Database access is the real app
The screen is what customers see. The database is what the business depends on. If the database rules are wrong, a polished Lovable app can still expose customer data or let one user change records that belong to someone else.
Supabase is strong infrastructure, but it does not remove the need to design access rules. Row-level security has to match the business model.
The review checklist
- Confirm row-level security is enabled on tables that contain user or customer data.
- Confirm policies test the actual tenant, owner, or role relationship the app depends on.
- Confirm service role keys are not exposed in browser code.
- Confirm storage buckets have the same permission model as the records they attach to.
- Confirm admin actions are server-side and audited.
- Confirm test users cannot read, update, or delete another user's records.
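As an added example (not code from the page or from PAS), the checklist items above expressed as Supabase/Postgres SQL for a hypothetical multi-tenant `invoices` table, its `tenant_members` membership table, and the `invoices` storage bucket that holds the PDFs. All table, column, bucket and path names are assumptions chosen for illustration; `auth.uid()`, `storage.objects` and `storage.foldername()` are the standard Supabase helpers. The last block shows how to impersonate a test user from SQL to confirm that another tenant's rows and files are invisible.

```sql
-- Added example, not from the page or from PAS. Names are assumptions.

create table if not exists public.tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,              -- auth.users id
  role      text not null default 'member',
  primary key (tenant_id, user_id)
);

create table if not exists public.invoices (
  id           uuid primary key default gen_random_uuid(),
  tenant_id    uuid not null,
  owner_id     uuid not null,           -- auth.users id of the creator
  amount_cents integer not null,
  created_at   timestamptz not null default now()
);

-- Checklist item 1: without this line no policy below applies; every
-- signed-in user reads the whole table through the anon/authenticated key.
alter table public.tenant_members enable row level security;
alter table public.invoices       enable row level security;

-- The policy subqueries below run as the calling user, so that user must be
-- allowed to read their own memberships or every policy silently matches nothing.
create policy "tenant_members: read own memberships"
  on public.tenant_members for select
  to authenticated
  using (user_id = auth.uid());

-- Checklist item 2: test the real tenant relationship. A policy written as
--   using (true)  or  using (auth.role() = 'authenticated')
-- is the mistake this checklist exists to catch.
create policy "invoices: members read their tenant's rows"
  on public.invoices for select
  to authenticated
  using (tenant_id in (select m.tenant_id
                       from public.tenant_members m
                       where m.user_id = auth.uid()));

-- Writes also need the relationship, and "with check" stops a user from
-- inserting or moving a row into a tenant they do not belong to.
create policy "invoices: members write their own rows in their tenant"
  on public.invoices for all
  to authenticated
  using (owner_id = auth.uid()
         and tenant_id in (select m.tenant_id from public.tenant_members m
                           where m.user_id = auth.uid()))
  with check (owner_id = auth.uid()
              and tenant_id in (select m.tenant_id from public.tenant_members m
                                where m.user_id = auth.uid()));

-- Checklist item 4: the bucket holding invoice PDFs uses the same tenant rule.
-- Assumed object path layout: "<tenant_id>/<invoice_id>.pdf".
insert into storage.buckets (id, name, public)
  values ('invoices', 'invoices', false)
  on conflict (id) do nothing;

create policy "invoice files: members read their tenant's folder"
  on storage.objects for select
  to authenticated
  using (bucket_id = 'invoices'
         and (storage.foldername(name))[1] in (
               select m.tenant_id::text from public.tenant_members m
               where m.user_id = auth.uid()));

-- Checklist item 6: impersonate a test user inside a transaction. auth.uid()
-- reads the "sub" claim from the request.jwt.claims session setting, so this
-- reproduces what the API layer does for a real JWT. Placeholder user id.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
    true);

  -- Expected: only rows whose tenant_id is one of this user's memberships.
  select id, tenant_id, owner_id from public.invoices;

  -- Expected: 0. The policy filters foreign-tenant rows before they are visible.
  select count(*) as foreign_tenant_rows_visible
  from public.invoices
  where tenant_id not in (select tenant_id from public.tenant_members
                          where user_id = auth.uid());

  -- Expected: 0 for the same reason, this time on the storage objects.
  select count(*) as foreign_tenant_files_visible
  from storage.objects
  where bucket_id = 'invoices'
    and (storage.foldername(name))[1] not in (
          select tenant_id::text from public.tenant_members
          where user_id = auth.uid());
rollback;
```

Run the impersonation block once per test user in your seed data and fail the review if either count is non-zero. It only exercises the `authenticated` role: the `service_role` key bypasses row-level security entirely, which is why checklist item 3 (keep that key out of browser code) is a separate line rather than something a policy can enforce.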
Small mistakes become public incidents
A database permission bug is not just a bug. It is a trust event. It can expose private records, invoices, messages, uploaded files, or internal notes.
PAS reviews these boundaries before launch and can either harden the existing app or move sensitive flows behind safer server-side code.
PAS makes AI-built apps production-ready
Send the app, repo, or public URL. PAS will review the production risks and map the next step: keep it simple, harden it, launch it, or move it into managed engineering support.