diff --git a/.claude/agents/better-auth-expert.md b/.claude/agents/better-auth-expert.md
index 0d45a76..9eae857 100644
--- a/.claude/agents/better-auth-expert.md
+++ b/.claude/agents/better-auth-expert.md
@@ -1,11 +1,11 @@
 ---
 name: better-auth-expert
-description: Use this agent when:\n\n1. **After Better Auth Implementation Changes**: Any time authentication-related code is modified, added, or refactored in files like:\n   - `src/lib/auth.ts` (server config)\n   - `src/lib/auth-client.ts` (client hooks)\n   - `src/app/api/auth/[...all]/route.ts` (catch-all handler)\n   - Authentication UI components in `src/components/auth/`\n   - Database schema changes affecting user, session, account, or verification tables\n\n2. **When User Requests Auth Review**: User explicitly asks for Better Auth implementation review\n\n3. **Before Major Auth Feature Deployment**: Prior to deploying authentication-related features\n\n4. **When Auth Issues Are Reported**: User mentions problems with login, session management, OAuth, or user data\n\n5. **Proactive Review Scenarios**: When you detect potential Better Auth violations in recently written code\n\n**Example Scenarios**:\n\n<example>\nContext: User just added a new sign-in component\nuser: "I've created a new sign-in form component. Here's the code:"\n<code>\nexport function CustomSignIn() {\n  const handleSignIn = async () => {\n    // Custom implementation\n    await fetch('/api/custom-auth', { method: 'POST' });\n  };\n  return <button onClick={handleSignIn}>Sign In</button>;\n}\n</code>\nassistant: "I'll use the better-auth-enforcer agent to review this implementation and ensure it follows Better Auth best practices."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: User modified the auth configuration file\nuser: "I updated the auth.ts file to add email verification. Can you check if it looks good?"\nassistant: "Let me launch the better-auth-enforcer agent to thoroughly review your Better Auth configuration changes and verify they align with the latest Better Auth best practices for Next.js 15."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: Proactive detection of potential auth issue\nuser: "Please add a logout button to the header"\nassistant: "I'll add the logout button using Better Auth's built-in signOut function. Let me implement this:"\n<code implementation>\nassistant: "Now I'll use the better-auth-enforcer agent to verify this implementation follows Better Auth best practices."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: User asks about session management\nuser: "How should I access the current user's session in my dashboard component?"\nassistant: "Let me consult the better-auth-enforcer agent to provide you with the most up-to-date and correct approach for session management in Better Auth with Next.js 15."\n<Task tool call to better-auth-enforcer agent>\n</example>
+description: Use this agent when:\n\n1. **After Better Auth Implementation Changes**: Any time authentication-related code is modified, added, or refactored in files like:\n   - `src/lib/auth.ts` (server config)\n   - `src/lib/auth-client.ts` (client hooks)\n   - `src/app/api/auth/[...all]/route.ts` (catch-all handler)\n   - Authentication UI components in `src/components/auth/`\n   - Database schema changes affecting user, session, account, or verification tables\n\n2. **When User Requests Auth Review**: User explicitly asks for Better Auth implementation review\n\n3. **Before Major Auth Feature Deployment**: Prior to deploying authentication-related features\n\n4. **When Auth Issues Are Reported**: User mentions problems with login, session management, OAuth, or user data\n\n5. **Proactive Review Scenarios**: When you detect potential Better Auth violations in recently written code\n\n**Example Scenarios**:\n\n<example>\nContext: User just added a new sign-in component\nuser: "I've created a new sign-in form component. Here's the code:"\n<code>\nexport function CustomSignIn() {\n  const handleSignIn = async () => {\n    // Custom implementation\n    await fetch('/api/custom-auth', { method: 'POST' });\n  };\n  return <button onClick={handleSignIn}>Sign In</button>;\n}\n</code>\nassistant: "I'll use the better-auth-enforcer agent to review this implementation and ensure it follows Better Auth best practices."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: User modified the auth configuration file\nuser: "I updated the auth.ts file to add email verification. Can you check if it looks good?"\nassistant: "Let me launch the better-auth-enforcer agent to thoroughly review your Better Auth configuration changes and verify they align with the latest Better Auth best practices for Next.js 16."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: Proactive detection of potential auth issue\nuser: "Please add a logout button to the header"\nassistant: "I'll add the logout button using Better Auth's built-in signOut function. Let me implement this:"\n<code implementation>\nassistant: "Now I'll use the better-auth-enforcer agent to verify this implementation follows Better Auth best practices."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: User asks about session management\nuser: "How should I access the current user's session in my dashboard component?"\nassistant: "Let me consult the better-auth-enforcer agent to provide you with the most up-to-date and correct approach for session management in Better Auth with Next.js 16."\n<Task tool call to better-auth-enforcer agent>\n</example>
 model: sonnet
 color: red
 ---
 
-You are an elite Better Auth Implementation Enforcer, a specialist dedicated exclusively to ensuring perfect adherence to Better Auth best practices in Next.js 15+ applications. Your role is to be the strictest, most uncompromising guardian of Better Auth standards.
+You are an elite Better Auth Implementation Enforcer, a specialist dedicated exclusively to ensuring perfect adherence to Better Auth best practices in Next.js 16+ applications. Your role is to be the strictest, most uncompromising guardian of Better Auth standards.
 
 ## Core Responsibilities
 
@@ -16,7 +16,7 @@ You are an elite Better Auth Implementation Enforcer, a specialist dedicated exc
    - Use the Web Search tool to find the latest Better Auth documentation
    - Use the Context 7 MCP server to retrieve up-to-date Better Auth patterns and examples
    - Cross-reference multiple sources to ensure accuracy
-   - Verify that recommendations are compatible with Next.js 15+
+   - Verify that recommendations are compatible with Next.js 16+
 
 3. **Comprehensive Review Scope**: When reviewing Better Auth implementation, examine:
    - Server configuration (`src/lib/auth.ts`)
@@ -38,7 +38,7 @@ You are an elite Better Auth Implementation Enforcer, a specialist dedicated exc
 **Step 2: Fetch Current Documentation**
 
 - Use Web Search to find Better Auth's official documentation for the specific features being used
-- Search for "Better Auth [feature] Next.js 15 best practices"
+- Search for "Better Auth [feature] Next.js 16 best practices"
 - Look for recent GitHub issues, discussions, or changelog entries that might affect the implementation
 - Use Context 7 MCP server to retrieve relevant documentation snippets
 
@@ -55,7 +55,7 @@ For each file, scrutinize:
 **Step 4: Compare Against Best Practices**
 Verify:
 
-- Configuration matches Better Auth's recommended setup for Next.js 15
+- Configuration matches Better Auth's recommended setup for Next.js 16
 - Drizzle adapter is correctly configured with the database schema
 - OAuth flows use Better Auth's provider configuration
 - Session management uses Better Auth's token handling
@@ -83,7 +83,7 @@ For each violation:
 **Self-Verification Checklist**:
 
 - [ ] I have searched for and reviewed the latest Better Auth documentation
-- [ ] I have verified compatibility with Next.js 15+ App Router patterns
+- [ ] I have verified compatibility with Next.js 16+ App Router patterns
 - [ ] I have checked for any recent breaking changes in Better Auth
 - [ ] My recommendations use Better Auth's built-in functions, not custom implementations
 - [ ] I have provided code examples with proper imports and type safety
diff --git a/.claude/agents/polar-payments-expert.md b/.claude/agents/polar-payments-expert.md
index 59e9248..b9313fb 100644
--- a/.claude/agents/polar-payments-expert.md
+++ b/.claude/agents/polar-payments-expert.md
@@ -5,7 +5,7 @@ model: sonnet
 color: green
 ---
 
-You are an elite Polar payments integration specialist with uncompromising standards for payment security, reliability, and best practices. Your expertise is in implementing Polar (polar.sh) payment solutions in Next.js 15+ applications.
+You are an elite Polar payments integration specialist with uncompromising standards for payment security, reliability, and best practices. Your expertise is in implementing Polar (polar.sh) payment solutions in Next.js 16+ applications.
 
 ## Core Principles
 
@@ -18,7 +18,7 @@ You are an elite Polar payments integration specialist with uncompromising stand
    - Verify that your guidance matches the latest Polar API specifications
    - Cross-reference multiple sources when available
 
-3. **Next.js 15+ Compatibility**: All implementations must be compatible with Next.js 15 App Router patterns, including:
+3. **Next.js 16+ Compatibility**: All implementations must be compatible with Next.js 16 App Router patterns, including:
    - Server Components vs Client Components usage
    - Server Actions for mutations
    - API route handlers for webhooks
@@ -54,7 +54,7 @@ When assigned a task, follow this strict process:
 3. Add detailed comments explaining security-critical sections
 4. Implement proper logging for debugging (without exposing sensitive data)
 5. Use TypeScript with strict typing
-6. Follow Next.js 15+ conventions (Server Actions, route handlers)
+6. Follow Next.js 16+ conventions (Server Actions, route handlers)
 7. Ensure webhook endpoints are properly secured
 8. Implement idempotency keys where required
 
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index 9649562..058b2ff 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -12,7 +12,8 @@
       "Bash(git add:*)",
       "Bash(git log:*)",
       "Bash(find:*)",
-      "Bash(git checkout:*)"
+      "Bash(git checkout:*)",
+      "Bash(cat:*)"
     ]
   },
   "enableAllProjectMcpServers": true,
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..4e6d937
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,43 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: '[BUG] '
+labels: bug
+assignees: ''
+---
+
+## Describe the bug
+
+A clear and concise description of what the bug is.
+
+## To Reproduce
+
+Steps to reproduce the behavior:
+
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+## Expected behavior
+
+A clear and concise description of what you expected to happen.
+
+## Screenshots
+
+If applicable, add screenshots to help explain your problem.
+
+## Environment
+
+- OS: [e.g. Windows, macOS, Linux]
+- Node.js version: [e.g. 20.10.0]
+- Browser: [e.g. Chrome, Safari]
+- Package manager: [e.g. pnpm, npm]
+
+## Additional context
+
+Add any other context about the problem here.
+
+## Possible Solution
+
+If you have suggestions on a fix for the bug, please describe it here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..627c8b9
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,27 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: '[FEATURE] '
+labels: enhancement
+assignees: ''
+---
+
+## Is your feature request related to a problem?
+
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+## Describe the solution you'd like
+
+A clear and concise description of what you want to happen.
+
+## Describe alternatives you've considered
+
+A clear and concise description of any alternative solutions or features you've considered.
+
+## Additional context
+
+Add any other context or screenshots about the feature request here.
+
+## Implementation suggestion
+
+If you have suggestions on how to implement this feature, please describe it here.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..7cff8fd
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,88 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run ESLint
+        run: pnpm lint
+
+  typecheck:
+    name: Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run TypeScript type check
+        run: pnpm typecheck
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: [lint, typecheck]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build application
+        run: pnpm build
+        env:
+          # Provide minimal env vars for build (no actual secrets needed for build check)
+          POSTGRES_URL: "postgresql://user:pass@localhost:5432/db"
+          BETTER_AUTH_SECRET: "build-check-secret-32-characters!"
+          NEXT_PUBLIC_APP_URL: "http://localhost:3000"
+          # Skip database migration during CI build
+          SKIP_ENV_VALIDATION: "true"
diff --git a/.nvmrc b/.nvmrc
new file mode 100644
index 0000000..209e3ef
--- /dev/null
+++ b/.nvmrc
@@ -0,0 +1 @@
+20
diff --git a/.prettierignore b/.prettierignore
new file mode 100644
index 0000000..5177fb2
--- /dev/null
+++ b/.prettierignore
@@ -0,0 +1,25 @@
+# Dependencies
+node_modules/
+pnpm-lock.yaml
+
+# Build outputs
+.next/
+dist/
+build/
+
+# Database
+drizzle/
+
+# Generated files
+*.min.js
+*.min.css
+
+# Template (has its own formatting)
+create-agentic-app/
+
+# Cache
+.cache/
+
+# IDE
+.idea/
+.vscode/
diff --git a/.prettierrc b/.prettierrc
new file mode 100644
index 0000000..a79b3d6
--- /dev/null
+++ b/.prettierrc
@@ -0,0 +1,11 @@
+{
+  "semi": true,
+  "singleQuote": false,
+  "tabWidth": 2,
+  "trailingComma": "es5",
+  "printWidth": 100,
+  "bracketSpacing": true,
+  "arrowParens": "always",
+  "endOfLine": "lf",
+  "plugins": ["prettier-plugin-tailwindcss"]
+}
diff --git a/CLAUDE.md b/CLAUDE.md
index eabdb4e..c273a78 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -2,11 +2,11 @@
 
 ## Project Overview
 
-This is a Next.js 15 boilerplate for building AI-powered applications with authentication, database, and modern UI components.
+This is a Next.js 16 boilerplate for building AI-powered applications with authentication, database, and modern UI components.
 
 ### Tech Stack
 
-- **Framework**: Next.js 15 with App Router, React 19, TypeScript
+- **Framework**: Next.js 16 with App Router, React 19, TypeScript
 - **AI Integration**: Vercel AI SDK 5 + OpenRouter (access to 100+ AI models)
 - **Authentication**: BetterAuth with Google OAuth
 - **Database**: PostgreSQL with Drizzle ORM
@@ -182,7 +182,7 @@ The project includes technical documentation in `docs/`:
    - Use TypeScript with proper types
 
 9. **API Routes**
-   - Follow Next.js 15 App Router conventions
+   - Follow Next.js 16 App Router conventions
    - Use Route Handlers (route.ts files)
    - Return Response objects
    - Handle errors appropriately
diff --git a/README.md b/README.md
index c72c33c..fb8e78d 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ A complete agentic coding boilerplate with authentication, PostgreSQL database,
 - **🤖 AI Integration**: Vercel AI SDK with OpenRouter (access to 100+ AI models)
 - **📁 File Storage**: Automatic local/Vercel Blob storage with seamless switching
 - **🎨 UI Components**: shadcn/ui with Tailwind CSS
-- **⚡ Modern Stack**: Next.js 15, React 19, TypeScript
+- **⚡ Modern Stack**: Next.js 16, React 19, TypeScript
 - **📱 Responsive**: Mobile-first design approach
 
 ## 🎥 Video Tutorial
diff --git a/create-agentic-app/README.md b/create-agentic-app/README.md
index fb41055..9cfbc23 100644
--- a/create-agentic-app/README.md
+++ b/create-agentic-app/README.md
@@ -20,7 +20,7 @@ npx create-agentic-app@latest my-app
 
 This starter kit includes:
 
-- **Next.js 15** with App Router and Turbopack
+- **Next.js 16** with App Router and Turbopack
 - **Better Auth** for authentication (email/password, OAuth)
 - **AI SDK** by Vercel for AI chat functionality
 - **Drizzle ORM** with PostgreSQL database
diff --git a/create-agentic-app/package-lock.json b/create-agentic-app/package-lock.json
index 9057735..6681803 100644
--- a/create-agentic-app/package-lock.json
+++ b/create-agentic-app/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "create-agentic-app",
-  "version": "1.1.18",
+  "version": "1.1.19",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "create-agentic-app",
-      "version": "1.1.18",
+      "version": "1.1.19",
       "license": "MIT",
       "dependencies": {
         "chalk": "^5.3.0",
diff --git a/create-agentic-app/package.json b/create-agentic-app/package.json
index a458c1b..1142959 100644
--- a/create-agentic-app/package.json
+++ b/create-agentic-app/package.json
@@ -1,6 +1,6 @@
 {
   "name": "create-agentic-app",
-  "version": "1.1.18",
+  "version": "1.1.19",
   "description": "Scaffold a new agentic AI application with Next.js, Better Auth, and AI SDK",
   "type": "module",
   "bin": {
diff --git a/create-agentic-app/template/.claude/agents/better-auth-expert.md b/create-agentic-app/template/.claude/agents/better-auth-expert.md
index 0d45a76..9eae857 100644
--- a/create-agentic-app/template/.claude/agents/better-auth-expert.md
+++ b/create-agentic-app/template/.claude/agents/better-auth-expert.md
@@ -1,11 +1,11 @@
 ---
 name: better-auth-expert
-description: Use this agent when:\n\n1. **After Better Auth Implementation Changes**: Any time authentication-related code is modified, added, or refactored in files like:\n   - `src/lib/auth.ts` (server config)\n   - `src/lib/auth-client.ts` (client hooks)\n   - `src/app/api/auth/[...all]/route.ts` (catch-all handler)\n   - Authentication UI components in `src/components/auth/`\n   - Database schema changes affecting user, session, account, or verification tables\n\n2. **When User Requests Auth Review**: User explicitly asks for Better Auth implementation review\n\n3. **Before Major Auth Feature Deployment**: Prior to deploying authentication-related features\n\n4. **When Auth Issues Are Reported**: User mentions problems with login, session management, OAuth, or user data\n\n5. **Proactive Review Scenarios**: When you detect potential Better Auth violations in recently written code\n\n**Example Scenarios**:\n\n<example>\nContext: User just added a new sign-in component\nuser: "I've created a new sign-in form component. Here's the code:"\n<code>\nexport function CustomSignIn() {\n  const handleSignIn = async () => {\n    // Custom implementation\n    await fetch('/api/custom-auth', { method: 'POST' });\n  };\n  return <button onClick={handleSignIn}>Sign In</button>;\n}\n</code>\nassistant: "I'll use the better-auth-enforcer agent to review this implementation and ensure it follows Better Auth best practices."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: User modified the auth configuration file\nuser: "I updated the auth.ts file to add email verification. Can you check if it looks good?"\nassistant: "Let me launch the better-auth-enforcer agent to thoroughly review your Better Auth configuration changes and verify they align with the latest Better Auth best practices for Next.js 15."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: Proactive detection of potential auth issue\nuser: "Please add a logout button to the header"\nassistant: "I'll add the logout button using Better Auth's built-in signOut function. Let me implement this:"\n<code implementation>\nassistant: "Now I'll use the better-auth-enforcer agent to verify this implementation follows Better Auth best practices."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: User asks about session management\nuser: "How should I access the current user's session in my dashboard component?"\nassistant: "Let me consult the better-auth-enforcer agent to provide you with the most up-to-date and correct approach for session management in Better Auth with Next.js 15."\n<Task tool call to better-auth-enforcer agent>\n</example>
+description: Use this agent when:\n\n1. **After Better Auth Implementation Changes**: Any time authentication-related code is modified, added, or refactored in files like:\n   - `src/lib/auth.ts` (server config)\n   - `src/lib/auth-client.ts` (client hooks)\n   - `src/app/api/auth/[...all]/route.ts` (catch-all handler)\n   - Authentication UI components in `src/components/auth/`\n   - Database schema changes affecting user, session, account, or verification tables\n\n2. **When User Requests Auth Review**: User explicitly asks for Better Auth implementation review\n\n3. **Before Major Auth Feature Deployment**: Prior to deploying authentication-related features\n\n4. **When Auth Issues Are Reported**: User mentions problems with login, session management, OAuth, or user data\n\n5. **Proactive Review Scenarios**: When you detect potential Better Auth violations in recently written code\n\n**Example Scenarios**:\n\n<example>\nContext: User just added a new sign-in component\nuser: "I've created a new sign-in form component. Here's the code:"\n<code>\nexport function CustomSignIn() {\n  const handleSignIn = async () => {\n    // Custom implementation\n    await fetch('/api/custom-auth', { method: 'POST' });\n  };\n  return <button onClick={handleSignIn}>Sign In</button>;\n}\n</code>\nassistant: "I'll use the better-auth-enforcer agent to review this implementation and ensure it follows Better Auth best practices."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: User modified the auth configuration file\nuser: "I updated the auth.ts file to add email verification. Can you check if it looks good?"\nassistant: "Let me launch the better-auth-enforcer agent to thoroughly review your Better Auth configuration changes and verify they align with the latest Better Auth best practices for Next.js 16."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: Proactive detection of potential auth issue\nuser: "Please add a logout button to the header"\nassistant: "I'll add the logout button using Better Auth's built-in signOut function. Let me implement this:"\n<code implementation>\nassistant: "Now I'll use the better-auth-enforcer agent to verify this implementation follows Better Auth best practices."\n<Task tool call to better-auth-enforcer agent>\n</example>\n\n<example>\nContext: User asks about session management\nuser: "How should I access the current user's session in my dashboard component?"\nassistant: "Let me consult the better-auth-enforcer agent to provide you with the most up-to-date and correct approach for session management in Better Auth with Next.js 16."\n<Task tool call to better-auth-enforcer agent>\n</example>
 model: sonnet
 color: red
 ---
 
-You are an elite Better Auth Implementation Enforcer, a specialist dedicated exclusively to ensuring perfect adherence to Better Auth best practices in Next.js 15+ applications. Your role is to be the strictest, most uncompromising guardian of Better Auth standards.
+You are an elite Better Auth Implementation Enforcer, a specialist dedicated exclusively to ensuring perfect adherence to Better Auth best practices in Next.js 16+ applications. Your role is to be the strictest, most uncompromising guardian of Better Auth standards.
 
 ## Core Responsibilities
 
@@ -16,7 +16,7 @@ You are an elite Better Auth Implementation Enforcer, a specialist dedicated exc
    - Use the Web Search tool to find the latest Better Auth documentation
    - Use the Context 7 MCP server to retrieve up-to-date Better Auth patterns and examples
    - Cross-reference multiple sources to ensure accuracy
-   - Verify that recommendations are compatible with Next.js 15+
+   - Verify that recommendations are compatible with Next.js 16+
 
 3. **Comprehensive Review Scope**: When reviewing Better Auth implementation, examine:
    - Server configuration (`src/lib/auth.ts`)
@@ -38,7 +38,7 @@ You are an elite Better Auth Implementation Enforcer, a specialist dedicated exc
 **Step 2: Fetch Current Documentation**
 
 - Use Web Search to find Better Auth's official documentation for the specific features being used
-- Search for "Better Auth [feature] Next.js 15 best practices"
+- Search for "Better Auth [feature] Next.js 16 best practices"
 - Look for recent GitHub issues, discussions, or changelog entries that might affect the implementation
 - Use Context 7 MCP server to retrieve relevant documentation snippets
 
@@ -55,7 +55,7 @@ For each file, scrutinize:
 **Step 4: Compare Against Best Practices**
 Verify:
 
-- Configuration matches Better Auth's recommended setup for Next.js 15
+- Configuration matches Better Auth's recommended setup for Next.js 16
 - Drizzle adapter is correctly configured with the database schema
 - OAuth flows use Better Auth's provider configuration
 - Session management uses Better Auth's token handling
@@ -83,7 +83,7 @@ For each violation:
 **Self-Verification Checklist**:
 
 - [ ] I have searched for and reviewed the latest Better Auth documentation
-- [ ] I have verified compatibility with Next.js 15+ App Router patterns
+- [ ] I have verified compatibility with Next.js 16+ App Router patterns
 - [ ] I have checked for any recent breaking changes in Better Auth
 - [ ] My recommendations use Better Auth's built-in functions, not custom implementations
 - [ ] I have provided code examples with proper imports and type safety
diff --git a/create-agentic-app/template/.claude/agents/polar-payments-expert.md b/create-agentic-app/template/.claude/agents/polar-payments-expert.md
index 59e9248..b9313fb 100644
--- a/create-agentic-app/template/.claude/agents/polar-payments-expert.md
+++ b/create-agentic-app/template/.claude/agents/polar-payments-expert.md
@@ -5,7 +5,7 @@ model: sonnet
 color: green
 ---
 
-You are an elite Polar payments integration specialist with uncompromising standards for payment security, reliability, and best practices. Your expertise is in implementing Polar (polar.sh) payment solutions in Next.js 15+ applications.
+You are an elite Polar payments integration specialist with uncompromising standards for payment security, reliability, and best practices. Your expertise is in implementing Polar (polar.sh) payment solutions in Next.js 16+ applications.
 
 ## Core Principles
 
@@ -18,7 +18,7 @@ You are an elite Polar payments integration specialist with uncompromising stand
    - Verify that your guidance matches the latest Polar API specifications
    - Cross-reference multiple sources when available
 
-3. **Next.js 15+ Compatibility**: All implementations must be compatible with Next.js 15 App Router patterns, including:
+3. **Next.js 16+ Compatibility**: All implementations must be compatible with Next.js 16 App Router patterns, including:
    - Server Components vs Client Components usage
    - Server Actions for mutations
    - API route handlers for webhooks
@@ -54,7 +54,7 @@ When assigned a task, follow this strict process:
 3. Add detailed comments explaining security-critical sections
 4. Implement proper logging for debugging (without exposing sensitive data)
 5. Use TypeScript with strict typing
-6. Follow Next.js 15+ conventions (Server Actions, route handlers)
+6. Follow Next.js 16+ conventions (Server Actions, route handlers)
 7. Ensure webhook endpoints are properly secured
 8. Implement idempotency keys where required
 
diff --git a/create-agentic-app/template/.claude/settings.local.json b/create-agentic-app/template/.claude/settings.local.json
index 9649562..058b2ff 100644
--- a/create-agentic-app/template/.claude/settings.local.json
+++ b/create-agentic-app/template/.claude/settings.local.json
@@ -12,7 +12,8 @@
       "Bash(git add:*)",
       "Bash(git log:*)",
       "Bash(find:*)",
-      "Bash(git checkout:*)"
+      "Bash(git checkout:*)",
+      "Bash(cat:*)"
     ]
   },
   "enableAllProjectMcpServers": true,
diff --git a/create-agentic-app/template/.nvmrc b/create-agentic-app/template/.nvmrc
new file mode 100644
index 0000000..209e3ef
--- /dev/null
+++ b/create-agentic-app/template/.nvmrc
@@ -0,0 +1 @@
+20
diff --git a/create-agentic-app/template/.prettierignore b/create-agentic-app/template/.prettierignore
new file mode 100644
index 0000000..5177fb2
--- /dev/null
+++ b/create-agentic-app/template/.prettierignore
@@ -0,0 +1,25 @@
+# Dependencies
+node_modules/
+pnpm-lock.yaml
+
+# Build outputs
+.next/
+dist/
+build/
+
+# Database
+drizzle/
+
+# Generated files
+*.min.js
+*.min.css
+
+# Template (has its own formatting)
+create-agentic-app/
+
+# Cache
+.cache/
+
+# IDE
+.idea/
+.vscode/
diff --git a/create-agentic-app/template/.prettierrc b/create-agentic-app/template/.prettierrc
new file mode 100644
index 0000000..a79b3d6
--- /dev/null
+++ b/create-agentic-app/template/.prettierrc
@@ -0,0 +1,11 @@
+{
+  "semi": true,
+  "singleQuote": false,
+  "tabWidth": 2,
+  "trailingComma": "es5",
+  "printWidth": 100,
+  "bracketSpacing": true,
+  "arrowParens": "always",
+  "endOfLine": "lf",
+  "plugins": ["prettier-plugin-tailwindcss"]
+}
diff --git a/create-agentic-app/template/CLAUDE.md b/create-agentic-app/template/CLAUDE.md
index eabdb4e..c273a78 100644
--- a/create-agentic-app/template/CLAUDE.md
+++ b/create-agentic-app/template/CLAUDE.md
@@ -2,11 +2,11 @@
 
 ## Project Overview
 
-This is a Next.js 15 boilerplate for building AI-powered applications with authentication, database, and modern UI components.
+This is a Next.js 16 boilerplate for building AI-powered applications with authentication, database, and modern UI components.
 
 ### Tech Stack
 
-- **Framework**: Next.js 15 with App Router, React 19, TypeScript
+- **Framework**: Next.js 16 with App Router, React 19, TypeScript
 - **AI Integration**: Vercel AI SDK 5 + OpenRouter (access to 100+ AI models)
 - **Authentication**: BetterAuth with Google OAuth
 - **Database**: PostgreSQL with Drizzle ORM
@@ -182,7 +182,7 @@ The project includes technical documentation in `docs/`:
    - Use TypeScript with proper types
 
 9. **API Routes**
-   - Follow Next.js 15 App Router conventions
+   - Follow Next.js 16 App Router conventions
    - Use Route Handlers (route.ts files)
    - Return Response objects
    - Handle errors appropriately
diff --git a/create-agentic-app/template/README.md b/create-agentic-app/template/README.md
index c72c33c..fb8e78d 100644
--- a/create-agentic-app/template/README.md
+++ b/create-agentic-app/template/README.md
@@ -9,7 +9,7 @@ A complete agentic coding boilerplate with authentication, PostgreSQL database,
 - **🤖 AI Integration**: Vercel AI SDK with OpenRouter (access to 100+ AI models)
 - **📁 File Storage**: Automatic local/Vercel Blob storage with seamless switching
 - **🎨 UI Components**: shadcn/ui with Tailwind CSS
-- **⚡ Modern Stack**: Next.js 15, React 19, TypeScript
+- **⚡ Modern Stack**: Next.js 16, React 19, TypeScript
 - **📱 Responsive**: Mobile-first design approach
 
 ## 🎥 Video Tutorial
diff --git a/create-agentic-app/template/docs/business/starter-prompt.md b/create-agentic-app/template/docs/business/starter-prompt.md
index 86de00a..cf3366e 100644
--- a/create-agentic-app/template/docs/business/starter-prompt.md
+++ b/create-agentic-app/template/docs/business/starter-prompt.md
@@ -42,7 +42,7 @@ The only things to preserve are:
 
 ## Tech Stack
 
-- Next.js 15 with App Router
+- Next.js 16 with App Router
 - TypeScript
 - Tailwind CSS
 - Better Auth for authentication
diff --git a/create-agentic-app/template/docs/technical/ai/streaming.md b/create-agentic-app/template/docs/technical/ai/streaming.md
index 89af7d1..036f65d 100644
--- a/create-agentic-app/template/docs/technical/ai/streaming.md
+++ b/create-agentic-app/template/docs/technical/ai/streaming.md
@@ -11,9 +11,9 @@ If you are unfamiliar with the concepts of [Prompt Engineering](/docs/advanced/p
 To follow this quickstart, you'll need:
 
 - Node.js 18+ and pnpm installed on your local development machine.
-- An OpenAI API key.
+- An OpenRouter API key.
 
-If you haven't obtained your OpenAI API key, you can do so by [signing up](https://platform.openai.com/signup/) on the OpenAI website.
+If you haven't obtained your OpenRouter API key, you can do so by [signing up](https://openrouter.ai/) on the OpenRouter website and visiting [https://openrouter.ai/settings/keys](https://openrouter.ai/settings/keys).
 
 ## Create Your Application
 
@@ -35,7 +35,7 @@ Navigate to the newly created directory:
 
 ### Install dependencies
 
-Install `ai`, `@ai-sdk/react`, and `@ai-sdk/openai`, the AI package, AI SDK's React hooks, and AI SDK's [ OpenAI provider ](/providers/ai-sdk-providers/openai) respectively.
+Install `ai`, `@ai-sdk/react`, and `@openrouter/ai-sdk-provider`, the AI package, AI SDK's React hooks, and the OpenRouter provider respectively.
 
 <Note>
   The AI SDK is designed to be a unified interface to interact with any large
@@ -47,39 +47,39 @@ Install `ai`, `@ai-sdk/react`, and `@ai-sdk/openai`, the AI package, AI SDK's Re
 <div className="my-4">
   <Tabs items={['pnpm', 'npm', 'yarn', 'bun']}>
     <Tab>
-      <Snippet text="pnpm add ai @ai-sdk/react @ai-sdk/openai zod" dark />
+      <Snippet text="pnpm add ai @ai-sdk/react @openrouter/ai-sdk-provider zod" dark />
     </Tab>
     <Tab>
-      <Snippet text="npm install ai @ai-sdk/react @ai-sdk/openai zod" dark />
+      <Snippet text="npm install ai @ai-sdk/react @openrouter/ai-sdk-provider zod" dark />
     </Tab>
     <Tab>
-      <Snippet text="yarn add ai @ai-sdk/react @ai-sdk/openai zod" dark />
+      <Snippet text="yarn add ai @ai-sdk/react @openrouter/ai-sdk-provider zod" dark />
     </Tab>
 
     <Tab>
-      <Snippet text="bun add ai @ai-sdk/react @ai-sdk/openai zod" dark />
+      <Snippet text="bun add ai @ai-sdk/react @openrouter/ai-sdk-provider zod" dark />
     </Tab>
 
   </Tabs>
 </div>
 
-### Configure OpenAI API key
+### Configure OpenRouter API key
 
-Create a `.env.local` file in your project root and add your OpenAI API Key. This key is used to authenticate your application with the OpenAI service.
+Create a `.env.local` file in your project root and add your OpenRouter API Key. This key is used to authenticate your application with OpenRouter.
 
 <Snippet text="touch .env.local" />
 
 Edit the `.env.local` file:
 
 ```env filename=".env.local"
-OPENAI_API_KEY=xxxxxxxxx
+OPENROUTER_API_KEY=sk-or-v1-xxxxxxxxx
+OPENROUTER_MODEL=openai/gpt-5-mini
 ```
 
-Replace `xxxxxxxxx` with your actual OpenAI API key.
+Replace the API key with your actual OpenRouter API key from [https://openrouter.ai/settings/keys](https://openrouter.ai/settings/keys).
 
