ModularAuth-Kit — AI Agent Rules

These rules apply to all AI agents working on this project.

Project Status — Pre-Launch (remove after v1.0 release)

This project is not yet published or launched
Breaking changes are allowed — do not worry about backwards compatibility
Always optimize for the best possible design — if something should be restructured, renamed, or rethought, do it
This rule overrides any workflow step that says "check backwards compatibility"

Always read dev-docs/ROADMAP.md first when starting any development work. Identify the current phase before writing any code.
Always read the relevant architecture docs linked in the current phase's "Depends On" section before implementing.

Always run npx tsc --noEmit after writing TypeScript files. Zero errors required before moving on. Fix all type errors immediately.
Follow dev-docs/conventions/coding-standards.md for all naming, imports, patterns, and prohibited practices. No exceptions.
Follow dev-docs/conventions/api-response-format.md for every API response. Always use sendSuccess() and sendError() helpers — never call res.json() directly.
Check dev-docs/architecture/folder-structure.md when creating new files to ensure correct location and naming.

Never expose passwordHash in any API response. If a query returns user data, ensure the passwordHash field is excluded.
Use identical error messages for auth failures — same message for "user not found" and "wrong password" to prevent account enumeration.
Follow dev-docs/references/owasp-checklist.md for all security-related decisions.

Cross-check testing/ docs after implementing each phase. Update any response examples that don't match the real code.
Write user-facing docs (docs/) alongside implementation, not after. Each phase specifies which docs to write.