diff --git a/supabase/migrations/20251018_community_likes_comments.sql b/supabase/migrations/20251018_community_likes_comments.sql
new file mode 100644
index 00000000..69c9ea31
--- /dev/null
+++ b/supabase/migrations/20251018_community_likes_comments.sql
@@ -0,0 +1,46 @@
+-- Community post likes and comments
+begin;
+
+-- likes table for community_posts
+create table if not exists public.community_post_likes (
+  post_id uuid not null references public.community_posts(id) on delete cascade,
+  user_id uuid not null references public.user_profiles(id) on delete cascade,
+  created_at timestamptz not null default now(),
+  primary key (post_id, user_id)
+);
+
+-- comments table for community_posts
+create table if not exists public.community_comments (
+  id uuid primary key default gen_random_uuid(),
+  post_id uuid not null references public.community_posts(id) on delete cascade,
+  user_id uuid not null references public.user_profiles(id) on delete cascade,
+  content text not null,
+  created_at timestamptz not null default now()
+);
+
+alter table public.community_post_likes enable row level security;
+alter table public.community_comments enable row level security;
+
+-- policies: users can read all published post likes/comments
+DO $$ BEGIN
+  CREATE POLICY community_post_likes_read ON public.community_post_likes
+    FOR SELECT TO authenticated USING (true);
+EXCEPTION WHEN duplicate_object THEN NULL; END $$;
+
+DO $$ BEGIN
+  CREATE POLICY community_comments_read ON public.community_comments
+    FOR SELECT TO authenticated USING (true);
+EXCEPTION WHEN duplicate_object THEN NULL; END $$;
+
+-- users manage their own likes/comments
+DO $$ BEGIN
+  CREATE POLICY community_post_likes_manage_self ON public.community_post_likes
+    FOR ALL TO authenticated USING (user_id = auth.uid()) WITH CHECK (user_id = auth.uid());
+EXCEPTION WHEN duplicate_object THEN NULL; END $$;
+
+DO $$ BEGIN
+  CREATE POLICY community_comments_manage_self ON public.community_comments
+    FOR ALL TO authenticated USING (user_id = auth.uid()) WITH CHECK (user_id = auth.uid());
+EXCEPTION WHEN duplicate_object THEN NULL; END $$;
+
+commit;