Phase 1: Security Discovery
What this phase does
Scan the codebase and produce a prioritized findings list. Output lives in SECURITY_PLAN.md.
Instructions
- Scan `src/app` (or the configured API folder) for:
  - Mutable endpoints (POST/PUT/DELETE)
  - Missing input validation (e.g. Zod schemas)
  - Authorization gaps (missing auth checks, overly permissive RLS)
  - Exposed secrets or service role keys in client code
  - See `supabase-security/SKILL.md` for Supabase-specific patterns to check
- Output: Create or overwrite `SECURITY_PLAN.md` in the project root. List all findings as Pending with severity (Critical / High / Medium / Low) and file location.
- Stop. Display a summary of findings to the user.
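As an added worked example (not part of this skill or of any project it scans), the TypeScript below applies the scan checks above to a few constructed route files and renders the Pending findings table that `SECURITY_PLAN.md` expects. The sample files, the `requireUser` helper name and the pattern regexes are assumptions; a heuristic like this only surfaces candidates for the review that Phase 2 performs, it does not replace it.

```typescript
// Added example, not the skill's own code: a heuristic pass over Next.js
// app-router handlers that applies the Phase 1 checks and renders findings.
// All sample files below are constructed for illustration.

type Severity = "Critical" | "High" | "Medium" | "Low";

interface Finding {
  file: string;
  line: number;
  severity: Severity;
  status: "Pending";
  title: string;
}

const SEVERITY_ORDER: Severity[] = ["Critical", "High", "Medium", "Low"];
const MUTATING_METHODS = ["POST", "PUT", "PATCH", "DELETE"];
// Matches handler exports such as `export async function POST(`.
const HANDLER_RE = /export\s+(?:async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE)\b/;
// Signs of a server-side identity check (requireUser is an assumed project helper).
const AUTH_RE = /getUser\(|getSession\(|getServerSession\(|requireUser\(/;
// A handler that consumes a request body without a schema parse call.
const READS_BODY_RE = /\.(json|formData|text)\(\)/;
const VALIDATES_RE = /\.(parse|safeParse)\(/;

// Constructed sample files standing in for files under src/app.
const SAMPLE_FILES: { [path: string]: string } = {
  "src/app/api/orders/route.ts": [
    'import { createClient } from "@/lib/supabase/server";',
    "export async function POST(req: Request) {",
    "  const body = await req.json();",
    "  const supabase = createClient();",
    '  await supabase.from("orders").insert(body);',
    "  return Response.json({ ok: true });",
    "}",
  ].join("\n"),
  "src/app/api/profile/route.ts": [
    'import { z } from "zod";',
    'import { createClient } from "@/lib/supabase/server";',
    "const Body = z.object({ name: z.string().min(1) });",
    "export async function PUT(req: Request) {",
    "  const supabase = createClient();",
    "  const { data: { user } } = await supabase.auth.getUser();",
    '  if (!user) return new Response("Unauthorized", { status: 401 });',
    "  const body = Body.parse(await req.json());",
    '  await supabase.from("profiles").update(body).eq("id", user.id);',
    "  return Response.json({ ok: true });",
    "}",
  ].join("\n"),
  "src/app/admin/page.tsx": [
    '"use client";',
    "const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.SUPABASE_SERVICE_ROLE_KEY!);",
    "export default function Admin() { return null; }",
  ].join("\n"),
};

function lineOf(source: string, index: number): number {
  return source.slice(0, index).split("\n").length;
}

function finding(file: string, line: number, severity: Severity, title: string): Finding {
  return { file, line, severity, status: "Pending", title };
}

function scanFile(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  const clientFile = /["']use client["']/.test(source);

  // Check 1: a service role key referenced from client-side code, or exposed
  // through a NEXT_PUBLIC_ variable that the bundler ships to the browser.
  source.split("\n").forEach((text, i) => {
    if (/SERVICE_ROLE/i.test(text) && (clientFile || /NEXT_PUBLIC_\w*SERVICE_ROLE/i.test(text))) {
      findings.push(finding(file, i + 1, "Critical", "Service role key referenced in client-side code"));
    }
  });

  // Check 2: every mutating handler must validate its input and check identity.
  const handlers: { method: string; index: number }[] = [];
  const re = new RegExp(HANDLER_RE.source, "g");
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) handlers.push({ method: m[1], index: m.index });
  handlers.forEach((h, i) => {
    if (MUTATING_METHODS.indexOf(h.method) < 0) return;
    const end = i + 1 < handlers.length ? handlers[i + 1].index : source.length;
    const body = source.slice(h.index, end);
    const line = lineOf(source, h.index);
    if (READS_BODY_RE.test(body) && !VALIDATES_RE.test(body)) {
      findings.push(finding(file, line, "High", h.method + " handler reads the request body without schema validation"));
    }
    if (!AUTH_RE.test(body)) {
      findings.push(finding(file, line, "High", h.method + " handler has no visible authorization check"));
    }
  });
  return findings;
}

function scanAll(files: { [path: string]: string }): Finding[] {
  let all: Finding[] = [];
  Object.keys(files).forEach((f) => { all = all.concat(scanFile(f, files[f])); });
  return all.sort((a, b) =>
    SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity) || a.file.localeCompare(b.file));
}

function renderPlan(findings: Finding[]): string {
  const rows = findings.map((f) => "| " + f.status + " | " + f.severity + " | " + f.file + ":" + f.line + " | " + f.title + " |");
  return ["# SECURITY_PLAN", "", "| Status | Severity | Location | Finding |", "|---|---|---|---|"].concat(rows).join("\n");
}

console.log(renderPlan(scanAll(SAMPLE_FILES)));
```

Run against the constructed files, the scan reports the service role key in the client page as Critical and the unvalidated, unauthenticated `POST` in the orders route as two High findings, while the profile route (Zod parse plus `auth.getUser()`) produces nothing; in a real run the file map would be populated from the configured API folder.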
The next step is Phase 2: /2-security-critique