Skill

scaffold-nextjs-app

Generate Next.js 15 App Router project with auth, database, API routes. Use when user asks to "scaffold a Next.js app".

Install

Run in your terminal

npx claudepluginhub javimontano/mao-sovereign-architect

Tool Access

This skill is limited to using the following tools:

ReadWriteEditGlobGrepBashAgent

Supporting Assets

View in Repository

agents/app-router-architect-agent.md

agents/auth-db-setup-agent.md

agents/nextjs-e2e-agent.md

evals/evals.json

examples/sample-output.md

prompts/use-case-prompts.md

references/body-of-knowledge.md

references/knowledge-graph.mmd

references/state-of-the-art.md

Skill Content

Scaffold Next.js App

Generate Next.js 15 App Router project with server-first architecture, full-stack auth, database integration, and type-safe API routes.

Guiding Principle

"Server-first architecture produces faster, simpler applications. Default to Server Components — justify every use client directive."

Procedure

Step 1 — Elicit Context and Routing Architecture

Ask: Does this project need SEO or static marketing pages? (YES → confirms Next.js is right choice, not plain React).
Ask: Is this full-stack (API routes included) or frontend-only consuming external API?
Ask: What is the auth strategy? (NextAuth.js/Auth.js v5, Clerk, Supabase Auth, custom JWT).
Ask: What database? (PostgreSQL via Drizzle ORM, Prisma, Supabase, PlanetScale).
Ask: Deployment target? (Vercel → full Edge/Node flexibility; Docker → prefer Node runtime; AWS Lambda → check bundle limits).
Classify all answers: [HECHO] if confirmed, [SUPUESTO] if inferred.

Step 2 — Define App Router Architecture

Map all pages to App Router conventions: app/page.tsx, app/(auth)/login/page.tsx, app/(dashboard)/layout.tsx.
Identify which pages are Server Components (default), Client Components (use client), and Streaming (with <Suspense>).
Design route groups: (marketing) for public pages, (dashboard) for protected routes, (auth) for auth flow.
Define server vs. client boundary: data fetching and form mutations stay in Server Components/Actions; interactive UI only gets use client.
Design loading.tsx and error.tsx boundaries at each route segment.
Document routing map in docs/routing-architecture.md.

Step 3 — Configure Next.js and Tooling

Create next.config.ts with: strict mode, experimental features (PPR if using Next 15), image domains, bundle analyzer hook.
Write tsconfig.json with strict: true, moduleResolution: "Bundler", paths for @/.
Configure tailwind.config.ts for App Router content paths including app/, components/, lib/.
Write .env.example with all required variables; write src/env.ts with Zod validation (use server schema for NODE-only vars, client schema for NEXT_PUBLIC_ vars).
Configure ESLint with eslint-config-next, @typescript-eslint/strict, jsx-a11y.
Set up Drizzle ORM (or Prisma): schema file, migration commands, type generation scripts.

Step 4 — Implement Auth and Middleware

Install and configure Auth.js v5 (NextAuth): auth.config.ts with providers, session strategy, callbacks.
Write middleware.ts at root: protect all routes under /(dashboard), redirect unauthenticated to /login.
Write auth() server helper — use in Server Components, Server Actions, and Route Handlers.
Implement CSRF protection for Server Actions (built-in with Auth.js).
Write src/lib/auth-utils.ts with getCurrentUser() helper that throws if not authenticated.
Test: unauthenticated request to /dashboard → 302 to /login. Auth cookie present → session resolves.

Step 5 — Testing, CI/CD, and Deployment Config

Install Vitest for unit/component testing (Next.js compatible with next/jest or @vitejs/plugin-react).
Configure Playwright for E2E with Next.js: webServer config starts next dev, baseURL from env.
Write next.config.ts production optimizations: output standalone for Docker, compress: true, security headers.
Write Dockerfile using output: 'standalone' — copy only .next/standalone + .next/static + public.
Write .github/workflows/ci.yml: type-check → lint → unit tests → build → E2E.
Document all env variables in README with local setup instructions.

