
| Code review / CI | Static Analysis | SAST tools, vulnerability gates, security hotspot review |
| AI tooling | AI Governance & Acceptable Use | Data classification for AI prompts, PII rules, agentic guardrails |
Secondary security coverage appears in Dependency Management (supply-chain hygiene), Containerisation (image scanning), CI/CD Pipelines (artifact signing, SBOM), and Git Best Practices (pre-commit secret detection).