Work log: Authexis — March 5, 2026

What shipped today

The big story today was the first live prospect demo with Roland Zuehlke from Perform International — and the cascade of production issues it surfaced. Roland sat next to Paul testing the app, which meant every friction point became immediately visible and urgent.

Magic link authentication was completely broken in production. Three separate issues stacked on top of each other: (1) NEXT_PUBLIC_SITE_URL was baked at build time by Next.js with the local dev value http://localhost:3000, so all magic links pointed to localhost. Fixed by adding a runtime SITE_URL env var that server actions check first. (2) The Supabase dashboard Site URL kept reverting to localhost — turned out to be a persistence issue in the Supabase UI, not anything in our code. (3) The /auth/confirm route only handled the legacy token_hash flow, not the PKCE code exchange that @supabase/ssr uses by default. Magic links would verify successfully at Supabase but then fail silently at our confirm endpoint, dumping users back to login. Added PKCE code exchange support and the flow finally worked end to end.

Briefing article links required login. When Roland clicked article links in his briefing email, they went through the click tracker to in-app article pages — which required authentication. Fixed the click tracker to allow any https URL redirect, and changed notifications.py to use the original source URL instead of the in-app article page. Briefing links now go directly to the external article.

Cold outbound email system shipped. Built the complete 4-email drip: voice analysis prompt, curated briefing template, content ideas template, and interview script email. Key design decisions: email 4 delivers only 3 questions (not the full 10 — cold email, not intake form), casual title references signal confidence, and the AI/human split framing explains why we stop at the interview. Fixed a root-cause attribution bug where interview questions used “You mention” / “You say” phrases — the prospect hasn’t said anything to us, so questions now frame as industry observations.

Admin dashboard controls. Added re-scan and re-brief buttons to the dashboard, gated on a per-workspace pipeline_actions_enabled setting. Paul sees them everywhere (admin). Roland has them enabled. Other users don’t.

Completed

• Outbound email 4 template, system prompt, and rendering
• Root-cause fix for interview question attribution (content_field_generate.py)
• Fix briefing article links to use source URLs (#771 area)
• Fix magic link localhost issue (SITE_URL runtime env var)
• Fix PKCE code exchange in /auth/confirm
• Admin re-scan/re-brief dashboard buttons with per-workspace gating
• Roland’s workspace profile populated from Cowork JSON
• #785 — Follow a website even if there’s not an RSS feed (created)
• #786 — Make it easier to add podcasts — auto-discover RSS feed URLs (created)
• #787 — Auto-discover RSS feeds when user inputs a URL (created)
• #788 — Monitor a website that has no RSS feed (created)

Release progress

• v1.5: 2 open / 3 closed
• v2: 2 open / 17 closed
• v1-outbound: 10 open / 1 closed

Carry-over

• Roland’s Google search terms were overwritten when we upserted the Cowork profile JSON — the refined 2028 festival terms from a previous session are gone. Need to re-do with Roland.
• Debug logging is still in /auth/confirm route — should be removed once magic links are confirmed stable.
• Supabase Site URL keeps reverting — monitor this. If it happens again, investigate whether Supabase CLI or some automation is overwriting it.

Risks

• Supabase Site URL instability. It reverted to localhost at least once during the session. The Redirect URLs list also got wiped and replaced with just the iOS deep link callback. Root cause unknown — could be a Supabase dashboard bug or some automated process. If it happens again, magic links break for everyone.
• PKCE cookie requirement. Magic links only work if opened in the same browser that requested them. Email clients with built-in browsers (Outlook, Gmail app) will fail. Roland hit this. May need to switch to non-PKCE flow or add user guidance.

Flags and watch-outs

• NEXT_PUBLIC_SITE_URL on Vercel had a trailing newline — not harmful since SITE_URL takes priority now, but worth cleaning up.
• The Vercel env var was previously set to https://eclectis.vercel.app — wrong project entirely. Check other env vars for cross-project contamination.
• Roland’s workspace slug is -oland-uehlke-0d2c12a2 (missing the R) — cosmetic but sloppy.

Next session

• Re-do Roland’s search terms with 2028 festival focus. Check with Paul what the specific terms were.
• Remove debug logging from /auth/confirm route.
• Prep and grind issues #785-#788 (RSS discovery and non-RSS monitoring).
• Consider switching magic links from PKCE to implicit flow to avoid the same-browser cookie requirement — or add a “copy this link” instruction to the email template.
• Close outbound issues that are now complete (email templates, attribution fix).