Current status & focus
Next action
Wire ticket list to Supabase and lock the navigation IA.
Architecture
Next.js App Router + TypeScript + Tailwind. Supabase (Postgres + Auth + RLS) for multi-tenant client data. Vercel hosting. Role-based access (client vs internal).
Design standard
Clean enterprise SaaS. Restrained palette, accessible contrast, dense but readable tables, clear status badges. Consistent with the RobOS design language.
Known issues & blockers
- Auth model for client vs internal users still undecided.
Decisions
RLS-first multi-tenancy for ROM Portal
Use Supabase Row Level Security as the primary isolation mechanism, with the service role key server-side only.
10 Jun 2026
Reusable prompts
ROM Portal — build a feature
Build · best with claude
Security audit (any project)
Security · best with claude
AI handover
ROM Portal is the Primary ICT client platform (Next.js + Supabase, multi-tenant with RLS). Open question: client vs internal auth model. Use env vars for all Supabase keys — never inline the service role key. Work happens under the PrimaryICT work browser profile.
Quick launch
cd "C:\dev\rom-platform"
Account & profile
Environment map
- NEXT_PUBLIC_SUPABASE_URL: used by app runtime + Vercel · value in Vercel project env · public
- NEXT_PUBLIC_SUPABASE_ANON_KEY: used by app runtime + Vercel · value in Vercel project env · public anon key
- SUPABASE_SERVICE_ROLE_KEY: used by server actions + Vercel · value in Vercel project env (server only) · NEVER expose to client or AI
Credentials map
GitHub login
GitHub · Login
- Account: rob@rob-os.com
- Secret location: Password manager › RobOS vault › GitHub
- MFA: Enabled
- Recovery: Password manager › RobOS vault › GitHub › recovery
- Last reviewed: 2026-06-13
Shared in a chat transcript on 2026-06-13 — ROTATE soon and enable a passkey. Vercel & Supabase log in via this GitHub account.
AI-safe handover: GitHub is the identity hub — Vercel and Supabase authenticate via 'Continue with GitHub'. Never request or print the GitHub password. Use a fine-grained Personal Access Token in CI via the GITHUB_TOKEN env var instead.
Vercel (via GitHub SSO)
Vercel · Oauth App
- Account: rob@rob-os.com (GitHub SSO)
- Secret location: No separate password — logs in via GitHub
- MFA: Enabled
- Last reviewed: 2026-06-13
No standalone secret; secured by the GitHub account. Use VERCEL_TOKEN for API automation later.
AI-safe handover: Vercel logs in with GitHub SSO — there is no separate Vercel password. For future API automation use a VERCEL_TOKEN env var; do not request it inline.
Supabase database password
Supabase · Login
- Account: postgres (per project)
- Secret location: Password manager › RobOS vault › Supabase DB; also in Supabase project settings
- MFA: Off
- Last reviewed: 2026-06-13
Shared in a chat transcript on 2026-06-13 — ROTATE in Supabase project settings. Dashboard login itself is via GitHub SSO.
AI-safe handover: The Supabase Postgres password is a secret. Never request, print or hardcode it. Connect using the pooled connection string from process.env (e.g. DATABASE_URL / SUPABASE_DB_URL), which I configure manually.
Supabase service role key
Supabase · Env Var
- Secret location: Supabase project › Settings › API; injected via Vercel env (server only)
- Env var: SUPABASE_SERVICE_ROLE_KEY
- MFA: Off
- Last reviewed: 2026-06-13
Rotate from Supabase API settings if leaked. Server-side only — never in client bundles.
AI-safe handover: Use process.env.SUPABASE_SERVICE_ROLE_KEY on the server only. Do not hardcode, print, expose to the client, or request the value. Assume I configure it manually in Vercel.
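The environment map and the service role key handover note both rest on one rule: the service role key is read server-side only and never sits under a NEXT_PUBLIC_ name, because Next.js inlines those into the browser bundle. An added example, not code from the ROM Portal repo, that makes the rule checkable at boot: it reads the role claim that Supabase API keys carry as JWTs, flags a service_role key placed in a public variable, and refuses to hand the key to browser code. The sample keys, the project URL and the function names are constructed for the example.

```typescript
// Added example, not ROM Portal code: validates the Supabase env wiring from the environment map.
// Next.js inlines NEXT_PUBLIC_* into the browser bundle, and Supabase API keys are JWTs carrying a
// `role` claim, so a service_role key sitting under a NEXT_PUBLIC_ name can be caught before boot.
type Env = Record<string, string | undefined>;
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Minimal base64url decoder for ASCII payloads; avoids Node/DOM globals (Buffer, atob).
function base64UrlDecode(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (const ch of s.replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "")) {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url");
    acc = (acc << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  return out;
}
// Unverified `role` claim of a Supabase API key, or undefined if the value is not a JWT.
export function keyRole(key: string): string | undefined {
  const parts = key.split(".");
  try { const r = parts.length === 3 ? JSON.parse(base64UrlDecode(parts[1])).role : undefined; return typeof r === "string" ? r : undefined; }
  catch { return undefined; }
}
const EXPECTED_ROLE: Record<string, string> = { NEXT_PUBLIC_SUPABASE_ANON_KEY: "anon", SUPABASE_SERVICE_ROLE_KEY: "service_role" };
// Returns the misconfigurations found; an empty list means the env is safe to boot with.
export function auditSupabaseEnv(env: Env): string[] {
  const problems: string[] = [];
  for (const name of ["NEXT_PUBLIC_SUPABASE_URL", ...Object.keys(EXPECTED_ROLE)]) if (!env[name]) problems.push(`${name}: missing`);
  for (const [name, value] of Object.entries(env)) {
    if (!value) continue;
    const role = keyRole(value), want = EXPECTED_ROLE[name];
    if (want && role !== want) problems.push(`${name}: expected role ${want}, got ${role ?? "non-JWT"}`);
    if (name.startsWith("NEXT_PUBLIC_") && role === "service_role") problems.push(`${name}: service_role key would ship in the client bundle`);
  }
  return problems;
}
// Server-only accessor; in the app call serviceRoleKey(process.env, typeof window !== "undefined").
export function serviceRoleKey(env: Env, inBrowser: boolean): string {
  if (inBrowser) throw new Error("SUPABASE_SERVICE_ROLE_KEY must never be read in client code");
  const key = env.SUPABASE_SERVICE_ROLE_KEY;
  if (!key || keyRole(key) !== "service_role") throw new Error("SUPABASE_SERVICE_ROLE_KEY missing or not a service_role key");
  return key;
}
// Constructed sample keys (standard JWT header, role-only payload, dummy signature); not real credentials.
const HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
export const SAMPLE_ANON_KEY = `${HEADER}.eyJyb2xlIjoiYW5vbiJ9.sig`;
export const SAMPLE_SERVICE_KEY = `${HEADER}.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.sig`;
export const SAMPLE_ENV: Env = { NEXT_PUBLIC_SUPABASE_URL: "https://project-ref.supabase.co",
  NEXT_PUBLIC_SUPABASE_ANON_KEY: SAMPLE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY: SAMPLE_SERVICE_KEY };
```

Run auditSupabaseEnv once at server start and fail the boot on any problem; the JWT check reads the claim without verifying the signature, which is enough to catch a pasted-into-the-wrong-slot key but is not an authentication step.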