Hey Cursor community,
I have been using Cursor Agent full-time on Next.js 15 + Supabase projects for 3 months and kept a log of every recurring mistake the AI makes. Here are the two most critical ones and how I fixed them.
**Problem 1: getSession() is a security flaw the AI always generates**
Every Supabase + Next.js tutorial from before 2024 uses `getSession()` for auth checks. The AI is trained on those tutorials. But `getSession()` reads the JWT from the cookie without verifying it against the auth server, so a forged token is accepted as a valid session.
The rule that fixes it:
Glob pattern: `**/app/**`, `**/actions/**`, `**/api/**`
Rule: NEVER use `supabase.auth.getSession()` in server-side code. Always use `getUser()`, which verifies against the auth server.
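To make the difference concrete, here is an added example (not from the original post and not Supabase's code) that models the two checks with a plain HS256 token: `decodeSessionUnverified` stands in for what a cookie-only `getSession()` check sees, and `verifySession` stands in for the signature and expiry check that `getUser()` gets from the auth server. The secret, the claims and the `tamperPayload` helper are constructed for the demonstration; Supabase's real keys and token layout differ.

```typescript
// Added example: why reading the session JWT without verification is unsafe.
// All secrets and claims below are constructed test values.
import { createHmac, timingSafeEqual } from "node:crypto";

type Claims = { sub: string; role: string; exp: number };

const b64url = (s: string): string => Buffer.from(s).toString("base64url");
const fromB64url = (s: string): string => Buffer.from(s, "base64url").toString("utf8");

// Mint an HS256 token; `secret` stands in for the auth server's signing key.
export function signToken(claims: Claims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Models the getSession() behaviour the post describes: trusts whatever the cookie
// carries and never looks at the signature, so edited claims come back as-is.
export function decodeSessionUnverified(token: string): Claims {
  const [, payload] = token.split(".");
  return JSON.parse(fromB64url(payload)) as Claims;
}

// Models getUser(): returns the claims only if the signature matches the key and the
// token is unexpired; anything else is treated as "no session".
export function verifySession(
  token: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  // Constant-time comparison; length check first because timingSafeEqual requires equal sizes.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(fromB64url(payload)) as Claims;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims;
}

// Test input: the same token with an edited payload and the original signature left in
// place, i.e. what an unverified read cannot distinguish from a genuine session.
export function tamperPayload(token: string, patch: Partial<Claims>): string {
  const [header, payload, sig] = token.split(".");
  const claims = { ...(JSON.parse(fromB64url(payload)) as Claims), ...patch };
  return `${header}.${b64url(JSON.stringify(claims))}.${sig}`;
}
```

The point the rule above encodes is the last two functions taken together: the unverified path returns the edited `role` without complaint, while the verified path returns `null` for the same token. Any authorization decision in a server component, action or route handler has to sit behind the verified path.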
**Problem 2: Next.js 15 params are Promises**
Next.js 15 made params and searchParams async. The AI generates synchronous access patterns from older tutorials. The app compiles but crashes with a runtime error in production.
The rule: `params` and `searchParams` are Promises in Next.js 15. Always destructure with `await`.
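As an added example (not from the original post or the linked rules), here is the Next.js 15 page signature side by side with the pre-15 pattern the assistant tends to emit. `renderPost` stands in for a page component and returns a string instead of JSX so it runs outside Next.js; the route shape `/posts/[slug]` and the `legacyResultAgainstPromise` harness, which invokes the old pattern the way the framework now does (with a Promise), are assumptions made for the demonstration.

```typescript
// Added example: Next.js 15 `params`/`searchParams` are Promises and must be awaited.
type PostParams = { slug: string };
type Query = Record<string, string | string[] | undefined>;

// Next.js 15 pattern: type both props as Promises and await them before reading fields.
export async function renderPost({
  params,
  searchParams,
}: {
  params: Promise<PostParams>;
  searchParams: Promise<Query>;
}): Promise<string> {
  const { slug } = await params;
  const { page } = await searchParams;
  return `Post: ${slug} (page ${typeof page === "string" ? page : "1"})`;
}

// Pre-15 pattern: reads the field synchronously. Against a Promise the property is
// undefined; the code compiles if the prop type is loose and only fails at runtime.
export function renderPostLegacy({ params }: { params: PostParams }): string {
  return `Post: ${params.slug}`;
}

// Simulates how the framework now invokes the page: the value arrives as a Promise.
// The cast mirrors what an untyped or `any`-typed prop lets through unnoticed.
export function legacyResultAgainstPromise(): string {
  const promised = Promise.resolve({ slug: "hello-world" }) as unknown as PostParams;
  return renderPostLegacy({ params: promised });
}
```

Typing the props as `Promise<...>` is what turns this from a production crash into a compile-time error: with that type in place, `params.slug` no longer type-checks, so the assistant's synchronous access is caught before it ships.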
I turned 47 of these patterns into 22 .mdc rules, all MIT licensed and free on GitHub: vibestackdev/vibe-stack (22 .mdc architecture rules that prevent AI coding assistants from hallucinating insecure auth, deprecated imports, and broken Next.js 15 patterns; built for Cursor Agent).
What hallucination patterns are you seeing that I should add rules for?