cerber-core 1.1.5 → 1.1.7

package/CHANGELOG.md

@@ -5,6 +5,117 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.7] - 2026-01-04
+
+### Added
+
+#### 🩺 `npx cerber doctor` - Setup Validation Command
+- New diagnostic command validates Cerber installation
+- Checks: `CERBER.md`, schema file (strict mode), hooks, workflow
+- Returns stable exit codes: 0=OK, 2=missing contract, 3=missing schema, 4=missing hooks/workflow
+- Shows override state: DISABLED/ACTIVE/EXPIRED/INVALID
+- Prints actionable "Next Steps" for each failure scenario
+- MVP implementation (ASCII-only output for stability)
+
+#### 🛡️ `CERBER_GUARDRAILS` - Protected Assets Declaration
+- Added to `CERBER.md` template
+- Documents protected files: contract, schema, workflow, guardian, hooks, CODEOWNERS
+- Change policy: never delete/disable, never rename job IDs
+- Allowed changes: schema rules (must match contract), CI config with PR justification
+- Emergency override placeholder for TTL mechanism
+
+#### 🔐 Self-Protection Mechanisms
+
+**cerber-integrity Workflow Job:**
+- New first job (runs before `cerber-ci`)
+- Validates protected files exist
+- In strict mode: checks schema file presence
+- Verifies `cerber-ci` job ID intact (prevents sabotage)
+- **Cannot be skipped or disabled** (fail-safe)
+
+**CODEOWNERS Protection (Team Mode):**
+- Now includes all Cerber files: contract, schema, workflow, guardian, hooks
+- Self-protection: `/.github/CODEOWNERS` requires owner approval
+- Prevents unauthorized changes to enforcement infrastructure
+
+#### 🚨 Emergency Override (TTL-based, Controlled)
+
+**`CERBER_OVERRIDE` Contract Section:**
+- Time-to-live based safety fuse (NOT a power switch)
+- Required fields when enabled: `reason`, `expires` (ISO 8601), `approvedBy`
+- If expired → treated as disabled
+- If invalid (missing fields) → treated as disabled
+
+**What Override DOES:**
+- ✅ Pre-commit: Allows commit WITH WARNING (prints full metadata)
+- ✅ Post-deploy: May skip health gate (if flaky/blocking hotfix)
+
+**What Override NEVER DOES (Hard Limits):**
+- ❌ NEVER disables `cerber-integrity` job
+- ❌ NEVER disables entire CI pipeline
+- ❌ NEVER disables `cerber-ci` validation
+- ❌ NEVER bypasses CODEOWNERS (team mode)
+
+**Implementation:**
+- Guardian checks override at startup
+- Doctor shows override state
+- Override metadata printed for audit trail
+- Applied to all modes: solo, dev, team
+
+#### 🔒 Guided Schema Templates (Security Baseline)
+- Added commented security patterns to `BACKEND_SCHEMA.mjs` template
+- Categories: hardcoded secrets, dev artifacts, critical TODOs
+- Examples: `password=`, `API_KEY=`, `JWT_SECRET=`, `console.log`, `debugger`
+- Clear instruction: "Uncomment patterns that match rules in your CERBER.md"
+- Enforces "never invent rules" principle (translation only)
+
+#### 📦 Supply-Chain Security Policy
+- Updated `SECURITY.md` with comprehensive supply-chain guidance
+- npm 2FA required for all maintainers
+- CI-only publishing strongly recommended
+- No risky lifecycle scripts (`postinstall`, `preinstall`)
+- Dependencies updated only via reviewed PRs
+- Installation safety guarantees documented
+- Package verification steps provided
+- Compromise response procedures added
+
+#### 🛡️ Generator Path Safety
+- Resolves repository root via `git rev-parse --show-toplevel`
+- Writes ONLY inside repository root (fail-closed if root unknown)
+- Blocks `..` path traversal attempts
+- Whitelists allowed outputs (contract, schema, workflow, guardian, hooks, CODEOWNERS)
+- Validates every file path before write operation
+- Path traversal protection prevents security issues with malicious contracts
+
+### Changed
+
+#### 📝 Hardened "For AI Agents" Section (README)
+
+**New MUST Rules:**
+1. **Schema Generation = Translation Only**
+   - Agent can ONLY translate explicit rules from `CERBER.md`
+   - If rule not in `CERBER.md` → ask user / fail / leave empty
+   - Never invent, guess, or auto-generate architecture rules
+
+2. **NO-HEREDOC for TS/JS Files**
+   - Never create TypeScript/JavaScript files using bash `cat <<EOF`
+   - Reason: Causes `${}` template literal corruption and UTF-8 encoding issues
+   - Use editor tools, `fs.writeFile`, or proper file generation utilities
+
+### Fixed
+- Added final newline to `CODEOWNERS.tpl` (prevented last line truncation)
+
+### Security
+- **Supply-chain hardening**: No postinstall scripts, 2FA required, CI-only publish
+- **Path safety**: Generator validates all file writes (repo-root + whitelist)
+- **Self-protection**: cerber-integrity job prevents sabotage/deletion
+- **Emergency override**: Controlled bypass with TTL and audit trail (never disables integrity)
+
+### Breaking Changes
+None. All changes are backward compatible with existing Cerber installations.
+
+---
+
 ## [1.1.4] - 2026-01-04
 
