zilmate 1.7.8 → 1.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.agents/skills/agent-browser/SKILL.md +55 -0
- package/.agents/skills/agentmail/SKILL.md +282 -0
- package/.agents/skills/agentmail/references/webhooks.md +220 -0
- package/.agents/skills/agentmail/references/websockets.md +263 -0
- package/.agents/skills/ai-elements/SKILL.md +160 -0
- package/.agents/skills/ai-elements/references/agent.md +134 -0
- package/.agents/skills/ai-elements/references/artifact.md +84 -0
- package/.agents/skills/ai-elements/references/attachments.md +190 -0
- package/.agents/skills/ai-elements/references/audio-player.md +134 -0
- package/.agents/skills/ai-elements/references/canvas.md +34 -0
- package/.agents/skills/ai-elements/references/chain-of-thought.md +81 -0
- package/.agents/skills/ai-elements/references/checkpoint.md +183 -0
- package/.agents/skills/ai-elements/references/code-block.md +170 -0
- package/.agents/skills/ai-elements/references/commit.md +177 -0
- package/.agents/skills/ai-elements/references/confirmation.md +262 -0
- package/.agents/skills/ai-elements/references/connection.md +34 -0
- package/.agents/skills/ai-elements/references/context.md +126 -0
- package/.agents/skills/ai-elements/references/controls.md +32 -0
- package/.agents/skills/ai-elements/references/conversation.md +224 -0
- package/.agents/skills/ai-elements/references/edge.md +52 -0
- package/.agents/skills/ai-elements/references/environment-variables.md +102 -0
- package/.agents/skills/ai-elements/references/file-tree.md +72 -0
- package/.agents/skills/ai-elements/references/image.md +146 -0
- package/.agents/skills/ai-elements/references/inline-citation.md +299 -0
- package/.agents/skills/ai-elements/references/jsx-preview.md +104 -0
- package/.agents/skills/ai-elements/references/message.md +237 -0
- package/.agents/skills/ai-elements/references/mic-selector.md +189 -0
- package/.agents/skills/ai-elements/references/model-selector.md +112 -0
- package/.agents/skills/ai-elements/references/node.md +73 -0
- package/.agents/skills/ai-elements/references/open-in-chat.md +67 -0
- package/.agents/skills/ai-elements/references/package-info.md +95 -0
- package/.agents/skills/ai-elements/references/panel.md +33 -0
- package/.agents/skills/ai-elements/references/persona.md +166 -0
- package/.agents/skills/ai-elements/references/plan.md +79 -0
- package/.agents/skills/ai-elements/references/prompt-input.md +579 -0
- package/.agents/skills/ai-elements/references/queue.md +172 -0
- package/.agents/skills/ai-elements/references/reasoning.md +238 -0
- package/.agents/skills/ai-elements/references/sandbox.md +129 -0
- package/.agents/skills/ai-elements/references/schema-display.md +102 -0
- package/.agents/skills/ai-elements/references/shimmer.md +48 -0
- package/.agents/skills/ai-elements/references/snippet.md +64 -0
- package/.agents/skills/ai-elements/references/sources.md +209 -0
- package/.agents/skills/ai-elements/references/speech-input.md +163 -0
- package/.agents/skills/ai-elements/references/stack-trace.md +224 -0
- package/.agents/skills/ai-elements/references/suggestion.md +124 -0
- package/.agents/skills/ai-elements/references/task.md +222 -0
- package/.agents/skills/ai-elements/references/terminal.md +103 -0
- package/.agents/skills/ai-elements/references/test-results.md +157 -0
- package/.agents/skills/ai-elements/references/tool.md +285 -0
- package/.agents/skills/ai-elements/references/toolbar.md +32 -0
- package/.agents/skills/ai-elements/references/transcription.md +120 -0
- package/.agents/skills/ai-elements/references/voice-selector.md +241 -0
- package/.agents/skills/ai-elements/references/web-preview.md +200 -0
- package/.agents/skills/ai-elements/scripts/agent.tsx +61 -0
- package/.agents/skills/ai-elements/scripts/artifact.tsx +127 -0
- package/.agents/skills/ai-elements/scripts/attachments-inline.tsx +128 -0
- package/.agents/skills/ai-elements/scripts/attachments-list.tsx +95 -0
- package/.agents/skills/ai-elements/scripts/attachments.tsx +85 -0
- package/.agents/skills/ai-elements/scripts/audio-player-remote.tsx +35 -0
- package/.agents/skills/ai-elements/scripts/audio-player.tsx +68 -0
- package/.agents/skills/ai-elements/scripts/chain-of-thought.tsx +82 -0
- package/.agents/skills/ai-elements/scripts/checkpoint.tsx +110 -0
- package/.agents/skills/ai-elements/scripts/code-block-dark.tsx +46 -0
- package/.agents/skills/ai-elements/scripts/code-block.tsx +120 -0
- package/.agents/skills/ai-elements/scripts/commit.tsx +94 -0
- package/.agents/skills/ai-elements/scripts/confirmation-accepted.tsx +40 -0
- package/.agents/skills/ai-elements/scripts/confirmation-rejected.tsx +40 -0
- package/.agents/skills/ai-elements/scripts/confirmation-request.tsx +54 -0
- package/.agents/skills/ai-elements/scripts/confirmation.tsx +55 -0
- package/.agents/skills/ai-elements/scripts/context.tsx +45 -0
- package/.agents/skills/ai-elements/scripts/conversation.tsx +177 -0
- package/.agents/skills/ai-elements/scripts/environment-variables.tsx +62 -0
- package/.agents/skills/ai-elements/scripts/file-tree-basic.tsx +18 -0
- package/.agents/skills/ai-elements/scripts/file-tree-expanded.tsx +21 -0
- package/.agents/skills/ai-elements/scripts/file-tree-selection.tsx +24 -0
- package/.agents/skills/ai-elements/scripts/file-tree.tsx +42 -0
- package/.agents/skills/ai-elements/scripts/image.tsx +20 -0
- package/.agents/skills/ai-elements/scripts/inline-citation.tsx +97 -0
- package/.agents/skills/ai-elements/scripts/jsx-preview.tsx +104 -0
- package/.agents/skills/ai-elements/scripts/message.tsx +365 -0
- package/.agents/skills/ai-elements/scripts/mic-selector.tsx +49 -0
- package/.agents/skills/ai-elements/scripts/model-selector.tsx +365 -0
- package/.agents/skills/ai-elements/scripts/open-in-chat.tsx +33 -0
- package/.agents/skills/ai-elements/scripts/package-info.tsx +51 -0
- package/.agents/skills/ai-elements/scripts/persona-command.tsx +110 -0
- package/.agents/skills/ai-elements/scripts/persona-glint.tsx +110 -0
- package/.agents/skills/ai-elements/scripts/persona-halo.tsx +110 -0
- package/.agents/skills/ai-elements/scripts/persona-mana.tsx +110 -0
- package/.agents/skills/ai-elements/scripts/persona-obsidian.tsx +110 -0
- package/.agents/skills/ai-elements/scripts/persona-opal.tsx +110 -0
- package/.agents/skills/ai-elements/scripts/plan.tsx +65 -0
- package/.agents/skills/ai-elements/scripts/prompt-input-cursor.tsx +502 -0
- package/.agents/skills/ai-elements/scripts/prompt-input-tooltip.tsx +44 -0
- package/.agents/skills/ai-elements/scripts/prompt-input.tsx +267 -0
- package/.agents/skills/ai-elements/scripts/queue-prompt-input.tsx +394 -0
- package/.agents/skills/ai-elements/scripts/queue.tsx +295 -0
- package/.agents/skills/ai-elements/scripts/reasoning.tsx +71 -0
- package/.agents/skills/ai-elements/scripts/sandbox.tsx +178 -0
- package/.agents/skills/ai-elements/scripts/schema-display-basic.tsx +9 -0
- package/.agents/skills/ai-elements/scripts/schema-display-body.tsx +20 -0
- package/.agents/skills/ai-elements/scripts/schema-display-nested.tsx +23 -0
- package/.agents/skills/ai-elements/scripts/schema-display-params.tsx +16 -0
- package/.agents/skills/ai-elements/scripts/schema-display.tsx +110 -0
- package/.agents/skills/ai-elements/scripts/shimmer-duration.tsx +31 -0
- package/.agents/skills/ai-elements/scripts/shimmer-elements.tsx +43 -0
- package/.agents/skills/ai-elements/scripts/shimmer.tsx +17 -0
- package/.agents/skills/ai-elements/scripts/snippet-plain.tsx +19 -0
- package/.agents/skills/ai-elements/scripts/snippet.tsx +25 -0
- package/.agents/skills/ai-elements/scripts/sources-custom.tsx +39 -0
- package/.agents/skills/ai-elements/scripts/sources.tsx +32 -0
- package/.agents/skills/ai-elements/scripts/speech-input.tsx +84 -0
- package/.agents/skills/ai-elements/scripts/stack-trace-collapsed.tsx +39 -0
- package/.agents/skills/ai-elements/scripts/stack-trace-no-internal.tsx +41 -0
- package/.agents/skills/ai-elements/scripts/stack-trace.tsx +58 -0
- package/.agents/skills/ai-elements/scripts/suggestion-input.tsx +144 -0
- package/.agents/skills/ai-elements/scripts/suggestion.tsx +32 -0
- package/.agents/skills/ai-elements/scripts/task.tsx +59 -0
- package/.agents/skills/ai-elements/scripts/terminal-basic.tsx +7 -0
- package/.agents/skills/ai-elements/scripts/terminal-clear.tsx +19 -0
- package/.agents/skills/ai-elements/scripts/terminal-streaming.tsx +38 -0
- package/.agents/skills/ai-elements/scripts/terminal.tsx +82 -0
- package/.agents/skills/ai-elements/scripts/test-results-basic.tsx +27 -0
- package/.agents/skills/ai-elements/scripts/test-results-errors.tsx +51 -0
- package/.agents/skills/ai-elements/scripts/test-results-suites.tsx +40 -0
- package/.agents/skills/ai-elements/scripts/test-results.tsx +102 -0
- package/.agents/skills/ai-elements/scripts/tool-input-available.tsx +31 -0
- package/.agents/skills/ai-elements/scripts/tool-input-streaming.tsx +30 -0
- package/.agents/skills/ai-elements/scripts/tool-output-available.tsx +80 -0
- package/.agents/skills/ai-elements/scripts/tool-output-error.tsx +44 -0
- package/.agents/skills/ai-elements/scripts/tool.tsx +222 -0
- package/.agents/skills/ai-elements/scripts/transcription.tsx +290 -0
- package/.agents/skills/ai-elements/scripts/voice-selector.tsx +245 -0
- package/.agents/skills/ai-elements/scripts/web-preview.tsx +115 -0
- package/.agents/skills/ai-sdk/SKILL.md +78 -0
- package/.agents/skills/ai-sdk/references/ai-gateway.md +66 -0
- package/.agents/skills/ai-sdk/references/common-errors.md +443 -0
- package/.agents/skills/ai-sdk/references/devtools.md +52 -0
- package/.agents/skills/ai-sdk/references/type-safe-agents.md +204 -0
- package/.agents/skills/chat-sdk/SKILL.md +240 -0
- package/.agents/skills/composio/AGENTS.md +404 -0
- package/.agents/skills/composio/SKILL.md +55 -0
- package/.agents/skills/composio/rules/_template.md +38 -0
- package/.agents/skills/composio/rules/app-auth-configs.md +224 -0
