chore: harden generation context baseline

prompts/auth-rules.md

@@ -0,0 +1,79 @@
+# Auth Rules
+
+This repository keeps the current LLM-first CRUD generation architecture as the primary working baseline.
+
+- Auth is part of the default generation path, not a post-generation addon.
+- `server/` is the active backend target output path.
+- `client/` is the active frontend target output path.
+- The generated runtime stays SPA + API + external Keycloak + PostgreSQL only.
+
+## Frontend auth invariants
+
+- Use `keycloak-js` with redirect-based login only.
+- Initialize Keycloak before rendering the SPA.
+- Use Authorization Code Flow + PKCE (`S256`).
+- Keep `authProvider`, `dataProvider`, `getIdentity()`, `getPermissions()`, and `checkError()` as stable provider seams.
+- Derive identity from token claims already present in the parsed token.
+- Do not call `loadUserProfile()` and do not depend on `/account` for the baseline app.
+- `401` must force re-authentication; `403` must stay an authorization error.
+- Keep token handling in memory and refresh through one shared in-flight operation.
+
+## Working runtime defaults
+
+Use the already working project defaults unless a prompt explicitly overrides them.
+
+- Frontend Keycloak base URL example:
+  - `VITE_KEYCLOAK_URL=https://sso.greact.ru`
+- Frontend realm and client example:
+  - `VITE_KEYCLOAK_REALM=toir`
+  - `VITE_KEYCLOAK_CLIENT_ID=toir-frontend`
+- Backend issuer and audience example:
+  - `KEYCLOAK_ISSUER_URL=https://sso.greact.ru/realms/toir`
+  - `KEYCLOAK_AUDIENCE=toir-backend`
+- CORS example:
+  - `CORS_ALLOWED_ORIGINS=http://localhost:5173,https://toir-frontend.greact.ru`
+
+Anti-regression rule:
+
+- Do not switch the baseline Keycloak example back to `http://localhost:8080` in generated `.env.example` files unless the prompt explicitly asks for a local Keycloak runtime.
+- Localhost Keycloak values may exist in private `.env.local` or `.env` overrides, but they are not the default project examples.
+
+## Backend auth invariants
+
+- Verify JWTs with `jose`.
+- Validate issuer + audience + signature via JWKS.
+- Resolve JWKS in this order:
+  1. `KEYCLOAK_JWKS_URL`
+  2. OIDC discovery at `/.well-known/openid-configuration`
+  3. `${issuer}/protocol/openid-connect/certs`
+- Extract roles only from `realm_access.roles`.
+- Keep `/health` public and all generated CRUD routes protected by default.
+
+## Auth anti-regression invariants
+
+- The accepted JWKS resolution chain above is the only baseline truth path. Do not document one order and implement another.
+- If auth implementation changes, `prompts/auth-rules.md` and `prompts/validation-rules.md` must be updated in the same change.
+- Do not skip OIDC discovery when no explicit `KEYCLOAK_JWKS_URL` is provided.
+- Do not switch role extraction to alternative claims unless the prompt explicitly changes the baseline contract.
+- Do not reintroduce localhost Keycloak defaults into shared baseline examples.
+
+## Realm artifact contract
+
+- A physical root-level `*-realm.json` artifact is mandatory output.
+- The artifact must be importable, versioned, and aligned with generated backend/frontend env contracts.
+- It must parameterize:
+  - realm name
+  - frontend client id
+  - backend client id / audience
+  - local and production frontend URLs
+  - artifact filename
+- It must explicitly deliver:
+  - `sub`
+  - `aud`
+  - `realm_access.roles`
+- It must define:
+  - realm roles `admin`, `editor`, `viewer`
+  - a public SPA client with PKCE S256
+  - a bearer-only backend client
+  - an explicit audience client scope
+  - explicit protocol mappers for baseline identity and role claims

prompts/backend-rules.md

@@ -0,0 +1,74 @@
+# Backend Rules
+
+The backend remains derived from `domain/*.dsl` inside the existing LLM-first pipeline. No compiler platform or generator engine is introduced.
+
+## Backend scaffold baseline
+
+- Start backend initialization from the official NestJS CLI workspace, not from manually created files.
+- The backend must remain compatible with standard Nest workspace tooling such as `nest build` and `nest start`.
+- Preserve the core Nest workspace files generated by the CLI, especially:
+  - `server/tsconfig.json`
+  - `server/tsconfig.build.json`
+  - `server/nest-cli.json`
+  - `server/src/main.ts`
+  - `server/src/app.module.ts`
+- For domain resources, prefer official Nest CLI generation patterns for modules/controllers/services/resources and then adapt the generated code to Prisma and auth requirements.
+- Do not delete required Nest workspace files just because the LLM can inline a smaller custom structure.
+
+## Forbidden backend generation patterns
+
+- Do not bootstrap `server/` by hand-writing a pseudo-Nest project from memory.
+- Do not remove `tsconfig.json`, `tsconfig.build.json`, or `nest-cli.json` after generation.
+- Do not replace standard Nest package scripts with ad hoc commands that break `nest build` or `nest start`.
+- Do not continue CRUD generation on top of a degraded backend workspace without repairing the workspace first.
+
+## Domain-derived output
+
+- `domain/*.dsl` is the source of truth for entities, fields, primary keys, foreign keys, and enums.
+- `domain-summary.json` is a derived artifact used to stabilize LLM generation and validation. It must never replace the DSL as the source of truth.
+- Each entity becomes:
+  - a Prisma model
+  - a NestJS module
+  - a controller
+  - a service
+  - create/update DTOs
+
+## DTO and Prisma mapping
+
+- `decimal` -> Prisma `Decimal`, DTO/API `string`
+- `date` -> Prisma `DateTime`, DTO/API `string`
+- Enums remain string-valued in DTO/API contracts
+
+## CRUD and natural-key invariants
+
+- CRUD routes use the real primary key name in the path.
+- Every API record returned to React Admin must include `id`.
+- For entities whose primary key is not `id`, the backend must map the real key to `id`.
+- Natural-key list/sort logic must never build ORM `orderBy` against a fake physical `id`.
+
+## Service invariants
+
+- Never pass raw update DTOs into Prisma update `data`.
+- Remove `id`, the real primary key, and readonly fields from update payloads before calling Prisma.
+- Keep PrismaService lightweight:
+  - extend `PrismaClient`
+  - implement `OnModuleInit`
+  - call `$connect()`
+  - do not use `beforeExit`
+
+## Reproducibility invariants
+
+- A freshly generated backend must be bootstrappable with ordinary Nest + Prisma commands from `prompts/runtime-rules.md`.
+- Missing TypeScript or Nest workspace config is a generation failure, not an acceptable simplification.
+- The baseline backend should fail only on missing runtime dependencies or env values, not because the Nest workspace itself is incomplete.
+
+## Recovery rule if backend workspace degraded
+
+- If required Nest scaffold files are missing or broken, restore the official workspace baseline before editing Prisma models, modules, controllers, services, or DTOs.
+- Treat workspace repair as higher priority than feature generation, because generated domain code on top of a broken workspace is invalid baseline output.
+
+## Backend auth defaults
+
+- `GET` -> `viewer | editor | admin`
+- `POST`, `PATCH`, `PUT` -> `editor | admin`
+- `DELETE` -> `admin`

prompts/frontend-rules.md

@@ -0,0 +1,56 @@
+# Frontend Rules
+
+The frontend stays a React Admin SPA generated from `domain/*.dsl` and anchored to the existing auth seams.
+
+## Frontend scaffold baseline
+
+- Start frontend initialization from the official Vite React TypeScript scaffold, not from manually assembled files.
+- Preserve a valid Vite workspace baseline, including:
+  - `client/index.html`
+  - `client/tsconfig.json`
+  - `client/vite.config.*`
+  - `client/src/main.tsx`
+- Add React Admin and auth seams on top of that baseline instead of replacing the workspace with a hand-written minimal shell.
+- Do not delete required Vite entry/config files just because the LLM can write a shorter custom setup.
+
+## Forbidden frontend generation patterns
+
+- Do not bootstrap `client/` by hand-writing a pseudo-Vite project from memory.
+- Do not remove `index.html`, `tsconfig*`, or `vite.config.*` after generation.
+- Do not replace standard Vite package scripts with ad hoc commands that break `vite build`, `vite dev`, or `vite preview`.
+- Do not continue React Admin resource generation on top of a degraded frontend workspace without repairing the workspace first.
+
+## Resource generation
+
+- Each entity becomes a React Admin resource with list/create/edit/show views.
+- Resource names must stay aligned with backend path segments.
+- Foreign keys must use `ReferenceInput` / `ReferenceField`.
+
+## Provider seams
+
+- `client/src/dataProvider.ts` is the single authenticated request seam.
+- `client/src/auth/authProvider.ts` is the single React Admin auth seam.
+- Auth logic must not leak into resource components.
+
+## Identity and permissions
+
+- `getIdentity()` must resolve from parsed token claims.
+- `getPermissions()` may expose realm roles for UI awareness.
+- Backend enforcement remains authoritative.
+
+## React Admin compatibility
+
+- Every resource record must include `id`.
+- Natural-key resources must preserve route, update, and sort compatibility with React Admin contracts.
+- Frontend requests must continue to work when the real primary key is not named `id`.
+
+## Reproducibility invariants
+
+- A freshly generated frontend must remain compatible with standard Vite commands such as `npm run dev` and `npm run build`.
+- Missing Vite workspace files or missing local Vite executable wiring is a generation failure, not an acceptable simplification.
+- The generated frontend should fail only on missing installation/env/runtime backend availability, not because the Vite app structure itself is incomplete.
+
+## Recovery rule if frontend workspace degraded
+
+- If required Vite scaffold files are missing or broken, restore the official workspace baseline before editing resources, auth seams, or UI code.
+- Treat workspace repair as higher priority than feature generation, because generated React Admin code on top of a broken Vite workspace is invalid baseline output.

prompts/general-prompt.md

@@ -0,0 +1,146 @@
+ROLE
+
+You are a Staff-level Fullstack Platform Engineer working inside the established LLM-first CRUD generation baseline.
+
+Use context7 when official framework guidance is needed.
+
+This repository is not a new generator engine. Do not redesign it into a planner/emitter/runtime platform.
+
+GOAL
+
+Strengthen and use the existing LLM-first CRUD generation pipeline.
+
+- Keep `domain/*.dsl` as the source of truth for the domain model.
+- Keep `server/` as the active backend target output path.
+- Keep `client/` as the active frontend target output path.
+- Keep Keycloak auth in the default generation path.
+- Keep PostgreSQL as the only Dockerized runtime dependency.
+- Generate and maintain:
+  - `domain-summary.json`
+  - a root-level `*-realm.json`
+  - backend/frontend auth seams
+  - runtime/env/bootstrap artifacts
+  - validation-gate-compatible output
+
+Use the already working runtime defaults for this project unless the prompt explicitly overrides them:
+
+- frontend Keycloak URL example: `https://sso.greact.ru`
+- frontend realm/client examples: `toir`, `toir-frontend`
+- backend issuer/audience examples: `https://sso.greact.ru/realms/toir`, `toir-backend`
+- production frontend origin example: `https://toir-frontend.greact.ru`
+
+Do not silently regress these examples to localhost Keycloak defaults.
+
+ACTIVE KNOWLEDGE BLOCKS
+
+Read in this order:
+
+1. `domain/dsl-spec.md`
+2. `domain/*.dsl`
+3. `domain-summary.json` if present
+4. `prompts/auth-rules.md`
+5. `prompts/backend-rules.md`
+6. `prompts/frontend-rules.md`
+7. `prompts/runtime-rules.md`
+8. `prompts/validation-rules.md`
+
+Interpretation rules:
+
+- `domain/*.dsl` is authoritative.
+- `domain-summary.json` is derived. Regenerate or validate it against the DSL; never treat it as the source of truth.
+INPUT CONTRACT
+
+Required:
+
+- `domain/*.dsl`
+
+Optional:
+
+- `overrides/api-overrides.dsl`
+- `overrides/ui-overrides.dsl`
+
+Rules:
+
+- Do not require DTO/API/UI DSL files.
+- Do not resurrect multi-DSL source-of-truth behavior.
+- Optional overrides may refine derived API/UI behavior but must not redefine the domain model.
+
+PIPELINE CONTRACT
+
+1. Parse `domain/*.dsl`.
+2. Generate or refresh `domain-summary.json`.
+3. Scaffold with official framework CLI conventions where scaffolding is needed.
+4. Generate or maintain backend/frontend code in `server/` and `client/`.
+5. Generate or maintain the root-level realm artifact.
+6. Generate or maintain env/bootstrap/runtime artifacts.
+7. Run the lightweight validation gate.
+
+REPAIR-BEFORE-GENERATE ORDER
+
+1. Inspect whether `server/` and `client/` are still valid framework workspaces.
+2. If either workspace is degraded, repair the official scaffold baseline first.
+3. Only after workspace repair, generate or update domain-derived feature code.
+4. Only after generation, run validation and buildability checks.
+
+CLI-FIRST SCAFFOLDING CONTRACT
+
+- Never hand-write a fresh framework workspace from scratch when an official CLI exists for that framework.
+- For `server/`, initialize the workspace from the official NestJS CLI baseline first, then generate/adapt modules/resources inside that workspace.
+- For `client/`, initialize the workspace from the official Vite React TypeScript baseline first, then add React Admin, auth seams, and generated resources.
+- Treat CLI scaffolding as the required baseline for compiler config, package scripts, workspace metadata, and default entry files.
+- Manual creation is allowed only for domain-derived feature code after the official workspace exists.
+- If a workspace already exists but is missing required CLI baseline files, repair it back to a valid official-style workspace before adding more generated code.
+
+ANTI-REGRESSION FAILURES
+
+Treat the following as baseline violations, not acceptable improvisations:
+
+- creating a NestJS workspace by manually writing `package.json`, `tsconfig*`, `nest-cli.json`, and `src/*` from memory instead of starting from official CLI conventions
+- creating a Vite React TypeScript workspace by manually writing `package.json`, `index.html`, `tsconfig*`, `vite.config.*`, and `src/*` from memory instead of starting from official scaffold conventions
+- deleting required framework scaffold files after generation because the app appears to work with a smaller custom structure
+- declaring generation successful when workspace validity or buildability is broken or unverified
+- letting prompts promise an auth/runtime contract that validation does not enforce
+- treating one project-specific DSL filename as the only allowed source instead of supporting `domain/*.dsl`
+
+OUTPUT CONTRACT
+
+The baseline output must include:
+
+- `server/prisma/schema.prisma`
+- `server/.env.example`
+- `client/.env.example`
+- `client/src/auth/keycloak.ts`
+- `client/src/auth/authProvider.ts`
+- `client/src/dataProvider.ts`
+- `server/src/auth/*`
+- `docker-compose.yml`
+- `domain-summary.json`
+- root-level `*-realm.json`
+
+The baseline output must also remain a real framework workspace, not a prompt-only file collection:
+
+- `server/tsconfig.json`
+- `server/tsconfig.build.json`
+- `server/nest-cli.json`
+- `client/index.html`
+- `client/tsconfig.json`
+- `client/vite.config.*`
+
+NON-GOALS
+
+- No new generator engine
+- No compiler/IR platform
+- No heavy codegen redesign
+- No replacement of the old LLM-first architecture
+
+COMPLETION INVARIANTS
+
+- Generation is incomplete if `server/` is not a valid NestJS workspace.
+- Generation is incomplete if `client/` is not a valid Vite React TypeScript workspace.
+- Generation is incomplete if auth rules, runtime rules, and validation rules describe different truth paths.
+- Generation is incomplete if buildability is broken.
+- If buildability cannot be checked because dependencies are missing, report that state explicitly; do not report a green result for buildability.
+
+VALIDATION
+
+Before considering the output complete, satisfy `prompts/validation-rules.md`.

