
My React single-page SaaS for FCA-regulated UK mortgage advisers is production-ready on the front end. What remains is tightening the backend security layer, locking down the AI system prompt, and wiring up paid access so I can launch commercially.

Security

Build an API-key proxy inside a Netlify serverless function that sits in front of the Anthropic Claude endpoint. Validate each request with the Supabase-issued JWT and block anything that fails or exceeds rate limits. Return usage metrics so I can log prompt counts per user.

AI Prompt Stability

The letter-generation system prompt (approximately 5KB) currently lives inside [login to view URL] alongside the UI code. Every time a developer touches the frontend there is a risk the prompt is accidentally changed or corrupted. This has happened repeatedly during development and each time it degrades the quality of compliance letters going to FCA-regulated advisers.

Extract the prompt function from [login to view URL] into a dedicated server-side file inside the Netlify function (e.g. netlify/functions/prompts/[login to view URL]). The function must accept productType, firmData and adviserNotes as parameters and return the system prompt string, with an identical interface to the current mf() function in app.js.

After this work, editing any line of [login to view URL] must have zero effect on the prompt file. The prompt file must be clearly commented so a non-developer can read each section and verify it has not changed. Prompt changes must require an explicit edit to the prompt file and appear as a separate commit in Git; they cannot happen as a side effect of a UI fix.

Billing

Configure Stripe to offer subscription plans only, with no one-offs or metered billing. Plans must be created in the Stripe dashboard, synced to Supabase, and surfaced to the app via existing React hooks. On successful checkout the user's Stripe customer ID should be stored in Supabase and their role updated to "paid". Failed or cancelled payments should downgrade them automatically.

Acceptance criteria

The solution is considered done when:

- Requests without a valid JWT or with an invalid API key never reach Claude.
- Active subscribers can generate letters. Lapsed or free users cannot.
- Stripe webhooks reliably update Supabase roles in real time.
- I can deploy the Netlify function and environment variables without code edits.
- The mf() prompt function no longer exists in app.js.
- The business owner can open the prompt file in any text editor and read it without needing to understand JavaScript.
- Making any change to [login to view URL] has no effect on the letter generation prompt.
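The first two acceptance criteria reduce to one decision made before any upstream call. The sketch below is an added example, not code from this project: it assumes the Supabase JWT is HS256-signed with the project's JWT secret and that the subscription role is carried in an app_metadata.role claim, and the names verifyJwt, allow, gate and sign are hypothetical.

```javascript
// Added example (not the project's code): the check a proxy makes before calling Claude.
const crypto = require("node:crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");
const parse = (p) => JSON.parse(Buffer.from(p, "base64url").toString());

// Verify an HS256 JWT and return its claims, or null on any failure.
function verifyJwt(token, secret, nowSec) {
  const parts = String(token || "").split(".");
  if (parts.length !== 3) return null;
  let header, claims;
  try { header = parse(parts[0]); claims = parse(parts[1]); } catch { return null; }
  // Pin the algorithm: a token declaring "none" or any other alg is rejected.
  if (!header || header.alg !== "HS256" || !claims) return null;
  const expected = crypto.createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return null;
  return claims;
}

// Fixed-window limiter keyed by user id. State is per function instance; a hard limit needs shared storage.
const windows = new Map();
function allow(userId, nowSec, limit = 3, windowSec = 60) {
  const w = windows.get(userId);
  if (!w || nowSec - w.start >= windowSec) {
    windows.set(userId, { start: nowSec, count: 1 });
    return true;
  }
  w.count += 1;
  return w.count <= limit;
}

// Status the proxy answers with; only 200 may be forwarded upstream.
// Assumption: the subscription role is carried in the app_metadata.role claim.
function gate(authHeader, secret, nowSec) {
  const m = /^Bearer (.+)$/.exec(authHeader || "");
  const claims = m ? verifyJwt(m[1], secret, nowSec) : null;
  if (!claims || typeof claims.sub !== "string") return 401;
  if (!claims.app_metadata || claims.app_metadata.role !== "paid") return 403;
  return allow(claims.sub, nowSec) ? 200 : 429;
}

// Builds a constructed test token (sample input only, never done in the proxy).
function sign(claims, secret, alg = "HS256") {
  const body = `${b64url(JSON.stringify({ alg, typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  return `${body}.${crypto.createHmac("sha256", secret).update(body).digest("base64url")}`;
}

console.log(gate(`Bearer ${sign({ sub: "demo", exp: 2000, app_metadata: { role: "paid" } }, "constructed-secret")}`, "constructed-secret", 1000));
```

A role claim inside the token stays valid until the token expires, so a user downgraded by a Stripe webhook keeps access until their next token refresh. Reading the role from Supabase on each request, or keeping token lifetimes short, closes that gap.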
Project ID: 40393205
110 proposals
Remote project
Active 18 days ago

Ashbourne, United Kingdom
Payment method verified
Member since Mar 30, 2026