BookifAI — Session Handoff (2026-07-10)
Context
BookifAI is LIVE at https://bookifai.app (real Stripe money on). React+Vite+TS, Supabase umnlokuehteqwrheoyai ("bookify-ai-studio"), Cloudflare Pages bookifai, repo AmplifAI-Your-Business/amplifai-bookifai. This session ran a full audit + fixes. Sondra's verdict: the app feels "vanilla" vs her Pain-2-Profit app and needs to be brought up to that level. Next session's job = do that.
✅ Done + verified this session (do NOT redo)
- Storage security hole FIXED (live):
covers bucket was any-authenticated update/delete + fully public listing. Now owner-scoped (owner = auth.uid()) via migration 20260710000000. Verified: policy re-query + advisor listing-warning gone. Public image rendering unaffected (public bucket serves via public URL).
- Money-DR drift captured:
apply_purchase (confirmed idempotent from live source) + drifted columns committed in migration 20260710000100. Purchase function is solid — can't double-grant.
- Hardening: revoked EXECUTE from PUBLIC on trigger fns (handle_new_user/handle_new_project/update_updated_at_column). Advisor warnings cleared.
- Google-first login LIVE + confirmed by Sondra: "Continue with Google" is the primary button (email secondary). Google provider already enabled on the backend. Sondra signed in with Google successfully = end-to-end verified.
- "Welcome back" removed for first-timers: Auth card + Dashboard header now "Welcome to BookifAI" (was greeting new users as returning). Live.
- All committed + pushed (
7c5e4e4); welcome-back fix committed locally (deployed live).
🎯 NEXT SESSION — bring BookifAI up to Pain-2-Profit parity
FIRST TASK: actually study the Pain-2-Profit app (PROJECTS/Pain-2-Profit Engine/app/) — Sondra spent more time on it and it's the quality bar. Note its onboarding, FAQ, buy-credits UX, sidebar structure, admin area, support surface. Then close these BookifAI gaps:
- Onboarding / direction (biggest complaint): a new user who signs in — AND a buyer right after purchase — gets no guidance. P2P has clear next-steps. Build a first-run/empty-state flow + a post-purchase "here's what to do next."
- Admin dashboard: BookifAI has NONE (verified — zero admin code). Build one keyed to
srverva@gmail.com (like P2P). Sondra asked "how does it know who's admin?" — answer: it doesn't yet; hardcode/env her email as admin.
- Support is invisible:
/support page + submit-support fn EXIST but Support is NOT in the sidebar (nav only has Dashboard/My Books/Templates/Account). Add it to the sidebar. (Registerable-app standard: help form → admin + email alert.)
- KDP resources: nothing in the sidebar/app about KDP publishing help. Add a KDP Resources section/page.
- Buy Credits surface: P2P has an obvious buy-credits area; BookifAI's credit purchase isn't surfaced like that. Add it.
- Templates has no children's / book-type templates: Sondra saw no children's-book templates. Check
Templates.tsx; add templates across book types (fiction/non-fiction/children's).
- Sales page "children's" section is confusing (Sondra didn't understand it herself). Rework so it's clear BookifAI is for ANY book (create / edit / illustrate), children's included — not children's-only. (App backend is already general;
book_type defaults 'general', illustrations optional.)
- Google sign-in shows raw
umnlokuehteqwrheoyai.supabase.co: brand the Google consent screen (Google Cloud → OAuth consent screen → App name "BookifAI"), ideally a Supabase custom auth domain (auth.bookifai.app) so it stops showing the supabase.co URL. Mostly a settings task; guide Sondra.
🟡 Also open (from the security audit — deliberately deferred, with reasons)
- CORS wildcard — lowest severity (not exploitable without a valid login). Correct fix = origin allowlist + redeploy all 9 payment-adjacent edge functions; do as its own curl-verified pass. NOT done.
- DOMPurify on
book-export.ts innerHTML — not exploitable today (own RLS-scoped content); only matters if shared/collaborative books added. Needs a dependency decision. NOT done.
- Leaked-password protection OFF — 1-click toggle in Supabase Auth settings (matters less now Google is primary). Sondra's toggle.
- localStorage auth tokens — inherent to a browser-only app; no clean fix; just don't add untrusted scripts.
- GDPR self-serve account deletion — currently manual via support form; fine at current scale.
🔵 Future feature (separately scoped, NOT started)
- "Import your existing book" (paste + Word .docx first, PDF later; ANY book). Architecture supports it cheaply — writes
projects+chapters rows into the existing editor; illustrate/KDP/export all reuse. projects.uploaded_content column already exists. Needs the mammoth.js dep for Word (ask first). Write PRD + Fable build prompt when she says go.
Quick verification still worth a 10-sec eyeball
- Open an existing book and confirm illustrations still display (storage policy change — should be fine, public URLs unaffected).