fizzgig__rls_checker
checks supabase row-level-security policies for the 8 canonical leak shapes.
the AI ran your supabase migration, the app works, you ship. three weeks later someone reads a user table they shouldn't because the policy was USING (true) and you never noticed. the AI scaffolds RLS like a checkbox: gets the structure right, gets the auth scoping wrong.
scans SQL migrations for 8 RLS misconfiguration patterns: tables with RLS not enabled, RLS explicitly disabled, USING (true) policies, USING with no auth scoping, INSERT/UPDATE missing WITH CHECK (the row-reassignment bug), policies attached to the public role, auth.role() vs auth.uid() confusion, SECURITY DEFINER functions bypassing RLS. Returns ranked findings with copy-paste fix SQL.
run before every migration. the 8 shapes account for the vast majority of vibe-coded supabase leaks.
caught a policy that would have leaked every user's comments. shipped a fix in 4 minutes.
first tool i installed. it's the one that pays for itself.
works great. one false positive on a join table — easy to ignore.
{
"fizzgig": {
"url": "https://mcp.fizzgig.ai",
"tools": ["rls_checker"]
}
}