Engineering Advanced SupabaseRLSEdge Functions

Supabase Architect

Supabase development: Row-Level Security policies, Edge Functions, Realtime subscriptions, Storage, Auth configuration, and migration from Firebase.

A hands-on Supabase skill that covers the features developers most often get wrong: RLS policy design that doesn't break under joins, Edge Function patterns for server-side logic, Realtime subscription filtering, Storage bucket policies, and the Auth configuration details that prevent security holes. Includes migration patterns from Firebase Firestore.

Added Mar 20, 2026

$npx skills add johnefemer/skillfish --skill supabase-architect

Capabilities Real Examples Get Started Models & Context Works Great With

What This Skill Can Do

Concrete capabilities you get when you install this skill.

Design Row-Level Security policies that are correct, performant, and testable

Build Edge Functions with proper request validation, error handling, and Supabase client patterns

Configure Realtime subscriptions with channel filtering and presence for multi-user features

Set up Storage bucket policies with RLS integration for user-owned file access

Design Auth flows: email/magic link, OAuth providers, custom claims, and JWT hooks

Migrate Firebase Firestore data models and security rules to Postgres + RLS

Real Conversations

See how the Supabase Architect skill responds to actual requests. These are representative examples of what your AI agent will produce.

You

I'm building a multi-tenant SaaS where users belong to organizations. I need RLS so users can only see their org's data. How do I set this up correctly?

Agent

Multi-tenant RLS requires a membership table and using auth.uid() to look up org membership. Here's the full pattern:

Schema:

CREATE TABLE organizations (id uuid PRIMARY KEY DEFAULT gen_random_uuid(), name text);

CREATE TABLE org_members (
  user_id uuid REFERENCES auth.users(id) ON DELETE CASCADE,
  org_id uuid REFERENCES organizations(id) ON DELETE CASCADE,
  role text NOT NULL DEFAULT 'member', -- 'admin' | 'member'
  PRIMARY KEY (user_id, org_id)
);

CREATE TABLE projects (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  org_id uuid REFERENCES organizations(id) NOT NULL,
  name text NOT NULL
);

RLS Policies:

ALTER TABLE projects ENABLE ROW LEVEL SECURITY;

-- Members can read their org's projects
CREATE POLICY "read own org projects" ON projects
  FOR SELECT USING (
    org_id IN (
      SELECT org_id FROM org_members WHERE user_id = auth.uid()
    )
  );

-- Only org admins can create/delete projects
CREATE POLICY "admins manage projects" ON projects
  FOR ALL USING (
    org_id IN (
      SELECT org_id FROM org_members
      WHERE user_id = auth.uid() AND role = 'admin'
    )
  );

Performance — add index on the membership lookup:

CREATE INDEX org_members_user_id ON org_members(user_id);

Without this index, every RLS check is a sequential scan on org_members.

Test policies with SET LOCAL role = authenticated:

BEGIN;
SET LOCAL role = authenticated;
SET LOCAL request.jwt.claims = '{"sub": "user-uuid-here"}';
SELECT * FROM projects; -- should only return org's projects
ROLLBACK;

You

My Supabase Edge Function calls an external API but throws 'Failed to fetch' in production. Works fine locally with supabase functions serve.

Agent

Three common causes in production Edge Functions:

Cause 1 — Missing --allow-net in Deno permissions (most common) Supabase Edge Functions run in Deno with permission flags. If your function calls external APIs, verify your config.toml:

[functions.my-function]
verify_jwt = true
# Deno net permissions are granted automatically in hosted Supabase
# but if you see fetch errors, check the function logs for "PermissionDenied"

Check logs: supabase functions logs my-function --project-ref your-ref

Cause 2 — Environment variable not set in production

# Set secrets for production (not in config, not committed)
supabase secrets set MY_API_KEY=sk-live-...
# Verify
supabase secrets list

Locally supabase/functions/.env is loaded automatically. In production, only supabase secrets variables are injected.

Cause 3 — Incorrect fetch inside Edge Function

// Wrong — relative URL doesn't work in Edge Functions
const res = await fetch('/api/internal');

// Correct — always use absolute URLs
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const res = await fetch(`${supabaseUrl}/rest/v1/users`, {
  headers: {
    'apikey': Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!,
    'Authorization': `Bearer ${Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')}`,
  },
});

Run supabase functions logs my-function immediately after the failed request — the Deno error message will identify which of these three it is.

Get Started

How to install and use this skill in your preferred environment.

Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase.

Models & Context

Which AI models and context windows work best with this skill.

Recommended Models

Works well with Claude Sonnet or GPT-4o. Supabase-specific patterns (RLS, Edge Functions) are well-covered by frontier models with recent training data.

Context Window

SKILL.md is ~10KB. Load your schema, current RLS policies, and Edge Function code in context for debugging and policy review sessions.

Pro tips for best results

1

Be specific

Include numbers — users, budget, RPS — so the skill can size the architecture.

2

Share constraints

Compliance needs, team size, and existing stack all improve the output.

3

Iterate

Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.

4

Combine skills

Pair with companion skills below for end-to-end coverage.

Works Great With

These skills complement Supabase Architect for end-to-end coverage. Install them together for better results.

Senior Backend

REST APIs, database optimization, authentication, and microservices.

BackendAPIs

Senior Frontend

React, Next.js, TypeScript, Tailwind CSS, accessibility, and performance.

FrontendReact

Database Designer

Schema analysis, ERD generation, index optimization, and migrations.

DatabaseSchema

SaaS Scaffolder

Generate complete, production-ready SaaS projects from a product brief.

SaaSScaffolding

$ skillfish add johnefemer/skillfish --all # install all skills at once

Ready to try Supabase Architect?

Install the skill and start getting expert-level guidance in your workflow — any agent, any IDE.