KnowledgeVault AI policy
internal prototype · canonical JSON + Dreamborn Forge HTML
internal generated
policy · supabase_json

KnowledgeVault AI policy

policy artifact · for KnowledgeVault AI · status approved

Planning Surface

Use this to decide what happens next.

Status

approved

Agent Handoff
Start Here

policy artifact · for KnowledgeVault AI · status approved

Completion Evidence

No explicit evidence field yet. Require tests, screenshots, linked PRs, or reviewed outputs before marking complete.

Artifact Shape
  • body: # KnowledgeVault AI — Code & Merge Policy

> Quinn: This policy is your pre-merge checklist. Hard rules block merges. Warn rules require human sign-off. Run each applicable check before closing any module PR.

---

## Rules

### POL-SEC-001 — Row-Level Security on All User Tables | Field | Value | |---|---| | Category | security | | Severity | HARD | | Applies to | supabase/migrations, apps/web/src/lib, apps/web/src/app/api |

Description: RLS must be ENABLED on every Supabase table storing user data (experts, sessions, transcripts, knowledge_items, assets, payouts, companies). No user-facing query may bypass RLS via service_role except in explicitly named admin server actions.

Check: ``sql -- Must return empty result set (all user tables have at least one policy) SELECT tablename FROM pg_tables WHERE schemaname = 'public' AND tablename NOT IN ( SELECT tablename FROM pg_catalog.pg_policies WHERE schemaname = 'public' ); ` Also: `bash grep -r 'supabaseAdmin\|service_role' apps/web/src \ | grep -v '/api/admin/\|/lib/server/admin.ts' # Must return zero matches ``

Rationale: KnowledgeVault stores proprietary trade knowledge and PII. A missing RLS policy is a full data breach — any authenticated user can read all rows.

Structured Payload

Machine-readable source fields

body

# KnowledgeVault AI — Code & Merge Policy project_id: 572d75d0-3088-4055-be75-601d25442c61 artifact_type: policy generated_by: vikram generated_at: 2026-04-30 status: draft

> Quinn: This policy is your pre-merge checklist. Hard rules block merges. Warn rules require human sign-off. Run each applicable check before closing any module PR.

---

## Rules

### POL-SEC-001 — Row-Level Security on All User Tables | Field | Value | |---|---| | Category | security | | Severity | HARD | | Applies to | supabase/migrations, apps/web/src/lib, apps/web/src/app/api |

Description: RLS must be ENABLED on every Supabase table storing user data (experts, sessions, transcripts, knowledge_items, assets, payouts, companies). No user-facing query may bypass RLS via service_role except in explicitly named admin server actions.

Check: ``sql -- Must return empty result set (all user tables have at least one policy) SELECT tablename FROM pg_tables WHERE schemaname = 'public' AND tablename NOT IN ( SELECT tablename FROM pg_catalog.pg_policies WHERE schemaname = 'public' ); ` Also: `bash grep -r 'supabaseAdmin\|service_role' apps/web/src \ | grep -v '/api/admin/\|/lib/server/admin.ts' # Must return zero matches ``

Rationale: KnowledgeVault stores proprietary trade knowledge and PII. A missing RLS policy is a full data breach — any authenticated user can read all rows.

generated at

2026-04-30

generated by

vikram