Fixed-scope Supabase launch review

Check the Supabase risk before your AI-coded app ships.

A 24-hour Markdown report for one redacted Supabase launch packet: Data API grants, RLS policies, anonymous sign-in, public views, RPC functions, default EXECUTE exposure, Security Advisor warnings, and generated migration drift.

Buy this when

You are about to ship a Supabase-backed app generated or edited by Lovable, Bolt, Cursor, Replit, Claude, Codex, or an MCP migration tool.

Best input

Redacted SQL, RLS snippets, grant notes, Security Advisor text, signup failure notes, or generated migration diffs. Placeholder names are fine.

Not included

No penetration test, incident response, compliance certification, live database access, or legal advice.

Best buyer fit

This is for one launch decision, not an open-ended database audit.

Free tool found a high or medium finding

Send the redacted generated packet and get a second-pass read on the highest-risk grant, policy, view, function, or trigger.

New project depends on Data API access

The May 30, 2026 new-project default makes explicit grants part of the launch checklist instead of an afterthought.

Existing project needs migration confidence

Before the October 30, 2026 existing-project rollout, use one redacted migration packet to catch broad grants, missing grants, and RLS/grant confusion.

Why this is narrow

The scope comes from public Supabase launch and migration failure patterns checked on May 25, 2026. These links are evidence of the problem shape, not customer endorsements.

Default RPC EXECUTE

Open Supabase issue #43884 reports functions remaining callable after default EXECUTE revocation, with proacl evidence.

Read issue #43884

Security Advisor tradeoffs

Open issue #33131 shows Function Search Path Mutable hardening can conflict with SQL-function inlining and query plans.

Read issue #33131

Local advisor drift

Open issue #37566 separates missing search_path from fixed but still review-worthy paths in local or self-hosted advisor output.

Read issue #37566

View RLS migration drift

Open Supabase CLI issue #3973 shows generated or replayed view SQL can lose security_invoker behavior.

Read issue #3973

What the report covers

The scope is intentionally narrow so the report can be useful without collecting sensitive material.

Data API grants

Separate missing grants from RLS failures before the 2026 default-exposure change causes surprise permission errors.

RLS and anonymous auth

Find policies that grant every user of the authenticated role the same access, which matters once anonymous sign-in is enabled because anonymous sessions also carry the authenticated role.

Views and RPCs

Review public views missing security_invoker, broad SELECT/EXECUTE grants, default EXECUTE exposure evidence, and Security Definer functions that can bypass caller expectations.

Security Advisor warnings

Translate Function Search Path Mutable, signup trigger, and handle_new_user findings into launch checks.
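The four review areas above map onto a small amount of SQL. The block below is an added illustration written for this page; it is not the report's own output and not Supabase project code. Table, column and function names (posts, profiles, owner_id, posts_feed, post_count_for) are placeholders, and it assumes a Supabase project where the public schema is served by the Data API to the anon and authenticated roles. Each weak pattern is shown beside the hardened form the report would ask you to confirm.

```sql
-- Added illustration; every object name here is a placeholder, not from a
-- real launch packet.
create table public.profiles (
  id uuid primary key
);

create table public.posts (
  id uuid primary key default gen_random_uuid(),
  owner_id uuid not null default auth.uid(),
  title text not null,
  created_at timestamptz not null default now()
);

-- 1. Data API grants: a role with no grant gets a permission error that looks
--    like an RLS failure but is fixed here, not in a policy.
grant usage on schema public to anon, authenticated;
grant select on table public.posts to anon;
grant select, insert, update, delete on table public.posts to authenticated;

-- 2. RLS: grants decide whether a role may touch the table at all,
--    policies decide which rows. Both are needed.
alter table public.posts enable row level security;

create policy "owners manage own posts"
  on public.posts
  for all
  to authenticated
  using ((select auth.uid()) = owner_id)
  with check ((select auth.uid()) = owner_id);

-- 2a. Weak pattern: with anonymous sign-in enabled, an anonymous session is
--     still the authenticated role, so the policy above alone lets it write.
--     A restrictive policy on the is_anonymous JWT claim closes that gap.
create policy "permanent users only may write"
  on public.posts
  as restrictive
  for insert
  to authenticated
  with check (coalesce((select auth.jwt() ->> 'is_anonymous')::boolean, false) = false);

-- 3. Views: a plain view runs as its owner and bypasses RLS on the tables it
--    reads (weak); security_invoker makes the caller's own policies apply.
--    Regenerated migrations can silently drop this option, so diff for it.
create view public.posts_feed
  with (security_invoker = true)
as
  select id, title, created_at from public.posts;

-- 4. RPC functions: Postgres grants EXECUTE to PUBLIC on every new function,
--    so anon can call it through the Data API until that is revoked.
--    Default privileges only cover objects created later by this role.
alter default privileges in schema public revoke execute on functions from public;

create or replace function public.post_count_for(uid uuid)
returns bigint
language sql
stable
security invoker
set search_path = ''
as $$
  select count(*) from public.posts where owner_id = uid;
$$;

revoke execute on function public.post_count_for(uuid) from public, anon;
grant execute on function public.post_count_for(uuid) to authenticated;

-- 5. Security definer signup trigger (the handle_new_user pattern): it runs
--    with the owner's rights, so pin search_path; an unpinned path is what
--    the Function Search Path Mutable warning flags.
create or replace function public.handle_new_user()
returns trigger
language plpgsql
security definer
set search_path = ''
as $$
begin
  insert into public.profiles (id) values (new.id);
  return new;
end;
$$;

-- 6. Smoke test before launch: impersonate a Data API role inside a
--    transaction and roll back so nothing persists. The insert is expected
--    to fail with a permission error; that failure is the passing result.
begin;
  set local role anon;
  select count(*) from public.posts;              -- expected: succeeds
  insert into public.posts (title) values ('x');  -- expected: permission denied
rollback;
```

Run the smoke test as a role that can become anon (the postgres role in the SQL editor is enough). Repeat it with `set local role authenticated` while carrying a request.jwt.claims setting that includes is_anonymous=true if you want to confirm the restrictive policy rejects anonymous writes as well.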

Free triage first

Use the free pages if you only need a quick local check. They run in the browser and do not intentionally send pasted text anywhere.

Before checkout

The safest purchase is one where the launch packet is specific and already redacted.

  • Do not send live credentials, connection strings, service-role strings, OAuth material, customer records, payment records, private screenshots, full names, private handles, or full transaction identifiers.
  • Send one redacted packet: SQL snippets, grant notes, RLS policy excerpts, Security Advisor text, or generated migration output.
  • Get back one Markdown report with severity, likely failure mode, and the concrete smoke tests to run before launch.
  • Use the free checker first if you are not sure whether the packet is narrow enough.