Full-Stack Developer Needed: Next.js, Supabase, Stripe — Finalize AI Finance SaaS
Budget: $200.0 (fixed price)
Location: Portugal
Tags: saas, api, web-programming, stripe
Job Title Suggestion
Senior Full-Stack Next.js & Supabase Developer – Security Fixes & Feature Integration for AI SaaS
Job Description
Overview
We are looking for a Senior Full-Stack Developer to help us finalize and secure Fineloia, an "AI-powered CFO" SaaS. The platform connects to an SME's financial transactions to deliver real-time KPIs, cash flow risk alerts, and AI-generated reports.
⚠️ Non-negotiable Product Rule: The platform only analyzes data and recommends actions. The application DOES NOT move money or execute payments (no banking license required).
The application is already built end-to-end (authentication, database, Stripe, and the AI engine are 100% operational). A large part of the post-login user interface (UI) is already designed (several buttons, selectors, and menus are already visible on screen), but these elements are currently "static" or disconnected from the backend. We need an expert to fix the security vulnerabilities identified in a recent audit, wire this existing UI and its buttons to the backend logic, configure our domain, and finalize the project for public launch.
Technical Stack
Frontend/Backend: Next.js 14 (App Router), TypeScript, Tailwind CSS, shadcn/ui-style components
Database & Auth: Supabase (PostgreSQL, Row Level Security - RLS)
AI Integration: Anthropic Claude via Vercel AI SDK
Payments: Stripe (Subscriptions, Webhooks, Customer Portal)
Email & i18n: Resend, next-intl (5 languages supported)
Scope of Work
1. Security Fixes (Highest Priority)
Fix RLS policies on the members table to prevent users with an "admin" role from self-promoting to "owner".
Restrict direct access via Supabase's REST API to the organizations table (specifically the plan and billing_cycle columns) so that a client cannot bypass the billing system by editing its own plan.
Update RLS on transactions, accounts, and kpis to ensure the "viewer" role is strictly read-only.
Sanitize internal error messages (error.message) across all API routes to avoid leaking backend details.
Fix the authentication bypass risk associated with the NEXT_PUBLIC_DEMO_MODE=1 flag in login and registration forms.
Implement rate-limiting on authenticated API routes (/api/kpis, /api/transactions, /api/alerts, /api/stripe/*).
Resolve minor security issues (minimum length validation on password resets, missing HTTP security headers like CSP/X-Frame-Options, and input sanitization in AI prompts).
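As an added illustration of the first fix above (example code, not the Fineloia project's own schema; the members table shape, the role values, and the helper function are assumptions), a PostgreSQL policy pair for Supabase RLS that lets owners and admins manage membership rows while stopping an admin from granting the owner role to anyone, including themselves:

```sql
-- Added example: assumed shape of the members table (not the project's schema).
create table if not exists members (
  id       uuid primary key default gen_random_uuid(),
  org_id   uuid not null,
  user_id  uuid not null references auth.users (id),
  role     text not null check (role in ('owner', 'admin', 'viewer')),
  unique (org_id, user_id)
);

alter table members enable row level security;

-- Assumed helper: the caller's role in one organization. SECURITY DEFINER
-- lets it read members without recursing through this table's own policies.
create or replace function current_member_role(p_org uuid)
returns text
language sql stable security definer
set search_path = public
as $$
  select role from members
  where org_id = p_org and user_id = auth.uid()
  limit 1;
$$;

-- Weak policy (the class of defect the audit describes): any admin may update
-- any row in the organization, including setting role = 'owner' on their own
-- row through the REST API. Kept commented out so it is never applied.
-- create policy members_update_weak on members for update
--   using (current_member_role(org_id) in ('owner', 'admin'));

-- Hardened policy. USING decides which rows the caller may touch: owners see
-- every row, admins only non-owner rows (so they cannot demote an owner).
-- WITH CHECK validates the row as it will be written: only an owner may
-- produce a row whose role is 'owner'.
create policy members_update_hardened on members
  for update
  using (
    current_member_role(org_id) = 'owner'
    or (current_member_role(org_id) = 'admin' and role <> 'owner')
  )
  with check (
    current_member_role(org_id) = 'owner'
    or role <> 'owner'
  );
```

The same WITH CHECK clause belongs on the INSERT policy as well, since otherwise an admin could add a second owner row instead of editing their own. Verify the fix from a client session by issuing the self-promotion UPDATE as an admin and confirming it fails the policy check rather than silently affecting zero rows.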
2. Feature Integration & UI Activation (Connecting Existing Buttons)
General Activation of Static Elements: Map the buttons, menus, and actions already visible on the dashboard post-login and connect them to their respective functions, API routes, and React states.
Anomaly Detection: Connect the existing backend module (lib/alerts/anomaly.ts) to the main alert generation route (/api/alerts/generate) and activate the corresponding flag/alert in the UI.
Multi-Currency Consolidation: Connect the pre-coded consolidation engine (lib/consolidation.ts) to a new /api/kpis/consolidated endpoint and activate the organization selector (which is already designed on the dashboard).
Settings Page: Implement the actual logic for the 6 placeholders under the /dashboard/settings route (Company, Team, Plan & Billing, Integrations, Notifications, GDPR).
Team Invitations: Develop the complete invitation workflow for new organization members.
GDPR Compliance: Implement user data export and account deletion functionalities.
3. Testing, Deployment & Launch
Domain Integration: Configure and point our custom domain (already purchased) to the production environment.
Create automated tests for the core engines (lib/kpis.ts, lib/alerts/rules.ts, lib/alerts/anomaly.ts) and authentication/permissions workflows.
Update the Anthropic production model ID to the latest recommended version.
Set up a basic CI/CD pipeline (lint, typecheck, tests) and a staging environment with test keys.
Conduct final QA across the 5 supported languages (including Arabic RTL layout support) and test Stripe billing flows end-to-end.
Required Skills & Experience
Proven experience with Next.js 14 (App Router) and TypeScript.
Deep understanding of Supabase and complex Row Level Security (RLS) policy architecture in PostgreSQL.
Experience integrating Stripe Billing (subscriptions and webhooks).
Experience with the Vercel AI SDK and prompt engineering for LLMs.
Mastery of clean code principles and writing automated tests.
Experience with DNS, domain management, and deployments on platforms like Vercel/Supabase.
Project Type & Availability
Project Type: One-time project with strong potential for ongoing maintenance and future roadmap development.
Communication: Fluency or clear communication in English or Portuguese.
To apply, please briefly describe your experience with Supabase RLS and Next.js 14, and indicate your estimated availability to start.