nextjs-hackathon-stack 0.1.29 → 0.1.31

package/template/.cursor/rules/nextjs.mdc

@@ -1,9 +1,9 @@
 ---
-description: Next.js 16 App Router patterns.
+description: Next.js 16.2 App Router patterns.
 globs: ["src/app/**"]
 ---
 
-# Next.js 16 Rules
+# Next.js 16.2 Rules
 
 ## App Router Conventions
 - `page.tsx` — public route page component
@@ -11,7 +11,7 @@ globs: ["src/app/**"]
 - `loading.tsx` — Suspense boundary UI
 - `error.tsx` — Error boundary UI
 - `route.ts` — API route handler
-- `proxy.ts` — Request proxy (project root, Node.js runtime)
+- `proxy.ts` — Request proxy (project root, Node.js runtime). Intercepts and rewrites requests before they reach route handlers (e.g., session validation, redirects).
 
 ## Route Groups
 - `(auth)` — unauthenticated routes
@@ -44,3 +44,27 @@ export const metadata: Metadata = {
   description: "Page description",
 };
 ```
+
+## Browser Log Forwarding
+
+Next.js 16.2 can forward browser logs to the terminal. Configure in `next.config.ts`:
+
+```typescript
+const nextConfig: NextConfig = {
+  logging: {
+    browserToTerminal: 'error', // 'error' (default) | 'warn' | true (all) | false (disabled)
+  },
+};
+```
+
+- `'error'` — forwards browser errors only (default)
+- `'warn'` — forwards errors and warnings
+- `true` — forwards all console output
+- `false` — disabled
+
+## Dev Server Lock File
+
+Next.js 16.2 writes `.next/dev/lock` when `next dev` starts. The file contains the PID, port, and URL of the running dev server.
+
+- Agents and scripts must check `.next/dev/lock` before starting `next dev` or `next build` to avoid duplicate processes.
+- If the lock file exists and the PID is still alive, attach to the existing server instead of starting a new one.

package/template/.cursor/rules/security.mdc

@@ -1,6 +1,6 @@
 ---
-description: Security rules and OWASP guidelines. Always applies.
-alwaysApply: true
+description: Security rules (OWASP, auth, RLS, XSS, CSP). Applied to server code, API routes, actions, auth, and config.
+globs: ["src/**/actions/**", "src/**/api/**", "src/**/lib/supabase/**", "src/app/**/route.ts", "src/app/**/proxy.ts", "*.config.*"]
 ---
 
 # Security Rules
@@ -28,7 +28,10 @@ Never use `NEXT_PUBLIC_` for secret keys.
 - Write explicit allow/deny policies
 - Test RLS policies — never assume they work
 
-## Auth in API Routes
+## Auth in API Routes and Server Actions
+
+Every Server Action and API route that accesses data must verify auth via `getUser()` before any data access. RLS provides row-level enforcement, but `getUser()` at the action level is required as defense-in-depth — never rely on RLS alone.
+
 ```typescript
 export async function POST(request: Request) {
   const supabase = await createClient();
@@ -38,6 +41,36 @@ export async function POST(request: Request) {
 }
 ```
 
+Every mutation Server Action must:
+1. Call `getUser()` and return an error result if no user
+2. Scope all queries to `user.id` (even with RLS active)
+
+```typescript
+export async function deleteItemAction(id: string): Promise<ActionResult> {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return { status: "error", message: "No autenticado" };
+
+  const { error } = await supabase.from("items").delete().eq("id", id).eq("user_id", user.id);
+  if (error) return { status: "error", message: "Error al eliminar" };
+
+  revalidatePath("/");
+  return { status: "success", message: "Eliminado" };
+}
+```
+
+## Open Redirect Prevention
+
+Validate all redirect targets — ensure `next`/`redirect` params start with `/` and not `//`. Never redirect to user-controlled URLs without validation.
+
+```typescript
+// ✅ Safe redirect validation
+const next = rawNext.startsWith("/") && !rawNext.startsWith("//") ? rawNext : "/";
+
+// ❌ Unsafe — allows protocol-relative redirects (//evil.com)
+const next = searchParams.get("next") ?? "/";
+```
+
 ## Input Validation
 - Validate ALL external input with Zod at the boundary
 - Validate in Server Actions AND API routes
@@ -48,6 +81,23 @@ export async function POST(request: Request) {
 - Apply rate limiting to auth endpoints
 - Use Vercel's built-in rate limiting or `@upstash/ratelimit`
 
+## Content Security Policy
+
+`script-src` must not include `'unsafe-eval'`. Avoid `'unsafe-inline'` for scripts — prefer nonce-based CSP. `'unsafe-inline'` is acceptable for `style-src` only.
+
+```typescript
+// ✅ Ideal — nonce-based CSP (no unsafe-inline for scripts)
+`script-src 'self' 'nonce-${nonce}'`,
+"style-src 'self' 'unsafe-inline'",
+
+// ✅ Acceptable intermediate — add a TODO to migrate to nonce-based
+"script-src 'self' 'unsafe-inline'", // TODO: replace with nonce-based CSP
+"style-src 'self' 'unsafe-inline'",
+
+// ❌ Never — unsafe-eval is forbidden
+"script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+```
+
 ## Cookies
 - `httpOnly: true` for auth tokens (Supabase handles this)
 - `secure: true` in production

package/template/.cursor/rules/supabase.mdc

@@ -21,10 +21,26 @@ export const selectUserSchema = createSelectSchema(users);
 const userSchema = z.object({ id: z.string(), email: z.string() }); // WRONG
 ```
 
