Seal vault

Supabase setup

Migrations, Auth, reading archive, rate limiting, and database safety before real traffic.

If the database is not ready, a beautiful interface becomes a mask without doors.

Stripe test flow Rollback plan

Apply migrations

Production database must receive all SQL migrations that add reading records, owner fields, rate limits, events, and support fields.

Migrations applied without errors.
Indexes created.
owner_user_id and owner_email columns exist.

Check Auth

Magic link should create or open the account, return the user to callback, and show account.

Redirect URL is allowed in Supabase Auth settings.
Email link opens on production domain.
Account sees owner.

Check privacy model

A reading should belong to a user or safe link. One user must not open another user's archive.

RLS and server checks match access model.
Share-safe does not expose the private question.
Data deletion leaves a clear outcome.

checklist

What to check

Production Supabase URL and anon key are set.
Service role key only on server.
RATE_LIMIT_STORE=supabase in production.
Auth callback works at /auth/callback.

red flags

When to stop

Account is empty after creating a paid reading under the same email.
Recovery email arrives, but link does not open result.
Rate limit falls back to memory without reason.

done when

Definition of done

New user signs in by email.
New reading attaches to account.
Recovery opens path to archive.

related doors

Production checklistThe master list before real users enter.VercelEnvironment variables, redeploy, build logs, and domain.Stripe test flowCheckout, webhook, paid status, AI, receipt, and access.Resend emailSender, receipt, recovery, and Oracle Letters.TrustBoundaries, honesty, and safe positioning.AI transparencyWhat AI does and what the server checks.