- Next.js application (
src/app,src/components,src/lib) - Supabase backend (Auth, Postgres, RLS, migrations)
- AI services (DeepSeek for scoring/generation, Gemini for voice)
- Optional billing adapters (Stripe, LemonSqueezy)
- Local storage-engine playground (
engine/)
- User interacts with App Router page/component.
- Server route handlers in
src/app/apienforce auth/context. - Business logic in
src/liborchestrates DB + AI calls. - Supabase persists learner state, progress, and generated artifacts.
- UI updates via server responses and client state.
- Schema evolution is migration-first in
supabase/migrations. - Old migrations are immutable; new changes must be additive migrations.
- Prompt and schema contracts live in
src/lib/llm. - API wrappers and retries are centralized in client modules.
- Route handlers should validate and sanitize AI outputs before persistence.
- CI runs lint, tests, type checks, and production build.
- Dependency review and Dependabot reduce supply-chain risk.
- Security disclosures follow
SECURITY.md.