feat: add CLAUDE.md for Claude Code compatibility + update llms.txt to 25 rules

vibestackdev · vibestackdev · commit 4b50e58fc62e · 2026-04-01T17:51:16.000+03:00
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1,109 @@
+# CLAUDE.md — Vibe Stack Architecture Rules
+# For use with Claude Code (Anthropic's agentic CLI)
+# These rules prevent the most common AI hallucinations in Next.js 15 + Supabase + Stripe projects.
+
+## Project Overview
+This is a Next.js 15 + Supabase + Stripe application using the App Router, TypeScript strict mode, and Tailwind CSS. All server-side auth MUST use `getUser()`, never `getSession()`.
+
+## Tech Stack
+- Next.js 15 (App Router only — no Pages Router)
+- React 19
+- TypeScript (strict mode)
+- Supabase (auth, database, storage)
+- Stripe (payments via Checkout Sessions)
+- Tailwind CSS + shadcn/ui
+- Zod (validation at every boundary)
+
+## Critical Build Commands
+```bash
+npm run dev          # Start dev server
+npm run build        # Production build (catches type errors)
+npm run lint         # ESLint
+npx tsc --noEmit     # Type check without emitting
+```
+
+## SECURITY RULES — NEVER VIOLATE
+
+<security_critical>
+1. NEVER use `supabase.auth.getSession()` in server-side code (Server Components, Server Actions, Route Handlers, middleware). It reads the JWT from cookies WITHOUT verifying it — a forged token passes silently. ALWAYS use `supabase.auth.getUser()` which makes a verification call to the Supabase auth server.
+
+2. NEVER import from `@supabase/auth-helpers-nextjs` — it is DEPRECATED. Always use `@supabase/ssr` for both `createBrowserClient` (client) and `createServerClient` (server).
+
+3. NEVER put auth enforcement logic in `middleware.ts`. Middleware runs on Edge Runtime and cannot securely verify Supabase JWTs. Middleware should ONLY call `updateSession()` to refresh tokens. Auth enforcement MUST happen in layouts/pages via `getUser()`.
+
+4. NEVER build a custom credit card form. ALWAYS redirect to Stripe Checkout. Custom forms create PCI compliance liability.
+
+5. NEVER handle Stripe webhook events without calling `stripe.webhooks.constructEvent()` first to verify the `stripe-signature` header. Without this, anyone can POST fake events to your webhook endpoint.
+
+6. NEVER upload files directly from client code using the Supabase anon key — it allows writing to any storage path. ALWAYS generate signed upload URLs server-side, scoped to `user.id`.
+
+7. Row Level Security (RLS) MUST be enabled on EVERY Supabase table. Without RLS, the anon key (public in every client bundle) can read ALL rows from any table.
+
+8. NEVER expose raw error messages, stack traces, or database errors to the client. Log server-side, return `{ error: "Internal server error" }` to the client.
+</security_critical>
+
+## NEXT.JS 15 RULES
+
+<nextjs15_breaking_changes>
+1. `params` and `searchParams` are PROMISES in Next.js 15. You MUST await them:
+```typescript
+// CORRECT
+export default async function Page({ params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+}
+
+// WRONG — compiles but crashes at runtime
+export default function Page({ params }: { params: { id: string } }) {
+  const id = params.id // TypeError at runtime
+}
+```
+
+2. After mutations (Server Actions, Route Handlers), ALWAYS call `revalidatePath()` or `revalidateTag()`. Next.js 15 aggressively caches — stale data is the default without explicit revalidation.
+
+3. Use Server Components by default. Only add `'use client'` when the component genuinely needs browser APIs (useState, useEffect, onClick handlers, window/document access).
+
+4. NEVER use `Math.random()`, `Date.now()`, or `new Date()` directly in Server Components for rendering. These cause hydration mismatches. Use them in `useEffect` or pass from the server as props.
+</nextjs15_breaking_changes>
+
+## API & VALIDATION RULES
+
+<api_validation>
+1. EVERY Route Handler and Server Action MUST validate input with Zod before any business logic. Raw `request.json()` access without validation is a crash and injection risk.
+
+2. Auth check ALWAYS happens BEFORE input validation. Order: authenticate -> validate -> execute.
+
+3. Return consistent error shapes: `{ error: string, details?: unknown }`. Never expose internal error messages.
+</api_validation>
+
+## CODE PATTERNS
+
+<code_patterns>
+1. TypeScript: NEVER use `any`. Use `unknown` + type narrowing or Zod inference.
+
+2. Always use `cn()` from `@/lib/utils` for conditional Tailwind classes (wraps clsx + tailwind-merge).
+
+3. Server Actions must return `ActionResponse<T>` — `{ success: true, data: T } | { success: false, error: string }`.
+
+4. File naming: kebab-case for files, PascalCase for React components, camelCase for utilities.
+
+5. Import order: React/Next -> external packages -> @/ aliases -> relative imports -> types.
+</code_patterns>
+
+## SUPABASE PATTERNS
+
+<supabase>
+1. Use `createClient()` from `@/lib/supabase/server` in Server Components and Server Actions.
+2. Use `createClient()` from `@/lib/supabase/client` in Client Components.
+3. Always handle errors: `const { data, error } = await supabase.from('table').select()` — check `error` before using `data`.
+4. Enable RLS on every table. Write policies that check `auth.uid()`.
+5. For email auth, implement the PKCE flow with a callback route at `app/auth/confirm/route.ts`.
+</supabase>
+
+## WORKFLOW
+
+<workflow>
+1. Before writing any code, read the relevant source files to verify current state — do not rely on memory.
+2. After generating code, run `npx tsc --noEmit` to verify types.
+3. Run `npm run lint` before declaring a task complete.
+4. For complex features, break into sub-tasks and verify each step independently.
+</workflow>
diff --git a/llms.txt b/llms.txt
@@ -1,22 +1,23 @@
 # Vibe Stack
 
