supabase-enterprise-rbac

# Supabase Enterprise RBAC ## Overview Supabase supports custom role-based access control (RBAC) by storing role information in `app_metadata` on the user's JWT, then reading those claims in RLS policies via `auth.jwt() ->> 'role'`. This skill implements a complete RBAC system: defining roles in `app_metadata`, writing RLS policies that enforce role hierarchies, scoping access by organization, managing roles through the Admin API, and protecting API endpoints with role checks — all using real `createClient` from `@supabase/supabase-js`. **When to use:** Building multi-role applications (admin/editor/viewer), implementing organization-scoped access, creating custom permission systems beyond Supabase's built-in `anon`/`authenticated` roles, or scoping API operations by user role. ## Prerequisites - `@supabase/supabase-js` v2+ with service role key for admin operations - Understanding of JWT claims and Supabase's `auth.jwt()` SQL function - Database access via SQL Editor or `psql` for RLS policy creation - Supabase project with authentication configured ## Instructions ### Step 1: Define Roles via app_metadata and JWT Claims Store custom roles in the user's `app_metadata` using the Admin API. These claims appear in every JWT the user receives and are available in RLS policies. **Set user roles with the Admin API:** ```typescript import { createClient } from '@supabase/supabase-js'; const supabase = createClient( process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.S...