v3: All missing features — auth callback, settings, PDF export, email (Resend), JWT auth, /api/history, SaulLM integration, extension icons, Supabase 0.10 breaking changes, Stripe v22

api/auth.py

@@ -0,0 +1,114 @@
+"""
+ClauseGuard — JWT Authentication for FastAPI
+Validates Supabase JWTs using JWKS (RS256).
+"""
+
+import os
+from functools import lru_cache
+from typing import Optional
+
+import httpx
+from fastapi import Depends, HTTPException, Header
+from jose import jwt, JWTError, jwk
+from jose.utils import base64url_decode
+
+SUPABASE_URL = os.environ.get("SUPABASE_URL", "")
+SUPABASE_JWT_SECRET = os.environ.get("SUPABASE_JWT_SECRET", "")
+
+_jwks_cache: Optional[dict] = None
+
+
+async def _get_jwks() -> dict:
+    """Fetch and cache JWKS from Supabase."""
+    global _jwks_cache
+    if _jwks_cache:
+        return _jwks_cache
+
+    if not SUPABASE_URL:
+        return {}
+
+    async with httpx.AsyncClient() as client:
+        resp = await client.get(f"{SUPABASE_URL}/auth/v1/jwks")
+        resp.raise_for_status()
+        _jwks_cache = resp.json()
+        return _jwks_cache
+
+
+def _verify_with_secret(token: str) -> dict:
+    """Verify JWT using Supabase JWT secret (HS256 fallback)."""
+    if not SUPABASE_JWT_SECRET:
+        raise HTTPException(status_code=500, detail="JWT secret not configured")
+
+    try:
+        payload = jwt.decode(
+            token,
+            SUPABASE_JWT_SECRET,
+            algorithms=["HS256"],
+            audience="authenticated",
+        )
+        return payload
+    except JWTError as e:
+        raise HTTPException(status_code=401, detail=f"Invalid token: {e}")
+
+
+async def _verify_with_jwks(token: str) -> dict:
+    """Verify JWT using JWKS endpoint (RS256)."""
+    jwks = await _get_jwks()
+    if not jwks or "keys" not in jwks:
+        return _verify_with_secret(token)
+
+    try:
+        unverified_header = jwt.get_unverified_header(token)
+        kid = unverified_header.get("kid")
+
+        key = None
+        for k in jwks["keys"]:
+            if k.get("kid") == kid:
+                key = k
+                break
+
+        if not key:
+            raise HTTPException(status_code=401, detail="Token key ID not found in JWKS")
+
+        payload = jwt.decode(
+            token,
+            key,
+            algorithms=["RS256"],
+            audience="authenticated",
+        )
+        return payload
+    except JWTError as e:
+        raise HTTPException(status_code=401, detail=f"Invalid token: {e}")
+
+
+async def get_current_user(authorization: Optional[str] = Header(None)) -> Optional[dict]:
+    """
+    Extract and validate user from Authorization header.
+    Returns None for unauthenticated requests (free tier).
+    Raises 401 for invalid tokens.
+    """
+    if not authorization:
+        return None
+
+    token = authorization.replace("Bearer ", "")
+    if not token:
+        return None
+
+    try:
+        payload = await _verify_with_jwks(token)
+        return {
+            "id": payload.get("sub"),
+            "email": payload.get("email"),
+            "role": payload.get("role", "authenticated"),
+        }
+    except HTTPException:
+        raise
+    except Exception:
+        raise HTTPException(status_code=401, detail="Authentication failed")
+
+
+async def require_auth(user: Optional[dict] = Depends(get_current_user)) -> dict:
+    """Dependency that requires a valid authenticated user."""
+    if not user:
+        raise HTTPException(status_code=401, detail="Authentication required")
+    return user

api/main.py

@@ -1,42 +1,35 @@
 """
-ClauseGuard — FastAPI Backend
-Serves clause classification via Legal-BERT ONNX model + SaulLM explanations.
-Production-ready: CORS, rate limiting, JWT auth, usage tracking.
-
-Compatible with: FastAPI 0.115+, Pydantic 2.x, Python 3.11+ (April 2026)
+ClauseGuard — FastAPI Backend (Production)
+Clause classification + explanations + history + JWT auth.
+FastAPI 0.136, Pydantic 2.13, Python 3.12 (April 2026)
 """
 
 import os
 import time
-import json
 import re
 from contextlib import asynccontextmanager
 from typing import Optional
 
+import httpx
 import numpy as np
-from fastapi import FastAPI, HTTPException, Depends, Header, Request
+from fastapi import FastAPI, HTTPException, Depends
 from fastapi.middleware.cors import CORSMiddleware
-from fastapi.responses import JSONResponse
 from pydantic import BaseModel, Field
 
+from auth import get_current_user, require_auth
+
 # ─── Config ───
 MODEL_PATH = os.environ.get("MODEL_PATH", "./clauseguard-model/final")
 ONNX_MODEL_PATH = os.environ.get("ONNX_MODEL_PATH", "./clauseguard-model-onnx")
 USE_ONNX = os.environ.get("USE_ONNX", "true").lower() == "true"
 SUPABASE_URL = os.environ.get("SUPABASE_URL", "")
-SUPABASE_KEY = os.environ.get("SUPABASE_ANON_KEY", "")
-RATE_LIMIT_FREE = int(os.environ.get("RATE_LIMIT_FREE", "10"))  # per day
-RATE_LIMIT_PRO = int(os.environ.get("RATE_LIMIT_PRO", "1000"))  # per day
+SUPABASE_SERVICE_KEY = os.environ.get("SUPABASE_SERVICE_ROLE_KEY", "")
+HF_API_TOKEN = os.environ.get("HF_API_TOKEN", "")
+SAULLM_ENDPOINT = os.environ.get("SAULLM_ENDPOINT", "")
 
 LABEL_NAMES = [
-    "Limitation of liability",
-    "Unilateral termination",
-    "Unilateral change",
-    "Content removal",
-    "Contract by using",
-    "Choice of law",
-    "Jurisdiction",
-    "Arbitration",
+    "Limitation of liability", "Unilateral termination", "Unilateral change",
+    "Content removal", "Contract by using", "Choice of law", "Jurisdiction", "Arbitration",
 ]
 
