
Add linked Supabase RLS allowlist#46

Merged
michaelzick merged 1 commit into main from codex/linked-supabase-rls-migration
Jun 11, 2026

Conversation

@michaelzick

Owner

Summary

Adds a hosted Supabase RLS layer for TimeFraim's public app tables and documents the linked database bootstrap/data migration workflow. The linked project was migrated from the local Supabase database, durable local data was copied, and RLS now protects the hosted PostgREST surface while the app continues to route data access through the Fastify API.

  • Single-user RLS allowlist: app_access_users stores lowercased allowed emails and is_timefraim_allowed_user() gates authenticated app-table access.
  • Public app table policies: tasks, schedule blocks, calendar events, sync runs, integration tokens, drafts, timers, preferences, Toggl connections, and audit logs now have authenticated-only RLS policies; anon receives no app-table access.
  • Linked DB migration workflow docs: AGENTS, CLAUDE, and GEMINI now describe backup-first linked bootstrap/data copy steps and durable-vs-volatile Supabase data boundaries.
  • Linked project applied: all migrations were pushed to the linked Supabase project, durable data was copied from local, and no Edge Functions were deployed because this repo and linked project have none.

Changes

  • supabase/migrations/20260611120000_enable_single_user_rls.sql — creates the allowlist table/function, seeds from existing auth users, enables RLS, and adds app-table policies.
  • AGENTS.md — documents the RLS model and linked Supabase bootstrap/data migration workflow.
  • CLAUDE.md / GEMINI.md — synced from AGENTS.md.

Test plan

  • supabase migration up --local
  • Local RLS role simulation: anon blocked, non-allowlisted authenticated blocked, allowlisted authenticated allowed
  • Linked backup before/after migration: /tmp/timefraim-linked-migration-20260611045729
  • supabase db push --db-url "$LINKED_SUPABASE_POSTGRES_URL" --include-all --dry-run
  • supabase db push --db-url "$LINKED_SUPABASE_POSTGRES_URL" --include-all
  • Durable local-to-linked data copy for public app tables, auth.users, auth.identities, storage.buckets, and storage.objects
  • Linked row-count comparison matched local for copied tables
  • Linked RLS role simulation: anon blocked, non-allowlisted authenticated blocked, allowlisted authenticated allowed
  • supabase functions list --project-ref <linked-ref> confirmed no linked Edge Functions; repo has no supabase/functions sources to deploy
  • pnpm agent-briefs:check
  • pnpm lint
  • pnpm typecheck
  • git diff --check

Created by Codex
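The allowlist model described in the summary (a table of lowercased emails plus an is_timefraim_allowed_user() function gating authenticated access, with no anon policy) can be sketched as a Postgres migration. The block below is an added illustration written for this page, not the contents of the PR's own supabase/migrations/20260611120000_enable_single_user_rls.sql, which is not shown here. It assumes the standard Supabase conventions (the anon and authenticated roles, auth.jwt() exposing the caller's email claim) and uses public.tasks as a placeholder app table; the same policy pattern would be repeated for each table listed in the summary.

```sql
-- Allowlist of emails permitted to use the single-user app.
-- Assumed schema: the actual migration in the PR is not visible on this page.
create table if not exists public.app_access_users (
  email text primary key check (email = lower(email))
);

-- Lock the allowlist itself down: RLS on with no policies, plus no grants,
-- so an authenticated caller cannot read it or insert their own email.
-- The check function below runs as its owner, so it still works.
alter table public.app_access_users enable row level security;
revoke all on public.app_access_users from anon, authenticated;

-- Gate: is the caller's JWT email (lowercased) on the allowlist?
-- security definer + empty search_path avoids resolving objects from a
-- caller-controlled schema; every reference is schema-qualified.
create or replace function public.is_timefraim_allowed_user()
returns boolean
language sql
stable
security definer
set search_path = ''
as $$
  select exists (
    select 1
    from public.app_access_users a
    where a.email = lower(coalesce(auth.jwt() ->> 'email', ''))
  );
$$;

-- Only authenticated sessions may call the gate; anon has no use for it.
revoke execute on function public.is_timefraim_allowed_user() from public, anon;
grant execute on function public.is_timefraim_allowed_user() to authenticated;

-- Placeholder app table; apply the same policy to each protected table.
alter table public.tasks enable row level security;

drop policy if exists "allowlisted users manage tasks" on public.tasks;
create policy "allowlisted users manage tasks"
  on public.tasks
  for all
  to authenticated
  using (public.is_timefraim_allowed_user())
  with check (public.is_timefraim_allowed_user());
-- No policy is created for anon: with RLS enabled, anon sees zero rows.

-- Local role simulation matching the PR's test plan (run in psql):
-- set role anon;
-- select count(*) from public.tasks;                      -- 0 rows
-- set role authenticated;
-- select set_config('request.jwt.claims',
--                   '{"email":"nobody@example.invalid"}', true);
-- select count(*) from public.tasks;                      -- 0 rows (not allowlisted)
-- select set_config('request.jwt.claims',
--                   '{"email":"<allowlisted-email>"}', true);
-- select count(*) from public.tasks;                      -- rows visible
-- reset role;
```

Two points worth checking when reviewing a migration of this shape: the allowlist table must not be writable through PostgREST by the very role it gates (otherwise an authenticated user can allowlist themselves), and the gate function should be security definer with a fixed search_path so that the policy check cannot be redirected to a different app_access_users object. Both are handled above by the revoke statements and the set search_path = '' clause.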

@michaelzick michaelzick marked this pull request as ready for review June 11, 2026 12:13
@michaelzick michaelzick merged commit 3fa6e7f into main Jun 11, 2026
10 checks passed
