fs-lawrisk/docs/AGENTS.md

# Repository Guidelines

## Project Structure & Module Organization
- Root scripts: smart_cors_middleware.py (Flask CORS add-on), export_risk_json.py (PostgreSQL export).
- Data/outputs: risk_tables_export.json (generated by export script).
- Docs: PRD.md.
- Python 3.10+ is required (uses PEP 604 unions like str | None).

## Build, Test, and Development Commands
- Create venv (Windows):
  ~~~powershell
  python -m venv .venv; .venv\Scripts\activate; pip install Flask pg8000 black ruff pytest
  ~~~
- Run DB export (writes risk_tables_export.json):
  ~~~bash
  python export_risk_json.py
  ~~~
- Verify CORS middleware in your Flask app (diagnosis endpoint):
  ~~~bash
  curl -i http://localhost:5000/api/cors-diagnosis
  ~~~
- Lint/format (optional tools): ruff .  and  black .
- Tests (when added): pytest -q

## Coding Style & Naming Conventions
- Python: 4-space indents, UTF-8 files, snake_case for functions/vars, SCREAMING_SNAKE_CASE for constants.
- Prefer type hints; keep functions small and side-effect free.
- Formatting: black (line length 100). Linting: ruff (default rules).
- Filenames: modules like smart_cors_middleware.py; tests as test_*.py under tests/.

## Testing Guidelines
- Framework: pytest with Flask test client for middleware behavior.
- Target cases: origin matching (wildcard, exact, subdomains), preflight handling, X-CORS-Decision header, NGINX_CORS_MODE behavior.
- Coverage: prioritize core branches in _origin_matches, preflight (OPTIONS), and after_request logic.

## Commit & Pull Request Guidelines
- No Git history found here; use Conventional Commits (e.g., feat: add CORS diagnosis endpoint).
- PRs should include: purpose, concise summary, screenshots or curl examples for HTTP changes, and any config/env notes.
- Link related issues; keep PRs focused and under ~300 changed lines when possible.

## Security & Configuration Tips
- Do NOT hardcode secrets. Move DB credentials in export_risk_json.py to env vars and load via os.getenv() or a .env file.
- CORS env vars supported by middleware: ALLOWED_ORIGINS, CORS_STRICT, CORS_DEBUG, NGINX_CORS_MODE, CORS_MAX_AGE, CORS_EXPOSE_HEADERS.
- Validate inputs from the DB export; avoid writing outside the repo.
chore: initial commit 2025-10-22 19:59:48 +08:00			`# Repository Guidelines`

			`## Project Structure & Module Organization`
			`- Root scripts: smart_cors_middleware.py (Flask CORS add-on), export_risk_json.py (PostgreSQL export).`
			`- Data/outputs: risk_tables_export.json (generated by export script).`
			`- Docs: PRD.md.`
			`- Python 3.10+ is required (uses PEP 604 unions like str \| None).`

			`## Build, Test, and Development Commands`
			`- Create venv (Windows):`
			`~~~powershell`
			`python -m venv .venv; .venv\Scripts\activate; pip install Flask pg8000 black ruff pytest`
			`~~~`
			`- Run DB export (writes risk_tables_export.json):`
			`~~~bash`
			`python export_risk_json.py`
			`~~~`
			`- Verify CORS middleware in your Flask app (diagnosis endpoint):`
			`~~~bash`
			`curl -i http://localhost:5000/api/cors-diagnosis`
			`~~~`
			`- Lint/format (optional tools): ruff . and black .`
			`- Tests (when added): pytest -q`

			`## Coding Style & Naming Conventions`
			`- Python: 4-space indents, UTF-8 files, snake_case for functions/vars, SCREAMING_SNAKE_CASE for constants.`
			`- Prefer type hints; keep functions small and side-effect free.`
			`- Formatting: black (line length 100). Linting: ruff (default rules).`
			`- Filenames: modules like smart_cors_middleware.py; tests as test_*.py under tests/.`

			`## Testing Guidelines`
			`- Framework: pytest with Flask test client for middleware behavior.`
			`- Target cases: origin matching (wildcard, exact, subdomains), preflight handling, X-CORS-Decision header, NGINX_CORS_MODE behavior.`
			`- Coverage: prioritize core branches in _origin_matches, preflight (OPTIONS), and after_request logic.`

			`## Commit & Pull Request Guidelines`
			`- No Git history found here; use Conventional Commits (e.g., feat: add CORS diagnosis endpoint).`
			`- PRs should include: purpose, concise summary, screenshots or curl examples for HTTP changes, and any config/env notes.`
			`- Link related issues; keep PRs focused and under ~300 changed lines when possible.`

			`## Security & Configuration Tips`
			`- Do NOT hardcode secrets. Move DB credentials in export_risk_json.py to env vars and load via os.getenv() or a .env file.`
			`- CORS env vars supported by middleware: ALLOWED_ORIGINS, CORS_STRICT, CORS_DEBUG, NGINX_CORS_MODE, CORS_MAX_AGE, CORS_EXPOSE_HEADERS.`
			`- Validate inputs from the DB export; avoid writing outside the repo.`