
I scanned my own Supabase project and found 17 tables anyone could read with the anon key

DEV Community·Perufitlife·24 days ago

I run two SaaS products on Supabase. I've been on the platform for over a year. I'd like to think I know what I'm doing. Then Supabase published the May 2026 update about tables in public no longer auto-exposing to the Data API. Two deadlines: May 30, 2026 — new behavior is the default for all new projects. October 30, 2026 — enforced on all existing projects. My first reaction: "ok cool, doesn't affect me, I have RLS on everything." Then I thought about it for a minute and went, "wait, do I?" So I wrote a 250-line Node.js script to actually check.

What it does

For a given Supabase project ref + Personal Access Token, it queries pg_class, pg_policies, pg_proc, pg_default_acl, and the storage/auth APIs to detect:

Check / Severity
- Table has RLS disabled and anon grants: Critical
- SECURITY DEFINER function executable by anon: High
- Public storage bucket: High
- Default privileges still grant CRUD to anon (the Oct 30 thing): Medium
- Auth signups with autoconfirm: Medium
- RLS-locked table with stale anon grants…
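The catalog checks listed above, written out as plain SQL you can run from the SQL editor with a privileged role. This is an added example, not the author's Node.js script; it assumes the Data API role is named anon and only looks at the public schema.

```sql
-- Added example: the catalog side of the checks the post describes.
-- Assumes the Data API role is called anon and covers only the public schema.

-- 1. Critical: RLS disabled and anon can still read the table.
SELECT c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND NOT c.relrowsecurity             -- row level security not enabled
  AND has_table_privilege('anon', c.oid, 'SELECT');

-- 2. High: SECURITY DEFINER functions that anon is allowed to execute.
SELECT p.proname AS function_name
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef                      -- SECURITY DEFINER
  AND has_function_privilege('anon', p.oid, 'EXECUTE');

-- 3. Medium: default privileges that will hand anon CRUD on future tables.
SELECT n.nspname AS schema_name, a.privilege_type
FROM pg_default_acl d
LEFT JOIN pg_namespace n ON n.oid = d.defaclnamespace
CROSS JOIN LATERAL aclexplode(d.defaclacl) AS a
WHERE d.defaclobjtype = 'r'            -- relations (tables, views)
  AND pg_get_userbyid(a.grantee) = 'anon';

-- 4. RLS enabled, anon still holds a grant, but no policy names anon or
--    public: the grant is stale and can be revoked.
SELECT c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND c.relrowsecurity
  AND has_table_privilege('anon', c.oid, 'SELECT')
  AND NOT EXISTS (
    SELECT 1
    FROM pg_policies pol
    WHERE pol.schemaname = n.nspname
      AND pol.tablename  = c.relname
      AND ('anon' = ANY (pol.roles) OR 'public' = ANY (pol.roles))
  );
```

Storage buckets and auth autoconfirm are not in the catalogs, so those two checks still need the storage and auth APIs the post mentions.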
