security-audit
Install: claude install-skill Marcdaou/claude-qa-suite
# Security Audit
This is a *defensive* audit: the goal is to find weaknesses in your own app so you
can fix them before launch, not to attack anyone. The highest-value findings for a
Supabase + Stripe + Next.js booking app cluster in four places: leaked secrets,
RLS gaps, broken object-level authorization (IDOR), and webhook trust. Those four
are where real incidents on this stack happen, so weight the audit there.
## Workflow
1. **Scan for exposed secrets and risky config** (fast, static, no dependencies):
```bash
python3 ${CLAUDE_PLUGIN_ROOT}/scripts/security/scan_secrets.py <project-dir>
```
It flags: Supabase service-role keys / JWT secrets in client-reachable code,
Stripe **secret** keys (`sk_live`/`sk_test`) outside server-only files, generic
API keys and private keys, `.env` files that look committed, and use of the
`NEXT_PUBLIC_` prefix on values that must stay server-side. Next.js inlines every
`NEXT_PUBLIC_` variable into the browser bundle at build time, so a service-role
key behind that prefix hands every visitor a key that bypasses RLS on the whole
database.
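As an added illustration of the checks listed above (this is not the plugin's own `scan_secrets.py`, whose internals the page does not show), here is a small Python scanner that runs the same four checks over a constructed in-memory project: a Stripe secret-key literal in a client component, a service-role JWT that has been stored under a `NEXT_PUBLIC_` variable name, a `NEXT_PUBLIC_` name that contains `SERVICE_ROLE`, and a `.env.local` that no `.gitignore` pattern covers. The sample file contents, the JWTs (unsigned, built inline for the test) and the server-only path heuristic (`app/api/`, `pages/api/`, …) are all assumptions made for the example.

```python
import base64
import fnmatch
import json
import re


def fake_jwt(role: str) -> str:
    """Build an unsigned, Supabase-shaped JWT (constructed test data) so the role check has a payload to decode."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'HS256', 'typ': 'JWT'})}.{b64({'iss': 'supabase', 'ref': 'example', 'role': role})}.sig"


STRIPE_TEST_KEY = "sk_test_" + "a" * 40   # constructed, not a real key
STRIPE_LIVE_KEY = "sk_live_" + "b" * 40   # constructed, not a real key

# Constructed sample project (path -> contents); an assumed Next.js layout, not a real code base.
SAMPLE_FILES = {
    ".gitignore": "node_modules\n.next\n",  # no .env pattern: the env file below looks committed
    ".env.local": (
        "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co\n"
        f"NEXT_PUBLIC_SUPABASE_ANON_KEY={fake_jwt('service_role')}\n"  # mislabelled: value is a service-role key
        f"SUPABASE_SERVICE_ROLE_KEY={fake_jwt('service_role')}\n"      # fine: server-only variable name
        f"STRIPE_SECRET_KEY={STRIPE_TEST_KEY}\n"                       # fine: server-only variable name
    ),
    "components/Checkout.tsx": f"const stripe = new Stripe('{STRIPE_LIVE_KEY}');\n",  # client component
    "app/api/stripe/webhook/route.ts": "const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);\n",
    "lib/supabase.ts": (
        "import { createClient } from '@supabase/supabase-js';\n"
        "export const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, "
        "process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY!);\n"
    ),
}

SERVER_ONLY_PREFIXES = ("app/api/", "pages/api/", "server/", "supabase/functions/")  # assumed layout
STRIPE_SECRET = re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}")
JWT = re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+")
PUBLIC_SENSITIVE_NAME = re.compile(r"\bNEXT_PUBLIC_\w*(?:SECRET|SERVICE_ROLE|PRIVATE|JWT)\w*")


def jwt_role(token: str):
    """Read the `role` claim from a JWT payload without verifying it (classification only, never trust)."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore base64 padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (IndexError, ValueError, AttributeError):  # binascii.Error and JSONDecodeError are ValueErrors
        return None


def is_env_file(path: str) -> bool:
    return path.rsplit("/", 1)[-1].startswith(".env")


def client_reachable(path: str, line: str) -> bool:
    """Would a secret on this line end up in the browser bundle?"""
    if is_env_file(path):
        return line.lstrip().startswith("NEXT_PUBLIC_")  # Next.js inlines these at build time
    return not path.startswith(SERVER_ONLY_PREFIXES)


def scan(files: dict) -> list:
    """Return (path, line_no, rule, severity) tuples; line_no 0 marks a file-level finding."""
    findings = []
    ignore_patterns = [p.strip() for p in files.get(".gitignore", "").splitlines() if p.strip()]
    for path, text in files.items():
        # Simplified .gitignore semantics: glob match on the whole path only.
        if is_env_file(path) and not any(fnmatch.fnmatch(path, pat) for pat in ignore_patterns):
            findings.append((path, 0, "env-file-not-gitignored", "high"))
        for no, line in enumerate(text.splitlines(), 1):
            if PUBLIC_SENSITIVE_NAME.search(line):  # the name alone is a bug, whatever the value
                findings.append((path, no, "NEXT_PUBLIC_-prefix-on-server-secret", "critical"))
            if not client_reachable(path, line):
                continue
            if STRIPE_SECRET.search(line):
                findings.append((path, no, "stripe-secret-key-client-reachable", "critical"))
            if any(jwt_role(tok) == "service_role" for tok in JWT.findall(line)):
                findings.append((path, no, "service-role-key-client-reachable", "critical"))
    return findings


if __name__ == "__main__":
    for path, no, rule, severity in scan(SAMPLE_FILES):
        print(f"{severity:8} {path}:{no}  {rule}")
```

The point of decoding the JWT's `role` claim rather than grepping for variable names is the mislabelled `NEXT_PUBLIC_SUPABASE_ANON_KEY` line: its name looks correct, but the value is a service-role key and would be inlined into the bundle. The webhook route holds the same Stripe secret via `process.env` and is not flagged, because it lives under a server-only path.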
2. **Review the four high-risk areas by hand** using `references/threat-model.md`,
which walks each one with what to grep for and what "good" looks like:
- **Secrets & env** — confirm the service-role key is used only in server code; the client uses only the anon key.
- **Supabase RLS** — every table holding user data has RLS *enabled* and policies
  that scope rows to their owner. With RLS disabled, anyone holding the public anon key can read and write every row of the table through the auto-generated API.
- **Authorization / IDOR** — route handlers check that