Blog

Notes on testing your database: Row-Level Security, pgTAP, tSQLt, and generating the tests instead of hand-writing them.

July 1, 2026

Your Postgres RLS is a compliance control. Is it tested?

RLS is your HIPAA and SOC 2 access-control safeguard on any PostgreSQL, but only if you can show it works. Untested RLS is an assumption; here's what auditable evidence looks like.

June 22, 2026

Testing Supabase RLS locally when it depends on JWT custom claims

It works on Cloud, fails in local Studio, because the local Dashboard isn't GoTrue-integrated, so auth.jwt() has no custom claims. Here's how to test it correctly at the database level.

June 22, 2026

Most Postgres RLS ships untested. Here's how to test it with pgTAP.

The mechanics, the traps, and the handful of Row-Level Security cases that bite you: becoming each identity, USING vs WITH CHECK, "0 rows" vs "denied," and the seed-data trap.