Cookies

We use analytics cookies to understand how the site is used. Decline and analytics stays off — your choice. See our Privacy Policy.

Vibe-Code Rescue

Vibe-Code Rescue · Supabase

Supabase RLS audit —
find the leaks before your users do.

In a Supabase app, Row Level Security is the security model — and in most AI-built apps it’s misconfigured or switched off entirely. We audit every table, policy, bucket and function the way an attacker would, fix what’s broken, and leave you with tests that prove it stays closed.

The situation

Red flags we find every week

RLS disabled on new tables

AI builders create tables faster than they secure them. One unprotected table means every row is readable through the auto-generated API.

Policies that look right but aren’t

USING (true), missing WITH CHECK clauses, or policies keyed to user metadata the client can edit itself.

The service_role key in client code

The key that bypasses RLS entirely, shipped to the browser. Game over — and more common than you’d think.

Storage buckets wide open

Table policies got attention; the buckets holding invoices, uploads and exports didn’t.

Views and functions that bypass RLS

SECURITY DEFINER functions and views quietly ignore your table policies — a favourite hiding place for leaks.

No tests, so no proof

You changed a policy last week and hope nothing broke. Hope is not a security model.

What we do

Everything between your prototype and production.

Complete policy review: every table, view & function
Storage bucket & Edge Function permission audit
Auth review: JWT claims, roles, metadata trust
Anon / service_role key exposure check across the codebase
Attack simulation with real API calls per role
Rewritten policies with proper WITH CHECK constraints
Automated RLS test suite so it stays closed
Written report: finding → severity → fix

How it works

Audit → Go-Live → SLA.

01

Audit

€1,500

fixed · part of the Production Readiness Audit

We map your permission model, read every policy, and attack your API with each role. You get a report of every hole, rated by severity.

02

Fix & harden

flat quote

scoped from the audit · audit credited

We rewrite the policies around your actual product rules, lock down storage and functions, rotate exposed keys — and prove it with a re-test.

03

Keep it closed

from €290/mo

SLA · optional but recommended

Every schema change can reopen a hole. Under the SLA, the RLS test suite runs in CI and we stay accountable for what we secured.

Why THE SWARM

The difference is who’s accountable.

01

We think like an attacker

We don’t read policies and nod — we call your API with each role and try to pull data we shouldn’t. Findings come with working proof.

02

Fixes, not just findings

A PDF of problems doesn’t protect anyone. We rewrite the policies, migrate safely with data in place, and re-test.

03

Proof it stays closed

You get an automated RLS test suite wired into CI — the next schema change can’t silently reopen yesterday’s leak.

Questions

Supabase RLS Audit, answered.

Read access to the repository and a member invite to the Supabase project are enough. We test against staging or a branch database where possible; anything that touches production is read-only and coordinated with you.

It’s our most common case. AI tools generate working queries but rarely correct policies — the app looks fine because the happy path works, while the API allows far more than the UI shows.

A written report (finding, severity, plain-language impact, fix), corrected policies, an automated test suite, and a re-test that proves the holes are closed.

Yes — that’s the point. The audit is €1,500 fixed and fully credited toward the fix work, which we quote flat once we know the scope.

Good start. It flags tables without RLS, but it can’t judge whether your policies match your product’s actual permission model — who may see which rows and why. That takes a human reading both the product and the schema.

Ship it — properly.

Send us the link or the repo. You’ll get a clear read on where the app stands, a fixed audit price, and a plan to take it live.

Book the audit