diff --git a/docs/plans/2026-02-28-login-modal-design.md b/docs/plans/2026-02-28-login-modal-design.md
new file mode 100644
index 0000000..563cc27
--- /dev/null
+++ b/docs/plans/2026-02-28-login-modal-design.md
@@ -0,0 +1,73 @@
+# Login Modal Design
+
+**Date:** 2026-02-28
+**Status:** Approved
+
+## Problem
+
+The Navbar currently shows two separate login buttons (Google + GitHub) side by side when the user is not logged in. This is visually cluttered and inconsistent with common login UX patterns.
+
+## Solution
+
+Replace the two inline login buttons with a single "Log In" button. Clicking it opens a centered modal where users choose their login provider.
+
+## UI Design
+
+### Navbar (unauthenticated state)
+
+Before:
+```
+[ 中文 ]  [ GitHub ]  [ 🔵 Google ]  [ ⚫ GitHub ]
+```
+
+After:
+```
+[ 中文 ]  [ GitHub ]  [ Log In ]
+```
+
+The "Log In" button uses the brand accent color (orange).
+
+### Modal
+
+```
+┌─────────────────────────────────────┐
+│  Welcome to MoltMarket          [×] │
+│                                     │
+│  Choose a login method              │
+│                                     │
+│  ┌─────────────────────────────┐   │
+│  │  🔵  Continue with Google   │   │
+│  └─────────────────────────────┘   │
+│                                     │
+│  ┌─────────────────────────────┐   │
+│  │  ⚫  Continue with GitHub   │   │
+│  └─────────────────────────────┘   │
+│                                     │
+└─────────────────────────────────────┘
+```
+
+- Semi-transparent black overlay; clicking overlay closes modal
+- Centered card with rounded corners and light shadow
+- Close button (×) in top-right corner
+- Google button: border style (existing style)
+- GitHub button: dark fill style (existing style)
+
+## Technical Plan
+
+### Files to change
+
+1. **`src/components/Navbar.tsx`**
+   - Remove the two inline login `<a>` tags
+   - Add a "Log In" `<button>` with `onClick` to open modal
+   - Add `useState(false)` for modal visibility
+   - Add modal JSX: overlay + card with Google and GitHub login links
+
+2. **`messages/en.json`**
+   - Add `Navbar.login`, `Navbar.loginTitle`, `Navbar.loginSubtitle`
+
+3. **`messages/zh.json`**
+   - Add corresponding Chinese translations
+
+### No new files required
+
+All changes are self-contained within the existing Navbar component and translation files.
diff --git a/docs/plans/2026-02-28-login-modal.md b/docs/plans/2026-02-28-login-modal.md
new file mode 100644
index 0000000..6bb66ad
--- /dev/null
+++ b/docs/plans/2026-02-28-login-modal.md
@@ -0,0 +1,196 @@
+# Login Modal Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
+
+**Goal:** Replace the two inline login buttons (Google + GitHub) in the Navbar with a single "Log In" button that opens a centered modal for the user to choose a login provider.
+
+**Architecture:** All changes are self-contained in `Navbar.tsx` — add a `useState` boolean for modal visibility, replace the two `<a>` login tags with one `<button>`, and append a modal overlay + card as a portal-free JSX sibling inside the `<nav>`. Translation keys for the new copy live in `messages/en.json` and `messages/zh.json`.
+
+**Tech Stack:** Next.js 14, TypeScript, Tailwind CSS, next-intl
+
+---
+
+### Task 1: Add translation keys
+
+**Files:**
+- Modify: `messages/en.json`
+- Modify: `messages/zh.json`
+
+**Step 1: Add keys to `messages/en.json`**
+
+Inside the `"Navbar"` object, add three keys:
+
+```json
+"login": "Log In",
+"loginTitle": "Welcome to MoltMarket",
+"loginSubtitle": "Choose a login method"
+```
+
+After editing, the `"Navbar"` block should look like:
+```json
+"Navbar": {
+  "home": "Home",
+  "overview": "Overview",
+  "tokenMarket": "Token Recycling Market",
+  "logout": "Logout",
+  "startEarning": "Start Earning",
+  "login": "Log In",
+  "loginTitle": "Welcome to MoltMarket",
+  "loginSubtitle": "Choose a login method"
+}
+```
+
+**Step 2: Add keys to `messages/zh.json`**
+
+Inside the `"Navbar"` object, add the same three keys in Chinese:
+
+```json
+"login": "登录",
+"loginTitle": "欢迎来到 MoltMarket",
+"loginSubtitle": "选择登录方式"
+```
+
+**Step 3: Commit**
+
+```bash
+git add messages/en.json messages/zh.json
+git commit -m "feat: add login modal translation keys"
+```
+
+---
+
+### Task 2: Rewrite the unauthenticated login section in Navbar
+
+**Files:**
+- Modify: `src/components/Navbar.tsx`
+
+**Step 1: Add `useState` import and modal state**
+
+At the top of the component function body (after the existing `const pathname = usePathname();` line), add:
+
+```tsx
+const [loginOpen, setLoginOpen] = useState(false);
+```
+
+Also add `useState` to the React import at the top of the file:
+
+```tsx
+import { useState } from "react";
+```
+
+**Step 2: Replace the unauthenticated login JSX**
+
+Find the `else` branch of `{userName ? (...) : (...)}` — it currently renders a `<div className="flex items-center gap-2">` containing the Google `<a>` and GitHub `<a>` tags.
+
+Replace that entire `<div>` (lines 109–148 in the original file) with a single button:
+
+```tsx
+<button
+  onClick={() => setLoginOpen(true)}
+  className="font-inter text-[15px] font-semibold text-white rounded-lg px-4 py-2 bg-[var(--accent)] hover:opacity-90 transition-opacity cursor-pointer"
+>
+  {t("login")}
+</button>
+```
+
+**Step 3: Add the modal JSX**
+
+Immediately before the closing `</nav>` tag, add:
+
+```tsx
+{loginOpen && (
+  <>
+    {/* Overlay */}
+    <div
+      className="fixed inset-0 z-[100] bg-black/50 backdrop-blur-sm"
+      onClick={() => setLoginOpen(false)}
+    />
+    {/* Modal card */}
+    <div className="fixed inset-0 z-[101] flex items-center justify-center pointer-events-none">
+      <div className="pointer-events-auto w-[360px] bg-[var(--bg-primary)] rounded-2xl shadow-2xl p-8 flex flex-col gap-6">
+        {/* Header */}
+        <div className="flex items-start justify-between">
+          <div>
+            <h2 className="font-inter text-[20px] font-bold text-[var(--text-primary)]">
+              {t("loginTitle")}
+            </h2>
+            <p className="font-inter text-[14px] text-[var(--text-muted)] mt-1">
+              {t("loginSubtitle")}
+            </p>
+          </div>
+          <button
+            onClick={() => setLoginOpen(false)}
+            className="text-[var(--text-muted)] hover:text-[var(--text-primary)] transition-colors text-[20px] leading-none cursor-pointer"
+          >
+            ×
+          </button>
+        </div>
+
+        {/* Login options */}
+        <div className="flex flex-col gap-3">
+          {/* Google */}
+          <a
+            href="/api/auth/login?provider=google"
+            className="flex items-center gap-3 font-inter text-[15px] font-medium text-[var(--text-primary)] rounded-xl px-4 py-3 border border-[var(--border-medium)] hover:bg-[var(--bg-tag)] transition-colors"
+          >
+            <svg className="w-5 h-5 shrink-0" viewBox="0 0 24 24">
+              <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z" fill="#4285F4" />
+              <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" fill="#34A853" />
+              <path d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l3.66-2.84z" fill="#FBBC05" />
+              <path d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" fill="#EA4335" />
+            </svg>
+            Continue with Google
+          </a>
+
+          {/* GitHub */}
+          <a
+            href="/api/auth/login?provider=github"
+            className="flex items-center gap-3 font-inter text-[15px] font-semibold text-white rounded-xl px-4 py-3 bg-[#24292e] hover:bg-[#1a1e22] transition-colors"
+          >
+            <svg className="w-5 h-5 shrink-0" fill="currentColor" viewBox="0 0 24 24">
+              <path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z" />
+            </svg>
+            Continue with GitHub
+          </a>
+        </div>
+      </div>
+    </div>
+  </>
+)}
+```
+
+**Step 4: Verify the file compiles**
+
+```bash
+npx tsc --noEmit
+```
+
+Expected: no errors
+
+**Step 5: Commit**
+
+```bash
+git add src/components/Navbar.tsx
+git commit -m "feat: replace login buttons with Log In modal in Navbar"
+```
+
+---
+
+### Task 3: Manual smoke test
+
+**Step 1: Start dev server**
+
+```bash
+npm run dev
+```
+
+**Step 2: Verify checklist**
+
+- [ ] Navbar shows single "Log In" button when logged out
+- [ ] Clicking "Log In" opens the modal with Google and GitHub options
+- [ ] Clicking the overlay (outside the card) closes the modal
+- [ ] Clicking the × button closes the modal
+- [ ] Clicking "Continue with Google" redirects to `/api/auth/login?provider=google`
+- [ ] Clicking "Continue with GitHub" redirects to `/api/auth/login?provider=github`
+- [ ] Switching locale (EN ↔ 中文) shows correct translated text in modal title/subtitle
+- [ ] Logged-in state still shows username + Logout (unchanged)
diff --git a/docs/plans/2026-02-28-supabase-oauth-design.md b/docs/plans/2026-02-28-supabase-oauth-design.md
new file mode 100644
index 0000000..dfb3fd9
--- /dev/null
+++ b/docs/plans/2026-02-28-supabase-oauth-design.md
@@ -0,0 +1,95 @@
+# Supabase OAuth 替换 SecondMe OAuth 设计文档
+
+**日期：** 2026-02-28
+**分支：** feature/OAuth
+
+## 背景
+
+将现有的 SecondMe OAuth 认证替换为 Supabase OAuth，支持 Google 和 GitHub 登录。同时删除所有依赖 SecondMe access token 的 API 路由。
+
+## 技术选型
+
+- **认证库：** `@supabase/ssr`（官方推荐的 Next.js App Router 集成方案）
+- **数据库：** 保留 Prisma + PostgreSQL，新增 `supabaseUserId` 字段替换 `secondmeUserId`
+- **Session 管理：** Supabase cookie-based session（`@supabase/ssr` 自动处理刷新）+ 内部 `session_user_id` cookie 指向 Prisma User
+
+## Auth 流程
+
+```
+用户点击 "Sign in with Google/GitHub"
+  → GET /api/auth/login?provider=google|github
+  → supabase.auth.signInWithOAuth({ provider, redirectTo })
+  → 302 到 Google/GitHub 授权页
+  → 授权成功 → 302 到 /api/auth/callback?code=...
+  → supabase.auth.exchangeCodeForSession(code)
+  → 获取 supabase user (email, name, avatar_url)
+  → upsert Prisma User (where: supabaseUserId)
+  → 设置 session_user_id cookie (Prisma user ID)
+  → 302 到 /
+```
+
+## 文件改动
+
+### 新增
+- `src/lib/supabase.ts` — Supabase browser client + server client 工厂（基于 `@supabase/ssr`）
+
+### 修改
+| 文件 | 改动描述 |
+|------|---------|
+| `package.json` | 添加 `@supabase/ssr` |
+| `src/lib/auth.ts` | 删除 `getValidAccessToken`（SecondMe token 刷新逻辑），保留 `getSessionUserId / setSessionUserId / clearSession / getCurrentUser` |
+| `src/app/api/auth/login/route.ts` | 读取 `provider` query param，调用 `supabase.auth.signInWithOAuth()` |
+| `src/app/api/auth/callback/route.ts` | 调用 `exchangeCodeForSession`，upsert Prisma User，保留 claimCode 逻辑 |
+| `src/app/api/auth/logout/route.ts` | 调用 `supabase.auth.signOut()`，清除 session cookie |
+| `src/middleware.ts` | 添加 Supabase session 刷新（createServerClient + getUser） |
+| `prisma/schema.prisma` | User 模型：`secondmeUserId` → `supabaseUserId`，删除 `accessToken/refreshToken/tokenExpiresAt`；删除 `ChatSession/ChatMessage/Note` 模型 |
+| `src/components/Navbar.tsx` | 登录区域改为 Google / GitHub 两个按钮（`/api/auth/login?provider=google` 和 `?provider=github`） |
+
+### 删除
+- `src/app/api/user/info/route.ts`
+- `src/app/api/user/shades/route.ts`
+- `src/app/api/chat/route.ts`
+- `src/app/api/act/route.ts`
+- `src/app/api/note/route.ts`
+- `src/app/api/sessions/route.ts`
+
+## Prisma Schema 变更
+
+```prisma
+model User {
+  id            String   @id @default(cuid())
+  supabaseUserId String  @unique @map("supabase_user_id")  // 替换 secondmeUserId
+  email         String?
+  name          String?
+  avatarUrl     String?  @map("avatar_url")
+  // 删除: accessToken, refreshToken, tokenExpiresAt
+  // 其余字段保持不变
+  ...
+}
+// 删除: ChatSession, ChatMessage, Note 模型
+```
+
+## 环境变量
+
+新增：
+```
+NEXT_PUBLIC_SUPABASE_URL=https://xxx.supabase.co
+NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...
+```
+
+删除：
+```
+SECONDME_CLIENT_ID
+SECONDME_CLIENT_SECRET
+SECONDME_OAUTH_URL
+SECONDME_REDIRECT_URI
+SECONDME_TOKEN_ENDPOINT
+SECONDME_API_BASE_URL
+```
+
+## Supabase 控制台配置
+
+在 Supabase Dashboard 中需要配置：
+1. Authentication → Providers → 启用 Google（填写 Client ID + Secret）
+2. Authentication → Providers → 启用 GitHub（填写 Client ID + Secret）
+3. Authentication → URL Configuration → 添加 Redirect URL：`{APP_URL}/api/auth/callback`
diff --git a/docs/plans/2026-02-28-supabase-oauth.md b/docs/plans/2026-02-28-supabase-oauth.md
new file mode 100644
index 0000000..bad937e
--- /dev/null
+++ b/docs/plans/2026-02-28-supabase-oauth.md
@@ -0,0 +1,846 @@
+# Supabase OAuth Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
+
+**Goal:** Replace SecondMe OAuth with Supabase OAuth (Google + GitHub), delete all SecondMe-dependent API routes, and update the Prisma User model accordingly.
+
+**Architecture:** Use `@supabase/ssr` for Next.js App Router compatible session management. Supabase handles the OAuth handshake; our callback upserts a Prisma User keyed on `supabaseUserId`. We continue to maintain a `session_user_id` cookie pointing at the Prisma User for all downstream app logic.
+
+**Tech Stack:** Next.js 16 App Router, `@supabase/ssr`, `@supabase/supabase-js` (already installed), Prisma 7 + Neon PostgreSQL, next-intl, TypeScript.
+
+---
+
+## Prerequisites (manual – not code tasks)
+
+In the **Supabase Dashboard** before running the code:
+1. **Authentication → Providers** – enable Google (paste Client ID + Secret from Google Cloud Console)
+2. **Authentication → Providers** – enable GitHub (paste Client ID + Secret from GitHub OAuth App)
+3. **Authentication → URL Configuration → Redirect URLs** – add `http://localhost:3000/api/auth/callback` (dev) and your production URL
+
+New env vars to add to `.env.local` (and Vercel):
+```
+NEXT_PUBLIC_SUPABASE_URL=https://<project>.supabase.co
+NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...
+```
+
+---
+
+### Task 1: Install @supabase/ssr
+
+**Files:**
+- Modify: `package.json` (via npm)
+
+**Step 1: Install the package**
+
+```bash
+npm install @supabase/ssr
+```
+
+Expected: package-lock.json updated, `@supabase/ssr` appears in `dependencies`.
+
+**Step 2: Commit**
+
+```bash
+git add package.json package-lock.json
+git commit -m "feat: add @supabase/ssr dependency"
+```
+
+---
+
+### Task 2: Create Supabase client factory
+
+**Files:**
+- Create: `src/lib/supabase.ts`
+
+**Step 1: Create the file**
+
+```typescript
+// src/lib/supabase.ts
+import { createServerClient } from "@supabase/ssr";
+import { createBrowserClient } from "@supabase/ssr";
+import { cookies } from "next/headers";
+import type { NextRequest, NextResponse } from "next/server";
+
+/** Client components */
+export function createSupabaseBrowserClient() {
+  return createBrowserClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
+  );
+}
+
+/** Server components and API route handlers */
+export async function createSupabaseServerClient() {
+  const cookieStore = await cookies();
+  return createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return cookieStore.getAll();
+        },
+        setAll(cookiesToSet) {
+          try {
+            cookiesToSet.forEach(({ name, value, options }) =>
+              cookieStore.set(name, value, options)
+            );
+          } catch {
+            // Called from a Server Component – read-only, ignore
+          }
+        },
+      },
+    }
+  );
+}
+
+/** Middleware – takes both request and mutable response */
+export function createSupabaseMiddlewareClient(
+  request: NextRequest,
+  response: NextResponse
+) {
+  return createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return request.cookies.getAll();
+        },
+        setAll(cookiesToSet) {
+          cookiesToSet.forEach(({ name, value }) =>
+            request.cookies.set(name, value)
+          );
+          cookiesToSet.forEach(({ name, value, options }) =>
+            response.cookies.set(name, value, options)
+          );
+        },
+      },
+    }
+  );
+}
+```
+
+**Step 2: Verify TypeScript compiles**
+
+```bash
+npx tsc --noEmit
+```
+
+Expected: no errors for the new file (env vars are non-null asserted).
+
+**Step 3: Commit**
+
+```bash
+git add src/lib/supabase.ts
+git commit -m "feat: add Supabase client factory (browser/server/middleware)"
+```
+
+---
+
+### Task 3: Update Prisma schema
+
+**Files:**
+- Modify: `prisma/schema.prisma`
+
+**Step 1: Replace the User model and remove ChatSession/ChatMessage/Note**
+
+Replace the entire content of `prisma/schema.prisma` with:
+
+```prisma
+generator client {
+  provider = "prisma-client-js"
+  output   = "../src/generated/prisma"
+}
+
+datasource db {
+  provider = "postgresql"
+}
+
+model User {
+  id             String   @id @default(cuid())
+  supabaseUserId String   @unique @map("supabase_user_id")
+  email          String?
+  name           String?
+  avatarUrl      String?  @map("avatar_url")
+
+  // Wallet fields
+  balance     Decimal @default(100.00) @db.Decimal(10, 2)
+  totalEarned Decimal @default(0.00) @map("total_earned") @db.Decimal(10, 2)
+  totalSpent  Decimal @default(0.00) @map("total_spent") @db.Decimal(10, 2)
+
+  // Statistics
+  completedTasks Int      @default(0) @map("completed_tasks")
+  rating         Decimal? @db.Decimal(3, 2)
+
+  // Status
+  status String @default("active")
+
+  createdAt DateTime @default(now()) @map("created_at")
+  updatedAt DateTime @updatedAt @map("updated_at")
+
+  agents Agent[]
+
+  @@map("users")
+}
+
+model Task {
+  id               String @id @default(cuid())
+  title            String
+  description      String @db.Text
+  context          Json?
+  estimatedTokens  Int    @map("estimated_tokens")
+  estimatedCredits Int    @map("estimated_credits")
+  priority         String @default("medium")
+  status           String @default("pending")
+
+  publisherAgentId String @map("publisher_agent_id")
+  publisherAgent   Agent  @relation("publisher", fields: [publisherAgentId], references: [id], onDelete: Cascade)
+
+  workerAgentId String? @map("worker_agent_id")
+  workerAgent   Agent?  @relation("worker", fields: [workerAgentId], references: [id], onDelete: SetNull)
+
+  result       String? @db.Text
+  actualTokens Int?    @map("actual_tokens")
+  rating       Int?
+
+  createdAt   DateTime  @default(now()) @map("created_at")
+  updatedAt   DateTime  @updatedAt @map("updated_at")
+  acceptedAt  DateTime? @map("accepted_at")
+  completedAt DateTime? @map("completed_at")
+
+  creditTransactions CreditTransaction[]
+  activityFeeds      ActivityFeed[]
+
+  @@index([status])
+  @@index([publisherAgentId])
+  @@index([workerAgentId])
+  @@index([priority])
+  @@index([createdAt])
+  @@map("tasks")
+}
+
+model CreditTransaction {
+  id      String @id @default(cuid())
+  taskId  String @map("task_id")
+  task    Task   @relation(fields: [taskId], references: [id], onDelete: Cascade)
+  agentId String @map("agent_id")
+  agent   Agent  @relation(fields: [agentId], references: [id], onDelete: Cascade)
+  type    String
+  credits Int
+  tokens  Int
+  balanceAfter Int    @map("balance_after")
+  status       String @default("completed")
+  description  String? @db.Text
+  metadata     Json?
+  createdAt    DateTime  @default(now()) @map("created_at")
+  completedAt  DateTime? @map("completed_at")
+
+  @@index([agentId])
+  @@index([taskId])
+  @@index([type])
+  @@index([createdAt])
+  @@map("credit_transactions")
+}
+
+model ActivityFeed {
+  id        String  @id @default(cuid())
+  eventType String  @map("event_type")
+  agentId   String  @map("agent_id")
+  agent     Agent   @relation(fields: [agentId], references: [id], onDelete: Cascade)
+  taskId    String? @map("task_id")
+  task      Task?   @relation(fields: [taskId], references: [id], onDelete: Cascade)
+  title       String
+  description String? @db.Text
+  metadata    Json?
+  createdAt   DateTime @default(now()) @map("created_at")
+
+  @@index([eventType])
+  @@index([agentId])
+  @@index([taskId])
+  @@index([createdAt])
+  @@map("activity_feeds")
+}
+
+model Agent {
+  id         String @id @default(cuid())
+  apiKey     String @unique @map("api_key")
+  apiKeyHash String @map("api_key_hash")
+  name       String
+
+  claimCode        String @unique @map("claim_code")
+  verificationCode String @map("verification_code")
+
+  userId    String?   @map("user_id")
+  user      User?     @relation(fields: [userId], references: [id], onDelete: SetNull)
+  claimedAt DateTime? @map("claimed_at")
+
+  credits           Int @default(100)
+  totalEarned       Int @default(0) @map("total_earned")
+  totalSpent        Int @default(0) @map("total_spent")
+  tokensSaved       Int @default(0) @map("tokens_saved")
+  tokensContributed Int @default(0) @map("tokens_contributed")
+  tasksPublished    Int @default(0) @map("tasks_published")
+  tasksCompleted    Int @default(0) @map("tasks_completed")
+  reputation        Int @default(0)
+
+  status        String    @default("unclaimed")
+  lastActive    DateTime  @default(now()) @map("last_active")
+  lastHeartbeat DateTime? @map("last_heartbeat")
+
+  capabilities Json?
+  preferences  Json?
+  userAgent    String? @map("user_agent")
+
+  createdAt DateTime @default(now()) @map("created_at")
+  updatedAt DateTime @updatedAt @map("updated_at")
+
+  publishedTasks     Task[]              @relation("publisher")
+  workerTasks        Task[]              @relation("worker")
+  creditTransactions CreditTransaction[]
+  activityFeeds      ActivityFeed[]
+
+  @@index([claimCode])
+  @@index([userId])
+  @@index([status])
+  @@index([lastHeartbeat])
+  @@map("agents")
+}
+```
+
+**Step 2: Run migration**
+
+```bash
+npx prisma migrate dev --name supabase-auth
+```
+
+Expected output: migration file created in `prisma/migrations/`, Prisma client regenerated. If prompted about dropped tables (`chat_sessions`, `chat_messages`, `notes`), confirm — this is intentional.
+
+**Step 3: Verify generated types**
+
+```bash
+npx tsc --noEmit
+```
+
+Expected: errors about `secondmeUserId` / `accessToken` etc. in auth files — that's fine, we'll fix them in the next tasks.
+
+**Step 4: Commit**
+
+```bash
+git add prisma/schema.prisma prisma/migrations/ src/generated/
+git commit -m "feat: migrate User model to supabase_user_id, drop chat/note tables"
+```
+
+---
+
+### Task 4: Update src/lib/auth.ts
+
+**Files:**
+- Modify: `src/lib/auth.ts`
+
+**Step 1: Replace file contents**
+
+Remove `getValidAccessToken` entirely. Keep only session cookie helpers and `getCurrentUser`:
+
+```typescript
+// src/lib/auth.ts
+import { cookies } from "next/headers";
+import { prisma } from "./prisma";
+
+const COOKIE_NAME = "session_user_id";
+
+export async function getSessionUserId(): Promise<string | null> {
+  const cookieStore = await cookies();
+  return cookieStore.get(COOKIE_NAME)?.value ?? null;
+}
+
+export async function setSessionUserId(userId: string) {
+  const cookieStore = await cookies();
+  cookieStore.set(COOKIE_NAME, userId, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    maxAge: 60 * 60 * 24 * 30,
+    path: "/",
+  });
+}
+
+export async function clearSession() {
+  const cookieStore = await cookies();
+  cookieStore.delete(COOKIE_NAME);
+}
+
+export async function getCurrentUser() {
+  const userId = await getSessionUserId();
+  if (!userId) return null;
+  return prisma.user.findUnique({ where: { id: userId } });
+}
+```
+
+**Step 2: Verify no remaining references to getValidAccessToken**
+
+```bash
+grep -r "getValidAccessToken" src/
+```
+
+Expected: no output (zero matches).
+
+**Step 3: Commit**
+
+```bash
+git add src/lib/auth.ts
+git commit -m "feat: remove SecondMe token refresh from auth lib"
+```
+
+---
+
+### Task 5: Update login route
+
+**Files:**
+- Modify: `src/app/api/auth/login/route.ts`
+
+**Step 1: Replace file contents**
+
+```typescript
+// src/app/api/auth/login/route.ts
+import { NextRequest, NextResponse } from "next/server";
+import { createSupabaseServerClient } from "@/lib/supabase";
+
+export async function GET(request: NextRequest) {
+  const provider = request.nextUrl.searchParams.get("provider") as
+    | "google"
+    | "github"
+    | null;
+  const claimCode = request.nextUrl.searchParams.get("claimCode");
+
+  if (!provider || !["google", "github"].includes(provider)) {
+    return NextResponse.redirect(
+      new URL("/?error=invalid_provider", request.url)
+    );
+  }
+
+  const supabase = await createSupabaseServerClient();
+
+  const callbackUrl = new URL("/api/auth/callback", request.url);
+  if (claimCode) {
+    callbackUrl.searchParams.set("claimCode", claimCode);
+  }
+
+  const { data, error } = await supabase.auth.signInWithOAuth({
+    provider,
+    options: { redirectTo: callbackUrl.toString() },
+  });
+
+  if (error || !data.url) {
+    return NextResponse.redirect(
+      new URL("/?error=oauth_failed", request.url)
+    );
+  }
+
+  return NextResponse.redirect(data.url);
+}
+```
+
+**Step 2: Verify TypeScript**
+
+```bash
+npx tsc --noEmit
+```
+
+**Step 3: Commit**
+
+```bash
+git add src/app/api/auth/login/route.ts
+git commit -m "feat: replace SecondMe OAuth redirect with Supabase signInWithOAuth"
+```
+
+---
+
+### Task 6: Update callback route
+
+**Files:**
+- Modify: `src/app/api/auth/callback/route.ts`
+
+**Step 1: Replace file contents**
+
+```typescript
+// src/app/api/auth/callback/route.ts
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { createSupabaseServerClient } from "@/lib/supabase";
+
+export async function GET(request: NextRequest) {
+  const code = request.nextUrl.searchParams.get("code");
+  const claimCode = request.nextUrl.searchParams.get("claimCode");
+
+  if (!code) {
+    return NextResponse.redirect(new URL("/?error=no_code", request.url));
+  }
+
+  try {
+    const supabase = await createSupabaseServerClient();
+    const { data, error } = await supabase.auth.exchangeCodeForSession(code);
+
+    if (error || !data.user) {
+      console.error("Session exchange failed:", error);
+      return NextResponse.redirect(
+        new URL("/?error=token_failed", request.url)
+      );
+    }
+
+    const supabaseUser = data.user;
+    const email = supabaseUser.email ?? null;
+    const name =
+      supabaseUser.user_metadata?.full_name ??
+      supabaseUser.user_metadata?.name ??
+      email ??
+      null;
+    const avatarUrl = supabaseUser.user_metadata?.avatar_url ?? null;
+
+    const user = await prisma.user.upsert({
+      where: { supabaseUserId: supabaseUser.id },
+      create: { supabaseUserId: supabaseUser.id, email, name, avatarUrl },
+      update: { email, name, avatarUrl },
+    });
+
+    const response = NextResponse.redirect(new URL("/", request.url));
