From 622cf89211f662e17528c0afe4a68bcb0a4b8997 Mon Sep 17 00:00:00 2001
From: Paulo Reyes
Date: Wed, 11 Mar 2026 18:35:09 +0800
Subject: [PATCH] add SQL migration to enable Row Level Security on modules table
---
 .../20260311_enable_rls_modules.sql | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 supabase/migrations/20260311_enable_rls_modules.sql
diff --git a/supabase/migrations/20260311_enable_rls_modules.sql b/supabase/migrations/20260311_enable_rls_modules.sql
new file mode 100644
index 0000000..19423b4
--- /dev/null
+++ b/supabase/migrations/20260311_enable_rls_modules.sql
@@ -0,0 +1,24 @@
+-- Enable Row Level Security on the modules table.
+-- This blocks all direct PostgREST access by default.
+-- The backend app connects via the service role (DATABASE_URL), which bypasses RLS,
+-- so existing functionality is unaffected.
+
+ALTER TABLE public.modules ENABLE ROW LEVEL SECURITY;
+
+-- Deny all access to anonymous (unauthenticated) PostgREST callers.
+-- No policy = no access. This is the default when RLS is enabled, but
+-- the explicit policy below makes the intent clear.
+CREATE POLICY "deny_anon" ON public.modules
+ AS RESTRICTIVE
+ FOR ALL
+ TO anon
+ USING (false);
+
+-- Deny all access to authenticated PostgREST callers too.
+-- The modules table is internal admin-only and should never be
+-- queried directly via the Supabase REST API.
+CREATE POLICY "deny_authenticated" ON public.modules
+ AS RESTRICTIVE
+ FOR ALL
+ TO authenticated
+ USING (false);
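Review bot: The header comment's claim that the backend "connects via the service role (DATABASE_URL), which bypasses RLS" is the assumption the whole migration rests on, and nothing in the file checks it. A DATABASE_URL connection is exempt only if its login role owns `public.modules` (the migration does not use `FORCE ROW LEVEL SECURITY`) or carries the `BYPASSRLS` attribute; otherwise, with no permissive policy defined, the backend would be denied access to every row. I would reword the comment to state the actual condition, e.g. `-- The backend connects through DATABASE_URL as the table owner or a BYPASSRLS role, so these policies do not apply to it.`, and confirm it against `pg_roles.rolbypassrls` and the table owner before deploying. Since the table is described as internal admin-only, also consider adding `REVOKE ALL ON public.modules FROM anon, authenticated;` so the API roles hold no table privileges even if RLS is later disabled; whether they currently hold grants is not visible in this patch.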