nextjs-hackathon-stack 0.1.30 → 0.1.32

package/template/.cursor/rules/general.mdc

@@ -1,12 +1,13 @@
 ---
-description: Stack overview and project conventions. Always applies.
-alwaysApply: true
+description: Stack overview and project conventions. Applies to all source files.
+alwaysApply: false
+globs: ["src/**"]
 ---
 
 # Stack Overview
 
 ## Technology Stack
-- **Framework**: Next.js 16 (App Router)
+- **Framework**: Next.js 16.2 (App Router)
 - **Database**: Supabase (PostgreSQL) with Drizzle ORM for schema/migrations
 - **Auth**: Supabase Auth via `@supabase/ssr`
 - **ORM**: Drizzle + `drizzle-zod` (schema + migrations ONLY — no runtime queries)
@@ -14,7 +15,7 @@ alwaysApply: true
 - **Client State**: TanStack Query v5
 - **Validation**: Zod (auto-generated via `drizzle-zod`)
 - **Forms**: React Hook Form + Zod resolver
-- **UI**: shadcn/ui + Tailwind CSS v4
+- **UI**: shadcn/ui + Tailwind CSS v4 (shadcn skill installed for AI context)
 - **AI**: Vercel AI SDK + Google Gemini 2.0 Flash via AI Gateway
 - **Testing**: Vitest + React Testing Library + Playwright
 
@@ -26,8 +27,10 @@ src/
 │   └── <feature>/
 │       ├── components/
 │       ├── actions/
+│       ├── queries/
 │       ├── hooks/
 │       ├── api/
+│       ├── lib/
 │       └── __tests__/
 ├── shared/            # Shared across features
 │   ├── components/ui/ # shadcn/ui components
@@ -40,7 +43,7 @@ src/
 - Files: `kebab-case.ts`
 - Components: `PascalCase`
 - Hooks: `useCamelCase`
-- Server Actions: `camelCase.action.ts`
+- Server Actions: `kebab-case.action.ts`
 - API Routes: `route.ts` (in feature `api/` folder)
 - Tests: `*.test.ts` or `*.test.tsx`
 - E2e: `*.spec.ts`

package/template/.cursor/rules/nextjs.mdc

@@ -1,9 +1,9 @@
 ---
-description: Next.js 16 App Router patterns.
+description: Next.js 16.2 App Router patterns.
 globs: ["src/app/**"]
 ---
 
-# Next.js 16 Rules
+# Next.js 16.2 Rules
 
 ## App Router Conventions
 - `page.tsx` — public route page component
@@ -11,7 +11,7 @@ globs: ["src/app/**"]
 - `loading.tsx` — Suspense boundary UI
 - `error.tsx` — Error boundary UI
 - `route.ts` — API route handler
-- `proxy.ts` — Request proxy (project root, Node.js runtime)
+- `proxy.ts` — Request proxy (project root, Node.js runtime). Intercepts and rewrites requests before they reach route handlers (e.g., session validation, redirects).
 