Decision Framework

Decision	Default	Alternative	When to Switch
Rendering	Server Components	Client Components	Interactive UI, browser APIs needed
Data fetching	`fetch()` in Server Component	Route Handler + TanStack Query	Client-side re-fetching required
Mutations	Server Actions	Route Handlers	Non-form mutations from client
Auth	Auth.js v5	Clerk	Managed auth with UI components wanted
ORM	Drizzle ORM	Prisma	Team prefers Prisma's DX; large team
Database	PostgreSQL (Neon/Supabase)	SQLite (Turso)	Low-traffic or edge deployment
Caching	Next.js `unstable_cache`	Redis via Upstash	Multi-region or high-volume cache
Styling	Tailwind CSS v4	CSS Modules	Existing non-Tailwind design system
Deployment	Vercel	Docker/ECS	No vendor lock-in; custom infra
Image handling	next/image (required)	Direct `<img>`	Never — always use next/image

Quality Criteria

next build exits 0 — no TypeScript errors, no missing env variables.
All routes under (dashboard) return 302 to /login when unauthenticated (Playwright test).
Lighthouse score ≥ 90 Performance on main marketing page (static generation verified).
next/image used for all images — no raw <img> tags.
No use client on pages that only render static or server-fetched data.
All Server Actions have zod input validation before touching the database.
Database migrations tracked in version control (drizzle/ or prisma/migrations/).
Security headers configured in next.config.ts (CSP, X-Frame-Options, HSTS).

Anti-Patterns

Mixing Pages Router and App Router patterns — Never import useRouter from next/router in App Router. Use next/navigation. Never use getServerSideProps in app/.
use client on layout files — Makes the entire subtree client-side. Put interactivity in leaf components, keep layouts as Server Components.
Fetching in Client Components when a Server Component would do — Adds unnecessary loading states, exposes internal API structure, increases bundle size.
Not using output: 'standalone' for Docker — Default Next.js Docker build includes all node_modules. Standalone output is 10x smaller.
Storing secrets in NEXT_PUBLIC_* variables — These are embedded in the client bundle. Use unprefixed vars for server-only secrets.

When NOT to Use

When the project is a pure SPA with no SEO requirements → Use scaffold-react-app (lighter, faster DX).
When the backend is a separate service team owns → Consider a React SPA calling the existing API rather than adding a Next.js BFF.
When deploying to a platform that doesn't support Node.js processes → Static-only sites are better served by plain HTML or Astro.
When the team has no React experience → Consider the learning curve; Next.js App Router adds Server Component mental model on top of React.

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

138.0k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

everything-claude-code

138.0k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

138.0k

Stats

Stars0

Forks0

Last CommitMar 28, 2026

Actions

View Source View Plugin View on GitHub View README

Scaffold Next.js App

Generate Next.js 15 App Router project with server-first architecture, full-stack auth, database integration, and type-safe API routes.

Guiding Principle

"Server-first architecture produces faster, simpler applications. Default to Server Components — justify every use client directive."

Procedure

Step 1 — Elicit Context and Routing Architecture

Ask: Does this project need SEO or static marketing pages? (YES → confirms Next.js is right choice, not plain React).
Ask: Is this full-stack (API routes included) or frontend-only consuming external API?
Ask: What is the auth strategy? (NextAuth.js/Auth.js v5, Clerk, Supabase Auth, custom JWT).
Ask: What database? (PostgreSQL via Drizzle ORM, Prisma, Supabase, PlanetScale).
Ask: Deployment target? (Vercel → full Edge/Node flexibility; Docker → prefer Node runtime; AWS Lambda → check bundle limits).
Classify all answers: [HECHO] if confirmed, [SUPUESTO] if inferred.

Step 2 — Define App Router Architecture

Map all pages to App Router conventions: app/page.tsx, app/(auth)/login/page.tsx, app/(dashboard)/layout.tsx.
Identify which pages are Server Components (default), Client Components (use client), and Streaming (with <Suspense>).
Design route groups: (marketing) for public pages, (dashboard) for protected routes, (auth) for auth flow.
Define server vs. client boundary: data fetching and form mutations stay in Server Components/Actions; interactive UI only gets use client.
Design loading.tsx and error.tsx boundaries at each route segment.
Document routing map in docs/routing-architecture.md.

