create-saas-starter-workspace 0.1.0

package/templates/workspace/web/docs/LIMITS.md

@@ -0,0 +1,54 @@
+# 무료 티어 한도 (SSOT)
+
+변동되는 숫자만 이 파일에 모은다. 스킬·문서는 이 파일을 가리킨다. 공식 docs가 항상 우선이며, 본 파일과 다르면 docs를 따른다.
+
+갱신: 분기 1회 · 최근 2026-05-23.
+
+## Supabase Free
+
+- 활성 프로젝트: 2 / organization
+- DB 크기: 500MB / project
+- inactivity auto-pause: 7일
+- 출처: <https://supabase.com/pricing>
+
+## Vercel Hobby
+
+- 빌드 분: ~6,000 / 월
+- 함수 호출: ~1,000,000 / 월
+- 함수 최대 실행 시간: 300초 (Pro/Ent는 800초)
+- 요청·응답 본문: 4.5MB
+- 로그 보존: 1시간
+- Cron: Hobby는 하루 1회 간격까지 (개수·간격은 공식 docs 확인)
+- Deployment Checks (Wait for Checks): Hobby에서 사용 가능
+- Log Drains: Pro 전용
+- 출처: <https://vercel.com/docs/plans/hobby>
+
+> 상시 워커·웹소켓이 없고 함수 본문이 4.5MB로 제한되므로, 긴 작업은 Vercel Workflows로 처리한다. (한도가 아니라 아키텍처 지침)
+
+## Sentry Developer (Free)
+
+- 에러 이벤트: ~5,000 / 월
+- 보존: 30일
+- organization·user: 1
+- 출처: <https://sentry.io/pricing/>
+
+## GitHub Free
+
+- private repo: 무제한
+- GitHub Actions 분: ~2,000 / 월 (private repo)
+- secret scanning push protection: public repo만 무료 (private는 GitHub Advanced Security, 유료)
+- 출처: <https://github.com/pricing>
+
+## Resend (참고용, 본 템플릿엔 미포함)
+
+- 이메일 발송: ~3,000 / 월
+- 출처: <https://resend.com/pricing>
+
+## 한도 초과 시
+
+| 자원 | 초과 시 |
+|---|---|
+| Supabase | 프로젝트 비활성화 → Pro $25/mo 또는 데이터 정리 |
+| Vercel | 함수·빌드 정지 → 다음 사이클 대기 또는 Pro $20/mo |
+| Sentry | 새 이벤트 drop → 사이클 대기 또는 Team $26/mo |
+| GitHub Actions | 차단 → 다음 사이클 대기 또는 분 구입 |

package/templates/workspace/web/eslint.config.mjs

@@ -0,0 +1,46 @@
+import { defineConfig, globalIgnores } from "eslint/config";
+import nextVitals from "eslint-config-next/core-web-vitals";
+import nextTs from "eslint-config-next/typescript";
+
+const eslintConfig = defineConfig([
+  ...nextVitals,
+  ...nextTs,
+  // type-aware: deprecated API 호출을 lint로 검출.
+  {
+    files: ["**/*.{ts,tsx,mts,cts}"],
+    languageOptions: {
+      parserOptions: { projectService: true, tsconfigRootDir: import.meta.dirname },
+    },
+    rules: {
+      "@typescript-eslint/no-deprecated": "warn",
+      // feature 캡슐화: 다른 feature는 public index(@/features/<name>)로만 import — 내부 deep import 금지.
+      "no-restricted-imports": ["error", {
+        patterns: [{
+          group: ["@/features/*/*"],
+          message: "feature 내부 deep import 금지 — public API(@/features/<name>)로만 import.",
+        }],
+      }],
+    },
+  },
+  {
+    // 소유 표면(lib)은 features를 import하지 않는다 — 단방향 seam 경계(app→features→lib).
+    // 이 경계가 있어 템플릿 갱신(소유 파일 마이그레이션)이 features와 충돌 없이 기계적으로 적용된다.
+    files: ["lib/**/*.{ts,tsx}"],
+    rules: {
+      "no-restricted-imports": ["error", {
+        patterns: [{
+          group: ["@/features", "@/features/*", "@/features/*/*"],
+          message: "lib(소유 표면)은 features를 import할 수 없다 — 단방향 의존(app→features→lib) 유지.",
+        }],
+      }],
+    },
+  },
+  globalIgnores([
+    ".next/**",
+    "out/**",
+    "build/**",
+    "next-env.d.ts",
+  ]),
+]);
+
+export default eslintConfig;