 ## Route Groups
 - `(auth)` — unauthenticated routes
@@ -44,3 +44,27 @@ export const metadata: Metadata = {
   description: "Page description",
 };
 ```
+
+## Browser Log Forwarding
+
+Next.js 16.2 can forward browser logs to the terminal. Configure in `next.config.ts`:
+
+```typescript
+const nextConfig: NextConfig = {
+  logging: {
+    browserToTerminal: 'error', // 'error' (default) | 'warn' | true (all) | false (disabled)
+  },
+};
+```
+
+- `'error'` — forwards browser errors only (default)
+- `'warn'` — forwards errors and warnings
+- `true` — forwards all console output
+- `false` — disabled
+
+## Dev Server Lock File
+
+Next.js 16.2 writes `.next/dev/lock` when `next dev` starts. The file contains the PID, port, and URL of the running dev server.
+
+- Agents and scripts must check `.next/dev/lock` before starting `next dev` or `next build` to avoid duplicate processes.
+- If the lock file exists and the PID is still alive, attach to the existing server instead of starting a new one.

package/template/.cursor/rules/security.mdc

@@ -1,6 +1,6 @@
 ---
-description: Security rules and OWASP guidelines. Always applies.
-alwaysApply: true
+description: Security rules (OWASP, auth, RLS, XSS, CSP). Applied to server code, API routes, actions, auth, and config.
+globs: ["src/**/actions/**", "src/**/api/**", "src/**/lib/supabase/**", "src/app/**/route.ts", "src/app/**/proxy.ts", "*.config.*"]
 ---
 
 # Security Rules
@@ -28,7 +28,10 @@ Never use `NEXT_PUBLIC_` for secret keys.
 - Write explicit allow/deny policies
 - Test RLS policies — never assume they work
 
-## Auth in API Routes
+## Auth in API Routes and Server Actions
+
+Every Server Action and API route that accesses data must verify auth via `getUser()` before any data access. RLS provides row-level enforcement, but `getUser()` at the action level is required as defense-in-depth — never rely on RLS alone.
+
 ```typescript
 export async function POST(request: Request) {
   const supabase = await createClient();
@@ -38,6 +41,36 @@ export async function POST(request: Request) {
 }
 ```
 
+Every mutation Server Action must:
+1. Call `getUser()` and return an error result if no user
+2. Scope all queries to `user.id` (even with RLS active)
+
+```typescript
+export async function deleteItemAction(id: string): Promise<ActionResult> {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return { status: "error", message: "No autenticado" };
+
+  const { error } = await supabase.from("items").delete().eq("id", id).eq("user_id", user.id);
+  if (error) return { status: "error", message: "Error al eliminar" };
+
+  revalidatePath("/");
+  return { status: "success", message: "Eliminado" };
+}
+```
+
+## Open Redirect Prevention
+
+Validate all redirect targets — ensure `next`/`redirect` params start with `/` and not `//`. Never redirect to user-controlled URLs without validation.
+
+```typescript
+// ✅ Safe redirect validation
+const next = rawNext.startsWith("/") && !rawNext.startsWith("//") ? rawNext : "/";
+
+// ❌ Unsafe — allows protocol-relative redirects (//evil.com)
+const next = searchParams.get("next") ?? "/";
+```
+
 ## Input Validation
 - Validate ALL external input with Zod at the boundary
 - Validate in Server Actions AND API routes
@@ -48,6 +81,26 @@ export async function POST(request: Request) {
 - Apply rate limiting to auth endpoints
 - Use Vercel's built-in rate limiting or `@upstash/ratelimit`
 
+## Content Security Policy
+
+`script-src` must not include `'unsafe-eval'`. Avoid `'unsafe-inline'` for scripts — prefer nonce-based CSP. `'unsafe-inline'` is acceptable for `style-src` only.
+
+```typescript
+// ✅ Ideal — nonce-based CSP (no unsafe-inline for scripts)
+`script-src 'self' 'nonce-${nonce}'`,
+"style-src 'self' 'unsafe-inline'",
+
+// ✅ Acceptable intermediate — add a TODO to migrate to nonce-based
+"script-src 'self' 'unsafe-inline'", // TODO: replace with nonce-based CSP
+"style-src 'self' 'unsafe-inline'",
+
+// ✅ Dev-only — unsafe-eval for React debugging features (silences installHook.js warning)
+`script-src 'self' 'unsafe-inline'${isDev ? " 'unsafe-eval'" : ""}`,
+
+// ❌ Never — unsafe-eval unconditionally in production
+"script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+```
+
 ## Cookies
 - `httpOnly: true` for auth tokens (Supabase handles this)
 - `secure: true` in production

package/template/.cursor/rules/supabase.mdc

@@ -21,10 +21,26 @@ export const selectUserSchema = createSelectSchema(users);
 const userSchema = z.object({ id: z.string(), email: z.string() }); // WRONG
 ```
 