+    response.cookies.set("session_user_id", user.id, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "lax",
+      maxAge: 60 * 60 * 24 * 30,
+      path: "/",
+    });
+
+    // Handle agent claiming
+    if (claimCode) {
+      try {
+        const agent = await prisma.agent.findUnique({ where: { claimCode } });
+        if (agent && agent.status === "unclaimed") {
+          await prisma.agent.update({
+            where: { id: agent.id },
+            data: { userId: user.id, status: "active", claimedAt: new Date() },
+          });
+          await prisma.activityFeed.create({
+            data: {
+              eventType: "agent_claimed",
+              agentId: agent.id,
+              title: `${agent.name} was claimed`,
+              description: `Agent ${agent.name} has been successfully claimed and linked to your account.`,
+              metadata: {
+                userId: user.id,
+                claimCode,
+                claimedAt: new Date().toISOString(),
+              },
+            },
+          });
+        }
+      } catch (claimError) {
+        console.error("Error claiming agent:", claimError);
+        // Don't block login if claiming fails
+      }
+    }
+
+    return response;
+  } catch (error) {
+    console.error("OAuth callback error:", error);
+    return NextResponse.redirect(
+      new URL("/?error=callback_failed", request.url)
+    );
+  }
+}
+```
+
+**Step 2: Verify TypeScript**
+
+```bash
+npx tsc --noEmit
+```
+
+Expected: no errors for this file.
+
+**Step 3: Commit**
+
+```bash
+git add src/app/api/auth/callback/route.ts
+git commit -m "feat: use Supabase exchangeCodeForSession in auth callback"
+```
+
+---
+
+### Task 7: Update logout route
+
+**Files:**
+- Modify: `src/app/api/auth/logout/route.ts`
+
+**Step 1: Replace file contents**
+
+```typescript
+// src/app/api/auth/logout/route.ts
+import { NextResponse } from "next/server";
+import { clearSession } from "@/lib/auth";
+import { createSupabaseServerClient } from "@/lib/supabase";
+
+export async function GET(request: Request) {
+  const supabase = await createSupabaseServerClient();
+  await supabase.auth.signOut();
+  await clearSession();
+  return NextResponse.redirect(new URL("/", request.url));
+}
+```
+
+**Step 2: Commit**
+
+```bash
+git add src/app/api/auth/logout/route.ts
+git commit -m "feat: add Supabase signOut to logout route"
+```
+
+---
+
+### Task 8: Update middleware to refresh Supabase session
+
+**Files:**
+- Modify: `src/middleware.ts`
+
+**Step 1: Replace file contents**
+
+```typescript
+// src/middleware.ts
+import { type NextRequest, NextResponse } from "next/server";
+import createIntlMiddleware from "next-intl/middleware";
+import { createServerClient } from "@supabase/ssr";
+import { routing } from "./i18n/routing";
+
+const intlMiddleware = createIntlMiddleware(routing);
+
+export async function middleware(request: NextRequest) {
+  // 1. Create a base response so Supabase can write refreshed session cookies
+  let supabaseResponse = NextResponse.next({ request });
+
+  const supabase = createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return request.cookies.getAll();
+        },
+        setAll(cookiesToSet) {
+          // Write new cookie values into the request for downstream handlers
+          cookiesToSet.forEach(({ name, value }) =>
+            request.cookies.set(name, value)
+          );
+          // Rebuild supabaseResponse with updated request
+          supabaseResponse = NextResponse.next({ request });
+          cookiesToSet.forEach(({ name, value, options }) =>
+            supabaseResponse.cookies.set(name, value, options)
+          );
+        },
+      },
+    }
+  );
+
+  // Refresh session if expired — must not run any logic before this
+  await supabase.auth.getUser();
+
+  // 2. Run next-intl middleware on the (potentially cookie-updated) request
+  const intlResponse = intlMiddleware(request);
+
+  // 3. Copy any Supabase session cookies onto the intl response
+  supabaseResponse.cookies.getAll().forEach((cookie) => {
+    intlResponse.cookies.set(cookie.name, cookie.value, { path: "/" });
+  });
+
+  return intlResponse;
+}
+
+export const config = {
+  matcher: ["/((?!api|_next|_vercel|.*\\..*).*)"],
+};
+```
+
+**Step 2: Verify TypeScript**
+
+```bash
+npx tsc --noEmit
+```
+
+**Step 3: Commit**
+
+```bash
+git add src/middleware.ts
+git commit -m "feat: add Supabase session refresh to middleware"
+```
+
+---
+
+### Task 9: Update Navbar – Google & GitHub login buttons
+
+**Files:**
+- Modify: `src/components/Navbar.tsx`
+
+**Step 1: Replace the unauthenticated login section (lines 109-116)**
+
+Find this block in `src/components/Navbar.tsx`:
+
+```tsx
+        // eslint-disable-next-line @next/next/no-html-link-for-pages
+          <a
+            href="/api/auth/login"
+            className="flex items-center justify-center font-inter text-[16px] font-semibold text-white rounded-[20px] px-5 py-2.5 bg-gradient-to-b from-[var(--accent-gradient-start)] to-[var(--accent-gradient-end)] shadow-[0_4px_16px_rgba(224,122,58,0.35)] hover:shadow-[0_6px_20px_rgba(224,122,58,0.45)] hover:scale-[1.02] transition-all"
+          >
+            {t("startEarning")}
+          </a>
+```
+
+Replace with:
+
+```tsx
+          <div className="flex items-center gap-2">
+            {/* Google */}
+            {/* eslint-disable-next-line @next/next/no-html-link-for-pages */}
+            <a
+              href="/api/auth/login?provider=google"
+              className="flex items-center gap-2 font-inter text-[15px] font-medium text-[var(--text-primary)] rounded-lg px-4 py-2 border border-[var(--border-medium)] hover:bg-[var(--bg-tag)] transition-colors"
+            >
+              <svg className="w-4 h-4" viewBox="0 0 24 24">
+                <path
+                  d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"
+                  fill="#4285F4"
+                />
+                <path
+                  d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"
+                  fill="#34A853"
+                />
+                <path
+                  d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l3.66-2.84z"
+                  fill="#FBBC05"
+                />
+                <path
+                  d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"
+                  fill="#EA4335"
+                />
+              </svg>
+              Google
+            </a>
+            {/* GitHub */}
+            {/* eslint-disable-next-line @next/next/no-html-link-for-pages */}
+            <a
+              href="/api/auth/login?provider=github"
+              className="flex items-center gap-2 font-inter text-[15px] font-semibold text-white rounded-lg px-4 py-2 bg-[#24292e] hover:bg-[#1a1e22] transition-colors"
+            >
+              <svg className="w-4 h-4" fill="currentColor" viewBox="0 0 24 24">
+                <path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z" />
+              </svg>
+              GitHub
+            </a>
+          </div>
+```
+
+**Step 2: Verify TypeScript**
+
+```bash
+npx tsc --noEmit
+```
+
+**Step 3: Commit**
+
+```bash
+git add src/components/Navbar.tsx
+git commit -m "feat: replace single login button with Google/GitHub OAuth buttons"
+```
+
+---
+
+### Task 10: Delete SecondMe-only API routes
+
+**Files to delete:**
+- `src/app/api/user/info/route.ts`
+- `src/app/api/user/shades/route.ts`
+- `src/app/api/chat/route.ts`
+- `src/app/api/act/route.ts`
+- `src/app/api/note/route.ts`
+- `src/app/api/sessions/route.ts`
+
+**Step 1: Delete the files**
+
+```bash
+rm src/app/api/user/info/route.ts
+rm src/app/api/user/shades/route.ts
+rm src/app/api/chat/route.ts
+rm src/app/api/act/route.ts
+rm src/app/api/note/route.ts
+rm src/app/api/sessions/route.ts
+```
+
+**Step 2: Check for broken imports**
+
+```bash
+grep -r "api/user/info\|api/user/shades\|api/chat\|api/act\|api/note\|api/sessions" src/ --include="*.ts" --include="*.tsx"
+```
+
+Expected: no matches (these were self-contained routes, not imported elsewhere).
+
+**Step 3: Also remove lib/act.ts if only used by deleted routes**
+
+```bash
+grep -r "from.*lib/act\|from.*@/lib/act" src/ --include="*.ts" --include="*.tsx"
+```
+
+If only `src/app/api/act/route.ts` imported it (now deleted), run:
+
+```bash
+rm src/lib/act.ts
+```
+
+**Step 4: Verify TypeScript**
+
+```bash
+npx tsc --noEmit
+```
+
+Expected: no errors.
+
+**Step 5: Commit**
+
+```bash
+git add -A
+git commit -m "feat: delete SecondMe-dependent API routes (chat, note, act, user/info, user/shades, sessions)"
+```
+
+---
+
+### Task 11: Build verification
+
+**Step 1: Run full build**
+
+```bash
+npm run build
+```
+
+Expected: build completes with no TypeScript errors, no missing module errors.
+
+**Step 2: If errors about SECONDME env vars in other files, find and clean them up**
+
+```bash
+grep -r "SECONDME" src/ --include="*.ts" --include="*.tsx"
+```
+
+Delete or update any remaining references.
+
+**Step 3: Final commit if any cleanup was needed**
+
+```bash
+git add -A
+git commit -m "chore: clean up remaining SecondMe references"
+```
+
+---
+
+## Supabase Dashboard Checklist (one-time manual setup)
+
+- [ ] Google provider enabled with Client ID + Secret
+- [ ] GitHub provider enabled with Client ID + Secret
+- [ ] Redirect URL `{APP_URL}/api/auth/callback` added to allowed list
+- [ ] `NEXT_PUBLIC_SUPABASE_URL` and `NEXT_PUBLIC_SUPABASE_ANON_KEY` added to `.env.local` and Vercel environment variables
diff --git a/messages/en.json b/messages/en.json
index bacfc5f..3030340 100644
--- a/messages/en.json
+++ b/messages/en.json
@@ -8,7 +8,10 @@
     "overview": "Overview",
     "tokenMarket": "Token Recycling Market",
     "logout": "Logout",
-    "startEarning": "Start Earning"
+    "startEarning": "Start Earning",
+    "login": "Log In",
+    "loginTitle": "Welcome to MoltMarket",
+    "loginSubtitle": "Choose a login method"
   },
   "Hero": {
     "tagline": "Claude tokens reset monthly, unused ones go to waste",
diff --git a/messages/zh.json b/messages/zh.json
index 28c3fb9..738eeeb 100644
--- a/messages/zh.json
+++ b/messages/zh.json
@@ -8,7 +8,10 @@
     "overview": "介绍",
     "tokenMarket": "Token 回收市场",
     "logout": "退出",
-    "startEarning": "开始赚取"
+    "startEarning": "开始赚取",
+    "login": "登录",
+    "loginTitle": "欢迎来到 MoltMarket",
+    "loginSubtitle": "选择登录方式"
   },
   "Hero": {
     "tagline": "Claude token 每月清零，没用完就浪费",
diff --git a/package-lock.json b/package-lock.json
index 1677629..adc3f56 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,11 +1,11 @@
 {
-  "name": "credit-trader-secondme",
+  "name": "clawcycle",
   "version": "0.1.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
-      "name": "credit-trader-secondme",
+      "name": "clawcycle",
       "version": "0.1.0",
       "hasInstallScript": true,
       "dependencies": {
@@ -16,6 +16,7 @@
         "@prisma/adapter-neon": "^7.3.0",
         "@prisma/adapter-pg": "^7.3.0",
         "@prisma/client": "^7.3.0",
+        "@supabase/ssr": "^0.8.0",
         "@supabase/supabase-js": "^2.95.3",
         "@types/bcrypt": "^6.0.0",
         "@types/mdx": "^2.0.13",
@@ -2070,6 +2071,18 @@
         "node": ">=20.0.0"
       }
     },
+    "node_modules/@supabase/ssr": {
+      "version": "0.8.0",
+      "resolved": "https://registry.npmmirror.com/@supabase/ssr/-/ssr-0.8.0.tgz",
+      "integrity": "sha512-/PKk8kNFSs8QvvJ2vOww1mF5/c5W8y42duYtXvkOSe+yZKRgTTZywYG2l41pjhNomqESZCpZtXuWmYjFRMV+dw==",
+      "license": "MIT",
+      "dependencies": {
+        "cookie": "^1.0.2"
+      },
+      "peerDependencies": {
+        "@supabase/supabase-js": "^2.76.1"
+      }
+    },
     "node_modules/@supabase/storage-js": {
       "version": "2.98.0",
       "resolved": "https://registry.npmjs.org/@supabase/storage-js/-/storage-js-2.98.0.tgz",
@@ -3975,6 +3988,19 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/cookie": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmmirror.com/cookie/-/cookie-1.1.1.tgz",
+      "integrity": "sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
     "node_modules/cross-spawn": {
       "version": "7.0.6",
       "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
diff --git a/package.json b/package.json
index 36e8d11..9ca9990 100644
--- a/package.json
+++ b/package.json
@@ -1,5 +1,5 @@
 {
-  "name": "credit-trader-secondme",
+  "name": "clawcycle",
   "version": "0.1.0",
   "private": true,
   "scripts": {
@@ -8,7 +8,11 @@
     "start": "next start",
     "lint": "eslint",
     "postinstall": "prisma generate",
-    "prepare": "husky"
+    "prepare": "husky",
+    "seed": "dotenv -e .env.local -- ts-node --compiler-options '{\"module\":\"CommonJS\"}' prisma/seed.ts"
+  },
+  "prisma": {
+    "seed": "npm run seed"
   },
   "dependencies": {
     "@mdx-js/loader": "^3.1.1",
@@ -18,6 +22,7 @@
     "@prisma/adapter-neon": "^7.3.0",
     "@prisma/adapter-pg": "^7.3.0",
     "@prisma/client": "^7.3.0",
+    "@supabase/ssr": "^0.8.0",
     "@supabase/supabase-js": "^2.95.3",
     "@types/bcrypt": "^6.0.0",
     "@types/mdx": "^2.0.13",
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index f5e362b..6156778 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -9,13 +9,10 @@ datasource db {
 
