supabase-security-audit
Install: claude install-skill hlsitechio/claude-skills-security
# Supabase Security Audit
Audit the security posture of a Supabase project across its three exposed surfaces: PostgREST (the auto-generated REST API over Postgres), Storage, and Edge Functions. Defensive find-and-fix focus: identify misconfigurations and remediate them, not exploit them.
## When this skill applies
- Reviewing whether RLS is enabled and policies are correct
- Auditing SECURITY DEFINER functions exposed to anon or authenticated roles
- Checking grants on `anon` and `authenticated` roles
- Looking for `service_role` key exposure in client code
- Reviewing edge function code for missing JWT verification
- Investigating suspicious activity in a Supabase project (post-incident)
Use other skills for: general app-code review (`saas-code-security-review`), multi-tenant patterns (`saas-tenant-isolation`).
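As an added example (these queries are mine, not the skill's own `scripts/inventory.sql`), the catalog queries below implement the first three checks in the list above: RLS status per table, effectively allow-all policies, and SECURITY DEFINER functions that `anon` or `authenticated` can call. They run in the Supabase SQL editor without the service_role key and assume the Supabase roles `anon` and `authenticated` exist; on a plain Postgres instance `has_*_privilege()` raises "role does not exist". The function name in the final fix is hypothetical.

```sql
-- 1. Every table in public (the schema PostgREST exposes by default): is RLS on,
--    and what can anon / authenticated do to it? A row with rls_enabled = false
--    and anon_select = true is readable by anyone holding the anon key.
SELECT n.nspname                                                 AS schema,
       c.relname                                                 AS table_name,
       c.relrowsecurity                                          AS rls_enabled,
       c.relforcerowsecurity                                     AS rls_forced_on_owner,
       has_table_privilege('anon',          c.oid, 'SELECT')     AS anon_select,
       has_table_privilege('anon',          c.oid, 'INSERT')     AS anon_insert,
       has_table_privilege('authenticated', c.oid, 'SELECT')     AS auth_select,
       has_table_privilege('authenticated', c.oid, 'UPDATE')     AS auth_update,
       has_table_privilege('authenticated', c.oid, 'DELETE')     AS auth_delete
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind IN ('r', 'p')            -- ordinary and partitioned tables
AND    n.nspname = 'public'
ORDER  BY rls_enabled, table_name;

-- 2. Every policy, allow-all ones first. qual is the USING expression and
--    with_check the WITH CHECK expression; a literal 'true' in either means RLS
--    is enabled but the policy restricts nothing for the roles it names
--    (roles = {public} when the policy has no TO clause, i.e. anon included).
SELECT schemaname, tablename, policyname, permissive, roles, cmd, qual, with_check,
       (qual = 'true' OR with_check = 'true')                    AS allow_all
FROM   pg_policies
WHERE  schemaname = 'public'
ORDER  BY allow_all DESC NULLS LAST, tablename, policyname;

-- 3. SECURITY DEFINER functions outside system schemas. Postgres grants EXECUTE
--    to PUBLIC on new functions, so unless revoked they run with the owner's
--    privileges (bypassing RLS) for any caller; those in an API-exposed schema
--    (public by default) are reachable as /rpc/<name>. settings shows whether
--    search_path is pinned; NULL means the caller's search_path is used.
SELECT n.nspname                                                 AS schema,
       p.proname                                                 AS function_name,
       pg_get_function_identity_arguments(p.oid)                 AS args,
       has_function_privilege('anon',          p.oid, 'EXECUTE') AS anon_can_call,
       has_function_privilege('authenticated', p.oid, 'EXECUTE') AS auth_can_call,
       p.proconfig                                               AS settings
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
AND    n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY anon_can_call DESC, schema, function_name;

-- 4. Fix for a function flagged by query 3. public.admin_reset_password(uuid)
--    is a hypothetical name: substitute the flagged function. Stop anonymous
--    callers, and pin search_path so a caller cannot shadow objects the
--    definer body references.
REVOKE EXECUTE ON FUNCTION public.admin_reset_password(uuid) FROM PUBLIC, anon;
ALTER  FUNCTION public.admin_reset_password(uuid) SET search_path = '';
```

Read query 1 and query 2 together: RLS enabled with no policies denies everything (often an unintended outage rather than a leak), while RLS enabled with an allow-all policy is equivalent to RLS disabled. Query 3 deliberately lists functions in schemas such as `auth` and `storage` too; only those in a schema exposed through the API are callable over HTTP, but the others still matter if the function can be reached indirectly from an exposed one.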
## Workflow
Follow `../_shared/audit-workflow.md`. Skill-specific notes below.
### Phase 1: Scope confirmation
Confirm with the user:
- Project ref (`xxxxx.supabase.co`)
- Do they have owner-level access (the dashboard SQL editor or the service_role key) for the checks that need it? (Some checks require it.)
- Are you the owner/admin of the project?
- Is this a production project or a staging/dev project?
Never request or store the service_role key in chat. Ask the user to run queries themselves in the SQL editor and paste the results, and remind them to redact any user data (emails, tokens) the results contain.
### Phase 2: Inventory
Run the queries in `scripts/inventory.sql` against the project. They produce:
- Every table with RLS status
- Every policy per table
- Every function with `security definer` status and grants
- Every grant on `anon` and `authenticat