A team audited 1,764 apps built with AI coding tools like Lovable and Bolt. The numbers are bad. 7% had publicly accessible Supabase databases: anyone with the URL could read the data. 15% of Bolt-generated apps shipped with hardcoded API keys in source. Source: r/netsec post summarizing the audit.

If you've shipped a vibe-coded side project in the last six months, there is a real chance you are one of those apps.

Why this happens

AI coding tools optimize for the demo. Make it work. Make it look good. Get the user to "wow" in under five minutes. Security is friction, so it gets skipped. The two failure modes are predictable:

Hardcoded secrets. The model writes const SUPABASE_KEY = "eyJhbGciOi..." because that gets the demo working in one file. The user copies the code, pushes it to GitHub or a public Vercel deploy, and the key is now in the world. How bad that is depends on which key it was: Supabase keys are JWTs whose "role" claim is either anon (meant to ship to browsers, and only as safe as your RLS policies) or service_role (bypasses RLS entirely and belongs nowhere outside a server).

Open Supabase RLS. A Supabase table with Row Level Security left off is readable in full by any client holding the anon key, and the anon key is public by design.…
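The hardcoded-secrets failure mode is easy to check for mechanically, because a Supabase key is a JWT and its payload says which key it is. The scanner below is an added example, not code from the audit or from Supabase: it finds JWT-shaped strings in source text, decodes the payload without verifying the signature (we only want the claims), and rates an anon key as informational and a service_role key as critical. The sample source file, project ref and keys are constructed for the demo; the keys carry a dummy signature and would not authenticate anywhere.

```python
import base64
import json
import re

# Supabase API keys are JWTs (header.payload.signature, base64url, no padding).
# The payload's "role" claim is "anon" (shipped to clients, subject to RLS) or
# "service_role" (bypasses RLS; must stay server-side). Both start with "eyJ"
# because both the header and the payload are base64url-encoded JSON objects.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_key(token: str) -> dict:
    """Decode the JWT payload and rate the exposure. No signature check:
    we are triaging a leak, not authenticating, so the claims are enough."""
    _header, payload, _sig = token.split(".")
    try:
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return {"role": None, "ref": None, "severity": "unknown"}
    role = claims.get("role")
    if claims.get("iss") != "supabase":
        severity = "unknown"    # some other JWT, not a Supabase key
    elif role == "service_role":
        severity = "critical"   # full read/write on every table, RLS ignored
    elif role == "anon":
        severity = "info"       # public by design; only RLS stands between it and the data
    else:
        severity = "warn"       # Supabase-issued but an unexpected role
    return {"role": role, "ref": claims.get("ref"), "severity": severity}


def scan_source(text: str) -> list[dict]:
    """Return one finding per JWT-shaped string, with the 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in JWT_RE.finditer(line):
            info = classify_key(match.group(0))
            info["line"] = lineno
            findings.append(info)
    return findings


def _fake_supabase_key(role: str) -> str:
    # Constructed, unsigned sample key for the demo. Real keys are HMAC-signed
    # by Supabase; the claim layout (iss/ref/role/iat/exp) is the real one.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = enc({"alg": "HS256", "typ": "JWT"})
    payload = enc({"iss": "supabase", "ref": "abcdefghijklmnopqrst",
                   "role": role, "iat": 1700000000, "exp": 2000000000})
    return f"{header}.{payload}.{'x' * 43}"


# Constructed sample of the kind of client file the post describes: the model
# put both keys in one file and wired the admin key into the browser client.
SAMPLE_SOURCE = f"""
// constructed sample of a vibe-coded client file
import {{ createClient }} from "@supabase/supabase-js";
const SUPABASE_URL = "https://abcdefghijklmnopqrst.supabase.co";
const SUPABASE_ANON_KEY = "{_fake_supabase_key('anon')}";
const SUPABASE_ADMIN_KEY = "{_fake_supabase_key('service_role')}";
export const supabase = createClient(SUPABASE_URL, SUPABASE_ADMIN_KEY);
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: role={f['role']} project={f['ref']} severity={f['severity']}")
```

Run it over a real checkout (read each file and call scan_source) before pushing. An anon key finding is not itself a breach, but a service_role key in anything that reaches a browser or a public repo should be rotated in the Supabase dashboard before the commit goes out, because once it is public no RLS policy will help.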