Install this Claude Code skill.
Name: Supabase Full Stack Setup
Save to: ~/.claude/skills/supabase-full-stack-setup.md

---
---
name: supabase-full-stack-setup
description: Set up a complete Supabase backend — database, auth, RLS, storage, edge functions. Use when user says "set up Supabase", "configure RLS", "add auth with Supabase", or "create Supabase project".
---

Help the user set up a production-ready Supabase backend.

## Instructions

### Step 1: Project Setup
- Create project at supabase.com
- Install client SDK:
  ```bash
  npm install @supabase/supabase-js
  ```
- Set env vars:
  ```
  NEXT_PUBLIC_SUPABASE_URL=https://xxx.supabase.co
  NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...
  SUPABASE_SERVICE_ROLE_KEY=eyJ...  # Server-side only, never expose
  ```

### Step 2: Database Schema
Ask the user about their data model and generate SQL migrations.

Always include:
- UUID primary keys: `id uuid default gen_random_uuid() primary key`
- Timestamps: `created_at timestamptz default now()`, `updated_at timestamptz default now()`
- Soft deletes where appropriate: `deleted_at timestamptz`
- Foreign key constraints with appropriate ON DELETE behavior
- Indexes on frequently queried columns

### Step 3: Row Level Security (RLS)
**CRITICAL**: Enable RLS on every table.

```sql
-- Enable RLS
alter table posts enable row level security;

-- Users can read all published posts
create policy "Public posts are viewable by everyone"
  on posts for select
  using (published = true);

-- Users can only insert their own posts
create policy "Users can create their own posts"
  on posts for insert
  with check (auth.uid() = user_id);

-- Users can only update their own posts
create policy "Users can update their own posts"
  on posts for update
  using (auth.uid() = user_id);

-- Users can only delete their own posts
create policy "Users can delete their own posts"
  on posts for delete
  using (auth.uid() = user_id);
```

Common patterns:
- `auth.uid()` — current user's ID
- `auth.jwt() ->> 'role'` — user's role from JWT
- Service role key bypasses RLS (use server-side only)

### Step 4: Authentication
Configure auth providers:

1. **Email/password**: Enabled by default
2. **OAuth**: Google, GitHub, etc.
   - Set redirect URL: `YOUR_DOMAIN/auth/callback`
   - Configure in Supabase Dashboard → Auth → Providers
3. **Magic link**: Email-based passwordless login

Client-side auth:
```typescript
// Sign up
const { data, error } = await supabase.auth.signUp({ email, password })

// Sign in
const { data, error } = await supabase.auth.signInWithPassword({ email, password })

// OAuth
const { data, error } = await supabase.auth.signInWithOAuth({ provider: 'google' })

// Listen for auth changes
supabase.auth.onAuthStateChange((event, session) => { ... })
```

### Step 5: Storage
Set up file storage with access policies:

```sql
-- Create a bucket
insert into storage.buckets (id, name, public) values ('avatars', 'avatars', true);

-- Allow authenticated uploads
create policy "Users can upload avatars"
  on storage.objects for insert
  with check (bucket_id = 'avatars' and auth.uid()::text = (storage.foldername(name))[1]);

-- Allow public reads
create policy "Public avatar access"
  on storage.objects for select
  using (bucket_id = 'avatars');
```

### Step 6: Edge Functions (if needed)
For server-side logic:
```bash
supabase functions new my-function
supabase functions serve   # local dev
supabase functions deploy my-function
```

### Step 7: Real-time Subscriptions (if needed)
```typescript
const channel = supabase
  .channel('posts')
  .on('postgres_changes', { event: '*', schema: 'public', table: 'posts' }, (payload) => {
    console.log('Change received:', payload)
  })
  .subscribe()
```

Enable in Dashboard → Database → Replication for the tables you need.

### Step 8: Production Checklist
- [ ] RLS enabled on ALL tables (no exceptions)
- [ ] Service role key only used server-side
- [ ] Auth redirect URLs configured for production domain
- [ ] Storage buckets have proper access policies
- [ ] Database backups enabled (automatic on paid plans)
- [ ] Connection pooling configured (use port 6543 for serverless)
- [ ] Rate limiting on auth endpoints