What NOT to Do

Code

Don't add features or refactoring beyond what's asked.
Don't add error handling for scenarios that can't happen.
Don't create abstractions for one-time operations.
Don't add docstrings, comments, or type annotations to code you didn't change.
Don't create documentation files unless explicitly asked.
Don't use go vet suppressions or //nolint without explicit approval.
Don't duplicate helper functions -- check shared.go and helpers.go first.
Don't use http.Error() -- always use jsonError() or internalError().
Don't pass r.Context() to goroutines -- use context.Background().
Don't define sanitizeID or generatePassword locally in engine packages -- use engine.shared.go.
Don't import internal/ packages from the sdk/ module.
Don't create circular dependencies between packages.

Don't store the master key on disk in plaintext. KMS references only.
Don't log secret values, tokens, passwords, or key material.
Don't trust plugin packages without signature verification.
Don't allow plugins to access other plugins' data.
Don't give plugins direct network or filesystem access -- all through host functions.
Don't expose internal error details to HTTP clients.
Don't store tokens in plaintext -- SHA-256 hash only.
Don't use http.Error() for auth failures -- use jsonError() with specific guidance.
Don't skip TLS -- required in all modes (Standalone and Multi-node).

Don't put business logic in middleware -- middleware handles cross-cutting concerns only.
Don't call store methods from internal/engine/ -- engines are stateless, core owns data.
Don't hardcode engine-specific logic in handlers -- use the engine registry.
Don't build plugin management into the server process -- use separate CLI commands.
Don't skip migrations -- always create a new numbered migration for schema changes.
Don't give plugins their own database connections -- core manages all connections via internal/connection/.
Don't assume Go-only SDK -- design contracts that work across languages.