chore: add security doc, comparison page, tailwind config, agents guide

Author: vibestackdev

AGENTS.md

@@ -0,0 +1,131 @@
+# AGENTS.md — AI Coding Agent Instructions
+
+> This file provides project context and instructions for AI coding agents (Cursor, Claude, Copilot, Windsurf, Cline) working within this codebase.
+
+## Project Overview
+
+**Vibe Stack** is a production-ready Next.js 15 + Supabase boilerplate designed for AI-assisted development. It includes 22 `.mdc` architecture rule files that constrain AI models to generate secure, modern, production-grade code.
+
+### Tech Stack
+- **Framework:** Next.js 15 (App Router, Server Components, Server Actions)
+- **Runtime:** React 19
+- **Database & Auth:** Supabase (PostgreSQL, Auth with SSR, Row Level Security)
+- **Payments:** Stripe (Checkout Sessions, Webhooks, Customer Portal)
+- **Email:** Resend (transactional email with HTML templates)
+- **Validation:** Zod (runtime validation at every boundary)
+- **Styling:** Tailwind CSS + shadcn/ui
+- **Language:** TypeScript (strict mode, no `any`)
+
+### Architecture Principles
+1. **Server Components by default** — Only use `'use client'` when hooks or event handlers are required
+2. **`getUser()` over `getSession()`** — Server-side auth MUST use `getUser()` for JWT verification
+3. **`@supabase/ssr` only** — Never import from the deprecated `@supabase/auth-helpers-nextjs`
+4. **Zod at every boundary** — All user input validated before processing
+5. **RLS on every table** — Row Level Security is mandatory, never optional
+
+## Directory Structure
+
+```
+src/
+├── app/                    # Next.js App Router pages and layouts
+│   ├── (auth)/             # Auth route group (login, signup)
+│   │   ├── actions.ts      # Auth server actions with Zod validation
+│   │   ├── login/page.tsx  # Login page (Server Component)
+│   │   └── signup/page.tsx # Signup page (Server Component)
+│   ├── auth/confirm/       # PKCE email verification callback
+│   ├── dashboard/          # Protected pages (requires auth)
+│   ├── api/webhooks/       # External webhook handlers (Stripe)
+│   ├── layout.tsx          # Root layout (fonts, metadata, dark mode)
+│   ├── page.tsx            # Landing page
+│   ├── loading.tsx         # Global loading state
+│   ├── error.tsx           # Global error boundary
+│   └── not-found.tsx       # Custom 404
+├── lib/                    # Business logic & integrations
+│   ├── supabase/           # Server + Client factories + middleware helper
+│   ├── stripe/             # Checkout session + customer portal helpers
+│   ├── email/              # Resend email templates (welcome, password reset)
+│   ├── env.ts              # Type-safe environment variable access
+│   └── utils.ts            # cn() helper and general utilities
+├── types/                  # Shared TypeScript types
+│   └── index.ts            # ActionResponse<T>, UserProfile, PaginatedResponse
+└── middleware.ts            # Session refresh entry point
+
+.cursor/
+├── rules/                  # 22 .mdc architecture rules (auto-loaded by Cursor)
+└── mcp.json                # 4 MCP server configurations
+
+docs/
+├── VIBE-CODING.md          # The 3-stage agentic loop framework
+├── ARCHITECTURE.md         # 8 Architecture Decision Records
+└── MCP-SETUP.md            # MCP server setup guide
+
+n8n-workflows/              # 3 importable n8n automation templates
+```
+
+## Key Patterns
+
+### Server Actions
+All mutations use Server Actions with this pattern:
+```typescript
+'use server'
+import { z } from 'zod'
+import { createClient } from '@/lib/supabase/server'
+
+const schema = z.object({ /* fields */ })
+
+export async function myAction(formData: FormData): Promise<ActionResponse<T>> {
+  const parsed = schema.safeParse(Object.fromEntries(formData))
+  if (!parsed.success) return { error: 'Validation failed' }
+  
+  const supabase = await createClient()
+  const { data: { user } } = await supabase.auth.getUser()
+  if (!user) return { error: 'Not authenticated' }
+  
+  // ... business logic
+  return { data: result }
+}
+```
+
+### Auth Check Pattern
+```typescript
+// ALWAYS use this pattern in Server Components and Server Actions
+const supabase = await createClient()
+const { data: { user }, error } = await supabase.auth.getUser()
+if (error || !user) redirect('/login')
+```
+
+### Environment Variables
+- `NEXT_PUBLIC_*` — Safe to expose to client (Supabase URL, app URL)
+- Everything else — Server-only (Stripe secret, Supabase service role, Resend key)
+- Access via `src/lib/env.ts` for type safety
+
+## Rules System
+
+The `.cursor/rules/` directory contains 22 `.mdc` files that auto-activate based on file globs. These rules override AI training data defaults to prevent:
+- Insecure auth patterns (`getSession()` → `getUser()`)
+- Deprecated package imports
+- Next.js 15 breaking changes (async params)
+- Missing RLS policies
+- Client-side Stripe usage
+- Hydration mismatches
+- N+1 query patterns
+
+When adding new features, the AI should read and follow all applicable rules automatically.
+
+## MCP Integrations
+
+4 MCP servers are pre-configured in `.cursor/mcp.json`:
+- **GitHub MCP** — Read repos, PRs, issues, commits
+- **Supabase MCP** — Inspect database schema and RLS policies (read-only)
+- **Filesystem MCP** — Navigate project structure
+- **Browser MCP** — Take screenshots and test the running app
+
+## Contributing
+
+When adding new features:
+1. Follow the 3-stage agentic loop: Plan → Implement (in batches) → Verify
+2. Check applicable `.mdc` rules before writing code
+3. Use Server Components by default
+4. Validate all input with Zod
+5. Add RLS policies for any new tables
+6. Use conventional commits (`feat:`, `fix:`, `docs:`)

