Improve AX scaffolding for Vercel + Supabase workflows

[jeffgreendesign]

Motivation

• Improve agent + developer experience (AX) for projects targeting Vercel + Supabase by providing a clear control plane of agent instructions, runbooks, and environment guidance.
• Reduce agent/human mistakes by standardizing a single verification gate and lightweight guardrails (secret scanning, env rules, server/client key boundaries).

Description

• Add AGENTS.md and refresh CLAUDE.md to provide clear, copy-paste-ready agent/startup commands and working rules for Codex/Claude-style agents.
• Add maintainer docs: docs/ENV.md, docs/RUNBOOK.md, docs/ARCHITECTURE.md, docs/DECISIONS.md, docs/TROUBLESHOOTING.md, and docs/AX_UPGRADE_REPORT.md with explicit references to Vercel and Supabase official guidance (see Vercel env docs and deployments, Supabase auth/API key and migrations/RLS docs). (Vercel: https://vercel.com/docs/environment-variables, https://vercel.com/docs/deployments; Supabase: https://supabase.com/docs/guides/auth/server-side/nextjs, https://supabase.com/docs/guides/api/api-keys, https://supabase.com/docs/guides/deployment/database-migrations, https://supabase.com/docs/guides/database/postgres/row-level-security, https://supabase.com/partners/integrations/vercel)
• Standardize developer commands in package.json and CI: add dev, and a canonical verify script (runs lint + typecheck + test + build), and add .github/workflows/verify.yml so CI runs the same pnpm verify gate. (Aligns with Vercel recommended CI/deploy consistency practices: https://vercel.com/docs/)
• Harden scaffold templates and pre-commit guards: update scaffold/.env.example to document client vs server secrets and Vercel preview/prod considerations (see https://vercel.com/docs/environment-variables and Supabase key guidance https://supabase.com/docs/guides/api/api-keys), update scaffold/.github/workflows/ci.yml to run the verify gate, and add a strict scripts/security-check.sh invocation to .husky/pre-commit to warn/fail on common secret/security patterns.
• Regenerate the installer (scripts/init.sh) after scaffold edits to keep generated output consistent with template rules and project conventions.

Testing

• Ran pnpm install locally and it completed successfully.
• Ran pnpm verify locally which executed lint (./scripts/check-templates.sh), typecheck (bash -n checks), test (scaffold smoke via ./scripts/scaffold.sh), and build (regenerated scripts/init.sh), and the full verify gate passed without errors.
• Confirmed pre-commit hook and updated scaffold CI template reference the verify gate and that scripts/init.sh was regenerated as part of the build step.

---

Codex Task

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5601057 and e2e2fe5.

📒 Files selected for processing (7)

• .github/workflows/verify.yml
• docs/AX_UPGRADE_REPORT.md
• docs/ENV.md
• scaffold/.env.example
• scaffold/.github/workflows/ci.yml
• scripts/generate-init.sh
• scripts/init.sh

✅ Files skipped from review due to trivial changes (1)

• docs/ENV.md

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/verify.yml

---

Walkthrough

This PR establishes standardized development processes and documentation for the project. It introduces a new GitHub Actions verify workflow that runs on push to main and pull requests, establishes pnpm@10.6.0 as the package manager with standardized npm scripts (dev, lint, typecheck, test, build, verify), and adds comprehensive documentation including project guidelines (AGENTS.md), an expanded project guide (CLAUDE.md), and technical references covering architecture, environment variables, deployment runbooks, and troubleshooting. The scaffold template is updated to reflect Vercel and Supabase as the baseline stack with corresponding environment variable configurations. A pre-commit security check is added to the Husky workflow, and the verify command becomes the canonical quality gate for both CI and local development workflows.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer (local)
  participant GitHub as GitHub (PR / push)
  participant Actions as GitHub Actions Runner
  participant Node as Node + pnpm
  participant Verify as verify (scripts: lint/typecheck/test/build)

  Dev->>GitHub: push branch / open PR
  GitHub->>Actions: trigger "Verify" workflow
  Actions->>Node: setup pnpm@10.6.0, setup Node v22
  Actions->>Node: pnpm install --frozen-lockfile
  Actions->>Verify: pnpm verify
  Verify->>Node: run lint, typecheck, test, build
  Node-->>Verify: test/lint results
  Verify-->>Actions: exit success/failure
  Actions-->>GitHub: report status (checks/pass/fail)
  GitHub-->>Dev: notify status on PR

Loading

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically identifies the main improvement: enhancing the AX (agent/developer experience) scaffolding to support Vercel + Supabase workflows, which aligns directly with the changeset's core objectives.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, detailing motivation, implementation approach, testing performed, and references to relevant documentation links.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/improve-ax-for-vercel-and-supabase-project

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (1)

.github/workflows/verify.yml (1)

6-7: Consider scoping pull_request trigger to main for consistency.

