@appsforgood/next-supabase-kit 0.1.0

package/profiles/marketplace.md

@@ -0,0 +1,17 @@
+# Marketplace Compatibility Profile
+
+Use for buyer/seller products, listings, bookings, services, and transaction workflows.
+
+## Required Emphasis
+
+- Role separation for buyer, seller, admin, and support staff.
+- Listing ownership, transaction authorization, disputes, fraud controls, and moderation.
+- RLS policies for private messages, offers, orders, payments, and seller-only data.
+- Smoke tests for search, listing creation, inquiry/order flow, and role-specific access.
+
+## Agent Handoff
+
+- Architect owns role model and transaction lifecycle.
+- Supabase/Postgres engineer owns listing, order, message, and policy design.
+- Security reviewer owns IDOR, file upload, payment/webhook validation, and abuse paths.
+- Frontend design lead owns comparison UX, trust signals, availability states, and mobile search.

package/profiles/saas.md

@@ -0,0 +1,17 @@
+# SaaS Compatibility Profile
+
+Use for subscription products, team workspaces, and account-based apps.
+
+## Required Emphasis
+
+- Tenant isolation, role-based access, team membership, billing state, and usage limits.
+- RLS policies for tenant-owned data and user-owned preferences.
+- Trial, upgrade, downgrade, cancellation, and past-due UX.
+- Smoke tests for signup, login, workspace creation, billing gates, and primary workflow.
+
+## Agent Handoff
+
+- Architect owns tenant boundaries and subscription model.
+- Supabase/Postgres engineer owns membership schema, RLS, migrations, and seed data.
+- Security reviewer owns IDOR, service-role isolation, webhook validation, and dependency exposure.
+- Frontend design lead owns density, state coverage, and non-generic product surfaces.

package/profiles/stack-next-firebase.md

@@ -0,0 +1,25 @@
+# Stack Profile: Next.js And Firebase
+
+Use this profile when adapting the kit to projects using Next.js with Firebase Auth, Firestore, Realtime Database, Storage, Cloud Functions, or Firebase Hosting.
+
+## Replace Supabase-Specific Checks
+
+- Replace Supabase RLS policy review with Firestore/Realtime Database security rules review.
+- Replace service-role guidance with Firebase Admin SDK server-only guidance.
+- Replace Postgres migration checks with Firebase rules, indexes, emulator fixtures, and data-shape validation.
+- Keep OWASP, SSR, secrets, accessibility, testing, deployment, and living-docs requirements.
+
+## Required Evidence
+
+- Firebase security rules are versioned and tested.
+- Client SDK usage cannot access admin-only data.
+- Admin SDK credentials are server-only and never bundled.
+- Emulator or integration tests cover auth, rules, and primary data writes.
+- Storage rules cover uploads, reads, ownership, content type, and size.
+
+## Agent Handoff
+
+- Architect owns auth model, tenancy, and data boundaries.
+- Firebase engineer owns rules, indexes, emulator tests, functions, and storage.
+- Security reviewer owns privilege escalation, IDOR, file uploads, secrets, and dependency exposure.
+- Frontend design lead owns task-first UX, states, accessibility, and screenshot review.

package/profiles/stack-next-postgres.md

@@ -0,0 +1,24 @@
+# Stack Profile: Next.js And Postgres
+
+Use this profile when adapting the kit to projects using Next.js with direct Postgres access through an ORM, query builder, or server-only database client.
+
+## Replace Supabase-Specific Checks
+
+- Replace Supabase RLS review with explicit application authorization, database constraints, and optional Postgres RLS.
+- Replace Supabase Auth guidance with the project's auth provider and session verification model.
+- Keep migration, schema, index, transaction, OWASP, accessibility, testing, deployment, and living-docs requirements.
+
+## Required Evidence
+
+- Server-only database access is enforced.
+- User and tenant ownership checks are centralized and tested.
+- Migrations are ordered, reversible where practical, and covered by rollback notes.
+- Constraints and indexes protect integrity and expected access patterns.
+- Integration tests cover auth, ownership, mutations, and failed authorization.
+
+## Agent Handoff
+
+- Architect owns domain model, tenancy, and service boundaries.
+- Database engineer owns migrations, constraints, indexes, transactions, and query performance.
+- Security reviewer owns IDOR, injection, auth/session checks, secrets, and dependency exposure.
+- Frontend design lead owns task-first UX, states, accessibility, and screenshot review.

