Supabase RBAC and subscription plans in SvelteKit: database roles, JWT claims, and typed locals
You define roles and permissions in Postgres and attach user_role and user_plan to each access token with a custom access token hook. On the server, you read those claims with jwt-decode and expose them through userWithRole() in hooks.server.ts, app.d.ts, and the root layout, so SvelteKit pages get a single, typed snapshot of who the user is. Postgres Row Level Security and authorize() stay the real gate for data.
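The server-side read described above, as an added sketch that is not code from the original page: it decodes the token payload without verifying the signature, which is all jwt-decode does, and allow-lists user_role and user_plan before building the snapshot. The role and plan values and the names snapshotFromToken and makeToken are assumptions, and atob stands in for jwt-decode so the block runs on its own.

```typescript
// Added example. Role/plan values and function names are assumptions.
type Role = 'admin' | 'member'; // assumed role names
type Plan = 'free' | 'pro';     // assumed plan names
const ROLES: readonly Role[] = ['admin', 'member'];
const PLANS: readonly Plan[] = ['free', 'pro'];

interface UserSnapshot { userId: string | null; role: Role | null; plan: Plan }
const ANONYMOUS: UserSnapshot = { userId: null, role: null, plan: 'free' };

// Decode the payload segment WITHOUT verifying the signature (what jwt-decode does).
function decodePayload(token: string): Record<string, unknown> | null {
  const seg = token.split('.')[1];
  if (!seg) return null;
  try {
    const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, '=');
    const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
    const parsed: unknown = JSON.parse(new TextDecoder().decode(bytes));
    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) return null;
    return parsed as Record<string, unknown>;
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Build the typed snapshot for locals; anything unexpected falls back to least privilege.
function snapshotFromToken(token: string | undefined, nowSec = Math.floor(Date.now() / 1000)): UserSnapshot {
  const claims = token ? decodePayload(token) : null;
  if (!claims) return { ...ANONYMOUS };
  const { sub, exp, user_role, user_plan } = claims;
  if (typeof sub !== 'string' || typeof exp !== 'number' || exp <= nowSec) return { ...ANONYMOUS };
  return {
    userId: sub,
    role: ROLES.find((r) => r === user_role) ?? null,   // unknown role -> no role
    plan: PLANS.find((p) => p === user_plan) ?? 'free', // unknown plan -> lowest tier
  };
}

// Constructed sample token (unsigned) for the demo; not a real Supabase token.
function makeToken(payload: object): string {
  const enc = (o: object) =>
    btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.signature-not-checked`;
}

const demo = makeToken({ sub: 'user-1', exp: 4102444800, user_role: 'root', user_plan: 'pro' });
console.log(snapshotFromToken(demo)); // { userId: 'user-1', role: null, plan: 'pro' }
```

The snapshot only decides what the pages render; a stale or tampered claim still has to pass Row Level Security and authorize() in Postgres.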