npm - superkit-mcp-server - Versions diffs - 1.2.1 → 1.2.3 - Mend

superkit-mcp-server 1.2.1 → 1.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/ARCHITECTURE.md +102 -102
package/README.md +71 -71
package/SUPERKIT.md +168 -168
package/agents/code-archaeologist.md +106 -106
package/agents/coder.md +90 -90
package/agents/data-engineer.md +28 -28
package/agents/devops-engineer.md +242 -242
package/agents/git-manager.md +203 -203
package/agents/orchestrator.md +420 -420
package/agents/penetration-tester.md +188 -188
package/agents/performance-optimizer.md +187 -187
package/agents/planner.md +270 -270
package/agents/qa-automation-engineer.md +103 -103
package/agents/quant-developer.md +32 -32
package/agents/reviewer.md +100 -100
package/agents/scout.md +222 -222
package/agents/security-auditor.md +3 -2
package/agents/tester.md +274 -274
package/agents/ui-designer.md +208 -208
package/build/index.js +21 -2
package/build/tools/__tests__/loggerTools.test.js +5 -5
package/build/tools/archTools.js +2 -19
package/build/tools/autoPreview.js +2 -2
package/build/tools/compoundTools.js +4 -4
package/build/tools/docsTools.js +5 -10
package/build/tools/loggerTools.js +1 -1
package/build/tools/todoTools.js +39 -39
package/build/tools/validators/__tests__/apiSchema.test.js +23 -23
package/build/tools/validators/__tests__/convertRules.test.js +5 -5
package/build/tools/validators/__tests__/frontendDesign.test.js +12 -12
package/build/tools/validators/__tests__/geoChecker.test.js +19 -19
package/build/tools/validators/__tests__/mobileAudit.test.js +12 -12
package/build/tools/validators/__tests__/reactPerformanceChecker.test.js +17 -17
package/build/tools/validators/__tests__/securityScan.test.js +6 -6
package/build/tools/validators/__tests__/seoChecker.test.js +16 -16
package/build/tools/validators/__tests__/typeCoverage.test.js +14 -14
package/build/tools/validators/convertRules.js +2 -2
package/commands/README.md +122 -122
package/commands/ask.toml +72 -72
package/commands/brainstorm.toml +119 -119
package/commands/chat.toml +77 -77
package/commands/code-preview.toml +37 -37
package/commands/code.toml +28 -28
package/commands/content.toml +200 -200
package/commands/cook.toml +77 -77
package/commands/copywrite.toml +131 -131
package/commands/db.toml +192 -192
package/commands/debug.toml +166 -166
package/commands/design.toml +158 -158
package/commands/dev-rules.toml +14 -14
package/commands/do.toml +117 -117
package/commands/doc-rules.toml +14 -14
package/commands/docs.toml +148 -148
package/commands/fix.toml +440 -440
package/commands/fullstack.toml +175 -175
package/commands/git.toml +235 -235
package/commands/help.toml +84 -84
package/commands/integrate.toml +127 -127
package/commands/journal.toml +136 -136
package/commands/kit-setup.toml +40 -40
package/commands/mcp.toml +183 -183
package/commands/orchestration.toml +15 -15
package/commands/plan.toml +171 -171
package/commands/pm.toml +148 -148
package/commands/pr.toml +50 -50
package/commands/project.toml +32 -32
package/commands/research.toml +117 -117
package/commands/review-pr.toml +63 -63
package/commands/review.toml +190 -190
package/commands/scout-ext.toml +97 -97
package/commands/scout.toml +79 -79
package/commands/screenshot.toml +65 -65
package/commands/session.toml +102 -102
package/commands/skill.toml +384 -384
package/commands/status.toml +22 -22
package/commands/team.toml +56 -56
package/commands/test.toml +164 -164
package/commands/ticket.toml +70 -70
package/commands/use.toml +106 -106
package/commands/video.toml +83 -83
package/commands/watzup.toml +71 -71
package/commands/workflow.toml +14 -14
package/package.json +35 -35
package/skills/meta/README.md +30 -30
package/skills/meta/api-design/SKILL.md +134 -134
package/skills/meta/code-review/SKILL.md +44 -44
package/skills/meta/code-review/checklists/pre-merge.md +25 -25
package/skills/meta/code-review/workflows/architecture-pass.md +26 -26
package/skills/meta/code-review/workflows/performance-pass.md +27 -27
package/skills/meta/code-review/workflows/security-pass.md +29 -29
package/skills/meta/compound-docs/SKILL.md +133 -133
package/skills/meta/debug/SKILL.md +40 -40
package/skills/meta/debug/templates/bug-report.template.md +31 -31
package/skills/meta/debug/workflows/reproduce-issue.md +20 -20
package/skills/meta/docker/SKILL.md +126 -126
package/skills/meta/examples/supabase/SKILL.md +46 -46
package/skills/meta/examples/supabase/references/best-practices.md +319 -319
package/skills/meta/examples/supabase/references/common-patterns.md +373 -373
