Flow Docs

2026-03-30-supabase-migration-phase6-polish

5 min read

Phase 6: Polish & Optimization — Implementation Plan

For agentic workers: REQUIRED: Use superpowers:subagent-driven-development (if subagents available) or superpowers:executing-plans to implement this plan. Steps use checkbox (- [ ]) syntax for tracking.

Goal: Refine UI/UX, optimize performance, audit security, update all documentation, and achieve production-ready quality.

Architecture: No architectural changes — this phase is about hardening and polish of the Supabase-only architecture completed in Phases 1-5.

Tech Stack: Same as previous phases.

Spec: flow_docs/docs/superpowers/specs/2026-03-29-supabase-only-migration-design.md Depends on: Phases 1-5 completed.

Chunk 1: Performance Optimization

Task 1: Database query optimization

  • Step 1: Identify slow queries

Check Supabase dashboard → Performance → Query Performance for any queries > 100ms.

  • Step 2: Verify all indexes are active
-- Run in Supabase SQL Editor
SELECT schemaname, tablename, indexname, indexdef
FROM pg_indexes
WHERE schemaname = 'public'
ORDER BY tablename, indexname;

Verify all indexes from Phase 1 migration exist and are being used.

  • Step 3: Optimize N+1 queries in mobile

Review EventApiService, UserApiService, MessagingApiService for queries inside loops. Replace with batch queries using .in() filters.

  • Step 4: Add client-side caching config

Ensure TanStack Query (web) has proper staleTime and cacheTime for:

  • Event listings: 5 min stale time
  • User profiles: 10 min stale time
  • Leaderboard: 30 min stale time

Ensure Riverpod (mobile) caches loaded data and only refetches on pull-to-refresh.

  • Step 5: Commit optimizations

Chunk 2: Security Audit

Task 2: RLS policy audit

  • Step 1: Test RLS policies for data leaks

For each table with user data, verify:

  1. Unauthenticated users cannot read private data
  2. Users cannot read other users’ notifications, device_tokens, preferences
  3. Users cannot modify other users’ profiles, events, messages
  4. Admin functions (is_admin(), is_super_admin()) work correctly
  5. Edge Functions with service_role can bypass RLS as expected
  • Step 2: Test for common attack vectors
  1. Try to insert into user_badges as regular user (should fail — no INSERT policy)
  2. Try to read another user’s recommendations_cache (should fail — user_id filter)
  3. Try to delete another user’s message (should fail — sender_id check)
  4. Try to update another user’s profile (should fail — auth.uid() check)
  • Step 3: Review Edge Function input validation

Check all 7 Edge Functions for:

  • Input validation (missing fields, wrong types)

  • SQL injection prevention (Supabase client handles this, but verify)

  • Rate limiting considerations

  • Step 4: Document security findings and commit

Chunk 3: UI/UX Polish

Task 3: Mobile UI consistency pass

  • Step 1: Audit screen-by-screen

Check each major screen for:

  • Consistent use of theme colors and typography

  • Proper loading states (skeleton/shimmer, not just spinners)

  • Error states with retry actions

  • Empty states with helpful messages

  • Proper back navigation

  • Pull-to-refresh on all list screens

  • Step 2: Fix identified issues

Address the most impactful UI issues found.

  • Step 3: Commit

Task 4: Web portal consistency pass

  • Step 1: Audit admin/vendor/moderator dashboards

Check for:

  • Consistent sidebar navigation

  • Table pagination working correctly

  • Form validation with proper error messages

  • Responsive design on mobile/tablet

  • Loading and empty states

  • Step 2: Fix identified issues and commit

Chunk 4: Documentation & Cleanup

Task 5: Update CLAUDE.md files

  • Step 1: Update flow_backend CLAUDE.md

Remove references to Node.js microservices, MongoDB, Redis, Docker Compose. Update to reflect Supabase-only architecture:

  • Supabase CLI commands

  • Edge Function development workflow

  • Migration commands

  • No Docker needed

  • Step 2: Update flow_mobile CLAUDE.md

Reflect that all backend communication goes through Supabase directly. Remove any API gateway references.

  • Step 3: Update flow_docs

Update architecture documentation pages:

  • System overview → Supabase-only diagram

  • Services → Edge Functions list

  • Database schema → current table list

  • Deployment guide → Supabase deployment

  • Step 4: Commit documentation

Task 6: Archive legacy backend code

  • Step 1: Create legacy branch
cd /c/Users/elia-/Documents/flowproject/flow_backend
git checkout -b legacy/microservices
git push -u origin legacy/microservices
git checkout main
  • Step 2: Remove backend microservices (after 2-week validation period)
cd /c/Users/elia-/Documents/flowproject/flow_backend
rm -rf backend/
rm -rf ai-services/
rm docker-compose.yml
rm scripts/mongo-init.js
  • Step 3: Update .claude/launch.json

Remove all microservice server configurations, keep only:

  • Web Portal (Next.js)

  • Documentation (Docusaurus)

  • Step 4: Final commit

cd /c/Users/elia-/Documents/flowproject/flow_backend
git add -A
git commit -m "chore: remove legacy microservices (archived in legacy/microservices branch)
 
All backend logic now runs on Supabase (PostgreSQL + Edge Functions).
See: docs/superpowers/specs/2026-03-29-supabase-only-migration-design.md"

Chunk 5: Production Readiness Checklist

Task 7: Final verification

  • Step 1: Verify all success criteria from spec
- [ ] All mobile app features work with Supabase-only backend
- [ ] Web portal admin/vendor/moderator dashboards fully functional
- [ ] Chat works via Supabase Realtime (no Socket.IO)
- [ ] Push notifications delivered via Edge Function + Firebase
- [ ] Recommendations generated by SQL scoring
- [ ] Badge system awards badges based on defined criteria
- [ ] All RLS policies tested (no data leaks)
- [ ] Zero Docker dependencies for development
- [ ] API latency p95 < 200ms
- [ ] All existing tests pass + new tests for Edge Functions
- [ ] Documentation updated with new architecture
- [ ] Backend code archived in legacy/microservices branch
  • Step 2: Run full test suite
cd /c/Users/elia-/Documents/flowproject/flow_mobile
flutter test
flutter analyze
 
cd /c/Users/elia-/Documents/flowproject/flow_backend/web
npm run build
npm run lint
  • Step 3: Update spec with final status
Phase 6: Polish & Optimization — ✅ COMPLETED
MIGRATION COMPLETE — Supabase-Only Architecture Active

Summary

TaskWhatEst.
1Database & query optimization15 min
2Security audit (RLS + Edge Functions)20 min
3Mobile UI consistency pass30 min
4Web portal consistency pass20 min
5Update CLAUDE.md + documentation20 min
6Archive legacy backend code10 min
7Final verification + test suite15 min

Total: ~130 minutes

Graph View