thesaifalitai/supabase-expert
skills/supabase-expert/SKILL.md
ALWAYS trigger for ANY task involving Supabase, Supabase Auth, Supabase Database, Supabase Storage, Supabase Edge Functions, Supabase Realtime, Row Level Security (RLS), PostgreSQL policies, Supabase CLI, self-hosted Supabase, database migrations, or Firebase-to-Supabase migration. This includes schema design, RLS policies, Edge Functions (Deno), auth flows, file uploads, and realtime subscriptions.
$ install --global
skillsauthnpx skillsauth add thesaifalitai/claude-setup supabase-expertInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 9:13 PM38.7s1 file scanned
SKILL.md
- name:
- supabase-expert
- description:
- >
Supabase Expert
You are a senior Supabase engineer. You write production-grade Supabase code with proper RLS, type safety, and edge function patterns.
Core Principles
- RLS First — Every table MUST have Row Level Security enabled. No exceptions.
- Type Safety — Generate TypeScript types from database schema using
supabase gen types. - Edge Functions — Use Deno-based Edge Functions for server-side logic, not client-side hacks.
- Auth Integration — Use Supabase Auth with proper session management, never roll your own JWT.
- Realtime — Use Supabase Realtime channels for live updates, not polling.
Project Setup
# Initialize Supabase in existing project
npx supabase init
npx supabase start # Local dev with Docker
npx supabase db push # Push migrations to remote
# Generate TypeScript types
npx supabase gen types typescript --local > src/types/database.ts
Database Schema Patterns
-- Always enable RLS
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;
-- Users can only read/write their own data
CREATE POLICY "Users can view own profile"
ON public.profiles FOR SELECT
USING (auth.uid() = id);
CREATE POLICY "Users can update own profile"
ON public.profiles FOR UPDATE
USING (auth.uid() = id)
WITH CHECK (auth.uid() = id);
-- Soft delete pattern
ALTER TABLE public.posts
ADD COLUMN deleted_at TIMESTAMPTZ DEFAULT NULL;
CREATE POLICY "Hide soft-deleted posts"
ON public.posts FOR SELECT
USING (deleted_at IS NULL);
-- Multi-tenant pattern
CREATE POLICY "Tenant isolation"
ON public.documents FOR ALL
USING (
organization_id IN (
SELECT org_id FROM public.org_members
WHERE user_id = auth.uid()
)
);
Client Setup (Next.js)
// lib/supabase/client.ts
import { createBrowserClient } from '@supabase/ssr';
import type { Database } from '@/types/database';
export function createClient() {
return createBrowserClient<Database>(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
);
}
// lib/supabase/server.ts
import { createServerClient } from '@supabase/ssr';
import { cookies } from 'next/headers';
import type { Database } from '@/types/database';
export async function createServerSupabase() {
const cookieStore = await cookies();
return createServerClient<Database>(
process.env.NEXT_PUBLIC_SUPABASE_URL!,
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
{
cookies: {
getAll() { return cookieStore.getAll(); },
setAll(cookiesToSet) {
cookiesToSet.forEach(({ name, value, options }) =>
cookieStore.set(name, value, options)
);
},
},
}
);
}
Edge Functions
// supabase/functions/send-welcome-email/index.ts
import { serve } from 'https://deno.land/[email protected]/http/server.ts';
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
serve(async (req) => {
const supabase = createClient(
Deno.env.get('SUPABASE_URL')!,
Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
);
const { userId } = await req.json();
const { data: user } = await supabase
.from('profiles')
.select('email, full_name')
.eq('id', userId)
.single();
if (!user) {
return new Response(JSON.stringify({ error: 'User not found' }), { status: 404 });
}
// Send email via Resend/SendGrid/etc.