-## Runtime Queries: supabase-js (RLS active)
+## Runtime Reads: Repository Pattern (RLS active)
+
+All reads go through the feature's `queries/` module — never call `supabase.from().select()` inline in pages or actions.
+
 ```typescript
-// ✅ Runtime queries via supabase-js
-const { data, error } = await supabase.from("users").select("*").eq("id", userId);
+// ✅ Read via repository function
+import { getUserById } from "@/features/users/queries/users.queries";
+const { data, error } = await getUserById(supabase, userId);
+
+// ✅ Repository module — receives supabase client as parameter (DI)
+// src/features/users/queries/users.queries.ts
+import type { createClient } from "@/shared/lib/supabase/server";
+type Client = Awaited<ReturnType<typeof createClient>>;
+
+export async function getUserById(supabase: Client, userId: string) {
+  return supabase.from("users").select("*").eq("id", userId).single();
+}
+
+// ❌ Never inline a SELECT in a page or action
+const { data } = await supabase.from("users").select("*").eq("id", userId); // WRONG in page/action
 
 // ❌ Never use Drizzle for runtime queries
 const users = await db.select().from(usersTable); // WRONG — bypasses RLS

package/template/.cursor/rules/testing.mdc

@@ -70,19 +70,28 @@ it("calls signInWithPassword with correct args", () => { ... });
 ```
 
 ## Playwright (E2E)
-- Use `data-testid` attributes for stable selectors
+- **Always use `data-testid` attributes for element selection** — never use visible text or translated labels. Text-based selectors break when copy or i18n changes.
 - Page Object Pattern for complex flows
 - Every user flow needs an e2e test
 
+```typescript
+// ✅ Stable — decoupled from i18n
+await page.getByTestId("submit-button").click();
+
+// ❌ Brittle — breaks if language changes or copy is updated
+await page.getByRole("button", { name: /sign in/i }).click();
+await page.getByLabel(/email/i).fill("...");
+```
+
 ```typescript
 test("user can log in", async ({ page }) => {
   // Arrange
   await page.goto("/login");
 
   // Act
-  await page.getByLabel(/email/i).fill("user@example.com");
-  await page.getByLabel(/password/i).fill("password123");
-  await page.getByRole("button", { name: /sign in/i }).click();
+  await page.getByTestId("email-input").fill("user@example.com");
+  await page.getByTestId("password-input").fill("password123");
+  await page.getByTestId("sign-in-button").click();
 
   // Assert
   await expect(page).toHaveURL("/");
@@ -102,6 +111,14 @@ For every function, ask: what happens with...
 
 If any of these apply, write a test for it. No exceptions.
 
+## jsdom Known Limitations (avoid rework cycles)
+
+jsdom does not implement all browser APIs. Hitting these in tests causes failures that require full component rewrites — avoid them upfront:
+
+- **No `HTMLDialogElement` methods** — `dialog.showModal()` and `dialog.close()` throw in jsdom. Use state-controlled visibility (`isOpen` prop / conditional render) instead of the native `<dialog>` API.
+- **No portal-based components in unit tests** — components like `<Toaster>` (sonner), `<Tooltip>`, `<Popover>` render outside the React tree and are unreliable in jsdom. Exclude their wrapper files from coverage; test toast behavior indirectly via the action's `ActionResult`.
+- **Run `pnpm lint` before finishing** — do not leave lint errors to a separate pass. Fix inline as you go.
+
 ## Coverage Thresholds
 ```typescript
 // vitest.config.ts

package/template/.cursor/skills/create-feature/SKILL.md

@@ -8,38 +8,59 @@ description: Scaffold a new feature following TDD and project conventions. Use w
 ## Process
 
