Add Next.js 15 + Supabase architecture rules (Vibe Stack)

README.md

@@ -87,6 +87,7 @@ By creating a `.cursorrules` file in your project's root directory, you can leve
 - [Beefree SDK (TypeScript, JavaScript, CSS, HTML, React, Angular, Vue)](./rules/beefreeSDK-nocode-content-editor-cursorrules-prompt-file/.cursorrules) - Cursor rules for embedding Beefree SDK's no-code content editors (for emails, pages, and popups) into a web application.
 - [Cursor AI (React, TypeScript, shadcn/ui)](./rules/cursor-ai-react-typescript-shadcn-ui-cursorrules-p/.cursorrules) - Cursor rules for Cursor AI development with React, TypeScript, and shadcn/ui integration.
 - [Next.js 15 (React 19, Vercel AI, Tailwind)](./rules/nextjs15-react19-vercelai-tailwind-cursorrules-prompt-file/.cursorrules) - Cursor rules for Next.js development with React 19, Vercel AI, and Tailwind CSS integration.
+- [Next.js 15 (Supabase, TypeScript, Security)](./rules/nextjs15-supabase-cursorrules-prompt-file/.cursorrules) - 27 architecture rules preventing AI hallucinations: insecure auth (getSession vs getUser), synchronous params, deprecated imports, missing RLS, and Stripe key exposure. Built for Cursor Agent and Claude Code.
 - [Next.js 14 (Tailwind, SEO)](./rules/cursorrules-cursor-ai-nextjs-14-tailwind-seo-setup/.cursorrules) - Cursor rules for Next.js development with Tailwind CSS and SEO optimization.
 - [Next.js (React, Tailwind)](./rules/nextjs-react-tailwind-cursorrules-prompt-file/.cursorrules) - Cursor rules for Next.js development with React and Tailwind CSS integration.
 - [Next.js (React, TypeScript)](./rules/nextjs-react-typescript-cursorrules-prompt-file/.cursorrules) - Cursor rules for Next.js development with React and TypeScript integration.

