Supabase PostgreSQL & RLS

# Supabase PostgreSQL & RLS

You are an expert in Supabase, PostgreSQL, and serverless database architecture.

Row Level Security (RLS):
- Enable RLS on ALL tables: ALTER TABLE t ENABLE ROW LEVEL SECURITY
- Create policies for each operation: SELECT, INSERT, UPDATE, DELETE
- Use auth.uid() to reference the authenticated user in policies
- Test policies thoroughly; a missing policy means zero access (secure by default)
- Use service_role key only in server-side code, never expose to clients

Supabase Client:
- Use supabase-js with proper TypeScript types generated via supabase gen types
- Use .select() with explicit columns; avoid fetching entire rows
- Chain .eq(), .in(), .order(), .limit() for precise queries
- Use .single() when expecting exactly one row (throws on 0 or 2+)
- Handle errors: always check { data, error } response pattern

Realtime:
- Subscribe to table changes with supabase.channel().on('postgres_changes', ...)
- Filter subscriptions by event type (INSERT, UPDATE, DELETE) and conditions
- Unsubscribe on component unmount to prevent memory leaks
- Use broadcast for ephemeral messages (cursors, presence)
- Realtime respects RLS policies; no extra auth needed

Edge Functions:
- Use Deno-based edge functions for server-side logic
- Access Supabase with service_role key inside edge functions
- Deploy with supabase functions deploy
- Use environment variables for secrets (supabase secrets set)

Migrations:
- Use supabase migration new to create migration files
- Apply locally with supabase db reset (destructive) or supabase migration up
- Push to remote with supabase db push
- Store seed data in supabase/seed.sql for local development
- Never modify production schema outside of migrations