Expert User Rules
Copy these into your .cursorrules file or Cursor settings to give AI a senior developer identity.
These rules create guardrails that prevent common AI mistakes and establish coding standards from the start.
The Complete Rules File
```text
# ===========================================
# EXPERT USER RULES - Full Configuration
# ===========================================
# SECURITY PRINCIPLES
- Never Trust User Input - Validate and sanitize everything
- Defense in Depth - Multiple layers of security
- Least Privilege - Minimum necessary permissions
- Fail Securely - Default to deny, explicit allow
- Security by Design - Build security in from the start
- Keep Secrets Secret - Never expose credentials
- Minimize Attack Surface - Remove unnecessary code/features
- Stay Updated - Patch vulnerabilities promptly
# DEVELOPMENT PRACTICES
- Write Tests First (Test-Driven Development)
- Single Responsibility Principle - Each function does ONE thing
- Adopt Coding Standards and Safe Functions
- Minimize Dependencies - Limit external libraries to essential, vetted components
- Never commit broken code - build and test before committing
- Test Everything - Including security test cases
- Monitor & Log - Know what's happening in your system
# GIT HYGIENE
- Use proper git feature branching
- Never git push an API key or secret
- Simple short git commit messages, no emojis or special characters
- Make comprehensive .gitignore from day 1
- Build/compile before committing - fix errors first
# COST CONTROL (Paid Services)
- SHOW THE MATH - Calculate and comment max monthly cost
- LIMIT EVERYTHING - No operation without explicit maximum
- PREVENT LOOPS - Code must not trigger itself without guards
# FILE ORGANIZATION
- Put documentation in docs/ folder
- Put scripts in scripts/ folder
- Put tests in tests/ folder
- Never create files at project root unless necessary
- Move completed scripts to scripts folder
# AI-SPECIFIC BEHAVIORS
- Read and understand user rules first
- Research documentation and best practices online
- Add logs and look up documentation to debug
- Achieve each task in minimum tokens
- Build in a secure, production-ready way
- Ask clarifying questions to avoid hallucination
# DATA PROTECTION
- Protect Data at Rest and in Transit
- Encrypt sensitive data
- Implement least privilege access
- Purge temporary files
- Avoid sending sensitive info via GET parameters
# ERROR HANDLING
- Handle Errors and Logging Securely
- Use generic error messages (avoid leaking sensitive info)
- Log security events centrally with integrity checks
- Exclude sensitive data from logs
# AUTHENTICATION & ACCESS
- Apply Access Controls with Least Privilege
- Enforce authorization on every request
- Default to deny
- Manage Sessions Securely
- Use secure cookies (HttpOnly, Secure flags)
- Enforce Strong Authentication
```
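To show what several of these rules look like when an AI assistant actually follows them in code, here is an added example (not part of the original rules file) of a request handler that applies "Never Trust User Input", "Default to deny", "Use generic error messages" and "Exclude sensitive data from logs" together. The permission table, field names and the `handle_request` function are all constructed for illustration.

```python
import logging
import re
import uuid

log = logging.getLogger("app.security")

# Constructed sample access-control table (hypothetical users and rights).
PERMISSIONS = {
    "alice": {"read"},
    "bob": {"read", "write"},
}

# Allowlists: input is accepted only if it matches an explicit pattern or set.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
ALLOWED_ACTIONS = {"read", "write", "delete"}

# Field names whose values must never reach a log line.
SECRET_KEYS = {"password", "token", "api_key", "authorization"}


class AccessDenied(Exception):
    """Internal reason for a denial; never shown to the caller."""


def redact(payload: dict) -> dict:
    """Return a copy of the payload with secret-looking fields masked."""
    return {
        key: ("[REDACTED]" if key.lower() in SECRET_KEYS else value)
        for key, value in payload.items()
    }


def authorize(user, action) -> bool:
    """Default to deny: anything unknown or malformed is refused."""
    if not USERNAME_RE.fullmatch(user or ""):
        raise AccessDenied("invalid username")
    if action not in ALLOWED_ACTIONS:
        raise AccessDenied("unknown action")
    if action not in PERMISSIONS.get(user, set()):
        raise AccessDenied("not permitted")
    return True


def handle_request(payload: dict) -> dict:
    """Authorize every request; callers get a generic message plus a reference id.

    The detailed reason and the redacted payload go to the internal log only,
    so an attacker cannot probe which check failed.
    """
    ref = uuid.uuid4().hex[:8]
    try:
        authorize(payload.get("user"), payload.get("action"))
        return {"status": "ok", "ref": ref}
    except AccessDenied as exc:
        log.warning("request %s denied: %s payload=%s", ref, exc, redact(payload))
        return {"status": "error", "message": "Request could not be completed", "ref": ref}


if __name__ == "__main__":
    print(handle_request({"user": "bob", "action": "write"}))
    print(handle_request({"user": "alice", "action": "write", "password": "hunter2"}))
```

The reference id is the link between the generic client-facing message and the detailed server-side log entry, which is how you keep error messages generic without losing the ability to debug a specific failure.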
Why Each Rule Matters
Security Principles
| Rule | Why It Matters |
|---|---|
| Never Trust User Input | Users (and attackers) send malicious data |
| Defense in Depth | If one layer fails, others still protect |
| Least Privilege | Limits damage from compromised components |
| Fail Securely | Errors shouldn't open security holes |
| Security by Design | Retrofitting security is 10× harder |
Development Practices
| Rule | Why It Matters |
|---|---|
| Write Tests First | Tests define correct behavior before coding |
| Single Responsibility | Small functions are testable and maintainable |
| Minimize Dependencies | Each dependency is a security/maintenance risk |
| Build Before Commit | Never push broken code |
Cost Control
| Rule | Why It Matters |
|---|---|
| Show the Math | Know costs BEFORE they hit your bill |
| Limit Everything | Runaway loops can cost thousands |
| Prevent Loops | AI loves generating recursive code |
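The three cost-control rules are easier to apply once you have seen them in one place, so here is an added example (constructed for this page, not taken from it) of a metered wrapper around a paid operation: the worst-case monthly cost is calculated and commented up front ("Show the Math"), every call counts against an explicit call and dollar cap ("Limit Everything"), and the retry loop has a fixed bound and never re-queues failed items ("Prevent Loops"). The price and limits are made-up figures.

```python
import logging

log = logging.getLogger("app.cost")

# SHOW THE MATH (constructed figures, not a real price list):
#   price per call        $0.002
#   hard cap per run      1,000 calls
#   max runs per day      30
#   worst case per month  0.002 * 1000 * 30 * 31 = $1,860
PRICE_PER_CALL_USD = 0.002
MAX_CALLS_PER_RUN = 1000
MAX_RUNS_PER_DAY = 30
MAX_MONTHLY_COST_USD = PRICE_PER_CALL_USD * MAX_CALLS_PER_RUN * MAX_RUNS_PER_DAY * 31


class BudgetExceeded(RuntimeError):
    """Raised before a paid call would push spending past the configured cap."""


class MeteredClient:
    """Wraps a paid operation so no call can happen without an explicit maximum."""

    def __init__(self, paid_call, max_calls=MAX_CALLS_PER_RUN, max_cost_usd=None):
        self._paid_call = paid_call          # hypothetical paid function, injected
        self.max_calls = max_calls
        self.max_cost_usd = (
            max_cost_usd if max_cost_usd is not None else max_calls * PRICE_PER_CALL_USD
        )
        self.calls = 0
        self.spent_usd = 0.0

    def call(self, *args, **kwargs):
        # Check the budget BEFORE spending, so an overrun is refused, not reported.
        if self.calls >= self.max_calls:
            raise BudgetExceeded(f"call cap reached: {self.max_calls}")
        if self.spent_usd + PRICE_PER_CALL_USD > self.max_cost_usd + 1e-9:
            raise BudgetExceeded(f"cost cap reached: ${self.max_cost_usd:.4f}")
        self.calls += 1
        self.spent_usd += PRICE_PER_CALL_USD
        return self._paid_call(*args, **kwargs)


def process_queue(client: MeteredClient, items, max_retries=3) -> dict:
    """Process items with a bounded retry loop.

    Total paid calls are at most len(items) * max_retries, and a failed item is
    recorded as None rather than appended back onto the queue, so the loop can
    never trigger itself.
    """
    results = {}
    for item in items:
        for attempt in range(1, max_retries + 1):
            try:
                results[item] = client.call(item)
                break
            except BudgetExceeded:
                raise                          # budget problems stop the run
            except Exception as exc:           # transient failure: bounded retry
                log.warning("item %r attempt %d failed: %s", item, attempt, exc)
        else:
            results[item] = None               # give up after max_retries
    return results


if __name__ == "__main__":
    def demo_paid_call(item):                  # constructed stand-in for a paid API
        if item == "bad":
            raise ValueError("transient error")
        return item.upper()

    client = MeteredClient(demo_paid_call, max_calls=5)
    print(process_queue(client, ["a", "bad", "b"]), client.calls, client.spent_usd)
```

Injecting the paid function into `MeteredClient` is what makes the cap testable offline: the same wrapper runs against a stand-in in tests and against the real client in production, and the cap is enforced identically in both.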
Using These Rules
In Cursor
- Create `.cursorrules` in your project root
- Paste the rules
- Cursor automatically reads this file
In Claude
- Start your conversation with: "Follow these rules..."
- Paste the relevant rules
- Reference them throughout your session
In GitHub Copilot
- Add rules as comments at the top of files
- Create a `CONTRIBUTING.md` with coding standards
- Copilot learns from your codebase patterns
"Rules don't limit creativity—they channel it toward quality."