npm - autoworkflow - Versions diffs - 3.9.1 → 3.11.0 - Mend

autoworkflow 3.9.1 → 3.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/.claude/hooks/logger.sh +318 -0
package/.claude/hooks/phase-transition.sh +12 -0
package/.claude/hooks/post-bash-router.sh +9 -2
package/.claude/hooks/post-edit.sh +12 -0
package/.claude/hooks/pre-commit-check.sh +10 -0
package/.claude/hooks/pre-tool-router.sh +10 -1
package/.claude/hooks/session-check.sh +13 -1
package/.claude/settings.json +10 -15
package/.claude/settings.local.json +7 -1
package/.claude/skills/nextjs.md +2730 -0
package/CLAUDE.md +36 -0
package/bin/cli.js +67 -1
package/package.json +1 -1

package/.claude/skills/nextjs.md ADDED Viewed

@@ -0,0 +1,2730 @@
+# Next.js Master Skill
+> Comprehensive Next.js 14/15 expertise for production-grade applications.
+> This skill covers App Router, Server Components, Server Actions, and advanced patterns.
+---
+## Table of Contents
+1. [Architecture Fundamentals](#architecture-fundamentals)
+2. [Server vs Client Components](#server-vs-client-components)
+3. [Data Fetching Patterns](#data-fetching-patterns)
+4. [Caching Strategies](#caching-strategies)
+5. [Server Actions](#server-actions)
+6. [Route Handlers (API)](#route-handlers-api)
+7. [Middleware](#middleware)
+8. [Streaming & Suspense](#streaming--suspense)
+9. [Error Handling](#error-handling)
+10. [Metadata & SEO](#metadata--seo)
+11. [Authentication Patterns](#authentication-patterns)
+12. [Database Integration](#database-integration)
+13. [Performance Optimization](#performance-optimization)
+14. [Security Best Practices](#security-best-practices)
+15. [Testing Strategies](#testing-strategies)
+16. [Deployment](#deployment)
+17. [Anti-Patterns to Avoid](#anti-patterns-to-avoid)
+18. [File Structure Conventions](#file-structure-conventions)
+---
+## Architecture Fundamentals
+### App Router Structure (Next.js 13+)
+```
+app/
+├── layout.tsx              # Root layout (required)
+├── page.tsx                # Home page (/)
+├── loading.tsx             # Loading UI
+├── error.tsx               # Error boundary
+├── not-found.tsx           # 404 page
+├── global-error.tsx        # Root error boundary
+├── template.tsx            # Re-renders on navigation
+├── default.tsx             # Parallel route fallback
+│
+├── (marketing)/            # Route group (no URL impact)
+│   ├── layout.tsx
+│   ├── about/page.tsx
+│   └── contact/page.tsx
+│
+├── dashboard/
+│   ├── layout.tsx
+│   ├── page.tsx
+│   ├── @analytics/         # Parallel route (named slot)
+│   │   └── page.tsx
+│   ├── @team/              # Another parallel route
+│   │   └── page.tsx
+│   └── settings/
+│       └── page.tsx
+│
+├── blog/
+│   ├── page.tsx            # /blog
+│   ├── [slug]/             # Dynamic segment
+│   │   └── page.tsx        # /blog/my-post
+│   └── [...catchAll]/      # Catch-all segment
+│       └── page.tsx        # /blog/2024/01/post
+│
+├── api/                    # Route Handlers
+│   └── webhook/
+│       └── route.ts
+│
+└── _components/            # Private folder (not routed)
+    └── shared.tsx
+```
+### Route Segment Config
+```typescript
+// Any page.tsx, layout.tsx, or route.ts
+export const dynamic = 'auto' | 'force-dynamic' | 'error' | 'force-static'
+export const dynamicParams = true | false
+export const revalidate = false | 0 | number
+export const fetchCache = 'auto' | 'default-cache' | 'only-cache' | 'force-cache' | 'force-no-store' | 'default-no-store' | 'only-no-store'
+export const runtime = 'nodejs' | 'edge'
+export const preferredRegion = 'auto' | 'global' | 'home' | string | string[]
+export const maxDuration = number
+```
+---
+## Server vs Client Components
+### Decision Matrix
+| Feature | Server Component | Client Component |
+|---------|------------------|------------------|
+| Fetch data | ✅ Direct DB/API access | ❌ Needs API route |
+| Access backend resources | ✅ Filesystem, DB | ❌ No |
+| Keep secrets secure | ✅ Never sent to client | ❌ Exposed |
+| Reduce bundle size | ✅ Zero JS | ❌ Adds to bundle |
+| useState/useEffect | ❌ No | ✅ Yes |
+| Event handlers (onClick) | ❌ No | ✅ Yes |
+| Browser APIs | ❌ No | ✅ Yes |
+| Custom hooks with state | ❌ No | ✅ Yes |
+| React Context | ❌ No | ✅ Yes |
+### Server Component (Default)
+```typescript
+// app/dashboard/page.tsx
+// NO "use client" directive = Server Component
+import { db } from '@/lib/db'
+import { headers, cookies } from 'next/headers'
+export default async function DashboardPage() {
+  // Direct database access - no API needed
+  const user = await db.user.findUnique({
+    where: { id: cookies().get('userId')?.value }
+  })
+  // Access request headers
+  const headersList = headers()
+  const userAgent = headersList.get('user-agent')
+  // Environment variables (including secrets)
+  const apiKey = process.env.SECRET_API_KEY // Safe - never sent to client
+  return (
+    <div>
+      <h1>Welcome, {user?.name}</h1>
+      <ClientInteractiveSection initialData={user} />
+    </div>
+  )
+}
+```
+### Client Component
+```typescript
+'use client'
+// MUST be first line (before imports)
+// This directive marks the boundary - all imports become client components
+import { useState, useEffect, useTransition } from 'react'
+import { useRouter, usePathname, useSearchParams } from 'next/navigation'
+interface Props {
+  initialData: User
+}
+export function ClientInteractiveSection({ initialData }: Props) {
+  const [data, setData] = useState(initialData)
+  const [isPending, startTransition] = useTransition()
+  const router = useRouter()
+  const pathname = usePathname()
+  const searchParams = useSearchParams()
+  // Browser APIs available
+  useEffect(() => {
+    const handleResize = () => console.log(window.innerWidth)
+    window.addEventListener('resize', handleResize)
+    return () => window.removeEventListener('resize', handleResize)
+  }, [])
+  const handleClick = () => {
+    startTransition(() => {
+      router.refresh() // Revalidate server components
+    })
+  }
+  return (
+    <button onClick={handleClick} disabled={isPending}>
+      {isPending ? 'Refreshing...' : 'Refresh Data'}
+    </button>
+  )
+}
+```
+### Composition Pattern (Server → Client)
+```typescript
+// app/dashboard/page.tsx (Server Component)
+import { ClientTabs } from './client-tabs'
+import { db } from '@/lib/db'
+export default async function Page() {
+  const data = await db.analytics.findMany()
+  // Pass Server Component as child to Client Component
+  return (
+    <ClientTabs>
+      <ServerRenderedChart data={data} />
+    </ClientTabs>
+  )
+}
+// client-tabs.tsx
+'use client'
+import { useState, ReactNode } from 'react'
+export function ClientTabs({ children }: { children: ReactNode }) {
+  const [activeTab, setActiveTab] = useState(0)
+  return (
+    <div>
+      <button onClick={() => setActiveTab(0)}>Tab 1</button>
+      <button onClick={() => setActiveTab(1)}>Tab 2</button>
+      {activeTab === 0 && children} {/* Server component rendered here */}
+    </div>
+  )
+}
+```
+### Provider Pattern
+```typescript
+// app/providers.tsx
+'use client'
+import { ThemeProvider } from 'next-themes'
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query'
+import { SessionProvider } from 'next-auth/react'
+import { useState } from 'react'
+export function Providers({ children }: { children: React.ReactNode }) {
+  // Create QueryClient inside component to avoid sharing between requests
+  const [queryClient] = useState(() => new QueryClient({
+    defaultOptions: {
+      queries: {
+        staleTime: 60 * 1000,
+        refetchOnWindowFocus: false,
+      },
+    },
+  }))
+  return (
+    <SessionProvider>
+      <QueryClientProvider client={queryClient}>
+        <ThemeProvider attribute="class" defaultTheme="system" enableSystem>
+          {children}
+        </ThemeProvider>
+      </QueryClientProvider>
+    </SessionProvider>
+  )
+}
+// app/layout.tsx (Server Component)
+import { Providers } from './providers'
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <html lang="en" suppressHydrationWarning>
+      <body>
+        <Providers>{children}</Providers>
+      </body>
+    </html>
+  )
+}
+```
+---
+## Data Fetching Patterns
+### Server Component Data Fetching (Recommended)
+```typescript
+// app/posts/page.tsx
+import { Suspense } from 'react'
+// Parallel data fetching
+async function getPosts() {
+  const res = await fetch('https://api.example.com/posts', {
+    next: { revalidate: 3600 } // Cache for 1 hour
+  })
+  if (!res.ok) throw new Error('Failed to fetch posts')
+  return res.json()
+}
+async function getUser() {
+  const res = await fetch('https://api.example.com/user', {
+    cache: 'no-store' // Always fresh
+  })
+  return res.json()
+}
+export default async function PostsPage() {
+  // Parallel execution - both start immediately
+  const [posts, user] = await Promise.all([
+    getPosts(),
+    getUser()
+  ])
+  return (
+    <div>
+      <UserHeader user={user} />
+      <PostList posts={posts} />
+      {/* Defer non-critical data */}
+      <Suspense fallback={<CommentsSkeleton />}>
+        <Comments />
+      </Suspense>
+    </div>
+  )
+}
+// Separate component for streaming
+async function Comments() {
+  // This can load after initial page render
+  const comments = await fetch('https://api.example.com/comments', {
+    next: { revalidate: 60 }
+  }).then(r => r.json())
+  return <CommentList comments={comments} />
+}
+```
+### Fetch Deduplication
+```typescript
+// Next.js automatically deduplicates fetch requests with same URL and options
+// across the component tree during a single render
+// component-a.tsx
+async function ComponentA() {
+  // This request...
+  const data = await fetch('https://api.example.com/data')
+  return <div>{data.title}</div>
+}
+// component-b.tsx
+async function ComponentB() {
+  // ...is deduped with this one (same URL, only 1 request made)
+  const data = await fetch('https://api.example.com/data')
+  return <div>{data.description}</div>
+}
+// For non-fetch requests, use React cache()
+import { cache } from 'react'
+import { db } from '@/lib/db'
+export const getUser = cache(async (id: string) => {
+  return db.user.findUnique({ where: { id } })
+})
+// Now getUser(id) is deduped across components in same render
+```
+### Data Fetching with Preloading
+```typescript
+// lib/data.ts
+import { cache } from 'react'
+// Wrap in cache for deduplication
+export const getItem = cache(async (id: string) => {
+  const res = await fetch(`https://api.example.com/items/${id}`)
+  return res.json()
+})
+// Preload function (call early, don't await)
+export const preloadItem = (id: string) => {
+  void getItem(id)
+}
+// page.tsx
+import { getItem, preloadItem } from '@/lib/data'
+export default async function Page({ params }: { params: { id: string } }) {
+  // Start fetching immediately
+  preloadItem(params.id)
+  // Do other work...
+  const otherData = await getOtherData()
+  // Now await - likely already cached
+  const item = await getItem(params.id)
+  return <ItemDisplay item={item} />
+}
+```
+### Static Generation with Dynamic Params
+```typescript
+// app/blog/[slug]/page.tsx
+// Generate static paths at build time
+export async function generateStaticParams() {
+  const posts = await fetch('https://api.example.com/posts').then(r => r.json())
+  return posts.map((post: Post) => ({
+    slug: post.slug,
+  }))
+}
+// Optional: Control behavior for paths not in generateStaticParams
+export const dynamicParams = true // true = generate on-demand, false = 404
+export default async function BlogPost({
+  params
+}: {
+  params: { slug: string }
+}) {
+  const post = await fetch(`https://api.example.com/posts/${params.slug}`, {
+    next: { revalidate: 3600 }
+  }).then(r => r.json())
+  return <article>{post.content}</article>
+}
+// Generate metadata for each page
+export async function generateMetadata({
+  params
+}: {
+  params: { slug: string }
+}): Promise<Metadata> {
+  const post = await getPost(params.slug) // Deduped with page fetch
+  return {
+    title: post.title,
+    description: post.excerpt,
+  }
+}
+```
+---
+## Caching Strategies
+### Cache Hierarchy
+```
+Request Memoization (React)
+        ↓
+    Data Cache (Next.js)
+        ↓
+    Full Route Cache (Next.js)
+        ↓
+    Router Cache (Client-side)
+```
+### Fetch Cache Options
+```typescript
+// 1. Force cache (default for GET in production)
+fetch(url, { cache: 'force-cache' })
+fetch(url) // Same as above
+// 2. No cache (always fresh)
+fetch(url, { cache: 'no-store' })
+// 3. Time-based revalidation
+fetch(url, { next: { revalidate: 3600 } }) // Revalidate every hour
+// 4. Tag-based revalidation
+fetch(url, { next: { tags: ['posts', 'user-123'] } })
+// Then in Server Action or Route Handler:
+import { revalidateTag, revalidatePath } from 'next/cache'
+export async function updatePost() {
+  await db.post.update(...)
+  revalidateTag('posts')           // Revalidate all fetches with this tag
+  revalidatePath('/blog')          // Revalidate specific path
+  revalidatePath('/blog', 'layout') // Revalidate layout and all pages below
+  revalidatePath('/blog/[slug]', 'page') // Revalidate dynamic pages
+}
+```
+### unstable_cache for Non-Fetch Functions
+```typescript
+import { unstable_cache } from 'next/cache'
+import { db } from '@/lib/db'
+// Cache database queries
+const getCachedUser = unstable_cache(
+  async (id: string) => {
+    return db.user.findUnique({ where: { id } })
+  },
+  ['user-cache'], // Cache key prefix
+  {
+    tags: ['users'],
+    revalidate: 3600,
+  }
+)
+// Usage
+const user = await getCachedUser('user-123')
+// Revalidate
+revalidateTag('users')
+```
+### Route Segment Caching
+```typescript
+// app/dashboard/page.tsx
+// Force dynamic rendering (no cache)
+export const dynamic = 'force-dynamic'
+// OR force static (error if dynamic features used)
+export const dynamic = 'force-static'
+// Set revalidation period for entire route
+export const revalidate = 3600 // seconds
+// Disable dynamicParams (404 for unknown params)
+export const dynamicParams = false
+```
+---
+## Server Actions
+### Basic Server Action
+```typescript
+// app/actions.ts
+'use server'
+import { revalidatePath } from 'next/cache'
+import { redirect } from 'next/navigation'
+import { z } from 'zod'
+import { db } from '@/lib/db'
+import { auth } from '@/lib/auth'
+const CreatePostSchema = z.object({
+  title: z.string().min(1).max(100),
+  content: z.string().min(1),
+})
+export async function createPost(formData: FormData) {
+  // 1. Authentication
+  const session = await auth()
+  if (!session?.user) {
+    throw new Error('Unauthorized')
+  }
+  // 2. Validation
+  const validatedFields = CreatePostSchema.safeParse({
+    title: formData.get('title'),
+    content: formData.get('content'),
+  })
+  if (!validatedFields.success) {
+    return {
+      errors: validatedFields.error.flatten().fieldErrors,
+    }
+  }
+  // 3. Database operation
+  try {
+    await db.post.create({
+      data: {
+        ...validatedFields.data,
+        authorId: session.user.id,
+      },
+    })
+  } catch (error) {
+    return {
+      error: 'Failed to create post',
+    }
+  }
+  // 4. Revalidate and redirect
+  revalidatePath('/posts')
+  redirect('/posts')
+}
+```
+### Server Action with useActionState (React 19)
+```typescript
+// app/posts/new/page.tsx
+'use client'
+import { useActionState } from 'react'
+import { createPost } from '../actions'
+const initialState = {
+  errors: {},
+  error: null,
+}
+export default function NewPostForm() {
+  const [state, formAction, isPending] = useActionState(createPost, initialState)
+  return (
+    <form action={formAction}>
+      <div>
+        <label htmlFor="title">Title</label>
+        <input
+          id="title"
+          name="title"
+          type="text"
+          aria-describedby="title-error"
+        />
+        {state.errors?.title && (
+          <p id="title-error" className="text-red-500">
