Public documentation for governed AI labor
SDKs/Governance/Connectors
Arx / Docs / Supabase Deployment Guide

Documentation

Supabase Deployment Guide

Project-Agent / SUPABASE_DEPLOYMENT_GUIDE.md

Project-Agent repo-root SUPABASE_DEPLOYMENT_GUIDE.md

Prerequisites

  • Supabase CLI installed: npm install -g @supabase/cli
  • OR access to Supabase Dashboard
  • Project linked: supabase link --project-ref <project-ref>

Step 1: Deploy Migrations

All SQL migrations in arxsec-api/migrations/ must be applied to your Supabase instance.

Option A: Using Supabase Dashboard

  1. Go to https://app.supabase.com
  2. Select your project
  3. Navigate to SQL Editor
  4. For each migration file (in order):
  • Click "New Query"
  • Copy entire contents of migration file
  • Click "Run"

Option B: Using Supabase CLI

``bash cd arxsec-api supabase db push --linked ``

Migration Order (IMPORTANT):

  1. 001_initial_schema.sql
  2. 002_connector_credentials.sql
  3. 002_sso_providers.sql
  4. 003_enterprise_features.sql
  5. 003_scim.sql
  6. 004_ip_allowlist_rate_limits.sql
  7. 004_slack_approval_fields.sql
  8. 005_framework_mappings.sql
  9. 005_mcp_tokens.sql
  10. 005_siem_integrations.sql
  11. 006_cmek_notifications.sql
  12. 007_connector_discoveries.sql
  13. 008_onboarding.sql
  14. 009_geordie_integration.sql
  15. 010_agents_geordie_columns.sql
  16. 011_llm_provider_ha.sql
  17. 012_enforcement_audit.sql
  18. 013_approval_escalation_chain.sql
  19. approval_mitl_schema.sql
  20. inventory_schema.sql

Step 2: Deploy Edge Functions

Option A: Using Supabase Dashboard

  1. Go to https://app.supabase.com
  2. Select your project
  3. Navigate to Edge Functions
  4. For each function:
  • Click "Create new function"
  • Copy contents of index.ts
  • Deploy

Option B: Using Supabase CLI

``bash cd arxsec-api/supabase supabase functions deploy drift-check --linked supabase functions deploy approval-notify --linked supabase functions deploy on-signup --linked ``

Option C: Contracted deploy helper

``bash SUPABASE_PROJECT_REF=<project-ref> \ SUPABASE_URL=https://<project>.supabase.co \ SUPABASE_SERVICE_ROLE_KEY=<service-role-key> \ ARX_EDGE_FUNCTION_SECRET=<shared-secret> \ bash arxsec-api/scripts/deploy_edge_functions.sh ``

Step 3: Configure Webhooks & Triggers

For approval-notify function:

  1. Go to Database → Webhooks
  2. Create webhook:
  • Table: approval_requests
  • Events: INSERT
  • URL: https://<project>.supabase.co/functions/v1/approval-notify
  • Headers: Authorization: Bearer <anon-key>

For on-signup function:

  1. Go to Auth → Webhooks
  2. Create webhook:
  • Event: User signed up
  • URL: https://<project>.supabase.co/functions/v1/on-signup

For drift-check function (Scheduled):

Option A: Using Supabase Enterprise Scheduled Functions

  1. Go to Edge Functions → drift-check
  2. Enable scheduled function
  3. Set schedule: 0 * * * * (hourly)

Option B: Using External Cron Service ```bash

Call every hour

curl -X POST https://<project>.supabase.co/functions/v1/drift-check \ -H "Authorization: Bearer <anon-key>" \ -H "Content-Type: application/json" ```

Step 4: Set Environment Variables

In Supabase Dashboard → Project Settings → Environment Variables:

`` SUPABASE_URL=https://<project>.supabase.co SUPABASE_SERVICE_ROLE_KEY=<service-role-key> ARX_EDGE_FUNCTION_SECRET=<shared-secret-for-webhooks-and-cron> SLACK_WEBHOOK_URL=https://hooks.slack.com/services/... (for approval notifications) DRIFT_CHECK_ENFORCEMENT_ENABLED=false ARX_EDGE_FUNCTION_LIVE_HEALTH_ENABLED=true ``

drift-check runs in shadow/review mode by default. Set DRIFT_CHECK_ENFORCEMENT_ENABLED=true only after Axiom approval workflow and customer launch gates are complete, then invoke with {"mode":"enforce"}.

Each function responds to GET /functions/v1/<name> with a lightweight health payload. Mutating webhook/cron invocations should include:

`` X-ARX-Edge-Secret: <ARX_EDGE_FUNCTION_SECRET> ``

Verification

Check Edge Function Contracts

``bash python arxsec-api/scripts/validate_edge_function_contracts.py ``

Check Migrations

``bash supabase status --linked ``

Check Edge Functions

``bash supabase functions list --linked supabase functions logs drift-check --linked ``

Test drift-check

``bash curl https://<project>.supabase.co/functions/v1/drift-check \ -H "Authorization: Bearer <anon-key>" \ -H "Content-Type: application/json" ``

Troubleshooting

Migration fails: Check for syntax errors and ensure migrations run in order Function deployment fails: Verify function has valid TypeScript and imports Webhook not triggering: Check webhook logs in Supabase dashboard Scheduled function not running: Verify cron schedule and function logs

Support

Check Supabase logs:

  • Dashboard → Function Details → Logs
  • Dashboard → Database → Webhooks → Logs
  • CLI: supabase functions logs <function-name> --linked -n 100