Claude Code Plugins

Community-maintained marketplace

Feedback

rls-templates

@vanman2024/ai-dev-marketplace
0
0

Row Level Security policy templates for Supabase - multi-tenant patterns, user isolation, role-based access, and secure-by-default configurations. Use when securing Supabase tables, implementing RLS policies, building multi-tenant AI apps, protecting user data, creating chat/RAG systems, or when user mentions row level security, RLS, Supabase security, tenant isolation, or data access policies.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name rls-templates
description Row Level Security policy templates for Supabase - multi-tenant patterns, user isolation, role-based access, and secure-by-default configurations. Use when securing Supabase tables, implementing RLS policies, building multi-tenant AI apps, protecting user data, creating chat/RAG systems, or when user mentions row level security, RLS, Supabase security, tenant isolation, or data access policies.
allowed-tools Bash, Read, Write, Edit

RLS Templates

Production-ready Row Level Security policy templates for Supabase applications, with focus on AI application patterns (multi-tenant chat, RAG systems, user-specific embeddings).

Instructions

1. Applying RLS Policies

Apply policies to tables:

# Apply user isolation policies
bash scripts/apply-rls-policies.sh user-isolation conversations messages

# Apply multi-tenant policies
bash scripts/apply-rls-policies.sh multi-tenant organizations org_members documents

# Apply AI-specific policies
bash scripts/apply-rls-policies.sh ai-chat conversations messages message_embeddings

Generate custom policy:

# Generate policy from template
bash scripts/generate-policy.sh user-isolation my_table user_id

# Generate with custom column
bash scripts/generate-policy.sh multi-tenant projects organization_id

2. Testing RLS Enforcement

Test policies work correctly:

# Test all policies on a table
bash scripts/test-rls-policies.sh conversations

# Test specific user context
bash scripts/test-rls-policies.sh messages --user-id "user-uuid-here"

# Test multi-tenant isolation
bash scripts/test-rls-policies.sh documents --org-id "org-uuid-here"

3. Auditing Security

Audit tables for missing RLS:

# Audit all tables in public schema
bash scripts/audit-rls.sh

# Audit specific tables
bash scripts/audit-rls.sh conversations messages embeddings

# Generate audit report
bash scripts/audit-rls.sh --report audit-report.md

4. Policy Pattern Selection

Choose the right pattern:

  • user-isolation.sql: User owns row directly (user_id column)

    • Use for: User profiles, settings, personal documents
    • Pattern: auth.uid() = user_id

  • multi-tenant.sql: Organization/team-based isolation

    • Use for: SaaS apps, team workspaces, shared resources
    • Pattern: Check organization membership via join

  • role-based-access.sql: Different permissions per role

    • Use for: Admin panels, hierarchical access, permission levels
    • Pattern: Check role from auth.jwt() claims

  • ai-chat-policies.sql: Chat/conversation data

    • Use for: AI chat apps, message history, conversation threads
    • Pattern: User owns conversation + participants table

  • embeddings-policies.sql: Vector/embedding data

    • Use for: RAG systems, semantic search, vector databases
    • Pattern: User owns source document that owns embeddings

Examples

Example 1: Secure Chat Application

-- Apply chat policies to tables
\i templates/ai-chat-policies.sql

-- Tables: conversations, messages, participants
-- Result: Users only see conversations they participate in

Example 2: Multi-Tenant RAG System

-- Apply organization isolation
\i templates/multi-tenant.sql

-- Apply embedding security
\i templates/embeddings-policies.sql

-- Tables: organizations, documents, document_embeddings
-- Result: Each org only sees their own documents and embeddings

Example 3: Role-Based Admin Panel

-- Apply role-based policies
\i templates/role-based-access.sql

-- Roles: admin (full access), editor (read/write), viewer (read-only)
-- Result: Different permissions based on user role

Requirements

Prerequisites

  • Supabase project with database access
  • PostgreSQL client (psql) installed
  • Environment variables set:
    • SUPABASE_DB_URL: PostgreSQL connection string
    • SUPABASE_ANON_KEY: For testing anon access
    • SUPABASE_SERVICE_KEY: For admin operations

Security Checklist

  • RLS enabled on all tables in public schema
  • Policies test both authenticated and anonymous access
  • Indexes created on columns used in policies (user_id, org_id, etc.)
  • Service key never exposed to client applications
  • Policies use (SELECT auth.uid()) for performance
  • WITH CHECK clause included on INSERT/UPDATE policies
  • Testing validates isolation between users/tenants

Performance Optimization

  • Create indexes: CREATE INDEX idx_table_user_id ON table(user_id);
  • Wrap auth functions: (SELECT auth.uid()) instead of auth.uid()
  • Always filter queries: .eq('user_id', userId) in client code
  • Use security definer functions for complex authorization logic
  • Specify roles in policies: TO authenticated to skip anon checks

Best Practices:

  1. Enable RLS before adding any data
  2. Test with multiple user contexts
  3. Use audit script regularly in CI/CD
  4. Document policy decisions in migration files
  5. Monitor query performance after adding policies