# Project Rules

## Asset, Key, And Runtime Data Governance

These rules are mandatory for all frontend, backend, deployment, and agent-generated changes.

1. Image and media assets must be stored in OSS.
   - Do not commit product images, demo images, generated images, videos, or other large media assets into `src/assets` or other source folders.
   - Code may reference media only by OSS URL or by data returned from an API.
   - Local assets are limited to tiny build-critical files such as icons or placeholders, and require explicit justification.
2. Frontend code must not contain API keys or secrets.
   - Do not hard-code provider keys, access keys, tokens, private endpoints, passwords, or bearer tokens in TypeScript, CSS, HTML, Vite config, Nginx snippets, or checked-in docs.
   - Browser-delivered code must treat every visible value as public. Anything that ends up in the bundle, including `VITE_*` values that Vite inlines at build time, can be read by anyone who loads the page.
3. Provider keys are owned by the server key pool.
   - AI provider credentials are stored and managed server-side.
   - The frontend requests work through application APIs; the server leases provider keys from the concurrency/key pool and calls providers on behalf of the client.
   - Do not add direct browser-to-provider calls that require provider credentials.
4. Application data must come through APIs.
   - Do not hard-code product data, pricing, model availability, provider routing, account state, usage state, or operational configuration in the frontend.
   - Use typed API clients and server-provided payloads for runtime data.
   - Static constants are allowed only for presentation defaults that are not business-authoritative.
5. Do not use fixed environment configuration in application code.
   - Do not bake production hostnames, provider endpoints, keys, or environment-specific behavior into source code.
   - Environment-specific values belong in server deployment configuration, secret management, or runtime configuration endpoints.
   - Frontend code must not add fixed `VITE_*` or equivalent environment variables for API hosts, provider hosts, business data, or secrets.
   - If the browser needs runtime configuration, it must request that data from an application API.
6. Deployment configuration must follow the same rules.
   - Nginx and process manager configs must not embed provider API keys or long-lived credentials.
   - Reverse proxies should route application traffic to the backend, not expose third-party credentials.
   - Secrets must be rotated immediately if found in source, Git remotes, shell history, Nginx config, process manager config, or logs. Deleting the value or rewriting history does not undo the exposure; treat the credential as compromised until it is rotated.
7. Reviews must reject violations.
   - Any new local media file, hard-coded key, direct provider credential path, or fixed production config is a blocking issue.
   - Prefer deleting local assets and replacing them with OSS URLs returned by APIs or server-managed config.
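The server-side lease described in rule 3, written out as an added example. This is not the project's own code: the `PoolKey` shape, the per-key concurrency cap, the `handleChat` handler, and the `callProvider` callback are assumptions chosen to show the flow. The browser sends only its prompt to the application API; the server picks the least-loaded key that still has capacity, calls the provider, and releases the lease in `finally` so a failed provider call cannot leak capacity.

```typescript
// Added example, not the project's code: a server-side provider key pool of the
// kind rule 3 describes. Field names, cap values and callProvider are assumptions.

interface PoolKey {
  id: string;            // label for logs and metrics; never the secret itself
  secret: string;        // provider credential; stays on the server
  maxConcurrent: number; // per-key concurrency cap
}

interface Lease {
  keyId: string;
  secret: string;
  release: () => void;
}

class KeyPool {
  private inFlight = new Map<string, number>();

  constructor(private readonly keys: PoolKey[]) {
    for (const k of keys) this.inFlight.set(k.id, 0);
  }

  // Current in-flight calls per key id (for metrics and tests).
  load(): Record<string, number> {
    const out: Record<string, number> = {};
    this.inFlight.forEach((used, id) => { out[id] = used; });
    return out;
  }

  // Lease the least-loaded key that still has capacity; null when the pool is saturated.
  lease(): Lease | null {
    let best: PoolKey | null = null;
    let bestRatio = Infinity;
    for (const k of this.keys) {
      const used = this.inFlight.get(k.id) ?? 0;
      if (used >= k.maxConcurrent) continue;
      const ratio = used / k.maxConcurrent;
      if (ratio < bestRatio) { best = k; bestRatio = ratio; }
    }
    if (!best) return null;
    const chosen = best;
    this.inFlight.set(chosen.id, (this.inFlight.get(chosen.id) ?? 0) + 1);
    let released = false;
    return {
      keyId: chosen.id,
      secret: chosen.secret,
      release: () => {
        if (released) return; // idempotent: a double release must not corrupt the count
        released = true;
        this.inFlight.set(chosen.id, (this.inFlight.get(chosen.id) ?? 0) - 1);
      },
    };
  }
}

// The real provider call is injected so the example runs offline (assumed signature).
type ProviderCall = (secret: string, prompt: string) => Promise<string>;

interface ChatResult {
  status: 200 | 503;
  body: string;
  keyId?: string; // for the server's own log line; do not send to the browser
}

// Application API handler: the client supplies only the prompt; credentials never leave the server.
async function handleChat(pool: KeyPool, prompt: string, callProvider: ProviderCall): Promise<ChatResult> {
  const lease = pool.lease();
  if (!lease) return { status: 503, body: "provider capacity exhausted, retry later" };
  try {
    const text = await callProvider(lease.secret, prompt);
    return { status: 200, body: text, keyId: lease.keyId };
  } finally {
    lease.release(); // always return capacity, even when the provider call throws
  }
}

// Constructed demo pool and a fake provider that echoes the prompt without network access.
const DEMO_POOL = new KeyPool([
  { id: "key-a", secret: "server-only-secret-a", maxConcurrent: 1 },
  { id: "key-b", secret: "server-only-secret-b", maxConcurrent: 1 },
]);
const fakeProvider: ProviderCall = async (_secret, prompt) => `echo: ${prompt}`;

handleChat(DEMO_POOL, "hello", fakeProvider).then((r) => console.log(r.status, r.body));
```

A production pool would also retire a key on a 401/429 from the provider and refill from secret management; the lease/release contract above is the part the frontend rules depend on.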
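Rule 7 makes violations blocking, and most of rules 1, 2, 3, 5 and 6 can be checked mechanically before a reviewer sees the change. The following is an added example of such a check, not the project's own tooling: it scans an in-memory set of files and returns findings tagged with the rule they break. The secret-shaped patterns, the 10 KB icon allowance, the provider host list, the file-type regexes and the sample repository are assumptions for illustration and would need tuning to the real repository; rule 4 (business data hard-coded in the frontend) is not something a pattern check can decide and is left to human review.

```typescript
// Added example, not the project's tooling: a review-time policy check for rules
// 1, 2, 3, 5 and 6. Patterns, thresholds and sample files are assumptions.

interface Finding {
  path: string;
  rule: string;   // rule number from the policy above
  detail: string;
}

type FileSet = Record<string, string>; // path -> content (media content is a stand-in)

const MEDIA_EXT = /\.(png|jpe?g|gif|webp|avif|svg|mp4|mov|webm)$/i;
const ICON_DIRS = /^src\/assets\/(icons|placeholders)\//;
const ICON_ALLOWANCE_BYTES = 10 * 1024; // assumption: "tiny" means at most 10 KB

// Files whose contents reach the browser bundle or shape it (Vite inlines VITE_* values).
const BROWSER_DELIVERED = /\.(ts|tsx|js|jsx|css|html)$|(^|\/)\.env(\..*)?$/i;
// Deployment config covered by rule 6.
const DEPLOY_CONFIG = /\.conf$|(^|\/)ecosystem\.config\.[cm]?js$/i;
// Everything rule 2 and rule 6 say must not carry a secret.
const SECRET_SCANNED = /\.(ts|tsx|js|jsx|cjs|mjs|css|html|md|conf)$|(^|\/)\.env(\..*)?$/i;

// Secret-shaped literals. AKIA is the AWS access key id prefix and LTAI the Alibaba
// Cloud AccessKey id prefix; the rest are generic shapes to tune per provider.
const SECRET_PATTERNS: Array<[string, RegExp]> = [
  ["AWS access key id", /\bAKIA[0-9A-Z]{16}\b/],
  ["Alibaba Cloud AccessKey id", /\bLTAI[A-Za-z0-9]{12,}\b/],
  ["sk- style provider key", /\bsk-[A-Za-z0-9_-]{20,}\b/],
  ["bearer token literal", /Bearer\s+[A-Za-z0-9._-]{20,}/],
  ["assigned key/secret/token", /(api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']{12,}["']/i],
];

// VITE_* names that carry hosts, endpoints, keys or similar (rule 5).
const VITE_ENV_RE = /\bVITE_[A-Z0-9_]*(?:API|HOST|URL|ENDPOINT|KEY|SECRET|TOKEN)[A-Z0-9_]*\b/g;

// Provider hosts the browser must never reference directly (rule 3); illustrative list.
const PROVIDER_HOSTS = ["api.openai.com", "api.anthropic.com", "dashscope.aliyuncs.com"];

// proxy_set_header Authorization/X-Api-Key whose value is a literal rather than a $variable (rule 6).
const NGINX_HEADER_RE = /proxy_set_header\s+(Authorization|X-Api-Key)\s+([^;]+);/i;

function checkPolicy(files: FileSet): Finding[] {
  const findings: Finding[] = [];
  for (const path of Object.keys(files)) {
    const content = files[path];

    // Rule 1: media belongs in OSS; only tiny icons/placeholders may live under src/.
    if (path.startsWith("src/") && MEDIA_EXT.test(path)) {
      const allowed = ICON_DIRS.test(path) && content.length <= ICON_ALLOWANCE_BYTES;
      if (!allowed) findings.push({ path, rule: "1", detail: "media asset committed under src/; move it to OSS" });
      continue;
    }

    // Rules 2 and 6: secret-shaped literals in frontend code, docs or deployment config.
    if (SECRET_SCANNED.test(path)) {
      const hit = SECRET_PATTERNS.find(([, re]) => re.test(content));
      if (hit) {
        findings.push({ path, rule: DEPLOY_CONFIG.test(path) ? "6" : "2", detail: `${hit[0]} found; remove it and rotate the credential` });
      }
    }

    if (BROWSER_DELIVERED.test(path)) {
      // Rule 5: fixed VITE_* variables for hosts, endpoints or secrets.
      for (const name of Array.from(new Set(content.match(VITE_ENV_RE) || []))) {
        findings.push({ path, rule: "5", detail: `${name} must come from a runtime config API, not a build-time variable` });
      }
      // Rule 3: direct browser-to-provider references.
      for (const host of PROVIDER_HOSTS) {
        if (content.includes(host)) findings.push({ path, rule: "3", detail: `references ${host}; route the call through the backend` });
      }
    }

    // Rule 6: Nginx may forward the client's header ($http_authorization), never inject a stored one.
    if (path.endsWith(".conf")) {
      for (const line of content.split("\n")) {
        const m = NGINX_HEADER_RE.exec(line);
        if (!m) continue;
        const value = m[2].trim().replace(/^["']|["']$/g, "");
        if (!value.startsWith("$")) findings.push({ path, rule: "6", detail: `literal ${m[1]} header value in proxy config` });
      }
    }
  }
  return findings;
}

function formatReport(findings: Finding[]): string {
  if (findings.length === 0) return "policy check passed";
  return findings.map((f) => `BLOCK rule ${f.rule}: ${f.path}: ${f.detail}`).join("\n");
}

// Constructed sample repository: one compliant icon, then one violation of each kind.
const SAMPLE_REPO: FileSet = {
  "src/assets/icons/logo.svg": "<svg/>",
  "src/assets/demo/hero.png": "x".repeat(300000),
  "src/api/client.ts": 'const key = "sk-aaaaaaaaaaaaaaaaaaaaaaaa"; fetch("https://api.openai.com/v1/chat");',
  "vite.config.ts": "define: { API: process.env.VITE_API_HOST }",
  ".env.production": "VITE_APP_TITLE=Studio\nVITE_PROVIDER_HOST=https://api.openai.com\n",
  "deploy/nginx.conf":
    "location /api/ { proxy_pass http://127.0.0.1:8080; proxy_set_header Authorization $http_authorization; }\n" +
    'location /llm/ { proxy_pass https://api.openai.com/; proxy_set_header Authorization "Bearer sk-bbbbbbbbbbbbbbbbbbbbbbbb"; }',
};

console.log(formatReport(checkPolicy(SAMPLE_REPO)));
```

Run it as a pre-commit hook or a CI step over the changed files and fail the job when `checkPolicy` returns anything; a finding is a blocking issue under rule 7 regardless of which rule it cites. Note that the `.env.production` line above is flagged twice on purpose: once for the fixed `VITE_*` variable and once for the provider host it carries.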