package/templates/workspace/web/gitignore

@@ -0,0 +1,51 @@
+# dependencies
+node_modules/
+.pnp/
+.pnp.*
+
+# next
+.next/
+out/
+build/
+
+# vercel
+.vercel
+.vercel.local
+
+# env (절대 커밋 금지)
+.env
+.env.local
+.env.*.local
+.env.development.local
+.env.production.local
+.env.sentry-build-plugin
+
+# testing
+coverage/
+.vitest-cache/
+
+# misc
+.DS_Store
+*.pem
+
+# logs
+*.log
+npm-debug.log*
+pnpm-debug.log*
+
+# typescript
+*.tsbuildinfo
+next-env.d.ts
+
+# sentry
+.sentryclirc
+
+# IDE
+.idea/
+.vscode/*
+!.vscode/settings.json
+!.vscode/extensions.json
+
+# supabase (Docker 미사용이지만 잔여 파일 대비)
+supabase/.branches
+supabase/.temp

package/templates/workspace/web/instrumentation-client.ts

@@ -0,0 +1,16 @@
+// Browser SDK 초기화. Next가 client bundle에 자동 포함.
+import * as Sentry from "@sentry/nextjs";
+
+// 브라우저엔 배포 환경 신호(APP_ENV)가 client bundle에 없으므로 DSN 존재로 게이트한다.
+// DSN은 prod에만 주입되므로(go-live 배선) 사실상 production-only 송출.
+const dsn = process.env.NEXT_PUBLIC_SENTRY_DSN;
+
+Sentry.init({
+  dsn,
+  enabled: !!dsn,
+  environment: dsn ? "production" : "development",
+  tracesSampleRate: 0,
+});
+
+// Next 16: 내비게이션 계측을 위해 Sentry가 요구하는 hook.
+export const onRouterTransitionStart = Sentry.captureRouterTransitionStart;

package/templates/workspace/web/instrumentation.ts

@@ -0,0 +1,12 @@
+import * as Sentry from "@sentry/nextjs";
+
+export async function register() {
+  if (process.env.NEXT_RUNTIME === "nodejs") {
+    await import("./sentry.server.config");
+  }
+  if (process.env.NEXT_RUNTIME === "edge") {
+    await import("./sentry.edge.config");
+  }
+}
+
+export const onRequestError = Sentry.captureRequestError;

package/templates/workspace/web/lib/app-env.ts

@@ -0,0 +1,12 @@
+// 벤더 중립 배포 환경 신호. Vercel은 VERCEL_ENV를 자동 주입하고, 그 외 호스트는 APP_ENV를 직접 설정한다.
+// 순수 함수(process.env만 읽음, server-only 아님)라 런타임 코드(lib/env.server)와
+// 빌드 시점 init 파일(sentry.*.config·instrumentation)에서 모두 안전하게 쓴다.
+export type AppEnv = "development" | "preview" | "production";
+
+export function resolveAppEnv(source: NodeJS.ProcessEnv = process.env): AppEnv {
+  const raw = source.APP_ENV ?? source.VERCEL_ENV;
+  // production·preview만 명시 환경, 그 외(미설정·"" 포함)는 development로 안전 기본.
+  return raw === "production" || raw === "preview" ? raw : "development";
+}
+
+export const APP_ENV: AppEnv = resolveAppEnv();

package/templates/workspace/web/lib/bridge/contract.ts

@@ -0,0 +1,146 @@
+import { z } from "zod";
+
+/**
+ * App ↔ Web bridge contract — SINGLE SOURCE OF TRUTH.
+ *
+ * This file is copied byte-for-byte into the web project (docs/web-adapter/contract.ts).
+ * The two MUST stay identical; the web adapter ships a checksum check to enforce it.
+ *
+ * Invariants (never break these):
+ *  1. Every message is namespaced (`ns: "ssb"`) so unrelated postMessage traffic on
+ *     the page is ignored.
+ *  2. The contract is ADDITIVE-ONLY. Add new message `type`s or new OPTIONAL payload
+ *     fields; never remove a type, rename one, or make an existing field required.
+ *     Old apps must keep working against new webs and vice-versa.
+ *  3. Features are gated by HELLO `capabilities` (a string array), NOT by version
+ *     number. The app advertises what it can do; the web feature-detects.
+ *  4. The reader (reader.ts) is tolerant: anything unrecognized becomes UNKNOWN and
+ *     never throws.
+ *  5. Auth tokens NEVER travel over this channel. Session handoff is a server
+ *     Set-Cookie via a one-time nonce (see src/session + docs/web-adapter).
+ */
+
+export const SSB_NS = "ssb" as const;
+export const SSB_PROTOCOL_VERSION = 1 as const;
+
+/** All message type names. Add here (append-only) when extending the contract. */
+export const MSG = {
+  // ── app → web ──
+  /** App announces itself + capabilities as soon as the page is reachable. */
+  HELLO: "HELLO",
+  /** App confirms a web session cookie was installed (after native login handoff). */
+  SESSION_INSTALLED: "SESSION_INSTALLED",
+  /** App confirms it cleared its local session copy after a logout. */
+  LOGOUT_DONE: "LOGOUT_DONE",
+  /** Forward-compat only — push is a fast-follow; defined so the web can feature-detect later. */
+  PUSH_TOKEN_UPDATED: "PUSH_TOKEN_UPDATED",
+
+  // ── web → app ──
+  /** Web acknowledges the bridge is live (handshake completes). */
+  READY: "READY",
+  /** Web has no session and asks the app to run native login + install a session. */
+  REQUEST_SESSION_INSTALL: "REQUEST_SESSION_INSTALL",
+  /** Web tells the app its auth state changed (e.g. user logged in/out inside the webview). */
+  AUTH_STATE_CHANGED: "AUTH_STATE_CHANGED",
+  /** Web asks the app to forget the session (user logged out). */
+  LOGOUT: "LOGOUT",
+  /** Web asks the app to open a URL in the system browser instead of the webview. */
+  OPEN_EXTERNAL: "OPEN_EXTERNAL",
+
+  // ── reader fallback (not a wire message) ──
+  UNKNOWN: "UNKNOWN",
+} as const;
+
+export type MessageType = (typeof MSG)[keyof typeof MSG];
+
+/** Fields shared by every envelope. */
+const envelopeBase = {
+  ns: z.literal(SSB_NS),
+  v: z.number().int(),
+  /** Correlation id, present on request/response pairs. */
+  id: z.string().optional(),
+};
+
+// ───────────────────────── web → app (inbound) ─────────────────────────
+const ReadyMessage = z.object({
+  ...envelopeBase,
+  type: z.literal(MSG.READY),
+  payload: z.object({}).optional(),
+});
+
+const RequestSessionInstallMessage = z.object({
+  ...envelopeBase,
+  type: z.literal(MSG.REQUEST_SESSION_INSTALL),
+  payload: z.object({ redirectPath: z.string().optional() }).optional(),
+});
+
+const AuthStateChangedMessage = z.object({
+  ...envelopeBase,
+  type: z.literal(MSG.AUTH_STATE_CHANGED),
+  payload: z.object({ authenticated: z.boolean() }),
+});
+
+const LogoutMessage = z.object({
+  ...envelopeBase,
+  type: z.literal(MSG.LOGOUT),
+  payload: z.object({}).optional(),
+});
+
+const OpenExternalMessage = z.object({
+  ...envelopeBase,
+  type: z.literal(MSG.OPEN_EXTERNAL),
+  payload: z.object({ url: z.string() }),
+});
+
+export const InboundSchema = z.discriminatedUnion("type", [
+  ReadyMessage,
+  RequestSessionInstallMessage,
+  AuthStateChangedMessage,
+  LogoutMessage,
+  OpenExternalMessage,
+]);
+export type InboundMessage = z.infer<typeof InboundSchema>;
+
+// ───────────────────────── app → web (outbound) ─────────────────────────
+const HelloMessage = z.object({
+  ...envelopeBase,
+  type: z.literal(MSG.HELLO),
+  payload: z.object({
+    protocolVersion: z.number().int(),
+    capabilities: z.array(z.string()),
+    appVersion: z.string(),
+    platform: z.enum(["ios", "android"]),
+  }),
+});
+
+const SessionInstalledMessage = z.object({
+  ...envelopeBase,
+  type: z.literal(MSG.SESSION_INSTALLED),
+  payload: z.object({ ok: z.boolean() }),
+});
+
+const LogoutDoneMessage = z.object({
+  ...envelopeBase,
+  type: z.literal(MSG.LOGOUT_DONE),
+  payload: z.object({}).optional(),
+});
+
+const PushTokenUpdatedMessage = z.object({
+  ...envelopeBase,
+  type: z.literal(MSG.PUSH_TOKEN_UPDATED),
+  payload: z.object({ token: z.string() }),
+});
+
+export const OutboundSchema = z.discriminatedUnion("type", [
+  HelloMessage,
+  SessionInstalledMessage,
+  LogoutDoneMessage,
+  PushTokenUpdatedMessage,
+]);
+export type OutboundMessage = z.infer<typeof OutboundSchema>;
+
+/**
+ * The tolerant reader's fallback shape. Not a valid wire message — produced only
+ * when an inbound payload cannot be understood. See reader.ts.
+ */
+export type UnknownMessage = { type: typeof MSG.UNKNOWN; raw: unknown };

package/templates/workspace/web/lib/bridge/reader.ts

@@ -0,0 +1,31 @@
+import { InboundSchema, MSG, type InboundMessage, type UnknownMessage } from "./contract";
+
+export type ReadResult = InboundMessage | UnknownMessage;
+
+/**
+ * Tolerant reader for messages arriving FROM the web (WebView `onMessage`).
+ *
+ * Hard contract: this function NEVER throws. Anything it cannot confidently
+ * understand — wrong namespace, non-JSON string, unknown `type`, missing/invalid
+ * fields, a number, null — collapses to `{ type: "UNKNOWN", raw }`. The native
+ * shell must survive hostile, outdated, or unrelated postMessage traffic.
+ *
+ * `raw` is whatever `event.nativeEvent.data` gave us (usually a JSON string, but
+ * a parsed object is accepted too).
+ */
+export function readInbound(raw: unknown): ReadResult {
+  let candidate: unknown = raw;
+
+  if (typeof raw === "string") {
+    try {
+      candidate = JSON.parse(raw);
+    } catch {
+      return { type: MSG.UNKNOWN, raw };
+    }
+  }
+
+  const parsed = InboundSchema.safeParse(candidate);
+  if (parsed.success) return parsed.data;
+
+  return { type: MSG.UNKNOWN, raw };
+}

package/templates/workspace/web/lib/env.server.ts

@@ -0,0 +1,33 @@
+import "server-only"; // 클라이언트 bundle 침투 시 빌드 에러로 차단
+import { z } from "zod";
+import { env as clientEnv, emptyAsUndefined } from "@/lib/env";
+import { resolveAppEnv } from "@/lib/app-env";
+
+// 통합은 전부 optional + 빈 문자열 정규화 → 키가 없으면 조용히 no-op(graceful degradation).
+const ServerSchema = z.object({
+  NODE_ENV: z.enum(["development", "test", "production"]).default("development"),
+  // secret key 부재 시 admin 클라이언트 생성이 throw. parsing은 통과(CI test·미설정 통합 허용).
+  SUPABASE_SECRET_KEY: emptyAsUndefined(z.string().optional()),
+  SUPABASE_DEV_REF: emptyAsUndefined(z.string().optional()),
+  SUPABASE_PROD_REF: emptyAsUndefined(z.string().optional()),
+  SENTRY_AUTH_TOKEN: emptyAsUndefined(z.string().optional()),
+  SENTRY_ORG: emptyAsUndefined(z.string().optional()),
+  SENTRY_PROJECT: emptyAsUndefined(z.string().optional()),
+  // CRON_SECRET, RESEND_API_KEY 등은 해당 기능 추가 시 더한다.
+});
+
+const serverOnly = ServerSchema.parse({
+  NODE_ENV: process.env.NODE_ENV,
+  SUPABASE_SECRET_KEY: process.env.SUPABASE_SECRET_KEY,
+  SUPABASE_DEV_REF: process.env.SUPABASE_DEV_REF,
+  SUPABASE_PROD_REF: process.env.SUPABASE_PROD_REF,
+  SENTRY_AUTH_TOKEN: process.env.SENTRY_AUTH_TOKEN,
+  SENTRY_ORG: process.env.SENTRY_ORG,
+  SENTRY_PROJECT: process.env.SENTRY_PROJECT,
+});
+
+// 벤더 중립 배포 환경. Vercel은 VERCEL_ENV 자동 매핑, 그 외 호스트는 APP_ENV. 코드 분기는 이 값으로.
+const APP_ENV = resolveAppEnv();
+
+// client 필드도 같이 묶어 server 코드는 이 하나로 모든 env 접근.
+export const env = { ...clientEnv, ...serverOnly, APP_ENV };

