@nextsparkjs/ai-workflow 0.1.0-beta.164 → 0.1.0-beta.167

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/claude/skills/README.md +72 -47
  2. package/claude/skills/anthropics-mcp-builder/LICENSE.txt +202 -0
  3. package/claude/skills/anthropics-mcp-builder/SKILL.md +236 -0
  4. package/claude/skills/anthropics-mcp-builder/reference/evaluation.md +602 -0
  5. package/claude/skills/anthropics-mcp-builder/reference/mcp_best_practices.md +249 -0
  6. package/claude/skills/anthropics-mcp-builder/reference/node_mcp_server.md +970 -0
  7. package/claude/skills/anthropics-mcp-builder/reference/python_mcp_server.md +719 -0
  8. package/claude/skills/anthropics-mcp-builder/scripts/connections.py +151 -0
  9. package/claude/skills/anthropics-mcp-builder/scripts/evaluation.py +373 -0
  10. package/claude/skills/anthropics-mcp-builder/scripts/example_evaluation.xml +22 -0
  11. package/claude/skills/anthropics-mcp-builder/scripts/requirements.txt +2 -0
  12. package/claude/skills/anthropics-skill-creator/LICENSE.txt +202 -0
  13. package/claude/skills/anthropics-skill-creator/SKILL.md +485 -0
  14. package/claude/skills/anthropics-skill-creator/agents/analyzer.md +274 -0
  15. package/claude/skills/anthropics-skill-creator/agents/comparator.md +202 -0
  16. package/claude/skills/anthropics-skill-creator/agents/grader.md +223 -0
  17. package/claude/skills/anthropics-skill-creator/assets/eval_review.html +146 -0
  18. package/claude/skills/anthropics-skill-creator/eval-viewer/generate_review.py +471 -0
  19. package/claude/skills/anthropics-skill-creator/eval-viewer/viewer.html +1325 -0
  20. package/claude/skills/anthropics-skill-creator/references/schemas.md +430 -0
  21. package/claude/skills/anthropics-skill-creator/scripts/__init__.py +0 -0
  22. package/claude/skills/anthropics-skill-creator/scripts/aggregate_benchmark.py +401 -0
  23. package/claude/skills/anthropics-skill-creator/scripts/generate_report.py +326 -0
  24. package/claude/skills/anthropics-skill-creator/scripts/improve_description.py +247 -0
  25. package/claude/skills/anthropics-skill-creator/scripts/package_skill.py +136 -0
  26. package/claude/skills/anthropics-skill-creator/scripts/quick_validate.py +103 -0
  27. package/claude/skills/anthropics-skill-creator/scripts/run_eval.py +310 -0
  28. package/claude/skills/anthropics-skill-creator/scripts/run_loop.py +328 -0
  29. package/claude/skills/anthropics-skill-creator/scripts/utils.py +47 -0
  30. package/claude/skills/api-bypass-layers/SKILL.md +20 -7
  31. package/claude/skills/database-migrations/SKILL.md +23 -8
  32. package/claude/skills/entity-system/SKILL.md +2 -2
  33. package/claude/skills/entity-system/scripts/generate-migration.py +64 -54
  34. package/claude/skills/nextjs-api-development/SKILL.md +6 -1
  35. package/claude/skills/permissions-system/SKILL.md +11 -2
  36. package/claude/skills/rls-enforcement/SKILL.md +192 -0
  37. package/claude/skills/rls-enforcement/evals/RESULTS.md +24 -0
  38. package/claude/skills/rls-enforcement/evals/evals.json +56 -0
  39. package/claude/skills/service-layer/SKILL.md +13 -2
  40. package/package.json +1 -1
  41. package/LICENSE +0 -21
@@ -0,0 +1,328 @@
1
+ #!/usr/bin/env python3
2
+ """Run the eval + improve loop until all pass or max iterations reached.
3
+
4
+ Combines run_eval.py and improve_description.py in a loop, tracking history
5
+ and returning the best description found. Supports train/test split to prevent
6
+ overfitting.
7
+ """
8
+
9
+ import argparse
10
+ import json
11
+ import random
12
+ import sys
13
+ import tempfile
14
+ import time
15
+ import webbrowser
16
+ from pathlib import Path
17
+
18
+ from scripts.generate_report import generate_html
19
+ from scripts.improve_description import improve_description
20
+ from scripts.run_eval import find_project_root, run_eval
21
+ from scripts.utils import parse_skill_md
22
+
23
+
24
+ def split_eval_set(eval_set: list[dict], holdout: float, seed: int = 42) -> tuple[list[dict], list[dict]]:
25
+ """Split eval set into train and test sets, stratified by should_trigger."""
26
+ random.seed(seed)
27
+
28
+ # Separate by should_trigger
29
+ trigger = [e for e in eval_set if e["should_trigger"]]
30
+ no_trigger = [e for e in eval_set if not e["should_trigger"]]
31
+
32
+ # Shuffle each group
33
+ random.shuffle(trigger)
34
+ random.shuffle(no_trigger)
35
+
36
+ # Calculate split points
37
+ n_trigger_test = max(1, int(len(trigger) * holdout))
38
+ n_no_trigger_test = max(1, int(len(no_trigger) * holdout))
39
+
40
+ # Split
41
+ test_set = trigger[:n_trigger_test] + no_trigger[:n_no_trigger_test]
42
+ train_set = trigger[n_trigger_test:] + no_trigger[n_no_trigger_test:]
43
+
44
+ return train_set, test_set
45
+
46
+
47
+ def run_loop(
48
+ eval_set: list[dict],
49
+ skill_path: Path,
50
+ description_override: str | None,
51
+ num_workers: int,
52
+ timeout: int,
53
+ max_iterations: int,
54
+ runs_per_query: int,
55
+ trigger_threshold: float,
56
+ holdout: float,
57
+ model: str,
58
+ verbose: bool,
59
+ live_report_path: Path | None = None,
60
+ log_dir: Path | None = None,
61
+ ) -> dict:
62
+ """Run the eval + improvement loop."""
63
+ project_root = find_project_root()
64
+ name, original_description, content = parse_skill_md(skill_path)
65
+ current_description = description_override or original_description
66
+
67
+ # Split into train/test if holdout > 0
68
+ if holdout > 0:
69
+ train_set, test_set = split_eval_set(eval_set, holdout)
70
+ if verbose:
71
+ print(f"Split: {len(train_set)} train, {len(test_set)} test (holdout={holdout})", file=sys.stderr)
72
+ else:
73
+ train_set = eval_set
74
+ test_set = []
75
+
76
+ history = []
77
+ exit_reason = "unknown"
78
+
79
+ for iteration in range(1, max_iterations + 1):
80
+ if verbose:
81
+ print(f"\n{'='*60}", file=sys.stderr)
82
+ print(f"Iteration {iteration}/{max_iterations}", file=sys.stderr)
83
+ print(f"Description: {current_description}", file=sys.stderr)
84
+ print(f"{'='*60}", file=sys.stderr)
85
+
86
+ # Evaluate train + test together in one batch for parallelism
87
+ all_queries = train_set + test_set
88
+ t0 = time.time()
89
+ all_results = run_eval(
90
+ eval_set=all_queries,
91
+ skill_name=name,
92
+ description=current_description,
93
+ num_workers=num_workers,
94
+ timeout=timeout,
95
+ project_root=project_root,
96
+ runs_per_query=runs_per_query,
97
+ trigger_threshold=trigger_threshold,
98
+ model=model,
99
+ )
100
+ eval_elapsed = time.time() - t0
101
+
102
+ # Split results back into train/test by matching queries
103
+ train_queries_set = {q["query"] for q in train_set}
104
+ train_result_list = [r for r in all_results["results"] if r["query"] in train_queries_set]
105
+ test_result_list = [r for r in all_results["results"] if r["query"] not in train_queries_set]
106
+
107
+ train_passed = sum(1 for r in train_result_list if r["pass"])
108
+ train_total = len(train_result_list)
109
+ train_summary = {"passed": train_passed, "failed": train_total - train_passed, "total": train_total}
110
+ train_results = {"results": train_result_list, "summary": train_summary}
111
+
112
+ if test_set:
113
+ test_passed = sum(1 for r in test_result_list if r["pass"])
114
+ test_total = len(test_result_list)
115