prompts/runtime-rules.md

@@ -0,0 +1,96 @@
+# Runtime Rules
+
+This repository keeps the current LLM-first CRUD generation architecture as the primary working baseline and strengthens the existing pipeline instead of replacing it.
+
+## Baseline runtime topology
+
+- `server/` is the active backend target output path.
+- `client/` is the active frontend target output path.
+- Docker scope remains PostgreSQL only.
+- Keycloak remains external to the repository runtime.
+- The project remains LLM-first: markdown knowledge blocks in `prompts/` orchestrate generation, while active generated/maintained code lives in `server/` and `client/`.
+
+## Required input and derived artifacts
+
+- Source of truth:
+  - `domain/*.dsl`
+- Required derived artifacts:
+  - `domain-summary.json`
+  - root-level `*-realm.json`
+
+`domain-summary.json` exists to stabilize generation and validation; it must be regenerated from the DSL and treated as non-authoritative.
+
+## Output contract
+
+The strengthened baseline must produce and keep aligned:
+
+- `server/prisma/schema.prisma`
+- backend/frontend env examples
+- backend/frontend auth seams
+- root `.gitignore`, `server/.gitignore`, `client/.gitignore`
+- `docker-compose.yml`
+- `domain-summary.json`
+- root-level realm import artifact
+
+## Concrete runtime examples
+
+Use these as the baseline examples for this project unless the prompt explicitly overrides them:
+
+- Backend:
+  - `PORT=3000`
+  - `DATABASE_URL="postgresql://postgres:postgres@localhost:5432/toir"`
+  - `CORS_ALLOWED_ORIGINS="http://localhost:5173,https://toir-frontend.greact.ru"`
+  - `KEYCLOAK_ISSUER_URL="https://sso.greact.ru/realms/toir"`
+  - `KEYCLOAK_AUDIENCE="toir-backend"`
+- Frontend:
+  - `VITE_API_URL=http://localhost:3000`
+  - `VITE_KEYCLOAK_URL=https://sso.greact.ru`
+  - `VITE_KEYCLOAK_REALM=toir`
+  - `VITE_KEYCLOAK_CLIENT_ID=toir-frontend`
+
+These example values come from the already working runtime shape and are preferred over local-only Keycloak placeholders.
+
+## Runtime bootstrap
+
+1. Import the root-level realm artifact into Keycloak.
+2. Start PostgreSQL with `docker compose up -d`.
+3. From `server/` run:
+   - initialize or repair the workspace with official Nest CLI scaffolding if required before generating domain code
+   - `npm install`
+   - `npx prisma generate`
+   - `npx prisma migrate dev`
+   - `npx prisma db seed`
+   - `npm run build`
+   - `npm run start`
+4. From `client/` run:
+   - initialize or repair the workspace with official Vite React TypeScript scaffolding if required before generating app code
+   - `npm install`
+   - `npm run build`
+   - `npm run dev`
+
+## Recovery and completion rules
+
+- Repair degraded framework workspaces before applying any new domain-derived generation changes.
+- Do not mark generation complete while `server/` or `client/` remains non-buildable.
+- If dependency installation has not happened yet, buildability may be reported as skipped, but it must never be reported as green without verification.
+- Runtime/bootstrap instructions are reusable project baseline rules; TOiR names remain examples, not the only supported domain project.
+
+## Scaffold expectations
+
+- NestJS workspace creation should follow the official Nest CLI path for new applications and resource scaffolding.
+- Vite frontend creation should follow the official Vite `create-vite` path for React TypeScript applications.
+- The LLM may customize generated code after scaffold creation, but must not replace official workspace initialization with ad hoc file creation.
+
+## Common generation failures to avoid
+
+- starting feature generation before scaffold repair
+- leaving deleted framework config files unrepaired because the current diff looks smaller
+- accepting a form-only validation pass while buildability is unknown
+- binding runtime rules to one project-specific DSL filename instead of `domain/*.dsl`
+
+## Baseline intent
+
+- No new generator engine
+- No compiler platform
+- No planner/emitter/runtime redesign
+- Only the current LLM-first pipeline, strengthened by summary, realm, and validation artifacts

