
CLAUDE.md Template: Law Firm Intake SaaS with Next.js, TS, Supabase, Clerk, Stripe

Copyable CLAUDE.md template for a Law Firm Intake SaaS using Next.js, TypeScript, Supabase, Clerk, Stripe, AI case summaries, document upload, and appointment booking.


Target User

Developers building a law-firm intake SaaS using Next.js, TypeScript, Supabase, Clerk, Stripe, AI case summaries, document upload, and appointment booking.

Use Cases

  • Kickstart a production-ready law-firm intake SaaS with modern stack
  • Serve clients, upload documents, manage cases, and schedule appointments
  • Automate AI-generated case summaries and billing workflows
  • Provide a blueprint for secure auth and data access with Clerk and Supabase

Markdown Template


# CLAUDE.md

Project role:
- You are Claude Code, responsible for generating a production-ready blueprint and code skeleton for a Law Firm Intake SaaS using Next.js (App Router), TypeScript, Supabase, Clerk, Stripe, AI case summaries, document upload, and appointment booking.
- Output must be concrete, runnable where possible, and tailored to this stack.

Architecture rules:
- Use Next.js App Router under src/app with server components by default and client components as needed.
- Supabase is the primary database; Clerk is the identity provider and handles users and sessions; Stripe handles payments/subscriptions.
- All secrets must be consumed from environment variables; never embed secrets in code or the CLAUDE.md output.
- Follow a modular monorepo-like style in a single Next.js app: cohesive domains separated by routes and services, not random file coupling.
- Favor server actions for write operations; fetch data on server where possible and hydrate on the client.
- Use strict TypeScript with runtime validation when data crosses boundaries (for example using zod for payload validation).
- Ensure accessibility (ARIA) and responsive design in UI components.
- Code must be auditable, with clear names, types, and minimal reliance on global state.

File structure rules:
- Root contains a Next.js app in src/app with layout.tsx, page.tsx, and nested route folders for /clients, /matters, /appointments, /documents, /summaries, /billing.
- src/lib/ contains clients and services:
  - supabaseClient.ts
  - clerkClient.ts
  - stripeClient.ts
  - auth.ts
- src/components/ contains reusable UI blocks: Button, Input, Modal, DataTable, DocumentUploader.
- src/hooks/ contains useAuth, useSWRFetch, useAiSummaries.
- src/services/ contains AI, documents, appointments, billing services.
- db/migrations/ contains SQL migrations for Supabase with RLS policies.

Authentication rules:
- Integrate Clerk Provider at the root of the app; use Clerk's UI components for sign-in/up and session handling.
- Define roles: client, attorney, admin; restrict access to routes and data via role checks in server components/actions.
- Use server-side verification of session for API routes; deny unauthenticated access.
- Do not expose API keys through the client; always fetch secrets from server contexts.

Database rules:
- Supabase database with tables: clients, matters, appointments, documents, summaries, payments, users.
- Implement Row Level Security (RLS) with policies applying per-table owner and role checks.
- Use foreign keys to link clients to matters, matters to appointments, documents to matters, and summaries to matters.
- Store sensitive fields encrypted at rest where possible; avoid storing raw sensitive identifiers in client-visible fields.
- Use server-side views to shape data for UI and protect complex joins.

Validation rules:
- Client name and email are required; email must be valid; phone numbers must match a pattern.
- Appointment times must be in the future and not overlap existing appointments for the same attorney.
- Document uploads must be limited to allowed mime types (pdf, docx, png, jpg, txt) and max size 25MB.
- AI summaries must be generated from existing matter data and cannot be invoked without a matter id.

Security rules:
- Use signed upload URL flows for document uploads; validate file type and size on the server before storing.
- Do not expose database credentials or API keys to the client.
- Enforce CSRF protection on state-changing actions; rely on Clerk sessions for identity.
- Sanitize all user-provided text inputs; avoid rendering raw HTML from user input.

Testing rules:
- Unit tests for service functions (AI summarization call, document handling, payment logic).
- Integration tests for Supabase interactions and Stripe webhooks.
- End-to-end tests for user journeys (sign-in, create client, create matter, upload document, book appointment, generate AI summary).

Deployment rules:
- Deploy on a modern hosting platform (Vercel) with proper environment variables for NEXT_PUBLIC_* (client) and SECRET_* (server).
- Configure Supabase project with proper API keys and anon/public keys; enable RLS.
- Set up Stripe webhooks in the deployment environment; verify signatures.
- Keep CLAUDE.md code blocks as documentation during deployment; do not commit secrets in code blocks.

Things Claude must not do:
- Do not bypass authentication or authorization checks.
- Do not generate hard-coded secrets or API keys.
- Do not assume a database schema that conflicts with Supabase migration policies.
- Do not propose insecure file upload handlers or unsafe evaluation of user-provided content.
- Do not reference unsupported libraries; stick to the stack: Next.js, TS, Supabase, Clerk, Stripe.

Overview

A CLAUDE.md template for building a complete Law Firm Intake SaaS using Next.js (App Router), TypeScript, Supabase, Clerk, Stripe, AI case summaries, document upload, and appointment booking. This page is a copyable CLAUDE.md template designed for Claude Code workflows: paste the CLAUDE.md template on this page into Claude Code to generate a production-ready scaffold that follows the architecture and security constraints described.

When to Use This CLAUDE.md Template

  • You need a full-stack SaaS skeleton for a law-firm intake system with client onboarding, case creation, document upload, and appointment scheduling.
  • You require rapid bootstrap of Next.js with TS + Supabase for data persistence and Clerk for authentication.
  • You want integrated Stripe billing for subscriptions or one-time payments tied to client matters.
  • You must generate AI-driven case summaries and store them alongside case documents securely.
  • You require strong production rules for security, validation, and deployment in a legal services context.

Recommended Project Structure

my-law-firm-intake-app/
├── src/
│   ├── app/
│   │   ├── layout.tsx
│   │   ├── page.tsx
│   │   │
│   │   ├── clients/
│   │   │   └── page.tsx
│   │   ├── matters/
│   │   │   └── page.tsx
│   │   ├── appointments/
│   │   │   └── page.tsx
│   │   ├── documents/
│   │   │   └── page.tsx
│   │   ├── summaries/
│   │   │   └── page.tsx
│   │   └── billing/
│   │       └── page.tsx
│   ├── hooks/
│   │   └── useAuth.ts
│   ├── components/
│   │   ├── Button.tsx
│   │   ├── Input.tsx
│   │   └── DocumentUploader.tsx
│   ├── services/
│   │   ├── aiSummaries.ts
│   │   ├── documents.ts
│   │   └── appointments.ts
│   ├── lib/
│   │   ├── supabaseClient.ts
│   │   ├── clerkClient.ts
│   │   └── stripeClient.ts
│   └── styles/
│       └── globals.css
├── db/
│   └── migrations/
│       └── 001_initial.sql
└── README.md

Core Engineering Principles

  • Security-first by default: enforce authentication, authorization, and data access policies at every boundary.
  • Type safety and validation: use TypeScript and runtime validation (e.g., Zod) for all inputs and external data.
  • Principle of least privilege: Clerk roles and Supabase RLS policies gate every operation.
  • Modular design: domain-based separation (clients, matters, documents, appointments, summaries, billing).
  • Observability: structured logging, metrics, and error tracking integrated into each service.
  • Data integrity: idempotent API routes, structured migrations, and deterministic AI outputs.
  • Performance and DX balance: server components where possible, client components for interactivity only when needed.
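The least-privilege principle above, together with the template's Database rule that RLS policies apply per-table owner and role checks, is easiest to reason about as one explicit decision function that server components and actions call before touching a matter. The following is an added example and not code from the page or the project; the types Session, Matter and Action and the user ids in the sample data are this example's own assumptions.

```typescript
// Added example: a server-side access guard that mirrors the per-row
// owner-and-role checks the Supabase RLS policies must enforce.
// Session, Matter, Action and the sample ids are assumptions of this example.

export type Role = "client" | "attorney" | "admin";

export interface Session {
  userId: string; // Clerk user id, verified server-side before a Session is built
  role: Role;
}

export interface Matter {
  id: string;
  clientUserId: string; // owner of the intake record
  attorneyUserId: string | null; // assigned attorney, if any
}

export type Action = "read" | "update" | "delete";

// The decision is explicit so callers cannot confuse "no rule matched" with "allowed".
export function canAccessMatter(session: Session | null, matter: Matter, action: Action): boolean {
  if (!session) return false; // unauthenticated: deny everything
  switch (session.role) {
    case "admin":
      return true;
    case "attorney":
      // attorneys read and update only matters assigned to them; they never delete
      return matter.attorneyUserId === session.userId && action !== "delete";
    case "client":
      // clients read and update their own intake; deletion is staff-only
      return matter.clientUserId === session.userId && action !== "delete";
    default:
      return false;
  }
}

// Filter a result set the way the RLS policy would. This is defence in depth for
// code paths that read through a privileged (service-role) connection, where RLS
// is not applied by the database.
export function visibleMatters(session: Session | null, matters: Matter[]): Matter[] {
  return matters.filter((m) => canAccessMatter(session, m, "read"));
}

// Constructed sample data so the module runs stand-alone.
export const SAMPLE_MATTERS: Matter[] = [
  { id: "m1", clientUserId: "user_client_a", attorneyUserId: "user_atty_1" },
  { id: "m2", clientUserId: "user_client_b", attorneyUserId: "user_atty_1" },
  { id: "m3", clientUserId: "user_client_b", attorneyUserId: null },
];
```

The guard duplicates what the RLS policy expresses in SQL rather than replacing it: the database policy is the control that holds when application code is bypassed, and the TypeScript check is what gives a server action a clear denial to return before it issues a query.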

Code Construction Rules

  • Use TypeScript strictly; no implicit any; export clear types for all API surfaces.
  • All API routes and server actions must validate input and return explicit error shapes.
  • Adopt a single source of truth for data models in a shared types folder.
  • Keep AI-related logic isolated in services/aiSummaries.ts and expose deterministic results to the UI.
  • Document upload must go through a signed URL flow; verify mime types and size on server.
  • Payments and subscriptions flow through Stripe, with webhook verification and idempotent handling.
  • Respect accessibility (ARIA), keyboard navigation, and responsive UI patterns.
  • Do not hard-code secrets; rely on environment variables and secret management.

Security and Production Rules

  • Enable Supabase RLS and write policies that enforce per-user data access by role and ownership.
  • Authenticate all critical endpoints via Clerk sessions and server-side checks.
  • Implement signed URLs for document uploads; restrict file types and enforce size limits server-side.
  • Validate all user input and escape data before rendering to prevent injection attacks.
  • Configure strict CSP, secure cookies, and appropriate CORS settings for API routes.
  • Log and monitor Stripe webhooks securely; verify webhook signatures using a secret.
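Webhook signature verification, the last rule above and also a Deployment rule in the template, is worth seeing in full because the three checks it consists of (HMAC over the raw body, constant-time comparison, timestamp tolerance against replay) are each easy to drop. The block below is an added example, not the project's code and not the Stripe SDK; in the application the same work is done by calling stripe.webhooks.constructEvent on the raw request body with the webhook secret, and this reimplementation only makes the scheme visible. The header layout follows Stripe's documented `t=<timestamp>,v1=<hex hmac>` format; the secret, payload and timestamp in the sample are constructed.

```typescript
// Added example: verifying a Stripe-style webhook signature with Node's crypto.
// Use the Stripe SDK in the real handler; this shows what it checks.
// Function names, tolerance and sample values are assumptions of this example.
import { createHmac, timingSafeEqual } from "node:crypto";

export const DEFAULT_TOLERANCE_SECONDS = 300; // reject events older than 5 minutes (replay)

// Header format: "t=<unix ts>,v1=<hex hmac>[,v1=<hex hmac>]" (two v1 values during secret rotation)
export function parseSignatureHeader(header: string): { timestamp: number; signatures: string[] } | null {
  let timestamp: number | null = null;
  const signatures: string[] = [];
  for (const part of header.split(",")) {
    const [key, value] = part.split("=", 2);
    if (key === "t" && value !== undefined) timestamp = Number(value);
    else if (key === "v1" && value !== undefined) signatures.push(value);
  }
  if (timestamp === null || !Number.isFinite(timestamp) || signatures.length === 0) return null;
  return { timestamp, signatures };
}

export function computeSignature(secret: string, timestamp: number, rawBody: string): string {
  // The signed payload is "<timestamp>.<raw body>", so the handler must use the raw
  // bytes it received, never a re-serialised JSON object.
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

export function verifyWebhook(
  rawBody: string,
  header: string,
  secret: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
  toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,
): boolean {
  const parsed = parseSignatureHeader(header);
  if (!parsed) return false;
  // Stale or future-dated timestamps are rejected before any crypto is done.
  if (Math.abs(nowSeconds - parsed.timestamp) > toleranceSeconds) return false;
  const expected = Buffer.from(computeSignature(secret, parsed.timestamp, rawBody), "hex");
  // Constant-time comparison against each v1 value present.
  return parsed.signatures.some((sig) => {
    const candidate = Buffer.from(sig, "hex");
    return candidate.length === expected.length && timingSafeEqual(candidate, expected);
  });
}

// Builds a header the way the sender would; only used to construct a sample request.
export function signForTest(rawBody: string, secret: string, timestamp: number): string {
  return `t=${timestamp},v1=${computeSignature(secret, timestamp, rawBody)}`;
}
```

A handler that passes this check should still record the event id and ignore duplicates, since a valid event can legitimately be delivered more than once within the tolerance window; that is the idempotent handling the Code Construction Rules call for.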

Testing Checklist

  • Unit tests for services: AI summarization, document handling, appointment logic, and payment flows.
  • Integration tests for Supabase CRUD operations and RLS enforcement.
  • Stripe webhook handling tests with mock events; end-to-end flow tests for sign-in, client creation, matter creation, document upload, and appointment booking.
  • Accessibility and responsive checks for core UI components.
  • Security testing: input validation, file upload validation, and secret exposure checks.

Common Mistakes to Avoid

  • Inadequate RLS policies or bypassing authorization checks.
  • Storing or transmitting secrets on the client side.
  • Overloading the client with huge AI payloads without server-side processing or caching.
  • Ignoring file validation for uploads instead of allowlisting only approved types and sizes on the server.
  • Not enforcing consistent error handling across API routes and UI layers.


FAQ

Q1: What stack is this CLAUDE.md Template designed for?

A1: Next.js (App Router) + TypeScript + Supabase + Clerk + Stripe, with AI case summaries, document upload, and appointment booking.

Q2: What is the purpose of this CLAUDE.md Template?

A2: It provides a concrete, copyable CLAUDE.md block and a stack-specific project structure, rules, and security guidance to accelerate building a production-ready law-firm intake SaaS.

Q3: How do I handle authentication and data access?

A3: Use Clerk for identity; implement role-based access (client, attorney, admin) and enforce Supabase RLS policies for data access.

Q4: How should AI summaries be integrated?

A4: Generate AI summaries server-side via a dedicated service, store results in a matter-scoped table, and expose results through secure routes only.

Q5: What about deployment?

A5: Deploy on a platform like Vercel; configure env vars for Next.js, Supabase, Clerk, and Stripe; set up Stripe webhooks and Supabase migrations.