backend-policy
Install: claude install-skill FJRG2007/enigma
# Backend & API Architecture Policy
## Activation Scope
- Apply whenever the task involves API endpoints, server business logic, services, controllers, or backend request flow.
- Owns server-side layering, API/request optimization, and server-side caching. Strict input validation rules live in validation-policy; persistence and query rules live in database-expert.
---
## Layered Structure (Separation of Concerns)
- Separate controllers, services, repositories, and validators into distinct layers.
- Controller/route handler: parse and validate input, call a service, shape the response. No business logic.
- Service: business logic and orchestration. Reusable and domain-focused. No HTTP or framework details.
- Repository/data access: the only layer that talks to the database (per database-expert). No business logic.
- Validator/schema: input contracts via Zod or equivalent (per validation-policy).
- Do not place business logic in route handlers, and do not place data access in services - go through the repository.
---
## Boundary Validation
- Validate every incoming request at the controller boundary before any business logic runs, using Zod (or equivalent) schemas.
- Share schemas with the frontend where possible; schemas are the single source of truth.
- Full validation and error-handling rules are owned by validation-policy - apply it; do not duplicate them here.
- Never expose internal errors, stack traces, or schemas to clients.
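
The layering and boundary-validation rules above, as an added example that is not part of the original policy. It assumes a hypothetical "create user" endpoint, a hand-written `parseCreateUser` standing in for a Zod schema, and an in-memory repository; all names are illustrative.

```javascript
// Validator layer: input contract (hand-written stand-in for a Zod schema).
function parseCreateUser(body) {
  const bad = [];
  if (typeof body !== "object" || body === null) return { ok: false, fields: ["body"] };
  const { email, age } = body;
  if (typeof email !== "string" || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) bad.push("email");
  if (!Number.isInteger(age) || age < 13 || age > 150) bad.push("age");
  if (bad.length) return { ok: false, fields: bad };
  // Only declared keys are copied, so extras such as "role" never reach the service.
  return { ok: true, data: { email: email.toLowerCase(), age } };
}

// Repository layer: the only code that touches storage (in-memory Map, constructed).
function makeUserRepo() {
  const rows = new Map();
  return {
    findByEmail: (email) => rows.get(email) || null,
    insert(user) {
      const row = { id: rows.size + 1, ...user };
      rows.set(user.email, row);
      return row;
    },
  };
}

// Service layer: business rules only; no request/response objects, no storage details.
class ConflictError extends Error {}
const makeUserService = (repo) => ({
  register(input) {
    if (repo.findByEmail(input.email)) throw new ConflictError("email already registered");
    return repo.insert(input);
  },
});

// Controller layer: validate, call the service, shape the response. No business logic.
const makeCreateUserHandler = (service, log = () => {}) => (req) => {
  const parsed = parseCreateUser(req.body);
  if (!parsed.ok) return { status: 400, body: { error: "invalid_request", fields: parsed.fields } };
  try {
    const user = service.register(parsed.data);
    return { status: 201, body: { id: user.id, email: user.email } };
  } catch (err) {
    if (err instanceof ConflictError) return { status: 409, body: { error: "conflict" } };
    log(err); // full detail stays in server logs
    return { status: 500, body: { error: "internal_error" } }; // no message or stack
  }
};
```

Because the service receives only `parsed.data`, a client-supplied `role` field is dropped at the boundary, and an exception raised inside the repository reaches the client only as a generic `internal_error`.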
---
## API & Request Optimization