From 4245b76d532ff8bc28fc88d1397f3e6f4f655dbe Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sat, 13 Jun 2026 23:12:51 +0000
Subject: [PATCH] security: private-by-default boards with membership +
 capability share tokens
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replaces the free-for-all public-board model with explicit authorization,
closing the core defect: a leaked/guessed board UUID granted read/write/delete
on another tutor's lesson, uploaded materials were world-readable, and Realtime
was unauthenticated.

Server (0005_security_membership.sql):
- board_members (owner/co_teach/draw/view) is the access source of truth; a
  board's creator is auto-enrolled as owner via trigger + backfill.
- board_shares holds hashed, expiring, revocable capability tokens; create/redeem
  via SECURITY DEFINER RPCs (raw token returned once, only its SHA-256 stored).
- RLS rewritten: reads for owner/member (is_public kept only as a transitional
  read path); writes/deletes require an editing membership. Removes
  boards_insert_any WITH CHECK (true) — board creation now requires auth.
- board-assets flipped to a private bucket with membership-gated storage RLS.
- realtime.messages policies authorize private Broadcast channels by membership.

Client:
- Assets served via short-lived signed URLs instead of a permanent public URL
  (storage.ts, MediaOverlayLayer async audio resolution).
- Owner can mint an "Invite to edit" capability link; opening it redeems the
  token into a membership, minting an anonymous guest session first so
  account-less students still get a stable id for RLS (boardOwnership, Board,
  CollabBar).
- Private Realtime channels gated behind VITE_REALTIME_PRIVATE (off by default)
  for a safe transport cutover after the Dashboard toggle + anon sign-in.

Docs: SETUP/README/ROADMAP updated with the new model and required settings.

Verified by applying 0001-0005 to a local Postgres with Supabase stubs and
asserting allow/deny for owner, stranger, anon, and invited guest/viewer across
boards, snapshots, assets, storage objects, and token redemption (valid /
invalid / expired / revoked / non-owner-mint).
---
 README.md                                     |   2 +-
 apps/web/src/env.ts                           |   6 +
 apps/web/src/features/board/boardOwnership.ts |  56 +++
 apps/web/src/features/canvas/CollabBar.tsx    |  31 +-
 apps/web/src/routes/Board.tsx                 |  60 ++-
 docs/ROADMAP.md                               |  27 ++
 docs/SETUP.md                                 |  41 +-
 packages/canvas/src/MediaOverlayLayer.tsx     |  41 +-
 packages/canvas/src/assets/storage.ts         |  26 +-
 packages/canvas/src/store/shapeStore.ts       |  12 +-
 packages/sync/src/supabaseProvider.ts         |   8 +-
 .../migrations/0005_security_membership.sql   | 409 ++++++++++++++++++
 12 files changed, 668 insertions(+), 51 deletions(-)
 create mode 100644 supabase/migrations/0005_security_membership.sql

diff --git a/README.md b/README.md
index 52dfc59..e4bdea5 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ SF Symbols, and the folder-based board library) are in place. The product-wide
 UX redesign — audit, design system, interaction specs, benchmarks, and the
 prioritised roadmap — lives in [`docs/redesign/`](docs/redesign/README.md).
 
-Realtime requires Supabase Realtime to be reachable by the `anon` role for the `notux-board-*` broadcast topics (the default, no-authorization Realtime mode works out of the box). Late-joiners get current board state from connected peers; persisting snapshots server-side for offline late-joiners is a later milestone.
+Access is membership-based: boards are private to their owner and shared through revocable, expiring **capability links** (see `0005_security_membership.sql` and [`docs/SETUP.md`](docs/SETUP.md)); uploaded materials live in a private Storage bucket served via signed URLs. Realtime uses the `notux-board-*` topics — public channels by default, or RLS-authorized **private channels** when `VITE_REALTIME_PRIVATE=true` and "Allow public access" is disabled in Realtime settings. Late-joiners get current board state from connected peers and the durable autosave snapshot.
 
 ## Repo layout
 
diff --git a/apps/web/src/env.ts b/apps/web/src/env.ts
index 42a00b9..38743fa 100644
--- a/apps/web/src/env.ts
+++ b/apps/web/src/env.ts
@@ -1,14 +1,20 @@
 interface EnvShape {
   supabaseUrl: string;
   supabaseAnonKey: string;
+  // Opt in to RLS-authorized private Realtime channels. Enable only after
+  // disabling "Allow public access" in the project's Realtime settings and
+  // applying 0005_security_membership.sql.
+  realtimePrivate: boolean;
 }
 
 const url = import.meta.env.VITE_SUPABASE_URL as string | undefined;
 const key = import.meta.env.VITE_SUPABASE_ANON_KEY as string | undefined;
+const realtimePrivate = import.meta.env.VITE_REALTIME_PRIVATE as string | undefined;
 
 export const env: EnvShape = {
   supabaseUrl: url ?? "",
   supabaseAnonKey: key ?? "",
+  realtimePrivate: realtimePrivate === "true" || realtimePrivate === "1",
 };
 
