These rules are for any AI assistant or developer working in this codebase.
The app is small, but it has several high-risk flows: auth bootstrap, delayed-auth activity creation, guest identity, RSVP/waitlist logic, semi-public/private access behavior, and Supabase schema drift. Treat those flows carefully.
- Treat this as a
React + Vite + Supabaseapp, not an Airtable app or AI Studio/Gemini app. - Assume frontend code, Supabase schema, RLS, and RPC behavior are tightly coupled.
- Prefer small, verifiable changes over broad refactors.
- Do not assume the checked-in SQL fully matches production.
- Preserve existing user flows unless the task explicitly changes product behavior.
- Keep user-facing copy as activity / activities, even though routes/tables still use
eventnaming internally.
Unless the repository is intentionally changed, always assume:
- this is a browser SPA with no first-party backend server in this repo
- Supabase is the real backend integration
- there is no Airtable integration
- signed-in users use Supabase Auth
- guests use
attendee_profiles+attendee_sessions+ local token storage - guest email can be host-required or optional per activity (
require_guest_email_for_join) - the create flow supports delayed auth: fill the form first, authenticate only at save time
- visibility modes matter:
public,semi_public, andprivate - RSVP and waitlist integrity depend on both shared frontend logic and database-backed operations
Be especially careful when editing these:
src/App.tsxsrc/supabase.tssrc/services/guestService.tssrc/pages/CreateEvent.tsxsrc/pages/EventDetail.tsxsrc/pages/HostDashboard.tsxsrc/pages/Login.tsxsrc/pages/Bookings.tsxsrc/pages/Recovery.tsxsrc/pages/Calendar.tsxsrc/pages/Home.tsxsrc/lib/events.tssrc/lib/interests.tssrc/lib/rsvp.tssrc/lib/navigation.tssrc/lib/authRedirect.tssrc/utils.tssupabase_schema.sqlsupabase_reconcile_live_schema.sqlSCHEMA_ALIGNMENT.md
Before changing RSVP, waitlist, auth, guest recovery, bookings, access requests, or visibility behavior:
- Read the relevant page/service/helper files completely.
- Check both
supabase_schema.sqlandsupabase_reconcile_live_schema.sqlfor related tables, RLS, RPCs, triggers, and constraints. - Compare the frontend code against schema/docs for drift.
- Confirm whether the flow depends on:
auth.usersattendee_profilesattendee_sessionsevent_attendeesevent_hostsevent_interestsevent_access_requestsevent_waitlist_positionsevents.visibilityevents.access_code
- Document mismatches instead of silently coding past them.
supabase_schema.sql is a repository snapshot and may lag the live Supabase schema.
Rules:
- Do not claim the checked-in SQL is the full production truth unless you verify it.
- If you touch guest identity, access requests, timezone/duration fields, or RSVP behavior, call out the schema dependencies explicitly.
- If a task changes schema expectations, update docs and migrations/scripts together.
- Treat
SCHEMA_ALIGNMENT.mdas relevant context when schema truth is unclear.
- Protected host routes depend on Supabase
user. - Login is currently magic-link only.
App.tsxsyncs signed-in users into the guest-profile system.
Rules:
- Do not break
supabase.auth.getSession()bootstrap behavior. - Do not remove
onAuthStateChangesyncing without equivalent replacement. - Do not reintroduce Google OAuth or UI for it unless explicitly requested.
- Do not add host-only UI without protecting the route or action.
- Preserve deployment-aware redirect handling when touching auth flows.
CreateEvent.tsx intentionally allows signed-out users to fill the form before they authenticate.
Rules:
- Do not force login at page entry unless explicitly requested.
- Do not break create-form draft persistence.
- If you change create/edit fields, verify draft restore behavior.
- If you touch auth redirects in the create flow, verify the user can still finish saving after login.
Guest identity is real application state, persisted through:
localStorageattendee_profilesattendee_sessions
Rules:
- Do not clear or overwrite guest session tokens casually.
- Do not change storage keys without backward-compat handling.
- Do not assume guest bookings can be derived from email alone.
- Treat no-email guest profiles as valid identities; profile/session matching is primary when available.
- Preserve recovery-link behavior unless explicitly redesigning it.
- Be explicit that
/recovertoken restore is real, but/login?recovery=truecurrently behaves like OTP login rather than a true guest-session recovery flow.
This is one of the most fragile areas in the app.
Rules:
- Do not introduce new RSVP paths without checking existing logic in:
src/pages/EventDetail.tsxsrc/pages/HostDashboard.tsxsrc/lib/rsvp.tssrc/lib/attendees.tssupabase_reconcile_live_schema.sql
- Do not change waitlist behavior in only one place if the same concept exists elsewhere.
- Prefer existing RPCs for fragile attendee operations instead of adding new direct write paths casually.
