1  ---
 2  description: SME Ops-Center rules (decoupling, Docker-first, no deprecated models, incremental build).
 3  globs:
 4    - "**/*"
 5  ---
 6  - Source of truth: follow docs/PRD.md. If a change is needed, update docs/PRD.md first, then implement.
 7  - Do not invent requirements outside docs/PRD.md. If something is missing, raise it as a question in a comment.
 8  
 9  - Docker-first: everything must run via docker compose. No host-only dependencies.
10  - Strict decoupling: the frontend must ONLY call api-gateway over HTTP. Frontend must not call GCP, Xero/MCP, Redis, or Postgres directly.
11  - API-first: all business logic lives behind api-gateway REST endpoints (stable contracts). Streamlit is a demo shell only.
12  - Incremental delivery only: Milestone 0 scaffold → Module A → Module B → Module C → hardening. Do not implement everything at once.
13  - No deprecated AI models: do NOT use Gemini 1.5. Use Gemini 2.x/2.5 via Vertex with primary+fallback model IDs in env.
14  - Xero safety: OAuth callback must be owned by mcp-bridge/api-gateway (NOT Streamlit). Enforce read-only tool allow-list for Xero at api-gateway.
15  - Secrets: never commit secrets. Use .env.example only; .env must be gitignored.
16  - Persistence: Postgres + uploads + sessions must use named volumes (data survives rebuilds).
17  - Containers must run as non-root and use slim base images.
18  - Application containers (Python/Node): Use UID 1000. Node images already have `node` user; use it directly. Python images: create user if UID 1000 doesn't exist.
19  - Postgres/Redis: Do NOT override user; official images run as non-root by default and handle initialization correctly.
20  - Node services with bind mounts: Use anonymous volume for `node_modules` (e.g., `/app/node_modules`) to preserve dependencies.
21  - Python version: Use 3.12-slim for all Python services (aligned with PRD).
22  - Node version: Pin in package.json engines field (>=20.0.0 <21.0.0).