# Code Style and Conventions Standards for Supabase

This document outlines the coding style and conventions to be followed when developing for Supabase. Adhering to these standards will help ensure code consistency, readability, maintainability, and overall project quality. These guidelines are designed to be used by both human developers and AI coding assistants such as GitHub Copilot, Cursor, and similar tools.

## 1. General Principles

* **Consistency:** Strive for a consistent code style across the entire project. Use a code formatter (e.g., Prettier) and linter (e.g., ESLint) to automate style enforcement.

* **Readability:** Code should be easy to understand and follow for other developers (and yourself in the future). Use meaningful names, clear comments, and appropriate whitespace.

* **Maintainability:** Code should be organized in a way that makes it easy to modify, extend, and debug. Follow established design principles like SOLID.

* **Testability:** Write code that is easy to test. Follow dependency injection practices.

* **Simplicity:** Prefer simple solutions over complex ones. "Keep It Simple, Stupid" (KISS) is a guiding principle. Avoid over-engineering.

* **Specific to Supabase:** Employ patterns and functionalities in line with Supabase’s architecture. Utilize libraries and features effectively.

## 2. Project Structure

### 2.1. Directory Structure

* Follow a modular structure that separates concerns. A suggested top-level structure:

"""

├── functions/ # Edge Functions

├── migrations/ # Database migrations

├── policies/ # Row Level Security (RLS) policies (SQL files or Terraform)

├── types/ # TypeScript type definitions (if using TypeScript)

├── utils/ # Utility functions

├── tests/ # Test files

"""

* Within each directory, group related files together in subdirectories. For instance, in "functions":

"""

├── functions/

│ ├── auth/

│ │ ├── signup.ts

│ │ ├── login.ts

│ ├── payments/

│ │ ├── create_payment_intent.ts

│ │ ├── webhook.ts

"""

### 2.2. File Naming

* Use descriptive and consistent file names.

* Use snake_case for file names (e.g., "user_profile.ts", "database_utils.js").

* For components (if building a frontend with Supabase integration) prefix with component name and end with ".(component).(js|jsx|ts|tsx)". e.g. "UserProfile.component.tsx"

* For functions, use a verb-noun structure to indicate the function's purpose (e.g., "get_users.ts", "create_order.js").

## 3. Language-Specific Standards

### 3.1. SQL (PostgreSQL)

#### 3.1.1. Formatting

* Use consistent indentation (2 or 4 spaces).

* Capitalize SQL keywords (e.g., "SELECT", "FROM", "WHERE").

* Use lowercase for table and column names.

* Use aliases for clarity, especially in joins.

* Use comments to explain complex queries.

* Use "psql" formatting options in your editor.

* Use "EXPLAIN ANALYZE" to identify and optimize slow queries.

"""sql

-- Do This:

SELECT

u.id AS user_id,

u.name AS user_name,

COUNT(o.id) AS order_count

FROM

users u

LEFT JOIN

orders o ON u.id = o.user_id

WHERE

u.active = TRUE

GROUP BY

u.id, u.name

ORDER BY

order_count DESC;

-- Don't Do This:

select u.id,u.name,count(o.id)from users u left join orders o on u.id=o.userid where u.active=true group by u.id,u.name order by count(o.id) desc; -- Hard to read

"""

#### 3.1.2. Naming Conventions

* Table names: Plural, lowercase (e.g., "users", "products").

* Column names: Singular, lowercase (e.g., "id", "name", "email").

* Primary key: "id" (integer, auto-incrementing).

* Foreign keys: "table_name_id" (e.g., "user_id", "product_id").

* Indexes: Prefix with "idx_" followed by relevant columns (e.g., "idx_users_email").

* Constraints: Prefix with "ck_" for CHECK constraints, "fk_" for foreign key constraints, "pk_" for primary keys, "uq_" for unique constraints. (e.g., "ck_users_email_format", "fk_orders_user_id")

* Functions/Stored Procedures: snake_case with a descriptive verb (e.g., "calculate_order_total", "get_user_by_email").

#### 3.1.3. RLS Policies

* Policies should be clearly named and follow the format "table_name_policy_purpose".

* Always include comments explaining the policy's purpose and logic.

* Be explicit and use "WITH CHECK" clause when needed to prevent data anomalies.

* Write tests for your RLS policies to ensure they behave as expected.

* Consider using "SECURITY DEFINER" for functions that bypass RLS when necessary, but use sparingly and with caution.

"""sql

-- Policy example:

CREATE POLICY users_select_own ON users

FOR SELECT

TO authenticated

USING (auth.uid() = id);

COMMENT ON POLICY users_select_own ON users IS 'Allow each user to only select their own record.';

-- Function example with SECURITY DEFINER:

CREATE FUNCTION get_admin_data()

RETURNS TABLE (column1 type1, column2 type2)

LANGUAGE plpgsql

SECURITY DEFINER

AS $$

BEGIN

-- Your complex logic here

END;

$$;

"""

#### 3.1.4. Migrations

* Use Supabase CLI for managing migrations.

* Each migration should be atomic (do one thing only).

* Use descriptive names for migration files (e.g., "20240101000000_create_users_table.sql").

* Include comments explaining the purpose of the migration.

* Avoid destructive changes in migrations (e.g., dropping columns) unless absolutely necessary. If required, consider creating a new table and migrating data.

* Prefer reversible migrations (with "up" and "down" functions). Supabase handles this automatically.

* Test migrations thoroughly in a development environment before applying them to production. Automated testing is highly recommended.

"""sql

-- 20241027120000_add_email_column.sql (example migration)

-- UP

ALTER TABLE users ADD COLUMN email VARCHAR(255);

ALTER TABLE users ALTER COLUMN email SET NOT NULL;

CREATE UNIQUE INDEX idx_users_email ON users (email);

-- DOWN

DROP INDEX idx_users_email;

ALTER TABLE users DROP COLUMN email;

"""

#### 3.1.5. Data Types

* Use appropriate data types for each column (e.g., "TEXT" for variable-length strings, "INTEGER" for whole numbers, "TIMESTAMP WITH TIME ZONE" for dates and times).

* Prefer "UUID" for primary keys to avoid collisions.

* Use "JSONB" for storing JSON data.

* Use "ENUM" types for constrained values where appropriate.

* Carefully choose the length of "VARCHAR" columns.

"""sql

CREATE TABLE products (

id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),

name VARCHAR(255) NOT NULL,

description TEXT,

price DECIMAL(10, 2) NOT NULL,

category VARCHAR(50) CHECK (category IN ('electronics', 'clothing', 'books')) --ENUM alternative

);

"""

#### 3.1.6. Common Anti-Patterns and Mistakes

* **SELECT ***: Avoid using "SELECT *" in production code. Explicitly list the columns you need to improve performance and avoid unexpected data exposure.

* **Implicit Joins**: Use explicit "JOIN" syntax (e.g., "INNER JOIN", "LEFT JOIN") for better readability and maintainability.

* **Missing Indexes**: Ensure that frequently queried columns have appropriate indexes to improve query performance. Use "EXPLAIN ANALYZE" to identify missing indexes.

* **Over-fetching Data**: Avoid retrieving more data than you need. Use "LIMIT" and "OFFSET" clauses for pagination when retrieving large datasets. Consider using server-side pagination within Supabase functions/edges to limit data transfer.

* **Hardcoding Values**: Avoid hardcoding values in SQL queries. Use parameterized queries to prevent SQL injection vulnerabilities. Supabase client libraries handle parameterization automatically.

"""javascript

// Example of parameterized query

const { data, error } = await supabase

.from('users')

.select('*')

.eq('email', userEmail); // userEmail provided by user input.

if (error) {

console.error("Error fetching user:", error);

} else {

console.log("User data:", data);

}

"""

### 3.2. JavaScript/TypeScript (Frontend & Edge Functions)

#### 3.2.1. Formatting

* Use Prettier configured consistently across the project.

* Use ESLint with a configuration that enforces best practices (e.g., Airbnb, Standard).

* Use TypeScript for type safety, especially in larger projects.

* Use 2 spaces for indentation.