-## Runtime Queries: supabase-js (RLS active)
+## Runtime Reads: Repository Pattern (RLS active)
+
+All reads go through the feature's `queries/` module — never call `supabase.from().select()` inline in pages or actions.
+
 ```typescript
-// ✅ Runtime queries via supabase-js
-const { data, error } = await supabase.from("users").select("*").eq("id", userId);
+// ✅ Read via repository function
+import { getUserById } from "@/features/users/queries/users.queries";
+const { data, error } = await getUserById(supabase, userId);
+
+// ✅ Repository module — receives supabase client as parameter (DI)
+// src/features/users/queries/users.queries.ts
+import type { createClient } from "@/shared/lib/supabase/server";
+type Client = Awaited<ReturnType<typeof createClient>>;
+
+export async function getUserById(supabase: Client, userId: string) {
+  return supabase.from("users").select("*").eq("id", userId).single();
+}
+
+// ❌ Never inline a SELECT in a page or action
+const { data } = await supabase.from("users").select("*").eq("id", userId); // WRONG in page/action
 
 // ❌ Never use Drizzle for runtime queries
 const users = await db.select().from(usersTable); // WRONG — bypasses RLS

package/template/.cursor/rules/testing.mdc

@@ -70,19 +70,28 @@ it("calls signInWithPassword with correct args", () => { ... });
 ```
 
 ## Playwright (E2E)
-- Use `data-testid` attributes for stable selectors
+- **Always use `data-testid` attributes for element selection** — never use visible text or translated labels. Text-based selectors break when copy or i18n changes.
 - Page Object Pattern for complex flows
 - Every user flow needs an e2e test
 