prompts/validation-rules.md

@@ -0,0 +1,85 @@
+# Validation Rules
+
+Validation is now a lightweight automated gate instead of a prose-only checklist.
+
+## Commands
+
+- `npm run generate:domain-summary`
+- `npm run validate:generation`
+- `npm run validate:generation:runtime`
+
+## Prompt-Gate Alignment Rule
+
+- Every invariant described as required in the active prompt corpus must either be enforced by this gate or be called out explicitly as a manual/runtime-only check.
+- Validation must not stay silent about a violation that the prompts describe as forbidden.
+- Validation must not report green buildability when build verification was skipped.
+
+## Gate groups
+
+### Build checks
+
+- at least one `domain/*.dsl` file exists
+- required artifacts exist
+- Prisma schema exists
+- frontend/backend env contracts exist
+- frontend/backend framework workspace files exist
+- `domain-summary.json` matches the current DSL
+- project `.env.example` files keep the working domain-based Keycloak examples unless explicitly overridden
+- `server/` remains a valid Nest workspace
+- `client/` remains a valid Vite workspace
+- generation must not pass validation if framework scaffolding files were deleted and replaced by a hand-written minimal skeleton
+- if dependencies are installed, build verification runs for `server/` and `client/`
+- if dependencies are missing, build verification is reported as skipped with reason instead of green
+
+### Auth checks
+
+- frontend auth seam files exist
+- backend auth seam files exist
+- `401` and `403` semantics stay split
+- auth code keeps the required Keycloak/JWT contracts
+- JWKS resolution chain matches the contract:
+  1. explicit `KEYCLOAK_JWKS_URL`
+  2. OIDC discovery
+  3. certs fallback
+
+### Natural-key checks
+
+- response records expose `id`
+- route/update contracts use the real primary key
+- natural-key sort/update paths do not regress to a fake physical `id`
+
+### Realm checks
+
+- a root `*-realm.json` artifact exists
+- realm roles exist
+- audience delivery exists
+- required claims are explicit
+- SPA/backend client structure is explicit
+
+### Runtime checks
+
+- compose topology stays PostgreSQL-only
+- Prisma lifecycle scripts remain in place
+- `/health` stays public
+- backend can execute `npm run build` inside `server/`
+- frontend can execute `npm run build` inside `client/` after dependencies are installed
+- client/server `.env.example` stay aligned with the working runtime defaults:
+  - `https://sso.greact.ru`
+  - `toir`
+  - `toir-frontend`
+  - `toir-backend`
+  - `https://toir-frontend.greact.ru`
+- optional runtime execution mode runs:
+  - `npx prisma generate`
+  - `npx prisma migrate dev`
+  - `npx prisma db seed`
+
+### Scaffold checks
+
+- backend initialization starts from official Nest CLI scaffolding
+- frontend initialization starts from official Vite React TypeScript scaffolding
+- feature generation happens after scaffold creation, not instead of scaffold creation
+- repair happens before generation when workspace is degraded
+- required framework configs and entry files must survive subsequent LLM edits
+
+The automated gate is intentionally small. It enforces the critical reproducibility contract without turning the repository into a test platform or a generator engine.