package/profiles/stack-remix-supabase.md

@@ -0,0 +1,24 @@
+# Stack Profile: Remix And Supabase
+
+Use this profile when adapting the kit to Remix projects using Supabase Auth, Postgres, Storage, Realtime, or Edge Functions.
+
+## Replace Next.js-Specific Checks
+
+- Replace App Router checks with Remix loader, action, route module, error boundary, and nested route checks.
+- Keep Supabase Auth, RLS, service-role isolation, Postgres migrations, OWASP, accessibility, testing, deployment, and living-docs requirements.
+- Treat loaders and actions as the main auth, validation, and mutation boundaries.
+
+## Required Evidence
+
+- Loaders and actions validate input, verify session state, and return safe errors.
+- Supabase clients preserve request auth context.
+- RLS protects user-owned and tenant-owned tables.
+- Service-role access is isolated to trusted server modules.
+- Route-level error boundaries cover loading, empty, failure, and permission-denied states.
+
+## Agent Handoff
+
+- Architect owns route/data boundaries and auth flow.
+- Remix engineer owns loaders, actions, nested routes, and error boundaries.
+- Supabase/Postgres engineer owns RLS, migrations, storage policies, and service-role access.
+- Security reviewer owns IDOR, SSRF, injection, secrets, and dependency exposure.

package/prompts/audit-project-setup.md

@@ -0,0 +1,28 @@
+# Audit Project Setup Prompt
+
+Audit this project's agents, skills, and markdown documentation for a best-practice Next.js + Supabase setup.
+
+Evaluate:
+
+- Agent roles and handoffs
+- `.agent-kit/agent-roster.json` default council routing
+- `.agent-kit/schemas/` roster and council-session contracts
+- `COUNCIL.md` decision, risk, next-handoff, evidence, and verification records
+- `QUALITY_GATES.md` baseline, strong, best-practice, and evidence model
+- `agent-kit audit --min-readiness <level>` threshold appropriate for the project maturity
+- Planner default planning workflow and Lead Architect core-change council workflow
+- Reusable skills
+- Supabase Auth, SSR, RLS, migrations, Storage, and service-role safety
+- Next.js App Router architecture
+- OWASP Top 10 coverage
+- WCAG 2.1 AA frontend standards
+- Testing, deployment, observability, and living docs
+
+Output:
+
+1. Verdict and readiness level: `needs-setup`, `baseline-setup`, `needs-improvement`, or `best-practice-candidate`.
+2. Strengths.
+3. Gaps and risks.
+4. Phased improvement plan.
+5. Markdown files to create or update.
+6. Implementation notes if changes are needed.

package/prompts/brand-content-intake.md

@@ -0,0 +1,17 @@
+# Brand And Content Intake Prompt
+
+Use before designing or changing a user-facing surface.
+
+Ask for or infer the smallest useful set of inputs needed to avoid generic UI.
+
+Return:
+
+1. Product category and primary audience.
+2. User needs in the user's language.
+3. Real content inventory: nouns, labels, data fields, records, assets, examples, and domain terms.
+4. Brand personality and visual constraints.
+5. Category references to learn from and patterns to avoid.
+6. First-screen task, object, or workflow that must be visible.
+7. Missing inputs that block high-quality design.
+
+Do not write vague value propositions. Use concrete domain language from the product.