 LABEL_DESCRIPTIONS = {
@@ -44,29 +37,33 @@ LABEL_DESCRIPTIONS = {
     "Unilateral termination": "Company can terminate your account at any time without reason.",
     "Unilateral change": "Company can change terms at any time without your consent.",
     "Content removal": "Company can delete your content without notice or justification.",
-    "Contract by using": "You're bound to the contract simply by using the service — a dark pattern.",
-    "Choice of law": "Governing law may differ from your country — reducing your legal protections.",
+    "Contract by using": "You are bound to the contract simply by using the service.",
+    "Choice of law": "Governing law may differ from your country, reducing your legal protections.",
     "Jurisdiction": "Disputes must be resolved in a jurisdiction that may disadvantage you.",
-    "Arbitration": "Forces disputes to arbitration instead of court — you waive your right to sue.",
+    "Arbitration": "Forces disputes to arbitration instead of court. You waive your right to sue.",
 }
 
 SEVERITY_MAP = {
-    "Limitation of liability": "HIGH",
-    "Unilateral termination": "HIGH",
-    "Arbitration": "HIGH",
-    "Unilateral change": "MEDIUM",
-    "Content removal": "MEDIUM",
-    "Choice of law": "MEDIUM",
-    "Jurisdiction": "MEDIUM",
-    "Contract by using": "LOW",
+    "Limitation of liability": "HIGH", "Unilateral termination": "HIGH", "Arbitration": "HIGH",
+    "Unilateral change": "MEDIUM", "Content removal": "MEDIUM", "Choice of law": "MEDIUM",
+    "Jurisdiction": "MEDIUM", "Contract by using": "LOW",
 }
 
-# ─── Model Loading ───
-classifier = None
+LEGAL_BASIS = {
+    "Arbitration": "EU Directive 93/13/EEC Art. 3; CFPB arbitration rule (US).",
+    "Unilateral change": "EU Directive 93/13/EEC Annex 1(j) — unilateral alteration.",
+    "Content removal": "EU Digital Services Act Art. 17 — statement of reasons required.",
+    "Jurisdiction": "EU Regulation 1215/2012 Art. 18 — consumer domicile prevails.",
+    "Choice of law": "EU Regulation 593/2008 Art. 6 — consumer protection of habitual residence.",
+    "Limitation of liability": "EU Directive 93/13/EEC Annex 1(a) — excluding statutory rights.",
+    "Unilateral termination": "EU Directive 93/13/EEC Annex 1(f)(g) — termination without notice.",
+    "Contract by using": "EU Directive 2011/83/EU Art. 8 — active consent required.",
+}
 
+# ─── Model ───
+classifier = None
 
 def load_model():
-    """Load the ML model (ONNX preferred, PyTorch fallback)."""
     global classifier
     try:
         if USE_ONNX and os.path.exists(ONNX_MODEL_PATH):
@@ -75,103 +72,90 @@ def load_model():
             model = ORTModelForSequenceClassification.from_pretrained(ONNX_MODEL_PATH)
             tokenizer = AutoTokenizer.from_pretrained(ONNX_MODEL_PATH)
             classifier = pipeline("text-classification", model=model, tokenizer=tokenizer, top_k=None)
-            print(f"✅ Loaded ONNX model from {ONNX_MODEL_PATH}")
         elif os.path.exists(MODEL_PATH):
             from transformers import pipeline
             classifier = pipeline("text-classification", model=MODEL_PATH, top_k=None, device=-1)
-            print(f"✅ Loaded PyTorch model from {MODEL_PATH}")
-        else:
-            print("⚠️ No model found — using regex fallback")
     except Exception as e:
-        print(f"⚠️ Model load failed: {e} — using regex fallback")
-
+        print(f"Model load failed: {e}")
 
-# ─── Regex Fallback ───
-CLAUSE_PATTERNS = {
-    0: [r"not liable", r"shall not be (liable|responsible)", r"in no event.*liable",
-        r"limitation of liability", r"without warranty", r"disclaim"],
-    1: [r"terminat.*at any time", r"suspend.*account.*without",
-        r"we may (terminat|suspend|discontinu)", r"right to (terminat|suspend)"],
-    2: [r"sole discretion", r"reserves? the right to (modify|change|update|amend)",
-        r"at any time.*without (prior )?notice", r"we may (modify|change|update)"],
+# ─── Regex fallback ───
+PATTERNS = {
+    0: [r"not liable", r"shall not be (liable|responsible)", r"in no event.*liable", r"limitation of liability", r"without warranty", r"disclaim"],
+    1: [r"terminat.*at any time", r"suspend.*account.*without", r"we may (terminat|suspend|discontinu)", r"right to (terminat|suspend)"],
+    2: [r"sole discretion", r"reserves? the right to (modify|change|update|amend)", r"at any time.*without (prior )?notice", r"we may (modify|change|update)"],
     3: [r"remove.*content.*without", r"right to remove", r"we may.*remove"],
     4: [r"by (using|accessing).*you agree", r"continued use.*constitutes? acceptance"],
     5: [r"governed by.*laws? of", r"shall be governed", r"laws of the state of"],
-    6: [r"exclusive jurisdiction", r"courts? of.*(california|delaware|new york|ireland|england)",
-        r"submit to.*jurisdiction"],
+    6: [r"exclusive jurisdiction", r"courts? of.*(california|delaware|new york|ireland|england)", r"submit to.*jurisdiction"],
     7: [r"arbitrat", r"binding arbitration", r"waive.*right.*court", r"class action waiver"],
 }
 
-
-def classify_regex(text: str) -> list[dict]:
-    """Fallback: classify using regex patterns."""
+def classify_clause(text: str) -> list[dict]:
+    if classifier:
+        try:
+            preds = classifier(text, truncation=True, max_length=512)
+            items = preds[0] if isinstance(preds[0], list) else preds
+            return [
+                {"name": p["label"], "severity": SEVERITY_MAP.get(p["label"], "MEDIUM"),
+                 "description": LABEL_DESCRIPTIONS.get(p["label"], ""), "confidence": round(p["score"], 3)}
+                for p in items if p["score"] > 0.5 and p["label"] in LABEL_DESCRIPTIONS
+            ]
+        except Exception:
+            pass
+
+    # Regex fallback
     results = []
     text_lower = text.lower()
-    for label_id, patterns in CLAUSE_PATTERNS.items():
-        for pattern in patterns:
-            if re.search(pattern, text_lower):
-                name = LABEL_NAMES[label_id]
-                results.append({
-                    "id": label_id,
-                    "name": name,
-                    "severity": SEVERITY_MAP[name],
-                    "description": LABEL_DESCRIPTIONS[name],
-                    "confidence": 0.7,
-                })
+    for lid, pats in PATTERNS.items():
+        for p in pats:
+            if re.search(p, text_lower):
+                name = LABEL_NAMES[lid]
+                results.append({"name": name, "severity": SEVERITY_MAP[name],
+                                "description": LABEL_DESCRIPTIONS[name], "confidence": 0.7})
                 break
     return results
 
