# Plan: Fix 8 Critical Issues

## 1. Deepgram API Key Exposed
**File:** `src/services/deepgram.js`
**Problem:** `getClientCredentials()` returns the raw API key to the frontend
**Fix:**
- Remove `getClientCredentials()` function entirely
- Create server-side WebSocket proxy OR use Deepgram's temporary key API
- For now: return only the WebSocket URL and handle auth server-side via a proxy endpoint

## 2. Missing Authentication on ALL Routes
**Files:** `src/index.js`, new `src/middleware/auth.js`
**Problem:** No auth on any endpoint
**Fix:**
- Create auth middleware that validates Supabase JWT
- Apply to all routes EXCEPT `/health` and `/api/webhooks/*`
- Use Supabase's `getUser()` to validate tokens
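The middleware described above, as an added example (not the project's own code): an Express-style `requireAuth` that validates the bearer token with `supabase.auth.getUser(jwt)` and skips `/health` and `/api/webhooks/*`. The `fakeSupabase` client and the request/response objects are constructed stand-ins so the file runs offline; in `src/index.js` the real server-side client would be passed in with `app.use(createAuthMiddleware(supabase))`.

```javascript
// Added example, not the project's code. Validates a Supabase JWT on every
// route except the public ones; a constructed fake client stands in for the
// real server-side Supabase client so this runs offline.

// Public routes. Webhooks skip user auth, so their handlers must verify the
// provider's own signature instead of trusting the request.
const EXEMPT_EXACT = new Set(['/health']);
const EXEMPT_PREFIXES = ['/api/webhooks/'];

function isExemptPath(path) {
  if (EXEMPT_EXACT.has(path)) return true;
  return EXEMPT_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Extract the token from "Authorization: Bearer <jwt>"; null if absent or malformed.
function extractBearerToken(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const [scheme, token, ...rest] = headerValue.trim().split(/\s+/);
  if (!token || rest.length > 0 || scheme.toLowerCase() !== 'bearer') return null;
  return token;
}

function createAuthMiddleware(supabase) {
  return async function requireAuth(req, res, next) {
    if (isExemptPath(req.path)) return next();

    const token = extractBearerToken(req.headers.authorization);
    if (!token) return res.status(401).json({ error: 'missing bearer token' });

    // supabase-js v2: getUser(jwt) verifies the token with the Auth server
    // and resolves to { data: { user }, error }.
    const { data, error } = await supabase.auth.getUser(token);
    if (error || !data || !data.user) {
      return res.status(401).json({ error: 'invalid or expired token' });
    }

    req.user = data.user; // downstream handlers read req.user.id / req.user.email
    return next();
  };
}

// --- Constructed fake client and request/response objects for a dry run ---
const fakeSupabase = {
  auth: {
    async getUser(jwt) {
      if (jwt === 'valid-token') {
        return { data: { user: { id: 'u1', email: 'user@example.com' } }, error: null };
      }
      return { data: { user: null }, error: { message: 'invalid JWT' } };
    },
  },
};

function fakeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Push one request through the middleware and report whether it reached next().
async function simulate(path, authorization) {
  const req = { path, headers: authorization ? { authorization } : {} };
  const res = fakeRes();
  let passed = false;
  await createAuthMiddleware(fakeSupabase)(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, user: req.user || null };
}
```

The exemption list is matched on `req.path` (no query string), so a request to `/api/webhooks/stripe?x=1` is still exempt while `/api/webhooksx` is not.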

## 3. SQL Injection Risk
**File:** `src/routes/webhooks.js:263-268`
**Problem:** Invalid `supabase.sql` template string usage
**Fix:**
- Use a proper Supabase JSONB merge: fetch the current metadata, merge in JS, update
- Or use raw SQL with proper parameterization
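The first option above (read, merge in JS, write back through the query builder), as an added example that is not the project's code. The query builder parameterizes every value, so no SQL is built from strings. The table name `leads`, the column name `metadata`, and the in-memory fake client are assumptions made so the file runs offline.

```javascript
// Added example, not the project's code. Replaces the invalid supabase.sql
// template-string usage with a read-merge-write of a JSONB column through
// the supabase-js query builder. Table and column names are assumptions.

// Shallow merge with the same semantics as Postgres `jsonb || jsonb`:
// top-level keys in `patch` overwrite, every other key in `existing` is kept.
function mergeMetadata(existing, patch) {
  const base = existing && typeof existing === 'object' && !Array.isArray(existing)
    ? existing
    : {};
  return { ...base, ...patch };
}

async function patchMetadata(supabase, table, id, patch) {
  const { data, error } = await supabase
    .from(table)
    .select('metadata')
    .eq('id', id)
    .single();
  if (error) throw new Error(`fetch failed: ${error.message}`);

  const merged = mergeMetadata(data.metadata, patch);

  const { error: updateError } = await supabase
    .from(table)
    .update({ metadata: merged })
    .eq('id', id);
  if (updateError) throw new Error(`update failed: ${updateError.message}`);
  return merged;
}

// --- Constructed in-memory fake of the small part of the builder used above ---
function fakeSupabaseWithRows(rows) {
  return {
    from(table) {
      const store = rows[table] || [];
      return {
        select() {
          return {
            eq(col, val) {
              return {
                async single() {
                  const row = store.find((r) => r[col] === val);
                  return row
                    ? { data: { metadata: row.metadata }, error: null }
                    : { data: null, error: { message: 'row not found' } };
                },
              };
            },
          };
        },
        update(values) {
          return {
            async eq(col, val) {
              const row = store.find((r) => r[col] === val);
              if (!row) return { error: { message: 'row not found' } };
              Object.assign(row, values);
              return { error: null };
            },
          };
        },
      };
    },
  };
}
```

Read-merge-write is not atomic: two webhooks updating the same row at once can drop each other's keys. If that matters, the page's second option applies: put the merge in a Postgres function (`UPDATE ... SET metadata = metadata || $1`) and call it through `supabase.rpc(...)`, which passes the patch as a parameter rather than interpolating it.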

## 4. Duplicate winning_patterns Table
**Files:** `supabase/ai-schema.sql`, `supabase/learning-schema.sql`, `supabase/run-all-migrations.sql`
**Problem:** Two different schemas for the same table
**Fix:**
- Keep the learning-schema version (more complete, with period tracking)
- Remove from ai-schema.sql
- Update run-all-migrations.sql to use single definition

## 5. Dynamic Tailwind Classes
**File:** `admin/src/components/PredictiveScoreBadge.jsx`
**Problem:** `bg-${color}-100` is built at runtime, so Tailwind's scanner never sees the full class name and generates no CSS for it
**Fix:**
- Create static class mapping object
- Map color names to full Tailwind class strings
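The static mapping described above, as an added example that is not the project's code. Each full class string appears verbatim in source, which is what Tailwind's content scanner needs; unknown color names fall back to a neutral class instead of producing one with no CSS behind it. The color names, the score thresholds in `scoreColor`, and the gray fallback are assumptions.

```javascript
// Added example, not the project's code. Color names, thresholds and the
// gray fallback are assumptions.

// Broken form (class string assembled at runtime; Tailwind cannot see it):
//   const cls = `bg-${color}-100 text-${color}-800`;

// Working form: every full class name is a literal the scanner can find.
const BADGE_CLASSES = Object.freeze({
  green:  'bg-green-100 text-green-800',
  yellow: 'bg-yellow-100 text-yellow-800',
  red:    'bg-red-100 text-red-800',
  gray:   'bg-gray-100 text-gray-800',
});

// Resolve a color name to its class string. hasOwnProperty guards against
// prototype keys such as "constructor" being treated as valid colors.
function badgeClass(color) {
  return Object.prototype.hasOwnProperty.call(BADGE_CLASSES, color)
    ? BADGE_CLASSES[color]
    : BADGE_CLASSES.gray;
}

// Map a score to a color name so the component never builds a class string
// from data. Thresholds are assumed for the example.
function scoreColor(score) {
  if (typeof score !== 'number' || Number.isNaN(score)) return 'gray';
  if (score >= 70) return 'green';
  if (score >= 40) return 'yellow';
  return 'red';
}

// Usage in the React component (assumed shape):
//   <span className={`rounded px-2 ${badgeClass(scoreColor(score))}`}>{score}</span>
```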

## 6. Undefined Function Call
**File:** `admin/src/components/IntelBriefModal.jsx:136`
**Problem:** Calls `loadBrief()`, but the function is named `loadAllIntel()`
**Fix:** Change to `loadAllIntel()`

## 7. Hardcoded User Email
**File:** `admin/src/components/ContractorFoundModal.jsx:15`
**Problem:** `userEmail: 'admin'` is hardcoded
**Fix:**
- Import `useAuth` from `AuthContext`
- Get the user email from the auth context

## 8. Missing description Column
**Files:** `supabase/schema.sql`, `supabase/request-contact-migration.sql`
**Problem:** Migration inserts `description`, but the column doesn't exist
**Fix:** Add a `description TEXT` column to the `sms_templates` table definition

---

## Implementation Order
1. Fix `sms_templates` schema (quick SQL fix)
2. Fix duplicate `winning_patterns` (SQL cleanup)
3. Fix SQL injection in webhooks (backend fix)
4. Fix Deepgram API exposure (backend fix)
5. Add auth middleware (backend fix)
6. Fix Tailwind classes (frontend fix)
7. Fix IntelBriefModal function (frontend fix)
8. Fix ContractorFoundModal email (frontend fix)
