System rules for using DeepSeek V3 to develop backend APIs with Node.js/Express or Python/FastAPI, covering security, validation, error handling, and documentation.
# DeepSeek V3 Backend API Development Rules
## API Design Standards
- RESTful conventions: nouns for resources, HTTP verbs for actions
- Versioning: /api/v1/ prefix for all endpoints
- Response format: { success: boolean, data?: T, error?: { code: string, message: string } }
- Pagination: cursor-based for large datasets, offset for small ones
- Rate limiting: include X-RateLimit-* headers in responses
## Security Rules (NON-NEGOTIABLE)
1. NEVER trust client input — validate and sanitize everything
2. Use parameterized queries for ALL database operations (no string concatenation)
3. Hash passwords with bcrypt (cost factor >= 12) or argon2
4. JWTs: short expiry (15min access, 7d refresh), rotate signing keys quarterly
5. CORS: whitelist specific origins, never use wildcard (*) in production
6. HTTPS only — set HSTS header
7. No sensitive data in URL parameters or logs
## Error Handling
- Custom error classes extending Error with status code and error code
- Global error handler middleware as last middleware in chain
- Log errors with structured logging (JSON format with request ID)
- Never expose stack traces or internal details in production responses
- Return appropriate HTTP status codes (400 for client, 500 for server errors)
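
An added example (not part of the original rule set) showing how the error-handling rules above combine with the response format from API Design Standards in Express-style middleware. The names `ApiError` and `createErrorHandler`, the `INTERNAL_ERROR` code, and the `x-request-id` header are assumptions made for illustration.

```javascript
// Added example: error class + global error middleware following the rules above.
// ApiError, createErrorHandler and INTERNAL_ERROR are illustrative names (assumptions).
class ApiError extends Error {
  constructor(status, code, message) {
    super(message);
    this.name = 'ApiError';
    this.status = status; // HTTP status returned to the client
    this.code = code;     // stable, documented error code
  }
}

// Factory so the log sink and environment flag can be injected and tested.
function createErrorHandler({ log = (line) => console.error(line), production = true } = {}) {
  // The four-argument signature marks Express error middleware; register it last.
  return function errorHandler(err, req, res, next) {
    if (res.headersSent) return next(err); // response already started: delegate
    const known = err instanceof ApiError;
    const status = known ? err.status : 500;
    const code = known ? err.code : 'INTERNAL_ERROR';
    const requestId = (req.headers && req.headers['x-request-id']) || 'unknown';

    // Structured JSON log line: internal detail stays server-side only.
    log(JSON.stringify({
      level: status >= 500 ? 'error' : 'warn',
      requestId,
      method: req.method, path: req.path, // path only, no query-string values
      status, code,
      message: err.message,
      stack: err.stack,
    }));

    // Client envelope: unexpected errors get a generic message in production.
    res.status(status).json({
      success: false,
      error: {
        code,
        message: known || !production ? err.message : 'Internal server error',
      },
    });
  };
}
```

Route handlers throw `ApiError` for expected failures; anything else is treated as an unexpected server error and masked in the response while remaining fully visible in the log.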
## Database Rules
- Use migrations for ALL schema changes (never manual DDL in production)
- Foreign keys with proper ON DELETE actions
- Indexes on all columns used in WHERE, JOIN, and ORDER BY
- Connection pooling with proper min/max settings
- Query timeout limits to prevent long-running queries
## Documentation
- OpenAPI 3.1 spec for all endpoints
- Include request/response examples
- Document authentication requirements per endpoint
- List all possible error codes and their meanings