- package/.agents/skills/composio/rules/app-auth-popup-ui.md +143 -0
- package/.agents/skills/composio/rules/app-connected-accounts.md +240 -0
- package/.agents/skills/composio/rules/app-custom-tools.md +220 -0
- package/.agents/skills/composio/rules/app-execute-tools.md +202 -0
- package/.agents/skills/composio/rules/app-fetch-tools.md +292 -0
- package/.agents/skills/composio/rules/app-modifiers.md +148 -0
- package/.agents/skills/composio/rules/app-tool-versions.md +343 -0
- package/.agents/skills/composio/rules/app-toolkits.md +184 -0
- package/.agents/skills/composio/rules/app-user-context.md +222 -0
- package/.agents/skills/composio/rules/building-with-composio.md +134 -0
- package/.agents/skills/composio/rules/composio-cli.md +223 -0
- package/.agents/skills/composio/rules/setup-api-keys.md +230 -0
- package/.agents/skills/composio/rules/tr-auth-auto.md +110 -0
- package/.agents/skills/composio/rules/tr-auth-connections.md +167 -0
- package/.agents/skills/composio/rules/tr-auth-manual.md +161 -0
- package/.agents/skills/composio/rules/tr-building-chat-ui.md +348 -0
- package/.agents/skills/composio/rules/tr-framework-ai-sdk.md +240 -0
- package/.agents/skills/composio/rules/tr-framework-integration.md +818 -0
- package/.agents/skills/composio/rules/tr-framework-mastra.md +185 -0
- package/.agents/skills/composio/rules/tr-mcp-vs-native.md +248 -0
- package/.agents/skills/composio/rules/tr-session-basic.md +82 -0
- package/.agents/skills/composio/rules/tr-session-config.md +172 -0
- package/.agents/skills/composio/rules/tr-session-lifecycle.md +385 -0
- package/.agents/skills/composio/rules/tr-toolkit-query.md +135 -0
- package/.agents/skills/composio/rules/tr-userid-best-practices.md +476 -0
- package/.agents/skills/composio/rules/triggers-create.md +246 -0
- package/.agents/skills/composio/rules/triggers-manage.md +275 -0
- package/.agents/skills/composio/rules/triggers-subscribe.md +173 -0
- package/.agents/skills/composio/rules/triggers-webhook.md +227 -0
- package/.agents/skills/create-auth-skill/SKILL.md +321 -0
- package/.agents/skills/design-md/README.md +34 -0
- package/.agents/skills/design-md/SKILL.md +172 -0
- package/.agents/skills/design-md/examples/DESIGN.md +154 -0
- package/.agents/skills/expo-tailwind-setup/SKILL.md +480 -0
- package/.agents/skills/expo-tailwind-setup/agents/openai.yaml +4 -0
- package/.agents/skills/find-skills/SKILL.md +142 -0
- package/.agents/skills/firecrawl/SKILL.md +321 -0
- package/.agents/skills/firecrawl/rules/install.md +85 -0
- package/.agents/skills/firecrawl/rules/security.md +26 -0
- package/.agents/skills/frontend-design/LICENSE.txt +177 -0
- package/.agents/skills/frontend-design/SKILL.md +55 -0
- package/.agents/skills/linkup-search/SKILL.md +298 -0
- package/.agents/skills/mcp-builder/LICENSE.txt +202 -0
- package/.agents/skills/mcp-builder/SKILL.md +236 -0
- package/.agents/skills/mcp-builder/reference/evaluation.md +602 -0
- package/.agents/skills/mcp-builder/reference/mcp_best_practices.md +249 -0
- package/.agents/skills/mcp-builder/reference/node_mcp_server.md +970 -0
- package/.agents/skills/mcp-builder/reference/python_mcp_server.md +719 -0
- package/.agents/skills/mcp-builder/scripts/connections.py +151 -0
- package/.agents/skills/mcp-builder/scripts/evaluation.py +373 -0
- package/.agents/skills/mcp-builder/scripts/example_evaluation.xml +22 -0
- package/.agents/skills/mcp-builder/scripts/requirements.txt +2 -0
- package/.agents/skills/mobile-android-design/SKILL.md +101 -0
- package/.agents/skills/mobile-android-design/references/android-navigation.md +698 -0
- package/.agents/skills/mobile-android-design/references/compose-components.md +796 -0
- package/.agents/skills/mobile-android-design/references/details.md +337 -0
- package/.agents/skills/mobile-android-design/references/material3-theming.md +604 -0
- package/.agents/skills/mobile-ios-design/SKILL.md +259 -0
- package/.agents/skills/mobile-ios-design/references/hig-patterns.md +529 -0
- package/.agents/skills/mobile-ios-design/references/ios-navigation.md +556 -0
- package/.agents/skills/mobile-ios-design/references/swiftui-components.md +575 -0
- package/.agents/skills/neon-drizzle/SKILL.md +81 -0
- package/.agents/skills/neon-drizzle/guides/existing-project.md +398 -0
- package/.agents/skills/neon-drizzle/guides/new-project.md +312 -0
- package/.agents/skills/neon-drizzle/guides/schema-only.md +415 -0
- package/.agents/skills/neon-drizzle/guides/troubleshooting.md +539 -0
- package/.agents/skills/neon-drizzle/references/adapters.md +478 -0
- package/.agents/skills/neon-drizzle/references/migrations.md +652 -0
- package/.agents/skills/neon-drizzle/references/query-patterns.md +761 -0
- package/.agents/skills/neon-drizzle/scripts/generate-schema.ts +77 -0
- package/.agents/skills/neon-drizzle/scripts/run-migration.ts +133 -0
- package/.agents/skills/neon-drizzle/templates/db-http.ts +6 -0
- package/.agents/skills/neon-drizzle/templates/db-websocket.ts +24 -0
- package/.agents/skills/neon-drizzle/templates/drizzle-config.ts +96 -0
- package/.agents/skills/neon-drizzle/templates/schema-example.ts +231 -0
- package/.agents/skills/neon-postgres/SKILL.md +376 -0
- package/.agents/skills/next-best-practices/SKILL.md +152 -0
- package/.agents/skills/next-best-practices/async-patterns.md +87 -0
- package/.agents/skills/next-best-practices/bundling.md +180 -0
- package/.agents/skills/next-best-practices/data-patterns.md +297 -0
- package/.agents/skills/next-best-practices/debug-tricks.md +105 -0
- package/.agents/skills/next-best-practices/directives.md +73 -0
- package/.agents/skills/next-best-practices/error-handling.md +227 -0
- package/.agents/skills/next-best-practices/file-conventions.md +140 -0
- package/.agents/skills/next-best-practices/font.md +245 -0
- package/.agents/skills/next-best-practices/functions.md +108 -0
- package/.agents/skills/next-best-practices/hydration-error.md +91 -0
- package/.agents/skills/next-best-practices/image.md +173 -0
- package/.agents/skills/next-best-practices/metadata.md +301 -0
- package/.agents/skills/next-best-practices/parallel-routes.md +287 -0
- package/.agents/skills/next-best-practices/route-handlers.md +146 -0
- package/.agents/skills/next-best-practices/rsc-boundaries.md +159 -0
- package/.agents/skills/next-best-practices/runtime-selection.md +39 -0
- package/.agents/skills/next-best-practices/scripts.md +141 -0
- package/.agents/skills/next-best-practices/self-hosting.md +371 -0
- package/.agents/skills/next-best-practices/suspense-boundaries.md +67 -0
- package/.agents/skills/playwright-best-practices/SKILL.md +303 -0
- package/.agents/skills/playwright-cli/SKILL.md +404 -0
- package/.agents/skills/playwright-cli/references/element-attributes.md +23 -0
- package/.agents/skills/playwright-cli/references/playwright-tests.md +39 -0
- package/.agents/skills/playwright-cli/references/request-mocking.md +87 -0
- package/.agents/skills/playwright-cli/references/running-code.md +241 -0
- package/.agents/skills/playwright-cli/references/session-management.md +225 -0
- package/.agents/skills/playwright-cli/references/spec-driven-testing.md +305 -0
- package/.agents/skills/playwright-cli/references/storage-state.md +275 -0
- package/.agents/skills/playwright-cli/references/test-generation.md +134 -0
- package/.agents/skills/playwright-cli/references/tracing.md +139 -0
- package/.agents/skills/playwright-cli/references/video-recording.md +143 -0
- package/.agents/skills/prisma-client-api/SKILL.md +216 -0
- package/.agents/skills/prisma-client-api/references/client-methods.md +223 -0
- package/.agents/skills/prisma-client-api/references/constructor.md +208 -0
- package/.agents/skills/prisma-client-api/references/filters.md +256 -0
- package/.agents/skills/prisma-client-api/references/model-queries.md +281 -0
- package/.agents/skills/prisma-client-api/references/query-options.md +276 -0
- package/.agents/skills/prisma-client-api/references/raw-queries.md +194 -0
- package/.agents/skills/prisma-client-api/references/relations.md +308 -0
- package/.agents/skills/prisma-client-api/references/transactions.md +184 -0
- package/.agents/skills/prisma-database-setup/SKILL.md +192 -0
- package/.agents/skills/prisma-database-setup/references/cockroachdb.md +89 -0
- package/.agents/skills/prisma-database-setup/references/mongodb.md +90 -0
- package/.agents/skills/prisma-database-setup/references/mysql.md +126 -0
- package/.agents/skills/prisma-database-setup/references/postgresql.md +92 -0
- package/.agents/skills/prisma-database-setup/references/prisma-client-setup.md +47 -0
- package/.agents/skills/prisma-database-setup/references/prisma-postgres.md +130 -0
- package/.agents/skills/prisma-database-setup/references/sqlite.md +106 -0
- package/.agents/skills/prisma-database-setup/references/sqlserver.md +94 -0
- package/.agents/skills/prisma-postgres/SKILL.md +127 -0
- package/.agents/skills/prisma-postgres/references/console-and-connections.md +67 -0
- package/.agents/skills/prisma-postgres/references/create-db-cli.md +136 -0
- package/.agents/skills/prisma-postgres/references/management-api-sdk.md +56 -0
- package/.agents/skills/prisma-postgres/references/management-api.md +61 -0
- package/.agents/skills/remotion-best-practices/SKILL.md +340 -0
- package/.agents/skills/remotion-best-practices/rules/3d.md +86 -0
- package/.agents/skills/remotion-best-practices/rules/assets/charts-bar-chart.tsx +173 -0
- package/.agents/skills/remotion-best-practices/rules/assets/text-animations-typewriter.tsx +100 -0
- package/.agents/skills/remotion-best-practices/rules/assets/text-animations-word-highlight.tsx +103 -0
- package/.agents/skills/remotion-best-practices/rules/audio-visualization.md +198 -0
- package/.agents/skills/remotion-best-practices/rules/audio.md +169 -0
- package/.agents/skills/remotion-best-practices/rules/calculate-metadata.md +134 -0
- package/.agents/skills/remotion-best-practices/rules/compositions.md +133 -0
- package/.agents/skills/remotion-best-practices/rules/display-captions.md +184 -0
