Supabase service_role key in app code

2026-06-08

enforcement hook — dance studio SaaS · 2026-06-08

[composure:enforcement] The write you just attempted to waitlist.ts matches a pattern this codebase doesn't want shipped. What the rule caught (1 item): - [supabase-service-role] Never expose service_role key in client code — it bypasses RLS. Use PUBLISHABLE_KEY for client, service_role only in server actions or edge functions.

This is the entry where the hook changed the architecture, not just the line. After repeated blocks the agent stopped pushing: “I won't force a hook-violating hack. Reverting the waitlist action to its clean committed state and re-targeting the rule-compliant way, with the dynamic resolution flagged as the RPC follow-up.” The privileged operation moved to a SECURITY DEFINER RPC instead of an exposed key.

Why this matters: Keys & accessThe failure mode this catch prevents — in App architecture, in practice.

Composure enforcement hook, firing mid-session on a dance studio SaaS build (client work). Catch message reproduced verbatim.