- API responses MUST NOT contain
str(e)or Python exception details. Error messages to frontend must be fixed Chinese strings (e.g."操作失敗"), with details logged server-side vialogger.error()orlogger.exception(). - No SQL injection — all database queries must use parameterized statements.
- No unvalidated user input used directly in file system operations (
open(),Path(),os.path). - No hardcoded secrets, API keys, passwords, or tokens in source code.
- All
file:///URI construction and parsing MUST go throughcore/path_utils.py. - Forbidden patterns outside
path_utils.py:path[8:]orpath[len('file:///'):](manual URI strip)f"file:///{...}"(manual URI construction)replace('/', '\\')for path conversionstartswith('file:///')+ manual handling
- If you see any of these patterns, flag as P0.
document.querySelector('[x-data]')without a scoped selector (e.g..search-container[x-data]) is a bug — it selects the sidebar instead of the page component.- Alpine methods in templates must be called with
()—:disabled="!canGoPrev"is wrong,:disabled="!canGoPrev()"is correct.
- No
console.logleft in production JavaScript (except intentional debug modes). - Python
exceptblocks should not silently swallow errors — at minimumlogger.error(). - Avoid introducing new inline
<script>blocks in templates; prefer separate.jsfiles.