diff --git a/.beans/nuzlocke-tracker-3mwb--fix-typescript-build-errors-in-runencounterstsx.md b/.beans/nuzlocke-tracker-3mwb--fix-typescript-build-errors-in-runencounterstsx.md new file mode 100644 index 0000000..ec6f8f9 --- /dev/null +++ b/.beans/nuzlocke-tracker-3mwb--fix-typescript-build-errors-in-runencounterstsx.md @@ -0,0 +1,13 @@ +--- +# nuzlocke-tracker-3mwb +title: Fix TypeScript build errors in RunEncounters.tsx +status: completed +type: bug +priority: normal +created_at: 2026-03-21T11:24:09Z +updated_at: 2026-03-21T11:25:37Z +--- + +Two TS errors blocking production build:\n1. Line 693: `(typeof bossResults)[number]` fails because bossResults is `BossResult[] | undefined`\n2. Line 1601: Parameter 'tm' implicitly has 'any' type + +## Summary of Changes\n\nFixed two TypeScript errors in RunEncounters.tsx:\n1. Used explicit `BossResult` type instead of `(typeof bossResults)[number]`\n2. Added `BossResultTeamMember` type annotation to `tm` parameter\n\nPR: #71 diff --git a/.beans/nuzlocke-tracker-7y9z--fix-test-failures-from-admin-auth-changes.md b/.beans/nuzlocke-tracker-7y9z--fix-test-failures-from-admin-auth-changes.md new file mode 100644 index 0000000..a48b268 --- /dev/null +++ b/.beans/nuzlocke-tracker-7y9z--fix-test-failures-from-admin-auth-changes.md 
@@ -0,0 +1,13 @@ +--- +# nuzlocke-tracker-7y9z +title: Fix test failures from admin auth changes +status: completed +type: bug +priority: normal +created_at: 2026-03-21T10:33:32Z +updated_at: 2026-03-21T10:39:18Z +--- + +After adding require_admin to admin endpoints, tests fail:\n1. test_pokemon.py: Write endpoints return 401 because tests use unauthenticated client instead of admin client\n2. test_runs.py: mock_auth_user has id='test-user-123' which is not a valid UUID, causing ValueError in UUID(user.id)\n\nFix: add admin_override fixture, admin_client fixture, use valid UUID for mock user, update test_pokemon.py to use admin_client for write ops. + +## Summary of Changes\n\n- Added `admin_override` and `admin_client` fixtures to conftest.py that override both `require_admin` and `get_current_user`\n- Changed mock user ID from `test-user-123` to a valid UUID4\n- Updated test_pokemon.py, test_games.py, and test_genlocke_boss.py to use `admin_client` for admin-protected endpoints\n- All 252 tests pass diff --git a/.beans/nuzlocke-tracker-elcn--add-supabase-auth-config-to-production-docker-setu.md b/.beans/nuzlocke-tracker-elcn--add-supabase-auth-config-to-production-docker-setu.md new file mode 100644 index 0000000..df4bdcb --- /dev/null +++ b/.beans/nuzlocke-tracker-elcn--add-supabase-auth-config-to-production-docker-setu.md 
@@ -0,0 +1,13 @@ +--- +# nuzlocke-tracker-elcn +title: Add Supabase auth config to production Docker setup +status: completed +type: task +priority: normal +created_at: 2026-03-21T11:07:01Z +updated_at: 2026-03-21T11:08:19Z +--- + +Update docker-compose.prod.yml and Dockerfile.prod to support Supabase Cloud auth in production.\n\n- [ ] Add SUPABASE_JWT_SECRET env var to backend in docker-compose.prod.yml\n- [ ] Add build args for VITE_SUPABASE_URL, VITE_SUPABASE_ANON_KEY, VITE_API_URL to frontend in docker-compose.prod.yml\n- [ ] Add ARG/ENV lines to Dockerfile.prod so Vite can pick up env vars at build time\n- [ ] Update .env.example with production notes + +## Summary of Changes\n\nUpdated 3 files to support Supabase Cloud auth in production:\n- `docker-compose.prod.yml`: added SUPABASE_JWT_SECRET to backend, added build args to frontend\n- `frontend/Dockerfile.prod`: added ARG lines so Vite inlines Supabase config at build time\n- `.github/workflows/deploy.yml`: pass build args from secrets when building frontend image\n\nPR: #69 diff --git a/.beans/nuzlocke-tracker-liz1--fix-frontend-layout-tests-for-auth-aware-navigatio.md b/.beans/nuzlocke-tracker-liz1--fix-frontend-layout-tests-for-auth-aware-navigatio.md new file mode 100644 index 0000000..4ed3b3c --- /dev/null +++ b/.beans/nuzlocke-tracker-liz1--fix-frontend-layout-tests-for-auth-aware-navigatio.md 
@@ -0,0 +1,13 @@ +--- +# nuzlocke-tracker-liz1 +title: Fix frontend Layout tests for auth-aware navigation +status: completed +type: bug +priority: normal +created_at: 2026-03-21T10:41:51Z +updated_at: 2026-03-21T10:42:30Z +--- + +Layout.test.tsx fails because nav links are now auth-dependent. Tests expect logged-in admin links but render with no user. Fix by mocking useAuth. + +## Summary of Changes\n\nMocked `useAuth` in Layout.test.tsx instead of using real AuthProvider. Added separate test groups for logged-out and logged-in-as-admin states, verifying correct nav links appear in each. All 118 frontend tests pass. diff --git a/.beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md b/.beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md new file mode 100644 index 0000000..d98bae8 --- /dev/null +++ b/.beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md @@ -0,0 +1,11 @@ +--- +# nuzlocke-tracker-t9aj +title: Migrate JWT verification from HS256 shared secret to asymmetric keys (JWKS) +status: todo +type: task +priority: low +created_at: 2026-03-21T11:14:29Z +updated_at: 2026-03-21T11:14:29Z +--- + +The backend currently verifies Supabase JWTs using an HS256 shared secret (`SUPABASE_JWT_SECRET`). Supabase recommends migrating to asymmetric keys (RS256) for better security.\n\nInstead of storing a shared secret, the backend would fetch public keys from Supabase's JWKS endpoint (`https://.supabase.co/.well-known/jwks.json`) and verify tokens against those.\n\n## Changes needed\n\n- [ ] Update `backend/src/app/core/auth.py` to fetch and cache JWKS public keys\n- [ ] Change `jwt.decode` from `HS256` to `RS256` with the fetched public key\n- [ ] Remove `SUPABASE_JWT_SECRET` from config, docker-compose, deploy workflow, and .env files\n- [ ] Update tests\n\n## References\n\n- https://supabase.com/docs/guides/auth/signing-keys\n- https://supabase.com/docs/guides/auth/jwts 
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 87a51b7..4c41a94 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -34,7 +34,7 @@ services: - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - POSTGRES_DB=nuzlocke volumes: - - ./data/postgres:/var/lib/postgresql/data + - ./data/postgres:/var/lib/postgresql healthcheck: test: ["CMD-SHELL", "pg_isready -U postgres"] interval: 5s
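Review bot: The body of .beans/nuzlocke-tracker-3mwb--fix-typescript-build-errors-in-runencounterstsx.md contains literal `\n` sequences instead of real line breaks, so the two numbered lists and the `## Summary of Changes` heading will render as one run-on paragraph. Write the file with actual newlines. The references to "Line 693" and "Line 1601" will also go stale as RunEncounters.tsx changes; naming the affected symbols (`bossResults`, `tm`) is enough.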
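Review bot: The summary in .beans/nuzlocke-tracker-7y9z--fix-test-failures-from-admin-auth-changes.md lists only tests being moved to `admin_client`, and nothing says a test still asserts that an unauthenticated or non-admin client is rejected on the admin endpoints. If every write test goes through fixtures that override both `require_admin` and `get_current_user`, the suite would keep passing after `require_admin` was dropped from a route. Keep at least one negative test per protected router that expects the 401 described in the first paragraph, and record it in the summary.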
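Review bot: .beans/nuzlocke-tracker-elcn--add-supabase-auth-config-to-production-docker-setu.md is marked `status: completed` while all four checklist items are still `- [ ]`, and the fourth item (update .env.example) does not appear in the summary, which lists `.github/workflows/deploy.yml` instead. Tick the items that were done and either finish or drop the .env.example one. Since the summary says the ARG lines make Vite inline the values at build time, it is also worth stating here that only the public values (`VITE_SUPABASE_URL`, `VITE_SUPABASE_ANON_KEY`, `VITE_API_URL`) go through build args and that `SUPABASE_JWT_SECRET` stays a runtime variable on the backend only.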
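Review bot: The JWKS URL in .beans/nuzlocke-tracker-t9aj--migrate-jwt-verification-from-hs256-shared-secret.md reads `https://.supabase.co/.well-known/jwks.json` with an empty host label; the project placeholder appears to have been lost, and the path should be checked against the linked signing-keys guide before anyone copies it. For the `jwt.decode` item, add to the checklist that the accepted algorithm list is pinned to the asymmetric algorithm in the same change that drops `HS256`, so the verifier never accepts an HS256 token while it is holding a public key. The "fetch and cache JWKS" item should also say what happens when a token carries a key id that is not in the cache.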
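Review bot: The new volume target `/var/lib/postgresql` in docker-compose.prod.yml is not explained by any bean file in this patch and changes where existing data lands. On a deployment that already has a cluster in `./data/postgres`, those files will now be mounted one directory above the old `/var/lib/postgresql/data`, so whether the server finds the existing cluster or initialises an empty one depends on the image's data directory setting, which this hunk does not show. State the image version this is meant for and the migration step for existing data, or move this change into its own commit with that explanation.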