vibestackdev/vibe-stack
29 .mdc architecture rules that prevent AI coding assistants from hallucinating insecure auth, deprecated imports, and broken Next.js 15 patterns. Built for Cursor Agent and Claude Code.
Platform-specific configuration:
{
"mcpServers": {
"vibe-stack": {
"command": "npx",
"args": [
"-y",
"vibe-stack"
]
}
}
}Add the config above to .claude/settings.json under the mcpServers key.
A Next.js 15 + Supabase boilerplate with 29 `.mdc` architecture rules that physically prevent AI coding assistants from hallucinating insecure auth, deprecated packages, and broken patterns.
[](https://nextjs.org/) [](https://react.dev/) [](https://supabase.com/) [](https://www.typescriptlang.org/) [](LICENSE)
> The problem: AI models generate code that compiles perfectly but ships critical vulnerabilities ā getSession() instead of getUser(), synchronous params that crash in Next.js 15, missing RLS policies that expose your database. These bugs are invisible until production. > > The fix: Architecture rules that override the AI's training data. When a rule says "NEVER use getSession()", the model is constrained to generate the secure pattern. Every time.
---
git clone https://github.com/vibestackdev/vibe-stack.git
cd vibe-stack
npm install
cp .env.example .env.local
# Add your Supabase URL + anon key to .env.local
npm run devOpen in Cursor and start building. The rules activate automatically ā zero configuration.
---
This open-source repo includes 5 foundational architecture rules ā the most critical safeguards for any Next.js 15 + Supabase project:
| Free Rule | What It Prevents | |---|---| | supabase-auth-security.mdc | Bans getSession(), enforces getUser() for JWT verification | | nextjs15-params.mdc | Prevents synchronous params access (the #1 Next.js 15 breaking change) | | supabase-ssr-only.mdc | Blocks deprec
Loading reviews...