+ test_summary = {"passed": test_passed, "failed": test_total - test_passed, "total": test_total}
116
+ test_results = {"results": test_result_list, "summary": test_summary}
117
+ else:
118
+ test_results = None
119
+ test_summary = None
120
+
121
+ history.append({
122
+ "iteration": iteration,
123
+ "description": current_description,
124
+ "train_passed": train_summary["passed"],
125
+ "train_failed": train_summary["failed"],
126
+ "train_total": train_summary["total"],
127
+ "train_results": train_results["results"],
128
+ "test_passed": test_summary["passed"] if test_summary else None,
129
+ "test_failed": test_summary["failed"] if test_summary else None,
130
+ "test_total": test_summary["total"] if test_summary else None,
131
+ "test_results": test_results["results"] if test_results else None,
132
+ # For backward compat with report generator
133
+ "passed": train_summary["passed"],
134
+ "failed": train_summary["failed"],
135
+ "total": train_summary["total"],
136
+ "results": train_results["results"],
137
+ })
138
+
139
+ # Write live report if path provided
140
+ if live_report_path:
141
+ partial_output = {
142
+ "original_description": original_description,
143
+ "best_description": current_description,
144
+ "best_score": "in progress",
145
+ "iterations_run": len(history),
146
+ "holdout": holdout,
147
+ "train_size": len(train_set),
148
+ "test_size": len(test_set),
149
+ "history": history,
150
+ }
151
+ live_report_path.write_text(generate_html(partial_output, auto_refresh=True, skill_name=name))
152
+
153
+ if verbose:
154
+ def print_eval_stats(label, results, elapsed):
155
+ pos = [r for r in results if r["should_trigger"]]
156
+ neg = [r for r in results if not r["should_trigger"]]
157
+ tp = sum(r["triggers"] for r in pos)
158
+ pos_runs = sum(r["runs"] for r in pos)
159
+ fn = pos_runs - tp
160
+ fp = sum(r["triggers"] for r in neg)
161
+ neg_runs = sum(r["runs"] for r in neg)
162
+ tn = neg_runs - fp
163
+ total = tp + tn + fp + fn
164
+ precision = tp / (tp + fp) if (tp + fp) > 0 else 1.0
165
+ recall = tp / (tp + fn) if (tp + fn) > 0 else 1.0
166
+ accuracy = (tp + tn) / total if total > 0 else 0.0
167
+ print(f"{label}: {tp+tn}/{total} correct, precision={precision:.0%} recall={recall:.0%} accuracy={accuracy:.0%} ({elapsed:.1f}s)", file=sys.stderr)
168
+ for r in results:
169
+ status = "PASS" if r["pass"] else "FAIL"
170
+ rate_str = f"{r['triggers']}/{r['runs']}"
171
+ print(f" [{status}] rate={rate_str} expected={r['should_trigger']}: {r['query'][:60]}", file=sys.stderr)
172
+
173
+ print_eval_stats("Train", train_results["results"], eval_elapsed)
174
+ if test_summary:
175
+ print_eval_stats("Test ", test_results["results"], 0)
176
+
177
+ if train_summary["failed"] == 0:
178
+ exit_reason = f"all_passed (iteration {iteration})"
179
+ if verbose:
180
+ print(f"\nAll train queries passed on iteration {iteration}!", file=sys.stderr)
181
+ break
182
+
183
+ if iteration == max_iterations:
184
+ exit_reason = f"max_iterations ({max_iterations})"
185
+ if verbose:
186
+ print(f"\nMax iterations reached ({max_iterations}).", file=sys.stderr)
187
+ break
188
+
189
+ # Improve the description based on train results
190
+ if verbose:
191
+ print(f"\nImproving description...", file=sys.stderr)
192
+
193
+ t0 = time.time()
194
+ # Strip test scores from history so improvement model can't see them
195
+ blinded_history = [
196
+ {k: v for k, v in h.items() if not k.startswith("test_")}
197
+ for h in history
198
+ ]
199
+ new_description = improve_description(
200
+ skill_name=name,
201
+ skill_content=content,
202
+ current_description=current_description,
203
+ eval_results=train_results,
204
+ history=blinded_history,
205
+ model=model,
206
+ log_dir=log_dir,
207
+ iteration=iteration,
208
+ )
209
