CLAUDE.md Template: SvelteKit + PlanetScale MySQL + Kinde Auth + Prisma ORM Setup

Overview

This CLAUDE.md template is a copyable blueprint for bootstrapping a modern full-stack application using SvelteKit, PlanetScale MySQL, Kinde Auth, and Prisma ORM. It provides Claude Code instructions to implement typed data access, secure authentication, and scalable deployment, all in one cohesive template. The goal is to enable developers to paste a single CLAUDE.md block and land a working foundation that is production-ready for this stack.

Direct answer: You get a ready-to-paste CLAUDE.md template that enforces Prisma ORM with PlanetScale, Kinde-based authentication, and a SvelteKit frontend architecture, with security, testing, and deployment rules baked in.

When to Use This CLAUDE.md Template

• Starting a new project with SvelteKit, PlanetScale, Kinde Auth, and Prisma ORM.
• Standardizing project structure and security rules across teams.
• Generating a repeatable CLAUDE.md template to accelerate onboarding for new contributors.
• Ensuring compliance with a production-ready data access layer and authentication flow from day one.

Copyable CLAUDE.md Template

# CLAUDE.md

Project role
- You are Claude Code, building an end-to-end backend + frontend foundation for a SvelteKit + PlanetScale MySQL + Kinde Auth + Prisma ORM app. Your primary task is to output precise, copyable code blocks and a deterministic project structure.

Architecture rules
- Use Prisma ORM for all database access; PlanetScale is the MySQL provider with shadow databases for migrations.
- Use SvelteKit for the frontend with a clean separation between routes and shared libraries.
- Authentication must be handled by Kinde Auth using OAuth2/OIDC flows, with tokens verified server-side.
- All server-side API routes must validate input using Zod schemas and respond with typed responses.
- Environment variables must be accessed via process.env and never hard-coded.
- Use HttpOnly cookies for session management; CSRF protection must be included for state-changing requests.

File structure rules
- Keep only stack-relevant folders: src/, prisma/, tests/ (optional), and configuration files.
- Core server code in src/lib/, route handlers in src/routes/, and hooks in src/hooks.server.ts.
- Prisma schema at prisma/schema.prisma; migrations handled via Prisma CLI.

Authentication rules
- Integrate Kinde Auth; verify ID tokens server-side; store minimal user info locally.
- Do not rely on client-side validation for access control.
- Protect API routes with auth guards; ensure roles/permissions are checked where applicable.

Database rules
- PlanPlanetScale schema migrations using Prisma migrate with non-destructive changes in production.
- Never expose database credentials in frontend code.
- Use explicit connection strings via environment variables.

Validation rules
- Validate all inputs with Zod before hitting Prisma; return strongly typed errors.
- Normalize inputs (trim, lowercase where appropriate) before validation.

Security rules
- Never log secrets; rotate JWT signing keys securely; validate Kinde tokens against the issuer.
- Enforce CSRF, CORS, and secure cookies; set Secure and HttpOnly flags in production.
- Disable debug endpoints in production.

Testing rules
- Unit tests for utility functions; integration tests for Prisma + API routes; end-to-end tests for critical user flows.
- Use Vitest for unit/integration tests; Playwright for E2E tests.

Deployment rules
- Deploy to a modern host (Vercel/Netlify or a Node.js host) with environment variables for Kinde and PlanetScale.
- Run migrations in a controlled CI step; do not auto-migrate in production without review.
- Ensure build is reproducible via package-lock.json/yarn.lock.

Things Claude must not do
- Do not bypass Prisma; do not perform raw DB admin tasks outside Prisma; do not expose keys.
- Do not implement non-approved authentication providers; do not degrade security for speed.
- Do not alter deployment configs without explicit instruction.

Recommended Project Structure

my-app/
├─ prisma/
│  └─ schema.prisma
├─ src/
│  ├─ lib/
│  │  ├─ db.ts
│  │  └─ auth.ts
│  │  └─ validators.ts
│  ├─ routes/
│  │  ├─ +layout.server.ts
│  │  ├─ api/
│  │  │  ├─ users.ts
│  │  │  └─ items.ts
│  │  └─ +page.server.ts
│  ├─ hooks.server.ts
│  └─ app.html
├─ .env
├─ package.json
├─ tsconfig.json
├─ vite.config.js

Core Engineering Principles

• Type safety across backend and frontend with Prisma ORM and Zod validation.
• Security-by-default: authenticated endpoints, HttpOnly cookies, CSRF protection, and secure token handling.
• Single source of truth for configuration via environment variables and centralized config modules.
• Explicit, minimal dependencies; avoid bespoke hacks that drift from the stack.
• Deterministic builds and migrations; predictable deployments.
• Test-driven or at least test-focused development for critical paths (auth, data access, API contracts).

Code Construction Rules

• Always use Prisma Client for data access; generate types via Prisma + TypeScript.
• Validate all inputs with Zod schemas before querying the database.
• Use Kinde Auth SDK for login flows; verify JWTs on API routes; not rely on client-only checks.
• Store secrets in environment variables; never commit them to source control.
• Keep API routes lean; move complex logic to src/lib modules; export typed interfaces.
• Respect PlanetScale best practices: non-destructive migrations, shadow databases, and proper connection pooling.
• Do not bypass Prisma migrations with manual SQL edits in production-like environments.

Security and Production Rules

• Use HttpOnly, Secure cookies for sessions; set SameSite=Lax or Strict in production.
• Validate Kinde tokens against issuer and JWKS endpoint; reject expired or invalid tokens.
• Implement CORS with a strict allowed-origin policy; disable credentials on non-secured endpoints.
• Never log secrets or raw tokens; mask sensitive fields in logs.
• Enable rate limiting and input sanitization on API routes to prevent abuse.

Testing Checklist

• Unit tests for individual utilities in src/lib/.
• Integration tests for Prisma data access and API routes.
• End-to-end tests for login flows and protected routes (Playwright).
• CI checks to run prisma migrate deploy with proper review steps.
• Security tests to ensure token validation and CSRF protection are active.

Common Mistakes to Avoid

• Forgetting to validate inputs before hitting Prisma; rely on client-side validation only.
• Storing credentials in code or committing .env.example with real secrets.
• Not configuring PlanetScale migrations properly or performing destructive migrations in prod.
• Overlooking token verification and relying on client-side checks for protected routes.
• Neglecting to test edge cases for auth flows and data access errors.

FAQ

• Q: Is this CLAUDE.md Template suitable for production deployments?
• A: Yes, with proper environment configuration, migrations, and security hardening as outlined.
• Q: How does Kinde Auth integrate with SvelteKit?
• A: Use Kinde SDK on the server to validate tokens and manage sessions; protect routes with guards.
• Q: How do I connect Prisma to PlanetScale?
• A: Configure Prisma to use PlanetScale MySQL, enable shadow databases for migrations, and apply non-destructive migrations.
• Q: Where should secrets live?
• A: In environment variables; reference via process.env; never commit secrets.