
Harden auth launch flows #155

Merged
Taleef7 merged 1 commit into main from codex/admin-ops-batch-4
Apr 27, 2026

Conversation

@Taleef7 (Owner) commented Apr 27, 2026

Summary

  • Adds local browser-side cooldowns for sign-in, sign-up, password reset, and Google OAuth auth actions, with generic auth error messages that avoid account enumeration.
  • Tightens the OAuth callback profile gate so users missing either WhatsApp number or timezone go through /auth/profile-setup before dashboard access.
  • Updates README and project docs with Supabase Auth rate-limit/custom SMTP launch notes and marks the Google OAuth profile setup check resolved.

Verification

  • npm test -- lib/tests/auth-throttle.test.ts lib/tests/auth-utils.test.ts
  • npm test
  • npm run typecheck
  • npm run lint
  • npm run build with local placeholder Supabase/WhatsApp/bank env vars
  • npx playwright test e2e/auth.spec.ts --project=chromium --project=mobile with the same local placeholder env vars
  • git diff --check
  • git diff --cached --check

Notes

  • Context7 Supabase docs were used for current Auth rate-limit and SMTP guidance.
  • No database schema or migration changes are included.
  • NPM install reports two existing audit findings; this PR does not change dependency versions.

Closes #136
Closes #137
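The browser-side cooldown and non-enumerating error scheme the description above refers to, written out as an added illustration. This is not CorvEd's lib/auth/throttle.ts and not code from the PR; the action names, key format, cooldown lengths, message text and function names are all assumptions. The storage is abstracted behind the three localStorage methods it needs so the logic can be exercised outside a browser (pass window.localStorage in the page component).

```typescript
// Added example (not CorvEd's lib/auth/throttle.ts); every name below is hypothetical.
// Per-action cooldowns kept in a localStorage-shaped store, plus one generic message per action.

export type AuthAction = "sign-in" | "sign-up" | "password-reset" | "google-oauth";

// The subset of window.localStorage we need, so the logic is testable outside a browser.
export interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// In-memory stand-in for tests; in the browser pass window.localStorage instead.
export class MemoryStore implements KeyValueStore {
  private readonly data = new Map<string, string>();
  getItem(key: string): string | null { return this.data.get(key) ?? null; }
  setItem(key: string, value: string): void { this.data.set(key, value); }
  removeItem(key: string): void { this.data.delete(key); }
}

// Assumed cooldown lengths; the real values are a product decision.
export const COOLDOWN_MS: Record<AuthAction, number> = {
  "sign-in": 5_000,
  "sign-up": 15_000,
  "password-reset": 30_000,
  "google-oauth": 5_000,
};

const storageKey = (action: AuthAction): string => `auth-cooldown:${action}`;

export interface CooldownState {
  blocked: boolean;
  remainingMs: number;
}

// Reads the stored "blocked until" timestamp. Anything unparsable (user edited
// localStorage, an old format) is treated as "no cooldown" and discarded rather
// than trapping a legitimate user in a permanent block.
export function checkCooldown(store: KeyValueStore, action: AuthAction, now: number = Date.now()): CooldownState {
  const key = storageKey(action);
  const raw = store.getItem(key);
  if (raw === null) return { blocked: false, remainingMs: 0 };
  const until = Number(raw);
  if (!Number.isFinite(until) || until <= now) {
    store.removeItem(key);
    return { blocked: false, remainingMs: 0 };
  }
  return { blocked: true, remainingMs: until - now };
}

// Arms the cooldown before the request is sent, so a double-click or a hung
// request cannot fire a second attempt. Returns the "blocked until" timestamp.
export function startCooldown(store: KeyValueStore, action: AuthAction, now: number = Date.now()): number {
  const until = now + COOLDOWN_MS[action];
  store.setItem(storageKey(action), String(until));
  return until;
}

// Called on success (the PR clears the sign-in cooldown on success).
export function clearCooldown(store: KeyValueStore, action: AuthAction): void {
  store.removeItem(storageKey(action));
}

// One fixed message per action. The provider's own text (which may differ for
// unknown vs. known emails) is never shown, so a failed attempt reveals nothing
// about whether the account exists.
export const GENERIC_MESSAGE: Record<AuthAction, string> = {
  "sign-in": "We couldn't sign you in. Check your email and password and try again.",
  "sign-up": "We couldn't complete sign-up. If you already have an account, try signing in.",
  "password-reset": "If an account exists for that email, a reset link is on its way.",
  "google-oauth": "Google sign-in didn't complete. Please try again.",
};

export function toGenericMessage(action: AuthAction, _providerError: unknown): string {
  return GENERIC_MESSAGE[action];
}

// Form-handler shape: what the UI shows given the cooldown state and the provider result.
export interface AttemptOutcome { allowed: boolean; ok: boolean; message: string }

export function beforeAttempt(store: KeyValueStore, action: AuthAction, now: number = Date.now()): AttemptOutcome {
  const state = checkCooldown(store, action, now);
  if (state.blocked) {
    const secs = Math.ceil(state.remainingMs / 1000);
    return { allowed: false, ok: false, message: `Please wait ${secs}s before trying again.` };
  }
  startCooldown(store, action, now);
  return { allowed: true, ok: false, message: "" };
}

export function afterAttempt(store: KeyValueStore, action: AuthAction, providerError: unknown): AttemptOutcome {
  if (providerError) return { allowed: true, ok: false, message: toGenericMessage(action, providerError) };
  clearCooldown(store, action);
  return { allowed: true, ok: true, message: "" };
}
```

The caveat the description already makes is worth keeping in mind when reading this: localStorage belongs to the user, so a private window, a DevTools clear or a scripted client bypasses the cooldown entirely. It is a speed bump for real browsers and a UX guard against double submits; the enforceable limit is the server-side Supabase Auth rate limiting that the README and docs changes describe.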

Copilot AI review requested due to automatic review settings April 27, 2026 21:50

Copilot AI (Contributor) left a comment

Pull request overview

Hardens CorvEd’s authentication launch flows by adding client-side attempt cooldowns (as a UX/abuse-speedbump) with non-enumerating error messaging, and by tightening the post-auth profile completion gate so incomplete Google OAuth profiles must complete required business fields before reaching the dashboard.

Changes:

  • Added lib/auth/throttle.ts to implement browser-side cooldown tracking and a helper for mapping provider errors to generic, non-enumerating messages.
  • Updated sign-in/sign-up/tutor sign-up/forgot-password pages to apply cooldown checks and show friendly generic errors.
  • Strengthened /auth/callback profile gating via requiresProfileSetup() (WhatsApp number + timezone) and updated docs/README accordingly.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.

Summary per file

lib/auth/utils.ts: Adds requiresProfileSetup() helper to centralize profile-completeness checks.
lib/auth/throttle.ts: Introduces localStorage-backed per-action cooldowns + generic auth error mapping.
lib/tests/auth-utils.test.ts: Adds unit coverage for requiresProfileSetup().
lib/tests/auth-throttle.test.ts: Adds unit coverage for cooldown behavior and error-message mapping.
app/auth/sign-up/tutor/page.tsx: Applies signup cooldown + generic error handling to tutor signup.
app/auth/sign-up/page.tsx: Applies signup + Google OAuth cooldowns and generic error handling.
app/auth/sign-in/SignInForm.tsx: Applies sign-in + Google OAuth cooldowns; clears sign-in cooldown on success; generic error mapping.
app/auth/forgot-password/page.tsx: Applies password-reset cooldown + generic error handling.
app/auth/callback/route.ts: Extends profile gate to require both WhatsApp number and timezone before dashboard access.
docs/plan-CorvEd.md: Updates plan/checklist notes to reflect resolved OAuth profile setup and new throttling.
docs/GAP_ANALYSIS.md: Documents launch auth protections (Supabase rate limits + app-side cooldowns) and non-enumerating errors.
docs/ARCHITECTURE.md: Updates rate-limiting section with current protections and production-scale recommendations.
README.md: Updates auth feature checklist + adds Supabase Auth rate-limit/SMTP launch notes.

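The profile gate the review describes (requiresProfileSetup() checking WhatsApp number and timezone, used by /auth/callback), as an added illustration rather than CorvEd's lib/auth/utils.ts or app/auth/callback/route.ts. The row shape, column names and function names are assumptions. It goes one step beyond the presence check the PR describes: the timezone must also be a zone name the runtime's Intl knows, so a malformed value that happens to be non-empty still sends the user through /auth/profile-setup. The WhatsApp number is only checked for presence, since the page says nothing about its format.

```typescript
// Added example (not CorvEd's lib/auth/utils.ts or app/auth/callback/route.ts);
// the row shape and function names are assumptions.

export interface ProfileRow {
  whatsapp_number?: string | null;
  timezone?: string | null;
}

// Empty string, whitespace, null and undefined all count as "missing".
function isPresent(value: string | null | undefined): value is string {
  return typeof value === "string" && value.trim().length > 0;
}

// Beyond the presence check in the PR: rejects zone names Intl does not know,
// so a typo saved by an older form cannot slip past the gate.
export function isValidTimezone(value: string | null | undefined): boolean {
  if (!isPresent(value)) return false;
  try {
    new Intl.DateTimeFormat("en-US", { timeZone: value.trim() });
    return true;
  } catch {
    return false; // RangeError: invalid time zone
  }
}

// Gate used after the OAuth code exchange: no row (first Google login) or either
// field missing means the user must finish /auth/profile-setup before the dashboard.
export function requiresProfileSetup(profile: ProfileRow | null | undefined): boolean {
  if (!profile) return true;
  return !isPresent(profile.whatsapp_number) || !isValidTimezone(profile.timezone);
}

export function postAuthRedirectPath(profile: ProfileRow | null | undefined): "/auth/profile-setup" | "/dashboard" {
  return requiresProfileSetup(profile) ? "/auth/profile-setup" : "/dashboard";
}
```

Checking for a missing row, not just missing columns, matters for the OAuth path specifically: a user who arrives through Google for the first time may have an auth user but no profile row yet, and a gate that only inspects column values on a row it assumes exists would let that user through.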

@Taleef7 Taleef7 merged commit 4560ed6 into main Apr 27, 2026
5 checks passed
@Taleef7 Taleef7 deleted the codex/admin-ops-batch-4 branch April 27, 2026 21:55


Development

Successfully merging this pull request may close these issues:

  • Add abuse protection for auth flows beyond lead rate limiting
  • Verify Google OAuth profile setup captures WhatsApp and timezone