+```typescript
+// ✅ Stable — decoupled from i18n
+await page.getByTestId("submit-button").click();
+
+// ❌ Brittle — breaks if language changes or copy is updated
+await page.getByRole("button", { name: /sign in/i }).click();
+await page.getByLabel(/email/i).fill("...");
+```
+
 ```typescript
 test("user can log in", async ({ page }) => {
   // Arrange
   await page.goto("/login");
 
   // Act
-  await page.getByLabel(/email/i).fill("user@example.com");
-  await page.getByLabel(/password/i).fill("password123");
-  await page.getByRole("button", { name: /sign in/i }).click();
+  await page.getByTestId("email-input").fill("user@example.com");
+  await page.getByTestId("password-input").fill("password123");
+  await page.getByTestId("sign-in-button").click();
 
   // Assert
   await expect(page).toHaveURL("/");

package/template/.cursor/skills/create-feature/SKILL.md

@@ -8,17 +8,20 @@ description: Scaffold a new feature following TDD and project conventions. Use w
 ## Process
 
 ### 1. Requirements First
-- Check `.requirements/` for existing spec
-- If none exists, ask the user to describe the feature
-- Document in `.requirements/<feature-name>.md` using the Given/When/Then template
+- Check `.requirements/` for an existing functional issue
+- If a spec exists, read it and proceed to Step 2
+- **If no spec exists, call @business-intelligence** to run the discovery process and produce a functional issue in `.requirements/<feature-name>.md`
+- Wait for the functional issue to be written and confirmed by the user before proceeding to Step 2
 
 ### 2. Create Feature Structure
 ```
 src/features/<feature-name>/
 ├── components/
 ├── actions/
+├── queries/
 ├── hooks/
 ├── api/
+├── lib/
 └── __tests__/
 ```
 
@@ -26,7 +29,8 @@ src/features/<feature-name>/
 Write ALL test files first:
 - `__tests__/<component>.test.tsx` — component tests
 - `__tests__/use-<feature>.test.ts` — hook tests
-- `__tests__/<action>.test.ts` — action tests
+- `__tests__/<action>.test.ts` — action tests (see `references/server-action-test-template.md`)
+- `__tests__/<feature>.queries.test.ts` — query tests
 
 Run `pnpm test:unit` — all tests must FAIL (RED).
 

package/template/.cursor/skills/create-feature/references/server-action-test-template.md

@@ -0,0 +1,51 @@
+# Server Action Testing Pattern
+
+Test Server Actions by mocking `createClient`, asserting on the returned `ActionResult`, and verifying side effects.
+
+```typescript
+import { vi, it, expect, describe } from "vitest";
+import { myAction } from "@/features/example/actions/my.action";
+
+vi.mock("@/shared/lib/supabase/server", () => ({
+  createClient: vi.fn(),
+}));
+vi.mock("next/cache", () => ({ revalidatePath: vi.fn() }));
+
+describe("myAction", () => {
+  it("returns error when user is not authenticated", async () => {
+    // Arrange
+    const mockSupabase = {
+      auth: { getUser: vi.fn().mockResolvedValue({ data: { user: null } }) },
+    };
+    vi.mocked(createClient).mockResolvedValue(mockSupabase as never);
+    const formData = new FormData();
+
+    // Act
+    const result = await myAction(formData);
+
+    // Assert
+    expect(result).toEqual({ status: "error", message: "No autenticado" });
+    expect(revalidatePath).not.toHaveBeenCalled();
+  });
+
+  it("returns success and revalidates on valid input", async () => {
+    // Arrange
+    const mockUser = { id: "user-1" };
+    const mockSupabase = {
+      auth: { getUser: vi.fn().mockResolvedValue({ data: { user: mockUser } }) },
+      from: vi.fn().mockReturnThis(),
+      insert: vi.fn().mockResolvedValue({ error: null }),
+    };
+    vi.mocked(createClient).mockResolvedValue(mockSupabase as never);
+    const formData = new FormData();
+    formData.set("name", "Test Item");
+
+    // Act
+    const result = await myAction(formData);
+
+    // Assert
+    expect(result).toEqual({ status: "success", message: expect.any(String) });
+    expect(revalidatePath).toHaveBeenCalledWith("/");
+  });
+});
+```

package/template/.cursor/skills/review-branch/SKILL.md

@@ -17,28 +17,8 @@ Or for a specific branch:
 git diff develop...<branch-name>
 ```
 
-### 2. Check Each Changed File Against:
-
-#### Code Quality
-- Zero `any` types
-- Zero comments
-- Functions ≤ 20 lines, files ≤ 200 lines
-- No magic numbers/strings
-
-#### Tests
-- Test files exist for every changed source file
-- Tests cover new code paths
-- No implementation-detail testing
-
-#### Architecture
-- Correct imports (features → shared only)
-- Server Actions for mutations
-- Edge runtime on AI routes
-
-#### Security
-- Input validation at boundaries
-- Auth checks present
-- No exposed secrets
+### 2. Check Each Changed File
+Apply the full checklist from `references/review-checklist.md` — covers code quality, tests, architecture, security, performance, and accessibility.
 