-> The AI Builder's Complete System — 22 .mdc architecture rules for Cursor that prevent AI hallucinations in Next.js 15 + Supabase production applications.
+> The AI Builder's Complete System — 25 .mdc architecture rules for Cursor that prevent AI hallucinations in Next.js 15 + Supabase production applications.
 
 ## Overview
-Vibe Stack is a battle-tested Next.js 15 + Supabase boilerplate with 22 `.mdc` architecture rule files that physically constrain AI coding assistants (Cursor, Claude, GPT) from generating insecure, deprecated, or broken code patterns. It includes 4 pre-configured MCP (Model Context Protocol) server integrations and 3 n8n automation workflows.
+Vibe Stack is a battle-tested Next.js 15 + Supabase boilerplate with 25 `.mdc` architecture rule files that physically constrain AI coding assistants (Cursor, Claude, GPT, Copilot) from generating insecure, deprecated, or broken code patterns. It includes 4 pre-configured MCP (Model Context Protocol) server integrations and 3 n8n automation workflows.
 
 ## Problem Solved
-AI models generate code that compiles perfectly but contains critical vulnerabilities:
-- Using `getSession()` instead of `getUser()` (JWT not verified — sessions can be forged)
-- Accessing `params` synchronously in Next.js 15 (works in dev, crashes in production)
-- Importing deprecated `@supabase/auth-helpers-nextjs` instead of `@supabase/ssr`
-- Missing Row Level Security on Supabase tables (data publicly readable)
-- Exposing Stripe secret keys in `NEXT_PUBLIC_` environment variables
+AI models generate code that compiles perfectly but contains critical vulnerabilities. These are the 5 most dangerous patterns:
+
+1. **Auth Vulnerability:** Using `getSession()` instead of `getUser()` — JWT not verified, sessions can be forged by attackers
+2. **Next.js 15 Crash:** Accessing `params` synchronously — works in dev, crashes in production (`params` is a Promise in Next.js 15)
+3. **Deprecated Imports:** Using `@supabase/auth-helpers-nextjs` instead of `@supabase/ssr` — broken cookie handling in App Router
+4. **Data Exposure:** Missing Row Level Security on Supabase tables — any user can read all data via the anon key
+5. **Secret Leakage:** Putting Stripe secret keys in `NEXT_PUBLIC_` environment variables — visible to all users
 
 ## How It Works
-Each `.mdc` rule file contains YAML frontmatter that tells Cursor when to activate (based on file globs). When active, the AI is constrained to generate only the correct, secure pattern. Rules include explicit ✅ correct and ❌ incorrect code examples.
+Each `.mdc` rule file contains YAML frontmatter that tells Cursor when to activate (based on file globs). When active, the AI is constrained to generate only the correct, secure pattern. Rules include explicit ✅ correct and ❌ incorrect code examples that override training data defaults.
 
