The Modh Playbook

Why every tool in our stack exists, and why yours might be different

Why we never write raw database queries

Type-safe mutations that just work

Server Components changed everything

Schema-first, types-generated, RLS-enforced

Files live next to the route that uses them

Building webhooks that never lose events

RLS: the database does the auth checking

How we think about cache invalidation

5-second CI that catches everything

What we test and why — confidence over coverage

Zero any, generated types, strict mode always on

Factories, mocking, and integration tests that prove it works

Systematic route audits that find dead code, wrong abstractions, and missing tests

When things break: our runbook

AI-assisted reviews that teach, not just gatekeep -- seven dimensions, three severities, zero ambiguity

Zod schemas at every boundary

Defense in depth for multi-tenant SaaS

Row Level Security as your authorization layer

Retention, rotation, and responsible deletion

CSP, CORS, and webhook signature verification

Every webhook traced end-to-end with searchable tags

Logs that tell a story

Following a request across 6 services

Measuring what matters

Think before you code — 2-3 approaches, then decide

User stories, architecture context, sub-task breakdown

CI passes first, then a rich description with test plan

How we estimate and ship on time

One-way doors vs two-way doors

Three-layer docs for humans + AI

Building with AI agents, not against them

The user should never wait

Composition over configuration

Suspense, streaming, and instant UI

shadcn/ui, semantic tokens, premium by default

Data density over visual impact, scannability first