 ### 3. Generate Report
 ```

package/template/.cursor/skills/review-branch/references/review-checklist.md

@@ -0,0 +1,36 @@
+# Review Checklist
+
+## Code Quality
+- Zero `any` types
+- Zero comments (excluding test AAA labels: `// Arrange`, `// Act`, `// Assert`)
+- Functions ≤ 20 lines
+- Files ≤ 200 lines
+- No magic numbers/strings
+- Proper error handling
+
+## Tests
+- Tests written BEFORE implementation (TDD)
+- 100% coverage on new/changed files
+- 100% BRANCH coverage (every if/else/ternary/catch)
+- Behavior tested, not implementation
+- AAA pattern with labeled comments on every test
+- Tests NOT weakened (no removed assertions, no loosened matchers, no .skip)
+- Edge cases covered: null, empty, boundaries, errors, auth expired
+
+## Architecture
+- Correct layer (features → shared only)
+- Server Actions for mutations (not TanStack)
+- Edge runtime on AI routes
+
+## Security
+- Input validation at boundaries
+- Auth checks in protected routes
+- No exposed secrets
+
+## Performance
+- No N+1 query patterns
+- No unnecessary re-renders
+
+## Accessibility
+- Semantic HTML
+- ARIA labels where needed

package/template/.cursor/skills/security-audit/SKILL.md

@@ -8,45 +8,14 @@ disable-model-invocation: true
 
 ## Process
 
-### 1. Dependency Audit
-```bash
-pnpm audit
-```
-Categorize findings by: Critical / High / Medium / Low
-
-### 2. Secret Scan
-Search for hardcoded secrets:
-```bash
-grep -r "sk_" src/ --include="*.ts"
-grep -r "apiKey\s*=" src/ --include="*.ts"
-grep -r "password\s*=" src/ --include="*.ts"
-```
-Check `.env.example` has no real values.
-
-### 3. RLS Verification
-For each table in `src/shared/db/schema.ts`:
-- Confirm RLS is enabled in Supabase dashboard
-- Confirm explicit policies exist
-
-### 4. Auth Coverage
-- Verify `proxy.ts` protects all non-public routes
-- Check every `route.ts` in protected features has auth check
-- Verify `app/(protected)/layout.tsx` has server-side auth check
-
-### 5. Input Validation
-- Every `route.ts` has Zod schema validation
-- Every `.action.ts` has Zod schema validation
-
-### 6. XSS Check
-```bash
-grep -r "dangerouslySetInnerHTML" src/ --include="*.tsx"
-```
-
-### 7. Security Headers
-Verify in `next.config.ts`:
-- `Content-Security-Policy`
-- `Strict-Transport-Security`
-- `X-Frame-Options`
+Execute all 7 audit steps from `references/audit-steps.md`:
+1. Dependency audit (`pnpm audit`)
+2. Secret scan (hardcoded keys)
+3. RLS verification (all tables)
+4. Auth coverage (routes + actions)
+5. Input validation (Zod at boundaries)
+6. XSS check (`dangerouslySetInnerHTML`)
+7. Security headers (`next.config.ts`)
 
 ## Output Format
 ```

package/template/.cursor/skills/security-audit/references/audit-steps.md

@@ -0,0 +1,41 @@
+# Security Audit Steps
+
+### 1. Dependency Audit
+```bash
+pnpm audit
+```
+Categorize findings by: Critical / High / Medium / Low
+
+### 2. Secret Scan
+Search for hardcoded secrets:
+```bash
+grep -r "sk_" src/ --include="*.ts"
+grep -r "apiKey\s*=" src/ --include="*.ts"
+grep -r "password\s*=" src/ --include="*.ts"
+```
+Check `.env.example` has no real values.
+
+### 3. RLS Verification
+For each table in `src/shared/db/schema.ts`:
+- Confirm RLS is enabled in Supabase dashboard
+- Confirm explicit policies exist
+
+### 4. Auth Coverage
+- Verify `proxy.ts` protects all non-public routes
+- Check every `route.ts` in protected features has auth check
+- Verify `app/(protected)/layout.tsx` has server-side auth check
+
+### 5. Input Validation
+- Every `route.ts` has Zod schema validation
+- Every `.action.ts` has Zod schema validation
+
+### 6. XSS Check
+```bash
+grep -r "dangerouslySetInnerHTML" src/ --include="*.tsx"
+```
+
+### 7. Security Headers
+Verify in `next.config.ts`:
+- `Content-Security-Policy`
+- `Strict-Transport-Security`
+- `X-Frame-Options`

package/template/CLAUDE.md

@@ -1,16 +1,33 @@
 @AGENTS.md
+@.claude/rules/general.mdc
+@.claude/rules/architecture.mdc
+@.claude/rules/coding-standards.mdc
 
-# Architecture
+# Context-Specific Rules
 
-Feature-based structure: `src/features/* → src/shared/*` (never reverse).
+Read these rules when working on related files:
+- Data fetching (components, queries, hooks, actions): `.claude/rules/data-fetching.mdc`
+- Security (actions, API routes, auth, config): `.claude/rules/security.mdc`
+- Components (UI, shadcn/ui, Tailwind): `.claude/rules/components.mdc`
+- Forms: `.claude/rules/forms.mdc`
+- Migrations: `.claude/rules/migrations.mdc`
+- Next.js specifics: `.claude/rules/nextjs.mdc`
+- Supabase (Drizzle, RLS, repository pattern): `.claude/rules/supabase.mdc`
+- Testing: `.claude/rules/testing.mdc`
 
