g14wxz/service-role-boundary

Enforces strict isolation of service_role key to server-side contexts only.

Quality: 97% (does it follow best practices?)

Impact: Pending (no eval scenarios have been run)

Security by Snyk: Passed (no known issues)

rules/service-role-rules.md

Service Role Rules

FATAL Constraints

  • NEVER expose SUPABASE_SERVICE_ROLE_KEY to client-side code, browser bundles, or public environment variables. HALT immediately upon detection.
  • NEVER prefix the service role key with NEXT_PUBLIC_, VITE_, NUXT_PUBLIC_, or any client-exposed env prefix.
  • NEVER import a server-side admin Supabase client from a client component or client-loaded module.
  • NEVER create RPCs callable by anon or authenticated that internally use service_role without explicit authorization guards.
  • HALT if supabase-mcp-verification is not installed or not passing.

Mandatory Behaviors

  • MUST instantiate the service_role Supabase client exclusively in server-only modules.
  • MUST use framework-level server guards (e.g., import 'server-only' in Next.js) to prevent client import of admin modules.
  • MUST route all privileged/admin database operations through the server-side client or SECURITY DEFINER functions.
  • MUST restrict SECURITY DEFINER function execution grants — REVOKE from public, grant only to required roles.
  • MUST store SUPABASE_SERVICE_ROLE_KEY only in server-scoped environment variables and secrets managers.
  • MUST audit CI/CD pipelines to confirm the service role key is injected only into server-side build contexts.
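As an added example that is not part of this rules file, the following TypeScript check is the kind of CI/CD audit step the last rule calls for: it flags any client-exposed variable (NEXT_PUBLIC_, VITE_, NUXT_PUBLIC_) whose value decodes to a service_role JWT, duplicates SUPABASE_SERVICE_ROLE_KEY, or carries SERVICE_ROLE in its name. It assumes Supabase keys are JWTs carrying a `role` claim; the function names (`auditEnv`, `jwtRole`, `fakeToken`) are chosen here, and any token values are constructed, not real keys.

```typescript
// Added example: CI audit for client-exposed service_role keys (not the tile's own code).
// Assumption: Supabase keys are JWTs whose payload carries a "role" claim.

const CLIENT_EXPOSED_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "NUXT_PUBLIC_"];

export interface Finding {
  name: string;
  reason: string;
}

// Decode the payload of a JWT without verifying it; only the role claim matters here.
export function jwtRole(token: string): string | undefined {
  const parts = token.split(".");
  if (parts.length !== 3) return undefined;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : undefined;
  } catch {
    return undefined; // not base64url JSON, so not a Supabase key
  }
}

// Walk an environment map and report every client-prefixed variable that leaks the key.
export function auditEnv(env: Record<string, string | undefined>): Finding[] {
  const findings: Finding[] = [];
  const serviceKey = env.SUPABASE_SERVICE_ROLE_KEY;
  for (const [name, value] of Object.entries(env)) {
    if (value === undefined) continue;
    if (!CLIENT_EXPOSED_PREFIXES.some((p) => name.startsWith(p))) continue;
    if (jwtRole(value) === "service_role") {
      findings.push({ name, reason: "value is a service_role JWT" });
    } else if (serviceKey !== undefined && value === serviceKey) {
      findings.push({ name, reason: "value equals SUPABASE_SERVICE_ROLE_KEY" });
    } else if (name.includes("SERVICE_ROLE")) {
      findings.push({ name, reason: "name suggests a service role key under a client prefix" });
    }
  }
  return findings;
}

// Build an unsigned token with the given claims (constructed test data, never a real key).
export function fakeToken(claims: Record<string, string>): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.sig`;
}
```

In a pipeline, call `auditEnv(process.env)` in the client build stage and fail the job whenever the returned array is non-empty.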