SECURITY.md

@@ -0,0 +1,95 @@
+# Security Guide
+
+Vibe Stack enforces security at the architecture level through `.mdc` rules that physically prevent AI coding assistants from generating insecure patterns.
+
+## Security Rules Included
+
+### Authentication Security
+| Rule | Threat Prevented |
+|---|---|
+| `supabase-auth-security.mdc` | **JWT forgery** — `getSession()` accepts unverified tokens; `getUser()` cryptographically verifies every JWT |
+| `supabase-ssr-only.mdc` | **Deprecated auth** — blocks `@supabase/auth-helpers-nextjs` which mishandles App Router cookies |
+| `middleware-auth.mdc` | **Silent session expiry** — enforces `updateSession()` middleware to refresh tokens |
+
+### Data Security
+| Rule | Threat Prevented |
+|---|---|
+| `supabase-rls.mdc` | **Data exposure** — every table must have RLS policies; without them, the anon key reads all data |
+| `database-design.mdc` | **Schema vulnerabilities** — enforces UUID primary keys, proper foreign key constraints, and audit columns |
+| `env-management.mdc` | **Secret leakage** — classifies env vars and prevents `NEXT_PUBLIC_` exposure of secrets |
+
+### Input Validation
+| Rule | Threat Prevented |
+|---|---|
+| `typescript-strict.mdc` | **Type bypass** — bans `any`, enforces Zod schemas at every input boundary |
+| `server-actions.mdc` | **Injection attacks** — all Server Action inputs must pass Zod validation before processing |
+| `api-validation.mdc` | **Malformed requests** — Route Handler inputs validated and sanitized |
+
+### Payment Security
+| Rule | Threat Prevented |
+|---|---|
+| `stripe-payments.mdc` | **PCI liability** — forces Stripe Checkout (never custom card forms); requires webhook signature verification |
+
+### Application Security
+| Rule | Threat Prevented |
+|---|---|
+| `security.mdc` | **OWASP Top 10** — rate limiting, CSRF protection, XSS prevention, secure headers |
+| `hydration-safety.mdc` | **Hydration attacks** — prevents client/server mismatches that expose internal state |
+| `file-uploads.mdc` | **Malicious uploads** — file type validation, size limits, secure Supabase Storage patterns |
+
+## Security Architecture
+
+### The Secure Auth Flow
+```
+User submits login form
+  → Server Action validates input with Zod
+    → supabase.auth.signInWithPassword()
+      → Supabase issues JWT (cookie-based, httpOnly)
+        → Middleware refreshes token on every request
+          → Server Components verify with getUser() (NEVER getSession())
+```
+
+### Why `getUser()` is Non-Negotiable
+
+`getSession()` reads the JWT from cookies and trusts it at face value. An attacker can:
+1. Craft a fake JWT with any `user_id`
+2. Set it as a cookie
+3. `getSession()` will return it as a valid session
+
+`getUser()` sends the JWT to Supabase's auth server for cryptographic verification. If the token is forged, tampered, or expired, it returns an error.
+
+**Every AI model defaults to `getSession()` because the training data contains years of pre-2024 tutorials.** Our rule overrides this default.
+
+### Row Level Security Pattern
+
+Every table in the `public` schema must follow this pattern:
+
+```sql
+-- 1. Create the table
+CREATE TABLE public.projects (
+  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+  user_id UUID REFERENCES auth.users(id) ON DELETE CASCADE NOT NULL,
+  name TEXT NOT NULL,
+  created_at TIMESTAMPTZ DEFAULT now()
+);
+
+-- 2. Enable RLS (MANDATORY)
+ALTER TABLE public.projects ENABLE ROW LEVEL SECURITY;
+
+-- 3. Create policies
+CREATE POLICY "Users can only access own projects"
+  ON public.projects FOR ALL
+  USING (auth.uid() = user_id);
+```
+
+Without step 2, any user with the `anon` key can read ALL rows in the table.
+
+## Reporting Vulnerabilities
+
+If you discover a security vulnerability in Vibe Stack, please [open a private issue](https://github.com/vibestackdev/vibe-stack/security/advisories/new) or email security concerns directly.
+
+Do NOT open a public issue for security vulnerabilities.
+
+---
+
+*Vibe Stack security rules are updated whenever Next.js, Supabase, or Stripe release security-relevant changes. All paid tiers include lifetime updates.*

