Lock down Supabase RLS policies
Replace overpermissive 'always true' policies with org-scoped RLS across six tables until security advisor clears all findings.
/goal In Supabase prod project udooysjajglluvuxkijp, replace each authenticated write <table> ALL policy on public.customers/orders/order items/quotes/quote items/products (currently USING + WITH CHECK both literally true) with an org/tenant-scoped USING + WITH CHECK, or drop the policy if the table is unused in RA. End state: get advisors(project id=udooysjajglluvuxkijp, type:security) returns 0 rls policy always true findings for those 6 tables. Or stop after 6 turns if the owning tenant column cannot be confirmed
claude-code
More security loops
Secrets scan until clean
Run a secrets scanner over the working tree and drive the findings to zero: real secrets get flagged for rotation, false positives get baselined.
/goal `gitleaks detect --no-git` reports zero findings — for each finding, tell me whether it looks like a real credential (flag it for rotation and replace it with an env var lookup) or a false positive (add it to the baseline with a comment); never print the secret value itself; stop after 8 turns
securitylow risk
Burn down critical security findings
Run your static analyzer on the security ruleset, fix one high-severity finding at a time, re-verify, and loop until zero remain or 10 turns pass.
/loop run the repo's static analyzer (semgrep, CodeQL, or whatever is already configured) with the security ruleset; take ONE finding — highest severity first — and fix it minimally, then re-run the analyzer to verify the finding is gone and run the test suite. Never suppress or downgrade a rule to make a finding disappear; anything that needs a design change gets flagged for human review instead. Continue until the analyzer reports zero findings at high severity — stop after 10 turns and propose the fixes as one PR.
securitymedium risk
Weekly dependency vulnerability audit
Every Monday morning, run the dependency vulnerability audit, open one PR fixing what auto-fix can handle safely, and file issues for the rest.
/schedule every Monday at 8am, run `npm audit`, open a single PR applying only non-breaking fixes with tests passing, and file one issue per remaining high or critical advisory with its CVE link and affected paths
securitymedium risk