 <Note className="mb-4">
-  The AI SDK's OpenAI Provider will default to using the `OPENAI_API_KEY`
-  environment variable.
+  You can browse available models at [https://openrouter.ai/models](https://openrouter.ai/models) and set your preferred model via the `OPENROUTER_MODEL` environment variable.
 </Note>
 
 ## Create a Route Handler
@@ -87,7 +87,7 @@ Replace `xxxxxxxxx` with your actual OpenAI API key.
 Create a route handler, `app/api/chat/route.ts` and add the following code:
 
 ```tsx filename="app/api/chat/route.ts"
-import { openai } from "@ai-sdk/openai";
+import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import { streamText, UIMessage, convertToModelMessages } from "ai";
 
 // Allow streaming responses up to 30 seconds
@@ -96,8 +96,13 @@ export const maxDuration = 30;
 export async function POST(req: Request) {
   const { messages }: { messages: UIMessage[] } = await req.json();
 
+  // Initialize OpenRouter with API key from environment
+  const openrouter = createOpenRouter({
+    apiKey: process.env.OPENROUTER_API_KEY,
+  });
+
   const result = streamText({
-    model: openai(process.env.OPENAI_MODEL || "gpt-5-mini"),
+    model: openrouter(process.env.OPENROUTER_MODEL || "openai/gpt-5-mini"),
     messages: convertToModelMessages(messages),
   });
 
@@ -108,7 +113,7 @@ export async function POST(req: Request) {
 Let's take a look at what is happening in this code:
 
 1. Define an asynchronous `POST` request handler and extract `messages` from the body of the request. The `messages` variable contains a history of the conversation between you and the chatbot and provides the chatbot with the necessary context to make the next generation. The `messages` are of UIMessage type, which are designed for use in application UI - they contain the entire message history and associated metadata like timestamps.
-2. Call [`streamText`](/docs/reference/ai-sdk-core/stream-text), which is imported from the `ai` package. This function accepts a configuration object that contains a `model` provider (imported from `@ai-sdk/openai`) and `messages` (defined in step 1). You can pass additional [settings](/docs/ai-sdk-core/settings) to further customise the model's behaviour. The `messages` key expects a `ModelMessage[]` array. This type is different from `UIMessage` in that it does not include metadata, such as timestamps or sender information. To convert between these types, we use the `convertToModelMessages` function, which strips the UI-specific metadata and transforms the `UIMessage[]` array into the `ModelMessage[]` format that the model expects.
+2. Call [`streamText`](/docs/reference/ai-sdk-core/stream-text), which is imported from the `ai` package. This function accepts a configuration object that contains a `model` provider (created using `createOpenRouter` from `@openrouter/ai-sdk-provider`) and `messages` (defined in step 1). You can pass additional [settings](/docs/ai-sdk-core/settings) to further customise the model's behaviour. The `messages` key expects a `ModelMessage[]` array. This type is different from `UIMessage` in that it does not include metadata, such as timestamps or sender information. To convert between these types, we use the `convertToModelMessages` function, which strips the UI-specific metadata and transforms the `UIMessage[]` array into the `ModelMessage[]` format that the model expects.
 3. The `streamText` function returns a [`StreamTextResult`](/docs/reference/ai-sdk-core/stream-text#result-object). This result object contains the [ `toUIMessageStreamResponse` ](/docs/reference/ai-sdk-core/stream-text#to-data-stream-response) function which converts the result to a streamed response object.
 4. Finally, return the result to the client to stream the response.
 
@@ -199,7 +204,7 @@ Let's enhance your chatbot by adding a simple weather tool.
 Modify your `app/api/chat/route.ts` file to include the new weather tool:
 
 ```tsx filename="app/api/chat/route.ts" highlight="2,13-27"
-import { openai } from "@ai-sdk/openai";
+import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import { streamText, UIMessage, convertToModelMessages, tool } from "ai";
 import { z } from "zod";
 
@@ -208,8 +213,12 @@ export const maxDuration = 30;
 export async function POST(req: Request) {
   const { messages }: { messages: UIMessage[] } = await req.json();
 
+  const openrouter = createOpenRouter({
+    apiKey: process.env.OPENROUTER_API_KEY,
+  });
+
   const result = streamText({
-    model: openai(process.env.OPENAI_MODEL || "gpt-5-mini"),
+    model: openrouter(process.env.OPENROUTER_MODEL || "openai/gpt-5-mini"),
     messages: convertToModelMessages(messages),
     tools: {
       weather: tool({
@@ -320,7 +329,7 @@ To solve this, you can enable multi-step tool calls using `stopWhen`. By default
 Modify your `app/api/chat/route.ts` file to include the `stopWhen` condition:
 
 ```tsx filename="app/api/chat/route.ts"
-import { openai } from "@ai-sdk/openai";
+import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import {
   streamText,
   UIMessage,
@@ -335,8 +344,12 @@ export const maxDuration = 30;
 export async function POST(req: Request) {
   const { messages }: { messages: UIMessage[] } = await req.json();
 
+  const openrouter = createOpenRouter({
+    apiKey: process.env.OPENROUTER_API_KEY,
+  });
+
   const result = streamText({
-    model: openai(process.env.OPENAI_MODEL || "gpt-5-mini"),
+    model: openrouter(process.env.OPENROUTER_MODEL || "openai/gpt-5-mini"),
     messages: convertToModelMessages(messages),
     stopWhen: stepCountIs(5),
     tools: {
@@ -374,7 +387,7 @@ By setting `stopWhen: stepCountIs(5)`, you're allowing the model to use up to 5
 Update your `app/api/chat/route.ts` file to add a new tool to convert the temperature from Fahrenheit to Celsius:
 
 ```tsx filename="app/api/chat/route.ts" highlight="34-47"
-import { openai } from "@ai-sdk/openai";
+import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import {
   streamText,
   UIMessage,
@@ -389,8 +402,12 @@ export const maxDuration = 30;
 export async function POST(req: Request) {
   const { messages }: { messages: UIMessage[] } = await req.json();
 
+  const openrouter = createOpenRouter({
+    apiKey: process.env.OPENROUTER_API_KEY,
+  });
+
   const result = streamText({
-    model: openai(process.env.OPENAI_MODEL || "gpt-5-mini"),
+    model: openrouter(process.env.OPENROUTER_MODEL || "openai/gpt-5-mini"),
     messages: convertToModelMessages(messages),
     stopWhen: stepCountIs(5),
     tools: {
diff --git a/create-agentic-app/template/eslint.config.mjs b/create-agentic-app/template/eslint.config.mjs
index 4c1faba..d0c27e7 100644
--- a/create-agentic-app/template/eslint.config.mjs
+++ b/create-agentic-app/template/eslint.config.mjs
@@ -2,9 +2,74 @@ import nextConfig from "eslint-config-next/core-web-vitals";
 
 const config = [
   {
-    ignores: [".next/**", "node_modules/**", ".cache/**", "dist/**", "build/**"],
+    ignores: [
+      ".next/**",
+      "node_modules/**",
+      ".cache/**",
+      "dist/**",
+      "build/**",
+      "create-agentic-app/**",
+      "drizzle/**",
+      "scripts/**",
+    ],
   },
   ...nextConfig,
+  {
+    rules: {
+      // React rules
+      "react/jsx-no-target-blank": "error",
+      "react/no-unescaped-entities": "off",
+
+      // React Hooks rules
+      "react-hooks/rules-of-hooks": "error",
+      "react-hooks/exhaustive-deps": "warn",
+
+      // Import rules
+      "import/no-anonymous-default-export": "warn",
+      "import/order": [
+        "warn",
+        {
+          groups: [
+            "builtin",
+            "external",
+            "internal",
+            ["parent", "sibling"],
+            "index",
+            "type",
+          ],
+          pathGroups: [
+            {
+              pattern: "react",
+              group: "builtin",
+              position: "before",
+            },
+            {
+              pattern: "next/**",
+              group: "builtin",
+              position: "before",
+            },
+            {
+              pattern: "@/**",
+              group: "internal",
+              position: "before",
+            },
+          ],
+          pathGroupsExcludedImportTypes: ["react", "next"],
+          "newlines-between": "never",
+          alphabetize: {
+            order: "asc",
+            caseInsensitive: true,
+          },
+        },
+      ],
+
+      // Best practices
+      "no-console": ["warn", { allow: ["warn", "error"] }],
+      "prefer-const": "error",
+      "no-var": "error",
+      eqeqeq: ["error", "always", { null: "ignore" }],
+    },
+  },
 ];
 
 export default config;
diff --git a/create-agentic-app/template/next.config.ts b/create-agentic-app/template/next.config.ts
index e9ffa30..189f2a2 100644
--- a/create-agentic-app/template/next.config.ts
+++ b/create-agentic-app/template/next.config.ts
@@ -1,7 +1,53 @@
 import type { NextConfig } from "next";
 
 const nextConfig: NextConfig = {
-  /* config options here */
+  // Image optimization configuration
+  images: {
+    remotePatterns: [
+      {
+        protocol: "https",
+        hostname: "lh3.googleusercontent.com",
+      },
+      {
+        protocol: "https",
+        hostname: "avatars.githubusercontent.com",
+      },
+    ],
+  },
+
+  // Enable compression
+  compress: true,
+
+  // Security headers
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          {
+            key: "X-Frame-Options",
+            value: "DENY",
+          },
+          {
+            key: "X-Content-Type-Options",
+            value: "nosniff",
+          },
+          {
+            key: "Referrer-Policy",
+            value: "strict-origin-when-cross-origin",
+          },
+          {
+            key: "X-XSS-Protection",
+            value: "1; mode=block",
+          },
+          {
+            key: "Permissions-Policy",
+            value: "camera=(), microphone=(), geolocation=()",
+          },
+        ],
+      },
+    ];
+  },
 };
 
 export default nextConfig;
diff --git a/create-agentic-app/template/package.json b/create-agentic-app/template/package.json
index 963b74e..7adb8b1 100644
--- a/create-agentic-app/template/package.json
+++ b/create-agentic-app/template/package.json
@@ -2,11 +2,16 @@
   "name": "agentic-coding-starter-kit",
   "version": "1.1.2",
   "scripts": {
-    "dev": "next dev",
+    "dev": "next dev --turbopack",
     "build": "pnpm run db:migrate && next build",
     "start": "next start",
     "lint": "eslint .",
     "typecheck": "tsc --noEmit",
+    "check": "pnpm lint && pnpm typecheck",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "setup": "npx tsx scripts/setup.ts",
+    "env:check": "node -e \"require('./src/lib/env.ts').checkEnv()\" || echo 'Run with tsx: npx tsx -e \"import { checkEnv } from './src/lib/env'; checkEnv();\"'",
     "db:generate": "drizzle-kit generate",
     "db:migrate": "drizzle-kit migrate",
     "db:push": "drizzle-kit push",
@@ -15,12 +20,12 @@
     "db:reset": "drizzle-kit drop && drizzle-kit push"
   },
   "dependencies": {
-    "@ai-sdk/openai": "^2.0.60",
     "@ai-sdk/react": "^2.0.86",
     "@openrouter/ai-sdk-provider": "^1.2.0",
     "@radix-ui/react-avatar": "^1.1.10",
     "@radix-ui/react-dialog": "^1.1.15",
     "@radix-ui/react-dropdown-menu": "^2.1.16",
+    "@radix-ui/react-label": "^2.1.8",
     "@radix-ui/react-slot": "^1.2.3",
     "@vercel/blob": "^2.0.0",
     "ai": "^5.0.86",
@@ -36,6 +41,7 @@
     "react": "19.2.0",
     "react-dom": "19.2.0",
     "react-markdown": "^10.1.0",
+    "sonner": "^2.0.7",
     "tailwind-merge": "^3.3.1",
     "zod": "^4.1.12"
   },
@@ -48,8 +54,11 @@
     "drizzle-kit": "^0.31.6",
     "eslint": "^9.39.0",
     "eslint-config-next": "16.0.3",
+    "prettier": "^3.4.2",
+    "prettier-plugin-tailwindcss": "^0.6.9",
     "shadcn": "^3.5.0",
     "tailwindcss": "^4.1.16",
+    "tsx": "^4.19.2",
     "tw-animate-css": "^1.4.0",
     "typescript": "^5.9.3"
   },
diff --git a/create-agentic-app/template/scripts/setup.ts b/create-agentic-app/template/scripts/setup.ts
new file mode 100644
index 0000000..446cdb4
--- /dev/null
+++ b/create-agentic-app/template/scripts/setup.ts
@@ -0,0 +1,274 @@
+#!/usr/bin/env npx tsx
+/**
+ * Interactive setup wizard for the Agentic Coding Starter Kit.
+ * Run with: npx tsx scripts/setup.ts
+ */
+
+import { existsSync, copyFileSync, readFileSync } from "fs";
+import { createInterface } from "readline";
+import { execSync } from "child_process";
+import { join } from "path";
+
+const ROOT_DIR = join(import.meta.dirname, "..");
+const ENV_EXAMPLE = join(ROOT_DIR, "env.example");
+const ENV_FILE = join(ROOT_DIR, ".env");
+
+// ANSI colors
+const colors = {
+  reset: "\x1b[0m",
+  bright: "\x1b[1m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  red: "\x1b[31m",
+  cyan: "\x1b[36m",
+  dim: "\x1b[2m",
+};
+
+function log(message: string, color?: keyof typeof colors) {
+  const colorCode = color ? colors[color] : "";
+  console.log(`${colorCode}${message}${colors.reset}`);
+}
+
+function header(message: string) {
+  console.log();
+  log(`${"=".repeat(60)}`, "cyan");
+  log(`  ${message}`, "bright");
+  log(`${"=".repeat(60)}`, "cyan");
+  console.log();
+}
+
+function success(message: string) {
+  log(`✓ ${message}`, "green");
+}
+
+function warn(message: string) {
+  log(`⚠ ${message}`, "yellow");
+}
+
+function error(message: string) {
+  log(`✗ ${message}`, "red");
+}
+
+function info(message: string) {
+  log(`  ${message}`, "dim");
+}
+
+async function prompt(question: string): Promise<string> {
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  return new Promise((resolve) => {
+    rl.question(`${colors.cyan}? ${colors.reset}${question} `, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+async function confirm(question: string): Promise<boolean> {
+  const answer = await prompt(`${question} (y/n)`);
+  return answer.toLowerCase() === "y" || answer.toLowerCase() === "yes";
+}
+
+function checkNodeVersion(): boolean {
+  const requiredMajor = 20;
+  const currentVersion = process.version;
+  const currentMajor = parseInt(currentVersion.slice(1).split(".")[0] || "0", 10);
+
+  if (currentMajor >= requiredMajor) {
+    success(`Node.js ${currentVersion} detected (requires v${requiredMajor}+)`);
+    return true;
+  } else {
+    error(`Node.js ${currentVersion} detected, but v${requiredMajor}+ is required`);
+    info("Please upgrade Node.js: https://nodejs.org/");
+    return false;
+  }
+}
+
+function copyEnvFile(): boolean {
+  if (existsSync(ENV_FILE)) {
+    warn(".env file already exists");
+    return true;
+  }
+
+  if (!existsSync(ENV_EXAMPLE)) {
+    error("env.example file not found");
+    return false;
+  }
+
+  try {
+    copyFileSync(ENV_EXAMPLE, ENV_FILE);
+    success("Created .env file from env.example");
+    return true;
+  } catch (err) {
+    error(`Failed to create .env file: ${err}`);
+    return false;
+  }
+}
+
+interface EnvStatus {
+  configured: string[];
+  missing: string[];
+  optional: string[];
+}
+
+function checkEnvVariables(): EnvStatus {
+  const required = ["POSTGRES_URL", "BETTER_AUTH_SECRET"];
+  const optional = [
+    "GOOGLE_CLIENT_ID",
+    "GOOGLE_CLIENT_SECRET",
+    "OPENROUTER_API_KEY",
+    "OPENROUTER_MODEL",
+    "BLOB_READ_WRITE_TOKEN",
+    "NEXT_PUBLIC_APP_URL",
+  ];
+
+  const status: EnvStatus = {
+    configured: [],
+    missing: [],
+    optional: [],
+  };
+
+  // Read .env file if it exists
+  let envContent = "";
+  if (existsSync(ENV_FILE)) {
+    envContent = readFileSync(ENV_FILE, "utf-8");
+  }
+
+  // Parse env file (simple key=value parsing)
+  const envVars: Record<string, string> = {};
+  envContent.split("\n").forEach((line) => {
+    const trimmed = line.trim();
+    if (trimmed && !trimmed.startsWith("#")) {
+      const [key, ...valueParts] = trimmed.split("=");
+      if (key) {
+        envVars[key] = valueParts.join("=");
+      }
+    }
+  });
+
+  // Check required variables
+  for (const key of required) {
+    const value = envVars[key];
+    if (value && value.length > 0 && !value.startsWith("your-")) {
+      status.configured.push(key);
+    } else {
+      status.missing.push(key);
+    }
+  }
+
+  // Check optional variables
+  for (const key of optional) {
+    const value = envVars[key];
+    if (value && value.length > 0 && !value.startsWith("your-")) {
+      status.configured.push(key);
+    } else {
+      status.optional.push(key);
+    }
+  }
+
+  return status;
+}
+
+async function runDatabaseMigration(): Promise<boolean> {
+  log("\nRunning database migration...", "cyan");
+
+  try {
+    execSync("pnpm db:migrate", {
+      cwd: ROOT_DIR,
+      stdio: "inherit",
+    });
+    success("Database migration completed");
+    return true;
+  } catch {
+    error("Database migration failed");
+    info("Make sure your database is running and POSTGRES_URL is correct");
+    return false;
+  }
+}
+
+function printNextSteps(envStatus: EnvStatus) {
+  header("Next Steps");
+
+  const steps: string[] = [];
+
+  if (envStatus.missing.length > 0) {
+    steps.push(`Configure required env vars in .env: ${envStatus.missing.join(", ")}`);
+  }
+
+  if (envStatus.optional.includes("GOOGLE_CLIENT_ID")) {
+    steps.push("Set up Google OAuth at https://console.cloud.google.com/");
+  }
+
+  if (envStatus.optional.includes("OPENROUTER_API_KEY")) {
+    steps.push("Get an OpenRouter API key at https://openrouter.ai/settings/keys");
+  }
+
+  steps.push("Start the development server: pnpm dev");
+  steps.push("Open http://localhost:3000 in your browser");
+
+  steps.forEach((step, index) => {
+    log(`${index + 1}. ${step}`);
+  });
+
+  console.log();
+  log("Documentation:", "bright");
+  info("- README.md - Project overview and setup");
+  info("- CLAUDE.md - AI assistant guidelines");
+  info("- docs/ - Technical documentation");
+  console.log();
+}
+
+async function main() {
+  header("Agentic Coding Starter Kit - Setup Wizard");
+
+  // Step 1: Check Node version
+  log("Checking Node.js version...", "cyan");
+  if (!checkNodeVersion()) {
+    process.exit(1);
+  }
+
+  // Step 2: Create .env file
+  console.log();
+  log("Setting up environment...", "cyan");
+  copyEnvFile();
+
+  // Step 3: Check environment variables
+  console.log();
+  log("Checking environment variables...", "cyan");
+  const envStatus = checkEnvVariables();
+
+  if (envStatus.configured.length > 0) {
+    success(`Configured: ${envStatus.configured.join(", ")}`);
+  }
+  if (envStatus.missing.length > 0) {
+    warn(`Missing (required): ${envStatus.missing.join(", ")}`);
+  }
+  if (envStatus.optional.length > 0) {
+    info(`Optional (not set): ${envStatus.optional.join(", ")}`);
+  }
+
+  // Step 4: Offer to run database migration
+  if (envStatus.missing.length === 0) {
+    console.log();
+    const shouldMigrate = await confirm("Would you like to run database migrations now?");
+    if (shouldMigrate) {
+      await runDatabaseMigration();
+    }
+  } else {
+    console.log();
+    warn("Skipping database migration - please configure required env vars first");
+  }
+
+  // Step 5: Print next steps
+  printNextSteps(envStatus);
+
+  log("Setup complete!", "green");
+}
+
+main().catch((err) => {
+  error(`Setup failed: ${err}`);
+  process.exit(1);
+});
diff --git a/create-agentic-app/template/specs/boilerplate-improvements/implementation-plan.md b/create-agentic-app/template/specs/boilerplate-improvements/implementation-plan.md
new file mode 100644
index 0000000..394cbcf
--- /dev/null
+++ b/create-agentic-app/template/specs/boilerplate-improvements/implementation-plan.md
@@ -0,0 +1,165 @@
+# Next.js 16 Boilerplate Improvements - Implementation Plan
+
+## Phase 1: Critical Security & Stability (19 files)
+
+### Security Configuration
+- [ ] Update `next.config.ts` - Add security headers, image config, compression
+- [ ] Modify `package.json` - Remove `@ai-sdk/openai` dependency
+- [ ] Create `src/proxy.ts` - Server-side auth protection using Next.js 16 proxy + BetterAuth
+- [ ] Modify `src/app/api/chat/route.ts` - Add session authentication check
+- [ ] Update `docs/technical/ai/streaming.md` - Fix OpenRouter references
+
+### Next.js 15 → 16 Updates (Main Project)
+- [ ] Update `CLAUDE.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `README.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `docs/business/starter-prompt.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `src/components/starter-prompt-modal.tsx` - Change Next.js 15 to Next.js 16
+- [ ] Update `.claude/agents/polar-payments-expert.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `.claude/agents/better-auth-expert.md` - Change Next.js 15 to Next.js 16
+
+### Next.js 15 → 16 Updates (create-agentic-app Template)
+- [ ] Update `create-agentic-app/README.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/CLAUDE.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/README.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/docs/business/starter-prompt.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/src/components/starter-prompt-modal.tsx` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/.claude/agents/better-auth-expert.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/.claude/agents/polar-payments-expert.md` - Change Next.js 15 to Next.js 16
+
+---
+
+## Phase 2: Core UX Components (12 files)
+
+### Error Handling
+- [ ] Create `src/app/error.tsx` - Global error boundary
+- [ ] Create `src/app/not-found.tsx` - Custom 404 page
+- [ ] Create `src/app/chat/error.tsx` - Chat-specific error handling
+
+### Loading States
+- [ ] Create `src/components/ui/skeleton.tsx` - Skeleton loading component (via shadcn)
+- [ ] Create `src/components/ui/spinner.tsx` - Loading spinner component
+
+### Toast Notifications
+- [ ] Install shadcn Sonner: `npx shadcn@latest add sonner`
+- [ ] Modify `src/app/layout.tsx` - Add `<Toaster />` component
+
+### Form Components
+- [ ] Install shadcn input: `npx shadcn@latest add input`
+- [ ] Install shadcn textarea: `npx shadcn@latest add textarea`
+- [ ] Install shadcn label: `npx shadcn@latest add label`
+
+### Chat UX Improvements
+- [ ] Modify `src/app/chat/page.tsx`:
+  - [ ] Add message timestamps
+  - [ ] Add copy-to-clipboard for AI responses
+  - [ ] Add typing/thinking indicator during streaming
+  - [ ] Add error display for API failures
+  - [ ] Add message persistence (localStorage)
+
+### Database Schema
+- [ ] Modify `src/lib/schema.ts` - Add missing indexes:
+  - [ ] Index on `session.user_id`
+  - [ ] Index on `session.token`
+  - [ ] Index on `account.user_id`
+  - [ ] Index on `account(provider_id, account_id)`
+  - [ ] Index on `user.email`
+- [ ] Run `pnpm db:generate` to create migration
+- [ ] Run `pnpm db:migrate` to apply migration
+
+---
+
+## Phase 3: Polish & Security (8 files)
+
+### ESLint Configuration
+- [ ] Modify `eslint.config.mjs`:
+  - [ ] Add import ordering rules
+  - [ ] Add TypeScript-eslint rules
+  - [ ] Add React hooks exhaustive-deps
+  - [ ] Add no-console warnings
+
+### API Hardening
+- [ ] Modify `src/app/api/chat/route.ts`:
+  - [ ] Add rate limiting (10 requests/minute per user)
+  - [ ] Add Zod validation for messages
+  - [ ] Add message length limits
+- [ ] Modify `src/app/api/diagnostics/route.ts` - Restrict to authenticated admins
+
+### SEO
+- [ ] Modify `src/app/layout.tsx` - Add Open Graph metadata
+- [ ] Create `src/app/sitemap.ts` - Dynamic sitemap
+- [ ] Create `src/app/robots.ts` - Robots configuration
+
+### Accessibility
+- [ ] Modify `src/components/site-header.tsx`:
+  - [ ] Add `<nav>` role
+  - [ ] Add aria-labels to interactive elements
+  - [ ] Add skip-to-content link
+
+### TypeScript
+- [ ] Modify `tsconfig.json`:
+  - [ ] Add `noUncheckedIndexedAccess: true`
+  - [ ] Add `noImplicitOverride: true`
+  - [ ] Add `exactOptionalPropertyTypes: true`
+
+---
+
+## Phase 4: DevEx & Infrastructure (7 files)
+
+### Code Formatting
+- [ ] Create `.prettierrc` - Prettier configuration
+
+### CI/CD
+- [ ] Create `.github/workflows/ci.yml`:
+  - [ ] Lint check (`pnpm lint`)
+  - [ ] Type check (`pnpm typecheck`)
+  - [ ] Build verification (`pnpm build`)
+  - [ ] Trigger on PR and push to main
+
+### Node Version
+- [ ] Create `.nvmrc` - Pin to Node 20 LTS
+
+### CLI Scripts
+- [ ] Modify `package.json`:
+  - [ ] Add `validate-env` script
+  - [ ] Add `check` script (lint + typecheck)
+
+### Setup Experience
+- [ ] Create `scripts/setup.ts` - Interactive setup wizard:
+  - [ ] Check Node version
+  - [ ] Copy env.example to .env
+  - [ ] Validate required variables
+  - [ ] Offer to run db:migrate
+  - [ ] Provide next steps guidance
+
+### File Storage Security
+- [ ] Modify `src/lib/storage.ts`:
+  - [ ] Add file type whitelist (images, documents)
+  - [ ] Add file size limits (5MB default)
+  - [ ] Add filename sanitization
+
+### Profile Page
+- [ ] Modify `src/app/profile/page.tsx`:
+  - [ ] Enable Edit Profile button with modal
+  - [ ] Enable basic security settings view
+
+---
+
+## Summary
+
+| Phase | Files | Focus |
+|-------|-------|-------|
+| Phase 1 | 19 | Security, stability, Next.js 16 updates |
+| Phase 2 | 12 | Core UX components |
+| Phase 3 | 8 | Polish & security |
+| Phase 4 | 7 | DevEx & infrastructure |
+| **Total** | **46** | |
+
+## Implementation Order
+
+Execute phases sequentially: **Phase 1** → **Phase 2** → **Phase 3** → **Phase 4**
+
+Each phase builds on the previous one:
+1. Phase 1 ensures security and stability
+2. Phase 2 adds core user experience
+3. Phase 3 polishes and hardens
+4. Phase 4 improves developer experience
diff --git a/create-agentic-app/template/specs/boilerplate-improvements/requirements.md b/create-agentic-app/template/specs/boilerplate-improvements/requirements.md
new file mode 100644
index 0000000..8229784
--- /dev/null
+++ b/create-agentic-app/template/specs/boilerplate-improvements/requirements.md
@@ -0,0 +1,131 @@
+# Next.js 16 Boilerplate Improvements - Requirements
+
+## Overview
+
+Comprehensive review and improvement of the Next.js 16 boilerplate project to enhance security, user experience, developer experience, and overall code quality.
+
+## User Decisions
+
+- **Scope:** Full implementation (all improvements including CI/CD, CLI tools)
+- **Testing:** Skip testing framework (keep boilerplate minimal)
+- **Toast Library:** shadcn Sonner component
+- **CI/CD:** Full GitHub Actions pipeline (lint, typecheck, build)
+- **Dockerfile:** Skip (deploying to Vercel only)
+- **Database Seed:** Skip (developers will create their own data)
+
+## Requirements by Category
+
+### 1. Security & Stability (Critical)
+
+1. **next.config.ts** - Currently empty, needs:
+   - Security headers (CSP, X-Frame-Options, X-Content-Type-Options)
+   - Image optimization configuration
+   - Compression settings
+
+2. **Unused Dependency** - Remove `@ai-sdk/openai` from package.json (project uses OpenRouter exclusively)
+
+3. **Server-Side Auth Protection** - Create `src/proxy.ts` using Next.js 16 proxy pattern with BetterAuth for protected routes (`/chat`, `/dashboard`, `/profile`)
+
+4. **API Authentication** - Add session validation to `/api/chat` endpoint to prevent unauthorized API usage
+
+5. **Documentation Consistency** - Update `docs/technical/ai/streaming.md` to use `@openrouter/ai-sdk-provider` instead of `@ai-sdk/openai`
+
+6. **Next.js Version References** - Update all "Next.js 15" references to "Next.js 16" across 14 files
+
+### 2. Core UX Components (High Priority)
+
+1. **Error Handling UI**
+   - Global error boundary (`src/app/error.tsx`)
+   - Custom 404 page (`src/app/not-found.tsx`)
+   - Chat-specific error handling (`src/app/chat/error.tsx`)
+
+2. **Loading States**
+   - Skeleton component (`src/components/ui/skeleton.tsx`)
+   - Loading spinner (`src/components/ui/spinner.tsx`)
+   - Chat loading skeleton (`src/app/chat/loading.tsx`)
+   - Dashboard loading skeleton (`src/app/dashboard/loading.tsx`)
+
+3. **Toast Notifications**
+   - Install shadcn Sonner component
+   - Add Toaster to layout
+
+4. **Chat UX Improvements**
+   - Message timestamps
+   - Copy-to-clipboard for AI responses
+   - Typing/thinking indicator during streaming
+   - Error display for API failures
+   - Message persistence (localStorage)
+
+5. **Database Indexes** - Add missing indexes on:
+   - `session.user_id`
+   - `session.token`
+   - `account.user_id`
+   - `account(provider_id, account_id)`
+   - `user.email`
+
+6. **Form Components**
+   - Input component (`src/components/ui/input.tsx`)
+   - Textarea component (`src/components/ui/textarea.tsx`)
+   - Label component (`src/components/ui/label.tsx`)
+
+### 3. Polish & Security (Medium Priority)
+
+1. **ESLint Enhancement**
+   - Import ordering rules
+   - TypeScript-eslint rules
+   - React hooks exhaustive-deps
+   - no-console warnings
+
+2. **API Hardening**
+   - Rate limiting for chat endpoint
+   - Zod validation for incoming messages
+   - Restrict diagnostics endpoint to admins
+
+3. **SEO Improvements**
+   - Per-page metadata
+   - Open Graph tags
+   - JSON-LD structured data
+   - Sitemap (`src/app/sitemap.ts`)
+   - Robots (`src/app/robots.ts`)
+
+4. **Accessibility**
+   - aria-label on interactive elements
+   - nav role in site header
+   - Proper form labels
+   - Skip-to-content link
+
+5. **TypeScript Strictness**
+   - `noUncheckedIndexedAccess: true`
+   - `noImplicitOverride: true`
+   - `exactOptionalPropertyTypes: true`
+
+### 4. Developer Experience (DevEx)
+
+1. **Prettier Configuration** - Add `.prettierrc` for consistent code formatting
+
+2. **CI/CD Pipeline** - GitHub Actions workflow with:
+   - Lint check
+   - Type check
+   - Build verification
+
+3. **Node Version Pinning** - Add `.nvmrc` for Node 20 LTS
+
+4. **CLI Scripts** - Add helpful package.json scripts:
+   - `validate-env` - Check required environment variables
+   - `check` - Run lint + typecheck in one command
+
+5. **Setup Experience** - Interactive setup script (`scripts/setup.ts`)
+
+6. **File Storage Security**
+   - File type whitelist
+   - File size limits
+   - Filename sanitization
+
+7. **Profile Page** - Enable disabled quick action buttons
+
+## Out of Scope
+
+- Unit testing framework
+- E2E testing framework
+- Dockerfile / container deployment
+- Database seeding
diff --git a/create-agentic-app/template/src/app/api/auth/[...all]/route.ts b/create-agentic-app/template/src/app/api/auth/[...all]/route.ts
index 81724a0..1aa0faf 100644
--- a/create-agentic-app/template/src/app/api/auth/[...all]/route.ts
+++ b/create-agentic-app/template/src/app/api/auth/[...all]/route.ts
@@ -1,4 +1,4 @@
-import { auth } from "@/lib/auth"
 import { toNextJsHandler } from "better-auth/next-js"
+import { auth } from "@/lib/auth"
 
 export const { GET, POST } = toNextJsHandler(auth)
\ No newline at end of file
diff --git a/create-agentic-app/template/src/app/api/chat/route.ts b/create-agentic-app/template/src/app/api/chat/route.ts
index aa5a775..aff9faa 100644
--- a/create-agentic-app/template/src/app/api/chat/route.ts
+++ b/create-agentic-app/template/src/app/api/chat/route.ts
@@ -1,13 +1,85 @@
+import { headers } from "next/headers";
 import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import { streamText, UIMessage, convertToModelMessages } from "ai";
+import { z } from "zod";
+import { auth } from "@/lib/auth";
+import {
+  checkRateLimit,
+  createRateLimitResponse,
+  rateLimitConfigs,
+} from "@/lib/rate-limit";
+
+// Zod schema for message validation
+const messagePartSchema = z.object({
+  type: z.string(),
+  text: z.string().max(10000, "Message text too long").optional(),
+});
+
+const messageSchema = z.object({
+  id: z.string().optional(),
+  role: z.enum(["user", "assistant", "system"]),
+  parts: z.array(messagePartSchema).optional(),
+  content: z.union([z.string(), z.array(messagePartSchema)]).optional(),
+});
+
+const chatRequestSchema = z.object({
+  messages: z.array(messageSchema).max(100, "Too many messages"),
+});
 
 export async function POST(req: Request) {
-  const { messages }: { messages: UIMessage[] } = await req.json();
+  // Verify user is authenticated
+  const session = await auth.api.getSession({ headers: await headers() });
+  if (!session) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+
+  // Rate limiting by user ID
+  const rateLimitKey = `chat:${session.user.id}`;
+  const rateLimit = checkRateLimit(rateLimitKey, rateLimitConfigs.chat);
+  if (!rateLimit.allowed) {
+    return createRateLimitResponse(rateLimit.resetTime);
+  }
+
+  // Parse and validate request body
+  let body: unknown;
+  try {
+    body = await req.json();
+  } catch {
+    return new Response(JSON.stringify({ error: "Invalid JSON" }), {
+      status: 400,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+
+  const parsed = chatRequestSchema.safeParse(body);
+  if (!parsed.success) {
+    return new Response(
+      JSON.stringify({
+        error: "Invalid request",
+        details: parsed.error.flatten().fieldErrors,
+      }),
+      {
+        status: 400,
+        headers: { "Content-Type": "application/json" },
+      }
+    );
+  }
+
+  const { messages }: { messages: UIMessage[] } = parsed.data as { messages: UIMessage[] };
 
   // Initialize OpenRouter with API key from environment
-  const openrouter = createOpenRouter({
-    apiKey: process.env.OPENROUTER_API_KEY,
-  });
+  const apiKey = process.env.OPENROUTER_API_KEY;
+  if (!apiKey) {
+    return new Response(JSON.stringify({ error: "OpenRouter API key not configured" }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+
+  const openrouter = createOpenRouter({ apiKey });
 
   const result = streamText({
     model: openrouter(process.env.OPENROUTER_MODEL || "openai/gpt-5-mini"),
diff --git a/create-agentic-app/template/src/app/api/diagnostics/route.ts b/create-agentic-app/template/src/app/api/diagnostics/route.ts
index f5eabae..580d113 100644
--- a/create-agentic-app/template/src/app/api/diagnostics/route.ts
+++ b/create-agentic-app/template/src/app/api/diagnostics/route.ts
@@ -1,4 +1,6 @@
+import { headers } from "next/headers";
 import { NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
 
 type StatusLevel = "ok" | "warn" | "error";
 
@@ -32,6 +34,14 @@ interface DiagnosticsResponse {
 }
 
 export async function GET(req: Request) {
+  // Require authentication for diagnostics endpoint
+  const session = await auth.api.getSession({ headers: await headers() });
+  if (!session) {
+    return NextResponse.json(
+      { error: "Unauthorized. Please sign in to access diagnostics." },
+      { status: 401 }
+    );
+  }
   const env = {
     POSTGRES_URL: Boolean(process.env.POSTGRES_URL),
     BETTER_AUTH_SECRET: Boolean(process.env.BETTER_AUTH_SECRET),
@@ -137,7 +147,7 @@ export async function GET(req: Request) {
     database: {
       connected: dbConnected,
       schemaApplied,
-      error: dbError,
+      ...(dbError !== undefined && { error: dbError }),
     },
     auth: {
       configured: authConfigured,
diff --git a/create-agentic-app/template/src/app/chat/error.tsx b/create-agentic-app/template/src/app/chat/error.tsx
new file mode 100644
index 0000000..0e5731c
--- /dev/null
+++ b/create-agentic-app/template/src/app/chat/error.tsx
@@ -0,0 +1,46 @@
+"use client";
+
+import { useEffect } from "react";
+import { MessageSquareWarning, RefreshCw } from "lucide-react";
+import { Button } from "@/components/ui/button";
+
+export default function ChatError({
+  error,
+  reset,
+}: {
+  error: Error & { digest?: string };
+  reset: () => void;
+}) {
+  useEffect(() => {
+    console.error("Chat error:", error);
+  }, [error]);
+
+  return (
+    <div className="container mx-auto px-4 py-16">
+      <div className="max-w-md mx-auto text-center">
+        <div className="flex justify-center mb-6">
+          <MessageSquareWarning className="h-16 w-16 text-destructive" />
+        </div>
+        <h1 className="text-2xl font-bold mb-4">Chat Error</h1>
+        <p className="text-muted-foreground mb-6">
+          There was a problem with the chat service. This could be due to a
+          connection issue or the AI service being temporarily unavailable.
+        </p>
+        {error.message && (
+          <p className="text-sm text-muted-foreground mb-4 p-2 bg-muted rounded">
+            {error.message}
+          </p>
+        )}
+        <div className="flex gap-4 justify-center">
+          <Button onClick={reset}>
+            <RefreshCw className="h-4 w-4 mr-2" />
+            Try again
+          </Button>
+          <Button variant="outline" onClick={() => (window.location.href = "/")}>
+            Go home
+          </Button>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/create-agentic-app/template/src/app/chat/loading.tsx b/create-agentic-app/template/src/app/chat/loading.tsx
new file mode 100644
index 0000000..c0c47d4
--- /dev/null
+++ b/create-agentic-app/template/src/app/chat/loading.tsx
@@ -0,0 +1,42 @@
+import { Skeleton } from "@/components/ui/skeleton";
+
+export default function ChatLoading() {
+  return (
+    <div className="container mx-auto px-4 py-8">
+      <div className="max-w-4xl mx-auto">
+        {/* Header skeleton */}
+        <div className="flex justify-between items-center mb-6 pb-4 border-b">
+          <Skeleton className="h-8 w-32" />
+          <Skeleton className="h-4 w-40" />
+        </div>
+
+        {/* Messages skeleton */}
+        <div className="min-h-[50vh] space-y-4 mb-4">
+          {/* AI message */}
+          <div className="max-w-[80%]">
+            <Skeleton className="h-4 w-12 mb-2" />
+            <Skeleton className="h-20 w-full rounded-lg" />
+          </div>
+
+          {/* User message */}
+          <div className="max-w-[80%] ml-auto">
+            <Skeleton className="h-4 w-12 mb-2 ml-auto" />
+            <Skeleton className="h-12 w-full rounded-lg" />
+          </div>
+
+          {/* AI message */}
+          <div className="max-w-[80%]">
+            <Skeleton className="h-4 w-12 mb-2" />
+            <Skeleton className="h-32 w-full rounded-lg" />
+          </div>
+        </div>
+
+        {/* Input skeleton */}
+        <div className="flex gap-2">
+          <Skeleton className="flex-1 h-10 rounded-md" />
+          <Skeleton className="h-10 w-20 rounded-md" />
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/create-agentic-app/template/src/app/chat/page.tsx b/create-agentic-app/template/src/app/chat/page.tsx
index c77825e..728c540 100644
--- a/create-agentic-app/template/src/app/chat/page.tsx
+++ b/create-agentic-app/template/src/app/chat/page.tsx
@@ -1,11 +1,13 @@
 "use client";
 
+import { useState, useEffect, type ReactNode } from "react";
 import { useChat } from "@ai-sdk/react";
-import { Button } from "@/components/ui/button";
-import { UserProfile } from "@/components/auth/user-profile";
-import { useSession } from "@/lib/auth-client";
-import { useState, type ReactNode } from "react";
+import { Copy, Check, Loader2 } from "lucide-react";
 import ReactMarkdown from "react-markdown";
+import { toast } from "sonner";
+import { UserProfile } from "@/components/auth/user-profile";
+import { Button } from "@/components/ui/button";
+import { useSession } from "@/lib/auth-client";
 import type { Components } from "react-markdown";
 
 const H1: React.FC<React.HTMLAttributes<HTMLHeadingElement>> = (props) => (
@@ -110,6 +112,18 @@ type MaybePartsMessage = {
   content?: TextPart[];
 };
 
+function getMessageText(message: MaybePartsMessage): string {
+  const parts = Array.isArray(message.parts)
+    ? message.parts
+    : Array.isArray(message.content)
+    ? message.content
+    : [];
+  return parts
+    .filter((p) => p?.type === "text" && p.text)
+    .map((p) => p.text)
+    .join("\n");
+}
+
 function renderMessageContent(message: MaybePartsMessage): ReactNode {
   if (message.display) return message.display;
   const parts = Array.isArray(message.parts)
@@ -126,11 +140,93 @@ function renderMessageContent(message: MaybePartsMessage): ReactNode {
   );
 }
 
+function formatTimestamp(date: Date): string {
+  return new Intl.DateTimeFormat("en-US", {
+    hour: "numeric",
+    minute: "2-digit",
+    hour12: true,
+  }).format(date);
+}
+
+function CopyButton({ text }: { text: string }) {
+  const [copied, setCopied] = useState(false);
+
+  const handleCopy = async () => {
+    try {
+      await navigator.clipboard.writeText(text);
+      setCopied(true);
+      toast.success("Copied to clipboard");
+      setTimeout(() => setCopied(false), 2000);
+    } catch {
+      toast.error("Failed to copy");
+    }
+  };
+
+  return (
+    <button
+      onClick={handleCopy}
+      className="p-1 hover:bg-muted rounded transition-colors"
+      title="Copy to clipboard"
+    >
+      {copied ? (
+        <Check className="h-3.5 w-3.5 text-green-500" />
+      ) : (
+        <Copy className="h-3.5 w-3.5 text-muted-foreground" />
+      )}
+    </button>
+  );
+}
+
+function ThinkingIndicator() {
+  return (
+    <div className="flex items-center gap-2 p-3 rounded-lg bg-muted max-w-[80%]">
+      <Loader2 className="h-4 w-4 animate-spin" />
+      <span className="text-sm text-muted-foreground">AI is thinking...</span>
+    </div>
+  );
+}
+
+const STORAGE_KEY = "chat-messages";
+
 export default function ChatPage() {
   const { data: session, isPending } = useSession();
-  const { messages, sendMessage, status } = useChat();
+  const { messages, sendMessage, status, error, setMessages } = useChat({
+    onError: (err) => {
+      toast.error(err.message || "Failed to send message");
+    },
+  });
   const [input, setInput] = useState("");
 
+  // Load messages from localStorage on mount
+  useEffect(() => {
+    if (typeof window !== "undefined") {
+      const saved = localStorage.getItem(STORAGE_KEY);
+      if (saved) {
+        try {
+          const parsed = JSON.parse(saved);
+          if (Array.isArray(parsed) && parsed.length > 0) {
+            setMessages(parsed);
+          }
+        } catch {
+          // Invalid JSON, ignore
+        }
+      }
+    }
+  }, [setMessages]);
+
+  // Save messages to localStorage when they change
+  useEffect(() => {
+    if (typeof window !== "undefined" && messages.length > 0) {
+      localStorage.setItem(STORAGE_KEY, JSON.stringify(messages));
+    }
+  }, [messages]);
+
+  const clearMessages = () => {
+    setMessages([]);
+    localStorage.removeItem(STORAGE_KEY);
+    toast.success("Chat cleared");
+  };
+
   if (isPending) {
     return <div className="container mx-auto px-4 py-12">Loading...</div>;
   }
@@ -145,37 +241,77 @@ export default function ChatPage() {
     );
   }
 
+  const isStreaming = status === "streaming";
+
   return (
     <div className="container mx-auto px-4 py-8">
       <div className="max-w-4xl mx-auto">
         <div className="flex justify-between items-center mb-6 pb-4 border-b">
           <h1 className="text-2xl font-bold">AI Chat</h1>
-          <span className="text-sm text-muted-foreground">
-            Welcome, {session.user.name}!
-          </span>
+          <div className="flex items-center gap-4">
+            <span className="text-sm text-muted-foreground">
+              Welcome, {session.user.name}!
+            </span>
+            {messages.length > 0 && (
+              <Button variant="ghost" size="sm" onClick={clearMessages}>
+                Clear chat
+              </Button>
+            )}
+          </div>
         </div>
 
+        {error && (
+          <div className="mb-4 p-4 bg-destructive/10 border border-destructive/20 rounded-lg">
+            <p className="text-sm text-destructive">
+              Error: {error.message || "Something went wrong"}
+            </p>
+          </div>
+        )}
+
         <div className="min-h-[50vh] overflow-y-auto space-y-4 mb-4">
           {messages.length === 0 && (
-            <div className="text-center text-muted-foreground">
+            <div className="text-center text-muted-foreground py-12">
               Start a conversation with AI
             </div>
           )}
-          {messages.map((message) => (
-            <div
-              key={message.id}
-              className={`p-3 rounded-lg ${
-                message.role === "user"
-                  ? "bg-primary text-primary-foreground ml-auto max-w-[80%]"
-                  : "bg-muted max-w-[80%]"
-              }`}
-            >
-              <div className="text-sm font-medium mb-1">
-                {message.role === "user" ? "You" : "AI"}
+          {messages.map((message) => {
+            const messageText = getMessageText(message as MaybePartsMessage);
+            const createdAt = (message as { createdAt?: Date }).createdAt;
+            const timestamp = createdAt
+              ? formatTimestamp(new Date(createdAt))
+              : null;
+
+            return (
+              <div
+                key={message.id}
+                className={`group p-3 rounded-lg ${
+                  message.role === "user"
+                    ? "bg-primary text-primary-foreground ml-auto max-w-[80%]"
+                    : "bg-muted max-w-[80%]"
+                }`}
+              >
+                <div className="flex items-center justify-between mb-1">
+                  <div className="flex items-center gap-2">
+                    <span className="text-sm font-medium">
+                      {message.role === "user" ? "You" : "AI"}
+                    </span>
+                    {timestamp && (
+                      <span className="text-xs opacity-60">{timestamp}</span>
+                    )}
+                  </div>
+                  {message.role === "assistant" && messageText && (
+                    <div className="opacity-0 group-hover:opacity-100 transition-opacity">
+                      <CopyButton text={messageText} />
+                    </div>
+                  )}
+                </div>
+                <div>{renderMessageContent(message as MaybePartsMessage)}</div>
               </div>
-              <div>{renderMessageContent(message as MaybePartsMessage)}</div>
-            </div>
-          ))}
+            );
+          })}
+          {isStreaming && messages[messages.length - 1]?.role === "user" && (
+            <ThinkingIndicator />
+          )}
         </div>
 
         <form
@@ -193,12 +329,17 @@ export default function ChatPage() {
             onChange={(e) => setInput(e.target.value)}
             placeholder="Type your message..."
             className="flex-1 p-2 border border-border rounded-md focus:outline-none focus:ring-2 focus:ring-ring"
+            disabled={isStreaming}
           />
-          <Button
-            type="submit"
-            disabled={!input.trim() || status === "streaming"}
-          >
-            Send
+          <Button type="submit" disabled={!input.trim() || isStreaming}>
+            {isStreaming ? (
+              <>
+                <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+                Sending
+              </>
+            ) : (
+              "Send"
+            )}
           </Button>
         </form>
       </div>
diff --git a/create-agentic-app/template/src/app/dashboard/loading.tsx b/create-agentic-app/template/src/app/dashboard/loading.tsx
new file mode 100644
index 0000000..3f1811c
--- /dev/null
+++ b/create-agentic-app/template/src/app/dashboard/loading.tsx
@@ -0,0 +1,63 @@
+import { Skeleton } from "@/components/ui/skeleton";
+
+export default function DashboardLoading() {
+  return (
+    <div className="container mx-auto px-4 py-8">
+      <div className="max-w-4xl mx-auto space-y-8">
+        {/* Header */}
+        <div className="space-y-2">
+          <Skeleton className="h-8 w-48" />
+          <Skeleton className="h-4 w-64" />
+        </div>
+
+        {/* Stats cards */}
+        <div className="grid gap-4 md:grid-cols-3">
+          {[1, 2, 3].map((i) => (
+            <div key={i} className="p-6 border rounded-lg">
+              <Skeleton className="h-4 w-24 mb-2" />
+              <Skeleton className="h-8 w-16" />
+            </div>
+          ))}
+        </div>
+
+        {/* Profile card */}
+        <div className="p-6 border rounded-lg space-y-4">
+          <div className="flex items-center gap-4">
+            <Skeleton className="h-16 w-16 rounded-full" />
+            <div className="space-y-2">
+              <Skeleton className="h-5 w-40" />
+              <Skeleton className="h-4 w-56" />
+            </div>
+          </div>
+          <Skeleton className="h-px w-full" />
+          <div className="grid gap-4 md:grid-cols-2">
+            <div className="space-y-2">
+              <Skeleton className="h-4 w-20" />
+              <Skeleton className="h-4 w-32" />
+            </div>
+            <div className="space-y-2">
+              <Skeleton className="h-4 w-20" />
+              <Skeleton className="h-4 w-32" />
+            </div>
+          </div>
+        </div>
+
+        {/* Recent activity */}
+        <div className="space-y-4">
+          <Skeleton className="h-6 w-36" />
+          <div className="space-y-3">
+            {[1, 2, 3].map((i) => (
+              <div key={i} className="flex items-center gap-4 p-4 border rounded-lg">
+                <Skeleton className="h-10 w-10 rounded-full" />
+                <div className="flex-1 space-y-2">
+                  <Skeleton className="h-4 w-3/4" />
+                  <Skeleton className="h-3 w-1/2" />
+                </div>
+              </div>
+            ))}
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/create-agentic-app/template/src/app/dashboard/page.tsx b/create-agentic-app/template/src/app/dashboard/page.tsx
index 49cd1b6..c4018cc 100644
--- a/create-agentic-app/template/src/app/dashboard/page.tsx
+++ b/create-agentic-app/template/src/app/dashboard/page.tsx
@@ -1,11 +1,11 @@
 "use client";
 
-import { useSession } from "@/lib/auth-client";
+import Link from "next/link";
+import { Lock } from "lucide-react";
 import { UserProfile } from "@/components/auth/user-profile";
 import { Button } from "@/components/ui/button";
-import { Lock } from "lucide-react";
 import { useDiagnostics } from "@/hooks/use-diagnostics";
-import Link from "next/link";
+import { useSession } from "@/lib/auth-client";
 
 export default function DashboardPage() {
   const { data: session, isPending } = useSession();
diff --git a/create-agentic-app/template/src/app/error.tsx b/create-agentic-app/template/src/app/error.tsx
new file mode 100644
index 0000000..45fcc5b
--- /dev/null
+++ b/create-agentic-app/template/src/app/error.tsx
@@ -0,0 +1,44 @@
+"use client";
+
+import { useEffect } from "react";
+import { AlertCircle } from "lucide-react";
+import { Button } from "@/components/ui/button";
+
+export default function Error({
+  error,
+  reset,
+}: {
+  error: Error & { digest?: string };
+  reset: () => void;
+}) {
+  useEffect(() => {
+    // Log the error to an error reporting service
+    console.error("Application error:", error);
+  }, [error]);
+
+  return (
+    <div className="container mx-auto px-4 py-16">
+      <div className="max-w-md mx-auto text-center">
+        <div className="flex justify-center mb-6">
+          <AlertCircle className="h-16 w-16 text-destructive" />
+        </div>
+        <h1 className="text-2xl font-bold mb-4">Something went wrong</h1>
+        <p className="text-muted-foreground mb-6">
+          An unexpected error occurred. Please try again or contact support if
+          the problem persists.
+        </p>
+        {error.digest && (
+          <p className="text-xs text-muted-foreground mb-4">
+            Error ID: {error.digest}
+          </p>
+        )}
+        <div className="flex gap-4 justify-center">
+          <Button onClick={reset}>Try again</Button>
+          <Button variant="outline" onClick={() => (window.location.href = "/")}>
+            Go home
+          </Button>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/create-agentic-app/template/src/app/layout.tsx b/create-agentic-app/template/src/app/layout.tsx
index e9dd733..d6d9c4f 100644
--- a/create-agentic-app/template/src/app/layout.tsx
+++ b/create-agentic-app/template/src/app/layout.tsx
@@ -1,9 +1,10 @@
-import { ThemeProvider } from "@/components/theme-provider";
-import type { Metadata } from "next";
 import { Geist, Geist_Mono } from "next/font/google";
 import "./globals.css";
-import { SiteHeader } from "@/components/site-header";
 import { SiteFooter } from "@/components/site-footer";
+import { SiteHeader } from "@/components/site-header";
+import { ThemeProvider } from "@/components/theme-provider";
+import { Toaster } from "@/components/ui/sonner";
+import type { Metadata } from "next";
 
 const geistSans = Geist({
   variable: "--font-geist-sans",
@@ -16,9 +17,62 @@ const geistMono = Geist_Mono({
 });
 
 export const metadata: Metadata = {
-  title: "Agentic Coding Boilerplate",
+  title: {
+    default: "Agentic Coding Boilerplate",
+    template: "%s | Agentic Coding Boilerplate",
+  },
   description:
     "Complete agentic coding boilerplate with authentication, database, AI integration, and modern tooling - perfect for building AI-powered applications and autonomous agents by Leon van Zyl",
+  keywords: [
+    "Next.js",
+    "React",
+    "TypeScript",
+    "AI",
+    "OpenRouter",
+    "Boilerplate",
+    "Authentication",
+    "PostgreSQL",
+  ],
+  authors: [{ name: "Leon van Zyl" }],
+  creator: "Leon van Zyl",
+  openGraph: {
+    type: "website",
+    locale: "en_US",
+    siteName: "Agentic Coding Boilerplate",
+    title: "Agentic Coding Boilerplate",
+    description:
+      "Complete agentic coding boilerplate with authentication, database, AI integration, and modern tooling",
+  },
+  twitter: {
+    card: "summary_large_image",
+    title: "Agentic Coding Boilerplate",
+    description:
+      "Complete agentic coding boilerplate with authentication, database, AI integration, and modern tooling",
+  },
+  robots: {
+    index: true,
+    follow: true,
+  },
+};
+
+// JSON-LD structured data for SEO
+const jsonLd = {
+  "@context": "https://schema.org",
+  "@type": "WebApplication",
+  name: "Agentic Coding Boilerplate",
+  description:
+    "Complete agentic coding boilerplate with authentication, database, AI integration, and modern tooling",
+  applicationCategory: "DeveloperApplication",
+  operatingSystem: "Any",
+  offers: {
+    "@type": "Offer",
+    price: "0",
+    priceCurrency: "USD",
+  },
+  author: {
+    "@type": "Person",
+    name: "Leon van Zyl",
+  },
 };
 
 export default function RootLayout({
@@ -28,6 +82,12 @@ export default function RootLayout({
 }>) {
   return (
     <html lang="en" suppressHydrationWarning>
+      <head>
+        <script
+          type="application/ld+json"
+          dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLd) }}
+        />
+      </head>
       <body
         className={`${geistSans.variable} ${geistMono.variable} antialiased`}
       >
@@ -38,8 +98,9 @@ export default function RootLayout({
           disableTransitionOnChange
         >
           <SiteHeader />
-          {children}
+          <main id="main-content">{children}</main>
           <SiteFooter />
+          <Toaster richColors position="top-right" />
         </ThemeProvider>
       </body>
     </html>
diff --git a/create-agentic-app/template/src/app/manifest.ts b/create-agentic-app/template/src/app/manifest.ts
new file mode 100644
index 0000000..666d533
--- /dev/null
+++ b/create-agentic-app/template/src/app/manifest.ts
@@ -0,0 +1,21 @@
+import type { MetadataRoute } from "next";
+
+export default function manifest(): MetadataRoute.Manifest {
+  return {
+    name: "Agentic Coding Boilerplate",
+    short_name: "Agentic",
+    description:
+      "Complete agentic coding boilerplate with authentication, database, AI integration, and modern tooling",
+    start_url: "/",
+    display: "standalone",
+    background_color: "#ffffff",
+    theme_color: "#000000",
+    icons: [
+      {
+        src: "/favicon.ico",
+        sizes: "any",
+        type: "image/x-icon",
+      },
+    ],
+  };
+}
diff --git a/create-agentic-app/template/src/app/not-found.tsx b/create-agentic-app/template/src/app/not-found.tsx
new file mode 100644
index 0000000..4a9dd1d
--- /dev/null
+++ b/create-agentic-app/template/src/app/not-found.tsx
@@ -0,0 +1,28 @@
+import Link from "next/link";
+import { FileQuestion } from "lucide-react";
+import { Button } from "@/components/ui/button";
+
+export default function NotFound() {
+  return (
+    <div className="container mx-auto px-4 py-16">
+      <div className="max-w-md mx-auto text-center">
+        <div className="flex justify-center mb-6">
+          <FileQuestion className="h-16 w-16 text-muted-foreground" />
+        </div>
+        <h1 className="text-4xl font-bold mb-4">404</h1>
+        <h2 className="text-xl font-semibold mb-4">Page Not Found</h2>
+        <p className="text-muted-foreground mb-6">
+          The page you&apos;re looking for doesn&apos;t exist or has been moved.
+        </p>
+        <div className="flex gap-4 justify-center">
+          <Button asChild>
+            <Link href="/">Go home</Link>
+          </Button>
+          <Button variant="outline" asChild>
+            <Link href="/dashboard">Dashboard</Link>
+          </Button>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/create-agentic-app/template/src/app/page.tsx b/create-agentic-app/template/src/app/page.tsx
index 7583baa..94b9c8e 100644
--- a/create-agentic-app/template/src/app/page.tsx
+++ b/create-agentic-app/template/src/app/page.tsx
@@ -1,11 +1,11 @@
 "use client";
 
 import Link from "next/link";
-import { Button } from "@/components/ui/button";
-import { SetupChecklist } from "@/components/setup-checklist";
-import { useDiagnostics } from "@/hooks/use-diagnostics";
-import { StarterPromptModal } from "@/components/starter-prompt-modal";
 import { Video, Shield, Database, Palette, Bot } from "lucide-react";
+import { SetupChecklist } from "@/components/setup-checklist";
+import { StarterPromptModal } from "@/components/starter-prompt-modal";
+import { Button } from "@/components/ui/button";
+import { useDiagnostics } from "@/hooks/use-diagnostics";
 
 export default function Home() {
   const { isAuthReady, isAiReady, loading } = useDiagnostics();
diff --git a/create-agentic-app/template/src/app/profile/page.tsx b/create-agentic-app/template/src/app/profile/page.tsx
index b8d6cf1..6a7870e 100644
--- a/create-agentic-app/template/src/app/profile/page.tsx
+++ b/create-agentic-app/template/src/app/profile/page.tsx
@@ -1,17 +1,37 @@
 "use client";
 
-import { useSession } from "@/lib/auth-client";
-import { Avatar, AvatarImage, AvatarFallback } from "@/components/ui/avatar";
-import { Button } from "@/components/ui/button";
-import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
-import { Badge } from "@/components/ui/badge";
-import { Separator } from "@/components/ui/separator";
-import { Mail, Calendar, User, Shield, ArrowLeft } from "lucide-react";
+import { useState } from "react";
 import { useRouter } from "next/navigation";
+import { Mail, Calendar, User, Shield, ArrowLeft, Lock, Smartphone } from "lucide-react";
+import { toast } from "sonner";
+import { Avatar, AvatarImage, AvatarFallback } from "@/components/ui/avatar";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "@/components/ui/card";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { Separator } from "@/components/ui/separator";
+import { useSession } from "@/lib/auth-client";
 
 export default function ProfilePage() {
   const { data: session, isPending } = useSession();
   const router = useRouter();
+  const [editProfileOpen, setEditProfileOpen] = useState(false);
+  const [securityOpen, setSecurityOpen] = useState(false);
+  const [emailPrefsOpen, setEmailPrefsOpen] = useState(false);
 
   if (isPending) {
     return (
@@ -27,11 +47,20 @@ export default function ProfilePage() {
   }
 
   const user = session.user;
-  const createdDate = user.createdAt ? new Date(user.createdAt).toLocaleDateString('en-US', {
-    year: 'numeric',
-    month: 'long',
-    day: 'numeric'
-  }) : null;
+  const createdDate = user.createdAt
+    ? new Date(user.createdAt).toLocaleDateString("en-US", {
+        year: "numeric",
+        month: "long",
+        day: "numeric",
+      })
+    : null;
+
+  const handleEditProfileSubmit = (e: React.FormEvent<HTMLFormElement>) => {
+    e.preventDefault();
+    // In a real app, this would call an API to update the user profile
+    toast.info("Profile updates require backend implementation");
+    setEditProfileOpen(false);
+  };
 
   return (
     <div className="container max-w-4xl mx-auto py-8 px-4">
@@ -60,11 +89,7 @@ export default function ProfilePage() {
                   referrerPolicy="no-referrer"
                 />
                 <AvatarFallback className="text-lg">
-                  {(
-                    user.name?.[0] ||
-                    user.email?.[0] ||
-                    "U"
-                  ).toUpperCase()}
+                  {(user.name?.[0] || user.email?.[0] || "U").toUpperCase()}
                 </AvatarFallback>
               </Avatar>
               <div className="space-y-2">
@@ -73,7 +98,10 @@ export default function ProfilePage() {
                   <Mail className="h-4 w-4" />
                   <span>{user.email}</span>
                   {user.emailVerified && (
-                    <Badge variant="outline" className="text-green-600 border-green-600">
+                    <Badge
+                      variant="outline"
+                      className="text-green-600 border-green-600"
+                    >
                       <Shield className="h-3 w-3 mr-1" />
                       Verified
                     </Badge>
@@ -94,9 +122,7 @@ export default function ProfilePage() {
         <Card>
           <CardHeader>
             <CardTitle>Account Information</CardTitle>
-            <CardDescription>
-              Your account details and settings
-            </CardDescription>
+            <CardDescription>Your account details and settings</CardDescription>
           </CardHeader>
           <CardContent className="space-y-6">
             <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
@@ -115,16 +141,19 @@ export default function ProfilePage() {
                 <div className="p-3 border rounded-md bg-muted/10 flex items-center justify-between">
                   <span>{user.email}</span>
                   {user.emailVerified && (
-                    <Badge variant="outline" className="text-green-600 border-green-600">
+                    <Badge
+                      variant="outline"
+                      className="text-green-600 border-green-600"
+                    >
                       Verified
                     </Badge>
                   )}
                 </div>
               </div>
             </div>
-            
+
             <Separator />
-            
+
             <div className="space-y-4">
               <h3 className="text-lg font-medium">Account Status</h3>
               <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
@@ -171,7 +200,10 @@ export default function ProfilePage() {
                     <p className="text-sm text-muted-foreground">Active now</p>
                   </div>
                 </div>
-                <Badge variant="outline" className="text-green-600 border-green-600">
+                <Badge
+                  variant="outline"
+                  className="text-green-600 border-green-600"
+                >
                   Active
                 </Badge>
               </div>
@@ -189,34 +221,195 @@ export default function ProfilePage() {
           </CardHeader>
           <CardContent>
             <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
-              <Button variant="outline" className="justify-start h-auto p-4" disabled>
+              <Button
+                variant="outline"
+                className="justify-start h-auto p-4"
+                onClick={() => setEditProfileOpen(true)}
+              >
                 <User className="h-4 w-4 mr-2" />
                 <div className="text-left">
                   <div className="font-medium">Edit Profile</div>
-                  <div className="text-xs text-muted-foreground">Update your information</div>
+                  <div className="text-xs text-muted-foreground">
+                    Update your information
+                  </div>
                 </div>
               </Button>
-              <Button variant="outline" className="justify-start h-auto p-4" disabled>
+              <Button
+                variant="outline"
+                className="justify-start h-auto p-4"
+                onClick={() => setSecurityOpen(true)}
+              >
                 <Shield className="h-4 w-4 mr-2" />
                 <div className="text-left">
                   <div className="font-medium">Security Settings</div>
-                  <div className="text-xs text-muted-foreground">Manage security options</div>
+                  <div className="text-xs text-muted-foreground">
+                    Manage security options
+                  </div>
                 </div>
               </Button>
-              <Button variant="outline" className="justify-start h-auto p-4" disabled>
+              <Button
+                variant="outline"
+                className="justify-start h-auto p-4"
+                onClick={() => setEmailPrefsOpen(true)}
+              >
                 <Mail className="h-4 w-4 mr-2" />
                 <div className="text-left">
                   <div className="font-medium">Email Preferences</div>
-                  <div className="text-xs text-muted-foreground">Configure notifications</div>
+                  <div className="text-xs text-muted-foreground">
+                    Configure notifications
+                  </div>
                 </div>
               </Button>
             </div>
-            <p className="text-xs text-muted-foreground mt-4">
-              Additional profile management features coming soon.
-            </p>
           </CardContent>
         </Card>
       </div>
+
+      {/* Edit Profile Dialog */}
+      <Dialog open={editProfileOpen} onOpenChange={setEditProfileOpen}>
+        <DialogContent className="sm:max-w-[425px]">
+          <DialogHeader>
+            <DialogTitle>Edit Profile</DialogTitle>
+            <DialogDescription>
+              Update your profile information. Changes will be saved to your
+              account.
+            </DialogDescription>
+          </DialogHeader>
+          <form onSubmit={handleEditProfileSubmit} className="space-y-4">
+            <div className="space-y-2">
+              <Label htmlFor="name">Full Name</Label>
+              <Input
+                id="name"
+                defaultValue={user.name || ""}
+                placeholder="Enter your name"
+              />
+            </div>
+            <div className="space-y-2">
+              <Label htmlFor="email">Email</Label>
+              <Input
+                id="email"
+                type="email"
+                defaultValue={user.email || ""}
+                disabled
+                className="bg-muted"
+              />
+              <p className="text-xs text-muted-foreground">
+                Email cannot be changed for OAuth accounts
+              </p>
+            </div>
+            <div className="flex justify-end gap-2 pt-4">
+              <Button
+                type="button"
+                variant="outline"
+                onClick={() => setEditProfileOpen(false)}
+              >
+                Cancel
+              </Button>
+              <Button type="submit">Save Changes</Button>
+            </div>
+          </form>
+        </DialogContent>
+      </Dialog>
+
+      {/* Security Settings Dialog */}
+      <Dialog open={securityOpen} onOpenChange={setSecurityOpen}>
+        <DialogContent className="sm:max-w-[500px]">
+          <DialogHeader>
+            <DialogTitle>Security Settings</DialogTitle>
+            <DialogDescription>
+              Manage your account security and authentication options.
+            </DialogDescription>
+          </DialogHeader>
+          <div className="space-y-4">
+            <div className="flex items-center justify-between p-4 border rounded-lg">
+              <div className="flex items-center gap-3">
+                <Lock className="h-5 w-5 text-muted-foreground" />
+                <div>
+                  <p className="font-medium">Password</p>
+                  <p className="text-sm text-muted-foreground">
+                    {user.email?.includes("@gmail")
+                      ? "Managed by Google"
+                      : "Set a password for your account"}
+                  </p>
+                </div>
+              </div>
+              <Badge variant="outline">
+                {user.email?.includes("@gmail") ? "OAuth" : "Not Set"}
+              </Badge>
+            </div>
+
+            <div className="flex items-center justify-between p-4 border rounded-lg">
+              <div className="flex items-center gap-3">
+                <Smartphone className="h-5 w-5 text-muted-foreground" />
+                <div>
+                  <p className="font-medium">Two-Factor Authentication</p>
+                  <p className="text-sm text-muted-foreground">
+                    Add an extra layer of security
+                  </p>
+                </div>
+              </div>
+              <Button variant="outline" size="sm" disabled>
+                Coming Soon
+              </Button>
+            </div>
+
+            <div className="flex items-center justify-between p-4 border rounded-lg">
+              <div className="flex items-center gap-3">
+                <Shield className="h-5 w-5 text-muted-foreground" />
+                <div>
+                  <p className="font-medium">Active Sessions</p>
+                  <p className="text-sm text-muted-foreground">
+                    Manage devices logged into your account
+                  </p>
+                </div>
+              </div>
+              <Badge variant="default">1 Active</Badge>
+            </div>
+          </div>
+          <div className="flex justify-end pt-4">
+            <Button variant="outline" onClick={() => setSecurityOpen(false)}>
+              Close
+            </Button>
+          </div>
+        </DialogContent>
+      </Dialog>
+
+      {/* Email Preferences Dialog */}
+      <Dialog open={emailPrefsOpen} onOpenChange={setEmailPrefsOpen}>
+        <DialogContent className="sm:max-w-[425px]">
+          <DialogHeader>
+            <DialogTitle>Email Preferences</DialogTitle>
+            <DialogDescription>
+              Configure your email notification settings.
+            </DialogDescription>
+          </DialogHeader>
+          <div className="space-y-4">
+            <div className="flex items-center justify-between p-4 border rounded-lg">
+              <div>
+                <p className="font-medium">Marketing Emails</p>
+                <p className="text-sm text-muted-foreground">
+                  Product updates and announcements
+                </p>
+              </div>
+              <Badge variant="secondary">Coming Soon</Badge>
+            </div>
+            <div className="flex items-center justify-between p-4 border rounded-lg">
+              <div>
+                <p className="font-medium">Security Alerts</p>
+                <p className="text-sm text-muted-foreground">
+                  Important security notifications
+                </p>
+              </div>
+              <Badge variant="default">Always On</Badge>
+            </div>
+          </div>
+          <div className="flex justify-end pt-4">
+            <Button variant="outline" onClick={() => setEmailPrefsOpen(false)}>
+              Close
+            </Button>
+          </div>
+        </DialogContent>
+      </Dialog>
     </div>
   );
-}
\ No newline at end of file
+}
diff --git a/create-agentic-app/template/src/app/robots.ts b/create-agentic-app/template/src/app/robots.ts
new file mode 100644
index 0000000..05dc8d5
--- /dev/null
+++ b/create-agentic-app/template/src/app/robots.ts
@@ -0,0 +1,16 @@
+import type { MetadataRoute } from "next";
+
+export default function robots(): MetadataRoute.Robots {
+  const baseUrl = process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000";
+
+  return {
+    rules: [
+      {
+        userAgent: "*",
+        allow: "/",
+        disallow: ["/api/", "/dashboard/", "/profile/", "/chat/"],
+      },
+    ],
+    sitemap: `${baseUrl}/sitemap.xml`,
+  };
+}
diff --git a/create-agentic-app/template/src/app/sitemap.ts b/create-agentic-app/template/src/app/sitemap.ts
new file mode 100644
index 0000000..2c17a46
--- /dev/null
+++ b/create-agentic-app/template/src/app/sitemap.ts
@@ -0,0 +1,26 @@
+import type { MetadataRoute } from "next";
+
+export default function sitemap(): MetadataRoute.Sitemap {
+  const baseUrl = process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000";
+
+  return [
+    {
+      url: baseUrl,
+      lastModified: new Date(),
+      changeFrequency: "monthly",
+      priority: 1,
+    },
+    {
+      url: `${baseUrl}/dashboard`,
+      lastModified: new Date(),
+      changeFrequency: "weekly",
+      priority: 0.8,
+    },
+    {
+      url: `${baseUrl}/chat`,
+      lastModified: new Date(),
+      changeFrequency: "weekly",
+      priority: 0.8,
+    },
+  ];
+}
diff --git a/create-agentic-app/template/src/components/auth/sign-in-button.tsx b/create-agentic-app/template/src/components/auth/sign-in-button.tsx
index c868156..7bed448 100644
--- a/create-agentic-app/template/src/components/auth/sign-in-button.tsx
+++ b/create-agentic-app/template/src/components/auth/sign-in-button.tsx
@@ -1,7 +1,7 @@
 "use client";
 
-import { signIn, useSession } from "@/lib/auth-client";
 import { Button } from "@/components/ui/button";
+import { signIn, useSession } from "@/lib/auth-client";
 
 export function SignInButton() {
   const { data: session, isPending } = useSession();
diff --git a/create-agentic-app/template/src/components/auth/sign-out-button.tsx b/create-agentic-app/template/src/components/auth/sign-out-button.tsx
index 484ea6b..ae162ed 100644
--- a/create-agentic-app/template/src/components/auth/sign-out-button.tsx
+++ b/create-agentic-app/template/src/components/auth/sign-out-button.tsx
@@ -1,8 +1,8 @@
 "use client";
 
-import { signOut, useSession } from "@/lib/auth-client";
-import { Button } from "@/components/ui/button";
 import { useRouter } from "next/navigation";
+import { Button } from "@/components/ui/button";
+import { signOut, useSession } from "@/lib/auth-client";
 
 export function SignOutButton() {
   const { data: session, isPending } = useSession();
diff --git a/create-agentic-app/template/src/components/auth/user-profile.tsx b/create-agentic-app/template/src/components/auth/user-profile.tsx
index 00556d0..34f0ec5 100644
--- a/create-agentic-app/template/src/components/auth/user-profile.tsx
+++ b/create-agentic-app/template/src/components/auth/user-profile.tsx
@@ -1,7 +1,8 @@
 "use client";
 
-import { useSession, signOut } from "@/lib/auth-client";
-import { SignInButton } from "./sign-in-button";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
+import { User, LogOut } from "lucide-react";
 import { Avatar, AvatarImage, AvatarFallback } from "@/components/ui/avatar";
 import {
   DropdownMenu,
@@ -11,9 +12,8 @@ import {
   DropdownMenuSeparator,
   DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu";
-import Link from "next/link";
-import { useRouter } from "next/navigation";
-import { User, LogOut } from "lucide-react";
+import { useSession, signOut } from "@/lib/auth-client";
+import { SignInButton } from "./sign-in-button";
 
 export function UserProfile() {
   const { data: session, isPending } = useSession();
diff --git a/create-agentic-app/template/src/components/setup-checklist.tsx b/create-agentic-app/template/src/components/setup-checklist.tsx
index ee5aa4e..ca86052 100644
--- a/create-agentic-app/template/src/components/setup-checklist.tsx
+++ b/create-agentic-app/template/src/components/setup-checklist.tsx
@@ -1,8 +1,8 @@
 "use client";
 
 import { useEffect, useState } from "react";
-import { Button } from "@/components/ui/button";
 import { CheckCircle2, XCircle } from "lucide-react";
+import { Button } from "@/components/ui/button";
 
 type DiagnosticsResponse = {
   timestamp: string;
diff --git a/create-agentic-app/template/src/components/site-header.tsx b/create-agentic-app/template/src/components/site-header.tsx
index 99c4173..a6fe4eb 100644
--- a/create-agentic-app/template/src/components/site-header.tsx
+++ b/create-agentic-app/template/src/components/site-header.tsx
@@ -1,30 +1,46 @@
 import Link from "next/link";
+import { Bot } from "lucide-react";
 import { UserProfile } from "@/components/auth/user-profile";
 import { ModeToggle } from "./ui/mode-toggle";
-import { Bot } from "lucide-react";
 
 export function SiteHeader() {
   return (
-    <header className="border-b">
-      <div className="container mx-auto px-4 py-4 flex justify-between items-center">
-        <h1 className="text-2xl font-bold">
-          <Link
-            href="/"
-            className="flex items-center gap-2 text-primary hover:text-primary/80 transition-colors"
-          >
-            <div className="flex items-center justify-center w-8 h-8 rounded-lg bg-primary/10">
-              <Bot className="h-5 w-5" />
-            </div>
-            <span className="bg-gradient-to-r from-primary to-primary/70 bg-clip-text text-transparent">
-              Starter Kit
-            </span>
-          </Link>
-        </h1>
-        <div className="flex items-center gap-4">
-          <UserProfile />
-          <ModeToggle />
-        </div>
-      </div>
-    </header>
+    <>
+      {/* Skip to main content link for accessibility */}
+      <a
+        href="#main-content"
+        className="sr-only focus:not-sr-only focus:absolute focus:top-4 focus:left-4 focus:z-50 focus:px-4 focus:py-2 focus:bg-background focus:text-foreground focus:border focus:rounded-md"
+      >
+        Skip to main content
+      </a>
+      <header className="border-b" role="banner">
+        <nav
+          className="container mx-auto px-4 py-4 flex justify-between items-center"
+          aria-label="Main navigation"
+        >
+          <h1 className="text-2xl font-bold">
+            <Link
+              href="/"
+              className="flex items-center gap-2 text-primary hover:text-primary/80 transition-colors"
+              aria-label="Starter Kit - Go to homepage"
+            >
+              <div
+                className="flex items-center justify-center w-8 h-8 rounded-lg bg-primary/10"
+                aria-hidden="true"
+              >
+                <Bot className="h-5 w-5" />
+              </div>
+              <span className="bg-gradient-to-r from-primary to-primary/70 bg-clip-text text-transparent">
+                Starter Kit
+              </span>
+            </Link>
+          </h1>
+          <div className="flex items-center gap-4" role="group" aria-label="User actions">
+            <UserProfile />
+            <ModeToggle />
+          </div>
+        </nav>
+      </header>
+    </>
   );
 }
diff --git a/create-agentic-app/template/src/components/starter-prompt-modal.tsx b/create-agentic-app/template/src/components/starter-prompt-modal.tsx
index e3b7c51..90636da 100644
--- a/create-agentic-app/template/src/components/starter-prompt-modal.tsx
+++ b/create-agentic-app/template/src/components/starter-prompt-modal.tsx
@@ -1,6 +1,7 @@
 "use client";
 
 import { useState } from "react";
+import { Copy, Check } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import {
   Dialog,
@@ -10,7 +11,6 @@ import {
   DialogTitle,
   DialogTrigger,
 } from "@/components/ui/dialog";
-import { Copy, Check } from "lucide-react";
 
 const STARTER_PROMPT = `I'm working with an agentic coding boilerplate project that includes authentication, database integration, and AI capabilities. Here's what's already set up:
 
@@ -50,7 +50,7 @@ The only things to preserve are:
 - **Build and development scripts** (keep all npm/pnpm scripts in package.json)
 
 ## Tech Stack
-- Next.js 15 with App Router
+- Next.js 16 with App Router
 - TypeScript
 - Tailwind CSS
 - Better Auth for authentication
diff --git a/create-agentic-app/template/src/components/ui/avatar.tsx b/create-agentic-app/template/src/components/ui/avatar.tsx
index 71e428b..34e95d1 100644
--- a/create-agentic-app/template/src/components/ui/avatar.tsx
+++ b/create-agentic-app/template/src/components/ui/avatar.tsx
@@ -2,7 +2,6 @@
 
 import * as React from "react"
 import * as AvatarPrimitive from "@radix-ui/react-avatar"
-
 import { cn } from "@/lib/utils"
 
 function Avatar({
diff --git a/create-agentic-app/template/src/components/ui/badge.tsx b/create-agentic-app/template/src/components/ui/badge.tsx
index 12daad7..76d3397 100644
--- a/create-agentic-app/template/src/components/ui/badge.tsx
+++ b/create-agentic-app/template/src/components/ui/badge.tsx
@@ -1,6 +1,5 @@
 import * as React from "react"
 import { cva, type VariantProps } from "class-variance-authority"
-
 import { cn } from "@/lib/utils"
 
 const badgeVariants = cva(
diff --git a/create-agentic-app/template/src/components/ui/button.tsx b/create-agentic-app/template/src/components/ui/button.tsx
index c77c1b4..48a5340 100644
--- a/create-agentic-app/template/src/components/ui/button.tsx
+++ b/create-agentic-app/template/src/components/ui/button.tsx
@@ -1,7 +1,6 @@
 import * as React from "react"
 import { Slot } from "@radix-ui/react-slot"
 import { cva, type VariantProps } from "class-variance-authority"
-
 import { cn } from "@/lib/utils"
 
 const buttonVariants = cva(
diff --git a/create-agentic-app/template/src/components/ui/card.tsx b/create-agentic-app/template/src/components/ui/card.tsx
index 938aa22..8fce582 100644
--- a/create-agentic-app/template/src/components/ui/card.tsx
+++ b/create-agentic-app/template/src/components/ui/card.tsx
@@ -1,5 +1,4 @@
 import * as React from "react"
-
 import { cn } from "@/lib/utils"
 
 const Card = React.forwardRef<
diff --git a/create-agentic-app/template/src/components/ui/dialog.tsx b/create-agentic-app/template/src/components/ui/dialog.tsx
index d9ccec9..adca6fc 100644
--- a/create-agentic-app/template/src/components/ui/dialog.tsx
+++ b/create-agentic-app/template/src/components/ui/dialog.tsx
@@ -3,7 +3,6 @@
 import * as React from "react"
 import * as DialogPrimitive from "@radix-ui/react-dialog"
 import { XIcon } from "lucide-react"
-
 import { cn } from "@/lib/utils"
 
 function Dialog({
diff --git a/create-agentic-app/template/src/components/ui/dropdown-menu.tsx b/create-agentic-app/template/src/components/ui/dropdown-menu.tsx
index ec51e9c..1b0e7c8 100644
--- a/create-agentic-app/template/src/components/ui/dropdown-menu.tsx
+++ b/create-agentic-app/template/src/components/ui/dropdown-menu.tsx
@@ -3,7 +3,6 @@
 import * as React from "react"
 import * as DropdownMenuPrimitive from "@radix-ui/react-dropdown-menu"
 import { CheckIcon, ChevronRightIcon, CircleIcon } from "lucide-react"
-
 import { cn } from "@/lib/utils"
 
 function DropdownMenu({
@@ -85,7 +84,7 @@ function DropdownMenuItem({
 function DropdownMenuCheckboxItem({
   className,
   children,
-  checked,
+  checked = false,
   ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.CheckboxItem>) {
   return (
diff --git a/create-agentic-app/template/src/components/ui/input.tsx b/create-agentic-app/template/src/components/ui/input.tsx
new file mode 100644
index 0000000..824effa
--- /dev/null
+++ b/create-agentic-app/template/src/components/ui/input.tsx
@@ -0,0 +1,20 @@
+import * as React from "react"
+import { cn } from "@/lib/utils"
+
+function Input({ className, type, ...props }: React.ComponentProps<"input">) {
+  return (
+    <input
+      type={type}
+      data-slot="input"
+      className={cn(
+        "file:text-foreground placeholder:text-muted-foreground selection:bg-primary selection:text-primary-foreground dark:bg-input/30 border-input h-9 w-full min-w-0 rounded-md border bg-transparent px-3 py-1 text-base shadow-xs transition-[color,box-shadow] outline-none file:inline-flex file:h-7 file:border-0 file:bg-transparent file:text-sm file:font-medium disabled:pointer-events-none disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
+        "focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px]",
+        "aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export { Input }
diff --git a/create-agentic-app/template/src/components/ui/label.tsx b/create-agentic-app/template/src/components/ui/label.tsx
new file mode 100644
index 0000000..28bffac
--- /dev/null
+++ b/create-agentic-app/template/src/components/ui/label.tsx
@@ -0,0 +1,23 @@
+"use client"
+
+import * as React from "react"
+import * as LabelPrimitive from "@radix-ui/react-label"
+import { cn } from "@/lib/utils"
+
+function Label({
+  className,
+  ...props
+}: React.ComponentProps<typeof LabelPrimitive.Root>) {
+  return (
+    <LabelPrimitive.Root
+      data-slot="label"
+      className={cn(
+        "flex items-center gap-2 text-sm leading-none font-medium select-none group-data-[disabled=true]:pointer-events-none group-data-[disabled=true]:opacity-50 peer-disabled:cursor-not-allowed peer-disabled:opacity-50",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export { Label }
diff --git a/create-agentic-app/template/src/components/ui/mode-toggle.tsx b/create-agentic-app/template/src/components/ui/mode-toggle.tsx
index 2d4bd08..1059cad 100644
--- a/create-agentic-app/template/src/components/ui/mode-toggle.tsx
+++ b/create-agentic-app/template/src/components/ui/mode-toggle.tsx
@@ -1,9 +1,7 @@
 "use client";
 
-import * as React from "react";
 import { Moon, Sun } from "lucide-react";
 import { useTheme } from "next-themes";
-
 import { Button } from "@/components/ui/button";
 import {
   DropdownMenu,
diff --git a/create-agentic-app/template/src/components/ui/separator.tsx b/create-agentic-app/template/src/components/ui/separator.tsx
index 4f1321d..ee88093 100644
--- a/create-agentic-app/template/src/components/ui/separator.tsx
+++ b/create-agentic-app/template/src/components/ui/separator.tsx
@@ -1,5 +1,4 @@
 import * as React from "react"
-
 import { cn } from "@/lib/utils"
 
 interface SeparatorProps extends React.HTMLAttributes<HTMLDivElement> {
diff --git a/create-agentic-app/template/src/components/ui/skeleton.tsx b/create-agentic-app/template/src/components/ui/skeleton.tsx
new file mode 100644
index 0000000..32ea0ef
--- /dev/null
+++ b/create-agentic-app/template/src/components/ui/skeleton.tsx
@@ -0,0 +1,13 @@
+import { cn } from "@/lib/utils"
+
+function Skeleton({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="skeleton"
+      className={cn("bg-accent animate-pulse rounded-md", className)}
+      {...props}
+    />
+  )
+}
+
+export { Skeleton }
diff --git a/create-agentic-app/template/src/components/ui/sonner.tsx b/create-agentic-app/template/src/components/ui/sonner.tsx
new file mode 100644
index 0000000..321419b
--- /dev/null
+++ b/create-agentic-app/template/src/components/ui/sonner.tsx
@@ -0,0 +1,42 @@
+"use client"
+
+import {
+  CircleCheckIcon,
+  InfoIcon,
+  Loader2Icon,
+  OctagonXIcon,
+  TriangleAlertIcon,
+} from "lucide-react"
+import { useTheme } from "next-themes"
+import { Toaster as Sonner, type ToasterProps } from "sonner"
+
+const Toaster = ({ ...props }: ToasterProps) => {
+  const { theme } = useTheme()
+  const resolvedTheme: "system" | "light" | "dark" =
+    theme === "light" || theme === "dark" ? theme : "system"
+
+  return (
+    <Sonner
+      theme={resolvedTheme}
+      className="toaster group"
+      icons={{
+        success: <CircleCheckIcon className="size-4" />,
+        info: <InfoIcon className="size-4" />,
+        warning: <TriangleAlertIcon className="size-4" />,
+        error: <OctagonXIcon className="size-4" />,
+        loading: <Loader2Icon className="size-4 animate-spin" />,
+      }}
+      style={
+        {
+          "--normal-bg": "var(--popover)",
+          "--normal-text": "var(--popover-foreground)",
+          "--normal-border": "var(--border)",
+          "--border-radius": "var(--radius)",
+        } as React.CSSProperties
+      }
+      {...props}
+    />
+  )
+}
+
+export { Toaster }
diff --git a/create-agentic-app/template/src/components/ui/spinner.tsx b/create-agentic-app/template/src/components/ui/spinner.tsx
new file mode 100644
index 0000000..fe94dad
--- /dev/null
+++ b/create-agentic-app/template/src/components/ui/spinner.tsx
@@ -0,0 +1,21 @@
+import { Loader2 } from "lucide-react";
+import { cn } from "@/lib/utils";
+
+interface SpinnerProps {
+  className?: string;
+  size?: "sm" | "md" | "lg";
+}
+
+const sizeClasses = {
+  sm: "h-4 w-4",
+  md: "h-6 w-6",
+  lg: "h-8 w-8",
+};
+
+export function Spinner({ className, size = "md" }: SpinnerProps) {
+  return (
+    <Loader2
+      className={cn("animate-spin text-muted-foreground", sizeClasses[size], className)}
+    />
+  );
+}
diff --git a/create-agentic-app/template/src/components/ui/textarea.tsx b/create-agentic-app/template/src/components/ui/textarea.tsx
new file mode 100644
index 0000000..266e9d2
--- /dev/null
+++ b/create-agentic-app/template/src/components/ui/textarea.tsx
@@ -0,0 +1,17 @@
+import * as React from "react"
+import { cn } from "@/lib/utils"
+
+function Textarea({ className, ...props }: React.ComponentProps<"textarea">) {
+  return (
+    <textarea
+      data-slot="textarea"
+      className={cn(
+        "border-input placeholder:text-muted-foreground focus-visible:border-ring focus-visible:ring-ring/50 aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive dark:bg-input/30 flex field-sizing-content min-h-16 w-full rounded-md border bg-transparent px-3 py-2 text-base shadow-xs transition-[color,box-shadow] outline-none focus-visible:ring-[3px] disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export { Textarea }
diff --git a/create-agentic-app/template/src/lib/env.ts b/create-agentic-app/template/src/lib/env.ts
new file mode 100644
index 0000000..516bec8
--- /dev/null
+++ b/create-agentic-app/template/src/lib/env.ts
@@ -0,0 +1,117 @@
+import { z } from "zod";
+
+/**
+ * Server-side environment variables schema.
+ * These variables are only available on the server.
+ */
+const serverEnvSchema = z.object({
+  // Database
+  POSTGRES_URL: z.string().url("Invalid database URL"),
+
+  // Authentication
+  BETTER_AUTH_SECRET: z
+    .string()
+    .min(32, "BETTER_AUTH_SECRET must be at least 32 characters"),
+
+  // OAuth
+  GOOGLE_CLIENT_ID: z.string().optional(),
+  GOOGLE_CLIENT_SECRET: z.string().optional(),
+
+  // AI
+  OPENROUTER_API_KEY: z.string().optional(),
+  OPENROUTER_MODEL: z.string().default("openai/gpt-5-mini"),
+
+  // Storage
+  BLOB_READ_WRITE_TOKEN: z.string().optional(),
+
+  // App
+  NODE_ENV: z
+    .enum(["development", "production", "test"])
+    .default("development"),
+});
+
+/**
+ * Client-side environment variables schema.
+ * These variables are exposed to the browser via NEXT_PUBLIC_ prefix.
+ */
+const clientEnvSchema = z.object({
+  NEXT_PUBLIC_APP_URL: z.string().url().default("http://localhost:3000"),
+});
+
+export type ServerEnv = z.infer<typeof serverEnvSchema>;
+export type ClientEnv = z.infer<typeof clientEnvSchema>;
+
+/**
+ * Validates and returns server-side environment variables.
+ * Throws an error if validation fails.
+ */
+export function getServerEnv(): ServerEnv {
+  const parsed = serverEnvSchema.safeParse(process.env);
+
+  if (!parsed.success) {
+    console.error(
+      "Invalid server environment variables:",
+      parsed.error.flatten().fieldErrors
+    );
+    throw new Error("Invalid server environment variables");
+  }
+
+  return parsed.data;
+}
+
+/**
+ * Validates and returns client-side environment variables.
+ * Throws an error if validation fails.
+ */
+export function getClientEnv(): ClientEnv {
+  const parsed = clientEnvSchema.safeParse({
+    NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
+  });
+
+  if (!parsed.success) {
+    console.error(
+      "Invalid client environment variables:",
+      parsed.error.flatten().fieldErrors
+    );
+    throw new Error("Invalid client environment variables");
+  }
+
+  return parsed.data;
+}
+
+/**
+ * Checks if required environment variables are set.
+ * Logs warnings for missing optional variables.
+ */
+export function checkEnv(): void {
+  const warnings: string[] = [];
+
+  // Check required variables
+  if (!process.env.POSTGRES_URL) {
+    throw new Error("POSTGRES_URL is required");
+  }
+
+  if (!process.env.BETTER_AUTH_SECRET) {
+    throw new Error("BETTER_AUTH_SECRET is required");
+  }
+
+  // Check optional variables and warn
+  if (!process.env.GOOGLE_CLIENT_ID || !process.env.GOOGLE_CLIENT_SECRET) {
+    warnings.push("Google OAuth is not configured. Social login will be disabled.");
+  }
+
+  if (!process.env.OPENROUTER_API_KEY) {
+    warnings.push("OPENROUTER_API_KEY is not set. AI chat will not work.");
+  }
+
+  if (!process.env.BLOB_READ_WRITE_TOKEN) {
+    warnings.push("BLOB_READ_WRITE_TOKEN is not set. Using local storage for file uploads.");
+  }
+
+  // Log warnings in development
+  if (process.env.NODE_ENV === "development" && warnings.length > 0) {
+    console.warn("\n⚠️  Environment warnings:");
+    warnings.forEach((w) => console.warn(`   - ${w}`));
+    console.warn("");
+  }
+}
diff --git a/create-agentic-app/template/src/lib/rate-limit.ts b/create-agentic-app/template/src/lib/rate-limit.ts
new file mode 100644
index 0000000..d750343
--- /dev/null
+++ b/create-agentic-app/template/src/lib/rate-limit.ts
@@ -0,0 +1,157 @@
+/**
+ * Simple in-memory rate limiter for API routes.
+ * For production, consider using a Redis-based solution.
+ */
+
+interface RateLimitConfig {
+  /** Number of requests allowed in the window */
+  limit: number;
+  /** Time window in milliseconds */
+  windowMs: number;
+}
+
+interface RateLimitEntry {
+  count: number;
+  resetTime: number;
+}
+
+const rateLimitStore = new Map<string, RateLimitEntry>();
+
+/**
+ * Default rate limit configurations for different endpoints.
+ */
+export const rateLimitConfigs = {
+  // AI chat endpoint - more restrictive
+  chat: {
+    limit: 20,
+    windowMs: 60 * 1000, // 20 requests per minute
+  },
+  // Auth endpoints
+  auth: {
+    limit: 10,
+    windowMs: 60 * 1000, // 10 requests per minute
+  },
+  // General API
+  api: {
+    limit: 100,
+    windowMs: 60 * 1000, // 100 requests per minute
+  },
+} as const;
+
+/**
+ * Check if a request should be rate limited.
+ *
+ * @param key - Unique identifier for the client (e.g., IP address, user ID)
+ * @param config - Rate limit configuration
+ * @returns Object with allowed status and remaining requests
+ */
+export function checkRateLimit(
+  key: string,
+  config: RateLimitConfig
+): {
+  allowed: boolean;
+  remaining: number;
+  resetTime: number;
+} {
+  const now = Date.now();
+  const entry = rateLimitStore.get(key);
+
+  // Clean up expired entries periodically
+  if (Math.random() < 0.01) {
+    cleanupExpiredEntries();
+  }
+
+  if (!entry || now > entry.resetTime) {
+    // Create new entry
+    const newEntry: RateLimitEntry = {
+      count: 1,
+      resetTime: now + config.windowMs,
+    };
+    rateLimitStore.set(key, newEntry);
+    return {
+      allowed: true,
+      remaining: config.limit - 1,
+      resetTime: newEntry.resetTime,
+    };
+  }
+
+  if (entry.count >= config.limit) {
+    return {
+      allowed: false,
+      remaining: 0,
+      resetTime: entry.resetTime,
+    };
+  }
+
+  // Increment count
+  entry.count++;
+  return {
+    allowed: true,
+    remaining: config.limit - entry.count,
+    resetTime: entry.resetTime,
+  };
+}
+
+/**
+ * Create a rate limit response with appropriate headers.
+ */
+export function createRateLimitResponse(resetTime: number): Response {
+  const retryAfter = Math.ceil((resetTime - Date.now()) / 1000);
+  return new Response(
+    JSON.stringify({
+      error: "Too Many Requests",
+      message: "Rate limit exceeded. Please try again later.",
+      retryAfter,
+    }),
+    {
+      status: 429,
+      headers: {
+        "Content-Type": "application/json",
+        "Retry-After": String(retryAfter),
+        "X-RateLimit-Reset": String(Math.ceil(resetTime / 1000)),
+      },
+    }
+  );
+}
+
+/**
+ * Get the client identifier from a request.
+ * Uses IP address or forwarded header.
+ */
+export function getClientIdentifier(request: Request): string {
+  const forwarded = request.headers.get("x-forwarded-for");
+  if (forwarded) {
+    const ip = forwarded.split(",")[0];
+    if (ip) {
+      return ip.trim();
+    }
+  }
+  // Fallback to a hash of user-agent if no IP available
+  const userAgent = request.headers.get("user-agent") || "unknown";
+  return `ua-${hashString(userAgent)}`;
+}
+
+/**
+ * Simple string hash for fallback identifier.
+ */
+function hashString(str: string): string {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash).toString(36);
+}
+
+/**
+ * Clean up expired rate limit entries.
+ */
+function cleanupExpiredEntries(): void {
+  const now = Date.now();
+  for (const [key, entry] of rateLimitStore.entries()) {
+    if (now > entry.resetTime) {
+      rateLimitStore.delete(key);
+    }
+  }
+}
diff --git a/create-agentic-app/template/src/lib/schema.ts b/create-agentic-app/template/src/lib/schema.ts
index 112a90d..69ed5f4 100644
--- a/create-agentic-app/template/src/lib/schema.ts
+++ b/create-agentic-app/template/src/lib/schema.ts
@@ -1,52 +1,70 @@
-import { pgTable, text, timestamp, boolean } from "drizzle-orm/pg-core";
+import { pgTable, text, timestamp, boolean, index } from "drizzle-orm/pg-core";
 
-export const user = pgTable("user", {
-  id: text("id").primaryKey(),
-  name: text("name").notNull(),
-  email: text("email").notNull().unique(),
-  emailVerified: boolean("email_verified").default(false).notNull(),
-  image: text("image"),
-  createdAt: timestamp("created_at").defaultNow().notNull(),
-  updatedAt: timestamp("updated_at")
-    .defaultNow()
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-});
+export const user = pgTable(
+  "user",
+  {
+    id: text("id").primaryKey(),
+    name: text("name").notNull(),
+    email: text("email").notNull().unique(),
+    emailVerified: boolean("email_verified").default(false).notNull(),
+    image: text("image"),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .defaultNow()
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [index("user_email_idx").on(table.email)]
+);
 
-export const session = pgTable("session", {
-  id: text("id").primaryKey(),
-  expiresAt: timestamp("expires_at").notNull(),
-  token: text("token").notNull().unique(),
-  createdAt: timestamp("created_at").defaultNow().notNull(),
-  updatedAt: timestamp("updated_at")
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-  ipAddress: text("ip_address"),
-  userAgent: text("user_agent"),
-  userId: text("user_id")
-    .notNull()
-    .references(() => user.id, { onDelete: "cascade" }),
-});
+export const session = pgTable(
+  "session",
+  {
+    id: text("id").primaryKey(),
+    expiresAt: timestamp("expires_at").notNull(),
+    token: text("token").notNull().unique(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+  },
+  (table) => [
+    index("session_user_id_idx").on(table.userId),
+    index("session_token_idx").on(table.token),
+  ]
+);
 
-export const account = pgTable("account", {
-  id: text("id").primaryKey(),
-  accountId: text("account_id").notNull(),
-  providerId: text("provider_id").notNull(),
-  userId: text("user_id")
-    .notNull()
-    .references(() => user.id, { onDelete: "cascade" }),
-  accessToken: text("access_token"),
-  refreshToken: text("refresh_token"),
-  idToken: text("id_token"),
-  accessTokenExpiresAt: timestamp("access_token_expires_at"),
-  refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
-  scope: text("scope"),
-  password: text("password"),
-  createdAt: timestamp("created_at").defaultNow().notNull(),
-  updatedAt: timestamp("updated_at")
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-});
+export const account = pgTable(
+  "account",
+  {
+    id: text("id").primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: timestamp("access_token_expires_at"),
+    refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [
+    index("account_user_id_idx").on(table.userId),
+    index("account_provider_account_idx").on(table.providerId, table.accountId),
+  ]
+);
 
 export const verification = pgTable("verification", {
   id: text("id").primaryKey(),
diff --git a/create-agentic-app/template/src/lib/session.ts b/create-agentic-app/template/src/lib/session.ts
new file mode 100644
index 0000000..caf1fc7
--- /dev/null
+++ b/create-agentic-app/template/src/lib/session.ts
@@ -0,0 +1,48 @@
+import { headers } from "next/headers";
+import { redirect } from "next/navigation";
+import { auth } from "@/lib/auth";
+
+/**
+ * Protected routes that require authentication.
+ * These are also configured in src/proxy.ts for optimistic redirects.
+ */
+export const protectedRoutes = ["/chat", "/dashboard", "/profile"];
+
+/**
+ * Checks if the current request is authenticated.
+ * Should be called in Server Components for protected routes.
+ *
+ * @returns The session object if authenticated
+ * @throws Redirects to home page if not authenticated
+ */
+export async function requireAuth() {
+  const session = await auth.api.getSession({ headers: await headers() });
+
+  if (!session) {
+    redirect("/");
+  }
+
+  return session;
+}
+
+/**
+ * Gets the current session without requiring authentication.
+ * Returns null if not authenticated.
+ *
+ * @returns The session object or null
+ */
+export async function getOptionalSession() {
+  return await auth.api.getSession({ headers: await headers() });
+}
+
+/**
+ * Checks if a given path is a protected route.
+ *
+ * @param path - The path to check
+ * @returns True if the path requires authentication
+ */
+export function isProtectedRoute(path: string): boolean {
+  return protectedRoutes.some(
+    (route) => path === route || path.startsWith(`${route}/`)
+  );
+}
diff --git a/create-agentic-app/template/src/lib/storage.ts b/create-agentic-app/template/src/lib/storage.ts
index b8b997f..88ba264 100644
--- a/create-agentic-app/template/src/lib/storage.ts
+++ b/create-agentic-app/template/src/lib/storage.ts
@@ -1,7 +1,7 @@
-import { put, del } from "@vercel/blob";
+import { existsSync } from "fs";
 import { writeFile, mkdir } from "fs/promises";
 import { join } from "path";
-import { existsSync } from "fs";
+import { put, del } from "@vercel/blob";
 
