Supabase Checklists | Development Standards

New Table

Creating any new database table — schema, constraints, indexes, RLS, migration

RLS Policies

Writing or reviewing Row Level Security policies — patterns, role matrix, testing

New API Endpoint

Building any new endpoint — choosing API type, auth, validation, error format, documentation

Edge Function

Building an Edge Function — structure, auth, validation, secrets, webhooks, logging

RPC Function

Writing any Postgres RPC function — SECURITY mode, parameter types, validation order, error format, transaction safety, documentation

Storage Bucket

Creating a storage bucket — visibility, RLS policies, file path structure, signed URLs, upload/delete flow

Database Trigger

Writing a database trigger — BEFORE vs AFTER, trigger function standards, timestamps pattern, audit log pattern

Quick Reference — Core Supabase Rules

Every exposed table has RLS enabled
No table accessible without a matching RLS policy
Service role key never appears in frontend code
Role always read from the database — never from request payload
workspace_id verified via membership subquery, not just matched against payload
created_by set in RLS INSERT policy WITH CHECK — not from request body
Every API endpoint has documentation before frontend handoff
Every endpoint tested for success, unauthorized, forbidden, not found, duplicate, validation error

Related Standards

Supabase Standards Backend-First Logic Code Reusability Standards