---
description: Keep business logic in the backend to ensure security and compatibility
globs: **/*.{ts,js,go}
---
<rule>
When implementing features that involve business logic:

1. Keep critical business logic in the backend:
   - Data validation and sanitization
   - ID/UUID generation
   - Timestamp management
   - Access control and authorization
   - Complex calculations or data transformations

2. The frontend should only handle:
   - UI state management
   - User input collection
   - Data display and formatting
   - Basic input validation for UX
   - UI-specific transformations

3. Security-sensitive operations must always live in the backend:
   - Cryptographic operations
   - Token generation/validation
   - Password handling
   - Session management

4. When in doubt about where to place logic:
   - If it affects data integrity → backend
   - If it requires secure execution → backend
   - If it needs to work without JavaScript → backend
   - If it's purely for display/interaction → frontend

metadata:
  priority: high
  version: 1.0
</rule>

examples:
  - input: |
      // Bad: Generating UUIDs in frontend
      const id = crypto.randomUUID();
    output: |
      // Backend generates ID
      const response = await api.createResource(data);
      const { id } = response;

  - input: |
      // Bad: Validating permissions in frontend
      if (user.hasPermission('edit')) { ... }
    output: |
      // Let backend handle authorization
      const response = await api.updateResource(id, data);
      if (response.status === 403) {
        showError('Not authorized');
      }