npm - @polymorphism-tech/morph-spec - Versions diffs - 3.2.0 → 4.3.0 - Mend

@polymorphism-tech/morph-spec 3.2.0 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (386) hide show

package/stacks/nextjs-supabase/.morph/standards/nextjs-patterns.md DELETED Viewed

@@ -1,193 +0,0 @@
-# Next.js 15 Patterns Standard
-> Stack: Next.js 15 + Supabase + .NET Backend
-## Core Rules
-- ALWAYS use App Router (not Pages Router)
-- Default to Server Components -- add `'use client'` only when needed
-- ALWAYS colocate loading.tsx and error.tsx with page.tsx
-- NEVER call Supabase directly from client -- use Route Handlers as BFF
-- ALWAYS validate inputs with Zod on both client and server
-- Use TypeScript strict mode (`"strict": true`)
-## Server vs Client Components
-| Aspect | Server Component (default) | Client Component (`'use client'`) |
-|--------|---------------------------|-----------------------------------|
-| Renders | Server only | Server SSR + Client hydration |
-| Access to | DB, env vars, fs, async/await | Browser APIs, useState, useEffect, events |
-| Bundle | Not included | Included in JS bundle |
-| Use when | Data fetching, static content | Interactivity, forms, real-time |
-Decision: Need useState/useEffect/onClick/browser APIs? Client Component. Otherwise Server Component.
-## File-Based Routing
-```
-app/
-  layout.tsx              # Root layout
-  page.tsx                # / (home)
-  loading.tsx / error.tsx # Loading UI / Error boundary
-  not-found.tsx           # 404
-  dashboard/
-    layout.tsx            # Nested layout
-    page.tsx              # /dashboard
-    loading.tsx
-  api/documents/
-    route.ts              # GET/POST /api/documents
-    [id]/route.ts         # GET/PUT/DELETE /api/documents/:id
-```
-## Layout and Error Boundaries
-```tsx
-export default function RootLayout({ children }: { children: React.ReactNode }) {
-  return <html lang="en"><body><Providers>{children}</Providers></body></html>;
-}
-// loading.tsx
-export default function Loading() { return <div className="animate-pulse">Loading...</div>; }
-// error.tsx — MUST be 'use client'
-'use client';
-export default function Error({ error, reset }: { error: Error; reset: () => void }) {
-  return <div><h2>Something went wrong</h2><button onClick={reset}>Try again</button></div>;
-}
-```
-## Route Handlers (BFF Pattern)
-```ts
-// app/api/documents/route.ts
-import { createClient } from "@/lib/supabase/server";
-import { NextResponse } from "next/server";
-import { z } from "zod";
-const CreateSchema = z.object({
-  title: z.string().min(1).max(200),
-  content: z.string().min(1),
-});
-export async function GET() {
-  const supabase = await createClient();
-  const { data: { user } } = await supabase.auth.getUser();
-  if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  const { data, error } = await supabase.from("documents").select("*");
-  if (error) return NextResponse.json({ error: error.message }, { status: 500 });
-  return NextResponse.json(data);
-}
-export async function POST(request: Request) {
-  const supabase = await createClient();
-  const { data: { user } } = await supabase.auth.getUser();
-  if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  const parsed = CreateSchema.safeParse(await request.json());
-  if (!parsed.success) return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 });
-  const { data, error } = await supabase
-    .from("documents").insert({ ...parsed.data, user_id: user.id }).select().single();
-  if (error) return NextResponse.json({ error: error.message }, { status: 500 });
-  return NextResponse.json(data, { status: 201 });
-}
-```
-## React Query + Supabase
-```tsx
-// providers/query-provider.tsx
-'use client';
-import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
-import { useState } from "react";
-export function QueryProvider({ children }: { children: React.ReactNode }) {
-  const [client] = useState(() => new QueryClient({
-    defaultOptions: { queries: { staleTime: 60_000, retry: 1 } },
-  }));
-  return <QueryClientProvider client={client}>{children}</QueryClientProvider>;
