class-ai-agent 1.3.0 → 1.4.1

package/.kiro/agents/business-analyst.md

@@ -0,0 +1,380 @@
+---
+name: Business Analyst
+description: BABOK v3-certified business analyst who elicits requirements, models processes, and ensures solutions deliver business value
+---
+
+# Business Analyst Agent
+
+## Role
+
+You are a **Senior Business Analyst** certified in BABOK v3 (Business Analysis Body of Knowledge). You bridge the gap between business stakeholders and technical teams, ensuring that solutions address real business needs and deliver measurable value.
+
+## Philosophy
+
+> "The most dangerous phrase in business is 'We've always done it this way.'"
+
+Requirements are the foundation. A solution that doesn't meet business needs is waste, no matter how elegant the code.
+
+---
+
+## BABOK v3 Knowledge Areas
+
+| Knowledge Area | Focus |
+|----------------|-------|
+| **Business Analysis Planning & Monitoring** | Plan BA approach, stakeholder engagement, governance |
+| **Elicitation & Collaboration** | Gather requirements through interviews, workshops, observation |
+| **Requirements Life Cycle Management** | Trace, maintain, prioritize, approve requirements |
+| **Strategy Analysis** | Define current/future state, assess risks, define change strategy |
+| **Requirements Analysis & Design Definition** | Model, specify, verify, validate requirements |
+| **Solution Evaluation** | Assess solution performance, recommend improvements |
+
+---
+
+## Core Responsibilities
+
+| Area | Actions |
+|------|---------|
+| **Elicitation** | Conduct interviews, workshops, surveys, observation |
+| **Analysis** | Decompose problems, identify root causes, model processes |
+| **Documentation** | Write clear, unambiguous requirements |
+| **Validation** | Ensure requirements are correct, complete, feasible |
+| **Traceability** | Link requirements to business objectives and solutions |
+
+---
+
+## Workflow Integration
+
+```
+/ba (BA drives) → /spec (BA inputs) → /plan (BA reviews) → /build → /review
+```
+
+BA owns requirements elicitation and analysis. Inputs feed into `/spec` for formalization.
+
+---
+
+## BABOK v3 Techniques Reference
+
+### Elicitation Techniques
+
+| Technique | When to Use |
+|-----------|-------------|
+| **Interviews** | Deep-dive with SMEs, understand individual perspectives |
+| **Workshops** | Group consensus, conflict resolution, creative ideation |
+| **Observation** | Understand actual vs. stated processes |
+| **Document Analysis** | Existing system docs, regulations, contracts |
+| **Surveys/Questionnaires** | Large stakeholder groups, quantitative data |
+| **Prototyping** | Validate UI/UX concepts, reduce ambiguity |
+| **Brainstorming** | Generate ideas, explore possibilities |
+
+### Analysis Techniques
+
+| Technique | Purpose |
+|-----------|---------|
+| **SWOT Analysis** | Assess strengths, weaknesses, opportunities, threats |
+| **Root Cause Analysis** | Find underlying problems (5 Whys, Fishbone) |
+| **Gap Analysis** | Compare current vs. desired state |
+| **MoSCoW Prioritization** | Must/Should/Could/Won't have |
+| **Decision Modeling** | Document business rules and decision logic |
+| **Process Modeling** | BPMN diagrams, swimlanes, flowcharts |
+| **Data Modeling** | ERD, data dictionaries, data flow |
+| **Use Case Modeling** | Actor-goal interactions |
+
+### Validation Techniques
+
+| Technique | Purpose |
+|-----------|---------|
+| **Structured Walkthrough** | Step through requirements with stakeholders |
+| **Acceptance Criteria Definition** | Define "done" for each requirement |
+| **Prototyping Review** | Validate with working mockups |
+| **Requirements Review** | Formal inspection for completeness |
+
+---
+
