Skills

nextjs-senior-dev

Installation
SKILL.md

Next.js Senior Developer

Transform into Senior Next.js 15+/16 Engineer for production-ready App Router applications.

When to Use

  • Scaffolding new Next.js App Router projects
  • RSC vs Client Component decisions
  • Server Actions and data fetching patterns
  • Performance optimization (CWV, bundle, caching)
  • Middleware and authentication setup
  • Next.js 15/16 migration or audit

Version Notes

Version Key Changes
Next.js 16 middleware.tsproxy.ts, Node.js runtime only, Cache Components
Next.js 15 fetch uncached by default, React 19, Turbopack stable

Triggers

Command Purpose
/next-init Scaffold new App Router project
/next-route Generate route folder (page, layout, loading, error)
/next-audit Audit codebase for patterns, security, performance
/next-opt Optimize bundle, images, fonts, caching

Reference Files (23 Total)

Load based on task context:

Core References

Category Reference When
Routing references/app_router.md Route groups, parallel, intercepting
Components references/components.md RSC vs Client decision, patterns
Data references/data_fetching.md fetch, cache, revalidation, streaming
Security references/security.md Server Actions, auth, OWASP
Performance references/performance.md CWV, images, fonts, bundle, memory
Middleware references/middleware.md Auth, redirects, Edge vs Node

Architecture & Quality

Category Reference When
Architecture references/architecture.md File structure, feature-sliced design
Shared Components references/shared_components.md DRY patterns, composition, reusability
Code Quality references/code_quality.md Error handling, testing, accessibility

Features & Integrations

Category Reference When
SEO & Metadata references/seo_metadata.md generateMetadata, sitemap, OpenGraph
Database references/database.md Prisma, Drizzle, queries, migrations
Authentication references/authentication.md Auth.js, sessions, RBAC
Forms references/forms.md React Hook Form, Zod, file uploads
i18n references/i18n.md next-intl, routing, RTL support
Real-Time references/realtime.md SSE, WebSockets, polling, Pusher
API Design references/api_design.md REST, tRPC, webhooks, versioning

DevOps & Migration

Category Reference When
Deployment references/deployment.md Vercel, Docker, CI/CD, env management
Monorepo references/monorepo.md Turborepo, shared packages, workspaces
Migration references/migration.md Pages→App Router, version upgrades
Debugging references/debugging.md DevTools, profiling, error tracking
Scripts & 3rd-Party references/scripts.md next/script, loading strategies, Google Analytics
Self-Hosting references/self_hosting.md Docker standalone, cache handlers, multi-instance ISR
Debug Tricks references/debug_tricks.md MCP debugging, --debug-build-paths

Core Tenets

1. Server-First

Default to Server Components. Use Client only when required.

RSC when: data fetching, secrets, heavy deps, no interactivity
Client when: useState, useEffect, onClick, browser APIs

2. Component Archetypes

Pattern Runtime Must Have
page.tsx Server async, data fetching
*.action.ts Server "use server", Zod, 7-step security
*.interactive.tsx Client "use client", event handlers
*.ui.tsx Either Pure presentation, stateless

3. 7-Step Server Action Security

"use server"
// 1. Rate limit (IP/user)
// 2. Auth verification
// 3. Zod validation (sanitize errors!)
// 4. Authorization check (IDOR prevention)
// 5. Mutation
// 6. Granular revalidateTag() (NOT revalidatePath)
// 7. Audit log (async)

4. Data Fetching Strategy

Static → generateStaticParams + fetch
ISR → fetch(url, { next: { revalidate: 60 }})
Dynamic → fetch(url, { cache: 'no-store' })
Real-time → Client fetch (SWR)

Next.js 15 Change: fetch is UNCACHED by default (opposite of 14).

5. Caching

Type Scope Invalidation
Request Memoization Request Automatic
Data Cache Server revalidateTag()
Full Route Cache Server Rebuild
Router Cache Client router.refresh()

Prefer revalidateTag() over revalidatePath() to avoid cache storms.

6. Feature-Sliced Architecture

For large apps (50+ routes), use domain-driven structure:

src/
├── app/           # Routing only
├── components/    # Shared UI (ui/, shared/)
├── features/      # Business logic per domain
│   └── [feature]/
│       ├── components/
│       ├── actions/
│       ├── queries/
│       └── hooks/
├── lib/           # Global utilities
└── types/         # Global types

7. Component Sharing Rules

Used 3+ places? Contains business logic? Action
Yes No Move to components/ui/ or shared/
Yes Yes Keep in features/
No Any Keep local (_components/)

8. State Management Hierarchy

State Type Tool Example
URL State searchParams Filters, pagination
Server State Server Components User data, posts
Form State useFormState Form submissions
UI State useState Modals, dropdowns
Shared Client Context/Zustand Theme, cart

Rule: Prefer URL state for shareable/bookmarkable state.

9. DRY with createSafeAction

// lib/safe-action.ts - Reuse for all Server Actions
export const createPost = createSafeAction(schema, handler, {
  revalidateTags: ["posts"]
})

Eliminates duplicate auth/validation/error handling.

Anti-Patterns

Don't Do
"use client" at tree root Push boundary down to leaves
API routes for server data Direct DB in Server Components
useEffect for fetching Server Component async fetch
revalidatePath('/') Granular revalidateTag()
Trust middleware alone Validate at data layer too
Prop drill 5+ levels Context or composition
any types Proper types or unknown
Barrel exports in features Direct imports
localStorage for auth httpOnly cookies
Global caches (memory leak) LRU cache or React cache()

Middleware: Deny by Default

// middleware.ts - Public routes MUST be allowlisted
const publicRoutes = ['/login', '/register', '/api/health']
if (!publicRoutes.some(r => pathname.startsWith(r))) {
  // Require auth
}

CRITICAL: Upgrade to Next.js 15.2.3+ (CVE-2025-29927 fix).

Scripts

Script Purpose
scripts/scaffold_route.py Generate route folder w/ all files

Templates

File Purpose
templates/page.tsx Standard async page
templates/layout.tsx Layout w/ metadata
templates/action.ts 7-step secure Server Action
templates/loading.tsx Loading UI skeleton
templates/error.tsx Error boundary

Assets

File Purpose
assets/next.config.ts Production config w/ security headers
assets/middleware.ts Deny-by-default auth (Next.js 15)
assets/proxy.ts Deny-by-default auth (Next.js 16+)

Quick Reference: Senior Code Review

Before merging any PR, verify:

Performance

  • No unnecessary "use client"
  • Images use next/image with dimensions
  • Heavy components dynamic imported
  • Parallel fetching (Promise.all)

Security

  • Server Actions validate with Zod
  • Auth in actions (not just middleware)
  • IDOR prevention (user owns resource)
  • No secrets in client bundles

Architecture

  • Components in correct layer
  • No cross-feature imports
  • DRY patterns used (createSafeAction)
  • URL state for shareable state

Quality

  • No any types
  • Error boundaries present
  • Loading states for async
  • Accessibility (semantic HTML, alt text)
Related skills

More from georgekhananaev/claude-skills-vault

Installs
11
Repository
georgekhananaev…ls-vault
GitHub Stars
22
First Seen
Feb 27, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass