• ✓ Authentication (NextAuth with Google, GitHub providers)
• ✓ Payments (Stripe)
• ✓ Database (Prisma + PostgreSQL)
• ✓ Email (Resend)
• ✗ i18n (not detected)
• ✗ Analytics (not configured)

• ✓ robots.txt present
• ✗ sitemap.xml missing
• ✗ Site verification meta tags missing

undefined

• Domain purchased and configured
• DNS records set up (A/CNAME to Vercel)
• SSL certificate active (automatic on Vercel)
• Vercel project linked
• Environment variables set in Vercel dashboard
• Production branch configured (main/master)
• Preview deployments working

<!-- Google Search Console -->
<meta name="google-site-verification" content="..." />

<!-- Bing Webmaster -->
<meta name="msvalidate.01" content="..." />

<!-- Pinterest -->
<meta name="p:domain_verify" content="..." />

<!-- Twitter/X (for analytics, not cards) -->
<meta name="twitter:site:id" content="..." />

<!-- Facebook/Meta domain verification -->
<meta name="facebook-domain-verification" content="..." />

<!-- Yandex -->
<meta name="yandex-verification" content="..." />

• Google Search Console verified (HTML tag or DNS)
• Sitemap submitted to Google Search Console
• Bing Webmaster Tools verified
• Pinterest site claimed
• Facebook domain verified (for ads/insights)
• Twitter/X analytics connected

Reference:

${CLAUDE_PLUGIN_ROOT}/rules/seo.md

for full SEO rules.

• <html lang="...">

  attribute set

• <meta name="viewport">

  present
• Page titles set (unique, <60 chars per page)
• Meta descriptions written (unique, <160 chars per page)
• Single

  <h1>

  per page, logical heading hierarchy
• Canonical URLs set (avoid duplicate content)
• Images have meaningful

  alt

  text
• No

  noindex

  on production marketing pages (check for Vercel preview leftover)
• Clean URL structure (no UUIDs, no query params for content)
• robots.txt configured and not blocking marketing pages
• sitemap.xml generated and submitted
• Structured data / JSON-LD (if applicable)
• Rich Results Test passing

/arc:seo

• og:title, og:description, og:image set
• og:image is 1200x630px (optimal for all platforms)
• Twitter Card meta tags (twitter:card, twitter:title, etc.)
• Twitter Card type chosen (summary vs summary_large_image)
• Validated with real tools:
  • Twitter Card Validator
  • Facebook Sharing Debugger
  • LinkedIn Post Inspector
  • Pinterest Rich Pins Validator

ImageResponse

// app/og/route.tsx - Dynamic OG image generation
import { ImageResponse } from 'next/og'

export async function GET(request: Request) {
  const { searchParams } = new URL(request.url)
  const title = searchParams.get('title') ?? 'Default Title'

  return new ImageResponse(
    (
      <div style={{ /* your design */ }}>
        <h1>{title}</h1>
      </div>
    ),
    { width: 1200, height: 630 }
  )
}

// app/layout.tsx or page.tsx
export const metadata: Metadata = {
  openGraph: {
    images: ['/og?title=Your+Page+Title'],
  },
}

• PowerPoint-style slides with generic gradients
• Stock photo backgrounds with overlaid text
• Default template looks (Canva templates, etc.)
• Tiny unreadable text
• Generic "hero image + title" layouts

/arc:design

• Clear visual hierarchy (title readable at thumbnail size)
• Brand colors and typography
• Memorable visual element or illustration
• Consistent style across all pages

• favicon.ico (16x16, 32x32)
• apple-touch-icon.png (180x180)
• android-chrome icons (192x192, 512x512)
• site.webmanifest (if PWA)
• Theme color meta tag

app/
├── icon.tsx          # Dynamic favicon (uses ImageResponse)
├── icon.png          # Or static favicon (auto-detected)
├── apple-icon.png    # Apple touch icon (auto-detected)
└── opengraph-image.tsx  # Dynamic OG image per route

