HeyRoyal Intel
Competitive intelligence system — Supabase DB, Cloudflare Worker MCP, and n8n workflows for competitor tracking and newsletter generation.
Site Reference
| Project Paths | ~/Projects/heyroyal-data/ (DB + MCP), ~/Projects/ai-clients/clients/heyroyal/ (n8n workflows) |
| Supabase project | sxbogpopuggodyzpezyj (heyroyal-intel) |
| MCP Worker | heyroyal-intel-mcp.eric-downs.workers.dev |
| System docs | ~/Projects/workflow-docs/systems/heyroyal-intel.md |
| CLAUDE.md | ~/Projects/heyroyal-data/CLAUDE.md |
Project Info
- Phase: Active (Harvis intel agent consumes this DB)
- Stack: Supabase Postgres, Cloudflare Workers MCP, n8n workflows, Brevo email
- Consumers: Harvis intel agent (read-only via MCP), Intel Dashboard (Skill Hub), n8n newsletter workflow
Project Status
Apr 13, 2026 — RLS + ops table rename + Harvis intel agent integration
The HeyRoyal Intel Supabase DB is now also the backing store for the Harvis intel specialist agent (via heyroyal-intel-mcp CF Worker, service-role key). Two changes today:
- RLS enabled on all 7 public tables (ai_services, competitor_content, competitor_urls, intel_newsletter_feedback, intel_newsletter_history, ops_workflow_registry, ops_workflow_run_log). Resolves Supabase security advisor's "table publicly accessible" alert. Service-role bypasses RLS so the MCP Worker + Skill Hub + n8n keep working; anon key is locked out (was never used anyway).
- Ops tables prefix-renamed: workflow_registry → ops_workflow_registry, workflow_run_log → ops_workflow_run_log. Considered splitting into a separate Supabase project but stopped — would require paid Pro tier ($25/mo) with no real security upside (no PII, service-role keys live in trusted env vars, RLS enabled). Prefix grouping in the dashboard is enough.
Consumers updated: Skill Hub server.js (two paths), ~/Projects/ai-clients/clients/heyroyal/workflows/ai-agency-newsletter.json, live n8n workflow (PATCHed via session-auth /rest/workflows/ endpoint).
Status: DB stable. 7 tables, 5 HeyRoyal domain + 2 ops infra. All with RLS on. Harvis intel agent reads via MCP; newsletter workflow writes ops_workflow_run_log.
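The RLS change above can be applied and audited with SQL like the following. This is an added example, not taken from the project's migrations. The table names are the seven listed above; the role names `anon`, `authenticated` and `service_role` are assumed to be Supabase's default roles.

```sql
-- Added example. Table names come from the list above; everything else is
-- standard Postgres catalog access.

-- 1. Enable RLS on each of the seven tables (safe to re-run).
DO $$
DECLARE
  t text;
BEGIN
  FOREACH t IN ARRAY ARRAY[
    'ai_services', 'competitor_content', 'competitor_urls',
    'intel_newsletter_feedback', 'intel_newsletter_history',
    'ops_workflow_registry', 'ops_workflow_run_log'
  ]
  LOOP
    EXECUTE format('ALTER TABLE public.%I ENABLE ROW LEVEL SECURITY', t);
  END LOOP;
END
$$;

-- 2. Audit every ordinary table in public: RLS state and number of policies.
--    A table with rls_enabled = true and no policies returns no rows to any
--    role that lacks BYPASSRLS and does not own the table.
SELECT c.relname             AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       count(p.policyname)   AS policy_count
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policies p
       ON p.schemaname = n.nspname
      AND p.tablename  = c.relname
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
GROUP BY c.relname, c.relrowsecurity, c.relforcerowsecurity
ORDER BY c.relname;

-- 3. Confirm which API roles bypass RLS (assumed Supabase default role names).
--    Only the service role should report rolbypassrls = true.
SELECT rolname, rolbypassrls
FROM pg_roles
WHERE rolname IN ('anon', 'authenticated', 'service_role')
ORDER BY rolname;
```

Any row in the second query with rls_enabled = false is a table the security advisor would flag again, so the query is worth re-running after new tables are added.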
Infrastructure Notes
Supabase Management API DDL: Use the PAT saved in 1Password (Claude Bot vault, item ywyyctiqkzakszhtxnl62iui5u) via POST https://api.supabase.com/v1/projects/{ref}/database/query for schema changes. The service-role JWT can NOT do DDL through PostgREST — PostgREST is CRUD-only. Common mistake.
Connection endpoints:
- PostgREST: https://sxbogpopuggodyzpezyj.supabase.co/rest/v1/... (CRUD with service-role or anon key)
- Management API: https://api.supabase.com/v1/projects/sxbogpopuggodyzpezyj/... (DDL, project settings — PAT required)
Ideas / Future Work
- Write tools for the intel MCP (add competitor, update AI stack) — currently read-only
- Split ops tables into their own project IF the org ever goes Pro for other reasons (not worth upgrading just for this)
- Intel dashboard could show Harvis agent query history pulled from the Harvis feedback table
Known Issues
- Intel MCP Worker uses service_role; any leaked secret gives full DB access. Mitigated by storing in CF Worker secrets (not checked in).
- Free tier: 2 active projects in oyldqohklrbkhwbutzzuorg. Adding a 3rd requires Pro.
Docs
| File | Description |
|---|---|
| README.md | This file — status and infra notes |
| ~/Projects/workflow-docs/systems/heyroyal-intel.md | System architecture + workflow details |
| ~/Projects/heyroyal-data/CLAUDE.md | DB schema, column mappings, MCP tool index |