Cursor Rules for CardTool.app

Development guidelines for the CardTool.app credit card rewards tracking application.

Project Overview

CardTool.app is a Next.js 16 application for tracking credit card rewards and benefits, built with:

**Frontend**: Next.js 16 App Router, TypeScript, Tailwind CSS (dark theme)

**Backend**: Supabase (PostgreSQL) with Row Level Security

**Authentication**: Clerk

**Deployment**: cardtool.app (production)

Database Migration Workflow

When creating or modifying database schema:

1. **Create migration file** in `supabase/migrations/` directory

2. **Update TypeScript types** in `src/lib/database.types.ts` in the SAME commit

3. **Enable RLS on all new tables** (see RLS section)

4. **Run migration using Supabase MCP tools** (see below)

5. **Verify migration success** by querying affected tables

Running Migrations with MCP

Use Supabase MCP server tools - do NOT instruct users to run SQL manually:

```typescript

// Execute SQL directly

CallMcpTool(

server: "user-supabase",

toolName: "execute_sql",

arguments: {"query": "ALTER TABLE cards ADD COLUMN brand text;"}

)

// Or apply a full migration file

CallMcpTool(

server: "user-supabase",

toolName: "apply_migration",

arguments: {"migration_file": "path/to/migration.sql"}

)

```

For complex migrations, break into smaller `execute_sql` calls to avoid errors.

Row Level Security (RLS)

**ALL tables must have RLS enabled**, even though the app uses service role key (bypasses RLS). This provides defense-in-depth.

User-Owned Tables

For tables with `user_id` column:

```sql

ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Users can manage their own data"

ON table_name FOR ALL TO authenticated

USING (user_id = (auth.jwt()->>'sub'))

WITH CHECK (user_id = (auth.jwt()->>'sub'));

```

Reference Tables

For shared read-only data (e.g., `cards`, `issuers`):

```sql

ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Authenticated users can read table_name"

ON table_name FOR SELECT TO authenticated

USING (true);

```

Service-Role-Only Tables

For admin/internal tables (e.g., `stripe_members`):

```sql

ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;

-- NO policies added - blocks all non-service-role access

```

Code Style Guidelines

**Server components by default** - client components only when necessary

**Server actions for mutations** - define in page.tsx files with `"use server"`

**Dark theme UI**:

- Backgrounds: `zinc-900`, `zinc-950`

- Text: `zinc-300`, `zinc-400`

**Consistent tooltips** - use fixed positioning pattern from existing components

**Import utilities from centralized locations** - no duplicate implementations

Date Handling Standards

Storage Formats

**Date-only fields**: `YYYY-MM-DD` string (e.g., `approval_date`, `expiration_date`)

**Timestamp fields**: Full ISO string via `new Date().toISOString()` (e.g., `updated_at`, `created_at`)

Required Utilities (from `@/lib/utils`)

`parseLocalDate(str)` - Parse YYYY-MM-DD to Date in local timezone

`formatDateToString(date)` - Format Date to YYYY-MM-DD in local timezone

`formatDate(str, options)` - Format date string for display

`extractDateFromISO(str)` - Extract YYYY-MM-DD from ISO string without timezone conversion

Critical Rules

1. **NEVER** use `new Date(dateString)` for date-only strings → use `parseLocalDate()`

2. **NEVER** use `date.toISOString().split('T')[0]` for local dates → use `formatDateToString()`

3. **NEVER** duplicate date utilities in components → import from `@/lib/utils`

4. For ISO strings with time, extract date directly: `str.substring(0, 10)` or `extractDateFromISO()`

Why This Matters

`new Date("2024-01-15")` parses as UTC midnight, causing ±1 day errors in US timezones. Similarly, `toISOString()` converts to UTC. Always use the centralized utilities to avoid timezone bugs.

Git Workflow

1. **NEVER commit/push to main** unless user explicitly instructs for THAT SPECIFIC change

2. A "push" instruction applies ONLY to the changes discussed at that moment, NOT future changes

3. **Always run `npm run build`** and verify it passes before any commit

4. After bug fixes or changes, **ALWAYS ask "Ready to push?"** before pushing

5. **When in doubt, ask first**

Testing Requirements

Build must pass: `npm run build`

Test UI changes in browser before marking complete

Verify database migrations succeeded by querying affected tables

Key Constraints

Keep `database.types.ts` in sync with schema or builds will fail

RLS must be enabled on ALL tables (even service-role-only ones)

No direct SQL execution by users - use MCP tools for migrations

Maintain dark theme consistency (zinc palette)

Use local timezone utilities for all date-only fields

Cursor Rules for CardTool.app

Cursor Rules for CardTool.app

Project Overview

Database Migration Workflow

Running Migrations with MCP

Row Level Security (RLS)

User-Owned Tables

Reference Tables

Service-Role-Only Tables

Code Style Guidelines

Date Handling Standards

Storage Formats

Required Utilities (from `@/lib/utils`)

Critical Rules

Why This Matters

Git Workflow

Testing Requirements

Key Constraints

Reviews (0)