-
-def classify_ml(text: str) -> list[dict]:
-    """Classify using the ML model."""
-    if classifier is None:
-        return classify_regex(text)
-
-    try:
-        preds = classifier(text, truncation=True, max_length=512)
-        results = []
-        for p in preds[0] if isinstance(preds[0], list) else preds:
-            label = p["label"]
-            score = p["score"]
-            if score > 0.5 and label in LABEL_DESCRIPTIONS:
-                results.append({
-                    "id": LABEL_NAMES.index(label) if label in LABEL_NAMES else -1,
-                    "name": label,
-                    "severity": SEVERITY_MAP.get(label, "MEDIUM"),
-                    "description": LABEL_DESCRIPTIONS[label],
-                    "confidence": round(score, 3),
-                })
-        return results
-    except Exception:
-        return classify_regex(text)
-
-
-# ─── Request/Response Models ───
+# ─── Supabase helper ───
+async def supabase_insert(table: str, data: dict):
+    if not SUPABASE_URL or not SUPABASE_SERVICE_KEY:
+        return
+    async with httpx.AsyncClient() as client:
+        await client.post(
+            f"{SUPABASE_URL}/rest/v1/{table}",
+            json=data,
+            headers={"apikey": SUPABASE_SERVICE_KEY, "Authorization": f"Bearer {SUPABASE_SERVICE_KEY}",
+                      "Content-Type": "application/json", "Prefer": "return=minimal"},
+        )
+
+async def supabase_query(table: str, params: dict, headers_extra: dict = {}):
+    if not SUPABASE_URL or not SUPABASE_SERVICE_KEY:
+        return []
+    async with httpx.AsyncClient() as client:
+        resp = await client.get(
+            f"{SUPABASE_URL}/rest/v1/{table}",
+            params=params,
+            headers={"apikey": SUPABASE_SERVICE_KEY, "Authorization": f"Bearer {SUPABASE_SERVICE_KEY}", **headers_extra},
+        )
+        return resp.json() if resp.status_code == 200 else []
+
+# ─── Models ───
 class AnalyzeRequest(BaseModel):
     clauses: list[str] = Field(..., min_length=1, max_length=500)
     source_url: Optional[str] = None
 
-
-class ClauseResult(BaseModel):
-    text: str
-    categories: list[dict]
-
-
 class AnalyzeResponse(BaseModel):
     risk_score: int
     grade: str
     total_clauses: int
     flagged_count: int
-    results: list[ClauseResult]
-    model: str  # "ml" or "regex"
+    results: list[dict]
+    model: str
     latency_ms: int
 
-
 class ExplainRequest(BaseModel):
     clause: str = Field(..., min_length=10, max_length=2000)
     category: str
 
-
 class ExplainResponse(BaseModel):
     clause: str
     category: str
@@ -179,109 +163,101 @@ class ExplainResponse(BaseModel):
     legal_basis: str
     recommendation: str
 
-
 # ─── App ───
 @asynccontextmanager
 async def lifespan(app: FastAPI):
     load_model()
     yield
 
-app = FastAPI(
-    title="ClauseGuard API",
-    description="AI-powered unfair clause detection in Terms of Service, contracts, and legal documents.",
-    version="1.0.0",
-    lifespan=lifespan,
-)
+app = FastAPI(title="ClauseGuard API", version="1.0.0", lifespan=lifespan)
 
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=[
-        "https://clauseguard.com",
-        "https://app.clauseguard.com",
-        "chrome-extension://*",
-        "http://localhost:3000",  # dev
-    ],
-    allow_credentials=True,
-    allow_methods=["GET", "POST", "OPTIONS"],
-    allow_headers=["*"],
+    allow_origins=["https://clauseguard.com", "https://app.clauseguard.com", "chrome-extension://*", "http://localhost:3000"],
+    allow_credentials=True, allow_methods=["*"], allow_headers=["*"],
 )
 
-
-# ─── Routes ───
 @app.get("/health")
 async def health():
-    return {"status": "ok", "model_loaded": classifier is not None}
-
+    return {"status": "ok", "model": "ml" if classifier else "regex"}
 
 @app.post("/api/analyze", response_model=AnalyzeResponse)
-async def analyze(req: AnalyzeRequest):
+async def analyze(req: AnalyzeRequest, user: Optional[dict] = Depends(get_current_user)):
     start = time.time()
 
-    results = []
-    for clause in req.clauses:
-        categories = classify_ml(clause) if classifier else classify_regex(clause)
-        results.append(ClauseResult(text=clause, categories=categories))
+    results = [{"text": c, "categories": classify_clause(c)} for c in req.clauses]
+    flagged = [r for r in results if r["categories"]]
 
-    flagged = [r for r in results if len(r.categories) > 0]
-    sev_counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
+    sev = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
     for r in flagged:
-        for c in r.categories:
-            sev_counts[c.get("severity", "LOW")] += 1
+        for c in r["categories"]:
+            sev[c.get("severity", "LOW")] += 1
 
     total = len(req.clauses)
-    risk_score = min(100, int(
-        (sev_counts["HIGH"] * 20 + sev_counts["MEDIUM"] * 10 + sev_counts["LOW"] * 5)
-        / max(1, total) * 100
-    ))
-
-    if risk_score >= 60:
-        grade = "F"
-    elif risk_score >= 40:
-        grade = "D"
-    elif risk_score >= 20:
-        grade = "C"
-    elif risk_score >= 10:
-        grade = "B"
-    else:
-        grade = "A"
-
+    risk = min(100, round((sev["HIGH"] * 20 + sev["MEDIUM"] * 10 + sev["LOW"] * 5) / max(1, total) * 100))
+    grade = "F" if risk >= 60 else "D" if risk >= 40 else "C" if risk >= 20 else "B" if risk >= 10 else "A"
     latency = int((time.time() - start) * 1000)
 
