The multi-tenant Supabase starter whose Row-Level-Security suite survives hostile fixtures.

Most Supabase multi-tenant deliveries trust the client to send the right tenant ID, use the service-role key to bypass RLS "for performance," or write policies that pass against the owner's own data and silently leak under joins. Cinderblock doesn't.

Try the demo Use this template

What's in the box

Workspace + member + role data model
~45 pgtap policy tests against a 5×8 hostile fixture
Magic-link auth + TOTP MFA for owners
Admin impersonation with 60-min server-minted JWT
Append-only audit log via a single-purpose Postgres role
Insert-first Stripe webhook idempotency