If your intent is “main-only verification flow,” add the same branch filter to PRs to avoid extra runs on unrelated targets.

Suggested tweak

 pull_request:
+  branches: [main]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/verify.yml around lines 6 - 7, The workflow currently
triggers on all pull_request events via the pull_request key; if you intend
verification only for main, scope that trigger by adding a branches filter to
pull_request (e.g., add branches: [main]) in the verify.yml so PR runs only
target the main branch; update the pull_request block in
.github/workflows/verify.yml accordingly to include the branches filter.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/AX_UPGRADE_REPORT.md`:
- Line 43: The documentation incorrectly references the command path
`scaffold/scripts/security-check.sh`; update the text in AX_UPGRADE_REPORT.md
(the line showing the verification command) to use the actual generated-project
path `scripts/security-check.sh` so the example command becomes `bash
scripts/security-check.sh --strict`; ensure the rest of the sentence and
formatting remain unchanged.

In `@docs/ENV.md`:
- Around line 23-24: Rewrite the ambiguous line "Keep `.env*` files out of Git."
to explicitly exempt the example template so it cannot be misread as also
excluding `.env.example`; for example change it to something like "Keep local
`.env*` files (e.g. `.env`, `.env.local`, `.env.development`) out of Git — do
not ignore the `.env.example` template." Update the sentence near the existing
lines that read "Keep `.env*` files out of Git." and "Keep `.env.example`
documented with safe placeholders only." so they clearly state that
`.env.example` is tracked and contains safe placeholders while other `.env*`
files are not.

In `@scaffold/.env.example`:
- Around line 18-19: The dotenv-linter UnorderedKey warning is caused by the two
Supabase env vars being out of alphabetical order; swap the two entries so
NEXT_PUBLIC_SUPABASE_ANON_KEY appears before NEXT_PUBLIC_SUPABASE_URL in the
.env example (update the lines referencing NEXT_PUBLIC_SUPABASE_ANON_KEY and
NEXT_PUBLIC_SUPABASE_URL accordingly) to satisfy the linter.

In `@scaffold/.github/workflows/ci.yml`:
- Around line 8-9: The comment incorrectly states that pre-commit runs `npm run
verify`; update the comment to accurately describe current pre-commit behavior
by saying it runs strict security checks, lint, and typecheck directly (e.g.,
"pre-commit runs strict security + lint + typecheck directly, rather than the
full `npm run verify`"). Replace the existing explanatory lines around the final
CI step to reflect those exact command names so the documentation matches the
actual pre-commit hooks.

In `@scripts/init.sh`:
- Around line 411-413: Update the explanatory comment describing the "Final
step" so it accurately reflects what the generated pre-commit actually runs:
replace the claim that pre-commit runs the same `npm run verify` with a note
that pre-commit executes the individual checks (`lint`, `typecheck`, and
security check) and that CI uses `npm run verify` to run them together; edit the
comment text surrounding the "Final step runs `npm run verify`" sentence to
mention the specific `lint`, `typecheck`, and security checks instead of
`verify`.
- Around line 505-506: The CI invokes "run verify" but setup_gates() currently
only writes a "gates" script into package.json, causing fresh scaffolds to fail;
update setup_gates() so the generated package.json includes a "verify" script as
an alias to "gates" (e.g., "verify": "npm run gates" or the equivalent for the
detected package manager) to preserve backward compatibility with existing CI
and ensure newly scaffolded projects pass without manual edits.

---

Nitpick comments:
In @.github/workflows/verify.yml:
- Around line 6-7: The workflow currently triggers on all pull_request events
via the pull_request key; if you intend verification only for main, scope that
trigger by adding a branches filter to pull_request (e.g., add branches: [main])
in the verify.yml so PR runs only target the main branch; update the
pull_request block in .github/workflows/verify.yml accordingly to include the
branches filter.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e61ff23 and 5601057.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (14)

• .github/workflows/verify.yml
• AGENTS.md
• CLAUDE.md
• docs/ARCHITECTURE.md
• docs/AX_UPGRADE_REPORT.md
• docs/DECISIONS.md
• docs/ENV.md
• docs/RUNBOOK.md
• docs/TROUBLESHOOTING.md
• package.json
• scaffold/.env.example
• scaffold/.github/workflows/ci.yml
• scaffold/.husky/pre-commit
• scripts/init.sh