g14wxz/realtime-channel-authorization

Secures Supabase Realtime private channels via RLS policies on the realtime.messages table.

Quality: 97% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Security by Snyk: Passed (No known issues)


rules/realtime-auth-rules.md

Realtime Authorization Rules

FATAL Constraints

  • Uncontrolled channel proliferation is FATAL. Agents MUST NOT allow arbitrary channel name creation. All channels MUST follow a predefined multiplexed topic pattern (e.g., {resource}:{tenant_id}:{sub_topic}).
  • Public channels carrying tenant data are FATAL. Any channel transmitting tenant-scoped data MUST be configured as private. Using public access level for tenant data exposes it to all connected clients.
  • Missing RLS on realtime.messages is FATAL. The realtime.messages table MUST have RLS enabled with tenant-scoped policies before any private channel is deployed.

Mandatory Behaviors

  • MUST multiplex topics to reduce total channel count. One channel per resource type per tenant, not one channel per entity.
  • MUST secure Private Channels via RLS policies on realtime.messages using (SELECT auth.jwt() ->> 'tenant_id') for tenant scoping.
  • MUST include tenant_id in Presence track payloads to enable server-side filtering.
  • MUST wrap all auth.jwt() calls in policy expressions with a subselect: (SELECT auth.jwt()).
  • MUST NOT expose internal channel metadata (connection IDs, server nodes) to client payloads.
  • MUST NOT grant INSERT on realtime.messages to the anon role.
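The following is an added worked example, not part of this rule pack, showing what the constraints above look like as Postgres statements for a Supabase project. It assumes the JWT carries a custom tenant_id claim, channels are named {resource}:{tenant_id}:{sub_topic}, and it uses Supabase's realtime.topic() helper to read the channel being joined.

```sql
-- Added example (not part of the rule pack): tenant-scoped RLS for Supabase
-- Realtime private channels named {resource}:{tenant_id}:{sub_topic}.
-- Assumption: the access token carries a custom "tenant_id" claim.

-- 1. RLS must be on before any private channel is deployed.
alter table realtime.messages enable row level security;

-- 2. The anon role must never be able to write into the messages table.
--    (No-op if INSERT was never granted; otherwise this removes the grant.)
revoke insert on realtime.messages from anon;

-- WEAK (do not ship): every authenticated user can read every private channel,
-- so a client from one tenant can subscribe to another tenant's topic.
-- create policy "listen_any" on realtime.messages
--   for select to authenticated using (true);

-- HARDENED: the tenant segment of the topic must equal the caller's tenant_id
-- claim. realtime.topic() returns the channel name being joined; wrapping
-- auth.jwt() in a subselect lets Postgres evaluate it once per statement.
create policy "tenant_can_listen"
on realtime.messages
for select
to authenticated
using (
  realtime.messages.extension in ('broadcast', 'presence')
  and split_part((select realtime.topic()), ':', 2)
      = (select auth.jwt() ->> 'tenant_id')
);

-- Broadcast and presence sends are INSERTs on the same table, so the same
-- tenant scope applies to writers, and only to authenticated callers.
create policy "tenant_can_send"
on realtime.messages
for insert
to authenticated
with check (
  realtime.messages.extension in ('broadcast', 'presence')
  and split_part((select realtime.topic()), ':', 2)
      = (select auth.jwt() ->> 'tenant_id')
);
```

A client joining orders:tenant-a:updates with a token whose tenant_id claim is tenant-b fails the USING check and receives nothing; the same check on INSERT stops it from broadcasting into that channel.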

tile.json