# RateRight v2 - Project Memory

## Environment Notes
- Repo at `/home/ccuser/the-50-dollar-app` is owned by root but ccuser can write (chown was done)
- Writable clone created at `/home/ccuser/workdir` for making changes
- No GitHub credentials configured on this server - cannot push to remote
- Git safe.directory config needed: `git config --global --add safe.directory /home/ccuser/the-50-dollar-app`
- `.env.local` must be created manually (not in repo) with Supabase credentials for builds
- **Workdir `.env.local` is MISSING `OPENAI_API_KEY` and `SUPABASE_SERVICE_ROLE_KEY`** — copy from main repo if needed

## Deployment Architecture (IMPORTANT)
- App is SELF-HOSTED on a DigitalOcean droplet, NOT on Vercel
- nginx reverse proxy on the server: `rateright.com.au` -> `localhost:3000`
- systemd service: `rateright-app.service` runs `npm run start` (next start) as ccuser
- `cc.rateright.com.au` -> localhost:3001 (Control Centre)
- Also runs: `vapi-webhook.service` on port 3456, voice server on port 3334
- After code changes: MUST run `npx next build` then the service auto-restarts
- If .next/BUILD_ID missing, service crash-loops with "Could not find a production build"
- No sudo access — cannot `systemctl stop/start` but service has auto-restart

## Key Architecture
- Next.js 16 with App Router, Tailwind CSS, shadcn/ui
- Supabase for auth/DB, OpenAI for AI features
- 4 API routes: abn-lookup, ai/generate-profile, auth/verify-email, company-logo
- Authenticated layout at `src/app/(authenticated)/layout.tsx` provides header + bottom nav
- `src/lib/supabase/server.ts` exports: createClient, supabaseAdmin, createServiceClient, verifyEmail, isEmailVerified
- `src/lib/supabase/client.ts` exports: createClient (using createBrowserClient from @supabase/ssr)

## Completed Audit Fixes
- C6: DELETE RLS policies on profiles, companies, worker_profiles, jobs, matches, notifications
- H1: Rate limiting (checkRateLimit from rate-limit.ts) on all 4 API routes
- H2: Replaced singleton client.ts with createBrowserClient from @supabase/ssr
- H3: sanitizePromptInput() in utils.ts, used in generate-profile route
- H4: error.tsx at root and (authenticated) level
- H5: CORS origin restricted to NEXT_PUBLIC_APP_URL in company-logo
- H9: not-found.tsx with 404 page
- H10: verify-email redirects all go to /dashboard
- H11: supabaseAdmin handles missing SUPABASE_SERVICE_KEY gracefully
- H12: handle_new_user() has BEGIN/EXCEPTION block for type cast
- H13: loading.tsx at (authenticated) and dashboard levels
- H14: Rate limit cleanup interval every 60s
- M4: sonner installed, Toaster in root layout, alert() replaced with toast.error()
- M5: Dashboard page no longer has duplicate header/BottomNavWrapper
- M7: /offline page created
- M9: SW registration moved to public/register-sw.js
- M16: test-signup.js deleted
- M17: middleware.ts.backup deleted