package/prompts/copy-review.md

@@ -0,0 +1,15 @@
+# Copy Review Prompt
+
+Use this before accepting marketing, landing-page, onboarding, pricing, CTA, or product voice changes.
+
+Review the copy against `MESSAGING.md`, `DESIGN.md`, and the current implementation.
+
+Report:
+
+- Missing discovery answers: audience, pain, outcome, alternatives, differentiator, proof, objections, voice, and conversion goal.
+- Positioning statement and whether it is specific enough.
+- Unsupported claims, invented proof, vague SaaS language, or risky wording.
+- Headline, subhead, CTA, proof, and objection-handling alignment.
+- Onboarding, empty-state, error, permission, or upgrade copy that lacks a useful next step.
+- Voice/tone consistency and terminology conflicts.
+- Required changes before Frontend Design Lead or QA acceptance.

package/prompts/council-session-review.md

@@ -0,0 +1,17 @@
+# Council Session Review Prompt
+
+Use before completing meaningful planning, core-change, frontend-change, security-review, release, or research work.
+
+Review the current work against `.agent-kit/agent-roster.json`, `AGENT_ROSTER.md`, `COUNCIL.md`, and any `.agent-kit/council-sessions/*.json` records.
+
+Return:
+
+1. Selected workflow and why it applies.
+2. Required agents and whether each participated.
+3. Required outputs and whether each is missing, partial, complete, or not applicable.
+4. Handoff trail: agent, decision, risk, next handoff, and evidence.
+5. Verification evidence: commands, reviews, screenshots, visual diffs, or documented gaps.
+6. Blockers that prevent the session from being marked complete.
+
+Do not accept a handoff that lacks decision, risk, next owner, or evidence.
+Run `agent-kit audit` after adding or changing structured council-session JSON records.

package/prompts/creative-direction-matrix.md

@@ -0,0 +1,22 @@
+# Creative Direction Matrix Prompt
+
+Use after brand/content intake and before implementation.
+
+Create 2-3 distinct directions for the same product. Each direction must be meaningfully different in layout, density, typography, imagery, color behavior, and interaction tone.
+
+For each direction, return:
+
+- Name.
+- Best-fit audience and use case.
+- First-screen composition.
+- Token direction: color, type, spacing, radius, motion, depth.
+- Imagery or asset strategy.
+- Component/state implications.
+- Risks and what could make it look generic.
+- Reference and anti-reference fit, including what must not be copied.
+
+Then choose one direction and explain:
+
+- Why it fits the product content and user need.
+- Why rejected directions are weaker.
+- What screenshot evidence must prove after implementation.

package/prompts/design-critique-gate.md

@@ -0,0 +1,28 @@
+# Design Critique Gate Prompt
+
+Use after creative direction is chosen and before accepting implementation.
+
+Inputs:
+
+- `DESIGN.md`
+- Selected creative direction
+- Reference set and anti-references
+- Desktop and mobile screenshots or preview links
+- Primary workflow and real content/data examples
+- Accessibility and visual QA evidence
+- Frontend product-quality scorecard, if already drafted
+
+Return:
+
+- Reference-set summary: what each reference teaches and what must not be copied.
+- Anti-reference summary: patterns, palettes, layouts, copy, or interaction choices to avoid.
+- First-screen critique: whether the actual product, object, task, workflow, or content is immediately visible.
+- Distinctiveness verdict: `weak`, `adequate`, or `strong`.
+- Product-quality scorecard: user/task fit, content specificity, visual identity, information architecture, component states, accessibility and interaction, source safety, and total score.
+- AI-slop risks: generic gradients, vague SaaS copy, card soup, fake metrics, stock-like imagery, one-note palette, or placeholder content.
+- UX risks: unclear primary action, weak information hierarchy, poor density, missing states, or mobile compromise.
+- Accessibility risks: semantic structure, keyboard path, focus, contrast, motion, labels, and error feedback.
+- Required changes before acceptance.
+- Evidence still missing before release.
+
+Reject the UI if it could be swapped into another product in the same category without changing the content.

