Extensions

Four primitives that aren't in Cinderblock's v1 hot path but are common production needs. Each one is documented as a forkable swap with the trade-off named.

JWT-embedded roles (Auth Hook)

Embed app_metadata.workspaces[].{id, role} in the JWT via a custom-access-token-hook Edge Function. Policies read the claim out of the token (auth.jwt()) instead of doing a per-row membership lookup in the DB.

Trade-off: faster reads, slower role revocation (a removed member keeps their old roles until the next token refresh, up to the access-token lifetime, 60 min by default). Cinderblock picks the DB-lookup default for the "immediate revocation" story; this extension is the swap for read-latency-sensitive workloads.
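The policy side of this swap, as an added example (not Cinderblock's own code): it assumes the auth hook has already written app_metadata.workspaces as [{"id": "<workspace uuid>", "role": "owner" | "admin" | "member"}] with lowercase ids, and a hypothetical projects table with a workspace_id uuid column.

```sql
-- Added example, not Cinderblock's code. Assumes the custom access token hook set
-- app_metadata.workspaces = [{"id": "<workspace uuid>", "role": "owner"|"admin"|"member"}]
-- and a hypothetical table projects(workspace_id uuid, ...).

-- Role the current JWT carries for one workspace, or NULL if it carries none.
-- Reads only auth.jwt(); do not fall back to auth.users.raw_app_meta_data here,
-- that would reintroduce the per-row lookup this extension is removing.
create or replace function jwt_workspace_role(ws uuid)
returns text
language sql
stable
set search_path = ''
as $$
  select elem ->> 'role'
  from jsonb_array_elements(
         coalesce(auth.jwt() -> 'app_metadata' -> 'workspaces', '[]'::jsonb)
       ) as elem
  -- Compare as text: a malformed id in the claim then simply fails to match
  -- instead of raising a cast error inside the policy.
  where lower(elem ->> 'id') = ws::text
  limit 1
$$;

alter table projects enable row level security;

-- Any role listed in the token may read; only owners/admins may write.
create policy "workspace members read projects" on projects
  for select to authenticated
  using (jwt_workspace_role(workspace_id) is not null);

create policy "owners and admins write projects" on projects
  for all to authenticated
  using (jwt_workspace_role(workspace_id) in ('owner', 'admin'))
  with check (jwt_workspace_role(workspace_id) in ('owner', 'admin'));
```

Nothing in these policies touches a membership table, which is the whole point; the cost is that revoking a membership only takes effect when the client next refreshes its token, so the JWT expiry setting in the Supabase dashboard is the upper bound on how long a removed user keeps access.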

Audit via Edge Function

For deployments without a persistent DB connection (e.g. Vercel serverless functions), the direct cb_audit_writer connection isn't practical. The extension routes audit writes through an Edge Function instead.

Trade-off: one HTTP round-trip per server action. For low-frequency mutations the cost is negligible; for high-write APIs the direct connection wins.

Realtime tenant scoping

Supabase Realtime channels need explicit authorization for tenant-scoped subscriptions: Postgres-CDC rows are filtered by the source table's own RLS, while Broadcast and Presence on private channels are gated by policies on realtime.messages. The extension walks the channel topology and shows how to gate both on is_workspace_member().

Storage tenant scoping

Supabase Storage RLS on the storage.objects table, using a path convention of {workspace_id}/... plus a policy that gates on is_workspace_member(uuid_of_path_root). Includes a worked example for tenant-scoped file uploads.
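The Realtime and Storage scoping described in the two sections above share one problem, pulling a tenant uuid out of an untrusted string (a channel topic or an object path) without letting a bad value error out of the policy, so here is one added example covering both (not Cinderblock's own code). It assumes the page's is_workspace_member(uuid) helper, private Realtime channels named workspace:<uuid>, a private Storage bucket called workspace-files whose object names start with <workspace_id>/, and a hypothetical tasks table with a workspace_id uuid column for the Postgres-CDC case.

```sql
-- Added example, not Cinderblock's code. Assumes is_workspace_member(uuid) from the
-- page, private channels named 'workspace:<uuid>', a private bucket 'workspace-files'
-- with object names '<workspace_id>/...', and a hypothetical tasks(workspace_id uuid).

-- Shared parser: the workspace uuid carried in a topic or an object path, or NULL.
-- Anything that is not a well-formed uuid yields NULL, so the policies below fail
-- closed (NULL in USING / WITH CHECK denies) instead of raising a cast error.
create or replace function workspace_uuid_or_null(candidate text)
returns uuid
language sql
immutable
set search_path = ''
as $$
  select case
    when candidate ~* '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
    then candidate::uuid
    else null
  end
$$;

-- Realtime Broadcast/Presence on private channels: RLS on realtime.messages.
-- SELECT = may receive, INSERT = may send. realtime.topic() is the channel name the
-- client subscribed to; 'workspace:' is 10 characters, so the uuid starts at 11.
create policy "members receive workspace messages" on realtime.messages
  for select to authenticated
  using (
    realtime.messages.extension in ('broadcast', 'presence')
    and realtime.topic() like 'workspace:%'
    and is_workspace_member(workspace_uuid_or_null(substr(realtime.topic(), 11)))
  );

create policy "members send workspace messages" on realtime.messages
  for insert to authenticated
  with check (
    realtime.messages.extension in ('broadcast', 'presence')
    and realtime.topic() like 'workspace:%'
    and is_workspace_member(workspace_uuid_or_null(substr(realtime.topic(), 11)))
  );

-- Postgres-CDC is not gated by realtime.messages: each change row is filtered by the
-- source table's own RLS, so the table policy is the tenant boundary there.
alter table tasks enable row level security;
alter publication supabase_realtime add table tasks;

create policy "members see workspace task changes" on tasks
  for select to authenticated
  using (is_workspace_member(workspace_id));

-- Storage: storage.foldername(name) splits the object path into its folders, so
-- element 1 is the tenant root. An object with no folder gives NULL -> denied.
create policy "members read workspace files" on storage.objects
  for select to authenticated
  using (
    bucket_id = 'workspace-files'
    and is_workspace_member(workspace_uuid_or_null((storage.foldername(name))[1]))
  );

create policy "members upload into their workspace" on storage.objects
  for insert to authenticated
  with check (
    bucket_id = 'workspace-files'
    and is_workspace_member(workspace_uuid_or_null((storage.foldername(name))[1]))
  );

create policy "members delete their workspace files" on storage.objects
  for delete to authenticated
  using (
    bucket_id = 'workspace-files'
    and is_workspace_member(workspace_uuid_or_null((storage.foldername(name))[1]))
  );
```

Two things to check when wiring this up: the realtime.messages policies only apply to channels the client opens with private: true (a public channel is never consulted against them), and the upload path is chosen by the client but enforced by the INSERT check, so a client that tries to write under another workspace's prefix is rejected rather than silently accepted. The example assumes is_workspace_member treats a NULL argument as "not a member"; if Cinderblock's helper is not STRICT, verify that before relying on it.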

Full extension pages land as each one is fully tested. The forking instructions in Getting started work as-is for all four.