Skip to content

Add spinners#19

Merged
wmadden merged 1 commit into
mainfrom
spinners
Nov 18, 2025
Merged

Add spinners#19
wmadden merged 1 commit into
mainfrom
spinners

Conversation

@wmadden
Copy link
Copy Markdown
Contributor

@wmadden wmadden commented Nov 18, 2025

No description provided.

@wmadden wmadden merged commit f54efc4 into main Nov 18, 2025
6 of 7 checks passed
@wmadden wmadden deleted the spinners branch November 18, 2025 13:59
wmadden added a commit that referenced this pull request May 12, 2026
@wmadden
docs(supabase-integration): pin RLS verifier semantics via content-ad…
540eb6c 
…dressed wire names

Settle the last blocking RLS design hole (#19 RLS verifier check
semantics) and three smaller working-assumption items.

Design choice: policy wire names carry an 8-hex SHA-256 suffix over the
canonical content tuple (using, withCheck, sort(roles), operation, as).
Predicate equivalence collapses to a name match; the verifier never
compares bodies for equivalence purposes. One body-level check remains
(the per-row tamper check that recomputes the suffix against the
introspected body).

Three structural wins:

- Predicate-equivalence false positives are eliminated by construction.
  Postgres-side expression-printer normalization (parens, whitespace,
  cast forms) no longer surfaces as policy_mismatch noise.
- Policy rename detection is structurally free (matching hash, different
  prefix → ALTER POLICY ... RENAME TO). Closes the earlier
  defer-and-ship-drop+create working assumption.
- No version marker needed; the contract storage hash already signals
  normalizer changes through VERIFY_CODE_HASH_MISMATCH (per ADR 004).

Pinned decisions:

- A8: TS as field, default permissive (mirrors PSL B2).
- C9: content-addressed policy wire names.
- C10: RLS verifier semantics built on C9 (rls_policy_renamed,
  rls_policy_tampered, rls_not_enabled issue kinds).
- C11: implicit ENABLE RLS via model-level rls: auto|enabled|disabled.
- OC4: content-addressed naming pattern as a future-project backport
  target for indexes, functions, views, check constraints.

Artifacts:

- New ADR draft at projects/supabase-integration/specs/ (promotes at
  close-out with assigned number).
- rls.md verifier section rewritten to the content-addressed model.
- design-holes.md #19 marked decided; verifier cluster closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wmadden