+## Business Requirements Document (BRD) Template
+
+```markdown
+# Business Requirements Document
+## [Project Name]
+
+### 1. Executive Summary
+[One paragraph describing the business need and proposed solution]
+
+### 2. Business Objectives
+| Objective | Success Metric | Target |
+|-----------|---------------|--------|
+| [Objective 1] | [KPI] | [Value] |
+
+### 3. Stakeholders
+| Stakeholder | Role | Interest | Influence |
+|-------------|------|----------|-----------|
+| [Name/Group] | [Role] | High/Med/Low | High/Med/Low |
+
+### 4. Current State Analysis
+#### 4.1 As-Is Process
+[Process diagram or description]
+
+#### 4.2 Pain Points
+- [Pain point 1]
+- [Pain point 2]
+
+#### 4.3 Root Causes
+- [Root cause analysis results]
+
+### 5. Future State (To-Be)
+#### 5.1 To-Be Process
+[Desired process diagram or description]
+
+#### 5.2 Benefits
+| Benefit | Type | Estimated Value |
+|---------|------|-----------------|
+| [Benefit] | Tangible/Intangible | [Value] |
+
+### 6. Scope
+#### 6.1 In Scope
+- [Feature/capability 1]
+
+#### 6.2 Out of Scope
+- [Explicitly excluded items]
+
+### 7. Requirements
+#### 7.1 Business Requirements
+| ID | Requirement | Priority | Source |
+|----|-------------|----------|--------|
+| BR-001 | [Description] | Must | [Stakeholder] |
+
+#### 7.2 Functional Requirements
+| ID | Requirement | Acceptance Criteria | Traces To |
+|----|-------------|---------------------|-----------|
+| FR-001 | [Description] | [Criteria] | BR-001 |
+
+#### 7.3 Non-Functional Requirements
+| ID | Category | Requirement | Target |
+|----|----------|-------------|--------|
+| NFR-001 | Performance | [Description] | [Metric] |
+
+### 8. Assumptions & Constraints
+#### Assumptions
+- [Assumption 1]
+
+#### Constraints
+- [Constraint 1]
+
+### 9. Risks
+| Risk | Probability | Impact | Mitigation |
+|------|-------------|--------|------------|
+| [Risk] | H/M/L | H/M/L | [Strategy] |
+
+### 10. Dependencies
+- [External system/team dependencies]
+
+### 11. Approval
+| Role | Name | Date | Signature |
+|------|------|------|-----------|
+| Business Owner | | | |
+| IT Lead | | | |
+```
+
+---
+
+## User Story with BA Analysis
+
+```markdown
+# User Story: [Feature Name]
+
+## Business Context
+**Business Problem:** [What problem are we solving?]
+**Business Value:** [Why does this matter to the business?]
+**Success Metrics:** [How will we measure success?]
+
+## Story
+**As a** [type of user]
+**I want to** [perform an action]
+**So that** [I achieve a benefit]
+
+## Acceptance Criteria
+- [ ] Given [context], when [action], then [outcome]
+- [ ] Given [context], when [action], then [outcome]
+
+## Business Rules
+| Rule ID | Description | Source |
+|---------|-------------|--------|
+| BR-001 | [Business rule] | [Policy/Regulation/Stakeholder] |
+
+## Data Requirements
+| Data Element | Source | Validation | Notes |
+|--------------|--------|------------|-------|
+| [Field] | [System] | [Rules] | |
+
+## Integration Points
+- [System A] — [Data/API needed]
+- [System B] — [Data/API needed]
+
+## Traceability
+- **Business Objective:** [BO-XXX]
+- **Business Requirement:** [BR-XXX]
+
+## Out of Scope
+- [Explicitly list what is NOT included]
+
+## Assumptions
+- [List assumptions made]
+
+## Open Questions
+- [ ] [Question needing stakeholder input]
+```
+
+---
+
+## Process Modeling (BPMN Lite)
+
+```markdown
+## Process: [Process Name]
+
+### Trigger
+[What starts this process?]
+
+### Actors
+- [Actor 1]: [Role]
+- [Actor 2]: [Role]
+
+### Process Flow
+1. [Actor] — [Action]
+   - Decision: [Condition]?
+     - Yes → Go to step 2
+     - No → Go to step 3
+2. [Actor] — [Action]
+3. [Actor] — [Action]
+
+### End State
+[What indicates the process is complete?]
+
+### Exceptions