 model User {
   id             String   @id @default(cuid())
-  secondmeUserId String   @unique @map("secondme_user_id")
+  supabaseUserId String   @unique @map("supabase_user_id")
   email          String?
   name           String?
   avatarUrl      String?  @map("avatar_url")
-  accessToken    String   @map("access_token")
-  refreshToken   String   @map("refresh_token")
-  tokenExpiresAt DateTime @map("token_expires_at")
 
   // Wallet fields
   balance     Decimal @default(100.00) @db.Decimal(10, 2)
@@ -32,52 +29,11 @@ model User {
   createdAt DateTime @default(now()) @map("created_at")
   updatedAt DateTime @updatedAt @map("updated_at")
 
-  chatSessions ChatSession[]
-  notes        Note[]
   agents       Agent[]
 
   @@map("users")
 }
 
-model ChatSession {
-  id              String   @id @default(cuid())
-  secondmeSession String?  @map("secondme_session")
-  title           String?
-  userId          String   @map("user_id")
-  createdAt       DateTime @default(now()) @map("created_at")
-  updatedAt       DateTime @updatedAt @map("updated_at")
-
-  user     User          @relation(fields: [userId], references: [id], onDelete: Cascade)
-  messages ChatMessage[]
-
-  @@map("chat_sessions")
-}
-
-model ChatMessage {
-  id        String   @id @default(cuid())
-  sessionId String   @map("session_id")
-  role      String
-  content   String
-  createdAt DateTime @default(now()) @map("created_at")
-
-  session ChatSession @relation(fields: [sessionId], references: [id], onDelete: Cascade)
-
-  @@map("chat_messages")
-}
-
-model Note {
-  id        String   @id @default(cuid())
-  userId    String   @map("user_id")
-  content   String
-  noteId    Int?     @map("secondme_note_id")
-  createdAt DateTime @default(now()) @map("created_at")
-
-  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
-
-  @@map("notes")
-}
-
-// Task table for Agent Labor Market
 model Task {
   id               String @id @default(cuid())
   title            String
diff --git a/prisma/seed.ts b/prisma/seed.ts
new file mode 100644
index 0000000..c4412d7
--- /dev/null
+++ b/prisma/seed.ts
@@ -0,0 +1,283 @@
+import { PrismaClient } from "../src/generated/prisma/client";
+import { Pool } from "pg";
+import { PrismaPg } from "@prisma/adapter-pg";
+import { randomBytes } from "crypto";
+import * as bcrypt from "bcrypt";
+
+const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+const adapter = new PrismaPg(pool);
+const prisma = new PrismaClient({ adapter });
+
+function makeApiKey() {
+  const full = `ct_${randomBytes(32).toString("base64url")}`;
+  return { full, prefix: full.slice(0, 11) };
+}
+
+function makeClaimCode() {
+  return randomBytes(4).toString("hex").toUpperCase().slice(0, 8);
+}
+
+function makeVerificationCode() {
+  return Math.floor(100000 + Math.random() * 900000).toString();
+}
+
+async function main() {
+  console.log("🌱 Seeding database...");
+
+  // ── Users ────────────────────────────────────────────────────────────────
+  const [alice, bob, carol] = await Promise.all([
+    prisma.user.create({
+      data: {
+        supabaseUserId: "test-supabase-uid-alice-0001",
+        email: "alice@example.com",
+        name: "Alice",
+        avatarUrl: "https://api.dicebear.com/7.x/avataaars/svg?seed=alice",
+        balance: 850,
+        totalEarned: 1200,
+        totalSpent: 350,
+        completedTasks: 12,
+      },
+    }),
+    prisma.user.create({
+      data: {
+        supabaseUserId: "test-supabase-uid-bob-0002",
+        email: "bob@example.com",
+        name: "Bob",
+        avatarUrl: "https://api.dicebear.com/7.x/avataaars/svg?seed=bob",
+        balance: 420,
+        totalEarned: 600,
+        totalSpent: 180,
+        completedTasks: 5,
+      },
+    }),
+    prisma.user.create({
+      data: {
+        supabaseUserId: "test-supabase-uid-carol-0003",
+        email: "carol@example.com",
+        name: "Carol",
+        avatarUrl: "https://api.dicebear.com/7.x/avataaars/svg?seed=carol",
+        balance: 100,
+        totalEarned: 0,
+        totalSpent: 0,
+        completedTasks: 0,
+      },
+    }),
+  ]);
+  console.log("✅ Users created:", alice.name, bob.name, carol.name);
+
+  // ── Agents ───────────────────────────────────────────────────────────────
+  async function createAgent(
+    name: string,
+    userId: string | null,
+    status: string,
+    overrides: Record<string, unknown> = {}
+  ) {
+    const { full, prefix } = makeApiKey();
+    const hash = await bcrypt.hash(full, 10);
+    return prisma.agent.create({
+      data: {
+        name,
+        apiKey: prefix,
+        apiKeyHash: hash,
+        claimCode: makeClaimCode(),
+        verificationCode: makeVerificationCode(),
+        userId,
+        status,
+        claimedAt: userId ? new Date() : null,
+        credits: 100,
+        ...overrides,
+      },
+    });
+  }
+
+  const [aliceAgent, aliceAgent2, bobAgent, unclaimedA, unclaimedB] =
+    await Promise.all([
+      createAgent("Alice-Coder", alice.id, "active", {
+        credits: 340,
+        totalEarned: 500,
+        totalSpent: 160,
+        tasksPublished: 8,
+        tasksCompleted: 10,
+        tokensSaved: 24000,
+        tokensContributed: 18000,
+        reputation: 42,
+      }),
+      createAgent("Alice-Researcher", alice.id, "active", {
+        credits: 180,
+        totalEarned: 200,
+        totalSpent: 20,
+        tasksPublished: 3,
+        tasksCompleted: 2,
+        tokensSaved: 8000,
+        tokensContributed: 5000,
+        reputation: 18,
+      }),
+      createAgent("Bob-Analyst", bob.id, "active", {
+        credits: 220,
+        totalEarned: 300,
+        totalSpent: 80,
+        tasksPublished: 5,
+        tasksCompleted: 5,
+        tokensSaved: 12000,
+        tokensContributed: 9000,
+        reputation: 25,
+      }),
+      createAgent("Wanderer-7", null, "unclaimed", {}),
+      createAgent("Scout-Alpha", null, "unclaimed", {}),
+    ]);
+  console.log("✅ Agents created (3 claimed, 2 unclaimed)");
+
+  // ── Tasks ────────────────────────────────────────────────────────────────
+  const tasksData = [
+    // completed
+    {
+      title: "Summarize quarterly earnings report",
+      description: "Parse the Q3 PDF and produce a 3-bullet executive summary.",
+      estimatedTokens: 4000,
+      estimatedCredits: 40,
+      priority: "high",
+      status: "completed",
+      publisherAgentId: aliceAgent.id,
+      workerAgentId: bobAgent.id,
+      result: "Revenue up 12 %, operating margin 18 %, headcount stable.",
+      actualTokens: 3800,
+      rating: 5,
+      acceptedAt: new Date(Date.now() - 1000 * 60 * 60 * 3),
+      completedAt: new Date(Date.now() - 1000 * 60 * 60 * 2),
+    },
+    {
+      title: "Translate README to Chinese",
+      description: "Translate the project README.md from English to Simplified Chinese.",
+      estimatedTokens: 2000,
+      estimatedCredits: 20,
+      priority: "medium",
+      status: "completed",
+      publisherAgentId: bobAgent.id,
+      workerAgentId: aliceAgent.id,
+      result: "Translation complete. 98 % confidence score.",
+      actualTokens: 1950,
+      rating: 4,
+      acceptedAt: new Date(Date.now() - 1000 * 60 * 60 * 10),
+      completedAt: new Date(Date.now() - 1000 * 60 * 60 * 9),
+    },
+    // executing
+    {
+      title: "Generate unit tests for auth module",
+      description: "Write Jest tests covering all branches in src/lib/auth.ts.",
+      estimatedTokens: 6000,
+      estimatedCredits: 60,
+      priority: "high",
+      status: "executing",
+      publisherAgentId: aliceAgent2.id,
+      workerAgentId: bobAgent.id,
+      acceptedAt: new Date(Date.now() - 1000 * 60 * 30),
+    },
+    // accepted
+    {
+      title: "Review PR #42 for security issues",
+      description: "Check the OAuth callback changes for CSRF or token-leak vulnerabilities.",
+      estimatedTokens: 3000,
+      estimatedCredits: 30,
+      priority: "high",
+      status: "accepted",
+      publisherAgentId: aliceAgent.id,
+      workerAgentId: aliceAgent2.id,
+      acceptedAt: new Date(Date.now() - 1000 * 60 * 10),
+    },
+    // pending
+    {
+      title: "Create onboarding email copy",
+      description: "Write 3 onboarding email templates (welcome, day-3, day-7) in a friendly tone.",
+      estimatedTokens: 2500,
+      estimatedCredits: 25,
+      priority: "medium",
+      status: "pending",
+      publisherAgentId: bobAgent.id,
+    },
+    {
+      title: "Analyze competitor pricing page",
+      description: "Screenshot and summarize pricing tiers from top 5 competitors.",
+      estimatedTokens: 5000,
+      estimatedCredits: 50,
+      priority: "low",
+      status: "pending",
+      publisherAgentId: aliceAgent.id,
+    },
+    {
+      title: "Debug slow API response on /api/stats",
+      description: "Profile the endpoint and identify the N+1 query causing latency.",
+      estimatedTokens: 4500,
+      estimatedCredits: 45,
+      priority: "high",
+      status: "pending",
+      publisherAgentId: aliceAgent2.id,
+    },
+  ];
+
+  const tasks = await Promise.all(
+    tasksData.map((t) => prisma.task.create({ data: t as Parameters<typeof prisma.task.create>[0]["data"] }))
+  );
+  console.log(`✅ Tasks created: ${tasks.length} (2 completed, 1 executing, 1 accepted, 3 pending)`);
+
+  // ── Activity Feed ─────────────────────────────────────────────────────────
+  const [completedTask1, completedTask2] = tasks;
+
+  await Promise.all([
+    prisma.activityFeed.create({
+      data: {
+        eventType: "task_completed",
+        agentId: bobAgent.id,
+        taskId: completedTask1.id,
+        title: "Bob-Analyst completed a task",
+        description: "Summarized quarterly earnings report for Alice-Coder.",
+        metadata: { creditsEarned: 40, tokensUsed: 3800 },
+      },
+    }),
+    prisma.activityFeed.create({
+      data: {
+        eventType: "task_completed",
+        agentId: aliceAgent.id,
+        taskId: completedTask2.id,
+        title: "Alice-Coder completed a task",
+        description: "Translated README to Chinese for Bob-Analyst.",
+        metadata: { creditsEarned: 20, tokensUsed: 1950 },
+      },
+    }),
+    prisma.activityFeed.create({
+      data: {
+        eventType: "agent_claimed",
+        agentId: aliceAgent.id,
+        title: "Alice-Coder was claimed",
+        description: "Agent Alice-Coder has been successfully claimed and linked to your account.",
+        metadata: { userId: alice.id },
+      },
+    }),
+    prisma.activityFeed.create({
+      data: {
+        eventType: "task_published",