package/skills/meta/examples/supabase/templates/migration-template.sql +49 -49
package/skills/meta/examples/supabase/templates/rls-policy-template.sql +77 -77
package/skills/meta/examples/supabase/workflows/debugging.md +260 -260
package/skills/meta/examples/supabase/workflows/migration-workflow.md +211 -211
package/skills/meta/examples/supabase/workflows/rls-policies.md +244 -244
package/skills/meta/examples/supabase/workflows/schema-design.md +321 -321
package/skills/meta/file-todos/SKILL.md +88 -88
package/skills/meta/mobile/SKILL.md +140 -140
package/skills/meta/nextjs/SKILL.md +101 -101
package/skills/meta/performance/SKILL.md +130 -130
package/skills/meta/react-patterns/SKILL.md +83 -83
package/skills/meta/security/SKILL.md +114 -114
package/skills/meta/session-resume/SKILL.md +96 -96
package/skills/meta/tailwind/SKILL.md +139 -139
package/skills/meta/testing/SKILL.md +43 -43
package/skills/meta/testing/references/vitest-patterns.md +45 -45
package/skills/meta/testing/templates/component-test.template.tsx +37 -37
package/skills/tech/alpha-vantage/SKILL.md +142 -142
package/skills/tech/alpha-vantage/references/commodities.md +153 -153
package/skills/tech/alpha-vantage/references/economic-indicators.md +158 -158
package/skills/tech/alpha-vantage/references/forex-crypto.md +154 -154
package/skills/tech/alpha-vantage/references/fundamentals.md +223 -223
package/skills/tech/alpha-vantage/references/intelligence.md +138 -138
package/skills/tech/alpha-vantage/references/options.md +93 -93
package/skills/tech/alpha-vantage/references/technical-indicators.md +374 -374
package/skills/tech/alpha-vantage/references/time-series.md +157 -157
package/skills/tech/doc.md +6 -6
package/skills/tech/financial-modeling/SKILL.md +18 -18
package/skills/tech/financial-modeling/skills/3-statements/SKILL.md +368 -368
package/skills/tech/financial-modeling/skills/3-statements/references/formatting.md +118 -118
package/skills/tech/financial-modeling/skills/3-statements/references/formulas.md +292 -292
package/skills/tech/financial-modeling/skills/3-statements/references/sec-filings.md +125 -125
package/skills/tech/financial-modeling/skills/dcf-model/SKILL.md +1210 -1210
package/skills/tech/financial-modeling/skills/dcf-model/TROUBLESHOOTING.md +40 -40
package/skills/tech/financial-modeling/skills/dcf-model/requirements.txt +8 -8
package/skills/tech/financial-modeling/skills/dcf-model/scripts/validate_dcf.py +292 -292
package/skills/tech/financial-modeling/skills/lbo-model/SKILL.md +236 -236
package/skills/tech/financial-modeling/skills/merger-model/SKILL.md +108 -108
package/skills/workflows/README.md +203 -203
package/skills/workflows/adr.md +174 -174
package/skills/workflows/changelog.md +74 -74
package/skills/workflows/compound.md +323 -323
package/skills/workflows/compound_health.md +74 -74
package/skills/workflows/create-agent-skill.md +138 -139
package/skills/workflows/cycle.md +144 -144
package/skills/workflows/deploy-docs.md +84 -84
package/skills/workflows/development-rules.md +42 -42
package/skills/workflows/doc.md +95 -95
package/skills/workflows/documentation-management.md +34 -34
package/skills/workflows/explore.md +146 -146
package/skills/workflows/generate_command.md +106 -106
package/skills/workflows/heal-skill.md +97 -97
package/skills/workflows/housekeeping.md +229 -229
package/skills/workflows/kit-setup.md +102 -102
package/skills/workflows/map-codebase.md +78 -78
package/skills/workflows/orchestration-protocol.md +43 -43
package/skills/workflows/plan-compound.md +439 -439
package/skills/workflows/plan_review.md +269 -269
package/skills/workflows/primary-workflow.md +37 -37
package/skills/workflows/promote_pattern.md +86 -86
package/skills/workflows/release-docs.md +82 -82
package/skills/workflows/report-bug.md +135 -135
package/skills/workflows/reproduce-bug.md +118 -118
package/skills/workflows/resolve_pr.md +133 -133
package/skills/workflows/resolve_todo.md +128 -128
package/skills/workflows/review-compound.md +376 -376
package/skills/workflows/skill-review.md +127 -127
package/skills/workflows/specs.md +257 -257
package/skills/workflows/triage-sprint.md +102 -102
package/skills/workflows/triage.md +152 -152
package/skills/workflows/work.md +399 -399
package/skills/workflows/xcode-test.md +93 -93

package/skills/meta/examples/supabase/references/best-practices.md CHANGED Viewed

@@ -1,319 +1,319 @@
-# Supabase Best Practices for [PROJECT_NAME]
-[PROJECT_NAME]-specific guidelines for working with Supabase.
