Passit — Developer Brief: Auth, Stripe, Stability (Pre-Launch)

Scoped task order for this engagement Phase 1 — Stabilise & deploy auth (1-2 days) Verify/fix Vercel preview deploy of existing auth work (item 1) Fix hydration error (item 6) Confirm Google sign-in + magic link work end-to-end on Vercel preview Phase 2 — User migration + authorisation enforcement (2-3 days) Build "claim your account" flow for the 33 existing users (item 2) Rewrite RLS on practice_sessions and any remaining email-keyed tables to auth.uid() (item 3) — this is the core authorisation work: ensures authenticated users can only access their own data Browser-verify: existing user claims account, sees their practice history intact; new user sees only their own data; user A cannot access user B's data Phase 3 — Stripe live (2-3 days) Switch Stripe to live keys, set up webhook + signing secret stripe_customer_id + subscription_status on parent's profiles row Stripe Checkout flow (parent-initiated), gate premium content based on subscription status via family link Webhook handler for subscription lifecycle events Browser-verify: parent subscribes (test card on live keys, or Stripe test mode), gated content unlocks for linked student Phase 4 — Concurrency check (1 day) Review practice_sessions write path for race conditions Check Supabase plan/connection limits against expected concurrent users at launch