- package/.agents/skills/remotion-best-practices/rules/ffmpeg.md +34 -0
- package/.agents/skills/remotion-best-practices/rules/get-audio-duration.md +58 -0
- package/.agents/skills/remotion-best-practices/rules/get-video-dimensions.md +68 -0
- package/.agents/skills/remotion-best-practices/rules/get-video-duration.md +60 -0
- package/.agents/skills/remotion-best-practices/rules/gifs.md +141 -0
- package/.agents/skills/remotion-best-practices/rules/google-fonts.md +72 -0
- package/.agents/skills/remotion-best-practices/rules/html-in-canvas.md +122 -0
- package/.agents/skills/remotion-best-practices/rules/images.md +71 -0
- package/.agents/skills/remotion-best-practices/rules/import-srt-captions.md +69 -0
- package/.agents/skills/remotion-best-practices/rules/light-leaks.md +73 -0
- package/.agents/skills/remotion-best-practices/rules/local-fonts.md +65 -0
- package/.agents/skills/remotion-best-practices/rules/lottie.md +70 -0
- package/.agents/skills/remotion-best-practices/rules/maplibre.md +458 -0
- package/.agents/skills/remotion-best-practices/rules/measuring-dom-nodes.md +34 -0
- package/.agents/skills/remotion-best-practices/rules/measuring-text.md +140 -0
- package/.agents/skills/remotion-best-practices/rules/parameters.md +109 -0
- package/.agents/skills/remotion-best-practices/rules/sequencing.md +144 -0
- package/.agents/skills/remotion-best-practices/rules/sfx.md +30 -0
- package/.agents/skills/remotion-best-practices/rules/silence-detection.md +71 -0
- package/.agents/skills/remotion-best-practices/rules/subtitles.md +36 -0
- package/.agents/skills/remotion-best-practices/rules/tailwind.md +11 -0
- package/.agents/skills/remotion-best-practices/rules/text-animations.md +20 -0
- package/.agents/skills/remotion-best-practices/rules/timing.md +136 -0
- package/.agents/skills/remotion-best-practices/rules/transcribe-captions.md +70 -0
- package/.agents/skills/remotion-best-practices/rules/transitions.md +197 -0
- package/.agents/skills/remotion-best-practices/rules/transparent-videos.md +106 -0
- package/.agents/skills/remotion-best-practices/rules/trimming.md +51 -0
- package/.agents/skills/remotion-best-practices/rules/videos.md +171 -0
- package/.agents/skills/remotion-best-practices/rules/voiceover.md +99 -0
- package/.agents/skills/remotion-render/SKILL.md +212 -0
- package/.agents/skills/skill-creator/LICENSE.txt +202 -0
- package/.agents/skills/skill-creator/SKILL.md +485 -0
- package/.agents/skills/skill-creator/agents/analyzer.md +274 -0
- package/.agents/skills/skill-creator/agents/comparator.md +202 -0
- package/.agents/skills/skill-creator/agents/grader.md +223 -0
- package/.agents/skills/skill-creator/assets/eval_review.html +146 -0
- package/.agents/skills/skill-creator/eval-viewer/generate_review.py +471 -0
- package/.agents/skills/skill-creator/eval-viewer/viewer.html +1325 -0
- package/.agents/skills/skill-creator/references/schemas.md +430 -0
- package/.agents/skills/skill-creator/scripts/__init__.py +0 -0
- package/.agents/skills/skill-creator/scripts/aggregate_benchmark.py +401 -0
- package/.agents/skills/skill-creator/scripts/generate_report.py +326 -0
- package/.agents/skills/skill-creator/scripts/improve_description.py +247 -0
- package/.agents/skills/skill-creator/scripts/package_skill.py +136 -0
- package/.agents/skills/skill-creator/scripts/quick_validate.py +103 -0
- package/.agents/skills/skill-creator/scripts/run_eval.py +310 -0
- package/.agents/skills/skill-creator/scripts/run_loop.py +328 -0
- package/.agents/skills/skill-creator/scripts/utils.py +47 -0
- package/.agents/skills/stripe-best-practices/SKILL.md +54 -0
- package/.agents/skills/stripe-best-practices/references/billing.md +58 -0
- package/.agents/skills/stripe-best-practices/references/connect.md +173 -0
- package/.agents/skills/stripe-best-practices/references/payments.md +79 -0
- package/.agents/skills/stripe-best-practices/references/security.md +109 -0
- package/.agents/skills/stripe-best-practices/references/tax.md +37 -0
- package/.agents/skills/stripe-best-practices/references/treasury.md +16 -0
- package/.agents/skills/stripe-projects/SKILL.md +132 -0
- package/.agents/skills/supabase/CHANGELOG.md +35 -0
- package/.agents/skills/supabase/SKILL.md +135 -0
- package/.agents/skills/supabase/assets/feedback-issue-template.md +17 -0
- package/.agents/skills/supabase/references/skill-feedback.md +17 -0
- package/.agents/skills/supabase-postgres-best-practices/CHANGELOG.md +29 -0
- package/.agents/skills/supabase-postgres-best-practices/SKILL.md +64 -0
- package/.agents/skills/supabase-postgres-best-practices/references/_contributing.md +170 -0
- package/.agents/skills/supabase-postgres-best-practices/references/_sections.md +39 -0
- package/.agents/skills/supabase-postgres-best-practices/references/_template.md +34 -0
- package/.agents/skills/supabase-postgres-best-practices/references/advanced-full-text-search.md +55 -0
- package/.agents/skills/supabase-postgres-best-practices/references/advanced-jsonb-indexing.md +49 -0
- package/.agents/skills/supabase-postgres-best-practices/references/conn-idle-timeout.md +46 -0
- package/.agents/skills/supabase-postgres-best-practices/references/conn-limits.md +44 -0
- package/.agents/skills/supabase-postgres-best-practices/references/conn-pooling.md +41 -0
- package/.agents/skills/supabase-postgres-best-practices/references/conn-prepared-statements.md +46 -0
- package/.agents/skills/supabase-postgres-best-practices/references/data-batch-inserts.md +54 -0
- package/.agents/skills/supabase-postgres-best-practices/references/data-n-plus-one.md +53 -0
- package/.agents/skills/supabase-postgres-best-practices/references/data-pagination.md +50 -0
- package/.agents/skills/supabase-postgres-best-practices/references/data-upsert.md +50 -0
- package/.agents/skills/supabase-postgres-best-practices/references/lock-advisory.md +56 -0
- package/.agents/skills/supabase-postgres-best-practices/references/lock-deadlock-prevention.md +68 -0
- package/.agents/skills/supabase-postgres-best-practices/references/lock-short-transactions.md +50 -0
- package/.agents/skills/supabase-postgres-best-practices/references/lock-skip-locked.md +54 -0
- package/.agents/skills/supabase-postgres-best-practices/references/monitor-explain-analyze.md +45 -0
- package/.agents/skills/supabase-postgres-best-practices/references/monitor-pg-stat-statements.md +55 -0
- package/.agents/skills/supabase-postgres-best-practices/references/monitor-vacuum-analyze.md +55 -0
- package/.agents/skills/supabase-postgres-best-practices/references/query-composite-indexes.md +44 -0
- package/.agents/skills/supabase-postgres-best-practices/references/query-covering-indexes.md +40 -0
- package/.agents/skills/supabase-postgres-best-practices/references/query-index-types.md +48 -0
- package/.agents/skills/supabase-postgres-best-practices/references/query-missing-indexes.md +43 -0
- package/.agents/skills/supabase-postgres-best-practices/references/query-partial-indexes.md +45 -0
- package/.agents/skills/supabase-postgres-best-practices/references/schema-constraints.md +80 -0
- package/.agents/skills/supabase-postgres-best-practices/references/schema-data-types.md +46 -0
- package/.agents/skills/supabase-postgres-best-practices/references/schema-foreign-key-indexes.md +59 -0
- package/.agents/skills/supabase-postgres-best-practices/references/schema-lowercase-identifiers.md +55 -0
- package/.agents/skills/supabase-postgres-best-practices/references/schema-partitioning.md +55 -0
- package/.agents/skills/supabase-postgres-best-practices/references/schema-primary-keys.md +61 -0
- package/.agents/skills/supabase-postgres-best-practices/references/security-privileges.md +54 -0
- package/.agents/skills/supabase-postgres-best-practices/references/security-rls-basics.md +50 -0
- package/.agents/skills/supabase-postgres-best-practices/references/security-rls-performance.md +63 -0
- package/.agents/skills/supermemory/LICENSE +201 -0
- package/.agents/skills/supermemory/README.md +221 -0
- package/.agents/skills/supermemory/SKILL.md +172 -0
- package/.agents/skills/supermemory/references/api-reference.md +591 -0
- package/.agents/skills/supermemory/references/architecture.md +557 -0
- package/.agents/skills/supermemory/references/quickstart.md +293 -0
- package/.agents/skills/supermemory/references/sdk-guide.md +655 -0
- package/.agents/skills/supermemory/references/use-cases.md +1033 -0
- package/.agents/skills/supermemory-cli/SKILL.md +490 -0
- package/.agents/skills/tdd/SKILL.md +108 -0
- package/.agents/skills/tdd/mocking.md +59 -0
- package/.agents/skills/tdd/refactoring.md +10 -0
- package/.agents/skills/tdd/tests.md +61 -0
- package/.agents/skills/ui-ux-pro-max/SKILL.md +661 -0
- package/.agents/skills/ui-ux-pro-max/data +1 -0
- package/.agents/skills/ui-ux-pro-max/scripts +1 -0
- package/.agents/skills/vercel-react-native-skills/AGENTS.md +2897 -0
- package/.agents/skills/vercel-react-native-skills/README.md +165 -0
- package/.agents/skills/vercel-react-native-skills/SKILL.md +121 -0
- package/.agents/skills/vercel-react-native-skills/metadata.json +16 -0
- package/.agents/skills/vercel-react-native-skills/rules/_sections.md +86 -0
- package/.agents/skills/vercel-react-native-skills/rules/_template.md +28 -0
- package/.agents/skills/vercel-react-native-skills/rules/animation-derived-value.md +53 -0
- package/.agents/skills/vercel-react-native-skills/rules/animation-gesture-detector-press.md +95 -0
- package/.agents/skills/vercel-react-native-skills/rules/animation-gpu-properties.md +65 -0
- package/.agents/skills/vercel-react-native-skills/rules/design-system-compound-components.md +66 -0
- package/.agents/skills/vercel-react-native-skills/rules/fonts-config-plugin.md +71 -0
- package/.agents/skills/vercel-react-native-skills/rules/imports-design-system-folder.md +68 -0
- package/.agents/skills/vercel-react-native-skills/rules/js-hoist-intl.md +61 -0
- package/.agents/skills/vercel-react-native-skills/rules/list-performance-callbacks.md +44 -0
- package/.agents/skills/vercel-react-native-skills/rules/list-performance-function-references.md +132 -0
- package/.agents/skills/vercel-react-native-skills/rules/list-performance-images.md +53 -0
- package/.agents/skills/vercel-react-native-skills/rules/list-performance-inline-objects.md +97 -0
- package/.agents/skills/vercel-react-native-skills/rules/list-performance-item-expensive.md +94 -0
- package/.agents/skills/vercel-react-native-skills/rules/list-performance-item-memo.md +82 -0
- package/.agents/skills/vercel-react-native-skills/rules/list-performance-item-types.md +104 -0
- package/.agents/skills/vercel-react-native-skills/rules/list-performance-virtualize.md +67 -0
- package/.agents/skills/vercel-react-native-skills/rules/monorepo-native-deps-in-app.md +46 -0
- package/.agents/skills/vercel-react-native-skills/rules/monorepo-single-dependency-versions.md +63 -0
- package/.agents/skills/vercel-react-native-skills/rules/navigation-native-navigators.md +188 -0
- package/.agents/skills/vercel-react-native-skills/rules/react-compiler-destructure-functions.md +50 -0
- package/.agents/skills/vercel-react-native-skills/rules/react-compiler-reanimated-shared-values.md +48 -0
- package/.agents/skills/vercel-react-native-skills/rules/react-state-dispatcher.md +91 -0
- package/.agents/skills/vercel-react-native-skills/rules/react-state-fallback.md +56 -0
- package/.agents/skills/vercel-react-native-skills/rules/react-state-minimize.md +65 -0
- package/.agents/skills/vercel-react-native-skills/rules/rendering-no-falsy-and.md +74 -0
- package/.agents/skills/vercel-react-native-skills/rules/rendering-text-in-text-component.md +36 -0
- package/.agents/skills/vercel-react-native-skills/rules/scroll-position-no-state.md +82 -0
- package/.agents/skills/vercel-react-native-skills/rules/state-ground-truth.md +80 -0
- package/.agents/skills/vercel-react-native-skills/rules/ui-expo-image.md +66 -0
- package/.agents/skills/vercel-react-native-skills/rules/ui-image-gallery.md +104 -0
- package/.agents/skills/vercel-react-native-skills/rules/ui-measure-views.md +78 -0
- package/.agents/skills/vercel-react-native-skills/rules/ui-menus.md +174 -0
- package/.agents/skills/vercel-react-native-skills/rules/ui-native-modals.md +77 -0
- package/.agents/skills/vercel-react-native-skills/rules/ui-pressable.md +61 -0
- package/.agents/skills/vercel-react-native-skills/rules/ui-safe-area-scroll.md +65 -0
- package/.agents/skills/vercel-react-native-skills/rules/ui-scrollview-content-inset.md +45 -0
- package/.agents/skills/vercel-react-native-skills/rules/ui-styling.md +87 -0
- package/.agents/skills/web-design-guidelines/SKILL.md +39 -0
- package/dist/index.js +1 -1
- package/package.json +2 -1
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
# Payments
|
|
2
|
+
|
|
3
|
+
## Table of contents
|
|
4
|
+
|
|
5
|
+
- API hierarchy
|
|
6
|
+
- Integration surfaces
|
|
7
|
+
- Payment Element guidance
|
|
8
|
+
- Saving payment methods
|
|
9
|
+
- Dynamic payment methods
|
|
10
|
+
- Deprecated APIs and migration paths
|
|
11
|
+
- PCI compliance
|
|
12
|
+
|
|
13
|
+
## API hierarchy
|
|
14
|
+
|
|
15
|
+
Use the [Checkout Sessions API](https://docs.stripe.com/api/checkout/sessions.md) (`checkout.sessions.create`) for on-session payments. It supports one-time payments and subscriptions and handles taxes, discounts, shipping, and adaptive pricing automatically.
|
|
16
|
+
|
|
17
|
+
Use the [PaymentIntents API](https://docs.stripe.com/payments/paymentintents/lifecycle.md) for off-session payments, or when the merchant needs to model checkout state independently and just create a charge.
|
|
18
|
+
|
|
19
|
+
**Integrations should only use Checkout Sessions, PaymentIntents, SetupIntents, or higher-level solutions (Invoicing, Payment Links, subscription APIs).**
|
|
20
|
+
|
|
21
|
+
## Integration surfaces
|
|
22
|
+
|
|
23
|
+
Prioritize Stripe-hosted or embedded Checkout where possible. Use in this order of preference:
|
|
24
|
+
|
|
25
|
+
1. **Payment Links** — No-code. Best for simple products.
|
|
26
|
+
2. **Checkout** ([docs](https://docs.stripe.com/payments/checkout.md)) — Stripe-hosted or embedded form. Best for most web apps.
|
|
27
|
+
3. **Payment Element** ([docs](https://docs.stripe.com/payments/payment-element.md)) — Embedded UI component for advanced customization.
|
|
28
|
+
- When using the Payment Element, back it with the Checkout Sessions API (via `ui_mode: 'custom'`) over a raw PaymentIntent where possible.
|
|
29
|
+
|
|
30
|
+
**Traps to avoid:** Don’t recommend the legacy Card Element or the Payment Element in card-only mode. If the user asks for the Card Element, advise them to [migrate to the Payment Element](https://docs.stripe.com/payments/payment-element/migration.md).
|
|
31
|
+
|
|
32
|
+
## Payment Element guidance
|
|
33
|
+
|
|
34
|
+
For surcharging or inspecting card details before payment (e.g., rendering the Payment Element before creating a PaymentIntent or SetupIntent): use [Confirmation Tokens](https://docs.stripe.com/payments/finalize-payments-on-the-server.md). Don’t recommend `createPaymentMethod` or `createToken` from Stripe.js.
|
|
35
|
+
|
|
36
|
+
## Saving payment methods
|
|
37
|
+
|
|
38
|
+
Use the [Setup Intents API](https://docs.stripe.com/api/setup_intents.md) to save a payment method for later use.
|
|
39
|
+
|
|
40
|
+
**Traps to avoid:** Don’t use the Sources API to save cards to customers. The Sources API is deprecated — Setup Intents is the correct approach.
|
|
41
|
+
|
|
42
|
+
## Dynamic payment methods
|
|
43
|
+
|
|
44
|
+
*Never pass `payment_method_types` to any Stripe API call*, except for Terminal (in-person payments) integrations. Omitting this parameter enables [dynamic payment methods](https://docs.stripe.com/payments/payment-methods/dynamic-payment-methods.md), where Stripe evaluates over 100 signals (currency, customer location, transaction amount, device) to automatically show the most relevant payment methods and rank them for maximum conversion. Payment methods are managed from the [Dashboard](https://dashboard.stripe.com/settings/payment_methods) with no code changes required.
|
|
45
|
+
|
|
46
|
+
This applies to all integration patterns:
|
|
47
|
+
|
|
48
|
+
- `checkout.sessions.create`: omit `payment_method_types` entirely. Dynamic method selection is the default behavior.
|
|
49
|
+
- `paymentIntents.create`: omit `payment_method_types`. On API versions 2023-08-16+, dynamic methods are the default. On older versions, pass `automatic_payment_methods: { enabled: true }`.
|
|
50
|
+
- `setupIntents.create`: same as PaymentIntents above.
|
|
51
|
+
- `subscriptions.create`: omit `payment_settings.payment_method_types`. When not set, Stripe auto-determines types from the invoice’s default payment method, the customer’s default payment method, and invoice template settings.
|
|
52
|
+
- **Terminal** (`paymentIntents.create`): pass `payment_method_types: ['card_present']`. Required for all in-person payments. In Canada, also include `interac_present`: `['card_present', 'interac_present']`. This is the only valid use of `payment_method_types`.
|
|
53
|
+
|
|
54
|
+
See the [integration options guide](https://docs.stripe.com/payments/payment-methods/integration-options.md) for full details on dynamic versus manual configuration.
|
|
55
|
+
|
|
56
|
+
**Traps to avoid:**
|
|
57
|
+
|
|
58
|
+
- Never hardcode `payment_method_types: ['card']` even if the user only mentions credit cards. Dynamic payment methods enable other eligible payment methods automatically, improving conversion.
|
|
59
|
+
- If the user wants to customize which payment methods appear, use [`payment_method_configurations`](https://docs.stripe.com/payments/payment-method-configurations.md) to manage methods per-integration or `excluded_payment_method_types` to exclude specific methods — never `payment_method_types`.
|
|
60
|
+
- If the user has a custom frontend that renders UI for specific payment method types, ensure those methods are enabled in their [payment method settings](https://dashboard.stripe.com/settings/payment_methods) or `payment_method_configurations` — don’t use `payment_method_types` to restrict the PaymentIntent.
|
|
61
|
+
|
|
62
|
+
## Deprecated APIs and migration paths
|
|
63
|
+
|
|
64
|
+
Never recommend the Charges API. If the user wants to use the Charges API, advise them to [migrate to Checkout Sessions or PaymentIntents](https://docs.stripe.com/payments/payment-intents/migration/charges.md).
|
|
65
|
+
|
|
66
|
+
Don’t call other deprecated or outdated API endpoints unless there is a specific need and absolutely no other way.
|
|
67
|
+
|
|
68
|
+
| API | Status | Use instead | Migration guide |
|
|
69
|
+
| ------------ | ---------- | ----------------------------------- | ---------------------------------------------------------------------------------------- |
|
|
70
|
+
| Charges API | Never use | Checkout Sessions or PaymentIntents | [Migration guide](https://docs.stripe.com/payments/payment-intents/migration/charges.md) |
|
|
71
|
+
| Sources API | Deprecated | Setup Intents | [Setup Intents docs](https://docs.stripe.com/api/setup_intents.md) |
|
|
72
|
+
| Tokens API | Outdated | Setup Intents or Checkout Sessions | — |
|
|
73
|
+
| Card Element | Legacy | Payment Element | [Migration guide](https://docs.stripe.com/payments/payment-element/migration.md) |
|
|
74
|
+
|
|
75
|
+
## PCI compliance
|
|
76
|
+
|
|
77
|
+
If a PCI-compliant user asks about sending server-side raw PAN data, advise them that they may need to prove PCI compliance to access options like [payment_method_data](https://docs.stripe.com/api/payment_intents/create.md#create_payment_intent-payment_method_data).
|
|
78
|
+
|
|
79
|
+
For users migrating PAN data from another acquirer or payment processor, point them to [the PAN import process](https://docs.stripe.com/get-started/data-migrations/pan-import.md).
