Context
Frontend audit confirmed all backend API calls go through the SDK correctly. However, there is no enforcement mechanism to prevent future direct fetch() calls bypassing the SDK.
Current state (GOOD)
- All backend calls use openapi-fetch via services/api.ts
- All components import from services/api, never from api-client directly
- All WebSocket connections go through websocketClient SDK
- Only 2 justified direct fetch() calls (Azure Realtime SDP exchange, health check)
Proposed enforcement
1. Biome lint rule to flag direct fetch() to backend
Add a custom lint rule or code review checklist item that flags:
- fetch() calls containing the API base URL pattern
- Direct imports from api-client/client.ts in component files
2. Architecture documentation
Document the API access pattern in CLAUDE.md or a frontend architecture doc:
- All backend calls MUST go through services/api.ts
- services/api.ts wraps the openapi-fetch SDK client
- Components import from services/api.ts, never directly from api-client/
- Only exception: Azure external service calls (realtime voice)
3. CI check (optional)
A simple grep in CI:
```bash
Fail if any component file imports from api-client directly
! rg 'from.*api-client/(client|schema)' src/components/ src/pages/
```
Tasks
Context
Frontend audit confirmed all backend API calls go through the SDK correctly. However, there is no enforcement mechanism to prevent future direct fetch() calls bypassing the SDK.
Current state (GOOD)
Proposed enforcement
1. Biome lint rule to flag direct fetch() to backend
Add a custom lint rule or code review checklist item that flags:
2. Architecture documentation
Document the API access pattern in CLAUDE.md or a frontend architecture doc:
3. CI check (optional)
A simple grep in CI:
```bash
Fail if any component file imports from api-client directly
! rg 'from.*api-client/(client|schema)' src/components/ src/pages/
```
Tasks