nextjs-hackathon-stack 0.1.24 → 0.1.25

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nextjs-hackathon-stack",
-  "version": "0.1.24",
+  "version": "0.1.25",
   "description": "Scaffold a full-stack Next.js hackathon starter",
   "type": "module",
   "bin": {

package/template/.cursor/agents/security-researcher.md

@@ -12,7 +12,7 @@ readonly: true
 ### Authentication & Authorization
 - [ ] Supabase RLS enabled on all tables
 - [ ] Auth check in every protected API route
-- [ ] Session validation in middleware
+- [ ] Session validation in proxy
 - [ ] No hardcoded credentials or API keys
 
 ### Input Validation

package/template/.cursor/rules/general.mdc

@@ -6,7 +6,7 @@ alwaysApply: true
 # Stack Overview
 
 ## Technology Stack
-- **Framework**: Next.js 15 (App Router)
+- **Framework**: Next.js 16 (App Router)
 - **Database**: Supabase (PostgreSQL) with Drizzle ORM for schema/migrations
 - **Auth**: Supabase Auth via `@supabase/ssr`
 - **ORM**: Drizzle + `drizzle-zod` (schema + migrations ONLY — no runtime queries)

package/template/.cursor/rules/nextjs.mdc

@@ -1,9 +1,9 @@
 ---
-description: Next.js 15 App Router patterns.
+description: Next.js 16 App Router patterns.
 globs: ["src/app/**"]
 ---
 
-# Next.js 15 Rules
+# Next.js 16 Rules
 
 ## App Router Conventions
 - `page.tsx` — public route page component
@@ -11,7 +11,7 @@ globs: ["src/app/**"]
 - `loading.tsx` — Suspense boundary UI
 - `error.tsx` — Error boundary UI
 - `route.ts` — API route handler
-- `middleware.ts` — Edge middleware (project root)
+- `proxy.ts` — Request proxy (project root, Node.js runtime)
 
 ## Route Groups
 - `(auth)` — unauthenticated routes

package/template/.cursor/rules/supabase.mdc

@@ -34,3 +34,8 @@ const users = await db.select().from(usersTable); // WRONG — bypasses RLS
 - Enable RLS on ALL tables in Supabase dashboard
 - Every table must have explicit policies
 - Test RLS policies in migrations
+
+## Environment Variables
+- `NEXT_PUBLIC_SUPABASE_URL` + `NEXT_PUBLIC_SUPABASE_ANON_KEY` — client-safe, used in browser + server
+- `DATABASE_URL` — server-only, used by Drizzle for migrations (`drizzle.config.ts`)
+- See `.env.example` for all required variables

package/template/.cursor/skills/security-audit/SKILL.md

@@ -29,7 +29,7 @@ For each table in `src/shared/db/schema.ts`:
 - Confirm explicit policies exist
 
 ### 4. Auth Coverage
-- Verify `middleware.ts` protects all non-public routes
+- Verify `proxy.ts` protects all non-public routes
 - Check every `route.ts` in protected features has auth check
 - Verify `app/(protected)/layout.tsx` has server-side auth check
 

package/template/AGENTS.md

@@ -0,0 +1,21 @@
+<!-- BEGIN:nextjs-agent-rules -->
+
+# Next.js: ALWAYS read docs before coding
+
+Before any Next.js work, find and read the relevant doc in `node_modules/next/dist/docs/`. Your training data is outdated — the docs are the source of truth.
+
+<!-- END:nextjs-agent-rules -->
+
+# Environment variables
+
+Read `.env.example` for the full list. Key vars:
+
+| Variable | Visibility | Where to get it |
+|---|---|---|
+| `NEXT_PUBLIC_SUPABASE_URL` | Client + Server | Supabase > Project Settings > API |
+| `NEXT_PUBLIC_SUPABASE_ANON_KEY` | Client + Server | Supabase > Project Settings > API |
+| `DATABASE_URL` | Server only | Supabase > Project Settings > Database > Connection string (Session mode) |
+
+- `NEXT_PUBLIC_*` vars are safe to expose to the browser — they are public by design
+- Never add `NEXT_PUBLIC_` prefix to secret keys (`DATABASE_URL`, `AI_API_KEY`)
+- `.env.local` is gitignored — never commit real credentials

