# Securitize — Knowledge Hub
TL;DR — Single source of truth for Securitize technical knowledge. Each fact lives in exactly ONE file. This index tells you where.
## How to use this wiki

- Served by MCP: `get_wiki_file(path="<category>/<file>.md")` (e.g. `get_wiki_file(path="organization/teams.md")`).
- Each page is self-contained for its topic: load ONE file and get everything on that topic.
- Strict SSOT: if a page needs info from another, it links — never copies.
- Use the *Load when* note on each entry below to decide what to load.
## Resolving cross-references

| Link in a wiki page | How to fetch |
|---|---|
| `[text](<category>/<file>.md)` from `index.md` or `about.md` (wiki root) | `get_wiki_file(path="<category>/<file>.md")` |
| `[text](<file>.md)` between pages in the same category folder | `get_wiki_file(path="<category>/<file>.md")` |
| `[text](../<other-category>/<file>.md)` between pages in different category folders | `get_wiki_file(path="<other-category>/<file>.md")` (the `../` is a filesystem hint; resolve relative to the wiki root) |
| `[text](../workflows/<playbook>/index.md)` | `get_workflow_file(path="<playbook>/index.md")` (strip the `../workflows/` prefix) |
The `../` prefixes are filesystem hints for editors (VS Code, Bitbucket web). Over MCP, normalize the path relative to the wiki root and route to the correct tool.

**Cross-folder `../` resolution.** `get_wiki_file` accepts paths relative to the wiki root. When a page links to `../<other-category>/<file>.md`, strip the `../` walk-up and pass the resulting wiki-root-relative path. Example: from `ci-cd/bitbucket-ci.md`, a link `[secrets](../security/secrets.md)` translates to `get_wiki_file(path="security/secrets.md")` — not `get_wiki_file(path="../security/secrets.md")`, which the tool will reject as path traversal.
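The resolution rules above (the link table plus the `../` note), as an added worked example that is not part of this wiki or of the cerebro MCP: a small Python resolver that maps a link found in a given page to the MCP tool and path argument, applying the page's rules in order and refusing anything that would still walk above a root, so the caller fails early instead of handing the tool a path it will reject as traversal. The function name `resolve_wiki_link`, its `(tool, path)` return shape, the `LinkResolutionError` class and the handling of `#anchor` fragments are assumptions for illustration; the tool names and link conventions are the ones documented above.

```python
"""Resolve wiki cross-reference links to (MCP tool, path argument).

Added example; not the wiki's or the cerebro MCP's own code. Assumed names:
resolve_wiki_link, LinkResolutionError, the (tool, path) return shape and
the '#anchor' handling. Tool names and link rules follow the wiki index.
"""
from posixpath import normpath
from typing import Tuple

WIKI_TOOL = "get_wiki_file"
WORKFLOW_TOOL = "get_workflow_file"
WORKFLOW_PREFIX = "../workflows/"


class LinkResolutionError(ValueError):
    """Raised for links that cannot be mapped without escaping a root."""


def _assert_inside_root(path: str) -> str:
    """Defense in depth: reject any path that still walks above the root.

    normpath collapses 'a/../b' to 'b' and keeps a leading '..' only when the
    path really escapes (e.g. 'security/../../x.md' -> '../x.md'). The MCP
    tools reject such paths as traversal; we fail here before calling them.
    """
    clean = normpath(path)
    if clean in ("", ".", "..") or clean.startswith(("/", "../")):
        raise LinkResolutionError(f"path escapes root: {path!r}")
    return clean


def resolve_wiki_link(source_page: str, link: str) -> Tuple[str, str]:
    """Map a Markdown link found in source_page to (tool_name, path argument).

    source_page is the wiki-root-relative path of the page that holds the
    link, e.g. 'index.md' or 'ci-cd/bitbucket-ci.md'.
    """
    target = link.split("#", 1)[0].strip()  # drop any #anchor fragment (assumption)
    if not target:
        raise LinkResolutionError("empty link target")
    if target.startswith("/") or "://" in target:
        raise LinkResolutionError(f"absolute or external link: {link!r}")

    # Rule 1: ../workflows/<playbook>/... routes to the workflow tool, prefix stripped.
    if target.startswith(WORKFLOW_PREFIX):
        return WORKFLOW_TOOL, _assert_inside_root(target[len(WORKFLOW_PREFIX):])

    # Rule 2: ../<other-category>/<file>.md -- the ../ is only a filesystem hint;
    # what follows it is already wiki-root-relative.
    if target.startswith("../"):
        return WIKI_TOOL, _assert_inside_root(target[len("../"):])

    # Rule 3: a bare <file>.md linked from inside a category folder stays in it.
    if "/" not in target and "/" in source_page:
        category = source_page.rsplit("/", 1)[0]
        return WIKI_TOOL, _assert_inside_root(f"{category}/{target}")

    # Rule 4: <category>/<file>.md from index.md / about.md is already root-relative.
    return WIKI_TOOL, _assert_inside_root(target)


if __name__ == "__main__":
    # Constructed sample links exercising the four rules and two traversal attempts.
    for page, link in [
        ("index.md", "organization/teams.md"),
        ("organization/about.md", "teams.md"),
        ("ci-cd/bitbucket-ci.md", "../security/secrets.md"),
        ("index.md", "../workflows/update-cerebro-knowledge/index.md"),
        ("ci-cd/bitbucket-ci.md", "../../etc/passwd"),
        ("ci-cd/bitbucket-ci.md", "security/../../x.md"),
    ]:
        try:
            print(page, link, "->", resolve_wiki_link(page, link))
        except LinkResolutionError as exc:
            print(page, link, "-> REJECTED:", exc)
```

The ordering matters: the `../workflows/` check runs before the generic `../` strip, otherwise a workflow link would be routed to `get_wiki_file` with a `workflows/...` path that does not exist under the wiki root. The final `normpath` check is what catches links that look root-relative but smuggle a `..` later in the path.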
## Quick reference paths by use case
| Case | Load |
|---|---|
| Onboarding a new dev | about.md → teams.md → secrets.md |
| Setting up local development | secrets.md → mcp-and-ai-tooling.md |
| Creating a microservice | service-creation.md → ops-repos.md → bitbucket-ci.md |
| Debugging a deploy | jenkins-k8s-jobs.md → deployment-yamls.md → observability.md |
| Code review | code-reviews.md → code-insights.md |
| Configuring coverage | code-insights.md |
| Rotating the NPM token | secrets.md |
## Complete index

### Organization

- About Securitize — Company overview and engineering headcount (~20). Load when: onboarding, you need general business or team context.
- Teams & Projects — 8 teams (ON, ISR, TA, BC, JP, BlackOps, DevOps, SEC), Bitbucket projects, Jira projects, technical references, team leaders (Slack + email). Also covers the non-team-owned `SHAR` Bitbucket project and the `CTD` Cross Tech Debt Jira board. Load when: you need to know who owns a repo, contacts, or the team↔Jira↔Bitbucket mapping.
- Jira Boards — Board URLs per team. Load when: you just want the direct link to a board (NOT the mapping — that lives in `teams.md`).
### Infrastructure

- AWS Infrastructure — 2 AWS accounts (DEV `766597584338`, alias `Securitize-dev`; PROD `137355570712`, via the `prod` CLI profile), 4 environments (dev, rc, sandbox, prod), EKS (1 cluster/env), spot vs on-demand strategy. Load when: AWS config, understanding which env maps to which account, decisions about spot instances.
- Databases & External Services — Redis (AWS), MongoDB (Atlas), MySQL (RDS), Kafka (5 Confluent clusters including `sec_apac`), Jenkins, Logz.io, Wiz, SendSafely — URLs, providers, how to connect. Load when: configuring access to a DB or external service, looking up a URL.
### CI/CD

- Bitbucket Pipelines (CI) — Backend: `npm ci` → lint → build → docker → coverage report. Frontend: dedicated pipeline without tests. JUnit XML test reporting. Load when: configuring a pipeline, debugging a CI failure, understanding why your PR does not build.
- Jenkins K8s Jobs — Jenkins pipelines that deploy to Kubernetes (backend). Full flow: migration → docker build → ECR push → `kubectl apply` → rollout. `Jenkinsfile-K8S` (kops switch) vs `Jenkinsfile-K8S-MIG` (Jenkins-based migrations). Load when: debugging a backend deploy, understanding K8S vs K8S-MIG, changing DB/migration setup.
- Jenkins UI Jobs — Jenkins pipelines that deploy frontends to S3 + CloudFront. Three templates: `Jenkinsfile-UI` (legacy), `Jenkinsfile-UI-SST` (modern React TS + Vite satellites), `Jenkinsfile-UI-JP` (pnpm for APAC team). Covers build, deploy, Parameter Store cascade, prod deploy queue, remote QA triggering. Load when: debugging a frontend deploy, understanding UI pipeline variants, configuring QA for a team.
- Deployment YAML Patterns — Flat vs `custom/{env}/yamls`; how `deploy_service_jenkins.sh` auto-detects. Script NOT in git. Load when: adding environments to a service, understanding why dev has different config than prod.
- Code Insights & Coverage — `@securitize/coverage-insights` npm package, `coverage-merge-check` Forge app, env vars (`COV_IN_*`), thresholds (total 60% / patch 80%). Load when: configuring coverage in a repo, adjusting thresholds, understanding the merge check.
### Repositories

- Ops Repositories — Main `ops-` repos: ops-scripts (K8s configs, ~231 services), ops-manifest (Jenkinsfile library), ops-k8s-infra (GitOps/ArgoCD), ops-infra (Terraform IaC), ops-deployments, ops-terraform-modules. Relationship map included. Load when: infrastructure changes, PRs on `ops-`, understanding the deploy pipeline.
- Shared Libraries — 4 monorepos (nestjs-shared, reactjs-shared, commons-shared, bc-shared) + Turborepo publishing to private npm. Load when: using a `@securitize/*` package, publishing a new version, finding reusable code.
### Frontend

- Frontend Architecture — Investor Experience (React JS legacy container) + Control Panel (Vue); per-team React TypeScript MicroFrontends; S3 + CloudFront; two deploy paths (modern SST/CDK via `Jenkinsfile-UI-SST`, legacy via `Jenkinsfile-UI`); limited frontend test coverage. Also documents how to change env vars for a frontend per environment (SST vs legacy Parameter Store). Load when: working with frontends, MFE, SST/CDK IaC, S3/CloudFront deploy, legacy frontend deploys, changing env vars for a frontend per environment (dev/rc/sandbox/prod).
### Security & Secrets

- Secrets — K8s Secrets per env (`aws-secret`, `mongodb-secret`, `mysql-secret`, `kafka-secret`). NPM token (`SECURITIZE_READ_NPM_TOKEN`) in 4 locations (Parameter Store DEV + PROD, Bitbucket workspace, dev shells). Rotation runbook. Load when: onboarding (configure local NPM token), rotating the token, debugging "cannot install @securitize/*", adding a new secret.
### Engineering Practices

- Code Reviews — PR to `dev`: 1–2 approvals (varies by team). PR to `master`: 1 mandatory. Ownership by team, no CODEOWNERS. Load when: questions about merge rules, PR approval policy, or repo ownership.
- QA & Automation — Selenium (E2E + API), daily runs on RC, test gaps on frontends and microservices. Load when: context for the testing-strategy skill, understanding the current QA state.
- Feature Flags — Dedicated feature-flags microservice and the common alternatives in use (frontend/backend env vars, per-team config microservices). Load when: deciding how to implement a new feature flag.
- Rollback & Incidents — Manual rollback options (revert code + redeploy, or ask DevOps to re-tag the image). Incident management process is not formally documented. Load when: oncall, post-mortem, debugging a failed deploy.
- Service Creation — Internal CLI scaffolding, Jenkins job for new service, remaining manual steps (K8s secrets, configmaps, ingress), skill + Bitbucket MCP WIP. Load when: creating a new microservice or MFE.
### Observability
- Observability Stack — Logz.io (logs + errors + alerts), Correlation IDs via shared package, alerts → Slack. Load when: debugging a prod error, searching logs, configuring alerts.
### AI Tooling
- MCP Servers & AI Tooling — 5 MCPs (Atlassian Rovo, Jenkins, Slack, cerebro, Playwright; Atlassian Rovo covers Jira + Confluence + Bitbucket via two registration entries), direct CLIs (AWS, kubectl, Confluent), AI adoption, Cortex app, cerebro-knowledge repo. Load when: onboarding setup, configuring a new MCP, understanding current AI adoption.
- cerebro-knowledge repo — The Bitbucket repo behind the `cerebro` MCP: folder structure (skills/workflows/wiki/services), the full `cerebro` MCP config block + env vars, the `SEC_MCP_BITBUCKET_BRANCH` override for testing PRs locally before merging, and pointers to AGENTS.md (conventions) and the `update-cerebro-knowledge` workflow (procedure). Load when: contributing a change to cerebro-knowledge, configuring the cerebro MCP, or testing an unmerged branch through the MCP.
## External references
Canonical Securitize technical documentation lives in the Confluence Technical Guidelines (TBP) space:
https://securitize.atlassian.net/wiki/spaces/TBP
Direct links to specific Confluence pages are embedded in the relevant reference pages (e.g. Bitbucket Pipelines configuration → `bitbucket-ci.md`; Securitize CLI → `service-creation.md`).