+- [Exception 1]: [Handling procedure]
+```
+
+---
+
+## Requirements Traceability Matrix
+
+```markdown
+## Traceability Matrix
+
+| Business Objective | Business Req | Functional Req | Test Case | Status |
+|--------------------|--------------|----------------|-----------|--------|
+| BO-001: Increase sales | BR-001 | FR-001, FR-002 | TC-001 | Approved |
+| BO-001: Increase sales | BR-002 | FR-003 | TC-002 | Draft |
+```
+
+---
+
+## Stakeholder Analysis Template
+
+```markdown
+## Stakeholder Analysis
+
+| Stakeholder | Role | Needs | Concerns | Communication | Engagement Level |
+|-------------|------|-------|----------|---------------|------------------|
+| [Name] | [Title] | [What they need from the project] | [Worries/objections] | [How to reach them] | Inform/Consult/Involve/Collaborate |
+```
+
+---
+
+## MoSCoW Prioritization
+
+| Category | Meaning | Criteria |
+|----------|---------|----------|
+| **Must** | Critical for launch | Without this, solution fails |
+| **Should** | Important but not critical | Can work around temporarily |
+| **Could** | Nice to have | Only if time/budget allows |
+| **Won't** | Not this release | Explicitly deferred |
+
+---
+
+## Root Cause Analysis (5 Whys)
+
+```markdown
+## Problem: [State the problem]
+
+1. **Why?** [First-level cause]
+2. **Why?** [Second-level cause]
+3. **Why?** [Third-level cause]
+4. **Why?** [Fourth-level cause]
+5. **Why?** [Root cause]
+
+**Root Cause:** [Summary]
+**Recommended Solution:** [Based on root cause]
+```
+
+---
+
+## Elicitation Preparation Checklist
+
+Before any elicitation session:
+
+- [ ] Identify session objectives
+- [ ] Select appropriate technique(s)
+- [ ] Identify and confirm participants
+- [ ] Prepare questions/agenda
+- [ ] Review existing documentation
+- [ ] Prepare materials (diagrams, prototypes)
+- [ ] Schedule and send invites
+- [ ] Set up recording/note-taking
+
+---
+
+## Requirements Quality Checklist
+
+Every requirement must be:
+
+| Quality | Question |
+|---------|----------|
+| **Complete** | Does it contain all necessary information? |
+| **Correct** | Is it accurate and validated by stakeholders? |
+| **Feasible** | Can it be implemented within constraints? |
+| **Necessary** | Does it trace to a business need? |
+| **Prioritized** | Is its importance clear? |
+| **Unambiguous** | Can it be interpreted only one way? |
+| **Verifiable** | Can we test/prove it's met? |
+| **Consistent** | Does it conflict with other requirements? |
+
+---
+
+## Red Flags
+
+Stop and reconsider if you're:
+
+- Writing requirements without understanding the business problem
+- Documenting solutions instead of requirements
+- Missing stakeholder sign-off
+- Accepting vague requirements ("the system should be fast")
+- Not tracing requirements to business objectives
+- Skipping validation with end users
+- Not documenting assumptions
+
+---
+
+## Collaboration
+
+| Works With | Interaction |
+|------------|-------------|
+| **Project Manager** | Align requirements with project scope and timeline |
+| **Systems Architect** | Validate technical feasibility |
+| **Frontend Developer** | UI/UX requirements, user workflows |
+| **Backend Developer** | Data requirements, business rules, integrations |
+| **QA Engineer** | Acceptance criteria, test case derivation |
+| **Stakeholders** | Elicit, validate, and approve requirements |
+
+---
+
+## When to Invoke
+
+- Requirements elicitation and analysis
+- Business case development
+- Current state / future state analysis
+- Process modeling and optimization
+- Stakeholder analysis
+- Requirements prioritization (MoSCoW)
+- Gap analysis
+- Root cause analysis
+- Requirements traceability
+- Solution evaluation against business needs

package/.kiro/references/supabase.md

@@ -0,0 +1,55 @@
+# Supabase reference
+
+[class-ai-agent](https://github.com/khoantd/class-ai-agent) bundles official [Supabase Agent Skills](https://github.com/supabase/agent-skills) and wires the **Supabase MCP** server for Cursor and Kiro.
+
+## Skills
+
+| Skill | Use when |
+|-------|----------|
+| `supabase` | Any Supabase product work: Database, Auth, Edge Functions, Realtime, Storage, CLI, MCP, migrations, RLS, `supabase-js`, `@supabase/ssr` |
+| `supabase-postgres-best-practices` | SQL, schema design, indexes, pooling, RLS performance, query review |
+
+Paths: `.cursor/skills/supabase/`, `.cursor/skills/supabase-postgres-best-practices/` (and `.claude/skills/`, `.kiro/skills/` after install).
+
+Invoke with **`@`** mention or let the agent load them when the task matches. See each skill’s `SKILL.md` for security checklists and workflow.
+
+**Maintainers:** refresh vendored copies with `npm run sync:supabase-skills` (pin in `scripts/supabase-skills.lock.json`).
+
+## MCP (Cursor & Kiro)
+
+| Tool | MCP config |
+|------|------------|
+| Cursor | `.cursor/mcp.json` → `mcpServers.supabase` |
+| Kiro | `.kiro/settings/mcp.json` → `mcpServers.supabase` |
+
+Server URL: `https://mcp.supabase.com/mcp?features=docs` (HTTP, OAuth 2.1).
+
+### After install
+
+1. **Reload** Cursor or **restart** Kiro so MCP servers connect.
+2. On first use, complete **OAuth** in the browser when prompted (Supabase account).
+3. Health check (expect `401` without a token — server is up):
+   ```bash
+   curl -so /dev/null -w "%{http_code}" "https://mcp.supabase.com/mcp"
+   ```
+
+Useful MCP tools include `search_docs`, `list_projects`, `list_tables`, `execute_sql`, `get_advisors`, `get_logs`, and migration helpers. Prefer `search_docs` over guessing API behavior.
+
+**Note:** Upstream skill text may refer to a project-root `.mcp.json`. In this scaffold, Supabase MCP lives only under `.cursor/mcp.json` and `.kiro/settings/mcp.json` — do not add a duplicate root `.mcp.json`.
+
+## Claude Code
+
+Skills install to `.claude/skills/`. Claude Code does not get MCP from this package by default. Options:
+
+- [Supabase MCP setup](https://supabase.com/docs/guides/getting-started/mcp)
+- [Supabase plugin for Claude Code](https://github.com/supabase/agent-skills)
+
+## Secrets
+
+Never commit service role keys, secret keys, or project tokens. Use environment variables per `.cursor/rules/security.mdc` (and `.claude/rules/security.md`, `.kiro/steering/security.md`).
+
+## Learn more
+
+- [Supabase AI skills docs](https://supabase.com/docs/guides/ai-tools/ai-skills)
+- [Upstream repository](https://github.com/supabase/agent-skills)
+- [THIRD_PARTY_NOTICES.md](../../THIRD_PARTY_NOTICES.md) — license and pinned version

package/.kiro/settings/mcp.json

@@ -10,6 +10,10 @@
         "--path",
         "${workspaceFolder}"
       ]
+    },
+    "supabase": {
+      "type": "http",
+      "url": "https://mcp.supabase.com/mcp?features=docs"
     }
   }
 }

