惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Google DeepMind News
Google DeepMind News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
宝玉的分享
宝玉的分享
量子位
博客园 - 叶小钗
博客园_首页
Know Your Adversary
Know Your Adversary
S
Schneier on Security
罗磊的独立博客
C
Cyber Attacks, Cyber Crime and Cyber Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Simon Willison's Weblog
Simon Willison's Weblog
美团技术团队
WordPress大学
WordPress大学
大猫的无限游戏
大猫的无限游戏
Hacker News: Ask HN
Hacker News: Ask HN
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Security Latest
Security Latest
月光博客
月光博客
Spread Privacy
Spread Privacy
C
Cybersecurity and Infrastructure Security Agency CISA
人人都是产品经理
人人都是产品经理
J
Java Code Geeks
C
CERT Recently Published Vulnerability Notes
Last Week in AI
Last Week in AI
Attack and Defense Labs
Attack and Defense Labs
NISL@THU
NISL@THU
H
Hacker News: Front Page
N
News and Events Feed by Topic
小众软件
小众软件
T
Threatpost
V2EX - 技术
V2EX - 技术
T
Tailwind CSS Blog
阮一峰的网络日志
阮一峰的网络日志
Project Zero
Project Zero
L
LINUX DO - 热门话题
Apple Machine Learning Research
Apple Machine Learning Research
C
CXSECURITY Database RSS Feed - CXSecurity.com
TaoSecurity Blog
TaoSecurity Blog
P
Privacy International News Feed
Latest news
Latest news
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
酷 壳 – CoolShell
酷 壳 – CoolShell
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
AWS News Blog
AWS News Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 【当耐特】
Hugging Face - Blog
Hugging Face - Blog

Supabase Blog

AI Agents Know About Supabase. They Don't Always Use It Right. Custom OIDC Providers for Supabase Auth 100,000 GitHub stars Supabase docs over SSH Navigating Regional Network Blocks Supabase Joins the Stripe Projects Developer Preview Log Drains: Now available on Pro Supabase Storage: major performance, security, and reliability updates Supabase incident on February 12, 2026 Hydra joins Supabase X / Twitter OAuth 2.0 is now available for Supabase Auth BKND joins Supabase Supabase is now an official Claude connector Supabase PrivateLink is now available When to use Read Replicas vs. bigger compute Introducing TRAE SOLO integration with Supabase Supabase Security Retro: 2025 Sync Stripe Data to Your Supabase Database in One Click Building ChatGPT Apps with Supabase Edge Functions and mcp-use Own Your Observability: Supabase Metrics API Introducing iceberg-js: A JavaScript Client for Apache Iceberg Introducing Supabase for Platforms Adding Async Streaming to Postgres Foreign Data Wrappers Build "Sign in with Your App" using Supabase Auth Introducing Seven New Email Templates for Supabase Auth The new Supabase power for Kiro Introducing Supabase ETL Introducing Analytics Buckets Introducing Vector Buckets Snap, Inc. Launches Snap Cloud, Powered by Supabase Triplit joins Supabase Supabase Series E 1000 Y Combinator Founders Choose Supabase gm 👋 web3, welcome aboard to Sign in with Web3 (Solana, Ethereum) Announcing the Supabase Remote MCP Server Enterprise speed, enterprise standards with Bolt Cloud + Supabase PostgREST 13 Lovable Cloud + Supabase: The Default Platform for AI Builders Processing large jobs with Edge Functions, Cron, and Queues Defense in Depth for MCP Servers OrioleDB Patent: now freely available to the Postgres community Supabase Launch Week 15 Hackathon Winner Announcement The Vibe Coder's Guide to Supabase Environments Testing for Vibe Coders: From Zero to Production Confidence The Vibe Coding Master Checklist Vibe Coding: Best Practices for Prompting Supabase Auth: Build vs. Buy Top 10 Launches of Launch Week 15 Supabase Launch Week 15 Hackathon Storage: 10x Larger Uploads, 3x Cheaper Cached Egress, and 2x Egress Quota Persistent Storage and 97% Faster Cold Starts for Edge Functions Algolia Connector for Supabase New Observability Features in Supabase Improved Security Controls and A New Home for Security Introducing Branching 2.0 Stripe-To-Postgres Sync Engine as standalone Library Supabase Analytics Buckets with Iceberg Support Create a Supabase backend using Figma Make Introducing JWT Signing Keys Supabase UI: Platform Kit Build a Personalized AI Assistant with Postgres Announcing Multigres: Vitess for Postgres Building on open table formats Open Data Standards: Postgres, OTel, and Iceberg Simplifying back-end complexity with Supabase Data APIs PostgreSQL Event Triggers without superuser access Top 10 Launches of Launch Week 14 Supabase MCP Server Data API Routes to Nearest Read Replica Declarative Schemas for Simpler Database Management Realtime: Broadcast from Database Keeping Tabs on What's New in Supabase Studio Edge Functions: Deploy from the Dashboard + Deno 2.1 Automatic Embeddings in Postgres Introducing the Supabase UI Library Supabase Auth: Bring Your Own Clerk Postgres Language Server: Initial Release Migrating from Fauna to Supabase Migrating from the MongoDB Data API to Supabase Dedicated Poolers Postgres as a Graph Database: (Ab)using pgRouting AI Hackathon at Y Combinator Calendars in Postgres using Foreign Data Wrappers Supabase Launch Week 13 Hackathon Winners How to Hack the Base! Running Durable Workflows in Postgres using DBOS database.build v2: Bring-your-own-LLM Restore to a New Project Hack the Base! with Supabase Top 10 Launches of Launch Week 13 Supabase Queues High Performance Disk Supabase Cron Supabase CLI v2: Config as Code Supabase Edge Functions: Introducing Background Tasks, Ephemeral Storage, and WebSockets Supabase AI Assistant v2 OrioleDB Public Alpha Executing Dynamic JavaScript Code on Supabase with Edge Functions ClickHouse Partnership, improved Postgres Replication, and Disk Management Live Share: Connect to in-browser PGlite with any Postgres client
Introducing: Postgres Best Practices
Pedro Rodrigues · 2026-01-21 · via Supabase Blog