-    return AnalyzeResponse(
-        risk_score=risk_score,
-        grade=grade,
-        total_clauses=total,
-        flagged_count=len(flagged),
-        results=results,
-        model="ml" if classifier else "regex",
-        latency_ms=latency,
-    )
+    # Save to DB if authenticated
+    if user:
+        await supabase_insert("analyses", {
+            "user_id": user["id"], "source_url": req.source_url, "total_clauses": total,
+            "flagged_count": len(flagged), "risk_score": risk, "grade": grade, "clauses": results,
+        })
 
+    return AnalyzeResponse(risk_score=risk, grade=grade, total_clauses=total,
+                           flagged_count=len(flagged), results=results,
+                           model="ml" if classifier else "regex", latency_ms=latency)
 
 @app.post("/api/explain", response_model=ExplainResponse)
-async def explain(req: ExplainRequest):
-    """Explain why a clause is unfair (premium feature — placeholder for SaulLM integration)."""
+async def explain(req: ExplainRequest, user: dict = Depends(require_auth)):
     desc = LABEL_DESCRIPTIONS.get(req.category, "Unknown category.")
-
-    legal_basis_map = {
-        "Arbitration": "EU Directive 93/13/EEC, Art. 3 — unfair terms in consumer contracts; CFPB arbitration rule (US).",
-        "Unilateral change": "EU Directive 93/13/EEC, Annex 1(j) — terms enabling unilateral alteration.",
-        "Content removal": "EU Digital Services Act (DSA), Art. 17 — statement of reasons required for content moderation.",
-        "Jurisdiction": "EU Regulation 1215/2012 (Brussels I), Art. 18 — consumer's domicile prevails.",
-        "Choice of law": "EU Regulation 593/2008 (Rome I), Art. 6 — consumer protection of habitual residence.",
-        "Limitation of liability": "EU Directive 93/13/EEC, Annex 1(a) — excluding statutory rights is unfair.",
-        "Unilateral termination": "EU Directive 93/13/EEC, Annex 1(f)(g) — termination without reasonable notice.",
-        "Contract by using": "EU Directive 2011/83/EU, Art. 8 — active consent required, not passive acceptance.",
-    }
-
-    return ExplainResponse(
-        clause=req.clause,
-        category=req.category,
-        explanation=desc,
-        legal_basis=legal_basis_map.get(req.category, "Consult local consumer protection laws."),
-        recommendation="Consider negotiating this clause or seeking legal advice before agreeing.",
-    )
-
+    legal = LEGAL_BASIS.get(req.category, "Consult local consumer protection laws.")
+    recommendation = "Review this clause carefully. Consider negotiating or seeking legal advice before agreeing."
+
+    # Try SaulLM-7B if endpoint configured
+    if SAULLM_ENDPOINT and HF_API_TOKEN:
+        try:
+            prompt = f"""You are a consumer protection legal analyst. Analyze this clause and explain why it may be unfair.
+
+Clause: "{req.clause}"
+Category: {req.category}
+
+Provide:
+1. A plain-English explanation of why this is problematic
+2. The specific legal basis (EU/US consumer protection law)
+3. A practical recommendation for the consumer
+
+Be concise. 3-4 sentences maximum per section."""
+
+            async with httpx.AsyncClient(timeout=30.0) as client:
+                resp = await client.post(
+                    SAULLM_ENDPOINT,
+                    json={"inputs": prompt, "parameters": {"max_new_tokens": 300, "temperature": 0.3}},
+                    headers={"Authorization": f"Bearer {HF_API_TOKEN}"},
+                )
+                if resp.status_code == 200:
+                    output = resp.json()
+                    generated = output[0]["generated_text"] if isinstance(output, list) else output.get("generated_text", "")
+                    if generated and len(generated) > 50:
+                        parts = generated.split("\n\n")
+                        desc = parts[0] if len(parts) > 0 else desc
+                        legal = parts[1] if len(parts) > 1 else legal
+                        recommendation = parts[2] if len(parts) > 2 else recommendation
+        except Exception:
+            pass  # Fall back to static responses
+
+    return ExplainResponse(clause=req.clause, category=req.category,
+                           explanation=desc, legal_basis=legal, recommendation=recommendation)
+
+@app.get("/api/history")
+async def history(user: dict = Depends(require_auth), limit: int = 20, offset: int = 0):
+    limit = min(limit, 100)
+    data = await supabase_query("analyses", {
+        "user_id": f"eq.{user['id']}", "select": "*",
+        "order": "created_at.desc", "limit": str(limit), "offset": str(offset),
+    })
+    return {"analyses": data, "limit": limit, "offset": offset}
 
 if __name__ == "__main__":
     import uvicorn

web/.env.example

@@ -1,14 +1,22 @@
 # Supabase
 NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
-NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
-SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
+NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=eyJ...
+SUPABASE_SERVICE_ROLE_KEY=eyJ...
+SUPABASE_JWT_SECRET=your-jwt-secret
 
-# Stripe
-STRIPE_SECRET_KEY=sk_test_...
+# Stripe (v22 — no apiVersion needed)
+STRIPE_SECRET_KEY=sk_live_...
 STRIPE_WEBHOOK_SECRET=whsec_...
 STRIPE_PRO_PRICE_ID=price_...
 STRIPE_TEAM_PRICE_ID=price_...
 
+# Resend
+RESEND_API_KEY=re_...
+
 # App
-NEXT_PUBLIC_APP_URL=http://localhost:3000
+NEXT_PUBLIC_SITE_URL=https://clauseguard.com
 CLAUSEGUARD_API_URL=http://localhost:8000
+
+# ML (optional — for SaulLM explain feature)
+HF_API_TOKEN=hf_...
+SAULLM_ENDPOINT=https://your-endpoint.endpoints.huggingface.cloud