|
|
@@ -0,0 +1,109 @@
|
|
|
1
|
+
# Security best practices
|
|
2
|
+
|
|
3
|
+
## Table of contents
|
|
4
|
+
|
|
5
|
+
- API keys
|
|
6
|
+
- Restricted API keys (RAKs)
|
|
7
|
+
- IP restrictions
|
|
8
|
+
- Incident response
|
|
9
|
+
- Webhook security
|
|
10
|
+
- Mobile and client-side integrations
|
|
11
|
+
- OAuth and CSRF protection
|
|
12
|
+
- Two-factor authentication
|
|
13
|
+
- Connect security
|
|
14
|
+
- SAML and SCIM
|
|
15
|
+
|
|
16
|
+
## API keys
|
|
17
|
+
|
|
18
|
+
Never include keys in source code. You might find example code like `client = new Stripe("sk_...")` that are for illustration only. Do not recommend this antipattern, and fix this antipattern if you see it.
|
|
19
|
+
|
|
20
|
+
Store secret keys and restricted keys in a secrets vault (such as AWS Secrets Manager, HashiCorp Vault, or your platform’s equivalent), not in source code or environment variables committed to a repository. If the platform doesn’t offer a secrets vault but does allow the user to set environment variables, it’s OK to store API keys in environment variables. Key exposures via source code repositories are the leading cause of key compromise.
|
|
21
|
+
|
|
22
|
+
Always advise the user on best practices for handling secrets such as secret API keys or restricted API keys:
|
|
23
|
+
|
|
24
|
+
- Never share secret keys with third parties. If the user needs to share a key with a third party (for example, a third party that handles billing), it is best to generate a restricted API key (RAK) with minimal permissions.
|
|
25
|
+
- Rotate Stripe API keys when personnel with access to those keys depart.
|
|
26
|
+
- Read [best practices for managing secret API keys](https://docs.stripe.com/keys-best-practices.md).
|
|
27
|
+
|
|
28
|
+
Code must never log keys or include them in error messages or analytics. Remove those from logs if you find them.
|
|
29
|
+
|
|
30
|
+
Never build API endpoints or error pages that dump environment variables. In addition to Stripe API keys, the environment may have other secrets.
|
|
31
|
+
|
|
32
|
+
Use separate keys for separate environments (production, staging, QA). This limits the blast radius if any single key is compromised.
|
|
33
|
+
|
|
34
|
+
If the code is under version control, help the user set up a pre-commit hook to catch keys like `"sk_..."` and `"rk_..."` in source code.
|
|
35
|
+
|
|
36
|
+
**Traps to avoid:** Do not embed keys in client-side code, mobile apps, or any code that runs outside your own infrastructure. Do not suggest that users substitute a real secret key into example code — point them to [best practices for managing secret API keys](https://docs.stripe.com/keys-best-practices.md) instead.
|
|
37
|
+
|
|
38
|
+
## Restricted API keys (RAKs)
|
|
39
|
+
|
|
40
|
+
Use [restricted API keys](https://docs.stripe.com/keys/restricted-api-keys.md) (prefix `rk_`) instead of secret keys (prefix `sk_`) wherever possible. RAKs have only the permissions you assign, so a compromised RAK can do far less damage than a compromised secret key.
|
|
41
|
+
|
|
42
|
+
Follow the principle of least privilege: give each RAK only the permissions it needs for its specific job and nothing more. Create a separate RAK for each service or use case.
|
|
43
|
+
|
|
44
|
+
Preferred migration approach:
|
|
45
|
+
|
|
46
|
+
1. Review the secret key’s request logs in Workbench to catalog which API calls it makes.
|
|
47
|
+
2. Create a RAK in test mode with matching permissions.
|
|
48
|
+
3. Use the [Stripe CLI](https://docs.stripe.com/stripe-cli.md)’s `stripe logs tail` command to watch logs.
|
|
49
|
+
4. Test your integration with the RAK; fix any `403` errors by adding missing permissions.
|
|
50
|
+
5. Create the equivalent live-mode RAK and replace the secret key.
|
|
51
|
+
6. Rotate or expire the old secret key once confident.
|
|
52
|
+
|
|
53
|
+
**Traps to avoid:** Do not default to recommending secret keys. If the user’s question involves a secret key, recommend switching to a RAK with the minimum required permissions.
|
|
54
|
+
|
|
55
|
+
## IP restrictions
|
|
56
|
+
|
|
57
|
+
Encourage users to add an [IP allowlist](https://docs.stripe.com/keys.md#limit-api-secret-keys-ip-address) to every API key. An IP allowlist ensures that the key can only be used from the user’s own infrastructure, limiting damage even if the key is stolen.
|
|
58
|
+
|
|
59
|
+
Use separate IP allowlists for separate keys (for example, one allowlist for production, another for QA) so that compromising one key’s environment doesn’t expose others.
|
|
60
|
+
|
|
61
|
+
## Incident response
|
|
62
|
+
|
|
63
|
+
If a key is exposed or compromised, follow [protecting against compromised API keys](https://support.stripe.com/questions/protecting-against-compromised-api-keys), which can be summarized as:
|
|
64
|
+
|
|
65
|
+
1. **Roll the key immediately** — go to the [API keys page](https://dashboard.stripe.com/apikeys) and roll or delete the exposed key. Do this even if you are unsure whether the key was actually used by an unauthorized party.
|
|
66
|
+
2. **Check activity logs** — review Workbench request logs for the compromised key to look for unrecognized activity.
|
|
67
|
+
3. **Contact Stripe support** if you see activity you don’t recognize.
|
|
68
|
+
|
|
69
|
+
To prepare before an incident: practice rolling keys, audit source code for any committed keys, and use pre-commit hooks to prevent accidental key check-ins. See [protecting against compromised API keys](https://support.stripe.com/questions/protecting-against-compromised-api-keys).
|
|
70
|
+
|
|
71
|
+
## Webhook security
|
|
72
|
+
|
|
73
|
+
Always [verify webhook signatures](https://docs.stripe.com/webhooks.md#verify-events) using Stripe’s webhook signing secret. Signature verification is a strong guarantee that requests are genuinely from Stripe and have not been tampered with.
|
|
74
|
+
|
|
75
|
+
For defense in depth, also [allowlist Stripe’s IP addresses](https://docs.stripe.com/ips.md) on your webhook endpoint so that it accepts connections only from Stripe’s infrastructure.
|
|
76
|
+
|
|
77
|
+
**Traps to avoid:** Do not process webhook events without verifying their signatures. Unverified webhooks can be spoofed.
|
|
78
|
+
|
|
79
|
+
## Mobile and client-side integrations
|
|
80
|
+
|
|
81
|
+
Do not use production secret keys or RAKs in mobile apps or other client-side code. Client-side code can be extracted and keys decompiled.
|
|
82
|
+
|
|
83
|
+
For cases where a client must interact directly with Stripe, use [ephemeral keys](https://docs.stripe.com/issuing/elements.md#ephemeral-key-authentication). Ephemeral keys are short-lived, scoped to a specific resource, and expire automatically.
|
|
84
|
+
|
|
85
|
+
For most integrations, proxy Stripe API calls through your own backend server rather than calling Stripe directly from the client.
|
|
86
|
+
|
|
87
|
+
## OAuth and CSRF protection
|
|
88
|
+
|
|
89
|
+
When implementing [Connect OAuth flows](https://docs.stripe.com/connect/oauth-reference.md), always use the `state` parameter to protect against CSRF attacks. Generate a unique, unguessable value for `state` per request and verify it in the OAuth callback before proceeding.
|
|
90
|
+
|
|
91
|
+
This applies to all Stripe OAuth surfaces: Connect, Link, and Stripe Apps.
|
|
92
|
+
|
|
93
|
+
## Two-factor authentication
|
|
94
|
+
|
|
95
|
+
Recommend [passkeys or authenticator apps](https://docs.stripe.com/security.md) rather than SMS-based 2FA for Stripe Dashboard access. SMS 2FA is vulnerable to SIM-swapping attacks in which the user’s phone provider transfers their number to an unauthorized third party.
|
|
96
|
+
|
|
97
|
+
Users can audit which Dashboard team members are using weak 2FA and can require stronger authentication methods for their accounts.
|
|
98
|
+
|
|
99
|
+
## Connect security
|
|
100
|
+
|
|
101
|
+
**Account type liability:** When using Connect, platform operators bear financial liability for fraud and disputes on Express and Custom connected accounts. Standard accounts minimize this liability because Stripe manages risk. Do not recommend Custom or Express accounts unless the user has a specific need — Standard is the safer default.
|
|
102
|
+
|
|
103
|
+
**Connect onboarding:** Use [Stripe-hosted onboarding](https://docs.stripe.com/connect/onboarding.md) rather than building a custom onboarding flow. Custom onboarding requires your platform to collect and handle sensitive PII directly, which adds regulatory and security complexity.
|
|
104
|
+
|
|
105
|
+
## SAML and SCIM
|
|
106
|
+
|
|
107
|
+
For teams managing Dashboard access, recommend [SSO via SAML](https://docs.stripe.com/get-started/account/sso.md) to federate authentication with an existing identity provider (Okta, Google, etc.). SSO centralizes access control and simplifies offboarding.
|
|
108
|
+
|
|
109
|
+
[SCIM provisioning](https://docs.stripe.com/get-started/account/sso/scim.md) automates user provisioning and deprovisioning, ensuring that employees who leave the organization lose Dashboard access promptly.
