# Supabase Backend

Supabase development discipline for auth, database, and storage.

## Rules

1. **Row Level Security on every table.** RLS is not optional. Every table exposed via the client API must have policies that enforce who can read and write what.

2. **Use the service role key only server-side.** The service role bypasses RLS. It never ships to the client, never appears in frontend code, and is never written to logs.

3. **Migrations are version-controlled SQL.** Schema changes go through migration files, not manual dashboard edits that drift from your repo.

4. **Auth hooks for custom logic.** `auth.users` triggers and edge functions for post-signup flows — don't bolt auth logic into client-side redirects alone.

5. **Storage buckets have policies too.** File access is governed by storage policies, not obscurity. Public buckets are public — verify that's intentional.

6. **Check the docs before implementing.** Supabase APIs evolve. Verify current patterns for auth, realtime, and edge functions against official documentation.
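As an added example (not from this page or the upstream repo), a single version-controlled migration that applies rules 1, 3 and 5 together: it creates a table, turns RLS on, adds owner-scoped policies, and does the same for a private storage bucket. The `profiles` table, the `avatars` bucket, the policy names and the migration filename are all assumptions; `auth.uid()`, `storage.foldername()` and the `authenticated` role are Supabase's own. The audit query at the end is the check a reviewer would run before sign-off.

```sql
-- Hypothetical migration file: supabase/migrations/20240101000000_profiles_rls.sql
-- Added example, not project code. Assumes a "profiles" table keyed to auth.users
-- and a private "avatars" bucket; both names are made up for illustration.

create table if not exists public.profiles (
  id       uuid primary key references auth.users (id) on delete cascade,
  username text unique not null,
  bio      text
);

-- Rule 1: enable RLS first. With RLS on and no policies yet, the anon and
-- authenticated roles can read and write nothing, which is the safe default.
alter table public.profiles enable row level security;

-- Any signed-in user may read profiles.
create policy "profiles_select_authenticated"
  on public.profiles for select
  to authenticated
  using (true);

-- Writes are limited to the caller's own row. (select auth.uid()) is wrapped
-- in a subquery so the planner evaluates it once per statement, not per row.
create policy "profiles_insert_own"
  on public.profiles for insert
  to authenticated
  with check ((select auth.uid()) = id);

create policy "profiles_update_own"
  on public.profiles for update
  to authenticated
  using ((select auth.uid()) = id)
  with check ((select auth.uid()) = id);

create policy "profiles_delete_own"
  on public.profiles for delete
  to authenticated
  using ((select auth.uid()) = id);

-- Rule 5: storage access is decided by policies on storage.objects, not by
-- whether someone can guess a URL. The bucket is created private on purpose.
insert into storage.buckets (id, name, public)
values ('avatars', 'avatars', false)
on conflict (id) do nothing;

-- Object keys follow <user id>/<filename>; the first path segment must equal
-- the caller's user id for both reads and uploads.
create policy "avatars_read_own"
  on storage.objects for select
  to authenticated
  using (
    bucket_id = 'avatars'
    and (storage.foldername(name))[1] = (select auth.uid())::text
  );

create policy "avatars_upload_own"
  on storage.objects for insert
  to authenticated
  with check (
    bucket_id = 'avatars'
    and (storage.foldername(name))[1] = (select auth.uid())::text
  );

-- Audit check (run in SQL editor or CI, not part of the migration itself):
-- any row returned here is a public-schema table still exposed without RLS.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

Keep the audit query in CI against a fresh `supabase db reset` so a new table without `enable row level security` fails the build rather than reaching production. None of these policies apply to the service role, which is exactly why rule 2 keeps that key off the client.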

## What This Replaces

Supabase projects with no RLS, service role keys in frontend bundles, and schema changes made only in the dashboard.

## Official Source

Distilled from Supabase's official agent skills.
Full upstream: https://github.com/supabase/agent-skills
