FREE PROMPT PACK - Login Security | June 17th
Copy/paste these into Claude Code/Codex:

- Move the session out of localStorage: "My vibe-coded app stores its auth/session token in localStorage. Migrate me to httpOnly, Secure, SameSite=Lax cookies using [Supabase @supabase/ssr | Clerk]. Show the exact client + server changes, confirm no token is ever readable from window.localStorage, and tell me how to verify it in DevTools."
- Enforce auth on the server, not the browser: "Audit every API route / server action in my app for missing server-side authorization. For each protected action, add a check that re-verifies the user's identity and role from the server session (and add a matching Supabase RLS policy). List which routes were unprotected and show the before/after for each."
- Require email verification: "Enable required email verification in [Supabase Auth | Clerk] and block unverified users from any write/sensitive action. Show me the provider setting to flip, the server-side guard that checks email_confirmed_at (or Clerk's verified status), and a redirect to a "please verify" screen."
- Rate-limit login / signup / reset: "Add rate limiting and temporary lockout to my login, signup, and password-reset flows. Use [Supabase Auth's built-in rate limits | Upstash Ratelimit middleware]. Specify sensible limits (e.g. 5 attempts / 15 min per IP+email), the lockout behavior, and how to test that the 6th attempt is blocked."
- Strong + non-breached passwords: "Enforce a strong password policy in [Supabase Auth | Clerk]: minimum length 12, block compromised passwords via the HaveIBeenPwned / leaked-password setting, and surface a clear strength error in my sign-up UI. Show the provider setting and the client validation, and confirm a known-breached password is rejected."
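For the rate-limit prompt above, this is an added example (not part of the original post, and not Supabase or Upstash code) of the behaviour to expect: a sliding-window limiter keyed by IP + email where the 6th attempt inside 15 minutes is blocked. The function names, the lockout length, and the sample IP and e-mail addresses are assumptions constructed for the demo.

```javascript
// Added example: in-memory sliding-window limiter keyed by IP + email.
// 5 attempts / 15 min comes from the prompt; LOCKOUT_MS is an assumption.
const WINDOW_MS = 15 * 60 * 1000;
const MAX_ATTEMPTS = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

function createLoginLimiter(now = () => Date.now()) {
  const state = new Map(); // key -> { attempts: number[], lockedUntil: number }
  // Normalise the email so "User@Example.com " and "user@example.com" share a bucket.
  const keyFor = (ip, email) => `${ip}|${String(email).trim().toLowerCase()}`;

  function attempt(ip, email) {
    const t = now();
    const key = keyFor(ip, email);
    const entry = state.get(key) || { attempts: [], lockedUntil: 0 };
    state.set(key, entry);
    if (t < entry.lockedUntil) {
      return { allowed: false, retryAfterMs: entry.lockedUntil - t };
    }
    // Keep only the attempts that still fall inside the window.
    entry.attempts = entry.attempts.filter((ts) => t - ts < WINDOW_MS);
    if (entry.attempts.length >= MAX_ATTEMPTS) {
      entry.lockedUntil = t + LOCKOUT_MS; // temporary lockout starts now
      return { allowed: false, retryAfterMs: LOCKOUT_MS };
    }
    entry.attempts.push(t);
    return { allowed: true, remaining: MAX_ATTEMPTS - entry.attempts.length };
  }

  // Call after a successful login so a legitimate user starts fresh.
  const reset = (ip, email) => state.delete(keyFor(ip, email));
  return { attempt, reset };
}

// Constructed test run with a fake clock: six attempts one second apart.
function demo() {
  let clock = 0;
  const limiter = createLoginLimiter(() => clock);
  const results = [];
  for (let i = 0; i < 6; i++) {
    clock += 1000;
    results.push(limiter.attempt("203.0.113.7", "User@Example.com").allowed);
  }
  const otherEmail = limiter.attempt("203.0.113.7", "other@example.com").allowed;
  clock += LOCKOUT_MS + 1; // wait out the lockout
  const afterLockout = limiter.attempt("203.0.113.7", "user@example.com").allowed;
  return { results, otherEmail, afterLockout };
}
console.log(demo());
```

A `Map` in process memory only holds up on a single long-lived server; on serverless or multi-instance deployments the counters need a shared store, which is what the provider options named in the prompt supply.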
FREE PROMPT PACK - Performance Optimizations | June 17th
- Optimize images: "Audit my app for unoptimized images. Convert raw <img> tags to next/image (or an equivalent optimized component), enable WebP/AVIF, set correct width/height to stop layout shift, and lazy-load anything below the fold. List each image you changed and its before/after file size."
- Add loading/optimistic states: "Add skeleton loading states to every screen that fetches data, and optimistic UI to my create/update actions so the change shows instantly before the server confirms. Show me one reusable Skeleton component and wire it into my main list and detail views."
- Cache your data fetches: "Introduce React Query (TanStack Query) into my app to cache and dedupe data fetches. Wrap my existing fetch calls in useQuery with sensible staleTime and cache keys, and replace manual useEffect+useState fetching. Show the provider setup and convert my two busiest screens first."
- Code-split the bundle: "Analyze my bundle for the biggest JavaScript offenders. Code-split heavy routes and components with dynamic import / React.lazy, defer anything not needed for first paint, and flag any large dependency I can drop or replace with something lighter. List the bundle-size before/after."
- Index the database: "Review my database queries for missing indexes. For every column I filter, sort, or join on, give me the exact CREATE INDEX statement (Postgres/Supabase), and add pagination (limit/offset or cursor) to any query that returns an unbounded list. Explain how to confirm the index is used with EXPLAIN."
FREE PROMPT - Endpoint Authentication | June 16th
Copy/paste this into Claude Code/Codex: "Review every API route, server action, and endpoint in my app and tell me which ones are missing authentication or authorization checks — i.e. anything a logged-out user (or a logged-in user who shouldn't have access) could call. For each unprotected endpoint, show me the exact auth check to add and where it goes. Pay special attention to anything that reads, writes, or deletes data. Give me the list and the fixes; don't apply them until I confirm."
FREE PROMPT - Secure Your API Keys | June 16th
Copy/paste this into Claude Code/Codex: "Scan my entire codebase for hardcoded secrets: API keys, database URLs, tokens, passwords, and any credential committed in plain text (including in client-side code and old commits). List every one with its file and line. Then move them to environment variables, show me the .env entries I need, update the code to read from env, and add them to .gitignore. Finally, tell me which exposed keys I should rotate immediately because they may already be compromised."
FREE PROMPT - Find Security Holes in Your Application | June 16th
Copy/paste this into Claude: "Act as a security auditor reviewing an app that was built mostly with AI. Go through my entire codebase and find every security vulnerability: exposed secrets/API keys, endpoints with no authentication, places where one user can access another user's data, missing input validation, SQL injection or XSS risks, and anything sensitive sent to the client. For each issue, tell me: the file and line, why it's dangerous in plain English, and the exact code change to fix it. Rank them most-to-least dangerous. Do not change anything yet — give me the list first."
A2B - Go From App to Business
Vibe-coded an app that's 80% complete? We teach you everything you need to know to make it secure, polished, and performant so YOU can finally launch.