 export const supabaseConfigured = Boolean(env.supabaseUrl && env.supabaseAnonKey);
diff --git a/apps/web/src/features/board/boardOwnership.ts b/apps/web/src/features/board/boardOwnership.ts
index 3284091..031f8f9 100644
--- a/apps/web/src/features/board/boardOwnership.ts
+++ b/apps/web/src/features/board/boardOwnership.ts
@@ -86,3 +86,59 @@ export async function setBoardVisibility(
     .eq("id", boardId);
   return error ? { ok: false, error: error.message } : { ok: true };
 }
+
+// Capability-token sharing (0005_security_membership.sql). Instead of flipping a
+// board world-readable, the owner mints a high-entropy token bound to a role and
+// expiry; only its hash is stored server-side. The raw token rides in the URL
+// fragment (never sent to the server as a query param / never logged) and is
+// redeemed once into a scoped membership.
+export type ShareRole = "co_teach" | "draw" | "view";
+
+const ACCESS_HASH_KEY = "access";
+
+// Build a share URL carrying a fresh capability token in its fragment. Owner-only
+// (enforced by the create_board_share RPC). Returns null when not connected or
+// the mint is rejected.
+export async function createShareLink(
+  client: SupabaseClient | null,
+  boardId: string,
+  role: ShareRole = "draw",
+  ttlSeconds = 7 * 24 * 60 * 60,
+): Promise<{ url: string } | { error: string }> {
+  if (!client) return { error: "Not connected." };
+  const { data, error } = await client.rpc("create_board_share", {
+    p_board_id: boardId,
+    p_role: role,
+    p_ttl_seconds: ttlSeconds,
+  });
+  if (error || !data) return { error: error?.message ?? "Could not create link." };
+  const base = `${window.location.origin}${import.meta.env.BASE_URL}board/${boardId}`;
+  return { url: `${base}#${ACCESS_HASH_KEY}=${data as string}` };
+}
+
+// If the current URL fragment carries a capability token, redeem it into a
+// membership before the board loads, minting an anonymous guest session first
+// when the visitor isn't signed in (so even an account-less student gets a
+// stable id for RLS instead of relying on open public access). The token is
+// stripped from the URL on success so it isn't re-shared or left in history.
+export async function redeemAccessFromHash(
+  client: SupabaseClient | null,
+): Promise<void> {
+  if (!client || typeof window === "undefined") return;
+  const hash = window.location.hash.replace(/^#/, "");
+  const token = new URLSearchParams(hash).get(ACCESS_HASH_KEY);
+  if (!token) return;
+
+  const { data: auth } = await client.auth.getUser();
+  if (!auth.user) {
+    // Anonymous sign-in must be enabled in the project's Auth settings.
+    const { error } = await client.auth.signInAnonymously();
+    if (error) return;
+  }
+
+  await client.rpc("redeem_share_token", { p_token: token });
+
+  // Remove the token from the address bar / history regardless of outcome.
+  const clean = `${window.location.pathname}${window.location.search}`;
+  window.history.replaceState(null, "", clean);
+}
diff --git a/apps/web/src/features/canvas/CollabBar.tsx b/apps/web/src/features/canvas/CollabBar.tsx
index 305c9ab..3d87927 100644
--- a/apps/web/src/features/canvas/CollabBar.tsx
+++ b/apps/web/src/features/canvas/CollabBar.tsx
@@ -7,7 +7,7 @@ import {
   useRemoteCursors,
   type RemoteCursor,
 } from "@notux/canvas";
-import { setBoardVisibility } from "../board/boardOwnership";
+import { createShareLink, setBoardVisibility } from "../board/boardOwnership";
 import type { Identity } from "./useIdentity";
 
 interface Props {
@@ -83,6 +83,7 @@ export function CollabBar({ boardId, client, owned, isPublic, identity }: Props)
 
   const [shareOpen, setShareOpen] = useState(false);
   const [linkCopied, setLinkCopied] = useState(false);
+  const [inviteCopied, setInviteCopied] = useState(false);
   const [pub, setPub] = useState(isPublic);
   const [busy, setBusy] = useState(false);
   const shareBtnRef = useRef<HTMLButtonElement>(null);
@@ -97,6 +98,18 @@ export function CollabBar({ boardId, client, owned, isPublic, identity }: Props)
     });
   }
 
+  async function copyInvite() {
+    if (!client) return;
+    setBusy(true);
+    const res = await createShareLink(client, boardId, "draw");
+    setBusy(false);
+    if ("url" in res) {
+      await navigator.clipboard?.writeText(res.url);
+      setInviteCopied(true);
+      window.setTimeout(() => setInviteCopied(false), 1500);
+    }
+  }
+
   async function toggleVisibility() {
     if (!client) return;
     setBusy(true);
@@ -198,6 +211,22 @@ export function CollabBar({ boardId, client, owned, isPublic, identity }: Props)
               {linkCopied ? "Link copied" : "Copy link"}
             </span>
           </button>
+          {client && owned && (
+            <button
+              type="button"
+              className="menu__item"
+              disabled={busy}
+              onClick={() => void copyInvite()}
+            >
+              <span className="menu__item-icon">
+                <Icon name={inviteCopied ? "check" : "link"} size={18} />
+              </span>
+              <span className="menu__item-label">
+                {inviteCopied ? "Invite copied" : "Invite to edit"}
+              </span>
+              <span className="menu__item-shortcut">expires 7d</span>
+            </button>
+          )}
           {client && owned && (
             <button
               type="button"
diff --git a/apps/web/src/routes/Board.tsx b/apps/web/src/routes/Board.tsx
index 9917fc5..89bdb19 100644
--- a/apps/web/src/routes/Board.tsx
+++ b/apps/web/src/routes/Board.tsx
@@ -15,9 +15,13 @@ import { FollowPill } from "../features/canvas/FollowPill";
 import { SaveStatus } from "../features/canvas/SaveStatus";
 import { SelectionToolbar } from "../features/canvas/SelectionToolbar";
 import { useIdentity } from "../features/canvas/useIdentity";
-import { ensureBoardOwnership } from "../features/board/boardOwnership";
+import {
+  ensureBoardOwnership,
+  redeemAccessFromHash,
+} from "../features/board/boardOwnership";
 import { useLibraryStore } from "../features/library/libraryStore";
 import { getSupabase } from "../lib/supabase";
+import { env } from "../env";
 
 export default function Board() {
   const { boardId } = useParams<{ boardId: string }>();
@@ -38,27 +42,39 @@ export default function Board() {
     if (!boardId) return;
     setReady(false);
     setOwned(false);
-    // Enable realtime collaboration when Supabase is configured; otherwise the
-    // board runs in local-only mode against IndexedDB.
-    useShapeStore
-      .getState()
-      .configureRealtime(client ? { client, identity } : null);
-    // Bytes live in Supabase Storage; import is disabled when client is null.
-    useAssetStore.getState().configure({ boardId, client });
-    useShapeStore
-      .getState()
-      .initBoard(boardId)
-      .then(() => {
-        // Seed/migrate the page list against the IndexedDB-hydrated doc.
-        usePageStore.getState().initPages(boardId);
-        useSettingsStore.getState().initSettings(boardId);
-        setReady(true);
-        // Claim board ownership when signed in — gates named snapshots.
-        void ensureBoardOwnership(client, boardId).then((r) => {
-          setOwned(r.owned);
-          setIsPublic(r.isPublic);
-        });
-      });
+    let cancelled = false;
+    void (async () => {
+      // Redeem a capability token from the URL fragment (and mint a guest
+      // session if needed) BEFORE any board read, so membership-gated RLS lets
+      // this client load assets/snapshots and join the realtime channel.
+      await redeemAccessFromHash(client);
+      if (cancelled) return;
+      // Enable realtime collaboration when Supabase is configured; otherwise the
+      // board runs in local-only mode against IndexedDB.
+      useShapeStore
+        .getState()
+        .configureRealtime(
+          client
+            ? { client, identity, privateChannel: env.realtimePrivate }
+            : null,
+        );
+      // Bytes live in Supabase Storage; import is disabled when client is null.
+      useAssetStore.getState().configure({ boardId, client });
+      await useShapeStore.getState().initBoard(boardId);
+      if (cancelled) return;
+      // Seed/migrate the page list against the IndexedDB-hydrated doc.
+      usePageStore.getState().initPages(boardId);
+      useSettingsStore.getState().initSettings(boardId);
+      setReady(true);
+      // Claim board ownership when signed in — gates named snapshots.
+      const r = await ensureBoardOwnership(client, boardId);
+      if (cancelled) return;
+      setOwned(r.owned);
+      setIsPublic(r.isPublic);
+    })();
+    return () => {
+      cancelled = true;
+    };
   }, [boardId, identity, client]);
 
   if (!ready) {
diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md
index f465b99..543bd9d 100644
--- a/docs/ROADMAP.md
+++ b/docs/ROADMAP.md
@@ -9,6 +9,33 @@ direction but re-prioritizes around the genuine, verified gaps.
 Strategic posture is unchanged: keep the Konva + Yjs + Supabase Realtime + Liquid Glass
 stack; treat Excalidraw/tldraw/OpenBoard as reference implementations, not dependencies.
 
+## M-Sec — Private-by-default authorization ✅ (this PR)
+
+**The security gate.** Replaces the "free-for-all public board" model (a leaked
+board UUID granted read/write/delete on another tutor's lesson, world-readable
+uploads, and unauthenticated Realtime) with an explicit membership model.
+
+- `supabase/migrations/0005_security_membership.sql`: `board_members` +
+  `board_shares` (hashed, expiring, revocable capability tokens); an owner-
+  enrollment trigger; RLS rewritten so reads are owner/member (legacy `is_public`
+  kept only as a transitional read path) and **writes/deletes require an editing
+  membership**; `board-assets` flipped to a **private** bucket with membership-
+  gated storage RLS; `create_board_share` / `redeem_share_token` RPCs; and
+  `realtime.messages` policies for private channel authorization.
+- `packages/canvas/src/assets/storage.ts` + `MediaOverlayLayer.tsx`: assets are
+  served via short-lived **signed URLs** instead of a permanent public URL.
+- `apps/web/.../boardOwnership.ts` + `Board.tsx` + `CollabBar.tsx`: an owner can
+  mint an "Invite to edit" capability link; opening it redeems the token into a
+  membership, minting an **anonymous guest session** first so account-less
+  students still get a stable id for RLS.
+- Private Realtime channels are gated behind `VITE_REALTIME_PRIVATE` (off by
+  default) so the transport can cut over after the Dashboard toggle + anon
+  sign-in are in place.
+
+*Exit criterion:* an anon client with only a board UUID (no invite) is denied
+read/write on another board's rows, assets, and realtime topic; an invited guest
+gains exactly the shared role.
+
 ## M10 — Durable Yjs autosave persistence ✅ (this PR)
 
 **The critical architectural fix.** Board state previously lived only in each client's
diff --git a/docs/SETUP.md b/docs/SETUP.md
index 642f054..1f76c61 100644
--- a/docs/SETUP.md
+++ b/docs/SETUP.md
@@ -36,6 +36,35 @@ supabase db push
 user's account info is readable only by themselves) and a trigger that
 auto-creates/refreshes a profile from auth metadata on every sign-in.
 
