一键在 Manus 中运行任何 Skill

unite-supabase-journey-guard

星标1

分支0

更新时间2026年6月17日 02:49

Apply this skill for Unite-Hub Supabase migrations, PostgREST/Data API visibility, founder-scoped Playwright journeys, or errors such as PGRST205, access=denied, stale Supabase linked refs, or migration history drift. Prevents repeating the SQL/cache/auth loop by enforcing the exact verification sequence for core journeys.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

CleanExpo

CleanExpo/Unite-Hub

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

Unite Supabase Journey Guard

Use this before claiming any Supabase-backed Unite-Hub journey is fixed or GREEN.

Non-Negotiables

Do not use broad supabase db push when only selected migrations should land. This repo has historical migration drift.
Prefer targeted supabase db query --linked --file <migration.sql> for approved additive files, then supabase migration repair --linked --status applied <versions>.
Verify by effect, not file presence:
1. SQL file runs with no errors.
2. supabase_migrations.schema_migrations records the intended version.
3. Postgres shows table exists, RLS enabled, policies present, grants present.
4. Supabase REST/Data API returns HTTP 200; table existence alone is not enough.
5. The relevant Playwright journey passes, or the remaining blocker is logged honestly.
Never print Supabase service-role keys. Load them through existing support helpers or the Supabase CLI only in memory.
Throwaway e2e users use @unite-hub.test. If private access is configured, e2e must run through e2e/support/run-with-supabase-admin.ts, which enables the explicit non-production test access gate.

Migration Checklist

Confirm the linked ref before applying:
- cat supabase/.temp/project-ref
- Expected approved core-journey lane: lksfwktwtmyznckodsau.
Inspect SQL for idempotence:
- CREATE TABLE IF NOT EXISTS
- CREATE INDEX IF NOT EXISTS
- guarded policies, or DROP POLICY IF EXISTS followed by recreate when safe
- explicit grants for authenticated and service_role
- RLS enabled on exposed public tables
Check legacy-name collisions before choosing a table name. In this project, dedicated drip lifecycle tables must use founder_drip_*, not drip_*, because public.drip_campaigns can be legacy workspace-scoped.
Apply only the approved files:
- supabase db query --linked --file supabase/migrations/<file>.sql
Repair history only for versions actually applied:
- supabase migration repair --linked --status applied <version...>

Verification Snippets

Postgres table/RLS/policy/grant proof:

select c.relname as table_name, c.relrowsecurity as rls_enabled,
       array_agg(distinct p.policyname) filter (where p.policyname is not null) as policies,
       array_agg(distinct g.grantee || ':' || g.privilege_type) filter (where g.grantee is not null) as grants
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p on p.schemaname = n.nspname and p.tablename = c.relname
left join information_schema.role_table_grants g
  on g.table_schema = n.nspname and g.table_name = c.relname
  and g.grantee in ('authenticated','service_role')
where n.nspname = 'public'
  and c.relname in ('ai_file_cache','ai_file_transcripts','founder_drip_campaigns','founder_drip_steps','founder_drip_enrollments','founder_drip_events')
group by c.relname, c.relrowsecurity
order by c.relname;

Migration history proof:

select version, name, created_by
from supabase_migrations.schema_migrations
where version in ('20260325000001','20260607235936','20260608000000')
order by version;

REST/Data API proof must use the Supabase client and report HTTP status for every target table. A PGRST205 result means the journey is not GREEN yet.

Private Access E2E Gate

If a Playwright journey redirects to /auth/login?access=denied after successful password sign-in:

Do not loosen production private access.
Confirm the test is running through e2e/support/run-with-supabase-admin.ts.
Confirm the test user email ends with @unite-hub.test.
Confirm UNITE_HUB_TEST_ALLOW_PRIVATE_ACCESS=1 is set by the runner.
Re-run the affected e2e spec once. If it still fails, inspect the login/session cookie path instead of retrying blindly.

Done Criteria

git diff --check passes.
pnpm run type-check passes.
pnpm run lint passes.
Affected e2e guard passes, or the remaining blocker is documented with the exact failing URL/status/body.
EVIDENCE.md, STATUS.md, COVERAGE.md, and DECISIONS_NEEDED.md are updated only with verified facts.

同仓库更多 Skills

同仓库

northstar-navigator

CleanExpo/Unite-Hub

The compass for Unite-Hub's road to /shipit. Defines the single NorthStar (a real, comprehensive, working founder CRM in production, every section GREEN), the binding definition of GREEN, and the No-Invaders Manifest that keeps the build honest and surgical. Consult BEFORE deciding what to build/skip/finish — it resolves "200 ≠ real" temptations and scope-creep pressure. P1, auto-loaded.

2026-05-291

cron-pull-template

CleanExpo/Unite-Hub

Apply this skill WHEN scaffolding a new cron "pull" route that syncs external/derived data into Supabase on a schedule (Vercel cron). Encodes the Unite-Hub cron invariants: CRON_SECRET auth, FOUNDER_USER_ID actor, overlap safety, idempotent upsert, last-sync timestamp, and failure surfacing. Generic `cron-scheduler` covers scheduling; this covers the PULL handler body. P3.