+            {state.errors.title}
+          </p>
+        )}
+      </div>
+      <div>
+        <label htmlFor="content">Content</label>
+        <textarea
+          id="content"
+          name="content"
+          aria-describedby="content-error"
+        />
+        {state.errors?.content && (
+          <p id="content-error" className="text-red-500">
+            {state.errors.content}
+          </p>
+        )}
+      </div>
+      {state.error && (
+        <p className="text-red-500">{state.error}</p>
+      )}
+      <button type="submit" disabled={isPending}>
+        {isPending ? 'Creating...' : 'Create Post'}
+      </button>
+    </form>
+  )
+}
+```
+### Optimistic Updates
+```typescript
+'use client'
+import { useOptimistic, useTransition } from 'react'
+import { likePost } from './actions'
+interface Post {
+  id: string
+  likes: number
+  isLiked: boolean
+}
+export function LikeButton({ post }: { post: Post }) {
+  const [isPending, startTransition] = useTransition()
+  const [optimisticPost, addOptimisticLike] = useOptimistic(
+    post,
+    (currentPost, newLikes: number) => ({
+      ...currentPost,
+      likes: newLikes,
+      isLiked: !currentPost.isLiked,
+    })
+  )
+  const handleLike = () => {
+    startTransition(async () => {
+      // Optimistically update UI
+      addOptimisticLike(optimisticPost.likes + (optimisticPost.isLiked ? -1 : 1))
+      // Actual server action
+      await likePost(post.id)
+    })
+  }
+  return (
+    <button onClick={handleLike} disabled={isPending}>
+      {optimisticPost.isLiked ? '❤️' : '🤍'} {optimisticPost.likes}
+    </button>
+  )
+}
+```
+### Server Action Security Patterns
+```typescript
+'use server'
+import { auth } from '@/lib/auth'
+import { ratelimit } from '@/lib/ratelimit'
+import { z } from 'zod'
+// Rate limiting
+async function checkRateLimit(userId: string) {
+  const { success, remaining } = await ratelimit.limit(userId)
+  if (!success) {
+    throw new Error('Rate limit exceeded')
+  }
+  return remaining
+}
+// Authorization check
+async function requireRole(allowedRoles: string[]) {
+  const session = await auth()
+  if (!session?.user) {
+    throw new Error('Unauthorized')
+  }
+  if (!allowedRoles.includes(session.user.role)) {
+    throw new Error('Forbidden')
+  }
+  return session.user
+}
+// Secure action pattern
+export async function deletePost(postId: string) {
+  // 1. Auth
+  const user = await requireRole(['admin', 'moderator'])
+  // 2. Rate limit
+  await checkRateLimit(user.id)
+  // 3. Validate input
+  const id = z.string().uuid().parse(postId)
+  // 4. Authorization (ownership check)
+  const post = await db.post.findUnique({ where: { id } })
+  if (!post) throw new Error('Not found')
+  if (post.authorId !== user.id && user.role !== 'admin') {
+    throw new Error('Forbidden')
+  }
+  // 5. Perform action
+  await db.post.delete({ where: { id } })
+  // 6. Revalidate
+  revalidatePath('/posts')
+}
+```
+---
+## Route Handlers (API)
+### Basic Route Handler
+```typescript
+// app/api/posts/route.ts
+import { NextRequest, NextResponse } from 'next/server'
+import { auth } from '@/lib/auth'
+import { db } from '@/lib/db'
+// GET /api/posts
+export async function GET(request: NextRequest) {
+  const searchParams = request.nextUrl.searchParams
+  const page = parseInt(searchParams.get('page') ?? '1')
+  const limit = parseInt(searchParams.get('limit') ?? '10')
+  const posts = await db.post.findMany({
+    skip: (page - 1) * limit,
+    take: limit,
+    orderBy: { createdAt: 'desc' },
+  })
+  return NextResponse.json(posts)
+}
+// POST /api/posts
+export async function POST(request: NextRequest) {
+  const session = await auth()
+  if (!session) {
+    return NextResponse.json(
+      { error: 'Unauthorized' },
+      { status: 401 }
+    )
+  }
+  const body = await request.json()
+  const post = await db.post.create({
+    data: {
+      ...body,
+      authorId: session.user.id,
+    },
+  })
+  return NextResponse.json(post, { status: 201 })
+}
+// Set caching behavior
+export const dynamic = 'force-dynamic' // Disable cache
+// OR
+export const revalidate = 60 // Cache for 60 seconds
+```
+### Dynamic Route Handler
+```typescript
+// app/api/posts/[id]/route.ts
+import { NextRequest, NextResponse } from 'next/server'
+interface RouteParams {
+  params: { id: string }
+}
+export async function GET(
+  request: NextRequest,
+  { params }: RouteParams
+) {
+  const post = await db.post.findUnique({
+    where: { id: params.id },
+  })
+  if (!post) {
+    return NextResponse.json(
+      { error: 'Not found' },
+      { status: 404 }
+    )
+  }
+  return NextResponse.json(post)
+}
+export async function PATCH(
+  request: NextRequest,
+  { params }: RouteParams
+) {
+  const body = await request.json()
+  const post = await db.post.update({
+    where: { id: params.id },
+    data: body,
+  })
+  return NextResponse.json(post)
+}
+export async function DELETE(
+  request: NextRequest,
+  { params }: RouteParams
+) {
+  await db.post.delete({
+    where: { id: params.id },
+  })
+  return new NextResponse(null, { status: 204 })
+}
+```
+### Streaming Response
+```typescript
+// app/api/stream/route.ts
+import { NextRequest } from 'next/server'
+export async function GET(request: NextRequest) {
+  const encoder = new TextEncoder()
+  const stream = new ReadableStream({
+    async start(controller) {
+      for (let i = 0; i < 10; i++) {
+        const chunk = encoder.encode(`data: ${JSON.stringify({ count: i })}\n\n`)
+        controller.enqueue(chunk)
+        await new Promise(resolve => setTimeout(resolve, 1000))
+      }
+      controller.close()
+    },
+  })
+  return new Response(stream, {
+    headers: {
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache',
+      'Connection': 'keep-alive',
+    },
+  })
+}
+```
+### Webhook Handler
+```typescript
+// app/api/webhook/stripe/route.ts
+import { NextRequest, NextResponse } from 'next/server'
+import { headers } from 'next/headers'
+import Stripe from 'stripe'
+const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!)
+const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET!
+export async function POST(request: NextRequest) {
+  const body = await request.text()
+  const signature = headers().get('stripe-signature')!
