How to Build a Social Media App

<context>
App: Social Media App
Difficulty: Advanced
Estimated build time: 2–4 weeks

Data model:
  User: id, username, bio, avatar_url, follower_count, following_count, created_at
  Post: id, user_id, content, media_urls[], like_count, comment_count, created_at, deleted_at
  Follow: follower_id, following_id, created_at
  Like: user_id, post_id, created_at
  Comment: id, post_id, user_id, content, parent_id (for threads), created_at
  Notification: id, user_id, type (like/comment/follow/mention), actor_id, post_id, read, created_at

Recommended build order:
  1. User profiles and auth — Set up Supabase Auth. Create user profiles with username, bio, and avatar. Add a profile page that shows the user's posts. Build follow/unfollow — a simple join table between two user IDs.
  2. Post creation — Build a post composer: text input, image upload (to Supabase Storage or Cloudinary), submit button. On submit: insert the post, update the user's post count, fan out to followers' feeds.
  3. Feed — chronological first — Build the home feed as a simple query: SELECT posts WHERE user_id IN (following list) ORDER BY created_at DESC LIMIT 20. Get this working before any algorithm. Pagination via cursor (last post ID), not offset.
  4. Likes and comments — Add like toggle — check if a like exists, insert or delete. Increment/decrement like_count on the post (denormalised for fast reads). Comments are just posts with a parent_id. Support one level of nesting first.
  5. Notifications — Create a notifications table. On like: insert a notification for the post owner. On follow: insert a notification. On comment: insert a notification. Show an unread count badge in the nav. Mark all read on open.
  6. Media upload — On image select, upload to Supabase Storage. Get back a public URL. Store URLs in the post's media_urls array. Show image previews in the composer before posting. Limit to 4 images per post.
  7. Content moderation — Add a report button on posts and profiles. Store reports in a reports table. Build a simple /admin/reports queue that lets you review and delete reported content or ban users.

Known pitfalls to avoid:
  - Building a fan-out-on-write feed for large accounts — if a user has 1 million followers and posts, writing to 1M feed rows is slow. Use a hybrid: fan-out for small accounts, fan-in (query at read time) for accounts above a threshold.
  - Using OFFSET for pagination — page 100 with OFFSET 2000 requires the DB to scan 2000 rows to skip them. Use cursor-based pagination: WHERE id < last_seen_id ORDER BY id DESC LIMIT 20.
  - Storing like counts only in the likes table — counting likes with COUNT(*) on every feed load is slow. Keep a denormalised like_count on the post row and increment/decrement it atomically with each like/unlike.

Tech stack (intermediate): Next.js + Supabase (auth + DB + Realtime) + Cloudinary — niche community MVP in 2 weeks
</context>

<role>
You are a Senior Full-Stack Engineer and product architect who has shipped production Social Media Apps before. You know exactly where developers get stuck and how to structure the project to avoid rewrites.
</role>

<task id="step-1-clarify">
Before writing any code or spec, ask me 3–5 clarifying questions that will meaningfully change the architecture. Focus on: scale expectations, auth requirements, platform (web / mobile / both), must-have vs nice-to-have features for the MVP, and any hard constraints (budget, deadline, existing infrastructure).

<example>
BAD: "What tech stack do you want to use?" — too broad, doesn't change architecture decisions.
GOOD: "Do you need real-time sync across devices, or is single-device with periodic refresh acceptable? This decides whether we use WebSockets or simple REST polling and significantly affects infrastructure complexity."
</example>
</task>

<task id="step-2-architect">
After I answer your questions, generate a complete project specification including:

1. Final tech stack with version numbers
2. Full file and folder structure
3. Complete database schema — every table, column, type, index, and foreign key
4. All API routes with request/response shapes and auth requirements
5. Component tree with TypeScript props interfaces
6. Auth and authorisation flow (who can do what)
7. Step-by-step implementation plan in the exact build order from <context> above
8. All environment variables with descriptions

<self_check>
Before presenting the spec, verify:
□ Every answer I gave in step 1 is reflected in the spec
□ The database schema matches the data model in <context>
□ The implementation plan follows the build order from <context>
□ No circular dependencies in the component tree
□ Auth is wired up before any protected routes are built
□ All known pitfalls from <context> are addressed in the spec
</self_check>
</task>

<task id="step-2.5-agents-md">
Generate an AGENTS.md file at the project root. This file is read automatically by Claude Code, Cursor, Windsurf, Sourcegraph Cody, and all major AI coding tools at the start of every session.

Include:
- Project overview (2–3 sentences)
- Tech stack with version numbers
- Folder structure with one-line descriptions
- Key architectural decisions and why they were made
- Coding conventions: naming (camelCase components, kebab-case files), max 200 lines per file, one concern per file
- Available commands: dev, build, test, lint, db:migrate, db:seed

Note in the file: "Cursor users can symlink .cursorrules → AGENTS.md. Claude Code users can symlink CLAUDE.md → AGENTS.md."
</task>

<task id="step-3-implement">
Implement the full project following the spec from step 2, in the exact order defined. For each step:
- Write the complete code (no placeholders or TODOs)
- Confirm the step is working before moving to the next
- Note any deviations from the spec with an explanation

<constraints>
- Max 200 lines per file. WHY: every file must fit in one AI context window for easy review and editing.
- One concern per file. WHY: mixing auth logic into API routes makes it impossible to reuse — extract to lib/auth.ts.
- TypeScript strict mode, no `any` types. WHY: catches data shape mismatches at compile time, not in production at 2am.
- All database queries in server components or API routes only. WHY: keeps credentials server-side, prevents accidental client-side exposure.
- All environment variables documented in .env.example. WHY: the next developer (or your future self) should be able to set up the project in under 5 minutes.
- Comment every non-obvious decision. WHY: AI tools read your comments to understand intent — without them, the next edit will break the pattern you established.
</constraints>
</task>