From 11f80b9dd7227e2f45dfd424c8ef78d5b27c5aa7 Mon Sep 17 00:00:00 2001 From: Gabriel Sancho Date: Fri, 27 Mar 2026 02:49:16 -0300 Subject: [PATCH] docs(policy): enforce server-side data ownership and backend LLM mediation - clarify frontend may only rely on backend-issued session token cookie for auth - forbid frontend browser storage for domain/business data - require backend-mediated LLM calls across agent workflows --- .github/agents/backend.agent.md | 2 ++ .github/agents/frontend.agent.md | 5 ++++- .github/agents/orchestrator.agent.md | 2 ++ .github/agents/planner.agent.md | 2 ++ CLAUDE.md | 13 +++++++++++++ 5 files changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/agents/backend.agent.md b/.github/agents/backend.agent.md index 3be64d7..bcd3f5c 100644 --- a/.github/agents/backend.agent.md +++ b/.github/agents/backend.agent.md @@ -98,3 +98,5 @@ cd backend - DO NOT put business logic in controllers. - DO NOT put prompt construction logic outside `PromptBuilderService`. - DO NOT modify frontend code — your scope is `backend/` only. +- DO enforce server-side persistence for all business/domain data; frontend must not be required to persist domain data. +- DO model generated test-message history as backend-owned task-related data with referential integrity and cleanup on task deletion. diff --git a/.github/agents/frontend.agent.md b/.github/agents/frontend.agent.md index 87af804..106c573 100644 --- a/.github/agents/frontend.agent.md +++ b/.github/agents/frontend.agent.md 
@@ -39,6 +39,8 @@ frontend/src/ 7. **Routes:** new pages go in `src/pages/`, registered in `src/router/index.tsx`, lazy-loaded. 8. **Strings:** no hardcoded user-facing strings outside of constants. 9. **No over-engineering:** only add what is explicitly needed — no extra abstractions, helpers, or features. +10. **Data ownership:** domain/business data must stay server-side; frontend never persists entities, tasks, generated messages, logs, or similar domain data in `localStorage`, `sessionStorage`, or `IndexedDB`. +11. **LLM calls:** frontend must never call OpenAI/Ollama/Llama directly; use backend APIs only. ## TDD Cycle @@ -59,4 +61,5 @@ frontend/src/ - DO NOT store server data in `useState`. - DO NOT build custom UI primitives when a shadcn/ui component exists. - DO NOT write implementation code before the failing test exists. -- DO NOT modify backend code — your scope is `frontend/` only. \ No newline at end of file +- DO NOT modify backend code — your scope is `frontend/` only. +- DO NOT store business/domain data in browser storage; only the backend-issued `httpOnly` session cookie is allowed for auth state. \ No newline at end of file diff --git a/.github/agents/orchestrator.agent.md b/.github/agents/orchestrator.agent.md index 9b5f042..f1cf12f 100644 --- a/.github/agents/orchestrator.agent.md +++ b/.github/agents/orchestrator.agent.md 
@@ -159,6 +159,8 @@ Read the new version from `frontend/package.json` after bumping. - ALWAYS verify `git status` is clean before creating the branch. - ALWAYS use `gh pr create` (GitHub CLI) for pull requests — never instruct the user to open one manually unless `gh` is unavailable. - If `gh` is not installed, clearly tell the user and provide the exact PR title and body to paste into the GitHub UI. +- ALWAYS enforce backend ownership of business/domain data; do not accept frontend browser storage solutions for domain persistence. +- ALWAYS enforce backend-mediated LLM calls; frontend must never call LLM providers directly. --- diff --git a/.github/agents/planner.agent.md b/.github/agents/planner.agent.md index f86c692..c631871 100644 --- a/.github/agents/planner.agent.md +++ b/.github/agents/planner.agent.md @@ -52,6 +52,8 @@ For each step output: - DO reference specific existing files by path when relevant (e.g., `backend/src/main/kotlin/.../EntityService.kt`). - ALWAYS check the existing codebase before planning — never assume something doesn't exist. - ALWAYS respect the architecture: business logic in services, thin controllers, API layer in `src/api/`, React Query for server state. +- ALWAYS enforce backend-first data ownership in plans: domain/business data persistence belongs to backend/database, not browser storage. +- NEVER plan frontend direct LLM calls; all LLM interactions must be backend-mediated endpoints. ## Delegation Hint diff --git a/CLAUDE.md b/CLAUDE.md index 6a69f4d..254290b 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -363,6 +363,19 @@ docker compose down --- +## Data Ownership Policy (Critical) + +- **All business data must be persisted server-side** (PostgreSQL via backend APIs). +- The frontend must treat the backend as the single source of truth for entities, tasks, + generated preview messages/history, logs, and any other domain data. +- The frontend must **not** persist business/domain data in browser storage (`localStorage`, + `sessionStorage`, `IndexedDB`) or call LLM providers directly. +- The only browser-stored auth state is the backend-issued session token cookie (`httpOnly` JWT). +- If a required endpoint does not exist yet, implement it in the backend first; do not add + frontend-side persistence workarounds. + +--- + ## Naming Conventions ### Backend
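
Review bot: In the `.github/agents/backend.agent.md` hunk, the second added line asks for "referential integrity and cleanup on task deletion" without saying where that is enforced. An agent can satisfy the wording with either a database-level foreign key with cascading delete or a delete performed in the service layer, and the two behave differently when a task row is removed outside the service. Suggest naming the intended mechanism in the rule itself.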
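
Review bot: In the first `.github/agents/frontend.agent.md` hunk (rules 10 and 11), both rules read as closed lists: rule 10 names `localStorage`, `sessionStorage` and `IndexedDB`, and rule 11 names OpenAI/Ollama/Llama. Any other browser-side store (for example the Cache API or a non-session cookie) and any provider added later fall outside the literal wording. Suggest stating the general rule and giving the names as examples, in line with the orchestrator hunk's "frontend must never call LLM providers directly".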
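
Review bot: In the second `.github/agents/frontend.agent.md` hunk, the newly added last line is still followed by `\ No newline at end of file`, so the file again ends without a trailing newline. The next rule appended here will show this line as modified, which is what happened in this patch to the "DO NOT modify backend code" line. Suggest ending the file with a newline.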
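
Review bot: In the `.github/agents/planner.agent.md` hunk, the two added rules restate policy that this patch also writes, in different words, into four other files, and the copies already diverge: the auth cookie is "the backend-issued `httpOnly` session cookie" in `frontend.agent.md` and the "session token cookie (`httpOnly` JWT)" in `CLAUDE.md`, while the planner and orchestrator copies do not mention it. Suggest keeping the full wording in the `CLAUDE.md` "Data Ownership Policy" section and having each agent file refer to it, so a later change lands in one place. The phrase "all LLM interactions must be backend-mediated endpoints" would also read more clearly as "must go through backend endpoints".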
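
Review bot: In the `CLAUDE.md` hunk, the auth bullet specifies only `httpOnly` for the session cookie. Since that cookie becomes the sole credential held by the browser, the policy should also state the expected `Secure` and `SameSite` attributes and how state-changing requests are protected against CSRF, which `httpOnly` does not address. Separately, the ban on calling LLM providers directly is appended to the browser-storage bullet under a "Data Ownership" heading; giving it a bullet of its own would make it easier to find and matches the separate rule 11 in `frontend.agent.md`.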