24 lines
1.4 KiB
Markdown
24 lines
1.4 KiB
Markdown
---
|
|
trigger: always_on
|
|
---
|
|
|
|
# 🛡️ Security Rules (Non-Negotiable)
|
|
|
|
1. **Idempotency:** All critical `POST`/`PUT`/`PATCH` MUST validate `Idempotency-Key` header
|
|
2. **Two-Phase File Upload:** Upload → Temp → Commit → Permanent
|
|
3. **Race Conditions:** Redis Redlock + TypeORM `@VersionColumn` for Document Numbering
|
|
4. **Validation:** Zod (frontend) + class-validator (backend DTO)
|
|
5. **AI Isolation (ADR-018):** Ollama on Admin Desktop ONLY — NO direct DB/storage access
|
|
|
|
## 🚫 Forbidden Actions
|
|
|
|
| ❌ Forbidden | ✅ Correct Approach |
|
|
| ----------------------------------------------- | --------------------------------------------- |
|
|
| SQL Triggers for business logic | NestJS Service methods |
|
|
| TypeORM migration files | Edit schema SQL directly (ADR-009) |
|
|
| `any` TypeScript type | Proper types / generics |
|
|
| `console.log` in committed code | NestJS Logger (backend) / remove (frontend) |
|
|
| Direct file operations bypassing StorageService | `StorageService` for all file moves |
|
|
| Inline email/notification sending | BullMQ queue job |
|
|
| `parseInt()` on UUID values | Use UUID string directly (ADR-019) |
|