 /**
  * Result from uploading a file to storage
@@ -11,14 +11,123 @@ export interface StorageResult {
   pathname: string; // Path/key of the stored file
 }
 
+/**
+ * Storage configuration
+ */
+export interface StorageConfig {
+  /** Maximum file size in bytes (default: 5MB) */
+  maxSize?: number;
+  /** Allowed MIME types (default: images and documents) */
+  allowedTypes?: string[];
+}
+
+/**
+ * Default storage configuration
+ */
+const DEFAULT_CONFIG: Required<StorageConfig> = {
+  maxSize: 5 * 1024 * 1024, // 5MB
+  allowedTypes: [
+    // Images
+    "image/jpeg",
+    "image/png",
+    "image/gif",
+    "image/webp",
+    "image/svg+xml",
+    // Documents
+    "application/pdf",
+    "text/plain",
+    "text/csv",
+    "application/json",
+  ],
+};
+
+/**
+ * Allowed file extensions mapped from MIME types
+ */
+const ALLOWED_EXTENSIONS = new Set([
+  ".jpg",
+  ".jpeg",
+  ".png",
+  ".gif",
+  ".webp",
+  ".svg",
+  ".pdf",
+  ".txt",
+  ".csv",
+  ".json",
+]);
+
+/**
+ * Sanitize a filename by removing dangerous characters and path traversal attempts
+ */
+export function sanitizeFilename(filename: string): string {
+  // Remove path components (prevent directory traversal)
+  const basename = filename.split(/[/\\]/).pop() || filename;
+
+  // Remove or replace dangerous characters
+  const sanitized = basename
+    .replace(/[<>:"|?*\x00-\x1f]/g, "") // Remove dangerous chars
+    .replace(/\.{2,}/g, ".") // Collapse multiple dots
+    .replace(/^\.+/, "") // Remove leading dots
+    .trim();
+
+  // Ensure filename is not empty
+  if (!sanitized || sanitized.length === 0) {
+    throw new Error("Invalid filename");
+  }
+
+  // Limit filename length
+  if (sanitized.length > 255) {
+    const ext = sanitized.slice(sanitized.lastIndexOf("."));
+    const name = sanitized.slice(0, 255 - ext.length);
+    return name + ext;
+  }
+
+  return sanitized;
+}
+
+/**
+ * Validate file for upload
+ */
+export function validateFile(
+  buffer: Buffer,
+  filename: string,
+  config: StorageConfig = {}
+): { valid: true } | { valid: false; error: string } {
+  const { maxSize } = { ...DEFAULT_CONFIG, ...config };
+
+  // Check file size
+  if (buffer.length > maxSize) {
+    return {
+      valid: false,
+      error: `File too large. Maximum size is ${Math.round(maxSize / 1024 / 1024)}MB`,
+    };
+  }
+
+  // Check file extension
+  const ext = filename.slice(filename.lastIndexOf(".")).toLowerCase();
+  if (!ALLOWED_EXTENSIONS.has(ext)) {
+    return {
+      valid: false,
+      error: `File type not allowed. Allowed extensions: ${Array.from(ALLOWED_EXTENSIONS).join(", ")}`,
+    };
+  }
+
+  // Optionally check MIME type if provided
+  // Note: For full MIME type validation, consider using a library like 'file-type'
+
+  return { valid: true };
+}
+
 /**
  * Uploads a file to storage (Vercel Blob or local filesystem)
- * 
+ *
  * @param buffer - File contents as a Buffer
  * @param filename - Name of the file (e.g., "image.png")
  * @param folder - Optional folder/prefix (e.g., "avatars")
+ * @param config - Optional storage configuration
  * @returns StorageResult with url and pathname
- * 
+ *
  * @example
  * ```ts
  * const result = await upload(fileBuffer, "avatar.png", "avatars");
@@ -28,13 +137,23 @@ export interface StorageResult {
 export async function upload(
   buffer: Buffer,
   filename: string,
-  folder?: string
+  folder?: string,
+  config?: StorageConfig
 ): Promise<StorageResult> {
+  // Sanitize filename
+  const sanitizedFilename = sanitizeFilename(filename);
+
+  // Validate file
+  const validation = validateFile(buffer, sanitizedFilename, config);
+  if (!validation.valid) {
+    throw new Error(validation.error);
+  }
+
   const hasVercelBlob = Boolean(process.env.BLOB_READ_WRITE_TOKEN);
 
   if (hasVercelBlob) {
     // Use Vercel Blob storage
-    const pathname = folder ? `${folder}/${filename}` : filename;
+    const pathname = folder ? `${folder}/${sanitizedFilename}` : sanitizedFilename;
     const blob = await put(pathname, buffer, {
       access: "public",
     });
@@ -54,11 +173,11 @@ export async function upload(
     }
 
     // Write the file
-    const filepath = join(targetDir, filename);
+    const filepath = join(targetDir, sanitizedFilename);
     await writeFile(filepath, buffer);
 
     // Return local URL
-    const pathname = folder ? `${folder}/${filename}` : filename;
+    const pathname = folder ? `${folder}/${sanitizedFilename}` : sanitizedFilename;
     const url = `/uploads/${pathname}`;
 
     return {
diff --git a/create-agentic-app/template/src/proxy.ts b/create-agentic-app/template/src/proxy.ts
new file mode 100644
index 0000000..15502cf
--- /dev/null
+++ b/create-agentic-app/template/src/proxy.ts
@@ -0,0 +1,25 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionCookie } from "better-auth/cookies";
+
+/**
+ * Next.js 16 Proxy for auth protection.
+ * Uses cookie-based checks for fast, optimistic redirects.
+ *
+ * Note: This only checks for cookie existence, not validity.
+ * Full session validation should be done in each protected page/route.
+ */
+export async function proxy(request: NextRequest) {
+  const sessionCookie = getSessionCookie(request);
+
+  // Optimistic redirect - cookie existence check only
+  // Full validation happens in page components via auth.api.getSession()
+  if (!sessionCookie) {
+    return NextResponse.redirect(new URL("/", request.url));
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ["/dashboard", "/chat", "/profile"], // Protected routes
+};
diff --git a/create-agentic-app/template/tsconfig.json b/create-agentic-app/template/tsconfig.json
index e74efcd..b887142 100644
--- a/create-agentic-app/template/tsconfig.json
+++ b/create-agentic-app/template/tsconfig.json
@@ -1,14 +1,24 @@
 {
   "compilerOptions": {
     "target": "ES2017",
-    "lib": [
-      "dom",
-      "dom.iterable",
-      "esnext"
-    ],
+    "lib": ["dom", "dom.iterable", "esnext"],
     "allowJs": true,
     "skipLibCheck": true,
     "strict": true,
+    "strictNullChecks": true,
+    "strictFunctionTypes": true,
+    "strictBindCallApply": true,
+    "strictPropertyInitialization": true,
+    "noImplicitAny": true,
+    "noImplicitThis": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedIndexedAccess": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noImplicitOverride": true,
+    "exactOptionalPropertyTypes": true,
+    "forceConsistentCasingInFileNames": true,
     "noEmit": true,
     "esModuleInterop": true,
     "module": "esnext",
@@ -22,15 +32,9 @@
         "name": "next"
       }
     ],
-    "types": [
-      "react",
-      "react-dom",
-      "node"
-    ],
+    "types": ["react", "react-dom", "node"],
     "paths": {
-      "@/*": [
-        "./src/*"
-      ]
+      "@/*": ["./src/*"]
     }
   },
   "include": [
@@ -40,7 +44,5 @@
     ".next/types/**/*.ts",
     ".next/dev/types/**/*.ts"
   ],
-  "exclude": [
-    "node_modules"
-  ]
+  "exclude": ["node_modules", "create-agentic-app"]
 }
diff --git a/docs/business/starter-prompt.md b/docs/business/starter-prompt.md
index 86de00a..cf3366e 100644
--- a/docs/business/starter-prompt.md
+++ b/docs/business/starter-prompt.md
@@ -42,7 +42,7 @@ The only things to preserve are:
 
 ## Tech Stack
 
-- Next.js 15 with App Router
+- Next.js 16 with App Router
 - TypeScript
 - Tailwind CSS
 - Better Auth for authentication
diff --git a/docs/technical/ai/streaming.md b/docs/technical/ai/streaming.md
index 89af7d1..036f65d 100644
--- a/docs/technical/ai/streaming.md
+++ b/docs/technical/ai/streaming.md
@@ -11,9 +11,9 @@ If you are unfamiliar with the concepts of [Prompt Engineering](/docs/advanced/p
 To follow this quickstart, you'll need:
 
 - Node.js 18+ and pnpm installed on your local development machine.
-- An OpenAI API key.
+- An OpenRouter API key.
 
-If you haven't obtained your OpenAI API key, you can do so by [signing up](https://platform.openai.com/signup/) on the OpenAI website.
+If you haven't obtained your OpenRouter API key, you can do so by [signing up](https://openrouter.ai/) on the OpenRouter website and visiting [https://openrouter.ai/settings/keys](https://openrouter.ai/settings/keys).
 
 ## Create Your Application
 
@@ -35,7 +35,7 @@ Navigate to the newly created directory:
 
 ### Install dependencies
 
-Install `ai`, `@ai-sdk/react`, and `@ai-sdk/openai`, the AI package, AI SDK's React hooks, and AI SDK's [ OpenAI provider ](/providers/ai-sdk-providers/openai) respectively.
+Install `ai`, `@ai-sdk/react`, and `@openrouter/ai-sdk-provider`, the AI package, AI SDK's React hooks, and the OpenRouter provider respectively.
 
 <Note>
   The AI SDK is designed to be a unified interface to interact with any large
@@ -47,39 +47,39 @@ Install `ai`, `@ai-sdk/react`, and `@ai-sdk/openai`, the AI package, AI SDK's Re
 <div className="my-4">
   <Tabs items={['pnpm', 'npm', 'yarn', 'bun']}>
     <Tab>
-      <Snippet text="pnpm add ai @ai-sdk/react @ai-sdk/openai zod" dark />
+      <Snippet text="pnpm add ai @ai-sdk/react @openrouter/ai-sdk-provider zod" dark />
     </Tab>
     <Tab>
-      <Snippet text="npm install ai @ai-sdk/react @ai-sdk/openai zod" dark />
+      <Snippet text="npm install ai @ai-sdk/react @openrouter/ai-sdk-provider zod" dark />
     </Tab>
     <Tab>
-      <Snippet text="yarn add ai @ai-sdk/react @ai-sdk/openai zod" dark />
+      <Snippet text="yarn add ai @ai-sdk/react @openrouter/ai-sdk-provider zod" dark />
     </Tab>
 
     <Tab>
-      <Snippet text="bun add ai @ai-sdk/react @ai-sdk/openai zod" dark />
+      <Snippet text="bun add ai @ai-sdk/react @openrouter/ai-sdk-provider zod" dark />
     </Tab>
 
   </Tabs>
 </div>
 
-### Configure OpenAI API key
+### Configure OpenRouter API key
 
-Create a `.env.local` file in your project root and add your OpenAI API Key. This key is used to authenticate your application with the OpenAI service.
+Create a `.env.local` file in your project root and add your OpenRouter API Key. This key is used to authenticate your application with OpenRouter.
 
 <Snippet text="touch .env.local" />
 
 Edit the `.env.local` file:
 
 ```env filename=".env.local"
-OPENAI_API_KEY=xxxxxxxxx
+OPENROUTER_API_KEY=sk-or-v1-xxxxxxxxx
+OPENROUTER_MODEL=openai/gpt-5-mini
 ```
 
-Replace `xxxxxxxxx` with your actual OpenAI API key.
+Replace the API key with your actual OpenRouter API key from [https://openrouter.ai/settings/keys](https://openrouter.ai/settings/keys).
 
 <Note className="mb-4">
-  The AI SDK's OpenAI Provider will default to using the `OPENAI_API_KEY`
-  environment variable.
+  You can browse available models at [https://openrouter.ai/models](https://openrouter.ai/models) and set your preferred model via the `OPENROUTER_MODEL` environment variable.
 </Note>
 
 ## Create a Route Handler
@@ -87,7 +87,7 @@ Replace `xxxxxxxxx` with your actual OpenAI API key.
 Create a route handler, `app/api/chat/route.ts` and add the following code:
 
 ```tsx filename="app/api/chat/route.ts"
-import { openai } from "@ai-sdk/openai";
+import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import { streamText, UIMessage, convertToModelMessages } from "ai";
 
 // Allow streaming responses up to 30 seconds
@@ -96,8 +96,13 @@ export const maxDuration = 30;
 export async function POST(req: Request) {
   const { messages }: { messages: UIMessage[] } = await req.json();
 
+  // Initialize OpenRouter with API key from environment
+  const openrouter = createOpenRouter({
+    apiKey: process.env.OPENROUTER_API_KEY,
+  });
+
   const result = streamText({
-    model: openai(process.env.OPENAI_MODEL || "gpt-5-mini"),
+    model: openrouter(process.env.OPENROUTER_MODEL || "openai/gpt-5-mini"),
     messages: convertToModelMessages(messages),
   });
 
@@ -108,7 +113,7 @@ export async function POST(req: Request) {
 Let's take a look at what is happening in this code:
 
 1. Define an asynchronous `POST` request handler and extract `messages` from the body of the request. The `messages` variable contains a history of the conversation between you and the chatbot and provides the chatbot with the necessary context to make the next generation. The `messages` are of UIMessage type, which are designed for use in application UI - they contain the entire message history and associated metadata like timestamps.
-2. Call [`streamText`](/docs/reference/ai-sdk-core/stream-text), which is imported from the `ai` package. This function accepts a configuration object that contains a `model` provider (imported from `@ai-sdk/openai`) and `messages` (defined in step 1). You can pass additional [settings](/docs/ai-sdk-core/settings) to further customise the model's behaviour. The `messages` key expects a `ModelMessage[]` array. This type is different from `UIMessage` in that it does not include metadata, such as timestamps or sender information. To convert between these types, we use the `convertToModelMessages` function, which strips the UI-specific metadata and transforms the `UIMessage[]` array into the `ModelMessage[]` format that the model expects.
+2. Call [`streamText`](/docs/reference/ai-sdk-core/stream-text), which is imported from the `ai` package. This function accepts a configuration object that contains a `model` provider (created using `createOpenRouter` from `@openrouter/ai-sdk-provider`) and `messages` (defined in step 1). You can pass additional [settings](/docs/ai-sdk-core/settings) to further customise the model's behaviour. The `messages` key expects a `ModelMessage[]` array. This type is different from `UIMessage` in that it does not include metadata, such as timestamps or sender information. To convert between these types, we use the `convertToModelMessages` function, which strips the UI-specific metadata and transforms the `UIMessage[]` array into the `ModelMessage[]` format that the model expects.
 3. The `streamText` function returns a [`StreamTextResult`](/docs/reference/ai-sdk-core/stream-text#result-object). This result object contains the [ `toUIMessageStreamResponse` ](/docs/reference/ai-sdk-core/stream-text#to-data-stream-response) function which converts the result to a streamed response object.
 4. Finally, return the result to the client to stream the response.
 
@@ -199,7 +204,7 @@ Let's enhance your chatbot by adding a simple weather tool.
 Modify your `app/api/chat/route.ts` file to include the new weather tool:
 
 ```tsx filename="app/api/chat/route.ts" highlight="2,13-27"
-import { openai } from "@ai-sdk/openai";
+import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import { streamText, UIMessage, convertToModelMessages, tool } from "ai";
 import { z } from "zod";
 
@@ -208,8 +213,12 @@ export const maxDuration = 30;
 export async function POST(req: Request) {
   const { messages }: { messages: UIMessage[] } = await req.json();
 
+  const openrouter = createOpenRouter({
+    apiKey: process.env.OPENROUTER_API_KEY,
+  });
+
   const result = streamText({
-    model: openai(process.env.OPENAI_MODEL || "gpt-5-mini"),
+    model: openrouter(process.env.OPENROUTER_MODEL || "openai/gpt-5-mini"),
     messages: convertToModelMessages(messages),
     tools: {
       weather: tool({
@@ -320,7 +329,7 @@ To solve this, you can enable multi-step tool calls using `stopWhen`. By default
 Modify your `app/api/chat/route.ts` file to include the `stopWhen` condition:
 
 ```tsx filename="app/api/chat/route.ts"
-import { openai } from "@ai-sdk/openai";
+import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import {
   streamText,
   UIMessage,
@@ -335,8 +344,12 @@ export const maxDuration = 30;
 export async function POST(req: Request) {
   const { messages }: { messages: UIMessage[] } = await req.json();
 
