Use this page before editing Replied docs or code.

Required reading

  • Read docs/codebase-map.json before editing.
  • Read relevant docs before changing features.
  • Read AGENTS.md for repo rules.
  • Inspect existing patterns before adding code.
  • Search the codebase before changing uncertain logic.

Core rules

  • Do not create duplicate systems.
  • Do not bypass Supabase auth or RLS.
  • Preserve org_id scoping.
  • Keep dashboard, company admin, and superadmin separate.
  • Do not invent routes.
  • Do not edit dangerous large files blindly.
  • Preserve API contracts.
  • Preserve database relationships.
  • Use existing components first.
  • Follow current layout and auth rules.
  • Explain assumptions before major edits.

Add a dashboard page

  1. Find the existing dashboard route pattern.
  2. Reuse the dashboard layout.
  3. Add auth and org_id checks.
  4. Add the sidebar item after the route works.
  5. Update docs if user behavior changes.

Add a company admin page

  1. Find existing company admin pages.
  2. Reuse admin role checks.
  3. Keep settings scoped to one workspace.
  4. Test member access denial.

Add a superadmin page

  1. Find existing superadmin pages.
  2. Use superadmin auth only.
  3. Keep it out of customer navigation.
  4. Add audit context for sensitive actions.

Add an API route

  1. Reuse route handler patterns.
  2. Validate input.
  3. Preserve response shape rules.
  4. Apply auth, rate limits, and org_id scope where relevant.
  5. Add API docs.
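
The auth, input validation, and org_id scope steps above, in the order a handler would apply them. This is an added example, not Replied's own code: the handler name, the session and membership data, and the ticket rows are hypothetical and constructed, and in-memory collections stand in for the database.

```javascript
// Added example. handleListTickets, sessions, memberships and tickets are
// hypothetical stand-ins, not Replied's routes or schema.

// Constructed sample data: two workspaces with one user each.
const sessions = new Map([
  ["tok-a", { userId: "u1" }],
  ["tok-b", { userId: "u2" }],
]);
const memberships = [
  { userId: "u1", org_id: "org-1", role: "admin" },
  { userId: "u2", org_id: "org-2", role: "member" },
];
const tickets = [
  { id: 1, org_id: "org-1", subject: "Refund request" },
  { id: 2, org_id: "org-2", subject: "Login issue" },
];

// One response shape for every outcome, so callers can rely on the contract.
const json = (status, body) => ({ status, body });

function handleListTickets(req) {
  // 1. Auth: identify the caller from the session token only.
  const session = sessions.get(req.token);
  if (!session) return json(401, { error: "unauthenticated" });

  // 2. Validate input before any data access.
  const orgId = req.query ? req.query.org_id : undefined;
  if (typeof orgId !== "string" || !/^org-\d+$/.test(orgId)) {
    return json(400, { error: "invalid org_id" });
  }

  // 3. org_id scope: the requested workspace must be one the caller belongs
  //    to. A client-supplied org_id is a request, never proof of access.
  const member = memberships.find(
    (m) => m.userId === session.userId && m.org_id === orgId
  );
  if (!member) return json(403, { error: "forbidden" });

  // 4. Query with the org_id taken from the verified membership row.
  const data = tickets.filter((t) => t.org_id === member.org_id);
  return json(200, { data });
}
```

The cross-workspace request (a valid session asking for another org_id) is the denial case worth keeping as a regression test.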

Add an Aria action

  1. Find current Aria action patterns.
  2. Keep inputs scoped to one workspace.
  3. Return structured output.
  4. Keep human review in the flow.
  5. Update AI and Aria docs.