Architecture Overview

Layers
- Domain: Types in `shared/` reused by backend/frontend.
- Use-Cases: `backend/src/usecases` (e.g., auth/loginUser, employees CRUD, users management).
- Repositories: `backend/src/repositories` do all DB access; controllers do not use SQL.
- Adapters/HTTP: `backend/src/routes/*` map HTTP <-> use-cases and validate inputs.
- Infra/Services: encryption, email, sync components, logger.

Security
- JWT required; in production `JWT_SECRET` must be set.
- Field-level encryption (AES) for sensitive data + deterministic hashes for lookups.
- Error redaction: sensitive fields are redacted in logs.

Sync
- Modular components under `backend/src/services/sync`:
  - `queueStore`: DB interactions (pending, status, metadata)
  - `transport`: HTTP communication between nodes
  - `applier`: applies changes entity-wise
  - `SyncService`: orchestrates and exposes routes

Migrations
- Simple runner: `npm run migrate` in `backend`
- Tracks applied migrations in `schema_version`; add files to `backend/scripts/migrations`.

Frontend
- API abstraction with normalized error handling
- ErrorBoundary wraps the app