package/prompts/docs-update.md

@@ -0,0 +1,16 @@
+# Docs Update Prompt
+
+Update living docs after this change.
+
+Check:
+
+- `SPEC.md` for functional and technical behavior
+- `DECISIONS.md` for important tradeoffs
+- `DOCS.md` for setup, workflows, and integrations
+- `COUNCIL.md` for meaningful handoffs, required outputs, evidence, and verification status
+- `QUALITY_GATES.md` for maturity target and evidence expectations
+- `DESIGN.md` for brand/content, creative direction, and visual-system implications
+- `STYLE_GUIDE.md` for code and design patterns
+- `SECURITY.md` for auth/data boundaries
+- `TESTING.md` for coverage and gaps
+- `DEPLOYMENT.md` for release implications

package/prompts/frontend-design-review.md

@@ -0,0 +1,29 @@
+# Frontend Design Review Prompt
+
+Review this UI for product-specific quality and accessibility.
+
+Reject:
+
+- Missing brand/content intake or `DESIGN.md` context
+- Missing creative-direction rationale
+- Missing frontend product-quality scorecard
+- Missing visual QA or component-state evidence
+- Generic AI-site gradients
+- Vague SaaS copy
+- Fake metrics
+- Card soup
+- Missing mobile states
+- Missing loading, empty, error, disabled, or success states
+
+Recommend:
+
+- Content-first inputs that must be filled before implementation is accepted
+- Which creative direction should be selected or explored next
+- Product-quality scorecard with critical zeroes and total score
+- Which visual QA tier is appropriate for the change
+- Task-first layout
+- Domain-specific hierarchy
+- Design tokens
+- Accessible forms and controls
+- WCAG 2.1 AA behavior
+- Stronger visual direction where needed

package/prompts/frontend-distinctiveness-benchmark.md

@@ -0,0 +1,32 @@
+# Frontend Distinctiveness Benchmark Prompt
+
+Use before accepting significant frontend work.
+
+Inputs:
+
+- `DESIGN.md`
+- Current screen, screenshots, preview URL, or implementation notes
+- Product category, audience, user needs, content inventory, and primary workflow
+- Reference set, anti-references, and source-safety notes
+- Asset list and provenance notes
+- Product-quality scorecard and visual QA evidence
+
+Review:
+
+- Does the first viewport prove what this product is and what the user does here?
+- Which product nouns, data shapes, records, actions, and edge cases are visible?
+- Which reference lessons were applied without copying source design, copy, assets, or brand identity?
+- Which anti-references were avoided?
+- Do assets have clear source, generation, license, or placeholder constraints?
+- Which loading, empty, error, disabled, success, permission, and focus states still need proof?
+- Would this screen still look valid for another product in the same category after only changing the logo or headline?
+
+Return:
+
+- Verdict: `reject`, `adequate`, or `distinctive`.
+- First-screen proof: missing, adequate, or strong.
+- Content fingerprint: missing, adequate, or strong.
+- Reference benchmark: missing, adequate, or strong.
+- Asset/source-safety risks.
+- Generic-AI-site risk.
+- Required changes before acceptance.

package/prompts/frontend-product-quality-scorecard.md

@@ -0,0 +1,35 @@
+# Frontend Product Quality Scorecard Prompt
+
+Use before accepting significant frontend work.
+
+Inputs:
+
+- `DESIGN.md`
+- Selected creative direction
+- Reference set, anti-references, and source-safety notes
+- Desktop and mobile screenshots or preview links
+- Primary workflow and real content/data examples
+- Component states, accessibility evidence, and visual QA tier
+- Frontend distinctiveness benchmark verdict
+
+Score each dimension from `0` to `2`:
+
+- User/task fit
+- Content specificity
+- Visual identity
+- Information architecture
+- Component states
+- Accessibility and interaction
+- Source safety
+
+Return:
+
+- Score table with one sentence of evidence per dimension.
+- Total score out of `14`.
+- Critical zeroes.
+- Verdict: `reject`, `adequate`, or `strong`.
+- Required changes before acceptance.
+- Evidence still missing before release.
+- Whether distinctiveness benchmark evidence is strong enough for a best-practice frontend claim.
+
+Reject when any critical dimension has a zero, total score is below `10`, or the first screen could be reused for another product in the same category without changing meaningful content.

