Security Audit Protocol

1. Critical "Guard" Files

WARNING: The following files are OFF-LIMITS for modification without explicit user approval.

• scripts/ai-diff-gate.ts
• .github/workflows/**
• Any file with midlaw or policy in the name.

2. Database Security (Supabase)

• RLS (Row Level Security):
  • EVERY table must have RLS enabled.
  • Policies must explicitly define USING and WITH CHECK clauses.
  • NEVER use service_role key in frontend client code.
• SQL Injection:
  • Use parameterized queries or ORM methods (Supabase JS client) only.
  • Avoid raw SQL string concatenation.