Files
breadcrumb-the-shire/.agents/skills/core-guardrails/references/boundaries-core.md
fs 545bcc789b docs: replace ASCII umlaut fallbacks with proper äöüß across all .md
Most German docs were written with `ue`/`ae`/`oe`/`ss` ASCII fallbacks
(`fuer`, `aenderung`, `koennen`, `gemaess`) — relic from older toolchain
constraints. Replaced 237 occurrences across 38 .md files with proper
umlauts and ß so the docs read naturally.

Substitutions are constrained to plain prose: fenced code blocks
(```...```), inline code spans (`...`), markdown link targets `[..](..)`,
and HTML comments are preserved verbatim. Path references like
`docs/howto-erste-aenderung.md` keep their original (umlaut-replaced)
filenames — only the surrounding prose is normalised.

Tool: bin/fix-md-umlauts.py (idempotent — no-op on already-clean files).
Re-runnable if ASCII fallbacks creep back in via copy-paste.

Doc-link-check + doc-drift-check stay green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 09:57:22 +02:00

2.0 KiB

Core Boundaries (MUST / MUST NOT)

Schichtgrenzen

  1. MUST SQL nur in core/Repository/** halten.
  2. MUST Business-Logik in core/Service/** halten.
  3. MUST pages/** auf Input, Auth/AuthZ, Orchestrierung, Response begrenzen.
  4. MUST NOT Business- oder Permission-Logik in templates/** legen.

Instanziierung

  1. MUST in Actions/Helpern/Templates nur app(Foo::class) verwenden.
  2. MUST NOT in pages/** direkt new ...Service|Gateway|Repository nutzen.
  3. MUST NOT in core/Service/** (ausser *Factory.php) direkt new ...Factory|Service|Gateway|Repository nutzen.
  4. MUST NOT in pages/admin/** Factory::class referenzieren oder app(...Factory::class)->create... nutzen.

Input / Validation

  1. MUST Input in pages/** über requestInput() lesen.
  2. MUST NOT $_POST, $_GET, $_FILES, REQUEST_METHOD in pages/** verwenden.
  3. MUST NOT $_SESSION, $_SERVER, $_COOKIE, $_ENV in pages/** direkt verwenden.
  4. MUST Form-Validation über FormErrors führen.
  5. MUST API-Validation-Fehler über ApiResponse::validationFromFormErrors(...) ausgeben.
  6. MUST NOT ApiResponse::readJsonBody(...) in pages/api/v1/** verwenden.

List-Data Endpoints

  1. MUST pages/**/data().php als GET-only Endpunkte umsetzen (gridRequireGetRequest()).
  2. MUST Query-Filter über gridParseFilters(...) + filter-schema.php normalisieren.
  3. MUST NOT Query-Filter inline/parallele Alias-Parser in data().php neu einführen.

Security / API

  1. MUST AuthZ serverseitig erzwingen.
  2. MUST Tenant-Scope serverseitig erzwingen.
  3. MUST CSRF auf POST-Endpunkten vor Body-Verarbeitung verifizieren.
  4. MUST NOT PII/Secrets unredacted in Logs oder Audit-Metadata schreiben.
  5. MUST SQL nur über Repository mit prepared statements ausführen.
  6. MUST extern UUID-first bleiben.
  7. MUST API-Fehler konsistent halten (error, optional errors).
  8. MUST OpenAPI im selben Merge aktualisieren, wenn API geändert wird.

Prüf-Hinweis

  • Harte Repo-Gates: tests/Architecture/CoreStarterkitContractTest.php