Last Updated: 2026-03-23 How to set up and configure Supabase for the Encore OS Platform in development, staging, and production.
Table of Contents
- Overview
- Project Setup
- Database Configuration
- Connection Pooling
- Edge Functions Deployment
- Storage Buckets
- Authentication Configuration
- Realtime Subscriptions
- Backup and Recovery
- Performance Tuning
- Security Best Practices
- Environment-Specific Setup
- Branching Setup
- Troubleshooting
Overview
Supabase serves as the primary backend for Encore OS Platform, providing:- PostgreSQL Database - Multi-tenant data storage with RLS
- Authentication - User management and JWT tokens
- Storage - File storage for documents, attachments, avatars
- Edge Functions - Serverless functions for complex processing
- Realtime - Live data subscriptions
- API - Auto-generated REST API
Project Setup
1. Create Supabase Project
1
- Name:
encoreos-production(orencoreos-staging,encoreos-dev) - Database Password: Generate strong password (save securely)
- Region: Choose closest to users
- Pricing Plan: Select appropriate plan
2. Get Project Credentials
After project creation, get credentials from Settings → API:- Project URL:
https://{project-ref}.supabase.co - anon public key:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... - service_role key:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...⚠️ Keep secret!
3. Configure Environment Variables
Set in.env.local (development) or Vercel (production):
Database Configuration
1. Run Migrations
Local Development:supabase/migrations/
2. Verify Database Setup
Check Tables:3. Seed Data (Development Only)
Never seed production with real PHI/PII!Connection Pooling
Why Connection Pooling?
Supabase has connection limits. Connection pooling allows multiple clients to share database connections efficiently.Supabase Connection Pooler
Direct Connection (Development):5432- Direct connection (no pooling)6543- Pooled connection (pgbouncer)
Configuration
For Edge Functions:- Transaction Mode: Default (recommended)
- Max Connections: 200 (Supabase default)
- Idle Timeout: 10 minutes
Edge Functions Deployment
1. Deploy All Functions
2. Set Function Secrets
3. Configure JWT Verification
Editsupabase/config.toml:
verify_jwt = true):
execute-reportprocess-entity-mappingai-assistantworkflow-debug-controlsandbox-executetest-*functionsai-document-analyzeworkflow-metrics-aggregateworkflow-path-aggregateworkflow-version-compare
verify_jwt = false):
- Scheduled tasks (cron jobs)
- Database trigger invocations
- Batch processing functions
4. Test Edge Functions
docs/integrations/EDGE_FUNCTIONS.md for complete function documentation
Storage Buckets
Current Storage Buckets
Create Storage Bucket
Via Migration:1
- Name: Follow pattern
{core}-{purpose} - Public:
false(unless public access needed) - File Size Limit: Set appropriate limit
- Allowed MIME Types: Restrict to needed types
Storage RLS Policies
Example: Organization-Scoped Access- Format:
{core}-{purpose} - Examples:
pf-avatars,fw-submission-attachments,fa-report-exports - See:
constitution.md§5.2 (Storage Buckets)
Authentication Configuration
1. Email Authentication
Enable Email Auth:1
- Enable email confirmations:
true(production) - Secure email change:
true - Double confirm email changes:
true
- Customize in Authentication → Email Templates
- Templates: Confirmation, Invite, Magic Link, Password Reset
2. Password Policy
Configure Password Requirements:1
8 (recommended: 12)3. Session Configuration
Session Settings:- JWT expiry:
3600seconds (1 hour) - Refresh token expiry:
604800seconds (7 days) - Auto-refresh: Enabled
supabase/config.toml:
Realtime Subscriptions
Enable Realtime
For Tables:Client-Side Usage
- Unsubscribe when component unmounts
- Filter by
organization_idfor multi-tenant isolation - Use specific filters to reduce data transfer
Backup and Recovery
Automated Backups
Supabase Pro Plan:- Daily automated backups
- 7-day retention (default)
- Point-in-time recovery available
1
Manual Backup
Export Database:Restore Database
From Backup:1
Performance Tuning
1. Database Indexes
Verify Indexes Exist:2. Query Performance
Enable Query Logging:3. Connection Limits
Monitor Connections:4. Materialized Views
For Heavy Aggregations:Security Best Practices
1. RLS Policies
Verify RLS is Enabled:- Use RLS test suite:
tests/rls/ - Verify tenant isolation
- Test role-based access
2. Service Role Key
⚠️ CRITICAL:- Never use in client code
- Only in edge functions and tests
- Rotate regularly
- Monitor usage
1
3. API Keys
Anon Key:- Safe to expose (RLS enforced)
- Used in client applications
- Can be regenerated if compromised
- Never expose
- Regenerate if compromised
- Monitor access logs
4. Network Security
IP Restrictions (Optional):1
- Always use HTTPS
- Supabase enforces SSL connections
- Verify certificate in production
Environment-Specific Setup
Development
Local Supabase:- URL:
http://localhost:54321 - Anon key: From
supabase statusoutput - Service role key: From
supabase statusoutput
Staging
Staging Project:- Separate Supabase project
- Same migrations as production
- Test data (no PHI/PII)
- Monitoring enabled
Production
Production Checklist:- Separate Supabase project
- Strong database password
- Automated backups enabled
- Monitoring configured
- Alerts configured
- SSL/TLS verified
- RLS policies tested
- Edge functions deployed
- Storage buckets configured
- Secrets set for edge functions
Branching Setup
Overview
Supabase Branches provide isolated database environments that sync with Git branches. This eliminates the need for separate projects for staging/testing and enables automatic migration deployment. Benefits:- ✅ Isolated database environments per branch
- ✅ Automatic migration sync via GitHub integration
- ✅ Easy branch switching in dashboard
- ✅ Cost-effective (branches included in plan)
- ✅ Preview branches for PR testing
Setup Persistent Staging Branch
1. Create Branch via CLI:1
stagingGitHub Integration
Enable GitHub Integration:1
encoreos-platformmain→ Production Supabase projectstaging→ Staging persistent branchdevelop→ Development persistent branch (optional)- Feature branches → Preview branches (auto-created for PRs)
- Pushes to
stagingbranch → Automatically deploys migrations to staging Supabase branch - Pushes to
mainbranch → Automatically deploys migrations to production Supabase project - Opening PRs → Creates preview branches automatically for testing
Branch Configuration
Persistent Branches:- Long-lived environments (staging, production)
- Map to Git branches
- Sync migrations automatically
- Use for testing before production
- Short-lived (deleted after PR merge)
- Created automatically for PRs
- Use for testing feature migrations
- Isolated from other branches
Branch Naming Convention
Switching Between Branches
Via Dashboard:1
Branch Isolation
Each branch has its own:- Database instance (isolated data)
- API endpoints (unique URLs)
- Authentication settings
- Storage buckets
- Edge Functions
Best Practices
1
config.toml- Supabase Branching Guide
- GitHub Integration Guide
docs/database/migration-workflow.mdfor the live migration workflow (the one-time 2026-01 playbook is archived atdocs/archive/migration-2026-01/COMPLETION_PLAN.md)
Troubleshooting
Issue: Migration Fails
Symptoms:- Migration errors during deployment
- Schema conflicts
1
Issue: RLS Policy Errors
Symptoms:- “permission denied” errors
- Infinite recursion errors
1
constitution.md §5.7Issue: Edge Function Timeout
Symptoms:- Function returns 504 after 60 seconds
1
Issue: Storage Upload Fails
Symptoms:- “permission denied” on storage uploads
1
Issue: Connection Pool Exhausted
Symptoms:- “too many connections” errors
1
Monitoring
Supabase Dashboard
Metrics Available:- Database CPU/Memory usage
- API request count
- Storage usage
- Edge function invocations
- Authentication events
Custom Monitoring
Set up alerts for:- Database CPU > 80%
- API error rate > 1%
- Storage usage > 80%
- Edge function failures
- Connection pool exhaustion
Related Documentation
- Supabase MCP Usage:
docs/development/MCP_USAGE.md- When to use MCP vs CLI - Migration Guide:
docs/database/migration-workflow.md- Live migration workflow (one-time 2026-01 playbook archived atdocs/archive/migration-2026-01/COMPLETION_PLAN.md) - Edge Functions:
docs/integrations/EDGE_FUNCTIONS.md - Environment Variables:
docs/development/ENVIRONMENT_VARIABLES.md - Secrets Management:
docs/security/SECRETS_MANAGEMENT.md - Constitution:
constitution.md§5.8-5.9 (Edge Function Patterns) - Supabase Branching: Official Branching Guide
Document Owner: Platform Team
Review Frequency: Quarterly
Last Updated: 2025-01-07