Supabase RLS Gaps We Found Scanning 500 Vibe-Coded Repos
We analyzed 500 repositories built primarily with Cursor and Claude. The majority suffered from the exact same Row Level Security bypass.
This is a stubbed research article. In a production environment, this content would be statically generated from MDX files or a headless CMS.
When AI agents generate code, they heavily bias towards the "happy path." They prioritize feature completion over defense-in-depth, leading to structural anti-patterns like dropping Row Level Security, embedding bare JWT secrets instead of environment vars, and trusting unvalidated input in critical workflows.
The Root Cause
LLMs read standard documentation perfectly. However, they lack contextual state awareness of adjacent files. If an AI writes an endpoint in /api/payment, it often assumes a generalized authentication middleware exists elsewhere. When it doesn't, the route ships entirely open.
Erzo's Recommendation
Always run a specialized static analysis pass over PRs automatically generated by AI. Generic SAST tools often lack the semantic understanding to catch missing RLS policies.