DEVFLOW

Learn the Standard

Requirements and Threat Model

Require product facts and security invariants before the AI chooses a data model.

The AI must discover the use case

A schema is not good because its SQL is valid. It is good only if it preserves the product rules under normal use, attack, retry, concurrent requests, and deployment. Before a material change, document actors, ownership, tenancy, visibility, sensitivity, lifecycle, workload, failure impact, and rollout constraints.

Unknown data is private

Classify every table, column, and Storage bucket before it is exposed. Anything not yet classified is treated as private, never as public.

  • Public: deliberately published content, normally read-only to visitors.
  • Account-private: settings, drafts, user uploads; owner or authorized staff only.
  • Tenant-private: organization or project records; membership-controlled.
  • Sensitive: emails, invoices, logs; narrowly purpose-limited.
  • Highly sensitive: tokens, secrets, recovery material; never exposed through general data APIs.

Express security as testable behavior

  • Anonymous visitors can read published cards only.
  • Signed-in ordinary users cannot update staff-managed content.
  • A member cannot read another organization's private documents.
  • Unprocessed media is never returned by public reads.
  • No client-accessible role can invoke privileged helpers directly.

“Secured with RLS” is not an invariant. RLS is a mechanism; the statements above define what the tests must prove, and each one is checked by running the real query as the real role (anonymous, member, staff) and asserting on what comes back.
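Four of the five invariants above written as an executable check, as an added example that is not part of the DevFlow standard or any project's code. It assumes PostgreSQL 15 or later, run as a superuser inside one transaction so the script can switch roles; the caller's identity is modelled with two hypothetical session settings, app.user_id and app.org_id, where Supabase would use auth.uid() and a JWT claim. Every table, role, function name and UUID is constructed for the example. The media invariant is left out because it depends on the Storage layout.

```sql
-- Added example, not project code. Assumes PostgreSQL 15+, run as a superuser in
-- one transaction. Identity comes from the hypothetical settings app.user_id and
-- app.org_id (Supabase: auth.uid() and a JWT claim). Names and UUIDs are constructed.
begin;

-- Client-accessible roles. On Supabase these already exist; drop these two lines there.
create role anon nologin;
create role authenticated nologin;

create table cards (
  id        bigint generated always as identity primary key,
  org_id    uuid    not null,
  owner_id  uuid    not null,
  title     text    not null,
  published boolean not null default false
);
alter table cards enable row level security;
alter table cards force row level security;   -- the table owner is not exempt either
grant select on cards to anon, authenticated;
grant update on cards to authenticated;

-- "Anonymous visitors can read published cards only."
create policy cards_anon_read on cards for select to anon
  using (published);

-- "A member cannot read another organization's private documents."
create policy cards_member_read on cards for select to authenticated
  using (org_id = current_setting('app.org_id', true)::uuid);

-- "Signed-in ordinary users cannot update" rows they do not own; WITH CHECK also
-- stops an owner moving a row into another organization.
create policy cards_owner_update on cards for update to authenticated
  using (owner_id = current_setting('app.user_id', true)::uuid)
  with check (owner_id = current_setting('app.user_id', true)::uuid
          and org_id   = current_setting('app.org_id', true)::uuid);

-- "No client-accessible role can invoke privileged helpers directly."
-- Runs as its definer, pins search_path, and is callable only by its owner (a server role).
create function publish_card(card_id bigint) returns void
language sql security definer set search_path = pg_catalog, public as $$
  update cards set published = true where id = card_id;
$$;
revoke execute on function publish_card(bigint) from public, anon, authenticated;

-- Constructed sample data: two organizations, two members in org A.
insert into cards (org_id, owner_id, title, published) values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'Org A public', true),
  ('11111111-1111-1111-1111-111111111111', 'cccccccc-cccc-cccc-cccc-cccccccccccc', 'Org A draft',  false),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'Org B public', true);

-- Each invariant as a test: the block raises, and the transaction aborts, if one fails.
do $$
declare n int;
begin
  -- Anonymous: exactly the two published rows, never the draft.
  set local role anon;
  select count(*) into n from cards;
  if n <> 2 then raise exception 'anon sees % rows, expected 2', n; end if;
  reset role;

  -- Member aaaa of org A: both org A rows, nothing from org B.
  set local role authenticated;
  perform set_config('app.user_id', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', true);
  perform set_config('app.org_id',  '11111111-1111-1111-1111-111111111111', true);
  select count(*) into n from cards;
  if n <> 2 then raise exception 'org A member sees % rows, expected 2', n; end if;

  -- Updating their own card works; updating a colleague's draft silently touches 0 rows.
  update cards set title = 'Org A public (edited)' where title = 'Org A public';
  get diagnostics n = row_count;
  if n <> 1 then raise exception 'owner update affected % rows, expected 1', n; end if;
  update cards set title = 'tampered' where title = 'Org A draft';
  get diagnostics n = row_count;
  if n <> 0 then raise exception 'non-owner update affected % rows, expected 0', n; end if;

  -- Moving an owned row to another organization fails the WITH CHECK clause (SQLSTATE 42501).
  begin
    update cards set org_id = '22222222-2222-2222-2222-222222222222'
      where title = 'Org A public (edited)';
    raise exception 'cross-tenant move was allowed';
  exception when insufficient_privilege then null;  -- expected
  end;

  -- The privileged helper is not callable from a client role.
  begin
    perform publish_card(2);
    raise exception 'authenticated could call publish_card';
  exception when insufficient_privilege then null;  -- expected
  end;

  reset role;
  raise notice 'all invariants hold';
end $$;

rollback;  -- leave no trace; change to commit if the schema should persist
```

Run it with `psql -v ON_ERROR_STOP=1 -f invariants.sql`: a failed invariant raises inside the DO block, the transaction aborts, and psql's exit status becomes the test result. The point of the structure is that every check runs as the client role with the client's identity settings, which is the only evidence that the policies compose the way the invariant says.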

Minimum threat model

Review at least the following before a schema or policy change ships:

  • Cross-tenant reads: every policy filters on the tenant key, not only on row ownership.
  • Privilege escalation: a role that can edit its own role, membership, or ownership rows.
  • Exposed service keys: service keys in client bundles, logs, or code that reaches the browser.
  • Over-broad grants: table or function grants to client roles beyond what the policies intend; functions are executable by PUBLIC by default.
  • Policy composition: permissive policies on the same table and command are ORed, so one loose policy widens access for every role it names.
  • Unsafe security-definer functions: callable by client roles, or run without a pinned search_path.
  • SQL injection: dynamic SQL built from user input in functions or application code.
  • Public draft media: unprocessed or unpublished uploads reachable through public read paths.
  • Retry duplication: writes without an idempotency key or unique constraint, so a client retry creates a second row.
  • Lock contention: long transactions or migrations that hold locks on hot tables.
  • Interrupted migrations: a failed migration that leaves the schema half-applied and cannot be resumed.
  • Drift: the live schema or policies differ from what is in version control.
  • Incomplete backup of Storage objects: database backups that cover the object rows but not the stored objects themselves.