+  let event: Stripe.Event
+  try {
+    event = stripe.webhooks.constructEvent(body, signature, webhookSecret)
+  } catch (err) {
+    console.error('Webhook signature verification failed')
+    return NextResponse.json({ error: 'Invalid signature' }, { status: 400 })
+  }
+  switch (event.type) {
+    case 'checkout.session.completed':
+      const session = event.data.object as Stripe.Checkout.Session
+      await handleCheckoutComplete(session)
+      break
+    case 'customer.subscription.deleted':
+      const subscription = event.data.object as Stripe.Subscription
+      await handleSubscriptionCanceled(subscription)
+      break
+    default:
+      console.log(`Unhandled event type: ${event.type}`)
+  }
+  return NextResponse.json({ received: true })
+}
+```
+---
+## Middleware
+### Basic Middleware
+```typescript
+// middleware.ts (root of project)
+import { NextResponse } from 'next/server'
+import type { NextRequest } from 'next/server'
+export function middleware(request: NextRequest) {
+  // Get pathname
+  const pathname = request.nextUrl.pathname
+  // Example: Redirect old URLs
+  if (pathname.startsWith('/old-blog')) {
+    return NextResponse.redirect(
+      new URL(pathname.replace('/old-blog', '/blog'), request.url)
+    )
+  }
+  // Example: Add custom headers
+  const response = NextResponse.next()
+  response.headers.set('x-custom-header', 'my-value')
+  // Example: Rewrite (internal redirect)
+  if (pathname === '/dashboard' && !request.cookies.get('auth')) {
+    return NextResponse.rewrite(new URL('/login', request.url))
+  }
+  return response
+}
+// Configure which paths middleware runs on
+export const config = {
+  matcher: [
+    // Match all paths except static files and api
+    '/((?!_next/static|_next/image|favicon.ico|api).*)',
+  ],
+}
+```
+### Authentication Middleware
+```typescript
+// middleware.ts
+import { NextResponse } from 'next/server'
+import type { NextRequest } from 'next/server'
+import { getToken } from 'next-auth/jwt'
+const protectedRoutes = ['/dashboard', '/settings', '/profile']
+const authRoutes = ['/login', '/register']
+export async function middleware(request: NextRequest) {
+  const token = await getToken({
+    req: request,
+    secret: process.env.NEXTAUTH_SECRET,
+  })
+  const pathname = request.nextUrl.pathname
+  // Redirect authenticated users away from auth pages
+  if (authRoutes.some(route => pathname.startsWith(route))) {
+    if (token) {
+      return NextResponse.redirect(new URL('/dashboard', request.url))
+    }
+    return NextResponse.next()
+  }
+  // Protect routes
+  if (protectedRoutes.some(route => pathname.startsWith(route))) {
+    if (!token) {
+      const loginUrl = new URL('/login', request.url)
+      loginUrl.searchParams.set('callbackUrl', pathname)
+      return NextResponse.redirect(loginUrl)
+    }
+  }
+  // Role-based access
+  if (pathname.startsWith('/admin')) {
+    if (token?.role !== 'admin') {
+      return NextResponse.redirect(new URL('/unauthorized', request.url))
+    }
+  }
+  return NextResponse.next()
+}
+export const config = {
+  matcher: [
+    '/dashboard/:path*',
+    '/settings/:path*',
+    '/profile/:path*',
+    '/admin/:path*',
+    '/login',
+    '/register',
+  ],
+}
+```
+### Geolocation & A/B Testing
+```typescript
+// middleware.ts
+import { NextResponse } from 'next/server'
+import type { NextRequest } from 'next/server'
+export function middleware(request: NextRequest) {
+  // Geolocation (available on Vercel Edge)
+  const country = request.geo?.country ?? 'US'
+  const city = request.geo?.city ?? 'Unknown'
+  // A/B Testing
+  let bucket = request.cookies.get('ab-bucket')?.value
+  if (!bucket) {
+    bucket = Math.random() < 0.5 ? 'control' : 'variant'
+  }
+  const response = NextResponse.next()
+  // Set headers for downstream use
+  response.headers.set('x-country', country)
+  response.headers.set('x-city', city)
+  response.headers.set('x-ab-bucket', bucket)
+  // Set cookie for consistent bucketing
+  response.cookies.set('ab-bucket', bucket, {
+    maxAge: 60 * 60 * 24 * 30, // 30 days
+  })
+  return response
+}
+```
+---
+## Streaming & Suspense
+### Loading UI with Suspense
+```typescript
+// app/dashboard/page.tsx
+import { Suspense } from 'react'
+import { Skeleton } from '@/components/ui/skeleton'
+export default function DashboardPage() {
+  return (
+    <div className="grid gap-4">
+      {/* Critical content - renders immediately */}
+      <DashboardHeader />
+      {/* Non-critical - streams in */}
+      <Suspense fallback={<StatsSkeleton />}>
+        <Stats />
+      </Suspense>
+      <div className="grid grid-cols-2 gap-4">
+        <Suspense fallback={<ChartSkeleton />}>
+          <RevenueChart />
+        </Suspense>
+        <Suspense fallback={<ChartSkeleton />}>
+          <UserChart />
+        </Suspense>
+      </div>
+      <Suspense fallback={<TableSkeleton />}>
+        <RecentOrders />
+      </Suspense>
+    </div>
+  )
+}
+// Each async component streams independently
+async function Stats() {
+  const stats = await getStats() // Slow API call
+  return <StatsDisplay stats={stats} />
+}
+async function RevenueChart() {
+  const data = await getRevenueData()
+  return <Chart data={data} />
+}
+```
+### Loading.tsx (Route-level Loading)
+```typescript
+// app/dashboard/loading.tsx
+// Automatically wraps page.tsx in Suspense
+import { Skeleton } from '@/components/ui/skeleton'
+export default function DashboardLoading() {
+  return (
+    <div className="space-y-4">
+      <Skeleton className="h-8 w-[200px]" />
+      <div className="grid grid-cols-4 gap-4">
+        {Array.from({ length: 4 }).map((_, i) => (
+          <Skeleton key={i} className="h-24" />
+        ))}
+      </div>
+      <Skeleton className="h-[400px]" />
+    </div>
+  )
+}
+```
+### Parallel Routes with Loading States
+```typescript
+// app/dashboard/layout.tsx
+export default function DashboardLayout({
+  children,
+  analytics,
+  team,
+}: {
+  children: React.ReactNode
+  analytics: React.ReactNode  // @analytics/page.tsx
+  team: React.ReactNode       // @team/page.tsx
+}) {
+  return (
+    <div className="grid grid-cols-3 gap-4">
+      <div className="col-span-2">{children}</div>
+      <div className="space-y-4">
+        {analytics}
+        {team}
+      </div>
+    </div>
+  )
+}
+// app/dashboard/@analytics/loading.tsx
+export default function AnalyticsLoading() {
+  return <Skeleton className="h-[200px]" />
+}
+// app/dashboard/@team/loading.tsx
+export default function TeamLoading() {
+  return <Skeleton className="h-[150px]" />
+}
+```
+### Streaming with AI/LLM
+```typescript
+// app/api/chat/route.ts
+import { OpenAIStream, StreamingTextResponse } from 'ai'
+import OpenAI from 'openai'
+const openai = new OpenAI()
+export async function POST(req: Request) {
+  const { messages } = await req.json()
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4-turbo-preview',
+    stream: true,
+    messages,
+  })
+  const stream = OpenAIStream(response)
+  return new StreamingTextResponse(stream)
+}
+// Client component
+'use client'
+import { useChat } from 'ai/react'
+export function Chat() {
+  const { messages, input, handleInputChange, handleSubmit, isLoading } = useChat()
+  return (
+    <div>
+      {messages.map(m => (
+        <div key={m.id}>
+          <strong>{m.role}:</strong> {m.content}
+        </div>
+      ))}
+      <form onSubmit={handleSubmit}>
+        <input
+          value={input}
+          onChange={handleInputChange}
+          placeholder="Say something..."
+          disabled={isLoading}
+        />
+      </form>
+    </div>
+  )
+}
+```
+---
+## Error Handling
+### Error Boundary (error.tsx)
+```typescript
+// app/dashboard/error.tsx
+'use client' // Error boundaries must be client components
+import { useEffect } from 'react'
+import { Button } from '@/components/ui/button'
+export default function DashboardError({
+  error,
+  reset,
+}: {
+  error: Error & { digest?: string }
+  reset: () => void
+}) {
+  useEffect(() => {
+    // Log error to monitoring service
+    console.error('Dashboard error:', error)
+    // Send to Sentry, etc.
+    // Sentry.captureException(error)
+  }, [error])
+  return (
+    <div className="flex flex-col items-center justify-center min-h-[400px] gap-4">
+      <h2 className="text-2xl font-bold">Something went wrong!</h2>
+      <p className="text-muted-foreground">
+        {error.message || 'An unexpected error occurred'}
+      </p>
+      {error.digest && (
+        <p className="text-xs text-muted-foreground">
+          Error ID: {error.digest}
+        </p>
+      )}
+      <Button onClick={reset}>Try again</Button>
+    </div>
+  )
+}
+```
+### Global Error Boundary
+```typescript
+// app/global-error.tsx
+'use client'
+export default function GlobalError({
+  error,
+  reset,
+}: {
+  error: Error & { digest?: string }
+  reset: () => void
+}) {
+  return (
+    // Must include html and body tags
+    <html>
+      <body>
+        <div className="flex flex-col items-center justify-center min-h-screen">
+          <h2>Something went wrong!</h2>
+          <button onClick={reset}>Try again</button>
+        </div>
+      </body>
+    </html>
+  )
+}
+```
+### Not Found Handling
+```typescript
+// app/not-found.tsx
+import Link from 'next/link'
+export default function NotFound() {
+  return (
+    <div className="flex flex-col items-center justify-center min-h-[400px]">
+      <h2 className="text-2xl font-bold">Page Not Found</h2>
+      <p className="text-muted-foreground">
+        The page you're looking for doesn't exist.
