KnowledgeVault AI policy
policy artifact · for KnowledgeVault AI · status approved
# KnowledgeVault AI — Code & Merge Policy
> Quinn: This policy is your pre-merge checklist. Hard rules block merges. Warn rules require human sign-off. Run each applicable check before closing any module PR.
---
## Rules
### POL-SEC-001 — Row-Level Security on All User Tables
| Field | Value |
|---|---|
| Category | security |
| Severity | HARD |
| Applies to | supabase/migrations, apps/web/src/lib, apps/web/src/app/api |
Description: RLS must be ENABLED on every Supabase table storing user data (experts, sessions, transcripts, knowledge_items, assets, payouts, companies). No user-facing query may bypass RLS via service_role except in explicitly named admin server actions.
Check:
```sql
-- Must return empty result set
-- (every public table has RLS enabled AND at least one policy;
--  policies on a table with RLS disabled are not enforced)
SELECT tablename FROM pg_tables
WHERE schemaname = 'public'
  AND (
    NOT rowsecurity
    OR tablename NOT IN (
      SELECT tablename FROM pg_catalog.pg_policies
      WHERE schemaname = 'public'
    )
  );
```
Also:
```bash
grep -r 'supabaseAdmin\|service_role' apps/web/src \
  | grep -v '/api/admin/\|/lib/server/admin.ts'
# Must return zero matches
```
Rationale: KnowledgeVault stores proprietary trade knowledge and PII. A missing RLS policy is a full data breach — any authenticated user can read all rows.
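A path-anchored form of the `service_role` check, as an added example (not part of the policy or the project's code). It applies the two allowed locations to the file path only, so text on a matched line cannot satisfy the allowlist. The function names `check_service_role` and `make_demo_tree` and the sample files are assumptions constructed for illustration.

```shell
# Added example: path-anchored service_role check for POL-SEC-001.
PATTERN='supabaseAdmin|service_role'

# Prints file:line:text for each disallowed use under directory $1.
# Returns 0 if clean, 1 on violations, 2 if $1 is not a directory.
check_service_role() {
  [ -d "$1" ] || return 2
  hits=$({ grep -rlE "$PATTERN" "$1" || true; } | while IFS= read -r f; do
    case "$f" in
      */api/admin/*|*/lib/server/admin.ts) ;;   # the two allowed locations
      *) grep -HnE "$PATTERN" "$f" ;;           # anything else is a violation
    esac
  done)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Builds a constructed sample tree (hypothetical files) and prints its root.
make_demo_tree() {
  d=$(mktemp -d)
  src="$d/apps/web/src"
  mkdir -p "$src/app/api/admin/payouts" "$src/app/api/experts" "$src/lib/server"
  # Allowed: admin route and the named admin module.
  echo "import { supabaseAdmin } from '@/lib/server/admin'" \
    > "$src/app/api/admin/payouts/route.ts"
  echo "export const supabaseAdmin = createClient(url, service_role_key)" \
    > "$src/lib/server/admin.ts"
  # Disallowed: user-facing route; the line also mentions /api/admin/ in a comment.
  echo "await supabaseAdmin.from('experts').select() // moved from /api/admin/" \
    > "$src/app/api/experts/route.ts"
  # Clean file: no privileged client.
  echo "export const db = createBrowserClient(url, anon_key)" > "$src/lib/db.ts"
  printf '%s\n' "$d"
}

# Demo run on the constructed tree; in CI, call check_service_role apps/web/src.
demo=$(make_demo_tree)
check_service_role "$demo/apps/web/src" || echo "POL-SEC-001: merge blocked"
rm -rf "$demo"
```

In the sample tree only `app/api/experts/route.ts` is reported, even though that line contains the string `/api/admin/`.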