Skip to content

stash-supabase skill lacks raw-pg / no-ORM guidance (only covers the encryptedSupabase JS wrapper) #601

Description

@coderdan

Summary

The stash-supabase agent skill only documents the encryptedSupabase (Supabase JS SDK) wrapper. For a Supabase app whose data layer is plain pg / raw SQL (no ORM, no supabase-js), there is no guidance on the actual EQL SQL surface, so an integrating agent has to reverse-engineer it from pg_operator / pg_cast / the EQL SQL. This is the lowest-level (and most foot-gun-prone) integration path, and it's undocumented.

What's missing

A raw-SQL reference for reading/querying eql_v2_encrypted columns:

  • Binding an encrypted query term: $n::jsonb::eql_v2_encrypted
  • Operator → index mapping:
    • ~~ / ~~* → free-text match (bloom filter)
    • =equality (hmac)
    • < <= > >=order/range (ORE)
  • Reading a value back: col::jsonb, then decrypt in app code
  • abs() over ORE: ORE can't express abs(), so an absolute-value bucket must be decomposed into signed ranges, e.g. ((c >= min AND c < max) OR (c <= -min AND c > -max))

Suggestion

Add a raw-pg / no-ORM section to the Supabase skill (or a general encryption skill), and ideally ship a thin term → SQL operator helper — analogous to the Drizzle / Supabase adapters — so the no-ORM path isn't hand-written EQL SQL. Two independent agents (implementer + assessor) both flagged this as the largest DX gap for this surface.


Found via a CipherStash integration eval on cipherstash/supabase-nextjs-starter (hono-pg surface, plain pg). Full report: https://github.com/cipherstash/supabase-nextjs-starter/blob/feat/multi-surface-starters/docs/evals/hono-pg/2026-07-09-self-assessment.md (see "Docs gaps").

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions