--- name: supabase-pentest description: Orchestrate a complete Supabase security audit with guided step-by-step execution and ownership confirmation. --- # Supabase Security Audit Orchestrator > 🔵 **RECOMMENDED: USE PLAN MODE FOR COMPLEX AUDITS** > > When your environment supports **Plan Mode**, it is strongly recommended to activate it before starting the audit: > - Use the `EnterPlanMode` tool at the start of the orchestration > - Plan Mode enables better organization of multi-phase audits > - It allows the user to validate the approach before execution > - If Plan Mode is not available, proceed directly with execution > > **Plan Mode provides better traceability and user control over the audit process.** > 🔴 **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED** > > You MUST write to context files **AS YOU GO**, not just at the end. > - Write to `.sb-pentest-context.json` **IMMEDIATELY after each discovery** > - Log to `.sb-pentest-audit.log` **BEFORE and AFTER each action** > - **DO NOT** wait until a phase or skill completes to update files > - If the audit crashes or is interrupted, all prior findings must already be saved > > **This is not optional. Failure to write progressively is a critical error.** This skill orchestrates a complete security audit of a Supabase-based application, guiding you through each phase with validation checkpoints. ## ⚠️ MANDATORY: Progressive Context File Management **BEFORE starting any audit, you MUST:** 1. Create `.sb-pentest-context.json` if it doesn't exist 2. Create `.sb-pentest-audit.log` if it doesn't exist 3. Create `.sb-pentest-evidence/` directory structure 4. Initialize context with target URL and timestamp **DURING execution - WRITE AS YOU GO:** 1. **BEFORE each action** → Log to `.sb-pentest-audit.log` 2. **AFTER each discovery** → IMMEDIATELY update `.sb-pentest-context.json` 3. **AFTER each test** → Save evidence to `.sb-pentest-evidence/` 4. **DO NOT batch writes** → Each finding must be saved as it's discovered 5. **Verify after each skill** → Check that ALL files were updated before proceeding ## 📋 SYSTEMATIC DOCUMENTATION REQUIREMENTS > **All tracking files MUST be systematically maintained throughout the entire audit.** ### Required Files (MANDATORY) | File | Purpose | Update Frequency | |------|---------|------------------| | `.sb-pentest-context.json` | Centralized state and findings | After EVERY discovery | | `.sb-pentest-audit.log` | Chronological action log | BEFORE and AFTER every action | | `.sb-pentest-evidence/timeline.md` | Timestamped findings narrative | After EVERY significant finding | | `.sb-pentest-evidence/curl-commands.sh` | Reproducible test commands | After EVERY curl/HTTP request | ### Verification Checklist (Before Each Phase Transition) Before moving to the next phase, the orchestrator MUST verify: - [ ] `.sb-pentest-context.json` contains all discoveries from current phase - [ ] `.sb-pentest-audit.log` has entries for all actions performed - [ ] Evidence files exist in `.sb-pentest-evidence/XX-phase-name/` - [ ] `timeline.md` is updated with any P0/P1/P2 findings - [ ] `curl-commands.sh` contains all HTTP requests made **If any file is missing or incomplete, DO NOT proceed to the next phase.** ### Progressive Write Pattern Each skill MUST follow this pattern: ``` 1. [LOG] Write START entry to audit.log 2. [CONTEXT] Update context.json with "phase_in_progress" 3. [ACTION] Perform the test/scan 4. [EVIDENCE] Save evidence file IMMEDIATELY 5. [CURL] Append curl command to curl-commands.sh 6. [TIMELINE] Update timeline.md if significant finding 7. [CONTEXT] Update context.json with results 8. [LOG] Write COMPLETE entry to audit.log ``` ### Failure Recovery If a skill or phase fails: - All files updated up to the failure point are preserved - The audit can be resumed from the last successful checkpoint - Context file indicates exactly where the audit stopped ⚠️ **WHY THIS MATTERS:** - If the audit is interrupted, crashes, or times out, findings up to that point are preserved - Long-running skills must save progress incrementally, not just at the end - Users can monitor progress in real-time by watching the log file **FAILURE TO UPDATE CONTEXT FILES PROGRESSIVELY IS NOT ACCEPTABLE.