Complete A–Z guides: stack, auth, backend, security, hosting, and launch

I want to build: [DESCRIBE YOUR APP / WEBSITE IN 3-5 SENTENCES]. Answer these to help me choose the right stack: - Expected users at launch: [under 100 / 100-1000 / 1000+] - Team: [solo / 2-3 devs / larger team] - My strongest skill: [frontend / backend / full-stack / no-code] - Timeline to MVP: [2 weeks / 1 month / 3 months] - Budget for hosting/tools: [free tier only / $20-50/mo / $100+/mo] - Mobile app needed: [web only / web + mobile / mobile only] - Real-time features: [yes / no / maybe] - Needs payments: [yes: Stripe / no] - Expected data volume: [light / medium / heavy] Based on my answers, give me: 1. **Recommended stack** — frontend + backend + database + auth + hosting (with exact versions to use today) 2. **Why this stack** — specific reasons for my project, not generic pros 3. **What to avoid** — 2-3 tempting options that would hurt me for this project and why 4. **Starter repo structure** — exact folder/file layout for day 1 5. **MVP scope** — what's in, what's out, what's phase 2 6. **First 3 commands** — how to initialise the project right now

Design the complete system architecture for: [YOUR APP NAME AND DESCRIPTION]. My chosen stack: [FRONTEND / BACKEND / DATABASE / AUTH] Expected scale at 6 months: [USER COUNT / REQUESTS PER DAY] Critical constraints: [cost / latency / compliance / offline support / multi-region] Design: 1. **Component diagram** — every service/layer, how they connect (text-based diagram) 2. **Data flow** — how a typical user request travels through the system end-to-end 3. **Frontend architecture** — routing, state management, data fetching pattern 4. **Backend architecture** — API layer, business logic layer, data layer separation 5. **Database design** — which DB for which data (relational vs KV vs blob) and why 6. **External services** — what to integrate vs build (email, search, storage, queue) 7. **Authentication flow** — token lifecycle, session management, refresh strategy 8. **Caching strategy** — what to cache, where, and for how long 9. **Failure points** — what can go wrong and how each is handled 10. **Scaling path** — what breaks first as you grow and how to fix it when it does Flag: the 2 decisions that will be hardest to reverse later — get these right now.

Design and implement authentication for my [APP TYPE] built with [STACK]. My requirements: - Auth methods needed: [email+password / Google OAuth / GitHub / magic link / phone OTP / SSO] - User roles needed: [admin / user / guest / custom: describe] - Session behaviour: [stay logged in / expire after X hours / device management] - Special requirements: [MFA / invite-only / org/team accounts / public + private areas] Give me: **Part 1 — Auth provider recommendation:** Compare these options for MY project: [Supabase Auth / Auth0 / Clerk / NextAuth / custom JWT / Firebase Auth] - Pros/cons for my specific requirements - Cost at 100 / 1,000 / 10,000 users - Migration difficulty if I want to switch later - **Final recommendation with reasoning** **Part 2 — Full implementation:** 1. Setup and configuration (env vars, provider setup) 2. Sign up flow (with email verification) 3. Sign in flow 4. Session management (access token + refresh token lifecycle) 5. Protected routes middleware 6. Role-based access control (RBAC) implementation 7. Password reset flow 8. OAuth provider setup (if applicable) **Part 3 — Security hardening:** - Rate limiting on auth endpoints - Brute force protection - Token storage (where and why — NOT localStorage for sensitive tokens) - CSRF protection - Security headers to set

Design the complete database layer for my app. App description: [WHAT YOUR APP DOES] Stack: [BACKEND LANGUAGE/FRAMEWORK] Expected data: [describe your main entities and relationships] Scale target: [row counts at 1 year, read/write ratio] Budget: [free / $0-20/mo / $20-100/mo / flexible] **Part 1 — Database type selection:** Evaluate for my use case: - PostgreSQL vs MySQL vs SQLite - Should I add Redis? (caching + queues + sessions) - Should I add a search engine? (Algolia / Typesense / pgvector) - Should I add object storage? (Supabase Storage / Cloudflare R2 / S3) → Recommendation with cost at each growth stage **Part 2 — Where to host it:** Compare these hosting options FOR MY BUDGET AND SCALE: - Supabase (free → Pro → Enterprise) - Railway - PlanetScale / Neon / TiDB - Fly.io Postgres - AWS RDS / DigitalOcean Managed DB - Self-hosted VPS For each: monthly cost, free tier limits, connection pooling, backups, read replicas availability, vendor lock-in risk **→ Final recommendation:** hosting provider + plan + estimated monthly cost at 3 growth stages **Part 3 — Schema design:** Write the complete SQL schema for my app's core entities. Include: indexes, foreign keys, RLS policies (if Supabase), soft deletes, timestamps. Add 5 queries I'll run most often — verify the schema handles them efficiently.

