Urgent pre-launch review: Stripe webhooks + AI proxy security, finished Next.js/Supabase SaaS
Budget: $35.0 - $55.0
HOURLY / PART_TIME
⭐ 0.00 (0)
Netherlands
next.js, stripe
Hi,
I'm launching a solo AI SaaS, a prompt management tool, built in Next.js (App Router) + Supabase (auth + database) + Stripe + Vercel. I built it myself with AI assistance, and it is functionally complete and working in test mode. I am NOT looking for someone to build anything. I need a focused security and correctness review of code that already exists, before I go live. This is urgent.
Two areas to review:
1. AI proxy security. I have a server-side /api/brain route that calls the Anthropic API with my key. It already has authentication checks, per-user rate limits, a global daily spend ceiling, input size limits, and usage logging. I need you to review and harden it, and confirm it cannot be abused to run up my API bill or leak my key. Replay/spoofing, free users reaching paid features, credit-check bypass.
2. Stripe billing correctness. Subscription tiers, a credits system, and the full webhook state machine are already built in Stripe test mode (Sandbox). I need you to verify it is correct and safe before real money flows: webhook signature verification, idempotency (no double-granting credits on retries), correct handling of cancellation, failed payment, refund, and plan changes.
The codebase is clean and well-documented, with all architecture decisions written down. I am non-technical but I know exactly what I want and can answer any question precisely.
Please share: your estimate for reviewing each area (I expect this is hours of work, not days), examples of similar Next.js + Supabase + Stripe work, and your earliest availability. Fast turnaround matters to me.
Thanks