AI Agent Guidelines
This page documents the conventions that AI coding agents (Copilot, Cursor, Codex, etc.) should follow when working on the Leave Localhost codebase.
This page documents the conventions that AI coding agents (Copilot, Cursor, Codex, etc.) should follow when working on the Leave Localhost codebase.
Before Editing
- Read
AGENTS.mdat the repository root for the full rules. - Read
packages/backend/AGENTS.mdbefore editing Convex code. - Read
packages/backend/convex/_generated/ai/guidelines.mdfor Convex-specific API patterns that override training data. - Check
.agents/skills/directories for relevant skills before starting.
Code Style
- Write concise, technical TypeScript.
- Use functional and declarative patterns; avoid classes.
- Prefer iteration and modularization over duplication.
- Use descriptive variable names with auxiliary verbs (
isLoading,hasError). - Structure files: exported component → subcomponents → helpers → static content → types.
Naming
- Directories: lowercase with dashes (e.g.
components/auth-wizard). - Exports: favor named exports for components.
- TypeScript: prefer
interfaceovertype. Avoidenum; use maps.
Workspace Ownership
| Change | Location |
|---|---|
| Shared UI | packages/ui |
| Product-only UI | apps/app |
| Marketing UI | apps/marketing |
| Backend logic | packages/backend/convex |
| Env validation | tooling/env-doctor |
Package Manager
Use Bun for all commands. Do not introduce npm, pnpm, yarn, or npx.
bun install # Install dependencies
bun run <script> # Run root script
bunx <cli> # Run CLI toolVerification After Changes
| After | Run |
|---|---|
| TypeScript changes | bun run typecheck |
| UI changes | bun run lint |
| Env changes | bun test tooling/env-doctor |
| Convex changes | Read AI guidelines, then run backend tests |
| Before PRs | bun run lint && bun run typecheck && bun run test |
Do Not Edit
packages/backend/convex/_generated/**— auto-generated..env,.env.local— local configuration..next,.turbo,.react-email,node_modules— build outputs.
Key Patterns
Error Handling
Use ConvexAppError factories (notFound, forbidden, invalidInput), not
raw throw new Error().
Permissions
Start every public function with requireAppPermission() or
canAppPermission().
Organization Scoping
All tenant data must be filtered by actor.organizationId from the permission
check.
React Components
- Minimize
"use client",useEffect, andsetState. - Favor React Server Components.
- Wrap client components in
Suspensewith fallback. - Use
next/dynamicfor non-critical components.
Loading UX
- Use route-level
loading.tsxfiles with small skeleton components. - For initial authenticated page data, preload a page-level view model on the
server with
convexAuth.preloadAuthQuery, pass thePreloadedresult to the client component, and read it withusePreloadedAuthQuery. - Include ordinary permission and capability state in that view model when the route needs it. When a protected query would throw before it can be preloaded, make a preliminary server authorization decision instead; the billing page is the reference implementation.
- A client
useQueryis appropriate only for live, paginated, or interaction-driven data that genuinely needs a subscription. Do not turn an initial route load into per-component permission subscriptions. - Keep skeleton geometry aligned with the final layout.
Security Model
Leave Localhost implements a layered security model: authentication via Better Auth, authorization via role + capability checks, and step-up verification for sensitive actions.
Authentication Overview
The Leave Localhost Starter utilizes Better Auth as the core authentication framework, seamlessly integrated with our Convex backend.