archivmail/.claude/rules/security.md
“alexvisualmakers” 600552c858 feat: Migrate from agent markdown files to Skills, Rules, and Sub-Agents
Replace the manual "read .claude/agents/*.md" workflow with native
Claude Code features for a more efficient, scalable development experience:

- **Skills** (.claude/skills/): 7 auto-discovered slash commands
  (/requirements, /architecture, /frontend, /backend, /qa, /deploy, /help)
  with forked sub-agents for heavy tasks and inline execution for interactive ones
- **Rules** (.claude/rules/): 4 modular rule files (general, frontend, backend,
  security) auto-applied based on file context
- **Sub-Agents** (.claude/agents/): Lightweight configs for frontend-dev,
  backend-dev, and qa-engineer with model, tool, and turn limit settings
- **Context Engineering**: Layered context loading, context isolation via
  forked skills, built-in context recovery after compaction, and
  "always read, never guess" rules to prevent hallucinated code references
- **CLAUDE.md**: Auto-loaded project context replacing PROJECT_CONTEXT.md
- **Feature tracking**: features/INDEX.md as persistent state across sessions
- **Production guides**: docs/production/ for error tracking, security,
  performance, database optimization, and rate limiting
- **Init Mode**: /requirements detects empty PRD and bootstraps full project
  setup (PRD + all feature specs) from a single project description

Removed: 6 monolithic agent files, PROJECT_CONTEXT.md, HOW_TO_USE_AGENTS.md,
TEMPLATE_CHANGELOG.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 10:15:27 +01:00


# Security Rules

## Secrets Management

- NEVER commit secrets, API keys, or credentials to git
- Use .env.local for local development (already in .gitignore)
- Use the NEXT_PUBLIC_ prefix ONLY for values safe to expose in the browser
- Document all required env vars in .env.local.example with dummy values

## Input Validation

- Validate ALL user input on the server side with Zod
- Never trust client-side validation alone
- Sanitize data before database insertion

## Authentication

- Always verify authentication before processing API requests
- Use Supabase RLS as a second line of defense
- Implement rate limiting on authentication endpoints

## Security Headers

- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: origin-when-cross-origin
- Strict-Transport-Security with includeSubDomains
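The four headers above in the shape the `headers()` export of next.config.js expects, plus a small audit helper that checks a response's headers against these rules. This is an added example, not code from the archivmail repository; the `/(.*)` route pattern, the one-year `max-age`, and the plain-object header map passed to the audit are assumptions.

```javascript
// Added example, not part of the project's rules file. Encodes the four
// Security Headers rules and audits a response header map against them.

const securityHeaders = [
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "origin-when-cross-origin" },
  // max-age of one year is an assumption; includeSubDomains is required by the rule.
  { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
];

// Shape returned from `async headers()` in next.config.js (assumed catch-all route).
function nextHeadersConfig() {
  return [{ source: "/(.*)", headers: securityHeaders }];
}

// Audit helper: takes a map of response header name -> value (names compared
// case-insensitively, as HTTP header names are) and returns one finding per
// violated rule. An empty array means the response complies with all four.
function auditSecurityHeaders(responseHeaders) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    lower[k.toLowerCase()] = String(v).trim();
  }
  const findings = [];
  for (const { key, value } of securityHeaders) {
    const actual = lower[key.toLowerCase()];
    if (actual === undefined) {
      findings.push(`${key}: missing`);
      continue;
    }
    if (key === "Strict-Transport-Security") {
      // HSTS directives are case-insensitive and order-independent, so check
      // the pieces rather than the literal string.
      const directives = actual.toLowerCase().split(";").map((d) => d.trim());
      const maxAge = directives.find((d) => d.startsWith("max-age="));
      const age = maxAge ? Number(maxAge.slice("max-age=".length)) : NaN;
      if (!(age > 0)) findings.push(`${key}: max-age missing or zero`);
      if (!directives.includes("includesubdomains")) findings.push(`${key}: includeSubDomains missing`);
    } else if (actual.toLowerCase() !== value.toLowerCase()) {
      findings.push(`${key}: expected "${value}", got "${actual}"`);
    }
  }
  return findings;
}

// Constructed header map (not a real capture): reports the wrong X-Frame-Options
// value and the three headers that are absent.
console.log(auditSecurityHeaders({ "x-frame-options": "SAMEORIGIN" }));
```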

## Code Review Triggers

- Any changes to RLS policies require explicit user approval
- Any changes to authentication flow require explicit user approval
- Any new environment variables must be documented in .env.local.example