Skip to main content
Version: 1.1.0
Last Updated: 2026-03-23
How to set up and configure Supabase for the Encore OS Platform in development, staging, and production.

Table of Contents

  1. Overview
  2. Project Setup
  3. Database Configuration
  4. Connection Pooling
  5. Edge Functions Deployment
  6. Storage Buckets
  7. Authentication Configuration
  8. Realtime Subscriptions
  9. Backup and Recovery
  10. Performance Tuning
  11. Security Best Practices
  12. Environment-Specific Setup
  13. Branching Setup
  14. Troubleshooting

Overview

Supabase serves as the primary backend for Encore OS Platform, providing:
  • PostgreSQL Database - Multi-tenant data storage with RLS
  • Authentication - User management and JWT tokens
  • Storage - File storage for documents, attachments, avatars
  • Edge Functions - Serverless functions for complex processing
  • Realtime - Live data subscriptions
  • API - Auto-generated REST API

Project Setup

1. Create Supabase Project

1
  • Go to Supabase Dashboard
  • Click New Project
  • Fill in:
    • Name: encoreos-production (or encoreos-staging, encoreos-dev)
    • Database Password: Generate strong password (save securely)
    • Region: Choose closest to users
    • Pricing Plan: Select appropriate plan

    2. Get Project Credentials

    After project creation, get credentials from SettingsAPI:
    • Project URL: https://{project-ref}.supabase.co
    • anon public key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
    • service_role key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... ⚠️ Keep secret!

    3. Configure Environment Variables

    Set in .env.local (development) or Vercel (production):
    Never commit service role key to client code!

    Database Configuration

    1. Run Migrations

    Local Development:
    Production:
    Migration Files: Located in supabase/migrations/

    2. Verify Database Setup

    Check Tables:
    Check RLS:
    Check Functions:

    3. Seed Data (Development Only)

    Never seed production with real PHI/PII!

    Connection Pooling

    Why Connection Pooling?

    Supabase has connection limits. Connection pooling allows multiple clients to share database connections efficiently.

    Supabase Connection Pooler

    Direct Connection (Development):
    Pooled Connection (Production):
    Port Differences:
    • 5432 - Direct connection (no pooling)
    • 6543 - Pooled connection (pgbouncer)

    Configuration

    For Edge Functions:
    For Client Applications:
    Connection Pool Settings:
    • Transaction Mode: Default (recommended)
    • Max Connections: 200 (Supabase default)
    • Idle Timeout: 10 minutes

    Edge Functions Deployment

    1. Deploy All Functions

    2. Set Function Secrets

    List Secrets:

    3. Configure JWT Verification

    Edit supabase/config.toml:
    Functions Requiring JWT (verify_jwt = true):
    • execute-report
    • process-entity-mapping
    • ai-assistant
    • workflow-debug-control
    • sandbox-execute
    • test-* functions
    • ai-document-analyze
    • workflow-metrics-aggregate
    • workflow-path-aggregate
    • workflow-version-compare
    Functions Without JWT (verify_jwt = false):
    • Scheduled tasks (cron jobs)
    • Database trigger invocations
    • Batch processing functions

    4. Test Edge Functions

    See: docs/integrations/EDGE_FUNCTIONS.md for complete function documentation

    Storage Buckets

    Current Storage Buckets

    Create Storage Bucket

    Via Migration:
    Via Supabase Dashboard:
    1
  • Go to StorageBuckets
  • Click New Bucket
  • Configure:
    • Name: Follow pattern {core}-{purpose}
    • Public: false (unless public access needed)
    • File Size Limit: Set appropriate limit
    • Allowed MIME Types: Restrict to needed types

    Storage RLS Policies

    Example: Organization-Scoped Access
    Example: User-Scoped Uploads
    Bucket Naming Convention:
    • Format: {core}-{purpose}
    • Examples: pf-avatars, fw-submission-attachments, fa-report-exports
    • See: constitution.md §5.2 (Storage Buckets)

    Authentication Configuration

    1. Email Authentication

    Enable Email Auth:
    1
  • Go to AuthenticationProviders
  • Enable Email
  • Configure:
    • Enable email confirmations: true (production)
    • Secure email change: true
    • Double confirm email changes: true
    Email Templates:
    • Customize in AuthenticationEmail Templates
    • Templates: Confirmation, Invite, Magic Link, Password Reset

    2. Password Policy

    Configure Password Requirements:
    1
  • Go to AuthenticationPolicies
  • Set minimum password length: 8 (recommended: 12)
  • Enable password complexity requirements
  • 3. Session Configuration

    Session Settings:
    • JWT expiry: 3600 seconds (1 hour)
    • Refresh token expiry: 604800 seconds (7 days)
    • Auto-refresh: Enabled
    Configure in supabase/config.toml:

    Realtime Subscriptions

    Enable Realtime

    For Tables:
    Example:

    Client-Side Usage

    Best Practices:
    • Unsubscribe when component unmounts
    • Filter by organization_id for multi-tenant isolation
    • Use specific filters to reduce data transfer

    Backup and Recovery

    Automated Backups

    Supabase Pro Plan:
    • Daily automated backups
    • 7-day retention (default)
    • Point-in-time recovery available
    Backup Settings:
    1
  • Go to SettingsDatabase
  • Configure backup schedule
  • Set retention period
  • Manual Backup

    Export Database:
    Export Specific Schema:

    Restore Database

    From Backup:
    Point-in-Time Recovery:
    1
  • Go to DatabaseBackups
  • Select restore point
  • Click Restore

  • Performance Tuning

    1. Database Indexes

    Verify Indexes Exist:
    Create Missing Indexes:

    2. Query Performance

    Enable Query Logging:
    Analyze Query Plans:

    3. Connection Limits

    Monitor Connections:
    Max Connections: 200 (Supabase default)

    4. Materialized Views

    For Heavy Aggregations:

    Security Best Practices

    1. RLS Policies

    Verify RLS is Enabled:
    Test RLS Policies:
    • Use RLS test suite: tests/rls/
    • Verify tenant isolation
    • Test role-based access

    2. Service Role Key

    ⚠️ CRITICAL:
    • Never use in client code
    • Only in edge functions and tests
    • Rotate regularly
    • Monitor usage
    Rotate Service Role Key:
    1
  • Go to SettingsAPI
  • Click Reset service_role key
  • Update edge function secrets
  • Update test environment variables
  • 3. API Keys

    Anon Key:
    • Safe to expose (RLS enforced)
    • Used in client applications
    • Can be regenerated if compromised
    Service Role Key:
    • Never expose
    • Regenerate if compromised
    • Monitor access logs

    4. Network Security

    IP Restrictions (Optional):
    1
  • Go to SettingsDatabase
  • Configure IP allowlist
  • Restrict to known IPs (if needed)
  • SSL/TLS:
    • Always use HTTPS
    • Supabase enforces SSL connections
    • Verify certificate in production

    Environment-Specific Setup

    Development

    Local Supabase:
    Local Credentials:
    • URL: http://localhost:54321
    • Anon key: From supabase status output
    • Service role key: From supabase status output

    Staging

    Staging Project:
    • Separate Supabase project
    • Same migrations as production
    • Test data (no PHI/PII)
    • Monitoring enabled

    Production

    Production Checklist:
    • Separate Supabase project
    • Strong database password
    • Automated backups enabled
    • Monitoring configured
    • Alerts configured
    • SSL/TLS verified
    • RLS policies tested
    • Edge functions deployed
    • Storage buckets configured
    • Secrets set for edge functions

    Branching Setup

    Overview

    Supabase Branches provide isolated database environments that sync with Git branches. This eliminates the need for separate projects for staging/testing and enables automatic migration deployment. Benefits:
    • ✅ Isolated database environments per branch
    • ✅ Automatic migration sync via GitHub integration
    • ✅ Easy branch switching in dashboard
    • ✅ Cost-effective (branches included in plan)
    • ✅ Preview branches for PR testing

    Setup Persistent Staging Branch

    1. Create Branch via CLI:
    2. Create Branch via Dashboard:
    1
  • Go to Supabase Dashboard → Branches
  • Click “Create Branch”
  • Name: staging
  • Type: Persistent
  • Click “Create”
  • 3. Link Local Project:
    4. Apply Migrations:

    GitHub Integration

    Enable GitHub Integration:
    1
  • Go to Supabase Dashboard → Settings → Integrations
  • Click “Connect GitHub”
  • Authorize Supabase to access your repository
  • Select repository: encoreos-platform
  • Enable “Automatic migration deployment”
  • Branch Mapping:
    • main → Production Supabase project
    • staging → Staging persistent branch
    • develop → Development persistent branch (optional)
    • Feature branches → Preview branches (auto-created for PRs)
    How It Works:
    • Pushes to staging branch → Automatically deploys migrations to staging Supabase branch
    • Pushes to main branch → Automatically deploys migrations to production Supabase project
    • Opening PRs → Creates preview branches automatically for testing
    Workflow Example:

    Branch Configuration

    Persistent Branches:
    • Long-lived environments (staging, production)
    • Map to Git branches
    • Sync migrations automatically
    • Use for testing before production
    Preview Branches:
    • Short-lived (deleted after PR merge)
    • Created automatically for PRs
    • Use for testing feature migrations
    • Isolated from other branches

    Branch Naming Convention

    Switching Between Branches

    Via Dashboard:
    1
  • Click branch dropdown in top menu
  • Select target branch
  • All operations now target selected branch
  • Via CLI:

    Branch Isolation

    Each branch has its own:
    • Database instance (isolated data)
    • API endpoints (unique URLs)
    • Authentication settings
    • Storage buckets
    • Edge Functions
    Important: Changes in one branch do not affect others.

    Best Practices

    1
  • Always test migrations in staging before production
  • Use preview branches for PR testing
  • Keep staging branch in sync with production schema
  • Document branch-specific configurations in config.toml
  • Monitor branch usage to avoid unnecessary costs
  • See:

    Troubleshooting

    Issue: Migration Fails

    Symptoms:
    • Migration errors during deployment
    • Schema conflicts
    Solutions:
    1
  • Check migration order (timestamps)
  • Verify no manual schema changes
  • Test migrations locally first
  • Check for breaking changes
  • Issue: RLS Policy Errors

    Symptoms:
    • “permission denied” errors
    • Infinite recursion errors
    Solutions:
    1
  • Verify SECURITY DEFINER functions used
  • Check policy syntax
  • Test with RLS test suite
  • Review constitution.md §5.7
  • Issue: Edge Function Timeout

    Symptoms:
    • Function returns 504 after 60 seconds
    Solutions:
    1
  • Break into smaller functions
  • Use database functions for heavy processing
  • Implement pagination for large datasets
  • Add timeout handling
  • Issue: Storage Upload Fails

    Symptoms:
    • “permission denied” on storage uploads
    Solutions:
    1
  • Verify storage RLS policies
  • Check bucket exists
  • Verify file size within limits
  • Check MIME type is allowed
  • Issue: Connection Pool Exhausted

    Symptoms:
    • “too many connections” errors
    Solutions:
    1
  • Use connection pooling (port 6543)
  • Close connections properly
  • Reduce connection pool size
  • Monitor connection usage

  • Monitoring

    Supabase Dashboard

    Metrics Available:
    • Database CPU/Memory usage
    • API request count
    • Storage usage
    • Edge function invocations
    • Authentication events

    Custom Monitoring

    Set up alerts for:
    • Database CPU > 80%
    • API error rate > 1%
    • Storage usage > 80%
    • Edge function failures
    • Connection pool exhaustion

    • Supabase MCP Usage: docs/development/MCP_USAGE.md - When to use MCP vs CLI
    • Migration Guide: docs/database/migration-workflow.md - Live migration workflow (one-time 2026-01 playbook archived at docs/archive/migration-2026-01/COMPLETION_PLAN.md)
    • Edge Functions: docs/integrations/EDGE_FUNCTIONS.md
    • Environment Variables: docs/development/ENVIRONMENT_VARIABLES.md
    • Secrets Management: docs/security/SECRETS_MANAGEMENT.md
    • Constitution: constitution.md §5.8-5.9 (Edge Function Patterns)
    • Supabase Branching: Official Branching Guide

    Document Owner: Platform Team
    Review Frequency: Quarterly
    Last Updated: 2025-01-07