Files
tfm_ainventory/AI_RULES.md
Daniel Bedeleanu ec24483eb3 security: add mandatory authentication policy - never disable auth
Auth must ALWAYS be enabled in all environments. Added comprehensive rule:
- NO auth bypass, debug mode, or dev-only disabling
- NO hardcoded credentials or weak defaults
- EVERY API endpoint requires JWT token
- Password hashing via passlib pbkdf2_sha256
- Debug strategy for auth breakages (never skip auth)

This ensures security is non-negotiable across all deployments.
2026-04-23 10:10:12 +03:00

92 lines
5.9 KiB
Markdown

# AI AGENT RULES - MANDATORY SSOT ENTRY POINT
**READ THIS ENTIRE FILE BEFORE EXECUTING ANY TASK.**
This is the **Single Source of Truth** for ALL AI agents. Refer to [PROJECT_ARCHITECTURE.md](PROJECT_ARCHITECTURE.md) for technical logic.
---
## 1. AI MEMORY, TRACEABILITY & HANDOVER
- **MANDATORY STARTUP**: Read `dev_docs/SESSION_STATE.md` immediately at session start.
- **PLAN RETIREMENT**: Mark a completed "Master Plan" as `[COMPLETED]` in the file itself. Move technical details to `dev_docs/ARCHIVE_LOGS.md` and `PLAN.md` entries to `dev_docs/PLAN_HISTORY.md`.
- **STRICT HANDOVER**: Update `dev_docs/SESSION_STATE.md` at the end of every task with: **Active AI**, **Current Status** (Stable/Broken/In-Progress), **Context**, and **Next Steps**.
- **SESSION ARCHIVE**: Move previous handover content to `dev_docs/SESSION_HISTORY.md` before writing new state.
- **NO INTERACTION OVERLAP**: Never modify a file if another AI session is explicitly working on it.
- **CONCISE COMMUNICATION**: Be concise! Do not explain a thousand details unless they are absolutely necessary.
## 2. ENGINEERING & OPERATIONAL LAWS
- **ENGLISH ONLY**: Interfaces, code, variables, and docs MUST be in English. Translate any Romanian text found in code immediately. (User conversation: Romanian/English).
- **GIT PROTOCOL**: Use `git` command from system PATH for all operations. On Linux, this is provided by the git package manager. Git operations use the fallback mechanism in `.git_path` file for cross-platform compatibility. Never push or use `--force` unless explicitly asked. Branching: `master` (stable), `dev` (active), `vX` (archive).
- **VERSIONING**: Update `VERSION.json` on every commit. Use `scripts/save_version.py` for automated releases.
- **DEPENDENCIES**: Update `backend/requirements.txt` with version constraints for every new pip package.
- **SSOT INTEGRITY**: Every feature change MUST update: `README.md`, `USER_GUIDE.md`, `PROJECT_ARCHITECTURE.md`, and `export_prod.sh`.
## 3. UI/UX "PREMIUM" FIDELITY STANDARDS
- **Aesthetics**: Density/aesthetics must remain "Premium". Use Tailwind CSS. NO simplification.
- **Typography Rules**:
- **NO UPPERCASE** or **NO ITALICS** in headers, labels, buttons, or metadata.
- **NO `tracking-widest`**. Use standard camel/Title case.
- **NO BOLD FONTS**: Use `font-normal` throughout (no `font-black`, `font-bold`, or `font-semibold`). Text hierarchy maintained through font-size and color differences.
- **Layout**: Main pages MUST use `max-w-7xl`.
- **Unified Headers**: Icon box (`p-4 bg-primary/10 border-primary/20`) + Title (`text-3xl font-normal`) + Subtitle (`text-xs text-slate-500`).
- **Iconography**: Use **Lucide Icons** exclusively (NO emojis).
- **Categories**: `Layers` (text-primary).
- **Item Types**: `Package` (text-green-500).
- **Affordance**: Dropdowns MUST have a `ChevronDown`. Passwords: `text-white/50`. Logout MUST be `text-rose-500`.
## 4. DATA INTEGRITY & AUDIT POLICY
- **RESTRICTED ACTIONS**: `DELETE /items/` and Admin settings require `auth.get_current_admin`.
- **AUDIT IMMUTABILITY**: Deleting an `Item` MUST NOT delete its `AuditLog` entries.
- **TRACEABILITY**: Log deletions to `logs/backend.log` with `USER[id]`, `ITEM[id]`, `Name`, `PN`.
- **CONFIRMATION**:
- **Triple Confirmation**: Deleting critical entities (Locations/Items) requires user confirmation 3 times.
- **Native Alerts**: Use `window.confirm` for all destructive UI actions and Logout.
## 5. MANDATORY AUTHENTICATION SECURITY POLICY
**CRITICAL**: Authentication is NEVER disabled. Not in development, not in production, not in any environment.
- **NO AUTH BYPASS**: Never implement auth bypass, debug mode to skip auth, or dev-only auth disabling.
- **NO HARDCODED CREDENTIALS**: Credentials must be initialized through proper database migrations or admin setup scripts.
- **NO WEAK DEFAULTS**: No default usernames like "admin/admin" in production deployments.
- **LOGIN ALWAYS REQUIRED**: Every API endpoint must require valid JWT token via `auth.get_current_user`.
- **CREDENTIAL MANAGEMENT**: Use proper password hashing (passlib with pbkdf2_sha256), never plain text.
- **IF AUTH BREAKS**: Debug by:
1. Verifying database contains users
2. Testing password hashing in isolation
3. Checking session/transaction isolation
4. Reviewing logs for SQL errors
5. **NEVER skip authentication** - always fix the root cause
- **DOCUMENTATION**: Auth configuration must be clearly documented in `STANDALONE_DEPLOYMENT.md` with proper setup steps.
This rule supersedes any convenience or testing shortcuts. Security is non-negotiable.
## 6. AI COMMAND SHORTCUTS
- **`save-version`**:
0. **MANDATORY**: Verify and update ALL documentation (`.md` files: README, USER_GUIDE, ARCHITECTURE, etc.) with explanations of all current changes.
1. Increment `VERSION.json`.
2. Git add/commit (`Build [vX.Y.Z]`).
3. Create branch `vX.Y.Z` (Snapshot).
4. Automatic Sync: Merge changes into `master` branch to keep it up-to-date.
5. Run `./export_prod.sh`.
(Always use `python3 scripts/save_version.py`).
## 6. Implementation Completion
- All code modifications MUST be committed in git before the task is considered finished. `VERSION.json` must be updated on EACH commit.
- **MANDATORY GIT RULE:** Never push to remote unless explicitly requested by the user. Only commit locally with proper messages. Always assume the user will handle all `git push` operations. If a task requires pushing, ask for explicit permission first.
- **MANDATORY GIT RULE**: NO AI is allowed to write in git commits that it is the author or co-author (e.g., DO NOT add texts like `Co-Authored-By: AI...`). Commits should only contain technical messages.
- After finishing an entire job, end your final response on a separate line exactly with:
```
---
✓ Done.
```
- Do not provide unnecessary summaries of the code.
---
## END OF SESSION PROTOCOL
End your final response on a separate line exactly with:
```
---
✓ Done.
```