Security-first infrastructure scaffold for a collaborative restaurant picker app.
- Next.js App Router + TypeScript
- Tailwind CSS UI foundation
- React Query provider setup
- Typed domain models for rooms, members, restaurants, votes, and ranking
- API route skeletons for room creation, room join, health, and restaurant search
- Server-only provider abstraction with mock fallback
- Supabase-ready browser/server client stubs
- Environment validation via Zod
- Middleware-based security headers and CSP
- Initial SQL migration scaffold for rooms / members / restaurants / votes
- Third-party restaurant providers are expected to be called server-side only.
- Environment variables are validated on boot.
- API routes validate JSON payloads before domain logic executes.
- Middleware adds CSP and several protective response headers.
- Next.js `poweredByHeader` is disabled.
- Supabase service-role usage is isolated to server-only modules.
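The boot-time environment check and the server-only handling of secrets described in the list above can be sketched as follows. This is an added example, not the scaffold's own code: it uses hand-written checks in place of the Zod schema so it runs without dependencies, and the variable names (`NEXT_PUBLIC_SUPABASE_URL`, `NEXT_PUBLIC_SUPABASE_ANON_KEY`, `SUPABASE_SERVICE_ROLE_KEY`, `GOOGLE_PLACES_API_KEY`) and the `validateEnv` helper are assumptions.

```typescript
// Added example: dependency-free stand-in for the scaffold's Zod schema.
// Variable names are assumptions; the real ones live in .env.example.
type EnvInput = Record<string, string | undefined>;
interface ServerEnv {
  supabaseUrl: string;
  supabaseAnonKey: string;
  serviceRoleKey: string | null; // null: service-role features stay off
  placesApiKey: string | null; // null: fall back to the mock provider
}
type EnvResult = { ok: true; env: ServerEnv } | { ok: false; errors: string[] };

// Name fragments that must never sit behind the browser-exposed prefix.
const SECRET_NAME = /SERVICE_ROLE|SECRET|PRIVATE|API_KEY/;

function isHttpsUrl(value: string): boolean {
  try {
    return new URL(value).protocol === "https:";
  } catch {
    return false;
  }
}

function validateEnv(raw: EnvInput): EnvResult {
  const errors: string[] = [];
  const url = raw.NEXT_PUBLIC_SUPABASE_URL?.trim() ?? "";
  const anon = raw.NEXT_PUBLIC_SUPABASE_ANON_KEY?.trim() ?? "";

  if (!isHttpsUrl(url)) errors.push("NEXT_PUBLIC_SUPABASE_URL must be an https URL");
  if (anon === "") errors.push("NEXT_PUBLIC_SUPABASE_ANON_KEY is required");

  // Next.js inlines NEXT_PUBLIC_* values into the client bundle, so a
  // secret-looking name under that prefix is reported. Names only, never values.
  for (const name of Object.keys(raw)) {
    if (name.startsWith("NEXT_PUBLIC_") && SECRET_NAME.test(name)) {
      errors.push(`${name} is browser-exposed; drop the NEXT_PUBLIC_ prefix`);
    }
  }
  if (errors.length > 0) return { ok: false, errors };

  return {
    ok: true,
    env: {
      supabaseUrl: url,
      supabaseAnonKey: anon,
      serviceRoleKey: raw.SUPABASE_SERVICE_ROLE_KEY?.trim() || null,
      placesApiKey: raw.GOOGLE_PLACES_API_KEY?.trim() || null,
    },
  };
}
```

A caller would run `validateEnv(process.env)` once at startup from a server-only module and throw on `ok: false`, so a misnamed secret stops the boot instead of shipping in the bundle.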
- Copy env template:

  ```bash
  cp .env.example .env.local
  ```

- Fill in your secrets later when ready.

- Install / verify packages:

  ```bash
  npm install
  ```

- Start the app:

  ```bash
  npm run dev
  ```

- Validate the scaffold:

  ```bash
  npm run check
  npm run build
  ```
```text
src/
  app/          App Router pages + API routes
  components/   UI and provider components
  features/     Domain modules (rooms, restaurants, voting)
  lib/          Config, env, security, supabase, utilities
  types/        Shared types
supabase/migrations/   SQL scaffolding for later Supabase setup
```
See AGENTS.md for the authoritative product philosophy, mobile-first design rules, security posture, and iteration guidance for future agents or contributors.
- Real Supabase schema deployment and RLS policies
- Real Google Places adapter implementation
- Auth and guest-session persistence
- Realtime subscriptions / presence
- Production analytics and monitoring
- Test suite (unit, integration, e2e)
- Add real Supabase credentials to `.env.local`.
- Apply `supabase/migrations/0001_initial_schema.sql` in your Supabase project.
- Replace the mock restaurant provider with a Google Places adapter.
- Persist room creation and join flows into Supabase.
- Add vote APIs and result finalization service.