package/templates/workspace/web/lib/env.ts

@@ -0,0 +1,21 @@
+// 클라이언트·서버 어디서나 import 가능.
+// 서버 전용 키(SUPABASE_SECRET_KEY 등)는 `lib/env.server.ts`에 분리.
+import { z } from "zod";
+
+// Vercel은 미설정 변수를 undefined가 아니라 빈 문자열("")로 주입한다. ""를 undefined로 정규화해
+// optional 스키마가 빈 값에서 throw하지 않게 하고, 미설정 통합이 깔끔히 비활성(no-op)되게 한다.
+export const emptyAsUndefined = <T extends z.ZodType>(schema: T) =>
+  z.preprocess((v) => (v === "" ? undefined : v), schema);
+
+// 코어 한 축(Supabase)만 부팅 필수. 나머지 통합은 optional이라 키가 없으면 조용히 비활성.
+const ClientSchema = z.object({
+  NEXT_PUBLIC_SUPABASE_URL: z.url(),
+  NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY: z.string().min(1),
+  NEXT_PUBLIC_SENTRY_DSN: emptyAsUndefined(z.url().optional()),
+});
+
+export const env = ClientSchema.parse({
+  NEXT_PUBLIC_SUPABASE_URL: process.env.NEXT_PUBLIC_SUPABASE_URL,
+  NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY: process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY,
+  NEXT_PUBLIC_SENTRY_DSN: process.env.NEXT_PUBLIC_SENTRY_DSN,
+});

package/templates/workspace/web/lib/logger.ts

@@ -0,0 +1,32 @@
+import "server-only"; // 클라이언트 컴포넌트 import 시 빌드 에러로 잡힘
+import * as Sentry from "@sentry/nextjs";
+import { createSupabaseAdmin } from "@/lib/supabase/admin";
+import { env } from "@/lib/env.server";
+
+type Level = "info" | "warn" | "error" | "audit";
+
+async function write(level: Level, message: string, context?: Record<string, unknown>) {
+  const entry = { level, message, context, ts: new Date().toISOString() };
+  if (level === "error") console.error(entry); else console.log(entry);
+
+  if (level === "error") {
+    Sentry.captureException(new Error(message), { extra: context });
+  }
+
+  // RLS 정책이 service_role만 insert 허용하므로 admin 클라이언트.
+  if (env.SUPABASE_SECRET_KEY) {
+    try {
+      const admin = createSupabaseAdmin();
+      await admin.from("logs").insert({ level, message, context });
+    } catch {
+      /* logs 테이블 미존재·연결 실패는 무시 */
+    }
+  }
+}
+
+export const logger = {
+  info: (msg: string, ctx?: Record<string, unknown>) => write("info", msg, ctx),
+  warn: (msg: string, ctx?: Record<string, unknown>) => write("warn", msg, ctx),
+  error: (msg: string, ctx?: Record<string, unknown>) => write("error", msg, ctx),
+  audit: (msg: string, ctx?: Record<string, unknown>) => write("audit", msg, ctx),
+};

package/templates/workspace/web/lib/supabase/admin.ts

@@ -0,0 +1,14 @@
+import "server-only"; // 클라이언트 import 차단
+// secret 키 사용. RLS 우회. 서버 전용.
+// 일반 사용자 데이터 접근은 server.ts(publishable + 세션) 사용.
+import { createClient } from "@supabase/supabase-js";
+import { env } from "@/lib/env.server";
+
+export function createSupabaseAdmin() {
+  if (!env.SUPABASE_SECRET_KEY) {
+    throw new Error("SUPABASE_SECRET_KEY missing — admin client unavailable");
+  }
+  return createClient(env.NEXT_PUBLIC_SUPABASE_URL, env.SUPABASE_SECRET_KEY, {
+    auth: { persistSession: false, autoRefreshToken: false },
+  });
+}

package/templates/workspace/web/lib/supabase/client.ts

@@ -0,0 +1,9 @@
+import { createBrowserClient } from "@supabase/ssr";
+import { env } from "@/lib/env";
+
+export function createSupabaseClient() {
+  return createBrowserClient(
+    env.NEXT_PUBLIC_SUPABASE_URL,
+    env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY,
+  );
+}

