2 days ago
Defense-in-Depth in a Tiny Supabase App: 5 Patterns I Baked Into Altair Before Open-Sourcing It
I open-sourced a Supabase PSA tool last week. To trust the click, I layered five auth patterns — middleware JWT check, withAuth wrappers, role-scoped column whitelists, CI-enforced architecture, and RLS — so any single layer failing wouldn't matter. Plus the one mistake I almost shipped: a service-role key in client code.
Source: HackerNoon