"""javascript

// Do This:

async function fetchUserData(userId: string): Promise {

try {

const { data, error } = await supabase

.from('users')

.select('*')

.eq('id', userId)

.single();

if (error) {

console.error('Error fetching user data:', error);

return null;

}

return data;

} catch (error) {

console.error('Unexpected error:', error);

return null;

}

// Don't Do This:

async function fetchUserData(userId){try{const{data,error}=await supabase.from("users").select("*").eq("id",userId).single();if(error){console.error("Error:",error);return null;}return data;}catch(error){console.error("Unexpected error:",error);return null;}} // Hard to read

"""

#### 3.2.2. Naming Conventions

* Variables: camelCase (e.g., "userName", "orderTotal").

* Constants: UPPER_SNAKE_CASE (e.g., "API_URL", "MAX_RETRIES").

* Functions: camelCase (e.g., "getUserData", "calculateTotal").

* Classes: PascalCase (e.g., "UserProfile", "OrderService").

* Interfaces/Types: PascalCase (e.g., "User", "Product").

* Boolean variables and functions should start with "is", "has", "should" or "can" to indicate their boolean nature (e.g., "isActive", "hasPermission", "shouldUpdate").

#### 3.2.3. Error Handling

* Use "try...catch" blocks for handling potential errors.

* Log errors using a consistent logging mechanism (e.g., "console.error", a dedicated logging library).

* Provide informative error messages that include context.

* Implement retry logic for transient errors.

* Use appropriate HTTP status codes in Edge Functions to signal errors to the client.

"""typescript

async function createOrder(orderData: Order): Promise {

try {

const { data, error } = await supabase

.from('orders')

.insert([orderData])

.select('*')

.single();

if (error) {

console.error('Error creating order:', error);

//Re-throw error

throw new Error("Failed to create order")

}

return data;

} catch (error : any) {

console.error('Unexpected error:', error);

return null;

}

"""

#### 3.2.4. Asynchronous Programming

* Use "async/await" syntax for asynchronous operations.

* Handle promises correctly using ".then()" and ".catch()" blocks or "try...catch" with "await".

* Avoid unnecessary nesting of asynchronous operations.

* Use "Promise.all()" to perform multiple asynchronous operations in parallel when possible.

* Use "AbortController" to cancel ongoing requests when necessary.

"""typescript

async function processOrders(orderIds: string[]): Promise {

try {

const results = await Promise.all(orderIds.map(async (orderId) => {

return await updateOrderStatus(orderId, 'processing');

}));

console.log('All orders processed successfully.');

} catch (error) {

console.error('Error processing orders:', error);

}

"""

#### 3.2.5. Edge Functions Best Practices

* Keep Edge Functions small and focused.

* Avoid long-running operations in Edge Functions. Use background workers or queues for computationally intensive tasks.

* Use environment variables for configuration options.

* Validate input data to prevent security vulnerabilities.

* Use the Supabase client library for interacting with the database.

* Cache frequently accessed data.

* Consider using Deno KV if appropriate for the data volume.

* Test your Edge Functions thoroughly using unit tests and integration tests.

"""typescript

// Example Edge Function

import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';

import { createClient } from '@supabase/supabase-js';

serve(async (req) => {

const { name } = await req.json();

const supabaseClient = createClient(

Deno.env.get('SUPABASE_URL') ?? '',

Deno.env.get('SUPABASE_ANON_KEY') ?? '',

{ global: { headers: { Authorization: req.headers.get('Authorization')! } } }

);

const { data, error } = await supabaseClient

.from('greetings')

.insert([{ message: "Hello ${name}!" }])

.select();

if (error) {

return new Response(JSON.stringify({ error }), {

status: 500,

headers: { 'Content-Type': 'application/json' },

});

}

return new Response(JSON.stringify({ data }), {

status: 200,

headers: { 'Content-Type': 'application/json' },

});

"""

#### 3.2.6 Component Best Practices

* Follow UI framework standards such as React's guidelines on Controlled and Uncontrolled components.

* Make use of Supabase's built-in auth helpers for user management operations.

* Implement a way to handle loading/error states to provide a good user experience during Supabase calls.

* Split large components into smaller, re-usable components for maintainability.

* Use TypeScript to type props for components

* Secure components where necessary with Supabase auth.