package/templates/workspace/web/lib/supabase/server.ts

@@ -0,0 +1,24 @@
+import { createServerClient } from "@supabase/ssr";
+import { cookies } from "next/headers";
+import { env } from "@/lib/env";
+
+export async function createSupabaseServer() {
+  const cookieStore = await cookies();
+  return createServerClient(
+    env.NEXT_PUBLIC_SUPABASE_URL,
+    env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY,
+    {
+      cookies: {
+        getAll: () => cookieStore.getAll(),
+        setAll: (cookiesToSet) => {
+          try {
+            cookiesToSet.forEach(({ name, value, options }) =>
+              cookieStore.set(name, value, options));
+          } catch {
+            /* server component은 set 불가 — middleware가 갱신 책임 */
+          }
+        },
+      },
+    },
+  );
+}

package/templates/workspace/web/lib/utils.ts

@@ -0,0 +1,6 @@
+import { clsx, type ClassValue } from "clsx"
+import { twMerge } from "tailwind-merge"
+
+export function cn(...inputs: ClassValue[]) {
+  return twMerge(clsx(inputs))
+}

package/templates/workspace/web/next.config.ts

@@ -0,0 +1,16 @@
+import type { NextConfig } from "next";
+import { withSentryConfig } from "@sentry/nextjs";
+
+const nextConfig: NextConfig = {
+  /* config options here */
+};
+
+// Sentry env가 없으면 sourcemap upload만 스킵, 빌드는 통과.
+export default withSentryConfig(nextConfig, {
+  org: process.env.SENTRY_ORG,
+  project: process.env.SENTRY_PROJECT,
+  silent: !process.env.CI,
+  widenClientFileUpload: true,
+  // Vercel Cron 추가 시 cron monitor 자동등록 옵션(webpack.automaticVercelMonitors)을 여기 더한다
+  // — cron 가이드 참조. cron이 없는 기본 상태에선 두지 않아 deprecation 경고를 피한다.
+});

package/templates/workspace/web/npmrc

@@ -0,0 +1,14 @@
+# Supply-chain 안전망
+#
+# 새로 publish된 패키지는 14일이 지나야 install·resolve 대상에 포함된다.
+# 메인테이너 계정 탈취·typosquatting 같은 공격은 보통 publish 후 48시간 내에
+# 발견·yank되므로, 14일 cooldown은 community 검증 윈도우를 확보한다.
+#
+# 단위: 분. 14일 = 14 * 24 * 60 = 20160.
+# 요구: pnpm >= 10.10
+minimum-release-age=20160
+
+# 잠금파일 무결성: install 시 lockfile에 박힌 hash·버전 그대로만 사용.
+# 누군가 임의로 lockfile을 수정하면 install이 실패한다.
+# (CI는 별도로 --frozen-lockfile flag 사용)
+verify-deps-before-run=true

package/templates/workspace/web/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "my-space",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "eslint",
+    "lint:ci": "eslint --max-warnings 0",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "@base-ui/react": "^1.4.1",
+    "@sentry/nextjs": "^10.52.0",
+    "@supabase/ssr": "^0.10.3",
+    "@supabase/supabase-js": "^2.105.4",
+    "class-variance-authority": "^0.7.1",
+    "clsx": "^2.1.1",
+    "lucide-react": "^1.14.0",
+    "next": "^16.2.6",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "server-only": "^0.0.1",
+    "tailwind-merge": "^3.5.0",
+    "tw-animate-css": "^1.4.0",
+    "zod": "^4.4.3"
+  },
+  "devDependencies": {
+    "@tailwindcss/postcss": "^4.3.0",
+    "@testing-library/jest-dom": "^6.9.1",
+    "@testing-library/react": "^16.3.2",
+    "@testing-library/user-event": "^14.6.1",
+    "@types/node": "^20.19.40",
+    "@types/react": "^19.2.14",
+    "@types/react-dom": "^19.2.3",
+    "@vitejs/plugin-react": "^6.0.1",
+    "@vitest/coverage-v8": "^4.1.5",
+    "eslint": "^9.39.4",
+    "eslint-config-next": "^16.2.6",
+    "jsdom": "^29.1.1",
+    "shadcn": "^4.7.0",
+    "supabase": "^2.101.0",
+    "tailwindcss": "^4.3.0",
+    "typescript": "^5.9.3",
+    "vitest": "^4.1.5"
+  },
+  "pnpm": {
+    "overrides": {
+      "postcss@<8.5.10": "^8.5.10"
+    },
+    "onlyBuiltDependencies": [
+      "@sentry/cli",
+      "supabase"
+    ]
+  },
+  "packageManager": "pnpm@10.33.2"
+}