policy · supabase_json
BezelIQ Studio policy
policy artifact · for BezelIQ Studio · status approved
rules
| id | check | category | severity | rationale | applies to |
|---|---|---|---|---|---|
| no-external-fonts | grep -r 'fonts.googleapis.com\|fonts.gstatic.com\|typekit.net\|use.typekit' {output_dir}/ | security | hard | Privacy, performance, and offline reliability. Dreamborn Forge self-hosts DM Sans and Fira Code. | frontend |
| forge-tokens-only | grep -rn '#[0-9a-fA-F]\{3,6\}\|rgb(\|rgba(' {output_dir}/src/ --include='*.vue' --include='*.css' | typography | hard | Design system consistency. Hardcoded values diverge from the design system and break theme coherence. | frontend |
| forge-register-attribute | grep -r "data-register" {output_dir}/src/ --include='*.vue' --include='*.html' | patterns | hard | Dreamborn CSS uses the data-register attribute to scope token sets. Without it, forge tokens do not apply. | frontend |
| no-service-role-key | grep -r 'SERVICE_ROLE\|service_role\|eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIi' {output_dir}/src/ | security | hard | Service role key bypasses RLS and grants full database access. Frontend must use anon key only. | frontend |
| supabase-client-only | grep -rn "fetch.*supabase.co" {output_dir}/src/ --include='*.vue' --include='*.js' --include='*.ts' | patterns | hard | Raw fetch bypasses the client's auth header injection and type safety. All queries go through the initialized client. | frontend |
| studio-artifacts-write-only | grep -rn "\.from('agent_tasks').*insert\|\.from('agent_tasks').*update\|\.from('projects').*insert\|\.from('stages').*insert" {output_dir}/src/ | patterns | hard | Platform table state is owned by the runner and listener. Direct writes from Studio bypass the HCS audit trail and break the event-driven state machine. | frontend |
| exec-gate-confirm | manual — verify approve/reject flows show a confirmation step before the HCS post call | patterns | hard | Exec gate approval is irreversible on HCS. An accidental approval advances the workflow immediately. A confirmation step prevents mis-clicks. | frontend |
| realtime-cleanup | grep -rn 'supabase.channel\|supabase.on' {output_dir}/src/ --include='*.vue' | grep -v 'onUnmounted\|removeChannel' | patterns | hard | Leaked subscriptions accumulate across route navigation, causing duplicate events and memory growth. | frontend |
| script-setup-only | grep -rn '<script lang\|<script>' {output_dir}/src/ --include='*.vue' | grep -v '<script setup' | patterns | warn | Consistency. script setup is the Vue 3 standard, more concise, better TypeScript inference. | frontend |
| env-vars-documented | grep -rn 'import.meta.env\.' {output_dir}/src/ --include='*.vue' --include='*.js' --include='*.ts' | patterns | hard | Deployment reliability — no surprise missing vars on Cloudflare Pages. | all |
| no-raw-topic-ids-in-labels | grep -rn '0\.0\.[0-9]\{7\}' {output_dir}/src/ --include='*.vue' | patterns | warn | Two-World Model — the machine layer (HCS IDs) is invisible to Justin. Studio renders human-readable names. | frontend |
| artifact-render-not-raw | grep -rn 'JSON.stringify.*content\|<pre>.*content\|v-text.*content' {output_dir}/src/ --include='*.vue' | patterns | hard | Two-World Model — Justin never reads raw JSON. ArtifactView renders structured, human-readable views from the JSON content. | frontend |
| whitespace-over-density | grep -rn 'padding:\s*[0-9]\{1,2\}px\|padding:\s*var(--db-space-[12])' {output_dir}/src/ --include='*.vue' | typography | warn | Dev Studio is an interpretation workspace. Density appropriate for a monitoring dashboard is wrong here. Spacious layout aids comprehension of complex artifacts. | frontend |
Agent Handoff
Start Here
policy artifact · for BezelIQ Studio · status approved
Completion Evidence
No explicit evidence field yet. Require tests, screenshots, linked PRs, or reviewed outputs before marking complete.
