Eval Labs uses Clerk role metadata for role-based human evaluation access. Frontend role behavior comes from Clerk public metadata, while persisted evidence protection depends on the matching Clerk session claim reaching Supabase RLS.
Clerk metadata
Current public metadata key:
- owner
- admin
- evaluator
- tester
Owner
Status: implemented. Owner has full current platform access:
- Home dashboard
- Launcher
- Custom Prompt Test
- Auto-generated Prompt Test
- Guest Facing Agent Verification Check
- Verification Results
- Controlled Batch Runner
- Run History
- Team Review
- Global Analysis
- Registry Diagnostics
- Behavioral Observatory
- Single Run Analysis
- review routes
- future user/admin management
- future cleanup/tools
- Global Analysis visibility
Admin
Status: implemented. Admin has similar privileged operational access to owner. Current intent:
- access Team Review, Global Analysis, and Single Run Analysis
- access Registry Diagnostics
- access Behavioral Observatory
- use the batch runner and all test surfaces
- review and inspect shared persisted evidence
- support future evaluator/user oversight
Evaluator
Status: implemented; onboarding/workspace polish remains active hardening. Evaluator is the full human evaluation workbench role. Evaluators can:
- use Custom Prompt Test
- use Auto-generated Prompt Test
- use Guest Facing Agent Verification Check
- use Verification Results
- use Controlled Batch Runner
- use their own run, review, and history routes
- review and finalize their own assigned work
- see Team Review
- see Global Analysis
- see platform-wide owner/admin evidence
- use Registry Diagnostics unless explicitly widened later
- use Behavioral Observatory unless explicitly widened later
- see owner/admin tools
- use owner/admin cleanup or management surfaces
Tester
Status: implemented as a narrower onboarding role. Tester is the entry-level prompt-testing lane. Testers can:
- use Custom Prompt Test
- use Auto-generated Prompt Test
- use Guest Facing Agent Verification Check
- use Verification Results
- use Controlled Batch Runner
- see Team Review
- see Global Analysis
- use Registry Diagnostics
- use Behavioral Observatory
- see owner/admin tools
Unassigned or missing role
Status: implemented fail-closed posture. Users with no recognized eval_labs_role should have limited or no protected Eval Labs access.
Persistence and RLS requirement
Status: implemented; active hardening continues around verification and rollout safety. Real runs must persist to Supabase. The Clerk session token must include eval_labs_role so Supabase RLS can recognize owner/admin access to shared persisted evidence.
Frontend role checks and persisted evidence access must agree. If they do not, the UI can look correct while Supabase denies or scopes the data differently.
Verify the Clerk-to-Supabase role claim path whenever role metadata, JWT templates, RLS policies, or privileged evidence hydration changes.
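
One way to run that verification, as an added example that is not Eval Labs code: it compares the role the UI reads from public metadata with the claim carried in the session token and fails closed on anything unrecognized. It assumes the role is stored as publicMetadata.eval_labs_role and emitted as a top-level eval_labs_role claim; the function names and sample tokens are constructed for illustration.

```javascript
// Added example (not Eval Labs code). Assumes the role is stored as
// publicMetadata.eval_labs_role and emitted as a top-level JWT claim.
const ROLES = new Set(["owner", "admin", "evaluator", "tester"]);

// Decode the payload for inspection only. This does NOT verify the signature;
// Supabase does that. The goal is to see which claims RLS will receive.
function decodeClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Fail closed: anything other than one of the four known roles becomes null.
function recognizedRole(value) {
  return typeof value === "string" && ROLES.has(value) ? value : null;
}

// Compare the role the UI reads with the role the session token carries.
function checkRoleClaimPath(publicMetadata, sessionJwt) {
  const uiRole = recognizedRole(publicMetadata?.eval_labs_role);
  let claimRole = null;
  try {
    claimRole = recognizedRole(decodeClaims(sessionJwt).eval_labs_role);
  } catch {
    claimRole = null; // an undecodable token is treated as carrying no role
  }
  if (uiRole === claimRole) {
    return { ok: true, role: claimRole, reason: claimRole ? "match" : "no recognized role" };
  }
  const reason = claimRole === null
    ? "UI shows a role but the token carries no recognized claim"
    : "UI role and token claim differ";
  return { ok: false, role: null, reason };
}

// Constructed sample token: placeholder signature, never sent anywhere.
function sampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed`;
}

const withClaim = sampleJwt({ sub: "user_constructed", eval_labs_role: "admin" });
const withoutClaim = sampleJwt({ sub: "user_constructed" });
console.log(checkRoleClaimPath({ eval_labs_role: "admin" }, withClaim));
console.log(checkRoleClaimPath({ eval_labs_role: "admin" }, withoutClaim));
```

An `ok: false` result is the case described above, where the UI can look correct while Supabase denies or scopes the data differently.
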
Deferred access work
Not implemented yet:
- assignment-based evaluator work
- evaluator access to Behavioral Observatory
- evaluator-reviewing-owner-run RLS policies
- user/admin management
- cleanup/tools
- broader external rollout