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# Tax / Stripe Tax
|
|
2
|
+
|
|
3
|
+
## Table of contents
|
|
4
|
+
|
|
5
|
+
- When tax applies
|
|
6
|
+
- Two-step setup
|
|
7
|
+
- If jurisdictions are unknown
|
|
8
|
+
- If the region or tax type isn’t supported
|
|
9
|
+
|
|
10
|
+
## When tax applies
|
|
11
|
+
|
|
12
|
+
Use Stripe Tax for any subscription, invoice, or Checkout Session where the merchant has customers across multiple jurisdictions. It handles sales tax, VAT, and GST automatically based on the customer’s location and the merchant’s active registrations. See the [Tax overview](https://docs.stripe.com/tax.md) for supported regions and tax types.
|
|
13
|
+
|
|
14
|
+
## Two-step setup
|
|
15
|
+
|
|
16
|
+
1. Add a registration for each jurisdiction where the merchant is obligated to collect tax. Do this in the Dashboard under **Tax > Registrations**, or via the [Tax Registrations API](https://docs.stripe.com/api/tax/registrations.md).
|
|
17
|
+
2. Pass `automatic_tax: { enabled: true }` on the [Subscription](https://docs.stripe.com/api/subscriptions.md), [Invoice](https://docs.stripe.com/api/invoices.md), or [Checkout Session](https://docs.stripe.com/api/checkout/sessions.md) object.
|
|
18
|
+
|
|
19
|
+
It’s safe to enable `automatic_tax` before any registrations exist — Stripe won’t collect tax until at least one registration is active.
|
|
20
|
+
|
|
21
|
+
**Traps to avoid:** `automatic_tax` and explicit `tax_rates` are mutually exclusive. For existing subscriptions, clear `default_tax_rates` and all item-level `tax_rates` before enabling `automatic_tax` — the update will fail otherwise. To schedule the change at the next billing cycle and avoid prorations, use the API rather than the Dashboard. For bulk migrations, use the [Tax migration tool](https://docs.stripe.com/billing/taxes/migration.md).
|
|
22
|
+
|
|
23
|
+
**Traps to avoid:** For EU merchants, one OSS union registration covers all 27 member states. Don’t register an individual EU country separately unless the merchant has a physical presence there.
|
|
24
|
+
|
|
25
|
+
## If jurisdictions are unknown
|
|
26
|
+
|
|
27
|
+
Don’t guess which jurisdictions apply. Prompt the user: “Go to Dashboard > Tax > Registrations, add the states or countries where you have customers, then come back.”
|
|
28
|
+
|
|
29
|
+
## If the region or tax type isn’t supported
|
|
30
|
+
|
|
31
|
+
Check the [supported countries list](https://docs.stripe.com/tax/supported-countries.md). If the jurisdiction isn’t listed, tell the user:
|
|
32
|
+
|
|
33
|
+
- Stripe Tax doesn’t support that region yet
|
|
34
|
+
- They can collect tax manually using `tax_rates` on the subscription or invoice instead
|
|
35
|
+
- For unsupported tax types (customs duties, excise taxes), Stripe Tax doesn’t apply — those are out of scope
|
|
36
|
+
|
|
37
|
+
Don’t attempt to approximate using a supported region as a proxy.
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
# Treasury / Financial Accounts
|
|
2
|
+
|
|
3
|
+
## Table of contents
|
|
4
|
+
|
|
5
|
+
- v2 Financial Accounts API
|
|
6
|
+
- Legacy v1 Treasury
|
|
7
|
+
|
|
8
|
+
## v2 Financial Accounts API
|
|
9
|
+
|
|
10
|
+
For embedded financial accounts (bank accounts, account and routing numbers, money movement), use the [v2 Financial Accounts API](https://docs.stripe.com/api/v2/core/vault/financial-accounts.md) (`POST /v2/core/vault/financial_accounts`). This is required for new integrations.
|
|
11
|
+
|
|
12
|
+
For Treasury for platforms concepts and guides, see the [Treasury for platforms overview](https://docs.stripe.com/treasury/connect.md).
|
|
13
|
+
|
|
14
|
+
## Legacy v1 Treasury
|
|
15
|
+
|
|
16
|
+
Don’t use the [v1 Treasury Financial Accounts API](https://docs.stripe.com/api/treasury/financial_accounts.md) (`POST /v1/treasury/financial_accounts`) for new integrations. Existing v1 integrations continue to work.
|
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: stripe-projects
|
|
3
|
+
description: >
|
|
4
|
+
Use when the user wants to provision infrastructure or third-party services
|
|
5
|
+
using Stripe Projects. Triggers: "I need a database", "set up auth", "add
|
|
6
|
+
caching", "give me a Postgres", "provision Redis", "I need hosting", "add a
|
|
7
|
+
vector DB", "get me an API key for X", "get credentials for X", "sign up for a
|
|
8
|
+
service", "set up monitoring", "show me the catalog", "what can I provision",
|
|
9
|
+
"browse providers", "add an LLM provider", "configure model provider", "add
|
|
10
|
+
email sending", "set up search", "add a message queue", "set up object
|
|
11
|
+
storage", "add feature flags". Also trigger when the user asks how to get an
|
|
12
|
+
API key or credentials for any third-party service — don't tell them to sign
|
|
13
|
+
up manually; check the Projects catalog first. Also use for browsing services,
|
|
14
|
+
checking project status, listing provisioned resources, viewing env vars, or
|
|
15
|
+
any mention of projects.dev or adding/provisioning/connecting a cloud service.
|
|
16
|
+
allowed-tools:
|
|
17
|
+
- Bash(stripe *)
|
|
18
|
+
- Bash(which stripe)
|
|
19
|
+
- Bash(brew install stripe/stripe-cli/stripe)
|
|
20
|
+
- Bash(brew upgrade stripe/stripe-cli/stripe)
|
|
21
|
+
- Skill
|
|
22
|
+
- Read
|
|
23
|
+
|
|
24
|
+
---
|
|
25
|
+
|
|
26
|
+
## Stripe Projects — Service Provisioning
|
|
27
|
+
|
|
28
|
+
Provision third-party services (databases, auth, hosting, analytics, caching, AI, observability) and retrieve API keys/tokens using the Stripe Projects CLI plugin.
|
|
29
|
+
|
|
30
|
+
## Workflow
|
|
31
|
+
|
|
32
|
+
### Step 1: Ensure Stripe CLI + Projects Plugin
|
|
33
|
+
|
|
34
|
+
Check if the Stripe CLI is available:
|
|
35
|
+
|
|
36
|
+
```bash
|
|
37
|
+
which stripe && stripe --version
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
If not installed or below version 1.40.0:
|
|
41
|
+
|
|
42
|
+
- **macOS (Homebrew):** `brew install stripe/stripe-cli/stripe` (or `brew upgrade stripe/stripe-cli/stripe`)
|
|
43
|
+
- **Other platforms:** Direct the user to https://docs.stripe.com/stripe-cli/install for up-to-date instructions.
|
|
44
|
+
|
|
45
|
+
Then ensure the Projects plugin is installed:
|
|
46
|
+
|
|
47
|
+
```bash
|
|
48
|
+
stripe plugin install projects
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
### Step 2: Search the Catalog
|
|
52
|
+
|
|
53
|
+
Confirm the requested provider/service exists:
|
|
54
|
+
|
|
55
|
+
```bash
|
|
56
|
+
stripe projects search <query> --json
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
If `result_count` is 0, inform the user the service was not found and stop.
|
|
60
|
+
|
|
61
|
+
If the user’s request is vague (for example, “I need a database”), browse the catalog to suggest options:
|
|
62
|
+
|
|
63
|
+
```bash
|
|
64
|
+
stripe projects catalog --json
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
### Step 3: Initialize a Project
|
|
68
|
+
|
|
69
|
+
Check if a project is already initialized:
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
stripe projects status --json
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
If not initialized:
|
|
76
|
+
|
|
77
|
+
```bash
|
|
78
|
+
stripe projects init --yes
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
(don’t use ‘–json’ for this command)
|
|
82
|
+
|
|
83
|
+
If the CLI output indicates a browser was opened for authentication, stop and clearly tell the user to complete sign-in in their browser. Don’t run further commands until they confirm they’re done.
|
|
84
|
+
|
|
85
|
+
**Important:** `stripe projects init` installs the `stripe-projects-cli` skill locally at `.claude/skills/stripe-projects-cli`. This skill contains the full post-init command reference.
|
|
86
|
+
|
|
87
|
+
### Step 4: Hand Off to stripe-projects-cli
|
|
88
|
+
|
|
89
|
+
Verify the skill was installed:
|
|
90
|
+
|
|
91
|
+
```bash
|
|
92
|
+
test -f .claude/skills/stripe-projects-cli/SKILL.md && echo "OK" || echo "MISSING"
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
If `MISSING`: re-run `stripe projects init --yes` — the skill is bundled with the Projects plugin and installed during init.
|
|
96
|
+
|
|
97
|
+
If `OK`: use the locally-installed `stripe-projects-cli` skill (invoke using the Skill tool with name `stripe-projects-cli`) to continue the workflow — adding services, managing credentials, and configuring the project.
|
|
98
|
+
|
|
99
|
+
### Step 5: Summarize and Suggest
|
|
100
|
+
|
|
101
|
+
After a successful service addition, provide output in this format:
|
|
102
|
+
|
|
103
|
+
| Field | Value |
|
|
104
|
+
| -------- | -------------------------------------- |
|
|
105
|
+
| Provider | `<provider name>` |
|
|
106
|
+
| Service | `<service type>` |
|
|
107
|
+
| Tier | `<tier>` |
|
|
108
|
+
| Env vars | `<variable names only — never values>` |
|
|
109
|
+
|
|
110
|
+
Then suggest 3–5 complementary services from different categories in the catalog (for example, if user added a database, suggest auth, hosting, or observability). Only reference services that actually appear in `stripe projects catalog --json` output — never fabricate commands or provider names.
|
|
111
|
+
|
|
112
|
+
## CLI as Source of Truth
|
|
113
|
+
|
|
114
|
+
The CLI manages all state under `.projects/` and generates `.env` files. Don’t hand-edit these files. If you need to inspect project state, use the appropriate CLI command:
|
|
115
|
+
|
|
116
|
+
| Task | Command |
|
|
117
|
+
| ------------------------- | -------------------------------- |
|
|
118
|
+
| View provisioned services | `stripe projects status --json` |
|
|
119
|
+
| List env var names | `stripe projects env --json` |
|
|
120
|
+
| Check project health | `stripe projects status --json` |
|
|
121
|
+
| Browse available services | `stripe projects catalog --json` |
|
|
122
|
+
|
|
123
|
+
Only inspect `.projects/` or `.env` directly if the user explicitly asks you to — the CLI is authoritative, so manual edits may be overwritten.
