docs(policy): enforce server-side data ownership and backend LLM mediation

- clarify frontend may only rely on backend-issued session token cookie for auth - forbid frontend browser storage for domain/business data - require backend-mediated LLM calls across agent workflows
2026-03-27 02:49:16 -03:00
parent ebcea643c4
commit 11f80b9dd7
5 changed files with 23 additions and 1 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -363,6 +363,19 @@ docker compose down

 ---

+## Data Ownership Policy (Critical)
+
+- **All business data must be persisted server-side** (PostgreSQL via backend APIs).
+- The frontend must treat the backend as the single source of truth for entities, tasks,
+  generated preview messages/history, logs, and any other domain data.
+- The frontend must **not** persist business/domain data in browser storage (`localStorage`,
+  `sessionStorage`, `IndexedDB`) or call LLM providers directly.
+- The only browser-stored auth state is the backend-issued session token cookie (`httpOnly` JWT).
+- If a required endpoint does not exist yet, implement it in the backend first; do not add
+  frontend-side persistence workarounds.
+
+---
+
 ## Naming Conventions

 ### Backend