+  const openrouter = createOpenRouter({
+    apiKey: process.env.OPENROUTER_API_KEY,
+  });
+
   const result = streamText({
-    model: openai(process.env.OPENAI_MODEL || "gpt-5-mini"),
+    model: openrouter(process.env.OPENROUTER_MODEL || "openai/gpt-5-mini"),
     messages: convertToModelMessages(messages),
     stopWhen: stepCountIs(5),
     tools: {
@@ -374,7 +387,7 @@ By setting `stopWhen: stepCountIs(5)`, you're allowing the model to use up to 5
 Update your `app/api/chat/route.ts` file to add a new tool to convert the temperature from Fahrenheit to Celsius:
 
 ```tsx filename="app/api/chat/route.ts" highlight="34-47"
-import { openai } from "@ai-sdk/openai";
+import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import {
   streamText,
   UIMessage,
@@ -389,8 +402,12 @@ export const maxDuration = 30;
 export async function POST(req: Request) {
   const { messages }: { messages: UIMessage[] } = await req.json();
 
+  const openrouter = createOpenRouter({
+    apiKey: process.env.OPENROUTER_API_KEY,
+  });
+
   const result = streamText({
-    model: openai(process.env.OPENAI_MODEL || "gpt-5-mini"),
+    model: openrouter(process.env.OPENROUTER_MODEL || "openai/gpt-5-mini"),
     messages: convertToModelMessages(messages),
     stopWhen: stepCountIs(5),
     tools: {
diff --git a/eslint.config.mjs b/eslint.config.mjs
index 4c1faba..d0c27e7 100644
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -2,9 +2,74 @@ import nextConfig from "eslint-config-next/core-web-vitals";
 
 const config = [
   {
-    ignores: [".next/**", "node_modules/**", ".cache/**", "dist/**", "build/**"],
+    ignores: [
+      ".next/**",
+      "node_modules/**",
+      ".cache/**",
+      "dist/**",
+      "build/**",
+      "create-agentic-app/**",
+      "drizzle/**",
+      "scripts/**",
+    ],
   },
   ...nextConfig,
+  {
+    rules: {
+      // React rules
+      "react/jsx-no-target-blank": "error",
+      "react/no-unescaped-entities": "off",
+
+      // React Hooks rules
+      "react-hooks/rules-of-hooks": "error",
+      "react-hooks/exhaustive-deps": "warn",
+
+      // Import rules
+      "import/no-anonymous-default-export": "warn",
+      "import/order": [
+        "warn",
+        {
+          groups: [
+            "builtin",
+            "external",
+            "internal",
+            ["parent", "sibling"],
+            "index",
+            "type",
+          ],
+          pathGroups: [
+            {
+              pattern: "react",
+              group: "builtin",
+              position: "before",
+            },
+            {
+              pattern: "next/**",
+              group: "builtin",
+              position: "before",
+            },
+            {
+              pattern: "@/**",
+              group: "internal",
+              position: "before",
+            },
+          ],
+          pathGroupsExcludedImportTypes: ["react", "next"],
+          "newlines-between": "never",
+          alphabetize: {
+            order: "asc",
+            caseInsensitive: true,
+          },
+        },
+      ],
+
+      // Best practices
+      "no-console": ["warn", { allow: ["warn", "error"] }],
+      "prefer-const": "error",
+      "no-var": "error",
+      eqeqeq: ["error", "always", { null: "ignore" }],
+    },
+  },
 ];
 
 export default config;
diff --git a/next.config.ts b/next.config.ts
index e9ffa30..189f2a2 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -1,7 +1,53 @@
 import type { NextConfig } from "next";
 
 const nextConfig: NextConfig = {
-  /* config options here */
+  // Image optimization configuration
+  images: {
+    remotePatterns: [
+      {
+        protocol: "https",
+        hostname: "lh3.googleusercontent.com",
+      },
+      {
+        protocol: "https",
+        hostname: "avatars.githubusercontent.com",
+      },
+    ],
+  },
+
+  // Enable compression
+  compress: true,
+
+  // Security headers
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          {
+            key: "X-Frame-Options",
+            value: "DENY",
+          },
+          {
+            key: "X-Content-Type-Options",
+            value: "nosniff",
+          },
+          {
+            key: "Referrer-Policy",
+            value: "strict-origin-when-cross-origin",
+          },
+          {
+            key: "X-XSS-Protection",
+            value: "1; mode=block",
+          },
+          {
+            key: "Permissions-Policy",
+            value: "camera=(), microphone=(), geolocation=()",
+          },
+        ],
+      },
+    ];
+  },
 };
 
 export default nextConfig;
diff --git a/package.json b/package.json
index 9db167d..0b48e32 100644
--- a/package.json
+++ b/package.json
@@ -2,11 +2,16 @@
   "name": "agentic-coding-starter-kit",
   "version": "1.1.2",
   "scripts": {
-    "dev": "next dev",
+    "dev": "next dev --turbopack",
     "build": "pnpm run db:migrate && next build",
     "start": "next start",
     "lint": "eslint .",
     "typecheck": "tsc --noEmit",
+    "check": "pnpm lint && pnpm typecheck",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "setup": "npx tsx scripts/setup.ts",
+    "env:check": "node -e \"require('./src/lib/env.ts').checkEnv()\" || echo 'Run with tsx: npx tsx -e \"import { checkEnv } from './src/lib/env'; checkEnv();\"'",
     "db:generate": "drizzle-kit generate",
     "db:migrate": "drizzle-kit migrate",
     "db:push": "drizzle-kit push",
@@ -16,12 +21,12 @@
     "sync-template": "node create-agentic-app/scripts/sync-templates.js"
   },
   "dependencies": {
-    "@ai-sdk/openai": "^2.0.60",
     "@ai-sdk/react": "^2.0.86",
     "@openrouter/ai-sdk-provider": "^1.2.0",
     "@radix-ui/react-avatar": "^1.1.10",
     "@radix-ui/react-dialog": "^1.1.15",
     "@radix-ui/react-dropdown-menu": "^2.1.16",
+    "@radix-ui/react-label": "^2.1.8",
     "@radix-ui/react-slot": "^1.2.3",
     "@vercel/blob": "^2.0.0",
     "ai": "^5.0.86",
@@ -37,6 +42,7 @@
     "react": "19.2.0",
     "react-dom": "19.2.0",
     "react-markdown": "^10.1.0",
+    "sonner": "^2.0.7",
     "tailwind-merge": "^3.3.1",
     "zod": "^4.1.12"
   },
@@ -49,8 +55,11 @@
     "drizzle-kit": "^0.31.6",
     "eslint": "^9.39.0",
     "eslint-config-next": "16.0.3",
+    "prettier": "^3.4.2",
+    "prettier-plugin-tailwindcss": "^0.6.9",
     "shadcn": "^3.5.0",
     "tailwindcss": "^4.1.16",
+    "tsx": "^4.19.2",
     "tw-animate-css": "^1.4.0",
     "typescript": "^5.9.3"
   },
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a3c3aea..a10ecc7 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -12,9 +12,6 @@ importers:
 
   .:
     dependencies:
-      '@ai-sdk/openai':
-        specifier: ^2.0.60
-        version: 2.0.60(zod@4.1.12)
       '@ai-sdk/react':
         specifier: ^2.0.86
         version: 2.0.86(react@19.2.0)(zod@4.1.12)
@@ -30,6 +27,9 @@ importers:
       '@radix-ui/react-dropdown-menu':
         specifier: ^2.1.16
         version: 2.1.16(@types/react-dom@19.2.3(@types/react@19.2.5))(@types/react@19.2.5)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+      '@radix-ui/react-label':
+        specifier: ^2.1.8
+        version: 2.1.8(@types/react-dom@19.2.3(@types/react@19.2.5))(@types/react@19.2.5)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       '@radix-ui/react-slot':
         specifier: ^1.2.3
         version: 1.2.3(@types/react@19.2.5)(react@19.2.0)
@@ -75,6 +75,9 @@ importers:
       react-markdown:
         specifier: ^10.1.0
         version: 10.1.0(@types/react@19.2.5)(react@19.2.0)
+      sonner:
+        specifier: ^2.0.7
+        version: 2.0.7(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       tailwind-merge:
         specifier: ^3.3.1
         version: 3.3.1
@@ -106,12 +109,21 @@ importers:
       eslint-config-next:
         specifier: 16.0.3
         version: 16.0.3(@typescript-eslint/parser@8.46.4(eslint@9.39.0(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.0(jiti@2.6.1))(typescript@5.9.3)
+      prettier:
+        specifier: ^3.4.2
+        version: 3.7.3
+      prettier-plugin-tailwindcss:
+        specifier: ^0.6.9
+        version: 0.6.14(prettier@3.7.3)
       shadcn:
         specifier: ^3.5.0
         version: 3.5.0(@types/node@20.19.24)(typescript@5.9.3)
       tailwindcss:
         specifier: ^4.1.16
         version: 4.1.16
+      tsx:
+        specifier: ^4.19.2
+        version: 4.20.6
       tw-animate-css:
         specifier: ^1.4.0
         version: 1.4.0
@@ -127,12 +139,6 @@ packages:
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
 
-  '@ai-sdk/openai@2.0.60':
-    resolution: {integrity: sha512-h7Bg3nY4UYyBj2HDmsFzPxuBhK4ZGGkC2ssZGXOov+81DVSiRJXR4NFfsxbWW/7c6uMCP/YmZ8MiWtvsKMSCHg==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.25.76 || ^4.1.8
-
   '@ai-sdk/provider-utils@3.0.15':
     resolution: {integrity: sha512-kOc6Pxb7CsRlNt+sLZKL7/VGQUd7ccl3/tIK+Bqf5/QhHR0Qm3qRBMz1IwU1RmjJEZA73x+KB5cUckbDl2WF7Q==}
     engines: {node: '>=18'}
@@ -1187,6 +1193,19 @@ packages:
       '@types/react':
         optional: true
 
+  '@radix-ui/react-label@2.1.8':
+    resolution: {integrity: sha512-FmXs37I6hSBVDlO4y764TNz1rLgKwjJMQ0EGte6F3Cb3f4bIuHB/iLa/8I9VKkmOy+gNHq8rql3j686ACVV21A==}
+    peerDependencies:
+      '@types/react': 19.2.5
+      '@types/react-dom': 19.2.3
+      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
+      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
+    peerDependenciesMeta:
+      '@types/react':
+        optional: true
+      '@types/react-dom':
+        optional: true
+
   '@radix-ui/react-menu@2.1.16':
     resolution: {integrity: sha512-72F2T+PLlphrqLcAotYPp0uJMr5SjP5SL01wfEspJbru5Zs5vQaSHb4VB3ZMJPimgHHCHG7gMOeOB9H3Hdmtxg==}
     peerDependencies:
@@ -1252,6 +1271,19 @@ packages:
       '@types/react-dom':
         optional: true
 
+  '@radix-ui/react-primitive@2.1.4':
+    resolution: {integrity: sha512-9hQc4+GNVtJAIEPEqlYqW5RiYdrr8ea5XQ0ZOnD6fgru+83kqT15mq2OCcbe8KnjRZl5vF3ks69AKz3kh1jrhg==}
+    peerDependencies:
+      '@types/react': 19.2.5
+      '@types/react-dom': 19.2.3
+      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
+      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
+    peerDependenciesMeta:
+      '@types/react':
+        optional: true
+      '@types/react-dom':
+        optional: true
+
   '@radix-ui/react-roving-focus@1.1.11':
     resolution: {integrity: sha512-7A6S9jSgm/S+7MdtNDSb+IU859vQqJ/QAtcYQcfFC6W8RS4IxIZDldLR0xqCFZ6DCyrQLjLPsxtTNch5jVA4lA==}
     peerDependencies:
@@ -1274,6 +1306,15 @@ packages:
       '@types/react':
         optional: true
 
+  '@radix-ui/react-slot@1.2.4':
+    resolution: {integrity: sha512-Jl+bCv8HxKnlTLVrcDE8zTMJ09R9/ukw4qBs/oZClOfoQk/cOTbDn+NceXfV7j09YPVQUryJPHurafcSg6EVKA==}
+    peerDependencies:
+      '@types/react': 19.2.5
+      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
+    peerDependenciesMeta:
+      '@types/react':
+        optional: true
+
   '@radix-ui/react-use-callback-ref@1.1.1':
     resolution: {integrity: sha512-FkBMwD+qbGQeMu1cOHnuGB6x4yzPjho8ap5WtbEJ26umhgqVXbhekKUQO+hZEL1vU92a3wHwdp0HAcqAUF5iDg==}
     peerDependencies:
@@ -1800,8 +1841,8 @@ packages:
   balanced-match@1.0.2:
     resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
 
-  baseline-browser-mapping@2.8.23:
-    resolution: {integrity: sha512-616V5YX4bepJFzNyOfce5Fa8fDJMfoxzOIzDCZwaGL8MKVpFrXqfNUoIpRn9YMI5pXf/VKgzjB4htFMsFKKdiQ==}
+  baseline-browser-mapping@2.8.32:
+    resolution: {integrity: sha512-OPz5aBThlyLFgxyhdwf/s2+8ab3OvT7AdTNvKHBwpXomIYeXqpUUuT8LrdtxZSsWJ4R4CU1un4XGh5Ez3nlTpw==}
     hasBin: true
 
   better-auth@1.3.34:
@@ -2521,6 +2562,11 @@ packages:
     resolution: {integrity: sha512-Xr9F6z6up6Ws+NjzMCZc6WXg2YFRlrLP9NQDO3VQrWrfiojdhS56TzueT88ze0uBdCTwEIhQ3ptnmKeWGFAe0A==}
     engines: {node: '>=14.14'}
 
+  fsevents@2.3.3:
+    resolution: {integrity: sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==}
+    engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
+    os: [darwin]
+
   function-bind@1.1.2:
     resolution: {integrity: sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==}
 
@@ -3503,6 +3549,72 @@ packages:
     resolution: {integrity: sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==}
     engines: {node: '>= 0.8.0'}
 
+  prettier-plugin-tailwindcss@0.6.14:
+    resolution: {integrity: sha512-pi2e/+ZygeIqntN+vC573BcW5Cve8zUB0SSAGxqpB4f96boZF4M3phPVoOFCeypwkpRYdi7+jQ5YJJUwrkGUAg==}
+    engines: {node: '>=14.21.3'}
+    peerDependencies:
+      '@ianvs/prettier-plugin-sort-imports': '*'
+      '@prettier/plugin-hermes': '*'
+      '@prettier/plugin-oxc': '*'
+      '@prettier/plugin-pug': '*'
+      '@shopify/prettier-plugin-liquid': '*'
+      '@trivago/prettier-plugin-sort-imports': '*'
+      '@zackad/prettier-plugin-twig': '*'
+      prettier: ^3.0
+      prettier-plugin-astro: '*'
+      prettier-plugin-css-order: '*'
+      prettier-plugin-import-sort: '*'
+      prettier-plugin-jsdoc: '*'
+      prettier-plugin-marko: '*'
+      prettier-plugin-multiline-arrays: '*'
+      prettier-plugin-organize-attributes: '*'
+      prettier-plugin-organize-imports: '*'
+      prettier-plugin-sort-imports: '*'
+      prettier-plugin-style-order: '*'
+      prettier-plugin-svelte: '*'
+    peerDependenciesMeta:
+      '@ianvs/prettier-plugin-sort-imports':
+        optional: true
+      '@prettier/plugin-hermes':
+        optional: true
+      '@prettier/plugin-oxc':
+        optional: true
+      '@prettier/plugin-pug':
+        optional: true
+      '@shopify/prettier-plugin-liquid':
+        optional: true
+      '@trivago/prettier-plugin-sort-imports':
+        optional: true
+      '@zackad/prettier-plugin-twig':
+        optional: true
+      prettier-plugin-astro:
+        optional: true
+      prettier-plugin-css-order:
+        optional: true
+      prettier-plugin-import-sort:
+        optional: true
+      prettier-plugin-jsdoc:
+        optional: true
+      prettier-plugin-marko:
+        optional: true
+      prettier-plugin-multiline-arrays:
+        optional: true
+      prettier-plugin-organize-attributes:
+        optional: true
+      prettier-plugin-organize-imports:
+        optional: true
+      prettier-plugin-sort-imports:
+        optional: true
+      prettier-plugin-style-order:
+        optional: true
+      prettier-plugin-svelte:
+        optional: true
+
+  prettier@3.7.3:
+    resolution: {integrity: sha512-QgODejq9K3OzoBbuyobZlUhznP5SKwPqp+6Q6xw6o8gnhr4O85L2U915iM2IDcfF2NPXVaM9zlo9tdwipnYwzg==}
+    engines: {node: '>=14'}
+    hasBin: true
+
   pretty-ms@9.3.0:
     resolution: {integrity: sha512-gjVS5hOP+M3wMm5nmNOucbIrqudzs9v/57bWRHQWLYklXqoXKrVfYW2W9+glfGsqtPgpiz5WwyEEB+ksXIx3gQ==}
     engines: {node: '>=18'}
@@ -3759,6 +3871,12 @@ packages:
   sisteransi@1.0.5:
     resolution: {integrity: sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==}
 
+  sonner@2.0.7:
+    resolution: {integrity: sha512-W6ZN4p58k8aDKA4XPcx2hpIQXBRAgyiWVkYhT7CvK6D3iAu7xjvVyhQHg2/iaKJZ1XVJ4r7XuwGL+WGEK37i9w==}
+    peerDependencies:
+      react: ^18.0.0 || ^19.0.0 || ^19.0.0-rc
+      react-dom: ^18.0.0 || ^19.0.0 || ^19.0.0-rc
+
   source-map-js@1.2.1:
     resolution: {integrity: sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==}
     engines: {node: '>=0.10.0'}
@@ -3964,6 +4082,11 @@ packages:
   tslib@2.8.1:
     resolution: {integrity: sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==}
 
+  tsx@4.20.6:
+    resolution: {integrity: sha512-ytQKuwgmrrkDTFP4LjR0ToE2nqgy886GpvRSpU0JAnrdBYppuY5rLkRUYPU1yCryb24SsKBTL/hlDQAEFVwtZg==}
+    engines: {node: '>=18.0.0'}
+    hasBin: true
+
   tsyringe@4.10.0:
     resolution: {integrity: sha512-axr3IdNuVIxnaK5XGEUFTu3YmAQ6lllgrvqfEoR16g/HGnYY/6We4oWENtAnzK6/LpJ2ur9PAb80RBt7/U4ugw==}
     engines: {node: '>= 6.0.0'}
@@ -4210,12 +4333,6 @@ snapshots:
       '@vercel/oidc': 3.0.3
       zod: 4.1.12
 
-  '@ai-sdk/openai@2.0.60(zod@4.1.12)':
-    dependencies:
-      '@ai-sdk/provider': 2.0.0
-      '@ai-sdk/provider-utils': 3.0.15(zod@4.1.12)
-      zod: 4.1.12
-
   '@ai-sdk/provider-utils@3.0.15(zod@4.1.12)':
     dependencies:
       '@ai-sdk/provider': 2.0.0
@@ -5196,6 +5313,15 @@ snapshots:
     optionalDependencies:
       '@types/react': 19.2.5
 
+  '@radix-ui/react-label@2.1.8(@types/react-dom@19.2.3(@types/react@19.2.5))(@types/react@19.2.5)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
+    dependencies:
+      '@radix-ui/react-primitive': 2.1.4(@types/react-dom@19.2.3(@types/react@19.2.5))(@types/react@19.2.5)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
+    optionalDependencies:
+      '@types/react': 19.2.5
+      '@types/react-dom': 19.2.3(@types/react@19.2.5)
+
   '@radix-ui/react-menu@2.1.16(@types/react-dom@19.2.3(@types/react@19.2.5))(@types/react@19.2.5)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
     dependencies:
       '@radix-ui/primitive': 1.1.3
@@ -5269,6 +5395,15 @@ snapshots:
       '@types/react': 19.2.5
       '@types/react-dom': 19.2.3(@types/react@19.2.5)
 
+  '@radix-ui/react-primitive@2.1.4(@types/react-dom@19.2.3(@types/react@19.2.5))(@types/react@19.2.5)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
+    dependencies:
+      '@radix-ui/react-slot': 1.2.4(@types/react@19.2.5)(react@19.2.0)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
+    optionalDependencies:
+      '@types/react': 19.2.5
+      '@types/react-dom': 19.2.3(@types/react@19.2.5)
+
   '@radix-ui/react-roving-focus@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.5))(@types/react@19.2.5)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
     dependencies:
       '@radix-ui/primitive': 1.1.3
@@ -5293,6 +5428,13 @@ snapshots:
     optionalDependencies:
       '@types/react': 19.2.5
 
+  '@radix-ui/react-slot@1.2.4(@types/react@19.2.5)(react@19.2.0)':
+    dependencies:
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.5)(react@19.2.0)
+      react: 19.2.0
+    optionalDependencies:
+      '@types/react': 19.2.5
+
   '@radix-ui/react-use-callback-ref@1.1.1(@types/react@19.2.5)(react@19.2.0)':
     dependencies:
       react: 19.2.0
@@ -5810,7 +5952,7 @@ snapshots:
 
   balanced-match@1.0.2: {}
 
-  baseline-browser-mapping@2.8.23: {}
+  baseline-browser-mapping@2.8.32: {}
 
   better-auth@1.3.34(next@16.0.3(@babel/core@7.28.5)(@opentelemetry/api@1.9.0)(react-dom@19.2.0(react@19.2.0))(react@19.2.0))(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
@@ -5870,7 +6012,7 @@ snapshots:
 
   browserslist@4.27.0:
     dependencies:
-      baseline-browser-mapping: 2.8.23
+      baseline-browser-mapping: 2.8.32
       caniuse-lite: 1.0.30001753
       electron-to-chromium: 1.5.244
       node-releases: 2.0.27
@@ -6655,6 +6797,9 @@ snapshots:
       jsonfile: 6.2.0
       universalify: 2.0.1
 
+  fsevents@2.3.3:
+    optional: true
+
   function-bind@1.1.2: {}
 
   function.prototype.name@1.1.8:
@@ -7713,6 +7858,12 @@ snapshots:
 
   prelude-ls@1.2.1: {}
 
+  prettier-plugin-tailwindcss@0.6.14(prettier@3.7.3):
+    dependencies:
+      prettier: 3.7.3
+
+  prettier@3.7.3: {}
+
   pretty-ms@9.3.0:
     dependencies:
       parse-ms: 4.0.0
@@ -8092,6 +8243,11 @@ snapshots:
 
   sisteransi@1.0.5: {}
 
+  sonner@2.0.7(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
+    dependencies:
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
+
   source-map-js@1.2.1: {}
 
   source-map-support@0.5.21:
@@ -8299,6 +8455,13 @@ snapshots:
 
   tslib@2.8.1: {}
 
+  tsx@4.20.6:
+    dependencies:
+      esbuild: 0.25.12
+      get-tsconfig: 4.13.0
+    optionalDependencies:
+      fsevents: 2.3.3
+
   tsyringe@4.10.0:
     dependencies:
       tslib: 1.14.1
diff --git a/scripts/setup.ts b/scripts/setup.ts
new file mode 100644
index 0000000..446cdb4
--- /dev/null
+++ b/scripts/setup.ts
@@ -0,0 +1,274 @@
+#!/usr/bin/env npx tsx
+/**
+ * Interactive setup wizard for the Agentic Coding Starter Kit.
+ * Run with: npx tsx scripts/setup.ts
+ */
+
+import { existsSync, copyFileSync, readFileSync } from "fs";
+import { createInterface } from "readline";
+import { execSync } from "child_process";
+import { join } from "path";
+
+const ROOT_DIR = join(import.meta.dirname, "..");
+const ENV_EXAMPLE = join(ROOT_DIR, "env.example");
+const ENV_FILE = join(ROOT_DIR, ".env");
+
+// ANSI colors
+const colors = {
+  reset: "\x1b[0m",
+  bright: "\x1b[1m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  red: "\x1b[31m",
+  cyan: "\x1b[36m",
+  dim: "\x1b[2m",
+};
+
+function log(message: string, color?: keyof typeof colors) {
+  const colorCode = color ? colors[color] : "";
+  console.log(`${colorCode}${message}${colors.reset}`);
+}
+
+function header(message: string) {
+  console.log();
+  log(`${"=".repeat(60)}`, "cyan");
+  log(`  ${message}`, "bright");
+  log(`${"=".repeat(60)}`, "cyan");
+  console.log();
+}
+
+function success(message: string) {
+  log(`✓ ${message}`, "green");
+}
+
+function warn(message: string) {
+  log(`⚠ ${message}`, "yellow");
+}
+
+function error(message: string) {
+  log(`✗ ${message}`, "red");
+}
+
+function info(message: string) {
+  log(`  ${message}`, "dim");
+}
+
+async function prompt(question: string): Promise<string> {
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  return new Promise((resolve) => {
+    rl.question(`${colors.cyan}? ${colors.reset}${question} `, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+async function confirm(question: string): Promise<boolean> {
+  const answer = await prompt(`${question} (y/n)`);
+  return answer.toLowerCase() === "y" || answer.toLowerCase() === "yes";
+}
+
+function checkNodeVersion(): boolean {
+  const requiredMajor = 20;
+  const currentVersion = process.version;
+  const currentMajor = parseInt(currentVersion.slice(1).split(".")[0] || "0", 10);
+
+  if (currentMajor >= requiredMajor) {
+    success(`Node.js ${currentVersion} detected (requires v${requiredMajor}+)`);
+    return true;
+  } else {
+    error(`Node.js ${currentVersion} detected, but v${requiredMajor}+ is required`);
+    info("Please upgrade Node.js: https://nodejs.org/");
+    return false;
+  }
+}
+
+function copyEnvFile(): boolean {
+  if (existsSync(ENV_FILE)) {
+    warn(".env file already exists");
+    return true;
+  }
+
+  if (!existsSync(ENV_EXAMPLE)) {
+    error("env.example file not found");
+    return false;
+  }
+
+  try {
+    copyFileSync(ENV_EXAMPLE, ENV_FILE);
+    success("Created .env file from env.example");
+    return true;
+  } catch (err) {
+    error(`Failed to create .env file: ${err}`);
+    return false;
+  }
+}
+
+interface EnvStatus {
+  configured: string[];
+  missing: string[];
+  optional: string[];
+}
+
+function checkEnvVariables(): EnvStatus {
+  const required = ["POSTGRES_URL", "BETTER_AUTH_SECRET"];
+  const optional = [
+    "GOOGLE_CLIENT_ID",
+    "GOOGLE_CLIENT_SECRET",
+    "OPENROUTER_API_KEY",
+    "OPENROUTER_MODEL",
+    "BLOB_READ_WRITE_TOKEN",
+    "NEXT_PUBLIC_APP_URL",
+  ];
+
+  const status: EnvStatus = {
+    configured: [],
+    missing: [],
+    optional: [],
+  };
+
+  // Read .env file if it exists
+  let envContent = "";
+  if (existsSync(ENV_FILE)) {
+    envContent = readFileSync(ENV_FILE, "utf-8");
+  }
+
+  // Parse env file (simple key=value parsing)
+  const envVars: Record<string, string> = {};
+  envContent.split("\n").forEach((line) => {
+    const trimmed = line.trim();
+    if (trimmed && !trimmed.startsWith("#")) {
+      const [key, ...valueParts] = trimmed.split("=");
+      if (key) {
+        envVars[key] = valueParts.join("=");
+      }
+    }
+  });
+
+  // Check required variables
+  for (const key of required) {
+    const value = envVars[key];
+    if (value && value.length > 0 && !value.startsWith("your-")) {
+      status.configured.push(key);
+    } else {
+      status.missing.push(key);
+    }
+  }
+
+  // Check optional variables
+  for (const key of optional) {
+    const value = envVars[key];
+    if (value && value.length > 0 && !value.startsWith("your-")) {
+      status.configured.push(key);
+    } else {
+      status.optional.push(key);
+    }
+  }
+
+  return status;
+}
+
+async function runDatabaseMigration(): Promise<boolean> {
+  log("\nRunning database migration...", "cyan");
+
+  try {
+    execSync("pnpm db:migrate", {
+      cwd: ROOT_DIR,
+      stdio: "inherit",
+    });
+    success("Database migration completed");
+    return true;
+  } catch {
+    error("Database migration failed");
+    info("Make sure your database is running and POSTGRES_URL is correct");
+    return false;
+  }
+}
+
+function printNextSteps(envStatus: EnvStatus) {
+  header("Next Steps");
+
+  const steps: string[] = [];
+
+  if (envStatus.missing.length > 0) {
+    steps.push(`Configure required env vars in .env: ${envStatus.missing.join(", ")}`);
+  }
+
+  if (envStatus.optional.includes("GOOGLE_CLIENT_ID")) {
+    steps.push("Set up Google OAuth at https://console.cloud.google.com/");
+  }
+
+  if (envStatus.optional.includes("OPENROUTER_API_KEY")) {
+    steps.push("Get an OpenRouter API key at https://openrouter.ai/settings/keys");
+  }
+
+  steps.push("Start the development server: pnpm dev");
+  steps.push("Open http://localhost:3000 in your browser");
+
+  steps.forEach((step, index) => {
+    log(`${index + 1}. ${step}`);
+  });
+
+  console.log();
+  log("Documentation:", "bright");
+  info("- README.md - Project overview and setup");
+  info("- CLAUDE.md - AI assistant guidelines");
+  info("- docs/ - Technical documentation");
+  console.log();
+}
+
+async function main() {
+  header("Agentic Coding Starter Kit - Setup Wizard");
+
+  // Step 1: Check Node version
+  log("Checking Node.js version...", "cyan");
+  if (!checkNodeVersion()) {
+    process.exit(1);
+  }
+
+  // Step 2: Create .env file
+  console.log();
+  log("Setting up environment...", "cyan");
+  copyEnvFile();
+
+  // Step 3: Check environment variables
+  console.log();
+  log("Checking environment variables...", "cyan");
+  const envStatus = checkEnvVariables();
+
+  if (envStatus.configured.length > 0) {
+    success(`Configured: ${envStatus.configured.join(", ")}`);
+  }
+  if (envStatus.missing.length > 0) {
+    warn(`Missing (required): ${envStatus.missing.join(", ")}`);
+  }
+  if (envStatus.optional.length > 0) {
+    info(`Optional (not set): ${envStatus.optional.join(", ")}`);
+  }
+
+  // Step 4: Offer to run database migration
+  if (envStatus.missing.length === 0) {
+    console.log();
+    const shouldMigrate = await confirm("Would you like to run database migrations now?");
+    if (shouldMigrate) {
+      await runDatabaseMigration();
+    }
+  } else {
+    console.log();
+    warn("Skipping database migration - please configure required env vars first");
+  }
+
+  // Step 5: Print next steps
+  printNextSteps(envStatus);
+
+  log("Setup complete!", "green");
+}
+
+main().catch((err) => {
+  error(`Setup failed: ${err}`);
+  process.exit(1);
+});
diff --git a/specs/boilerplate-improvements/implementation-plan.md b/specs/boilerplate-improvements/implementation-plan.md
new file mode 100644
index 0000000..394cbcf
--- /dev/null
+++ b/specs/boilerplate-improvements/implementation-plan.md
@@ -0,0 +1,165 @@
+# Next.js 16 Boilerplate Improvements - Implementation Plan
+
+## Phase 1: Critical Security & Stability (19 files)
+
+### Security Configuration
+- [ ] Update `next.config.ts` - Add security headers, image config, compression
+- [ ] Modify `package.json` - Remove `@ai-sdk/openai` dependency
+- [ ] Create `src/proxy.ts` - Server-side auth protection using Next.js 16 proxy + BetterAuth
+- [ ] Modify `src/app/api/chat/route.ts` - Add session authentication check
+- [ ] Update `docs/technical/ai/streaming.md` - Fix OpenRouter references
+
+### Next.js 15 → 16 Updates (Main Project)
+- [ ] Update `CLAUDE.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `README.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `docs/business/starter-prompt.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `src/components/starter-prompt-modal.tsx` - Change Next.js 15 to Next.js 16
+- [ ] Update `.claude/agents/polar-payments-expert.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `.claude/agents/better-auth-expert.md` - Change Next.js 15 to Next.js 16
+
+### Next.js 15 → 16 Updates (create-agentic-app Template)
+- [ ] Update `create-agentic-app/README.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/CLAUDE.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/README.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/docs/business/starter-prompt.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/src/components/starter-prompt-modal.tsx` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/.claude/agents/better-auth-expert.md` - Change Next.js 15 to Next.js 16
+- [ ] Update `create-agentic-app/template/.claude/agents/polar-payments-expert.md` - Change Next.js 15 to Next.js 16
+
+---
+
+## Phase 2: Core UX Components (12 files)
+
+### Error Handling
+- [ ] Create `src/app/error.tsx` - Global error boundary
+- [ ] Create `src/app/not-found.tsx` - Custom 404 page
+- [ ] Create `src/app/chat/error.tsx` - Chat-specific error handling
+
+### Loading States
+- [ ] Create `src/components/ui/skeleton.tsx` - Skeleton loading component (via shadcn)
+- [ ] Create `src/components/ui/spinner.tsx` - Loading spinner component
+
+### Toast Notifications
+- [ ] Install shadcn Sonner: `npx shadcn@latest add sonner`
+- [ ] Modify `src/app/layout.tsx` - Add `<Toaster />` component
+
+### Form Components
+- [ ] Install shadcn input: `npx shadcn@latest add input`
+- [ ] Install shadcn textarea: `npx shadcn@latest add textarea`
+- [ ] Install shadcn label: `npx shadcn@latest add label`
+
+### Chat UX Improvements
+- [ ] Modify `src/app/chat/page.tsx`:
+  - [ ] Add message timestamps
+  - [ ] Add copy-to-clipboard for AI responses
+  - [ ] Add typing/thinking indicator during streaming
+  - [ ] Add error display for API failures
+  - [ ] Add message persistence (localStorage)
+
+### Database Schema
+- [ ] Modify `src/lib/schema.ts` - Add missing indexes:
+  - [ ] Index on `session.user_id`
+  - [ ] Index on `session.token`
+  - [ ] Index on `account.user_id`
+  - [ ] Index on `account(provider_id, account_id)`
+  - [ ] Index on `user.email`
+- [ ] Run `pnpm db:generate` to create migration
+- [ ] Run `pnpm db:migrate` to apply migration
+
+---
+
+## Phase 3: Polish & Security (8 files)
+
+### ESLint Configuration
+- [ ] Modify `eslint.config.mjs`:
+  - [ ] Add import ordering rules
+  - [ ] Add TypeScript-eslint rules
+  - [ ] Add React hooks exhaustive-deps
+  - [ ] Add no-console warnings
+
+### API Hardening
+- [ ] Modify `src/app/api/chat/route.ts`:
+  - [ ] Add rate limiting (10 requests/minute per user)
+  - [ ] Add Zod validation for messages
+  - [ ] Add message length limits
+- [ ] Modify `src/app/api/diagnostics/route.ts` - Restrict to authenticated admins
+
+### SEO
+- [ ] Modify `src/app/layout.tsx` - Add Open Graph metadata
+- [ ] Create `src/app/sitemap.ts` - Dynamic sitemap
+- [ ] Create `src/app/robots.ts` - Robots configuration
+
+### Accessibility
+- [ ] Modify `src/components/site-header.tsx`:
+  - [ ] Add `<nav>` role
+  - [ ] Add aria-labels to interactive elements
+  - [ ] Add skip-to-content link
+
+### TypeScript
+- [ ] Modify `tsconfig.json`:
+  - [ ] Add `noUncheckedIndexedAccess: true`
+  - [ ] Add `noImplicitOverride: true`
+  - [ ] Add `exactOptionalPropertyTypes: true`
+
+---
+
+## Phase 4: DevEx & Infrastructure (7 files)
+
+### Code Formatting
+- [ ] Create `.prettierrc` - Prettier configuration
+
+### CI/CD
+- [ ] Create `.github/workflows/ci.yml`:
+  - [ ] Lint check (`pnpm lint`)
+  - [ ] Type check (`pnpm typecheck`)
+  - [ ] Build verification (`pnpm build`)
+  - [ ] Trigger on PR and push to main
+
+### Node Version
+- [ ] Create `.nvmrc` - Pin to Node 20 LTS
+
+### CLI Scripts
+- [ ] Modify `package.json`:
+  - [ ] Add `validate-env` script
+  - [ ] Add `check` script (lint + typecheck)
+
+### Setup Experience
+- [ ] Create `scripts/setup.ts` - Interactive setup wizard:
+  - [ ] Check Node version
+  - [ ] Copy env.example to .env
+  - [ ] Validate required variables
+  - [ ] Offer to run db:migrate
+  - [ ] Provide next steps guidance
+
+### File Storage Security
+- [ ] Modify `src/lib/storage.ts`:
+  - [ ] Add file type whitelist (images, documents)
+  - [ ] Add file size limits (5MB default)
+  - [ ] Add filename sanitization
+
+### Profile Page
+- [ ] Modify `src/app/profile/page.tsx`:
+  - [ ] Enable Edit Profile button with modal
+  - [ ] Enable basic security settings view
+
+---
+
+## Summary
+
+| Phase | Files | Focus |
+|-------|-------|-------|
+| Phase 1 | 19 | Security, stability, Next.js 16 updates |
+| Phase 2 | 12 | Core UX components |
+| Phase 3 | 8 | Polish & security |
+| Phase 4 | 7 | DevEx & infrastructure |
+| **Total** | **46** | |
+
+## Implementation Order
+
+Execute phases sequentially: **Phase 1** → **Phase 2** → **Phase 3** → **Phase 4**
+
+Each phase builds on the previous one:
+1. Phase 1 ensures security and stability
+2. Phase 2 adds core user experience
+3. Phase 3 polishes and hardens
+4. Phase 4 improves developer experience
diff --git a/specs/boilerplate-improvements/requirements.md b/specs/boilerplate-improvements/requirements.md
new file mode 100644
index 0000000..8229784
--- /dev/null
+++ b/specs/boilerplate-improvements/requirements.md
@@ -0,0 +1,131 @@
+# Next.js 16 Boilerplate Improvements - Requirements
+
+## Overview
+
+Comprehensive review and improvement of the Next.js 16 boilerplate project to enhance security, user experience, developer experience, and overall code quality.
+
+## User Decisions
+
+- **Scope:** Full implementation (all improvements including CI/CD, CLI tools)
+- **Testing:** Skip testing framework (keep boilerplate minimal)
+- **Toast Library:** shadcn Sonner component
+- **CI/CD:** Full GitHub Actions pipeline (lint, typecheck, build)
+- **Dockerfile:** Skip (deploying to Vercel only)
+- **Database Seed:** Skip (developers will create their own data)
+
+## Requirements by Category
+
+### 1. Security & Stability (Critical)
+
+1. **next.config.ts** - Currently empty, needs:
+   - Security headers (CSP, X-Frame-Options, X-Content-Type-Options)
+   - Image optimization configuration
+   - Compression settings
+
+2. **Unused Dependency** - Remove `@ai-sdk/openai` from package.json (project uses OpenRouter exclusively)
+
+3. **Server-Side Auth Protection** - Create `src/proxy.ts` using Next.js 16 proxy pattern with BetterAuth for protected routes (`/chat`, `/dashboard`, `/profile`)
+
+4. **API Authentication** - Add session validation to `/api/chat` endpoint to prevent unauthorized API usage
+
+5. **Documentation Consistency** - Update `docs/technical/ai/streaming.md` to use `@openrouter/ai-sdk-provider` instead of `@ai-sdk/openai`
+
+6. **Next.js Version References** - Update all "Next.js 15" references to "Next.js 16" across 14 files
+
+### 2. Core UX Components (High Priority)
+
+1. **Error Handling UI**
+   - Global error boundary (`src/app/error.tsx`)
+   - Custom 404 page (`src/app/not-found.tsx`)
+   - Chat-specific error handling (`src/app/chat/error.tsx`)
+
+2. **Loading States**
+   - Skeleton component (`src/components/ui/skeleton.tsx`)
+   - Loading spinner (`src/components/ui/spinner.tsx`)
+   - Chat loading skeleton (`src/app/chat/loading.tsx`)
+   - Dashboard loading skeleton (`src/app/dashboard/loading.tsx`)
+
+3. **Toast Notifications**
+   - Install shadcn Sonner component
+   - Add Toaster to layout
+
+4. **Chat UX Improvements**
+   - Message timestamps
+   - Copy-to-clipboard for AI responses
+   - Typing/thinking indicator during streaming
+   - Error display for API failures
+   - Message persistence (localStorage)
+
+5. **Database Indexes** - Add missing indexes on:
+   - `session.user_id`
+   - `session.token`
+   - `account.user_id`
+   - `account(provider_id, account_id)`
+   - `user.email`
+
+6. **Form Components**
+   - Input component (`src/components/ui/input.tsx`)
+   - Textarea component (`src/components/ui/textarea.tsx`)
+   - Label component (`src/components/ui/label.tsx`)
+
+### 3. Polish & Security (Medium Priority)
+
+1. **ESLint Enhancement**
+   - Import ordering rules
+   - TypeScript-eslint rules
+   - React hooks exhaustive-deps
+   - no-console warnings
+
+2. **API Hardening**
+   - Rate limiting for chat endpoint
+   - Zod validation for incoming messages
+   - Restrict diagnostics endpoint to admins
+
+3. **SEO Improvements**
+   - Per-page metadata
+   - Open Graph tags
+   - JSON-LD structured data
+   - Sitemap (`src/app/sitemap.ts`)
+   - Robots (`src/app/robots.ts`)
+
+4. **Accessibility**
+   - aria-label on interactive elements
+   - nav role in site header
+   - Proper form labels
+   - Skip-to-content link
+
+5. **TypeScript Strictness**
+   - `noUncheckedIndexedAccess: true`
+   - `noImplicitOverride: true`
+   - `exactOptionalPropertyTypes: true`
+
+### 4. Developer Experience (DevEx)
+
+1. **Prettier Configuration** - Add `.prettierrc` for consistent code formatting
+
+2. **CI/CD Pipeline** - GitHub Actions workflow with:
+   - Lint check
+   - Type check
+   - Build verification
+
+3. **Node Version Pinning** - Add `.nvmrc` for Node 20 LTS
+
+4. **CLI Scripts** - Add helpful package.json scripts:
+   - `validate-env` - Check required environment variables
+   - `check` - Run lint + typecheck in one command
+
+5. **Setup Experience** - Interactive setup script (`scripts/setup.ts`)
+
+6. **File Storage Security**
+   - File type whitelist
+   - File size limits
+   - Filename sanitization
+
+7. **Profile Page** - Enable disabled quick action buttons
+
+## Out of Scope
+
+- Unit testing framework
+- E2E testing framework
+- Dockerfile / container deployment
+- Database seeding
diff --git a/src/app/api/auth/[...all]/route.ts b/src/app/api/auth/[...all]/route.ts
index 81724a0..1aa0faf 100644
--- a/src/app/api/auth/[...all]/route.ts
+++ b/src/app/api/auth/[...all]/route.ts
@@ -1,4 +1,4 @@
-import { auth } from "@/lib/auth"
 import { toNextJsHandler } from "better-auth/next-js"
+import { auth } from "@/lib/auth"
 
 export const { GET, POST } = toNextJsHandler(auth)
\ No newline at end of file
diff --git a/src/app/api/chat/route.ts b/src/app/api/chat/route.ts
index aa5a775..aff9faa 100644
--- a/src/app/api/chat/route.ts
+++ b/src/app/api/chat/route.ts
@@ -1,13 +1,85 @@
+import { headers } from "next/headers";
 import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import { streamText, UIMessage, convertToModelMessages } from "ai";
+import { z } from "zod";
+import { auth } from "@/lib/auth";
+import {
+  checkRateLimit,
+  createRateLimitResponse,
+  rateLimitConfigs,
+} from "@/lib/rate-limit";
+
+// Zod schema for message validation
+const messagePartSchema = z.object({
+  type: z.string(),
+  text: z.string().max(10000, "Message text too long").optional(),
+});
+
+const messageSchema = z.object({
+  id: z.string().optional(),
+  role: z.enum(["user", "assistant", "system"]),
+  parts: z.array(messagePartSchema).optional(),
+  content: z.union([z.string(), z.array(messagePartSchema)]).optional(),
+});
+
+const chatRequestSchema = z.object({
+  messages: z.array(messageSchema).max(100, "Too many messages"),
+});
 
 export async function POST(req: Request) {
-  const { messages }: { messages: UIMessage[] } = await req.json();
+  // Verify user is authenticated
+  const session = await auth.api.getSession({ headers: await headers() });
+  if (!session) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+
+  // Rate limiting by user ID
+  const rateLimitKey = `chat:${session.user.id}`;
+  const rateLimit = checkRateLimit(rateLimitKey, rateLimitConfigs.chat);
+  if (!rateLimit.allowed) {
+    return createRateLimitResponse(rateLimit.resetTime);
+  }
+
+  // Parse and validate request body
+  let body: unknown;
+  try {
+    body = await req.json();
+  } catch {
+    return new Response(JSON.stringify({ error: "Invalid JSON" }), {
+      status: 400,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+
+  const parsed = chatRequestSchema.safeParse(body);
+  if (!parsed.success) {
+    return new Response(
+      JSON.stringify({
+        error: "Invalid request",
+        details: parsed.error.flatten().fieldErrors,
+      }),
+      {
+        status: 400,
+        headers: { "Content-Type": "application/json" },
+      }
+    );
+  }
+
+  const { messages }: { messages: UIMessage[] } = parsed.data as { messages: UIMessage[] };
 
   // Initialize OpenRouter with API key from environment
-  const openrouter = createOpenRouter({
-    apiKey: process.env.OPENROUTER_API_KEY,
-  });
+  const apiKey = process.env.OPENROUTER_API_KEY;
+  if (!apiKey) {
+    return new Response(JSON.stringify({ error: "OpenRouter API key not configured" }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+
+  const openrouter = createOpenRouter({ apiKey });
 
   const result = streamText({
     model: openrouter(process.env.OPENROUTER_MODEL || "openai/gpt-5-mini"),
diff --git a/src/app/api/diagnostics/route.ts b/src/app/api/diagnostics/route.ts
index f5eabae..580d113 100644
--- a/src/app/api/diagnostics/route.ts
+++ b/src/app/api/diagnostics/route.ts
@@ -1,4 +1,6 @@
+import { headers } from "next/headers";
 import { NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
 
 type StatusLevel = "ok" | "warn" | "error";
 
@@ -32,6 +34,14 @@ interface DiagnosticsResponse {
 }
 
 export async function GET(req: Request) {
+  // Require authentication for diagnostics endpoint
+  const session = await auth.api.getSession({ headers: await headers() });
+  if (!session) {
+    return NextResponse.json(
+      { error: "Unauthorized. Please sign in to access diagnostics." },
+      { status: 401 }
+    );
+  }
   const env = {
     POSTGRES_URL: Boolean(process.env.POSTGRES_URL),
     BETTER_AUTH_SECRET: Boolean(process.env.BETTER_AUTH_SECRET),
@@ -137,7 +147,7 @@ export async function GET(req: Request) {
     database: {
       connected: dbConnected,
       schemaApplied,
-      error: dbError,
+      ...(dbError !== undefined && { error: dbError }),
     },
     auth: {
       configured: authConfigured,
diff --git a/src/app/chat/error.tsx b/src/app/chat/error.tsx
new file mode 100644
index 0000000..0e5731c
--- /dev/null
+++ b/src/app/chat/error.tsx
@@ -0,0 +1,46 @@
+"use client";
+
+import { useEffect } from "react";
+import { MessageSquareWarning, RefreshCw } from "lucide-react";
+import { Button } from "@/components/ui/button";
+
+export default function ChatError({
+  error,
+  reset,
+}: {
+  error: Error & { digest?: string };
+  reset: () => void;
+}) {
+  useEffect(() => {
+    console.error("Chat error:", error);
+  }, [error]);
+
+  return (
+    <div className="container mx-auto px-4 py-16">
+      <div className="max-w-md mx-auto text-center">
+        <div className="flex justify-center mb-6">
+          <MessageSquareWarning className="h-16 w-16 text-destructive" />
+        </div>
+        <h1 className="text-2xl font-bold mb-4">Chat Error</h1>
+        <p className="text-muted-foreground mb-6">
+          There was a problem with the chat service. This could be due to a
+          connection issue or the AI service being temporarily unavailable.
+        </p>
+        {error.message && (
+          <p className="text-sm text-muted-foreground mb-4 p-2 bg-muted rounded">
+            {error.message}
+          </p>
+        )}
+        <div className="flex gap-4 justify-center">
+          <Button onClick={reset}>
+            <RefreshCw className="h-4 w-4 mr-2" />
+            Try again
+          </Button>
+          <Button variant="outline" onClick={() => (window.location.href = "/")}>
+            Go home
+          </Button>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/src/app/chat/loading.tsx b/src/app/chat/loading.tsx
new file mode 100644
index 0000000..c0c47d4
--- /dev/null
+++ b/src/app/chat/loading.tsx
@@ -0,0 +1,42 @@
+import { Skeleton } from "@/components/ui/skeleton";
+
+export default function ChatLoading() {
+  return (
+    <div className="container mx-auto px-4 py-8">
+      <div className="max-w-4xl mx-auto">
+        {/* Header skeleton */}
+        <div className="flex justify-between items-center mb-6 pb-4 border-b">
+          <Skeleton className="h-8 w-32" />
+          <Skeleton className="h-4 w-40" />
+        </div>
+
+        {/* Messages skeleton */}
+        <div className="min-h-[50vh] space-y-4 mb-4">
+          {/* AI message */}
+          <div className="max-w-[80%]">
+            <Skeleton className="h-4 w-12 mb-2" />
+            <Skeleton className="h-20 w-full rounded-lg" />
+          </div>
+
+          {/* User message */}
+          <div className="max-w-[80%] ml-auto">
+            <Skeleton className="h-4 w-12 mb-2 ml-auto" />
+            <Skeleton className="h-12 w-full rounded-lg" />
+          </div>
+
+          {/* AI message */}
+          <div className="max-w-[80%]">
+            <Skeleton className="h-4 w-12 mb-2" />
+            <Skeleton className="h-32 w-full rounded-lg" />
+          </div>
+        </div>
+
+        {/* Input skeleton */}
+        <div className="flex gap-2">
+          <Skeleton className="flex-1 h-10 rounded-md" />
+          <Skeleton className="h-10 w-20 rounded-md" />
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/src/app/chat/page.tsx b/src/app/chat/page.tsx
index c77825e..728c540 100644
--- a/src/app/chat/page.tsx
+++ b/src/app/chat/page.tsx
@@ -1,11 +1,13 @@
 "use client";
 
+import { useState, useEffect, type ReactNode } from "react";
 import { useChat } from "@ai-sdk/react";
-import { Button } from "@/components/ui/button";
-import { UserProfile } from "@/components/auth/user-profile";
-import { useSession } from "@/lib/auth-client";
-import { useState, type ReactNode } from "react";
+import { Copy, Check, Loader2 } from "lucide-react";
 import ReactMarkdown from "react-markdown";
+import { toast } from "sonner";
+import { UserProfile } from "@/components/auth/user-profile";
+import { Button } from "@/components/ui/button";
+import { useSession } from "@/lib/auth-client";
 import type { Components } from "react-markdown";
 
 const H1: React.FC<React.HTMLAttributes<HTMLHeadingElement>> = (props) => (
@@ -110,6 +112,18 @@ type MaybePartsMessage = {
   content?: TextPart[];
 };
 
+function getMessageText(message: MaybePartsMessage): string {
+  const parts = Array.isArray(message.parts)
+    ? message.parts
+    : Array.isArray(message.content)
+    ? message.content
+    : [];
+  return parts
+    .filter((p) => p?.type === "text" && p.text)
+    .map((p) => p.text)
+    .join("\n");
+}
+
 function renderMessageContent(message: MaybePartsMessage): ReactNode {
   if (message.display) return message.display;
   const parts = Array.isArray(message.parts)
@@ -126,11 +140,93 @@ function renderMessageContent(message: MaybePartsMessage): ReactNode {
   );
 }
 
+function formatTimestamp(date: Date): string {
+  return new Intl.DateTimeFormat("en-US", {
+    hour: "numeric",
+    minute: "2-digit",
+    hour12: true,
+  }).format(date);
+}
+
+function CopyButton({ text }: { text: string }) {
+  const [copied, setCopied] = useState(false);
+
+  const handleCopy = async () => {
+    try {
+      await navigator.clipboard.writeText(text);
+      setCopied(true);
+      toast.success("Copied to clipboard");
+      setTimeout(() => setCopied(false), 2000);
+    } catch {
+      toast.error("Failed to copy");
+    }
+  };
+
+  return (
+    <button
+      onClick={handleCopy}
+      className="p-1 hover:bg-muted rounded transition-colors"
+      title="Copy to clipboard"
+    >
+      {copied ? (
+        <Check className="h-3.5 w-3.5 text-green-500" />
+      ) : (
+        <Copy className="h-3.5 w-3.5 text-muted-foreground" />
+      )}
+    </button>
+  );
+}
+
+function ThinkingIndicator() {
+  return (
+    <div className="flex items-center gap-2 p-3 rounded-lg bg-muted max-w-[80%]">
+      <Loader2 className="h-4 w-4 animate-spin" />
+      <span className="text-sm text-muted-foreground">AI is thinking...</span>
+    </div>
+  );
+}
+
+const STORAGE_KEY = "chat-messages";
+
 export default function ChatPage() {
   const { data: session, isPending } = useSession();
-  const { messages, sendMessage, status } = useChat();
+  const { messages, sendMessage, status, error, setMessages } = useChat({
+    onError: (err) => {
+      toast.error(err.message || "Failed to send message");
+    },
+  });
   const [input, setInput] = useState("");
 
+  // Load messages from localStorage on mount
+  useEffect(() => {
+    if (typeof window !== "undefined") {
+      const saved = localStorage.getItem(STORAGE_KEY);
+      if (saved) {
+        try {
+          const parsed = JSON.parse(saved);
+          if (Array.isArray(parsed) && parsed.length > 0) {
+            setMessages(parsed);
+          }
+        } catch {
+          // Invalid JSON, ignore
+        }
+      }
+    }
+  }, [setMessages]);
+
+  // Save messages to localStorage when they change
+  useEffect(() => {
+    if (typeof window !== "undefined" && messages.length > 0) {
+      localStorage.setItem(STORAGE_KEY, JSON.stringify(messages));
+    }
+  }, [messages]);
+
+  const clearMessages = () => {
+    setMessages([]);
+    localStorage.removeItem(STORAGE_KEY);
+    toast.success("Chat cleared");
+  };
+
   if (isPending) {
     return <div className="container mx-auto px-4 py-12">Loading...</div>;
   }
@@ -145,37 +241,77 @@ export default function ChatPage() {
     );
   }
 
+  const isStreaming = status === "streaming";
+
   return (
     <div className="container mx-auto px-4 py-8">
       <div className="max-w-4xl mx-auto">
         <div className="flex justify-between items-center mb-6 pb-4 border-b">
           <h1 className="text-2xl font-bold">AI Chat</h1>
-          <span className="text-sm text-muted-foreground">
-            Welcome, {session.user.name}!
-          </span>
+          <div className="flex items-center gap-4">
+            <span className="text-sm text-muted-foreground">
+              Welcome, {session.user.name}!
+            </span>
+            {messages.length > 0 && (
+              <Button variant="ghost" size="sm" onClick={clearMessages}>
+                Clear chat
+              </Button>
+            )}
+          </div>
         </div>
 
+        {error && (
+          <div className="mb-4 p-4 bg-destructive/10 border border-destructive/20 rounded-lg">
+            <p className="text-sm text-destructive">
+              Error: {error.message || "Something went wrong"}
+            </p>
+          </div>
+        )}
+
         <div className="min-h-[50vh] overflow-y-auto space-y-4 mb-4">
           {messages.length === 0 && (
-            <div className="text-center text-muted-foreground">
+            <div className="text-center text-muted-foreground py-12">
               Start a conversation with AI
             </div>
           )}
-          {messages.map((message) => (
-            <div
-              key={message.id}
-              className={`p-3 rounded-lg ${
-                message.role === "user"
-                  ? "bg-primary text-primary-foreground ml-auto max-w-[80%]"
-                  : "bg-muted max-w-[80%]"
-              }`}
-            >
-              <div className="text-sm font-medium mb-1">
-                {message.role === "user" ? "You" : "AI"}
+          {messages.map((message) => {
+            const messageText = getMessageText(message as MaybePartsMessage);
+            const createdAt = (message as { createdAt?: Date }).createdAt;
+            const timestamp = createdAt
+              ? formatTimestamp(new Date(createdAt))
+              : null;
+
+            return (
+              <div
+                key={message.id}
+                className={`group p-3 rounded-lg ${
+                  message.role === "user"
+                    ? "bg-primary text-primary-foreground ml-auto max-w-[80%]"
+                    : "bg-muted max-w-[80%]"
+                }`}
+              >
+                <div className="flex items-center justify-between mb-1">
+                  <div className="flex items-center gap-2">
+                    <span className="text-sm font-medium">
+                      {message.role === "user" ? "You" : "AI"}
+                    </span>
+                    {timestamp && (
+                      <span className="text-xs opacity-60">{timestamp}</span>
+                    )}
+                  </div>
+                  {message.role === "assistant" && messageText && (
+                    <div className="opacity-0 group-hover:opacity-100 transition-opacity">
+                      <CopyButton text={messageText} />
+                    </div>
+                  )}
+                </div>
+                <div>{renderMessageContent(message as MaybePartsMessage)}</div>
               </div>
-              <div>{renderMessageContent(message as MaybePartsMessage)}</div>
-            </div>
-          ))}
+            );
+          })}
+          {isStreaming && messages[messages.length - 1]?.role === "user" && (
+            <ThinkingIndicator />
+          )}
         </div>
 
         <form
@@ -193,12 +329,17 @@ export default function ChatPage() {
             onChange={(e) => setInput(e.target.value)}
             placeholder="Type your message..."
             className="flex-1 p-2 border border-border rounded-md focus:outline-none focus:ring-2 focus:ring-ring"
+            disabled={isStreaming}
           />
-          <Button
-            type="submit"
-            disabled={!input.trim() || status === "streaming"}
-          >
-            Send
+          <Button type="submit" disabled={!input.trim() || isStreaming}>
+            {isStreaming ? (
+              <>
+                <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+                Sending
+              </>
+            ) : (
+              "Send"
+            )}
           </Button>
         </form>
       </div>
diff --git a/src/app/dashboard/loading.tsx b/src/app/dashboard/loading.tsx
new file mode 100644
index 0000000..3f1811c
--- /dev/null
+++ b/src/app/dashboard/loading.tsx
@@ -0,0 +1,63 @@
+import { Skeleton } from "@/components/ui/skeleton";
+
+export default function DashboardLoading() {
+  return (
+    <div className="container mx-auto px-4 py-8">
+      <div className="max-w-4xl mx-auto space-y-8">
+        {/* Header */}
+        <div className="space-y-2">
+          <Skeleton className="h-8 w-48" />
+          <Skeleton className="h-4 w-64" />
+        </div>
+
+        {/* Stats cards */}
+        <div className="grid gap-4 md:grid-cols-3">
+          {[1, 2, 3].map((i) => (
+            <div key={i} className="p-6 border rounded-lg">
+              <Skeleton className="h-4 w-24 mb-2" />
+              <Skeleton className="h-8 w-16" />
+            </div>
+          ))}
+        </div>
+
+        {/* Profile card */}
+        <div className="p-6 border rounded-lg space-y-4">
+          <div className="flex items-center gap-4">
+            <Skeleton className="h-16 w-16 rounded-full" />
+            <div className="space-y-2">
+              <Skeleton className="h-5 w-40" />
