40 lines
2.8 KiB
Markdown
40 lines
2.8 KiB
Markdown
# Project Rules
|
|
|
|
## Asset, Key, And Runtime Data Governance
|
|
|
|
These rules are mandatory for all frontend, backend, deployment, and agent-generated changes.
|
|
|
|
1. Image and media assets must be stored in OSS.
|
|
- Do not commit product images, demo images, generated images, videos, or other large media assets into `src/assets` or other source folders.
|
|
- Code may reference media only by OSS URL or by data returned from an API.
|
|
- Local assets are limited to tiny build-critical files such as icons or placeholders, and require explicit justification.
|
|
|
|
2. Frontend code must not contain API keys or secrets.
|
|
- Do not hard-code provider keys, access keys, tokens, private endpoints, passwords, or bearer tokens in TypeScript, CSS, HTML, Vite config, Nginx snippets, or checked-in docs.
|
|
- Browser-delivered code must treat every visible value as public.
|
|
|
|
3. Provider keys are owned by the server key pool.
|
|
- AI provider credentials are stored and managed server-side.
|
|
- The frontend requests work through application APIs; the server leases provider keys from the concurrency/key pool and calls providers on behalf of the client.
|
|
- Do not add direct browser-to-provider calls that require provider credentials.
|
|
|
|
4. Application data must come through APIs.
|
|
- Do not hard-code product data, pricing, model availability, provider routing, account state, usage state, or operational configuration in the frontend.
|
|
- Use typed API clients and server-provided payloads for runtime data.
|
|
- Static constants are allowed only for presentation defaults that are not business-authoritative.
|
|
|
|
5. Do not use fixed environment configuration in application code.
|
|
- Do not bake production hostnames, provider endpoints, keys, or environment-specific behavior into source code.
|
|
- Environment-specific values belong in server deployment configuration, secret management, or runtime configuration endpoints.
|
|
- Frontend code must not add fixed `VITE_*` or equivalent environment variables for API hosts, provider hosts, business data, or secrets.
|
|
- If the browser needs runtime configuration, it must request that data from an application API.
|
|
|
|
6. Deployment configuration must follow the same rules.
|
|
- Nginx and process manager configs must not embed provider API keys or long-lived credentials.
|
|
- Reverse proxies should route application traffic to the backend, not expose third-party credentials.
|
|
- Secrets must be rotated immediately if found in source, Git remotes, shell history, Nginx config, process manager config, or logs.
|
|
|
|
7. Reviews must reject violations.
|
|
- Any new local media file, hard-coded key, direct provider credential path, or fixed production config is a blocking issue.
|
|
- Prefer deleting local assets and replacing them with OSS URLs returned by APIs or server-managed config.
|