+ improve_elapsed = time.time() - t0
210
+
211
+ if verbose:
212
+ print(f"Proposed ({improve_elapsed:.1f}s): {new_description}", file=sys.stderr)
213
+
214
+ current_description = new_description
215
+
216
+ # Find the best iteration by TEST score (or train if no test set)
217
+ if test_set:
218
+ best = max(history, key=lambda h: h["test_passed"] or 0)
219
+ best_score = f"{best['test_passed']}/{best['test_total']}"
220
+ else:
221
+ best = max(history, key=lambda h: h["train_passed"])
222
+ best_score = f"{best['train_passed']}/{best['train_total']}"
223
+
224
+ if verbose:
225
+ print(f"\nExit reason: {exit_reason}", file=sys.stderr)
226
+ print(f"Best score: {best_score} (iteration {best['iteration']})", file=sys.stderr)
227
+
228
+ return {
229
+ "exit_reason": exit_reason,
230
+ "original_description": original_description,
231
+ "best_description": best["description"],
232
+ "best_score": best_score,
233
+ "best_train_score": f"{best['train_passed']}/{best['train_total']}",
234
+ "best_test_score": f"{best['test_passed']}/{best['test_total']}" if test_set else None,
235
+ "final_description": current_description,
236
+ "iterations_run": len(history),
237
+ "holdout": holdout,
238
+ "train_size": len(train_set),
239
+ "test_size": len(test_set),
240
+ "history": history,
241
+ }
242
+
243
+
244
+ def main():
245
+ parser = argparse.ArgumentParser(description="Run eval + improve loop")
246
+ parser.add_argument("--eval-set", required=True, help="Path to eval set JSON file")
247
+ parser.add_argument("--skill-path", required=True, help="Path to skill directory")
248
+ parser.add_argument("--description", default=None, help="Override starting description")
249
+ parser.add_argument("--num-workers", type=int, default=10, help="Number of parallel workers")
250
+ parser.add_argument("--timeout", type=int, default=30, help="Timeout per query in seconds")
251
+ parser.add_argument("--max-iterations", type=int, default=5, help="Max improvement iterations")
252
+ parser.add_argument("--runs-per-query", type=int, default=3, help="Number of runs per query")
253
+ parser.add_argument("--trigger-threshold", type=float, default=0.5, help="Trigger rate threshold")
254
+ parser.add_argument("--holdout", type=float, default=0.4, help="Fraction of eval set to hold out for testing (0 to disable)")
255
+ parser.add_argument("--model", required=True, help="Model for improvement")
256
+ parser.add_argument("--verbose", action="store_true", help="Print progress to stderr")
257
+ parser.add_argument("--report", default="auto", help="Generate HTML report at this path (default: 'auto' for temp file, 'none' to disable)")
258
+ parser.add_argument("--results-dir", default=None, help="Save all outputs (results.json, report.html, log.txt) to a timestamped subdirectory here")
259
+ args = parser.parse_args()
260
+
261
+ eval_set = json.loads(Path(args.eval_set).read_text())
262
+ skill_path = Path(args.skill_path)
263
+
264
+ if not (skill_path / "SKILL.md").exists():
265
+ print(f"Error: No SKILL.md found at {skill_path}", file=sys.stderr)
266
+ sys.exit(1)
267
+
268
+ name, _, _ = parse_skill_md(skill_path)
269
+
270
+ # Set up live report path
271
+ if args.report != "none":
272
+ if args.report == "auto":
273
+ timestamp = time.strftime("%Y%m%d_%H%M%S")
274
+ live_report_path = Path(tempfile.gettempdir()) / f"skill_description_report_{skill_path.name}_{timestamp}.html"
275
+ else:
276
+ live_report_path = Path(args.report)
277
+ # Open the report immediately so the user can watch
278
+ live_report_path.write_text("<html><body><h1>Starting optimization loop...</h1><meta http-equiv='refresh' content='5'></body></html>")
279
+ webbrowser.open(str(live_report_path))
280
+ else:
281
+ live_report_path = None
282
+
283
