Copy/paste these into Claude Code/Codex: - Move the session out of localStorage: "My vibe-coded app stores its auth/session token in localStorage. Migrate me to httpOnly, Secure, SameSite=Lax cookies using [Supabase @supabase/ssr | Clerk]. Show the exact client + server changes, confirm no token is ever readable from window.localStorage, and tell me how to verify it in DevTools." - Enforce auth on the server, not the browser: "Audit every API route / server action in my app for missing server-side authorization. For each protected action, add a check that re-verifies the user's identity and role from the server session (and add a matching Supabase RLS policy). List which routes were unprotected and show the before/after for each." - Require email verification: "Enable required email verification in [Supabase Auth | Clerk] and block unverified users from any write/sensitive action. Show me the provider setting to flip, the server-side guard that checks email_confirmed_at (or Clerk's verified status), and a redirect to a "please verify" screen." - Rate-limit login / signup / reset: "Add rate limiting and temporary lockout to my login, signup, and password-reset flows. Use [Supabase Auth's built-in rate limits | Upstash Ratelimit middleware]. Specify sensible limits (e.g. 5 attempts / 15 min per IP+email), the lockout behavior, and how to test that the 6th attempt is blocked." - Strong + non-breached passwords: "Enforce a strong password policy in [Supabase Auth | Clerk]: minimum length 12, block compromised passwords via the HaveIBeenPwned / leaked-password setting, and surface a clear strength error in my sign-up UI. Show the provider setting and the client validation, and confirm a known-breached password is rejected."