+      </p>
+      <Link href="/" className="mt-4 underline">
+        Go home
+      </Link>
+    </div>
+  )
+}
+// Trigger not-found programmatically
+import { notFound } from 'next/navigation'
+export default async function PostPage({ params }: { params: { id: string } }) {
+  const post = await getPost(params.id)
+  if (!post) {
+    notFound() // Renders not-found.tsx
+  }
+  return <PostDisplay post={post} />
+}
+```
+### Error Handling in Server Actions
+```typescript
+'use server'
+import { z } from 'zod'
+// Type-safe error responses
+type ActionResult<T> =
+  | { success: true; data: T }
+  | { success: false; error: string; fieldErrors?: Record<string, string[]> }
+export async function createUser(formData: FormData): Promise<ActionResult<User>> {
+  try {
+    const validated = UserSchema.safeParse({
+      email: formData.get('email'),
+      name: formData.get('name'),
+    })
+    if (!validated.success) {
+      return {
+        success: false,
+        error: 'Validation failed',
+        fieldErrors: validated.error.flatten().fieldErrors,
+      }
+    }
+    const user = await db.user.create({ data: validated.data })
+    return { success: true, data: user }
+  } catch (error) {
+    // Log error
+    console.error('Create user error:', error)
+    // Return generic error (don't expose internal details)
+    return {
+      success: false,
+      error: 'Failed to create user. Please try again.'
+    }
+  }
+}
+```
+---
+## Metadata & SEO
+### Static Metadata
+```typescript
+// app/layout.tsx
+import type { Metadata } from 'next'
+export const metadata: Metadata = {
+  metadataBase: new URL('https://example.com'),
+  title: {
+    default: 'My App',
+    template: '%s | My App', // Pages can override: "About | My App"
+  },
+  description: 'The best app ever',
+  keywords: ['Next.js', 'React', 'TypeScript'],
+  authors: [{ name: 'John Doe', url: 'https://johndoe.com' }],
+  creator: 'John Doe',
+  publisher: 'My Company',
+  // Open Graph
+  openGraph: {
+    type: 'website',
+    locale: 'en_US',
+    url: 'https://example.com',
+    siteName: 'My App',
+    title: 'My App',
+    description: 'The best app ever',
+    images: [
+      {
+        url: '/og-image.png',
+        width: 1200,
+        height: 630,
+        alt: 'My App',
+      },
+    ],
+  },
+  // Twitter
+  twitter: {
+    card: 'summary_large_image',
+    title: 'My App',
+    description: 'The best app ever',
+    creator: '@johndoe',
+    images: ['/twitter-image.png'],
+  },
+  // Robots
+  robots: {
+    index: true,
+    follow: true,
+    googleBot: {
+      index: true,
+      follow: true,
+      'max-video-preview': -1,
+      'max-image-preview': 'large',
+      'max-snippet': -1,
+    },
+  },
+  // Icons
+  icons: {
+    icon: '/favicon.ico',
+    shortcut: '/favicon-16x16.png',
+    apple: '/apple-touch-icon.png',
+  },
+  // Manifest
+  manifest: '/site.webmanifest',
+  // Verification
+  verification: {
+    google: 'google-site-verification-code',
+    yandex: 'yandex-verification-code',
+  },
+}
+```
+### Dynamic Metadata
+```typescript
+// app/blog/[slug]/page.tsx
+import type { Metadata, ResolvingMetadata } from 'next'
+interface Props {
+  params: { slug: string }
+  searchParams: { [key: string]: string | string[] | undefined }
+}
+export async function generateMetadata(
+  { params, searchParams }: Props,
+  parent: ResolvingMetadata
+): Promise<Metadata> {
+  const post = await getPost(params.slug)
+  // Optionally access parent metadata
+  const previousImages = (await parent).openGraph?.images || []
+  return {
+    title: post.title,
+    description: post.excerpt,
+    openGraph: {
+      title: post.title,
+      description: post.excerpt,
+      type: 'article',
+      publishedTime: post.createdAt,
+      authors: [post.author.name],
+      images: [
+        {
+          url: post.image,
+          width: 1200,
+          height: 630,
+        },
+        ...previousImages,
+      ],
+    },
+    twitter: {
+      card: 'summary_large_image',
+      title: post.title,
+      description: post.excerpt,
+      images: [post.image],
+    },
+  }
+}
+```
+### JSON-LD Structured Data
+```typescript
+// app/blog/[slug]/page.tsx
+export default async function BlogPost({ params }: Props) {
+  const post = await getPost(params.slug)
+  const jsonLd = {
+    '@context': 'https://schema.org',
+    '@type': 'BlogPosting',
+    headline: post.title,
+    description: post.excerpt,
+    image: post.image,
+    datePublished: post.createdAt,
+    dateModified: post.updatedAt,
+    author: {
+      '@type': 'Person',
+      name: post.author.name,
+      url: post.author.url,
+    },
+    publisher: {
+      '@type': 'Organization',
+      name: 'My Company',
+      logo: {
+        '@type': 'ImageObject',
+        url: 'https://example.com/logo.png',
+      },
+    },
+  }
+  return (
+    <>
+      <script
+        type="application/ld+json"
+        dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLd) }}
+      />
+      <article>{/* content */}</article>
+    </>
+  )
+}
+```
+### Sitemap & Robots
+```typescript
+// app/sitemap.ts
+import { MetadataRoute } from 'next'
+export default async function sitemap(): Promise<MetadataRoute.Sitemap> {
+  const posts = await db.post.findMany({
+    select: { slug: true, updatedAt: true },
+  })
+  const postUrls = posts.map((post) => ({
+    url: `https://example.com/blog/${post.slug}`,
+    lastModified: post.updatedAt,
+    changeFrequency: 'weekly' as const,
+    priority: 0.8,
+  }))
+  return [
+    {
+      url: 'https://example.com',
+      lastModified: new Date(),
+      changeFrequency: 'daily',
+      priority: 1,
+    },
+    {
+      url: 'https://example.com/about',
+      lastModified: new Date(),
+      changeFrequency: 'monthly',
+      priority: 0.5,
+    },
+    ...postUrls,
+  ]
+}
+// app/robots.ts
+import { MetadataRoute } from 'next'
+export default function robots(): MetadataRoute.Robots {
+  return {
+    rules: [
+      {
+        userAgent: '*',
+        allow: '/',
+        disallow: ['/api/', '/admin/', '/private/'],
+      },
+      {
+        userAgent: 'Googlebot',
+        allow: '/',
+      },
+    ],
+    sitemap: 'https://example.com/sitemap.xml',
+  }
+}
+```
+---
+## Authentication Patterns
+### NextAuth.js v5 Setup
+```typescript
+// auth.ts
+import NextAuth from 'next-auth'
+import GitHub from 'next-auth/providers/github'
+import Google from 'next-auth/providers/google'
+import Credentials from 'next-auth/providers/credentials'
+import { PrismaAdapter } from '@auth/prisma-adapter'
+import { db } from '@/lib/db'
+import bcrypt from 'bcryptjs'
+export const { auth, handlers, signIn, signOut } = NextAuth({
+  adapter: PrismaAdapter(db),
+  session: { strategy: 'jwt' },
+  providers: [
+    GitHub({
+      clientId: process.env.GITHUB_ID,
+      clientSecret: process.env.GITHUB_SECRET,
+    }),
+    Google({
+      clientId: process.env.GOOGLE_ID,
+      clientSecret: process.env.GOOGLE_SECRET,
+    }),
+    Credentials({
+      credentials: {
+        email: { label: 'Email', type: 'email' },
+        password: { label: 'Password', type: 'password' },
+      },
+      async authorize(credentials) {
+        if (!credentials?.email || !credentials?.password) {
+          return null
+        }
+        const user = await db.user.findUnique({
+          where: { email: credentials.email as string },
+        })
+        if (!user || !user.password) {
+          return null
+        }
+        const isValid = await bcrypt.compare(
+          credentials.password as string,
+          user.password
+        )
+        if (!isValid) {
+          return null
+        }
+        return {
+          id: user.id,
+          email: user.email,
+          name: user.name,
+          role: user.role,
+        }
+      },
+    }),
+  ],
+  callbacks: {
+    async jwt({ token, user, trigger, session }) {
+      if (user) {
+        token.id = user.id
+        token.role = user.role
+      }
