Design: RLS (Row Level Security) Plan
To secure the backend against direct frontend tampering, we must implement Row Level Security in Supabase.
Phase A: User-Facing Tables (Priority 1)
These tables are accessible by the student app.
profiles
- Policy: Users can read their own profile.
- SQL:
auth.uid() = user_id
wallet
- Policy: Users can read their own balance.
- Restriction: NO ONE can update via the public API (Updates only via service_role).
- SQL:
auth.uid() = user_id (SELECT only).
usage_logs
- Policy: Users can read their own history.
- SQL:
auth.uid() = user_id
Phase B: Admin Tables (Priority 2)
These tables should be restricted to users with the admin role.
references, scrape_runs
- Policy: service_role can do everything. admin can read/write.
- Check:
(auth.jwt() ->> 'role') = 'admin'
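The policies for both phases written out as Postgres DDL, plus a smoke test for the Testing phase. This is an added example, not the project's own migration: it assumes the tables live in the `public` schema, that the student app connects as Supabase's `authenticated` role, and that `wallet` has a `balance` column. Note that `references` is a reserved word in PostgreSQL and must be quoted, and that Supabase uses the top-level `role` JWT claim for the database role (`authenticated`, `anon`, `service_role`), so the admin check only works if the `admin` value is actually issued in that claim; many deployments put app roles under `app_metadata` instead and adjust the check accordingly.

```sql
-- Phase A: user-facing tables. Enabling RLS with only a SELECT policy
-- means anon/authenticated writes are rejected; the service_role key
-- bypasses RLS, so server-side updates (e.g. to wallet) still work.
alter table public.profiles enable row level security;
create policy "profiles: read own" on public.profiles
  for select to authenticated
  using (auth.uid() = user_id);

alter table public.wallet enable row level security;
create policy "wallet: read own balance" on public.wallet
  for select to authenticated
  using (auth.uid() = user_id);
-- Deliberately no insert/update/delete policy on wallet.

alter table public.usage_logs enable row level security;
create policy "usage_logs: read own history" on public.usage_logs
  for select to authenticated
  using (auth.uid() = user_id);

-- Phase B: admin tables. "references" is a reserved word, hence quoted.
-- WITH CHECK applies the same test to rows being written, so a
-- non-admin cannot insert/update rows either.
alter table public."references" enable row level security;
create policy "references: admin read/write" on public."references"
  for all to authenticated
  using ((auth.jwt() ->> 'role') = 'admin')
  with check ((auth.jwt() ->> 'role') = 'admin');

alter table public.scrape_runs enable row level security;
create policy "scrape_runs: admin read/write" on public.scrape_runs
  for all to authenticated
  using ((auth.jwt() ->> 'role') = 'admin')
  with check ((auth.jwt() ->> 'role') = 'admin');

-- Testing phase smoke test: impersonate a non-admin user inside a
-- transaction and confirm reads are scoped while writes are refused.
-- The sub value is a constructed placeholder user id.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);
select * from public.wallet;            -- returns only this user's row
update public.wallet set balance = 0;   -- UPDATE 0: no policy permits it
select count(*) from public.scrape_runs; -- 0: not admin, nothing visible
rollback;
```

Run the policy block as a migration with the service_role connection; the test block can be pasted into the SQL editor and left inside its transaction so nothing persists.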
Implementation Timeline
- Drafting: Feb 20, 2026.
- Testing: Feb 22, 2026.
- Enforcement: Feb 25, 2026.