Add recommended security policies for tool-level enforcement #249

Open
L1AD wants to merge 1 commit into supabase-community:main from PolicyLayer:add-security-policies

L1AD commented Apr 4, 2026

Summary

Adds three YAML policy files for use with PolicyLayer Intercept, an open-source MCP proxy that enforces rate limits, daily caps, and access control on individual tool calls.

The Supabase MCP server exposes execute_sql (arbitrary SQL including DDL/DML), apply_migration (schema changes), deploy_edge_function (executable code deployment), and destructive branch operations. The existing security recommendations cover read-only mode, project scoping, and feature groups — these policies add a complementary layer: deterministic, per-tool enforcement that controls how aggressively tools are used once access is granted.

What's included

policies/
├── recommended.yaml   # Blocks destructive SQL, rate limits writes, reads allowed freely
├── strict.yaml        # Default deny — only read tools and SELECT queries allowed
└── permissive.yaml    # Everything allowed, rate limits on destructive operations

recommended.yaml highlights:

  • execute_sql: blocks DROP TABLE/SCHEMA/..., TRUNCATE, DELETE without WHERE, and DROP COLUMN — 10/min burst, 120/hour cap
  • apply_migration: 3/min burst, 20/day cap
  • deploy_edge_function: 3/min burst, 10/hour cap
  • delete_branch / reset_branch / merge_branch: 2/min burst, 10/day cap
  • create_project / pause_project: 3/hour
  • Global safety net: 60/min across all tools

strict.yaml — read-only mode with teeth:

  • Default deny, only read/list/get tools allowed
  • execute_sql permits only SELECT, EXPLAIN, and SHOW queries — all other SQL blocked
  • Complements Supabase's built-in read_only mode with explicit per-tool allowlisting

permissive.yaml — for development:

  • Everything allowed
  • Rate limits only on SQL execution, migrations, deployments, and branch operations

Usage

Wrap the MCP server with Intercept (one line):

npx -y @policylayer/intercept \
  --policy policies/recommended.yaml \
  -- npx -y @supabase/mcp-server-supabase

Or in MCP client config:

{
  "mcpServers": {
    "supabase": {
      "command": "npx",
      "args": [
        "-y", "@policylayer/intercept",
        "--policy", "policies/recommended.yaml",
        "--", "npx", "-y", "@supabase/mcp-server-supabase"
      ]
    }
  }
}

Also added a README section under "Tool-level policy enforcement" within the Security risks section.

Why this matters

Supabase MCP is uniquely powerful because execute_sql accepts arbitrary SQL — an agent can DROP TABLE, TRUNCATE, or run destructive DELETE statements with no guardrails beyond manual approval clicks. Read-only mode is an all-or-nothing switch. These policies add graduated enforcement: block the most dangerous patterns, rate limit writes, and cap deployments — without removing write access entirely.

About PolicyLayer Intercept

  • Open source (MIT): github.com/policylayer/intercept
  • npm: @policylayer/intercept
  • Sub-millisecond evaluation, fail-closed, deterministic (not prompt-based)
  • Supports all MCP clients: Claude Desktop, Claude Code, Cursor, VS Code, Windsurf, etc.
  • Zero changes to the MCP server — wraps the command transparently
  • Structured JSON audit logs for every tool call decision
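
The execute_sql rules listed in the description above, sketched as an added example (not code from this pull request or from PolicyLayer Intercept, whose policy syntax and matching logic are not shown on this page). It blanks out literals and comments and splits stacked statements before applying the deny patterns (recommended) or the read-only verb allowlist (strict); the names `checkSql`, `statements`, `NOISE`, `DENY`, `READ_ONLY` and the `mode` parameter are assumptions of this sketch.

```javascript
// Added illustration, not PolicyLayer Intercept's code or policy syntax.
// Literals, quoted identifiers and comments are matched in ONE pass, so a
// "--" inside a string is not read as a comment start (and vice versa).
const NOISE = /'(?:[^']|'')*'|"(?:[^"]|"")*"|--[^\n]*|\/\*[\s\S]*?\*\//g;

// Patterns the PR lists for recommended.yaml. The PR elides part of the DROP
// list ("TABLE/SCHEMA/..."); only the objects it names are matched here.
const DENY = [
  [/\bDROP\s+(TABLE|SCHEMA)\b/i, "DROP TABLE/SCHEMA"],
  [/\bDROP\s+COLUMN\b/i, "DROP COLUMN"],
  [/\bTRUNCATE\b/i, "TRUNCATE"],
];
const READ_ONLY = new Set(["SELECT", "EXPLAIN", "SHOW"]); // strict.yaml

// Blank out literals and comments, then split stacked statements on ";".
function statements(sql) {
  const bare = sql.replace(NOISE, (m) => (m[0] === "'" ? "''" : m[0] === '"' ? '""' : " "));
  return bare.split(";").map((s) => s.trim()).filter(Boolean);
}

// mode: "recommended" or "strict" (hypothetical parameter of this sketch).
function checkSql(sql, mode) {
  const deny = (reason) => ({ allowed: false, reason });
  // Fail closed on quoting this lexer does not model (backslash escapes,
  // dollar-quoted strings) and on empty input.
  if (/[\\$]/.test(sql)) return deny("unsupported quoting");
  const stmts = statements(sql);
  if (stmts.length === 0) return deny("empty");
  for (const stmt of stmts) {
    if (mode === "strict") {
      const verb = (stmt.match(/^[a-z]+/i) || [""])[0].toUpperCase();
      if (!READ_ONLY.has(verb)) return deny(`not read-only: ${verb}`);
      continue;
    }
    for (const [re, name] of DENY) if (re.test(stmt)) return deny(name);
    if (/\bDELETE\b/i.test(stmt) && !/\bWHERE\b/i.test(stmt))
      return deny("DELETE without WHERE");
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample inputs.
for (const q of [
  "SELECT * FROM orders WHERE note = 'please DROP TABLE later'",
  "DELETE FROM orders /* WHERE id = 1 */",
  "SELECT 1; TRUNCATE orders",
]) {
  console.log(checkSql(q, "recommended").reason, "|", checkSql(q, "strict").reason, "|", q);
}
```

A lexical filter of this kind is a backstop in front of the server; a production check would use a real SQL parser, and a read-only database role remains the authoritative control.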
