Keep customer auth, tokens, and source connections behind explicit operator controls.

Auth

Supabase Auth with backend isolation

Use Supabase-managed identity while keeping backend writes separately token-gated until the app auth bridge is fully unified.

Mutations

Explicit write token handling

Mutation actions remain gated while the frontend migrates ahead of the backend auth layer.

Runners

Remote-only browser automation

Client machines never open browser automation flows for protected sources like Indeed or LinkedIn.