"""tsx

// Example user profile component.

import { useState, useEffect } from 'react';

import { useSupabaseClient, useSession } from '@supabase/auth-helpers-react'

interface UserProfileProps {

userId: string; //Example of typed props for the component

}

const UserProfile : React.FC = ({userId}) => {

const [profile, setProfile] = useState(null);

const [loading, setLoading] = useState(true);

const [error, setError] = useState(null);

const supabase = useSupabaseClient();

const session = useSession()

useEffect(() => {

const fetchProfile = async () => {

setLoading(true);

setError(null)

try {

if (!session) {

throw new Error("Not authenticated")

}

const { data, error } = await supabase

.from('profiles')

.select('*')

.eq('id', userId)

.single();

if (error) {

setError(error);

} else {

setProfile(data);

}

} catch (error : any) {

setError(new Error("Failed to fetch profile")) //Explicitly handle errors

} finally {

setLoading(false);

}

};

fetchProfile();

}, [userId, supabase, session]);

if (!session) {

return Not Authenticated //Secured Component

}

if (loading) {

return Loading profile...; //Loading State

}

if (error) {

return Error: {error.message}; //Error State

}

return (

User Profile

<p>Name: {profile?.name}</p>

<p>Email: {profile?.email}</p>

{/* Display other profile information */}

);

};

export default UserProfile;

"""

#### 3.2.7. Common Anti-Patterns and Mistakes

* **Global Variables**: Avoid using global variables. Use dependency injection or module imports instead.

* **Magic Numbers**: Avoid using magic numbers in your code. Define constants with meaningful names instead.

* **Ignoring Errors**: Always handle errors appropriately. Don't ignore errors or swallow exceptions.

* **Over-Complicating Code**: Keep your code simple and easy to understand. Avoid unnecessary complexity.

* **Leaking Secrets**: Never commit secrets (e.g., API keys, passwords) to your code repository. Use environment variables instead.

* **Not Validating Input**: Always validate input data to prevent security vulnerabilities. Use a validation library (e.g., Joi, Yup).

* **Not Using Types**: Avoid using Javascript when possible or use JSDoc. Instead utilize Typescript for type checking.

## 4. Security Considerations

* **Principle of Least Privilege**: Grant users only the minimum necessary permissions.

* **Input Validation**: Validate all user input to prevent injection attacks.

* **Output Encoding**: Encode all output data to prevent cross-site scripting (XSS) vulnerabilities.

* **Authentication and Authorization**: Use strong authentication and authorization mechanisms to protect sensitive data. Supabase Auth makes this easier.

* **Regular Security Audits**: Conduct regular security audits to identify and address potential vulnerabilities.

## 5. Documentation

* Write clear and concise documentation for all code.

* Use JSDoc or similar tools for documenting JavaScript/TypeScript code.

* Document the purpose, inputs, and outputs of each function.

* Document any assumptions or limitations of the code.

* Keep documentation up-to-date as the code evolves.

* Use comments to explain complex logic or non-obvious code.

## 6. Testing

* Write unit tests for individual functions/components.

* Write integration tests to test interactions between different parts of the system.

* Write end-to-end tests to test the entire application flow.

* Use a testing framework for your codebase (Jest, Mocha, Cypress, etc.).

* Automate your tests using a CI/CD pipeline.

* Test your RLS policies to ensure they behave as expected.

* Write comprehensive test cases, including positive and negative scenarios.

## 7. Code Review

* Conduct code reviews for all code changes.

* Use a code review tool (e.g., GitHub pull requests, GitLab merge requests).

* Focus on code quality, security, and performance during code reviews.

* Look for areas of improvement and potential security risks.

* Ensure that the documentation is kept updated.

* Encourage constructive feedback and collaboration.

## 8. Version Control

* Use Git for version control.

* Follow a branching strategy (e.g., Gitflow, GitHub flow).

* Write clear and concise commit messages.

* Use pull requests for code review and merging.

* Ensure compliance with conventional commits.

By adhering to these coding standards and conventions, Supabase developers can create high-quality, maintainable, and secure applications. These guidelines are essential for ensuring code consistency and promoting collaboration within the development team. This document should also act as a reference point for AI coding assistants, enabling them to generate code that aligns with these established best practices within the Supabase ecosystem.

Cline

This guide explains how to effectively use .clinerules with Cline, the AI-powered coding assistant.

