Summary
The stash-supabase agent skill only documents the encryptedSupabase (Supabase JS SDK) wrapper. For a Supabase app whose data layer is plain pg / raw SQL (no ORM, no supabase-js), there is no guidance on the actual EQL SQL surface, so an integrating agent has to reverse-engineer it from pg_operator / pg_cast / the EQL SQL. This is the lowest-level (and most foot-gun-prone) integration path, and it's undocumented.
What's missing
A raw-SQL reference for reading/querying eql_v2_encrypted columns:
- Binding an encrypted query term:
$n::jsonb::eql_v2_encrypted
- Operator → index mapping:
~~ / ~~* → free-text match (bloom filter)
= → equality (hmac)
< <= > >= → order/range (ORE)
- Reading a value back:
col::jsonb, then decrypt in app code
abs() over ORE: ORE can't express abs(), so an absolute-value bucket must be decomposed into signed ranges, e.g. ((c >= min AND c < max) OR (c <= -min AND c > -max))
Suggestion
Add a raw-pg / no-ORM section to the Supabase skill (or a general encryption skill), and ideally ship a thin term → SQL operator helper — analogous to the Drizzle / Supabase adapters — so the no-ORM path isn't hand-written EQL SQL. Two independent agents (implementer + assessor) both flagged this as the largest DX gap for this surface.
Found via a CipherStash integration eval on cipherstash/supabase-nextjs-starter (hono-pg surface, plain pg). Full report: https://github.com/cipherstash/supabase-nextjs-starter/blob/feat/multi-surface-starters/docs/evals/hono-pg/2026-07-09-self-assessment.md (see "Docs gaps").
Summary
The
stash-supabaseagent skill only documents theencryptedSupabase(Supabase JS SDK) wrapper. For a Supabase app whose data layer is plainpg/ raw SQL (no ORM, no supabase-js), there is no guidance on the actual EQL SQL surface, so an integrating agent has to reverse-engineer it frompg_operator/pg_cast/ the EQL SQL. This is the lowest-level (and most foot-gun-prone) integration path, and it's undocumented.What's missing
A raw-SQL reference for reading/querying
eql_v2_encryptedcolumns:$n::jsonb::eql_v2_encrypted~~/~~*→ free-text match (bloom filter)=→ equality (hmac)<<=>>=→ order/range (ORE)col::jsonb, then decrypt in app codeabs()over ORE: ORE can't expressabs(), so an absolute-value bucket must be decomposed into signed ranges, e.g.((c >= min AND c < max) OR (c <= -min AND c > -max))Suggestion
Add a raw-
pg/ no-ORM section to the Supabase skill (or a general encryption skill), and ideally ship a thinterm → SQL operatorhelper — analogous to the Drizzle / Supabase adapters — so the no-ORM path isn't hand-written EQL SQL. Two independent agents (implementer + assessor) both flagged this as the largest DX gap for this surface.Found via a CipherStash integration eval on
cipherstash/supabase-nextjs-starter(hono-pg surface, plainpg). Full report: https://github.com/cipherstash/supabase-nextjs-starter/blob/feat/multi-surface-starters/docs/evals/hono-pg/2026-07-09-self-assessment.md (see "Docs gaps").