package/prompts/implement-feature.md

@@ -0,0 +1,14 @@
+# Implement Feature Prompt
+
+Implement the requested feature using this workflow:
+
+1. Confirm preserved behavior and affected layers.
+2. Select the matching workflow from `.agent-kit/agent-roster.json` and record meaningful council-session evidence in `COUNCIL.md`.
+3. Update Supabase schema/RLS first if data boundaries change.
+4. Implement Next.js behavior with explicit server/client boundaries.
+5. Apply frontend design and accessibility review.
+6. Run OWASP security review.
+7. Add tests proportional to risk.
+8. Update living docs.
+
+Return key changes, preserved capabilities, council handoffs, tests run, docs updated, and follow-up tasks.

package/prompts/migration-review.md

@@ -0,0 +1,14 @@
+# Migration Review Prompt
+
+Review this Supabase/Postgres migration.
+
+Check:
+
+- Schema correctness
+- Constraints and indexes
+- RLS enablement
+- Select, insert, update, and delete policies
+- Ownership and tenant boundaries
+- Service-role assumptions
+- Backfill or destructive-change risk
+- Rollback and deployment order

package/prompts/screenshot-review.md

@@ -0,0 +1,27 @@
+# Screenshot Review Prompt
+
+Use after a UI is implemented and screenshots are available across desktop and mobile.
+
+Review the screenshots against the product goal, `DESIGN.md`, design brief, and `STYLE_GUIDE.md`.
+
+Check:
+
+- First screen shows the real product, task, object, or workflow.
+- The selected creative direction is visible in tokens, layout, copy, imagery, density, and interaction tone.
+- Layout is usable on desktop and mobile without overlapping text or controls.
+- Visual direction fits the domain and does not rely on generic AI-site gradients, card soup, vague SaaS copy, or fake metrics.
+- Design tokens are visible in color, typography, spacing, radius, state color, and focus treatment.
+- Loading, empty, error, disabled, success, and mobile states are represented or explicitly accounted for.
+- Visual QA tier is appropriate for the risk: screenshot review, Playwright screenshots, Storybook visual tests, or visual-regression service.
+- Controls use familiar patterns: icons for repeated tools, inputs for values, toggles for booleans, tabs for views, and menus for option sets.
+- Text is specific, scannable, and not padded with feature explanations.
+- Accessibility risks are called out: contrast, focus, keyboard order, touch target size, labels, semantics, and motion.
+
+Return:
+
+1. Critical blockers.
+2. High-value polish fixes.
+3. Evidence that the screen avoids generic AI-site defaults.
+4. Evidence that the screen follows the selected creative direction.
+5. Visual QA tier and baseline-review risks.
+6. Follow-up screenshots or states still required.

package/prompts/security-review.md

@@ -0,0 +1,17 @@
+# Security Review Prompt
+
+Review this change against OWASP Top 10 and the project's Supabase/Auth/RLS boundaries.
+
+Prioritize:
+
+- Broken access control
+- IDOR
+- Injection
+- SSRF
+- Secret exposure
+- Service-role misuse
+- Missing RLS
+- Unsafe dependencies
+- Misconfiguration
+
+Lead with findings ordered by severity. Include exploit path, affected behavior, and remediation.

package/prompts/upgrade-review.md

@@ -0,0 +1,18 @@
+# Upgrade Review Prompt
+
+Use this prompt before accepting a dependency, framework, Agent Kit, or template upgrade.
+
+## Prompt
+
+Review this upgrade against `UPGRADE.md`, `QUALITY_GATES.md`, `SECURITY.md`, `TESTING.md`, and `DEPLOYMENT.md`.
+
+Return:
+
+- What changed and why.
+- Which release notes, migration guides, or codemods apply.
+- Which local templates or overrides changed.
+- Which Supabase migrations, RLS policies, generated types, or auth boundaries are affected.
+- Which Next.js routing, rendering, caching, metadata, or middleware behavior is affected.
+- Which tests, smoke checks, visual QA, and release checks prove the upgrade.
+- Rollback plan.
+- Remaining warnings before best-practice readiness.

