Add analytics and documentation updates

AGENTS.md

@@ -3,3 +3,36 @@
 
 This version has breaking changes — APIs, conventions, and file structure may all differ from your training data. Read the relevant guide in `node_modules/next/dist/docs/` before writing any code. Heed deprecation notices.
 <!-- END:nextjs-agent-rules -->
+
+# Scrum4Me Codex Rules
+
+Read `CLAUDE.md` and the relevant files in `docs/` before changing behavior. The same product and security rules apply to Codex work.
+
+## Access Control
+
+- Product-scoped access is owner-or-member: use `productAccessFilter(userId)` from `lib/product-access.ts`.
+- Use owner-only `user_id` checks only for actions that truly require ownership, such as product archiving and team management.
+- Never trust client-provided IDs by themselves. For reorder, promotion, completion, or bulk updates, fetch the records with both `id in (...)` and the parent scope (`product_id`, `pbi_id`, `sprint_id`, or `story_id`) before writing.
+- Reject duplicate IDs in ordered lists or decision payloads.
+- Derive denormalized fields from database parents, for example `pbi.product_id`, not from form data or JSON bodies.
+- Demo users and demo API tokens must receive 403 on write operations.
+
+## Documentation Sync
+
+When changing behavior, API responses, dependencies, environment variables, deployment behavior, or analytics, update the matching docs in the same change:
+
+- `README.md` for setup, dependencies, deployment, and API overview.
+- `docs/scrum4me-functional-spec.md` for user-facing/API requirements.
+- `docs/scrum4me-architecture.md` for stack, access model, data model, env vars, and deployment.
+- `docs/patterns/` when a reusable implementation rule changes.
+- `CLAUDE.md` and this file when an agent instruction would have prevented the issue.
+
+## Verification
+
+Before handing work back, run:
+
+```bash
+npm run lint
+npm test
+npm run build
+```