Applied Module 12 · AI-Accelerated Government Development

Platform Map & Version Constraints

What you'll learn

~25 min
  • Map the DS platform stack and explain why each version is pinned
  • Distinguish Azure Gov endpoints from Azure Commercial endpoints
  • Create a CLAUDE.md / GEMINI.md that encodes platform constraints for AI tools

The stack you already run

You are not learning a new framework. You are learning how to make an AI CLI tool productive inside a framework you already know. That means the AI needs to understand the same constraints you do — version pins, endpoint patterns, file conventions, and the things that will fail a security review if done wrong.

This lesson maps the DS platform so you can encode it into a format AI tools consume automatically.

💬 Why this matters

An AI tool that does not know you are on Next.js 15.5 App Router will generate Pages Router code. One that does not know you target Azure Gov will emit *.azure.com endpoints that fail silently in your environment. The platform map eliminates that entire class of error.


Platform stack reference

| Layer | Technology | Version | Why this version |
|---|---|---|---|
| Framework | Next.js | 15.5 | App Router stable, Turbopack production builds |
| UI library | React | 19.1 | Server Components, use() hook, Actions |
| Validation | Zod | v3 | v4 introduces breaking schema changes; v3 is audit-certified |
| Component library | MUI | 7 | Grid v2, Emotion runtime (requires CSP nonce config) |
| Utility CSS | Tailwind CSS | v4 | CSS-first config, @theme directive, @layer ordering |
| Database | Azure SQL | Managed Instance | AAD token auth via Managed Identity |
| Auth | @azure/msal-node | 2.x | Azure AD / Entra ID, government tenant |
| Session | next-auth | v5 | JWT strategy, no database sessions |
| Identity | @azure/identity | 4.x | DefaultAzureCredential with government authorityHost |
| Language | TypeScript | 5.x | strict: true, noUncheckedIndexedAccess: true |
| Runtime | Node.js | 22 LTS | Required by Next.js 15.5 |
| RBAC | Custom | — | 5 roles: viewer, operator, manager, admin, superadmin |

⚠ Zod v3 is deliberate

Zod v4 shipped breaking changes to .transform(), .refine(), and error map types. The DS platform validated and audit-certified on v3. AI tools will suggest upgrading — decline. Pin "zod": "^3.23" in package.json and state this constraint in your CLAUDE.md.


Azure Gov endpoints

Every Azure service you call uses a different base URL in Azure Government than in Azure Commercial. AI tools default to commercial endpoints. This table is the one your CLAUDE.md needs to enforce.

| Service | Commercial | Government |
|---|---|---|
| Azure AD / Entra ID | login.microsoftonline.com | login.microsoftonline.us |
| Graph API | graph.microsoft.com | graph.microsoft.us |
| Key Vault | vault.azure.net | vault.usgovcloudapi.net |
| Azure SQL | database.windows.net | database.usgovcloudapi.net |
| Blob Storage | blob.core.windows.net | blob.core.usgovcloudapi.net |
| App Insights | dc.applicationinsights.azure.com | dc.applicationinsights.us |

ℹ Government authorityHost is mandatory

DefaultAzureCredential from @azure/identity targets Azure Commercial by default. In Azure Gov, you must explicitly set authorityHost: AzureAuthorityHosts.AzureGovernment when constructing the credential. There is no separate class — same credential, different config. If you see AADSTS90002 errors, the credential is hitting the wrong authority.
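The endpoint rule above, as an added example in the platform's TypeScript. This is not DS platform code: the host table is the one from this lesson, and the function names (isGovernmentHost, governmentEquivalent, assertGovernmentEndpoint, keyVaultUrl) are illustrative assumptions. The constant holds the value that AzureAuthorityHosts.AzureGovernment in @azure/identity resolves to; the credential construction is shown only in a comment so the module runs without that package installed.

```typescript
// Added example, not DS platform code. Keeps every Azure call on the
// Government cloud: rewrites commercial hosts from the lesson's table and
// refuses anything that is not a Government host. Function names are
// illustrative assumptions.

// The string that AzureAuthorityHosts.AzureGovernment from @azure/identity resolves to.
export const AZURE_GOVERNMENT_AUTHORITY = 'https://login.microsoftonline.us';

// Commercial host -> Government host, taken from the endpoint table above.
const COMMERCIAL_TO_GOVERNMENT: { [commercial: string]: string } = {
  'login.microsoftonline.com': 'login.microsoftonline.us',
  'graph.microsoft.com': 'graph.microsoft.us',
  'vault.azure.net': 'vault.usgovcloudapi.net',
  'database.windows.net': 'database.usgovcloudapi.net',
  'blob.core.windows.net': 'blob.core.usgovcloudapi.net',
  'dc.applicationinsights.azure.com': 'dc.applicationinsights.us',
};

// True when host is the suffix itself or a subdomain of it
// ('myvault.vault.azure.net' matches 'vault.azure.net').
function hostMatches(host: string, suffix: string): boolean {
  return host === suffix || host.endsWith('.' + suffix);
}

export function isGovernmentHost(host: string): boolean {
  for (const commercial of Object.keys(COMMERCIAL_TO_GOVERNMENT)) {
    if (hostMatches(host, COMMERCIAL_TO_GOVERNMENT[commercial])) return true;
  }
  return false;
}

// Returns the same URL with a commercial host swapped for its Government
// equivalent; Government URLs and unknown hosts come back unchanged.
export function governmentEquivalent(url: string): string {
  const u = new URL(url);
  for (const commercial of Object.keys(COMMERCIAL_TO_GOVERNMENT)) {
    if (hostMatches(u.hostname, commercial)) {
      const prefix = u.hostname.slice(0, u.hostname.length - commercial.length);
      u.hostname = prefix + COMMERCIAL_TO_GOVERNMENT[commercial];
      break;
    }
  }
  return u.toString();
}

// Guard to call wherever a service URL is assembled: throws on a commercial
// endpoint at startup instead of letting the request time out in the gov subscription.
export function assertGovernmentEndpoint(url: string): string {
  const host = new URL(url).hostname;
  if (!isGovernmentHost(host)) {
    throw new Error(
      `Refusing non-Government endpoint ${host}; expected ${governmentEquivalent(url)}`
    );
  }
  return url;
}

// Key Vault base URL for a vault name, on the Government suffix.
export function keyVaultUrl(vaultName: string): string {
  return assertGovernmentEndpoint(`https://${vaultName}.vault.usgovcloudapi.net`);
}

// Credential construction (in src/lib/auth/ per the file map) uses the same
// authority; shown as a comment because @azure/identity is not imported here:
//   new DefaultAzureCredential({ authorityHost: AzureAuthorityHosts.AzureGovernment })
```

Calling assertGovernmentEndpoint at module load, where the Key Vault, SQL and Graph clients are built, turns a wrong endpoint into a clear startup failure that names the expected host, rather than the timeout or AADSTS90002 you would otherwise see in staging.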


File structure

The DS platform follows Next.js App Router conventions with additional platform directories.

src/
  app/
    (auth)/                 # Auth-required route group
      dashboard/            # Landing after login
      modules/              # Feature modules (each is a folder)
        [moduleName]/
          page.tsx          # Server Component — data fetching
          client.tsx        # Client Component — interactivity
    api/
      [moduleName]/
        route.ts            # API route handler
    layout.tsx              # Root layout — providers, theme, nav
  middleware.ts             # Auth + RBAC checks before route access
  lib/
    auth/                   # MSAL config, session helpers, withPermission
    db/                     # Azure SQL connection, query helpers
    swr-helpers.ts          # Shared fetchers, mutation wrappers
    response.ts             # listResponse(), errorResponse(), safeError()
  components/
    ui/                     # MUI wrappers, shared presentational
    density/                # DensityGate, executive/operational/technical views
    navigation/             # AppBar, Sidebar, breadcrumbs
  types/
    rbac.ts                 # Role enum, Permission type, PermissionMatrix
    modules.ts              # Module registration types
  migrations/               # Azure SQL migration scripts (sequential)

💡 No Pages Router

The DS platform uses App Router exclusively. There is no pages/ directory, no getServerSideProps, no getStaticProps. If AI-generated code contains any of these, reject it.


CLAUDE.md as platform memory

AI CLI tools read a CLAUDE.md (or GEMINI.md, or .codex/instructions.md) file at the root of your project to understand constraints before generating any code. This is the single most impactful file you can create for AI-assisted development on a constrained platform.

The prompt

Open your AI CLI tool at the root of your project and paste this:

Generate a CLAUDE.md file for our Next.js platform. Here are the hard constraints:
Stack: Next.js 15.5 (App Router only, no Pages Router), React 19.1,
TypeScript 5.x strict mode, MUI 7, Tailwind CSS v4, Zod v3 (NOT v4),
next-auth v5 with JWT strategy, @azure/msal-node 2.x
Infrastructure: Azure Government cloud β€” all endpoints use
*.usgovcloudapi.net (NOT *.azure.com). Azure SQL via Managed Identity
(AAD token auth, never connection strings with passwords). Key Vault
for secrets. App Insights for telemetry.
Auth: @azure/msal-node with explicit
AzureAuthorityHosts.AzureGovernment authorityHost. next-auth v5 JWT strategy
with 8-hour max session (NIST AC-12). No database sessions.
RBAC: 5 roles β€” viewer, operator, manager, admin, superadmin.
withPermission() HOF wraps every API route. middleware.ts enforces
route-level checks.
File conventions: Feature modules live in src/app/(auth)/modules/[name]/.
API routes in src/app/api/[name]/route.ts. Shared DB helpers in
src/lib/db/. Response helpers (listResponse, errorResponse) in
src/lib/response.ts. All API responses paginated with 500-item cap.
Testing: Vitest for unit/integration (Node env for server, jsdom
for components). Playwright for E2E.
Rules:
- Never generate Pages Router code (no getServerSideProps, getStaticProps)
- Never use *.azure.com endpoints β€” always *.usgovcloudapi.net
- Never use Zod v4 APIs (.pipe(), v4 error maps)
- Never put DB access in middleware (edge runtime can't run mssql)
- Never fabricate seed data that looks like real operational data
- Always use response helpers for API routes
- Always wrap API routes with withPermission()
- Always include data_source column in new tables

What you get

The AI produces a CLAUDE.md that every subsequent prompt in this project will respect. It typically runs 60-100 lines and covers stack versions, endpoint patterns, file conventions, and explicit prohibitions. Every AI tool that reads this file will generate code that fits your platform instead of fighting it.

💡 GEMINI.md and .codex/instructions.md

Gemini CLI reads GEMINI.md. Codex CLI reads .codex/instructions.md. The content is identical — copy it to whichever file your tool expects. Some teams maintain all three.


See it in action

Here is what the interaction looks like when you ask the AI about your platform with the CLAUDE.md in place:

Claude Code — AI-aware of constraints

/home/user $ What framework and router does this project use?

This project uses Next.js 15.5 with the App Router exclusively. There is no Pages Router — no pages/ directory, no getServerSideProps, no getStaticProps. All routes are defined under src/app/ using the App Router file conventions (page.tsx, layout.tsx, route.ts). React version is 19.1, which enables Server Components and the use() hook.

/home/user $ I need to call Azure Key Vault to fetch a database connection string. Show me the credential setup.

Since this project targets Azure Government, you need to use the government authority host. Here's the credential setup:

```typescript
import { DefaultAzureCredential } from '@azure/identity';
import { SecretClient } from '@azure/keyvault-secrets';

const credential = new DefaultAzureCredential({
  authorityHost: 'https://login.microsoftonline.us'
});

// Note: .usgovcloudapi.net, NOT .azure.net
const vaultUrl = `https://${process.env.KEY_VAULT_NAME}.vault.usgovcloudapi.net`;
const client = new SecretClient(vaultUrl, credential);
const secret = await client.getSecret('db-connection');
```

Key points:
- Authority host is login.microsoftonline.us (gov)
- Vault URL uses vault.usgovcloudapi.net (gov)
- Never hardcode the secret value — always fetch at runtime

/home/user $ Generate a Zod schema for a new form with email validation and a date range.

```typescript
import { z } from 'zod';

export const dateRangeFormSchema = z.object({
  email: z.string().email('Invalid email address'),
  startDate: z.string().datetime({ offset: true }),
  endDate: z.string().datetime({ offset: true }),
  description: z.string().min(1).max(500),
}).refine(
  (data) => new Date(data.endDate) > new Date(data.startDate),
  { message: 'End date must be after start date', path: ['endDate'] }
);

export type DateRangeForm = z.infer<typeof dateRangeFormSchema>;
```

Using Zod v3 API as specified in CLAUDE.md. No .pipe() or v4 error maps.

/home/user $

Notice the AI references Azure Gov endpoints and Zod v3 without being reminded. That is the CLAUDE.md doing its job.


What happens without CLAUDE.md

Without a platform memory file, the same prompts produce code that:

  • Uses login.microsoftonline.com instead of login.microsoftonline.us
  • Generates vault.azure.net URLs that time out in your gov subscription
  • Suggests getServerSideProps for data fetching (Pages Router)
  • Uses Zod v4 .pipe() chains that break at compile time
  • Omits withPermission() from API routes, failing your next security review

You do not catch these errors at development time. You catch them in staging when the Azure AD token request fails, or worse, during a compliance audit when an unprotected route is discovered.
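One way to catch that failure list at development time rather than in staging, as an added example that is not DS platform code: a check, in the platform's TypeScript, that scans generated source for commercial endpoints, Pages Router data functions, Zod v4 .pipe() chains, and route handlers exported without withPermission(). The rule names, the line-based heuristics and the two sample route files are constructed for this example.

```typescript
// Added example, not DS platform code: a development-time check that scans
// generated source for the failure classes listed above. Rule names, the
// heuristics and the two sample files are constructed for this example.

export interface Finding {
  rule: string;
  line: number;   // 1-based line in the scanned file
  text: string;
}

// Line-level patterns: commercial Azure hosts, Pages Router data functions,
// and the Zod v4 .pipe() API that the CLAUDE.md rules forbid.
const LINE_RULES: { name: string; pattern: RegExp }[] = [
  {
    name: 'commercial-endpoint',
    pattern: /(?:login\.microsoftonline\.com|graph\.microsoft\.com|\.azure\.net|\.azure\.com|\.windows\.net)\b/,
  },
  { name: 'pages-router-api', pattern: /\b(?:getServerSideProps|getStaticProps|getStaticPaths)\b/ },
  { name: 'zod-v4-api', pattern: /\.pipe\(/ },
];

// Exported HTTP method handlers in a route.ts. A wrapped handler reads
// `export const GET = withPermission(...)`, so the wrapper must appear on the
// declaration line or the one after it; a plain `export async function GET`
// can never be wrapped and is always reported.
const HANDLER_DECL = /export\s+(?:const|async\s+function|function)\s+(?:GET|POST|PUT|PATCH|DELETE)\b/;

export function lintGenerated(path: string, source: string): Finding[] {
  const lines = source.split('\n');
  const findings: Finding[] = [];
  const isRoute = /(?:^|\/)route\.ts$/.test(path);

  lines.forEach((text, i) => {
    for (const rule of LINE_RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ rule: rule.name, line: i + 1, text: text.trim() });
      }
    }
    if (isRoute && HANDLER_DECL.test(text)) {
      const decl = text + '\n' + (lines[i + 1] ?? '');
      if (!/withPermission\(/.test(decl)) {
        findings.push({ rule: 'unwrapped-route', line: i + 1, text: text.trim() });
      }
    }
  });

  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: the kind of route an unconstrained AI tool produces.
export const SAMPLE_BAD_ROUTE = [
  "import { z } from 'zod';",
  "const id = z.string().pipe(z.coerce.number());",
  "export async function GET(req: Request) {",
  "  const token = await credential.getToken('https://vault.azure.net/.default');",
  "  return Response.json({ ok: true });",
  "}",
].join('\n');

// Constructed sample: the same route written to the CLAUDE.md rules.
export const SAMPLE_GOOD_ROUTE = [
  "import { withPermission } from '@/lib/auth';",
  "export const GET = withPermission('viewer', async () => {",
  "  const vault = 'https://ds-kv.vault.usgovcloudapi.net';",
  "  return Response.json({ ok: true });",
  "});",
].join('\n');
```

Run over SAMPLE_BAD_ROUTE as a route.ts, the check reports three findings (the .pipe() chain, the unwrapped GET handler, and the vault.azure.net host) and none for SAMPLE_GOOD_ROUTE. It is a string heuristic, not a type-aware analysis, so treat it as a fast gate in a pre-commit hook or CI step and keep the security review for the logic it cannot see.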


KNOWLEDGE CHECK

Your Next.js application deployed to Azure Government needs to fetch secrets from Key Vault. Which endpoint pattern should the vault URL use?


Key takeaways

  • The platform map is your first deliverable. Before writing any feature code, encode your stack constraints into a CLAUDE.md that the AI reads automatically.
  • Azure Gov endpoints are a different domain, not a different path. Every *.azure.com or *.azure.net reference must become *.usgovcloudapi.net. There is no fallback — commercial endpoints do not resolve in government subscriptions.
  • Version pins are stability decisions, not technical debt. Zod v3, Next.js 15.5, and MUI 7 are pinned because they passed audit certification. The CLAUDE.md prevents AI tools from suggesting upgrades that would invalidate that certification.
  • App Router only. Pages Router code (getServerSideProps, getStaticProps, pages/ directory) does not exist in this platform. Reject any AI output that contains it.

What's next

In the next lesson, you will build the authentication layer: @azure/msal-node for Azure AD, next-auth v5 for session management, and the 8-hour session timeout required by NIST AC-12. The CLAUDE.md you just created will keep the AI on target for every file it generates.