Scope all mutations to the authenticated organization
Every insert/update/delete must include organization_id from requireAuth(). RLS is defense-in-depth, not the only defense.
Why This Matters
Without explicit org scoping, a bug in RLS policies could expose cross-org writes. Defense-in-depth requires both application and database checks.
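What the rule looks like in a Supabase-backed server action, as an added example that is not code from this page or from Supabase: a tiny in-memory stand-in for the query builder, constructed sample rows, constructed session tokens and a stand-in requireAuth() are all assumptions so the pattern runs offline; the unscoped variant is shown next to the scoped one.

```typescript
// Added example (not the page's or Supabase's code). The builder, rows, tokens
// and requireAuth() below are constructed stand-ins so this runs offline.
type Row = { id: string; organization_id: string; name: string };
type Session = { userId: string; organizationId: string };
// Constructed sample table shared by two organizations.
const projects: Row[] = [
  { id: "p1", organization_id: "org-a", name: "alpha" },
  { id: "p2", organization_id: "org-b", name: "beta" },
];
// Stand-in for the app's requireAuth(): maps a session token to the caller's org.
function requireAuth(token: string): Session {
  const sessions: Record<string, Session> = {
    "tok-a": { userId: "u1", organizationId: "org-a" },
    "tok-b": { userId: "u2", organizationId: "org-b" },
  };
  const session = sessions[token];
  if (!session) throw new Error("unauthenticated");
  return session;
}
// Supabase-shaped builder: from(table).update(patch).eq(col, val)...run().
// There is no RLS here, which models the failure mode the rule guards against.
class UpdateBuilder {
  private filters: Array<[keyof Row, string]> = [];
  private table: Row[];
  private patch: Partial<Row>;
  constructor(table: Row[], patch: Partial<Row>) { this.table = table; this.patch = patch; }
  eq(col: keyof Row, val: string): this { this.filters.push([col, val]); return this; }
  run(): { count: number } {
    let count = 0;
    for (const row of this.table) {
      if (this.filters.every(([col, val]) => row[col] === val)) { Object.assign(row, this.patch); count++; }
    }
    return { count };
  }
}
const db = { from: (t: Row[]) => ({ update: (p: Partial<Row>) => new UpdateBuilder(t, p) }) };
// Violates the rule: filters by id only, so only RLS stands between org-b and org-a's row.
function renameProjectUnscoped(token: string, id: string, name: string): { count: number } {
  requireAuth(token);
  return db.from(projects).update({ name }).eq("id", id).run();
}
// Follows the rule: organization_id from requireAuth() is part of every mutation filter,
// so a cross-org write matches zero rows even when the RLS layer is missing or wrong.
function renameProjectScoped(token: string, id: string, name: string): { count: number } {
  const { organizationId } = requireAuth(token);
  return db.from(projects).update({ name }).eq("id", id).eq("organization_id", organizationId).run();
}
```

Checking `count` on the result is the second half of the check: a scoped mutation that touches zero rows means the caller asked for a row outside its org, which is worth logging rather than silently returning success.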
Tags
nextjs, supabase, server-actions
Catch this automatically on every PR
BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.