+      // Handle session update
+      if (trigger === 'update' && session) {
+        token.name = session.name
+      }
+      return token
+    },
+    async session({ session, token }) {
+      if (session.user) {
+        session.user.id = token.id as string
+        session.user.role = token.role as string
+      }
+      return session
+    },
+    async signIn({ user, account, profile }) {
+      // Block sign in if email not verified
+      if (account?.provider === 'credentials') {
+        const existingUser = await db.user.findUnique({
+          where: { id: user.id },
+        })
+        if (!existingUser?.emailVerified) {
+          return false
+        }
+      }
+      return true
+    },
+  },
+  pages: {
+    signIn: '/login',
+    error: '/auth/error',
+    verifyRequest: '/auth/verify',
+  },
+})
+// app/api/auth/[...nextauth]/route.ts
+import { handlers } from '@/auth'
+export const { GET, POST } = handlers
+```
+### Protected Server Component
+```typescript
+// app/dashboard/page.tsx
+import { auth } from '@/auth'
+import { redirect } from 'next/navigation'
+export default async function DashboardPage() {
+  const session = await auth()
+  if (!session) {
+    redirect('/login')
+  }
+  // Role-based check
+  if (session.user.role !== 'admin') {
+    redirect('/unauthorized')
+  }
+  return (
+    <div>
+      <h1>Welcome, {session.user.name}</h1>
+    </div>
+  )
+}
+```
+### Protected Client Component
+```typescript
+'use client'
+import { useSession } from 'next-auth/react'
+import { useRouter } from 'next/navigation'
+import { useEffect } from 'react'
+export function ProtectedComponent() {
+  const { data: session, status } = useSession()
+  const router = useRouter()
+  useEffect(() => {
+    if (status === 'unauthenticated') {
+      router.push('/login')
+    }
+  }, [status, router])
+  if (status === 'loading') {
+    return <div>Loading...</div>
+  }
+  if (!session) {
+    return null
+  }
+  return <div>Protected content for {session.user.name}</div>
+}
+```
+### Sign In/Out Server Actions
+```typescript
+// app/actions/auth.ts
+'use server'
+import { signIn, signOut } from '@/auth'
+import { AuthError } from 'next-auth'
+import { redirect } from 'next/navigation'
+export async function signInWithCredentials(formData: FormData) {
+  try {
+    await signIn('credentials', {
+      email: formData.get('email'),
+      password: formData.get('password'),
+      redirectTo: '/dashboard',
+    })
+  } catch (error) {
+    if (error instanceof AuthError) {
+      switch (error.type) {
+        case 'CredentialsSignin':
+          return { error: 'Invalid credentials' }
+        default:
+          return { error: 'Something went wrong' }
+      }
+    }
+    throw error
+  }
+}
+export async function signInWithGitHub() {
+  await signIn('github', { redirectTo: '/dashboard' })
+}
+export async function signOutAction() {
+  await signOut({ redirectTo: '/' })
+}
+```
+---
+## Database Integration
+### Prisma Setup
+```typescript
+// lib/db.ts
+import { PrismaClient } from '@prisma/client'
+const globalForPrisma = globalThis as unknown as {
+  prisma: PrismaClient | undefined
+}
+export const db = globalForPrisma.prisma ?? new PrismaClient({
+  log: process.env.NODE_ENV === 'development'
+    ? ['query', 'error', 'warn']
+    : ['error'],
+})
+if (process.env.NODE_ENV !== 'production') {
+  globalForPrisma.prisma = db
+}
+```
+### Drizzle ORM Setup
+```typescript
+// lib/db.ts
+import { drizzle } from 'drizzle-orm/postgres-js'
+import postgres from 'postgres'
+import * as schema from './schema'
+const connectionString = process.env.DATABASE_URL!
+// For query purposes
+const queryClient = postgres(connectionString)
+export const db = drizzle(queryClient, { schema })
+// lib/schema.ts
+import { pgTable, text, timestamp, uuid, boolean } from 'drizzle-orm/pg-core'
+export const users = pgTable('users', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  email: text('email').notNull().unique(),
+  name: text('name'),
+  emailVerified: timestamp('email_verified'),
+  image: text('image'),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  updatedAt: timestamp('updated_at').defaultNow().notNull(),
+})
+export const posts = pgTable('posts', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  title: text('title').notNull(),
+  content: text('content'),
+  published: boolean('published').default(false).notNull(),
+  authorId: uuid('author_id').references(() => users.id).notNull(),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  updatedAt: timestamp('updated_at').defaultNow().notNull(),
+})
+```
+### Database Query Patterns
+```typescript
+// lib/queries/posts.ts
+import { cache } from 'react'
+import { db } from '@/lib/db'
+import { unstable_cache } from 'next/cache'
+// Request-level caching (deduplication)
+export const getPost = cache(async (id: string) => {
+  return db.post.findUnique({
+    where: { id },
+    include: { author: true },
+  })
+})
+// Time-based caching
+export const getPublishedPosts = unstable_cache(
+  async () => {
+    return db.post.findMany({
+      where: { published: true },
+      orderBy: { createdAt: 'desc' },
+      include: { author: { select: { name: true, image: true } } },
+    })
+  },
+  ['published-posts'],
+  { revalidate: 3600, tags: ['posts'] }
+)
+// Pagination
+export async function getPaginatedPosts(page: number, limit: number = 10) {
+  const [posts, total] = await Promise.all([
+    db.post.findMany({
+      skip: (page - 1) * limit,
+      take: limit,
+      orderBy: { createdAt: 'desc' },
+    }),
+    db.post.count(),
+  ])
+  return {
+    posts,
+    total,
+    pages: Math.ceil(total / limit),
+    hasMore: page * limit < total,
+  }
+}
+```
+---
+## Performance Optimization
+### Image Optimization
+```typescript
+import Image from 'next/image'
+// Basic usage
+<Image
+  src="/hero.jpg"
+  alt="Hero image"
+  width={1200}
+  height={600}
+  priority // Load immediately (above the fold)
+/>
+// Fill container
+<div className="relative h-64 w-full">
+  <Image
+    src="/background.jpg"
+    alt="Background"
+    fill
+    className="object-cover"
+    sizes="100vw"
+  />
+</div>
+// Responsive images
+<Image
+  src="/photo.jpg"
+  alt="Photo"
+  width={800}
+  height={600}
+  sizes="(max-width: 768px) 100vw, (max-width: 1200px) 50vw, 33vw"
+  placeholder="blur"
+  blurDataURL="data:image/jpeg;base64,..." // Or use static import for auto blur
+/>
+// Remote images (configure in next.config.js)
+// next.config.js
+module.exports = {
+  images: {
+    remotePatterns: [
+      {
+        protocol: 'https',
+        hostname: 'cdn.example.com',
+        pathname: '/images/**',
+      },
+    ],
+  },
+}
+```
+### Font Optimization
+```typescript
+// app/layout.tsx
+import { Inter, Roboto_Mono } from 'next/font/google'
+import localFont from 'next/font/local'
+// Google Fonts
+const inter = Inter({
+  subsets: ['latin'],
+  display: 'swap',
+  variable: '--font-inter',
+})
+const robotoMono = Roboto_Mono({
+  subsets: ['latin'],
+  display: 'swap',
+  variable: '--font-roboto-mono',
+})
+// Local fonts
+const customFont = localFont({
+  src: [
+    {
+      path: '../fonts/CustomFont-Regular.woff2',
+      weight: '400',
+      style: 'normal',
+    },
+    {
+      path: '../fonts/CustomFont-Bold.woff2',
+      weight: '700',
+      style: 'normal',
+    },
+  ],
+  variable: '--font-custom',
+})
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <html lang="en" className={`${inter.variable} ${robotoMono.variable} ${customFont.variable}`}>
+      <body className="font-sans">{children}</body>
+    </html>
+  )
+}
+// tailwind.config.ts
+module.exports = {
+  theme: {
+    extend: {
+      fontFamily: {
+        sans: ['var(--font-inter)'],
+        mono: ['var(--font-roboto-mono)'],
+        custom: ['var(--font-custom)'],
+      },
+    },
+  },
+}
+```
+### Bundle Analysis
+```bash
+# Install analyzer
+npm install @next/bundle-analyzer
+# next.config.js
+const withBundleAnalyzer = require('@next/bundle-analyzer')({
