odd-studio 3.5.0 → 3.6.0

package/templates/CLAUDE.md

@@ -24,6 +24,8 @@ Before starting any build session, read:
 ### Build Sequence
 - NEVER build an outcome whose dependencies are not yet verified
 - ALWAYS build shared infrastructure before individual outcomes
+- ALWAYS run `npm test` after building and before verification — failing tests block verification
+- ALWAYS write tests for pure-logic modules (business rules, calculations, parsing, safety-critical logic)
 - ALWAYS run the full verification walkthrough before marking an outcome complete
 - ALWAYS commit after each verified outcome with message: "Outcome [N] [name] — verified"
 
@@ -110,6 +112,21 @@ export function canAccess(user: User): boolean {
 ### Security Baseline
 - No hardcoded secrets, API keys, or credentials — use environment variables
 - Validate user input at system boundaries
+- Authenticate and authorise every protected route, action, webhook, and admin surface
+- Verify webhooks, uploads, and third-party callbacks before trusting payloads
+- Use secure session defaults — no localStorage auth/session tokens, no JWT-by-default shortcuts
+- Rate-limit auth, admin, upload, payment, and public write surfaces
+- Record audit trails for admin and security-sensitive actions
+- Never disable TLS, CSRF, origin, or certificate verification in production code
+- Treat any security scan finding as release-blocking until fixed
+
+## Debugging Inside ODD
+- Use `*debug` when verification fails or a build breaks
+- Debugging stays inside the current outcome — it is not a free-form detour
+- Choose an explicit debug strategy before touching code: `ui-behaviour`, `full-stack`, `auth-security`, `integration-contract`, `background-process`, or `performance-state`
+- Reproduce first, identify the failing boundary second, fix third
+- Never apply a “quick fix” without naming the failing boundary
+- After a fix, return to the verification walkthrough from step one
 
 ## UI Standards (Every UI Outcome)
 - Use shadcn/ui components as the default component library
@@ -127,9 +144,19 @@ _Until then, the ODD defaults apply:_
 - Styling: Tailwind CSS v4 + shadcn/ui
 - Database: PostgreSQL via Drizzle ORM
 - Auth: NextAuth.js
+- Testing: Vitest (default — chosen during Step 9)
 - Email: Resend
 - Deployment: Vercel
 
+## Build & Test
+```bash
+npm run dev       # Development server
+npm run build     # Production build
+npm test          # Run test suite (must pass before verification)
+npm run test:watch # Watch mode during development
+npm run lint      # Lint
+```
+
 ## Design Approach (see docs/ui/design-system.md for full detail)
 _This section is populated by Rachel during Step 9b of the planning phase._