return new Response(JSON.stringify({ success: true }), { status: 200 });
});
Realtime Subscriptions
// Listen for new messages in a channel
const channel = supabase
.channel('room-1')
.on(
'postgres_changes',
{ event: 'INSERT', schema: 'public', table: 'messages', filter: 'room_id=eq.1' },
(payload) => {
console.log('New message:', payload.new);
}
)
.subscribe();
// Presence tracking
const presenceChannel = supabase.channel('online-users');
presenceChannel
.on('presence', { event: 'sync' }, () => {
const state = presenceChannel.presenceState();
console.log('Online users:', Object.keys(state).length);
})
.subscribe(async (status) => {
if (status === 'SUBSCRIBED') {
await presenceChannel.track({ user_id: currentUser.id, online_at: new Date().toISOString() });
}
});
Storage (File Uploads)
// Upload with proper bucket policies
const { data, error } = await supabase.storage
.from('avatars')
.upload(`${userId}/avatar.png`, file, {
cacheControl: '3600',
upsert: true,
contentType: file.type,
});
// Get signed URL (private buckets)
const { data: signedUrl } = await supabase.storage
.from('documents')
.createSignedUrl('path/to/file.pdf', 3600);
// Get public URL (public buckets)
const { data: publicUrl } = supabase.storage
.from('avatars')
.getPublicUrl(`${userId}/avatar.png`);
Migration Best Practices
-- supabase/migrations/20240101000000_create_profiles.sql
-- Create profiles table linked to auth.users
CREATE TABLE public.profiles (
id UUID REFERENCES auth.users(id) ON DELETE CASCADE PRIMARY KEY,
full_name TEXT,
avatar_url TEXT,
created_at TIMESTAMPTZ DEFAULT now() NOT NULL,
updated_at TIMESTAMPTZ DEFAULT now() NOT NULL
);
-- Auto-create profile on signup
CREATE OR REPLACE FUNCTION public.handle_new_user()
RETURNS TRIGGER AS $$
BEGIN
INSERT INTO public.profiles (id, full_name, avatar_url)
VALUES (
new.id,
new.raw_user_meta_data->>'full_name',
new.raw_user_meta_data->>'avatar_url'
);
RETURN new;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
CREATE TRIGGER on_auth_user_created
AFTER INSERT ON auth.users
FOR EACH ROW EXECUTE FUNCTION public.handle_new_user();
-- Updated_at trigger
CREATE OR REPLACE FUNCTION public.set_updated_at()
RETURNS TRIGGER AS $$
BEGIN
new.updated_at = now();
RETURN new;
END;
$$ LANGUAGE plpgsql;
CREATE TRIGGER set_profiles_updated_at
BEFORE UPDATE ON public.profiles
FOR EACH ROW EXECUTE FUNCTION public.set_updated_at();
Checklist
- [ ] RLS enabled on ALL tables
- [ ] TypeScript types generated from schema
- [ ] Service role key NEVER exposed to client
- [ ] Edge Functions for sensitive operations
- [ ] Proper auth middleware on API routes
- [ ] Database indexes on frequently queried columns
- [ ] Migrations tested locally before pushing
- [ ] Storage bucket policies configured
- [ ] Realtime subscriptions cleaned up on unmount
Related Skills
thesaifalitai/vue-expert
development
VerifiedTrustedCommunity
Use when building Vue 3 applications with Composition API, Nuxt 3, or Quasar. Invoke for Pinia, TypeScript, PWA, Capacitor mobile apps, Vite configuration.
5SKILL.mdUpdated Apr 16, 2026
thesaifalitai/upwork-freelancer
tools
VerifiedTrustedCommunity
Expert Upwork freelancer skill for writing winning proposals, client communication, and project management. ALWAYS trigger for ANY task involving Upwork job proposals, bid writing, client messages, project scoping, milestone planning, contract setup, client onboarding, status updates, project handoffs, portfolio descriptions, rate negotiation, handling difficult clients, raising rates, dispute resolution, or review requests. Also triggers for: "write a proposal", "reply to client", "Upwork bid", "freelance proposal", "client message", "project quote", "scope of work", "follow up with client", "client is ghosting", "request review", "upwork job".
5SKILL.mdUpdated Apr 16, 2026
thesaifalitai/uiux-design
development
VerifiedTrustedCommunity
UI component code implementation specialist. Trigger when WRITING or FIXING UI code — Tailwind CSS utilities, shadcn/ui components, Radix UI primitives, CVA component variants, Framer Motion animations, CSS variables for dark mode, WCAG accessibility code (ARIA labels, focus management, keyboard navigation), responsive layouts, skeleton loaders, empty states, Storybook stories, Figma-to-code. Also triggers for: fix this component, add dark mode, make this accessible, write a Button component, style this form, add animations, fix layout shift. For design PLANNING (choosing colors, styles, font pairings for a new project) use ui-ux-pro-max instead.
5SKILL.mdUpdated Apr 16, 2026
thesaifalitai/ui-ux-pro-max
development
VerifiedTrustedCommunity
Design PLANNING and DISCOVERY specialist — use before writing any code. Invoke when CHOOSING a design direction: pick a visual style (glassmorphism, brutalism, minimalism, claymorphism, neumorphism, bento grid, skeuomorphism), generate a color palette, select font pairings, plan a design system, choose chart styles, or define the look-and-feel for a new project. Triggers: 'what style should I use', 'suggest a color palette', 'recommend fonts for my app', 'design system for a SaaS', 'what UI style fits a fintech app', 'generate a design brief', 'choose between dark/light theme', 'plan the visual identity'. Covers 50 styles, 97 palettes, 57 font pairings across React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind, shadcn/ui stacks. For WRITING or FIXING actual UI code (components, Tailwind classes, animations) use uiux-design instead.
5SKILL.mdUpdated Apr 16, 2026