Backend: JWT middleware validates Clerk tokens on every request,
extracts org ID from claims, enforces org-scoped queries via
Supabase RLS. Frontend: ClerkProvider wraps the app, auth gate
blocks unauthenticated access, UserButton in header, token
injected into every API call. Supabase production wired to trust
Clerk JWTs via Third-Party Auth integration.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- supabase_client.py: lazy singleton client (no-ops when env vars absent)
- persistence.py: persist_upload writes batch, source_files, normalized_records,
mapping_decisions, report_runs; persist_export records export_files
- schema.sql: 11-table schema with RLS + WORM rules for audit/raw tables
- main.py: wire persist_upload/persist_export; add ExportRequest body model
so export accepts {records, batch_id}; batch_id returned on upload response
- api.js: add exportFromBackend helper passing batch_id through
- requirements.txt: add supabase>=2.0.0
- smoke_test.py: update export call to new body format
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
