Governance Basics
8 examples for governance across dozens of Node.js services - 6 basic and 2 intermediate. Goal: predictable quality without every PR waiting on one staff engineer.
Prerequisites
- Platform or architecture team with mandate
- Internal template repo or Backstage software template
- Executive sponsor for enforced standards (not optional guidelines)
Basic Examples
1. What to Govern
| Area | Minimum standard |
|---|---|
| Runtime | Node 24 LTS, engines in package.json |
| Framework | Approved list or ADR per service |
| Observability | OTel SDK, structured logs, health probes |
| Security | Dependabot/Renovate, npm audit gate |
| Delivery | PR + release pipeline template |
| Data | Migration review for expand-contract |
- Govern outcomes (SLO, CVE SLA), not every import choice
2. Golden Path Scaffold
npm create @acme/node-service
→ Fastify 5 + Prisma + OTel + GitHub Actions template
→ docs/adr/000-template.md included
→ .nvmrc = 24.18.0- New services start compliant; brownfield adopts via backlog
- See API Scaffold Skill
Related: Coding Standards
3. Automate Before Mandate
Policy: no critical CVE in prod
Enforcement: CI fails on npm audit --audit-level=critical
Not: email reminder to 40 teams| Policy | Automation |
|---|---|
| Node version | engines + CI matrix check |
| Lint style | ESLint in PR pipeline |
| Secret leak | gitleaks |
| API breaking change | OpenAPI diff breaking gate |
4. Exception Process
## Exception EX-014: legacy-webhook on Node 20
**Reason:** Vendor TLS not upgraded until 2026-10-01
**Owner:** @bob
**Expiry:** 2026-10-15 (auto-fail CI if not renewed)
**Risk accepted by:** EM + Security- Exceptions without expiry become permanent debt
5. Service Maturity Tiers
| Tier | Services | Bar |
|---|---|---|
| Tier 1 | Revenue critical | SLO, canary, on-call, OTel |
| Tier 2 | Internal APIs | CI + health + logs |
| Tier 3 | Experiments | Engines + README |
- Governance effort proportional to blast radius
6. RFC and Standards Calendar
Monthly: Node RFC review (30 min platform guild)
Quarterly: coding standard bump (ESLint major)
Annual: LTS upgrade wave planningIntermediate Examples
7. Compliance Dashboard
Fleet dashboard:
- % on Node 24 LTS
- % with OTel exporter configured
- Open critical CVE count
- ADR age > 2 years (stale review)- Red metrics create sprint items, not shame posts
8. Guild vs Police
Platform guild: proposes standards, maintains templates
Squad tech lead: adopts in service, files exceptions
Security: veto on auth/PII policy- Governance succeeds when squads see faster delivery, not slower
FAQs
How many microservices before governance matters?
Above ~8 services without templates, inconsistency costs more than governance overhead.
Who enforces?
CI and bots enforce; architects resolve exceptions; not manual PR nagging.
Related
- Coding Standards - style enforcement
- Dependency Governance - supply chain
- Node Upgrade Policy - LTS calendar
- Governance Best Practices - condensed list
- Technical Leadership Best Practices - squad role
Stack versions: This page was written for Node.js 24.18.0 (Active LTS), npm 10+, TypeScript 5.6+, Express 5, Fastify 5, and NestJS 11.