Add Next.js 15 + Supabase architecture rules (Vibe Stack) #220

Open
vibestackdev wants to merge 1 commit into PatrickJS:main from vibestackdev:main
@vibestackdev vibestackdev commented Apr 1, 2026

Adds a comprehensive .cursorrules file for Next.js 15 + Supabase projects.

Covers the 10 most common AI hallucination patterns including:

  • getSession() vs getUser() (auth bypass vulnerability)
  • Synchronous params access (Next.js 15 runtime crash)
  • Deprecated @supabase/auth-helpers-nextjs imports
  • Missing RLS on Supabase tables
  • Middleware auth enforcement (Edge Runtime limitation)
  • Stripe secret key exposure in NEXT_PUBLIC_ variables

Includes a README with documentation and an installable npm package.

Full set of 27 .mdc rules: https://github.com/vibestackdev/vibe-stack

Summary by CodeRabbit

  • Documentation
    • Added comprehensive Next.js 15 + Supabase architectural rules file with 27 security-focused guidelines covering authentication patterns, database constraints, TypeScript validation, and configuration best practices.
    • Included setup instructions and documentation for integrating rules into your development workflow.
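
Several of the patterns listed in the description above can be checked mechanically. The following is an added example, not part of the pull request or the Vibe Stack ruleset: it scans constructed sample files for four of the listed patterns, and the rule ids, file names and sample contents are assumptions made for illustration.

```javascript
// Added example: rule ids and sample files are constructed, not taken from the PR.
const LINE_RULES = [
  // getSession() call; the ruleset requires getUser() instead.
  { id: 'auth-getsession', re: /\.auth\.getSession\s*\(/ },
  // Import from the package the PR lists as deprecated.
  { id: 'deprecated-auth-helpers', re: /from\s+['"]@supabase\/auth-helpers-nextjs['"]/ },
  // NEXT_PUBLIC_ variable named as a secret, or holding a Stripe secret key (sk_ prefix).
  { id: 'public-stripe-secret',
    re: /NEXT_PUBLIC_\w*SECRET|NEXT_PUBLIC_\w+\s*=\s*["']?sk_(?:live|test)_/ },
];

// Table names captured by re, without quotes or a leading "public." schema.
const names = (s, re) => [...s.matchAll(re)]
  .map((m) => m[1].replace(/"/g, '').replace(/^public\./, ''));

// Tables created in one migration file with no ENABLE ROW LEVEL SECURITY for them.
function tablesMissingRls(sql) {
  const s = sql.toLowerCase();
  const enabled = new Set(
    names(s, /alter\s+table\s+([\w."]+)\s+enable\s+row\s+level\s+security/g));
  return names(s, /create\s+table\s+(?:if\s+not\s+exists\s+)?([\w."]+)/g)
    .filter((t) => !enabled.has(t));
}

// files: { path: contents }. Findings are { path, line, id }; line 0 means whole file.
function scan(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => LINE_RULES
      .filter((r) => r.re.test(line))
      .forEach((r) => findings.push({ path, line: i + 1, id: r.id })));
    if (path.endsWith('.sql')) tablesMissingRls(text)
      .forEach((t) => findings.push({ path, line: 0, id: `missing-rls:${t}` }));
  }
  return findings;
}

const SAMPLE = {
  'app/dashboard/page.tsx':
    "import { createServerComponentClient } from '@supabase/auth-helpers-nextjs'\n" +
    'const { data: { session } } = await supabase.auth.getSession()',
  'app/account/page.tsx': 'const { data: { user } } = await supabase.auth.getUser()',
  '.env.local': 'NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_test_EXAMPLE',
  'supabase/migrations/0001_init.sql':
    'create table public.profiles (id uuid primary key);\n' +
    'alter table public.profiles enable row level security;\n' +
    'create table public.invoices (id uuid primary key);',
};
console.log(scan(SAMPLE));
```

The RLS check works per file, so a table whose row level security is enabled in a later migration is still reported and needs a manual look.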

…ules preventing AI hallucinations: getSession bypass, sync params crash, deprecated imports, missing RLS, Stripe key exposure
coderabbitai bot commented Apr 1, 2026

Walkthrough

Added a new Cursor rules configuration file for Next.js 15 with Supabase, TypeScript, Tailwind, and Stripe integration. Includes comprehensive architectural constraints in the .cursorrules format and updated the root README to reference the new ruleset documentation.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| README Documentation: `README.md` | Added entry linking to the new Next.js 15 + Supabase Cursor rules in "Frontend Frameworks and Libraries" section. |
| Cursor Rules Configuration: `rules/nextjs15-supabase-cursorrules-prompt-file/.cursorrules` | New ruleset defining 27 architectural constraints for Next.js 15 (App Router) development, covering authentication (prohibit getSession(), require getUser()), Supabase RLS enforcement, async params handling, deprecated import prevention, Stripe key exposure prevention, and server-side mutation patterns with Zod validation. |
| Rules Documentation: `rules/nextjs15-supabase-cursorrules-prompt-file/README.md` | New documentation describing the ruleset, listing specific patterns prevented (e.g., improper params access, missing error boundaries, client-side auth), and providing installation command and attribution. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

  • PatrickJS

Poem

🐰 A ruleset hopped into place,
Where Next.js and Supabase embrace,
With TypeScript so strict, Stripe kept tight,
Security patterns shining bright—
No hallucinations here, just right! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: adding Next.js 15 + Supabase architecture rules from the Vibe Stack project, which matches the core content of the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
README.md (1)

90-90: Entry is correctly placed and well-structured.

The new Next.js 15 + Supabase entry is alphabetically correct within the "Frontend Frameworks and Libraries" section, and the relative link follows the repository's conventions.

Optional: Consider condensing the description for consistency.

The description is notably longer and more technical than most entries in the list. While the detail is valuable, consider a more concise format to match the repository's style:

♻️ Suggested condensed description
-- [Next.js 15 (Supabase, TypeScript, Security)](./rules/nextjs15-supabase-cursorrules-prompt-file/.cursorrules) - 27 architecture rules preventing AI hallucinations: insecure auth (getSession vs getUser), synchronous params, deprecated imports, missing RLS, and Stripe key exposure. Built for Cursor Agent and Claude Code.
+- [Next.js 15 (Supabase, TypeScript, Security)](./rules/nextjs15-supabase-cursorrules-prompt-file/.cursorrules) - 27 security-focused architecture rules preventing common Next.js 15 + Supabase vulnerabilities and deprecated patterns.
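
Review bot: the `+` line drops the closing "Built for Cursor Agent and Claude Code" sentence along with the named patterns, while the agent prompt attached to this same suggestion asks to preserve that the entry is for Cursor Agent and Claude Code. Keep the tool attribution in the condensed entry, and consider retaining one concrete item such as "insecure auth (getSession vs getUser)" so a reader scanning the README can still tell which security issues the ruleset targets.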

As per coding guidelines: "Use consistent formatting for list items in the README.md file" and "Use clear and concise language in all documentation."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 90, The list entry titled "[Next.js 15 (Supabase,
TypeScript, Security)]" has an overly long, technical description; shorten it to
match the concise style of other items by keeping the link and a single short
clause summarizing key points (e.g., "27 architecture rules for auth, deprecated
APIs, RLS, and secret exposure") and remove the extended examples ("getSession
vs getUser", "synchronous params", "Stripe key exposure") while preserving that
it's for Cursor Agent and Claude Code; update the README line so the relative
link and brief summary remain but the wording is condensed and consistent with
surrounding entries.

📥 Commits

Reviewing files that changed from the base of the PR and between fc2ce04 and e4291cc.

📒 Files selected for processing (3)
  • README.md
  • rules/nextjs15-supabase-cursorrules-prompt-file/.cursorrules
  • rules/nextjs15-supabase-cursorrules-prompt-file/README.md
