This skill should be used when the user requests to generate, create, or add Row-Level Security (RLS) policies for Supabase databases in multi-tenant or role-based applications. It generates comprehensive RLS policies using auth.uid(), auth.jwt() claims, and role-based access patterns. Trigger terms include RLS, row level security, supabase security, generate policies, auth policies, multi-tenant security, role-based access, database security policies, supabase permissions, tenant isolation.
Generates comprehensive Row-Level Security policies for Supabase databases. Creates multi-tenant isolation, role-based access controls, and helper functions with test queries when you request RLS policies for your database tables.
/plugin marketplace add hopeoverture/worldbuilding-app-skills
/plugin install supabase-rls-policy-generator@worldbuilding-app-skills
This skill inherits all available tools. When active, it can use any tool Claude has access to.
assets/policy-documentation-template.md
assets/policy-templates.sql
references/rls-patterns.md
references/supabase-auth.md
To generate comprehensive Row-Level Security policies for Supabase databases, follow these steps systematically.
Before generating policies:
Determine access patterns by asking:
Consult references/rls-patterns.md for common security patterns.
For each table requiring protection, generate policies following this structure:
ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;
SELECT Policies - Control read access:
INSERT Policies - Control creation:
UPDATE Policies - Control modifications:
DELETE Policies - Control deletion:
Use templates from assets/policy-templates.sql:
Basic User Ownership:
CREATE POLICY "Users can view own records"
ON table_name FOR SELECT
USING (auth.uid() = user_id);
Multi-Tenant Isolation:
CREATE POLICY "Tenant isolation"
ON table_name FOR ALL
USING (
tenant_id IN (
SELECT tenant_id FROM user_tenants
WHERE user_id = auth.uid()
)
);
Role-Based Access (read the application role from app_metadata: the top-level role claim in a Supabase JWT is the Postgres role such as authenticated or anon, and user_metadata is editable by the user and must never gate access):
CREATE POLICY "Admins have full access"
ON table_name FOR ALL
USING (
auth.jwt() -> 'app_metadata' ->> 'role' = 'admin'
);
JWT Claims:
CREATE POLICY "Organization access"
ON table_name FOR SELECT
USING (
organization_id = (auth.jwt() -> 'app_metadata' ->> 'organization_id')::uuid
);
Create PostgreSQL functions to support complex policies. Define them in a schema you own (the auth schema is managed by Supabase), read application roles from app_metadata rather than the top-level role claim, and pin search_path on any SECURITY DEFINER function so unqualified names cannot be resolved to an attacker-controlled schema:
-- Function to check the application role (STABLE so the planner evaluates it once per statement)
CREATE OR REPLACE FUNCTION public.user_has_role(required_role TEXT)
RETURNS BOOLEAN
LANGUAGE sql STABLE
AS $$
SELECT coalesce((auth.jwt() -> 'app_metadata' ->> 'role') = required_role, false);
$$;
-- Function to check tenant membership; SECURITY DEFINER lets it read user_tenants
-- even when that table has its own RLS, so it reads only the caller's own rows
CREATE OR REPLACE FUNCTION public.user_in_tenant(target_tenant_id UUID)
RETURNS BOOLEAN
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = ''
AS $$
SELECT EXISTS (
SELECT 1 FROM public.user_tenants
WHERE user_id = auth.uid()
AND tenant_id = target_tenant_id
);
$$;
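The policy structure, the templates and the helper functions above come together in the following complete policy set. It is an added worked example, not a file from this skill's assets/policy-templates.sql; it assumes a hypothetical public.items table with columns id, tenant_id, owner_id and title, a hypothetical public.user_tenants(user_id, tenant_id) membership table, a project-owned schema named private, and an application role issued server-side as app_metadata.role. It goes beyond the single-clause templates by pairing every write policy with a WITH CHECK clause, which is the clause that actually stops cross-tenant writes and ownership spoofing.

```sql
-- Added example, not from assets/policy-templates.sql. Hypothetical schema:
--   public.items(id uuid pk, tenant_id uuid, owner_id uuid, title text)
--   public.user_tenants(user_id uuid, tenant_id uuid)
-- The application role is assumed to be issued server-side as app_metadata.role.

-- Helpers live in a project-owned schema: auth is managed by Supabase, and a
-- schema not listed in PostgREST's exposed schemas is not reachable over /rpc.
create schema if not exists private;
grant usage on schema private to authenticated;

-- SECURITY DEFINER lets the check read user_tenants even when that table has
-- its own RLS; an empty search_path forces every name to be schema-qualified so
-- nothing can be hijacked; STABLE lets the planner evaluate it once per statement.
create or replace function private.user_in_tenant(target_tenant_id uuid)
returns boolean
language sql stable security definer
set search_path = ''
as $$
  select exists (
    select 1
    from public.user_tenants ut
    where ut.user_id = auth.uid()
      and ut.tenant_id = target_tenant_id
  );
$$;
revoke execute on function private.user_in_tenant(uuid) from public;
grant execute on function private.user_in_tenant(uuid) to authenticated;

-- The top-level "role" claim is the Postgres role (anon/authenticated), so the
-- app role is read from app_metadata, which end users cannot modify.
create or replace function private.app_role()
returns text
language sql stable
as $$
  select coalesce(auth.jwt() -> 'app_metadata' ->> 'role', '');
$$;

alter table public.items enable row level security;

drop policy if exists "items: tenant members can read" on public.items;
create policy "items: tenant members can read"
  on public.items for select
  to authenticated
  using (private.user_in_tenant(tenant_id));

-- INSERT has no USING clause; WITH CHECK is the only thing stopping a caller
-- from writing into a tenant they are not a member of or under someone else's id.
drop policy if exists "items: members insert own rows into own tenant" on public.items;
create policy "items: members insert own rows into own tenant"
  on public.items for insert
  to authenticated
  with check (
    private.user_in_tenant(tenant_id)
    and owner_id = (select auth.uid())
  );

-- USING selects which existing rows may be targeted; WITH CHECK validates the
-- row as it will be after the update, so an owner cannot move a row to another
-- tenant or hand it to another user.
drop policy if exists "items: owners update own rows" on public.items;
create policy "items: owners update own rows"
  on public.items for update
  to authenticated
  using (owner_id = (select auth.uid()) and private.user_in_tenant(tenant_id))
  with check (owner_id = (select auth.uid()) and private.user_in_tenant(tenant_id));

-- Role-based access layered on tenant membership: an admin may delete any row
-- in a tenant they belong to, but the claim alone never crosses tenant lines.
drop policy if exists "items: owners or tenant admins delete" on public.items;
create policy "items: owners or tenant admins delete"
  on public.items for delete
  to authenticated
  using (
    private.user_in_tenant(tenant_id)
    and (owner_id = (select auth.uid()) or private.app_role() = 'admin')
  );

-- Table privileges are still required; RLS only filters rows for roles that
-- already have them. anon gets nothing here.
grant select, insert, update, delete on public.items to authenticated;
```

The `(select auth.uid())` form lets Postgres compute the caller's id once per statement instead of once per row, and the `to authenticated` clause keeps anon out even if someone later grants it table privileges. The admin check is deliberately combined with tenant membership; a bare claim check like the template's `FOR ALL USING (role = 'admin')` would let any admin read every tenant.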
Create test queries to verify policies work correctly. Run them as the authenticated role inside a transaction: the table owner and any role with BYPASSRLS skip RLS entirely, so a test run as postgres proves nothing. auth.uid() and auth.jwt() read the request.jwt.claims JSON; a bare SET request.jwt.claim.role is ignored by auth.jwt(), so put every claim, including app_metadata, in that JSON.
-- Test as authenticated user
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims = '{"sub":"user-uuid","role":"authenticated","app_metadata":{"role":"member"}}';
SELECT * FROM table_name; -- Should see only the records this user's tenant may access
ROLLBACK;
-- Test as admin
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims = '{"sub":"admin-uuid","role":"authenticated","app_metadata":{"role":"admin"}}';
SELECT * FROM table_name; -- Should see every record the admin policy grants
ROLLBACK;
-- Test as a user in a different tenant
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims = '{"sub":"other-user-uuid","role":"authenticated","app_metadata":{"role":"member"}}';
SELECT * FROM table_name; -- Should see only the other tenant's records and none of the first user's
ROLLBACK;
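Positive read checks like the ones above cannot distinguish a working policy from a bypassed one, so a test file should also prove that the denials happen. The script below is an added example, not this skill's bundled tests/rls_tests.sql; it assumes the hypothetical public.items and public.user_tenants tables and the policies described above, the Supabase-provided authenticated role, and constructed fixture ids (user A belongs to tenant A only; tenant B is foreign) that satisfy any foreign keys such as a reference to auth.users. Each negative case expects the WITH CHECK violation Postgres raises as SQLSTATE 42501 (insufficient_privilege), and the whole run is rolled back.

```sql
-- Added example test script, not from tests/rls_tests.sql. Assumes the
-- hypothetical public.items / public.user_tenants tables and policies shown
-- above, the Supabase-provided "authenticated" role, and that the constructed
-- fixture ids below satisfy any foreign keys (e.g. exist in auth.users).
-- Fixture: user A (1111...) belongs to tenant A (...000a) only; tenant B (...000b) is foreign.
begin;

-- Seed while still running as the migration/owner role, which bypasses RLS.
insert into public.user_tenants (user_id, tenant_id)
values ('11111111-1111-1111-1111-111111111111', '00000000-0000-0000-0000-00000000000a');
insert into public.items (tenant_id, owner_id, title)
values ('00000000-0000-0000-0000-00000000000b', '22222222-2222-2222-2222-222222222222', 'foreign row');

-- Switch to the role the API actually uses. A test that skips this line passes
-- vacuously no matter how broken the policies are.
set local role authenticated;
set local request.jwt.claims = '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated","app_metadata":{"role":"member"}}';

-- 0. Guard against a vacuous run.
do $$
begin
  if current_user <> 'authenticated' then
    raise exception 'not running as authenticated; RLS is not being exercised';
  end if;
  if not (select relrowsecurity from pg_class where oid = 'public.items'::regclass) then
    raise exception 'RLS is not enabled on public.items';
  end if;
end $$;

-- 1. Positive path: a member can insert into their own tenant under their own id.
insert into public.items (tenant_id, owner_id, title)
values ('00000000-0000-0000-0000-00000000000a', auth.uid(), 'mine');

-- 2. Isolation: the seeded tenant-B row must be invisible to a tenant-A member.
do $$
declare leaked bigint;
begin
  select count(*) into leaked from public.items
  where tenant_id <> '00000000-0000-0000-0000-00000000000a';
  if leaked > 0 then
    raise exception 'RLS leak: % row(s) from a foreign tenant are visible', leaked;
  end if;
end $$;

-- 3. Cross-tenant INSERT must fail the WITH CHECK clause (SQLSTATE 42501).
do $$
begin
  insert into public.items (tenant_id, owner_id, title)
  values ('00000000-0000-0000-0000-00000000000b', auth.uid(), 'smuggled');
  raise exception 'RLS gap: insert into a foreign tenant succeeded';
exception when insufficient_privilege then
  raise notice 'ok: cross-tenant insert rejected';
end $$;

-- 4. Spoofing ownership on insert must fail the same way.
do $$
begin
  insert into public.items (tenant_id, owner_id, title)
  values ('00000000-0000-0000-0000-00000000000a',
          '22222222-2222-2222-2222-222222222222', 'forged owner');
  raise exception 'RLS gap: insert with a foreign owner_id succeeded';
exception when insufficient_privilege then
  raise notice 'ok: owner_id spoof rejected';
end $$;

-- 5. Tenant hop: USING lets the owner target the row inserted in step 1, but
--    WITH CHECK must reject the rewritten tenant_id.
do $$
begin
  update public.items
  set tenant_id = '00000000-0000-0000-0000-00000000000b'
  where owner_id = auth.uid();
  raise exception 'RLS gap: tenant_id could be rewritten';
exception when insufficient_privilege then
  raise notice 'ok: tenant hop rejected';
end $$;

rollback;
```

Run it with psql against a staging database; any `RLS gap` or `RLS leak` exception aborts the transaction, while a clean run prints only the `ok:` notices. Because every failed statement inside a DO block is rolled back to its own savepoint, the row from step 1 is still present for step 5, which is what makes that update a real test rather than a no-op on zero rows.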
Generate a migration file with proper structure:
-- Migration: Add RLS policies
-- Created: [timestamp]
-- Enable RLS on tables
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
ALTER TABLE items ENABLE ROW LEVEL SECURITY;
-- Drop existing policies if any
DROP POLICY IF EXISTS "policy_name" ON table_name;
-- Create new policies
[Generated policies here]
-- Create helper functions
[Generated functions here]
-- Grant table privileges (RLS filters rows; a role with a grant but no matching policy sees nothing)
GRANT SELECT, INSERT, UPDATE, DELETE ON table_name TO authenticated;
GRANT SELECT ON table_name TO anon; -- Only if public read is needed, together with a policy for anon
Create documentation explaining:
Use template from assets/policy-documentation-template.md.
Consult references/rls-patterns.md for detailed examples of:
Generate files in the following structure:
migrations/
[timestamp]_add_rls_policies.sql
docs/
rls-policies.md (documentation)
tests/
rls_tests.sql (test queries)
Before completing:
Throughout generation:
references/rls-patterns.md for security patterns
references/supabase-auth.md for auth.uid() and JWT structure
assets/policy-templates.sql
When finished: