docs: update JWT verification table and add missing config.toml entries

- Add 5 missing Edge Functions to config.toml: webhooks-shopify,
  scraper-webhook, get-pending-install-info, auto-register-shoprenter,
  vapi-webhook
- Update CLAUDE.md table with "In config.toml" column
- Add deployment note about --no-verify-jwt flag for Supabase bug workaround

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

CLAUDE.md

@@ -67,21 +67,33 @@ npx supabase link --project-ref <project-ref>
 
 Some Edge Functions have **built-in JWT/auth verification** and require Supabase's default JWT verification to be **disabled** in `config.toml`. This is configured with `verify_jwt = false`.
 
-| Function | Reason for Disabled Supabase JWT |
-|----------|----------------------------------|
-| `auth` | Handles login/signup - no token yet |
-| `shopify-oauth` | OAuth callback from Shopify |
-| `woocommerce-oauth` | OAuth callback from WooCommerce |
-| `oauth-shoprenter-init` | OAuth initiation for ShopRenter |
-| `oauth-shoprenter-callback` | OAuth callback from ShopRenter |
-| `webhook-shoprenter-uninstall` | Webhook from ShopRenter (HMAC verified) |
-| `validate-shoprenter-hmac` | HMAC validation endpoint |
-| `gdpr-webhooks` | GDPR webhooks from platforms |
-| `shop-data-api` | Public API with custom API key auth |
-| `woocommerce-scheduled-sync` | Internal scheduled sync (service role) |
-| `shoprenter-scheduled-sync` | Internal scheduled sync (service role) |
-
-**Important**: When adding new Edge Functions that handle OAuth callbacks, webhooks, or have custom authentication, add them to `supabase/config.toml` with `verify_jwt = false`.
+| Function | Reason for Disabled Supabase JWT | In config.toml |
+|----------|----------------------------------|----------------|
+| `auth` | Handles login/signup - no token yet | ✅ |
+| `shopify-oauth` | OAuth callback from Shopify | ✅ |
+| `woocommerce-oauth` | OAuth callback from WooCommerce | ✅ |
+| `oauth-shoprenter-init` | OAuth initiation for ShopRenter | ✅ |
+| `oauth-shoprenter-callback` | OAuth callback from ShopRenter | ✅ |
+| `webhook-shoprenter-uninstall` | Webhook from ShopRenter (HMAC verified) | ✅ |
+| `validate-shoprenter-hmac` | HMAC validation endpoint | ✅ |
+| `gdpr-webhooks` | GDPR webhooks from platforms | ✅ |
+| `shop-data-api` | Public API with custom API key auth | ✅ |
+| `woocommerce-scheduled-sync` | Internal scheduled sync (service role) | ✅ |
+| `shoprenter-scheduled-sync` | Internal scheduled sync (service role) | ✅ |
+| `webhooks-shopify` | Webhooks from Shopify (HMAC verified) | ✅ |
+| `scraper-webhook` | Webhooks from scraper service | ✅ |
+| `get-pending-install-info` | Public endpoint for OAuth flow | ✅ |
+| `auto-register-shoprenter` | Auto-registers user during OAuth flow | ✅ |
+| `vapi-webhook` | VAPI end-of-call webhooks (internal API key) | ✅ |
+
+**Deployment Note**: Due to a known Supabase bug, `config.toml` settings may not be applied when updating existing functions. If JWT verification issues occur, redeploy with the explicit flag:
+```bash
+npx supabase functions deploy <function-name> --no-verify-jwt --project-ref <project-ref>
+```
+
+**Important**: When adding new Edge Functions that handle OAuth callbacks, webhooks, or have custom authentication:
+1. Add them to `supabase/config.toml` with `verify_jwt = false`
+2. Deploy with `--no-verify-jwt` flag to ensure the setting takes effect
 
 ## Technology Stack
 

supabase/config.toml

@@ -45,3 +45,18 @@ verify_jwt = false
 
 [functions.webhook-shoprenter-uninstall]
 verify_jwt = false
+
+[functions.webhooks-shopify]
+verify_jwt = false
+
+[functions.scraper-webhook]
+verify_jwt = false
+
+[functions.get-pending-install-info]
+verify_jwt = false
+
+[functions.auto-register-shoprenter]
+verify_jwt = false
+
+[functions.vapi-webhook]
+verify_jwt = false