Architecture Overview

Layers
- Domain: Types in `shared/` reused by backend/frontend.
- Use-Cases: `backend/src/usecases` (e.g., auth/loginUser, employees CRUD, users management).
- Repositories: `backend/src/repositories` do all DB access; controllers do not use SQL.
- Adapters/HTTP: `backend/src/routes/*` map HTTP <-> use-cases and validate inputs.
- Infra/Services: encryption, email, sync components, logger.

Database Ownership
- Canonical core schema lives in `backend/src/config/secureDatabase.ts` (users, employees, skills + junctions, language_skills, specializations, controlled_vocabulary, system_settings, security_audit_log). These include field encryption and hash indexes.
- Extended, non-sensitive schema lives in `backend/src/config/database.ts` (profiles + facets, workspaces/bookings, analytics, organizational structure, deputies, reminders, audit_log).
- Initialization order: `initializeSecureDatabase()` runs before `initializeDatabase()`. Routes import `db` from either module, but both resolve to the same secure DB instance.

Security
- JWT required; in production `JWT_SECRET` must be set.
- Field-level encryption (AES) for sensitive data + deterministic hashes for lookups.
- Error redaction: sensitive fields are redacted in logs.

Sync
- Modular components under `backend/src/services/sync`:
  - `queueStore`: DB interactions (pending, status, metadata)
  - `transport`: HTTP communication between nodes
  - `applier`: applies changes entity-wise
  - `SyncService`: orchestrates and exposes routes

Migrations
- Simple runner: `npm run migrate` in `backend`
- Tracks applied migrations in `schema_version`; add files to `backend/scripts/migrations`.

Frontend
- API abstraction with normalized error handling
- ErrorBoundary wraps the app