+`0005_security_membership.sql` is the security hardening migration. It replaces
+the old "free-for-all public board" model with explicit membership
+(`board_members`) and hashed, expiring **capability share tokens**
+(`board_shares`). After applying it:
+
+- A board's creator is auto-enrolled as `owner`. Reads are allowed for
+  owners/members (and, transitionally, legacy `is_public` boards); **writes and
+  deletes require an owning or editing membership** — a leaked board UUID no
+  longer lets a stranger overwrite or wipe a lesson.
+- The **`board-assets` bucket is flipped to private**. Asset bytes are served
+  only via short-lived signed URLs whose issuance is gated by the same
+  membership RLS.
+- `realtime.messages` policies are added so Realtime channels can be authorized
+  by membership once you switch them to private (see step 2a).
+
+### 2a. Enable guest access and (optionally) private Realtime — **manual**
+
+The capability-token flow lets an account-less student join a shared board:
+
+1. **Authentication → Sign In / Providers → Anonymous sign-ins: enable.** When a
+   visitor opens an invite link, the app mints an anonymous session and redeems
+   the token into a scoped membership. Without this, only signed-in users can
+   redeem invites.
+2. *(Recommended)* **Realtime → Settings → disable "Allow public access"**, then
+   build the web app with `VITE_REALTIME_PRIVATE=true`. The client then opens
+   each board channel as a private, RLS-authorized channel so only members can
+   subscribe or broadcast. Leave this off until the policies in 0005 are applied
+   and anonymous sign-in works, or realtime collaboration will fail to connect.
+
 ## 3. Google OAuth (required for "Sign in with Google")
 
 ### 3a. Create a Google OAuth client — **you must do this manually**
@@ -107,8 +136,16 @@ pnpm dev      # http://localhost:5173
 
 - **Account/login info** lives in `profiles`, gated by RLS to the owning user
   only — no other user can read it.
-- **Annotations** on a private board are reachable only by the board owner
-  (RLS predicate: `is_public OR owner_id = auth.uid()`).
+- **Access is membership-based** (`board_members`). The owner and invited
+  collaborators can read a board; only owners and editing members can write or
+  delete. A board UUID alone grants nothing — the old enumeration/leak path is
+  closed.
+- **Sharing uses capability tokens** (`board_shares`): the owner mints a
+  high-entropy, role-scoped, expiring link; only its SHA-256 hash is stored, and
+  it's redeemed once into a membership. A guest student redeems via an anonymous
+  session rather than open public access.
+- **Uploaded materials** (PDF/image/audio) live in a **private** Storage bucket
+  and are reachable only through short-lived signed URLs gated by membership.
 - **Presence** (collaborator names/colors/avatars) is derived from each peer's
   own session and broadcast peer-to-peer over Realtime awareness — never by
   reading another user's profile row.
diff --git a/packages/canvas/src/MediaOverlayLayer.tsx b/packages/canvas/src/MediaOverlayLayer.tsx
index 27e15cf..7b255ce 100644
--- a/packages/canvas/src/MediaOverlayLayer.tsx
+++ b/packages/canvas/src/MediaOverlayLayer.tsx
@@ -1,6 +1,6 @@
-import type { CSSProperties } from "react";
+import { useEffect, useState, type CSSProperties } from "react";
 import type { YEmbed, YShape } from "@notux/types";
-import { assetPublicUrl } from "./assets/storage";
+import { assetSignedUrl } from "./assets/storage";
 import { useAssetStore } from "./store/assetStore";
 import type { ViewportState } from "./viewport/Viewport";
 
@@ -72,16 +72,9 @@ function EmbedPlayer({
   };
 
   if (shape.embedType === "audio") {
-    const src = resolveAudioSrc(shape.assetId);
     return (
       <div style={wrap}>
-        {src ? (
-          <audio
-            controls
-            src={src}
-            style={{ width: "100%", display: "block" }}
-          />
-        ) : null}
+        <AudioPlayer assetId={shape.assetId} />
       </div>
     );
   }
@@ -102,9 +95,27 @@ function EmbedPlayer({
   );
 }
 
-function resolveAudioSrc(assetId: string | undefined): string | null {
-  if (!assetId) return null;
-  const { _client, _boardId } = useAssetStore.getState();
-  if (!_client || !_boardId) return null;
-  return assetPublicUrl(_client, _boardId, assetId);
+// The bucket is private, so an audio src is a short-lived signed URL minted on
+// demand. Resolve it asynchronously and render an empty player until it lands
+// (or stays empty if signing is denied/fails).
+function AudioPlayer({ assetId }: { assetId: string | undefined }) {
+  const [src, setSrc] = useState<string | null>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    setSrc(null);
+    const { _client, _boardId } = useAssetStore.getState();
+    if (!assetId || !_client || !_boardId) return;
+    void assetSignedUrl(_client, _boardId, assetId).then((url) => {
+      if (!cancelled) setSrc(url);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [assetId]);
+
+  if (!src) return null;
+  return (
+    <audio controls src={src} style={{ width: "100%", display: "block" }} />
+  );
 }
diff --git a/packages/canvas/src/assets/storage.ts b/packages/canvas/src/assets/storage.ts
index b6e6921..4e1788c 100644
--- a/packages/canvas/src/assets/storage.ts
+++ b/packages/canvas/src/assets/storage.ts
@@ -1,9 +1,15 @@
 import type { SupabaseClient } from "@supabase/supabase-js";
 
