diff --git a/supabase/migrations/20260311_enable_rls_modules.sql b/supabase/migrations/20260311_enable_rls_modules.sql
new file mode 100644
index 0000000..19423b4
--- /dev/null
+++ b/supabase/migrations/20260311_enable_rls_modules.sql
@@ -0,0 +1,24 @@
+-- Enable Row Level Security on the modules table.
+-- This blocks all direct PostgREST access by default.
+-- The backend app connects via the service role (DATABASE_URL), which bypasses RLS,
+-- so existing functionality is unaffected.
+
+ALTER TABLE public.modules ENABLE ROW LEVEL SECURITY;
+
+-- Deny all access to anonymous (unauthenticated) PostgREST callers.
+-- No policy = no access. This is the default when RLS is enabled, but
+-- the explicit policy below makes the intent clear.
+CREATE POLICY "deny_anon" ON public.modules
+ AS RESTRICTIVE
+ FOR ALL
+ TO anon
+ USING (false);
+
+-- Deny all access to authenticated PostgREST callers too.
+-- The modules table is internal admin-only and should never be
+-- queried directly via the Supabase REST API.
+CREATE POLICY "deny_authenticated" ON public.modules
+ AS RESTRICTIVE
+ FOR ALL
+ TO authenticated
+ USING (false);
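Review bot: The migration relies on row-level security alone, so `anon` and `authenticated` presumably keep whatever table-level privileges were granted to them on `public.modules`; with no permissive policy a SELECT through PostgREST silently returns an empty set rather than an error, and TRUNCATE is governed by table privileges, not by policies. Since the comment above `deny_authenticated` states the table should never be reachable through the REST API, revoking the grants removes it from the API surface entirely and is cheap defense in depth next to the two restrictive policies: `REVOKE ALL ON public.modules FROM anon, authenticated;`. The header comment's claim that existing functionality is unaffected holds only for the table owner and for roles with BYPASSRLS; any other connection path to this table would start seeing zero rows after this migration, which is worth confirming before it ships. The two `CREATE POLICY` statements are not re-runnable; if the project's migrations are ever replayed, a preceding `DROP POLICY IF EXISTS "deny_anon" ON public.modules;` (and likewise for `deny_authenticated`) keeps the file idempotent.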