Add 3 new rules (20 total), upgrade landing page with 6 features + stats

Author: vibestackdev

.cursor/rules/database-design.mdc

@@ -0,0 +1,65 @@
+---
+description: Database schema design patterns for Supabase with proper types and relationships
+globs: ["**/*.sql", "**/supabase/**", "**/types/**"]
+alwaysApply: false
+---
+
+# Database Design Patterns
+
+## Table Naming
+- Use `snake_case` for tables and columns: `user_profiles`, `created_at`
+- NEVER use camelCase in SQL: `userId` → WRONG, `user_id` → CORRECT
+- Use plural table names: `profiles`, `posts`, `comments`
+
+## Required Columns (Every Table)
+```sql
+CREATE TABLE public.example (
+  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+  -- your columns here
+  created_at TIMESTAMPTZ DEFAULT NOW() NOT NULL,
+  updated_at TIMESTAMPTZ DEFAULT NOW() NOT NULL
+);
+```
+ALWAYS include `id`, `created_at`, and `updated_at`.
+ALWAYS use UUID for primary keys (not serial/integer).
+ALWAYS use TIMESTAMPTZ (not TIMESTAMP) for timezone safety.
+
+## Foreign Key Pattern
+```sql
+-- Always reference auth.users for user ownership
+user_id UUID REFERENCES auth.users(id) ON DELETE CASCADE NOT NULL
+```
+Use `ON DELETE CASCADE` for user-owned data.
+Use `ON DELETE SET NULL` for optional relationships.
+
+## RLS Template (Copy This Every Time)
+```sql
+ALTER TABLE public.example ENABLE ROW LEVEL SECURITY;
+
+-- Users can only see their own data
+CREATE POLICY "Users own data" ON public.example
+  FOR ALL USING (auth.uid() = user_id);
+
+-- Or for public read + owner write:
+CREATE POLICY "Public read" ON public.example
+  FOR SELECT USING (true);
+CREATE POLICY "Owner write" ON public.example
+  FOR INSERT WITH CHECK (auth.uid() = user_id);
+CREATE POLICY "Owner update" ON public.example
+  FOR UPDATE USING (auth.uid() = user_id);
+CREATE POLICY "Owner delete" ON public.example
+  FOR DELETE USING (auth.uid() = user_id);
+```
+
+## Type Generation
+After schema changes, regenerate types:
+```bash
+npx supabase gen types typescript --project-id YOUR_PROJECT_REF > src/types/database.ts
+```
+ALWAYS use generated types — NEVER manually type database schemas.
+
+## Anti-Patterns
+- NEVER use `TEXT` for fields that should be enums — use PostgreSQL enums or CHECK constraints
+- NEVER store JSON blobs when structured columns work — use `JSONB` only for truly dynamic data
+- NEVER create tables without RLS — see `supabase-rls.mdc`
+- NEVER use `SERIAL` for IDs — use `UUID` for security (prevents enumeration attacks)

.cursor/rules/env-management.mdc

@@ -0,0 +1,66 @@
+---
+description: Environment variable management and secrets handling
+globs: ["**/*.ts", "**/*.tsx", "**/.env*"]
+alwaysApply: false
+---
+
+# Environment Variable Management
+
+## Classification Rules
+| Prefix | Visibility | Use For |
+|--------|-----------|---------|
+| `NEXT_PUBLIC_` | Client + Server | Non-sensitive public values (Supabase URL, Stripe publishable key) |
+| No prefix | Server Only | ALL secrets (API keys, webhook secrets, database URLs) |
+
+## NEVER Expose These to the Client
+```
+STRIPE_SECRET_KEY         → Server only (NEVER NEXT_PUBLIC_)
+STRIPE_WEBHOOK_SECRET     → Server only
+SUPABASE_SERVICE_ROLE_KEY → Server only (admin bypass key)
+RESEND_API_KEY            → Server only
+DATABASE_URL              → Server only
+```
+
+## Safe for Client
+```
+NEXT_PUBLIC_SUPABASE_URL           → Public Supabase endpoint
+NEXT_PUBLIC_SUPABASE_ANON_KEY      → Rate-limited client key (RLS protects data)
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY → Stripe public key (payment form only)
+NEXT_PUBLIC_APP_URL                → Your app's URL
+```
+
+## Validation Pattern
+Use `src/lib/env.ts` to validate at startup:
+```typescript
+function getEnvVar(key: string, required = true): string {
+  const value = process.env[key]
+  if (!value && required) {
+    throw new Error(`❌ Missing required env var: ${key}`)
+  }
+  return value ?? ''
+}
+```
+
+## .env.local Structure
+```bash
+# Supabase (required)
+NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
+NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...
+
+# Stripe (optional in dev)
+STRIPE_SECRET_KEY=sk_test_...
+STRIPE_WEBHOOK_SECRET=whsec_...
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_...
+
+# Email (optional in dev)
+RESEND_API_KEY=re_...
+
+# App
+NEXT_PUBLIC_APP_URL=http://localhost:3000
+```
+
+## Anti-Patterns
+- NEVER commit `.env.local` — it's in `.gitignore`
+- NEVER use `process.env.X` directly in components — use the centralized `env` config
+- NEVER hardcode API keys or secrets in source code
+- NEVER use `NEXT_PUBLIC_` for write-access API keys

.cursor/rules/file-naming.mdc

@@ -0,0 +1,46 @@
+---
+description: File naming conventions and project organization rules
+globs: ["**/*.ts", "**/*.tsx"]
+alwaysApply: false
+---
+
+# File Naming & Organization
+
+## Naming Conventions
+- **Components:** PascalCase → `UserProfile.tsx`, `DashboardLayout.tsx`
+- **Utilities/Libs:** camelCase → `formatDate.ts`, `createClient.ts`
+- **Constants:** SCREAMING_SNAKE → `export const MAX_RETRIES = 3`
+- **Types files:** camelCase → `types/index.ts`, `types/database.ts`
+- **Server Actions:** camelCase in grouped files → `actions.ts` (not one file per action)
+- **Route Handlers:** always `route.ts` (Next.js convention)
+
+## Directory Rules
+- Components in `src/components/` — NEVER in `src/app/`
+- Page-specific components in `src/app/[route]/_components/` (underscore prefix = private)
+- Shared types in `src/types/` — NEVER define types inline in components
+- Business logic in `src/lib/` — NEVER put business logic in components
+- Server actions in the nearest `actions.ts` to where they're used
+
+## Import Order (enforce in every file)
+```typescript
+// 1. React/Next.js imports
+import { Suspense } from 'react'
+import Link from 'next/link'
+
+// 2. Third-party libraries
+import { z } from 'zod'
+
+// 3. Internal aliases (@/)
+import { Button } from '@/components/ui/button'
+import { createClient } from '@/lib/supabase/server'
+import type { UserProfile } from '@/types'
+
+// 4. Relative imports (only for co-located files)
+import { columns } from './columns'
+```
+
+## Anti-Patterns
+- NEVER create `utils/helpers.ts` catch-all files — name files by what they do
+- NEVER put more than 1 exported component per file
+- NEVER use default exports for utilities — use named exports
+- NEVER create `index.ts` barrel files that re-export everything (breaks tree-shaking)