 ### Fixed

package/README.md

@@ -25,13 +25,47 @@ It's a contract that everything else must obey.
 
 ```bash
 npm install cerber-core --save-dev
-npx cerber-guardian --help
+npx cerber init
+# Follow prompts to generate CERBER.md contract + guardian hooks
 ```
 
 ⭐ **Like what you see?** [Star the repo](https://github.com/Agaslez/cerber-core) and share with your team!
 
 ---
 
+## 🤖 For AI Agents (Copilot, Cursor, Windsurf, Claude, etc.)
+
+**Cerber's one rule:** `CERBER.md` is the single source of truth.
+
+- If `CERBER.md` is missing → generate template and **STOP**. User must fill the contract.
+- If `CERBER.md` exists → execute contract exactly as specified.
+- **Never guess architecture.** Never invent rules. Never auto-design.
+
+**Schema modes:**
+- `schema.mode: template_only` → Generate minimal starter with "NOT SOURCE OF TRUTH" header
+- `schema.mode: strict` → Require existing schema file, never generate
+
+**Three enforcement points:**
+1. **Pre-commit** (Guardian) - Blocks violating commits
+2. **CI** (GitHub Actions) - Validates on push
+3. **Post-deploy** - Health gate checks production
+
+**Working with Cerber:** Read `CERBER.md` first. It tells you what's allowed and what's protected.
+
+### MUST (Non-Negotiable Rules for AI Agents)
+
+**Rule 1: Schema Generation = Translation Only**
+- Agent can **only translate** explicit rules from `CERBER.md` into `BACKEND_SCHEMA.*` format
+- If a rule is **not in CERBER.md** → ask user / fail / leave empty
+- **Never invent**, guess, or auto-generate architecture rules
+
+**Rule 2: NO-HEREDOC for TS/JS Files**
+- **Never** create TypeScript/JavaScript files using bash `cat <<EOF` or heredoc syntax
+- Reason: Causes `${}` template literal corruption and UTF-8 encoding issues
+- Use editor tools, `fs.writeFile`, or proper file generation utilities instead
+
+---
+
 ## 📊 Real Production Metrics
 
 > From Eliksir SaaS Backend (2026-01-02 session)
@@ -228,7 +262,7 @@ In `CERBER.md` contract, you control schema generation:
 ```yaml
 schema:
   enabled: true
-  file: BACKEND_SCHEMA.ts
+  file: BACKEND_SCHEMA.mjs
   mode: strict  # or template_only
 ```
 
@@ -236,7 +270,7 @@ schema:
 - ✅ Cerber NEVER creates schema file
 - ✅ You create schema based on YOUR architecture
 - ✅ Full control, no helpers, no assumptions
-- ✅ `npx cerber init` shows: "You must create BACKEND_SCHEMA.ts"
+- ✅ `npx cerber init` shows: "You must create BACKEND_SCHEMA.mjs"
 
