docs(policy): enforce server-side data ownership and backend LLM mediation
- clarify frontend may only rely on backend-issued session token cookie for auth
- forbid frontend browser storage for domain/business data
- require backend-mediated LLM calls across agent workflows
2
.github/agents/planner.agent.md
vendored
@@ -52,6 +52,8 @@ For each step output:
|
||||
- DO reference specific existing files by path when relevant (e.g., `backend/src/main/kotlin/.../EntityService.kt`).
|
||||
- ALWAYS check the existing codebase before planning — never assume something doesn't exist.
|
||||
- ALWAYS respect the architecture: business logic in services, thin controllers, API layer in `src/api/`, React Query for server state.
|
||||
- ALWAYS enforce backend-first data ownership in plans: domain/business data persistence belongs to backend/database, not browser storage.
|
||||
- NEVER plan frontend direct LLM calls; all LLM interactions must be backend-mediated endpoints.
|
||||
|
||||
## Delegation Hint
|
||||
|
||||
|
||||
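Review bot: The added ALWAYS rule on backend-first data ownership says "browser storage" without naming what counts, and it omits the exception the commit message describes, that the frontend may rely only on a backend-issued session token cookie for auth. A planner reading this file alone cannot tell whether that cookie is permitted or whether auth tokens may be kept elsewhere in the browser. Suggest naming the mechanisms the rule covers (localStorage, sessionStorage, IndexedDB) and adding the session-cookie rule as its own bullet next to it. On the added NEVER rule, "backend-mediated endpoints" would be easier to plan against if it stated that the frontend reaches LLM features only through the API layer in `src/api/` named in the architecture bullet above, never through an LLM provider directly.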