fiddy/.github/copilot-instructions.md

Copilot Instructions — Fiddy (External DB)

Authority

  • Source of truth: PROJECT_INSTRUCTIONS.md (repo root). If conflict, follow it.
  • Bugfix work: follow DEBUGGING_INSTRUCTIONS.md (repo root).
  • Keep this file short: it's a guide for Copilot behavior, not the full spec.

High-level behavior

  • Make the smallest change that resolves the bug or request.
  • Scan the repo first for existing patterns (don't invent files/endpoints unless necessary).
  • Respect layering: route → server service → client wrapper → hook → UI.
  • Keep diffs tight; avoid large refactors unless required.

Hard rules (do not violate)

  • External DB: DATABASE_URL points to on-prem Postgres (NOT a container).
  • No cron/worker jobs.
  • Server-side RBAC only; client checks are UX only.
  • Never log secrets, receipt bytes, or full invite codes (invite codes = last4 only).
  • Entries list endpoints must never return receipt bytes.
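
One way to enforce the logging and list-endpoint rules above in code. This is an added example, not code from the Fiddy repo; the key names, row fields, and helper names (inviteLast4, redactForLog, toEntryListItem) are assumptions, and the sample event is constructed.

```typescript
// Added example. Key names and row fields are assumptions, not Fiddy's schema.
const SECRET_KEYS = /^(password|token|secret|authorization|cookie|database_url)$/i;
const RECEIPT_KEYS = /^(receipt|receipt_bytes)$/i;
const INVITE_KEYS = /^(invite_code|invitecode)$/i;

// Invite codes are logged as last4 only; codes of 4 chars or fewer are fully masked.
function inviteLast4(code: string): string {
  return code.length > 4 ? "****" + code.slice(-4) : "****";
}

// Returns a redacted copy of `value` that is safe to pass to a logger.
function redactForLog(value: unknown, key: string = ""): unknown {
  if (SECRET_KEYS.test(key)) return "[redacted]";
  if (RECEIPT_KEYS.test(key) || value instanceof Uint8Array) return "[bytes omitted]";
  if (INVITE_KEYS.test(key) && typeof value === "string") return inviteLast4(value);
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, key));
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(src)) out[k] = redactForLog(src[k], k);
    return out;
  }
  return value;
}

// Hypothetical DB row and list-item shapes for an entry.
interface EntryRow { id: string; amount_cents: number; receipt_bytes: Uint8Array | null; }
interface EntryListItem { id: string; amount_cents: number; has_receipt: boolean; }

// Build list responses from an allow-list so a new column cannot leak by default.
function toEntryListItem(row: EntryRow): EntryListItem {
  return { id: row.id, amount_cents: row.amount_cents, has_receipt: row.receipt_bytes !== null };
}

// Constructed sample log event.
const sampleEvent = {
  request_id: "req_constructed",
  invite_code: "ABCD-EFGH-1234",
  headers: { authorization: "Bearer constructed-value" },
  entry: { id: "e1", receipt_bytes: new Uint8Array([1, 2, 3]) },
};
console.log(JSON.stringify(redactForLog(sampleEvent)));
```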

Architecture quick map (follow existing patterns)

  • API routes: app/api/**/route.ts (thin parse/validate + call service)
  • Server services: lib/server/* (DB + authz, must include import "server-only";)
  • Client wrappers: lib/client/* (typed fetch + error normalization, credentials included)
  • Hooks: hooks/use-*.ts (UI-facing API layer; components avoid raw fetch())

API conventions

  • Prefer error shape: { error: { code, message }, request_id? }
  • Validate input at the route boundary; authorize in services.

Next.js dynamic route params (required)

  • In app/api/**/[param]/route.ts, treat context.params as async:
    • const { id } = await context.params;

Tests

  • When changing API behavior, add/update tests.
  • Prefer including negative cases: unauthorized / not-a-member / invalid input.

UI expectations

  • Dark mode, minimal, mobile-first.
  • Navbar layout: left nav dropdown, middle group selector, right user menu.