Overview

The .clinerules file is a powerful configuration file that helps Cline understand your project's requirements, coding standards, and constraints. When placed in your project's root directory, it automatically guides Cline's behavior and ensures consistency across your codebase.

Key Concepts

Purpose of .clinerules

Defines project-specific guidelines and requirements
Enforces consistent coding standards
Establishes documentation practices
Sets testing and quality requirements
Configures error handling preferences

File Location

Place the .clinerules file in your project's root directory. Cline automatically detects and follows these rules for all files within the project.

Rule Structure

1. Project Overview

# Project Overview
project:
  name: 'Your Project Name'
  description: 'Brief project description'
  stack:
    - technology: 'Framework/Language'
      version: 'X.Y.Z'
    - technology: 'Database'
      version: 'X.Y.Z'

2. Code Standards

# Code Standards
standards:
  style:
    - 'Use consistent indentation (2 spaces)'
    - 'Follow language-specific naming conventions'
  documentation:
    - 'Include JSDoc comments for all functions'
    - 'Maintain up-to-date README files'
  testing:
    - 'Write unit tests for all new features'
    - 'Maintain minimum 80% code coverage'

3. Security Rules

# Security Guidelines
security:
  authentication:
    - 'Implement proper token validation'
    - 'Use environment variables for secrets'
  dataProtection:
    - 'Sanitize all user inputs'
    - 'Implement proper error handling'

Best Practices

Writing Effective Rules

Be Specific
- Use clear, actionable language
- Provide examples where helpful
- Define measurable criteria
Maintain Organization
- Group related rules together
- Use consistent formatting
- Keep critical rules at the top
Regular Updates
- Review rules periodically
- Update based on team feedback
- Document changes in version control

Common Patterns

# Common Patterns Example
patterns:
  components:
    - pattern: 'Use functional components by default'
    - pattern: 'Implement error boundaries for component trees'
  stateManagement:
    - pattern: 'Use React Query for server state'
    - pattern: 'Implement proper loading states'

Integration with Development Workflow

Using with Version Control

Commit the Rules
- Include .clinerules in version control
- Document rule changes in commit messages
- Review rule changes as part of PR process
Team Collaboration
- Discuss rule changes with team
- Maintain changelog for rule updates
- Ensure all team members understand rules

Troubleshooting

Common Issues

Rules Not Being Applied
- Verify file location (must be in root directory)
- Check file formatting
- Ensure Cline has access to the file
Conflicting Rules
- Review rule hierarchy
- Resolve conflicts explicitly
- Document rule precedence
Performance Considerations
- Keep rules concise and focused
- Avoid overly complex rule structures
- Regular cleanup of obsolete rules

Examples

Basic Project Setup

# Basic .clinerules Example
project:
  name: 'Web Application'
  type: 'Next.js Frontend'
  standards:
    - 'Use TypeScript for all new code'
    - 'Follow React best practices'
    - 'Implement proper error handling'

testing:
  unit:
    - 'Jest for unit tests'
    - 'React Testing Library for components'
  e2e:
    - 'Cypress for end-to-end testing'

documentation:
  required:
    - 'README.md in each major directory'
    - 'JSDoc comments for public APIs'
    - 'Changelog updates for all changes'

Advanced Configuration

# Advanced .clinerules Example
project:
  name: 'Enterprise Application'
  compliance:
    - 'GDPR requirements'
    - 'WCAG 2.1 AA accessibility'

architecture:
  patterns:
    - 'Clean Architecture principles'
    - 'Domain-Driven Design concepts'

security:
  requirements:
    - 'OAuth 2.0 authentication'
    - 'Rate limiting on all APIs'
    - 'Input validation with Zod'

Code Style and Conventions Standards for Supabase

Cline

Overview

Key Concepts

Purpose of .clinerules

File Location

Rule Structure

1. Project Overview

2. Code Standards

3. Security Rules

Best Practices

Writing Effective Rules

Common Patterns

Integration with Development Workflow

Using with Version Control

Troubleshooting

Common Issues

Examples

Basic Project Setup

Advanced Configuration

Related Rules

Guidelines for writing Supabase database functions

Guidelines for writing Postgres Row Level Security policies

Guidelines for writing Postgres migrations

Guidelines for writing Postgres SQL

Coding rules for Supabase Edge Functions