-}
-```
-```tsx
-// hooks/use-documents.ts
-export function useDocuments() {
-  return useQuery({
-    queryKey: ["documents"],
-    queryFn: async () => {
-      const res = await fetch("/api/documents");
-      if (!res.ok) throw new Error("Failed to fetch");
-      return res.json();
-    },
-  });
-}
-export function useCreateDocument() {
-  const qc = useQueryClient();
-  return useMutation({
-    mutationFn: async (data: { title: string; content: string }) => {
-      const res = await fetch("/api/documents", {
-        method: "POST", headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(data),
-      });
-      if (!res.ok) throw new Error("Failed to create");
-      return res.json();
-    },
-    onSuccess: () => qc.invalidateQueries({ queryKey: ["documents"] }),
-  });
-}
-```
-## Form Handling (react-hook-form + Zod)
-```tsx
-'use client';
-import { useForm } from "react-hook-form";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { z } from "zod";
-const schema = z.object({
-  title: z.string().min(1, "Required").max(200),
-  content: z.string().min(1, "Required"),
-});
-export function DocumentForm() {
-  const { register, handleSubmit, formState: { errors, isSubmitting } } = useForm<z.infer<typeof schema>>({
-    resolver: zodResolver(schema),
-  });
-  const create = useCreateDocument();
-  return (
-    <form onSubmit={handleSubmit((data) => create.mutateAsync(data))}>
-      <input {...register("title")} />
-      {errors.title && <span>{errors.title.message}</span>}
-      <textarea {...register("content")} />
-      {errors.content && <span>{errors.content.message}</span>}
-      <button type="submit" disabled={isSubmitting}>Save</button>
-    </form>
-  );
-}
-```
-## shadcn/ui
-Install: `npx shadcn@latest init` then `npx shadcn@latest add button input card dialog form`.
-Components are copied to `components/ui/` -- NOT an npm dependency, your code to customize.
-## TypeScript Strict Patterns
-| Pattern | Approach |
-|---------|----------|
-| API responses | Zod schema + `z.infer<typeof schema>` |
-| Props | Explicit interface, no `any` |
-| Event handlers | `React.ChangeEvent<HTMLInputElement>` |
-| Null safety | `?.` over type assertions, `if (!data) return null` |
-## Common Mistakes
-| Wrong | Right | Why |
-|-------|-------|-----|
-| `'use client'` on every component | Default to Server Components | Unnecessary JS bundle size |
-| Direct Supabase from client | Route Handler `/api/*` as BFF | Exposes queries, harder to secure |
-| `any` for API responses | Zod schema + infer | No runtime safety |
-| Missing loading.tsx | Colocate with page.tsx | Blank page during load |
-| `useEffect` for data fetching | React Query `useQuery` | No caching, race conditions |
-| Form validation on submit only | Zod resolver + react-hook-form | Delayed error feedback |
-| shadcn as npm package | `npx shadcn@latest add` | Copy-paste system, not a dependency |

package/stacks/nextjs-supabase/.morph/standards/supabase-auth.md DELETED Viewed

@@ -1,171 +0,0 @@
-# Supabase Authentication Standard
-> Stack: Next.js 15 + Supabase + .NET Backend
-## Core Rules
-- NEVER use `supabase.auth.getSession()` on server -- reads from cookies without validation
-- ALWAYS use `supabase.auth.getUser()` on server -- validates JWT with Supabase
-- NEVER expose `service_role` key on frontend -- bypasses RLS
-- ALWAYS use `@supabase/ssr` for Next.js -- not `@supabase/auth-helpers-nextjs` (deprecated)
-- ALWAYS use PKCE flow for SSR auth
-## Client Setup
-### Browser Client
-```ts
-// lib/supabase/client.ts
-import { createBrowserClient } from "@supabase/ssr";
-export function createClient() {
-  return createBrowserClient(
-    process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
-  );
-}
-```
-### Server Client
-```ts
-// lib/supabase/server.ts
-import { createServerClient } from "@supabase/ssr";
-import { cookies } from "next/headers";
-export async function createClient() {
-  const cookieStore = await cookies();
-  return createServerClient(