+        agentId: aliceAgent.id,
+        taskId: tasks[5].id,
+        title: "Alice-Coder published a new task",
+        description: "Analyze competitor pricing page",
+        metadata: { estimatedCredits: 50 },
+      },
+    }),
+  ]);
+  console.log("✅ Activity feed created");
+
+  console.log("\n🎉 Seed complete!");
+  console.log(`   Users:   3  (alice / bob / carol)`);
+  console.log(`   Agents:  5  (3 active, 2 unclaimed)`);
+  console.log(`   Tasks:   ${tasks.length}  (2 completed, 1 executing, 1 accepted, 3 pending)`);
+  console.log(`   Feed:    4 entries`);
+}
+
+main()
+  .catch((e) => {
+    console.error(e);
+    process.exit(1);
+  })
+  .finally(async () => {
+    await prisma.$disconnect();
+    await pool.end();
+  });
diff --git a/src/app/[locale]/claim/ClaimClient.tsx b/src/app/[locale]/claim/ClaimClient.tsx
deleted file mode 100644
index 8bb1e98..0000000
--- a/src/app/[locale]/claim/ClaimClient.tsx
+++ /dev/null
@@ -1,175 +0,0 @@
-"use client";
-
-import { useSearchParams } from "next/navigation";
-import { useEffect, useState, useMemo } from "react";
-import { useTranslations } from "next-intl";
-
-import { Link } from "@/i18n/routing";
-
-interface AgentInfo {
-  id: string;
-  name: string;
-  createdAt: string;
-}
-
-export default function ClaimClient() {
-  const t = useTranslations("Claim");
-  const searchParams = useSearchParams();
-  const token = searchParams.get("token");
-  const [agent, setAgent] = useState<AgentInfo | null>(null);
-  const [loading, setLoading] = useState(() => !!token);
-  const [error, setError] = useState<string | null>(() => token ? null : t("missingToken"));
-  const [claiming, setClaiming] = useState(false);
-
-  useEffect(() => {
-    if (!token) {
-      return;
-    }
-
-    // Fetch agent info by claim token
-    fetch(`/api/agents/claim?token=${encodeURIComponent(token)}`)
-      .then((res) => {
-        if (!res.ok) throw new Error(t("invalidToken"));
-        return res.json();
-      })
-      .then((data) => setAgent(data))
-      .catch((err) => setError(err.message))
-      .finally(() => setLoading(false));
-  }, [token, t]);
-
-  function handleClaim() {
-    // Redirect to OAuth login with claim token in state
-    setClaiming(true);
-    const loginUrl = `/api/auth/login?claim_token=${encodeURIComponent(token || "")}`;
-    window.location.href = loginUrl;
-  }
-
-  const [currentTime, setCurrentTime] = useState(() => Date.now());
-
-  useEffect(() => {
-    const timer = setInterval(() => setCurrentTime(Date.now()), 60000);
-    return () => clearInterval(timer);
-  }, []);
-
-  const timeAgo = useMemo(() => {
-    if (!agent) return "";
-    const diff = currentTime - new Date(agent.createdAt).getTime();
-    const mins = Math.floor(diff / 60000);
-    if (mins < 1) return "just now";
-    if (mins < 60) return `${mins}m ago`;
-    const hours = Math.floor(mins / 60);
-    if (hours < 24) return `${hours}h ago`;
-    return `${Math.floor(hours / 24)}d ago`;
-  }, [agent, currentTime]);
-
-  if (loading) {
-    return (
-      <div className="flex items-center justify-center min-h-screen bg-[var(--bg-primary)]">
-        <div className="animate-spin h-8 w-8 border-2 border-[var(--accent)] border-t-transparent rounded-full" />
-      </div>
-    );
-  }
-
-  if (error || !agent) {
-    return (
-      <div className="flex flex-col items-center justify-center min-h-screen bg-[var(--bg-primary)]">
-        <div className="flex flex-col items-center gap-[16px] p-[32px]">
-          <span className="text-[48px]">❌</span>
-          <h1 className="font-ibm-plex-mono text-[22px] font-bold text-[var(--text-primary)]">
-            {t("invalidTitle")}
-          </h1>
-          <p className="font-ibm-plex-mono text-[16px] text-[var(--text-muted)]">
-            {error || t("invalidDescription")}
-          </p>
-          <Link
-            href="/"
-            className="font-ibm-plex-mono text-[16px] text-[var(--accent)] hover:underline"
-          >
-            {t("backHome")}
-          </Link>
-        </div>
-      </div>
-    );
-  }
-
-
-  return (
-    <div className="flex flex-col items-center justify-center min-h-screen bg-[var(--bg-primary)]">
-      <div className="flex flex-col w-full max-w-[500px] mx-4 md:mx-0 rounded-[16px] bg-white border border-[var(--border-medium)] overflow-hidden shadow-[0_8px_24px_rgba(212,149,104,0.15),0_1px_4px_rgba(212,149,104,0.07)]">
-        {/* Card Header */}
-        <div className="flex flex-col items-center gap-[16px] px-[20px] md:px-[32px] pt-[32px] pb-[24px] w-full">
-          <span className="font-ibm-plex-mono text-[18px] font-bold text-[var(--text-primary)]">
-            {t("brandTitle")}
-          </span>
-          <span className="text-[48px]">🎉</span>
-          <h1 className="font-ibm-plex-mono text-[26px] font-bold text-[var(--text-primary)] text-center">
-            {t("claimOpenClaw")}
-          </h1>
-          <p className="font-ibm-plex-mono text-[16px] text-[var(--text-light)] text-center">
-            {t("completeAuth")}
-          </p>
-        </div>
-
-        <div className="h-[1px] w-full bg-[var(--border-light)]" />
-
-        {/* Agent Info */}
-        <div className="flex flex-col gap-[12px] px-[20px] md:px-[32px] py-[20px] w-full">
-          <span className="font-ibm-plex-mono text-[15px] font-bold text-[var(--accent-dark)]">
-            {t("agentInfo")}
-          </span>
-          <div className="flex gap-[8px] w-full">
-            <span className="font-ibm-plex-mono text-[15px] text-[var(--text-light)]">
-              {t("nameLabel")}
-            </span>
-            <span className="font-ibm-plex-mono text-[15px] font-semibold text-[var(--text-primary)]">
-              {agent.name}
-            </span>
-          </div>
-          <div className="flex gap-[8px] w-full">
-            <span className="font-ibm-plex-mono text-[15px] text-[var(--text-light)]">
-              {t("registeredLabel")}
-            </span>
-            <span className="font-ibm-plex-mono text-[15px] font-semibold text-[var(--text-primary)]">
-              {timeAgo}
-            </span>
-          </div>
-          <div className="flex gap-[8px] w-full">
-            <span className="font-ibm-plex-mono text-[15px] text-[var(--text-light)]">
-              {t("idLabel")}
-            </span>
-            <span className="font-ibm-plex-mono text-[15px] font-semibold text-[var(--text-primary)]">
-              {agent.id.slice(0, 8)}...{agent.id.slice(-4)}
-            </span>
-          </div>
-        </div>
-
-        <div className="h-[1px] w-full bg-[var(--border-light)]" />
-
-        {/* Auth Section */}
-        <div className="flex flex-col items-center gap-[20px] px-[20px] md:px-[32px] py-[24px] w-full">
-          <button
-            onClick={handleClaim}
-            disabled={claiming}
-            className="flex items-center justify-center w-full h-[48px] rounded-[12px] bg-gradient-to-b from-[var(--accent-gradient-start)] to-[var(--accent-gradient-end)] shadow-[0_4px_20px_rgba(224,122,58,0.33),0_0_6px_1px_rgba(244,164,96,0.21)] cursor-pointer disabled:opacity-50"
-          >
-            <span className="font-ibm-plex-mono text-[17px] font-bold text-white">
-              {claiming ? t("redirecting") : t("authorizeBtn")}
-            </span>
-          </button>
-
-          <div className="flex flex-col gap-[8px]">
-            <span className="font-ibm-plex-mono text-[15px] text-[var(--accent-dark)]">
-              {t("secureOAuth")}
-            </span>
-            <span className="font-ibm-plex-mono text-[15px] text-[var(--accent-dark)]">
-              {t("basicProfile")}
-            </span>
-            <span className="font-ibm-plex-mono text-[15px] text-[var(--accent-dark)]">
-              {t("revokeAccess")}
-            </span>
-          </div>
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/src/app/[locale]/claim/page.tsx b/src/app/[locale]/claim/page.tsx
deleted file mode 100644
index 411a674..0000000
--- a/src/app/[locale]/claim/page.tsx
+++ /dev/null
@@ -1,16 +0,0 @@
-import { Suspense } from "react";
-import ClaimClient from "./ClaimClient";
-
-export default function ClaimPage() {
-  return (
-    <Suspense
-      fallback={
-        <div className="flex items-center justify-center min-h-screen bg-[var(--bg-primary)]">
-          <div className="animate-spin h-8 w-8 border-2 border-[var(--accent)] border-t-transparent rounded-full" />
-        </div>
-      }
-    >
-      <ClaimClient />
-    </Suspense>
-  );
-}
diff --git a/src/app/api/act/route.ts b/src/app/api/act/route.ts
deleted file mode 100644
index 7891e38..0000000
--- a/src/app/api/act/route.ts
+++ /dev/null
@@ -1,58 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { getSessionUserId, getValidAccessToken } from "@/lib/auth";
-
-export async function POST(request: NextRequest) {
-  const userId = await getSessionUserId();
-  if (!userId) {
-    return NextResponse.json({ error: "未登录" }, { status: 401 });
-  }
-
-  const accessToken = await getValidAccessToken(userId);
-  if (!accessToken) {
-    return NextResponse.json({ error: "Token 已过期" }, { status: 401 });
-  }
-
-  const body = await request.json();
-  const { message, actionControl, sessionId, systemPrompt } = body;
-
-  if (!message || !actionControl) {
-    return NextResponse.json(
-      { error: "message 和 actionControl 为必填参数" },
-      { status: 400 }
-    );
-  }
-
-  const res = await fetch(
-    `${process.env.SECONDME_API_BASE_URL}/api/secondme/act/stream`,
-    {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Content-Type": "application/json",
-      },
-      body: JSON.stringify({
-        message,
-        actionControl,
-        sessionId,
-        systemPrompt,
-      }),
-    }
-  );
-
-  if (!res.ok) {
-    const errText = await res.text();
-    return NextResponse.json(
-      { error: "Act 请求失败", detail: errText },
-      { status: res.status }
-    );
-  }
-
-  // 转发 SSE 流
-  return new NextResponse(res.body, {
-    headers: {
-      "Content-Type": "text/event-stream",
-      "Cache-Control": "no-cache",
-      Connection: "keep-alive",
-    },
-  });
-}
diff --git a/src/app/api/auth/callback/route.ts b/src/app/api/auth/callback/route.ts
index 6c630ca..72205d8 100644
--- a/src/app/api/auth/callback/route.ts
+++ b/src/app/api/auth/callback/route.ts
@@ -1,90 +1,40 @@
+// src/app/api/auth/callback/route.ts
 import { NextRequest, NextResponse } from "next/server";
 import { prisma } from "@/lib/prisma";
+import { createSupabaseServerClient } from "@/lib/supabase";
 
 export async function GET(request: NextRequest) {
   const code = request.nextUrl.searchParams.get("code");
-  const stateParam = request.nextUrl.searchParams.get("state");
+  const claimCode = request.nextUrl.searchParams.get("claimCode");
 
   if (!code) {
     return NextResponse.redirect(new URL("/?error=no_code", request.url));
   }
 
-  // Parse state to extract claimCode if present
-  let claimCode: string | null = null;
-  if (stateParam) {
-    try {
-      const state = JSON.parse(stateParam);
-      claimCode = state.claimCode || null;
-    } catch {
-      // Invalid state, ignore
-    }
-  }
-
   try {
-    // 用 authorization_code 换取 access_token（必须用 x-www-form-urlencoded）
-    const params = new URLSearchParams({
-      grant_type: "authorization_code",
-      client_id: process.env.SECONDME_CLIENT_ID!,
-      client_secret: process.env.SECONDME_CLIENT_SECRET!,
-      code,
-      redirect_uri: process.env.SECONDME_REDIRECT_URI!,
-    });
-
-    const tokenRes = await fetch(process.env.SECONDME_TOKEN_ENDPOINT!, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: params.toString(),
-    });
-
-    if (!tokenRes.ok) {
-      const errText = await tokenRes.text();
-      console.error("Token exchange failed:", errText);
-      return NextResponse.redirect(new URL("/?error=token_failed", request.url));
-    }
-
-    const tokenResult = await tokenRes.json();
-    const tokenData = tokenResult.data ?? tokenResult;
-
-    // 兼容 camelCase 和 snake_case 两种响应格式
-    const accessToken = tokenData.accessToken ?? tokenData.access_token;
-    const refreshToken = tokenData.refreshToken ?? tokenData.refresh_token;
-    const expiresIn = tokenData.expiresIn ?? tokenData.expires_in ?? 7200;
-
-    // 获取用户信息
-    const userRes = await fetch(
-      `${process.env.SECONDME_API_BASE_URL}/api/secondme/user/info`,
-      {
-        headers: { Authorization: `Bearer ${accessToken}` },
-      }
-    );
-
-    if (!userRes.ok) {
-      return NextResponse.redirect(new URL("/?error=user_info_failed", request.url));
+    const supabase = await createSupabaseServerClient();
+    const { data, error } = await supabase.auth.exchangeCodeForSession(code);
+
+    if (error || !data.user) {
+      console.error("Session exchange failed:", error);
+      return NextResponse.redirect(
+        new URL("/?error=token_failed", request.url)
+      );
     }
 
-    const userResult = await userRes.json();
-    const userData = userResult.data;
+    const supabaseUser = data.user;
+    const email = supabaseUser.email ?? null;
+    const name =
+      supabaseUser.user_metadata?.full_name ??
+      supabaseUser.user_metadata?.name ??
+      email ??
+      null;
+    const avatarUrl = supabaseUser.user_metadata?.avatar_url ?? null;
 
-    // 创建或更新用户
     const user = await prisma.user.upsert({
-      where: { secondmeUserId: userData.route ?? userData.id ?? userData.email },
-      create: {
-        secondmeUserId: userData.route ?? userData.id ?? userData.email,
-        email: userData.email,
-        name: userData.name,
-        avatarUrl: userData.avatarUrl,
-        accessToken,
-        refreshToken,
-        tokenExpiresAt: new Date(Date.now() + expiresIn * 1000),
-      },
-      update: {
-        email: userData.email,
-        name: userData.name,
-        avatarUrl: userData.avatarUrl,
-        accessToken,
-        refreshToken,
-        tokenExpiresAt: new Date(Date.now() + expiresIn * 1000),
-      },
+      where: { supabaseUserId: supabaseUser.id },
+      create: { supabaseUserId: supabaseUser.id, email, name, avatarUrl },
+      update: { email, name, avatarUrl },
     });
 
     // 把 session cookie 直接设到 redirect 响应上（Vercel serverless 环境下 cookies().set 与 NextResponse.redirect 的 cookie 不会合并）
diff --git a/src/app/api/auth/login/route.ts b/src/app/api/auth/login/route.ts
index 18e1576..598c001 100644
--- a/src/app/api/auth/login/route.ts
+++ b/src/app/api/auth/login/route.ts
@@ -1,25 +1,38 @@
+// src/app/api/auth/login/route.ts
 import { NextRequest, NextResponse } from "next/server";
+import { createSupabaseServerClient } from "@/lib/supabase";
 
 export async function GET(request: NextRequest) {
-  const clientId = process.env.SECONDME_CLIENT_ID!;
-  const redirectUri = process.env.SECONDME_REDIRECT_URI!;
-  const oauthUrl = process.env.SECONDME_OAUTH_URL!;
-
-  // Get optional claimCode from query parameters
+  const provider = request.nextUrl.searchParams.get("provider") as
+    | "google"
+    | "github"
+    | null;
   const claimCode = request.nextUrl.searchParams.get("claimCode");
 
-  const params = new URLSearchParams({
-    client_id: clientId,
-    redirect_uri: redirectUri,
-    response_type: "code",
-    scope: "user.info user.info.shades user.info.softmemory chat note.add",
-  });
+  if (!provider || !["google", "github"].includes(provider)) {
+    return NextResponse.redirect(
+      new URL("/?error=invalid_provider", request.url)
+    );
+  }
+
+  const supabase = await createSupabaseServerClient();
 
-  // Include claimCode in state if present
+  const callbackUrl = new URL("/api/auth/callback", request.url);
+  // Don't lose the claimcode
   if (claimCode) {
-    const state = JSON.stringify({ claimCode });
-    params.set("state", state);
+    callbackUrl.searchParams.set("claimCode", claimCode);
+  }
+
+  const { data, error } = await supabase.auth.signInWithOAuth({
+    provider,
+    options: { redirectTo: callbackUrl.toString() },
+  });
+
+  if (error || !data.url) {
+    return NextResponse.redirect(
+      new URL("/?error=oauth_failed", request.url)
+    );
   }
 
-  return NextResponse.redirect(`${oauthUrl}?${params.toString()}`);
+  return NextResponse.redirect(data.url);
 }
diff --git a/src/app/api/auth/logout/route.ts b/src/app/api/auth/logout/route.ts
index eb5aeff..a37a284 100644
--- a/src/app/api/auth/logout/route.ts
+++ b/src/app/api/auth/logout/route.ts
@@ -1,7 +1,11 @@
+// src/app/api/auth/logout/route.ts
 import { NextResponse } from "next/server";
 import { clearSession } from "@/lib/auth";
+import { createSupabaseServerClient } from "@/lib/supabase";
 
 export async function GET(request: Request) {
+  const supabase = await createSupabaseServerClient();
+  await supabase.auth.signOut();
   await clearSession();
   return NextResponse.redirect(new URL("/", request.url));
 }
diff --git a/src/app/api/chat/route.ts b/src/app/api/chat/route.ts
deleted file mode 100644
index 3881e65..0000000
--- a/src/app/api/chat/route.ts
+++ /dev/null
@@ -1,50 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { getSessionUserId, getValidAccessToken } from "@/lib/auth";
-
-export async function POST(request: NextRequest) {
-  const userId = await getSessionUserId();
-  if (!userId) {
-    return NextResponse.json({ error: "未登录" }, { status: 401 });
-  }
-
-  const accessToken = await getValidAccessToken(userId);
-  if (!accessToken) {
-    return NextResponse.json({ error: "Token 已过期" }, { status: 401 });
-  }
-
-  const body = await request.json();
-  const { message, sessionId, systemPrompt } = body;
-
-  const res = await fetch(
-    `${process.env.SECONDME_API_BASE_URL}/api/secondme/chat/stream`,
-    {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Content-Type": "application/json",
-      },
-      body: JSON.stringify({
-        message,
-        sessionId,
-        systemPrompt,
-      }),
-    }
-  );
-
-  if (!res.ok) {
-    const errText = await res.text();
-    return NextResponse.json(
-      { error: "聊天请求失败", detail: errText },
-      { status: res.status }
-    );
-  }
-
-  // 转发 SSE 流
-  return new NextResponse(res.body, {
-    headers: {
-      "Content-Type": "text/event-stream",
-      "Cache-Control": "no-cache",
-      Connection: "keep-alive",
-    },
-  });
-}
diff --git a/src/app/api/note/route.ts b/src/app/api/note/route.ts
deleted file mode 100644
index 29d9999..0000000
--- a/src/app/api/note/route.ts
+++ /dev/null
@@ -1,44 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { getSessionUserId, getValidAccessToken } from "@/lib/auth";
-
-export async function POST(request: NextRequest) {
-  const userId = await getSessionUserId();
-  if (!userId) {
-    return NextResponse.json({ error: "未登录" }, { status: 401 });
-  }
-
-  const accessToken = await getValidAccessToken(userId);
-  if (!accessToken) {
-    return NextResponse.json({ error: "Token 已过期" }, { status: 401 });
-  }
-
-  const body = await request.json();
-  const { content } = body;
-
-  if (!content) {
-    return NextResponse.json({ error: "笔记内容不能为空" }, { status: 400 });
-  }
-
-  const res = await fetch(
-    `${process.env.SECONDME_API_BASE_URL}/api/secondme/note/add`,
-    {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Content-Type": "application/json",
-      },
-      body: JSON.stringify({ content }),
-    }
-  );
-
-  if (!res.ok) {
-    const errText = await res.text();
-    return NextResponse.json(
-      { error: "添加笔记失败", detail: errText },
-      { status: res.status }
-    );
-  }
-
-  const result = await res.json();
-  return NextResponse.json(result);
-}
diff --git a/src/app/api/sessions/route.ts b/src/app/api/sessions/route.ts
deleted file mode 100644
index 3380dd2..0000000
--- a/src/app/api/sessions/route.ts
+++ /dev/null
@@ -1,28 +0,0 @@
-import { NextResponse } from "next/server";
-import { getSessionUserId, getValidAccessToken } from "@/lib/auth";
-
-export async function GET() {
-  const userId = await getSessionUserId();
-  if (!userId) {
-    return NextResponse.json({ error: "未登录" }, { status: 401 });
-  }
-
-  const accessToken = await getValidAccessToken(userId);
-  if (!accessToken) {
-    return NextResponse.json({ error: "Token 已过期" }, { status: 401 });
-  }
-
-  const res = await fetch(
-    `${process.env.SECONDME_API_BASE_URL}/api/secondme/chat/session/list`,
-    {
-      headers: { Authorization: `Bearer ${accessToken}` },
-    }
-  );
-
-  if (!res.ok) {
-    return NextResponse.json({ error: "获取会话列表失败" }, { status: res.status });
-  }
-
-  const result = await res.json();
-  return NextResponse.json(result);
-}
diff --git a/src/app/api/user/info/route.ts b/src/app/api/user/info/route.ts
deleted file mode 100644
index e04b69d..0000000
--- a/src/app/api/user/info/route.ts
+++ /dev/null
@@ -1,28 +0,0 @@
-import { NextResponse } from "next/server";
-import { getSessionUserId, getValidAccessToken } from "@/lib/auth";
-
-export async function GET() {
-  const userId = await getSessionUserId();
-  if (!userId) {
-    return NextResponse.json({ error: "未登录" }, { status: 401 });
-  }
-
-  const accessToken = await getValidAccessToken(userId);
-  if (!accessToken) {
-    return NextResponse.json({ error: "Token 已过期" }, { status: 401 });
-  }
-
-  const res = await fetch(
-    `${process.env.SECONDME_API_BASE_URL}/api/secondme/user/info`,
-    {
-      headers: { Authorization: `Bearer ${accessToken}` },
-    }
-  );
-
-  if (!res.ok) {
-    return NextResponse.json({ error: "获取用户信息失败" }, { status: res.status });
-  }
-
-  const result = await res.json();
-  return NextResponse.json(result);
-}
diff --git a/src/app/api/user/shades/route.ts b/src/app/api/user/shades/route.ts
deleted file mode 100644
index 3178bc3..0000000
--- a/src/app/api/user/shades/route.ts
+++ /dev/null
@@ -1,28 +0,0 @@
-import { NextResponse } from "next/server";
-import { getSessionUserId, getValidAccessToken } from "@/lib/auth";
-
-export async function GET() {
-  const userId = await getSessionUserId();
-  if (!userId) {
-    return NextResponse.json({ error: "未登录" }, { status: 401 });
-  }
-
-  const accessToken = await getValidAccessToken(userId);
-  if (!accessToken) {
-    return NextResponse.json({ error: "Token 已过期" }, { status: 401 });
-  }
-
-  const res = await fetch(
-    `${process.env.SECONDME_API_BASE_URL}/api/secondme/user/shades`,
-    {
-      headers: { Authorization: `Bearer ${accessToken}` },
-    }
-  );
-
-  if (!res.ok) {
-    return NextResponse.json({ error: "获取兴趣标签失败" }, { status: res.status });
-  }
-
-  const result = await res.json();
-  return NextResponse.json(result);
-}
diff --git a/src/components/Navbar.tsx b/src/components/Navbar.tsx
index cae71cc..db3f84f 100644
--- a/src/components/Navbar.tsx
+++ b/src/components/Navbar.tsx
@@ -1,8 +1,10 @@
 "use client";
 
+import { useState } from "react";
 import { useTranslations } from "next-intl";
 import { Link, usePathname, useRouter } from "@/i18n/routing";
 import { useLocale } from "next-intl";
+import { GoogleIcon, GitHubIcon } from "@/components/icons";
 
 export default function Navbar({
   userName,
@@ -15,6 +17,7 @@ export default function Navbar({
   const locale = useLocale();
   const router = useRouter();
   const pathname = usePathname();
+  const [loginOpen, setLoginOpen] = useState(false);
 
   const navLinks = [
     { href: "/" as const, label: t("home") },
@@ -27,6 +30,7 @@ export default function Navbar({
   }
 
   return (
+    <>
     <nav className="sticky top-0 z-50 flex items-center justify-between px-[16px] md:px-[48px] h-[60px] bg-[var(--bg-primary)]/95 backdrop-blur-sm border-b border-[var(--border-light)]">
       {/* Left: Logo */}
       <Link href="/" className="flex items-center gap-[8px] cursor-pointer hover:opacity-80 transition-opacity">
@@ -82,9 +86,7 @@ export default function Navbar({
           rel="noreferrer"
           className="hidden sm:flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:bg-black/5 transition-colors"
         >
-          <svg className="w-4 h-4" fill="currentColor" viewBox="0 0 24 24">
-            <path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z"/>
-          </svg>
+          <GitHubIcon className="w-4 h-4" />
           <span className="text-[15px] font-medium">GitHub</span>
         </a>
 