Build the complete backend API plan for my app. App: [DESCRIPTION] Framework: [Express / FastAPI / Hono / NestJS / Django / etc.] Database: [YOUR DB] Auth: [YOUR AUTH SOLUTION] **Part 1 — API design:** For each resource in my app [LIST YOUR MAIN ENTITIES]: - Endpoints (method + path + description) - Request schema (body + query params + path params) - Response schema (success + error) - Auth required + permission level - Rate limit recommendation **Part 2 — Middleware stack (in order):** 1. CORS configuration (exact settings for my setup) 2. Security headers (helmet.js config or equivalent) 3. Rate limiting (per IP + per user) 4. Auth middleware (token verification + user injection) 5. Request validation (Zod / Joi schema) 6. Request logging 7. Error handler (global — never leak stack traces to client) **Part 3 — Patterns to implement:** - Consistent error response format (code, message, details) - Pagination pattern (cursor-based vs offset and when to use which) - File upload handling - Background job pattern (what to process async vs sync) - API versioning strategy **Part 4 — Testing plan:** - Unit tests: what to test, what to mock - Integration tests: which endpoints need real DB tests - Load test: what to check before launch

Perform a pre-launch security audit for my [APP TYPE] and give me everything to fix. My stack: [FRONTEND + BACKEND + DATABASE + HOSTING] Handles: [user data / payments / medical / just content — describe sensitivity] Auth method: [WHAT I'M USING] Current stage: [building / near launch / already live] **Audit me on every category:** 1. **Injection attacks** (SQL injection, command injection, XSS) - What to check in my specific stack - Code patterns that are vulnerable — show the bad vs good version 2. **Authentication & session security** - Token storage vulnerabilities - Session fixation, CSRF, clickjacking - Password policy and storage (bcrypt cost factor) 3. **Access control** - IDOR (Insecure Direct Object Reference) — how to check for it - Privilege escalation paths - API endpoint that should be protected but might not be 4. **Data exposure** - What my API should NEVER return (passwords, tokens, internal IDs) - Logging what I shouldn't (PII, secrets) - .env and secrets management — what can't go in git 5. **Security headers** (give me the exact headers to set) 6. **Dependency security** (how to audit npm/pip packages) 7. **Infrastructure** (firewall rules, exposed ports, SSH hardening if VPS) 8. **GDPR / compliance** (if handling EU users — what's legally required) Output: a numbered checklist ordered by severity. Critical items first.

Recommend the best hosting setup for my app. App details: - Type: [SaaS / portfolio / marketplace / API / e-commerce / internal tool] - Stack: [FRONTEND FRAMEWORK + BACKEND FRAMEWORK + DATABASE] - Expected traffic at launch: [requests/day or users/day] - Expected traffic at 1 year: [growth estimate] - Monthly hosting budget: [AMOUNT or "minimise cost"] - Team size: [1 / 2-5 / 5+] - DevOps experience: [none / some / confident] - Must-have: [low latency / multi-region / EU hosting / SLA guarantee / specific compliance] **Compare these options for MY project:** Frontend hosting: - Vercel / Netlify / Cloudflare Pages / AWS Amplify / self-hosted Nginx → Recommendation + why + cost breakdown + hidden gotchas Backend hosting: - Railway / Render / Fly.io / DigitalOcean App Platform / Heroku / AWS / GCP / self-hosted VPS → Compare: cold starts, pricing model, scaling behaviour, DX, ops complexity → Recommendation + plan + estimated cost at 3 growth stages Database hosting: [covered in schema prompt or repeat here] **Final architecture recommendation:** Exact services to use + monthly cost at: - Launch (0-100 users): $___/mo - Early growth (1,000 users): $___/mo - Scale (10,000 users): $___/mo Flags: services where I'll hit a pricing cliff and need to plan ahead.