----
-## Migration Conventions
-### Naming
-**Format:** `YYYYMMDD_description.sql`
-**Examples:**
-- `20251203_create_profiles_and_app_role.sql`
-- `20251129_multi_fund_architecture.sql`
-- `20251124_add_lot_performance.sql`
-**Rules:**
-- Use current date (not future dates)
-- Use underscores, not hyphens
-- Be descriptive but concise
-- Use `create`, `add`, `update`, `remove` prefixes
-### Header Comments
-**Always include:**
-```sql
--- Migration: {Description}
--- Date: {YYYY-MM-DD}
--- Purpose: {Why this is needed}
--- Requirements: {IDs if applicable}
--- Feature: {feature-name if applicable}
-```
-**Example:**
-```sql
--- Migration: Create app_role ENUM and profiles table for Identity Fortress
--- Date: 2025-12-03
--- Purpose: Establish role-based authentication foundation with JWT custom claims
--- Requirements: 4.1
--- Feature: identity-fortress
-```
-### Idempotency
-**All operations must be safe to re-run:**
-```sql
--- ✅ GOOD: Safe to re-run
-CREATE TABLE IF NOT EXISTS ...
-CREATE INDEX IF NOT EXISTS ...
-ALTER TABLE ... ADD COLUMN IF NOT EXISTS ...
--- ✅ GOOD: Type handling
-DO $$ BEGIN
-    CREATE TYPE status_type AS ENUM ('active', 'inactive');
-EXCEPTION
-    WHEN duplicate_object THEN null;
-END $$;
--- ❌ BAD: Fails on re-run
-CREATE TABLE ...
-CREATE INDEX ...
-CREATE TYPE ...
-```
----
-## Auth Integration
-### Stateless Client Pattern
-[PROJECT_NAME] uses a **stateless Supabase client** with SessionStore as single source of truth.
-**Architecture:**
-```
-SessionStore (localStorage)
-    ↓ hydrates ↓
-Supabase Client (in-memory only)
-```
-**Configuration (`lib/supabaseClient.ts`):**
-```typescript
-export const supabase = createClient(url, anonKey, {
-    auth: {
-        persistSession: false,  // ← SessionStore handles persistence
-        autoRefreshToken: true,
-        detectSessionInUrl: true,
-    },
-});
-```
-**Why this pattern?**
-- Single source of truth (no sync issues)
-- Explicit session management
-- No localStorage conflicts
-- Proper session validation
-**See:** `lib/supabaseClient.ts` for full implementation
----
-## RLS Security
-### Enable by Default
-**On all tables with sensitive data:**
-```sql
-CREATE TABLE table_name (...);
-ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;
-```
-### Policy Naming
-**Use descriptive names:**
-```sql
--- ✅ GOOD
-CREATE POLICY "Users can view own profile" ...
-CREATE POLICY "Fund Managers can view all profiles" ...
--- ❌ BAD
-CREATE POLICY "select_policy" ...
-CREATE POLICY "policy1" ...
-```
-### Always Use WITH CHECK
-**For UPDATE/INSERT operations:**
-```sql
--- ✅ GOOD: Enforces ownership on write
-CREATE POLICY "Users can update own profile"
-ON profiles
-FOR UPDATE
-TO authenticated
-USING (id = auth.uid())
-WITH CHECK (id = auth.uid());  -- ← Prevents claiming other data
--- ❌ BAD: Allows escalation
-CREATE POLICY "Users can update own profile"
-ON profiles
-FOR UPDATE
-TO authenticated
-USING (id = auth.uid());  -- Missing WITH CHECK
-```
----
-## Performance
-### Index Foreign Keys
-**Always create indexes for foreign keys:**
-```sql
-CREATE TABLE transactions (
-    id UUID PRIMARY KEY,
-    fund_id UUID NOT NULL REFERENCES funds(id),
-    investor_id UUID NOT NULL REFERENCES profiles(id)
-);
--- Required indexes
-CREATE INDEX idx_transactions_fund_id ON transactions (fund_id);
-CREATE INDEX idx_transactions_investor_id ON transactions (investor_id);
-```
-### Composite Indexes for Common Queries
-```sql
--- If querying by fund_id + created_at frequently
-CREATE INDEX idx_transactions_fund_date
-ON transactions (fund_id, created_at DESC);
-```
-### Avoid N+1 Queries
-**Use Supabase joins:**
-```typescript
-// ❌ BAD: N+1 queries
-const funds = await supabase.from('funds').select('*');
-for (const fund of funds.data) {
-    const transactions = await supabase
-        .from('transactions')
-        .select('*')
-        .eq('fund_id', fund.id);
-}
-// ✅ GOOD: Single query
-const funds = await supabase
-    .from('funds')
-    .select('*, transactions(*)');
-```
----
-## Data Types
-### Standard Types
-| Use Case | Type | Notes |
-|----------|------|-------|
-| Primary Key | `UUID DEFAULT gen_random_uuid()` | Always UUID |
-| Money | `NUMERIC(12,2)` | Never FLOAT |
-| Timestamps | `TIMESTAMPTZ` | Always with timezone |
-| Booleans | `BOOLEAN` | Not TEXT |
-| Enums | `CREATE TYPE` | Not TEXT strings |
-| IP Address | `INET` | Native support |
-| JSON | `JSONB` | Not TEXT |
-### Always Add Timestamps
-```sql
-CREATE TABLE table_name (
-    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    -- ... columns
-    created_at TIMESTAMPTZ DEFAULT NOW() NOT NULL,
-    updated_at TIMESTAMPTZ DEFAULT NOW() NOT NULL
-);
--- Trigger for updated_at
-CREATE TRIGGER update_table_updated_at
-    BEFORE UPDATE ON table_name
-    FOR EACH ROW
-    EXECUTE FUNCTION public.update_updated_at_column();
-```
----
-## Documentation
-### Comment Everything
-```sql
-COMMENT ON TABLE profiles IS
-'Extended user profiles with role-based access control';
-COMMENT ON COLUMN profiles.role IS
-'User role (fund_manager or investor) for authorization';
-COMMENT ON COLUMN profiles.kyc_status IS
-'KYC verification status (PENDING, APPROVED, REJECTED)';
-```
-**Why?**
-- Helps future developers
-- Shows up in database tools
-- Documents business logic
----
-## Common Pitfalls
-### ❌ Missing ON DELETE Actions
-```sql
--- BAD: No ON DELETE action
-user_id UUID REFERENCES users(id)
--- GOOD: Explicit cascade or restrict
-user_id UUID REFERENCES users(id) ON DELETE CASCADE
-```
-### ❌ TIMESTAMP Instead of TIMESTAMPTZ
-```sql
--- BAD: Loses timezone info
-created_at TIMESTAMP
--- GOOD: Preserves timezone
-created_at TIMESTAMPTZ
-```
-### ❌ No RLS on Sensitive Tables
-```sql
--- BAD: Anyone can read all data
-CREATE TABLE sensitive_data (...);
--- GOOD: RLS enforced
-CREATE TABLE sensitive_data (...);
-ALTER TABLE sensitive_data ENABLE ROW LEVEL SECURITY;
-CREATE POLICY "..." ON sensitive_data ...;
-```
-### ❌ Using Service Role in Client
-```typescript
-// ❌ BAD: Bypasses ALL RLS policies
-const supabase = createClient(url, serviceRoleKey);
-// ✅ GOOD: Enforces RLS
-const supabase = createClient(url, anonKey);
-```
-**Service role only for:**
-- Admin operations
-- Server-side code
-- Database migrations
----
-## Migration Workflow
-1. **Plan** - Document what needs to change
-2. **Create file** - Use date prefix naming
-3. **Write SQL** - Use idempotent operations
-4. **Add indexes** - For foreign keys and queries
-5. **Enable RLS** - On sensitive tables
-6. **Add comments** - Document tables and columns
-7. **Test locally** - Verify migration works
-8. **Review** - Check against this guide
-9. **Deploy** - Apply to production
----
-## References
-- **Existing migrations:** `backend/migrations/`
-- **Supabase client:** `lib/supabaseClient.ts`
-- **Auth context:** `context/AuthContext.tsx`
-- **Session storage:** `lib/auth/SessionStore.ts`
+# Supabase Best Practices for [PROJECT_NAME]
+[PROJECT_NAME]-specific guidelines for working with Supabase.