+ # Determine output directory (create before run_loop so logs can be written)
284
+ if args.results_dir:
285
+ timestamp = time.strftime("%Y-%m-%d_%H%M%S")
286
+ results_dir = Path(args.results_dir) / timestamp
287
+ results_dir.mkdir(parents=True, exist_ok=True)
288
+ else:
289
+ results_dir = None
290
+
291
+ log_dir = results_dir / "logs" if results_dir else None
292
+
293
+ output = run_loop(
294
+ eval_set=eval_set,
295
+ skill_path=skill_path,
296
+ description_override=args.description,
297
+ num_workers=args.num_workers,
298
+ timeout=args.timeout,
299
+ max_iterations=args.max_iterations,
300
+ runs_per_query=args.runs_per_query,
301
+ trigger_threshold=args.trigger_threshold,
302
+ holdout=args.holdout,
303
+ model=args.model,
304
+ verbose=args.verbose,
305
+ live_report_path=live_report_path,
306
+ log_dir=log_dir,
307
+ )
308
+
309
+ # Save JSON output
310
+ json_output = json.dumps(output, indent=2)
311
+ print(json_output)
312
+ if results_dir:
313
+ (results_dir / "results.json").write_text(json_output)
314
+
315
+ # Write final HTML report (without auto-refresh)
316
+ if live_report_path:
317
+ live_report_path.write_text(generate_html(output, auto_refresh=False, skill_name=name))
318
+ print(f"\nReport: {live_report_path}", file=sys.stderr)
319
+
320
+ if results_dir and live_report_path:
321
+ (results_dir / "report.html").write_text(generate_html(output, auto_refresh=False, skill_name=name))
322
+
323
+ if results_dir:
324
+ print(f"Results saved to: {results_dir}", file=sys.stderr)
325
+
326
+
327
+ if __name__ == "__main__":
328
+ main()
@@ -0,0 +1,47 @@
1
+ """Shared utilities for skill-creator scripts."""
2
+
3
+ from pathlib import Path
4
+
5
+
6
+
7
+ def parse_skill_md(skill_path: Path) -> tuple[str, str, str]:
8
+ """Parse a SKILL.md file, returning (name, description, full_content)."""
9
+ content = (skill_path / "SKILL.md").read_text()
10
+ lines = content.split("\n")
11
+
12
+ if lines[0].strip() != "---":
13
+ raise ValueError("SKILL.md missing frontmatter (no opening ---)")
14
+
15
+ end_idx = None
16
+ for i, line in enumerate(lines[1:], start=1):
17
+ if line.strip() == "---":
18
+ end_idx = i
19
+ break
20
+
21
+ if end_idx is None:
22
+ raise ValueError("SKILL.md missing frontmatter (no closing ---)")
23
+
24
+ name = ""
25
+ description = ""
26
+ frontmatter_lines = lines[1:end_idx]
27
+ i = 0
28
+ while i < len(frontmatter_lines):
29
+ line = frontmatter_lines[i]
30
+ if line.startswith("name:"):
31
+ name = line[len("name:"):].strip().strip('"').strip("'")
32
+ elif line.startswith("description:"):
33
+ value = line[len("description:"):].strip()
34
+ # Handle YAML multiline indicators (>, |, >-, |-)
35
+ if value in (">", "|", ">-", "|-"):
36
+ continuation_lines: list[str] = []
37
+ i += 1
38
+ while i < len(frontmatter_lines) and (frontmatter_lines[i].startswith(" ") or frontmatter_lines[i].startswith("\t")):
39
+ continuation_lines.append(frontmatter_lines[i].strip())
40
+ i += 1
41
+ description = " ".join(continuation_lines)
42
+ continue
43
+ else:
44
+ description = value.strip('"').strip("'")
45
+ i += 1
46
+
47
+ return name, description, content
@@ -1,11 +1,12 @@
1
1
  ---
2
2
  name: api-bypass-layers
3
3
  description: |
4
- Multi-layer security architecture for API bypass (superadmin/developer).
5
- Covers authentication layers, authorization, team context, RLS policies, and three-layer bypass validation.
4
+ Multi-layer security architecture for API bypass (superadmin/developer): can_bypass_rls(),
5
+ three-layer bypass validation, team context, and the RLS final-defense layer.
6
6
  Use this skill when implementing admin bypass features or validating security architecture.
7
+ For the runtime RLS plumbing (service connection pool, nextspark_app cutover) see rls-enforcement.