Set up a complete CI/CD pipeline and production deployment for my app. Stack: [FRONTEND + BACKEND + DATABASE] Hosting: [WHERE YOU'RE DEPLOYING] Repo: [GitHub / GitLab / Bitbucket] Team: [solo / small team] Environments needed: [dev / staging / prod / all three] **Part 1 — GitHub Actions / CI pipeline:** Write the complete workflow YAML for: 1. On every PR: lint + type check + unit tests + build check 2. On merge to main: run tests → build → deploy to staging 3. On tag/release: deploy to production with manual approval gate 4. Environment-specific secrets management 5. Notifications (Slack / email on failure) **Part 2 — Environment management:** - How to manage environment variables across dev/staging/prod - Which secrets go where (which provider: Doppler / GitHub Secrets / Vault / .env) - How to keep staging as close to prod as possible - Database migration strategy (never break prod on deploy) **Part 3 — Production readiness:** - Health check endpoint (what it should verify) - Zero-downtime deployment strategy - Rollback procedure (how to revert in under 5 minutes) - Database backup schedule and restore test **Part 4 — Monitoring (free tier first):** - Error tracking: Sentry setup (what to capture, what to ignore) - Uptime monitoring: how to get alerted when site is down - Performance monitoring: what metrics to watch - Log aggregation: where to send logs and how to query them Give me the complete setup I can follow step by step.

Generate a complete pre-launch checklist for my app before I go live. App type: [WHAT IT DOES] Stack: [FULL STACK] Hosting: [WHERE IT'S DEPLOYED] Has payments: [yes / no] Handles user data: [yes / no] Expected launch date: [DATE] Check every category — mark each as [DONE / TODO / NOT APPLICABLE]: **Performance:** - [ ] Lighthouse score (target: 90+ performance, 100 accessibility) - [ ] Images optimised and lazy loaded - [ ] Bundle size analysed (no massive dependencies) - [ ] Database queries have indexes — no N+1 problems - [ ] API response times under 200ms for common endpoints **Security:** - [ ] All environment variables set in production (none hardcoded) - [ ] HTTPS enforced (HTTP → HTTPS redirect) - [ ] Security headers verified (helmet / CF headers) - [ ] Auth tokens expire and refresh correctly - [ ] Rate limiting active on API and auth endpoints - [ ] Error responses don't leak stack traces or internal details - [ ] Dependencies audited (npm audit / pip check) **Reliability:** - [ ] Error tracking live (Sentry or equivalent) - [ ] Uptime monitoring active with alert - [ ] Database backups configured and tested - [ ] Rollback procedure documented and tested **Legal / Compliance:** - [ ] Privacy Policy live and linked - [ ] Terms of Service live and linked - [ ] Cookie consent (if tracking EU users) - [ ] GDPR data deletion flow works **UX:** - [ ] 404 page looks intentional - [ ] Error states shown to user (not blank screens) - [ ] Email sending tested (confirmation, password reset) - [ ] Mobile tested on real device - [ ] Forms work with keyboard only (accessibility) **Business:** - [ ] Analytics tracking verified (events firing correctly) - [ ] Payment flow tested with test card - [ ] Customer support contact visible - [ ] Social meta tags (OG image, title, description) For every TODO: give me the exact fix.

Create a realistic week-by-week roadmap to build and launch my app. Project: [DESCRIBE YOUR APP] My skill level: [beginner / intermediate / experienced] Available time per week: [HOURS] Target launch: [DATE or "as fast as possible"] Stack (if decided): [OR "help me choose"] Solo or team: [SOLO / TEAM SIZE] **Week-by-week plan:** For each week, define: - **Goal** — what "done" looks like at end of week - **Tasks** — specific things to build/configure/test (not vague) - **Deliverable** — what you can show or deploy at the end - **Risk** — what could take longer than expected - **Decision point** — anything requiring a choice that would block progress Include explicit phases: - Week 1-2: Foundation (repo, stack, auth, database, basic deploy) - Week 3-4: Core features (the thing that makes it useful) - Week 5-6: Polish + edge cases + error states - Week 7: Security hardening + performance - Week 8: Launch prep + monitoring + soft launch **Also include:** - Which tasks to batch together (things that share context) - Which tasks can be skipped for MVP and added post-launch - The #1 thing that will kill the timeline (and how to prevent it) - A "if I only have X hours this week" priority cut list