Free tool · Vibe Check

Is your app leaking user data?

Most apps built with AI tools ship with the setting that decides who can see your data (Row Level Security, or RLS) turned off — so anyone on the internet can read everything. Check yours in 60 seconds. Free, no signup — your data never leaves this page.

The check reads only your security settings — table names, policies, grants. Never your data.

Step 1 — Copy this query

Open your Supabase project → SQL Editor → paste → Run. Copy the single JSON result it returns.

-- ============================================================
-- BriefKit Vibe Check — Security Export (v1)
-- Paste this entire query into your Supabase SQL Editor and run it.
-- It reads ONLY your security configuration (table names, column
-- names, RLS policies, grants). It never reads your data.
-- Copy the single JSON result back into the Vibe Check scanner.
-- ============================================================
SELECT json_build_object(
  'vibe_check_version', 1,
  'generated_at', now(),
  'tables', (
    SELECT coalesce(json_agg(t ORDER BY t.table_name), '[]'::json)
    FROM (
      SELECT
        c.relname AS table_name,
        c.relrowsecurity AS rls_enabled,
        c.relforcerowsecurity AS rls_forced,
        -- column names only (lets the scanner flag sensitive columns)
        (SELECT coalesce(json_agg(a.attname ORDER BY a.attnum), '[]'::json)
         FROM pg_attribute a
         WHERE a.attrelid = c.oid AND a.attnum > 0 AND NOT a.attisdropped
        ) AS columns,
        -- all RLS policies on this table
        (SELECT coalesce(json_agg(json_build_object(
            'name', pol.policyname,
            'command', pol.cmd,                  -- SELECT/INSERT/UPDATE/DELETE/ALL
            'permissive', pol.permissive,
            'roles', pol.roles,
            'using_expr', pol.qual,              -- NULL for INSERT-only policies
            'check_expr', pol.with_check
          )), '[]'::json)
         FROM pg_policies pol
         WHERE pol.schemaname = 'public' AND pol.tablename = c.relname
        ) AS policies,
        -- privileges granted to Supabase API roles
        (SELECT coalesce(json_agg(json_build_object(
            'role', g.grantee, 'privilege', g.privilege_type)), '[]'::json)
         FROM information_schema.role_table_grants g
         WHERE g.table_schema = 'public' AND g.table_name = c.relname
           AND g.grantee IN ('anon', 'authenticated')
        ) AS api_grants
      FROM pg_class c
      JOIN pg_namespace n ON n.oid = c.relnamespace
      WHERE n.nspname = 'public' AND c.relkind = 'r'
    ) t
  )
) AS vibe_check_export;

Step 2 — Paste your result
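
To show what can be read from the pasted result, here is an added example (not BriefKit's scanner code) that evaluates the export's fields: rls_enabled, policies and api_grants. The function name, rule names and the sample export are assumptions made for illustration.

```javascript
// Added example: evaluates the JSON produced by the export query.
// Rule names are assumptions, not BriefKit's scanner logic.
// A policy applies to a role if it lists the role or the "public" pseudo-role.
const covers = (policy, role) =>
  policy.roles.includes(role) || policy.roles.includes('public');
// Matches a USING expression that is literally true, e.g. "true" or "(true)".
const ALWAYS_TRUE = /^\(*\s*true\s*\)*$/i;

function auditExport(exp) {
  const findings = [];
  for (const t of exp.tables) {
    const roles = [...new Set(t.api_grants.map((g) => g.role))].sort();
    if (!t.rls_enabled) {
      // No RLS: table grants alone decide what the API roles can touch.
      if (roles.length) findings.push({ table: t.table_name, rule: 'rls_disabled_with_api_grants', roles });
      continue;
    }
    if (t.policies.length === 0) {
      // RLS on with no policies is default-deny for the API roles.
      findings.push({ table: t.table_name, rule: 'rls_enabled_no_policies' });
      continue;
    }
    const anonCanSelect = t.api_grants.some((g) => g.role === 'anon' && g.privilege === 'SELECT');
    for (const p of t.policies) {
      const reads = p.command === 'SELECT' || p.command === 'ALL';
      // RESTRICTIVE policies are skipped here; they can only narrow access.
      if (p.permissive === 'PERMISSIVE' && reads && anonCanSelect &&
          covers(p, 'anon') && ALWAYS_TRUE.test(p.using_expr || '')) {
        findings.push({ table: t.table_name, rule: 'anon_read_policy_always_true', policy: p.name });
      }
    }
  }
  return findings;
}

// Constructed sample export (not output from a real project).
const sampleExport = { vibe_check_version: 1, tables: [
  { table_name: 'audit_log', rls_enabled: true, policies: [], api_grants: [] },
  { table_name: 'orders', rls_enabled: true, api_grants: [{ role: 'authenticated', privilege: 'SELECT' }],
    policies: [{ name: 'own rows', command: 'SELECT', permissive: 'PERMISSIVE',
      roles: ['authenticated'], using_expr: '(auth.uid() = user_id)', check_expr: null }] },
  { table_name: 'posts', rls_enabled: true, api_grants: [{ role: 'anon', privilege: 'SELECT' }],
    policies: [{ name: 'read all', command: 'SELECT', permissive: 'PERMISSIVE',
      roles: ['public'], using_expr: 'true', check_expr: null }] },
  { table_name: 'profiles', rls_enabled: false, policies: [],
    api_grants: [{ role: 'anon', privilege: 'SELECT' }, { role: 'authenticated', privilege: 'SELECT' }] },
]};
console.log(JSON.stringify(auditExport(sampleExport), null, 2));
```

An always-true read policy can be intentional for public content such as posts, so that finding is a prompt to confirm the table holds nothing private rather than a verdict.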