CLAUDE.md TemplatesTemplate

CLAUDE.md Template for SvelteKit + SingleStore DB + Auth0 + Drizzle ORM Execution Framework

CLAUDE.md Template for a SvelteKit stack using SingleStore DB, Auth0, and Drizzle ORM with a copyable CLAUDE.md block and stack-specific execution rules.

CLAUDE.md TemplateSvelteKitSingleStoreDBAuth0Drizzle ORMClaude CodeExecution FrameworkServer-SideTypeScript

Target User

Frontend and backend engineers building SvelteKit apps with SingleStore DB and Auth0 using Drizzle ORM

Use Cases

  • Code scaffolding for SvelteKit apps
  • Policy-driven integration with Auth0
  • Drizzle ORM data access patterns
  • Claude Code guided implementation

Markdown Template

CLAUDE.md Template for SvelteKit + SingleStore DB + Auth0 + Drizzle ORM Execution Framework

# CLAUDE.md

Project role: Lead Engineer for a SvelteKit app using SingleStore DB, Auth0, and Drizzle ORM. Deliver a secure, maintainable, and testable execution framework via Claude Code.

Architecture rules:
- Layered architecture: app layer (routes), domain layer (business logic), persistence layer (Drizzle + SingleStore).
- Use REST-like endpoints with clear separation of concerns; avoid exporting raw DB adapters to the client.
- Claude must rely on environment configuration; do not embed secrets in code.
- All business logic must be accessible via typed interfaces (TypeScript).

File structure rules:
- src/lib/db/drizzle.ts
- src/lib/db/schema.ts
- src/routes/api/[endpoint].ts
- src/hooks/server.ts
- src/lib/auth/auth0.ts
- drizzle.config.ts
- migrations/ (if needed)

Authentication rules:
- Use Auth0 for authentication with universal login RPC and RS256-secured JWTs.
- Validate access tokens on all protected routes; verify issuer, audience, and signature.
- Store session identifiers in httpOnly cookies; enable CSRF protection for stateful flows.

Database rules:
- Connect to SingleStore DB via Drizzle ORM; migrations must be explicit and versioned.
- Use parameterized queries; never concatenate user input into SQL strings.
- Validate schemas at the boundary of each DB interaction using Drizzle types.

Validation rules:
- Validate all input with a type-safe schema (e.g., Zod) before DB access.
- Use exhaustive pattern matching for request handlers; never default to loose types.

Security rules:
- Do not expose DB credentials in client code or logs.
- Enforce TLS for all endpoints; set secure and httpOnly cookies.
- Rotate JWTs and refresh tokens per policy; implement nonce/replay protection where feasible.

Testing rules:
- Unit test DB adapters with mocked Drizzle carts; test schema validations.
- Integration tests for Auth0-protected routes.
- End-to-end tests (Playwright) for login flows and protected data access.

Deployment rules:
- Inject env vars: AUTH0_DOMAIN, AUTH0_AUDIENCE, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, SINGLESTORE_HOST, SINGLESTORE_USER, SINGLESTORE_PASSWORD, SINGLESTORE_DATABASE.
- Build with SvelteKit (Vite); ensure server runtime supports Node 18+.
- Run migrations during deployment; verify DB connectivity post-deploy.

Things Claude must not do:
- Do not bypass authentication or emit tokens client-side.
- Do not rely on client-side validation alone for security-sensitive operations.
- Do not hard-code secrets or credentials.
- Do not use Prisma or Mongoose; this template targets Drizzle ORM only.

Overview

A CLAUDE.md template describing a SvelteKit stack integrated with SingleStore DB, Auth0 authentication, and Drizzle ORM for data access. This page is a copyable CLAUDE.md block and stack-specific execution framework for Claude Code.

Direct answer: This CLAUDE.md Template provides a concrete, paste-ready Claude Code guidance set to implement a secure, scalable SvelteKit app with SingleStore DB via Drizzle ORM and Auth0 authentication, including a ready-to-paste CLAUDE.md block, a stack-aligned project structure, and operational rules.

When to Use This CLAUDE.md Template

  • You are building a SvelteKit app requiring server-side data access with a MySQL-compatible SingleStore DB.
  • You need Auth0-based authentication and session management in a clean architecture.
  • You want Drizzle ORM for typesafe data access without Prisma or Mongoose.
  • You require a copyable CLAUDE.md block to bootstrap Claude Code execution within your repo.
  • You need stack-specific guidance that is paste-ready for quick integration into a CLAUDE.md workflow.

Copyable CLAUDE.md Template

# CLAUDE.md

Project role: Lead Engineer for a SvelteKit app using SingleStore DB, Auth0, and Drizzle ORM. Deliver a secure, maintainable, and testable execution framework via Claude Code.

Architecture rules:
- Layered architecture: app layer (routes), domain layer (business logic), persistence layer (Drizzle + SingleStore).
- Use REST-like endpoints with clear separation of concerns; avoid exporting raw DB adapters to the client.
- Claude must rely on environment configuration; do not embed secrets in code.
- All business logic must be accessible via typed interfaces (TypeScript).