 ### 1. Requirements First
-- Check `.requirements/` for existing spec
-- If none exists, ask the user to describe the feature
-- Document in `.requirements/<feature-name>.md` using the Given/When/Then template
+- Check `.requirements/` for an existing functional issue
+- If a spec exists, read it and proceed to Step 2
+- **If no spec exists, call @business-intelligence** to run the discovery process and produce a functional issue in `.requirements/<feature-name>.md`
+- Wait for the functional issue to be written and confirmed by the user before proceeding to Step 2
 
 ### 2. Create Feature Structure
 ```
 src/features/<feature-name>/
 ├── components/
 ├── actions/
+├── queries/
 ├── hooks/
 ├── api/
+├── lib/
 └── __tests__/
 ```
 
-### 3. TDD: RED Phase
+### 3. Pre-Test Setup (do this before writing any tests)
+
+Update `vitest.config.ts` to exclude files that cannot be meaningfully tested in jsdom:
+- Drizzle schema file(s) (`src/shared/db/schema.ts`)
+- Pure type-only files (no runtime logic)
+- Portal/browser-API-dependent UI wrappers (e.g., `src/shared/components/ui/sonner.tsx`)
+
+```typescript
+// vitest.config.ts — add to coverage.exclude before writing tests
+exclude: [
+  "src/shared/db/schema.ts",
+  "src/shared/components/ui/sonner.tsx",
+]
+```
+
+Configuring exclusions upfront prevents reactive coverage fixes mid-implementation.
+
+### 4. TDD: RED Phase
 Write ALL test files first:
 - `__tests__/<component>.test.tsx` — component tests
 - `__tests__/use-<feature>.test.ts` — hook tests
-- `__tests__/<action>.test.ts` — action tests
+- `__tests__/<action>.test.ts` — action tests (see `references/server-action-test-template.md`)
+- `__tests__/<feature>.queries.test.ts` — query tests
 
 Run `pnpm test:unit` — all tests must FAIL (RED).
 
-### 4. TDD: GREEN Phase
+### 5. TDD: GREEN Phase
 Implement minimum code to pass each test:
 - Components → actions → hooks → API routes
 
 Run `pnpm test:unit` — all tests must PASS (GREEN).
 
-### 5. Refactor
+### 6. Refactor
 Clean up while keeping tests green.
 
-### 6. Verify
+### 7. Verify
 ```bash
 pnpm test:coverage   # Must show 100%
 pnpm lint            # Must pass with 0 warnings

package/template/.cursor/skills/create-feature/references/server-action-test-template.md

@@ -0,0 +1,51 @@
+# Server Action Testing Pattern
+
+Test Server Actions by mocking `createClient`, asserting on the returned `ActionResult`, and verifying side effects.
+
+```typescript
+import { vi, it, expect, describe } from "vitest";
+import { myAction } from "@/features/example/actions/my.action";
+
+vi.mock("@/shared/lib/supabase/server", () => ({
+  createClient: vi.fn(),
+}));
+vi.mock("next/cache", () => ({ revalidatePath: vi.fn() }));
+
+describe("myAction", () => {
+  it("returns error when user is not authenticated", async () => {
+    // Arrange
+    const mockSupabase = {
+      auth: { getUser: vi.fn().mockResolvedValue({ data: { user: null } }) },
+    };
+    vi.mocked(createClient).mockResolvedValue(mockSupabase as never);
+    const formData = new FormData();
+
+    // Act
+    const result = await myAction(formData);
+
+    // Assert
+    expect(result).toEqual({ status: "error", message: "No autenticado" });
+    expect(revalidatePath).not.toHaveBeenCalled();
+  });
+
+  it("returns success and revalidates on valid input", async () => {
+    // Arrange
+    const mockUser = { id: "user-1" };
+    const mockSupabase = {
+      auth: { getUser: vi.fn().mockResolvedValue({ data: { user: mockUser } }) },
+      from: vi.fn().mockReturnThis(),
+      insert: vi.fn().mockResolvedValue({ error: null }),
+    };
+    vi.mocked(createClient).mockResolvedValue(mockSupabase as never);
+    const formData = new FormData();
+    formData.set("name", "Test Item");
+
+    // Act
+    const result = await myAction(formData);
+
+    // Assert
+    expect(result).toEqual({ status: "success", message: expect.any(String) });
+    expect(revalidatePath).toHaveBeenCalledWith("/");
+  });
+});
+```

package/template/.cursor/skills/review-branch/SKILL.md

@@ -17,28 +17,8 @@ Or for a specific branch:
 git diff develop...<branch-name>
 ```
 