Step 3 — Configure Next.js and Tooling

Create next.config.ts with: strict mode, experimental features (PPR if using Next 15), image domains, bundle analyzer hook.
Write tsconfig.json with strict: true, moduleResolution: "Bundler", paths for @/.
Configure tailwind.config.ts for App Router content paths including app/, components/, lib/.
Write .env.example with all required variables; write src/env.ts with Zod validation (use server schema for NODE-only vars, client schema for NEXT_PUBLIC_ vars).
Configure ESLint with eslint-config-next, @typescript-eslint/strict, jsx-a11y.
Set up Drizzle ORM (or Prisma): schema file, migration commands, type generation scripts.

Step 4 — Implement Auth and Middleware

Install and configure Auth.js v5 (NextAuth): auth.config.ts with providers, session strategy, callbacks.
Write middleware.ts at root: protect all routes under /(dashboard), redirect unauthenticated to /login.
Write auth() server helper — use in Server Components, Server Actions, and Route Handlers.
Implement CSRF protection for Server Actions (built-in with Auth.js).
Write src/lib/auth-utils.ts with getCurrentUser() helper that throws if not authenticated.
Test: unauthenticated request to /dashboard → 302 to /login. Auth cookie present → session resolves.

Step 5 — Testing, CI/CD, and Deployment Config

Install Vitest for unit/component testing (Next.js compatible with next/jest or @vitejs/plugin-react).
Configure Playwright for E2E with Next.js: webServer config starts next dev, baseURL from env.
Write next.config.ts production optimizations: output standalone for Docker, compress: true, security headers.
Write Dockerfile using output: 'standalone' — copy only .next/standalone + .next/static + public.
Write .github/workflows/ci.yml: type-check → lint → unit tests → build → E2E.
Document all env variables in README with local setup instructions.

Decision Framework

Decision	Default	Alternative	When to Switch
Rendering	Server Components	Client Components	Interactive UI, browser APIs needed
Data fetching	`fetch()` in Server Component	Route Handler + TanStack Query	Client-side re-fetching required
Mutations	Server Actions	Route Handlers	Non-form mutations from client
Auth	Auth.js v5	Clerk	Managed auth with UI components wanted
ORM	Drizzle ORM	Prisma	Team prefers Prisma's DX; large team
Database	PostgreSQL (Neon/Supabase)	SQLite (Turso)	Low-traffic or edge deployment
Caching	Next.js `unstable_cache`	Redis via Upstash	Multi-region or high-volume cache
Styling	Tailwind CSS v4	CSS Modules	Existing non-Tailwind design system
Deployment	Vercel	Docker/ECS	No vendor lock-in; custom infra
Image handling	next/image (required)	Direct `<img>`	Never — always use next/image

Quality Criteria

next build exits 0 — no TypeScript errors, no missing env variables.
All routes under (dashboard) return 302 to /login when unauthenticated (Playwright test).
Lighthouse score ≥ 90 Performance on main marketing page (static generation verified).
next/image used for all images — no raw <img> tags.
No use client on pages that only render static or server-fetched data.
All Server Actions have zod input validation before touching the database.
Database migrations tracked in version control (drizzle/ or prisma/migrations/).
Security headers configured in next.config.ts (CSP, X-Frame-Options, HSTS).

Anti-Patterns

Mixing Pages Router and App Router patterns — Never import useRouter from next/router in App Router. Use next/navigation. Never use getServerSideProps in app/.
use client on layout files — Makes the entire subtree client-side. Put interactivity in leaf components, keep layouts as Server Components.
Fetching in Client Components when a Server Component would do — Adds unnecessary loading states, exposes internal API structure, increases bundle size.
Not using output: 'standalone' for Docker — Default Next.js Docker build includes all node_modules. Standalone output is 10x smaller.
Storing secrets in NEXT_PUBLIC_* variables — These are embedded in the client bundle. Use unprefixed vars for server-only secrets.

When NOT to Use

When the project is a pure SPA with no SEO requirements → Use scaffold-react-app (lighter, faster DX).
When the backend is a separate service team owns → Consider a React SPA calling the existing API rather than adding a Next.js BFF.
When deploying to a platform that doesn't support Node.js processes → Static-only sites are better served by plain HTML or Astro.
When the team has no React experience → Consider the learning curve; Next.js App Router adds Server Component mental model on top of React.