web/app/api/emails/scan-report/route.ts

@@ -0,0 +1,59 @@
+import { NextRequest, NextResponse } from "next/server";
+import { Resend } from "resend";
+
+const resend = new Resend(process.env.RESEND_API_KEY);
+
+export async function POST(req: NextRequest) {
+  try {
+    const { email, risk_score, grade, flagged_count, total_clauses, source_url } = await req.json();
+
+    if (!email) {
+      return NextResponse.json({ error: "Email required" }, { status: 400 });
+    }
+
+    const gradeColor = grade === "F" || grade === "D" ? "#b91c1c" : grade === "C" ? "#a16207" : "#15803d";
+    const gradeBg = grade === "F" || grade === "D" ? "#fef2f2" : grade === "C" ? "#fffbeb" : "#f0fdf4";
+
+    const { data, error } = await resend.emails.send({
+      from: "ClauseGuard <reports@clauseguard.com>",
+      to: [email],
+      subject: `Scan complete — Grade ${grade} (${risk_score}/100 risk)`,
+      html: `
+        <div style="font-family:system-ui,sans-serif;max-width:480px;margin:0 auto;padding:40px 20px;">
+          <p style="font-size:12px;color:#a1a1aa;margin:0 0 8px;">ClauseGuard Scan Report</p>
+          <h1 style="font-size:20px;font-weight:600;color:#18181b;margin:0 0 20px;">
+            ${source_url ? new URL(source_url).hostname : "Document"} — Risk ${risk_score}/100
+          </h1>
+
+          <div style="display:flex;gap:12px;margin-bottom:24px;">
+            <div style="background:${gradeBg};color:${gradeColor};padding:12px 20px;border-radius:8px;text-align:center;flex:1;">
+              <div style="font-size:24px;font-weight:700;">Grade ${grade}</div>
+            </div>
+            <div style="background:#f4f4f5;padding:12px 20px;border-radius:8px;text-align:center;flex:1;">
+              <div style="font-size:24px;font-weight:700;">${flagged_count}</div>
+              <div style="font-size:11px;color:#71717a;">of ${total_clauses} flagged</div>
+            </div>
+          </div>
+
+          <a href="https://clauseguard.com/dashboard-pages/dashboard"
+             style="display:inline-block;background:#18181b;color:#fff;padding:10px 20px;border-radius:6px;text-decoration:none;font-size:14px;font-weight:500;">
+            View full report
+          </a>
+
+          <p style="font-size:12px;color:#a1a1aa;margin-top:32px;border-top:1px solid #f4f4f5;padding-top:16px;">
+            clauseguard.com — Not legal advice.
+          </p>
+        </div>
+      `,
+    });
+
+    if (error) {
+      return NextResponse.json({ error: error.message }, { status: 500 });
+    }
+
+    return NextResponse.json({ id: data?.id });
+  } catch (error) {
+    console.error("Email error:", error);
+    return NextResponse.json({ error: "Failed to send email" }, { status: 500 });
+  }
+}

web/app/api/emails/welcome/route.ts

@@ -0,0 +1,49 @@
+import { NextRequest, NextResponse } from "next/server";
+import { Resend } from "resend";
+
+const resend = new Resend(process.env.RESEND_API_KEY);
+
+export async function POST(req: NextRequest) {
+  try {
+    const { email, name } = await req.json();
+
+    if (!email) {
+      return NextResponse.json({ error: "Email required" }, { status: 400 });
+    }
+
+    const { data, error } = await resend.emails.send({
+      from: "ClauseGuard <welcome@clauseguard.com>",
+      to: [email],
+      subject: "Welcome to ClauseGuard",
+      html: `
+        <div style="font-family:system-ui,sans-serif;max-width:480px;margin:0 auto;padding:40px 20px;">
+          <h1 style="font-size:20px;font-weight:600;color:#18181b;margin:0 0 16px;">Welcome to ClauseGuard${name ? `, ${name}` : ""}</h1>
+          <p style="font-size:14px;color:#52525b;line-height:1.6;margin:0 0 24px;">
+            You now have a tool that reads the fine print for you. Here is what you can do:
+          </p>
+          <ul style="font-size:14px;color:#52525b;line-height:1.8;padding-left:20px;margin:0 0 24px;">
+            <li>Install the Chrome extension to scan pages as you browse</li>
+            <li>Use the web scanner to paste and analyze any document</li>
+            <li>Get a risk score and grade for every Terms of Service you encounter</li>
+          </ul>
+          <a href="https://clauseguard.com/dashboard-pages/analyze" 
+             style="display:inline-block;background:#18181b;color:#fff;padding:10px 20px;border-radius:6px;text-decoration:none;font-size:14px;font-weight:500;">
+            Scan your first document
+          </a>
+          <p style="font-size:12px;color:#a1a1aa;margin-top:32px;border-top:1px solid #f4f4f5;padding-top:16px;">
+            You are receiving this because you signed up at clauseguard.com.
+          </p>
+        </div>
+      `,
+    });
+
+    if (error) {
+      return NextResponse.json({ error: error.message }, { status: 500 });
+    }
+
+    return NextResponse.json({ id: data?.id });
+  } catch (error) {
+    console.error("Email error:", error);
+    return NextResponse.json({ error: "Failed to send email" }, { status: 500 });
+  }
+}

web/app/api/history/route.ts

@@ -0,0 +1,33 @@
+import { NextRequest, NextResponse } from "next/server";
+import { createClient } from "@/lib/supabase/server";
+
+export async function GET(req: NextRequest) {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+
+  if (!user) {
+    return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+  }
+
+  const url = new URL(req.url);
+  const limit = Math.min(parseInt(url.searchParams.get("limit") || "20"), 100);
+  const offset = parseInt(url.searchParams.get("offset") || "0");
+
+  const { data: analyses, count, error } = await supabase
+    .from("analyses")
+    .select("*", { count: "exact" })
+    .eq("user_id", user.id)
+    .order("created_at", { ascending: false })
+    .range(offset, offset + limit - 1);
+
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 });
+  }
+
+  return NextResponse.json({
+    analyses: analyses || [],
+    total: count || 0,
+    limit,
+    offset,
+  });
+}