Introducing: Postgres Best Practices

We are releasing a series of Agent Skills for Postgres Best Practices to teach AI agents how to write better Postgres code. AI coding agents are good at writing code. They struggle with writing correct code for systems they don't understand.

Postgres is one of those systems. It has decades of features, edge cases, and performance characteristics that matter in production. An agent might generate a query that works but creates a full table scan. It might suggest an index that makes writes slower. It might miss Row Level Security entirely.

The Agent Skills we’re releasing today will help guide your coding agent of choice to generate high quality, correct code.

The repository contains rules across 8 categories, prioritized by impact:

  • Query Performance (Critical): Rules for writing efficient queries and avoiding full table scans
  • Connection Management (Critical): Connection pooling, client lifecycle, and resource limits
  • Security and RLS (Critical): Row Level Security policies and access control patterns
  • Schema Design (High): Table structure, data types, and normalization decisions
  • Concurrency and Locking (Medium-High): Transaction isolation, deadlock prevention, and lock management
  • Data Access Patterns (Medium): Pagination, bulk operations, and query design
  • Monitoring and Diagnostics (Low-Medium): Query analysis, performance tracking, and debugging
  • Advanced Features (Low): Postgres-specific capabilities like CTEs, window functions, and extensions

Each rule follows a consistent format. Here is an example for configuring Row Level Security:


_58

---

_58

title: Enable Row Level Security for Multi-Tenant Data

_58

impact: MEDIUM-HIGH

_58

impactDescription: Database-enforced tenant isolation, prevent data leaks

_58

tags: rls, row-level-security, multi-tenant, security

_58

---

_58

_58

## Enable Row Level Security for Multi-Tenant Data

_58

_58

Row Level Security (RLS) enforces data access at the database level, ensuring users only see their own data.