-// Public Supabase Storage bucket holding imported PDF/image bytes. Created by
-// the 0002_assets_storage.sql migration with free-for-all RLS on public boards.
+// Private Supabase Storage bucket holding imported PDF/image/audio bytes.
+// Created public by 0002 but flipped to PRIVATE by 0005_security_membership.sql:
+// reads/writes are gated by board membership RLS and bytes are reachable only
+// via short-lived signed URLs (see assetSignedUrl), never a permanent public URL.
 export const BOARD_ASSETS_BUCKET = "board-assets";
 
+// TTL for signed asset URLs. Short by design: a signed URL is a bearer token,
+// so anyone holding it can fetch the object until it expires.
+const SIGNED_URL_TTL_SECONDS = 60 * 60;
+
 // Deterministic object key for an asset. Because it is derived purely from the
 // board + asset id, the renderer can locate bytes from a YAssetRef alone — no
 // separate metadata lookup is needed.
@@ -26,16 +32,20 @@ export async function uploadAsset(
   if (error) throw error;
 }
 
-// Public URL for an asset's bytes, suitable for a direct <audio src>. The
-// board-assets bucket is public (0002 migration), so no signing is needed.
-export function assetPublicUrl(
+// Short-lived signed URL for an asset's bytes, suitable for a direct <audio
+// src>. The bucket is private, so the URL is minted per request and the caller
+// must be an owner/member (enforced by storage RLS). Returns null when signing
+// fails (e.g. no access), so callers can render an empty player rather than throw.
+export async function assetSignedUrl(
   client: SupabaseClient,
   boardId: string,
   assetId: string,
-): string {
-  return client.storage
+): Promise<string | null> {
+  const { data, error } = await client.storage
     .from(BOARD_ASSETS_BUCKET)
-    .getPublicUrl(assetPath(boardId, assetId)).data.publicUrl;
+    .createSignedUrl(assetPath(boardId, assetId), SIGNED_URL_TTL_SECONDS);
+  if (error || !data) return null;
+  return data.signedUrl;
 }
 
 export async function downloadAssetBlob(
diff --git a/packages/canvas/src/store/shapeStore.ts b/packages/canvas/src/store/shapeStore.ts
index e257bd5..fe6cec8 100644
--- a/packages/canvas/src/store/shapeStore.ts
+++ b/packages/canvas/src/store/shapeStore.ts
@@ -21,6 +21,10 @@ import {
 export interface RealtimeConfig {
   client: SupabaseClient;
   identity: { name: string; color: string; avatarUrl?: string | null };
+  // Open the board's Realtime channel as a private (RLS-authorized) channel.
+  // Requires "Allow public access" to be disabled in the project's Realtime
+  // settings and the 0005 realtime.messages policies to be applied.
+  privateChannel?: boolean;
 }
 
 // One promise per boardId — concurrent callers for the same board share the
@@ -183,7 +187,13 @@ export const useShapeStore = create<ShapeStoreState>((set, get) => ({
           color: cfg.identity.color,
           avatarUrl: cfg.identity.avatarUrl ?? null,
         });
-        getSupabaseProvider({ client: cfg.client, boardId, doc, awareness });
+        getSupabaseProvider({
+          client: cfg.client,
+          boardId,
+          doc,
+          awareness,
+          privateChannel: cfg.privateChannel,
+        });
         set({ _awareness: awareness });
 
         // Durable persistence: merge the server-side autosave snapshot so a
diff --git a/packages/sync/src/supabaseProvider.ts b/packages/sync/src/supabaseProvider.ts
index 71ea198..28bf9fc 100644
--- a/packages/sync/src/supabaseProvider.ts
+++ b/packages/sync/src/supabaseProvider.ts
@@ -40,6 +40,12 @@ export interface SupabaseProviderOptions {
   boardId: string;
   doc: Y.Doc;
   awareness: Awareness;
+  // When true, open the channel as a private (RLS-authorized) channel so only
+  // members of the board can subscribe/broadcast. Requires the project's
+  // Realtime "Allow public access" to be disabled and the realtime.messages
+  // policies from 0005_security_membership.sql. Defaults to the legacy public
+  // channel for backward compatibility.
+  privateChannel?: boolean;
 }
 
 interface Envelope {
@@ -68,7 +74,7 @@ export class SupabaseProvider {
     this.sessionId = Math.random().toString(36).slice(2);
 
     this.channel = this.client.channel(`notux-board-${opts.boardId}`, {
-      config: { broadcast: { self: false } },
+      config: { broadcast: { self: false }, private: opts.privateChannel ?? false },
     });
 
     this.channel.on("broadcast", { event: BROADCAST_EVENT }, ({ payload }) => {
diff --git a/supabase/migrations/0005_security_membership.sql b/supabase/migrations/0005_security_membership.sql
new file mode 100644
index 0000000..8bff90a
--- /dev/null
+++ b/supabase/migrations/0005_security_membership.sql
@@ -0,0 +1,409 @@
+-- NotUX security hardening: private-by-default + capability share tokens
+--
+-- Replaces the "free-for-all public board" authorization model (0001/0002) with
+-- an explicit membership model. The core defects this closes:
+--
+--   * boards_insert_any WITH CHECK (true)  -> anyone (incl. anon) could insert
+--     unlimited boards (write-open + DoS surface).
+--   * is_public granted full READ/WRITE/DELETE on pages/snapshots/assets to
+--     anyone holding a board UUID — a harvested/leaked URL meant a stranger
+--     could overwrite or wipe a tutor's lesson and poison the autosave row.
+--   * board-assets was a PUBLIC storage bucket -> uploaded PDFs/images/audio
+--     (potentially a minor's materials) were world-readable and world-writable.
+--
+-- New model:
+--   * board_members(board_id, user_id, role) is the source of truth for access.
+--     A board's creator is auto-enrolled as 'owner' by a trigger.
+--   * board_shares holds hashed, expiring, revocable capability tokens. The
+--     owner mints a token (create_board_share); a recipient — including an
+--     anonymous guest student — redeems it (redeem_share_token) to gain a
+--     scoped membership. The raw token is returned exactly once and only its
+--     SHA-256 hash is stored, so leaking the shares table does not leak access.
+--   * RLS is rewritten so READ is allowed for owner/member (and, transitionally,
+--     legacy public boards) while WRITE/DELETE require an owning or editing
+--     membership. is_public is kept ONLY as a legacy read path; it no longer
+--     grants write access to anyone.
+--   * board-assets becomes a PRIVATE bucket; bytes are reachable only via
+--     short-lived signed URLs whose issuance is gated by the same membership RLS.
+--   * realtime.messages policies authorize private Broadcast channels
+--     (notux-board-<id>) by membership, ready for the client to switch on with
+--     `private: true` once "Allow public access" is disabled in Realtime
+--     settings (a Dashboard toggle that cannot be expressed in SQL).
+--
+-- Roles: 'owner' (full control), 'co_teach' / 'draw' (read + write), 'view'
+-- (read only). The "writable" set is everything except 'view'.
+
+-- ---------------------------------------------------------------------------
+-- membership + share-token tables
+-- ---------------------------------------------------------------------------
+create table if not exists board_members (
+  board_id uuid not null references boards(id) on delete cascade,
+  user_id uuid not null references auth.users(id) on delete cascade,
+  role text not null default 'view' check (role in ('owner', 'co_teach', 'draw', 'view')),
+  created_at timestamptz not null default now(),
+  primary key (board_id, user_id)
+);
+create index if not exists board_members_user on board_members (user_id);
+
+create table if not exists board_shares (
+  id uuid primary key default gen_random_uuid(),
+  board_id uuid not null references boards(id) on delete cascade,
+  -- SHA-256 hex of the capability token. The raw token is never stored.
+  token_hash text not null unique,
+  role text not null default 'draw' check (role in ('co_teach', 'draw', 'view')),
+  created_by uuid references auth.users(id) on delete set null,
+  expires_at timestamptz,
+  revoked boolean not null default false,
+  created_at timestamptz not null default now()
+);
+create index if not exists board_shares_board on board_shares (board_id);
+
+-- ---------------------------------------------------------------------------
+-- authorization helpers
+--
+-- All SECURITY DEFINER so they bypass RLS on the tables they read; this is what
+-- prevents recursion when a policy on one table needs to consult another
+-- (e.g. the boards SELECT policy calls is_board_member, which reads
+-- board_members WITHOUT re-triggering board_members' own policies). They read
+-- auth.uid() from the request JWT, so they evaluate per-caller.
+-- ---------------------------------------------------------------------------
+create or replace function public.is_board_owner(b uuid)
+returns boolean
+language sql
+stable
+security definer
+set search_path = public, pg_temp
+as $$
+  select exists (select 1 from boards where id = b and owner_id = auth.uid());
+$$;
+
+create or replace function public.is_board_member(b uuid)
+returns boolean
+language sql
+stable
+security definer
+set search_path = public, pg_temp
+as $$
+  select exists (
+    select 1 from board_members
+    where board_id = b and user_id = auth.uid()
+  );
+$$;
+
+-- Read is allowed for the owner, any member, or — transitionally — a legacy
+-- public board. Drop the is_public disjunct in a later migration to make boards
+-- strictly private.
+create or replace function public.can_read_board(b uuid)
+returns boolean
+language sql
+stable
+security definer
+set search_path = public, pg_temp
+as $$
+  select exists (
+    select 1 from boards
+    where id = b and (is_public or owner_id = auth.uid())
+  ) or public.is_board_member(b);
+$$;
+
+-- Write requires ownership or an editing membership. is_public does NOT grant
+-- write — this is the hole 0001 left open.
+create or replace function public.can_write_board(b uuid)
+returns boolean
+language sql
+stable
+security definer
+set search_path = public, pg_temp
+as $$
+  select exists (select 1 from boards where id = b and owner_id = auth.uid())
+      or exists (
+        select 1 from board_members
+        where board_id = b and user_id = auth.uid()
+          and role in ('owner', 'co_teach', 'draw')
+      );
+$$;
+
+grant execute on function public.is_board_owner(uuid) to anon, authenticated;
+grant execute on function public.is_board_member(uuid) to anon, authenticated;
+grant execute on function public.can_read_board(uuid) to anon, authenticated;