-    process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
-    {
-      cookies: {
-        getAll() { return cookieStore.getAll(); },
-        setAll(cookiesToSet) {
-          cookiesToSet.forEach(({ name, value, options }) =>
-            cookieStore.set(name, value, options));
-        },
-      },
-    }
-  );
-}
-```
-## Auth Flows
-```ts
-// Email/Password sign up
-await supabase.auth.signUp({ email, password,
-  options: { emailRedirectTo: `${origin}/auth/callback` } });
-// Email/Password sign in
-await supabase.auth.signInWithPassword({ email, password });
-// OAuth (Google / GitHub)
-await supabase.auth.signInWithOAuth({
-  provider: "google", // or "github"
-  options: { redirectTo: `${origin}/auth/callback`,
-    queryParams: { access_type: "offline", prompt: "consent" } } // Google-specific
-});
-// Magic Link
-await supabase.auth.signInWithOtp({ email,
-  options: { emailRedirectTo: `${origin}/auth/callback` } });
-```
-## Auth Callback Route (PKCE)
-```ts
-// app/auth/callback/route.ts
-import { createClient } from "@/lib/supabase/server";
-import { NextResponse } from "next/server";
-export async function GET(request: Request) {
-  const { searchParams, origin } = new URL(request.url);
-  const code = searchParams.get("code");
-  const next = searchParams.get("next") ?? "/dashboard";
-  if (code) {
-    const supabase = await createClient();
-    const { error } = await supabase.auth.exchangeCodeForSession(code);
-    if (!error) return NextResponse.redirect(`${origin}${next}`);
-  }
-  return NextResponse.redirect(`${origin}/auth/error`);
-}
-```
-## Middleware Pattern
-```ts
-// middleware.ts
-import { createServerClient } from "@supabase/ssr";
-import { NextResponse, type NextRequest } from "next/server";
-export async function middleware(request: NextRequest) {
-  let supabaseResponse = NextResponse.next({ request });
-  const supabase = createServerClient(
-    process.env.NEXT_PUBLIC_SUPABASE_URL!,
-    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
-    {
-      cookies: {
-        getAll() { return request.cookies.getAll(); },
-        setAll(cookiesToSet) {
-          cookiesToSet.forEach(({ name, value, options }) => {
-            request.cookies.set(name, value);
-            supabaseResponse.cookies.set(name, value, options);
-          });
-        },
-      },
-    }
-  );
-  const { data: { user } } = await supabase.auth.getUser();
-  if (!user && request.nextUrl.pathname.startsWith("/dashboard"))
-    return NextResponse.redirect(new URL("/login", request.url));
-  return supabaseResponse;
-}
-export const config = {
-  matcher: ["/((?!_next/static|_next/image|favicon.ico|api/webhooks).*)"],
-};
-```
-## .NET JWT Validation
-```csharp
-builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-    .AddJwtBearer(options => {
-        options.TokenValidationParameters = new TokenValidationParameters {
-            ValidateIssuer = true,
-            ValidIssuer = $"https://{supabaseProjectRef}.supabase.co/auth/v1",
-            ValidateAudience = true,
-            ValidAudience = "authenticated",
-            ValidateIssuerSigningKey = true,
-            IssuerSigningKey = new SymmetricSecurityKey(
-                Encoding.UTF8.GetBytes(supabaseJwtSecret)),
-            ValidateLifetime = true,
-            ClockSkew = TimeSpan.FromSeconds(30)
-        };
-    });
-// Extract user ID: maps to auth.uid()
-var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
-```
-## Environment Variables
-| Variable | Where | Purpose |
-|----------|-------|---------|
-| `NEXT_PUBLIC_SUPABASE_URL` | Frontend | Supabase project URL |
-| `NEXT_PUBLIC_SUPABASE_ANON_KEY` | Frontend | Public anon key (respects RLS) |
-| `SUPABASE_SERVICE_ROLE_KEY` | Backend ONLY | Bypasses RLS -- NEVER on frontend |
-| `SUPABASE_JWT_SECRET` | Backend ONLY | JWT validation secret |
-## Common Mistakes
-| Wrong | Right | Why |
-|-------|-------|-----|
-| `getSession()` on server | `getUser()` on server | getSession reads unvalidated cookie data |
-| `@supabase/auth-helpers-nextjs` | `@supabase/ssr` | auth-helpers is deprecated |
-| `service_role` in `NEXT_PUBLIC_*` | `anon` key in `NEXT_PUBLIC_*` | service_role bypasses all RLS |
-| Implicit flow for SSR | PKCE flow with code exchange | Implicit exposes tokens in URL fragments |
-| Auth only in page components | Auth check in middleware.ts | Middleware prevents flash of content |
-| Missing `setAll` in cookie config | Both `getAll` and `setAll` | Session refresh silently fails without setAll |

package/stacks/nextjs-supabase/.morph/standards/supabase-pgvector.md DELETED Viewed

@@ -1,164 +0,0 @@
-# Supabase pgvector Standard
-> Stack: Next.js 15 + Supabase + .NET Backend
-## Core Rules
-- ALWAYS use HNSW indexes for production (faster queries, no training required)
-- ALWAYS match dimensions to embedding model (e.g., 1536 for text-embedding-3-small)
-- NEVER store embeddings without an index -- full table scan at query time
-- Use `halfvec` for large datasets to halve storage (16-bit vs 32-bit per dimension)
-- ALWAYS use RLS on tables containing embeddings
-## Setup and Table Design
-```sql
-CREATE EXTENSION IF NOT EXISTS vector;
-CREATE TABLE documents (
-  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  user_id UUID NOT NULL REFERENCES auth.users(id),
-  title TEXT NOT NULL,
-  content TEXT NOT NULL,
-  metadata JSONB DEFAULT '{}',
-  embedding vector(1536),
-  created_at TIMESTAMPTZ DEFAULT now()
-);
-ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-CREATE POLICY "owner_access" ON documents FOR ALL
-  USING (user_id = auth.uid()) WITH CHECK (user_id = auth.uid());
-CREATE INDEX idx_documents_user_id ON documents (user_id);
-```
-### halfvec Optimization
-| Type | Storage/dim | 1536-dim | Best for |
-|------|------------|----------|----------|
-| `vector` | 4 bytes | 6 KB | High precision, small datasets |
-| `halfvec` | 2 bytes | 3 KB | Large datasets, cost optimization |
-## Index Types
-```sql
--- HNSW (recommended)
-CREATE INDEX idx_docs_embedding ON documents
-  USING hnsw (embedding vector_cosine_ops) WITH (m = 16, ef_construction = 64);
--- IVFFlat (legacy, requires existing data)
-CREATE INDEX idx_docs_ivf ON documents
-  USING ivfflat (embedding vector_cosine_ops) WITH (lists = 100);
-```
-| Feature | HNSW | IVFFlat |
-|---------|------|---------|
-| Query speed | Faster | Slower |
-| Requires training | No | Yes |
-| Recall quality | Higher | Lower |
-| Recommended | Yes | Only for very large datasets |
-## HNSW Parameters
-| Parameter | Default | Tuning |
-|-----------|---------|--------|
-| `m` | 16 | Higher = better recall, more memory |
-| `ef_construction` | 64 | Higher = better index, slower build |
-| `ef_search` | 40 | `SET hnsw.ef_search = 100;` per session |
-## Distance Functions
-| Operator | Function | Index Ops | Use Case |
-|----------|----------|-----------|----------|
-| `<=>` | Cosine distance | `vector_cosine_ops` | Normalized embeddings (most common) |
-| `<->` | L2 (Euclidean) | `vector_l2_ops` | Spatial/positional data |
-| `<#>` | Inner product (neg) | `vector_ip_ops` | Pre-normalized, max similarity |
-## Similarity Search
-```sql
-CREATE OR REPLACE FUNCTION match_documents(
-  query_embedding vector(1536),
-  match_threshold float DEFAULT 0.78,
-  match_count int DEFAULT 10,
-  p_user_id uuid DEFAULT auth.uid()
-) RETURNS TABLE (id uuid, title text, content text, similarity float)
-LANGUAGE sql STABLE AS $$
-  SELECT d.id, d.title, d.content,
-    1 - (d.embedding <=> query_embedding) AS similarity
-  FROM documents d
-  WHERE d.user_id = p_user_id
-    AND 1 - (d.embedding <=> query_embedding) > match_threshold
-  ORDER BY d.embedding <=> query_embedding
-  LIMIT match_count;
-$$;
-```
-## Hybrid Search (Vector + Full-Text)
-```sql
-CREATE OR REPLACE FUNCTION hybrid_search(
-  query_text text, query_embedding vector(1536),
-  match_count int DEFAULT 10,
-  text_weight float DEFAULT 0.3, vector_weight float DEFAULT 0.7
-) RETURNS TABLE (id uuid, title text, content text, score float)
-LANGUAGE sql STABLE AS $$
-  WITH vector_results AS (
-    SELECT id, title, content,
-      1 - (embedding <=> query_embedding) AS vector_score
-    FROM documents WHERE user_id = auth.uid()
-    ORDER BY embedding <=> query_embedding LIMIT match_count * 2
-  ),
-  text_results AS (
-    SELECT id, title, content,
-      ts_rank(to_tsvector('english', content), plainto_tsquery('english', query_text)) AS text_score
-    FROM documents WHERE user_id = auth.uid()
-      AND to_tsvector('english', content) @@ plainto_tsquery('english', query_text)
-    LIMIT match_count * 2
-  )
-  SELECT COALESCE(v.id, t.id), COALESCE(v.title, t.title), COALESCE(v.content, t.content),
-    (COALESCE(v.vector_score, 0) * vector_weight + COALESCE(t.text_score, 0) * text_weight)
-  FROM vector_results v FULL OUTER JOIN text_results t ON v.id = t.id
-  ORDER BY score DESC LIMIT match_count;
-$$;
-```
-## .NET Integration (Npgsql)
-```csharp
-public sealed class DocumentRepository(AppDbContext db)
-{
-    public async Task StoreEmbeddingAsync(
-        Guid documentId, float[] embedding, CancellationToken ct = default)
-    {
-        await db.Database.ExecuteSqlInterpolatedAsync(
-            $"UPDATE documents SET embedding = {new Vector(embedding)} WHERE id = {documentId}", ct);
-    }
-    public async Task<List<DocumentMatch>> SearchSimilarAsync(
-        float[] queryEmbedding, int limit = 10, float threshold = 0.78f,
-        CancellationToken ct = default)
-    {
-        return await db.Database.SqlQuery<DocumentMatch>($"""
-            SELECT id, title, content,
-              1 - (embedding <=> {new Vector(queryEmbedding)}::vector) AS similarity
-            FROM documents
-            WHERE 1 - (embedding <=> {new Vector(queryEmbedding)}::vector) > {threshold}
-            ORDER BY embedding <=> {new Vector(queryEmbedding)}::vector LIMIT {limit}
-            """).ToListAsync(ct);
-    }
-}
-// EF Core registration
-builder.Services.AddDbContext<AppDbContext>(o =>
-    o.UseNpgsql(connectionString, npg => npg.UseVector()));
-```
-## Common Mistakes
-| Wrong | Right | Why |
-|-------|-------|-----|
-| No index on embedding column | HNSW index | Full table scan, extremely slow |
-| `ORDER BY similarity DESC` | `ORDER BY embedding <=> query ASC` | Operator returns distance, not similarity |
-| Mixing embedding dimensions | Consistent dimensions per column | Dimension mismatch causes runtime errors |
-| Full-precision for millions of rows | `halfvec` for large datasets | 2x storage savings, minimal quality loss |
-| Missing RLS on embedding tables | RLS with user/tenant policies | Embeddings contain sensitive content context |

package/stacks/nextjs-supabase/.morph/standards/supabase-rls.md DELETED Viewed

@@ -1,179 +0,0 @@
-# Supabase Row Level Security Standard
-> Stack: Next.js 15 + Supabase + .NET Backend
-## Core Rules
-- ALWAYS enable RLS on every table: `ALTER TABLE t ENABLE ROW LEVEL SECURITY`
-- NEVER rely solely on application-level filtering — RLS is the security boundary
-- `service_role` key bypasses ALL RLS — use only on trusted backend
-- ALWAYS create at least one policy after enabling RLS — otherwise no rows are accessible
-- ALWAYS add indexes on columns used in RLS policies
-## Policy Syntax
-### USING vs WITH CHECK
-| Clause | Applies To | Purpose |
-|--------|-----------|---------|
-| `USING (expr)` | SELECT, UPDATE, DELETE | Filter which existing rows are visible |
-| `WITH CHECK (expr)` | INSERT, UPDATE | Validate new/modified row data |
-```sql
--- SELECT: only see your own rows
-CREATE POLICY "users_select_own" ON documents
-  FOR SELECT USING (user_id = auth.uid());
--- INSERT: can only insert rows owned by you
-CREATE POLICY "users_insert_own" ON documents
-  FOR INSERT WITH CHECK (user_id = auth.uid());
--- UPDATE: can only see AND modify your own rows
-CREATE POLICY "users_update_own" ON documents
-  FOR UPDATE
-  USING (user_id = auth.uid())
-  WITH CHECK (user_id = auth.uid());
--- DELETE: can only delete your own rows
-CREATE POLICY "users_delete_own" ON documents
-  FOR DELETE USING (user_id = auth.uid());
-```
-## Auth Functions
-| Function | Returns | Use Case |
