- PostgreSQL RLS recursion/cycle detection -- Detects circular dependencies between RLS policies that cause infinite evaluation and 500 errors. Traces the policy dependency graph (A -> B -> C -> A cycles) and flags potential recursion sources with a concrete detection query.
- `POSTGRES_RLS` auto-detection flag -- RLS-specific checks now run for any PostgreSQL project using Row-Level Security, not just Supabase. Triggered by `CREATE POLICY` or `ENABLE ROW LEVEL SECURITY` in SQL/migration files, covering direct PostgreSQL, Neon, and ORM-backed projects.
- RLS policy testing guidance -- `SET LOCAL role = 'authenticated'` pattern for verifying policies as the actual runtime role instead of as superuser. Superusers, roles with `BYPASSRLS`, and table owners (unless `FORCE ROW LEVEL SECURITY` is set) bypass RLS entirely, so a query that "works" under any of them proves nothing about the policy.
- SECURITY DEFINER cycle-breaker fix pattern -- `LANGUAGE sql STABLE SECURITY DEFINER` template for lightweight helper functions that break RLS recursion by bypassing RLS internally (the function runs as its owner, so the inner read is not policy-checked again).
- Detection query for tables missing RLS -- `pg_tables` + `pg_class.relrowsecurity` query added to Phase 6.1.
- Warning about tightening permissive policies -- Documents that replacing `USING (true)` with a more restrictive policy can unmask latent circular dependencies, since `USING (true)` never consults another table and so acts as a circuit breaker.
- Phase 6.1 broadened from "Supabase Checks" to "Supabase / PostgreSQL RLS Checks", scoping RLS-specific checks to trigger on either `SUPABASE` or `POSTGRES_RLS` flag while keeping Supabase-only checks (client-side mutations, Edge Function auth, service role key, `getUser()` vs `getSession()`) gated on `SUPABASE`.
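The items above describe one procedure end to end: a policy that recurses into its own table, the `SECURITY DEFINER` helper that breaks the cycle, the `SET LOCAL role` test, and the Phase 6.1 detection queries. The following PostgreSQL script is an added worked example written for this changelog; it is not code shipped with the skill. It assumes a `NOLOGIN` role named `authenticated`, constructed tables `orgs` and `org_members`, and a hypothetical `app_user_id()` helper that reads a per-connection setting `app.user_id` in place of Supabase's `auth.uid()`, so it runs on plain PostgreSQL.

```sql
-- Constructed example (not the skill's own code): recursive RLS policy,
-- SECURITY DEFINER cycle breaker, SET LOCAL role test, and detection queries.
-- Assumed: a NOLOGIN role `authenticated` and a hypothetical app_user_id()
-- standing in for Supabase's auth.uid(). Run as the table owner.
create role authenticated nologin;

create or replace function app_user_id() returns uuid
language sql stable as $$
  -- the application sets this per connection: set local app.user_id = '...'
  select nullif(current_setting('app.user_id', true), '')::uuid;
$$;

create table orgs (id bigint primary key, name text);
create table org_members (
  org_id  bigint not null references orgs(id),
  user_id uuid   not null,
  role    text   not null,
  primary key (org_id, user_id)
);
alter table org_members enable row level security;
grant select on org_members to authenticated;

-- BEFORE: deciding visibility of an org_members row reads org_members again.
-- CREATE POLICY succeeds; the first SELECT under the policy aborts with
-- "infinite recursion detected in policy for relation org_members".
create policy members_see_members on org_members
  for select to authenticated
  using (org_id in (select org_id from org_members where user_id = app_user_id()));

-- AFTER: move the inner read into a SECURITY DEFINER helper. It runs as its
-- owner (the table owner, who bypasses RLS unless FORCE ROW LEVEL SECURITY is
-- set), so the inner read is not policy-checked and the cycle is broken.
-- search_path is pinned so a caller-controlled schema cannot shadow org_members.
drop policy members_see_members on org_members;
create or replace function my_org_ids() returns setof bigint
language sql stable security definer set search_path = public as $$
  select org_id from org_members where user_id = app_user_id();
$$;
revoke execute on function my_org_ids() from public;
grant execute on function my_org_ids() to authenticated;

create policy members_see_members on org_members
  for select to authenticated
  using (org_id in (select my_org_ids()));

-- TEST as the runtime role, not as the superuser/owner running the migration.
insert into orgs values (1, 'acme'), (2, 'globex');
insert into org_members values
  (1, '11111111-1111-1111-1111-111111111111', 'admin'),
  (2, '22222222-2222-2222-2222-222222222222', 'admin');
begin;
  set local role authenticated;
  set local app.user_id = '11111111-1111-1111-1111-111111111111';
  select org_id, user_id from org_members;   -- expect only the org 1 row
rollback;

-- DETECTION 1: application tables with RLS disabled. pg_tables.rowsecurity is
-- the same flag as pg_class.relrowsecurity; relforcerowsecurity is shown too,
-- because owner-run code ignores policies unless it is set.
select t.schemaname, t.tablename, c.relforcerowsecurity as forced
from pg_tables t
join pg_namespace n on n.nspname = t.schemaname
join pg_class c on c.relname = t.tablename and c.relnamespace = n.oid
where t.schemaname not in ('pg_catalog', 'information_schema')
  and not c.relrowsecurity;

-- DETECTION 2: policies whose USING / WITH CHECK text names an RLS-enabled
-- table (including their own). \m and \M are PostgreSQL word boundaries, so
-- "orgs" does not match "org_members". A textual hit is a heuristic: trace the
-- chain A -> B -> C -> A by hand. After the fix above, the org_members policy
-- mentions only my_org_ids() and drops off this list.
select p.schemaname, p.tablename, p.policyname, t.tablename as references_table
from pg_policies p
join pg_tables t on t.rowsecurity
where coalesce(p.qual, '') || ' ' || coalesce(p.with_check, '')
      ~ ('\m' || t.tablename || '\M')
order by 1, 2, 3;
```

Two practical notes: the helper must be owned by a role that actually bypasses RLS on the inner table (the owner, or a `BYPASSRLS` role), otherwise the recursion is merely relocated; and the `SET LOCAL role` block must be wrapped in a transaction, because `SET LOCAL` outside one has no effect and the test silently runs as the migration user.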
Initial release. 8-phase security audit skill covering 40+ technologies, built from 77+ real vulnerability findings across 6 production applications.