This is NOT the Next.js you know
This version has breaking changes — APIs, conventions, and file structure may all differ from your training data. Read the relevant guide in node_modules/next/dist/docs/ before writing any code. Heed deprecation notices.
Scrum4Me Codex Rules
Read CLAUDE.md and the relevant files in docs/ before changing behavior. The same product and security rules apply to Codex work.
Access Control
- Product-scoped access is owner-or-member: use `productAccessFilter(userId)` from `lib/product-access.ts`.
- Use owner-only `user_id` checks only for actions that truly require ownership, such as product archiving and team management.
- Never trust client-provided IDs by themselves. For reorder, promotion, completion, or bulk updates, fetch the records with both `id in (...)` and the parent scope (`product_id`, `pbi_id`, `sprint_id`, or `story_id`) before writing.
- Reject duplicate IDs in ordered lists or decision payloads.
- Derive denormalized fields from database parents, for example `pbi.product_id`, not from form data or JSON bodies.
- Demo users and demo API tokens must receive 403 on write operations.
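The rules above, worked through for a PBI reorder request as an added illustration (this is not Scrum4Me's own code; the `Pbi` shape, the in-memory `PBIS` table, the `isDemo` flag and the `AccessError` status codes are constructed here):

```typescript
// Constructed stand-in for the database table; prod-B rows belong to another product.
type Pbi = { id: string; product_id: string; title: string };
const PBIS: Pbi[] = [
  { id: "pbi-1", product_id: "prod-A", title: "Login page" },
  { id: "pbi-2", product_id: "prod-A", title: "Sprint board" },
  { id: "pbi-3", product_id: "prod-B", title: "Billing" },
];

class AccessError extends Error {
  status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
  }
}

// Rule: reject duplicate IDs in ordered lists before touching the database.
function assertUniqueIds(ids: string[]): void {
  if (new Set(ids).size !== ids.length) {
    throw new AccessError(400, "duplicate ids in ordered list");
  }
}

// Rule: never trust client IDs alone. Filter on both `id in (...)` and the parent
// scope, then require every requested id to come back. An id from another product
// is simply not found, so the count check fails instead of the write proceeding.
function fetchScopedPbis(ids: string[], productId: string): Pbi[] {
  const rows = PBIS.filter((p) => ids.includes(p.id) && p.product_id === productId);
  if (rows.length !== ids.length) {
    throw new AccessError(404, "one or more ids are not in this product");
  }
  return rows;
}

// Rule: demo users get 403 on writes. Returns the rows that would be written.
function reorderPbis(
  user: { id: string; isDemo: boolean },
  productId: string,
  orderedIds: string[],
): Array<{ id: string; product_id: string; position: number }> {
  if (user.isDemo) throw new AccessError(403, "demo users cannot write");
  assertUniqueIds(orderedIds);
  const rows = fetchScopedPbis(orderedIds, productId);
  // Rule: derive the denormalized product_id from the fetched parent, not the payload.
  return orderedIds.map((id, position) => {
    const row = rows.find((r) => r.id === id)!;
    return { id: row.id, product_id: row.product_id, position };
  });
}
```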
Documentation Sync
When changing behavior, API responses, dependencies, environment variables, deployment behavior, or analytics, update the matching docs in the same change:
- `README.md` for setup, dependencies, deployment, and API overview.
- `docs/scrum4me-functional-spec.md` for user-facing/API requirements.
- `docs/scrum4me-architecture.md` for stack, access model, data model, env vars, and deployment.
- `docs/patterns/` when a reusable implementation rule changes.
- `CLAUDE.md` and this file when an agent instruction would have prevented the issue.
Verification
Before handing work back, run:
```sh
npm run lint
npm test
npm run build
```