PelusApp Native Development Constitution
Enforce architectural integrity for a React Native app with Unified Identity (Clerk), context-aware navigation (B2C/B2B), and secure backend patterns (Supabase RLS + Netlify Functions).
What This Skill Does
This skill guides AI assistants to:
1. Respect strict layer boundaries and feature isolation rules
2. Never write auth metadata from the frontend (backend-only pattern)
3. Use Gluestack UI design tokens (no hardcoded colors)
4. Always apply Row-Level Security (RLS) policies in Supabase
5. Consult architecture docs (`ARQUITECTURA.md`, `docs/`) before structural changes
6. Log major decisions in `docs/DECISION_LOG.md`
7. Keep Mermaid diagrams in sync with implementation
Instructions
1. Architecture Governance
- **Before proposing structural changes**, read `ARQUITECTURA.md` and relevant docs in `docs/`.
- **When modifying core logic** (Auth, Roles, Metadata), ask permission to record the decision in `docs/DECISION_LOG.md`.
- **After completing a task**, check if Mermaid diagrams need updating.
2. Identity & Security (Clerk)
- **Backend-only metadata writes**: NEVER write to `publicMetadata` from the frontend. Use `apiClient.post` to Netlify Functions.
- **Metadata hierarchy**: Follow `docs/BACKEND_SECURITY.md`. Do NOT use `unsafeMetadata` for permissions or navigation.
- **Active context**: The presence of `organization` in Clerk is the single source of truth for B2B mode.
3. Layer Structure (Feature Isolation)
- **Isolation rule**: Files in `src/features/Shared/` MUST NOT import from other `features/` subfolders.
- **Feature audit**: When creating a new file in `src/features/`, verify it complies with the hierarchy in `docs/FEATURE_STRUCTURE.md`.
- **Path aliases**: Always use `@/` for internal imports.
4. Design & Styling (Gluestack UI)
- **Theme protection**: NEVER use hardcoded colors (e.g., `color="#FF0000"`). Use design tokens (e.g., `$error600`).
- **Context awareness**: Before modifying styles, check `gluestack-ui.config.ts`. Respect the distinct visual themes for B2C and B2B.
- **Native components**: Prioritize `@gluestack-ui/themed` components. Use `ActionSheet` for mobile context pickers.
5. Persistence & Database (Supabase)
- **Zero static tokens**: NEVER use the static Supabase client for authenticated operations. Always use the `useSupabaseClient` hook.
- **RLS mandatory**: When creating a Supabase table, ALWAYS define RLS policies based on Clerk claims (`sub` for B2C, `org_id` for B2B).
- **Single source of auth**: Supabase Auth is disabled. All identity validation happens via Clerk JWT.
- **Secure queries**: Ensure `owner_id` or `org_id` filters are implicit in RLS, but add them to queries for readability/performance.
6. Proactive Audit Rule
When the user requests a new feature, verify:
1. Does it comply with the layer structure?
2. Does it require changes to permissions logic? (Consult `BACKEND_SECURITY.md`)
3. How does it affect context-aware navigation (B2C ↔ B2B)?
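The RLS rule from section 5 (Clerk `sub` claim for B2C rows, `org_id` claim for B2B rows) as a worked example. This is an added illustration, not the project's own schema: the `notes` table, its columns and the claim names are assumptions, and it relies on Supabase's `auth.jwt()` helper being populated from the Clerk-issued JWT with the `authenticated` role.

```sql
-- Constructed example (not the project's schema): a "notes" table whose rows
-- belong either to one B2C user (owner_id = Clerk user id) or to one B2B
-- organization (org_id = Clerk organization id).
create table if not exists notes (
  id        uuid primary key default gen_random_uuid(),
  owner_id  text not null,  -- Clerk user id, i.e. the JWT "sub" claim
  org_id    text,           -- Clerk organization id; null means a B2C row
  body      text not null
);

-- Supabase Auth is disabled, so the Clerk JWT is the only identity. The
-- policies read its claims through auth.jwt(); the "org_id" claim name is
-- assumed to match what Clerk places in the session token.
alter table notes enable row level security;

-- B2C: a signed-in user sees and writes only rows they own.
create policy notes_b2c_select on notes
  for select to authenticated
  using (org_id is null and owner_id = (auth.jwt() ->> 'sub'));

create policy notes_b2c_insert on notes
  for insert to authenticated
  with check (org_id is null and owner_id = (auth.jwt() ->> 'sub'));

-- B2B: a member sees and writes rows of the organization that is the
-- active context in the token, and every insert is stamped with the caller.
create policy notes_b2b_select on notes
  for select to authenticated
  using (org_id is not null and org_id = (auth.jwt() ->> 'org_id'));

create policy notes_b2b_insert on notes
  for insert to authenticated
  with check (org_id is not null
              and org_id = (auth.jwt() ->> 'org_id')
              and owner_id = (auth.jwt() ->> 'sub'));

-- No policy for anon and no update/delete policy: with RLS enabled those
-- operations are denied by default, which is the intended failure mode.
```

The policies make the `owner_id`/`org_id` filter implicit; the client query issued through `useSupabaseClient` should still pass the same filter, as section 5 asks, so the planner can use an index on those columns.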
Constraints
- Do NOT bypass backend security patterns
- Do NOT hardcode styles or colors
- Do NOT create Supabase tables without RLS policies
- Do NOT import across feature boundaries (except `Shared/`)
- Do NOT modify core auth flows without consulting architecture docs