22 .mdc rules that prevent the most common Next.js 15 hallucinations

Hey Cursor community,

I have been using Cursor Agent full-time on Next.js 15 + Supabase projects for 3 months and kept a log of every recurring mistake the AI makes. Here are the two most critical ones and how I fixed them.

**Problem 1: getSession() is a security flaw the AI always generates**

Every Supabase + Next.js tutorial from before 2024 uses getSession() for auth checks. The AI is trained on those tutorials. But getSession() reads a JWT from cookies without verifying it with the auth server – a forged token passes validation.

The rule that fixes it:

Glob pattern: **/app/**, **/actions/**, **/api/**

Rule: NEVER use supabase.auth.getSession() in server-side code. Always use getUser() which verifies against the auth server.

**Problem 2: Next.js 15 params are Promises**

Next.js 15 made params and searchParams async. The AI generates synchronous access patterns from older tutorials. The app compiles but crashes with a runtime error in production.

The rule: params and searchParams are Promises in Next.js 15. Always destructure with await.

I turned 47 of these patterns into 22 .mdc rules – all MIT licensed and free on GitHub: GitHub - vibestackdev/vibe-stack: 22 .mdc architecture rules that prevent AI coding assistants from hallucinating insecure auth, deprecated imports, and broken Next.js 15 patterns. Built for Cursor Agent. · GitHub

What hallucination patterns are you seeing that I should add rules for?

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.