 **For beginners → `mode: template_only`**
 - ✅ Cerber creates minimal template if file missing
@@ -307,11 +341,11 @@ mode: dev  # solo | dev | team
 
 guardian:
   enabled: true
-  schemaFile: BACKEND_SCHEMA.ts
+  schemaFile: BACKEND_SCHEMA.mjs
 
 schema:
   enabled: true
-  file: BACKEND_SCHEMA.ts
+  file: BACKEND_SCHEMA.mjs
   mode: template_only  # strict (mature teams) | template_only (beginners)
   # strict = You create schema, Cerber never generates
   # template_only = Cerber creates minimal helper if missing
@@ -370,18 +404,13 @@ npm install cerber-core --save-dev
 #### 🎨 **Frontend Developer (React/Vue/Angular)**
 
 ```bash
-# 1. Copy frontend schema example (then customize!)
-cp node_modules/cerber-core/examples/frontend-schema.ts ./FRONTEND_SCHEMA.ts
-
-# 2. Copy validation script
-mkdir -p scripts
-cp node_modules/cerber-core/guardian/templates/validate-schema.mjs scripts/
+# 1. Initialize Cerber (generates CERBER.md + templates)
+npx cerber init --mode=solo
 
-# 3. Install pre-commit hook
-npx husky-init
-npx husky add .husky/pre-commit "node scripts/validate-schema.mjs"
+# 2. Customize your schema for frontend
+# Edit BACKEND_SCHEMA.mjs (rename to FRONTEND_SCHEMA.mjs if you prefer)
 
-# 4. Test it!
+# 3. Test it!
 git commit -m "test"
 # Guardian will validate automatically (<1s)
 ```
@@ -392,26 +421,21 @@ git commit -m "test"
 - ✅ Required imports (`react`, `react-dom`)
 - ✅ Required files (`tsconfig.json`, `vite.config.ts`)
 
-**Then customize:** Edit FRONTEND_SCHEMA.ts to match YOUR folder structure, YOUR rules, YOUR tech stack.
+**Then customize:** Edit BACKEND_SCHEMA.mjs (rename to FRONTEND_SCHEMA.mjs if you prefer) to match YOUR folder structure, YOUR rules, YOUR tech stack.
 
 #### ⚙️ **Backend Developer (Node.js/Express/NestJS)**
 
 ```bash
-# 1. Copy backend schema example (then customize!)
-cp node_modules/cerber-core/examples/backend-schema.ts ./BACKEND_SCHEMA.ts
+# 1. Initialize Cerber (generates CERBER.md + guardian + health templates)
+npx cerber init --mode=dev
 
-# 2. Copy validation script
-mkdir -p scripts
-cp node_modules/cerber-core/guardian/templates/validate-schema.mjs scripts/
+# 2. Customize BACKEND_SCHEMA.mjs
+# Edit to match YOUR routes, YOUR layers, YOUR security rules
 
-# 3. Install pre-commit hook
-npx husky-init
-npx husky add .husky/pre-commit "node scripts/validate-schema.mjs"
-
-# 4. Add health endpoint
+# 3. Add health endpoint (see example below)
 ```
 
-**Then customize:** Edit BACKEND_SCHEMA.ts to match YOUR routes, YOUR layers, YOUR security rules.
+**Then customize:** Edit BACKEND_SCHEMA.mjs to match YOUR routes, YOUR layers, YOUR security rules.
 
 ```javascript
 // server.js (ESM)
@@ -499,6 +523,9 @@ cat .cerber/FOCUS_CONTEXT.md
 All features available through unified CLI:
 
 ```bash
+# Doctor - Setup validation (new in v1.1.7)
+npx cerber doctor              # Validate CERBER.md, schema, hooks, CI
+
 # Guardian - Pre-commit validation
 cerber guardian --schema ./SCHEMA.ts
 
@@ -525,11 +552,59 @@ cerber-focus
 
 ---
 
+## 🩺 npx cerber doctor (New in v1.1.7)
+
+Validate your Cerber setup before commits or deploys:
+
+```bash
+npx cerber doctor
+```
+
+**Exit codes:**
+- `0` ✅ All checks pass
+- `2` ❌ Missing CERBER.md
+- `3` ❌ Missing schema (strict mode only)
+- `4` ❌ Missing pre-commit hook or CI workflow
+
+**What it checks:**
+- CERBER.md present + valid YAML
+- Schema file exists (if `schema.mode: strict`)
+- `.husky/pre-commit` hook installed (if `guardian.enabled: true`)
+- GitHub Actions workflow present (if `ci.provider: github`)
+- Emergency override state (DISABLED | ACTIVE | EXPIRED | INVALID)
+
+**Example output:**
+
+```
+🩺 Cerber Doctor - Setup Validation
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+✓ CERBER.md: Found and valid
+✓ Schema: BACKEND_SCHEMA.mjs exists
+✓ Pre-commit hook: Installed (.husky/pre-commit)
+✓ CI workflow: Found (.github/workflows/cerber.yml)
+  Override: DISABLED
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+✅ All checks passed (exit 0)
+```
+
+**Use in CI:**
+
+```yaml
+- name: Validate Cerber setup
+  run: npx cerber doctor
+```
+
+If doctor fails → build fails → prevents incomplete Cerber deployments.
+
+---
+
 ## ⚠️ Important: Schema Files Are NOT Source of Truth
 
 Before diving into examples below, understand this:
 
-**📋 Schema files (BACKEND_SCHEMA.ts, FRONTEND_SCHEMA.ts):**
+**📋 Schema files (BACKEND_SCHEMA.mjs, FRONTEND_SCHEMA.mjs):**
 - Are **examples** and **optional templates**
 - Mirror YOUR architecture decisions from CERBER.md
 - Are user-owned and user-created (in strict mode)
@@ -548,8 +623,8 @@ Before diving into examples below, understand this:
 
 **1. Create architecture schema:**
 
-```typescript
-// BACKEND_SCHEMA.ts
+```javascript
+// BACKEND_SCHEMA.mjs
 export const BACKEND_SCHEMA = {
   version: '1.0.0',
   rules: [
@@ -573,7 +648,9 @@ export const BACKEND_SCHEMA = {
 **2. Add pre-commit hook:**
 
 ```bash
-npx husky add .husky/pre-commit "node scripts/validate-schema.mjs"
+# Pre-commit hook is automatically installed by npx cerber init
+# Or manually:
+npx husky add .husky/pre-commit "npm run cerber:guardian"
 ```
 
 **3. Done!** Guardian now blocks commits that violate architecture rules.
@@ -707,8 +784,8 @@ curl https://your-api.com/api/health
 
 ### Example 1: Enforce Express Router in routes
 
-```typescript
-// BACKEND_SCHEMA.ts
+```javascript
+// BACKEND_SCHEMA.mjs
 {
   name: 'Route files must import Router',
   pattern: /routes\/.*\.ts$/,
@@ -840,8 +917,8 @@ export const cloudinaryCheck = async () => {
 
 ### Guardian Configuration
 
-```typescript
-// BACKEND_SCHEMA.ts
+```javascript
+// BACKEND_SCHEMA.mjs
 export const BACKEND_SCHEMA = {
   version: '1.0.0',
   
@@ -1575,12 +1652,103 @@ Include:
 
