Project: Audit, Hardening & Validation of Existing Stripe/Supabase/Resend System (Vercel) Overview I have a live production website built with React + Vite + Tailwind, deployed via Vercel. The core system is already implemented and working: * Stripe Checkout (server-side session creation) * Stripe webhook (signature verified, raw body handling) * Supabase (purchase persistence with idempotency) * Resend (email fulfilment flow) * Environment variable separation (no secrets client-side) This is NOT a build-from-scratch job. I need an experienced developer to audit, harden, validate, and production-proof the existing system. --- Scope of Work 1. Stripe Checkout & API Layer * Review `create-checkout-session` endpoint * Confirm secure server-side handling only (no client exposure) * Validate product restrictions and request validation * Ensure correct success/cancel flows 2. Stripe Webhook (Critical) * Verify signature validation and raw body handling * Confirm correct handling of `checkout.session.completed` * Validate idempotency (no duplicate inserts) * Ensure safe handling of retries from Stripe * Implement / verify atomic “claim” logic to prevent race conditions (no duplicate fulfilment events) 3. Supabase (Database Layer) * Review schema (purchases table, constraints, indexes) * Validate idempotency via unique session ID * Confirm correct insert/update logic * Ensure service role usage is secure (server-side only) 4. Fulfilment Logic (Resend) * Validate email sending flow * Ensure no duplicate emails under any condition * Confirm fulfilment_status lifecycle (pending → sent / failed) * Ensure failure handling is safe and recoverable * Validate integration with webhook flow 5. End-to-End Flow Testing Run full test coverage in Stripe test mode: * Successful payment → DB insert → email sent * Cancelled checkout * Webhook retry simulation * Email failure scenario * Duplicate webhook delivery Confirm system behaves correctly in all cases. 6. Race Conditions & Concurrency * Ensure no race conditions in webhook → fulfilment flow * Implement or validate atomic DB claim before email send * Confirm safe behaviour under concurrent webhook events 7. Technical SEO & Domain Consistency * Fix any domain inconsistencies * Validate canonical URLs * Review metadata (basic technical SEO only, no marketing rewrite) * Ensure no incorrect domain references in code 8. Codebase Audit & Cleanup * Identify any unsafe patterns or edge-case risks * Fix minor TypeScript / logic inconsistencies if needed * Keep changes minimal and targeted (no refactoring for style) --- Constraints * Do NOT redesign UI or change frontend unless necessary for functionality * Do NOT change stack or architecture * Do NOT rebuild existing systems * Keep all changes minimal, surgical, and production-focused * Preserve all existing behaviour unless fixing a bug or risk --- Deliverables * Clear audit summary (issues found) * List of fixes implemented (with file references) * Confirmation of: * Stripe checkout working * Webhook handling correctly under retries * No duplicate DB entries * No duplicate emails * End-to-end purchase flow working * Any remaining risks or recommendations --- Tech Stack * React + Vite + Tailwind * Vercel (serverless functions) * Stripe * Supabase * Resend --- Expectation This should be a short, focused engagement for an experienced developer. The system is already in place the goal is to validate, secure, and harden it for production use. Please respond with: * Relevant experience (Stripe/webhooks/serverless) * Estimated time * Fixed price or hourly estimate