| Supabase project | Provisioning, the connection, backups, and point-in-time recovery. FirstFlow only reads and writes the firstflow_* tables. |
| Migrations | Applying the shipped SQL in order, and applying new files when you upgrade @firstflow/config-schema. See Set up Supabase. |
| Row Level Security | The policies that protect the firstflow_* tables from the browser’s anon key. See Row Level Security. |
| Key hygiene | Keeping SUPABASE_SERVICE_ROLE_KEY (and any AI provider key) server-only and out of git. |
| Identity | Authenticating your users and passing a trustworthy user.id. FirstFlow has no auth of its own. See Identity & auth. |
| AI cost | The tokens spent by any LLM you wrap, and by the intent classifier. FirstFlow adds observability, not a model. |
| Your app deploy | Shipping the frontend and (optional) backend that embed the packages your normal CI/CD. |