Skip to content

Project guidance for Claude / AI assistants

This is a starter house-rules file. Fill in the project-specific parts; the security rules below apply as-is.

Before you finish a change

  • Run the project's tests and linter/static analysis. Do not claim a change works without verifying.
  • Match the existing patterns, naming, and style of the file you are editing.

Security (non-negotiable, see SECURITY-CHECKLIST.md in this repo)

  • Authorize every action against the authenticated user. Never trust a client-supplied ID for ownership (IDOR).
  • The server is the source of truth for prices, limits, balances, and statuses. Enforce limits atomically (locks or DB unique constraints), never a count-then-insert race.
  • No secrets in the repo, including as config defaults. Read them through the config layer. Keep test and prod keys distinct.
  • Parameterize all queries. Escape output; emit raw HTML only on sanitized content.
  • Throttle auth and API routes. Verify and de-duplicate webhooks (signature + idempotency).
  • Whitelist writable fields; never bind a raw request body to a model.

Writing / copy

  • No em dashes or en dashes anywhere (docs, copy, comments). Use commas, periods, colons. Hyphens are fine.

Project specifics (fill in)

  • Stack:
  • Run / build / test commands:
  • Deploy target and procedure:
  • Gotchas that have bitten before:

CaptiFi — Guest WiFi Marketing Platform