2026-05-291

mock-vs-real-detector

CleanExpo/Unite-Hub

Apply this skill WHEN verifying that a route, page, or integration serves REAL data and not silent mock/placeholder data. Detects the "false-green" failure mode: an endpoint returns 200 (or a page renders) while the underlying data is fabricated because a provider is unconnected. Trigger WHENEVER classifying a section's readiness, reviewing integration wrappers, or before marking anything GREEN. P2 — load on audit/verify tasks.

2026-05-291

context-partitioning

CleanExpo/Unite-Hub

Manifest-first context isolation — each subagent receives only its scope, never the full codebase

2026-03-261

council-of-logic

CleanExpo/Unite-Hub

Apply this skill for ANY decision with non-obvious tradeoffs: architectural choices, debugging without a clear root cause, performance strategies, security decisions, feature design with competing constraints, refactoring scope decisions. Forces multi-perspective analysis before committing to a solution. P1 auto-load — always active on complex reasoning tasks.

2026-03-261

execution-guardian

CleanExpo/Unite-Hub

Apply this skill before executing ANY irreversible action: bash commands that delete, reset, or overwrite; database migrations; git destructive operations (push --force, reset --hard, branch -D); environment variable changes; deployment triggers. Apply before proposing solutions when requirements are ambiguous. Blocks unsafe execution defaults. P1 auto-load — always active.

2026-03-261

name	unite-supabase-journey-guard
description	Apply this skill for Unite-Hub Supabase migrations, PostgREST/Data API visibility, founder-scoped Playwright journeys, or errors such as PGRST205, access=denied, stale Supabase linked refs, or migration history drift. Prevents repeating the SQL/cache/auth loop by enforcing the exact verification sequence for core journeys.

Unite Supabase Journey Guard

Use this before claiming any Supabase-backed Unite-Hub journey is fixed or GREEN.

Non-Negotiables

Do not use broad supabase db push when only selected migrations should land. This repo has historical migration drift.
Prefer targeted supabase db query --linked --file <migration.sql> for approved additive files, then supabase migration repair --linked --status applied <versions>.
Verify by effect, not file presence:
1. SQL file runs with no errors.
2. supabase_migrations.schema_migrations records the intended version.
3. Postgres shows table exists, RLS enabled, policies present, grants present.
4. Supabase REST/Data API returns HTTP 200; table existence alone is not enough.
5. The relevant Playwright journey passes, or the remaining blocker is logged honestly.
Never print Supabase service-role keys. Load them through existing support helpers or the Supabase CLI only in memory.
Throwaway e2e users use @unite-hub.test. If private access is configured, e2e must run through e2e/support/run-with-supabase-admin.ts, which enables the explicit non-production test access gate.

Migration Checklist

Confirm the linked ref before applying:
- cat supabase/.temp/project-ref
- Expected approved core-journey lane: lksfwktwtmyznckodsau.
Inspect SQL for idempotence:
- CREATE TABLE IF NOT EXISTS
- CREATE INDEX IF NOT EXISTS
- guarded policies, or DROP POLICY IF EXISTS followed by recreate when safe
- explicit grants for authenticated and service_role
- RLS enabled on exposed public tables
Check legacy-name collisions before choosing a table name. In this project, dedicated drip lifecycle tables must use founder_drip_*, not drip_*, because public.drip_campaigns can be legacy workspace-scoped.
Apply only the approved files:
- supabase db query --linked --file supabase/migrations/<file>.sql
Repair history only for versions actually applied:
- supabase migration repair --linked --status applied <version...>

Verification Snippets

Postgres table/RLS/policy/grant proof:

select c.relname as table_name, c.relrowsecurity as rls_enabled,
       array_agg(distinct p.policyname) filter (where p.policyname is not null) as policies,
       array_agg(distinct g.grantee || ':' || g.privilege_type) filter (where g.grantee is not null) as grants
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p on p.schemaname = n.nspname and p.tablename = c.relname
left join information_schema.role_table_grants g
  on g.table_schema = n.nspname and g.table_name = c.relname
  and g.grantee in ('authenticated','service_role')
where n.nspname = 'public'
  and c.relname in ('ai_file_cache','ai_file_transcripts','founder_drip_campaigns','founder_drip_steps','founder_drip_enrollments','founder_drip_events')
group by c.relname, c.relrowsecurity
order by c.relname;

Migration history proof:

select version, name, created_by
from supabase_migrations.schema_migrations
where version in ('20260325000001','20260607235936','20260608000000')
order by version;

REST/Data API proof must use the Supabase client and report HTTP status for every target table. A PGRST205 result means the journey is not GREEN yet.

Private Access E2E Gate

If a Playwright journey redirects to /auth/login?access=denied after successful password sign-in:

Do not loosen production private access.
Confirm the test is running through e2e/support/run-with-supabase-admin.ts.
Confirm the test user email ends with @unite-hub.test.
Confirm UNITE_HUB_TEST_ALLOW_PRIVATE_ACCESS=1 is set by the runner.
Re-run the affected e2e spec once. If it still fails, inspect the login/session cookie path instead of retrying blindly.

Done Criteria

git diff --check passes.
pnpm run type-check passes.
pnpm run lint passes.
Affected e2e guard passes, or the remaining blocker is documented with the exact failing URL/status/body.
EVIDENCE.md, STATUS.md, COVERAGE.md, and DECISIONS_NEEDED.md are updated only with verified facts.