-### 2. Check Each Changed File Against:
-
-#### Code Quality
-- Zero `any` types
-- Zero comments
-- Functions ≤ 20 lines, files ≤ 200 lines
-- No magic numbers/strings
-
-#### Tests
-- Test files exist for every changed source file
-- Tests cover new code paths
-- No implementation-detail testing
-
-#### Architecture
-- Correct imports (features → shared only)
-- Server Actions for mutations
-- Edge runtime on AI routes
-
-#### Security
-- Input validation at boundaries
-- Auth checks present
-- No exposed secrets
+### 2. Check Each Changed File
+Apply the full checklist from `references/review-checklist.md` — covers code quality, tests, architecture, security, performance, and accessibility.
 
 ### 3. Generate Report
 ```

package/template/.cursor/skills/review-branch/references/review-checklist.md

@@ -0,0 +1,36 @@
+# Review Checklist
+
+## Code Quality
+- Zero `any` types
+- Zero comments (excluding test AAA labels: `// Arrange`, `// Act`, `// Assert`)
+- Functions ≤ 20 lines
+- Files ≤ 200 lines
+- No magic numbers/strings
+- Proper error handling
+
+## Tests
+- Tests written BEFORE implementation (TDD)
+- 100% coverage on new/changed files
+- 100% BRANCH coverage (every if/else/ternary/catch)
+- Behavior tested, not implementation
+- AAA pattern with labeled comments on every test
+- Tests NOT weakened (no removed assertions, no loosened matchers, no .skip)
+- Edge cases covered: null, empty, boundaries, errors, auth expired
+
+## Architecture
+- Correct layer (features → shared only)
+- Server Actions for mutations (not TanStack)
+- Edge runtime on AI routes
+
+## Security
+- Input validation at boundaries
+- Auth checks in protected routes
+- No exposed secrets
+
+## Performance
+- No N+1 query patterns
+- No unnecessary re-renders
+
+## Accessibility
+- Semantic HTML
+- ARIA labels where needed

package/template/.cursor/skills/security-audit/SKILL.md

@@ -8,45 +8,14 @@ disable-model-invocation: true
 
 ## Process
 
-### 1. Dependency Audit
-```bash
-pnpm audit
-```
-Categorize findings by: Critical / High / Medium / Low
-
-### 2. Secret Scan
-Search for hardcoded secrets:
-```bash
-grep -r "sk_" src/ --include="*.ts"
-grep -r "apiKey\s*=" src/ --include="*.ts"
-grep -r "password\s*=" src/ --include="*.ts"
-```
-Check `.env.example` has no real values.
-
-### 3. RLS Verification
-For each table in `src/shared/db/schema.ts`:
-- Confirm RLS is enabled in Supabase dashboard
-- Confirm explicit policies exist
-
-### 4. Auth Coverage
-- Verify `proxy.ts` protects all non-public routes
-- Check every `route.ts` in protected features has auth check
-- Verify `app/(protected)/layout.tsx` has server-side auth check
-
-### 5. Input Validation
-- Every `route.ts` has Zod schema validation
-- Every `.action.ts` has Zod schema validation
-
-### 6. XSS Check
-```bash
-grep -r "dangerouslySetInnerHTML" src/ --include="*.tsx"
-```
-
-### 7. Security Headers
-Verify in `next.config.ts`:
-- `Content-Security-Policy`
-- `Strict-Transport-Security`
-- `X-Frame-Options`
+Execute all 7 audit steps from `references/audit-steps.md`:
+1. Dependency audit (`pnpm audit`)
+2. Secret scan (hardcoded keys)
+3. RLS verification (all tables)
+4. Auth coverage (routes + actions)
+5. Input validation (Zod at boundaries)
+6. XSS check (`dangerouslySetInnerHTML`)
+7. Security headers (`next.config.ts`)
 
 ## Output Format
 ```

