Last updated: 2025-04-15
This document describes the data models, access patterns, security protocols, and integration details for the project's two primary databases: Supabase (PostgreSQL) and Neo4j (Graph Database). It is maintained as a living document and will be updated as the implementation progresses.
Tables & Relationships:
(To be updated after TDD Green Phase implementation)
users: Stores user profile and authentication data.research_surveys: Survey definitions and metadata.survey_responses: User-submitted survey answers.- (Additional tables as required by features)
Relationships:
users1---*survey_responsesresearch_surveys1---*survey_responses
- Authentication: Managed by Supabase Auth (JWT-based).
- Authorization: Row-Level Security (RLS) policies enforced for all tables.
- API Key: Used for service-to-service backend operations.
- Session Tracking: User login sessions are recorded in the
user_sessionstable.
Related Documentation:
- Supabase Setup Guide - Complete setup instructions for authentication and tables
- Authentication Flow Fixes - Solutions for registration flow issues
- Auth Sessions Update - Implementation of session tracking
- Sessions Table RLS Fix - Fix for RLS policies on the sessions table
- OAuth Authentication Fix - Fix for "Anonymous signins are disabled" error with OAuth
- Only authenticated users can access their own data.
- Service role key required for privileged backend operations.
- Custom RLS policies for specific tables (e.g.,
profiles,user_sessions). - SQL scripts for RLS policies are stored in the sql directory.
Example RLS Policy:
-- Allow users to insert their own session records
CREATE POLICY "Allow authenticated users to insert their own sessions"
ON public.user_sessions FOR INSERT
TO authenticated
WITH CHECK (auth.uid() = user_id);- Indexes on primary/foreign keys and frequently queried columns.
- (Specific index definitions will be documented after schema migration.)
- Audit triggers for sensitive tables (e.g.,
users,survey_responses). - Custom functions for business logic (e.g., survey scoring).
- (Definitions to be added after implementation.)
- Frontend: Uses Supabase JS client with JWT auth.
- Backend: Uses Supabase service role key for privileged operations.
- GraphQL API: All data access via NestJS GraphQL resolvers.
-- Fetch all surveys for a user
SELECT * FROM survey_responses WHERE user_id = auth.uid();
-- Insert a new survey response
INSERT INTO survey_responses (user_id, survey_id, answers) VALUES (...);- All input validated via backend and Supabase RLS.
- No sensitive data exposed in logs or error messages.
- Environment variables used for all secrets/keys.
Node Types:
UserSurveyResponseConcept(for graph visualization features)
Relationship Types:
:SUBMITTED(User)-[:SUBMITTED]->(Response):ANSWERS(Response)-[:ANSWERS]->(Survey):LINKED_TO(Concept)-[:LINKED_TO]->(Concept)
(Detailed property keys and constraints to be added post-implementation.)
- Unique constraints on node IDs.
- Indexes on frequently queried properties (e.g.,
email,surveyId).
- Initial graph nodes/relationships for development/testing.
- (Cypher seed scripts to be documented after implementation.)
- Database credentials managed via environment variables.
- Role-based access for backend services.
- No direct client access; all queries routed through backend API.
- Backend: Uses Neo4j driver via NestJS module.
- GraphQL API: Exposes graph queries/mutations for frontend.
// Find all responses submitted by a user
MATCH (u:User {id: $userId})-[:SUBMITTED]->(r:Response) RETURN r;
// Get all concepts linked to a given concept
MATCH (c:Concept {id: $conceptId})-[:LINKED_TO]->(related:Concept) RETURN related;- All queries parameterized to prevent injection.
- No sensitive data in error messages.
- Access restricted to backend service account.
- All configuration values are sourced from the central
config/directory or environment variables. - No hardcoded secrets or connection strings in code.
- All database access is performed via backend services (NestJS), never directly from the client.
- Follow TDD: Schema and logic are implemented only after failing tests are written.
- This document is updated after each Green Phase completion.
- All changes to data models or access patterns must be reflected here.
- Coordinate with the Documentation Scribe for review and consistency.