Project Instructions

Endpoints

• Keep route handlers thin. Business logic belongs in service modules, not route files.
• Validate all incoming data at the boundary. Don’t trust client input.
• Return consistent error responses with status code, error type, and message.

Database

• Always use parameterized queries. Never interpolate user input into SQL.
• Write migrations for schema changes. Don’t modify the database manually.
• Add indexes for columns used in WHERE clauses and JOINs.

Error Handling

• Catch errors at the boundary (middleware), not in every function.
• Log errors with enough context to debug — request ID, user context, input that triggered it.
• Don’t swallow errors silently. If you catch it, log it or re-throw it.

Security

• No secrets in code. Use environment variables.
• Authenticate before authorizing. Check permissions on every protected route.
• Rate limit public endpoints.

Testing

• Integration tests for endpoints. Unit tests for business logic.
• Test error paths, not just happy paths.

Git

• Write short commit messages. One feature or fix per commit.