Hey all! RLS is the security boundary of a Supabase app, but writing pgTAP tests for it by hand is tedious: you fake each identity, seed matching rows for every policy, and assert who can do what. So it usually gets skipped, and a wrong policy ships as a silent data leak. I built rlsautotest to close that gap.
You point it at your database and it:
The key idea: a generated test only means something if the data behind it matches the policy and the identity. So it works backward from each policy to the exact rows that satisfy and violate it ("reverse-predicate seeding"). "Owner can see their row" is checked against a row that's actually theirs; "another tenant can't" against a real, different tenant.

```bash
pip install rlsautotest
rlsautotest --db-url "$DATABASE_URL" --schema public --html rls-report.html
rlsautotest --db-url "$DATABASE_URL" --schema public --emit supabase/
```
It's free and open source (Apache-2.0), built on pgTAP and the basejump test helpers (thank you!). It's beta: I've run it against real Supabase schemas and a multi-tenant corpus, and it's built to never emit a false-passing test: anything it can't prove soundly is marked, not faked.
A deeper write-up on testing RLS with pgTAP: https://unitautogen.com/blog/most-postgres-rls-ships-untested.html
Would love feedback, especially on policies/edge cases it doesn't handle well. Happy to dig into any schema you throw at it.
Munaf Khatri introduces 'rlsautotest', a tool to automate pgTAP tests for RLS policies in Supabase. It generates tests and seed data to ensure policies are correctly enforced, providing an access report and CI gate. The tool is open source and seeks feedback on its handling of policies and edge cases.
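For readers who have not written one of these by hand, here is an added example (not rlsautotest output or code from the post) of the pgTAP test shape the post describes: seed one row that satisfies the policy predicate for an identity and one that violates it, then assert per identity. It assumes a Supabase database (so `auth.uid()` and the `authenticated` role exist); the `public.notes` table, the `impersonate` helper and the two UUIDs are constructed for the example.

```sql
-- Added example, not rlsautotest output: hand-written pgTAP test that
-- applies "reverse-predicate seeding" to a hypothetical owner-only table.
-- Assumes Supabase: auth.uid() reads request.jwt.claims, role authenticated exists.
begin;
select plan(4);

-- Table and policy under test (constructed for this example).
create table public.notes (
  id    bigserial primary key,
  owner uuid not null,
  body  text not null
);
alter table public.notes enable row level security;
grant select on public.notes to authenticated;
create policy notes_owner_select on public.notes
  for select to authenticated using (owner = auth.uid());

-- Hypothetical helper: impersonate a Supabase user for this transaction.
create function public.impersonate(uid uuid) returns void
language plpgsql as $$
begin
  perform set_config('request.jwt.claims',
    json_build_object('sub', uid, 'role', 'authenticated')::text, true);
  perform set_config('role', 'authenticated', true);
end $$;

-- Reverse-predicate seeding: one row satisfies the predicate for alice,
-- one violates it (owned by bob). Both UUIDs are constructed.
insert into public.notes (owner, body) values
  ('11111111-1111-1111-1111-111111111111', 'alice note'),
  ('22222222-2222-2222-2222-222222222222', 'bob note');

-- Positive case: the owner sees exactly their own row and nothing else.
select public.impersonate('11111111-1111-1111-1111-111111111111');
select results_eq(
  'select body from public.notes order by id',
  $$values ('alice note'::text)$$,
  'owner sees only their own row');
select is((select count(*) from public.notes where body = 'bob note'),
  0::bigint, 'owner cannot see another tenant''s row');

-- Negative case: a real, different tenant sees only their own row.
select public.impersonate('22222222-2222-2222-2222-222222222222');
select is((select count(*) from public.notes), 1::bigint,
  'second tenant sees exactly one row');
select is((select count(*) from public.notes where body = 'alice note'),
  0::bigint, 'second tenant cannot see the first tenant''s row');

select * from finish();
rollback;
```

Run it with `pg_prove` (or `psql -f`) against a database that has pgTAP installed; the trailing `rollback` discards the table, policy and helper, so nothing persists.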