Appearance
Project guidance for Claude / AI assistants
This is a starter house-rules file. Fill in the project-specific parts; the security rules below apply as-is.
Before you finish a change
- Run the project's tests and linter/static analysis. Do not claim a change works without verifying.
- Match the existing patterns, naming, and style of the file you are editing.
Security (non-negotiable, see SECURITY-CHECKLIST.md in this repo)
- Authorize every action against the authenticated user. Never trust a client-supplied ID for ownership (IDOR).
- The server is the source of truth for prices, limits, balances, and statuses. Enforce limits atomically (locks or DB unique constraints), never a count-then-insert race.
- No secrets in the repo, including as config defaults. Read them through the config layer. Keep test and prod keys distinct.
- Parameterize all queries. Escape output; emit raw HTML only on sanitized content.
- Throttle auth and API routes. Verify and de-duplicate webhooks (signature + idempotency).
- Whitelist writable fields; never bind a raw request body to a model.
Writing / copy
- No em dashes or en dashes anywhere (docs, copy, comments). Use commas, periods, colons. Hyphens are fine.
Project specifics (fill in)
- Stack:
- Run / build / test commands:
- Deploy target and procedure:
- Gotchas that have bitten before: