KnowledgeVault AI policy
policy artifact · for KnowledgeVault AI · status approved
policy artifact · for KnowledgeVault AI · status approved
No explicit evidence field yet. Require tests, screenshots, linked PRs, or reviewed outputs before marking complete.
- body: # KnowledgeVault AI — Code & Merge Policy
> Quinn: This policy is your pre-merge checklist. Hard rules block merges. Warn rules require human sign-off. Run each applicable check before closing any module PR.
---
## Rules
### POL-SEC-001 — Row-Level Security on All User Tables
| Field | Value |
|---|---|
| Category | security |
| Severity | HARD |
| Applies to | supabase/migrations, apps/web/src/lib, apps/web/src/app/api |
Description: RLS must be ENABLED on every Supabase table storing user data (experts, sessions, transcripts, knowledge_items, assets, payouts, companies). No user-facing query may bypass RLS via service_role except in explicitly named admin server actions.
Check:
``sql
-- Must return empty result set (all user tables have at least one policy)
SELECT tablename FROM pg_tables
WHERE schemaname = 'public'
AND tablename NOT IN (
SELECT tablename FROM pg_catalog.pg_policies
WHERE schemaname = 'public'
);
`
Also:
`bash
grep -r 'supabaseAdmin\|service_role' apps/web/src \
| grep -v '/api/admin/\|/lib/server/admin.ts'
# Must return zero matches
``
Rationale: KnowledgeVault stores proprietary trade knowledge and PII. A missing RLS policy is a full data breach — any authenticated user can read all rows.
Machine-readable source fields
# KnowledgeVault AI — Code & Merge Policy project_id: 572d75d0-3088-4055-be75-601d25442c61 artifact_type: policy generated_by: vikram generated_at: 2026-04-30 status: draft
> Quinn: This policy is your pre-merge checklist. Hard rules block merges. Warn rules require human sign-off. Run each applicable check before closing any module PR.
---
## Rules
### POL-SEC-001 — Row-Level Security on All User Tables
| Field | Value |
|---|---|
| Category | security |
| Severity | HARD |
| Applies to | supabase/migrations, apps/web/src/lib, apps/web/src/app/api |
Description: RLS must be ENABLED on every Supabase table storing user data (experts, sessions, transcripts, knowledge_items, assets, payouts, companies). No user-facing query may bypass RLS via service_role except in explicitly named admin server actions.
Check:
``sql
-- Must return empty result set (all user tables have at least one policy)
SELECT tablename FROM pg_tables
WHERE schemaname = 'public'
AND tablename NOT IN (
SELECT tablename FROM pg_catalog.pg_policies
WHERE schemaname = 'public'
);
`
Also:
`bash
grep -r 'supabaseAdmin\|service_role' apps/web/src \
| grep -v '/api/admin/\|/lib/server/admin.ts'
# Must return zero matches
``
Rationale: KnowledgeVault stores proprietary trade knowledge and PII. A missing RLS policy is a full data breach — any authenticated user can read all rows.
2026-04-30
vikram