web/app/api/pdf/report/route.ts

@@ -0,0 +1,106 @@
+import { NextRequest, NextResponse } from "next/server";
+import { Document, Page, Text, View, StyleSheet, pdf } from "@react-pdf/renderer";
+import React from "react";
+
+export const runtime = "nodejs";
+
+const styles = StyleSheet.create({
+  page: { padding: 40, fontFamily: "Helvetica", fontSize: 11, color: "#27272a" },
+  header: { marginBottom: 24 },
+  title: { fontSize: 22, fontWeight: "bold", marginBottom: 4 },
+  subtitle: { fontSize: 11, color: "#71717a" },
+  divider: { borderBottomWidth: 1, borderBottomColor: "#e4e4e7", marginVertical: 16 },
+  scoreRow: { flexDirection: "row", justifyContent: "space-between", alignItems: "center", marginBottom: 16 },
+  scoreLabel: { fontSize: 10, color: "#a1a1aa" },
+  scoreValue: { fontSize: 28, fontWeight: "bold" },
+  gradeTag: { fontSize: 12, fontWeight: "bold", padding: "4 12", borderRadius: 4 },
+  clauseCard: { marginBottom: 12, padding: 12, borderWidth: 1, borderColor: "#e4e4e7", borderRadius: 6 },
+  clauseText: { fontSize: 10, color: "#3f3f46", lineHeight: 1.5, marginBottom: 6 },
+  tag: { fontSize: 9, fontWeight: "bold", padding: "2 8", borderRadius: 3, marginRight: 4 },
+  tagHigh: { backgroundColor: "#fef2f2", color: "#b91c1c" },
+  tagMedium: { backgroundColor: "#fffbeb", color: "#a16207" },
+  tagLow: { backgroundColor: "#eff6ff", color: "#1d4ed8" },
+  footer: { position: "absolute", bottom: 30, left: 40, right: 40, fontSize: 8, color: "#a1a1aa", textAlign: "center" },
+});
+
+interface Clause { text: string; categories: { name: string; severity: string }[]; }
+interface ReportData { risk_score: number; grade: string; total_clauses: number; flagged_count: number; results: Clause[]; source_url?: string; }
+
+function ClauseReport({ data }: { data: ReportData }) {
+  const flagged = data.results.filter((r) => r.categories.length > 0);
+  const gradeColor = data.grade === "F" || data.grade === "D" ? "#b91c1c" : data.grade === "C" ? "#a16207" : "#15803d";
+  const gradeBg = data.grade === "F" || data.grade === "D" ? "#fef2f2" : data.grade === "C" ? "#fffbeb" : "#f0fdf4";
+
+  return (
+    <Document>
+      <Page size="A4" style={styles.page}>
+        <View style={styles.header}>
+          <Text style={styles.title}>ClauseGuard Report</Text>
+          <Text style={styles.subtitle}>
+            {data.source_url || "Manual scan"} — {new Date().toLocaleDateString()}
+          </Text>
+        </View>
+
+        <View style={styles.scoreRow}>
+          <View>
+            <Text style={styles.scoreLabel}>RISK SCORE</Text>
+            <Text style={styles.scoreValue}>{data.risk_score}/100</Text>
+          </View>
+          <Text style={[styles.gradeTag, { backgroundColor: gradeBg, color: gradeColor }]}>
+            Grade {data.grade}
+          </Text>
+        </View>
+
+        <Text style={styles.subtitle}>
+          {data.total_clauses} clauses scanned — {data.flagged_count} flagged
+        </Text>
+
+        <View style={styles.divider} />
+
+        {flagged.map((clause, i) => (
+          <View key={i} style={styles.clauseCard}>
+            <Text style={styles.clauseText}>{clause.text.substring(0, 300)}</Text>
+            <View style={{ flexDirection: "row", flexWrap: "wrap" }}>
+              {clause.categories.map((cat, j) => {
+                const tagStyle = cat.severity === "HIGH" ? styles.tagHigh : cat.severity === "MEDIUM" ? styles.tagMedium : styles.tagLow;
+                return (
+                  <Text key={j} style={[styles.tag, tagStyle]}>
+                    {cat.name}
+                  </Text>
+                );
+              })}
+            </View>
+          </View>
+        ))}
+
+        <Text style={styles.footer}>
+          Generated by ClauseGuard — clauseguard.com — Not legal advice
+        </Text>
+      </Page>
+    </Document>
+  );
+}
+
+export async function POST(req: NextRequest) {
+  try {
+    const data: ReportData = await req.json();
+
+    const instance = pdf(React.createElement(ClauseReport, { data }));
+    const buffer = await instance.toBuffer();
+
+    const chunks: Uint8Array[] = [];
+    for await (const chunk of buffer as any) {
+      chunks.push(chunk instanceof Uint8Array ? chunk : new Uint8Array(chunk));
+    }
+
+    return new Response(Buffer.concat(chunks), {
+      headers: {
+        "Content-Type": "application/pdf",
+        "Content-Disposition": `attachment; filename="clauseguard-report-${Date.now()}.pdf"`,
+      },
+    });
+  } catch (error) {
+    console.error("PDF generation error:", error);
+    return NextResponse.json({ error: "PDF generation failed" }, { status: 500 });
+  }
+}

web/app/api/stripe/checkout/route.ts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
-import { stripe, PLANS } from "@/lib/stripe";
+import { getStripe, PLANS } from "@/lib/stripe";
 import { createClient } from "@/lib/supabase/server";
 
 export async function POST(req: NextRequest) {
@@ -22,7 +22,8 @@ export async function POST(req: NextRequest) {
       return NextResponse.json({ error: "Price not configured" }, { status: 500 });
     }
 
-    // Get or create Stripe customer
+    const stripe = getStripe();
+
     const { data: profile } = await supabase
       .from("profiles")
       .select("stripe_customer_id")
@@ -37,24 +38,17 @@ export async function POST(req: NextRequest) {
         metadata: { supabase_user_id: user.id },
       });
       customerId = customer.id;
-
-      await supabase
-        .from("profiles")
-        .update({ stripe_customer_id: customerId })
-        .eq("id", user.id);
+      await supabase.from("profiles").update({ stripe_customer_id: customerId }).eq("id", user.id);
     }
 
-    // Create checkout session
     const session = await stripe.checkout.sessions.create({
       customer: customerId,
       mode: "subscription",
       payment_method_types: ["card"],
       line_items: [{ price: priceId, quantity: 1 }],
-      success_url: `${process.env.NEXT_PUBLIC_APP_URL}/dashboard-pages/dashboard?session_id={CHECKOUT_SESSION_ID}`,
-      cancel_url: `${process.env.NEXT_PUBLIC_APP_URL}/pricing`,
-      subscription_data: {
-        metadata: { supabase_user_id: user.id, plan },
-      },
+      success_url: `${process.env.NEXT_PUBLIC_SITE_URL}/dashboard-pages/dashboard?session_id={CHECKOUT_SESSION_ID}`,
+      cancel_url: `${process.env.NEXT_PUBLIC_SITE_URL}/pricing`,
+      subscription_data: { metadata: { supabase_user_id: user.id, plan } },
     });
 
     return NextResponse.json({ url: session.url });

web/app/api/stripe/webhook/route.ts

@@ -1,66 +1,78 @@
 import { NextRequest, NextResponse } from "next/server";
-import { stripe } from "@/lib/stripe";
+import { getStripe } from "@/lib/stripe";
 import { createClient } from "@supabase/supabase-js";
+import { Resend } from "resend";
 