docs/COMPARISON.md

@@ -0,0 +1,93 @@
+# Vibe Stack vs Other Boilerplates
+
+A detailed, honest comparison of Vibe Stack against the major Next.js/Supabase boilerplates.
+
+> **Our philosophy:** Other boilerplates sell you a locked box of code and 400 pages of docs. Vibe Stack gives your AI the intelligence to build the right architecture from scratch.
+
+---
+
+## The Fundamental Difference
+
+| Approach | Traditional Boilerplate | Vibe Stack |
+|---|---|---|
+| **What you get** | A giant codebase you must learn | Architecture rules your AI follows |
+| **Learning curve** | Read 200-400 pages of docs | Clone, open in Cursor, start building |
+| **Customization** | Deviate from the "happy path" and things break | Rules adapt to YOUR architecture |
+| **AI compatibility** | AI doesn't know their conventions | AI reads `.mdc` rules automatically |
+| **Updates** | Merge conflicts when upgrading | Drop in new rule files — zero conflicts |
+
+---
+
+## Feature-by-Feature Comparison
+
+| Feature | Vibe Stack ($149) | ShipFast ($169) | supastarter ($249) | MakerKit ($299) |
+|---|:---:|:---:|:---:|:---:|
+| **AI Architecture Rules** | ✅ 25 rules | ❌ | ❌ | ❌ |
+| **MCP Server Configs** | ✅ 4 servers | ❌ | ❌ | ❌ |
+| **AGENTS.md** | ✅ | ❌ | ✅ | ❌ |
+| **n8n Automations** | ✅ 3 workflows | ❌ | ❌ | ❌ |
+| **Next.js 15 Support** | ✅ | ✅ | ✅ | ✅ |
+| **React 19** | ✅ | ✅ | ✅ | ✅ |
+| **Supabase Auth (SSR)** | ✅ (getUser) | ✅ | ✅ | ✅ |
+| **Stripe Payments** | ✅ | ✅ | ✅ | ✅ |
+| **Email (Resend)** | ✅ | ✅ | ✅ | ✅ |
+| **Multi-tenancy** | ❌ | ❌ | ✅ | ✅ |
+| **Internationalization** | ❌ | ❌ | ✅ | ✅ |
+| **Admin Dashboard** | Basic | ✅ | ✅ | ✅ |
+| **Blog/CMS** | ❌ | ✅ | ✅ | ✅ |
+| **Documentation Size** | 3 short docs | 400+ pages | 300+ pages | 200+ pages |
+| **Time to Understand** | 20 minutes | 3-4 hours | 2-3 hours | 1-2 days |
+| **Free Tier** | ✅ (5 rules) | ❌ | ❌ | ❌ |
+
+---
+
+## When to Choose Each
+
+### Choose **Vibe Stack** if:
+- You're building with AI (Cursor, Claude, Copilot) and want guardrails
+- You want to understand and control your architecture, not inherit someone else's
+- You prefer lightweight foundations over feature-heavy monoliths
+- You want your AI to read GitHub PRs and inspect your database (MCP)
+- You're a solo developer who ships fast
+
+### Choose **ShipFast** if:
+- You want a complete, opinionated SaaS template out of the box
+- You're comfortable reading extensive documentation
+- You don't use AI coding tools heavily
+- You need SEO pages, blog, and admin panel from day one
+
+### Choose **supastarter** if:
+- You need multi-tenancy and team/organization features
+- You need internationalization (i18n)
+- You're building a B2B SaaS with complex access control
+- You have budget for a premium price point
+
+### Choose **MakerKit** if:
+- You need the most feature-complete solution available
+- You're building an enterprise-grade product
+- You need extensive customization documentation
+- Budget is not a primary constraint
+
+---
+
+## The AI-Native Advantage
+
+Here's what happens when you ask Cursor to "add a settings page with profile editing" in each boilerplate:
+
+**In ShipFast/MakerKit:**
+1. The AI doesn't know their conventions
+2. It generates patterns that conflict with their architecture
+3. You spend 30 minutes fixing the integration
+4. You read docs to understand what went wrong
+
+**In Vibe Stack:**
+1. The AI reads the `.mdc` rules automatically
+2. It knows to use Server Components, `getUser()`, and Zod validation
+3. The generated code follows your project's architecture correctly
+4. You review and ship — 5 minutes total
+
+This is the core insight: **Traditional boilerplates were designed for humans to read. Vibe Stack was designed for AI to read.**
+
+---
+
+*Last updated: April 2026. We regularly review competitor offerings to keep this comparison accurate.*

