# Phase 6: Polish & Optimization — Implementation Plan
> **For agentic workers:** REQUIRED: Use superpowers:subagent-driven-development (if subagents available) or superpowers:executing-plans to implement this plan. Steps use checkbox (`- [ ]`) syntax for tracking.
**Goal:** Refine UI/UX, optimize performance, audit security, update all documentation, and achieve production-ready quality.
**Architecture:** No architectural changes — this phase is about hardening and polish of the Supabase-only architecture completed in Phases 1-5.
**Tech Stack:** Same as previous phases.
**Spec:** `flow_docs/docs/superpowers/specs/2026-03-29-supabase-only-migration-design.md`
**Depends on:** Phases 1-5 completed.
---
## Chunk 1: Performance Optimization
### Task 1: Database query optimization
- [ ] **Step 1: Identify slow queries**
Check Supabase dashboard → Performance → Query Performance for any queries > 100ms.
- [ ] **Step 2: Verify all indexes are active**
```sql
-- Run in Supabase SQL Editor
SELECT schemaname, tablename, indexname, indexdef
FROM pg_indexes
WHERE schemaname = 'public'
ORDER BY tablename, indexname;
```
Verify all indexes from Phase 1 migration exist and are being used.
- [ ] **Step 3: Optimize N+1 queries in mobile**
Review EventApiService, UserApiService, MessagingApiService for queries inside loops. Replace with batch queries using `.in()` filters.
- [ ] **Step 4: Add client-side caching config**
Ensure TanStack Query (web) has proper `staleTime` and `cacheTime` for:
- Event listings: 5 min stale time
- User profiles: 10 min stale time
- Leaderboard: 30 min stale time
Ensure Riverpod (mobile) caches loaded data and only refetches on pull-to-refresh.
- [ ] **Step 5: Commit optimizations**
---
## Chunk 2: Security Audit
### Task 2: RLS policy audit
- [ ] **Step 1: Test RLS policies for data leaks**
For each table with user data, verify:
1. Unauthenticated users cannot read private data
2. Users cannot read other users' notifications, device_tokens, preferences
3. Users cannot modify other users' profiles, events, messages
4. Admin functions (`is_admin()`, `is_super_admin()`) work correctly
5. Edge Functions with service_role can bypass RLS as expected
- [ ] **Step 2: Test for common attack vectors**
1. Try to insert into `user_badges` as regular user (should fail — no INSERT policy)
2. Try to read another user's `recommendations_cache` (should fail — user_id filter)
3. Try to delete another user's message (should fail — sender_id check)
4. Try to update another user's profile (should fail — auth.uid() check)
- [ ] **Step 3: Review Edge Function input validation**
Check all 7 Edge Functions for:
- Input validation (missing fields, wrong types)
- SQL injection prevention (Supabase client handles this, but verify)
- Rate limiting considerations
- [ ] **Step 4: Document security findings and commit**
---
## Chunk 3: UI/UX Polish
### Task 3: Mobile UI consistency pass
- [ ] **Step 1: Audit screen-by-screen**
Check each major screen for:
- Consistent use of theme colors and typography
- Proper loading states (skeleton/shimmer, not just spinners)
- Error states with retry actions
- Empty states with helpful messages
- Proper back navigation
- Pull-to-refresh on all list screens
- [ ] **Step 2: Fix identified issues**
Address the most impactful UI issues found.
- [ ] **Step 3: Commit**
### Task 4: Web portal consistency pass
- [ ] **Step 1: Audit admin/vendor/moderator dashboards**
Check for:
- Consistent sidebar navigation
- Table pagination working correctly
- Form validation with proper error messages
- Responsive design on mobile/tablet
- Loading and empty states
- [ ] **Step 2: Fix identified issues and commit**
---
## Chunk 4: Documentation & Cleanup
### Task 5: Update CLAUDE.md files
- [ ] **Step 1: Update flow_backend CLAUDE.md**
Remove references to Node.js microservices, MongoDB, Redis, Docker Compose. Update to reflect Supabase-only architecture:
- Supabase CLI commands
- Edge Function development workflow
- Migration commands
- No Docker needed
- [ ] **Step 2: Update flow_mobile CLAUDE.md**
Reflect that all backend communication goes through Supabase directly. Remove any API gateway references.
- [ ] **Step 3: Update flow_docs**
Update architecture documentation pages:
- System overview → Supabase-only diagram
- Services → Edge Functions list
- Database schema → current table list
- Deployment guide → Supabase deployment
- [ ] **Step 4: Commit documentation**
### Task 6: Archive legacy backend code
- [ ] **Step 1: Create legacy branch**
```bash
cd /c/Users/elia-/Documents/flowproject/flow_backend
git checkout -b legacy/microservices
git push -u origin legacy/microservices
git checkout main
```
- [ ] **Step 2: Remove backend microservices (after 2-week validation period)**
```bash
cd /c/Users/elia-/Documents/flowproject/flow_backend
rm -rf backend/
rm -rf ai-services/
rm docker-compose.yml
rm scripts/mongo-init.js
```
- [ ] **Step 3: Update .claude/launch.json**
Remove all microservice server configurations, keep only:
- Web Portal (Next.js)
- Documentation (Docusaurus)
- [ ] **Step 4: Final commit**
```bash
cd /c/Users/elia-/Documents/flowproject/flow_backend
git add -A
git commit -m "chore: remove legacy microservices (archived in legacy/microservices branch)
All backend logic now runs on Supabase (PostgreSQL + Edge Functions).
See: docs/superpowers/specs/2026-03-29-supabase-only-migration-design.md"
```
---
## Chunk 5: Production Readiness Checklist
### Task 7: Final verification
- [ ] **Step 1: Verify all success criteria from spec**
```
- [ ] All mobile app features work with Supabase-only backend
- [ ] Web portal admin/vendor/moderator dashboards fully functional
- [ ] Chat works via Supabase Realtime (no Socket.IO)
- [ ] Push notifications delivered via Edge Function + Firebase
- [ ] Recommendations generated by SQL scoring
- [ ] Badge system awards badges based on defined criteria
- [ ] All RLS policies tested (no data leaks)
- [ ] Zero Docker dependencies for development
- [ ] API latency p95 < 200ms
- [ ] All existing tests pass + new tests for Edge Functions
- [ ] Documentation updated with new architecture
- [ ] Backend code archived in legacy/microservices branch
```
- [ ] **Step 2: Run full test suite**
```bash
cd /c/Users/elia-/Documents/flowproject/flow_mobile
flutter test
flutter analyze
cd /c/Users/elia-/Documents/flowproject/flow_backend/web
npm run build
npm run lint
```
- [ ] **Step 3: Update spec with final status**
```
Phase 6: Polish & Optimization — ✅ COMPLETED
MIGRATION COMPLETE — Supabase-Only Architecture Active
```
---
## Summary
| Task | What | Est. |
|------|------|------|
| 1 | Database & query optimization | 15 min |
| 2 | Security audit (RLS + Edge Functions) | 20 min |
| 3 | Mobile UI consistency pass | 30 min |
| 4 | Web portal consistency pass | 20 min |
| 5 | Update CLAUDE.md + documentation | 20 min |
| 6 | Archive legacy backend code | 10 min |
| 7 | Final verification + test suite | 15 min |
**Total: ~130 minutes**