
g14wxz/service-role-boundary

Enforces strict isolation of service_role key to server-side contexts only.

Quality: 97% (Does it follow best practices?). Impact: Pending (no eval scenarios have been run). Security by Snyk: Passed (no known issues).


Service Role Boundary


Overview

The service_role key bypasses Row Level Security and has full database access. This tile enforces that the key is NEVER present in client-side code, browser bundles, or public environment variables. All privileged operations MUST route through server-only contexts — either server-side Supabase clients or SECURITY DEFINER Postgres functions with restricted grants.

Reference

Server-Only Client Pattern (Next.js)

```typescript
// lib/supabase-admin.ts
// 'server-only' makes the Next.js build fail if this module is ever imported
// from a client component, so the admin client cannot reach the browser bundle.
import 'server-only';
import { createClient } from '@supabase/supabase-js';

export const supabaseAdmin = createClient(
  process.env.SUPABASE_URL!,
  // No NEXT_PUBLIC_ prefix: this variable is read only on the server.
  process.env.SUPABASE_SERVICE_ROLE_KEY!
);
```

Environment Variable Scoping

| Variable | Scope | Exposed to Client |
| --- | --- | --- |
| SUPABASE_URL | Both | Yes |
| SUPABASE_ANON_KEY | Both | Yes |
| SUPABASE_SERVICE_ROLE_KEY | Server only | NEVER |
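As an added example, not part of this tile or of Supabase's own tooling, the following Node.js script shows one way to verify the boundary described in the Overview and in the scoping table before a deploy: it checks client-exposed environment variables (assumed to follow the Next.js `NEXT_PUBLIC_` convention) and built bundle chunks for service_role material. It assumes the legacy Supabase key format, a JWT whose payload carries a `role` claim, so it also catches a service_role token whose exact value is not the configured one. The sample keys and artifacts are constructed inline and are not real credentials; the function names are this example's own.

```javascript
// Added example (not part of the tile): a pre-deploy guard that reports any
// service_role material found in client-bound artifacts or public env vars.
// Assumes legacy Supabase keys (JWTs with a "role" claim) and the Next.js
// NEXT_PUBLIC_ prefix for client-exposed variables.

const JWT_RE = /eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g;

// Read the "role" claim out of a JWT without verifying the signature; the
// question here is only "is a service_role token present?", not "is it valid?".
function jwtRole(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof claims.role === 'string' ? claims.role : null;
  } catch {
    return null;
  }
}

// Scan one client-bound artifact (bundle chunk, HTML page, public .env file).
function scanArtifact(name, text, serviceKey) {
  if (serviceKey && text.includes(serviceKey)) {
    return [{ where: name, reason: 'SUPABASE_SERVICE_ROLE_KEY value present verbatim' }];
  }
  for (const [token] of text.matchAll(JWT_RE)) {
    if (jwtRole(token) === 'service_role') {
      return [{ where: name, reason: 'JWT with role=service_role embedded' }];
    }
  }
  return [];
}

// Anything with the NEXT_PUBLIC_ prefix is inlined into the browser bundle, so
// it must never equal the service key or decode to a service_role token.
function scanPublicEnv(env) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith('NEXT_PUBLIC_') || typeof value !== 'string') continue;
    if (value === env.SUPABASE_SERVICE_ROLE_KEY || jwtRole(value) === 'service_role') {
      findings.push({ where: `env:${name}`, reason: 'service_role key exposed via NEXT_PUBLIC_ variable' });
    }
  }
  return findings;
}

// artifacts: { [fileName]: contents }, e.g. read from .next/static/**/*.js.
// Returns an empty array when the boundary holds.
function checkClientBoundary(artifacts, env) {
  const findings = scanPublicEnv(env);
  for (const [name, text] of Object.entries(artifacts)) {
    findings.push(...scanArtifact(name, text, env.SUPABASE_SERVICE_ROLE_KEY));
  }
  return findings;
}

// --- Constructed sample data (not real keys) ---------------------------------
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.${'x'.repeat(43)}`;
}
const ANON_KEY = fakeJwt({ iss: 'supabase', ref: 'example', role: 'anon' });
const SERVICE_KEY = fakeJwt({ iss: 'supabase', ref: 'example', role: 'service_role' });

const SAMPLE_ENV = {
  SUPABASE_URL: 'https://example.supabase.co',
  NEXT_PUBLIC_SUPABASE_ANON_KEY: ANON_KEY,
  SUPABASE_SERVICE_ROLE_KEY: SERVICE_KEY,
  NEXT_PUBLIC_SUPABASE_KEY: SERVICE_KEY, // misconfiguration: service key under a public name
};
const SAMPLE_ARTIFACTS = {
  'static/chunks/app.js': `const c=createClient(u,"${ANON_KEY}");`,     // anon key: allowed
  'static/chunks/admin.js': `const a=createClient(u,"${SERVICE_KEY}");`, // service key: leak
};

for (const f of checkClientBoundary(SAMPLE_ARTIFACTS, SAMPLE_ENV)) {
  console.error(`[service-role-boundary] ${f.where}: ${f.reason}`);
}
```

To run it against a real build, fill the artifacts map from the files under the build's static output directory, pass `process.env` in place of the sample, and fail the CI job whenever the returned list is non-empty.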

SECURITY DEFINER Grant Pattern

```sql
-- Postgres grants EXECUTE on new functions to PUBLIC by default, so it must be
-- revoked explicitly; anon and authenticated are revoked as well in case they
-- hold direct grants.
REVOKE EXECUTE ON FUNCTION admin_operation FROM public, anon, authenticated;
-- Only the server-side role may invoke the privileged function.
GRANT EXECUTE ON FUNCTION admin_operation TO service_role;
```

Dependencies

  • supabase-mcp-verification — Root prerequisite. MUST be installed and passing.

Composition Position

  • Stage: security-boundary
  • Priority: CRITICAL
  • Executes after supabase-mcp-verification. All tiles that perform admin operations MUST comply with this boundary.
