Optimizes RLS policies by enforcing SELECT-wrapped auth.uid() calls, mandatory B-Tree/GIN indexes on policy-referenced columns, and SECURITY DEFINER encapsulation of deep JOINs. Use when optimizing RLS performance, fixing policy full table scans, wrapping auth.uid in SELECT, or indexing columns used in RLS policies.

Configures pgsodium Vault extension for API key and secret storage. Creates SECURITY DEFINER functions assigned to service_role for secure access. Eliminates hardcoded secrets. Use when storing API keys, managing secrets in Supabase, implementing pgsodium Vault, or replacing hardcoded credentials with Vault references.

Creates PL/pgSQL RPC implementing Reciprocal Rank Fusion (score = 1/(k+rank)) to fuse semantic pgvector results with full-text tsvector results. Use when implementing hybrid search, RRF search, semantic plus keyword search, exact SKU and conceptual queries, or vector and full-text fusion.

Configures TUS resumable upload client for files over 6MB with Postgres Advisory Lock 409 Conflict handling. Enforces tenant-scoped bucket paths. Use when implementing large file uploads, resumable uploads, TUS protocol, uploads over unstable networks, or files larger than 6MB in Supabase Storage.

Creates RLS policies enforcing tenant_id isolation on shared-schema tables. Verifies ALTER TABLE ENABLE ROW LEVEL SECURITY before policy creation. Requires tenant_id column and custom-access-token-hook JWT claims. Use when implementing multi-tenant data isolation, tenant-safe queries, shared schema RLS, or tenant_id policy creation.

Inspects database health by analyzing slow queries, identifying bottlenecks, and checking Postgres performance indicators. Use when diagnosing database issues, checking slow queries, inspecting DB health, finding performance bottlenecks, or troubleshooting Supabase Postgres problems.

Configures pgvector HNSW indexes with correct distance operators. Enforces inner product operator for normalized embeddings instead of cosine distance. Use when setting up vector search, creating embedding indexes, configuring semantic search, or choosing between HNSW and IVFFlat index types.

Generates code verifier/challenge pairs, exchanges authorization codes for sessions, sets secure HTTP-only session cookies, and configures server-side callback handling to implement the Proof Key for Code Exchange auth flow. Replaces implicit token-in-fragment flows by removing hash-based token extraction and localStorage usage. Use when implementing Supabase authentication, OAuth login, secure browser auth, SSR auth setup, or modern auth flow migration.

Use when working with Schema Registry for Apache Kafka, Confluent Platform, or Confluent Cloud. Covers schema management (Avro, Protobuf, JSON Schema), compatibility modes, schema evolution, REST API, serializer/deserializer configuration, Kafka Connect converters, and Flink SQL integration with Schema Registry. Trigger this skill whenever the user mentions schema registry, schema evolution, Avro/Protobuf/JSON Schema serialization with Kafka, subject naming strategies, compatibility checking, or Flink SQL with Confluent formats (avro-confluent). Also trigger when users ask about data contracts, schema validation, or serializer/deserializer configuration for Kafka producers and consumers.

Author high-quality Markdown documentation with deterministic structure, lint compliance, and CI integration. Use when writing README files, creating docs pages, fixing markdownlint failures, defining style rules, or wiring markdown checks into pre-commit and pipelines. Keywords: markdown, markdownlint, readme, docs, headings, lists, code fences, links, images, lint config, ci, documentation style.

Expert OpenTelemetry guidance for collector configuration, pipeline design, and production telemetry instrumentation. Use when configuring collectors, designing pipelines, instrumenting applications, implementing sampling, managing cardinality, securing telemetry, writing OTTL transformations, or setting up AI coding agent observability (Claude Code, Codex, Gemini CLI, GitHub Copilot).

Configures NotificationClient handlers, implements async dispatch workflows, and handles DispatchError failures for the pidge v3 notification library in async Python services. Use when working with pidge, pidge v3, pidge notifications, NotificationClient, async notifications, or pidge integration — including setting up API keys, dispatching messages, and handling delivery errors.