// app/icon.tsx
import { ImageResponse } from 'next/og'

export const size = { width: 32, height: 32 }
export const contentType = 'image/png'

export default function Icon() {
  return new ImageResponse(
    (
      <div style={{
        fontSize: 24,
        background: '#000',
        color: '#fff',
        width: '100%',
        height: '100%',
        display: 'flex',
        alignItems: 'center',
        justifyContent: 'center',
        borderRadius: 4,
      }}>
        A
      </div>
    ),
    { ...size }
  )
}

• Just shrinking your full logo (unreadable at 16px)
• Generic letter in a colored square
• Too much detail that becomes muddy

/arc:design

• Work at 16x16, 32x32, and 180x180 (apple-touch-icon)
• Use a simplified version of your brand mark
• Are recognizable in a sea of browser tabs
• Have sufficient contrast on both light and dark browser chrome

• Images optimized (next/image, srcset, WebP/AVIF)
• Fonts optimized (display: swap, preload critical)
• Font rendering classes on body (see below)
• Bundle size reasonable (check with

  next build

  output)
• No console errors in production build
• Core Web Vitals passing (LCP, FID, CLS)
• Lighthouse score acceptable (aim for 90+)

<body>

// Tailwind CSS
<body className="antialiased">

// Or with more control:
<body className="antialiased text-base leading-relaxed text-foreground bg-background">

body {
  -webkit-font-smoothing: antialiased;
  -moz-osx-font-smoothing: grayscale;
  text-rendering: optimizeLegibility;
}

• antialiased

  class applied (smoother fonts on macOS/iOS)
• Base text color set (not relying on browser default black)
• Base background color set (prevents flash of white)

• overflow-x-hidden

  on html/body if using full-bleed sections

• scroll-behavior: smooth

  if desired (or Tailwind

  scroll-smooth

  )

• min-h-screen

  on body/main for proper footer positioning

vercel-react-best-practices

Invoke skill: vercel-react-best-practices
"Review performance patterns. Check: component rendering, data fetching, bundle optimization"

vercel-react-native-skills

Invoke skill: vercel-react-native-skills
"Review React Native production readiness. Check: list performance, animation optimization, memory leaks, native module usage, Expo config"

• No secrets in client-side code (check bundle)
• HTTPS enforced (automatic on Vercel)
• Environment variables not prefixed with NEXT_PUBLIC_ unless intended
• Auth tokens stored securely (httpOnly cookies)
• CORS configured for production origins only

• pnpm audit

  shows no critical vulnerabilities

• CSP headers configured
• Rate limiting on auth/API endpoints
• Input validation / sanitization

• SPF record added to DNS
• DKIM record added to DNS
• DMARC record added to DNS
• Test email delivery (check spam folder)
• Unsubscribe mechanism (if marketing emails)
• From address uses verified domain

• Stripe switched to live mode (not test)
• Live API keys in production env vars
• Webhook endpoint URL updated to production domain
• Webhook signing secret updated for production
• Test purchase completed in production
• Receipts/emails working

• Production database provisioned
• Migrations run against production
• Connection string in production env vars
• Connection pooling configured (PgBouncer, Prisma Accelerate)
• Backup strategy in place

• OAuth callback URLs updated to production domain
• OAuth apps approved for production (some providers require review)
• Session cookie domain configured for production
• Magic link / email verification URLs use production domain
• Auth provider dashboard shows production app

• Privacy Policy — Required if collecting ANY data (analytics, cookies, forms, auth)
  • What data is collected
  • How it's used and stored
  • Third parties it's shared with
  • User rights (access, deletion, portability)
  • Contact information for data requests
• Terms of Service — Recommended for any app/SaaS
  • Acceptable use policy
  • Liability limitations
  • Dispute resolution
  • Account termination conditions
• Cookie Policy — Required if using cookies (often part of Privacy Policy)
  • Types of cookies used (essential, analytics, marketing)
  • Purpose of each cookie
  • How to opt out