+---
+## Migration Conventions
+### Naming
+**Format:** `YYYYMMDD_description.sql`
+**Examples:**
+- `20251203_create_profiles_and_app_role.sql`
+- `20251129_multi_fund_architecture.sql`
+- `20251124_add_lot_performance.sql`
+**Rules:**
+- Use current date (not future dates)
+- Use underscores, not hyphens
+- Be descriptive but concise
+- Use `create`, `add`, `update`, `remove` prefixes
+### Header Comments
+**Always include:**
+```sql
+-- Migration: {Description}
+-- Date: {YYYY-MM-DD}
+-- Purpose: {Why this is needed}
+-- Requirements: {IDs if applicable}
+-- Feature: {feature-name if applicable}
+```
+**Example:**
+```sql
+-- Migration: Create app_role ENUM and profiles table for Identity Fortress
+-- Date: 2025-12-03
+-- Purpose: Establish role-based authentication foundation with JWT custom claims
+-- Requirements: 4.1
+-- Feature: identity-fortress
+```
+### Idempotency
+**All operations must be safe to re-run:**
+```sql
+-- ✅ GOOD: Safe to re-run
+CREATE TABLE IF NOT EXISTS ...
+CREATE INDEX IF NOT EXISTS ...
+ALTER TABLE ... ADD COLUMN IF NOT EXISTS ...
+-- ✅ GOOD: Type handling
+DO $$ BEGIN
+    CREATE TYPE status_type AS ENUM ('active', 'inactive');
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+-- ❌ BAD: Fails on re-run
+CREATE TABLE ...
+CREATE INDEX ...
+CREATE TYPE ...
+```
+---
+## Auth Integration
+### Stateless Client Pattern
+[PROJECT_NAME] uses a **stateless Supabase client** with SessionStore as single source of truth.
+**Architecture:**
+```
+SessionStore (localStorage)
+    ↓ hydrates ↓
+Supabase Client (in-memory only)
+```
+**Configuration (`lib/supabaseClient.ts`):**
+```typescript
+export const supabase = createClient(url, anonKey, {
+    auth: {
+        persistSession: false,  // ← SessionStore handles persistence
+        autoRefreshToken: true,
+        detectSessionInUrl: true,
+    },
+});
+```
+**Why this pattern?**
+- Single source of truth (no sync issues)
+- Explicit session management
+- No localStorage conflicts
+- Proper session validation
+**See:** `lib/supabaseClient.ts` for full implementation
+---
+## RLS Security
+### Enable by Default
+**On all tables with sensitive data:**
+```sql
+CREATE TABLE table_name (...);
+ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;
+```
+### Policy Naming
+**Use descriptive names:**
+```sql
+-- ✅ GOOD
+CREATE POLICY "Users can view own profile" ...
+CREATE POLICY "Fund Managers can view all profiles" ...
+-- ❌ BAD
+CREATE POLICY "select_policy" ...
+CREATE POLICY "policy1" ...
