// Supabase auth, favorites, and security boundaries for DevVerse. Use when changing files under supabase/, auth or favorites UI, or the verify-email and reset-password API routes.
MDX article conventions for DevVerse. Use when adding or editing files under content/, changing article metadata, updating author or date lines, or modifying code that parses article content for feeds, related posts, reading stats, or RAG ingestion.
Feed, sitemap, metadata, and publishing guidance for DevVerse. Use when modifying lib/rss.ts, lib/jsonfeed.ts, feed routes, next-sitemap.config.js, app/layout.tsx metadata, manifest or robots files, or SEO-related site metadata.
DevVerse chat, citation, and retrieval workflow. Use when modifying the chat page, the chat API route, citation parsing, local retrieval fallback, Pinecone or Gemini integration, or the article vectorization pipeline.
Refresh Pinecone article embeddings after MDX article changes or RAG chunking and metadata changes. Use when content updates should be reflected in chat retrieval or when the vectorization pipeline changes.
Route and UI conventions for the DevVerse Next.js app. Use when modifying app routes, layout, navigation, page components, global styling, route-scoped CSS, article rendering, favorites UI, or chat UI.
Run repository-specific validation for DevVerse changes. Use when asked to test, validate, smoke check, or confirm modifications in this repository.
| name | devverse-supabase-auth |
| description | Supabase auth, favorites, and security boundaries for DevVerse. Use when changing files under supabase/, auth or favorites UI, or the verify-email and reset-password API routes. |
Keep anon and service-role responsibilities separate. Browser-facing auth, favorites, and storage helpers use the anon client. Service-role usage must stay server-only.
Treat verify-email and reset-password routes as security-sensitive.
Those routes are publicly callable and currently enumerate users via listUsers({ perPage: 1000 }).
Do not move service-role code into shared modules imported by client code.
Remember what Supabase is and is not used for here. Supabase handles auth, favorites, and some profile/storage helpers. It is not the runtime source of article content.
Read the runtime boundaries before changing auth or favorites behavior. @references/runtime-boundaries.md
After auth route changes, run repo tests and state any real-env validation you could not perform.