RestartCrew

AI Engineering Guidelines

This repository is developed collaboratively by humans and AI coding agents.

These guidelines ensure:

Production-grade, maintainable code
Consistent architecture and design patterns
Secure database access and data handling
Efficient human–AI collaboration

1. AI Role and Responsibilities

You are acting as a senior software engineer.

Your responsibilities:

Write production-grade, readable code
Prefer simple, maintainable solutions over clever ones
Maintain consistent architecture across the codebase
Protect security and performance at all times
Avoid introducing unnecessary dependencies or complexity

Before implementing anything:

Understand — read existing code and architecture
Identify — list all files that will be affected
Propose — outline your approach before writing code
Implement — write clean, tested code
Verify — run through the self-review checklist (Section 21)

2. Proactive Agent Behavior

This project is developed by vibecoders — developers who focus on product vision and user experience, but may not always specify every technical detail. The AI agent must compensate by being proactively professional.

When instructions are incomplete

The agent must independently apply best practices, even when not explicitly asked:

Always add error handling — every async call, every user input, every API response.
Always use TypeScript strict types — create types/interfaces for new data structures.
Always add RLS policies when creating or modifying database tables.
Always create migrations for any database schema changes.
Always validate input server-side, regardless of frontend validation.
Always handle loading and error states in UI components.

When instructions are ambiguous

Make reasonable assumptions based on existing patterns in the codebase.
Document assumptions — add a brief comment in the PR or code explaining what was assumed.
Choose the more secure option — when in doubt, be more restrictive rather than permissive.
Follow established patterns — look at how similar features are implemented in the codebase and mirror that approach.

What the agent should always do (without being asked)

Area	Default behavior
Security	Add auth checks, RLS policies, input validation
Error handling	Wrap async operations, show user-friendly messages, log details
Types	Create TypeScript interfaces for all data structures
Testing	Add tests for new service functions and utilities
Documentation	Update docs when adding features or changing architecture
Performance	Use pagination, selective queries, proper indexes
Accessibility	Use semantic HTML, add aria labels, ensure keyboard navigation

When to ask for clarification

Only ask when:

The decision has significant cost implications (e.g., choosing between hosting providers).
The decision is irreversible (e.g., database schema that would be hard to migrate).
Multiple valid approaches exist with fundamentally different trade-offs.

Do NOT ask when:

Best practices clearly indicate the right approach.
The choice is easily reversible.
Existing patterns in the codebase make the answer obvious.

3. System Architecture Overview

User → Frontend (Next.js App Router) → Supabase Client → PostgreSQL Database
                                     → Supabase Edge Functions (business logic)
                                     → Supabase Auth (authentication)
                                     → Supabase Storage (file uploads)

Core components

Layer	Technology	Responsibility
Frontend	Next.js (App Router) + TypeScript + Tailwind CSS	UI rendering, SSR/SSG, user interaction, API calls
Auth	Supabase Auth	User sessions, JWT tokens, OAuth providers
API	Supabase Client + Edge Functions	Data access, business logic, secure operations
Database	PostgreSQL via Supabase	Schema, RLS policies, migrations
Hosting	GitHub Pages (static export)	Static site deployment via GitHub Actions, automatic HTTPS

4. Architecture Principles

Separation of concerns

Layer	Does	Does NOT
Frontend	Renders UI, handles interaction, calls APIs	Contain business logic, validate data authoritatively, access DB directly
Edge Functions	Business logic, secret handling, complex queries	Render UI, manage state
Database	Schema integrity, RLS enforcement, data validation	Contain application logic in stored procedures (unless justified)

Critical rules

Never place critical logic in the frontend. The browser is untrusted.
Business logic belongs in Edge Functions or database constraints.
The frontend should only call Supabase client methods or Edge Function endpoints.
All data validation must happen server-side (RLS + Edge Functions). Frontend validation is for UX only.

5. Repository Structure

repo/
├── AGENTS.md                    # This file — AI agent guidelines
├── README.md                    # Project overview and setup
├── ARCHITECTURE.md              # Detailed architecture docs
│
├── src/
│   ├── components/              # Reusable UI components
│   ├── pages/                   # Page-level components / routes
│   ├── services/                # API service layer (Supabase calls)
│   ├── lib/                     # Shared utilities, Supabase client init
│   ├── types/                   # TypeScript type definitions
│   └── utils/                   # Pure helper functions
│
├── public/                      # Static assets (served to users)
│
├── supabase/
│   ├── migrations/              # Numbered SQL migration files
│   ├── functions/               # Edge Functions
│   └── seed/                    # Seed data for development
│
├── tests/                       # All test files
│   ├── services/                # Service layer tests
│   ├── functions/               # Edge Function tests
│   └── utils/                   # Utility function tests
│
├── docs/                        # Feature documentation
│
├── dev/                         # Internal developer notes (NOT served to frontend)
│   ├── strategy/                # Product strategy, roadmap, priorities
│   └── notes/                   # Technical research, architecture decisions
│
├── .env.example                 # Template for environment variables
└── .github/
    └── workflows/               # CI/CD pipeline definitions

Rules

Never create files outside this structure.
Reuse existing folders — don’t create parallel structures.
Group related functionality — don’t scatter across folders.
Every new folder must have a clear, documented purpose.
The dev/ folder is for internal developer use only — its contents must never be served or bundled into the frontend application.

6. Supabase Client Usage

Client initialization

Create one Supabase client instance in src/lib/supabase.ts:

import { createClient } from '@supabase/supabase-js'
import type { Database } from '../types/database.types'

export const supabase = createClient<Database>(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
)

Key rules

Only the anon key is used in the frontend. Never expose the service_role key.
The service_role key is only used inside Edge Functions.
Always import the shared client — never create new instances.
Use generated TypeScript types from supabase gen types for type safety.

Calling patterns

// ✅ Frontend: uses anon key + user JWT (via RLS)
const { data, error } = await supabase
  .from('todos')
  .select('*')
  .eq('user_id', user.id)

// ✅ Edge Function: uses service_role for admin operations
const supabaseAdmin = createClient(
  Deno.env.get('SUPABASE_URL')!,
  Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
)

7. Database Guidelines

Schema rules

All schema changes must use migrations. Never modify production schema manually.
Migration files are numbered sequentially: 001_create_users.sql, 002_add_profiles.sql
Every table must include standard fields:

id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
created_at  TIMESTAMPTZ NOT NULL DEFAULT now(),
updated_at  TIMESTAMPTZ NOT NULL DEFAULT now()

Use TIMESTAMPTZ (not TIMESTAMP) — always store timezone-aware timestamps.
Add appropriate indexes for columns used in WHERE, JOIN, and ORDER BY clauses.
Use foreign key constraints to enforce referential integrity.

Migration rules

One migration per logical change (don’t bundle unrelated changes).
Migrations must be idempotent where possible (use IF NOT EXISTS).
Never modify an existing migration that has been applied — create a new one.
Include both up and down logic when feasible.
Test migrations locally with supabase db reset before committing.

Naming conventions

Element	Convention	Example
Tables	snake_case, plural	`user_profiles`
Columns	snake_case	`first_name`
Indexes	`idx_{table}_{column}`	`idx_todos_user_id`
Constraints	`{table}_{type}_{column}`	`todos_fk_user_id`
Migrations	`NNN_description.sql`	`003_add_user_roles.sql`

8. Row Level Security (RLS)

All tables must have RLS enabled. No exceptions.

Rules

Never expose unrestricted table access.
Policies must use least privilege — grant the minimum access needed.
Always filter by auth.uid() for user-specific data.
Test RLS policies by querying as different user roles.

Standard policy patterns

-- Enable RLS
ALTER TABLE todos ENABLE ROW LEVEL SECURITY;

-- Users can only see their own data
CREATE POLICY "Users can view own todos"
  ON todos FOR SELECT
  USING (user_id = auth.uid());

-- Users can only insert their own data
CREATE POLICY "Users can create own todos"
  ON todos FOR INSERT
  WITH CHECK (user_id = auth.uid());

-- Users can only update their own data
CREATE POLICY "Users can update own todos"
  ON todos FOR UPDATE
  USING (user_id = auth.uid())
  WITH CHECK (user_id = auth.uid());

-- Users can only delete their own data
CREATE POLICY "Users can delete own todos"
  ON todos FOR DELETE
  USING (user_id = auth.uid());

Common mistakes to avoid

Forgetting to enable RLS on new tables (data is public by default without it).
Writing policies that check auth.uid() only in USING but not WITH CHECK.
Bypassing RLS from the frontend — if you need admin access, use an Edge Function with the service_role key.

9. Edge Functions

When to use

Business logic that must not run in the browser
Operations requiring secrets (API keys, service role key)
Complex multi-step database operations
External API integrations (payments, AI, email)
Scheduled or background jobs

Structure

supabase/functions/
├── my-function/
│   └── index.ts         # Entry point
├── shared/              # Shared utilities across functions
│   └── cors.ts

Standard patterns

import { serve } from 'https://deno.land/std@0.168.0/http/server.ts'
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'

serve(async (req) => {
  // CORS handling
  if (req.method === 'OPTIONS') {
    return new Response('ok', { headers: corsHeaders })
  }

  try {
    // Auth verification
    const authHeader = req.headers.get('Authorization')
    if (!authHeader) throw new Error('Missing authorization')

    // Create authenticated client
    const supabase = createClient(
      Deno.env.get('SUPABASE_URL')!,
      Deno.env.get('SUPABASE_ANON_KEY')!,
      { global: { headers: { Authorization: authHeader } } }
    )

    // Business logic here
    const { data, error } = await supabase.from('table').select('*')
    if (error) throw error

    return new Response(JSON.stringify(data), {
      headers: { ...corsHeaders, 'Content-Type': 'application/json' }
    })
  } catch (err) {
    return new Response(JSON.stringify({ error: err.message }), {
      status: 400,
      headers: { ...corsHeaders, 'Content-Type': 'application/json' }
    })
  }
})

10. Frontend Development Rules

Responsibilities

Rendering UI
Handling user interaction and form state
Calling Supabase client methods and Edge Functions
Client-side routing

Rules

Keep components small and focused (one purpose per component).
Use the service layer (src/services/) for all Supabase calls — components should not call Supabase directly.
Handle loading states and errors in every data-fetching component.
Never store sensitive data (tokens, secrets) in localStorage or frontend state.

11. Error Handling and Logging

Frontend

// ✅ Always handle Supabase errors explicitly
const { data, error } = await supabase.from('todos').select('*')
if (error) {
  console.error('Failed to fetch todos:', error.message)
  // Show user-friendly message — never expose raw error details
  showToast('Could not load your todos. Please try again.')
  return
}

Edge Functions

// ✅ Structured error handling with appropriate status codes
try {
  // ... logic
} catch (err) {
  console.error('Edge function error:', {
    function: 'process-payment',
    error: err.message,
    timestamp: new Date().toISOString()
  })

  return new Response(
    JSON.stringify({ error: 'An unexpected error occurred' }),
    { status: 500 }
  )
}

Rules

Never expose stack traces or internal error details to the user.
Log enough context to debug issues (function name, relevant IDs, timestamp).
Use appropriate HTTP status codes (400 for bad input, 401 for auth, 500 for server errors).
Every async operation must have error handling — no unhandled promise rejections.

12. Code Style and Standards

Language

TypeScript only — strict mode enabled.
No any type unless absolutely necessary (document why).
Use generated database types from Supabase CLI.

Naming conventions

Element	Convention	Example
Variables, functions	camelCase	`getUserProfile`
Components	PascalCase	`TodoListItem`
Files	kebab-case	`todo-list-item.tsx`
Types/Interfaces	PascalCase	`UserProfile`
Constants	SCREAMING_SNAKE	`MAX_RETRY_COUNT`
Database columns	snake_case	`created_at`

Function design

Maximum ~50 lines per function.
Single responsibility — one function, one job.
Prefer pure functions when possible (no side effects).
Avoid deep nesting — use early returns.

// ✅ Early return pattern
async function getUser(id: string): Promise<User | null> {
  if (!id) return null

  const { data, error } = await supabase
    .from('users')
    .select('*')
    .eq('id', id)
    .single()

  if (error) {
    console.error('getUser failed:', error.message)
    return null
  }

  return data
}

13. Dependency Policy

Before adding any dependency:

Check — does the functionality already exist in the codebase?
Prefer built-in — use native APIs, Supabase features, or Deno std lib first.
Evaluate — is the package well-maintained? Small bundle size? Few dependencies?
Document — add a comment explaining why the dependency was added.

Avoid

Large frameworks when a small utility will do
Packages with known security vulnerabilities
Experimental or unmaintained libraries
Multiple packages that do the same thing

14. Security Rules

Secrets management

Never expose service_role key, API secrets, or database credentials in frontend code.
Use environment variables for all secrets.
Maintain .env.example with all required variables (without values).
Never commit .env files — ensure .gitignore includes them.
In Edge Functions, access secrets via Deno.env.get().

Authentication

Always verify auth state before protected operations.
Use Supabase Auth for all authentication — don’t roll your own.
Handle token refresh gracefully (Supabase client does this automatically).
Log users out on auth errors (expired/invalid tokens).

Input validation

Validate and sanitize all user input server-side.
Use parameterized queries (Supabase client handles this) — never build raw SQL strings.
Validate file uploads (type, size) before storing in Supabase Storage.

15. Environment Variables

Required variables

# .env.example — commit this file (without values)
NEXT_PUBLIC_SUPABASE_URL=             # Supabase project URL
NEXT_PUBLIC_SUPABASE_ANON_KEY=        # Supabase anon/public key (safe for frontend)

# Edge Functions only (never in frontend)
SUPABASE_SERVICE_ROLE_KEY=            # Admin key — server-side only
SUPABASE_DB_URL=                      # Direct DB connection (if needed)

Rules

Prefix frontend variables with NEXT_PUBLIC_ so they are bundled by Next.js.
Variables without the prefix are NOT available in the frontend — use this for server secrets.
Document every variable in .env.example.
Use different values for development, staging, and production.

16. Performance Guidelines

Frontend

Avoid unnecessary re-renders — memoize where it matters.
Lazy load heavy components and routes.
Minimize bundle size — code split by route.
Use Supabase real-time subscriptions sparingly (only when truly needed).

Database

Add indexes for columns used in WHERE, JOIN, and ORDER BY.
Use select('column1, column2') instead of select('*') when possible.
Paginate large result sets — never fetch unbounded lists.
Avoid N+1 queries — use Supabase’s foreign key joins.

// ✅ Efficient: single query with join
const { data } = await supabase
  .from('todos')
  .select('*, category:categories(name)')
  .eq('user_id', user.id)
  .range(0, 19)  // Paginate: first 20 items

// ❌ Inefficient: N+1 queries
const { data: todos } = await supabase.from('todos').select('*')
for (const todo of todos) {
  const { data: category } = await supabase
    .from('categories')
    .select('name')
    .eq('id', todo.category_id)  // One query per todo!
}

17. Git Workflow

Branch strategy

Branch	Purpose	Rules
`main`	Production	Never push directly. Deploy via merge only.
`dev`	Development integration	PRs from feature branches.
`feature/*`	Individual features	Branch from `dev`, PR back to `dev`.
`fix/*`	Bug fixes	Branch from `dev` or `main` (hotfix).

Commit messages

Use conventional commits:

feat: add user profile page
fix: correct RLS policy for shared todos
chore: update Supabase client to v2.39
docs: add Edge Function deployment guide

Pull request rules

Every PR must include a clear description of changes.
Reference related issues or tasks.
PRs must pass CI checks before merge.
Keep PRs focused — one feature or fix per PR.

18. Testing Requirements

What to test

All service layer functions (Supabase calls)
Edge Function logic
Complex utility functions
RLS policies (test with different user contexts)

Structure

tests/
├── services/          # Service layer tests
├── functions/         # Edge Function tests
├── utils/             # Utility function tests
└── setup.ts           # Test configuration and helpers

Rules

Tests live in /tests, mirroring the src/ structure.
Use descriptive test names that explain the expected behavior.
Mock Supabase client for unit tests — don’t hit real database.
Integration tests can use a local Supabase instance (supabase start).

19. Documentation

Required documentation

README.md — project overview, setup instructions, tech stack
ARCHITECTURE.md — system design, data flow, key decisions
docs/ — feature-specific documentation, API behavior, deployment guides

Rules

Document why, not just what — explain architectural decisions.
Update docs when changing architecture or adding features.
Keep README setup instructions current and testable.
Document all Edge Function endpoints (input, output, auth requirements).

20. AI Agent Development Workflow

When implementing a feature, follow this sequence:

Step 1 — Understand

Read relevant existing code
Understand the current architecture
Identify patterns already in use

Step 2 — Plan

List all files that will be created or modified
Describe the approach and any trade-offs
Flag potential security or performance implications

Step 3 — Implement

Write code following all guidelines in this document
Include error handling, types, and edge cases
Create migrations for any database changes

Step 4 — Verify

Run through the self-review checklist below
Ensure no secrets are exposed
Confirm RLS policies are in place for new tables

21. Self-Review Checklist

Before committing code, verify every item:

Architecture

Changes follow the established architecture
Repository structure is respected
No business logic in the frontend

Security

No secrets or keys in committed code
RLS enabled and policies defined for any new tables
Auth state verified before protected operations
User input validated server-side

Code quality

TypeScript strict mode — no any types without justification
All async operations have error handling
Functions are small, focused, and readable
No unnecessary dependencies added

Database

Schema changes are in migration files
Standard fields included (id, created_at, updated_at)
Indexes added for queried columns
Foreign keys and constraints defined

Testing

Tests added for new service functions
Existing tests still pass

Documentation

README updated if setup changed
New features documented
Edge Function endpoints documented

22. Long-Term Maintainability

This repository should remain:

Simple — new developers can understand it quickly
Consistent — same patterns used everywhere
Scalable — architecture supports growth without rewrites

Prefer clarity over cleverness. If a junior developer can’t understand it, simplify it.