From 2aaed4400312b19a07dd97173d1da8129c2fb53e Mon Sep 17 00:00:00 2001
From: "DESKTOP-738DBED\\tomsl"
Date: Wed, 25 Feb 2026 20:48:36 +0100
Subject: [PATCH 1/3] Enable Row Level Security on all tables Locks out Supabase anon/authenticated roles from direct REST API access. The app connects via the postgres superuser through Prisma, which bypasses RLS, so existing behaviour is unchanged.
Co-Authored-By: Claude Sonnet 4.6
---
.../20260225194600_enable_rls/migration.sql | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 prisma/migrations/20260225194600_enable_rls/migration.sql
diff --git a/prisma/migrations/20260225194600_enable_rls/migration.sql b/prisma/migrations/20260225194600_enable_rls/migration.sql
new file mode 100644
index 0000000..1aab787
--- /dev/null
+++ b/prisma/migrations/20260225194600_enable_rls/migration.sql
@@ -0,0 +1,17 @@
+-- Enable Row Level Security on all tables.
+-- The app connects via the postgres superuser (Prisma) which bypasses RLS,
+-- so existing behaviour is unchanged. This locks out Supabase's anon/
+-- authenticated roles from accessing tables directly via the REST API.
+
+ALTER TABLE "User" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Account" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Session" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "VerificationToken" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Category" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Resource" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Tag" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Like" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Comment" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Submission" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "_ResourceToTag" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "_AuthoredBy" ENABLE ROW LEVEL SECURITY;
From 39fa247f70ebd31a91f41a863d8691621a4000f9 Mon Sep 17 00:00:00 2001
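Review bot: The header comment in 20260225194600_enable_rls/migration.sql does not say that this list of `ALTER TABLE ... ENABLE ROW LEVEL SECURITY` statements is a one-time snapshot; a table created by a later Prisma migration starts with RLS disabled, and if the anon/authenticated roles still hold default grants it would presumably be reachable through the REST API again. I would add a line such as `-- NOTE: RLS is per table; every later migration that creates a table must enable it too.` The comment should also record that no policies are defined, so the lock-out rests on default-deny and the app path rests on Prisma connecting as the table owner or a BYPASSRLS role; RLS therefore places no restriction on queries the app itself issues.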
From: "DESKTOP-738DBED\\tomsl"
Date: Wed, 25 Feb 2026 20:51:09 +0100
Subject: [PATCH 2/3] Add _prisma_migrations to RLS migration
Co-Authored-By: Claude Sonnet 4.6
---
prisma/migrations/20260225194600_enable_rls/migration.sql | 1 +
1 file changed, 1 insertion(+)
diff --git a/prisma/migrations/20260225194600_enable_rls/migration.sql b/prisma/migrations/20260225194600_enable_rls/migration.sql
index 1aab787..cd1a56d 100644
--- a/prisma/migrations/20260225194600_enable_rls/migration.sql
+++ b/prisma/migrations/20260225194600_enable_rls/migration.sql
@@ -15,3 +15,4 @@ ALTER TABLE "Comment" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "Submission" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "_ResourceToTag" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "_AuthoredBy" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "_prisma_migrations" ENABLE ROW LEVEL SECURITY;
From 4be82e2b109edf3e2fbff899870a14aada2ac89c Mon Sep 17 00:00:00 2001
From: "DESKTOP-738DBED\\tomsl"
Date: Wed, 25 Feb 2026 20:53:58 +0100
Subject: [PATCH 3/3] Add separate migration to enable RLS on _prisma_migrations The previous migration was already applied to preprod without this table, so a new migration is needed to cover it on all environments.
Co-Authored-By: Claude Sonnet 4.6
---
prisma/migrations/20260225194600_enable_rls/migration.sql | 1 -
.../20260225195338_enable_rls_prisma_migrations/migration.sql | 3 +++
2 files changed, 3 insertions(+), 1 deletion(-)
create mode 100644 prisma/migrations/20260225195338_enable_rls_prisma_migrations/migration.sql
diff --git a/prisma/migrations/20260225194600_enable_rls/migration.sql b/prisma/migrations/20260225194600_enable_rls/migration.sql
index cd1a56d..1aab787 100644
--- a/prisma/migrations/20260225194600_enable_rls/migration.sql
+++ b/prisma/migrations/20260225194600_enable_rls/migration.sql
@@ -15,4 +15,3 @@ ALTER TABLE "Comment" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "Submission" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "_ResourceToTag" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "_AuthoredBy" ENABLE ROW LEVEL SECURITY;
-ALTER TABLE "_prisma_migrations" ENABLE ROW LEVEL SECURITY;
diff --git a/prisma/migrations/20260225195338_enable_rls_prisma_migrations/migration.sql b/prisma/migrations/20260225195338_enable_rls_prisma_migrations/migration.sql
new file mode 100644
index 0000000..cb12abc
--- /dev/null
+++ b/prisma/migrations/20260225195338_enable_rls_prisma_migrations/migration.sql
@@ -0,0 +1,3 @@
+-- Enable RLS on Prisma's own migrations table.
+-- The postgres superuser bypasses RLS so migrate deploy continues to work.
+ALTER TABLE "_prisma_migrations" ENABLE ROW LEVEL SECURITY;
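Review bot: The comment in the new 20260225195338_enable_rls_prisma_migrations/migration.sql relies on the postgres role bypassing RLS but does not record what happens when that assumption fails: with RLS enabled and no policy, a role that neither owns `_prisma_migrations` nor has BYPASSRLS reads zero rows from it and cannot insert, so `migrate deploy` would presumably treat the database as unmigrated. I would state the requirement in the comment, e.g. `-- Requires the migration role to own this table or have BYPASSRLS; no policy is defined.` A post-deploy check such as `SELECT relname, relrowsecurity FROM pg_class WHERE relname = '_prisma_migrations';` would confirm the setting actually landed in each environment.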