+  enabled: process.env.ANALYZE === 'true',
+})
+module.exports = withBundleAnalyzer({
+  // your config
+})
+# Run analysis
+ANALYZE=true npm run build
+```
+### Dynamic Imports
+```typescript
+import dynamic from 'next/dynamic'
+// Basic dynamic import
+const DynamicComponent = dynamic(() => import('./HeavyComponent'), {
+  loading: () => <p>Loading...</p>,
+})
+// Disable SSR (for browser-only components)
+const MapComponent = dynamic(() => import('./Map'), {
+  ssr: false,
+  loading: () => <MapSkeleton />,
+})
+// Named exports
+const Modal = dynamic(() =>
+  import('./Modal').then((mod) => mod.Modal)
+)
+// Usage
+export default function Page() {
+  return (
+    <div>
+      <DynamicComponent />
+      <MapComponent />
+    </div>
+  )
+}
+```
+---
+## Security Best Practices
+### Environment Variables
+```typescript
+// ❌ Wrong - exposes to client
+const apiKey = process.env.API_KEY // undefined on client
+// ✅ Correct - server only
+const apiKey = process.env.API_KEY // Only in Server Components/Actions/Route Handlers
+// ✅ Correct - exposed to client (prefix with NEXT_PUBLIC_)
+const publicKey = process.env.NEXT_PUBLIC_STRIPE_KEY // Available everywhere
+// lib/env.ts - Validate environment variables
+import { z } from 'zod'
+const envSchema = z.object({
+  DATABASE_URL: z.string().url(),
+  NEXTAUTH_SECRET: z.string().min(32),
+  STRIPE_SECRET_KEY: z.string().startsWith('sk_'),
+  NEXT_PUBLIC_APP_URL: z.string().url(),
+})
+export const env = envSchema.parse(process.env)
+```
+### Content Security Policy
+```typescript
+// next.config.js
+const ContentSecurityPolicy = `
+  default-src 'self';
+  script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.example.com;
+  style-src 'self' 'unsafe-inline';
+  img-src 'self' blob: data: https://cdn.example.com;
+  font-src 'self';
+  connect-src 'self' https://api.example.com;
+  frame-ancestors 'none';
+`
+const securityHeaders = [
+  {
+    key: 'Content-Security-Policy',
+    value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
+  },
+  {
+    key: 'X-Frame-Options',
+    value: 'DENY',
+  },
+  {
+    key: 'X-Content-Type-Options',
+    value: 'nosniff',
+  },
+  {
+    key: 'Referrer-Policy',
+    value: 'strict-origin-when-cross-origin',
+  },
+  {
+    key: 'Permissions-Policy',
+    value: 'camera=(), microphone=(), geolocation=()',
+  },
+]
+module.exports = {
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: securityHeaders,
+      },
+    ]
+  },
+}
+```
+### Input Validation
+```typescript
+// lib/validations/post.ts
+import { z } from 'zod'
+export const createPostSchema = z.object({
+  title: z
+    .string()
+    .min(1, 'Title is required')
+    .max(100, 'Title must be less than 100 characters')
+    .transform((val) => val.trim()),
+  content: z
+    .string()
+    .min(1, 'Content is required')
+    .max(10000, 'Content must be less than 10000 characters'),
+  tags: z
+    .array(z.string().max(20))
+    .max(5, 'Maximum 5 tags allowed')
+    .optional(),
+})
+export type CreatePostInput = z.infer<typeof createPostSchema>
+// Server Action
+'use server'
+import { createPostSchema } from '@/lib/validations/post'
+import { auth } from '@/auth'
+import DOMPurify from 'isomorphic-dompurify'
+export async function createPost(input: unknown) {
+  const session = await auth()
+  if (!session) throw new Error('Unauthorized')
+  // Validate input
+  const validated = createPostSchema.parse(input)
+  // Sanitize HTML content if allowing rich text
+  const sanitizedContent = DOMPurify.sanitize(validated.content, {
+    ALLOWED_TAGS: ['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li'],
+    ALLOWED_ATTR: ['href'],
+  })
+  return db.post.create({
+    data: {
+      ...validated,
+      content: sanitizedContent,
+      authorId: session.user.id,
+    },
+  })
+}
+```
+### CSRF Protection
+```typescript
+// Server Actions have built-in CSRF protection via the Origin header check
+// For API Routes, implement manually:
+// app/api/webhook/route.ts
+import { headers } from 'next/headers'
+import crypto from 'crypto'
+export async function POST(request: Request) {
+  const headersList = headers()
+  const signature = headersList.get('x-webhook-signature')
+  if (!signature) {
+    return new Response('Missing signature', { status: 401 })
+  }
+  const body = await request.text()
+  const expectedSignature = crypto
+    .createHmac('sha256', process.env.WEBHOOK_SECRET!)
+    .update(body)
+    .digest('hex')
+  if (!crypto.timingSafeEqual(
+    Buffer.from(signature),
+    Buffer.from(expectedSignature)
+  )) {
+    return new Response('Invalid signature', { status: 401 })
+  }
+  // Process webhook...
+}
+```
+---
+## Testing Strategies
+### Unit Testing with Vitest
+```typescript
+// __tests__/utils.test.ts
+import { describe, it, expect } from 'vitest'
+import { formatDate, slugify } from '@/lib/utils'
+describe('formatDate', () => {
+  it('formats date correctly', () => {
+    const date = new Date('2024-01-15')
+    expect(formatDate(date)).toBe('January 15, 2024')
+  })
+})
+describe('slugify', () => {
+  it('converts string to slug', () => {
+    expect(slugify('Hello World')).toBe('hello-world')
+    expect(slugify('Test 123!')).toBe('test-123')
+  })
+})
+```
+### Component Testing with React Testing Library
+```typescript
+// __tests__/components/Button.test.tsx
+import { render, screen, fireEvent } from '@testing-library/react'
+import { describe, it, expect, vi } from 'vitest'
+import { Button } from '@/components/ui/button'
+describe('Button', () => {
+  it('renders children correctly', () => {
+    render(<Button>Click me</Button>)
+    expect(screen.getByRole('button')).toHaveTextContent('Click me')
+  })
+  it('calls onClick when clicked', () => {
+    const handleClick = vi.fn()
+    render(<Button onClick={handleClick}>Click me</Button>)
+    fireEvent.click(screen.getByRole('button'))
+    expect(handleClick).toHaveBeenCalledTimes(1)
+  })
+  it('is disabled when disabled prop is true', () => {
+    render(<Button disabled>Click me</Button>)
+    expect(screen.getByRole('button')).toBeDisabled()
+  })
+})
+```
+### Integration Testing with Playwright
+```typescript
+// tests/e2e/auth.spec.ts
+import { test, expect } from '@playwright/test'
+test.describe('Authentication', () => {
+  test('should redirect to login when accessing protected route', async ({ page }) => {
+    await page.goto('/dashboard')
+    await expect(page).toHaveURL('/login?callbackUrl=%2Fdashboard')
+  })
+  test('should login successfully with valid credentials', async ({ page }) => {
+    await page.goto('/login')
+    await page.fill('input[name="email"]', 'test@example.com')
+    await page.fill('input[name="password"]', 'password123')
+    await page.click('button[type="submit"]')
+    await expect(page).toHaveURL('/dashboard')
+    await expect(page.locator('h1')).toContainText('Welcome')
+  })
+  test('should show error with invalid credentials', async ({ page }) => {
+    await page.goto('/login')
+    await page.fill('input[name="email"]', 'wrong@example.com')
+    await page.fill('input[name="password"]', 'wrongpassword')
+    await page.click('button[type="submit"]')
+    await expect(page.locator('[data-testid="error-message"]')).toBeVisible()
+  })
+})
+```
+### API Route Testing
+```typescript
+// __tests__/api/posts.test.ts
+import { describe, it, expect, beforeEach, vi } from 'vitest'
+import { GET, POST } from '@/app/api/posts/route'
+import { db } from '@/lib/db'
+vi.mock('@/lib/db')
+vi.mock('@/auth', () => ({
+  auth: vi.fn(() => Promise.resolve({ user: { id: '1' } })),
+}))
+describe('POST /api/posts', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+  it('creates a post successfully', async () => {
+    const mockPost = { id: '1', title: 'Test', content: 'Content' }
+    vi.mocked(db.post.create).mockResolvedValue(mockPost)
+    const request = new Request('http://localhost/api/posts', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ title: 'Test', content: 'Content' }),