7
8
  allowed-tools: Read, Glob, Grep
8
- version: 1.1.0
9
+ version: 1.2.0
9
10
  ---
10
11
 
11
12
  # API Bypass Layers Skill
@@ -18,8 +19,9 @@ Security architecture for superadmin and developer bypass access in the API laye
18
19
  |------|---------|
19
20
  | `packages/core/src/lib/api/auth/dual-auth.ts` | App-level bypass (canBypassTeamContext) |
20
21
  | `packages/core/src/lib/api/entity/generic-handler.ts` | CRUD handler (validateTeamContextWithBypass) |
21
- | `packages/core/migrations/001_better_auth_and_functions.sql` | get_auth_user_id() function |
22
- | `packages/core/migrations/010_teams_functions_triggers.sql` | can_bypass_rls(), get_user_team_ids(), RLS policies |
22
+ | `packages/core/migrations/001_better_auth_and_functions.sql` | get_auth_user_id(), **can_bypass_rls(), is_superadmin(), auth_user_can_see_user()** (moved here in beta.167) |
23
+ | `packages/core/migrations/010_teams_functions_triggers.sql` | get_user_team_ids(), teams RLS policies |
24
+ | `packages/core/src/lib/db.ts` | service connection pool (RLS-bypass) for system ops — see rls-enforcement |
23
25
  | `packages/core/migrations/090_sample_data.sql` | System Admin Team (team-nextspark-001) |
24
26
 
25
27
  ## Architecture Overview
@@ -80,6 +82,16 @@ Security architecture for superadmin and developer bypass access in the API laye
80
82
  └─────────────────────────────────────────────────────────────────┘
81
83
  ```
82
84
 
85
+ > **beta.167 additions (see the `rls-enforcement` skill):**
86
+ > - **Service connection (RLS-bypass):** system operations without a user GUC (Better Auth,
87
+ > scheduler/processor, webhooks, the `checkSystemAdminMembership` bypass check, team/
88
+ > subscription bootstrap) run on a separate pool (`DATABASE_SERVICE_URL`). This is the
89
+ > plumbing that keeps the bypass paths working once the app connects as the non-owner
90
+ > `nextspark_app` role.
91
+ > - **Fail-closed permission check:** in `generic-handler.ts`, LIST/READ now enforce session
92
+ > permissions and a thrown permission check returns `500 PERMISSION_CHECK_FAILED` (never
93
+ > "allow"). Admin-bypass and api-key paths are skipped.
94
+
83
95
  ## When to Use This Skill
84
96
 
85
97
  - Understanding the multi-layer security model
@@ -210,7 +222,7 @@ if (userId && !entityConfig.access?.shared && !skipUserFilter && !isBypass) {
210
222
 
211
223
  ## Database-Level Bypass: can_bypass_rls()
212
224
 
213
- **File:** `packages/core/migrations/010_teams_functions_triggers.sql:115-147`
225
+ **File:** `packages/core/migrations/001_better_auth_and_functions.sql` (moved here in beta.167 so the hardened auth-table policies in `002` can use it; it was previously in `010`)
214
226
 
215
227
  **CRITICAL DIFFERENCE from App-Level:**
216
228
  - **Superadmin:** ALWAYS bypasses RLS (no team membership check)
@@ -418,7 +430,7 @@ const headers = {
418
430
  │ LAYER 4: Query Building (generic-handler.ts:509+) │
419
431
  │ └─ Add teamId/userId filters based on isBypass flag │
420
432
  │ │
421
- │ LAYER 5: Database RLS (010_teams_functions_triggers.sql:115-147)
433
+ │ LAYER 5: Database RLS (can_bypass_rls() defined in 001, beta.167)
422
434
  │ └─ can_bypass_rls() OR teamId = ANY(get_user_team_ids()) │
423
435
  │ │
424
436
  └──────────────────────────────────────────────────────────────────────────┘
@@ -546,5 +558,6 @@ Before finalizing bypass implementation:
546
558
  - `better-auth` - Authentication patterns and session management
547
559
  - `permissions-system` - RBAC + Features + Quotas permission model
548
560
  - `database-migrations` - PostgreSQL RLS policies
561
+ - `rls-enforcement` - Runtime RLS: service connection pool, nextspark_app cutover, fail-closed
549
562
  - `nextjs-api-development` - API route patterns with dual auth
550
563
  - `cypress-api` - API testing with bypass scenarios
@@ -1,11 +1,12 @@
1
1
  ---
2
2
  name: database-migrations
3
3
  description: |
4
- PostgreSQL migration patterns with RLS, Better Auth integration, and TIMESTAMPTZ.
