Feat/supabase auth v2
Our analysis
Auth: stripped to a hardcoded "internal" user, then rebuilt on Supabase JWT
CarbonIQ / Carbonleo brand reskin of the frontend
Stop leaking Anthropic / Gemini keys via NEXT_PUBLIC env vars
Deployment migration: Cloudflare Workers / OpenNext → Vercel (frontend + backend)
Next.js bumped to 16.2.4 to patch CVE-2025-66478
/projects: replace Supabase `.contains()` on `shared_with` with client-side filter
Commits in this PR (18)
| SHA | Subject | Author | Date |
|---|---|---|---|
| e6568f87 | feat(mike): ic - remove auth - fix sql - all users 'internal' for now | clapointe-carbonleo | 2026-05-06 |
| a15cd5a1 | update(UI): CarbonIQ design refactor | clapointe-carbonleo | 2026-05-06 |
| cbd47b90 | Switch frontend from Cloudflare to Vercel | clapointe-carbonleo | 2026-05-06 |
| 8796dfef | Remove Cloudflare dependencies for Vercel deployment | clapointe-carbonleo | 2026-05-06 |
| af9f6107 | Merge pull request #1 from clapointe-carbonleo/feat/CarbonIQ-imp | clapointe-carbonleo | 2026-05-06 |
| | Feat/carbon iq imp | | |
| 1b9a6630 | Remove all Cloudflare and AWS SDK dependencies for Vercel | clapointe-carbonleo | 2026-05-06 |
| e4b92c1d | Merge remote main, keep local package.json without AWS SDK | clapointe-carbonleo | 2026-05-06 |
| c79bdaef | Remove package-lock.json to clear stale dependencies | clapointe-carbonleo | 2026-05-06 |
| c0ee368b | Upgrade Next.js to 16.2.4 to fix CVE-2025-66478 | clapointe-carbonleo | 2026-05-06 |
| 0785addf | Restore AWS SDK packages needed for R2 storage | clapointe-carbonleo | 2026-05-06 |
| 0756a87d | Fix CORS to allow production frontend URL | clapointe-carbonleo | 2026-05-06 |
| 35fd7788 | Configure backend as Vercel serverless function | clapointe-carbonleo | 2026-05-06 |
| c52c1648 | Remove NEXT_PUBLIC API keys - hardcode availability instead | clapointe-carbonleo | 2026-05-06 |
| | API keys must never be NEXT_PUBLIC_* (they end up in the browser bundle). Model availability now hardcoded to 'configured' so all models show as available. The backend uses its own server-side keys for actual API calls. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> | | |
| 9e02ae0e | Fix /projects endpoint: filter shared_with client-side | clapointe-carbonleo | 2026-05-06 |
| | The .contains() method doesn't work for JSONB arrays in Supabase JS client. Changed to fetch all non-owned projects and filter by shared_with email client-side. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> | | |
| 333172e1 | feat(git): add vercel to gitignore | clapointe-carbonleo | 2026-05-06 |
| 2217a5df | Add Supabase email/password authentication | clapointe-carbonleo | 2026-05-06 |
| | - AuthContext now uses real Supabase session (onAuthStateChange) - (pages) layout redirects to /login when not authenticated - Login page with Carbonleo brand styling (dark bg, yellow CTA) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> | | |
| fffe4396 | Validate real Supabase JWT in requireAuth middleware | clapointe-carbonleo | 2026-05-06 |
| | Replaces hardcoded 'internal' userId with the actual Supabase user ID extracted from the Bearer token sent by the frontend. Each user now has their own isolated data in the database. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> | | |
| 17605a51 | Fix CORS: allow mike-legal-three.vercel.app | clapointe-carbonleo | 2026-05-07 |