Security Audit Protocol

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "security_audit" with this command: npx skills add cityfish91159/maihouses/cityfish91159-maihouses-security-audit

  1. Critical "Guard" Files

WARNING: The following files are OFF-LIMITS for modification without explicit user approval.

  • scripts/ai-diff-gate.ts

  • .github/workflows/**

  • Any file with midlaw or policy in the name.

  2. Database Security (Supabase)

  • RLS (Row Level Security):

    • EVERY table must have RLS enabled.

    • Policies must explicitly define USING and WITH CHECK clauses.

    • NEVER use the service_role key in frontend client code.

  • SQL Injection:

    • Use parameterized queries or ORM methods (Supabase JS client) only.

    • Avoid raw SQL string concatenation.

  3. API Security

  • Authentication:

    • Verify the user exists in req (usually populated by middleware/auth helper).

    • Check permissions before performing actions (e.g. checkPermission(user.id, 'post.create')).

  • Input Validation:

    • Validate ALL inputs using zod schemas.

    • Sanitize HTML inputs if rendering user content (use DOMPurify).

  4. Audit Checklist

  • Are guards/policies untouched?

  • Is RLS enabled and tested?

  • Is input validation (zod) in place?

  • Are there no secrets committed to the code?

  • Did I run /security-review (if available) or a manual check?
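The following is an added example, not part of the upstream SKILL.md or the maihouses repository, covering the Database Security rules above and the "Is RLS enabled and tested?" checklist item. The posts table is a constructed stand-in; the policies use Supabase's built-in auth.uid(), and the two audit queries read only PostgreSQL's own system catalogs.

```sql
-- Constructed example table (name and columns assumed, not from the project).
create table if not exists public.posts (
  id        bigint generated always as identity primary key,
  author_id uuid not null default auth.uid(),
  title     text not null,
  body      text not null
);

-- 1. EVERY table must have RLS enabled. Without this statement every policy
--    below is ignored and the table is fully readable through the anon key.
alter table public.posts enable row level security;
-- Apply RLS to the table owner too (service_role still bypasses it).
alter table public.posts force row level security;

-- 2. Spell out USING (which rows are visible/targetable) and WITH CHECK
--    (which rows may be written) instead of relying on the implicit default.
create policy "posts_select_own" on public.posts
  for select to authenticated
  using (author_id = auth.uid());

create policy "posts_insert_own" on public.posts
  for insert to authenticated
  with check (author_id = auth.uid());

create policy "posts_update_own" on public.posts
  for update to authenticated
  using (author_id = auth.uid())        -- rows the caller may target
  with check (author_id = auth.uid());  -- a row cannot be handed to someone else

create policy "posts_delete_own" on public.posts
  for delete to authenticated
  using (author_id = auth.uid());

-- 3. Audit query: public tables that still have RLS disabled.
--    The expected result before shipping is zero rows.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and not c.relrowsecurity;

-- 4. Audit query: write policies with no explicit WITH CHECK (Postgres then
--    silently reuses the USING expression, which is easy to miss in review).
select tablename, policyname, cmd
from pg_policies
where schemaname = 'public'
  and cmd in ('UPDATE', 'ALL')
  and with_check is null;
```

Run the two audit queries from the SQL editor with a privileged role; any row they return is a finding for the checklist.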

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
