Follow these rules when implementing changes in this repository:
Auth (critical)
- Use NextAuth cookie sessions for web UI flows.
- Do not use `localStorage` tokens for auth in the UI.
- In API routes, prefer `getServerSession(authOptions)` and server-side role checks.
- Only allow `Authorization: Bearer ...` when explicitly required for non-browser clients.
Multi-tenancy & privacy (critical)
- Never expose contractor identities to clients.
- Clients must not be able to browse/search contractors or contact them directly.
- Enforce role-based access for any contractor profile endpoints/pages.
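The following is an added example, not code from this repository, showing the server-side decisions the auth and multi-tenancy rules above call for once a route under `app/api/**/route.ts` has obtained the session via `getServerSession(authOptions)`. The `next-auth` import is left out so the logic runs stand-alone; the `Role`, `Session`, profile and job shapes are assumptions.

```typescript
// Assumed shapes: NextAuth's session is extended with a role claim on user.
type Role = "client" | "contractor" | "admin";
interface Session { user: { id: string; role: Role } }
interface ContractorProfile { id: string; displayName: string; email: string }
interface Job { id: string; title: string; contractorId?: string; contractorName?: string }
type Decision = { status: 200; body: unknown } | { status: 401 | 403; body: { error: string } };

// Role gate for contractor profile endpoints: no session -> 401, clients -> 403,
// a contractor may only read their own profile, an admin may read any profile.
export function authorizeProfileRead(session: Session | null, profile: ContractorProfile): Decision {
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  const { id, role } = session.user;
  if (role === "admin" || (role === "contractor" && id === profile.id)) {
    return { status: 200, body: profile };
  }
  return { status: 403, body: { error: "forbidden" } };
}

// Privacy rule: a client may see a job record but never the contractor behind it,
// so identity fields are stripped before the response leaves the server.
export function jobForViewer(job: Job, role: Role): Job {
  if (role === "client") return { id: job.id, title: job.title };
  return job;
}

// Credential policy: browser flows rely on the NextAuth cookie; a Bearer token is
// only honoured by handlers that explicitly opt in for non-browser clients.
// (Validation of either credential is still done by NextAuth, not here.)
export function acceptedCredential(headers: Record<string, string>, bearerOptIn: boolean): "cookie" | "bearer" | "none" {
  const auth = headers["authorization"] ?? "";
  if (/^Bearer\s+\S+/i.test(auth)) return bearerOptIn ? "bearer" : "none";
  return "cookie" in headers ? "cookie" : "none";
}
```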
Implementation workflow
- Scan for auth-token usage (`localStorage`, `Authorization: Bearer`) and remove/limit as required.
- Verify server-side auth checks in any modified `app/api/**/route.ts`.
- Run targeted checks for the area changed:
  - `npm run lint`
  - `npm test`
  - `npm run build`
- Fix failures only if they are related to the change being made.