Lock down Supabase RLS policies

Replace overpermissive 'always true' policies with org-scoped RLS across six tables until security advisor clears all findings.

prompt
→ Claude
/goal In Supabase prod project udooysjajglluvuxkijp, replace each authenticated write <table> ALL policy on public.customers/orders/order items/quotes/quote items/products (currently USING + WITH CHECK both literally true) with an org/tenant-scoped USING + WITH CHECK, or drop the policy if the table is unused in RA. End state: get advisors(project id=udooysjajglluvuxkijp, type:security) returns 0 rls policy always true findings for those 6 tables. Or stop after 6 turns if the owning tenant column cannot be confirmed
claude-code

Source: CleanExpo

More security loops

Secrets scan until clean

/goalloopreponew

Run a secrets scanner over the working tree and drive the findings to zero: real secrets get flagged for rotation, false positives get baselined.

prompt
→ Claude
/goal `gitleaks detect --no-git` reports zero findings — for each finding, tell me whether it looks like a real credential (flag it for rotation and replace it with an env var lookup) or a false positive (add it to the baseline with a comment); never print the secret value itself; stop after 8 turns
securitylow risk

Burn down critical security findings

/looploopreponew

Run your static analyzer on the security ruleset, fix one high-severity finding at a time, re-verify, and loop until zero remain or 10 turns pass.

prompt
→ Claude
/loop run the repo's static analyzer (semgrep, CodeQL, or whatever is already configured) with the security ruleset; take ONE finding — highest severity first — and fix it minimally, then re-run the analyzer to verify the finding is gone and run the test suite. Never suppress or downgrade a rule to make a finding disappear; anything that needs a design change gets flagged for human review instead. Continue until the analyzer reports zero findings at high severity — stop after 10 turns and propose the fixes as one PR.
securitymedium risk

Weekly dependency vulnerability audit

/scheduleloopreponew

Every Monday morning, run the dependency vulnerability audit, open one PR fixing what auto-fix can handle safely, and file issues for the rest.

prompt
→ Claude
/schedule every Monday at 8am, run `npm audit`, open a single PR applying only non-breaking fixes with tests passing, and file one issue per remaining high or critical advisory with its CVE link and affected paths
securitymedium risk