• Cookie consent banner implemented
• Consent recorded before non-essential cookies set
• "Reject All" option available (GDPR requirement)
• Preferences can be changed after initial choice
• Analytics/tracking only fires AFTER consent

• Legal basis for data processing documented
• Data export mechanism (user can download their data)
• Data deletion mechanism (user can request deletion)
• Data processing agreements with third parties
• Privacy policy includes EU-specific rights

• Accessibility statement page (if WCAG compliance needed)
• Contact method for accessibility issues

Invoke skill: /arc:legal
"Generate Privacy Policy, Terms of Service, and Cookie Policy for this project"

• Analytics provider configured (GA4, Plausible, PostHog, etc.)
• Privacy-respecting settings (IP anonymization, etc.)
• Conversion tracking set up (if applicable)
• Events/goals configured

• Custom 404 page
• Custom 500/error page
• Error tracking set up (Sentry, etc.)
• Error boundaries in React components
• Alerts configured for critical errors

• All tests passing
• No TypeScript errors (

  pnpm tsc --noEmit

  )
• No lint errors (

  pnpm biome check .

  or eslint)

• /arc:audit --hygiene

  run (no code artifacts)
• Placeholder content replaced
• Lorem ipsum removed

• Correct logo version used everywhere (not outdated versions)
• Logo appears in correct sizes (not stretched/distorted)
• Logo has proper spacing/clearance
• Dark mode logo variant used where needed
• Favicon matches current logo

• Product name cased consistently everywhere
• Check: page titles, meta tags, footer, emails, error messages
• Third-party brand names correctly cased (see common mistakes below)

WRONG          → CORRECT
Github         → GitHub
Javascript     → JavaScript
Typescript     → TypeScript
NextJS/Nextjs  → Next.js
NodeJS/Nodejs  → Node.js
VSCode         → VS Code
MacOS          → macOS
iOS (correct)  → iOS (not IOS)
PostgreSQL     → PostgreSQL (not Postgres in formal contexts)
MongoDB        → MongoDB (not Mongo in formal contexts)
LinkedIn       → LinkedIn (not Linkedin)
YouTube        → YouTube (not Youtube)
PayPal         → PayPal (not Paypal)

undefined

• Old URLs mapped to new URLs
• 301 redirects configured in vercel.json or middleware
• www vs non-www canonical decided
• HTTP → HTTPS redirects (automatic on Vercel)

• Responsive audit completed (

  /arc:responsive

  if not done already)
• Test on real mobile device (not just DevTools)
• Test in incognito/private browsing
• Test critical user flows end-to-end
• Test with slow network (DevTools throttling)
• Check print styles (if applicable)

• No layout shift on dynamic content (hardcoded dimensions,

  tabular-nums

  , no font-weight changes on hover)
• Animations have

  prefers-reduced-motion

  support
• Touch targets are 44px minimum
• Hover effects gated behind

  @media (hover: hover)

• Keyboard navigation works (tab order, focus trap in modals, arrow keys in lists)
• Icon-only buttons have

  aria-label

• Forms submit with Enter; textareas with ⌘/Ctrl+Enter
• Inputs are

  text-base

  (16px+) to prevent iOS zoom
• No

  transition: all

  — specify exact properties
• z-index uses fixed scale or

  isolation: isolate

• No flash on refresh for interactive state (tabs, theme, toggles)
• Destructive actions require confirmation (

  AlertDialog

  , not

  confirm()

  )

Reference:

${CLAUDE_PLUGIN_ROOT}/rules/interface/

for detailed rules on each item.

1. Explain what's needed and why
2. Offer to implement or provide step-by-step instructions
3. Provide code snippets where helpful

• Runs /arc:testing as part of quality check
• Runs /arc:audit --hygiene as part of quality check (code artifact detection)
• References /arc:vision to verify alignment
• Invokes /arc:legal to generate missing legal documents
• Can invoke vercel-react-best-practices skill for performance review (if available)
• Can invoke vercel-react-native-skills skill for React Native performance review (if available)
• Can invoke vercel:deploy skill for deployment (if available)