
Senior Full-Stack Dev (Next.js/Supabase/Stripe) — Security + Functionality Audit & Fix

Budget: $15.0 - $35.0 hourly / part-time ⭐ 0.00 (0) United States

react-js, next.js, typescript, nest.js, node.js, api-integration, tailwind-css-framework, stripe, postgresql, openapi, web-application, javascript

I have a SaaS web app built on Next.js / React / Node + Supabase (mid-migration) with Stripe subscriptions. It's currently on STAGING and not yet live. I need one senior full-stack engineer to fix the critical issues, harden it, and take it live to production — on a tight timeline. The app was built over ~5 months primarily through AI-assisted ("vibe") coding, so I want an experienced engineer to review it with that in mind. This is a focused, launch-critical engagement, not an open-ended rebuild.

Timeline (important):
- Target completion: Tuesday, June 30, 2026.
- Hard deadline: Tuesday, July 7, 2026 — critical fixes done, tested, and live in production.
- Please start with a rapid 1–2 day audit and confirm in your proposal whether this timeline is realistic.

Scope (must-haves only):

Security & data safety
1. Account isolation — audit Supabase RLS policies and prove no data leaks across user accounts (multi-tenant). Top priority.
2. Payment flow — verify Stripe checkout + webhooks; confirm the correct subscription tier is assigned on purchase/upgrade/downgrade/cancel and stays in sync.
3. Common vulnerability sweep — the app was built largely with AI-assisted coding, so I want a focused pass for the high-risk issues these apps typically have: exposed secrets/API keys (e.g. Supabase service_role key reaching the frontend), missing or weak RLS, endpoints/server actions that don't verify the user, IDOR (changing an ID to access someone else's data), and missing input validation / rate limiting.
4. Essential hardening — make sure every endpoint enforces auth server-side, secrets are stored correctly (not in the client or in git), and basic input validation is in place. Focused on launch-blockers, not an exhaustive enterprise pen-test.

Core user flows (must work end-to-end)
5. Onboarding flow — new-user onboarding works correctly from start to finish.
6. Terms of Service & Privacy Policy acceptance — works and is properly recorded (who accepted which version, and when).
7. 12-week journey flow — it works on the surface; verify it's correctly implemented under the hood (data saving/loading correctly, progress tracked accurately, no silent bugs).
8. Pricing/subscription page — a website page with monthly and annual Stripe options. Make sure it's wired into the signup → payment → access flow, and that monthly vs annual assigns the right plan/tier.

Production launch (go-live)
9. Take the app from staging to real production: production Vercel deployment, production Supabase project, Stripe live mode (live keys + live webhooks), real domain/DNS, and all env variables/secrets configured. Verify the full paid signup flow works end-to-end in production.

Out of scope for this first pass: broad refactoring and non-critical polish. If you spot something important beyond this list, flag it and I'll consider it as follow-up work.

Ongoing opportunity: This first engagement is launch-critical fixes, but there will be cleanup and follow-up items that won't all be addressed in this pass. I'd prefer to keep working with the same person on those, and depending on how this goes, I'm open to an ongoing/retainer arrangement for continued maintenance and improvements. If you do great work here, there's more.

Must have: shipped production Supabase RLS + Stripe webhook logic, has launched apps to production before, comfortable debugging an inherited (AI-assisted) codebase, and available to work intensively this week and next to hit the deadline.

How I'd like to work: rapid audit (days 1–2) → confirm timeline → fix top-down by security/user impact → launch. I'd like to structure this in milestones, starting with a paid audit milestone.

A few quick questions in your proposal:
- Can you realistically hit June 30 (target) / July 7 (hard deadline)? Be honest.
- How would you prove one user can't read another user's data in Supabase?
- What are the first things you check for security on an AI-assisted Next.js + Supabase app?
- A user picks annual then downgrades to monthly — how do you keep their tier/access correct, and where does that logic live?
- Have you taken an app from staging to production (Vercel + Supabase + Stripe live mode)? Walk me through how you'd do it safely.

Please share a past project where you launched or fixed a real SaaS payment/auth flow.
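A worked answer to the "prove one user can't read another user's data" question, added here as an example and not taken from the posting's app: a cross-tenant probe against the project's PostgREST API, run as two ordinary users (the public anon key plus each user's own access token, never the service_role key), that checks both reads and IDOR-style writes on every tenant table. The table names, the user_id column, the seeded users A and B, and the fake fetch used for the offline test are assumptions.

```typescript
// Added example, not the posting's own code. Assumed: a user_id column on every
// tenant table, the table names passed in, and two seeded staging users A and B.

export interface Row { id: string | number; user_id: string; [k: string]: unknown }
export interface TenantUser { id: string; accessToken: string }
export interface Leak { table: string; viewer: string; rowId: string | number; owner: string; kind: "read" | "write" }
export type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body?: string },
) => Promise<{ status: number; json(): Promise<unknown> }>;

function restHeaders(anonKey: string, userToken: string): Record<string, string> {
  return {
    apikey: anonKey,                      // public gateway key; grants nothing on its own
    Authorization: `Bearer ${userToken}`, // the user's JWT: this is what auth.uid() sees inside RLS
    "Content-Type": "application/json",
    Prefer: "return=representation",      // PATCH echoes exactly the rows RLS let it touch
  };
}

// Pure verdict logic, so it can be unit-tested without a database.
export function readLeaks(table: string, viewer: TenantUser, rows: Row[]): Leak[] {
  return rows
    .filter((r) => r.user_id !== viewer.id)
    .map((r) => ({ table, viewer: viewer.id, rowId: r.id, owner: r.user_id, kind: "read" as const }));
}
export function writeLeaks(table: string, viewer: TenantUser, victim: TenantUser, touched: Row[]): Leak[] {
  return touched.map((r) => ({ table, viewer: viewer.id, rowId: r.id, owner: victim.id, kind: "write" as const }));
}

// Probe one table as `viewer` against `victim`'s rows.
export async function probeTable(base: string, anonKey: string, table: string, viewer: TenantUser, victim: TenantUser, fetchFn: FetchLike): Promise<Leak[]> {
  const headers = restHeaders(anonKey, viewer.accessToken);
  // 1. Read: an unfiltered select must come back containing only the viewer's own rows.
  const sel = await fetchFn(`${base}/rest/v1/${table}?select=*`, { method: "GET", headers });
  const rows = sel.status === 200 ? ((await sel.json()) as Row[]) : [];
  // 2. Write (IDOR / ownership hijack): try to re-own the victim's rows. A correct UPDATE
  //    policy (USING and WITH CHECK on user_id = auth.uid()) makes this touch zero rows.
  //    Destructive if RLS is broken, which is the point: run it on staging seed data only.
  const upd = await fetchFn(`${base}/rest/v1/${table}?user_id=eq.${encodeURIComponent(victim.id)}`, {
    method: "PATCH", headers, body: JSON.stringify({ user_id: viewer.id }),
  });
  const touched = upd.status === 200 ? ((await upd.json()) as Row[]) : [];
  return [...readLeaks(table, viewer, rows), ...writeLeaks(table, viewer, victim, touched)];
}

// Every ordered pair of users against every tenant table. An empty array is the proof for
// this schema; anything else is a concrete row-level finding for the audit report.
export async function proveIsolation(base: string, anonKey: string, tables: string[], users: TenantUser[], fetchFn: FetchLike): Promise<Leak[]> {
  const leaks: Leak[] = [];
  for (const table of tables)
    for (const viewer of users)
      for (const victim of users) {
        if (viewer.id === victim.id) continue;
        leaks.push(...(await probeTable(base, anonKey, table, viewer, victim, fetchFn)));
      }
  return leaks;
}
```

Against the real staging project, obtain each seeded user's token with a normal sign-in (for example supabase-js `auth.signInWithPassword`) and pass Node's global `fetch` as `fetchFn`. Pair the probe with `select tablename from pg_tables where schemaname = 'public' and not rowsecurity;`, since a table with RLS never enabled returns everything through PostgREST, and extend it with a POST whose `user_id` is the victim to exercise INSERT policies' WITH CHECK clause as well.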
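For the "first things you check" question, an added example (not the posting's code) of the check that usually pays off first on an AI-generated Next.js + Supabase app: finding a service_role key that reaches the browser. Supabase's anon and service_role keys are JWTs whose payload carries a `role` claim, so the privileged one can be recognised offline by decoding it, and Next.js inlines every `NEXT_PUBLIC_*` variable into the client bundle. The sample keys, env file, file contents and variable names are constructed for the example.

```typescript
// Added example, not the posting's code. Sample keys below have a real header/payload
// layout and a junk signature; all names and file contents are constructed.

export type SupabaseRole = "anon" | "service_role" | "unknown";
export interface Finding { where: string; name: string; severity: "critical" | "warn"; why: string }

function b64urlDecode(s: string): string {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Classify a candidate key. No signature check: we are not trusting the key, only reading its label.
export function supabaseKeyRole(token: string): SupabaseRole {
  const t = token.trim();
  if (t.startsWith("sb_secret_")) return "service_role"; // newer Supabase secret-key format, same privilege
  if (t.startsWith("sb_publishable_")) return "anon";
  const parts = t.split(".");
  if (parts.length !== 3) return "unknown";
  try {
    const payload = JSON.parse(b64urlDecode(parts[1])) as { role?: unknown };
    return payload.role === "anon" || payload.role === "service_role" ? payload.role : "unknown";
  } catch {
    return "unknown"; // not base64url JSON, e.g. a URL with two dots
  }
}

// .env file or Vercel env export: a service_role value under NEXT_PUBLIC_ is a full-database leak.
export function scanEnv(envText: string, where = ".env"): Finding[] {
  const out: Finding[] = [];
  for (const raw of envText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    if (supabaseKeyRole(value) !== "service_role") continue;
    out.push(name.startsWith("NEXT_PUBLIC_")
      ? { where, name, severity: "critical", why: "service_role key under NEXT_PUBLIC_ is inlined into the browser bundle" }
      : { where, name, severity: "warn", why: "service_role key present: confirm the file is git-ignored and read only server-side" });
  }
  return out;
}

// Source files: a hard-coded service key anywhere is critical. A server-secret variable
// referenced from a "use client" file is undefined in the browser, but it is the pattern
// that later gets "fixed" by renaming the variable to NEXT_PUBLIC_, so it is flagged too.
export function scanSource(path: string, src: string, serverSecretVars: string[]): Finding[] {
  const out: Finding[] = [];
  for (const tok of src.match(/eyJ[\w-]+\.[\w-]+\.[\w-]+|sb_secret_[\w-]+/g) ?? [])
    if (supabaseKeyRole(tok) === "service_role")
      out.push({ where: path, name: "<literal>", severity: "critical", why: "service_role key hard-coded in source" });
  if (/^\s*["']use client["']/m.test(src))
    for (const v of serverSecretVars)
      if (src.includes(`process.env.${v}`))
        out.push({ where: path, name: v, severity: "warn", why: "server secret referenced from a client component" });
  return out;
}

// Constructed sample keys for the offline run.
export function makeSampleKey(role: "anon" | "service_role"): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ iss: "supabase", ref: "abcdefghijklmnopqrst", role, iat: 1700000000 })}.c2lnbmF0dXJl`;
}

export const SAMPLE_ENV = [
  "NEXT_PUBLIC_SUPABASE_URL=https://abcdefghijklmnopqrst.supabase.co",
  `NEXT_PUBLIC_SUPABASE_ANON_KEY=${makeSampleKey("anon")}`,
  `NEXT_PUBLIC_SUPABASE_SERVICE_KEY=${makeSampleKey("service_role")}`, // the classic vibe-coded leak
  `SUPABASE_SERVICE_ROLE_KEY="${makeSampleKey("service_role")}"`,
].join("\n");

export const SAMPLE_CLIENT_FILE = `"use client";
import { createClient } from "@supabase/supabase-js";
const admin = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.SUPABASE_SERVICE_ROLE_KEY!);
const legacy = createClient("https://x.supabase.co", "${makeSampleKey("service_role")}");
`;
```

Run `scanEnv` over every env file and the Vercel environment export, and `scanSource` over the repo plus the built `.next/static` output, which is where an inlined key actually ends up. Git history needs the same treatment: a key that was ever committed is rotated, not just deleted.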
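For the annual-to-monthly question, an added example (not the posting's code) of where that logic belongs: in the Stripe webhook handler, as one pure function from the subscription object Stripe sends to the tier the app grants, so purchase, upgrade, downgrade and cancel all flow through the same path and nothing is trusted from the browser's checkout click. The price IDs, tier names, `metadata.user_id` field and the in-memory idempotency store are assumptions for the example; the signature check re-implements the scheme that `stripe.webhooks.constructEvent` performs so the example runs without the SDK.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not the posting's code. Assumed: the two price IDs, the tier names, and
// that Checkout was created with subscription_data.metadata.user_id = the Supabase user id,
// so every later subscription event carries it.

export type Tier = "free" | "pro";
export type Interval = "month" | "year";
export interface Entitlement { tier: Tier; interval: Interval | null; accessUntil: number | null; reason: string }

// Subset of Stripe's Subscription object that the sync logic reads.
export interface SubscriptionLike {
  status: "trialing" | "active" | "past_due" | "canceled" | "unpaid" | "incomplete" | "incomplete_expired" | "paused";
  cancel_at_period_end: boolean;
  current_period_end: number; // unix seconds
  metadata?: { user_id?: string };
  items: { data: { price: { id: string; recurring: { interval: Interval } | null } }[] };
}
export interface StripeEventLike { id: string; type: string; created: number; data: { object: SubscriptionLike } }

const PRICE_TO_TIER: Record<string, Tier> = { price_pro_month: "pro", price_pro_year: "pro" }; // assumed IDs

// Single pure reducer from the subscription object to what the app grants. An annual -> monthly
// change arrives as customer.subscription.updated with the new price; only `interval` flips.
export function entitlementFor(sub: SubscriptionLike | null): Entitlement {
  const none = (reason: string): Entitlement => ({ tier: "free", interval: null, accessUntil: null, reason });
  if (sub === null) return none("deleted");
  const price = sub.items.data[0]?.price;
  if (!price) return none("no_price");
  const tier = PRICE_TO_TIER[price.id];
  if (!tier) return none(`unknown_price:${price.id}`); // fail closed on a price that was never mapped
  const interval = price.recurring?.interval ?? null;
  switch (sub.status) {
    case "active":
    case "trialing":
      // cancel_at_period_end: paid access continues until the period ends, then the
      // customer.subscription.deleted event drops the user to free.
      return { tier, interval, accessUntil: sub.cancel_at_period_end ? sub.current_period_end : null, reason: sub.status };
    case "past_due":
      return { tier, interval, accessUntil: sub.current_period_end, reason: "past_due" }; // dunning grace (policy choice)
    default:
      return none(sub.status);
  }
}

// Stripe signs `${t}.${rawBody}` with the endpoint's whsec_ secret (HMAC-SHA256) and sends
// "t=<ts>,v1=<hex>[,v1=<hex>]" in the Stripe-Signature header.
export function verifyStripeSignature(rawBody: string, header: string, secret: string, nowSeconds: number, toleranceSeconds = 300): boolean {
  const parts = header.split(",").map((p) => p.trim().split("="));
  const t = parts.find(([k]) => k === "t")?.[1];
  const sigs = parts.filter(([k]) => k === "v1").map(([, v]) => v ?? "");
  if (!t || sigs.length === 0) return false;
  const ts = Number(t);
  if (!Number.isFinite(ts) || Math.abs(nowSeconds - ts) > toleranceSeconds) return false; // replay window
  const expected = Buffer.from(createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex"), "hex");
  return sigs.some((s) => { const got = Buffer.from(s, "hex"); return got.length === expected.length && timingSafeEqual(got, expected); });
}

// Local signer (what `stripe listen` / `stripe trigger` do for you) so tests can build valid headers.
export function signPayload(rawBody: string, secret: string, ts: number): string {
  return `t=${ts},v1=${createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex")}`;
}

export interface SyncResult { status: number; userId?: string; entitlement?: Entitlement; note?: string }

// Webhook handler body. `processed` is the idempotency store (a table with a unique index on the
// Stripe event id in production); Stripe retries on non-2xx, so each event must apply exactly once.
export function handleStripeWebhook(rawBody: string, sigHeader: string, secret: string, processed: Set<string>, nowSeconds: number): SyncResult {
  if (!verifyStripeSignature(rawBody, sigHeader, secret, nowSeconds)) return { status: 400, note: "bad signature" };
  const event = JSON.parse(rawBody) as StripeEventLike;
  if (processed.has(event.id)) return { status: 200, note: "duplicate" };
  processed.add(event.id);
  if (!event.type.startsWith("customer.subscription.")) return { status: 200, note: `ignored ${event.type}` };
  const sub = event.data.object;
  const userId = sub.metadata?.user_id;
  if (!userId) return { status: 200, note: "subscription has no metadata.user_id: alert, do not guess" };
  const entitlement = entitlementFor(event.type === "customer.subscription.deleted" ? null : sub);
  return { status: 200, userId, entitlement }; // caller persists this server-side with the service client
}
```

In a Next.js route handler the body must be read raw (`await req.text()`) before any JSON parsing, or the signature never matches. Stripe does not guarantee delivery order, so the persisted row should also carry the `event.created` timestamp and ignore any event older than the one already applied; and the handler should use the SDK's `constructEvent` in production rather than the hand-rolled check shown here.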