** Each individual skill is responsible for updating these files **AS IT WORKS**, not just at completion. If a skill does not update the context progressively, the orchestrator must do it immediately after each discovery. ## When to Use This Skill - Running a complete security assessment on a Supabase application - Performing internal security self-assessment before production - Auditing an application after security concerns are raised - Conducting periodic security reviews ## Prerequisites - A public URL of the application to audit - **Authorization to test the target application** (you must own it or have explicit permission) - Internet access to reach the target URL ## Important Security Notice ``` ⚠️ AUTHORIZATION REQUIRED Before proceeding, you must confirm: 1. I own this application, OR 2. I have explicit written authorization to perform security testing Unauthorized security testing may violate laws and terms of service. Type "I confirm I am authorized to test this application" to proceed. ``` ## Audit Phases The orchestrator runs these phases sequentially with confirmation between each. > 📁 **REMINDER: After EVERY phase, verify that:** > - `.sb-pentest-context.json` is updated with phase results > - `.sb-pentest-audit.log` has START and COMPLETE entries > - Evidence files are saved to `.sb-pentest-evidence/XX-phase/` > - `timeline.md` reflects any significant findings > - `curl-commands.sh` contains all HTTP requests made ### Phase 0: Initialization Sets up the audit environment and evidence collection. **Pre-Phase Action (if supported):** - **Use `EnterPlanMode`** if the environment supports it - This allows the user to validate the audit approach before execution - If Plan Mode is not available, proceed directly **Actions:** - Create `.sb-pentest-context.json` - Create `.sb-pentest-audit.log` - Create `.sb-pentest-evidence/` directory structure - Initialize `curl-commands.sh` with header - Initialize `timeline.md` with audit start - Log initialization to `.sb-pentest-audit.log` **Skills invoked:** - `supabase-evidence` (initialization) **Verification before proceeding:** - [ ] All 4 tracking files exist - [ ] Evidence directory structure is complete - [ ] User authorization confirmed **Output:** Ready to collect evidence with full directory structure ### Phase 1: Detection Determines if the target uses Supabase and extracts basic information. **Skills invoked:** - `supabase-detect` **Output:** Confirmation of Supabase usage, project URL identified **Evidence saved to:** `.sb-pentest-evidence/01-detection/` ### Phase 2: Key Extraction Scans client-side code for exposed credentials. **Skills invoked:** - `supabase-extract-url` - `supabase-extract-anon-key` - `supabase-extract-service-key` - `supabase-extract-jwt` - `supabase-extract-db-string` **Output:** List of all discovered credentials with severity assessment **Evidence saved to:** `.sb-pentest-evidence/02-extraction/` ### Phase 3: API Audit Tests PostgREST API exposure and RLS policies. **Skills invoked:** - `supabase-audit-tables-list` - `supabase-audit-tables-read` - `supabase-audit-rls` - `supabase-audit-rpc` **Output:** Tables accessible, data exposure assessment, RLS gaps **Evidence saved to:** `.sb-pentest-evidence/03-api-audit/` ### Phase 4: Storage Audit Checks storage bucket configurations and access. **Skills invoked:** - `supabase-audit-buckets-list` - `supabase-audit-buckets-read` - `supabase-audit-buckets-public` **Output:** Bucket inventory, public exposure, accessible files **Evidence saved to:** `.sb-pentest-evidence/04-storage-audit/` ### Phase 5: Auth Audit Analyzes authentication configuration and potential weaknesses. **Skills invoked:** - `supabase-audit-auth-config` - `supabase-audit-auth-signup` - `supabase-audit-auth-users` - `supabase-audit-authenticated` ← **NEW: Creates test user (with consent) to detect IDOR** **Output:** Auth provider analysis, signup restrictions, enumeration risks, authenticated vs anonymous comparison **Evidence saved to:** `.sb-pentest-evidence/05-auth-audit/` > ⚠️ **Note:** `supabase-audit-authenticated` will ask for explicit consent before creating a test user. This is optional but highly recommended to detect IDOR and cross-user access vulnerabilities. ### Phase 6: Realtime & Functions Audit Tests WebSocket channels and Edge Functions. **Skills invoked:** - `supabase-audit-realtime` - `supabase-audit-functions` **Output:** Exposed channels, function endpoints, access control issues **Evidence saved to:** `.sb-pentest-evidence/06-realtime-audit/` and `.sb-pentest-evidence/07-functions-audit/` ### Phase 7: Report Generation Compiles all findings into a comprehensive report. **Skills invoked:** - `supabase-report` **Output:** Full Markdown report with executive summary, findings, and remediation ## Workflow with Plan Mode When Plan Mode is supported, the recommended workflow is: ``` 1. User requests audit → Agent uses EnterPlanMode 2. Agent explores target superficially (detect Supabase, extract URL) 3. Agent writes plan to plan file with: - Target URL - Detected Supabase configuration - Proposed phases to execute - Estimated scope 4. Agent uses ExitPlanMode → User reviews and approves 5. Agent executes phases with systematic file