一键在 Manus 中运行任何 Skill

supabase-integration

星标0

分支0

更新时间2026年6月15日 06:48

Wire a Supabase backend into a freshly created app the right way the first time — schema, RLS, auth, migrations, and type-safe client — driven by the Supabase MCP. Use when the /design app-creation flow (or any task) needs to give a new app a working, secure Postgres backend. Triggers: 'add a backend', 'store data', 'save submissions', 'log in', 'user accounts', 'database', Supabase, RLS, migrations, auth, edge functions. Respond to designers/PMs in plain language; do the engineering underneath.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

potenlab

potenlab/designer-workflow

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

SKILL.md

readonly

同仓库更多 Skills

同仓库

goal-loop

potenlab/designer-workflow

Use after plan-and-spec to build a planned change to completion. Scales to size: a small single-issue change is built directly (one story, verify, one PR); a new/large epic is walked one child story at a time (build via design, verify in a browser, open one PR per story), then reports. Triggered by plan-and-spec ONLY after the user has confirmed the FILED GitHub issue is correct; or use directly when a spec (/docs/plan) and a filed, user-approved issue already exist. Execution only — it does not plan or file issues.

2026-06-180

plan-and-spec

potenlab/designer-workflow

You MUST use this before ANY change to the project's code or UI — building something new, OR editing, restyling, tweaking, fixing, or refactoring anything that already exists — before you touch any file. Clarifies the change through questions, writes a technical spec to /docs/plan, and ALWAYS files a GitHub issue with gh, then hands off to goal-loop to build. Skip ONLY for pure questions, explanations, or read-only code review with no change.

2026-06-180

using-designer-workflow

potenlab/designer-workflow

Use when starting any conversation - establishes how the designer-workflow plugin's skills are found and used, requiring a Skill-tool check before responding whenever a request involves building an app or any Supabase/Postgres work.

2026-06-180

design

potenlab/designer-workflow

Build ONE app or story full-stack from an already-agreed plan — backend, UI, assets, and wiring inside an isolated sandbox branch, then run it and open a PR. Normally called by goal-loop once per child story; use directly only for a single explicit one-off build. For any fresh change request — building OR editing/restyling/fixing — use plan-and-spec FIRST, not this. Responds only in plain product language and a working app, never raw code.

2026-06-180

higgsfield-assets

potenlab/designer-workflow

Use whenever a visual or media ASSET is needed for an app or page — an image, icon, logo, illustration, hero/background, avatar, texture, video clip, sound effect, or voiceover. Higgsfield is the ONE path for generating assets: never use stock photos, emoji, placeholder boxes, hand-drawn SVGs, or another generator, and never ask the user to go find assets. AUTO-TRIGGER on asset intent: 'add an image/icon/logo/illustration', 'needs a hero', 'a background for…', 'generate a picture/video/sound', or any build step that requires visual/media content. Scope is assets ONLY — do NOT use this for code, data, schema, copywriting, or UI layout.

2026-06-150

supabase-postgres-best-practices

potenlab/designer-workflow

Postgres performance optimization and best practices from Supabase. Use this skill when writing, reviewing, or optimizing Postgres queries, schema designs, or database configurations.

2026-06-150

name	supabase-integration
description	Wire a Supabase backend into a freshly created app the right way the first time — schema, RLS, auth, migrations, and type-safe client — driven by the Supabase MCP. Use when the /design app-creation flow (or any task) needs to give a new app a working, secure Postgres backend. Triggers: 'add a backend', 'store data', 'save submissions', 'log in', 'user accounts', 'database', Supabase, RLS, migrations, auth, edge functions. Respond to designers/PMs in plain language; do the engineering underneath.
metadata	{"author":"dev@potenlab.dev","version":"0.1.0","date":"2026-06-12T00:00:00.000Z","builds-on":"supabase/agent-skills (supabase, supabase-postgres-best-practices)"}

Supabase Integration (best-practice backend for new apps)

This skill gives a newly created app (from /design) a backend that is secure and correct on the first try, so it actually runs. It is the engineer's half of the designer/PM workflow:

Think as a database engineer. Respond as a designer/PM. Never show raw SQL or migration files unless asked. Translate "save the brief" → a table + RLS + a typed client call, and report back in plain language ("Briefs are now saved per user; nobody can see anyone else's.").

It builds on the official Supabase skills (supabase, supabase-postgres-best-practices), which now ship bundled with this plugin — no separate install. Defer to them for deep Postgres performance rules and current Supabase API details; this skill is the opinionated app-creation path on top.

0. Verify before you build (do not trust training data)

Supabase changes often. Before writing schema or auth code:

Fetch https://supabase.com/changelog.md, scan for breaking-change tags relevant to the task.
Look up the specific topic via the MCP search_docs tool (preferred), or fetch any docs page as markdown by appending .md to its URL.
Confirm which project you are targeting — call list_projects / get_project. For a new sandbox app, never point at a production project. Create a dedicated project/branch.