+grant execute on function public.can_write_board(uuid) to anon, authenticated;
+
+-- ---------------------------------------------------------------------------
+-- owner auto-enrollment + backfill
+-- ---------------------------------------------------------------------------
+create or replace function public.handle_board_owner_membership()
+returns trigger
+language plpgsql
+security definer
+set search_path = public, pg_temp
+as $$
+begin
+  if new.owner_id is not null then
+    insert into board_members (board_id, user_id, role)
+    values (new.id, new.owner_id, 'owner')
+    on conflict (board_id, user_id) do update set role = 'owner';
+  end if;
+  return new;
+end;
+$$;
+
+drop trigger if exists on_board_owner_set on boards;
+create trigger on_board_owner_set
+  after insert or update of owner_id on boards
+  for each row execute function public.handle_board_owner_membership();
+
+-- Backfill memberships for boards that already have an owner.
+insert into board_members (board_id, user_id, role)
+select id, owner_id, 'owner' from boards where owner_id is not null
+on conflict (board_id, user_id) do nothing;
+
+-- ---------------------------------------------------------------------------
+-- boards RLS: drop free-for-all insert; gate read on membership/public;
+-- restrict update/delete to the owner.
+-- ---------------------------------------------------------------------------
+drop policy if exists boards_insert_any on boards;
+drop policy if exists boards_read_public on boards;
+drop policy if exists boards_read_owner_or_public on boards;
+drop policy if exists boards_update_owner on boards;
+
+create policy boards_select on boards
+  for select using (is_public or owner_id = auth.uid() or public.is_board_member(id));
+
+-- Auth required to create a board, and only as yourself.
+create policy boards_insert_owner on boards
+  for insert with check (owner_id = auth.uid());
+
+-- Owner may edit; a signed-in user may claim a legacy unowned board to themself.
+create policy boards_update_owner on boards
+  for update
+  using (owner_id = auth.uid() or (owner_id is null and auth.uid() is not null))
+  with check (owner_id = auth.uid());
+
+create policy boards_delete_owner on boards
+  for delete using (owner_id = auth.uid());
+
+-- ---------------------------------------------------------------------------
+-- pages / snapshots / assets RLS: read for accessible boards, write for editors.
+-- ---------------------------------------------------------------------------
+drop policy if exists pages_rw_public on pages;
+drop policy if exists pages_rw_accessible on pages;
+create policy pages_select on pages
+  for select using (public.can_read_board(board_id));
+create policy pages_insert on pages
+  for insert with check (public.can_write_board(board_id));
+create policy pages_update on pages
+  for update using (public.can_write_board(board_id))
+  with check (public.can_write_board(board_id));
+create policy pages_delete on pages
+  for delete using (public.can_write_board(board_id));
+
+drop policy if exists snapshots_read_public on snapshots;
+drop policy if exists snapshots_read_accessible on snapshots;
+drop policy if exists snapshots_autosave_rw on snapshots;
+drop policy if exists snapshots_autosave_update on snapshots;
+drop policy if exists snapshots_named_owner on snapshots;
+
+create policy snapshots_select on snapshots
+  for select using (public.can_read_board(board_id));
+-- Autosave is writable by any editor (so a co-teacher's client can persist).
+create policy snapshots_autosave_insert on snapshots
+  for insert with check (kind = 'autosave' and public.can_write_board(board_id));
+create policy snapshots_autosave_update on snapshots
+  for update using (kind = 'autosave' and public.can_write_board(board_id))
+  with check (kind = 'autosave' and public.can_write_board(board_id));
+-- Named versions remain owner-only to create and remove.
+create policy snapshots_named_insert on snapshots
+  for insert with check (kind = 'named' and public.is_board_owner(board_id));
+create policy snapshots_named_delete on snapshots
+  for delete using (kind = 'named' and public.is_board_owner(board_id));
+
+drop policy if exists assets_rw_public on assets;
+drop policy if exists assets_rw_accessible on assets;
+create policy assets_select on assets
+  for select using (public.can_read_board(board_id));
+create policy assets_insert on assets
+  for insert with check (public.can_write_board(board_id));
+create policy assets_update on assets
+  for update using (public.can_write_board(board_id))
+  with check (public.can_write_board(board_id));
+create policy assets_delete on assets
+  for delete using (public.can_write_board(board_id));
+
+-- ---------------------------------------------------------------------------
+-- board_members / board_shares RLS
+-- ---------------------------------------------------------------------------
+alter table board_members enable row level security;
+alter table board_shares enable row level security;
+
+-- A user sees their own memberships; an owner sees/manages all members of their
+-- boards. (is_board_owner is SECURITY DEFINER, so referencing boards here does
+-- not recurse through board RLS.)
+create policy board_members_select on board_members
+  for select using (user_id = auth.uid() or public.is_board_owner(board_id));
+create policy board_members_owner_insert on board_members
+  for insert with check (public.is_board_owner(board_id));
+create policy board_members_owner_update on board_members
+  for update using (public.is_board_owner(board_id))
+  with check (public.is_board_owner(board_id));
+-- Owner may revoke anyone; a member may remove themself (leave the board).
+create policy board_members_delete on board_members
+  for delete using (public.is_board_owner(board_id) or user_id = auth.uid());
+
+-- Shares are owner-only end to end. Recipients never read the table; they redeem
+-- through the SECURITY DEFINER RPC below, which never exposes the token hash.
+create policy board_shares_owner_all on board_shares
+  for all
+  using (public.is_board_owner(board_id))
+  with check (public.is_board_owner(board_id));
+
+-- ---------------------------------------------------------------------------
+-- capability-token RPCs
+-- ---------------------------------------------------------------------------
+
+-- Owner mints a share link. Returns the RAW token exactly once; only its hash is
+-- persisted. Encode the returned token into the share URL fragment client-side.
+create or replace function public.create_board_share(
+  p_board_id uuid,
+  p_role text default 'draw',
+  p_ttl_seconds integer default 604800  -- 7 days
+)
+returns text
+language plpgsql
+security definer
+-- `extensions` on the path so pgcrypto's digest()/gen_random_bytes() resolve
+-- (Supabase installs pgcrypto into the extensions schema).
+set search_path = public, extensions, pg_temp
+as $$
+declare
+  v_token text;
+begin
+  if not public.is_board_owner(p_board_id) then
+    raise exception 'not authorized to share this board';
+  end if;
+  if p_role not in ('co_teach', 'draw', 'view') then
+    raise exception 'invalid role: %', p_role;
+  end if;
+
+  v_token := encode(gen_random_bytes(32), 'hex');
+  insert into board_shares (board_id, token_hash, role, created_by, expires_at)
+  values (
+    p_board_id,
+    encode(digest(v_token, 'sha256'), 'hex'),
+    p_role,
+    auth.uid(),
+    case when p_ttl_seconds is null or p_ttl_seconds <= 0
+         then null
+         else now() + make_interval(secs => p_ttl_seconds) end
+  );
+  return v_token;
+end;
+$$;
+
+-- A recipient (signed-in user OR anonymous guest) redeems a token to gain a
+-- scoped membership. Requires an authenticated identity — guests must obtain an
+-- anonymous session first — so every collaborator has a stable id for RLS.
+-- Output columns are deliberately NOT named board_id/role: those would be
+-- in-scope OUT-parameter variables inside the body and collide with the
+-- board_members columns referenced in the INSERT / ON CONFLICT clause.
+create or replace function public.redeem_share_token(p_token text)
+returns table (redeemed_board_id uuid, redeemed_role text)
+language plpgsql
+security definer
+-- `extensions` for pgcrypto's digest() (see create_board_share).
+set search_path = public, extensions, pg_temp
+as $$
+declare
+  v_share board_shares%rowtype;
+begin
+  if auth.uid() is null then
+    raise exception 'authentication required to redeem a share';
+  end if;
+
+  select * into v_share from board_shares
+  where token_hash = encode(digest(p_token, 'sha256'), 'hex')
+    and not revoked
+    and (expires_at is null or expires_at > now());
+  if not found then
+    raise exception 'invalid or expired share token';
+  end if;
+
+  insert into board_members (board_id, user_id, role)
+  values (v_share.board_id, auth.uid(), v_share.role)
+  on conflict (board_id, user_id) do nothing;
+
+  redeemed_board_id := v_share.board_id;
+  redeemed_role := v_share.role;
+  return next;
+end;
+$$;
+
+grant execute on function public.create_board_share(uuid, text, integer) to authenticated;
+grant execute on function public.redeem_share_token(text) to anon, authenticated;
+
+-- ---------------------------------------------------------------------------
+-- Storage: make board-assets private; gate by membership; serve via signed URLs.
+-- ---------------------------------------------------------------------------
+update storage.buckets set public = false where id = 'board-assets';
+
+drop policy if exists "board_assets_read_public" on storage.objects;
+drop policy if exists "board_assets_insert_public" on storage.objects;
+drop policy if exists "board_assets_update_public" on storage.objects;
+drop policy if exists "board_assets_delete_public" on storage.objects;
+
+-- (storage.foldername(name))[1] is the first path segment, i.e. the board id.
+create policy "board_assets_read" on storage.objects
+  for select using (
+    bucket_id = 'board-assets'
+    and public.can_read_board(((storage.foldername(name))[1])::uuid)
+  );
+create policy "board_assets_insert" on storage.objects
+  for insert with check (
+    bucket_id = 'board-assets'
+    and public.can_write_board(((storage.foldername(name))[1])::uuid)
+  );
+create policy "board_assets_update" on storage.objects
+  for update using (
+    bucket_id = 'board-assets'
+    and public.can_write_board(((storage.foldername(name))[1])::uuid)
+  );
+create policy "board_assets_delete" on storage.objects
+  for delete using (
+    bucket_id = 'board-assets'
+    and public.can_write_board(((storage.foldername(name))[1])::uuid)
+  );
+
+-- ---------------------------------------------------------------------------
+-- Realtime Authorization for private Broadcast/Presence channels.
+--
+-- These policies are only consulted when the client opens the channel with
+-- `private: true` AND "Allow public access" is disabled in the project's
+-- Realtime settings. They are harmless (never evaluated) for public channels,
+-- so they can ship ahead of the client cutover.
+-- ---------------------------------------------------------------------------
+create or replace function public.board_id_from_topic(p_topic text)
+returns uuid
+language plpgsql
+immutable
+set search_path = public, pg_temp
+as $$
+begin
+  if p_topic is null or p_topic not like 'notux-board-%' then
+    return null;
+  end if;
+  return substring(p_topic from 13)::uuid;  -- strip 'notux-board-'
+exception when others then
+  return null;  -- malformed topic -> no access
+end;
+$$;
+grant execute on function public.board_id_from_topic(text) to anon, authenticated;
+
+drop policy if exists "notux_realtime_read" on realtime.messages;
+drop policy if exists "notux_realtime_write" on realtime.messages;
+
+create policy "notux_realtime_read" on realtime.messages
+  for select to authenticated
+  using (public.can_read_board(public.board_id_from_topic((select realtime.topic()))));
+
+create policy "notux_realtime_write" on realtime.messages
+  for insert to authenticated
+  with check (public.can_write_board(public.board_id_from_topic((select realtime.topic()))));