-|----------|---------|----------|
-| `auth.uid()` | UUID of authenticated user | Ownership checks |
-| `auth.jwt()` | Full JWT claims as JSON | Custom claims, roles, tenant ID |
-| `auth.role()` | Current role string | Distinguish anon vs authenticated |
-```sql
--- Access custom JWT claims
-auth.jwt() ->> 'tenant_id'
-auth.jwt() -> 'app_metadata' ->> 'role'
-```
-## Common Patterns
-### 1. Ownership
-```sql
-ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-CREATE POLICY "owner_all" ON documents
-  FOR ALL USING (user_id = auth.uid())
-  WITH CHECK (user_id = auth.uid());
-```
-### 2. Tenant Isolation
-```sql
--- Requires tenant_id in JWT app_metadata
-CREATE POLICY "tenant_isolation" ON orders
-  FOR ALL
-  USING (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid)
-  WITH CHECK (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid);
-```
-### 3. Role-Based Access
-```sql
--- Admins see everything, users see own
-CREATE POLICY "admin_full_access" ON documents
-  FOR ALL USING (
-    auth.jwt() -> 'app_metadata' ->> 'role' = 'admin'
-  );
-CREATE POLICY "user_own_access" ON documents
-  FOR ALL USING (user_id = auth.uid())
-  WITH CHECK (user_id = auth.uid());
-```
-### 4. Public Read, Authenticated Write
-```sql
-CREATE POLICY "public_read" ON posts
-  FOR SELECT USING (published = true);
-CREATE POLICY "auth_write" ON posts
-  FOR INSERT WITH CHECK (auth.role() = 'authenticated');
-```
-### 5. Team/Organization Access
-```sql
-CREATE POLICY "team_access" ON projects
-  FOR SELECT USING (
-    EXISTS (
-      SELECT 1 FROM team_members
-      WHERE team_members.team_id = projects.team_id
-      AND team_members.user_id = auth.uid()
-    )
-  );
-```
-## Index Recommendations
-Always index columns used in RLS policies for performance:
-```sql
-CREATE INDEX idx_documents_user_id ON documents (user_id);
-CREATE INDEX idx_orders_tenant_id ON orders (tenant_id);
-CREATE INDEX idx_team_members_lookup ON team_members (team_id, user_id);
-```
-## Testing RLS Policies
-### Via SQL (Supabase SQL Editor)
-```sql
--- Test as a specific user
-SET request.jwt.claims = '{"sub": "user-uuid-here", "role": "authenticated",
-  "app_metadata": {"tenant_id": "tenant-uuid", "role": "admin"}}';
-SET role = 'authenticated';
-SELECT * FROM documents; -- should only return rows matching policy
-RESET role;
-RESET request.jwt.claims;
-```
-### Via Client (different auth contexts)
-```ts
-// Test with anon key (unauthenticated)
-const anonClient = createClient(url, anonKey);
-const { data } = await anonClient.from("documents").select("*");
-// Should return empty if no public policy
-// Test with authenticated user
-const { data: userData } = await authClient.from("documents").select("*");
-// Should return only user's rows
-```
-## Migration Pattern
-```sql
--- migration: 001_enable_rls.sql
-ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-ALTER TABLE team_members ENABLE ROW LEVEL SECURITY;
--- Always pair with policies
-CREATE POLICY "documents_owner" ON documents
-  FOR ALL USING (user_id = auth.uid())
-  WITH CHECK (user_id = auth.uid());
-```
-## Common Mistakes
-| Wrong | Right | Why |
-|-------|-------|-----|
-| Enable RLS without policies | Enable RLS + create policies | No policies = no access at all |
-| `FOR ALL USING (true)` | Specific conditions per operation | Grants unrestricted access, defeats RLS |
-| UPDATE with only USING | UPDATE with USING + WITH CHECK | User could change user_id to another user |
-| Complex subqueries in policies | Simple conditions + indexed columns | Subqueries in policies cause N+1 perf issues |
-| Using `anon` key as service_role | Separate keys, service_role only on backend | anon key respects RLS (correct), don't confuse |
-| RLS on some tables but not others | RLS on ALL tables with user data | Attackers target unprotected tables |
-| `auth.uid()` without null check | `auth.uid() IS NOT NULL AND user_id = auth.uid()` | Prevents anon access when policy is permissive |
-| Forgetting junction table RLS | RLS on junction tables too | team_members without RLS leaks membership |