2026-03-19 — Launch prep sprint: encryption, email, and bug fixes
What shipped today
Today was a massive pre-launch cleanup day. The headline is that integration tokens are now encrypted at rest using Supabase Vault — the full lifecycle from migration to code reads is working in production. The journey had a bump: the original migration failed silently because pgcrypto functions on Supabase need to be qualified with the extensions schema, and we’d already switched all reads to a view that didn’t exist. That broke the entire settings page (interests, preferences, integrations all returned null). Caught it when Paul noticed his interests were empty, diagnosed the root cause quickly, reverted reads, fixed the migration SQL, reapplied, and switched reads back. Clean now.
The article listing got significant polish. Summaries now display below article titles (4 lines), fixing a long-standing issue where the content_summary DB column was never mapped to the frontend summary field. Also discovered that Claude was prepending “# Summary” headers to every summary despite being told not to — moved the formatting rules from the user prompt to the system prompt where they’re treated as authoritative, and ran a DB migration to strip existing headers.
Other fixes shipped: authenticated users no longer get stuck in an onboarding redirect loop (middleware was hardcoding /onboarding instead of /articles), branded email templates were created for all 5 Supabase auth flows, BCC was added on transactional emails for owner visibility, and the parent token encryption issue (#264) was decomposed and fully resolved across 3 child issues plus the follow-up fix.
Earlier in the day (via grind), a batch of hardening issues also landed: OG meta tags, robots.txt for authenticated routes, Claude API timeouts, Stripe price ID logging, scan log status tracking, and a blog page pulling from paulwelty.com RSS.
Completed
- #305 — Add Open Graph and Twitter Card meta tags
- #306 — Add missing authenticated routes to robots.txt
- #307 — Add timeout to Claude API calls
- #308 — Log warning on unknown Stripe price ID
- #309 — Track scan log status for partial failure visibility
- #315 — Implement blog page
- #316 — Show summary/description instead of URL in articles
- #317 — Branded Supabase auth email templates
- #264 — Encrypt integration tokens at rest (parent)
- #321 — Set up Supabase Vault encryption
- #322 — Update web actions to use encrypted integrations
- #323 — Update engine push handlers to read decrypted view
- #327 — Fix onboarding redirect bug
- #328 — Apply Vault encryption migration (pgcrypto fix)
Carry-over
- Apply the 5 branded email templates to the Supabase dashboard (Authentication > Email Templates) — the HTML files are in docs/email-templates/ with a README listing subject lines
- Verify PostHog and Sentry are configured correctly (env vars, events firing, error capture working)
Risks
- The Vault encryption migration creates a BEFORE INSERT/UPDATE trigger on user_profiles. Any writes to integrations now go through encrypt → clear plaintext. If the Vault key is ever deleted, decryption will fail silently (returns '{}'::jsonb). The key is stored in vault.decrypted_secrets with name integrations_encryption_key.
- The user_profiles_decrypted view hardcodes column names. If user_profiles gets new columns, the view needs updating or it won’t expose them.
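Both risks above can be checked from the Supabase SQL editor. The following is an added example, not part of the project's migration; it assumes the tables live in the public schema, that user_profiles has an id key, and that the ciphertext column is named integrations_encrypted (a hypothetical name, since the real one is not given here).

```sql
-- Added example. Assumed names: public schema, id key column,
-- integrations_encrypted as the ciphertext column (hypothetical).

-- 1. Fail loudly if the Vault key is gone, instead of letting
--    decryption quietly fall back to '{}'::jsonb.
do $$
begin
  if not exists (
    select 1
    from vault.decrypted_secrets
    where name = 'integrations_encryption_key'
      and decrypted_secret is not null
  ) then
    raise exception 'Vault secret integrations_encryption_key is missing or unreadable';
  end if;
end $$;

-- 2. Column drift: columns on the table that the hardcoded view does not expose.
select t.column_name as missing_from_view
from information_schema.columns t
where t.table_schema = 'public'
  and t.table_name = 'user_profiles'
  and t.column_name <> 'integrations_encrypted'  -- assumed ciphertext column, hidden on purpose
  and not exists (
    select 1
    from information_schema.columns v
    where v.table_schema = 'public'
      and v.table_name = 'user_profiles_decrypted'
      and v.column_name = t.column_name
  )
order by t.ordinal_position;

-- 3. Rows that hold ciphertext but decrypt to an empty object.
--    A profile whose real value is {} also matches, so a non-zero
--    count is a prompt to investigate, not proof of key loss.
select count(*) as suspect_rows
from public.user_profiles p
join public.user_profiles_decrypted d on d.id = p.id
where p.integrations_encrypted is not null
  and d.integrations = '{}'::jsonb;
```

Run it with a role that can read vault.decrypted_secrets; check 2 is also worth running after any migration that adds columns to user_profiles.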
Flags and watch-outs
- The Brevo API key was accidentally pasted in chat earlier — Paul rotated it. Make sure the new key is in Railway env vars.
- Supabase auth callback URLs need to include both https://www.eclectis.io/auth/callback and http://localhost:3001/** (wildcard for local dev only).
Next session
- Run through the full signup → onboarding → articles flow in Chrome to verify everything works end-to-end after today’s changes
- Apply email templates to Supabase dashboard
- Consider creating a Product Hunt launch milestone and filing any remaining launch-blocking issues
- Check the 2 backlog issues (#77 Vercel issue, #64 inbox scanning) — are they still relevant or should they be closed?