+    })
+    const response = await POST(request)
+    const data = await response.json()
+    expect(response.status).toBe(201)
+    expect(data).toEqual(mockPost)
+  })
+})
+```
+---
+## Deployment
+### Vercel Configuration
+```json
+// vercel.json
+{
+  "buildCommand": "prisma generate && next build",
+  "framework": "nextjs",
+  "regions": ["iad1"],
+  "env": {
+    "DATABASE_URL": "@database-url",
+    "NEXTAUTH_SECRET": "@nextauth-secret"
+  },
+  "crons": [
+    {
+      "path": "/api/cron/cleanup",
+      "schedule": "0 0 * * *"
+    }
+  ]
+}
+```
+### Docker Deployment
+```dockerfile
+# Dockerfile
+FROM node:20-alpine AS base
+# Install dependencies only when needed
+FROM base AS deps
+RUN apk add --no-cache libc6-compat
+WORKDIR /app
+COPY package.json package-lock.json* ./
+RUN npm ci
+# Rebuild the source code only when needed
+FROM base AS builder
+WORKDIR /app
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+ENV NEXT_TELEMETRY_DISABLED 1
+RUN npx prisma generate
+RUN npm run build
+# Production image
+FROM base AS runner
+WORKDIR /app
+ENV NODE_ENV production
+ENV NEXT_TELEMETRY_DISABLED 1
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+COPY --from=builder /app/public ./public
+COPY --from=builder /app/.next/standalone ./
+COPY --from=builder /app/.next/static ./.next/static
+USER nextjs
+EXPOSE 3000
+ENV PORT 3000
+ENV HOSTNAME "0.0.0.0"
+CMD ["node", "server.js"]
+```
+```javascript
+// next.config.js for standalone output
+module.exports = {
+  output: 'standalone',
+}
+```
+---
+## Anti-Patterns to Avoid
+### 1. Fetching in Client Components Unnecessarily
+```typescript
+// ❌ Bad - unnecessary client-side fetch
+'use client'
+export function Posts() {
+  const [posts, setPosts] = useState([])
+  useEffect(() => {
+    fetch('/api/posts').then(r => r.json()).then(setPosts)
+  }, [])
+  return <PostList posts={posts} />
+}
+// ✅ Good - fetch in Server Component
+export default async function Posts() {
+  const posts = await db.post.findMany()
+  return <PostList posts={posts} />
+}
+```
+### 2. Waterfall Requests
+```typescript
+// ❌ Bad - sequential fetches
+async function Page() {
+  const user = await getUser()
+  const posts = await getPosts()  // Waits for user
+  const comments = await getComments()  // Waits for posts
+  return <Content user={user} posts={posts} comments={comments} />
+}
+// ✅ Good - parallel fetches
+async function Page() {
+  const [user, posts, comments] = await Promise.all([
+    getUser(),
+    getPosts(),
+    getComments(),
+  ])
+  return <Content user={user} posts={posts} comments={comments} />
+}
+```
+### 3. Passing Functions as Props to Client Components
+```typescript
+// ❌ Bad - can't serialize functions
+async function Page() {
+  async function handleSubmit(data: FormData) {
+    'use server'
+    await db.post.create({ data })
+  }
+  return <Form onSubmit={handleSubmit} /> // Error!
+}
+// ✅ Good - import Server Action
+import { createPost } from './actions'
+export default function Page() {
+  return <Form action={createPost} />
+}
+```
+### 4. Using useEffect for Data Fetching
+```typescript
+// ❌ Bad - client-side fetch with useEffect
+'use client'
+function Dashboard() {
+  const [data, setData] = useState(null)
+  useEffect(() => {
+    fetchData().then(setData)
+  }, [])
+  if (!data) return <Loading />
+  return <DashboardContent data={data} />
+}
+// ✅ Good - Server Component with Suspense
+async function Dashboard() {
+  const data = await fetchData()
+  return <DashboardContent data={data} />
+}
+// Wrap in Suspense at parent level
+<Suspense fallback={<Loading />}>
+  <Dashboard />
+</Suspense>
+```
+### 5. Overusing 'use client'
+```typescript
+// ❌ Bad - entire page is client
+'use client'
+export default function Page() {
+  const [count, setCount] = useState(0)
+  const data = useData() // Client-side fetch
+  return (
+    <div>
+      <Header />
+      <Navigation />
+      <Content data={data} />
+      <Counter count={count} setCount={setCount} />
+      <Footer />
+    </div>
+  )
+}
+// ✅ Good - only interactive parts are client
+export default async function Page() {
+  const data = await getData() // Server fetch
+  return (
+    <div>
+      <Header />
+      <Navigation />
+      <Content data={data} />
+      <Counter /> {/* Only this is 'use client' */}
+      <Footer />
+    </div>
+  )
+}
+```
+### 6. Not Handling Loading States
+```typescript
+// ❌ Bad - no loading state
+export default async function Page() {
+  const data = await slowFetch() // User sees blank page
+  return <Content data={data} />
+}
+// ✅ Good - with loading state
+// loading.tsx
+export default function Loading() {
+  return <Skeleton />
+}
+// page.tsx
+export default async function Page() {
+  const data = await slowFetch()
+  return <Content data={data} />
+}
+```
+---
+## File Structure Conventions
+### Recommended Structure
+```
+src/
+├── app/                      # App Router
+│   ├── (auth)/              # Auth route group
+│   │   ├── login/
+│   │   └── register/
+│   ├── (marketing)/         # Marketing route group
+│   │   ├── about/
+│   │   └── pricing/
+│   ├── (dashboard)/         # Dashboard route group
+│   │   ├── layout.tsx
+│   │   ├── dashboard/
+│   │   └── settings/
+│   ├── api/                 # Route Handlers
+│   ├── layout.tsx
+│   ├── page.tsx
+│   ├── loading.tsx
+│   ├── error.tsx
+│   ├── not-found.tsx
+│   └── providers.tsx
+│
+├── components/
+│   ├── ui/                  # Shadcn/UI components
+│   │   ├── button.tsx
+│   │   ├── input.tsx
+│   │   └── dialog.tsx
+│   ├── forms/               # Form components
+│   │   ├── login-form.tsx
+│   │   └── post-form.tsx
+│   ├── layouts/             # Layout components
+│   │   ├── header.tsx
+│   │   ├── footer.tsx
+│   │   └── sidebar.tsx
+│   └── [feature]/           # Feature-specific components
+│       ├── post-card.tsx
+│       └── post-list.tsx
+│
+├── lib/
+│   ├── db.ts               # Database client
+│   ├── auth.ts             # Auth configuration
+│   ├── utils.ts            # Utility functions
+│   └── validations/        # Zod schemas
+│       ├── auth.ts
+│       └── post.ts
+│
+├── hooks/                   # Custom React hooks
+│   ├── use-media-query.ts
+│   └── use-debounce.ts
+│
+├── actions/                 # Server Actions
+│   ├── auth.ts
+│   ├── posts.ts
+│   └── users.ts
+│
+├── types/                   # TypeScript types
+│   ├── index.d.ts
+│   └── next-auth.d.ts
+│
+├── styles/
+│   └── globals.css
+│
+└── config/
+    ├── site.ts             # Site configuration
+    └── dashboard.ts        # Dashboard navigation
+```
+---
+## Quick Reference
+### Common Imports
+```typescript
+// Navigation
+import { redirect, notFound } from 'next/navigation'
+import { useRouter, usePathname, useSearchParams } from 'next/navigation'
+import Link from 'next/link'
+// Headers/Cookies
+import { headers, cookies } from 'next/headers'
+// Caching
+import { revalidatePath, revalidateTag } from 'next/cache'
+import { unstable_cache } from 'next/cache'
+import { cache } from 'react'
+// Images/Fonts
+import Image from 'next/image'
+import { Inter } from 'next/font/google'
+// Dynamic
+import dynamic from 'next/dynamic'
+// Metadata
+import type { Metadata, ResolvingMetadata } from 'next'
+```
+### Essential Patterns Cheat Sheet
+| Pattern | Use Case |
+|---------|----------|
+| `async function Component()` | Server Component data fetching |
+| `'use client'` | Interactive components |
+| `'use server'` | Server Actions |
+| `<Suspense>` | Streaming/loading states |
+| `loading.tsx` | Route-level loading UI |
+| `error.tsx` | Route-level error boundary |
+| `generateStaticParams` | Static generation for dynamic routes |
+| `generateMetadata` | Dynamic SEO metadata |
+| `revalidatePath/Tag` | On-demand revalidation |
+| `unstable_cache` | Cache non-fetch functions |
+| `cache()` | Request memoization |
+---
+*This skill provides comprehensive Next.js expertise. Reference specific sections as needed during development.*