 **Response time:** 24-48 hours acknowledgment, 7-14 days for fix.
 
+---
+
+## 🚨 Emergency Override (New in v1.1.7)
+
+For **critical production hotfixes only** (P0 incidents), Cerber provides a **controlled safety fuse** with strict time limits.
+
+### What Override DOES ✅
+
+- Allows pre-commit to pass **WITH WARNING** (audit trail logged)
+- Can skip `postDeploy` gate if configured
+- Requires: reason, expiry timestamp (TTL), approver name
+- Automatically expires (guardian validates TTL)
+
+### What Override NEVER DOES ❌
+
+Override is a **safety fuse**, NOT a power switch. It **NEVER** disables:
+
+- ❌ `cerber-integrity` job (self-protection always runs)
+- ❌ Entire CI pipeline (build, test, lint must pass)
+- ❌ `cerber-ci` workflow job (contract validation always runs)
+- ❌ CODEOWNERS enforcement (team mode protection)
+
+### Example: P0 Hotfix
+
+```yaml
+## CERBER_OVERRIDE
+enabled: true
+reason: "P0 - Payment API down, emergency rollback required"
+expires: "2026-01-04T18:00:00Z"  # 6-hour TTL
+approvedBy: "CTO Stefan"
+```
+
+**Guardian behavior:**
+
+```bash
+git commit -m "fix: rollback payment API to v1.2.3"
+
+⚠️  CERBER EMERGENCY OVERRIDE ACTIVE
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Reason:     P0 - Payment API down, emergency rollback required
+Expires:    2026-01-04T18:00:00Z (5h 23m remaining)
+Approved:   CTO Stefan
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Guardian checks: BYPASSED WITH WARNING
+Self-protection: STILL ACTIVE (cerber-integrity runs)
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+[main 3a7f2e9] fix: rollback payment API to v1.2.3
+```
+
+**CI behavior:**
+
+- ✅ `cerber-integrity` job **runs** (validates CERBER.md, override metadata)
+- ✅ Build, test, lint jobs **run**
+- ✅ `cerber-ci` job **runs** (contract validation)
+- ⚠️ Override warning shown in CI logs (audit trail)
+
+**After expiry:**
+
+```bash
+git commit -m "feat: add new feature"
+
+❌ CERBER EMERGENCY OVERRIDE EXPIRED
+Override expired at: 2026-01-04T18:00:00Z
+Proceeding with normal validation...
+
+❌ Schema validation failed: Missing type annotation for handlePayment()
+```
+
+### Verification
+
+```bash
+npx cerber doctor
+# Shows: Override: ACTIVE (expires 2026-01-04T18:00:00Z)
+# Or: Override: EXPIRED (expired 2h ago)
+# Or: Override: DISABLED
+```
+
+### Rules
+
+1. **All fields required:** enabled, reason, expires, approvedBy (missing = invalid = disabled)
+2. **TTL enforced:** Guardian checks expiry timestamp (expired = proceeds with normal validation)
+3. **Audit trail:** All commits with active override logged with full metadata
+4. **No carte blanche:** Hard limits enforced (integrity, CI, CODEOWNERS never bypassed)
+
+**Use sparingly.** Override is for emergencies, not convenience.
+
+---
+
 ### Security Features
 
 ✅ **No External Calls:** Guardian and Cerber run locally, no data sent externally  
 ✅ **Open Source:** Full transparency - audit the code yourself  
 ✅ **No Telemetry:** No tracking, no analytics, no data collection  
 ✅ **MIT Licensed:** Safe for commercial use  
+✅ **Supply-Chain Hardened:** 2FA, CI-only publishing, no risky lifecycle scripts (v1.1.7)  
+✅ **Path Safety:** Generator writes only to repo root, whitelist-validated paths (v1.1.7)  
 
 ### Best Practices
 
@@ -1589,8 +1757,10 @@ Include:
 - Update regularly: `npm update cerber-core`
 - Enable Dependabot for automated security updates
 - Run `npm audit` regularly
+- Review CERBER.md changes in PRs (protected by CODEOWNERS in team mode)
+- Use emergency override sparingly (P0 incidents only)
 
-**Full security policy:** [SECURITY.md](SECURITY.md)
+**Full security policy:** [SECURITY.md](SECURITY.md) (includes supply-chain security, vulnerability reporting, supported versions)
 
 ---
 

package/bin/cerber

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 
 /**
  * Cerber Core - Unified CLI
@@ -118,4 +118,17 @@ program
     execSync('node solo/scripts/cerber-dashboard.js', { stdio: 'inherit' });
   });
 
+
+program
+  .command('doctor')
+  .description('Validate Cerber setup (checks for missing files)')
+  .action(async () => {
+    const { runDoctor, printDoctorReport } = await import('../dist/cli/doctor.js');
+    const result = await runDoctor(process.cwd());
+    printDoctorReport(result);
+    process.exit(result.exitCode);
+  });
+
+program.parse();
+
 program.parse();

