feat: database schema, RLS policies, and sign-up trigger (#23) #34

Merged: zacharias-ona merged 1 commit into main from feat/23-database-schema on Apr 15, 2026
@zacharias-ona
Collaborator

Closes #23

What

Creates the foundational database schema for Memo — all five tables, Row Level Security policies, and database triggers needed before any feature work can begin.

How

Single migration (supabase/migrations/20260415092907_create_schema.sql) containing:

Tables: profiles, workspaces, members, workspace_invites, pages — matching the data model in docs/product-spec.md.

Custom enums: member_role (owner/admin/member), invite_role (admin/member).

RLS policies on all tables:

  • profiles — users read own + co-members' profiles, update own
  • workspaces — members read, authenticated create (own), admins update, admins delete (non-personal only)
  • members — members read, admins manage
  • workspace_invites — admins manage, invited users read own by email
  • pages — members full CRUD (insert requires created_by = auth.uid())

Helper functions: is_workspace_member(ws_id) and is_workspace_admin(ws_id), security definer SQL functions used by RLS policies to check membership.

Triggers:

  • handle_new_user — fires on auth.users insert, atomically creates profile + personal workspace (is_personal = true, name = "{display_name}'s Workspace") + owner membership
  • enforce_workspace_limit: BEFORE INSERT on workspaces, raises exception if user already has 3 workspaces
  • update_updated_at — auto-updates updated_at on workspaces and pages

TypeScript types in src/lib/types.ts matching all database entities.

Testing

  • pnpm lint
  • pnpm typecheck
  • pnpm test ✅ (no test files — this is a schema-only change)
  • npx supabase db lint — cannot run without local Supabase instance; will be validated on deploy

Acceptance Criteria

  • profiles table with correct columns and FK to auth.users
  • workspaces table with is_personal, created_by FK, partial unique index
  • members table with role enum, unique constraint on (workspace_id, user_id)
  • workspace_invites table with token, expiry, accepted_at
  • pages table with parent_id self-reference, content jsonb, position integer
  • RLS enabled on all tables with workspace membership enforcement
  • handle_new_user trigger creates profile + personal workspace + owner membership
  • Workspace creation limit enforced via BEFORE INSERT trigger (max 3)
  • Personal workspace protection: DELETE policy requires is_personal = false
  • npx supabase db lint — requires local instance, deferred to deploy

@vercel

vercel Bot commented Apr 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
memo | Ready | Preview, Comment | Apr 15, 2026 9:33am

@zacharias-ona
Collaborator Author

Review: ✅ Approved

Schema, RLS policies, triggers, and TypeScript types all look correct.

Checked:

  • All 5 tables match the product spec data model column-for-column
  • RLS enabled on all tables with appropriate membership-based policies
  • security definer + set search_path = '' on all functions (prevents search_path injection)
  • handle_new_user trigger atomically creates profile + personal workspace + owner membership
  • Workspace limit trigger (max 3) and personal workspace protection (delete policy requires is_personal = false)
  • Partial unique index enforces one personal workspace per user
  • TypeScript types in src/lib/types.ts match the schema
  • Scope is clean — only migration, types, and architecture doc update

No blocking issues found.
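
The helper-function pattern the description and review refer to, as an added sketch that is not the migration's own code and not part of the comment above: two security definer helpers pinned to an empty search_path, plus three of the listed policies. It assumes the tables from the PR description already exist in a Supabase project; uuid keys, a pages.workspace_id column, the policy names, and owners counting as admins are assumptions.

```sql
-- Added illustration, not the migration's code. Assumes the tables from the PR
-- description exist; uuid keys and pages.workspace_id are assumptions.

-- Membership check. SECURITY DEFINER runs with the function owner's rights, so
-- (when that owner also owns public.members) the lookup is not filtered by the
-- caller's RLS view of the table. The empty search_path forces every object
-- reference to be schema-qualified, so a caller-controlled schema cannot shadow it.
create or replace function public.is_workspace_member(ws_id uuid)
returns boolean
language sql stable security definer
set search_path = ''
as $$
  select exists (
    select 1 from public.members m
    where m.workspace_id = ws_id and m.user_id = auth.uid()
  );
$$;

-- Admin check. Counting 'owner' as admin-capable is an assumption.
create or replace function public.is_workspace_admin(ws_id uuid)
returns boolean
language sql stable security definer
set search_path = ''
as $$
  select exists (
    select 1 from public.members m
    where m.workspace_id = ws_id and m.user_id = auth.uid()
      and m.role in ('owner', 'admin')
  );
$$;

alter table public.pages enable row level security;
alter table public.workspaces enable row level security;

-- Members read pages of workspaces they belong to.
create policy pages_select on public.pages
  for select to authenticated
  using (public.is_workspace_member(workspace_id));

-- Inserts must target a workspace the caller belongs to and be attributed to the caller.
create policy pages_insert on public.pages
  for insert to authenticated
  with check (public.is_workspace_member(workspace_id) and created_by = auth.uid());

-- Personal workspaces cannot be deleted, even by their admins.
create policy workspaces_delete on public.workspaces
  for delete to authenticated
  using (public.is_workspace_admin(id) and is_personal = false);
```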

@zacharias-ona zacharias-ona merged commit 6bbd9ab into main Apr 15, 2026
5 checks passed
@zacharias-ona zacharias-ona deleted the feat/23-database-schema branch April 15, 2026 09:35
@zacharias-ona
Collaborator Author

✅ UI verification skipped — no UI files changed (no src/components/*, src/app/**/page.tsx, or src/app/**/layout.tsx modifications).

@zacharias-ona
Collaborator Author

❌ Post-merge verification failed. See #36.

Smoke test results:

Route | Result
/ (landing page) | ✅ Passed
/login | ⏭️ Skipped (not yet built)
/api/health | ❌ Failed — DB reports {"status":"down","db":{"connected":false}}
/dashboard | ⏭️ Skipped (not yet built)

Failure: The Supabase database connection is failing in production. The health endpoint's catch branch is hit, indicating the client cannot connect at all.
