---
description: Keep business logic in the backend to ensure security and compatibility
globs: **/*.{ts,js,go}
---
<rule>
When implementing features that involve business logic:

1. Keep critical business logic in the backend:
   - Data validation and sanitization
   - ID/UUID generation
   - Timestamp management
   - Access control and authorization
   - Complex calculations or data transformations
   - Relationship management and graph traversal
   - Link extraction and validation

2. Frontend should only handle:
   - UI state management
   - User input collection
   - Data display and formatting
   - Basic input validation for UX
   - UI-specific transformations
   - Relationship visualization

3. Security-sensitive operations must always be in backend:
   - Cryptographic operations
   - Token generation/validation
   - Password handling
   - Session management

4. When in doubt about where to place logic:
   - If it affects data integrity → backend
   - If it requires secure execution → backend
   - If it needs to work without JavaScript → backend
   - If it's purely for display/interaction → frontend

5. Data synchronization guidelines:
   - Backend owns the source of truth for relationships
   - Frontend should never compute relationships locally
   - Use backend-provided relationship data for display
   - Cache relationship data in frontend stores
   - Update relationship cache on mutations
   - Preload relationships when beneficial for UX

metadata:
  priority: high
  version: 1.1
</rule>

examples:
  - input: |
      # Bad: Generating UUIDs in frontend
      const id = crypto.randomUUID();
    output: |
      // Backend generates ID
      const response = await api.createResource(data);
      const { id } = response;

  - input: |
      # Bad: Validating permissions in frontend
      if (user.hasPermission('edit')) { ... }
    output: |
      // Let backend handle authorization
      const response = await api.updateResource(id, data);
      if (response.status === 403) {
        showError('Not authorized');
      }

  - input: |
      # Bad: Computing relationships in frontend
      const links = content.match(/\[\[(.*?)\]\]/g);
    output: |
      // Use backend-provided relationships
      const { linksTo, linkedBy } = await api.getNote(id);