package/dev/templates/BACKEND_SCHEMA.ts.tpl

@@ -1,50 +1,87 @@
-/**
- * ⚠️  CERBER TEMPLATE (NOT SOURCE OF TRUTH)
- * 
- * This file is a starting point. Edit it to match YOUR architecture.
- * The source of truth is CERBER.md.
- * 
- * Generated by: npx cerber init
- * Project: {{PROJECT_NAME}}
- * 
- * See: https://github.com/Agaslez/cerber-core#guardian-configuration
- */
-
-export const BACKEND_SCHEMA = {
-  version: "1.0.0",
-  
-  // Your architecture rules (customize)
-  rules: [],
-  
-  // Patterns that should never appear in your code
-  forbiddenPatterns: [
-    // Uncomment and customize based on your tech stack:
-    // {
-    //   pattern: "password\\s*=\\s*['\"][^'\"]+['\"]",
-    //   flags: "i",
-    //   name: "Hardcoded passwords",
-    //   severity: "error"
-    // },
-    // {
-    //   pattern: "api[_-]?key\\s*=\\s*['\"][^'\"]+['\"]",
-    //   flags: "i",
-    //   name: "Hardcoded API keys",
-    //   severity: "error"
-    // }
-  ]
-};
-
-export default BACKEND_SCHEMA;
-
-/**
- * 💡 Next Steps:
- * 
- * 1. Define your project structure in CERBER.md (single source of truth)
- * 2. Add forbiddenPatterns for your tech stack
- * 3. Add requiredImports rules for your architecture layers
- * 4. Test with: npx cerber-guardian
- * 
- * Full examples:
- * - node_modules/cerber-core/examples/backend-schema.ts
- * - node_modules/cerber-core/examples/frontend-schema.ts
- */
+/**
+ * ⚠️  CERBER TEMPLATE (NOT SOURCE OF TRUTH)
+ * 
+ * This file is a starting point. Edit it to match YOUR architecture.
+ * The source of truth is CERBER.md.
+ * 
+ * Generated by: npx cerber init
+ * Project: {{PROJECT_NAME}}
+ * 
+ * See: https://github.com/Agaslez/cerber-core#guardian-configuration
+ */
+
+export const BACKEND_SCHEMA = {
+  version: "1.0.0",
+  
+  // Your architecture rules (customize)
+  rules: [],
+  
+  // Patterns that should never appear in your code
+  forbiddenPatterns: [
+    // ──────────────────────────────────────────────────────────────────────
+    // 🔐 SECURITY BASELINE (Uncomment and adapt to your CERBER.md contract)
+    // ──────────────────────────────────────────────────────────────────────
+    
+    // Hardcoded secrets (common examples - adapt to your stack):
+    // {
+    //   pattern: "password\\s*=\\s*['\"][^'\"]+['\"]"  ,
+    //   flags: "i",
+    //   name: "Hardcoded passwords (e.g., password='admin123')",
+    //   severity: "error"
+    // },
+    // {
+    //   pattern: "api[_-]?key\\s*=\\s*['\"][^'\"]+['\"]"  ,
+    //   flags: "i",
+    //   name: "Hardcoded API keys (e.g., API_KEY='xyz')",
+    //   severity: "error"
+    // },
+    // {
+    //   pattern: "JWT_SECRET\\s*=\\s*['\"][^'\"]+['\"]"  ,
+    //   flags: "i",
+    //   name: "Hardcoded JWT secrets",
+    //   severity: "error"
+    // },
+    
+    // Development artifacts (should not reach production):
+    // {
+    //   pattern: "console\\.log\\(",
+    //   flags: "g",
+    //   name: "console.log (use proper logging)",
+    //   severity: "warning"
+    // },
+    // {
+    //   pattern: "debugger;",
+    //   flags: "g",
+    //   name: "debugger statement",
+    //   severity: "warning"
+    // },
+    
+    // TODOs that should be resolved before commit:
+    // {
+    //   pattern: "TODO_REMOVE|FIXME_REMOVE",
+    //   flags: "i",
+    //   name: "Unresolved critical TODOs",
+    //   severity: "error"
+    // },
+    
+    // ──────────────────────────────────────────────────────────────────────
+    // ⚠️  IMPORTANT: Uncomment patterns that match rules in your CERBER.md
+    // Never invent rules. Only translate what's documented in your contract.
+    // ──────────────────────────────────────────────────────────────────────
+  ]
+};
+
+export default BACKEND_SCHEMA;
+
+/**
+ * 💡 Next Steps:
+ * 
+ * 1. Define your project structure in CERBER.md (single source of truth)
+ * 2. Add forbiddenPatterns for your tech stack
+ * 3. Add requiredImports rules for your architecture layers
+ * 4. Test with: npx cerber-guardian
+ * 
+ * Full examples:
+ * - node_modules/cerber-core/examples/backend-schema.ts
+ * - node_modules/cerber-core/examples/frontend-schema.ts
+ */