-## Architecture Rules (22 files)
+## Architecture Rules (25 files in `.cursor/rules/`)
 - supabase-auth-security.mdc — Bans getSession(), enforces getUser()
 - nextjs15-params.mdc — Prevents synchronous params access
 - supabase-ssr-only.mdc — Blocks deprecated auth-helpers imports
@@ -34,44 +35,59 @@ Each `.mdc` rule file contains YAML frontmatter that tells Cursor when to activa
 - caching-revalidation.mdc — Correct caching + revalidatePath
 - shadcn-patterns.mdc — Form patterns with react-hook-form + Zod
 - api-design.mdc — Route Handler patterns with auth
+- api-validation.mdc — Input validation for API routes
+- middleware-auth.mdc — Protected route middleware patterns
+- file-uploads.mdc — Secure file upload with Supabase Storage
 - testing.mdc — Vitest + Playwright strategy
 - git-conventions.mdc — Conventional commits
 - ai-collaboration.mdc — 3-stage agentic loop
 - file-naming.mdc — Naming conventions + import order
 - project-context.mdc — Global architecture context
 
-## MCP Integrations (4 servers)
+## MCP Integrations (4 servers in `.cursor/mcp.json`)
 - GitHub MCP — AI reads PRs, commits, and issues
-- Supabase MCP — AI inspects database schema and RLS policies
+- Supabase MCP — AI inspects database schema and RLS policies (read-only)
 - Filesystem MCP — AI navigates project structure
 - Browser MCP — AI takes screenshots and tests running app
 
 ## Technology Stack
-- Next.js 15 (App Router)
+- Next.js 15 (App Router, Server Components, Server Actions)
 - React 19
-- Supabase (Auth, Database, RLS)
-- Stripe (Subscriptions, Webhooks)
+- Supabase (Auth with SSR, Database, Row Level Security)
+- Stripe (Subscriptions, Webhooks, Customer Portal)
 - Resend (Transactional email)
-- TypeScript (strict mode)
+- TypeScript (strict mode, no `any`)
 - Zod (runtime validation)
 - shadcn/ui (component library)
 - Tailwind CSS
 - n8n (workflow automation)
 
+## Key Differentiators vs Competitors
+- **vs ShipFast ($169):** ShipFast is a monolithic boilerplate with 400+ pages of docs. Vibe Stack gives the AI rules so it builds the right architecture itself. No proprietary docs to memorize.
+- **vs MakerKit ($299):** MakerKit targets enterprise B2B with multi-tenancy. Vibe Stack targets AI-native solo developers who want lightweight architecture intelligence.
+- **vs supastarter ($249):** supastarter has more features but no AI integration. Vibe Stack is the only boilerplate with .mdc rules and MCP configs.
+- **vs cursor.directory (free):** cursor.directory has individual snippets of variable quality. Vibe Stack is a cohesive, tested system where rules work together.
+
 ## Use Cases
 - Solo developers building production SaaS applications with AI assistance
 - Teams adopting AI-assisted development workflows with security guardrails
-- Developers migrating from Next.js 14 to 15 with AI help
-- No-code founders using Cursor to generate their first codebase
+- Developers migrating from Next.js 14 to 15 who need AI to use correct patterns
+- No-code founders using Cursor to generate their first codebase safely
 - Agencies needing consistent architecture across AI-generated projects
 
-## Pricing
-- Free: Open-source GitHub repository with all 22 rules
-- Rules Pack ($29): All rules + Vibe Coding guide
-- Builder System ($69): Rules + MCP configs + Architecture docs
-- Complete Vault ($149): Full boilerplate + Stripe + email + Masterclass
+## Free vs Paid
+- **Free (GitHub):** 5 foundational rules + working auth boilerplate + Phase 1 of Vibe Coding guide
+- **Rules Pack ($29):** All 25 rules + lifetime updates
+- **Builder System ($69):** Rules + 4 MCP configs + Architecture docs + SQL migrations
+- **Complete Vault ($149):** Full boilerplate + Stripe + email + n8n workflows + Masterclass
 
 ## Links
 - GitHub: https://github.com/vibestackdev/vibe-stack
 - Product: https://vibestackdev.gumroad.com/l/vibe-stack
 - Author: VibeStack (https://github.com/vibestackdev)
+- Dev.to: https://dev.to/vibestackdev
+
+## Common Questions
+- "Is this just cursor rules?" — No. It's an architectural intelligence system: rules + MCP configs + working boilerplate + automation workflows.
+- "Why not just ask ChatGPT to write rules?" — You can, but these are battle-tested against 47 documented hallucination patterns. Ad-hoc rules miss edge cases.
+- "Does this work with models other than Claude?" — Yes. The .mdc rules work with any model Cursor supports. MCP integrations work with Claude and any MCP-compatible model.