1. The MCP-first workflow

Use the Supabase MCP as the primary interface. Tool names you will use most:

Step	MCP tool	Why
Understand current schema	`list_tables`, `list_extensions`, `list_migrations`	Never invent on top of an unknown schema.
Iterate on schema (dev)	`execute_sql`	Runs SQL directly, no migration history — iterate freely.
Audit security/perf	`get_advisors`	Catches missing RLS, exposed `SECURITY DEFINER`, etc. Run after every schema change.
Commit final schema	`apply_migration`	Writes the migration entry once, when the design is settled.
Type-safe client	`generate_typescript_types`	Regenerate after every committed schema change.
Debug	`get_logs`, `get_advisors`	Check before guessing.
Client config	`get_project_url`, `get_publishable_keys`	For wiring the frontend.

Iterate with execute_sql, commit with apply_migration. Do not call apply_migration while still designing the schema — every call writes a history entry and you cannot iterate cleanly. Shape the schema with execute_sql until it is right, run get_advisors, then apply_migration once with a descriptive name.

2. Schema design defaults (apply unless told otherwise)

Lowercase, snake_case identifiers. Unquoted Postgres folds to lowercase; mixed case bites later.
Primary key: id uuid primary key default gen_random_uuid() (or bigint generated always as identity for internal high-volume tables).
Always created_at timestamptz not null default now(); add updated_at with a trigger when the app edits rows.
Ownership column on any user-owned data: user_id uuid not null references auth.users(id) on delete cascade default auth.uid(). This is what RLS keys on.
Foreign keys get indexes — Postgres does not auto-index the referencing side.
Pick precise types: text (not varchar(n)), timestamptz (never timestamp), numeric for money, an enum or a check constraint for fixed status sets.
Constraints (not null, unique, check, FK) are free correctness — add them at creation.

3. RLS & security — the part that makes or breaks the app

Enable RLS on every table in an exposed schema (public by default), at creation. No exceptions. A table without RLS in public is reachable through the Data API. Then write policies that match the real access model — don't blanket every table with the same auth.uid() and call it done.

Hard rules (from the official Supabase security checklist — internalize all of them):

Specify the role with TO authenticated / TO anon — auth.role() is deprecated and breaks when anonymous sign-ins are on.
TO authenticated alone is auth-without-authorization (IDOR). Always pair it with an ownership predicate: using ( (select auth.uid()) = user_id ).
UPDATE needs both USING and WITH CHECK — without WITH CHECK a user can reassign a row to someone else. Without a SELECT policy, UPDATE silently affects 0 rows.
Views bypass RLS — create them WITH (security_invoker = true) (PG15+).
SECURITY DEFINER functions bypass RLS and are PUBLIC-callable in public. Don't reach for SECURITY DEFINER to fix a permission error. Prefer SECURITY INVOKER; if genuinely needed, put the function in a non-exposed schema, set search_path = '', and check auth.uid() inside.
Never use user_metadata / raw_user_meta_data in authz — it is user-editable. Use app_metadata / raw_app_meta_data.
Storage upsert needs INSERT + SELECT + UPDATE policies, not just INSERT.
Wrap auth.uid() as (select auth.uid()) in policies so the planner caches it per-statement — a real performance rule at scale.

Canonical per-user table policy set:

alter table public.briefs enable row level security;

create policy "owner can read"   on public.briefs for select
  to authenticated using ( (select auth.uid()) = user_id );
create policy "owner can insert" on public.briefs for insert
  to authenticated with check ( (select auth.uid()) = user_id );
create policy "owner can update" on public.briefs for update
  to authenticated using ( (select auth.uid()) = user_id )
                        with check ( (select auth.uid()) = user_id );
create policy "owner can delete" on public.briefs for delete
  to authenticated using ( (select auth.uid()) = user_id );

After any schema/policy change: run get_advisors (security + performance) and fix what it flags before moving on.

4. Auth & client wiring

Use @supabase/ssr for Next.js (the app's stack). Never the legacy auth-helpers.
Use getClaims() / getUser() for trust decisions — not getSession() in server code.
Only ever ship the publishable key to the browser. service_role / secret keys stay server-side; in Next.js anything NEXT_PUBLIC_ is public. Never put a secret behind that prefix.
Regenerate types with generate_typescript_types after every committed migration and import them so client calls are type-checked.

5. Commit & verify

When the schema is settled:

get_advisors (security + performance) → fix everything.
apply_migration with a descriptive name (one coherent change).
generate_typescript_types → save into the app.
Verify it works — run a real execute_sql insert/select as the intended role, confirm RLS lets the owner in and keeps others out. A backend without a verifying query is not done.

6. Reporting back (designer/PM mode)

Translate the result, never dump SQL:

"Done. Briefs are now saved to a database. Each person only ever sees their own — I tested that someone else's account can't read them. Login is wired up. This all lives in the app's own sandbox, nothing touches our live customer data."

If a request would cross the sandbox boundary (touch a production DB, real customer data, shared secrets, billing/auth of an existing system), stop and write a dev-handoff note instead — same guardrail as the rest of /design.

Reference

Official skills: supabase, supabase-postgres-best-practices — bundled in this plugin under skills/ (vendored from supabase/agent-skills, MIT). Stand-alone install: npx skills add supabase/agent-skills.
Security index: https://supabase.com/docs/guides/security/product-security.md
RLS guide: https://supabase.com/docs/guides/database/postgres/row-level-security.md
MCP setup: https://supabase.com/docs/guides/getting-started/mcp