File structure rules:
- src/lib/db/drizzle.ts
- src/lib/db/schema.ts
- src/routes/api/[endpoint].ts
- src/hooks/server.ts
- src/lib/auth/auth0.ts
- drizzle.config.ts
- migrations/ (if needed)

Authentication rules:
- Use Auth0 for authentication with universal login RPC and RS256-secured JWTs.
- Validate access tokens on all protected routes; verify issuer, audience, and signature.
- Store session identifiers in httpOnly cookies; enable CSRF protection for stateful flows.

Database rules:
- Connect to SingleStore DB via Drizzle ORM; migrations must be explicit and versioned.
- Use parameterized queries; never concatenate user input into SQL strings.
- Validate schemas at the boundary of each DB interaction using Drizzle types.

Validation rules:
- Validate all input with a type-safe schema (e.g., Zod) before DB access.
- Use exhaustive pattern matching for request handlers; never default to loose types.

Security rules:
- Do not expose DB credentials in client code or logs.
- Enforce TLS for all endpoints; set secure and httpOnly cookies.
- Rotate JWTs and refresh tokens per policy; implement nonce/replay protection where feasible.

Testing rules:
- Unit test DB adapters with mocked Drizzle carts; test schema validations.
- Integration tests for Auth0-protected routes.
- End-to-end tests (Playwright) for login flows and protected data access.

Deployment rules:
- Inject env vars: AUTH0_DOMAIN, AUTH0_AUDIENCE, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, SINGLESTORE_HOST, SINGLESTORE_USER, SINGLESTORE_PASSWORD, SINGLESTORE_DATABASE.
- Build with SvelteKit (Vite); ensure server runtime supports Node 18+.
- Run migrations during deployment; verify DB connectivity post-deploy.

Things Claude must not do:
- Do not bypass authentication or emit tokens client-side.
- Do not rely on client-side validation alone for security-sensitive operations.
- Do not hard-code secrets or credentials.
- Do not use Prisma or Mongoose; this template targets Drizzle ORM only.

Recommended Project Structure

my-app/
├── src/
│   ├── lib/
│   │   ├── db/
│   │   │   ├── drizzle.ts
│   │   │   ├── drizzle.config.ts
│   │   │   └── schema.ts
│   │   └── auth/
│   │       └── auth0.ts
│   ├── routes/
│   │   └── api/
│   │       └── [endpoint].ts
│   └── hooks/
│       └── server.ts
├── migrations/
├── drizzle.config.ts
├── package.json
└── tsconfig.json

Core Engineering Principles

  • Type safety from end-to-end (TypeScript + Drizzle schemas).
  • Explicit architecture boundaries and single-responsibility components.
  • Secure defaults: strict Auth0 validation, httpOnly cookies, TLS, and CSRF protection.
  • Infrastructure-as-code mindset for migrations and configuration via env vars.
  • Deterministic builds and reproducible migrations for production parity.

Code Construction Rules

  • Prefer typed DTOs for all API contracts; compile-time validation where possible.
  • Use Drizzle ORM for all DB access; avoid raw string concatenation.
  • Auth0 tokens must be validated server-side on protected routes.
  • Branching strategy: feature branches with CI checks for type safety and tests.
  • Do not ship secrets in code or logs; use environment variables and secret managers.

Security and Production Rules

  • Verify JWT signature, issuer, and audience on each protected endpoint.
  • Store sessions in httpOnly, Secure cookies with SameSite restrictions.
  • Enforce TLS, and rotate credentials in a regular cadence.
  • Limit database privileges for app users; use least privilege accounts.
  • Audit trails for auth events and data access; emit only necessary telemetry in production.

Testing Checklist

  • Unit tests for drizzle.ts and auth guards.
  • Integration tests for Auth0-protected routes with mocked tokens.
  • End-to-end tests for login, token refresh, and protected data fetch.
  • Migration tests to ensure DB schema changes apply cleanly.
  • CI checks that lint, typecheck, and tests pass on pull requests.

Common Mistakes to Avoid

  • Skipping server-side authentication checks on protected routes.
  • Hard-coding secrets or credentials in code or commits.
  • Using client-side DB calls for sensitive data operations.
  • Neglecting proper migration/versioning for the SingleStore DB schema.
  • Overcomplicating the architecture with unnecessary layers.

FAQ

  • What technologies does this CLAUDE.md Template cover? SvelteKit, SingleStore DB, Auth0, and Drizzle ORM with Claude Code guidance.
  • How do I use the copyable CLAUDE.md block? Paste the block into CLAUDE.md in your repo and adapt paths and tokens to your env.
  • What should I configure in environment variables? AUTH0_DOMAIN, AUTH0_AUDIENCE, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, SINGLESTORE_HOST, SINGLESTORE_USER, SINGLESTORE_PASSWORD, SINGLESTORE_DATABASE, etc.
  • Is this ready for production? Yes, when all environment variables are set, migrations run, and security checks pass.
  • What if I don’t use one of the stack components? Remove the unused integration points and adjust the CLAUDE.md accordingly without changing architecture rules.