How to Build a URL Shortener

<context>
App: URL Shortener
Difficulty: Beginner
Estimated build time: 1–2 days

Data model:
  Link: id, user_id, slug (unique), original_url, custom_alias, expires_at, created_at
  Click: id, link_id, referrer, country, device (mobile/desktop), browser, clicked_at

Recommended build order:
  1. Slug generation and redirect — Generate a random 6-character slug (nanoid). Store slug → original_url in your database. Create a catch-all route /[slug] that looks up the slug and returns a 301 redirect. Test this works before anything else.
  2. Click tracking middleware — Before the redirect, log a Click row: extract country from the CF-IPCountry header (Cloudflare/Vercel sets this), device from User-Agent, referrer from the Referer header. Do this asynchronously so it doesn't slow the redirect.
  3. Dashboard and link management — Build a dashboard showing all your links with total clicks, creation date, and original URL. Add create and delete actions. Add an edit to update the destination URL without changing the slug.
  4. Analytics per link — Add a detail page per link: total clicks, clicks over time (bar chart last 30 days), top countries (table), top referrers (table), device split (mobile vs desktop donut). Aggregate from the clicks table.
  5. Custom aliases — Let users choose a custom slug (e.g. yourdomain.com/my-product) instead of a random one. Check for uniqueness. Sanitise input to alphanumeric and hyphens only.
  6. Link expiry — Add an expires_at datetime to links. In the redirect handler, check if the link is expired before redirecting. Return a 410 Gone page with a friendly message if so.
  7. QR code generation — Use the qrcode npm package to generate a PNG QR code for each short URL. Return it as a base64 image. Add a download button to the dashboard next to each link.

Known pitfalls to avoid:
  - Using auto-increment IDs as slugs — they're sequential and predictable. Users can enumerate all links by guessing IDs. Use nanoid() to generate random slugs instead.
  - Logging clicks synchronously before the redirect — this adds latency to every redirect. Use waitUntil() (Vercel Edge) or a background job to log asynchronously while the redirect fires immediately.
  - Not handling slug collisions on custom aliases — two users might want the same alias. Always check for uniqueness before saving and return a clear error if the alias is taken.

Tech stack (intermediate): Next.js + Supabase + Vercel Edge Middleware for sub-ms redirects + Clerk for teams
</context>

<role>
You are a Senior Full-Stack Engineer and product architect who has shipped production URL Shorteners before. You know exactly where developers get stuck and how to structure the project to avoid rewrites.
</role>

<task id="step-1-clarify">
Before writing any code or spec, ask me 3–5 clarifying questions that will meaningfully change the architecture. Focus on: scale expectations, auth requirements, platform (web / mobile / both), must-have vs nice-to-have features for the MVP, and any hard constraints (budget, deadline, existing infrastructure).

<example>
BAD: "What tech stack do you want to use?" — too broad, doesn't change architecture decisions.
GOOD: "Do you need real-time sync across devices, or is single-device with periodic refresh acceptable? This decides whether we use WebSockets or simple REST polling and significantly affects infrastructure complexity."
</example>
</task>

<task id="step-2-architect">
After I answer your questions, generate a complete project specification including:

1. Final tech stack with version numbers
2. Full file and folder structure
3. Complete database schema — every table, column, type, index, and foreign key
4. All API routes with request/response shapes and auth requirements
5. Component tree with TypeScript props interfaces
6. Auth and authorisation flow (who can do what)
7. Step-by-step implementation plan in the exact build order from <context> above
8. All environment variables with descriptions

<self_check>
Before presenting the spec, verify:
□ Every answer I gave in step 1 is reflected in the spec
□ The database schema matches the data model in <context>
□ The implementation plan follows the build order from <context>
□ No circular dependencies in the component tree
□ Auth is wired up before any protected routes are built
□ All known pitfalls from <context> are addressed in the spec
</self_check>
</task>

<task id="step-2.5-agents-md">
Generate an AGENTS.md file at the project root. This file is read automatically by Claude Code, Cursor, Windsurf, Sourcegraph Cody, and all major AI coding tools at the start of every session.

Include:
- Project overview (2–3 sentences)
- Tech stack with version numbers
- Folder structure with one-line descriptions
- Key architectural decisions and why they were made
- Coding conventions: naming (camelCase components, kebab-case files), max 200 lines per file, one concern per file
- Available commands: dev, build, test, lint, db:migrate, db:seed

Note in the file: "Cursor users can symlink .cursorrules → AGENTS.md. Claude Code users can symlink CLAUDE.md → AGENTS.md."
</task>

<task id="step-3-implement">
Implement the full project following the spec from step 2, in the exact order defined. For each step:
- Write the complete code (no placeholders or TODOs)
- Confirm the step is working before moving to the next
- Note any deviations from the spec with an explanation

<constraints>
- Max 200 lines per file. WHY: every file must fit in one AI context window for easy review and editing.
- One concern per file. WHY: mixing auth logic into API routes makes it impossible to reuse — extract to lib/auth.ts.
- TypeScript strict mode, no `any` types. WHY: catches data shape mismatches at compile time, not in production at 2am.
- All database queries in server components or API routes only. WHY: keeps credentials server-side, prevents accidental client-side exposure.
- All environment variables documented in .env.example. WHY: the next developer (or your future self) should be able to set up the project in under 5 minutes.
- Comment every non-obvious decision. WHY: AI tools read your comments to understand intent — without them, the next edit will break the pattern you established.
</constraints>
</task>