postcss.config.js

@@ -0,0 +1,6 @@
+module.exports = {
+  plugins: {
+    tailwindcss: {},
+    autoprefixer: {},
+  },
+}

src/app/layout.tsx

@@ -20,7 +20,7 @@ export const metadata: Metadata = {
   openGraph: {
     title: 'Vibe Stack — AI-Powered Next.js Boilerplate',
     description:
-      'Ship production apps in hours, not months. 15 battle-tested AI rules prevent hallucinations.',
+      'Ship production apps in hours, not months. 22 battle-tested AI architecture rules prevent hallucinations.',
     type: 'website',
   },
 }

tailwind.config.ts

@@ -0,0 +1,53 @@
+import type { Config } from 'tailwindcss'
+
+const config: Config = {
+  darkMode: 'class',
+  content: [
+    './src/app/**/*.{ts,tsx}',
+    './src/components/**/*.{ts,tsx}',
+    './src/lib/**/*.{ts,tsx}',
+  ],
+  theme: {
+    extend: {
+      colors: {
+        border: 'hsl(var(--border))',
+        input: 'hsl(var(--input))',
+        ring: 'hsl(var(--ring))',
+        background: 'hsl(var(--background))',
+        foreground: 'hsl(var(--foreground))',
+        primary: {
+          DEFAULT: 'hsl(var(--primary))',
+          foreground: 'hsl(var(--primary-foreground))',
+        },
+        secondary: {
+          DEFAULT: 'hsl(var(--secondary))',
+          foreground: 'hsl(var(--secondary-foreground))',
+        },
+        destructive: {
+          DEFAULT: 'hsl(var(--destructive))',
+          foreground: 'hsl(var(--destructive-foreground))',
+        },
+        muted: {
+          DEFAULT: 'hsl(var(--muted))',
+          foreground: 'hsl(var(--muted-foreground))',
+        },
+        accent: {
+          DEFAULT: 'hsl(var(--accent))',
+          foreground: 'hsl(var(--accent-foreground))',
+        },
+        card: {
+          DEFAULT: 'hsl(var(--card))',
+          foreground: 'hsl(var(--card-foreground))',
+        },
+      },
+      borderRadius: {
+        lg: 'var(--radius)',
+        md: 'calc(var(--radius) - 2px)',
+        sm: 'calc(var(--radius) - 4px)',
+      },
+    },
+  },
+  plugins: [],
+}
+
+export default config