-// Use service role for webhook (no user context)
 const supabase = createClient(
   process.env.NEXT_PUBLIC_SUPABASE_URL!,
   process.env.SUPABASE_SERVICE_ROLE_KEY!
 );
 
+const resend = process.env.RESEND_API_KEY ? new Resend(process.env.RESEND_API_KEY) : null;
+
 export async function POST(req: NextRequest) {
   const body = await req.text();
   const sig = req.headers.get("stripe-signature")!;
+  const stripe = getStripe();
 
   let event;
   try {
     event = stripe.webhooks.constructEvent(body, sig, process.env.STRIPE_WEBHOOK_SECRET!);
-  } catch (err) {
-    console.error("Webhook signature verification failed:", err);
+  } catch {
     return NextResponse.json({ error: "Invalid signature" }, { status: 400 });
   }
 
   switch (event.type) {
     case "customer.subscription.created":
     case "customer.subscription.updated": {
-      const subscription = event.data.object as any;
-      const customerId = subscription.customer as string;
-      const plan = subscription.metadata?.plan || "pro";
-      const status = subscription.status;
+      const sub = event.data.object as any;
+      const plan = sub.metadata?.plan || "pro";
 
-      if (status === "active" || status === "trialing") {
-        await supabase
+      if (sub.status === "active" || sub.status === "trialing") {
+        const { data } = await supabase
           .from("profiles")
-          .update({
-            plan,
-            stripe_subscription_id: subscription.id,
-            updated_at: new Date().toISOString(),
-          })
-          .eq("stripe_customer_id", customerId);
+          .update({ plan, stripe_subscription_id: sub.id, updated_at: new Date().toISOString() })
+          .eq("stripe_customer_id", sub.customer)
+          .select("email")
+          .single();
+
+        if (data?.email && resend && event.type === "customer.subscription.created") {
+          await resend.emails.send({
+            from: "ClauseGuard <noreply@clauseguard.com>",
+            to: [data.email],
+            subject: `Welcome to ClauseGuard ${plan.charAt(0).toUpperCase() + plan.slice(1)}`,
+            html: `<p>Your ${plan} subscription is active. You now have unlimited scans.</p><p><a href="https://clauseguard.com/dashboard-pages/dashboard">Go to dashboard</a></p>`,
+          });
+        }
       }
       break;
     }
 
     case "customer.subscription.deleted": {
-      const subscription = event.data.object as any;
-      const customerId = subscription.customer as string;
-
+      const sub = event.data.object as any;
       await supabase
         .from("profiles")
-        .update({
-          plan: "free",
-          stripe_subscription_id: null,
-          updated_at: new Date().toISOString(),
-        })
-        .eq("stripe_customer_id", customerId);
+        .update({ plan: "free", stripe_subscription_id: null, updated_at: new Date().toISOString() })
+        .eq("stripe_customer_id", sub.customer);
       break;
     }
 
     case "invoice.payment_failed": {
       const invoice = event.data.object as any;
-      const customerId = invoice.customer as string;
-      console.warn(`Payment failed for customer ${customerId}`);
-      // Could send email notification here
+      const { data } = await supabase
+        .from("profiles")
+        .select("email")
+        .eq("stripe_customer_id", invoice.customer)
+        .single();
+
+      if (data?.email && resend) {
+        await resend.emails.send({
+          from: "ClauseGuard <noreply@clauseguard.com>",
+          to: [data.email],
+          subject: "Payment failed — action needed",
+          html: "<p>Your latest payment failed. Please update your payment method to keep your subscription active.</p>",
+        });
+      }
       break;
     }
   }

web/app/auth/callback/route.ts

@@ -0,0 +1,20 @@
+import { createClient } from "@/lib/supabase/server";
+import { NextResponse } from "next/server";
+
+export async function GET(request: Request) {
+  const requestUrl = new URL(request.url);
+  const code = requestUrl.searchParams.get("code");
+  const next = requestUrl.searchParams.get("next") ?? "/dashboard-pages/dashboard";
+  const origin = requestUrl.origin;
+
+  if (code) {
+    const supabase = await createClient();
+    const { error } = await supabase.auth.exchangeCodeForSession(code);
+
+    if (!error) {
+      return NextResponse.redirect(`${origin}${next}`);
+    }
+  }
+
+  return NextResponse.redirect(`${origin}/auth/login?error=callback_failed`);
+}

