| name | database-schema-review |
| description | Use when reviewing or changing ERTZU Supabase schema, migrations, RLS policies, views, RPCs, storage policies, indexes, or data model alignment. |
Database Schema Review
When To Use
Use this skill for Supabase SQL, migrations, RLS, RPCs, table columns, views, storage buckets, database grants, seed data, and TypeScript model alignment.
ERTZU-Specific Instructions
- Identify the latest relevant SQL before making assumptions. Later schema files often override earlier RPCs and policies.
- Keep marketplace state transitions in RPCs where atomic locking is required.
- Enable and review RLS for exposed tables.
- Use
security_invoker = true for exposed views when the view should respect caller permissions.
- Keep TypeScript types in
src/lib/market.ts aligned with SQL columns and check constraints.
Files And Areas To Inspect
supabase/schema.sql
supabase/schema-v2.sql through supabase/schema-v20-community-ranking-votes.sql
supabase/migrations/*.sql
supabase/patch-*.sql
supabase/fix-*.sql
.github/workflows/supabase-migrations.yml
src/lib/market.ts
src/lib/matching.ts
src/lib/supabase-server.ts
- Routes that call
.from() or .rpc()
Concrete Checks
- Verify every public/exposed table has RLS enabled.
- Verify policies match actual ERTZU roles: buyer, seller, admin, public visitor, blocked user.
- Verify RPCs set
search_path and check authorization internally when security definer is used.
- Verify grants are scoped to required roles and columns.
- Verify views exposing marketplace summaries do not leak private seller, buyer, payment, or shipping data.
- Verify table check constraints match TypeScript union values such as fill-level categories and statuses.
- Verify indexes support product/fill/size/status matching and market summaries.
- Verify migrations are applied in deterministic order by the GitHub workflow.
Mistakes To Avoid
- Do not delete or rewrite committed migrations without approval.
- Do not add
security definer functions that depend on caller-controlled role fields.
- Do not create a public view over private profile or order data.
- Do not leave obsolete enum/check values out of sync with TypeScript.
- Do not rely on direct client table updates for payment or order-critical transitions.
- Do not create migration filenames by memory when using Supabase CLI; use the CLI when available.