- If you touch attendee transitions, inspect:
confirmedwaitlistcancelledpromoted_atcancelled_at- proxy-added attendees
- host-added attendees
When editing RSVP logic, explicitly think through:
- duplicate RSVP prevention
- full-capacity handling
- waitlist ordering
- cancellation promotion
- guest vs authenticated attendee matching
- proxy RSVP behavior
- semi-public/private path behavior after join
Current visibility contract:
is_public = true=> discoverable in public browseis_public = false=> hidden from public browsevisibility = semi_public=> public preview + host-shared private linkvisibility = private=> unlisted/link-only behavior
Rules:
- Keep visibility behavior consistent across:
- calendar browse
- event path building
- share/copy actions
- host preview/manage pages
- signed-in dashboard links
- guest bookings links
- When editing navigation, confirm joined users still get the correct private/public path.
- When editing semi-public flows, check access-request behavior and host actions together.
The app now stores schedule data using:
starts_atin UTCtimezoneas authoring/display contextduration_minutesinstead of authoring around end time
Rules:
- Do not reintroduce device-time assumptions accidentally.
- If you touch scheduling UI, verify create, edit, display, and copy/duplicate behavior.
- Keep
utils.tstimezone helpers aligned with UI behavior.
- Keep database access patterns readable and localized.
- Use existing table names and fields exactly.
- Do not invent schema fields without updating migrations/docs.
- Be careful with client-side writes because security depends on RLS, not hidden server code.
- If a change needs stronger guarantees, prefer an RPC or clearly documented server-side pattern.
Current meaningful env vars:
VITE_SUPABASE_URLVITE_SUPABASE_ANON_KEYVITE_APP_URL
Legacy optional:
APP_URL
Rules:
- Do not add new env vars unless truly needed.
- If you add or change an env var, update:
.env.exampleREADME.mdPROJECT_ARCHITECTURE.md- deployment notes
- Remember that
VITE_*vars are exposed to the client bundle.
- Maintain compatibility with
BrowserRouter. - Preserve deep-link behavior for:
/events/:slug/host/events/:id/host/events/:id/edit/calendar/bookings/recover
- When adding routes, ensure they still work with static-host SPA rewrites.
- After broad UI refactors, do route-by-route smoke checks.
When architecture or product behavior changes, update docs in the same task when practical.
At minimum, update docs if you change:
- routes/pages
- auth flow
- create/edit behavior
- env vars
- deployment assumptions
- schema expectations
- visibility/share-link rules
- guest recovery behavior
- timezone/duration behavior
- user-facing features or behavior (
CHANGELOG.md)
Docs should describe the current real architecture:
- Supabase, not Airtable
- activities app, not Gemini app
- magic-link only auth
- delayed-auth create flow
Rules:
- Do not add packages casually for small problems.
- Before adding a dependency, check whether existing utilities already solve it.
- If removing a dependency, confirm it is actually unused.
- Avoid reintroducing stale setup assumptions into docs or code.
There is no automated test suite right now, so manual verification matters.
After meaningful changes, verify the relevant flows manually when possible:
- App boots with valid env vars.
- Login still works.
- Protected routes still redirect correctly.
- Create activity still works for:
- signed-in user
- signed-out delayed-auth save flow
- edit mode
- Public calendar still loads.
- Activity detail page still loads attendees.
- RSVP still works for:
- signed-in user
- guest user
- waitlist case
- proxy/add-another-person case
- Cancellation still works.
- Semi-public share/access-request behavior still works.
- Thinking-about-it state still works on public and non-public activities.
- Guest bookings still load.
- Recovery link flow still restores session.
- Host manage page still supports preview/share/edit paths.
If you cannot verify a flow, say so clearly.
Assume static deployment unless the repo changes significantly.
For Render/static hosting:
- build output is
dist - SPA rewrites are required
VITE_SUPABASE_URLandVITE_SUPABASE_ANON_KEYmust be available at build timeVITE_APP_URLshould be considered when auth redirect correctness matters
If changing deployment behavior:
- update
PROJECT_ARCHITECTURE.md - update
README.md - call out required host configuration changes
Preferred patterns:
- small focused edits
- explicit comments only when logic is non-obvious
- updates that keep schema/docs/code aligned
- preserving current behavior unless product changes are requested
- route-by-route smoke checks after broad UI changes
Avoid:
- broad stylistic rewrites bundled into behavior fixes
- renaming core route/table/schema fields without migrations
- mixing unrelated refactors into fragile flow changes
- silently changing auth, guest-session, or visibility semantics
Watch for these known risks:
- schema drift between frontend expectations and SQL
- stale README/setup instructions
- RPC/frontend logic drift for RSVP/cancel flows
- duplicated business logic across client and SQL
- demo-grade recovery token/email flow
- split signed-in dashboard vs guest bookings behavior
- auth redirect drift between localhost and deployed environments
- regressions in semi-public/private link handling
- regressions in timezone/duration save/display behavior
When a task touches data integrity, auth, visibility, or deployment and the safest behavior is unclear:
- stop broad implementation
- explain the ambiguity
- propose the smallest safe option
- note any schema or product decision that should be confirmed first
- Supabase is the backend.
- Airtable is not used.
- Guest identity is real application state.
- Magic-link auth and delayed-auth create flow are important product behavior.
- RSVP/waitlist and visibility/link behavior are high risk.
- Schema and code are not perfectly aligned.
- Keep changes small, explicit, and documented.