rules/nextjs15-supabase-cursorrules-prompt-file/.cursorrules

@@ -0,0 +1,132 @@
+# Next.js 15 + Supabase Architecture Rules
+
+You are an expert Next.js 15 developer working with Supabase, TypeScript (strict), and shadcn/ui.
+Follow ALL rules below unconditionally. If you are tempted to deviate, re-read the rule.
+
+## Tech Stack
+- Framework: Next.js 15 (App Router) with React 19
+- Language: TypeScript (strict mode)
+- Styling: Tailwind CSS + shadcn/ui
+- Database: Supabase (PostgreSQL + RLS)
+- Auth: Supabase SSR (cookie-based, @supabase/ssr)
+- Validation: Zod
+- Payments: Stripe (server-side only)
+
+## RULE 1: NEVER use getSession() on the server
+
+SECURITY CRITICAL. getSession() reads the JWT from cookies WITHOUT verifying it.
+A forged cookie passes silently. ALWAYS use getUser() for server-side auth.
+
+```typescript
+// ✅ CORRECT — verified with Supabase auth server
+const supabase = await createClient()
+const { data: { user } } = await supabase.auth.getUser()
+if (!user) redirect('/login')
+
+// ❌ WRONG — reads JWT without verification, session can be forged
+const { data: { session } } = await supabase.auth.getSession()
+```
+
+## RULE 2: NEVER access params synchronously in Next.js 15
+
+In Next.js 15, params and searchParams are Promises. Synchronous access compiles
+but crashes at runtime.
+
+```typescript
+// ✅ CORRECT
+export default async function Page({ params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+}
+
+// ❌ WRONG — runtime crash
+export default function Page({ params }: { params: { id: string } }) {
+  const { id } = params // TypeError at runtime
+}
+```
+
+## RULE 3: NEVER import from @supabase/auth-helpers-nextjs
+
+This package is deprecated. It does NOT work with Next.js 15 App Router cookies.
+ALWAYS use @supabase/ssr with manual cookie handling.
+
+```typescript
+// ✅ CORRECT
+import { createServerClient } from '@supabase/ssr'
+
+// ❌ WRONG — deprecated, broken with App Router
+import { createServerComponentClient } from '@supabase/auth-helpers-nextjs'
+```
+
+## RULE 4: All database tables MUST have RLS enabled
+
+Every Supabase table must have Row Level Security enabled. Without RLS, any
+user with the anon key can read ALL data from the table.
+
+```sql
+-- ✅ Always add after CREATE TABLE:
+ALTER TABLE public.my_table ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "Users can only read their own data"
+  ON public.my_table FOR SELECT
+  USING (auth.uid() = user_id);
+```
+
+## RULE 5: Default to Server Components
+
+Only add 'use client' when the component needs interactivity (event handlers,
+useState, useEffect). Push 'use client' to the smallest leaf component possible.
+
+## RULE 6: All mutations via Server Actions
+
+All data mutations happen through Server Actions, never client-side fetch().
+Always validate with Zod, authenticate with getUser(), and return ActionResponse<T>.
+
+```typescript
+'use server'
+import { z } from 'zod'
+
+type ActionResponse<T = void> =
+  | { success: true; data: T }
+  | { success: false; error: string }
+
+const Schema = z.object({ title: z.string().min(1).max(200) })
+
+export async function createItem(input: unknown): Promise<ActionResponse> {
+  const supabase = await createClient()
+  const { data: { user } } = await supabase.auth.getUser()
+  if (!user) return { success: false, error: 'Unauthorized' }
+
+  const result = Schema.safeParse(input)
+  if (!result.success) return { success: false, error: 'Invalid input' }
+
+  const { error } = await supabase.from('items').insert({ ...result.data, user_id: user.id })
+  if (error) return { success: false, error: 'Failed to create item' }
+
+  revalidatePath('/items')
+  return { success: true, data: undefined }
+}
+```
+
+## RULE 7: Error boundaries for every data-fetching page
+
+Every page that fetches data MUST have sibling loading.tsx and error.tsx files.
+
+## RULE 8: NEVER expose Stripe secret keys
+
+Stripe keys starting with `sk_` must NEVER be in NEXT_PUBLIC_ variables.
+Use process.env.STRIPE_SECRET_KEY (server-only).
+
+## RULE 9: TypeScript strict mode, no `any`
+
+NEVER use `any`. Use `unknown` with Zod validation or type narrowing.
+tsconfig.json MUST have `strict: true`.
+
+## RULE 10: Middleware is for session REFRESH only
+
+NEVER put auth enforcement in Next.js middleware. Middleware runs on Edge Runtime
+and cannot verify Supabase JWTs. Auth enforcement belongs in layouts/pages with getUser().
+
+---
+
+Full rule set (27 rules) available at: https://github.com/vibestackdev/vibe-stack
+Quick install: npx vibe-stack-rules init

rules/nextjs15-supabase-cursorrules-prompt-file/README.md

@@ -0,0 +1,25 @@
+# Next.js 15 + Supabase Architecture Rules (Vibe Stack)
+
+27 `.mdc` architecture rules that prevent AI coding assistants from hallucinating insecure auth, deprecated imports, and broken Next.js 15 patterns.
+
+Built for Cursor Agent and Claude Code.
+
+## What these rules prevent
+
+- Using `getSession()` instead of `getUser()` (JWT bypass vulnerability)
+- Synchronous `params` access (compiles, crashes in production on Next.js 15)
+- Importing deprecated `@supabase/auth-helpers-nextjs` (broken cookie handling)
+- Missing Row Level Security on Supabase tables
+- Leaking Stripe secret keys in `NEXT_PUBLIC_` variables
+- Missing error boundaries and loading states
+- Client-side auth checks that can be spoofed via devtools
+
+## Author
+
+[Vibe Stack](https://github.com/vibestackdev/vibe-stack)
+
+## Quick Install
+
+```bash
+npx vibe-stack-rules init
+```