package/template/.cursor/skills/security-audit/references/audit-steps.md

@@ -0,0 +1,41 @@
+# Security Audit Steps
+
+### 1. Dependency Audit
+```bash
+pnpm audit
+```
+Categorize findings by: Critical / High / Medium / Low
+
+### 2. Secret Scan
+Search for hardcoded secrets:
+```bash
+grep -r "sk_" src/ --include="*.ts"
+grep -r "apiKey\s*=" src/ --include="*.ts"
+grep -r "password\s*=" src/ --include="*.ts"
+```
+Check `.env.example` has no real values.
+
+### 3. RLS Verification
+For each table in `src/shared/db/schema.ts`:
+- Confirm RLS is enabled in Supabase dashboard
+- Confirm explicit policies exist
+
+### 4. Auth Coverage
+- Verify `proxy.ts` protects all non-public routes
+- Check every `route.ts` in protected features has auth check
+- Verify `app/(protected)/layout.tsx` has server-side auth check
+
+### 5. Input Validation
+- Every `route.ts` has Zod schema validation
+- Every `.action.ts` has Zod schema validation
+
+### 6. XSS Check
+```bash
+grep -r "dangerouslySetInnerHTML" src/ --include="*.tsx"
+```
+
+### 7. Security Headers
+Verify in `next.config.ts`:
+- `Content-Security-Policy`
+- `Strict-Transport-Security`
+- `X-Frame-Options`

package/template/CLAUDE.md

@@ -1,16 +1,49 @@
 @AGENTS.md
+@.claude/rules/general.mdc
+@.claude/rules/architecture.mdc
+@.claude/rules/coding-standards.mdc
 
-# Architecture
+# Context-Specific Rules
 
-Feature-based structure: `src/features/* → src/shared/*` (never reverse).
+Read these rules when working on related files:
+- Data fetching (components, queries, hooks, actions): `.claude/rules/data-fetching.mdc`
+- Security (actions, API routes, auth, config): `.claude/rules/security.mdc`
+- Components (UI, shadcn/ui, Tailwind): `.claude/rules/components.mdc`
+- Forms: `.claude/rules/forms.mdc`
+- Migrations: `.claude/rules/migrations.mdc`
+- Next.js specifics: `.claude/rules/nextjs.mdc`
+- Supabase (Drizzle, RLS, repository pattern): `.claude/rules/supabase.mdc`
+- Testing: `.claude/rules/testing.mdc`
 
-- **Drizzle** = schema + migrations ONLY. Never use Drizzle for runtime queries.
-- **supabase-js** = all runtime queries. RLS is always active.
-- **Zod schemas** for DB types: auto-generate via `drizzle-zod`, never write manually.
-- **Migrations** are auto-generated — NEVER write/edit SQL files in `src/shared/db/migrations/` directly. Use `pnpm db:generate` + `pnpm db:migrate`.
+# Agent Workflow
 
-# Testing
+This project uses specialist agents in `.claude/agents/`. Follow the technical-lead workflow:
 