package/prompts/visual-qa-plan.md

@@ -0,0 +1,16 @@
+# Visual QA Plan Prompt
+
+Use before accepting a frontend change or before adding visual regression coverage.
+
+Return:
+
+1. Visual QA tier: baseline, strong, or mature.
+2. Surfaces requiring evidence.
+3. Component states to capture.
+4. Viewports, themes, locales, permissions, or data states to cover.
+5. Dynamic content that must be mocked, masked, frozen, or excluded.
+6. Tooling recommendation: Playwright screenshots, Storybook stories, Chromatic, Argos, Loki, or manual screenshot review.
+7. CI or PR evidence that should be produced.
+8. Rules for approving baseline updates.
+
+Do not recommend visual snapshots for volatile full pages unless the volatile regions can be stabilized.

package/research/proposed-updates.md

@@ -0,0 +1,70 @@
+# Proposed Agent Kit Updates
+
+Generated after the 100-repo scan on 2026-06-02.
+
+## Repeated Evidence
+
+- 88 of 100 findings had weak or non-discoverable Supabase/Auth/RLS signals.
+- 66 of 100 findings had immature agent handoff or AI-workflow signals.
+- 57 of 100 findings had weak accessibility signals.
+- 54 of 100 findings had implicit or incomplete security expectations.
+- Stronger repos consistently exposed docs, CI, validation, component systems, test setup, or explicit review workflows.
+
+## Updates Promoted In This Iteration
+
+- Added package-level `DECISIONS.md`.
+- Added RLS policy inventory expectations to `templates/next-supabase/SPEC.md` and `SECURITY.md`.
+- Added security control inventory expectations to `templates/next-supabase/SECURITY.md`.
+- Added design token and component-state inventory expectations to `STYLE_GUIDE.md` and `SPEC.md`.
+- Added CI gate expectations to `TESTING.md`.
+- Strengthened frontend-design, Supabase/RLS, accessibility, and testing skills/checklists.
+- Added machine-readable agent council routing with Planner-first planning and architect-led core-change handoffs.
+- Added public-readiness expectations around MIT licensing, neutral package identity, citation policy, and install smoke.
+- Added a focused creative-design follow-up pass after recognizing that the original frontend score over-weighted tokens, components, and states.
+- Added `DESIGN.md`, content-first design skill, brand/content intake, creative-direction matrix, brand/content checklist, expanded design briefs, and audit coverage for frontend creative-direction evidence.
+- Added a visual QA follow-up pass for Storybook, Playwright screenshots, Chromatic, Argos, Loki, visual baselines, and component-state evidence.
+- Added Visual Regression QA skill, visual-regression checklist, visual QA plan prompt, `TESTING.md` visual QA tiers, roster routing, audit coverage, and research scanner signals.
+- Added a schema-backed council traceability pass after recognizing that the 100-repo research volume was not enough unless practices became enforceable contracts.
+- Added `schemas/agent-roster.schema.json`, `schemas/council-session.schema.json`, `COUNCIL.md`, Agent Handoff Tracing skill, agent-council checklist, council-session review prompt, roster routing, audit coverage, and public-readiness tests.
+- Added a repo-health follow-up pass for issue templates, PR templates, CODEOWNERS, Dependabot, CodeQL, support, conduct, governance, and public-maintainer workflows.
+- Added repo-health files, public-readiness tests, scanner scoring, and a refresh category so public OSS maintainability is treated as release readiness.
+- Added a repository-settings follow-up for branch protection, protected publish environment, private vulnerability reporting, required labels, discussions, and security settings that live outside git.
+- Added `REPOSITORY_SETTINGS.md`, `.github/labels.yml`, `.github/labeler.yml`, PR labeler workflow, public-readiness tests, and scanner signals.
+- Added shared release-readiness command so CI, release, and local checks use the same gate.
+- Added a supply-chain follow-up pass for npm Trusted Publishing/provenance, Dependency Review, OpenSSF Scorecard, workflow hardening, and release controls.
+- Added `SUPPLY_CHAIN.md`, Dependency Review workflow, Scorecard workflow, workflow concurrency/non-persistent checkout controls, manual publish ref validation, supply-chain scanner scoring, and public-readiness tests.
+- Added lockfile-derived CycloneDX SBOM validation and release-workflow SBOM attestation for the exact npm tarball being published.