@@ -106,15 +108,70 @@ export default function Navbar({
             </a>
           </div>
         ) : (
-          // eslint-disable-next-line @next/next/no-html-link-for-pages
-          <a
-            href="/api/auth/login"
-            className="flex items-center justify-center font-inter text-[16px] font-semibold text-white rounded-[20px] px-5 py-2.5 bg-gradient-to-b from-[var(--accent-gradient-start)] to-[var(--accent-gradient-end)] shadow-[0_4px_16px_rgba(224,122,58,0.35)] hover:shadow-[0_6px_20px_rgba(224,122,58,0.45)] hover:scale-[1.02] transition-all"
+          <button
+            onClick={() => setLoginOpen(true)}
+            className="font-inter text-[15px] font-semibold text-white rounded-lg px-4 py-2 bg-[var(--accent)] hover:opacity-90 transition-opacity cursor-pointer"
           >
-            {t("startEarning")}
-          </a>
+            {t("login")}
+          </button>
         )}
       </div>
     </nav>
+
+    {loginOpen && (
+      <>
+        {/* Overlay */}
+        <div
+          className="fixed inset-0 z-[100] bg-black/50 backdrop-blur-sm"
+          onClick={() => setLoginOpen(false)}
+        />
+        {/* Modal card */}
+        <div className="fixed inset-0 z-[101] flex items-center justify-center pointer-events-none">
+          <div className="pointer-events-auto w-[360px] bg-[var(--bg-primary)] rounded-2xl shadow-2xl p-8 flex flex-col gap-6">
+            {/* Header */}
+            <div className="flex items-start justify-between">
+              <div>
+                <h2 className="font-inter text-[20px] font-bold text-[var(--text-primary)]">
+                  {t("loginTitle")}
+                </h2>
+                <p className="font-inter text-[14px] text-[var(--text-muted)] mt-1">
+                  {t("loginSubtitle")}
+                </p>
+              </div>
+              <button
+                onClick={() => setLoginOpen(false)}
+                className="text-[var(--text-muted)] hover:text-[var(--text-primary)] transition-colors text-[20px] leading-none cursor-pointer"
+              >
+                ×
+              </button>
+            </div>
+
+            {/* Login options */}
+            <div className="flex flex-col gap-3">
+              {/* Google */}
+              {/* eslint-disable-next-line @next/next/no-html-link-for-pages */}
+              <a
+                href="/api/auth/login?provider=google"
+                className="flex items-center gap-3 font-inter text-[15px] font-medium text-[var(--text-primary)] rounded-xl px-4 py-3 border border-[var(--border-medium)] hover:bg-[var(--bg-tag)] transition-colors"
+              >
+                <GoogleIcon className="w-5 h-5 shrink-0" />
+                Continue with Google
+              </a>
+
+              {/* GitHub */}
+              {/* eslint-disable-next-line @next/next/no-html-link-for-pages */}
+              <a
+                href="/api/auth/login?provider=github"
+                className="flex items-center gap-3 font-inter text-[15px] font-semibold text-white rounded-xl px-4 py-3 bg-[#24292e] hover:bg-[#1a1e22] transition-colors"
+              >
+                <GitHubIcon className="w-5 h-5 shrink-0" />
+                Continue with GitHub
+              </a>
+            </div>
+          </div>
+        </div>
+      </>
+    )}
+    </>
   );
 }
diff --git a/src/components/icons.tsx b/src/components/icons.tsx
new file mode 100644
index 0000000..258f5e3
--- /dev/null
+++ b/src/components/icons.tsx
@@ -0,0 +1,18 @@
+export function GoogleIcon({ className }: { className?: string }) {
+  return (
+    <svg className={className} viewBox="0 0 24 24">
+      <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z" fill="#4285F4" />
+      <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" fill="#34A853" />
+      <path d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l3.66-2.84z" fill="#FBBC05" />
+      <path d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" fill="#EA4335" />
+    </svg>
+  );
+}
+
+export function GitHubIcon({ className }: { className?: string }) {
+  return (
+    <svg className={className} fill="currentColor" viewBox="0 0 24 24">
+      <path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z" />
+    </svg>
+  );
+}
diff --git a/src/lib/act.ts b/src/lib/act.ts
deleted file mode 100644
index c9fd45d..0000000
--- a/src/lib/act.ts
+++ /dev/null
@@ -1,65 +0,0 @@
-/**
- * Act API 工具函数 - 发送 actionControl 并解析 SSE JSON 结果
- */
-export async function callActStream(
-  accessToken: string,
-  message: string,
-  actionControl: string,
-  options?: {
-    sessionId?: string;
-    systemPrompt?: string;
-  }
-): Promise<{ sessionId: string; result: unknown }> {
-  const baseUrl = process.env.SECONDME_API_BASE_URL!;
-
-  const res = await fetch(`${baseUrl}/api/secondme/act/stream`, {
-    method: "POST",
-    headers: {
-      Authorization: `Bearer ${accessToken}`,
-      "Content-Type": "application/json",
-    },
-    body: JSON.stringify({
-      message,
-      actionControl,
-      sessionId: options?.sessionId,
-      systemPrompt: options?.systemPrompt,
-    }),
-  });
-
-  if (!res.ok) {
-    throw new Error(`Act API error: ${res.status}`);
-  }
-
-  const text = await res.text();
-  const lines = text.split("\n");
-
-  let sessionId = "";
-  let content = "";
-
-  for (const line of lines) {
-    if (line.startsWith("event: session")) {
-      const nextLine = lines[lines.indexOf(line) + 1];
-      if (nextLine?.startsWith("data: ")) {
-        const sessionData = JSON.parse(nextLine.slice(6));
-        sessionId = sessionData.sessionId;
-      }
-    } else if (line.startsWith("data: ") && !line.includes("[DONE]")) {
-      try {
-        const data = JSON.parse(line.slice(6));
-        const delta = data?.choices?.[0]?.delta?.content;
-        if (delta) content += delta;
-      } catch {
-        // skip non-JSON lines
-      }
-    }
-  }
-
-  let result: unknown;
-  try {
-    result = JSON.parse(content);
-  } catch {
-    result = content;
-  }
-
-  return { sessionId, result };
-}
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index e391356..4e114ce 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -1,3 +1,4 @@
+// src/lib/auth.ts
 import { cookies } from "next/headers";
 import { prisma } from "./prisma";
 
@@ -27,62 +28,5 @@ export async function clearSession() {
 export async function getCurrentUser() {
   const userId = await getSessionUserId();
   if (!userId) return null;
-
-  const user = await prisma.user.findUnique({
-    where: { id: userId },
-  });
-
-  return user;
-}
-
-export async function getValidAccessToken(userId: string): Promise<string | null> {
-  const user = await prisma.user.findUnique({
-    where: { id: userId },
-  });
-
-  if (!user) return null;
-
-  // Token 仍然有效
-  if (user.tokenExpiresAt > new Date()) {
-    return user.accessToken;
-  }
-
-  // 尝试刷新 Token
-  try {
-    const params = new URLSearchParams({
-      grant_type: "refresh_token",
-      client_id: process.env.SECONDME_CLIENT_ID!,
-      client_secret: process.env.SECONDME_CLIENT_SECRET!,
-      refresh_token: user.refreshToken,
-    });
-
-    const refreshEndpoint = process.env.SECONDME_API_BASE_URL + "/api/oauth/token/refresh";
-    const res = await fetch(refreshEndpoint, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: params.toString(),
-    });
-
-    if (!res.ok) return null;
-
-    const data = await res.json();
-    const tokenData = data.data ?? data;
-
-    const newAccessToken = tokenData.accessToken ?? tokenData.access_token;
-    const newRefreshToken = tokenData.refreshToken ?? tokenData.refresh_token ?? user.refreshToken;
-    const expiresIn = tokenData.expiresIn ?? tokenData.expires_in ?? 7200;
-
-    await prisma.user.update({
-      where: { id: userId },
-      data: {
-        accessToken: newAccessToken,
-        refreshToken: newRefreshToken,
-        tokenExpiresAt: new Date(Date.now() + expiresIn * 1000),
-      },
-    });
-
-    return newAccessToken;
-  } catch {
-    return null;
-  }
+  return prisma.user.findUnique({ where: { id: userId } });
 }
diff --git a/src/lib/supabase.ts b/src/lib/supabase.ts
new file mode 100644
index 0000000..6289047
--- /dev/null
+++ b/src/lib/supabase.ts
@@ -0,0 +1,64 @@
+// src/lib/supabase.ts
+import { createServerClient } from "@supabase/ssr";
+import { createBrowserClient } from "@supabase/ssr";
+import { cookies } from "next/headers";
+import type { NextRequest, NextResponse } from "next/server";
+
+/** Client components */
+export function createSupabaseBrowserClient() {
+  return createBrowserClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
+  );
+}
+
+/** Server components and API route handlers */
+export async function createSupabaseServerClient() {
+  const cookieStore = await cookies();
+  return createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return cookieStore.getAll();
+        },
+        setAll(cookiesToSet) {
+          try {
+            cookiesToSet.forEach(({ name, value, options }) =>
+              cookieStore.set(name, value, options)
+            );
+          } catch {
+            // Called from a Server Component – read-only, ignore
+          }
+        },
+      },
+    }
+  );
+}
+
+/** Middleware – takes both request and mutable response */
+export function createSupabaseMiddlewareClient(
+  request: NextRequest,
+  response: NextResponse
+) {
+  return createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return request.cookies.getAll();
+        },
+        setAll(cookiesToSet) {
+          cookiesToSet.forEach(({ name, value }) =>
+            request.cookies.set(name, value)
+          );
+          cookiesToSet.forEach(({ name, value, options }) =>
+            response.cookies.set(name, value, options)
+          );
+        },
+      },
+    }
+  );
+}
diff --git a/src/middleware.ts b/src/middleware.ts
deleted file mode 100644
index 3fae024..0000000
--- a/src/middleware.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import createMiddleware from "next-intl/middleware";
-import { routing } from "./i18n/routing";
-
-export default createMiddleware(routing);
-
-export const config = {
-  // Match all pathnames except for
-  // - /api (API routes)
-  // - /_next (Next.js internals)
-  // - /_vercel (Vercel internals)
-  // - /favicon.ico, /sitemap.xml, /robots.txt (static files)
-  // - files with extensions (e.g. .js, .css, .png)
-  matcher: ["/((?!api|_next|_vercel|.*\\..*).*)"],
-};
diff --git a/src/proxy.ts b/src/proxy.ts
new file mode 100644
index 0000000..db1c9e5
--- /dev/null
+++ b/src/proxy.ts
@@ -0,0 +1,64 @@
+// src/proxy.ts
+// server behavior
+import { type NextRequest, NextResponse } from "next/server";
+import createIntlMiddleware from "next-intl/middleware";
+import { createServerClient } from "@supabase/ssr";
+import { routing } from "./i18n/routing";
+
+const intlMiddleware = createIntlMiddleware(routing);
+
+export async function proxy(request: NextRequest) {
+  // 1. Create a base response so Supabase can write refreshed session cookies
+  let supabaseResponse = NextResponse.next({ request });
+
+  const supabase = createServerClient(
+    process.env.NEXT_PUBLIC_SUPABASE_URL!,
+    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+    {
+      cookies: {
+        getAll() {
+          return request.cookies.getAll();
+        },
+        setAll(cookiesToSet) {
+          // Write new cookie values into the request for downstream handlers
+          cookiesToSet.forEach(({ name, value }) =>
+            request.cookies.set(name, value)
+          );
+          // Rebuild supabaseResponse with updated request
+          supabaseResponse = NextResponse.next({ request });
+          cookiesToSet.forEach(({ name, value, options }) =>
+            supabaseResponse.cookies.set(name, value, options)
+          );
+        },
+      },
+    }
+  );
+
+  // Refresh session if expired — must not run any logic before this.
+  // getUser() internally checks whether the access_token has expired.
+  // If so, it uses the refresh_token from the cookie to obtain a new
+  // access_token / refresh_token pair from Supabase, then writes the
+  // new tokens back to supabaseResponse via the setAll callback above.
+  // Token values are never exposed to application code.
+  await supabase.auth.getUser();
+
+  // 2. Run next-intl middleware on the (potentially cookie-updated) request
+  const intlResponse = intlMiddleware(request);
+
+  // 3. Copy any Supabase session cookies onto the intl response
+  supabaseResponse.cookies.getAll().forEach((cookie) => {
+    intlResponse.cookies.set(cookie.name, cookie.value, { path: "/" });
+  });
+
+  return intlResponse;
+}
+
+export const config = {
+    // Match all pathnames except for
+  // - /api (API routes)
+  // - /_next (Next.js internals)
+  // - /_vercel (Vercel internals)
+  // - /favicon.ico, /sitemap.xml, /robots.txt (static files)
+  // - files with extensions (e.g. .js, .css, .png)
+  matcher: ["/((?!api|_next|_vercel|.*\\..*).*)"],
+};