Eval Labs is a role-based human evaluation platform for Lucia. Clerk role metadata drives product behavior, and persisted evidence must remain protected by Supabase RLS.
Role metadata
Eval Labs reads the current role from Clerk public metadata:owner, admin, evaluator, tester, or missing/unassigned. Missing, unassigned, or unknown role metadata must fail closed.
Access matrix
Access widens by role — from a single prompt test up to the full owner/admin workspace.| Role | Custom Prompt | Auto-generated | Verification Check | Verification Results | Controlled Batch | Team Review | Global Analysis |
|---|---|---|---|---|---|---|---|
| owner 7 / 7 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| admin 7 / 7 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| evaluator 5 / 7 | ✓ | ✓ | ✓ | ✓ | ✓ | – | – |
| tester 2 / 7 | ✓ | ✓ | – | – | – | – | – |
| unassigned 0 / 7 | – | – | – | – | – | – | – |
Role definitions
| Role | Access | Scope |
|---|---|---|
| owner | 7 / 7 | Full platform access, oversight, and final product judgment. |
| admin | 7 / 7 | Full surface access; trusted operational oversight. |
| evaluator | 5 / 7 | Full evaluator workbench. No Team Review or Global Analysis. |
| tester | 2 / 7 | Entry-level prompt-testing lane only (Custom + Auto-generated). |
| unassigned | 0 / 7 | No recognized role. Fails closed — no protected access. |
Supabase RLS protects persisted evidence. The Clerk session token includes
eval_labs_role so RLS can recognize privileged owner/admin access. Real runs must persist to Supabase before they count as durable evidence.