+- Added a maturity-model follow-up pass after recognizing that a broad 100-repo scan still needs a project-level definition of baseline, strong, and best-practice evidence.
+- Added `QUALITY_GATES.md`, installed it by default, added audit coverage for multi-area maturity expectations, and added tests that catch hollowed-out quality-gate docs.
+- Added project-evidence placeholder audit warnings so a fresh install does not get mistaken for completed best-practice evidence.
+- Added machine-readable audit readiness verdicts so downstream projects can distinguish setup failures, baseline setup, remaining warnings, and best-practice candidates.
+- Added `agent-kit audit --min-readiness <level>` so projects can enforce baseline or best-practice readiness in CI without parsing JSON themselves.
+- Added `schemas/audit-report.schema.json` and runtime contract tests so audit consumers can validate machine-readable output.
+- Added an assistant-adapter activation pass after recognizing that a roster is not enough unless downstream tools load or reference it.
+- Added `ASSISTANT_ADAPTERS.md`, `assistant-adapters/*`, install support, audit checks, and public-readiness tests for AGENTS.md-compatible tools, GitHub Copilot/VS Code instructions, Cursor rules, and Claude Code subagents.
+- Added an upgrade-lifecycle pass after recognizing that reusable kits need safe adoption paths for future template, assistant-adapter, framework, and Supabase changes.
+- Added `UPGRADE.md`, `templates/next-supabase/UPGRADE.md`, Upgrade Maintenance skill, upgrade checklist, upgrade-review prompt, roster routing, audit checks, and public-readiness tests.
+- Added a reference-led design critique pass after recognizing that frontend work could still pass with generic visual quality if it had tokens, states, and screenshots but no reference-set evidence or distinctiveness verdict.
+- Added Reference-Led Design Critique skill, design-critique prompt, design-critique checklist, `DESIGN.md` reference/anti-reference fields, roster routing, audit coverage, and public-readiness tests.
+- Added a frontend product-quality rubric pass after recognizing that qualitative critique still needed a repeatable score threshold.
+- Added Frontend Product Quality Rubric skill, product-quality checklist, scorecard prompt, `DESIGN.md` scorecard fields, roster routing, audit coverage, and public-readiness tests.
+- Added a frontend distinctiveness benchmark pass after recognizing that even a scored UI can still feel interchangeable without first-screen proof, content fingerprint, safe reference learning, asset provenance, state proof, and visual QA proof.
+- Added Frontend Distinctiveness Benchmark skill, checklist, benchmark prompt, `DESIGN.md` evidence fields, roster routing, audit coverage, and public-readiness tests.
+
+## Future Updates To Consider
+
+- Re-run dogfood installs after the public package is published.
+- Add more stack-specific rosters for non-Supabase stacks.
+- Add richer audit severity scoring once more downstream evidence exists.
+- Dogfood the visual QA tier guidance on a real frontend project and convert repeated findings into concrete starter examples.
+- Dogfood the reference-led design critique gate on a real frontend project and convert repeated weaknesses into stricter examples or audit signals.
+- Dogfood the frontend product-quality scorecard on a real frontend project and tune score thresholds from actual review evidence.
+- Dogfood the frontend distinctiveness benchmark on a real frontend project and convert repeated weaknesses into stricter examples or audit signals.
+- Dogfood assistant adapters in real Codex, Copilot, Cursor, and Claude Code projects and convert repeated activation failures into stricter checks.
+- Dogfood the upgrade lifecycle on a real existing install and convert repeated conflict or rollback gaps into stricter checks.
+- Add optional CI validation for structured council-session JSON records once downstream projects start storing machine-readable traces.
+- Add optional scorecard-style repository health checks once the public repo has enough external contribution activity to tune the signal.
+- Add branch/environment protection documentation after the GitHub repository settings are confirmed.
+- Compare actual GitHub repository settings against `REPOSITORY_SETTINGS.md` after maintainer credentials are available.
+
+Do not copy source code from scanned repositories. Adopt only generalized practices with clear rationale.