docs(policy): enforce server-side data ownership and backend LLM mediation
- clarify frontend may only rely on backend-issued session token cookie for auth
- forbid frontend browser storage for domain/business data
- require backend-mediated LLM calls across agent workflows
.github/agents/frontend.agent.md
@@ -39,6 +39,8 @@ frontend/src/
7. **Routes:** new pages go in `src/pages/`, registered in `src/router/index.tsx`, lazy-loaded.
8. **Strings:** no hardcoded user-facing strings outside of constants.
9. **No over-engineering:** only add what is explicitly needed — no extra abstractions, helpers, or features.
10. **Data ownership:** domain/business data must stay server-side; frontend never persists entities, tasks, generated messages, logs, or similar domain data in `localStorage`, `sessionStorage`, or `IndexedDB`.
11. **LLM calls:** frontend must never call OpenAI/Ollama/Llama directly; use backend APIs only.
## TDD Cycle
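Review bot: rule 10 enumerates `localStorage`, `sessionStorage` and `IndexedDB`, but the stated goal is that domain data stays server-side, so the rule as written leaves other client-side persistence (frontend-set cookies, the Cache API / service-worker caches) unaddressed; consider phrasing it as "any browser-side persistent storage" and listing the three as examples. The qualifier "or similar domain data" is also vague for an agent that has to apply it mechanically; a concrete test such as "anything returned by a backend API response" would make the rule checkable. In rule 11, naming OpenAI/Ollama/Llama ties the policy to today's providers; "any LLM provider" plus the reason (provider credentials and prompts must never ship in the client bundle) would close the gap when a new provider is added and tell the agent why the backend must mediate.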
@@ -59,4 +61,5 @@ frontend/src/
- DO NOT store server data in `useState`.
- DO NOT build custom UI primitives when a shadcn/ui component exists.
- DO NOT write implementation code before the failing test exists.
- DO NOT modify backend code — your scope is `frontend/` only.
- DO NOT modify backend code — your scope is `frontend/` only.
- DO NOT store business/domain data in browser storage; only the backend-issued `httpOnly` session cookie is allowed for auth state.
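Review bot: the new DO NOT line says the `httpOnly` session cookie "is allowed for auth state", but an `httpOnly` cookie is unreadable from frontend JavaScript by definition, so the frontend never stores or handles it; the rule would be clearer as "auth state lives only in the backend-issued `httpOnly` session cookie, which the browser attaches to requests automatically; the frontend must not read, copy or mirror any auth token into JS-accessible storage". That wording also rules out the common workaround of stashing a token in memory or a non-`httpOnly` cookie. Separately, the line "DO NOT modify backend code — your scope is `frontend/` only." appears twice in this hunk with identical text, which usually means the line was rewritten only to add a trailing newline; please confirm that is the case and that the file does not end up with a duplicated bullet.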