
supabase-best-practices skill


This skill enforces Supabase best practices across security, schema design, authentication, real-time, edge functions, and performance for robust apps.

npx playbooks add skill jcastillotx/vibe-skeleton-app --skill supabase-best-practices


Files (7)
SKILL.md
---
name: supabase-best-practices
description: Supabase development standards. Triggers when working with Supabase projects, Row Level Security, real-time subscriptions, or Edge Functions.
trigger_patterns:
  - supabase
  - row level security
  - rls
  - auth.uid
  - edge function
  - realtime
  - supabase-js
auto_load_with: []
---

# Supabase Best Practices

Comprehensive coding standards for Supabase development, optimized for AI agents and LLMs.

## Overview

This skill provides 22 rules organized across 8 categories:

1. **Security (RLS) (rls-)** - Row Level Security policies, auth patterns [CRITICAL]
2. **Database Design (schema-)** - Foreign keys, constraints, migrations [CRITICAL]
3. **Authentication (auth-)** - OAuth, MFA, session management [HIGH]
4. **Real-time (realtime-)** - Subscriptions, presence, broadcast [HIGH]
5. **Edge Functions (edge-)** - Deno deploy, secrets, logging [MEDIUM-HIGH]
6. **Storage (storage-)** - Bucket policies, transformations [MEDIUM]
7. **Performance (perf-)** - Connection pooling, indexes [MEDIUM]
8. **Client Libraries (client-)** - Type generation, hooks [LOW-MEDIUM]

## Usage

Reference this skill when:
- Designing Supabase database schemas
- Implementing Row Level Security
- Building real-time features
- Creating Edge Functions
- Configuring authentication

## Build

```bash
pnpm build    # Compile rules to AGENTS.md
pnpm validate # Validate rule files
```

Overview

This skill codifies Supabase development standards for secure, maintainable projects. It focuses on Row Level Security, database design, real-time features, Edge Functions, authentication, storage, performance, and client tooling. Use it as a checklist to reduce risks and speed up common Supabase tasks.

How this skill works

The skill inspects project patterns and recommends concrete rules across eight categories: security (RLS), schema design, auth, realtime, Edge Functions, storage, performance, and client libraries. It flags risky configurations, suggests hardened defaults, and provides actionable steps for migrations, policy definitions, subscription handling, and deployment best practices. Outputs aim to be implementable in code or CI checks.

When to use it

  • Designing or migrating Supabase database schemas
  • Implementing Row Level Security policies and auth rules
  • Building realtime subscriptions, presence, or broadcasting features
  • Developing and deploying Edge Functions or serverless endpoints
  • Configuring storage buckets, file transforms, or signed URLs
  • Optimizing queries, indexes, and connection pooling for production

Best practices

  • Enforce Row Level Security with least-privilege policies and test with role-based scenarios
  • Model relationships with explicit foreign keys, unique constraints, and migration scripts
  • Centralize auth flows: use secure JWT handling, session refresh, and multi-factor where needed
  • Limit realtime subscriptions to necessary channels and validate payloads server-side
  • Use Edge Functions for server-side secrets, environment isolation, and robust logging
  • Apply indexes for frequent filters, use connection pooling, and profile slow queries regularly

Example use cases

  • Create RLS policies that allow users to access only their rows and test via service and anon keys
  • Design a migration plan that adds foreign keys and backfill logic before enabling the constraints
  • Replace client-side secret logic with Edge Functions that sign URLs or validate webhooks
  • Implement realtime presence for collaborative sessions and cap event rates to protect the database
  • Add automated checks in CI to validate schema changes, RLS coverage, and Edge Function builds

FAQ

Will this skill break existing behavior when enforcing rules?

No. The recommendations prioritize a safe rollout: add policies in permissive mode, run tests, and enforce gradually before blocking access.

How do I test Row Level Security effectively?

Use separate test users and service accounts in staging, run integration tests covering allowed and denied access, and include automated policy validations in CI.
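As an added example (not one of the skill's own files), here is the owner-only RLS pattern from the use case above together with the role-based test the FAQ recommends. The notes table, policy names and user ids are constructed for illustration, and the test assumes the two user ids exist in auth.users of the staging project.

```sql
-- Constructed example table; the skill page itself defines no schema.
-- Assumes the two user ids used below exist in auth.users (staging test users).
create table if not exists public.notes (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id) on delete cascade,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Deny by default: with RLS enabled and no policy, non-bypass roles see no rows.
alter table public.notes enable row level security;

-- Least privilege: one owner-only policy per command, granted to the
-- authenticated role only, so the anon role matches no policy at all.
-- Wrapping auth.uid() in a subselect lets the planner evaluate it once per query.
-- (Update and delete policies follow the same shape and are omitted for brevity.)
create policy "notes_select_own" on public.notes
  for select to authenticated
  using (owner_id = (select auth.uid()));

create policy "notes_insert_own" on public.notes
  for insert to authenticated
  with check (owner_id = (select auth.uid()));

-- Role-based test, run in psql or the SQL editor against staging.
-- Impersonate a user the way PostgREST does: switch role, then set the JWT claims.
begin;
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
insert into public.notes (owner_id, body)
  values ('00000000-0000-0000-0000-000000000001', 'owned by user 1');

-- Allowed path: user 1 reads its own row through the select policy.
select id, body from public.notes;

-- Denied path 1: anon has no policy on this table, so the select is filtered to no rows.
set local role anon;
select id, body from public.notes;

-- Denied path 2: user 1 tries to write a row owned by user 2; the insert policy's
-- with check clause rejects it, which is the error the test should expect.
set local role authenticated;
insert into public.notes (owner_id, body)
  values ('00000000-0000-0000-0000-000000000002', 'owned by user 2');
rollback;
```

Run the same script with the service_role key (or the postgres role) to confirm the bypass behaviour you rely on for admin jobs, and wire the three checks into CI as the policy validations the FAQ describes.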

Can I use Edge Functions for heavy compute or long-running jobs?

Edge Functions are best for short, secure server-side logic. Offload heavy or long-running tasks to background workers or managed job queues.