Vibe-Code Rescue · Supabase
Supabase RLS audit —
find the leaks before your users do.
In a Supabase app, Row Level Security is the security model — and in most AI-built apps it’s misconfigured or switched off entirely. We audit every table, policy, bucket and function the way an attacker would, fix what’s broken, and leave you with tests that prove it stays closed.
The situation
Red flags we find every week
RLS disabled on new tables
AI builders create tables faster than they secure them. One unprotected table means every row is readable through the auto-generated API.
Policies that look right but aren’t
USING (true), missing WITH CHECK clauses, or policies keyed to user metadata the client can edit itself.
The service_role key in client code
The key that bypasses RLS entirely, shipped to the browser. Game over — and more common than you’d think.
Storage buckets wide open
Table policies got attention; the buckets holding invoices, uploads and exports didn’t.
Views and functions that bypass RLS
SECURITY DEFINER functions and views quietly ignore your table policies — a favourite hiding place for leaks.
No tests, so no proof
You changed a policy last week and hope nothing broke. Hope is not a security model.
What we do
Everything between your prototype and production.
How it works
Audit → Go-Live → SLA.
Audit
€1,500
fixed · part of the Production Readiness Audit
We map your permission model, read every policy, and attack your API with each role. You get a report of every hole, rated by severity.
Fix & harden
flat quote
scoped from the audit · audit credited
We rewrite the policies around your actual product rules, lock down storage and functions, rotate exposed keys — and prove it with a re-test.
Keep it closed
from €290/mo
SLA · optional but recommended
Every schema change can reopen a hole. Under the SLA, the RLS test suite runs in CI and we stay accountable for what we secured.
Why THE SWARM
The difference is who’s accountable.
We think like an attacker
We don’t read policies and nod — we call your API with each role and try to pull data we shouldn’t. Findings come with working proof.
Fixes, not just findings
A PDF of problems doesn’t protect anyone. We rewrite the policies, migrate safely with data in place, and re-test.
Proof it stays closed
You get an automated RLS test suite wired into CI — the next schema change can’t silently reopen yesterday’s leak.
Questions
Supabase RLS Audit, answered.
Read access to the repository and a member invite to the Supabase project are enough. We test against staging or a branch database where possible; anything that touches production is read-only and coordinated with you.
It’s our most common case. AI tools generate working queries but rarely correct policies — the app looks fine because the happy path works, while the API allows far more than the UI shows.
A written report (finding, severity, plain-language impact, fix), corrected policies, an automated test suite, and a re-test that proves the holes are closed.
Yes — that’s the point. The audit is €1,500 fixed and fully credited toward the fix work, which we quote flat once we know the scope.
Good start. It flags tables without RLS, but it can’t judge whether your policies match your product’s actual permission model — who may see which rows and why. That takes a human reading both the product and the schema.
More rescue services
All servicesVibe-Code Rescue · Lovable
Lovable App Rescue
Built an app with Lovable you can’t quite ship? We audit it for a fixed €1,500, fix Supabase RLS, security and GDPR, take it live — then run it under an SLA.
Read moreVibe-Code Rescue · MVP
MVP → Production
An MVP that demos well and a product you can charge for are two different things.
Read moreShip it — properly.
Send us the link or the repo. You’ll get a clear read on where the app stands, a fixed audit price, and a plan to take it live.
Book the audit