Artifact Shape
- rules: 13 items
- version: 1
- project id: bezeliq-studio
- updated at: 2026-04-28
Structured Payload
Machine-readable source fields
rules
| id | check | category | severity | rationale | applies to |
|---|---|---|---|---|---|
| no-external-fonts | grep -r 'fonts.googleapis.com\|fonts.gstatic.com\|typekit.net\|use.typekit' {output_dir}/ | security | hard | Privacy, performance, and offline reliability. Dreamborn Forge self-hosts DM Sans and Fira Code. | frontend |
| forge-tokens-only | grep -rn '#[0-9a-fA-F]\{3,6\}\|rgb(\|rgba(' {output_dir}/src/ --include='*.vue' --include='*.css' | typography | hard | Design system consistency. Hardcoded values diverge from the design system and break theme coherence. | frontend |
| forge-register-attribute | grep -r "data-register" {output_dir}/src/ --include='*.vue' --include='*.html' | patterns | hard | Dreamborn CSS uses the data-register attribute to scope token sets. Without it, forge tokens do not apply. | frontend |
| no-service-role-key | grep -r 'SERVICE_ROLE\|service_role\|eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIi' {output_dir}/src/ | security | hard | Service role key bypasses RLS and grants full database access. Frontend must use anon key only. | frontend |
| supabase-client-only | grep -rn "fetch.*supabase.co" {output_dir}/src/ --include='*.vue' --include='*.js' --include='*.ts' | patterns | hard | Raw fetch bypasses the client's auth header injection and type safety. All queries go through the initialized client. | frontend |
| studio-artifacts-write-only | grep -rn "\.from('agent_tasks').*insert\|\.from('agent_tasks').*update\|\.from('projects').*insert\|\.from('stages').*insert" {output_dir}/src/ | patterns | hard | Platform table state is owned by the runner and listener. Direct writes from Studio bypass the HCS audit trail and break the event-driven state machine. | frontend |
| exec-gate-confirm | manual — verify approve/reject flows show a confirmation step before the HCS post call | patterns | hard | Exec gate approval is irreversible on HCS. An accidental approval advances the workflow immediately. A confirmation step prevents mis-clicks. | frontend |
| realtime-cleanup | grep -rn 'supabase.channel\|supabase.on' {output_dir}/src/ --include='*.vue' | grep -v 'onUnmounted\|removeChannel' | patterns | hard | Leaked subscriptions accumulate across route navigation, causing duplicate events and memory growth. | frontend |
| script-setup-only | grep -rn '<script lang\|<script>' {output_dir}/src/ --include='*.vue' | grep -v '<script setup' | patterns | warn | Consistency. script setup is the Vue 3 standard, more concise, better TypeScript inference. | frontend |
| env-vars-documented | grep -rn 'import.meta.env\.' {output_dir}/src/ --include='*.vue' --include='*.js' --include='*.ts' | patterns | hard | Deployment reliability — no surprise missing vars on Cloudflare Pages. | all |
| no-raw-topic-ids-in-labels | grep -rn '0\.0\.[0-9]\{7\}' {output_dir}/src/ --include='*.vue' | patterns | warn | Two-World Model — the machine layer (HCS IDs) is invisible to Justin. Studio renders human-readable names. | frontend |
| artifact-render-not-raw | grep -rn 'JSON.stringify.*content\|<pre>.*content\|v-text.*content' {output_dir}/src/ --include='*.vue' | patterns | hard | Two-World Model — Justin never reads raw JSON. ArtifactView renders structured, human-readable views from the JSON content. | frontend |
| whitespace-over-density | grep -rn 'padding:\s*[0-9]\{1,2\}px\|padding:\s*var(--db-space-[12])' {output_dir}/src/ --include='*.vue' | typography | warn | Dev Studio is an interpretation workspace. Density appropriate for a monitoring dashboard is wrong here. Spacious layout aids comprehension of complex artifacts. | frontend |
version
1
project id
bezeliq-studio
updated at
2026-04-28