Lovable migration and setup
Budget: -
HOURLY / PART_TIME
Spain
web-programming, web-application, javascript, saas, next.js, react-js, sql, node.js, web-design, html5, html, postgresql, api, php, software-development
**Supabase Auth, Security & Integrations Setup — B2B Payroll SaaS**
We are building a B2B payroll reconciliation and validation SaaS application (React + Vite + Supabase) and need an experienced developer to configure authentication, data security, and two third-party integrations. The application handles sensitive payroll and HR data for business clients, so correctness and security are the priority over speed.
**Background**
The app is being migrated from Lovable and the codebase is built on the standard Lovable stack: React, Vite, and Supabase. It is a multi-tenant application — multiple client organisations use the same platform and their data must be completely isolated from one another at the database level. Please audit the existing codebase as part of this engagement and flag anything that does not meet the requirements below.
**Scope of work**
Authentication. Configure Supabase Auth with email/password login, email verification on signup, and a working password reset flow. Set up an admin role using a role column on the users table with appropriate access controls.
Row Level Security. Enable and configure RLS policies on all Supabase tables. Policies must enforce strict organisation-level data isolation — one client's data must be completely invisible to another client's session at the database level, not just at the application layer. This is the most important deliverable of this engagement.
Codebase audit. Review the existing frontend code for any exposure of the Supabase service role key or other privileged credentials on the client side. Remove any instances found. Document what was found and what was changed.
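As an added illustration of the organisation-level isolation required in the Row Level Security item, together with the reason the audit item matters (the service role bypasses RLS entirely), here is example SQL that is not from the posting or its codebase. It assumes a constructed `organisation_members` membership table and a constructed tenant-scoped `payroll_runs` table.

```sql
-- Constructed schema (assumption): one membership table maps auth users to
-- organisations; every tenant-scoped table carries an organisation_id column.
create table public.organisation_members (
  organisation_id uuid not null,
  user_id         uuid not null references auth.users (id) on delete cascade,
  primary key (organisation_id, user_id)
);

create table public.payroll_runs (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null,
  period_start    date not null,
  gross_total     numeric(14, 2) not null
);

-- Without these, the tables are fully readable by any authenticated session.
alter table public.organisation_members enable row level security;
alter table public.payroll_runs enable row level security;

-- A user may see only their own membership rows.
create policy members_select_self on public.organisation_members
  for select to authenticated
  using (user_id = (select auth.uid()));

-- Isolation at the database layer: USING filters reads/updates/deletes,
-- WITH CHECK blocks inserting or moving rows into another tenant.
create policy payroll_runs_tenant_isolation on public.payroll_runs
  for all to authenticated
  using (
    organisation_id in (
      select organisation_id from public.organisation_members
      where user_id = (select auth.uid())
    )
  )
  with check (
    organisation_id in (
      select organisation_id from public.organisation_members
      where user_id = (select auth.uid())
    )
  );

-- Audit check: list public tables that still have RLS disabled.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;

-- Note: the service_role key bypasses every policy above, which is why it
-- must only ever live in edge functions / Vault, never in the Vite bundle.
```

Verify the isolation with two test users in different organisations by querying `payroll_runs` through the anon key with each user's session; each should see only its own organisation's rows.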
Secrets and credentials. No API keys, secrets, or credentials hardcoded anywhere in the codebase. All secrets via environment variables or Supabase Vault. Provide a handover note listing every third-party service or credential used during the build.
Inbound email via BCC. Set up inbound email parsing so the app can receive emails when BCC'd. Use Resend, Postmark, or SendGrid inbound parse — your recommendation is welcome. Parsed emails and attachments must be stored in a private Supabase Storage bucket accessible via signed URLs only. Triggered via a Supabase edge function. No attachments or email content accessible via public URLs.
Outbound email. Configure outbound transactional email for system notifications and user-facing emails (verification, password reset, alerts) using the same email service chosen for inbound.
Outbound Slack notifications. Set up outbound Slack notifications via webhook so the app can send alerts or summaries to a designated Slack channel.
**Data handling**
This application processes payroll and HR data for EU-based business clients. Please confirm you are familiar with GDPR requirements as they apply to sensitive personal data in storage and access patterns. We do not require legal advice but do require that the implementation reflects appropriate data handling practices.
**Handover requirements**
On completion we require a short written or recorded walkthrough covering what has been implemented, where the RLS policies live, how each integration is configured, and where secrets are stored. We want to fully understand what has been built, not just have it running.
**What we are looking for**
Demonstrated Supabase experience including RLS policies and edge functions. Experience with inbound email parsing via a third-party service. Familiarity with multi-tenant SaaS data isolation patterns. Prior experience handling sensitive financial or HR data is a strong plus. Please include examples of relevant previous work in your proposal — applications without examples will not be considered.
**Access and process**
You will be given access to a dedicated Supabase project and a feature branch on GitHub. You will not have access to the production environment during the build. All work will be reviewed before being promoted to
**To apply:** Include examples of previous Supabase auth or integration work. Tell us briefly how you would approach multi-tenant RLS isolation and what you would check for in the codebase audit. Applications that do not address these points will not be shortlisted.