package/template/CLAUDE.md

@@ -0,0 +1,15 @@
+@AGENTS.md
+
+# Architecture
+
+Feature-based structure: `src/features/* → src/shared/*` (never reverse).
+
+- **Drizzle** = schema + migrations ONLY. Never use Drizzle for runtime queries.
+- **supabase-js** = all runtime queries. RLS is always active.
+- **Zod schemas** for DB types: auto-generate via `drizzle-zod`, never write manually.
+
+# Testing
+
+- 100% coverage required — `pnpm test:coverage` must pass
+- AAA pattern (Arrange / Act / Assert) in every test
+- Mock only external boundaries (Supabase, HTTP, DB) — never mock internal code

package/template/README.md

@@ -1,12 +1,12 @@
 # {{projectName}}
 
-Full-stack Next.js 15 hackathon starter.
+Full-stack Next.js 16 hackathon starter.
 
 ## Stack
 
 | Layer | Tool |
 |---|---|
-| Framework | Next.js 15 + App Router |
+| Framework | Next.js 16 + App Router |
 | Database | Supabase (PostgreSQL) |
 | Auth | Supabase Auth |
 | ORM | Drizzle (schema + migrations) |

package/template/next.config.ts

@@ -2,6 +2,9 @@ import type { NextConfig } from "next";
 
 const nextConfig: NextConfig = {
   typedRoutes: true,
+  logging: {
+    browserToTerminal: true,
+  },
   turbopack: {
     root: import.meta.dirname,
   },

package/template/package.json.tmpl

@@ -3,7 +3,7 @@
   "version": "0.1.0",
   "private": true,
   "scripts": {
-    "dev": "next dev --turbopack",
+    "dev": "next dev",
     "build": "next build",
     "start": "next start",
     "lint": "eslint . --max-warnings 0",
@@ -21,7 +21,7 @@
     "prepare": "husky"
   },
   "dependencies": {
-    "next": "^15",
+    "next": "^16.2",
     "@supabase/supabase-js": "^2",
     "@supabase/ssr": "^0.6",
     "drizzle-orm": "^0.44",
@@ -45,6 +45,7 @@
     "@types/node": "^22",
     "@types/react": "^19",
     "@types/react-dom": "^19",
+    "@next/env": "^16",
     "drizzle-kit": "^0.30",
     "vitest": "^3",
     "@vitejs/plugin-react": "^4",
@@ -60,7 +61,7 @@
     "eslint": "^9",
     "@eslint/js": "^9",
     "typescript-eslint": "^8",
-    "@next/eslint-plugin-next": "^15",
+    "@next/eslint-plugin-next": "^16",
     "eslint-plugin-react": "^7",
     "eslint-plugin-react-hooks": "^5",
     "eslint-plugin-import-x": "^4",

package/template/{middleware.ts → proxy.ts}

@@ -2,7 +2,7 @@ import type { NextRequest } from "next/server";
 
 import { updateSession } from "@/shared/lib/supabase/middleware";
 
-export async function middleware(request: NextRequest) {
+export async function proxy(request: NextRequest) {
   return updateSession(request);
 }
 

package/template/src/shared/__tests__/{middleware.test.ts → proxy.test.ts}

@@ -7,16 +7,16 @@ vi.mock("@/shared/lib/supabase/middleware", () => ({
   updateSession: (...args: unknown[]): unknown => mockUpdateSession(...args),
 }));
 
-describe("middleware", () => {
+describe("proxy", () => {
   it("delegates to updateSession", async () => {
     // Arrange
     const mockResponse = new Response(null, { status: 200 });
     mockUpdateSession.mockResolvedValue(mockResponse);
-    const mod = await import("../../../middleware") as { middleware: (req: NextRequest) => Promise<Response> };
+    const mod = await import("../../../proxy") as { proxy: (req: NextRequest) => Promise<Response> };
     const req = new NextRequest("http://localhost/dashboard");
 
     // Act
-    const response = await mod.middleware(req);
+    const response = await mod.proxy(req);
 
     // Assert
     expect(mockUpdateSession).toHaveBeenCalledWith(req);
@@ -25,7 +25,7 @@ describe("middleware", () => {
 
   it("exports a matcher config", async () => {
     // Arrange + Act
-    const mod = await import("../../../middleware") as { config: { matcher: string[] } };
+    const mod = await import("../../../proxy") as { config: { matcher: string[] } };
 
     // Assert
     expect(mod.config.matcher).toBeDefined();