41 lines
1.3 KiB
Plaintext
41 lines
1.3 KiB
Plaintext
---
|
||
description: MirrorMatch project rules (Next.js + Prisma + Auth + MinIO)
|
||
globs:
|
||
- "**/*.ts"
|
||
- "**/*.tsx"
|
||
- "**/*.md"
|
||
---
|
||
|
||
## Product rules
|
||
|
||
- MirrorMatch is **invite-only**. All reads/writes must be scoped to a `Group` the user is a member of.
|
||
- A **Set** has **2–10 Photos** and **2–4 Options**.
|
||
- A Photo’s `points` is **1–10** (validate server-side).
|
||
- A user can guess **once per photo**.
|
||
- A photo uploader **cannot guess** their own photo for points.
|
||
- Reveals are **manual by default**; optional auto-reveal when all Group members have guessed.
|
||
|
||
## Next.js rules
|
||
|
||
- Use **App Router** patterns.
|
||
- Do privileged operations (create set, upload, guess, reveal, invite) via **server actions** or route handlers.
|
||
- Never trust client input; validate with **zod** on the server.
|
||
|
||
## Auth rules
|
||
|
||
- Use Auth.js (next-auth) with Prisma adapter.
|
||
- Gate pages using server-side session checks.
|
||
- Treat users as identified by `user.id` from the session only.
|
||
|
||
## Storage rules
|
||
|
||
- Store images in MinIO (S3) bucket; database stores only `storageKey`.
|
||
- Access images via short-lived **presigned URLs**, generated server-side.
|
||
- Never make buckets public.
|
||
|
||
## Database rules
|
||
|
||
- Use Prisma migrations (`prisma migrate dev`) for schema changes.
|
||
- Prefer enforcing uniqueness with DB constraints (e.g., one guess per user per photo).
|
||
|