gridpilot.gg/docs/architecture/api/GUARDS.md
2026-01-11 14:42:54 +01:00


# Guards (API Enforcement)

This document defines **Guards** as API enforcement mechanisms.

Shared contract: [`docs/architecture/shared/BLOCKERS_AND_GUARDS.md`](docs/architecture/shared/BLOCKERS_AND_GUARDS.md:1)

## 1) Definition

A Guard is an API mechanism that enforces access or execution rules.
If a Guard denies execution, the request does not reach application logic.

## 2) Responsibilities

Guards MAY:

- block requests entirely
- return HTTP errors (401, 403, 429)
- enforce authentication and authorization
- enforce rate limits
- enforce feature availability
- protect against abuse and attacks

Guards MUST:

- be deterministic
- be authoritative
- be security-relevant

## 3) Restrictions

Guards MUST NOT:

- depend on website/client state
- contain UI logic
- attempt to improve UX
- assume the client behaved correctly

## 4) Common Guards

- AuthGuard
- RolesGuard
- PermissionsGuard
- Throttler/RateLimit guards
- CSRF guards
- Feature availability guards
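The following is an added, framework-free illustration of the contract above (it is not the project's own guard code). It chains an AuthGuard, a RolesGuard and a RateLimit guard that each either deny with an HTTP status (401, 403, 429) before the handler runs or allow; identity comes from a constructed server-side session table (an assumed opaque bearer-token scheme), and the clock is injected so the rate-limit decision is deterministic and independent of client state.

```typescript
type ApiRequest = { headers: Record<string, string>; ip: string };
type Principal = { sub: string; roles: string[] };
interface Ctx { principal?: Principal; now: number }
// A guard returns an HTTP status to deny the request, or null to allow it.
type Guard = (req: ApiRequest, ctx: Ctx) => number | null;

// Constructed server-side session table (assumption: opaque bearer tokens).
const SESSIONS: Record<string, Principal> = {
  "tok-admin": { sub: "u1", roles: ["admin"] },
  "tok-user": { sub: "u2", roles: ["user"] },
};

// AuthGuard: identity is resolved from server-side state, never from client claims.
const authGuard: Guard = (req, ctx) => {
  const auth = req.headers["authorization"] ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  const principal = SESSIONS[token];
  if (!principal) return 401; // unauthenticated: denied before the handler
  ctx.principal = principal;
  return null;
};

// RolesGuard: the authorization decision is a pure function of the resolved principal.
const rolesGuard = (required: string): Guard => (_req, ctx) =>
  ctx.principal?.roles.includes(required) ? null : 403;

// RateLimit guard: fixed window keyed by principal (or IP when anonymous).
// Counters live on the server and the clock is injected, so decisions are deterministic.
const rateLimitGuard = (limit: number, windowMs: number): Guard => {
  const windows = new Map<string, { start: number; count: number }>();
  return (req, ctx) => {
    const key = ctx.principal?.sub ?? req.ip;
    const w = windows.get(key);
    if (!w || ctx.now - w.start >= windowMs) {
      windows.set(key, { start: ctx.now, count: 1 });
      return null;
    }
    w.count += 1;
    return w.count > limit ? 429 : null;
  };
};

// Runs guards in order; application logic executes only when every guard allows.
function handle(guards: Guard[], req: ApiRequest, now: number,
                handler: (ctx: Ctx) => number): number {
  const ctx: Ctx = { now };
  for (const g of guards) { const status = g(req, ctx); if (status !== null) return status; }
  return handler(ctx);
}
```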