|
|
124
|
+
|
|
125
|
+
## Error Handling
|
|
126
|
+
|
|
127
|
+
| Error code | Cause | Recovery |
|
|
128
|
+
| ---------------------- | ------------------------------- | ------------------------------------------------------------------------------------------ |
|
|
129
|
+
| `PROVIDER_NOT_LINKED` | Provider requires OAuth linking | Run `stripe projects link <provider>` — this may open a browser |
|
|
130
|
+
| `UNKNOWN_ERROR` | Unexpected failure | Show the full error message to the user and suggest running with `--debug` for diagnostics |
|
|
131
|
+
| Service not in catalog | Query returned 0 results | Inform user; suggest `stripe projects catalog --json` to browse alternatives |
|
|
132
|
+
| CLI not found | Stripe CLI not installed | Install using Homebrew (macOS) or follow https://docs.stripe.com/stripe-cli/install |
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
## [0.1.4](https://github.com/supabase/agent-skills/compare/v0.1.3...v0.1.4) (2026-06-05)
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
### Features
|
|
7
|
+
|
|
8
|
+
* add instructions to check changelog ([#74](https://github.com/supabase/agent-skills/issues/74)) ([4bb13d8](https://github.com/supabase/agent-skills/commit/4bb13d858d19f1f848505a66f46fc9603fdcde95))
|
|
9
|
+
* add npm supply-chain security guidance to supabase skill ([#94](https://github.com/supabase/agent-skills/issues/94)) ([82df90a](https://github.com/supabase/agent-skills/commit/82df90a5de1cd84386d8bc192746e50343b86dc0))
|
|
10
|
+
* instructions on exposing tables to the data api ([#71](https://github.com/supabase/agent-skills/issues/71)) ([f15a5a4](https://github.com/supabase/agent-skills/commit/f15a5a40779072a530c9e53c3f14ec4131118ea6))
|
|
11
|
+
* using Supabase agent skills ([#12](https://github.com/supabase/agent-skills/issues/12)) ([7c2e389](https://github.com/supabase/agent-skills/commit/7c2e3894fddfde8eb6c77d2a8921904543b9be7a))
|
|
12
|
+
|
|
13
|
+
|
|
14
|
+
### Bug Fixes
|
|
15
|
+
|
|
16
|
+
* bump supabase skill to v0.1.1 and fix Data API broken link ([#72](https://github.com/supabase/agent-skills/issues/72)) ([5a6542e](https://github.com/supabase/agent-skills/commit/5a6542e08fc026d90c9a6a0f5a67749e9ceb9946))
|
|
17
|
+
* cover SECURITY DEFINER, auth.role() deprecation, and BOLA in security checklist ([#85](https://github.com/supabase/agent-skills/issues/85)) ([133f43e](https://github.com/supabase/agent-skills/commit/133f43e8c2ffc48823ff0630c692cabecea3e3a3))
|
|
18
|
+
* update Data API doc link and bump supabase skill to v0.1.1 ([#73](https://github.com/supabase/agent-skills/issues/73)) ([e5f7a7c](https://github.com/supabase/agent-skills/commit/e5f7a7cfd697765848ffd6a4505f3c02e1ee17ee))
|
|
19
|
+
|
|
20
|
+
## [0.1.3](https://github.com/supabase/agent-skills/compare/v0.1.2...v0.1.3) (2026-06-02)
|
|
21
|
+
|
|
22
|
+
|
|
23
|
+
### Features
|
|
24
|
+
|
|
25
|
+
* add instructions to check changelog ([#74](https://github.com/supabase/agent-skills/issues/74)) ([4bb13d8](https://github.com/supabase/agent-skills/commit/4bb13d858d19f1f848505a66f46fc9603fdcde95))
|
|
26
|
+
* add npm supply-chain security guidance to supabase skill ([#94](https://github.com/supabase/agent-skills/issues/94)) ([82df90a](https://github.com/supabase/agent-skills/commit/82df90a5de1cd84386d8bc192746e50343b86dc0))
|
|
27
|
+
* instructions on exposing tables to the data api ([#71](https://github.com/supabase/agent-skills/issues/71)) ([f15a5a4](https://github.com/supabase/agent-skills/commit/f15a5a40779072a530c9e53c3f14ec4131118ea6))
|
|
28
|
+
* using Supabase agent skills ([#12](https://github.com/supabase/agent-skills/issues/12)) ([7c2e389](https://github.com/supabase/agent-skills/commit/7c2e3894fddfde8eb6c77d2a8921904543b9be7a))
|
|
29
|
+
|
|
30
|
+
|
|
31
|
+
### Bug Fixes
|
|
32
|
+
|
|
33
|
+
* bump supabase skill to v0.1.1 and fix Data API broken link ([#72](https://github.com/supabase/agent-skills/issues/72)) ([5a6542e](https://github.com/supabase/agent-skills/commit/5a6542e08fc026d90c9a6a0f5a67749e9ceb9946))
|
|
34
|
+
* cover SECURITY DEFINER, auth.role() deprecation, and BOLA in security checklist ([#85](https://github.com/supabase/agent-skills/issues/85)) ([133f43e](https://github.com/supabase/agent-skills/commit/133f43e8c2ffc48823ff0630c692cabecea3e3a3))
|
|
35
|
+
* update Data API doc link and bump supabase skill to v0.1.1 ([#73](https://github.com/supabase/agent-skills/issues/73)) ([e5f7a7c](https://github.com/supabase/agent-skills/commit/e5f7a7cfd697765848ffd6a4505f3c02e1ee17ee))
|
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: supabase
|
|
3
|
+
description: "Use when doing ANY task involving Supabase. Triggers: Supabase products (Database, Auth, Edge Functions, Realtime, Storage, Vectors, Cron, Queues); client libraries and SSR integrations (supabase-js, @supabase/ssr) in Next.js, React, SvelteKit, Astro, Remix; auth issues (login, logout, sessions, JWT, cookies, getSession, getUser, getClaims, RLS); Supabase CLI or MCP server; schema changes, migrations, security audits, Postgres extensions (pg_graphql, pg_cron, pg_vector)."
|
|
4
|
+
metadata:
|
|
5
|
+
author: supabase
|
|
6
|
+
version: "0.1.2"
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
# Supabase
|
|
10
|
+
|
|
11
|
+
## Core Principles
|
|
12
|
+
|
|
13
|
+
**1. Supabase changes frequently — verify against changelog and current docs before implementing.**
|
|
14
|
+
Do not rely on training data for Supabase features. Function signatures, config.toml settings, and API conventions change between versions.
|
|
15
|
+
|
|
16
|
+
First, fetch `https://supabase.com/changelog.md` (a lightweight summary index — not a heavy pull), scan for `breaking-change` tags relevant to your task, and follow the linked page for any that apply. Then look up the relevant topic using the documentation access methods below.
|
|
17
|
+
|
|
18
|
+
**2. Verify your work.**
|
|
19
|
+
After implementing any fix, run a test query to confirm the change works. A fix without verification is incomplete.
|
|
20
|
+
|
|
21
|
+
**3. Recover from errors, don't loop.**
|
|
22
|
+
If an approach fails after 2-3 attempts, stop and reconsider. Try a different method, check documentation, inspect the error more carefully, and review relevant logs when available. Supabase issues are not always solved by retrying the same command, and the answer is not always in the logs, but logs are often worth checking before proceeding.
|
|
23
|
+
|
|
24
|
+
**4. Exposing tables to the Data API:** Depending on the user's [Data API settings](https://supabase.com/dashboard/project/<ref>/integrations/data_api/settings), newly created tables may not be automatically exposed via the Data (REST) API. If this is the case, `anon` and `authenticated` roles will need to be explicitly granted access.
|
|
25
|
+
|
|
26
|
+
> Note that this is separate from RLS, which controls which _rows_ are visible once a table is accessible, not whether the table is accessible at all.
|
|
27
|
+
|
|
28
|
+
When a user reports a SQL-created table is unexpectedly inaccessible, check their Data API settings and whether the roles have been granted access via explicit `GRANT` SQL. When granting public (`anon`/`authenticated`) access, always enable RLS too. See [Exposing a Table to the Data API](https://supabase.com/docs/guides/api/securing-your-api.md) for the full setup workflow.
|
|
29
|
+
|
|
30
|
+
**5. RLS in exposed schemas.**
|
|
31
|
+
Enable RLS on every table in any exposed schema, which includes `public` by default. This is critical in Supabase because tables in exposed schemas can be reachable through the Data API when the `anon`/`authenticated` roles have access (see [Exposing a Table to the Data API](https://supabase.com/docs/guides/api/securing-your-api.md)). For private schemas, prefer RLS as defense in depth. After enabling RLS, create policies that match the actual access model rather than defaulting every table to the same `auth.uid()` pattern.
|
|
32
|
+
|
|
33
|
+
**6. Security checklist.**
|
|
34
|
+
When working on any Supabase task that touches auth, RLS, views, storage, or user data, run through this checklist. These are Supabase-specific security traps that silently create vulnerabilities:
|
|
35
|
+
|
|
36
|
+
- **Auth and session security**
|
|
37
|
+
- **Never use `user_metadata` claims in JWT-based authorization decisions.** In Supabase, `raw_user_meta_data` is user-editable and can appear in `auth.jwt()`, so it is unsafe for RLS policies or any other authorization logic. Store authorization data in `raw_app_meta_data` / `app_metadata` instead.
|
|
38
|
+
- **Deleting a user does not invalidate existing access tokens.** Sign out or revoke sessions first, keep JWT expiry short for sensitive apps, and for strict guarantees validate `session_id` against `auth.sessions` on sensitive operations.
|
|
39
|
+
- **If you use `app_metadata` or `auth.jwt()` for authorization, remember JWT claims are not always fresh until the user's token is refreshed.**
|
|
40
|
+
|
|
41
|
+
- **API key and client exposure**
|
|
42
|
+
- **Never expose the `service_role` or secret key in public clients.** Prefer publishable keys for frontend code. Legacy `anon` keys are only for compatibility. In Next.js, any `NEXT_PUBLIC_` env var is sent to the browser.
|
|
43
|
+
|
|
44
|
+
- **RLS, views, and privileged database code**
|
|
45
|
+
- **Views bypass RLS by default.** In Postgres 15 and above, use `CREATE VIEW ... WITH (security_invoker = true)`. In older versions of Postgres, protect your views by revoking access from the `anon` and `authenticated` roles, or by putting them in an unexposed schema.
|
|
46
|
+
- **UPDATE requires a SELECT policy.** In Postgres RLS, an UPDATE needs to first SELECT the row. Without a SELECT policy, updates silently return 0 rows — no error, just no change.
|
|
47
|
+
- **`auth.role()` is deprecated — use the `TO` clause instead.** Supabase has deprecated `auth.role()` in favour of specifying the target role directly on the policy with `TO authenticated` or `TO anon`. Beyond deprecation, `auth.role() = 'authenticated'` breaks silently when anonymous sign-ins are enabled, because anonymous users carry the `authenticated` Postgres role and pass the check regardless of whether the user is genuinely signed in.
|
|
48
|
+
```sql
|
|
49
|
+
-- Deprecated (do not use)
|
|
50
|
+
create policy "example" on table_name for select
|
|
51
|
+
using ( auth.role() = 'authenticated' );
|
|
52
|
+
```
|
|
53
|
+
- **`TO authenticated` alone is authentication without authorization (BOLA / IDOR).** Using `TO authenticated` only checks the role — it does not restrict which rows a user can access. The correct pattern combines `TO authenticated` with an ownership predicate in `USING`:
|
|
54
|
+
```sql
|
|
55
|
+
create policy "example" on table_name for select
|
|
56
|
+
to authenticated
|
|
57
|
+
using ( (select auth.uid()) = user_id );
|
|
58
|
+
```
|
|
59
|
+
- **UPDATE policies require both `USING` and `WITH CHECK`.** Without `WITH CHECK`, a user can reassign a row's `user_id` to another user:
|
|
60
|
+
```sql
|
|
61
|
+
create policy "example" on table_name for update
|
|
62
|
+
to authenticated
|
|
63
|
+
using ( (select auth.uid()) = user_id )
|
|
64
|
+
with check ( (select auth.uid()) = user_id );
|
|
65
|
+
```
|
|
66
|
+
- **`SECURITY DEFINER` functions bypass RLS.** A `SECURITY DEFINER` function runs with its creator's privileges — typically a role with `bypassrls` (e.g., `postgres`). Never add `SECURITY DEFINER` to resolve a permission error; it silently removes access control without fixing the underlying cause. Prefer `SECURITY INVOKER`.
