WellnessBox Guardrails (Codex)
Source of truth modules (do not bypass)
- •Order integrity:
lib/order/mutations.ts(transaction + stock decrement + duplicatepaymentIdhandling) - •Auth/ownership:
lib/server/route-auth.ts(userequireAdminSession,requireAnySession,requirePharmSession,requireRiderSession,requireCustomerOrderAccess) - •Prisma singleton:
lib/db.ts(do NOT instantiate newPrismaClientin feature modules) - •Admin token rules:
lib/admin-token.ts+middleware.ts+/api/verify-password
Non-Negotiable Guardrails
- •Do not expose operational routes without auth.
- •Admin-only routes:
app/api/admin/model,app/api/agent-playground/run,app/api/rag/* - •Use
requireAdminSessionfromlib/server/route-auth.ts
- •Admin-only routes:
- •Do not modify push routes without ownership checks.
- •Customer routes must use
requireCustomerOrderAccess - •Pharmacy/rider routes must use
requirePharmSession/requireRiderSession
- •Customer routes must use
- •Never store admin plaintext password in cookies.
- •Keep the flow aligned across:
- •
app/api/verify-password/route.ts - •
lib/admin-token.ts - •
middleware.ts
- •
- •Keep the flow aligned across:
- •Keep stock decrement inside order transaction only.
- •
lib/order/mutations.tsmust remain the source of truth for create-order stock mutation - •Do not re-introduce client-side stock decrement after order creation
- •
- •Keep Prisma singleton pattern in
lib/db.ts
R&D Docs (TIPS Extension) — Read Rules
- •Doc layers:
- •
docs/rnd/*= REQUIREMENTS / objective spec (must satisfy; includes KPI/eval) - •
docs/rnd_impl/*= IMPLEMENTATION NOTES / optional (use only if needed)
- •
- •Priority / conflict resolution:
- •This skill's guardrails
- •
docs/rnd/* - •
docs/rnd_impl/*
- •Context-minimizing (token budget):
- •Always read:
AGENTS.md,docs/rnd/01_kpi_and_evaluation.md - •Read exactly ONE module spec:
docs/rnd/02~07_*.md - •Optional: matching
docs/rnd_impl/02~07_*_impl_notes.md
- •Always read:
Recommended Work Order (changes)
- •Scope impact first with
rg - •Check auth/access paths first (
route-auth,middleware, session usage) - •Apply change with explicit input validation + type safety
- •Run:
npm run lint->npm run build(fix everything) - •For order/push/auth changes: manual flow check (login, checkout complete, push subscribe/status)