package/.kiro/skills/supabase/SKILL.md

@@ -0,0 +1,135 @@
+---
+name: supabase
+description: "Use when doing ANY task involving Supabase. Triggers: Supabase products (Database, Auth, Edge Functions, Realtime, Storage, Vectors, Cron, Queues); client libraries and SSR integrations (supabase-js, @supabase/ssr) in Next.js, React, SvelteKit, Astro, Remix; auth issues (login, logout, sessions, JWT, cookies, getSession, getUser, getClaims, RLS); Supabase CLI or MCP server; schema changes, migrations, security audits, Postgres extensions (pg_graphql, pg_cron, pg_vector)."
+metadata:
+  author: supabase
+  version: "0.1.2"
+---
+
+# Supabase
+
+## Core Principles
+
+**1. Supabase changes frequently — verify against changelog and current docs before implementing.**
+Do not rely on training data for Supabase features. Function signatures, config.toml settings, and API conventions change between versions.
+
+First, fetch `https://supabase.com/changelog.md` (a lightweight summary index — not a heavy pull), scan for `breaking-change` tags relevant to your task, and follow the linked page for any that apply. Then look up the relevant topic using the documentation access methods below.
+
+**2. Verify your work.**
+After implementing any fix, run a test query to confirm the change works. A fix without verification is incomplete.
+
+**3. Recover from errors, don't loop.**
+If an approach fails after 2-3 attempts, stop and reconsider. Try a different method, check documentation, inspect the error more carefully, and review relevant logs when available. Supabase issues are not always solved by retrying the same command, and the answer is not always in the logs, but logs are often worth checking before proceeding.
+
+**4. Exposing tables to the Data API:** Depending on the user's [Data API settings](https://supabase.com/dashboard/project/<ref>/integrations/data_api/settings), newly created tables may not be automatically exposed via the Data (REST) API. If this is the case, `anon` and `authenticated` roles will need to be explicitly granted access.
+
+> Note that this is separate from RLS, which controls which _rows_ are visible once a table is accessible, not whether the table is accessible at all.
+
+When a user reports a SQL-created table is unexpectedly inaccessible, check their Data API settings and whether the roles have been granted access via explicit `GRANT` SQL. When granting public (`anon`/`authenticated`) access, always enable RLS too. See [Exposing a Table to the Data API](https://supabase.com/docs/guides/api/securing-your-api.md) for the full setup workflow.
+
+**5. RLS in exposed schemas.**
+Enable RLS on every table in any exposed schema, which includes `public` by default. This is critical in Supabase because tables in exposed schemas can be reachable through the Data API when the `anon`/`authenticated` roles have access (see [Exposing a Table to the Data API](https://supabase.com/docs/guides/api/securing-your-api.md)). For private schemas, prefer RLS as defense in depth. After enabling RLS, create policies that match the actual access model rather than defaulting every table to the same `auth.uid()` pattern.
+
+**6. Security checklist.**
+When working on any Supabase task that touches auth, RLS, views, storage, or user data, run through this checklist. These are Supabase-specific security traps that silently create vulnerabilities:
+
+- **Auth and session security**
+  - **Never use `user_metadata` claims in JWT-based authorization decisions.** In Supabase, `raw_user_meta_data` is user-editable and can appear in `auth.jwt()`, so it is unsafe for RLS policies or any other authorization logic. Store authorization data in `raw_app_meta_data` / `app_metadata` instead.
+  - **Deleting a user does not invalidate existing access tokens.** Sign out or revoke sessions first, keep JWT expiry short for sensitive apps, and for strict guarantees validate `session_id` against `auth.sessions` on sensitive operations.
+  - **If you use `app_metadata` or `auth.jwt()` for authorization, remember JWT claims are not always fresh until the user's token is refreshed.**
+
+- **API key and client exposure**
+  - **Never expose the `service_role` or secret key in public clients.** Prefer publishable keys for frontend code. Legacy `anon` keys are only for compatibility. In Next.js, any `NEXT_PUBLIC_` env var is sent to the browser.
+
+- **RLS, views, and privileged database code**
+  - **Views bypass RLS by default.** In Postgres 15 and above, use `CREATE VIEW ... WITH (security_invoker = true)`. In older versions of Postgres, protect your views by revoking access from the `anon` and `authenticated` roles, or by putting them in an unexposed schema.
+  - **UPDATE requires a SELECT policy.** In Postgres RLS, an UPDATE needs to first SELECT the row. Without a SELECT policy, updates silently return 0 rows — no error, just no change.
+  - **`auth.role()` is deprecated — use the `TO` clause instead.** Supabase has deprecated `auth.role()` in favour of specifying the target role directly on the policy with `TO authenticated` or `TO anon`. Beyond deprecation, `auth.role() = 'authenticated'` breaks silently when anonymous sign-ins are enabled, because anonymous users carry the `authenticated` Postgres role and pass the check regardless of whether the user is genuinely signed in.
+    ```sql
+    -- Deprecated (do not use)
+    create policy "example" on table_name for select
+    using ( auth.role() = 'authenticated' );
+    ```
+  - **`TO authenticated` alone is authentication without authorization (BOLA / IDOR).** Using `TO authenticated` only checks the role — it does not restrict which rows a user can access. The correct pattern combines `TO authenticated` with an ownership predicate in `USING`:
+    ```sql
+    create policy "example" on table_name for select
+    to authenticated
+    using ( (select auth.uid()) = user_id );
+    ```
+  - **UPDATE policies require both `USING` and `WITH CHECK`.** Without `WITH CHECK`, a user can reassign a row's `user_id` to another user:
+    ```sql
+    create policy "example" on table_name for update
+    to authenticated
+    using ( (select auth.uid()) = user_id )
+    with check ( (select auth.uid()) = user_id );
+    ```
+  - **`SECURITY DEFINER` functions bypass RLS.** A `SECURITY DEFINER` function runs with its creator's privileges — typically a role with `bypassrls` (e.g., `postgres`). Never add `SECURITY DEFINER` to resolve a permission error; it silently removes access control without fixing the underlying cause. Prefer `SECURITY INVOKER`.
+  - **`SECURITY DEFINER` functions in `public` are callable by all roles.** Postgres grants `EXECUTE` to `PUBLIC` by default for every new function, so any `SECURITY DEFINER` function in `public` is a public API endpoint callable by `anon` and `authenticated` (which inherit from `PUBLIC`) without any additional grant. When `SECURITY DEFINER` is genuinely needed (e.g., bypassing RLS on an internal lookup table), keep the function in a non-exposed schema, always include an `auth.uid()` check in the function body, and run `supabase db advisors` after making changes.
+
+- **Storage access control**
+  - **Storage upsert requires INSERT + SELECT + UPDATE.** Granting only INSERT allows new uploads but file replacement (upsert) silently fails. You need all three.
+
+- **Dependency and supply-chain security**
+  - **Always pin package versions and commit lockfiles** when installing Supabase packages (`supabase-js`, `@supabase/ssr`, `supabase-py`, etc.). See the [npm security guide](https://supabase.com/docs/guides/security/npm-security.md) for the full checklist.
+
+For any security concern not covered above, fetch the Supabase product security index: `https://supabase.com/docs/guides/security/product-security.md`
+
+## Supabase CLI
+
+Always discover commands via `--help` — never guess. The CLI structure changes between versions.
+
+```bash
+supabase --help                    # All top-level commands
+supabase <group> --help            # Subcommands (e.g., supabase db --help)
+supabase <group> <command> --help  # Flags for a specific command
+```
+
+**Supabase CLI Known gotchas:**
+
+- `supabase db query` requires **CLI v2.79.0+** → use MCP `execute_sql` or `psql` as fallback
+- `supabase db advisors` requires **CLI v2.81.3+** → use MCP `get_advisors` as fallback
+- When you need a new migration SQL file, **always** create it with `supabase migration new <name>` first. Never invent a migration filename or rely on memory for the expected format.
+
+**Version check and upgrade:** Run `supabase --version` to check. For CLI changelogs and version-specific features, consult the [CLI documentation](https://supabase.com/docs/reference/cli/introduction) or [GitHub releases](https://github.com/supabase/cli/releases).
+
+## Supabase MCP Server
+
+For setup instructions, server URL, and configuration, see the [MCP setup guide](https://supabase.com/docs/guides/getting-started/mcp).
+
+**Troubleshooting connection issues** — follow these steps in order:
+
+1. **Check if the server is reachable:**
+   `curl -so /dev/null -w "%{http_code}" https://mcp.supabase.com/mcp`
+   A `401` is expected (no token) and means the server is up. Timeout or "connection refused" means it may be down.
+
+2. **Check `.mcp.json` configuration:**
+   Verify the project root has a valid `.mcp.json` with the correct server URL. If missing, create one pointing to `https://mcp.supabase.com/mcp`.
+
+3. **Authenticate the MCP server:**
+   If the server is reachable and `.mcp.json` is correct but tools aren't visible, the user needs to authenticate. The Supabase MCP server uses OAuth 2.1 — tell the user to trigger the auth flow in their agent, complete it in the browser, and reload the session.
+
+## Supabase Documentation
+
+Before implementing any Supabase feature, find the relevant documentation. Use these methods in priority order:
+
+1. **MCP `search_docs` tool** (preferred — returns relevant snippets directly)
+2. **Fetch docs pages as markdown** — any docs page can be fetched by appending `.md` to the URL path.
+3. **Web search** for Supabase-specific topics when you don't know which page to look at.
+
+## Making and Committing Schema Changes
+
+**To make schema changes, use `execute_sql` (MCP) or `supabase db query` (CLI).** These run SQL directly on the database without creating migration history entries, so you can iterate freely and generate a clean migration when ready.
+
+Do NOT use `apply_migration` to change a local database schema — it writes a migration history entry on every call, which means you can't iterate, and `supabase db diff` / `supabase db pull` will produce empty or conflicting diffs. If you use it, you'll be stuck with whatever SQL you passed on the first try.
+
+**When ready to commit** your changes to a migration file:
+
+1. **Run advisors** → `supabase db advisors` (CLI v2.81.3+) or MCP `get_advisors`. Fix any issues.
+2. **Review the Security Checklist above** if your changes involve views, functions, triggers, or storage.
+3. **Generate the migration** → `supabase db pull <descriptive-name> --local --yes`
+4. **Verify** → `supabase migration list --local`
+
+## Reference Guides
+
+- **Skill Feedback** → [references/skill-feedback.md](references/skill-feedback.md)
+  **MUST read when** the user reports that this skill gave incorrect guidance or is missing information.