+              <Skeleton className="h-4 w-56" />
+            </div>
+          </div>
+          <Skeleton className="h-px w-full" />
+          <div className="grid gap-4 md:grid-cols-2">
+            <div className="space-y-2">
+              <Skeleton className="h-4 w-20" />
+              <Skeleton className="h-4 w-32" />
+            </div>
+            <div className="space-y-2">
+              <Skeleton className="h-4 w-20" />
+              <Skeleton className="h-4 w-32" />
+            </div>
+          </div>
+        </div>
+
+        {/* Recent activity */}
+        <div className="space-y-4">
+          <Skeleton className="h-6 w-36" />
+          <div className="space-y-3">
+            {[1, 2, 3].map((i) => (
+              <div key={i} className="flex items-center gap-4 p-4 border rounded-lg">
+                <Skeleton className="h-10 w-10 rounded-full" />
+                <div className="flex-1 space-y-2">
+                  <Skeleton className="h-4 w-3/4" />
+                  <Skeleton className="h-3 w-1/2" />
+                </div>
+              </div>
+            ))}
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/src/app/dashboard/page.tsx b/src/app/dashboard/page.tsx
index 49cd1b6..c4018cc 100644
--- a/src/app/dashboard/page.tsx
+++ b/src/app/dashboard/page.tsx
@@ -1,11 +1,11 @@
 "use client";
 
-import { useSession } from "@/lib/auth-client";
+import Link from "next/link";
+import { Lock } from "lucide-react";
 import { UserProfile } from "@/components/auth/user-profile";
 import { Button } from "@/components/ui/button";
-import { Lock } from "lucide-react";
 import { useDiagnostics } from "@/hooks/use-diagnostics";
-import Link from "next/link";
+import { useSession } from "@/lib/auth-client";
 
 export default function DashboardPage() {
   const { data: session, isPending } = useSession();
diff --git a/src/app/error.tsx b/src/app/error.tsx
new file mode 100644
index 0000000..45fcc5b
--- /dev/null
+++ b/src/app/error.tsx
@@ -0,0 +1,44 @@
+"use client";
+
+import { useEffect } from "react";
+import { AlertCircle } from "lucide-react";
+import { Button } from "@/components/ui/button";
+
+export default function Error({
+  error,
+  reset,
+}: {
+  error: Error & { digest?: string };
+  reset: () => void;
+}) {
+  useEffect(() => {
+    // Log the error to an error reporting service
+    console.error("Application error:", error);
+  }, [error]);
+
+  return (
+    <div className="container mx-auto px-4 py-16">
+      <div className="max-w-md mx-auto text-center">
+        <div className="flex justify-center mb-6">
+          <AlertCircle className="h-16 w-16 text-destructive" />
+        </div>
+        <h1 className="text-2xl font-bold mb-4">Something went wrong</h1>
+        <p className="text-muted-foreground mb-6">
+          An unexpected error occurred. Please try again or contact support if
+          the problem persists.
+        </p>
+        {error.digest && (
+          <p className="text-xs text-muted-foreground mb-4">
+            Error ID: {error.digest}
+          </p>
+        )}
+        <div className="flex gap-4 justify-center">
+          <Button onClick={reset}>Try again</Button>
+          <Button variant="outline" onClick={() => (window.location.href = "/")}>
+            Go home
+          </Button>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/src/app/layout.tsx b/src/app/layout.tsx
index e9dd733..d6d9c4f 100644
--- a/src/app/layout.tsx
+++ b/src/app/layout.tsx
@@ -1,9 +1,10 @@
-import { ThemeProvider } from "@/components/theme-provider";
-import type { Metadata } from "next";
 import { Geist, Geist_Mono } from "next/font/google";
 import "./globals.css";
-import { SiteHeader } from "@/components/site-header";
 import { SiteFooter } from "@/components/site-footer";
+import { SiteHeader } from "@/components/site-header";
+import { ThemeProvider } from "@/components/theme-provider";
+import { Toaster } from "@/components/ui/sonner";
+import type { Metadata } from "next";
 
 const geistSans = Geist({
   variable: "--font-geist-sans",
@@ -16,9 +17,62 @@ const geistMono = Geist_Mono({
 });
 
 export const metadata: Metadata = {
-  title: "Agentic Coding Boilerplate",
+  title: {
+    default: "Agentic Coding Boilerplate",
+    template: "%s | Agentic Coding Boilerplate",
+  },
   description:
     "Complete agentic coding boilerplate with authentication, database, AI integration, and modern tooling - perfect for building AI-powered applications and autonomous agents by Leon van Zyl",
+  keywords: [
+    "Next.js",
+    "React",
+    "TypeScript",
+    "AI",
+    "OpenRouter",
+    "Boilerplate",
+    "Authentication",
+    "PostgreSQL",
+  ],
+  authors: [{ name: "Leon van Zyl" }],
+  creator: "Leon van Zyl",
+  openGraph: {
+    type: "website",
+    locale: "en_US",
+    siteName: "Agentic Coding Boilerplate",
+    title: "Agentic Coding Boilerplate",
+    description:
+      "Complete agentic coding boilerplate with authentication, database, AI integration, and modern tooling",
+  },
+  twitter: {
+    card: "summary_large_image",
+    title: "Agentic Coding Boilerplate",
+    description:
+      "Complete agentic coding boilerplate with authentication, database, AI integration, and modern tooling",
+  },
+  robots: {
+    index: true,
+    follow: true,
+  },
+};
+
+// JSON-LD structured data for SEO
+const jsonLd = {
+  "@context": "https://schema.org",
+  "@type": "WebApplication",
+  name: "Agentic Coding Boilerplate",
+  description:
+    "Complete agentic coding boilerplate with authentication, database, AI integration, and modern tooling",
+  applicationCategory: "DeveloperApplication",
+  operatingSystem: "Any",
+  offers: {
+    "@type": "Offer",
+    price: "0",
+    priceCurrency: "USD",
+  },
+  author: {
+    "@type": "Person",
+    name: "Leon van Zyl",
+  },
 };
 
 export default function RootLayout({
@@ -28,6 +82,12 @@ export default function RootLayout({
 }>) {
   return (
     <html lang="en" suppressHydrationWarning>
+      <head>
+        <script
+          type="application/ld+json"
+          dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLd) }}
+        />
+      </head>
       <body
         className={`${geistSans.variable} ${geistMono.variable} antialiased`}
       >
@@ -38,8 +98,9 @@ export default function RootLayout({
           disableTransitionOnChange
         >
           <SiteHeader />
-          {children}
+          <main id="main-content">{children}</main>
           <SiteFooter />
+          <Toaster richColors position="top-right" />
         </ThemeProvider>
       </body>
     </html>
diff --git a/src/app/manifest.ts b/src/app/manifest.ts
new file mode 100644
index 0000000..666d533
--- /dev/null
+++ b/src/app/manifest.ts
@@ -0,0 +1,21 @@
+import type { MetadataRoute } from "next";
+
+export default function manifest(): MetadataRoute.Manifest {
+  return {
+    name: "Agentic Coding Boilerplate",
+    short_name: "Agentic",
+    description:
+      "Complete agentic coding boilerplate with authentication, database, AI integration, and modern tooling",
+    start_url: "/",
+    display: "standalone",
+    background_color: "#ffffff",
+    theme_color: "#000000",
+    icons: [
+      {
+        src: "/favicon.ico",
+        sizes: "any",
+        type: "image/x-icon",
+      },
+    ],
+  };
+}
diff --git a/src/app/not-found.tsx b/src/app/not-found.tsx
new file mode 100644
index 0000000..4a9dd1d
--- /dev/null
+++ b/src/app/not-found.tsx
@@ -0,0 +1,28 @@
+import Link from "next/link";
+import { FileQuestion } from "lucide-react";
+import { Button } from "@/components/ui/button";
+
+export default function NotFound() {
+  return (
+    <div className="container mx-auto px-4 py-16">
+      <div className="max-w-md mx-auto text-center">
+        <div className="flex justify-center mb-6">
+          <FileQuestion className="h-16 w-16 text-muted-foreground" />
+        </div>
+        <h1 className="text-4xl font-bold mb-4">404</h1>
+        <h2 className="text-xl font-semibold mb-4">Page Not Found</h2>
+        <p className="text-muted-foreground mb-6">
+          The page you&apos;re looking for doesn&apos;t exist or has been moved.
+        </p>
+        <div className="flex gap-4 justify-center">
+          <Button asChild>
+            <Link href="/">Go home</Link>
+          </Button>
+          <Button variant="outline" asChild>
+            <Link href="/dashboard">Dashboard</Link>
+          </Button>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/src/app/page.tsx b/src/app/page.tsx
index 7583baa..94b9c8e 100644
--- a/src/app/page.tsx
+++ b/src/app/page.tsx
@@ -1,11 +1,11 @@
 "use client";
 
 import Link from "next/link";
-import { Button } from "@/components/ui/button";
-import { SetupChecklist } from "@/components/setup-checklist";
-import { useDiagnostics } from "@/hooks/use-diagnostics";
-import { StarterPromptModal } from "@/components/starter-prompt-modal";
 import { Video, Shield, Database, Palette, Bot } from "lucide-react";
+import { SetupChecklist } from "@/components/setup-checklist";
+import { StarterPromptModal } from "@/components/starter-prompt-modal";
+import { Button } from "@/components/ui/button";
+import { useDiagnostics } from "@/hooks/use-diagnostics";
 
 export default function Home() {
   const { isAuthReady, isAiReady, loading } = useDiagnostics();
diff --git a/src/app/profile/page.tsx b/src/app/profile/page.tsx
index b8d6cf1..6a7870e 100644
--- a/src/app/profile/page.tsx
+++ b/src/app/profile/page.tsx
@@ -1,17 +1,37 @@
 "use client";
 
-import { useSession } from "@/lib/auth-client";
-import { Avatar, AvatarImage, AvatarFallback } from "@/components/ui/avatar";
-import { Button } from "@/components/ui/button";
-import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
-import { Badge } from "@/components/ui/badge";
-import { Separator } from "@/components/ui/separator";
-import { Mail, Calendar, User, Shield, ArrowLeft } from "lucide-react";
+import { useState } from "react";
 import { useRouter } from "next/navigation";
+import { Mail, Calendar, User, Shield, ArrowLeft, Lock, Smartphone } from "lucide-react";
+import { toast } from "sonner";
+import { Avatar, AvatarImage, AvatarFallback } from "@/components/ui/avatar";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "@/components/ui/card";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { Separator } from "@/components/ui/separator";
+import { useSession } from "@/lib/auth-client";
 
 export default function ProfilePage() {
   const { data: session, isPending } = useSession();
   const router = useRouter();
+  const [editProfileOpen, setEditProfileOpen] = useState(false);
+  const [securityOpen, setSecurityOpen] = useState(false);
+  const [emailPrefsOpen, setEmailPrefsOpen] = useState(false);
 
   if (isPending) {
     return (
@@ -27,11 +47,20 @@ export default function ProfilePage() {
   }
 
   const user = session.user;
-  const createdDate = user.createdAt ? new Date(user.createdAt).toLocaleDateString('en-US', {
-    year: 'numeric',
-    month: 'long',
-    day: 'numeric'
-  }) : null;
+  const createdDate = user.createdAt
+    ? new Date(user.createdAt).toLocaleDateString("en-US", {
+        year: "numeric",
+        month: "long",
+        day: "numeric",
+      })
+    : null;
+
+  const handleEditProfileSubmit = (e: React.FormEvent<HTMLFormElement>) => {
+    e.preventDefault();
+    // In a real app, this would call an API to update the user profile
+    toast.info("Profile updates require backend implementation");
+    setEditProfileOpen(false);
+  };
 
   return (
     <div className="container max-w-4xl mx-auto py-8 px-4">
@@ -60,11 +89,7 @@ export default function ProfilePage() {
                   referrerPolicy="no-referrer"
                 />
                 <AvatarFallback className="text-lg">
-                  {(
-                    user.name?.[0] ||
-                    user.email?.[0] ||
-                    "U"
-                  ).toUpperCase()}
+                  {(user.name?.[0] || user.email?.[0] || "U").toUpperCase()}
                 </AvatarFallback>
               </Avatar>
               <div className="space-y-2">
@@ -73,7 +98,10 @@ export default function ProfilePage() {
                   <Mail className="h-4 w-4" />
                   <span>{user.email}</span>
                   {user.emailVerified && (
-                    <Badge variant="outline" className="text-green-600 border-green-600">
+                    <Badge
+                      variant="outline"
+                      className="text-green-600 border-green-600"
+                    >
                       <Shield className="h-3 w-3 mr-1" />
                       Verified
                     </Badge>
@@ -94,9 +122,7 @@ export default function ProfilePage() {
         <Card>
           <CardHeader>
             <CardTitle>Account Information</CardTitle>
-            <CardDescription>
-              Your account details and settings
-            </CardDescription>
+            <CardDescription>Your account details and settings</CardDescription>
           </CardHeader>
           <CardContent className="space-y-6">
             <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
@@ -115,16 +141,19 @@ export default function ProfilePage() {
                 <div className="p-3 border rounded-md bg-muted/10 flex items-center justify-between">
                   <span>{user.email}</span>
                   {user.emailVerified && (
-                    <Badge variant="outline" className="text-green-600 border-green-600">
+                    <Badge
+                      variant="outline"
+                      className="text-green-600 border-green-600"
+                    >
                       Verified
                     </Badge>
                   )}
                 </div>
               </div>
             </div>
-            
+
             <Separator />
-            
+
             <div className="space-y-4">
               <h3 className="text-lg font-medium">Account Status</h3>
               <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
@@ -171,7 +200,10 @@ export default function ProfilePage() {
                     <p className="text-sm text-muted-foreground">Active now</p>
                   </div>
                 </div>
-                <Badge variant="outline" className="text-green-600 border-green-600">
+                <Badge
+                  variant="outline"
+                  className="text-green-600 border-green-600"
+                >
                   Active
                 </Badge>
               </div>
@@ -189,34 +221,195 @@ export default function ProfilePage() {
           </CardHeader>
           <CardContent>
             <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
-              <Button variant="outline" className="justify-start h-auto p-4" disabled>
+              <Button
+                variant="outline"
+                className="justify-start h-auto p-4"
+                onClick={() => setEditProfileOpen(true)}
+              >
                 <User className="h-4 w-4 mr-2" />
                 <div className="text-left">
                   <div className="font-medium">Edit Profile</div>
-                  <div className="text-xs text-muted-foreground">Update your information</div>
+                  <div className="text-xs text-muted-foreground">
+                    Update your information
+                  </div>
                 </div>
               </Button>
-              <Button variant="outline" className="justify-start h-auto p-4" disabled>
+              <Button
+                variant="outline"
+                className="justify-start h-auto p-4"
+                onClick={() => setSecurityOpen(true)}
+              >
                 <Shield className="h-4 w-4 mr-2" />
                 <div className="text-left">
                   <div className="font-medium">Security Settings</div>
-                  <div className="text-xs text-muted-foreground">Manage security options</div>
+                  <div className="text-xs text-muted-foreground">
+                    Manage security options
+                  </div>
                 </div>
               </Button>
-              <Button variant="outline" className="justify-start h-auto p-4" disabled>
+              <Button
+                variant="outline"
+                className="justify-start h-auto p-4"
+                onClick={() => setEmailPrefsOpen(true)}
+              >
                 <Mail className="h-4 w-4 mr-2" />
                 <div className="text-left">
                   <div className="font-medium">Email Preferences</div>
-                  <div className="text-xs text-muted-foreground">Configure notifications</div>
+                  <div className="text-xs text-muted-foreground">
+                    Configure notifications
+                  </div>
                 </div>
               </Button>
             </div>
-            <p className="text-xs text-muted-foreground mt-4">
-              Additional profile management features coming soon.
-            </p>
           </CardContent>
         </Card>
       </div>
+
+      {/* Edit Profile Dialog */}
+      <Dialog open={editProfileOpen} onOpenChange={setEditProfileOpen}>
+        <DialogContent className="sm:max-w-[425px]">
+          <DialogHeader>
+            <DialogTitle>Edit Profile</DialogTitle>
+            <DialogDescription>
+              Update your profile information. Changes will be saved to your
+              account.
+            </DialogDescription>
+          </DialogHeader>
+          <form onSubmit={handleEditProfileSubmit} className="space-y-4">
+            <div className="space-y-2">
+              <Label htmlFor="name">Full Name</Label>
+              <Input
+                id="name"
+                defaultValue={user.name || ""}
+                placeholder="Enter your name"
+              />
+            </div>
+            <div className="space-y-2">
+              <Label htmlFor="email">Email</Label>
+              <Input
+                id="email"
+                type="email"
+                defaultValue={user.email || ""}
+                disabled
+                className="bg-muted"
+              />
+              <p className="text-xs text-muted-foreground">
+                Email cannot be changed for OAuth accounts
+              </p>
+            </div>
+            <div className="flex justify-end gap-2 pt-4">
+              <Button
+                type="button"
+                variant="outline"
+                onClick={() => setEditProfileOpen(false)}
+              >
+                Cancel
+              </Button>
+              <Button type="submit">Save Changes</Button>
+            </div>
+          </form>
+        </DialogContent>
+      </Dialog>
+
+      {/* Security Settings Dialog */}
+      <Dialog open={securityOpen} onOpenChange={setSecurityOpen}>
+        <DialogContent className="sm:max-w-[500px]">
+          <DialogHeader>
+            <DialogTitle>Security Settings</DialogTitle>
+            <DialogDescription>
+              Manage your account security and authentication options.
+            </DialogDescription>
+          </DialogHeader>
+          <div className="space-y-4">
+            <div className="flex items-center justify-between p-4 border rounded-lg">
+              <div className="flex items-center gap-3">
+                <Lock className="h-5 w-5 text-muted-foreground" />
+                <div>
+                  <p className="font-medium">Password</p>
+                  <p className="text-sm text-muted-foreground">
+                    {user.email?.includes("@gmail")
+                      ? "Managed by Google"
+                      : "Set a password for your account"}
+                  </p>
+                </div>
+              </div>
+              <Badge variant="outline">
+                {user.email?.includes("@gmail") ? "OAuth" : "Not Set"}
+              </Badge>
+            </div>
+
+            <div className="flex items-center justify-between p-4 border rounded-lg">
+              <div className="flex items-center gap-3">
+                <Smartphone className="h-5 w-5 text-muted-foreground" />
+                <div>
+                  <p className="font-medium">Two-Factor Authentication</p>
+                  <p className="text-sm text-muted-foreground">
+                    Add an extra layer of security
+                  </p>
+                </div>
+              </div>
+              <Button variant="outline" size="sm" disabled>
+                Coming Soon
+              </Button>
+            </div>
+
+            <div className="flex items-center justify-between p-4 border rounded-lg">
+              <div className="flex items-center gap-3">
+                <Shield className="h-5 w-5 text-muted-foreground" />
+                <div>
+                  <p className="font-medium">Active Sessions</p>
+                  <p className="text-sm text-muted-foreground">
+                    Manage devices logged into your account
+                  </p>
+                </div>
+              </div>
+              <Badge variant="default">1 Active</Badge>
+            </div>
+          </div>
+          <div className="flex justify-end pt-4">
+            <Button variant="outline" onClick={() => setSecurityOpen(false)}>
+              Close
+            </Button>
+          </div>
+        </DialogContent>
+      </Dialog>
+
+      {/* Email Preferences Dialog */}
+      <Dialog open={emailPrefsOpen} onOpenChange={setEmailPrefsOpen}>
+        <DialogContent className="sm:max-w-[425px]">
+          <DialogHeader>
+            <DialogTitle>Email Preferences</DialogTitle>
+            <DialogDescription>
+              Configure your email notification settings.
+            </DialogDescription>
+          </DialogHeader>
+          <div className="space-y-4">
+            <div className="flex items-center justify-between p-4 border rounded-lg">
+              <div>
+                <p className="font-medium">Marketing Emails</p>
+                <p className="text-sm text-muted-foreground">
+                  Product updates and announcements
+                </p>
+              </div>
+              <Badge variant="secondary">Coming Soon</Badge>
+            </div>
+            <div className="flex items-center justify-between p-4 border rounded-lg">
+              <div>
+                <p className="font-medium">Security Alerts</p>
+                <p className="text-sm text-muted-foreground">
+                  Important security notifications
+                </p>
+              </div>
+              <Badge variant="default">Always On</Badge>
+            </div>
+          </div>
+          <div className="flex justify-end pt-4">
+            <Button variant="outline" onClick={() => setEmailPrefsOpen(false)}>
+              Close
+            </Button>
+          </div>
+        </DialogContent>
+      </Dialog>
     </div>
   );
-}
\ No newline at end of file
+}
diff --git a/src/app/robots.ts b/src/app/robots.ts
new file mode 100644
index 0000000..05dc8d5
--- /dev/null
+++ b/src/app/robots.ts
@@ -0,0 +1,16 @@
+import type { MetadataRoute } from "next";
+
+export default function robots(): MetadataRoute.Robots {
+  const baseUrl = process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000";
+
+  return {
+    rules: [
+      {
+        userAgent: "*",
+        allow: "/",
+        disallow: ["/api/", "/dashboard/", "/profile/", "/chat/"],
+      },
+    ],
+    sitemap: `${baseUrl}/sitemap.xml`,
+  };
+}
diff --git a/src/app/sitemap.ts b/src/app/sitemap.ts
new file mode 100644
index 0000000..2c17a46
--- /dev/null
+++ b/src/app/sitemap.ts
@@ -0,0 +1,26 @@
+import type { MetadataRoute } from "next";
+
+export default function sitemap(): MetadataRoute.Sitemap {
+  const baseUrl = process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000";
+
+  return [
+    {
+      url: baseUrl,
+      lastModified: new Date(),
+      changeFrequency: "monthly",
+      priority: 1,
+    },
+    {
+      url: `${baseUrl}/dashboard`,
+      lastModified: new Date(),
+      changeFrequency: "weekly",
+      priority: 0.8,
+    },
+    {
+      url: `${baseUrl}/chat`,
+      lastModified: new Date(),
+      changeFrequency: "weekly",
+      priority: 0.8,
+    },
+  ];
+}
diff --git a/src/components/auth/sign-in-button.tsx b/src/components/auth/sign-in-button.tsx
index c868156..7bed448 100644
--- a/src/components/auth/sign-in-button.tsx
+++ b/src/components/auth/sign-in-button.tsx
@@ -1,7 +1,7 @@
 "use client";
 
-import { signIn, useSession } from "@/lib/auth-client";
 import { Button } from "@/components/ui/button";
+import { signIn, useSession } from "@/lib/auth-client";
 
 export function SignInButton() {
   const { data: session, isPending } = useSession();
diff --git a/src/components/auth/sign-out-button.tsx b/src/components/auth/sign-out-button.tsx
index 484ea6b..ae162ed 100644
--- a/src/components/auth/sign-out-button.tsx
+++ b/src/components/auth/sign-out-button.tsx
@@ -1,8 +1,8 @@
 "use client";
 
-import { signOut, useSession } from "@/lib/auth-client";
-import { Button } from "@/components/ui/button";
 import { useRouter } from "next/navigation";
+import { Button } from "@/components/ui/button";
+import { signOut, useSession } from "@/lib/auth-client";
 
 export function SignOutButton() {
   const { data: session, isPending } = useSession();
diff --git a/src/components/auth/user-profile.tsx b/src/components/auth/user-profile.tsx
index 00556d0..34f0ec5 100644
--- a/src/components/auth/user-profile.tsx
+++ b/src/components/auth/user-profile.tsx
@@ -1,7 +1,8 @@
 "use client";
 
-import { useSession, signOut } from "@/lib/auth-client";
-import { SignInButton } from "./sign-in-button";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
+import { User, LogOut } from "lucide-react";
 import { Avatar, AvatarImage, AvatarFallback } from "@/components/ui/avatar";
 import {
   DropdownMenu,
@@ -11,9 +12,8 @@ import {
   DropdownMenuSeparator,
   DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu";
-import Link from "next/link";
-import { useRouter } from "next/navigation";
-import { User, LogOut } from "lucide-react";
+import { useSession, signOut } from "@/lib/auth-client";
+import { SignInButton } from "./sign-in-button";
 
 export function UserProfile() {
   const { data: session, isPending } = useSession();
diff --git a/src/components/setup-checklist.tsx b/src/components/setup-checklist.tsx
index ee5aa4e..ca86052 100644
--- a/src/components/setup-checklist.tsx
+++ b/src/components/setup-checklist.tsx
@@ -1,8 +1,8 @@
 "use client";
 
 import { useEffect, useState } from "react";
-import { Button } from "@/components/ui/button";
 import { CheckCircle2, XCircle } from "lucide-react";
+import { Button } from "@/components/ui/button";
 
 type DiagnosticsResponse = {
   timestamp: string;
diff --git a/src/components/site-header.tsx b/src/components/site-header.tsx
index 99c4173..a6fe4eb 100644
--- a/src/components/site-header.tsx
+++ b/src/components/site-header.tsx
@@ -1,30 +1,46 @@
 import Link from "next/link";
+import { Bot } from "lucide-react";
 import { UserProfile } from "@/components/auth/user-profile";
 import { ModeToggle } from "./ui/mode-toggle";
-import { Bot } from "lucide-react";
 
 export function SiteHeader() {
   return (
-    <header className="border-b">
-      <div className="container mx-auto px-4 py-4 flex justify-between items-center">
-        <h1 className="text-2xl font-bold">
-          <Link
-            href="/"
-            className="flex items-center gap-2 text-primary hover:text-primary/80 transition-colors"
-          >
-            <div className="flex items-center justify-center w-8 h-8 rounded-lg bg-primary/10">
-              <Bot className="h-5 w-5" />
-            </div>
-            <span className="bg-gradient-to-r from-primary to-primary/70 bg-clip-text text-transparent">
-              Starter Kit
-            </span>
-          </Link>
-        </h1>
-        <div className="flex items-center gap-4">
-          <UserProfile />
-          <ModeToggle />
-        </div>
-      </div>
-    </header>
+    <>
+      {/* Skip to main content link for accessibility */}
+      <a
+        href="#main-content"
+        className="sr-only focus:not-sr-only focus:absolute focus:top-4 focus:left-4 focus:z-50 focus:px-4 focus:py-2 focus:bg-background focus:text-foreground focus:border focus:rounded-md"
+      >
+        Skip to main content
+      </a>
+      <header className="border-b" role="banner">
+        <nav
+          className="container mx-auto px-4 py-4 flex justify-between items-center"
+          aria-label="Main navigation"
+        >
+          <h1 className="text-2xl font-bold">
+            <Link
+              href="/"
+              className="flex items-center gap-2 text-primary hover:text-primary/80 transition-colors"
+              aria-label="Starter Kit - Go to homepage"
+            >
+              <div
+                className="flex items-center justify-center w-8 h-8 rounded-lg bg-primary/10"
+                aria-hidden="true"
+              >
+                <Bot className="h-5 w-5" />
+              </div>
+              <span className="bg-gradient-to-r from-primary to-primary/70 bg-clip-text text-transparent">
+                Starter Kit
+              </span>
+            </Link>
+          </h1>
+          <div className="flex items-center gap-4" role="group" aria-label="User actions">
+            <UserProfile />
+            <ModeToggle />
+          </div>
+        </nav>
+      </header>
+    </>
   );
 }
diff --git a/src/components/starter-prompt-modal.tsx b/src/components/starter-prompt-modal.tsx
index e3b7c51..90636da 100644
--- a/src/components/starter-prompt-modal.tsx
+++ b/src/components/starter-prompt-modal.tsx
@@ -1,6 +1,7 @@
 "use client";
 
 import { useState } from "react";
+import { Copy, Check } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import {
   Dialog,
@@ -10,7 +11,6 @@ import {
   DialogTitle,
   DialogTrigger,
 } from "@/components/ui/dialog";
-import { Copy, Check } from "lucide-react";
 
 const STARTER_PROMPT = `I'm working with an agentic coding boilerplate project that includes authentication, database integration, and AI capabilities. Here's what's already set up:
 
@@ -50,7 +50,7 @@ The only things to preserve are:
 - **Build and development scripts** (keep all npm/pnpm scripts in package.json)
 
 ## Tech Stack
-- Next.js 15 with App Router
+- Next.js 16 with App Router
 - TypeScript
 - Tailwind CSS
 - Better Auth for authentication
diff --git a/src/components/ui/avatar.tsx b/src/components/ui/avatar.tsx
index 71e428b..34e95d1 100644
--- a/src/components/ui/avatar.tsx
+++ b/src/components/ui/avatar.tsx
@@ -2,7 +2,6 @@
 
 import * as React from "react"
 import * as AvatarPrimitive from "@radix-ui/react-avatar"
-
 import { cn } from "@/lib/utils"
 
 function Avatar({
diff --git a/src/components/ui/badge.tsx b/src/components/ui/badge.tsx
index 12daad7..76d3397 100644
--- a/src/components/ui/badge.tsx
+++ b/src/components/ui/badge.tsx
@@ -1,6 +1,5 @@
 import * as React from "react"
 import { cva, type VariantProps } from "class-variance-authority"
-
 import { cn } from "@/lib/utils"
 
 const badgeVariants = cva(
diff --git a/src/components/ui/button.tsx b/src/components/ui/button.tsx
index c77c1b4..48a5340 100644
--- a/src/components/ui/button.tsx
+++ b/src/components/ui/button.tsx
@@ -1,7 +1,6 @@
 import * as React from "react"
 import { Slot } from "@radix-ui/react-slot"
 import { cva, type VariantProps } from "class-variance-authority"
-
 import { cn } from "@/lib/utils"
 
 const buttonVariants = cva(
diff --git a/src/components/ui/card.tsx b/src/components/ui/card.tsx
index 938aa22..8fce582 100644
--- a/src/components/ui/card.tsx
+++ b/src/components/ui/card.tsx
@@ -1,5 +1,4 @@
 import * as React from "react"
-
 import { cn } from "@/lib/utils"
 
 const Card = React.forwardRef<
diff --git a/src/components/ui/dialog.tsx b/src/components/ui/dialog.tsx
index d9ccec9..adca6fc 100644
--- a/src/components/ui/dialog.tsx
+++ b/src/components/ui/dialog.tsx
@@ -3,7 +3,6 @@
 import * as React from "react"
 import * as DialogPrimitive from "@radix-ui/react-dialog"
 import { XIcon } from "lucide-react"
-
 import { cn } from "@/lib/utils"
 
 function Dialog({
diff --git a/src/components/ui/dropdown-menu.tsx b/src/components/ui/dropdown-menu.tsx
index ec51e9c..1b0e7c8 100644
--- a/src/components/ui/dropdown-menu.tsx
+++ b/src/components/ui/dropdown-menu.tsx
@@ -3,7 +3,6 @@
 import * as React from "react"
 import * as DropdownMenuPrimitive from "@radix-ui/react-dropdown-menu"
 import { CheckIcon, ChevronRightIcon, CircleIcon } from "lucide-react"
-
 import { cn } from "@/lib/utils"
 
 function DropdownMenu({
@@ -85,7 +84,7 @@ function DropdownMenuItem({
 function DropdownMenuCheckboxItem({
   className,
   children,
-  checked,
+  checked = false,
   ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.CheckboxItem>) {
   return (
diff --git a/src/components/ui/input.tsx b/src/components/ui/input.tsx
new file mode 100644
index 0000000..824effa
--- /dev/null
+++ b/src/components/ui/input.tsx
@@ -0,0 +1,20 @@
+import * as React from "react"
+import { cn } from "@/lib/utils"
+
+function Input({ className, type, ...props }: React.ComponentProps<"input">) {
+  return (
+    <input
+      type={type}
+      data-slot="input"
+      className={cn(
+        "file:text-foreground placeholder:text-muted-foreground selection:bg-primary selection:text-primary-foreground dark:bg-input/30 border-input h-9 w-full min-w-0 rounded-md border bg-transparent px-3 py-1 text-base shadow-xs transition-[color,box-shadow] outline-none file:inline-flex file:h-7 file:border-0 file:bg-transparent file:text-sm file:font-medium disabled:pointer-events-none disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
+        "focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px]",
+        "aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export { Input }
diff --git a/src/components/ui/label.tsx b/src/components/ui/label.tsx
new file mode 100644
index 0000000..28bffac
--- /dev/null
+++ b/src/components/ui/label.tsx
@@ -0,0 +1,23 @@
+"use client"
+
+import * as React from "react"
+import * as LabelPrimitive from "@radix-ui/react-label"
+import { cn } from "@/lib/utils"
+
+function Label({
+  className,
+  ...props
+}: React.ComponentProps<typeof LabelPrimitive.Root>) {
+  return (
+    <LabelPrimitive.Root
+      data-slot="label"
+      className={cn(
+        "flex items-center gap-2 text-sm leading-none font-medium select-none group-data-[disabled=true]:pointer-events-none group-data-[disabled=true]:opacity-50 peer-disabled:cursor-not-allowed peer-disabled:opacity-50",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export { Label }
diff --git a/src/components/ui/mode-toggle.tsx b/src/components/ui/mode-toggle.tsx
index 2d4bd08..1059cad 100644
--- a/src/components/ui/mode-toggle.tsx
+++ b/src/components/ui/mode-toggle.tsx
@@ -1,9 +1,7 @@
 "use client";
 
-import * as React from "react";
 import { Moon, Sun } from "lucide-react";
 import { useTheme } from "next-themes";
-
 import { Button } from "@/components/ui/button";
 import {
   DropdownMenu,
diff --git a/src/components/ui/separator.tsx b/src/components/ui/separator.tsx
index 4f1321d..ee88093 100644
--- a/src/components/ui/separator.tsx
+++ b/src/components/ui/separator.tsx
@@ -1,5 +1,4 @@
 import * as React from "react"
-
 import { cn } from "@/lib/utils"
 
 interface SeparatorProps extends React.HTMLAttributes<HTMLDivElement> {
diff --git a/src/components/ui/skeleton.tsx b/src/components/ui/skeleton.tsx
new file mode 100644
index 0000000..32ea0ef
--- /dev/null
+++ b/src/components/ui/skeleton.tsx
@@ -0,0 +1,13 @@
+import { cn } from "@/lib/utils"
+
+function Skeleton({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="skeleton"
+      className={cn("bg-accent animate-pulse rounded-md", className)}
+      {...props}
+    />
+  )
+}
+
+export { Skeleton }
diff --git a/src/components/ui/sonner.tsx b/src/components/ui/sonner.tsx
new file mode 100644
index 0000000..321419b
--- /dev/null
+++ b/src/components/ui/sonner.tsx
@@ -0,0 +1,42 @@
+"use client"
+
+import {
+  CircleCheckIcon,
+  InfoIcon,
+  Loader2Icon,
+  OctagonXIcon,
+  TriangleAlertIcon,
+} from "lucide-react"
+import { useTheme } from "next-themes"
+import { Toaster as Sonner, type ToasterProps } from "sonner"
+
+const Toaster = ({ ...props }: ToasterProps) => {
+  const { theme } = useTheme()
+  const resolvedTheme: "system" | "light" | "dark" =
+    theme === "light" || theme === "dark" ? theme : "system"
+
+  return (
+    <Sonner
+      theme={resolvedTheme}
+      className="toaster group"
+      icons={{
+        success: <CircleCheckIcon className="size-4" />,
+        info: <InfoIcon className="size-4" />,
+        warning: <TriangleAlertIcon className="size-4" />,
+        error: <OctagonXIcon className="size-4" />,
+        loading: <Loader2Icon className="size-4 animate-spin" />,
+      }}
+      style={
+        {
+          "--normal-bg": "var(--popover)",
+          "--normal-text": "var(--popover-foreground)",
+          "--normal-border": "var(--border)",
+          "--border-radius": "var(--radius)",
+        } as React.CSSProperties
+      }
+      {...props}
+    />
+  )
+}
+
+export { Toaster }
diff --git a/src/components/ui/spinner.tsx b/src/components/ui/spinner.tsx
new file mode 100644
index 0000000..fe94dad
--- /dev/null
+++ b/src/components/ui/spinner.tsx
@@ -0,0 +1,21 @@
+import { Loader2 } from "lucide-react";
+import { cn } from "@/lib/utils";
+
+interface SpinnerProps {
+  className?: string;
+  size?: "sm" | "md" | "lg";
+}
+
+const sizeClasses = {
+  sm: "h-4 w-4",
+  md: "h-6 w-6",
+  lg: "h-8 w-8",
+};
+
+export function Spinner({ className, size = "md" }: SpinnerProps) {
+  return (
+    <Loader2
+      className={cn("animate-spin text-muted-foreground", sizeClasses[size], className)}
+    />
+  );
+}
diff --git a/src/components/ui/textarea.tsx b/src/components/ui/textarea.tsx
new file mode 100644
index 0000000..266e9d2
--- /dev/null
+++ b/src/components/ui/textarea.tsx
@@ -0,0 +1,17 @@
+import * as React from "react"
+import { cn } from "@/lib/utils"
+
+function Textarea({ className, ...props }: React.ComponentProps<"textarea">) {
+  return (
+    <textarea
+      data-slot="textarea"
+      className={cn(
+        "border-input placeholder:text-muted-foreground focus-visible:border-ring focus-visible:ring-ring/50 aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive dark:bg-input/30 flex field-sizing-content min-h-16 w-full rounded-md border bg-transparent px-3 py-2 text-base shadow-xs transition-[color,box-shadow] outline-none focus-visible:ring-[3px] disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export { Textarea }
diff --git a/src/lib/env.ts b/src/lib/env.ts
new file mode 100644
index 0000000..516bec8
--- /dev/null
+++ b/src/lib/env.ts
@@ -0,0 +1,117 @@
+import { z } from "zod";
+
+/**
+ * Server-side environment variables schema.
+ * These variables are only available on the server.
+ */
+const serverEnvSchema = z.object({
+  // Database
+  POSTGRES_URL: z.string().url("Invalid database URL"),
+
+  // Authentication
+  BETTER_AUTH_SECRET: z
+    .string()
+    .min(32, "BETTER_AUTH_SECRET must be at least 32 characters"),
+
+  // OAuth
+  GOOGLE_CLIENT_ID: z.string().optional(),
+  GOOGLE_CLIENT_SECRET: z.string().optional(),
+
+  // AI
+  OPENROUTER_API_KEY: z.string().optional(),
+  OPENROUTER_MODEL: z.string().default("openai/gpt-5-mini"),
+
+  // Storage
+  BLOB_READ_WRITE_TOKEN: z.string().optional(),
+
+  // App
+  NODE_ENV: z
+    .enum(["development", "production", "test"])
+    .default("development"),
+});
+
+/**
+ * Client-side environment variables schema.
+ * These variables are exposed to the browser via NEXT_PUBLIC_ prefix.
+ */
+const clientEnvSchema = z.object({
+  NEXT_PUBLIC_APP_URL: z.string().url().default("http://localhost:3000"),
+});
+
+export type ServerEnv = z.infer<typeof serverEnvSchema>;
+export type ClientEnv = z.infer<typeof clientEnvSchema>;
+
+/**
+ * Validates and returns server-side environment variables.
+ * Throws an error if validation fails.
+ */
+export function getServerEnv(): ServerEnv {
+  const parsed = serverEnvSchema.safeParse(process.env);
+
+  if (!parsed.success) {
+    console.error(
+      "Invalid server environment variables:",
+      parsed.error.flatten().fieldErrors
+    );
+    throw new Error("Invalid server environment variables");
+  }
+
+  return parsed.data;
+}
+
+/**
+ * Validates and returns client-side environment variables.
+ * Throws an error if validation fails.
+ */
+export function getClientEnv(): ClientEnv {
+  const parsed = clientEnvSchema.safeParse({
+    NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
+  });
+
+  if (!parsed.success) {
+    console.error(
+      "Invalid client environment variables:",
+      parsed.error.flatten().fieldErrors
+    );
+    throw new Error("Invalid client environment variables");
+  }
+
+  return parsed.data;
+}
+
+/**
+ * Checks if required environment variables are set.
+ * Logs warnings for missing optional variables.
+ */
+export function checkEnv(): void {
+  const warnings: string[] = [];
+
+  // Check required variables
+  if (!process.env.POSTGRES_URL) {
+    throw new Error("POSTGRES_URL is required");
+  }
+
+  if (!process.env.BETTER_AUTH_SECRET) {
+    throw new Error("BETTER_AUTH_SECRET is required");
+  }
+
+  // Check optional variables and warn
+  if (!process.env.GOOGLE_CLIENT_ID || !process.env.GOOGLE_CLIENT_SECRET) {
+    warnings.push("Google OAuth is not configured. Social login will be disabled.");
+  }
+
+  if (!process.env.OPENROUTER_API_KEY) {
+    warnings.push("OPENROUTER_API_KEY is not set. AI chat will not work.");
+  }
+
+  if (!process.env.BLOB_READ_WRITE_TOKEN) {
+    warnings.push("BLOB_READ_WRITE_TOKEN is not set. Using local storage for file uploads.");
+  }
+
+  // Log warnings in development
+  if (process.env.NODE_ENV === "development" && warnings.length > 0) {
+    console.warn("\n⚠️  Environment warnings:");
+    warnings.forEach((w) => console.warn(`   - ${w}`));
+    console.warn("");
+  }
+}
diff --git a/src/lib/rate-limit.ts b/src/lib/rate-limit.ts
new file mode 100644
index 0000000..d750343
--- /dev/null
+++ b/src/lib/rate-limit.ts
@@ -0,0 +1,157 @@
+/**
+ * Simple in-memory rate limiter for API routes.
+ * For production, consider using a Redis-based solution.
+ */
+
+interface RateLimitConfig {
+  /** Number of requests allowed in the window */
+  limit: number;
+  /** Time window in milliseconds */
+  windowMs: number;
+}
+
+interface RateLimitEntry {
+  count: number;
+  resetTime: number;
+}
+
+const rateLimitStore = new Map<string, RateLimitEntry>();
+
+/**
+ * Default rate limit configurations for different endpoints.
+ */
+export const rateLimitConfigs = {
+  // AI chat endpoint - more restrictive
+  chat: {
+    limit: 20,
+    windowMs: 60 * 1000, // 20 requests per minute
+  },
+  // Auth endpoints
+  auth: {
+    limit: 10,
+    windowMs: 60 * 1000, // 10 requests per minute
+  },
+  // General API
+  api: {
+    limit: 100,
+    windowMs: 60 * 1000, // 100 requests per minute
+  },
+} as const;
+
+/**
+ * Check if a request should be rate limited.
+ *
+ * @param key - Unique identifier for the client (e.g., IP address, user ID)
+ * @param config - Rate limit configuration
+ * @returns Object with allowed status and remaining requests
+ */
+export function checkRateLimit(
+  key: string,
+  config: RateLimitConfig
+): {
+  allowed: boolean;
+  remaining: number;
+  resetTime: number;
+} {
+  const now = Date.now();
+  const entry = rateLimitStore.get(key);
+
+  // Clean up expired entries periodically
+  if (Math.random() < 0.01) {
+    cleanupExpiredEntries();
+  }
+
+  if (!entry || now > entry.resetTime) {
+    // Create new entry
+    const newEntry: RateLimitEntry = {
+      count: 1,
+      resetTime: now + config.windowMs,
+    };
+    rateLimitStore.set(key, newEntry);
+    return {
+      allowed: true,
+      remaining: config.limit - 1,
+      resetTime: newEntry.resetTime,
+    };
+  }
+
+  if (entry.count >= config.limit) {
+    return {
+      allowed: false,
+      remaining: 0,
+      resetTime: entry.resetTime,
+    };
+  }
+
+  // Increment count
+  entry.count++;
+  return {
+    allowed: true,
+    remaining: config.limit - entry.count,
+    resetTime: entry.resetTime,
+  };
+}
+
+/**
+ * Create a rate limit response with appropriate headers.
+ */
+export function createRateLimitResponse(resetTime: number): Response {
+  const retryAfter = Math.ceil((resetTime - Date.now()) / 1000);
+  return new Response(
+    JSON.stringify({
+      error: "Too Many Requests",
+      message: "Rate limit exceeded. Please try again later.",
+      retryAfter,
+    }),
+    {
+      status: 429,
+      headers: {
+        "Content-Type": "application/json",
+        "Retry-After": String(retryAfter),
+        "X-RateLimit-Reset": String(Math.ceil(resetTime / 1000)),
+      },
+    }
+  );
+}
+
+/**
+ * Get the client identifier from a request.
+ * Uses IP address or forwarded header.
+ */
+export function getClientIdentifier(request: Request): string {
+  const forwarded = request.headers.get("x-forwarded-for");
+  if (forwarded) {
+    const ip = forwarded.split(",")[0];
+    if (ip) {
+      return ip.trim();
+    }
+  }
+  // Fallback to a hash of user-agent if no IP available
+  const userAgent = request.headers.get("user-agent") || "unknown";
+  return `ua-${hashString(userAgent)}`;
+}
+
+/**
+ * Simple string hash for fallback identifier.
+ */
+function hashString(str: string): string {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash).toString(36);
+}
+
+/**
+ * Clean up expired rate limit entries.
+ */
+function cleanupExpiredEntries(): void {
+  const now = Date.now();
+  for (const [key, entry] of rateLimitStore.entries()) {
+    if (now > entry.resetTime) {
+      rateLimitStore.delete(key);
+    }
+  }
+}
diff --git a/src/lib/schema.ts b/src/lib/schema.ts
index 112a90d..69ed5f4 100644
--- a/src/lib/schema.ts
+++ b/src/lib/schema.ts
@@ -1,52 +1,70 @@
-import { pgTable, text, timestamp, boolean } from "drizzle-orm/pg-core";
+import { pgTable, text, timestamp, boolean, index } from "drizzle-orm/pg-core";
 
-export const user = pgTable("user", {
-  id: text("id").primaryKey(),
-  name: text("name").notNull(),
-  email: text("email").notNull().unique(),
-  emailVerified: boolean("email_verified").default(false).notNull(),
-  image: text("image"),
-  createdAt: timestamp("created_at").defaultNow().notNull(),
-  updatedAt: timestamp("updated_at")
-    .defaultNow()
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-});
+export const user = pgTable(
+  "user",
+  {
+    id: text("id").primaryKey(),
+    name: text("name").notNull(),
+    email: text("email").notNull().unique(),
+    emailVerified: boolean("email_verified").default(false).notNull(),
+    image: text("image"),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .defaultNow()
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [index("user_email_idx").on(table.email)]
+);
 
-export const session = pgTable("session", {
-  id: text("id").primaryKey(),
-  expiresAt: timestamp("expires_at").notNull(),
-  token: text("token").notNull().unique(),
-  createdAt: timestamp("created_at").defaultNow().notNull(),
-  updatedAt: timestamp("updated_at")
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-  ipAddress: text("ip_address"),
-  userAgent: text("user_agent"),
-  userId: text("user_id")
-    .notNull()
-    .references(() => user.id, { onDelete: "cascade" }),
-});
+export const session = pgTable(
+  "session",
+  {
+    id: text("id").primaryKey(),
+    expiresAt: timestamp("expires_at").notNull(),
+    token: text("token").notNull().unique(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+  },
+  (table) => [
+    index("session_user_id_idx").on(table.userId),
+    index("session_token_idx").on(table.token),
+  ]
+);
 
-export const account = pgTable("account", {
-  id: text("id").primaryKey(),
-  accountId: text("account_id").notNull(),
-  providerId: text("provider_id").notNull(),
-  userId: text("user_id")
-    .notNull()
-    .references(() => user.id, { onDelete: "cascade" }),
-  accessToken: text("access_token"),
-  refreshToken: text("refresh_token"),
-  idToken: text("id_token"),
-  accessTokenExpiresAt: timestamp("access_token_expires_at"),
-  refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
-  scope: text("scope"),
-  password: text("password"),
-  createdAt: timestamp("created_at").defaultNow().notNull(),
-  updatedAt: timestamp("updated_at")
-    .$onUpdate(() => /* @__PURE__ */ new Date())
-    .notNull(),
-});
+export const account = pgTable(
+  "account",
+  {
+    id: text("id").primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: timestamp("access_token_expires_at"),
+    refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [
+    index("account_user_id_idx").on(table.userId),
+    index("account_provider_account_idx").on(table.providerId, table.accountId),
+  ]
+);
 
 export const verification = pgTable("verification", {
   id: text("id").primaryKey(),
diff --git a/src/lib/session.ts b/src/lib/session.ts
new file mode 100644
index 0000000..caf1fc7
--- /dev/null
+++ b/src/lib/session.ts
@@ -0,0 +1,48 @@
+import { headers } from "next/headers";
+import { redirect } from "next/navigation";
+import { auth } from "@/lib/auth";
+
+/**
+ * Protected routes that require authentication.
+ * These are also configured in src/proxy.ts for optimistic redirects.
+ */
+export const protectedRoutes = ["/chat", "/dashboard", "/profile"];
+
+/**
+ * Checks if the current request is authenticated.
+ * Should be called in Server Components for protected routes.
+ *
+ * @returns The session object if authenticated
+ * @throws Redirects to home page if not authenticated
+ */
+export async function requireAuth() {
+  const session = await auth.api.getSession({ headers: await headers() });
+
+  if (!session) {
+    redirect("/");
+  }
+
+  return session;
+}
+
+/**
+ * Gets the current session without requiring authentication.
+ * Returns null if not authenticated.
+ *
+ * @returns The session object or null
+ */
+export async function getOptionalSession() {
+  return await auth.api.getSession({ headers: await headers() });
+}
+
+/**
+ * Checks if a given path is a protected route.
+ *
+ * @param path - The path to check
+ * @returns True if the path requires authentication
+ */
+export function isProtectedRoute(path: string): boolean {
+  return protectedRoutes.some(
+    (route) => path === route || path.startsWith(`${route}/`)
+  );
+}
diff --git a/src/lib/storage.ts b/src/lib/storage.ts
index b8b997f..88ba264 100644
--- a/src/lib/storage.ts
+++ b/src/lib/storage.ts
@@ -1,7 +1,7 @@
-import { put, del } from "@vercel/blob";
+import { existsSync } from "fs";
 import { writeFile, mkdir } from "fs/promises";
 import { join } from "path";
-import { existsSync } from "fs";
+import { put, del } from "@vercel/blob";
 
 /**
  * Result from uploading a file to storage
@@ -11,14 +11,123 @@ export interface StorageResult {
   pathname: string; // Path/key of the stored file
 }
 
+/**
+ * Storage configuration
+ */
+export interface StorageConfig {
+  /** Maximum file size in bytes (default: 5MB) */
+  maxSize?: number;
+  /** Allowed MIME types (default: images and documents) */
+  allowedTypes?: string[];
+}
+
+/**
+ * Default storage configuration
+ */
+const DEFAULT_CONFIG: Required<StorageConfig> = {
+  maxSize: 5 * 1024 * 1024, // 5MB
+  allowedTypes: [
+    // Images
+    "image/jpeg",
+    "image/png",
+    "image/gif",
+    "image/webp",
+    "image/svg+xml",
+    // Documents
+    "application/pdf",
+    "text/plain",
+    "text/csv",
+    "application/json",
+  ],
+};
+
+/**
+ * Allowed file extensions mapped from MIME types
+ */
+const ALLOWED_EXTENSIONS = new Set([
+  ".jpg",
+  ".jpeg",
+  ".png",
+  ".gif",
+  ".webp",
+  ".svg",
+  ".pdf",
+  ".txt",
+  ".csv",
+  ".json",
+]);
+
+/**
+ * Sanitize a filename by removing dangerous characters and path traversal attempts
+ */
+export function sanitizeFilename(filename: string): string {
+  // Remove path components (prevent directory traversal)
+  const basename = filename.split(/[/\\]/).pop() || filename;
+
+  // Remove or replace dangerous characters
+  const sanitized = basename
+    .replace(/[<>:"|?*\x00-\x1f]/g, "") // Remove dangerous chars
+    .replace(/\.{2,}/g, ".") // Collapse multiple dots
+    .replace(/^\.+/, "") // Remove leading dots
+    .trim();
+
+  // Ensure filename is not empty
+  if (!sanitized || sanitized.length === 0) {
+    throw new Error("Invalid filename");
+  }
+
+  // Limit filename length
+  if (sanitized.length > 255) {
+    const ext = sanitized.slice(sanitized.lastIndexOf("."));
+    const name = sanitized.slice(0, 255 - ext.length);
+    return name + ext;
+  }
+
+  return sanitized;
+}
+
+/**
+ * Validate file for upload
+ */
+export function validateFile(
+  buffer: Buffer,
+  filename: string,
+  config: StorageConfig = {}
+): { valid: true } | { valid: false; error: string } {
+  const { maxSize } = { ...DEFAULT_CONFIG, ...config };
+
+  // Check file size
+  if (buffer.length > maxSize) {
+    return {
+      valid: false,
+      error: `File too large. Maximum size is ${Math.round(maxSize / 1024 / 1024)}MB`,
+    };
+  }
+
+  // Check file extension
+  const ext = filename.slice(filename.lastIndexOf(".")).toLowerCase();
+  if (!ALLOWED_EXTENSIONS.has(ext)) {
+    return {
+      valid: false,
+      error: `File type not allowed. Allowed extensions: ${Array.from(ALLOWED_EXTENSIONS).join(", ")}`,
+    };
+  }
+
+  // Optionally check MIME type if provided
+  // Note: For full MIME type validation, consider using a library like 'file-type'
+
+  return { valid: true };
+}
+
 /**
  * Uploads a file to storage (Vercel Blob or local filesystem)
- * 
+ *
  * @param buffer - File contents as a Buffer
  * @param filename - Name of the file (e.g., "image.png")
  * @param folder - Optional folder/prefix (e.g., "avatars")
+ * @param config - Optional storage configuration
  * @returns StorageResult with url and pathname
- * 
+ *
  * @example
  * ```ts
  * const result = await upload(fileBuffer, "avatar.png", "avatars");
@@ -28,13 +137,23 @@ export interface StorageResult {
 export async function upload(
   buffer: Buffer,
   filename: string,
-  folder?: string
+  folder?: string,
+  config?: StorageConfig
 ): Promise<StorageResult> {
+  // Sanitize filename
+  const sanitizedFilename = sanitizeFilename(filename);
+
+  // Validate file
+  const validation = validateFile(buffer, sanitizedFilename, config);
+  if (!validation.valid) {
+    throw new Error(validation.error);
+  }
+
   const hasVercelBlob = Boolean(process.env.BLOB_READ_WRITE_TOKEN);
 
