The story

A week ago I built supabase-security, a small Node.js auditor that scans Supabase projects for over-permissive RLS policies. To test it, I scanned 100 random Supabase projects from GitHub. 22 out of 100 leaked user data anonymously. The pattern was consistent: dashboard says "RLS enabled ✅", policies say USING (true), anonymous curl returns the full table.

Then I ran the tool against my own production CRM (FitCRM, an e-commerce ops platform I've been running for 2 years). Found 14 critical leaks: order tables open to anon, storage buckets with predictable signed URLs, RPCs with SECURITY DEFINER bypassing RLS. I wrote the postmortem yesterday.

After that, two thoughts:

- If this many random Supabase projects leak, what about every other BaaS?
- The "keyless" mode (parse repo + probe anon, no admin creds) is the magic: anyone can run it on any project, including ones they don't own.

What I shipped today

Five sister tools. All MIT, all on npm, all use the same --discover pattern:

1.…
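The two leak patterns named above (a USING (true) policy behind an "RLS enabled" switch, and a SECURITY DEFINER RPC that sidesteps the policy) in Postgres terms, as an added example that is not the post's or supabase-security's own code. The public.orders table and its user_id column are assumed for illustration; the anon and authenticated roles and the auth.uid() helper are Supabase's built-ins.

```sql
-- Added example, not from the post or the tool. Assumed: a public.orders
-- table keyed by user_id. Supabase's anon / authenticated roles and
-- auth.uid() are real; the table is hypothetical.

-- 1. The pattern the post describes: RLS is switched on, but the policy
--    admits every row to every role, so the anon key reads the whole table.
create table if not exists public.orders (
  id          bigint generated always as identity primary key,
  user_id     uuid not null,
  total_cents integer not null
);

alter table public.orders enable row level security;   -- dashboard shows ✅

create policy "orders_open" on public.orders
  for select
  to anon, authenticated
  using (true);                                          -- every row, any caller

-- 2. Hardened: drop the open policy, scope reads to the row owner, and give
--    anon no policy at all (under RLS, no matching policy means no rows).
drop policy if exists "orders_open" on public.orders;

create policy "orders_owner_select" on public.orders
  for select
  to authenticated
  using (auth.uid() = user_id);

-- RLS only filters rows; the table-level grant decides whether anon may
-- issue the query in the first place, so remove that too.
revoke all on public.orders from anon;

-- 3. SECURITY DEFINER RPC that bypasses RLS: the body runs as the function
--    owner, not the caller, so the policy above is never evaluated. Postgres
--    grants EXECUTE on new functions to PUBLIC by default, so PostgREST
--    exposes it at /rpc/get_orders to the anon key.
create or replace function public.get_orders()
returns setof public.orders
language sql
security definer
as $$ select * from public.orders $$;

-- Hardened: SECURITY INVOKER (the default) runs with the caller's role, so
-- RLS applies; pin search_path and restrict who may call it.
create or replace function public.get_orders()
returns setof public.orders
language sql
security invoker
set search_path = public
as $$ select * from public.orders $$;

revoke execute on function public.get_orders() from public, anon;
grant execute on function public.get_orders() to authenticated;

-- Self-check from a privileged session: impersonate anon and confirm the
-- table is no longer readable (expect "permission denied for table orders").
set role anon;
select count(*) from public.orders;
reset role;
```

The self-check mirrors what the anonymous curl in the post does, minus the network: if `set role anon` can still count rows, the REST endpoint can too. Re-run it after every policy change, because a later `create policy ... to anon using (true)` or a fresh `grant select ... to anon` silently reopens the table.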