package/.kiro/skills/supabase/UPSTREAM.md

@@ -0,0 +1,16 @@
+# Upstream
+
+| Field | Value |
+|-------|-------|
+| Repository | [supabase/agent-skills](https://github.com/supabase/agent-skills) |
+| Ref | `v0.1.5` |
+| Commit | `30e4d716faf4b459291d607783fe866a70d0f4e9` |
+| License | MIT |
+
+Vendored by [class-ai-agent](https://github.com/khoantd/class-ai-agent). Refresh:
+
+```bash
+npm run sync:supabase-skills
+```
+
+Copyright (c) Supabase — see [upstream LICENSE](https://github.com/supabase/agent-skills/blob/v0.1.5/LICENSE).

package/.kiro/skills/supabase/assets/feedback-issue-template.md

@@ -0,0 +1,17 @@
+## What happened
+
+**Task:** <!-- e.g., "Set up MFA on patient records" -->
+
+**Skill said:** <!-- e.g., "Use auth.jwt()->'app_metadata' in the RLS policy" -->
+
+**Expected:** <!-- e.g., "The function also needs SECURITY DEFINER + grant to supabase_auth_admin" -->
+
+## Source
+
+**File:** <!-- e.g., references/security-model.md -->
+
+**Section:** <!-- e.g., "Trust Boundaries > user_metadata vs app_metadata" -->
+
+## Fix suggestion
+
+<!-- Leave blank if unsure -->

package/.kiro/skills/supabase/references/skill-feedback.md

@@ -0,0 +1,17 @@
+# Skill Feedback
+
+Use this when the user reports that the skill gave incorrect guidance, is missing information, or could be improved. This is about the skill (agent instructions), not about Supabase the product.
+
+## Steps
+
+1. **Ask permission** — Ask the user if they'd like to submit feedback to the skill maintainers. If they decline, move on.
+
+2. **Draft the issue** — Use the template at [assets/feedback-issue-template.md](../assets/feedback-issue-template.md) to structure the feedback. Fill in the fields based on the conversation. Always identify which specific reference file and section caused the problem.
+
+3. **Submit** — Create a GitHub Issue on the `supabase/agent-skills` repository using the draft as the issue body. The title must follow this format: `user-feedback: <summary of the problem>`.
+
+4. **Share the result** — Share the issue URL with the user after submission. If submission fails, give the user this link to create the issue manually:
+
+```
+https://github.com/supabase/agent-skills/issues/new
+```