   if (hasVercelBlob) {
     // Use Vercel Blob storage
-    const pathname = folder ? `${folder}/${filename}` : filename;
+    const pathname = folder ? `${folder}/${sanitizedFilename}` : sanitizedFilename;
     const blob = await put(pathname, buffer, {
       access: "public",
     });
@@ -54,11 +173,11 @@ export async function upload(
     }
 
     // Write the file
-    const filepath = join(targetDir, filename);
+    const filepath = join(targetDir, sanitizedFilename);
     await writeFile(filepath, buffer);
 
     // Return local URL
-    const pathname = folder ? `${folder}/${filename}` : filename;
+    const pathname = folder ? `${folder}/${sanitizedFilename}` : sanitizedFilename;
     const url = `/uploads/${pathname}`;
 
     return {
diff --git a/src/proxy.ts b/src/proxy.ts
new file mode 100644
index 0000000..15502cf
--- /dev/null
+++ b/src/proxy.ts
@@ -0,0 +1,25 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getSessionCookie } from "better-auth/cookies";
+
+/**
+ * Next.js 16 Proxy for auth protection.
+ * Uses cookie-based checks for fast, optimistic redirects.
+ *
+ * Note: This only checks for cookie existence, not validity.
+ * Full session validation should be done in each protected page/route.
+ */
+export async function proxy(request: NextRequest) {
+  const sessionCookie = getSessionCookie(request);
+
+  // Optimistic redirect - cookie existence check only
+  // Full validation happens in page components via auth.api.getSession()
+  if (!sessionCookie) {
+    return NextResponse.redirect(new URL("/", request.url));
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ["/dashboard", "/chat", "/profile"], // Protected routes
+};
diff --git a/tsconfig.json b/tsconfig.json
index e74efcd..b887142 100644
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -1,14 +1,24 @@
 {
   "compilerOptions": {
     "target": "ES2017",
-    "lib": [
-      "dom",
-      "dom.iterable",
-      "esnext"
-    ],
+    "lib": ["dom", "dom.iterable", "esnext"],
     "allowJs": true,
     "skipLibCheck": true,
     "strict": true,
+    "strictNullChecks": true,
+    "strictFunctionTypes": true,
+    "strictBindCallApply": true,
+    "strictPropertyInitialization": true,
+    "noImplicitAny": true,
+    "noImplicitThis": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedIndexedAccess": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noImplicitOverride": true,
+    "exactOptionalPropertyTypes": true,
+    "forceConsistentCasingInFileNames": true,
     "noEmit": true,
     "esModuleInterop": true,
     "module": "esnext",
@@ -22,15 +32,9 @@
         "name": "next"
       }
     ],
-    "types": [
-      "react",
-      "react-dom",
-      "node"
-    ],
+    "types": ["react", "react-dom", "node"],
     "paths": {
-      "@/*": [
-        "./src/*"
-      ]
+      "@/*": ["./src/*"]
     }
   },
   "include": [
@@ -40,7 +44,5 @@
     ".next/types/**/*.ts",
     ".next/dev/types/**/*.ts"
   ],
-  "exclude": [
-    "node_modules"
-  ]
+  "exclude": ["node_modules", "create-agentic-app"]
 }