# CLAUDE.md - API Backend ## Service Overview **API Backend** for Code of Conquest - The single source of truth for all business logic, game mechanics, and data operations. **Tech Stack:** Flask + Appwrite + RQ + Redis + Replicate API (Llama-3/Claude models) **Port:** 5000 (development), 5000 (production internal) **Location:** `/api` --- ## Architecture Role This API backend is the **single source of truth** for all game logic: - ✅ All business logic - ✅ Data models and validation - ✅ Database operations (Appwrite) - ✅ Authentication & authorization - ✅ Game mechanics calculations - ✅ AI orchestration (all models via Replicate API) - ✅ Background job processing (RQ) **What this service does NOT do:** - ❌ No UI rendering (that's `/public_web` and `/godot_client`) - ❌ No direct user interaction (only via API endpoints) --- ## Documentation Index **API Backend Documentation:** - **[API_REFERENCE.md](docs/API_REFERENCE.md)** - API endpoints and response formats - **[DATA_MODELS.md](docs/DATA_MODELS.md)** - Character system, items, skills, effects - **[GAME_SYSTEMS.md](docs/GAME_SYSTEMS.md)** - Combat mechanics, marketplace, NPCs - **[QUEST_SYSTEM.md](docs/QUEST_SYSTEM.md)** - Quest mechanics and data structures - **[STORY_PROGRESSION.md](docs/STORY_PROGRESSION.md)** - Story progression system - **[MULTIPLAYER.md](docs/MULTIPLAYER.md)** - Multiplayer session backend logic - **[API_TESTING.md](docs/API_TESTING.md)** - API testing guide with examples - **[APPWRITE_SETUP.md](docs/APPWRITE_SETUP.md)** - Database setup guide - **[PHASE4_IMPLEMENTATION.md](docs/PHASE4_IMPLEMENTATION.md)** - Phase 4 detailed implementation tasks **Project-Wide Documentation:** - **[../docs/ARCHITECTURE.md](../docs/ARCHITECTURE.md)** - System architecture overview - **[../docs/ROADMAP.md](../docs/ROADMAP.md)** - Development roadmap and progress tracking - **[../docs/DEPLOYMENT.md](../docs/DEPLOYMENT.md)** - Deployment guide - **[../docs/WEB_VS_CLIENT_SYSTEMS.md](../docs/WEB_VS_CLIENT_SYSTEMS.md)** - Feature distribution between frontends **Documentation Hierarchy:** - `/docs/` = Project-wide roadmap, architecture, and cross-service documentation - `/api/docs/` = API-specific implementation details (endpoints, data models, game systems) > **Note:** For overall project progress, always check `/docs/ROADMAP.md`. Service-specific docs contain implementation details. --- ## Development Guidelines ### Project Structure ``` api/ ├── app/ # Application code │ ├── api/ # API endpoint blueprints │ ├── models/ # Data models (dataclasses) │ ├── services/ # Business logic & integrations │ ├── utils/ # Utilities │ ├── tasks/ # Background jobs (RQ) │ ├── ai/ # AI integration │ ├── game_logic/ # Game mechanics │ └── data/ # Game data (YAML) ├── config/ # Configuration files ├── tests/ # Test suite ├── scripts/ # Utility scripts └── docs/ # API documentation ``` ### Coding Standards **Style & Structure** - Prefer longer, explicit code over compact one-liners - Always include docstrings for functions/classes + inline comments - Strongly prefer OOP-style code (classes over functional/nested functions) - Strong typing throughout (dataclasses, TypedDict, Enums, type hints) - Value future-proofing and expanded usage insights **Data Design** - Use dataclasses for internal data modeling - Typed JSON structures - Functions return fully typed objects (no loose dicts) - Snapshot files in JSON or YAML - Human-readable fields (e.g., `scan_duration`) **Logging** - Use structlog (pip package) - Setup logging at app start: `logger = structlog.get_logger(__file__)` **Preferred Pip Packages** - API/Web Server: Flask - HTTP: Requests - Logging: Structlog - Job Queue: RQ - Testing: Pytest ### API Design Standards **RESTful Conventions:** - Use proper HTTP methods (GET, POST, PUT, DELETE) - Resource-based URLs: `/api/v1/characters`, not `/api/v1/get_character` - Versioning: `/api/v1/...` **Standardized Response Format:** ```json { "app": "Code of Conquest API", "version": "0.1.0", "status": 200, "timestamp": "2025-01-15T10:30:00Z", "request_id": "optional-request-id", "result": { "data": "..." }, "error": null, "meta": {} } ``` **Error Responses:** ```json { "app": "Code of Conquest API", "version": "0.1.0", "status": 400, "timestamp": "2025-01-15T10:30:00Z", "result": null, "error": { "code": "VALIDATION_ERROR", "message": "Invalid character name", "details": { "field": "name", "issue": "Name must be between 3 and 50 characters" } } } ``` ### Error Handling - Custom exception classes for domain-specific errors - Consistent error response formats (use `app.utils.response`) - Logging severity levels (ERROR vs WARNING) - Never expose internal errors to clients (sanitize stack traces) ### Security Standards **Authentication & Authorization** - Use Appwrite Auth for user management - HTTP-only cookies for session storage - Session validation on every protected API call - User ID verification (users can only access their own data) - Use `@require_auth` decorator for protected endpoints **Input Validation** - Validate ALL JSON payloads against schemas - Sanitize user inputs (character names, chat messages) - Prevent injection attacks (SQL, NoSQL, command injection) - Use bleach for HTML sanitization **Rate Limiting** - AI endpoint limits based on subscription tier - Use Flask-Limiter with Redis backend - Configure limits in `config/*.yaml` **API Security** - CORS properly configured (only allow frontend domains) - API keys stored in environment variables (never in code) - Appwrite permissions set correctly on all collections - HTTPS only in production **Cost Control (AI)** - Daily limits on AI calls per tier - Max tokens per request type - Cost logging for analytics and alerts - Graceful degradation if limits exceeded ### Configuration - Environment-specific configs in `/config/*.yaml` - `development.yaml` - Local dev settings - `production.yaml` - Production settings - `.env` for secrets (never committed) - Maintain `.env.example` for documentation - Typed config loaders using dataclasses - Validation on startup ### Testing Standards **Unit Tests (Pytest):** - Test all models, services, game logic - Test files in `/tests` - Run with: `pytest` - Coverage: `pytest --cov=app tests/` **Integration Tests:** - Test API endpoints end-to-end - Use test database/fixtures - Example: `tests/test_api_characters_integration.py` **API Testing:** - Maintain `docs/API_TESTING.md` with curl/httpie examples - Document expected responses - Test all endpoints manually before commit ### Dependency Management - Use `requirements.txt` in `/api` directory - Use virtual environment: `python3 -m venv venv` - Pin versions to version ranges - Activate venv before running: `source venv/bin/activate` ### Background Jobs (RQ) **Queue Types:** - `ai_tasks` - AI narrative generation - `combat_tasks` - Combat processing - `marketplace_tasks` - Auction cleanup, periodic tasks **Job Implementation:** - Define jobs in `app/tasks/` - Use `@job` decorator from RQ - Jobs should be idempotent (safe to retry) - Log job start, completion, errors **Running Workers:** ```bash rq worker ai_tasks combat_tasks marketplace_tasks --url redis://localhost:6379 ``` --- ## Workflow for API Development When implementing new API features: 1. **Start with models** - Define dataclasses in `app/models/` 2. **Write tests** - TDD approach (test first, then implement) 3. **Implement service** - Business logic in `app/services/` 4. **Create endpoint** - API blueprint in `app/api/` 5. **Test manually** - Use curl/httpie, update `docs/API_TESTING.md` 6. **Security review** - Check auth, validation, rate limiting 7. **Document** - Update `docs/API_REFERENCE.md` **Example Flow:** ```bash # 1. Create model # app/models/quest.py - Define Quest dataclass # 2. Write test # tests/test_quest.py - Test quest creation, validation # 3. Implement service # app/services/quest_service.py - Quest CRUD operations # 4. Create endpoint # app/api/quests.py - REST endpoints # 5. Test curl -X POST http://localhost:5000/api/v1/quests \ -H "Content-Type: application/json" \ -d '{"title": "Find the Ancient Relic"}' # 6. Document # Update docs/API_REFERENCE.md and docs/API_TESTING.md ``` --- ## Running the API Backend ### Development **Prerequisites:** - Python 3.11+ - Redis running (via Docker Compose) - Appwrite instance configured **Setup:** ```bash cd api python3 -m venv venv source venv/bin/activate pip install -r requirements.txt cp .env.example .env # Edit .env with your credentials ``` **Initialize Database:** ```bash python scripts/init_database.py ``` **Run Development Server:** ```bash # Terminal 1: Redis docker-compose up # Terminal 2: API Server source venv/bin/activate export FLASK_ENV=development python wsgi.py # → http://localhost:5000 # Terminal 3: RQ Worker (optional) source venv/bin/activate rq worker ai_tasks --url redis://localhost:6379 ``` ### Production **Run with Gunicorn:** ```bash gunicorn --bind 0.0.0.0:5000 --workers 4 wsgi:app ``` **Environment Variables:** ``` FLASK_ENV=production APPWRITE_ENDPOINT=https://cloud.appwrite.io/v1 APPWRITE_PROJECT_ID=... APPWRITE_API_KEY=... APPWRITE_DATABASE_ID=... ANTHROPIC_API_KEY=... REPLICATE_API_TOKEN=... REDIS_URL=redis://redis:6379 SECRET_KEY=... ``` --- ## Git Standards **Commit Messages:** - Use conventional commit format: `feat:`, `fix:`, `docs:`, `refactor:`, etc. - Examples: - `feat(api): add quest endpoints` - `fix(models): character stat calculation bug` - `docs(api): update API_REFERENCE with quest endpoints` **Branch Strategy:** - Branch off `dev` for features - Merge back to `dev` for testing - Promote to `master` for production --- ## Notes for Claude Code When working on the API backend: 1. **Business logic lives here** - This is the single source of truth 2. **No UI code** - Don't create templates or frontend code in this service 3. **Security first** - Validate inputs, check permissions, sanitize outputs 4. **Cost conscious** - Monitor AI usage, implement limits 5. **Test thoroughly** - Use pytest, write integration tests 6. **Document as you go** - Update API_REFERENCE.md and API_TESTING.md 7. **Think about frontends** - Design endpoints that work for both web and Godot clients **Remember:** - Developer has strong security expertise (don't compromise security for convenience) - Developer has extensive infrastructure experience (focus on application logic) - This API serves multiple frontends (web and Godot) - keep it generic