## Cursor Rules (Project Standards)

### Non-negotiables
- Never commit secrets. Never paste credentials into code, docs, or logs.
- Prefer env vars over hardcoding (see `.env.example`).
- Add/extend tests for any behavior change.

### Backend standards
- Use the provider abstraction (`backend/llm_client.py`) for all model calls.
- Keep request/response payloads explicit and logged safely (no secrets).
- Treat uploaded documents as untrusted input:
  - enforce `.md` extension
  - enforce size limits
  - never execute content

### Frontend standards
- Keep API calls in `frontend/src/api.js`.
- Keep app state + orchestration in `frontend/src/App.jsx`.
- Components should be readable and small.

### Testing
- Backend: `make test-backend`
- Frontend: `make test-frontend`

### Architecture
- The app runs locally; the GPU VM runs an OpenAI-compatible inference server.
- The app calls the VM over HTTP (or via SSH tunnel) and does not "use the GPU" directly.