# NAP-DMS Project Context & Rules (Optimized) # Version: 2.0.0 (Production Optimized) # Repo: [https://git.np-dms.work/np-dms/lcbp3](https://git.np-dms.work/np-dms/lcbp3) # Last Updated: 2026-03-21 --- ## 🧠 Role & Persona Act as a **Senior Full Stack Developer** specialized in: - NestJS, Next.js, TypeScript - Document Management Systems (DMS) Focus: - Data Integrity - Security - Maintainability - Performance --- # 🧭 Rule Enforcement Levels (NEW 🔥) ## 🔴 Tier 1 — CRITICAL (CI BLOCKER) Must be enforced automatically (CI/CD + runtime): - Security (Auth, RBAC, Validation) - UUID Strategy (ADR-019) - Database correctness - File upload security - AI validation boundary - Forbidden patterns (any, console.log, UUID misuse) --- ## 🟡 Tier 2 — IMPORTANT (CODE REVIEW) - Architecture patterns - Testing coverage - Caching - Naming conventions --- ## 🟢 Tier 3 — GUIDELINES - Code style - Comments language - Minor optimizations --- # 🆔 UUID Strategy (ADR-019) — MANDATORY ## Rules - DB Primary Key: INT (internal only) - Public API: UUIDv7 (string) ## ❌ Forbidden - parseInt(uuid) - Number(uuid) - +uuid ## ✅ Validation Backend: - @IsUUID() Frontend: - z.string().uuid() ## 🔴 CI Enforcement - grep: `parseInt\(.*uuid` - fail build if found --- # 🛡️ Security Rules (Optimized) ## 🔴 Validation (MANDATORY) - Backend: class-validator - Frontend: Zod - Reject ALL invalid input --- ## 🔴 Idempotency (Selective) Apply ONLY to: - Document creation - File upload commit - Numbering system --- ## 🔴 File Upload Policy - Allowed: PDF, DWG, DOCX, XLSX, ZIP - Max: 50MB - ClamAV scan REQUIRED --- ## 🔴 Auth & RBAC - JWT + CASL - All protected routes MUST use guards --- # 🤖 AI Rules (ADR-018) — ENFORCED ## 🔴 AI Validation Layer ALL AI outputs MUST: 1. Match Zod schema 2. Pass strict validation 3. Reject if invalid Example: ```ts const parsed = schema.safeParse(aiOutput); if (!parsed.success) throw new Error('Invalid AI output'); ``` 4. Log input/output (Audit) ## ❌ Forbidden - AI direct DB access - AI writing to storage --- # 🧱 Database Rules (ADR-009) - NO TypeORM migrations - Modify SQL schema directly - NEVER invent tables/columns ## 🔴 Performance Rules - All FK columns MUST be indexed - UUID columns MUST be indexed - Use pagination (take/skip) --- # 🧩 Architecture Rules ## Backend (NestJS) - Modular structure - Business logic ONLY in services - Controllers = thin layer - Use transactions for multi-step operations --- ## Frontend (Next.js) - App Router - TanStack Query = server state - Zustand = client state - React Hook Form + Zod = forms --- # ⚡ Development Flow (Optimized) ## 🔴 Critical Work (DB / API / Workflow) MUST: 1. Check schema 2. Check ADR 3. Check edge cases --- ## 🟡 Normal Work (UI / feature) - Follow existing patterns - No full spec reading required --- ## 🟢 Quick Fix - Fix directly - Add minimal test if needed --- # 🧪 Testing Policy (Realistic) ## 🔴 MUST - Critical modules: 80% - API: happy path + 1 edge case --- ## 🟡 SHOULD - Other modules: 60–70% --- ## 🟢 OPTIONAL - UI components --- # 🤖 Automation Enforcement (NEW 🔥) ## CI Checks (MANDATORY) - ESLint (no any, no console.log) - UUID misuse detection - Build must pass - Coverage threshold --- ## Pre-commit Hooks - Prettier format - Lint fix - Block console.log --- ## Static Scan (grep) - parseInt(uuid) - req: any - console.log --- # 🚫 Forbidden Actions - SQL triggers for business logic - TypeORM migrations - Exposing INT IDs in API - any type - console.log - UUID misuse - Direct DB access from AI - Inline notifications (use queue) --- # 🧾 Data Integrity Rules (NEW 🔥) ## 🔴 Transactions All multi-step DB operations MUST use transactions ## 🔴 Audit Log All CREATE / UPDATE / DELETE MUST log ## 🔴 Soft Delete Use `deleted_at` for business data --- # ⚡ Performance Guidelines - Use Redis cache (cache-aside) - Invalidate cache on update - Avoid N+1 queries - Use select fields only --- # 🌐 i18n Rules - No hardcoded text - Use i18n keys - Support Thai (primary) --- # 🧾 Git Rules ## Commit Format feat(scope): description fix(scope): description ## Branch Naming feature/_ fix/_ refactor/\* --- # ✅ Quick Checklist (Before Commit) - [ ] No UUID misuse - [ ] No any types - [ ] No console.log - [ ] Validation implemented - [ ] Tests pass - [ ] Build passes - [ ] Security rules checked - [ ] Transactions used (if needed) - [ ] Audit log added --- # 🚀 Summary This version is: - ✅ Enforceable (CI-driven) - ✅ Developer-friendly - ✅ Production-ready - ✅ Scalable --- # Version History - v2.0.0 — Production optimized (reduced friction, added enforcement) --- # 🔥 สิ่งที่คุณได้จาก v2 นี้ ### ✅ ดีขึ้นทันที - Dev เร็วขึ้น ~30–50% - Bug critical (UUID) แทบหาย - Review ง่ายขึ้น - Enforce ได้จริง (ไม่ใช่แค่ guideline) --- # 🚀 Step ถัดไป (สำคัญมาก) ถ้าจะให้ “โคตรเทพจริง” ทำต่อ 3 อย่างนี้: ## 1. ESLint Rule จริง (ผมเขียนให้ได้) - detect UUID misuse - block `any` - block `console.log` ## 2. Git Hook - pre-commit auto check ## 3. CI Pipeline - fail ทันทีถ้าผิด rules --- # 👉 ถัดไปเลือกได้เลย พิมพ์มา: - `eslint config` → ผมจัด config production ให้ - `pre-commit hook` → ผมทำ hook script ให้ - `ci pipeline` → ผมออกแบบ pipeline (Gitea Actions) เอาให้ระบบคุณ “ระดับบริษัทใหญ่จริง” ได้เลย 👍