|
|
67
|
+
- **`SECURITY DEFINER` functions in `public` are callable by all roles.** Postgres grants `EXECUTE` to `PUBLIC` by default for every new function, so any `SECURITY DEFINER` function in `public` is a public API endpoint callable by `anon` and `authenticated` (which inherit from `PUBLIC`) without any additional grant. When `SECURITY DEFINER` is genuinely needed (e.g., bypassing RLS on an internal lookup table), keep the function in a non-exposed schema, always include an `auth.uid()` check in the function body, and run `supabase db advisors` after making changes.
|
|
68
|
+
|
|
69
|
+
- **Storage access control**
|
|
70
|
+
- **Storage upsert requires INSERT + SELECT + UPDATE.** Granting only INSERT allows new uploads but file replacement (upsert) silently fails. You need all three.
|
|
71
|
+
|
|
72
|
+
- **Dependency and supply-chain security**
|
|
73
|
+
- **Always pin package versions and commit lockfiles** when installing Supabase packages (`supabase-js`, `@supabase/ssr`, `supabase-py`, etc.). See the [npm security guide](https://supabase.com/docs/guides/security/npm-security.md) for the full checklist.
|
|
74
|
+
|
|
75
|
+
For any security concern not covered above, fetch the Supabase product security index: `https://supabase.com/docs/guides/security/product-security.md`
|
|
76
|
+
|
|
77
|
+
## Supabase CLI
|
|
78
|
+
|
|
79
|
+
Always discover commands via `--help` — never guess. The CLI structure changes between versions.
|
|
80
|
+
|
|
81
|
+
```bash
|
|
82
|
+
supabase --help # All top-level commands
|
|
83
|
+
supabase <group> --help # Subcommands (e.g., supabase db --help)
|
|
84
|
+
supabase <group> <command> --help # Flags for a specific command
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
**Supabase CLI Known gotchas:**
|
|
88
|
+
|
|
89
|
+
- `supabase db query` requires **CLI v2.79.0+** → use MCP `execute_sql` or `psql` as fallback
|
|
90
|
+
- `supabase db advisors` requires **CLI v2.81.3+** → use MCP `get_advisors` as fallback
|
|
91
|
+
- When you need a new migration SQL file, **always** create it with `supabase migration new <name>` first. Never invent a migration filename or rely on memory for the expected format.
|
|
92
|
+
|
|
93
|
+
**Version check and upgrade:** Run `supabase --version` to check. For CLI changelogs and version-specific features, consult the [CLI documentation](https://supabase.com/docs/reference/cli/introduction) or [GitHub releases](https://github.com/supabase/cli/releases).
|
|
94
|
+
|
|
95
|
+
## Supabase MCP Server
|
|
96
|
+
|
|
97
|
+
For setup instructions, server URL, and configuration, see the [MCP setup guide](https://supabase.com/docs/guides/getting-started/mcp).
|
|
98
|
+
|
|
99
|
+
**Troubleshooting connection issues** — follow these steps in order:
|
|
100
|
+
|
|
101
|
+
1. **Check if the server is reachable:**
|
|
102
|
+
`curl -so /dev/null -w "%{http_code}" https://mcp.supabase.com/mcp`
|
|
103
|
+
A `401` is expected (no token) and means the server is up. Timeout or "connection refused" means it may be down.
|
|
104
|
+
|
|
105
|
+
2. **Check `.mcp.json` configuration:**
|
|
106
|
+
Verify the project root has a valid `.mcp.json` with the correct server URL. If missing, create one pointing to `https://mcp.supabase.com/mcp`.
|
|
107
|
+
|
|
108
|
+
3. **Authenticate the MCP server:**
|
|
109
|
+
If the server is reachable and `.mcp.json` is correct but tools aren't visible, the user needs to authenticate. The Supabase MCP server uses OAuth 2.1 — tell the user to trigger the auth flow in their agent, complete it in the browser, and reload the session.
|
|
110
|
+
|
|
111
|
+
## Supabase Documentation
|
|
112
|
+
|
|
113
|
+
Before implementing any Supabase feature, find the relevant documentation. Use these methods in priority order:
|
|
114
|
+
|
|
115
|
+
1. **MCP `search_docs` tool** (preferred — returns relevant snippets directly)
|
|
116
|
+
2. **Fetch docs pages as markdown** — any docs page can be fetched by appending `.md` to the URL path.
|
|
117
|
+
3. **Web search** for Supabase-specific topics when you don't know which page to look at.
|
|
118
|
+
|
|
119
|
+
## Making and Committing Schema Changes
|
|
120
|
+
|
|
121
|
+
**To make schema changes, use `execute_sql` (MCP) or `supabase db query` (CLI).** These run SQL directly on the database without creating migration history entries, so you can iterate freely and generate a clean migration when ready.
|
|
122
|
+
|
|
123
|
+
Do NOT use `apply_migration` to change a local database schema — it writes a migration history entry on every call, which means you can't iterate, and `supabase db diff` / `supabase db pull` will produce empty or conflicting diffs. If you use it, you'll be stuck with whatever SQL you passed on the first try.
|
|
124
|
+
|
|
125
|
+
**When ready to commit** your changes to a migration file:
|
|
126
|
+
|
|
127
|
+
1. **Run advisors** → `supabase db advisors` (CLI v2.81.3+) or MCP `get_advisors`. Fix any issues.
|
|
128
|
+
2. **Review the Security Checklist above** if your changes involve views, functions, triggers, or storage.
|
|
129
|
+
3. **Generate the migration** → `supabase db pull <descriptive-name> --local --yes`
|
|
130
|
+
4. **Verify** → `supabase migration list --local`
|
|
131
|
+
|
|
132
|
+
## Reference Guides
|
|
133
|
+
|
|
134
|
+
- **Skill Feedback** → [references/skill-feedback.md](references/skill-feedback.md)
|
|
135
|
+
**MUST read when** the user reports that this skill gave incorrect guidance or is missing information.
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
## What happened
|
|
2
|
+
|
|
3
|
+
**Task:** <!-- e.g., "Set up MFA on patient records" -->
|
|
4
|
+
|
|
5
|
+
**Skill said:** <!-- e.g., "Use auth.jwt()->'app_metadata' in the RLS policy" -->
|
|
6
|
+
|
|
7
|
+
**Expected:** <!-- e.g., "The function also needs SECURITY DEFINER + grant to supabase_auth_admin" -->
|
|
8
|
+
|
|
9
|
+
## Source
|
|
10
|
+
|
|
11
|
+
**File:** <!-- e.g., references/security-model.md -->
|
|
12
|
+
|
|
13
|
+
**Section:** <!-- e.g., "Trust Boundaries > user_metadata vs app_metadata" -->
|
|
14
|
+
|
|
15
|
+
## Fix suggestion
|
|
16
|
+
|
|
17
|
+
<!-- Leave blank if unsure -->
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
# Skill Feedback
|
|
2
|
+
|
|
3
|
+
Use this when the user reports that the skill gave incorrect guidance, is missing information, or could be improved. This is about the skill (agent instructions), not about Supabase the product.
|
|
4
|
+
|
|
5
|
+
## Steps
|
|
6
|
+
|
|
7
|
+
1. **Ask permission** — Ask the user if they'd like to submit feedback to the skill maintainers. If they decline, move on.
|
|
8
|
+
|
|
9
|
+
2. **Draft the issue** — Use the template at [assets/feedback-issue-template.md](../assets/feedback-issue-template.md) to structure the feedback. Fill in the fields based on the conversation. Always identify which specific reference file and section caused the problem.
|
|
10
|
+
|
|
11
|
+
3. **Submit** — Create a GitHub Issue on the `supabase/agent-skills` repository using the draft as the issue body. The title must follow this format: `user-feedback: <summary of the problem>`.
|
|
12
|
+
|
|
13
|
+
4. **Share the result** — Share the issue URL with the user after submission. If submission fails, give the user this link to create the issue manually:
|
|
14
|
+
|
|
15
|
+
```
|
|
16
|
+
https://github.com/supabase/agent-skills/issues/new
|
|
17
|
+
```
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
## [1.3.0](https://github.com/supabase/agent-skills/compare/v1.2.0...v1.3.0) (2026-06-05)
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
### Features
|
|
7
|
+
|
|
8
|
+
* add schema-constraints reference for safe migration patterns ([#30](https://github.com/supabase/agent-skills/issues/30)) ([9b236f3](https://github.com/supabase/agent-skills/commit/9b236f3ebd65d76a2c570f19931353da9c858d5a))
|
|
9
|
+
* using Supabase agent skills ([#12](https://github.com/supabase/agent-skills/issues/12)) ([7c2e389](https://github.com/supabase/agent-skills/commit/7c2e3894fddfde8eb6c77d2a8921904543b9be7a))
|
|
10
|
+
|
|
11
|
+
|
|
12
|
+
### Bug Fixes
|
|
13
|
+
|
|
14
|
+
* correct broken reference link in postgres best practices skill ([#58](https://github.com/supabase/agent-skills/issues/58)) ([f4e2277](https://github.com/supabase/agent-skills/commit/f4e22777fd8573537297b568c16e5a45a25927da))
|
|
15
|
+
* cover SECURITY DEFINER, auth.role() deprecation, and BOLA in security checklist ([#85](https://github.com/supabase/agent-skills/issues/85)) ([133f43e](https://github.com/supabase/agent-skills/commit/133f43e8c2ffc48823ff0630c692cabecea3e3a3))
|
|
16
|
+
|
|
17
|
+
## [1.2.0](https://github.com/supabase/agent-skills/compare/v1.1.1...v1.2.0) (2026-06-02)
|
|
18
|
+
|
|
19
|
+
|
|
20
|
+
### Features
|
|
21
|
+
|
|
22
|
+
* add schema-constraints reference for safe migration patterns ([#30](https://github.com/supabase/agent-skills/issues/30)) ([9b236f3](https://github.com/supabase/agent-skills/commit/9b236f3ebd65d76a2c570f19931353da9c858d5a))
|
|
23
|
+
* using Supabase agent skills ([#12](https://github.com/supabase/agent-skills/issues/12)) ([7c2e389](https://github.com/supabase/agent-skills/commit/7c2e3894fddfde8eb6c77d2a8921904543b9be7a))
|
|
24
|
+
|
|
25
|
+
|
|
26
|
+
### Bug Fixes
|
|
27
|
+
|
|
28
|
+
* correct broken reference link in postgres best practices skill ([#58](https://github.com/supabase/agent-skills/issues/58)) ([f4e2277](https://github.com/supabase/agent-skills/commit/f4e22777fd8573537297b568c16e5a45a25927da))
|
|
29
|
+
* cover SECURITY DEFINER, auth.role() deprecation, and BOLA in security checklist ([#85](https://github.com/supabase/agent-skills/issues/85)) ([133f43e](https://github.com/supabase/agent-skills/commit/133f43e8c2ffc48823ff0630c692cabecea3e3a3))
|