updates 6. After each phase → Agent confirms files are updated 7. Final report generation ``` **Benefits of Plan Mode:** - User can adjust scope before execution starts - Better visibility into what will be tested - Clearer audit trail from planning to execution ## Usage ### Basic Full Audit (with Plan Mode) ``` Run a Supabase security audit on https://myapp.example.com ``` The agent SHOULD: 1. Use `EnterPlanMode` if available 2. Present the audit plan for approval 3. Execute with systematic file updates ### Basic Full Audit (without Plan Mode) ``` Run a Supabase security audit on https://myapp.example.com --no-plan ``` ### Resume from Phase ``` Continue Supabase audit from Phase 3 (API Audit) ``` ### Skip Specific Phases ``` Run Supabase audit on https://myapp.example.com, skip auth audit ``` ## Context Files and Evidence (MANDATORY) ⚠️ **CRITICAL: Updating tracking files and collecting evidence is MANDATORY.** The orchestrator creates and manages: | File/Directory | Purpose | |----------------|---------| | `.sb-pentest-context.json` | Stores extracted data between phases | | `.sb-pentest-audit.log` | Logs all actions with timestamps | | `.sb-pentest-evidence/` | **Evidence directory for professional audits** | ### Evidence Collection The orchestrator initializes the evidence directory at the start of every audit: ``` .sb-pentest-evidence/ ├── README.md # Evidence index ├── curl-commands.sh # All reproducible curl commands ├── timeline.md # Chronological findings ├── 01-detection/ # Detection evidence ├── 02-extraction/ # Key extraction evidence ├── 03-api-audit/ # API audit evidence │ ├── tables/ │ ├── data-samples/ │ ├── rls-tests/ │ └── rpc-tests/ ├── 04-storage-audit/ # Storage audit evidence │ ├── buckets/ │ └── public-url-tests/ ├── 05-auth-audit/ # Auth audit evidence │ ├── signup-tests/ │ └── enumeration-tests/ ├── 06-realtime-audit/ # Realtime audit evidence ├── 07-functions-audit/ # Functions audit evidence └── screenshots/ # Optional screenshots ``` **Each skill MUST save evidence to its respective directory as it works.** ### Mandatory Update Rules 1. **After each skill execution**, `.sb-pentest-context.json` MUST be updated with results 2. **Every action** MUST be logged in `.sb-pentest-audit.log` with timestamp 3. **If files don't exist**, they MUST be created at audit start 4. **Never complete a skill** without updating context files ### Mandatory Log Format Each entry in `.sb-pentest-audit.log` must follow this format: ``` [YYYY-MM-DD HH:MM:SS] [SKILL_NAME] [STATUS] Message ``` Example: ``` [2025-01-31 14:00:00] [supabase-detect] [START] Starting Supabase detection [2025-01-31 14:00:05] [supabase-detect] [SUCCESS] Supabase detected [2025-01-31 14:00:05] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json updated ``` ### Context File Structure ```json { "target_url": "https://myapp.example.com", "started_at": "2025-01-31T10:00:00Z", "authorization_confirmed": true, "supabase": { "detected": true, "project_url": "https://abc123.supabase.co", "anon_key": "eyJ...", "service_key_exposed": false }, "phases_completed": ["detection", "extraction"], "findings": [] } ``` ## Rate Limiting The orchestrator implements adaptive rate limiting: 1. Starts with normal request speed 2. If HTTP 429 (Too Many Requests) is detected, backs off exponentially 3. Respects Supabase's rate limit headers ## Output Format After each phase: ``` ═══════════════════════════════════════════════════════════ PHASE 2 COMPLETE: Key Extraction ═══════════════════════════════════════════════════════════ Findings: ├── ✅ Anon key found (expected) ├── ❌ P0: Service role key EXPOSED in main.js:1247 └── ⚠️ P1: JWT secret pattern detected Proceed to Phase 3 (API Audit)? [Y/n] ═══════════════════════════════════════════════════════════ ``` ## Best Practices - Run audits in non-production hours to minimize impact - Save the context file for audit trail purposes - Review findings with your security team before remediation - Re-run the audit after implementing fixes to verify ## Common Issues ❌ **Problem:** Audit stops at Phase 1 with "Supabase not detected" ✅ **Solution:** The app may use a custom domain. Manually provide the Supabase URL: ``` Run audit with Supabase URL https://myproject.supabase.co ``` ❌ **Problem:** Rate limited during audit ✅ **Solution:** The orchestrator auto-adjusts. If persistent, wait 5 minutes and resume. ❌ **Problem:** Context file corrupted ✅ **Solution:** Delete `.sb-pentest-context.json` and restart the audit. ## Related Skills - `supabase-help` — Quick reference for all skills - `supabase-evidence` — Evidence collection management - `supabase-report` — Generate report from existing context - `supabase-report-compare` — Compare with previous audits