-- **Drizzle** = schema + migrations ONLY. Never use Drizzle for runtime queries.
-- **supabase-js** = all runtime queries. RLS is always active.
-- **Zod schemas** for DB types: auto-generate via `drizzle-zod`, never write manually.
-- **Migrations** are auto-generated — NEVER write/edit SQL files in `src/shared/db/migrations/` directly. Use `pnpm db:generate` + `pnpm db:migrate`.
+# Agent Workflow
 
-# Testing
+This project uses specialist agents in `.claude/agents/`. Follow the technical-lead workflow:
 
-- 100% coverage required — `pnpm test:coverage` must pass
-- AAA pattern (Arrange / Act / Assert) in every test
-- Mock only external boundaries (Supabase, HTTP, DB) — never mock internal code
+- **New feature**: requirements (`business-intelligence`) → task breakdown (`technical-lead`) → tests first (`test-qa`) → implementation (`backend`/`frontend`) → review (`code-reviewer`) → security (`security-researcher`)
+- **Bug fix**: reproduce with failing test (`test-qa`) → fix (`backend`/`frontend`) → review (`code-reviewer`)
+- **Refactor**: plan (`technical-lead`) → implement (`backend`/`frontend`) → verify (`test-qa`) → review (`code-reviewer`)
+
+# File Naming
+
+- Server Actions: `name.action.ts` with `"use server"` at top
+- React hooks: `use-name.ts`
+- Components: PascalCase `.tsx`
+- Tests: colocated in `__tests__/`, named `name.test.ts`
+
+# Maintenance Notes

package/template/eslint.config.ts

@@ -65,6 +65,12 @@ export default tseslint.config(
     rules: { "no-console": "off" },
   },
   {
-    ignores: [".next/**", "node_modules/**", "dist/**", "eslint.config.ts", "next-env.d.ts", "next.config.ts", "playwright.config.ts", "drizzle.config.ts", "vitest.config.ts", "postcss.config.mjs"],
+    // TODO: @supabase/ssr exports createServerClient as deprecated while the replacement
+    // API is not yet stable. Remove this override once the package provides a non-deprecated alternative.
+    files: ["src/shared/lib/supabase/server.ts", "src/shared/lib/supabase/middleware.ts"],
+    rules: { "@typescript-eslint/no-deprecated": "off" },
+  },
+  {
+    ignores: [".next/**", "node_modules/**", "dist/**", "coverage/**", "eslint.config.ts", "next-env.d.ts", "next.config.ts", "playwright.config.ts", "drizzle.config.ts", "vitest.config.ts", "postcss.config.mjs"],
   }
 );

package/template/next.config.ts

@@ -20,7 +20,8 @@ const nextConfig: NextConfig = {
           key: "Content-Security-Policy",
           value: [
             "default-src 'self'",
-            "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+            // TODO: replace 'unsafe-inline' with nonce-based CSP
+            "script-src 'self' 'unsafe-inline'",
             "style-src 'self' 'unsafe-inline'",
             "img-src 'self' data: blob: https:",
             "font-src 'self'",

package/template/src/app/(protected)/page.tsx

@@ -1,11 +1,9 @@
-import { eq } from "drizzle-orm";
 import { redirect } from "next/navigation";
 
 import { logoutAction } from "@/features/auth/actions/logout.action";
 import { AddTodoForm } from "@/features/todos/components/add-todo-form";
 import { TodoList } from "@/features/todos/components/todo-list";
-import { db } from "@/shared/db";
-import { todos } from "@/shared/db/schema";
+import { getTodosByUserId } from "@/features/todos/queries/todos.queries";
 import { createClient } from "@/shared/lib/supabase/server";
 
 export default async function HomePage() {
@@ -14,7 +12,7 @@ export default async function HomePage() {
     data: { user },
   } = await supabase.auth.getUser();
   if (!user) redirect("/login");
-  const items = await db.select().from(todos).where(eq(todos.userId, user.id));
+  const { data: items } = await getTodosByUserId(supabase, user.id);
 
