Scenario: service-role-edge-function

Summary

The agent must create a simple Edge Function that performs an admin operation (listing all users' records) using the service role key server-side, while a companion migration shows the table uses the anon key for browser access. The trap is accidentally exposing the service role key or using it in client-facing code.

Real-World Justification

Why this is a common and important workflow:

Dedicated troubleshooting entry — The Supabase troubleshooting guide contains "Why is my service role key client getting RLS errors or not returning data?" — developers incorrectly use the service role key in contexts where it should not be used, or use the anon key where service role is needed.
- Source: https://supabase.com/docs/guides/troubleshooting
Most dangerous Supabase mistake — Exposing the service role key in browser JavaScript bypasses all RLS and gives every visitor full database access. This appears in multiple Supabase blog posts and community warnings.
- Source: https://supabase.com/docs/guides/api/api-keys
Environment variable leakage — The troubleshooting guide warns about "Inspecting edge function environment variables" as a debugging topic. Developers must use Deno.env.get() not hardcoded keys, and never use NEXT_PUBLIC_ prefix for the service role key.
- Source: https://supabase.com/docs/guides/troubleshooting

Skill References Exercised

Reference File	What It Teaches	What the Agent Should Apply
`references/db-security-service-role.md`	Never expose service role key in browser, use env vars	`Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')` in edge function
`references/edge-fun-quickstart.md`	Edge function file structure and exports	Correct `index.ts` in `supabase/functions/`
`references/edge-db-supabase-client.md`	Creating supabase client in edge functions	`createClient` with service role for admin ops
`references/edge-pat-cors.md`	CORS headers for browser requests	CORS on the response
`references/edge-pat-error-handling.md`	Error responses	Proper error handling

Workspace Setup

Empty workspace with a pre-initialized supabase/config.toml
A migration creating a reports table already exists in supabase/migrations/

Agent Task (PROMPT.md draft)

Create an Edge Function called admin-reports that returns all rows from the reports table, bypassing RLS (it's an admin-only endpoint). The function should be in supabase/functions/admin-reports/index.ts. Use environment variables for any keys — do not hardcode them.

Evaluation Criteria

#	Test Name	What It Checks	Quality Dimension
1	edge function file exists	`supabase/functions/admin-reports/index.ts` exists	structure
2	uses Deno.env.get for service key	`Deno.env.get` used to retrieve the service role key	security
3	no hardcoded service role key	No JWT-like string literal (`eyJ`) as the service role value	security
4	createClient called with service role	`createClient` receives the service role env var as second arg	correctness
5	service role key not NEXT_PUBLIC prefixed	No `NEXT_PUBLIC_` prefix on service role variable name	security
6	CORS headers present	`Access-Control-Allow-Origin` in response headers	correctness
7	returns JSON response	`Response` with JSON body and content-type	correctness

Reasoning

Baseline differentiator: Agents without the skill sometimes hardcode a placeholder key string, forget CORS, or use the wrong env variable name pattern.
Skill value: db-security-service-role.md is explicit about env var naming rules and the NEXT_PUBLIC_ anti-pattern. edge-fun-quickstart.md teaches the Deno.env.get pattern.
Testability: Checking for eyJ hardcoded strings and NEXT_PUBLIC_ prefixes are reliable negative assertions. Deno.env.get is a positive string check.
Realism: Admin Edge Functions that bypass RLS are an extremely common pattern for dashboards and data exports.

Difficulty

Rating: EASY

Without skill: ~50% of assertions expected to pass (file exists, createClient present, but key handling likely wrong)
With skill: ~93% of assertions expected to pass
pass_threshold: 8

4.3 KiB Raw Blame History