a893084a88
- Add paths frontmatter to frontend, backend, and security rules so they only load when editing relevant files
- Add mandatory new-project detection to general rules that redirects to /requirements before any implementation
- Add write-then-verify protocol for feature tracking updates to prevent hallucinated file edits

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
37 lines
1.1 KiB
Markdown
---
paths:
  - "src/app/api/**"
  - ".env*"
  - "supabase/**"
  - "next.config.*"
---

# Security Rules

## Secrets Management

- NEVER commit secrets, API keys, or credentials to git
- Use `.env.local` for local development (already in .gitignore)
- Use `NEXT_PUBLIC_` prefix ONLY for values safe to expose in browser
- Document all required env vars in `.env.local.example` with dummy values

## Input Validation

- Validate ALL user input on the server side with Zod
- Never trust client-side validation alone
- Sanitize data before database insertion

## Authentication

- Always verify authentication before processing API requests
- Use Supabase RLS as a second line of defense
- Implement rate limiting on authentication endpoints

## Security Headers

- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: origin-when-cross-origin
- Strict-Transport-Security with includeSubDomains
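
The header set above as an added example (not part of this rules file or the project's code): the four required headers in the shape Next.js's `next.config.js` `headers()` hook returns, plus an audit that flags a captured response whose headers fall short of the policy. The HSTS `max-age` value and the catch-all `/(.*)` source pattern are assumptions; the rules only name the headers and `includeSubDomains`.

```javascript
// Added example, not the project's code. Policy from the rules file; the HSTS
// max-age and the catch-all source pattern are assumptions.
const SECURITY_HEADERS = [
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "origin-when-cross-origin" },
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
];

// next.config.js fragment: Next.js calls headers() and applies the list to
// every response whose path matches `source`.
const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: SECURITY_HEADERS }];
  },
};

// Split a `;`-separated header value into lowercase directive tokens.
function directives(value) {
  return value.split(";").map((d) => d.trim().toLowerCase()).filter(Boolean);
}

// Audit a captured response's headers (name -> value, any casing) against the
// policy. Returns one finding per violation; an empty array means compliant.
function auditHeaders(responseHeaders) {
  const got = {};
  for (const [k, v] of Object.entries(responseHeaders)) got[k.toLowerCase()] = String(v);
  const findings = [];
  for (const { key, value } of SECURITY_HEADERS) {
    const actual = got[key.toLowerCase()];
    if (actual === undefined) {
      findings.push(`${key}: missing`);
    } else if (key === "Strict-Transport-Security") {
      // HSTS is directive-based: require includeSubDomains and a max-age.
      const ds = directives(actual);
      if (!ds.includes("includesubdomains")) findings.push(`${key}: missing includeSubDomains`);
      if (!ds.some((d) => /^max-age=\d+$/.test(d))) findings.push(`${key}: missing max-age`);
    } else if (actual.trim().toLowerCase() !== value.toLowerCase()) {
      findings.push(`${key}: expected "${value}", got "${actual}"`);
    }
  }
  return findings;
}

// Constructed sample responses: one that applies the policy, one that does not.
const compliantResponse = Object.fromEntries(SECURITY_HEADERS.map((h) => [h.key, h.value]));
const weakResponse = { "x-frame-options": "SAMEORIGIN", "strict-transport-security": "max-age=300" };
```

Running `auditHeaders` against response headers captured from a deployed route is a quick way to confirm the config is actually being served, not just written.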

## Code Review Triggers

- Any changes to RLS policies require explicit user approval
- Any changes to authentication flow require explicit user approval
- Any new environment variables must be documented in `.env.local.example`