How to Build a Booking App

<context>
App: Booking App
Difficulty: Intermediate
Estimated build time: 1–2 weeks

Data model:
  Provider: id, user_id, name, slug, timezone, booking_url_enabled
  Service: id, provider_id, name, duration_minutes, price, buffer_minutes
  Availability: id, provider_id, day_of_week (0–6), start_time, end_time
  Booking: id, provider_id, service_id, customer_name, customer_email, start_at (UTC), end_at (UTC), status (pending/confirmed/cancelled), stripe_payment_intent

Recommended build order:
  1. Provider profile and services — Create a provider profile with name and timezone. Add a services list — each service has a name, duration (e.g. 60 min), price, and buffer time between appointments.
  2. Availability configuration — Add a weekly availability grid — the provider sets which hours they work each day. Store as day_of_week + start_time + end_time rows. Show a preview of open slots.
  3. Public booking page — Create /book/[slug] — a public page for customers. Show a date picker. For the selected date, calculate open slots by subtracting existing bookings from availability windows.
  4. Slot calculation logic — Write a function: given a date, the provider's availability, existing bookings, service duration, and buffer time — return an array of available start times as UTC ISO strings. This is the core algorithm.
  5. Stripe payment at booking time — When a customer selects a slot and fills in their details, create a Stripe Payment Intent. Only confirm the booking after payment succeeds via the webhook. Never book without confirmed payment.
  6. Email confirmations and reminders — On booking confirmed, send email to both provider and customer via Resend. Schedule a reminder 24h before via a Vercel cron job that queries bookings starting in the next 24–25h window.
  7. Google Calendar sync — Use the Google Calendar API with OAuth. On each new booking, create a calendar event on the provider's Google Calendar. On cancellation, delete it. Store the Google event ID on the booking row.

Known pitfalls to avoid:
  - Not locking slots during checkout — two customers can select the same slot simultaneously. Use a database lock (SELECT FOR UPDATE) or a short-lived reservation row to hold the slot while payment processes.
  - Storing times in local timezone — always store start_at and end_at in UTC. Convert to the provider's timezone only for display. A provider in Tokyo and a customer in London will both see the correct local time.
  - Forgetting buffer time in slot calculation — if a service is 60 min with 15 min buffer and a booking starts at 9am, the next available slot is 10:15am, not 10:00am.

Tech stack (intermediate): Next.js + Supabase + Stripe + Resend + Google Calendar API
</context>

<role>
You are a Senior Full-Stack Engineer and product architect who has shipped production Booking Apps before. You know exactly where developers get stuck and how to structure the project to avoid rewrites.
</role>

<task id="step-1-clarify">
Before writing any code or spec, ask me 3–5 clarifying questions that will meaningfully change the architecture. Focus on: scale expectations, auth requirements, platform (web / mobile / both), must-have vs nice-to-have features for the MVP, and any hard constraints (budget, deadline, existing infrastructure).

<example>
BAD: "What tech stack do you want to use?" — too broad, doesn't change architecture decisions.
GOOD: "Do you need real-time sync across devices, or is single-device with periodic refresh acceptable? This decides whether we use WebSockets or simple REST polling and significantly affects infrastructure complexity."
</example>
</task>

<task id="step-2-architect">
After I answer your questions, generate a complete project specification including:

1. Final tech stack with version numbers
2. Full file and folder structure
3. Complete database schema — every table, column, type, index, and foreign key
4. All API routes with request/response shapes and auth requirements
5. Component tree with TypeScript props interfaces
6. Auth and authorisation flow (who can do what)
7. Step-by-step implementation plan in the exact build order from <context> above
8. All environment variables with descriptions

<self_check>
Before presenting the spec, verify:
□ Every answer I gave in step 1 is reflected in the spec
□ The database schema matches the data model in <context>
□ The implementation plan follows the build order from <context>
□ No circular dependencies in the component tree
□ Auth is wired up before any protected routes are built
□ All known pitfalls from <context> are addressed in the spec
</self_check>
</task>

<task id="step-2.5-agents-md">
Generate an AGENTS.md file at the project root. This file is read automatically by Claude Code, Cursor, Windsurf, Sourcegraph Cody, and all major AI coding tools at the start of every session.

Include:
- Project overview (2–3 sentences)
- Tech stack with version numbers
- Folder structure with one-line descriptions
- Key architectural decisions and why they were made
- Coding conventions: naming (camelCase components, kebab-case files), max 200 lines per file, one concern per file
- Available commands: dev, build, test, lint, db:migrate, db:seed

Note in the file: "Cursor users can symlink .cursorrules → AGENTS.md. Claude Code users can symlink CLAUDE.md → AGENTS.md."
</task>

<task id="step-3-implement">
Implement the full project following the spec from step 2, in the exact order defined. For each step:
- Write the complete code (no placeholders or TODOs)
- Confirm the step is working before moving to the next
- Note any deviations from the spec with an explanation

<constraints>
- Max 200 lines per file. WHY: every file must fit in one AI context window for easy review and editing.
- One concern per file. WHY: mixing auth logic into API routes makes it impossible to reuse — extract to lib/auth.ts.
- TypeScript strict mode, no `any` types. WHY: catches data shape mismatches at compile time, not in production at 2am.
- All database queries in server components or API routes only. WHY: keeps credentials server-side, prevents accidental client-side exposure.
- All environment variables documented in .env.example. WHY: the next developer (or your future self) should be able to set up the project in under 5 minutes.
- Comment every non-obvious decision. WHY: AI tools read your comments to understand intent — without them, the next edit will break the pattern you established.
</constraints>
</task>