-- 100% coverage required — `pnpm test:coverage` must pass
-- AAA pattern (Arrange / Act / Assert) in every test
-- Mock only external boundaries (Supabase, HTTP, DB) — never mock internal code
+- **New feature**: requirements (`business-intelligence`) → task breakdown (`technical-lead`) → tests first (`test-qa`) → implementation (`backend` + `frontend` **in parallel**) → review (`code-reviewer` + `security-researcher` **in parallel**)
+- **Bug fix**: reproduce with failing test (`test-qa`) → fix (`backend`/`frontend`) → review (`code-reviewer`)
+- **Refactor**: plan (`technical-lead`) → implement (`backend`/`frontend`) → verify (`test-qa`) → review (`code-reviewer`)
+
+## Recommended: 2-Conversation Workflow for New Features
+
+Split new feature work across two conversations to avoid context exhaustion (hitting >80% context mid-implementation):
+
+**Conversation 1 — Requirements** (low context, can be discarded after)
+```
+@business-intelligence → write .requirements/<feature-name>.md → confirm with user
+```
+
+**Conversation 2 — Implementation** (fresh context, reads spec from file)
+```
+/create-feature  →  reads .requirements/<feature-name>.md  →  full TDD pipeline
+```
+
+The `/create-feature` skill reads the requirements file directly, so the BI conversation history is not needed during implementation. This keeps each conversation well under 50% context usage.
+
+# File Naming
+
+- Server Actions: `name.action.ts` with `"use server"` at top
+- React hooks: `use-name.ts`
+- Components: PascalCase `.tsx`
+- Tests: colocated in `__tests__/`, named `name.test.ts`
+
+# Maintenance Notes

package/template/eslint.config.ts

@@ -65,6 +65,12 @@ export default tseslint.config(
     rules: { "no-console": "off" },
   },
   {
-    ignores: [".next/**", "node_modules/**", "dist/**", "eslint.config.ts", "next-env.d.ts", "next.config.ts", "playwright.config.ts", "drizzle.config.ts", "vitest.config.ts", "postcss.config.mjs"],
+    // TODO: @supabase/ssr exports createServerClient as deprecated while the replacement
+    // API is not yet stable. Remove this override once the package provides a non-deprecated alternative.
+    files: ["src/shared/lib/supabase/server.ts", "src/shared/lib/supabase/middleware.ts"],
+    rules: { "@typescript-eslint/no-deprecated": "off" },
+  },
+  {
+    ignores: [".next/**", "node_modules/**", "dist/**", "coverage/**", "eslint.config.ts", "next-env.d.ts", "next.config.ts", "playwright.config.ts", "drizzle.config.ts", "vitest.config.ts", "postcss.config.mjs"],
   }
 );

package/template/next.config.ts

@@ -1,5 +1,7 @@
 import type { NextConfig } from "next";
 
+const isDev = process.env.NODE_ENV !== "production";
+
 const nextConfig: NextConfig = {
   typedRoutes: true,
   logging: {
@@ -20,7 +22,9 @@ const nextConfig: NextConfig = {
           key: "Content-Security-Policy",
           value: [
             "default-src 'self'",
-            "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+            // TODO: replace 'unsafe-inline' with nonce-based CSP
+            // 'unsafe-eval' is added in dev only for React's debugging features (never in production)
+            `script-src 'self' 'unsafe-inline'${isDev ? " 'unsafe-eval'" : ""}`,
             "style-src 'self' 'unsafe-inline'",
             "img-src 'self' data: blob: https:",
             "font-src 'self'",

package/template/src/app/(protected)/page.tsx

@@ -1,11 +1,9 @@
-import { eq } from "drizzle-orm";
 import { redirect } from "next/navigation";
 
 import { logoutAction } from "@/features/auth/actions/logout.action";
 import { AddTodoForm } from "@/features/todos/components/add-todo-form";
 import { TodoList } from "@/features/todos/components/todo-list";
-import { db } from "@/shared/db";
-import { todos } from "@/shared/db/schema";
+import { getTodosByUserId } from "@/features/todos/queries/todos.queries";
 import { createClient } from "@/shared/lib/supabase/server";
 
 export default async function HomePage() {
@@ -14,7 +12,7 @@ export default async function HomePage() {
     data: { user },
   } = await supabase.auth.getUser();
   if (!user) redirect("/login");
-  const items = await db.select().from(todos).where(eq(todos.userId, user.id));
+  const { data: items } = await getTodosByUserId(supabase, user.id);
 
   return (
     <main className="container mx-auto max-w-2xl p-8">