4
+ PostgreSQL migration patterns: writing RLS policy SQL, Better Auth integration, and TIMESTAMPTZ.
5
5
  Covers main tables, meta tables, child entities, and sample data.
6
6
  Use this skill when creating migrations, validating SQL, or generating sample data.
7
+ For the RUNTIME RLS model (service pool, nextspark_app cutover, fail-closed) see rls-enforcement.
7
8
  allowed-tools: Read, Glob, Grep, Bash(python:*)
8
- version: 1.0.0
9
+ version: 1.1.0
9
10
  ---
10
11
 
11
12
  # Database Migrations Skill
@@ -110,6 +111,15 @@ REFERENCES public."Parent"(id) ON DELETE CASCADE
110
111
 
111
112
  ## RLS Patterns (4 Cases)
112
113
 
114
+ > **Before writing core-table policies (beta.167):**
115
+ > - RLS primitives (`can_bypass_rls`, `auth_user_can_see_user`, `is_superadmin`) live in
116
+ > migration **`001`** — a policy on an early table (e.g. `002`) that references a function
117
+ > or table defined later fails at `CREATE POLICY` time. Wrap forward-dependent logic in a
118
+ > `SECURITY DEFINER` helper in `001` (table refs resolve at call time).
119
+ > - **`team_role` is `TEXT`** (not an ENUM): `role TEXT NOT NULL DEFAULT 'member'`. Never
120
+ > `ALTER TYPE team_role`.
121
+ > - For the runtime model (service pool, `nextspark_app`, cutover) see the **rls-enforcement** skill.
122
+
113
123
  ### Case 1: Private to Owner
114
124
  ```sql
115
125
  CREATE POLICY "Entity owner can do all"
@@ -144,19 +154,24 @@ WITH CHECK (true);
144
154
 
145
155
  ### Case 4: Public Read with Auth Write
146
156
  ```sql
147
- -- Anonymous can read published
148
- CREATE POLICY "Entity public can select"
149
- ON public."Entity"
150
- FOR SELECT TO anon
151
- USING (published = TRUE);
152
-
153
157
  -- Authenticated can manage all
154
158
  CREATE POLICY "Entity auth can do all"
155
159
  ON public."Entity"
156
160
  FOR ALL TO authenticated
157
161
  USING (true)
158
162
  WITH CHECK (true);
163
+
164
+ -- (Supabase Data API ONLY) anonymous can read published rows
165
+ CREATE POLICY "Entity public can select"
166
+ ON public."Entity"
167
+ FOR SELECT TO anon
168
+ USING (published = TRUE);
159
169
  ```
170
+ > ⚠️ The **app does NOT use the `anon` role**. Public/unauthenticated reads enter with
171
+ > `userId = null` → **service pool (bypass)** and are filtered in SQL by the handler
172
+ > (e.g. `published = TRUE`). The `TO anon` policy above only matters if you expose the
173
+ > **Supabase PostgREST / Data API** (migration `022` revokes `anon` as defense for that
174
+ > surface). Don't rely on it for the app's public-read path.
160
175
 
161
176
  ## Meta Tables Pattern
162
177
 
@@ -5,7 +5,7 @@ description: |
5
5
  Includes: config, fields, types, service, messages (i18n), migrations.
6
6
  Use this skill to create, modify, or understand system entities.
7
7
  allowed-tools: Read, Glob, Grep, Bash(python:*)
8
- version: 1.0.0
8
+ version: 1.1.0
9
9
  ---
10
10
 
11
11
  # Entity System Skill
@@ -313,7 +313,7 @@ interface ActionConfig {
313
313
  2. **Team**: teamId from httpOnly cookie `activeTeamId`
314
314
  3. **Permissions**: Verified against `permissions.config.ts`
315
315
  4. **Validation**: Fields validated against entity schema
316
- 5. **RLS**: Queries executed with Row-Level Security
316
+ 5. **RLS**: Queries executed with Row-Level Security (user-scoped reads pass `userId` → app pool; see the `rls-enforcement` skill for the runtime service-pool model and LIST/READ fail-closed enforcement)
317
317
  6. **Team Isolation**: All operations filter by active teamId (prevents cross-team access for multi-team users)
318
318
 
319
319
  ### Team Isolation (Multi-Team Users)