Builder Showcase Security and RLS Boundary Diagram
Diagram type: draw.io-friendly security boundary sketch
Project: DataInsideData™ Builder Showcase
Phase: Current platform before AI layer
Purpose
This diagram shows the security boundaries between the public browser, Supabase Edge Function, database tables, admin scripts, reporting tools, and public site output.
Recommended Draw.io Layout
Use separated trust zones with red dashed boundary lines around areas that use secrets or privileged access.
[Public Browser Zone] → [Edge Function Trust Boundary] → [Supabase Database Boundary] → [Admin Local Boundary] → [Reporting / Publishing Boundary]
Zone 1 — Public Browser Zone
Suggested container label:
Public Browser / Untrusted User Boundary
Shapes inside:
Builder / Student / Contributor
Submit Builder Project Page
Frontend Validation
Preview Submission
Confirm & Submit
Honeypot Field
Security notes:
No database credentials exposed
No direct browser-to-table writes
Public form key is not a secret (it is visible in the browser and must not be treated as an authentication control)
User input is treated as untrusted
Allowed action:
Browser sends POST request to Edge Function
Not allowed:
Browser inserts directly into builder_project_submissions
Browser reads internal event logs
Browser writes to builder_projects
Browser writes to builder_submission_events
Zone 2 — Edge Function Trust Boundary
Suggested container label:
Supabase Edge Function / Controlled Intake Boundary
Shapes inside:
submit-builder-project
CORS Handling
POST Method Enforcement
Public Form Key Check
JSON Payload Validation
Honeypot Check
Duplicate Submission Check
Client IP Hashing
Controlled Submission Insert
Controlled Event Insert
Security notes:
Uses server-side environment secrets
Uses DID_SUPABASE_WRITE_KEY
Uses DID_IP_HASH_SALT
Stores salted client IP hash only
Rejects invalid JSON
Rejects invalid payloads
Rejects duplicate submissions
Logs submission_created event
Important connector:
Edge Function → builder_project_submissions
Edge Function → builder_submission_events
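The Zone 2 check order as a pure decision function, written here as an added illustration and not the project's submit-builder-project function. The header name x-form-key, the payload fields title, repo_url and website (the honeypot), the response codes and the in-memory duplicate set are assumptions; the real function reads DID_SUPABASE_WRITE_KEY and DID_IP_HASH_SALT from its environment and queries the tables instead.

```typescript
import { createHash } from "node:crypto";

// Constructed stand-ins for values the real function reads from its environment.
const DID_PUBLIC_FORM_KEY = "pk_showcase_demo";        // public: visible in the browser
const DID_IP_HASH_SALT = "constructed-server-side-salt"; // secret: never leaves the function

interface IntakeRequest {
  method: string;
  headers: Record<string, string>;
  body: string;      // raw request body, treated as untrusted
  clientIp: string;  // as seen by the function; only its salted hash is stored
}

type IntakeResult =
  | { status: 405 | 401 | 400 | 409; reason: string }
  | { status: 201; record: { title: string; repo_url: string; ip_hash: string } };

// In-memory stand-in for the duplicate lookup the real function does against
// builder_project_submissions (assumed key: normalised title + repo URL).
const seenSubmissions = new Set<string>();

function hashClientIp(ip: string): string {
  // Salted SHA-256; without the server-side salt the hash cannot simply be
  // brute-forced back to an address over the small IPv4 space.
  return createHash("sha256").update(`${DID_IP_HASH_SALT}:${ip}`).digest("hex");
}

function isHttpsUrl(v: unknown): v is string {
  try { return typeof v === "string" && new URL(v).protocol === "https:"; } catch { return false; }
}

// Mirrors the Zone 2 check order; CORS headers are added to the response in
// the real function and are out of scope for this pure decision logic.
function handleIntake(req: IntakeRequest): IntakeResult {
  if (req.method !== "POST") return { status: 405, reason: "POST only" };
  if (req.headers["x-form-key"] !== DID_PUBLIC_FORM_KEY) return { status: 401, reason: "unknown form key" };
  let payload: unknown;
  try { payload = JSON.parse(req.body); } catch { return { status: 400, reason: "invalid JSON" }; }
  if (typeof payload !== "object" || payload === null) return { status: 400, reason: "invalid payload" };
  const { title, repo_url, website } = payload as Record<string, unknown>;
  // Honeypot: the hidden "website" field is empty for humans, filled by naive bots.
  if (typeof website === "string" && website !== "") return { status: 400, reason: "honeypot triggered" };
  if (typeof title !== "string" || title.trim() === "" || title.length > 120 || !isHttpsUrl(repo_url))
    return { status: 400, reason: "invalid payload" };
  const dupKey = `${title.trim().toLowerCase()}|${repo_url.toLowerCase()}`;
  if (seenSubmissions.has(dupKey)) return { status: 409, reason: "duplicate submission" };
  seenSubmissions.add(dupKey);
  return { status: 201, record: { title: title.trim(), repo_url, ip_hash: hashClientIp(req.clientIp) } };
}
```

The record returned on 201 is what the controlled submission insert would write; the raw client address never appears in it.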
Zone 3 — Supabase Database Boundary
Suggested container label:
Supabase / Postgres Security Boundary
Tables:
builder_project_submissions
builder_submission_events
builder_projects
Security notes:
RLS enabled on workflow tables
Public roles (anon, authenticated) should not directly read/write workflow tables
service_role has intentional backend privileges
postgres/admin role retains owner/admin privileges
Recommended annotation:
RLS + Grants reviewed:
- anon/authenticated direct access removed or restricted
- service_role granted intentional select/insert/update rights
- event insert permission added for service_role
Table relationship notes:
builder_project_submissions.id → builder_submission_events.submission_id
builder_project_submissions.id → builder_projects.submission_id
builder_projects.id → builder_submission_events.builder_project_id
Zone 4 — Admin Local Workflow Boundary
Suggested container label:
Local Admin / Trusted Operations Boundary
Shapes inside:
.env / Local Secrets
check_submission_readme.py
update_submission_status.py
promote_builder_projects.py
export_builder_project.py
view_submission_events.py
view_builder_ops_summary.py
Security notes:
Runs from trusted local environment
Uses privileged database connection
Logs admin activity as local_admin
Does not expose admin credentials publicly
Handles review/promotion/export actions
Admin actions:
README check
Status update
Promotion
YAML export
Page generation
Event review
Ops summary reporting
Zone 5 — Reporting / Dashboard Boundary
Suggested container label:
Internal Reporting + Dashboard Boundary
Shapes inside:
reports.py
pgAdmin Business Queries
Streamlit Builder Ops Dashboard
CSV / Operational Reports
Security notes:
Internal use only in current phase
Reads operational database state
Shows status counts, README health, events, activity, and project drill-down
Should not be public without authentication
Potential future requirements:
Add authentication before remote/dashboard deployment
Add role-based admin permissions before multi-user use
Zone 6 — Public Static Site Boundary
Suggested container label:
Public Static Site Boundary
Shapes inside:
Jekyll / Minimal Mistakes
_data/builder_projects.yml
Generated Project Detail Pages
Public Builder Showcase
Security notes:
Only reviewed/published project metadata should appear here
Internal submission data should not be exposed
Submitter email should not be published
Event logs should remain internal
README content should be sanitized before rendering
Unsafe embedded content should be removed or ignored
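An added example (not the project's check_submission_readme.py) of the README unsafe-marker scan that gates what reaches the Zone 6 static site, written in TypeScript to match the Edge Function runtime; the marker list, the sample README and the publish rule are assumptions.

```typescript
interface ReadmeFinding { line: number; marker: string; excerpt: string }

// Markers that make a README unsafe to publish as-is on the static site.
// This is a triage gate for admin review, not a sanitizer: rendering still
// has to go through an allowlist-based sanitizer before publishing.
const UNSAFE_MARKERS: Array<[string, RegExp]> = [
  ["script tag", /<\s*script\b/i],
  ["iframe/object/embed", /<\s*(iframe|object|embed)\b/i],
  ["javascript: URL", /javascript\s*:/i],
  ["inline event handler", /\son[a-z]+\s*=/i],
  ["data: URL", /\bdata\s*:\s*text\/html/i],
  // Jekyll runs Liquid on generated pages, so template syntax in untrusted
  // text would be executed by the site build rather than shown literally.
  ["Liquid template tag", /\{[{%]/],
];

// Returns every line that trips a marker; false positives are acceptable
// because a finding only routes the submission to review, not to rejection.
function scanReadme(markdown: string): ReadmeFinding[] {
  const findings: ReadmeFinding[] = [];
  markdown.split(/\r?\n/).forEach((text, i) => {
    for (const [marker, re] of UNSAFE_MARKERS) {
      if (re.test(text)) findings.push({ line: i + 1, marker, excerpt: text.trim().slice(0, 80) });
    }
  });
  return findings;
}

// Publish decision: anything flagged stays internal until an admin reviews it.
function isPublishable(markdown: string): boolean {
  return scanReadme(markdown).length === 0;
}

// Constructed sample README with two unsafe lines among ordinary markdown.
const SAMPLE_README = [
  "# Ledger Lens",
  "A small tool for reconciling CSV exports.",
  "<img src=x onerror=alert(1)>",
  "See {{ site.data.builder_projects }} for the listing.",
  "[Docs](https://example.com/docs)",
].join("\n");
```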
Trust Boundaries
Use red dashed lines and labels for these:
Boundary 1: Public Browser → Edge Function
Boundary 2: Edge Function → Supabase Tables
Boundary 3: Local Admin Scripts → Supabase Tables
Boundary 4: Supabase Internal Data → Public Static Site
Boundary 5: Internal Dashboard → Operational Database
Security Controls Callout
CORS handling
POST-only enforcement
Public form key
Payload validation
Honeypot field
Duplicate check
Salted IP hash
README unsafe marker scan
Sanitized README rendering
RLS enabled
Intentional service_role grants
Event audit trail
Private/internal dashboard
Risk Areas / Future Hardening Callout
Dashboard authentication
Admin roles and permissions
Rate limiting
Email verification
Submission moderation queue
AI suggestion review approval
Staging/private preview access control
Audit export
Production monitoring
Error alerting
Multi-tenant separation
Suggested Color Legend
Gray: Public/untrusted area
Purple: Edge Function/API boundary
Green: Database tables
Orange: Local admin scripts
Blue: Internal dashboard/reporting
Cyan: Public static site output
Red dashed line: Trust/security boundary
Diagram Caption
The Builder Showcase security model separates public intake from privileged database operations by routing submissions through a controlled Edge Function, enforcing backend validation, using RLS/grants, and keeping admin workflows and dashboards internal.