@@ -15,10 +15,10 @@ RLS policies filter database rows based on JWT claims passed via PostgREST, ensu
1515
1616### Policy Patterns
1717
18- ** Direct Policies** : Tables with direct RLS use the ` match_scope() ` function to evaluate JWT claims against row attributes (tags, agents, names, id) .
18+ ** Direct Policies** : Tables with direct RLS use the ` __scope ` array column and compare it against JWT claims .
1919
20- - Examples: ` config_items ` , ` canaries ` , ` components ` , ` playbooks `
21- - Policy checks row attributes directly using ` match_scope(jwt_claims, row.tags, row.agent_id, row.name, row.id) `
20+ - Examples: ` config_items ` , ` canaries ` , ` components ` , ` playbooks ` , ` views `
21+ - Policy checks scope overlap using ` COALESCE(__scope, '{}'::uuid[]) && rls_scope_access() ` and wildcard via ` rls_has_wildcard('<type>') ` .
2222
2323** Inherited Policies** : Child tables inherit access control from their parent using ` EXISTS ` clauses.
2424
@@ -29,7 +29,7 @@ RLS policies filter database rows based on JWT claims passed via PostgREST, ensu
2929
30301 . Add RLS enable logic to ` @views/9998_rls_enable.sql `
3131 - Enable RLS on the table
32- - Create the policy (either direct with ` match_scope() ` or inherited with ` EXISTS ` )
32+ - Create the policy (either direct with ` __scope ` overlap or inherited with ` EXISTS ` )
33332 . Add counterpart disable logic to ` @views/9999_rls_disable.sql `
3434 - Disable RLS on the table
3535 - Drop the policy
@@ -42,7 +42,7 @@ RLS policies filter database rows based on JWT claims passed via PostgREST, ensu
4242
4343The RLS policies work by injecting JWT claims into PostgreSQL session variables via ` request.jwt.claims ` . The flow is:
4444
45- - Go code builds an RLS Payload (scopes for config, component, playbook, canary, view ) in ` @rls/payload.go `
45+ - Go code builds an RLS Payload (scope UUIDs + wildcard scopes ) in ` @rls/payload.go `
4646- ` SetPostgresSessionRLS() ` serializes the Payload to JSON and executes: ` SET request.jwt.claims TO <json> `
4747- PostgreSQL RLS policies read ` (current_setting('request.jwt.claims')::jsonb) ` to enforce access control
4848
0 commit comments