web/app/dashboard-pages/settings/page.tsx

@@ -0,0 +1,119 @@
+import { createClient } from "@/lib/supabase/server";
+import { getStripe } from "@/lib/stripe";
+import { redirect } from "next/navigation";
+import Link from "next/link";
+
+async function createBillingPortal(formData: FormData) {
+  "use server";
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) redirect("/auth/login");
+
+  const { data: profile } = await supabase.from("profiles").select("stripe_customer_id").eq("id", user.id).single();
+  if (!profile?.stripe_customer_id) redirect("/pricing");
+
+  const stripe = getStripe();
+  const { url } = await stripe.billingPortal.sessions.create({
+    customer: profile.stripe_customer_id,
+    return_url: `${process.env.NEXT_PUBLIC_SITE_URL}/dashboard-pages/settings`,
+  });
+  redirect(url!);
+}
+
+async function handleSignOut() {
+  "use server";
+  const supabase = await createClient();
+  await supabase.auth.signOut();
+  redirect("/");
+}
+
+export default async function SettingsPage() {
+  const supabase = await createClient();
+  const { data: { user } } = await supabase.auth.getUser();
+
+  const { data: profile } = await supabase
+    .from("profiles")
+    .select("*")
+    .eq("id", user?.id)
+    .single();
+
+  const plan = profile?.plan || "free";
+  const used = profile?.analyses_this_month || 0;
+  const limit = plan === "free" ? 10 : "Unlimited";
+
+  return (
+    <div className="min-h-screen bg-white">
+      <div className="max-w-2xl mx-auto px-6 py-12">
+        <div className="mb-8">
+          <Link href="/dashboard-pages/dashboard" className="text-sm text-zinc-400 hover:text-zinc-600">← Dashboard</Link>
+          <h1 className="mt-4 text-2xl font-semibold">Settings</h1>
+        </div>
+
+        {/* Account */}
+        <section className="mb-10">
+          <h2 className="text-sm font-medium text-zinc-500 uppercase tracking-wide mb-4">Account</h2>
+          <div className="border border-zinc-200 rounded-lg divide-y divide-zinc-100">
+            <div className="px-5 py-4 flex justify-between items-center">
+              <div>
+                <p className="text-sm font-medium">Email</p>
+                <p className="text-sm text-zinc-500">{user?.email}</p>
+              </div>
+            </div>
+            <div className="px-5 py-4 flex justify-between items-center">
+              <div>
+                <p className="text-sm font-medium">Name</p>
+                <p className="text-sm text-zinc-500">{profile?.full_name || "Not set"}</p>
+              </div>
+            </div>
+            <div className="px-5 py-4 flex justify-between items-center">
+              <div>
+                <p className="text-sm font-medium">User ID</p>
+                <p className="text-sm text-zinc-400 font-mono text-xs">{user?.id}</p>
+              </div>
+            </div>
+          </div>
+        </section>
+
+        {/* Subscription */}
+        <section className="mb-10">
+          <h2 className="text-sm font-medium text-zinc-500 uppercase tracking-wide mb-4">Subscription</h2>
+          <div className="border border-zinc-200 rounded-lg divide-y divide-zinc-100">
+            <div className="px-5 py-4 flex justify-between items-center">
+              <div>
+                <p className="text-sm font-medium">Plan</p>
+                <p className="text-sm text-zinc-500 capitalize">{plan}</p>
+              </div>
+              {plan === "free" ? (
+                <Link href="/#pricing" className="text-sm text-zinc-900 font-medium border border-zinc-200 px-3 py-1.5 rounded-md hover:bg-zinc-50">
+                  Upgrade
+                </Link>
+              ) : (
+                <form action={createBillingPortal}>
+                  <button type="submit" className="text-sm text-zinc-900 font-medium border border-zinc-200 px-3 py-1.5 rounded-md hover:bg-zinc-50">
+                    Manage billing
+                  </button>
+                </form>
+              )}
+            </div>
+            <div className="px-5 py-4 flex justify-between items-center">
+              <div>
+                <p className="text-sm font-medium">Usage this month</p>
+                <p className="text-sm text-zinc-500">{used} / {limit} scans</p>
+              </div>
+            </div>
+          </div>
+        </section>
+
+        {/* Danger zone */}
+        <section>
+          <h2 className="text-sm font-medium text-zinc-500 uppercase tracking-wide mb-4">Session</h2>
+          <form action={handleSignOut}>
+            <button type="submit" className="text-sm text-red-600 font-medium border border-red-200 px-4 py-2 rounded-md hover:bg-red-50">
+              Sign out
+            </button>
+          </form>
+        </section>
+      </div>
+    </div>
+  );
+}

web/lib/stripe.ts

@@ -1,9 +1,13 @@
 import Stripe from "stripe";
 
-export const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
-  apiVersion: "2026-03-25.dahlia",
-  typescript: true,
-});
+let _stripe: Stripe | null = null;
+
+export function getStripe(): Stripe {
+  if (!_stripe) {
+    _stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
+  }
+  return _stripe;
+}
 
 export const PLANS = {
   free: {

web/lib/supabase/client.ts

@@ -3,6 +3,6 @@ import { createBrowserClient } from "@supabase/ssr";
 export function createClient() {
   return createBrowserClient(
     process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
+    process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!
   );
 }

web/lib/supabase/server.ts

@@ -6,7 +6,7 @@ export async function createClient() {
 
   return createServerClient(
     process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!,
     {
       cookies: {
         getAll() {
@@ -18,7 +18,7 @@ export async function createClient() {
               cookieStore.set(name, value, options)
             );
           } catch {
-            // Server Component — can't set cookies, ignore
+            // Server Component context — middleware handles refresh
           }
         },
       },

web/middleware.ts

@@ -1,12 +1,12 @@
-import { NextResponse, type NextRequest } from "next/server";
 import { createServerClient } from "@supabase/ssr";
+import { NextResponse, type NextRequest } from "next/server";
 
 export async function middleware(request: NextRequest) {
   let supabaseResponse = NextResponse.next({ request });
 
   const supabase = createServerClient(
     process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY!,
     {
       cookies: {
         getAll() {
@@ -23,17 +23,18 @@ export async function middleware(request: NextRequest) {
     }
   );
 
-  const { data: { user } } = await supabase.auth.getUser();
+  const { data } = await supabase.auth.getClaims();
+  const user = data?.claims;
 
-  // Protect dashboard routes
+  // Protect dashboard
   if (request.nextUrl.pathname.startsWith("/dashboard-pages") && !user) {
     const url = request.nextUrl.clone();
     url.pathname = "/auth/login";
-    url.searchParams.set("redirect", request.nextUrl.pathname);
+    url.searchParams.set("next", request.nextUrl.pathname);
     return NextResponse.redirect(url);
   }
 
-  // Redirect logged-in users away from auth pages
+  // Redirect logged-in away from auth pages (except callback)
   if (request.nextUrl.pathname.startsWith("/auth/") && user) {
     if (!request.nextUrl.pathname.includes("callback")) {
       return NextResponse.redirect(new URL("/dashboard-pages/dashboard", request.url));

web/next.config.ts

@@ -10,6 +10,7 @@ const nextConfig: NextConfig = {
   },
   experimental: {
     serverActions: { bodySizeLimit: "2mb" },
+    serverComponentsExternalPackages: ["@react-pdf/renderer"],
   },
 };
 

web/package.json

@@ -15,6 +15,9 @@
     "@supabase/supabase-js": "2.104.0",
     "@supabase/ssr": "0.10.2",
     "stripe": "22.0.2",
+    "resend": "6.12.2",
+    "@react-pdf/renderer": "4.5.1",
+    "jose": "6.2.2",
     "lucide-react": "0.474.0",
     "clsx": "2.1.1",
     "tailwind-merge": "3.0.0"