_58

_58

**Incorrect (application-level filtering only):**

_58

_58

```sql

_58

-- Relying only on application to filter

_58

select *

_58

from orders

_58

where user_id = $current_user_id;

_58

_58

-- Bug or bypass means all data is exposed!

_58

-- Returns ALL orders:

_58

select *

_58

from orders;

_58

```

_58

_58

**Correct (database-enforced RLS):**

_58

_58

```sql

_58

-- Enable RLS on the table

_58

alter table orders

_58

enable row level security;

_58

_58

-- Create policy for users to see only their orders

_58

create policy orders_user_policy on orders

_58

for all

_58

using (

_58

user_id = current_setting('app.current_user_id')::bigint

_58

);

_58

_58

-- Force RLS even for table owners

_58

alter table orders

_58

force row level security;

_58

_58

-- Set user context and query

_58

set app.current_user_id = '123';

_58

select * from orders; -- Only returns orders for user 123

_58

```

_58

_58

Policy for authenticated role:

_58

_58

```sql

_58

create policy orders_user_policy on orders

_58

for all

_58

to authenticated

_58

using (user_id = auth.uid());

_58

```

_58

_58

Reference: [Row Level Security](https://supabase.com/docs/guides/database/postgres/row-level-security)


This repo follows the Agent Skills format, an open standard for giving agents domain expertise. The format works with Claude Code, Cursor, GitHub Copilot, VS Code, Gemini CLI, and other tools.

Agent Skills are folders of instructions and examples that agents can discover and use on demand. Think of them as documentation written for machines. Instead of hoping an agent learned the right patterns from its training data, you give it explicit rules to follow. The agent reads the skill when it needs guidance and applies the rules to its work.

The format was developed by Anthropic and released as an open standard. It has since been adopted across the industry. Vercel used it to publish react-best-practices, packaging ten years of React and Next.js optimization knowledge into 40 rules that agents can reference. Cloudflare released skills for Workers, Pages, D1, R2, and 40 other services. We're applying the same approach to Postgres.

When you install the skill, your agent gains access to all 30 rules. It can reference them when writing queries, reviewing code, or suggesting schema changes. The agent treats the rules as authoritative guidance rather than generating advice from its training data.

Supabase runs Postgres for hundreds of thousands of projects. We see the same mistakes repeatedly:

  • Missing indexes on foreign keys
  • Queries that bypass RLS by accident
  • Migrations that lock tables in production
  • Connection pool exhaustion from poorly managed clients
  • Full table scans hidden behind ORMs

Our support team, database advisors, and documentation already contain this knowledge. We packaged it into a format that agents can use directly.

If you've used the Supabase MCP server, you know it lets AI agents connect directly to your Supabase project. Agents can create tables, run queries, manage schemas, and configure settings through natural language.

The MCP server gives agents the ability to work with your database. These best practices teach them to do it correctly.

Think of it this way: the MCP server is the steering wheel, and the best practices are the driving lessons. An agent with MCP access can execute any query you ask for. An agent with both MCP access and these rules will warn you before creating an index that locks your table, suggest RLS policies before you ship insecure code, and structure queries to avoid performance problems.

They work well together. The MCP server handles the connection and execution. The best practices handle the judgment.

The rules in this repo came from our internal knowledge base, but we know the community has insights we've missed.

If you've hit a Postgres gotcha that agents should know about, open a PR. Each rule needs:

  • A clear title
  • A priority level (critical, high, medium, low)
  • An explanation of why it matters
  • Good and bad code examples

The CONTRIBUTING.md file has the full template.

The repo is live at github.com/supabase/agent-skills.

To install a skill, you can use Vercel’s skills npm package to interactively install this skill on your agent.


_10

npx skills add supabase/agent-skills


If you’re using Claude Code, you can also install this skill as a plugin.


_10

/plugin marketplace add supabase/agent-skills

_10

/plugin install postgres-best-practices@supabase-agent-skills


Try it on your next Postgres project, and let us know what rules are missing.