+```
+### Always Use WITH CHECK
+**For UPDATE/INSERT operations:**
+```sql
+-- ✅ GOOD: Enforces ownership on write
+CREATE POLICY "Users can update own profile"
+ON profiles
+FOR UPDATE
+TO authenticated
+USING (id = auth.uid())
+WITH CHECK (id = auth.uid());  -- ← Prevents claiming other data
+-- ❌ BAD: Allows escalation
+CREATE POLICY "Users can update own profile"
+ON profiles
+FOR UPDATE
+TO authenticated
+USING (id = auth.uid());  -- Missing WITH CHECK
+```
+---
+## Performance
+### Index Foreign Keys
+**Always create indexes for foreign keys:**
+```sql
+CREATE TABLE transactions (
+    id UUID PRIMARY KEY,
+    fund_id UUID NOT NULL REFERENCES funds(id),
+    investor_id UUID NOT NULL REFERENCES profiles(id)
+);
+-- Required indexes
+CREATE INDEX idx_transactions_fund_id ON transactions (fund_id);
+CREATE INDEX idx_transactions_investor_id ON transactions (investor_id);
+```
+### Composite Indexes for Common Queries
+```sql
+-- If querying by fund_id + created_at frequently
+CREATE INDEX idx_transactions_fund_date
+ON transactions (fund_id, created_at DESC);
+```
+### Avoid N+1 Queries
+**Use Supabase joins:**
+```typescript
+// ❌ BAD: N+1 queries
+const funds = await supabase.from('funds').select('*');
+for (const fund of funds.data) {
+    const transactions = await supabase
+        .from('transactions')
+        .select('*')
+        .eq('fund_id', fund.id);
+}
+// ✅ GOOD: Single query
+const funds = await supabase
+    .from('funds')
+    .select('*, transactions(*)');
+```
+---
+## Data Types
+### Standard Types
+| Use Case | Type | Notes |
+|----------|------|-------|
+| Primary Key | `UUID DEFAULT gen_random_uuid()` | Always UUID |
+| Money | `NUMERIC(12,2)` | Never FLOAT |
+| Timestamps | `TIMESTAMPTZ` | Always with timezone |
+| Booleans | `BOOLEAN` | Not TEXT |
+| Enums | `CREATE TYPE` | Not TEXT strings |
+| IP Address | `INET` | Native support |
+| JSON | `JSONB` | Not TEXT |
+### Always Add Timestamps
+```sql
+CREATE TABLE table_name (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    -- ... columns
+    created_at TIMESTAMPTZ DEFAULT NOW() NOT NULL,
+    updated_at TIMESTAMPTZ DEFAULT NOW() NOT NULL
+);
+-- Trigger for updated_at
+CREATE TRIGGER update_table_updated_at
+    BEFORE UPDATE ON table_name
+    FOR EACH ROW
+    EXECUTE FUNCTION public.update_updated_at_column();
+```
+---
+## Documentation
+### Comment Everything
+```sql
+COMMENT ON TABLE profiles IS
+'Extended user profiles with role-based access control';
+COMMENT ON COLUMN profiles.role IS
+'User role (fund_manager or investor) for authorization';
+COMMENT ON COLUMN profiles.kyc_status IS
+'KYC verification status (PENDING, APPROVED, REJECTED)';
+```
+**Why?**
+- Helps future developers
+- Shows up in database tools
+- Documents business logic
+---
+## Common Pitfalls
+### ❌ Missing ON DELETE Actions
+```sql
+-- BAD: No ON DELETE action
+user_id UUID REFERENCES users(id)
+-- GOOD: Explicit cascade or restrict
+user_id UUID REFERENCES users(id) ON DELETE CASCADE
+```
+### ❌ TIMESTAMP Instead of TIMESTAMPTZ
+```sql
+-- BAD: Loses timezone info
+created_at TIMESTAMP
+-- GOOD: Preserves timezone
+created_at TIMESTAMPTZ
+```
+### ❌ No RLS on Sensitive Tables
+```sql
+-- BAD: Anyone can read all data
+CREATE TABLE sensitive_data (...);
+-- GOOD: RLS enforced
+CREATE TABLE sensitive_data (...);
+ALTER TABLE sensitive_data ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "..." ON sensitive_data ...;
+```
+### ❌ Using Service Role in Client
+```typescript
+// ❌ BAD: Bypasses ALL RLS policies
+const supabase = createClient(url, serviceRoleKey);
+// ✅ GOOD: Enforces RLS
+const supabase = createClient(url, anonKey);
+```
+**Service role only for:**
+- Admin operations
+- Server-side code
+- Database migrations
+---
+## Migration Workflow
+1. **Plan** - Document what needs to change
+2. **Create file** - Use date prefix naming
+3. **Write SQL** - Use idempotent operations
+4. **Add indexes** - For foreign keys and queries
+5. **Enable RLS** - On sensitive tables
+6. **Add comments** - Document tables and columns
+7. **Test locally** - Verify migration works
+8. **Review** - Check against this guide
+9. **Deploy** - Apply to production
+---
+## References
+- **Existing migrations:** `backend/migrations/`
+- **Supabase client:** `lib/supabaseClient.ts`
+- **Auth context:** `context/AuthContext.tsx`
+- **Session storage:** `lib/auth/SessionStore.ts`