gridpilot.gg/docs/architecture/api/GUARDS.md
2026-01-11 14:42:54 +01:00

Guards (API Enforcement)

This document defines Guards as API enforcement mechanisms.

Shared contract: docs/architecture/shared/BLOCKERS_AND_GUARDS.md

1) Definition

A Guard is a server-side API mechanism that enforces access or execution rules on an incoming request before any handler runs.

If a Guard denies execution, the request is rejected with an HTTP error and never reaches application logic: no controller, service or side effect is executed for it.

2) Responsibilities

Guards MAY:

  • block requests entirely
  • return HTTP errors (401, 403, 429)
  • enforce authentication and authorization
  • enforce rate limits
  • enforce feature availability
  • protect against abuse and attacks

Guards MUST:

  • be deterministic: the same request against the same server-side state always yields the same decision
  • be authoritative: the Guard's decision is final, and nothing the client sends can override it
  • be security-relevant: a Guard exists to enforce a rule, not to steer flow for convenience

3) Restrictions

Guards MUST NOT:

  • depend on website/client state (a flag, header or form field that only the client sets is not evidence of anything)
  • contain UI logic
  • attempt to improve UX
  • assume the client behaved correctly (every request is treated as potentially hostile)

4) Common Guards

  • AuthGuard
  • RolesGuard
  • PermissionsGuard
  • Throttler/RateLimit guards
  • CSRF guards
  • Feature availability guards
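The following is an added illustration of sections 1 to 4, not code from the gridpilot.gg project: a minimal guard pipeline in plain TypeScript modelled on the NestJS canActivate() contract. It shows an AuthGuard, a RolesGuard and a rate-limit guard evaluated in order, with the first denial short-circuiting before the handler runs, and with the RolesGuard deciding from the server-side session only, so a client-sent "x-role: admin" header changes nothing. The type names (ApiRequest, Guard), the SESSIONS table, the route and the token strings are assumptions made for this example.

```typescript
// Added example, not the project's own code. ApiRequest, Guard, SESSIONS and
// the /admin/users route are assumptions made for illustration.

interface Session { id: string; roles: string[] }

interface ApiRequest {
  path: string;
  headers: Record<string, string>;
  clientIp: string;
  user?: Session;            // populated by AuthGuard from server-side state only
}

interface Guard {
  // null allows the request; an HTTP status denies it and the handler never runs.
  // Must depend only on the request bytes and server-side state.
  canActivate(req: ApiRequest): number | null;
}

// Constructed session table standing in for a real server-side session store.
const SESSIONS: Record<string, Session> = {
  "tok-alice": { id: "alice", roles: ["user"] },
  "tok-bob":   { id: "bob",   roles: ["user", "admin"] },
};

class AuthGuard implements Guard {
  canActivate(req: ApiRequest): number | null {
    const auth = req.headers["authorization"] ?? "";
    const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
    const session = SESSIONS[token];
    if (!session) return 401;
    req.user = session;      // identity comes from the token lookup, never from a client claim
    return null;
  }
}

class RolesGuard implements Guard {
  private readonly required: string[];
  constructor(required: string[]) { this.required = required; }
  canActivate(req: ApiRequest): number | null {
    // Only req.user (set by AuthGuard) counts; an "x-role" header is never consulted.
    const roles = req.user?.roles ?? [];
    return this.required.every((r) => roles.includes(r)) ? null : 403;
  }
}

class RateLimitGuard implements Guard {
  private readonly hits = new Map<string, number[]>();
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly now: () => number;
  // The clock is injected so the decision is deterministic for a given request history.
  constructor(limit: number, windowMs: number, now: () => number = Date.now) {
    this.limit = limit; this.windowMs = windowMs; this.now = now;
  }
  canActivate(req: ApiRequest): number | null {
    const t = this.now();
    const recent = (this.hits.get(req.clientIp) ?? []).filter((h) => t - h < this.windowMs);
    if (recent.length >= this.limit) { this.hits.set(req.clientIp, recent); return 429; }
    recent.push(t);
    this.hits.set(req.clientIp, recent);
    return null;
  }
}

interface ApiResponse { status: number; body: string; handlerRan: boolean }

// Runs guards in order; the first denial returns before the handler is invoked.
function handle(guards: Guard[], req: ApiRequest, handler: (req: ApiRequest) => string): ApiResponse {
  for (const g of guards) {
    const denied = g.canActivate(req);
    if (denied !== null) return { status: denied, body: "", handlerRan: false };
  }
  return { status: 200, body: handler(req), handlerRan: true };
}

// Guard chain for the assumed /admin/users route: throttle, then authenticate, then authorize.
function adminRoute(now: () => number = Date.now): Guard[] {
  return [new RateLimitGuard(3, 60_000, now), new AuthGuard(), new RolesGuard(["admin"])];
}

function request(headers: Record<string, string>, clientIp = "203.0.113.7"): ApiRequest {
  return { path: "/admin/users", headers, clientIp };
}
```

With this chain an anonymous request gets 401, alice (role "user") gets 403 even when she adds "x-role: admin", bob gets 200, and a fourth request from the same address inside the window gets 429 before authentication is even attempted; in none of the denied cases does the handler run.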