HIGHSecuritymediumNext.js + Supabase Standards

Test RLS policies explicitly

Write tests that verify: User A cannot read User B's data. Anon users cannot read private data. RLS bugs are data breaches.

Why This Matters

RLS policy bugs are silent — they don't throw errors. Instead, they return data that shouldn't be visible. Only tests catch these.

Related Rules

Use route groups to organize app sections

Architecture

HIGH

Colocate page files with their route segment

Architecture

MEDIUM

Use (select auth.uid()) instead of auth.uid() in policies

Performance

MEDIUM

Use kebab-case for file and directory names

Quality

MEDIUM

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

RLS bugs are the most dangerous kind — they're silent data breaches. No error is thrown; you just see data you shouldn't.

Test Scenarios

User A queries → only sees Org A data
User A queries with Org B ID → empty result
Anon user → only sees published public content
User removed from org → immediately loses access

Example

test("user cannot see other org's scans", async () => {
  const clientA = await createAuthenticatedClient(userA)
  const { data } = await clientA.from("scans").select("*")
  expect(data.every(s => s.organization_id === orgA.id)).toBe(true)
})

Test RLS policies explicitly

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Test Scenarios

Example