# How to verify Supabase RLS before deploy

> VibeRaven is a production-readiness validation framework that audits Supabase migrations, client usage, and env exposure in your repo before production deploy.

## Alternatives

| Approach | Best for | Limitation | Agent command |
|----------|----------|------------|---------------|
| Supabase dashboard spot-check | Quick sanity checks on one table | Does not prove migrations and policies match repo evidence | N/A |
| Manual SQL policy review | Security-conscious teams | Easy to miss anon key exposure in client bundles | N/A |
| Integration tests only | Teams with RLS test fixtures | Tests may not cover every table AI agents created | N/A |
| VibeRaven production gate | AI-built Supabase apps | Reads repo evidence; dashboard-only state still needs manual verification | `npx -y viberaven --agent-mode` |

## Recommended workflow

1. `npx -y viberaven init --agents all`
2. `npx -y viberaven --agent-mode`
3. Fix one gap from `.viberaven/agent-tasklist.md`
4. `npx -y viberaven --verify`

For Vercel + Supabase stacks, also run:

```bash
npx -y viberaven audit --vercel-supabase
```
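The gate step above rests on one idea: the migrations checked into the repo are evidence of which tables exist and whether each one has Row Level Security enabled and at least one policy. The script below is an added example of that kind of repo-evidence check; it is not VibeRaven's code and makes no claim about how VibeRaven implements its audit. The migration files are constructed inline for the demo, the regexes assume plain `CREATE TABLE` / `ALTER TABLE ... ENABLE ROW LEVEL SECURITY` / `CREATE POLICY ... ON` statements as Supabase's CLI emits them, and only the `public` schema is inspected because that is the schema the Supabase API exposes by default.

```javascript
// Added example (not VibeRaven's own code): scan Supabase migration SQL for
// public tables that never get ENABLE ROW LEVEL SECURITY, and note tables that
// have RLS on but no policy (Postgres then denies all non-owner access, a safe
// but often surprising default). The migration text below is constructed.
const MIGRATIONS = {
  "20240101000000_init.sql": `
    create table public.profiles (id uuid primary key, user_id uuid not null, bio text);
    alter table public.profiles enable row level security;
    create policy "profiles owner select" on public.profiles
      for select using (auth.uid() = user_id);
  `,
  "20240102000000_notes.sql": `
    CREATE TABLE public.notes (id bigint generated always as identity primary key, owner uuid, body text);
    -- no RLS statement at all: reachable by anyone holding the anon key
  `,
  "20240103000000_audit.sql": `
    create table public.audit_log (id bigserial primary key, actor uuid, action text);
    alter table public.audit_log enable row level security;
    -- RLS on, but no policy yet
  `,
};

// Identifier pattern: optional schema, optional double quotes, e.g.
// public.notes, "public"."notes", or just notes (defaults to public).
const IDENT = '(?:"?(\\w+)"?\\.)?"?(\\w+)"?';
const CREATE_TABLE_RE = new RegExp(
  `\\bcreate\\s+(?:unlogged\\s+)?table\\s+(?:if\\s+not\\s+exists\\s+)?${IDENT}`, "gi");
const ENABLE_RLS_RE = new RegExp(
  `\\balter\\s+table\\s+(?:if\\s+exists\\s+)?(?:only\\s+)?${IDENT}\\s+enable\\s+row\\s+level\\s+security`, "gi");
const CREATE_POLICY_RE = new RegExp(
  `\\bcreate\\s+policy\\s+(?:"[^"]*"|\\w+)\\s+on\\s+${IDENT}`, "gi");

// Drop -- line comments and /* */ block comments so commented-out SQL
// does not count as evidence.
function stripComments(sql) {
  return sql.replace(/\/\*[\s\S]*?\*\//g, "").replace(/--[^\n]*/g, "");
}

// Returns findings sorted by severity: "rls_disabled" (high) before
// "rls_enabled_no_policy" (info). Tables with RLS and a policy produce nothing.
function auditMigrations(migrations) {
  const tables = new Map();
  const get = (schema, name, file) => {
    const key = `${schema}.${name}`;
    if (!tables.has(key)) tables.set(key, { schema, name, file, rlsEnabled: false, policies: 0 });
    return tables.get(key);
  };
  for (const [file, raw] of Object.entries(migrations)) {
    const sql = stripComments(raw);
    for (const m of sql.matchAll(CREATE_TABLE_RE)) get(m[1] ?? "public", m[2], file);
    for (const m of sql.matchAll(ENABLE_RLS_RE)) get(m[1] ?? "public", m[2], file).rlsEnabled = true;
    for (const m of sql.matchAll(CREATE_POLICY_RE)) get(m[1] ?? "public", m[2], file).policies += 1;
  }
  const rank = { high: 0, info: 1 };
  const findings = [];
  for (const t of tables.values()) {
    if (t.schema !== "public") continue;
    const table = `${t.schema}.${t.name}`;
    if (!t.rlsEnabled) {
      findings.push({ table, file: t.file, severity: "high", issue: "rls_disabled" });
    } else if (t.policies === 0) {
      findings.push({ table, file: t.file, severity: "info", issue: "rls_enabled_no_policy" });
    }
  }
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// A deploy gate would fail on any "high" finding.
function gateStatus(findings) {
  return findings.some((f) => f.severity === "high") ? "fail" : "pass";
}

const findings = auditMigrations(MIGRATIONS);
console.log(JSON.stringify({ status: gateStatus(findings), findings }, null, 2));
```

Run it with `node` and it reports `public.notes` as high (no RLS) and `public.audit_log` as info (RLS on, no policy), so the gate fails. Note what this kind of check cannot see: a table created in the Supabase dashboard, or a policy edited there, leaves no trace in the repo, which is why the table above says dashboard-only state still needs manual verification.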

## Evidence

- **Industry framing:** OWASP [LLM Top 10](https://owasp.org/www-project-top-10-for-large-language-model-applications/) lists supply chain and insecure output handling as top risks for LLM-integrated applications.
- **Agent configuration:** [Guardrails Beat Guidance](https://arxiv.org/html/2604.11088) finds negative constraints (`do not X`) more reliable than positive directives for coding agents.
- **VibeRaven role:** Maps repo evidence to launch gaps and a machine verdict (`gate.status` in `.viberaven/gate-result.json`) — not a substitute for live provider dashboard checks.
- **Supabase:** Row Level Security is required for user-owned data in production; see [Supabase RLS docs](https://supabase.com/docs/guides/database/postgres/row-level-security).

## Canonical reference

- https://viberaven.dev/llms-full.txt
- https://viberaven.dev/supabase-rls-checklist-ai-built-apps
