# This is NOT the Next.js you know

This version has breaking changes — APIs, conventions, and file structure may all differ from your training data. Read the relevant guide in `node_modules/next/dist/docs/` before writing any code. Heed deprecation notices.

# Scrum4Me Codex Rules

Read `CLAUDE.md` and the relevant files in `docs/` before changing behavior. The same product and security rules apply to Codex work.

## Access Control

- Product-scoped access is owner-or-member: use `productAccessFilter(userId)` from `lib/product-access.ts`.
- Use owner-only `user_id` checks only for actions that truly require ownership, such as product archiving and team management.
- Never trust client-provided IDs by themselves. For reorder, promotion, completion, or bulk updates, fetch the records with both `id in (...)` and the parent scope (`product_id`, `pbi_id`, `sprint_id`, or `story_id`) before writing.
- Reject duplicate IDs in ordered lists or decision payloads.
- Derive denormalized fields from database parents, for example `pbi.product_id`, not from form data or JSON bodies.
- Demo users and demo API tokens must receive 403 on write operations.

## Documentation Sync

When changing behavior, API responses, dependencies, environment variables, deployment behavior, or analytics, update the matching docs in the same change:

- `README.md` for setup, dependencies, deployment, and API overview.
- `docs/scrum4me-functional-spec.md` for user-facing/API requirements.
- `docs/scrum4me-architecture.md` for stack, access model, data model, env vars, and deployment.
- `docs/patterns/` when a reusable implementation rule changes.
- `CLAUDE.md` and this file when an agent instruction would have prevented the issue.

## Verification

Before handing work back, run:

```bash
npm run lint
npm test
npm run build
```