# Pathrule Pattern: Supabase + RLS (1.0.0)
# ::pathrule:package:supabase-rls

### [RULE] RLS enabled on every table, deny by default  (path: /supabase)
<!-- scope: folder | priority: high | strict -->

Every table in a schema exposed to the API (`public` by default) has Row Level Security enabled.

- Start from deny by default: a table with RLS enabled and no policies returns nothing to the API roles (`anon`, `authenticated`). From there add narrow policies per operation (`select`, `insert`, `update`, `delete`), each scoped to the role that needs it.
- A migration that creates a table without enabling RLS and adding policies is incomplete and must not merge.
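The pattern above as one migration, added here as an illustration rather than code from this pattern or from Supabase itself. The `notes` table, its columns and the migration filename are assumptions; `auth.users` and `auth.uid()` are Supabase's own. The tail of the block is the review check a reviewer runs to catch tables that slipped through with RLS off, and a transaction that exercises the policies as a given user without a real JWT.

```sql
-- Hypothetical file: supabase/migrations/20240101120000_create_notes.sql
-- Table shape is an assumption made for the example.
create table if not exists public.notes (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id) on delete cascade,
  body       text not null,
  created_at timestamptz not null default now()
);

-- RLS on with zero policies: anon and authenticated see no rows at all.
-- Everything below only widens that to the caller's own rows.
alter table public.notes enable row level security;

-- One narrow policy per operation, scoped to authenticated only.
-- (select auth.uid()) lets Postgres evaluate the caller id once per
-- statement instead of once per row.
drop policy if exists notes_select_own on public.notes;
create policy notes_select_own on public.notes
  for select to authenticated
  using (owner_id = (select auth.uid()));

drop policy if exists notes_insert_own on public.notes;
create policy notes_insert_own on public.notes
  for insert to authenticated
  with check (owner_id = (select auth.uid()));

drop policy if exists notes_update_own on public.notes;
create policy notes_update_own on public.notes
  for update to authenticated
  using (owner_id = (select auth.uid()))          -- which rows may be targeted
  with check (owner_id = (select auth.uid()));    -- what the row may become

drop policy if exists notes_delete_own on public.notes;
create policy notes_delete_own on public.notes
  for delete to authenticated
  using (owner_id = (select auth.uid()));

-- Index the column every predicate filters on, or policies become seq scans.
create index if not exists notes_owner_id_idx on public.notes (owner_id);

-- Review check: any table or partitioned table in public with RLS still off.
-- An empty result is the only acceptable outcome before merge.
select n.nspname as schema, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind in ('r', 'p')
  and n.nspname = 'public'
  and not c.relrowsecurity;

-- Policy check without a real token: impersonate a user for one transaction.
-- auth.uid() reads the sub claim from request.jwt.claims, which is what
-- PostgREST sets from the JWT. The uuid is a constructed placeholder.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from public.notes;   -- only rows owned by that sub
rollback;
```

Run the impersonation block once as a user who owns rows and once as a user who does not; if the second case returns anything other than zero, a policy is too wide. The `drop policy if exists` lines are what make the migration safe to re-run in a throwaway environment.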

---

### [RULE] User JWT only, never the service role in client paths  (path: /supabase)
<!-- scope: project | priority: high | strict -->

The service role key maps to the `service_role` Postgres role, which bypasses RLS entirely, so it stays server-side.

- Client code, and edge functions acting on behalf of a user, create their Supabase client with the caller's JWT (forward the incoming `Authorization` header), so RLS applies to every query.
- The service role key is only for trusted server-side jobs (cron, webhooks, admin tooling) that intentionally need to see across users.
- Never ship it to a browser or mobile bundle, and never choose between keys based on anything in a client request.

---

### [MEMORY] Access via a single has_access helper  (path: /supabase)

Express membership and ownership in one `SECURITY DEFINER` helper (for example `has_workspace_access(user_id, workspace_id)`) and reference it from RLS policies across tables.

- Keeps the access model in one place.
- Makes policies readable.
- Avoids subtly different inline checks that drift apart over time.
- Because `SECURITY DEFINER` runs with the function owner's privileges (and so bypasses RLS on the tables it reads), pin `search_path` in the function definition and restrict `EXECUTE` to the roles that actually need it.
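The helper and the policies that share it, added here as an illustration; this is not code from the pattern or from Supabase. `has_workspace_access` is the name the pattern uses; the `workspaces`, `workspace_members` and `documents` tables and their columns are assumptions for the example.

```sql
-- Hypothetical schema: a workspace has an owner and zero or more members,
-- and documents belong to a workspace.
create table if not exists public.workspaces (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id) on delete cascade
);

create table if not exists public.workspace_members (
  workspace_id uuid not null references public.workspaces (id) on delete cascade,
  user_id      uuid not null references auth.users (id) on delete cascade,
  primary key (workspace_id, user_id)
);

create table if not exists public.documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null references public.workspaces (id) on delete cascade,
  title        text not null
);

alter table public.workspaces        enable row level security;
alter table public.workspace_members enable row level security;
alter table public.documents         enable row level security;

-- The single definition of "this user may touch this workspace".
-- security definer : runs as the migration owner, so it can read
--                    workspace_members without a policy on that table and
--                    without recursing into the policies defined below.
-- set search_path  : empty, so every name must be schema-qualified and a
--                    caller cannot shadow these tables via their own schema.
-- stable           : same answer within one statement, so the planner may
--                    evaluate it once per statement where the input allows.
create or replace function public.has_workspace_access(p_user_id uuid, p_workspace_id uuid)
returns boolean
language sql
stable
security definer
set search_path = ''
as $$
  select exists (
    select 1 from public.workspaces w
    where w.id = p_workspace_id and w.owner_id = p_user_id
  )
  or exists (
    select 1 from public.workspace_members m
    where m.workspace_id = p_workspace_id and m.user_id = p_user_id
  );
$$;

-- Supabase's default privileges grant execute on new public functions to
-- anon as well; take that back so only logged-in callers can invoke it.
revoke execute on function public.has_workspace_access(uuid, uuid) from public, anon;
grant  execute on function public.has_workspace_access(uuid, uuid) to authenticated;

-- Every table in the workspace tree goes through the same helper.
create policy workspaces_select on public.workspaces
  for select to authenticated
  using (public.has_workspace_access((select auth.uid()), id));

create policy workspace_members_select on public.workspace_members
  for select to authenticated
  using (public.has_workspace_access((select auth.uid()), workspace_id));

create policy documents_select on public.documents
  for select to authenticated
  using (public.has_workspace_access((select auth.uid()), workspace_id));

create policy documents_insert on public.documents
  for insert to authenticated
  with check (public.has_workspace_access((select auth.uid()), workspace_id));

create policy documents_update on public.documents
  for update to authenticated
  using (public.has_workspace_access((select auth.uid()), workspace_id))
  with check (public.has_workspace_access((select auth.uid()), workspace_id));

create policy documents_delete on public.documents
  for delete to authenticated
  using (public.has_workspace_access((select auth.uid()), workspace_id));

-- Indexes behind the predicates: the members primary key already covers
-- (workspace_id, user_id); documents needs one on workspace_id.
create index if not exists documents_workspace_id_idx on public.documents (workspace_id);
```

One caveat of keeping the pattern's two-argument signature: any function in an exposed schema is callable through PostgREST RPC, so an authenticated user can ask `has_workspace_access(<someone else's id>, <workspace>)` and learn a membership boolean. If that matters, either move the helper to a schema that is not exposed to the API, or drop the `user_id` parameter and read `auth.uid()` inside the function.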

---

### [MEMORY] Migration workflow  (path: /supabase/migrations)

Migrations are forward-only and timestamped.

- Each one is self-contained and idempotent where practical.
- Enable RLS and add policies in the same migration as the table.
- Regenerate TypeScript types after a schema change.
- Never edit a migration that already ran in a shared environment; add a new one.

---

### [SKILL] supabase-rls-review  (path: /)

---
name: supabase-rls-review
description: Review a Supabase migration or schema change for RLS correctness and safety.
---

# Supabase RLS review

- [ ] RLS is enabled on every new table
- [ ] Policies exist per operation and deny by default
- [ ] Policies use the shared access helper, not ad hoc inline checks
- [ ] Any `SECURITY DEFINER` helper pins `search_path` and has `EXECUTE` revoked from roles that do not need it
- [ ] No service role key is reachable from client or per-request code
- [ ] Indexes back the columns used in policy predicates
- [ ] TypeScript types regenerated after the schema change
- [ ] Migration is forward-only and does not edit an already-applied file
