Database Schema
Tables
credentials
Stores metadata and encrypted credential payload:
- identity and metadata fields (title, credential_type, priority, tags, etc.)
- encrypted payload field: secret_blob (JSONB)
- encryption timestamp: encrypted_at
vault_config
Stores vault unlock metadata by user:
- new format: raw_dek, bcrypt_hash
- legacy format: wrapped_dek
- unique per user_id
categories
Stores user/category metadata used by dashboard filtering.
RLS behavior
The setup script enables RLS on all three tables. Current self-hosted policies are permissive (USING (true)), while app-level filtering is performed by user_id in client queries.
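An added example, not taken from supabase-setup.sql: SQL to audit the RLS state described above and, for comparison, an owner-scoped policy on credentials. It assumes the tables are in the public schema, that clients authenticate through Supabase Auth so auth.uid() is populated, and that user_id is a uuid; the policy names are hypothetical or placeholders.

```sql
-- 1. Confirm RLS is enabled on the three tables, and whether it is also
--    forced for the table owner (relforcerowsecurity).
SELECT c.relname,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'            -- assumption: public schema
  AND c.relname IN ('credentials', 'vault_config', 'categories');

-- 2. List policies whose predicate is the constant true. For INSERT policies
--    qual is NULL and the predicate appears in with_check instead.
SELECT tablename, policyname, cmd, roles, qual, with_check
FROM pg_policies
WHERE schemaname = 'public'
  AND tablename IN ('credentials', 'vault_config', 'categories')
  AND (qual = 'true' OR with_check = 'true');

-- 3. Owner-scoped alternative for one table. Permissive policies on the same
--    table are combined with OR, so this policy restricts nothing until the
--    USING (true) policy reported by query 2 is dropped in the same change.
BEGIN;

CREATE POLICY credentials_owner_only   -- hypothetical policy name
  ON public.credentials
  FOR ALL
  TO authenticated                     -- Supabase role for signed-in users
  USING (user_id = auth.uid())         -- rows visible to the caller
  WITH CHECK (user_id = auth.uid());   -- rows the caller may write
-- If user_id is stored as text, compare against auth.uid()::text instead.

-- Placeholder: substitute the policy name returned by query 2.
DROP POLICY IF EXISTS "PLACEHOLDER_existing_permissive_policy"
  ON public.credentials;

COMMIT;

-- 4. Re-run query 2; it should no longer return rows for credentials.
```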
Functions and triggers
- update_updated_at_column() trigger for timestamp maintenance.
- get_credential_stats() and check_rls_status() helper functions.
- Functions are created with SECURITY DEFINER and constrained search_path.
Source of truth
See supabase-setup.sql for canonical schema definitions shipped with current releases.