
CLAUDE.md Template for Next.js TypeScript AI Procurement SaaS

A copyable CLAUDE.md template for a Next.js TypeScript AI procurement SaaS built on Supabase, Clerk and Stripe, with vendor risk analysis and human-in-the-loop approvals.


Target User

Frontend and backend developers building an AI procurement automation platform

Use Cases

  • Vendor risk scoring
  • Policy compliance checks
  • Policy enforcement within procurement workflow
  • Human in the loop approvals
  • Stripe payments integration for procurement
  • Audit trails and approvals

Markdown Template

CLAUDE.md Template for Next.js TypeScript AI Procurement SaaS

# CLAUDE.md
Project role: Full Stack AI Procurement Platform Engineer
Stack: Next.js, TypeScript, Supabase, Clerk, Stripe

Architecture rules:
- Use Next.js app router
- Separate frontend, API layer, and worker tasks
- Supabase for database and auth backend; Clerk for user authentication flows
- Stripe for payments and events
- Vendor risk analysis microservice as a serverless function
- Logging and audit trails enabled
- Do not rely on browser env for secrets

File structure rules:
- apps/procurement-web
- apps/procurement-api
- packages/libs
- infra/db/migrations
- infra/db/seeds
- services/vendor-risk
- policy/checks
- tests/unit, tests/integration, tests/e2e
- .env.example
- tsconfig.json

Authentication rules:
- Clerk for sign in and sign up
- Roles: admin, approver, user
- All procurement actions require sign in

Database rules:
- Supabase PostgreSQL with Row Level Security enabled
- Tables: vendors, procurement_requests, approvals, policies, risk_scores, audit_logs, users
- Use proper foreign keys and not null constraints
- Enable audit trails and point in time recovery

Validation rules:
- Use zod schemas for input validation
- Server side validation on all API routes
- Validate shape of data before writes

Security rules:
- Do not expose secret keys on client
- Use environment variables and secret management
- Validate Stripe webhook signatures
- Enforce least privilege RBAC
- Enforce HTTPS and proper CORS settings

Testing rules:
- Unit tests for domain logic and helpers
- Integration tests for API routes and Stripe webhooks
- End to end tests for the human in the loop workflow

Deployment rules:
- GitHub Actions CI/CD with PR previews
- Environment variables stored in secret manager
- Deploy to Vercel or equivalent; ensure env vars are present in each env

Things Claude must not do:
- Do not access secrets on the client
- Do not bypass RBAC checks
- Do not perform unvetted database writes
- Do not assume vendor data is trusted
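The template's RBAC, policy-check, human-in-the-loop and audit-trail rules (and the "human in the loop approval workflow" item under Code Construction Rules below) can be captured as pure domain logic that a unit test exercises without Supabase or Clerk. This is an added illustration, not code from the template or any project; the types, role names beyond admin/approver/user, thresholds and audit entry shape are assumptions.

```typescript
// Added example, not part of the template: human-in-the-loop approval as pure
// domain logic (no Supabase/Clerk calls) so it is unit-testable. Types,
// policy thresholds and the audit entry shape are assumptions.

export type Role = "admin" | "approver" | "user";
export type Status = "pending_review" | "approved" | "rejected";

export interface ProcurementRequest {
  id: string; requesterId: string; vendorId: string; amountCents: number; status: Status;
}
export interface RiskScore { vendorId: string; score: number } // 0..100, from services/vendor-risk
export interface Policy { autoApproveLimitCents: number; maxAutoRiskScore: number }
export interface AuditEntry { actorId: string; action: string; requestId: string; detail: string }

// Step 1: automated triage. Auto-approve only when every check passes; anything
// doubtful, including missing or malformed vendor risk data, goes to a human.
export function triage(req: ProcurementRequest, risk: RiskScore | null, policy: Policy): { status: Status; reasons: string[] } {
  if (!Number.isInteger(req.amountCents) || req.amountCents <= 0) {
    return { status: "rejected", reasons: ["invalid amount"] };
  }
  const reasons: string[] = [];
  if (req.amountCents > policy.autoApproveLimitCents) reasons.push("amount above auto-approve limit");
  // Vendor data is untrusted: the score must belong to this vendor and be a real number.
  if (!risk || risk.vendorId !== req.vendorId || !Number.isFinite(risk.score)) reasons.push("no valid risk score");
  else if (risk.score > policy.maxAutoRiskScore) reasons.push(`risk score ${risk.score} above threshold`);
  return { status: reasons.length === 0 ? "approved" : "pending_review", reasons };
}

// Step 2: human decision. RBAC is enforced here, on the server, never in the UI.
export function humanDecide(
  req: ProcurementRequest, actor: { id: string; role: Role }, decision: "approve" | "reject", audit: AuditEntry[],
): Status {
  const log = (action: string, detail: string) => audit.push({ actorId: actor.id, action, requestId: req.id, detail });
  if (actor.role === "user" || actor.id === req.requesterId) { // least privilege plus separation of duties
    log("decision.denied", `role=${actor.role}`);
    throw new Error("not authorized to decide this request");
  }
  if (req.status !== "pending_review") { // only pending requests can be decided
    log("decision.ignored", `status=${req.status}`);
    return req.status;
  }
  const next: Status = decision === "approve" ? "approved" : "rejected";
  log(`decision.${next}`, `from=${req.status}`); // append-only record of who decided what
  return next;
}
```

In the real service the audit array would be an insert into audit_logs inside the same transaction as the status update, so a decision can never be recorded without its trail.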

Overview

This CLAUDE.md template is for building a complete AI procurement approval SaaS with Next.js, TypeScript, Supabase, Clerk, Stripe, vendor risk analysis, policy checks, and a human approval workflow. The page provides a copyable Claude Code blueprint for the stack and notes on architecture, security, testing, and deployment.

Direct answer: this CLAUDE.md template gives you a ready-to-paste Claude Code blueprint that covers the full procurement workflow with AI risk checks and human approvals in the Next.js TypeScript stack.

When to Use This CLAUDE.md Template

  • When building an AI driven procurement approval SaaS using Next.js, TypeScript, Supabase, Clerk, and Stripe
  • When vendor risk analysis and policy checks must be automated with human in the loop
  • When you want a copyable Claude Code blueprint that can be pasted into a CLAUDE.md file for rapid iteration

Recommended Project Structure

project/
  apps/
    procurement-web/          # Next.js frontend app
    procurement-api/          # API layer with server actions / routes
  libs/
    shared/                   # TS utilities, types, and clients
  infra/
    db/
      migrations/
      seeds/
  services/
    vendor-risk/              # vendor risk analysis microservice
  policy/
    checks/                   # policy checks and rules
  payments/
    stripe/                   # Stripe integration
  tests/
    unit/
    integration/
    e2e/
  .env.example
  tsconfig.json

Core Engineering Principles

  • Modularity and clear boundaries between frontend, API, and services
  • Security by design with RBAC, secret management, and encryption best practices
  • Explicit interfaces and strong typing with TypeScript
  • Data governance and auditability for procurement actions
  • Testability with unit, integration, and end to end tests
  • Observability through structured logging and metrics

Code Construction Rules

  • Target Next.js app router with TypeScript strict mode
  • Separate concerns for UI, API, and background jobs
  • Use Supabase as the primary database and Clerk for authentication flows
  • Provide a separate vendor risk analysis service with clear input and output contracts
  • Validate all inputs with server side checks and schema validation
  • Store secrets in environment variables and never on the client
  • Use Stripe webhooks with signature verification for payments related events
  • Implement a robust human in the loop approval workflow with audit trails
  • Do not use client side for any security sensitive checks

Security and Production Rules

  • Enable Row Level Security on all tables in Supabase
  • Enforce RBAC with Clerk roles and policy checks
  • Validate all server side API inputs before processing
  • Do not log sensitive information; mask personal data in logs
  • Rotate and store secrets securely; use encrypted storage
  • Validate Stripe webhooks with signatures in a secure endpoint
  • Use HTTPS everywhere and configure proper CORS policy
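The "validate Stripe webhooks with signatures" rule above (and the matching Security rule in the template) is usually satisfied by stripe.webhooks.constructEvent; the following added example, which is not Stripe's SDK or code from this page, spells out the same documented scheme (HMAC-SHA256 over "<timestamp>.<raw body>", header "t=<unix ts>,v1=<hex>") so the three checks, body integrity, secret, and replay window, are visible and testable offline. The secret and event body are constructed test values.

```typescript
// Added example, not Stripe's SDK: explicit verification of a Stripe-Signature
// header. The endpoint secret and payload used in tests are constructed values.
import { createHmac, timingSafeEqual } from "node:crypto";

export const TOLERANCE_SECONDS = 300; // Stripe's default replay window

// Test helper that produces a header the way Stripe signs it.
export function signPayload(rawBody: string, secret: string, timestamp: number): string {
  const sig = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${sig}`;
}

// rawBody must be the exact bytes received (in an app route: await request.text()),
// never a re-serialised JSON object, or the HMAC will not match.
export function verifyStripeSignature(
  rawBody: string, header: string | null, secret: string, nowSeconds: number,
): boolean {
  if (!header) return false;
  // Parse "t=...,v1=...,v1=..."; more than one v1 appears while a secret is being rotated.
  const parts = new Map<string, string[]>();
  for (const kv of header.split(",")) {
    const [k, v] = kv.split("=", 2);
    if (k && v) parts.set(k, [...(parts.get(k) ?? []), v]);
  }
  const t = Number(parts.get("t")?.[0]);
  const sigs = parts.get("v1") ?? [];
  if (!Number.isInteger(t) || sigs.length === 0) return false;
  if (Math.abs(nowSeconds - t) > TOLERANCE_SECONDS) return false; // reject replayed events
  const expected = Buffer.from(createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex"));
  return sigs.some((s) => {
    const given = Buffer.from(s);
    return given.length === expected.length && timingSafeEqual(given, expected); // constant-time compare
  });
}
```

Only after this returns true should the event be parsed and acted on; a failed check should be logged (without the body) and answered with a 400.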

Testing Checklist

  • Unit tests for domain rules and validators
  • Integration tests for API routes, data layer, and Stripe webhooks
  • End to end tests for procurement flow and human approvals
  • Continuous deployment with PR previews and smoke tests

Common Mistakes to Avoid

  • Assuming client side validation is sufficient for security
  • Skipping RBAC checks in API routes
  • Over relying on vendor data trust without validation
  • Ignoring audit trails and immutable logs

FAQ

What stack does this CLAUDE.md Template target?
The template targets Next.js with TypeScript, Supabase as the database and auth backend, Clerk for authentication, Stripe for payments, plus vendor risk analysis, policy checks, and a human approval workflow.

What is included in the copyable CLAUDE.md Template block?
A complete CLAUDE.md block, starting with # CLAUDE.md, that covers project role, architecture, file structure, auth, database, validation, security, testing, deployment, and do-nots for the Next.js TypeScript Supabase Clerk Stripe procurement stack.

How is security enforced in production?
RBAC via Clerk, Supabase Row Level Security, secret management via environment variables, signed webhooks for Stripe, and HTTPS with proper CORS; secrets are never on the client.

Can I adapt this template to a different stack?
Yes. Use the Claude Code guidance to adjust stack components, architecture rules, and file structure while preserving procurement workflow principles.

Where can I find the stack specific project structure?
The template includes a recommended project structure with apps, libs, infra, and tests tailored for Next.js TS with Supabase and Clerk.