   return (
     <main className="container mx-auto max-w-2xl p-8">

package/template/src/app/__tests__/auth-callback.test.ts

@@ -69,4 +69,18 @@ describe("auth callback route", () => {
     expect(response.status).toBe(307);
     expect(response.headers.get("location")).toContain("/dashboard");
   });
+
+  it("ignores protocol-relative next param to prevent open redirect", async () => {
+    // Arrange
+    mockExchangeCodeForSession.mockResolvedValue({ error: null });
+    const { GET } = await import("../api/auth/callback/route");
+    const req = new Request("http://localhost/api/auth/callback?code=valid-code&next=//evil.com");
+
+    // Act
+    const response = await GET(req);
+
+    // Assert
+    expect(response.status).toBe(307);
+    expect(response.headers.get("location")).toBe("http://localhost/");
+  });
 });

package/template/src/app/__tests__/protected-page.test.tsx

@@ -1,27 +1,18 @@
 import { describe, it, expect, vi, beforeEach } from "vitest";
 
 const mockGetUser = vi.fn();
-const mockSelect = vi.fn();
+const mockFrom = vi.fn();
 const mockRedirect = vi.fn();
 
 vi.mock("@/shared/lib/supabase/server", () => ({
   createClient: vi.fn(() =>
     Promise.resolve({
       auth: { getUser: mockGetUser },
+      from: mockFrom,
     })
   ),
 }));
 
-vi.mock("@/shared/db", () => ({
-  db: {
-    select: vi.fn(() => ({
-      from: vi.fn(() => ({
-        where: mockSelect,
-      })),
-    })),
-  },
-}));
-
 vi.mock("@/features/todos/components/todo-list", () => ({
   TodoList: () => <div data-testid="todo-list" />,
 }));
@@ -34,6 +25,13 @@ vi.mock("next/navigation", () => ({
   redirect: (url: string): unknown => mockRedirect(url),
 }));
 
+function makeTodosChain(data: unknown[]) {
+  return {
+    select: vi.fn().mockReturnThis(),
+    eq: vi.fn(() => Promise.resolve({ data, error: null })),
+  };
+}
+
 describe("HomePage (protected)", () => {
   beforeEach(() => {
     vi.clearAllMocks();
@@ -53,7 +51,7 @@ describe("HomePage (protected)", () => {
   it("renderiza la página con las tareas del usuario", async () => {
     // Arrange
     mockGetUser.mockResolvedValue({ data: { user: { id: "u1", email: "user@example.com" } } });
-    mockSelect.mockResolvedValue([]);
+    mockFrom.mockReturnValue(makeTodosChain([]));
     const { default: HomePage } = await import("../(protected)/page");
 
     // Act
@@ -66,7 +64,7 @@ describe("HomePage (protected)", () => {
   it("renderiza correctamente con lista de tareas vacía", async () => {
     // Arrange
     mockGetUser.mockResolvedValue({ data: { user: { id: "u1", email: "user@example.com" } } });
-    mockSelect.mockResolvedValue([]);
+    mockFrom.mockReturnValue(makeTodosChain([]));
     const { default: HomePage } = await import("../(protected)/page");
 
     // Act

package/template/src/app/api/auth/callback/route.ts

@@ -5,7 +5,8 @@ import { createClient } from "@/shared/lib/supabase/server";
 export async function GET(request: Request) {
   const { searchParams, origin } = new URL(request.url);
   const code = searchParams.get("code");
-  const next = searchParams.get("next") ?? "/";
+  const rawNext = searchParams.get("next") ?? "/";
+  const next = rawNext.startsWith("/") && !rawNext.startsWith("//") ? rawNext : "/";
 
   if (!code) {
     return NextResponse.redirect(`${origin}/login?error=no_code`);

package/template/src/e2e/login.spec.ts

@@ -9,13 +9,13 @@ test.describe("Login flow", () => {
   test("shows login form", async ({ page }) => {
     await page.goto("/login");
     await expect(page.getByTestId("login-form")).toBeVisible();
-    await expect(page.getByLabel(/email/i)).toBeVisible();
-    await expect(page.getByLabel(/password/i)).toBeVisible();
+    await expect(page.getByLabel(/correo electrónico/i)).toBeVisible();
+    await expect(page.getByLabel(/contraseña/i)).toBeVisible();
   });
 
   test("shows validation errors on empty submit", async ({ page }) => {
     await page.goto("/login");
-    await page.getByRole("button", { name: /sign in/i }).click();
-    await expect(page.getByText(/invalid email/i)).toBeVisible();
+    await page.getByRole("button", { name: /iniciar sesión/i }).click();
+    await expect(page.getByText(/correo electrónico inválido/i)).toBeVisible();
   });
 });