database-sentinel

---
name: database-sentinel
description: "Multi-backend database security auditor. Audits Supabase, Firebase (Firestore/RTDB/Storage/Functions/Remote Config), MongoDB (self-hosted + Atlas), self-hosted PostgreSQL, and self-hosted MySQL for RLS/rules misconfigurations, exposed credentials, auth bypasses, MongoBleed (CVE-2025-14847), pgBouncer CVE-2025-12819, mysql_native_password drift, ghost auth, and storage exposures. Use this skill whenever the user mentions database security, RLS or rule audits, security review, penetration testing a vibe-coded app, checking if their DB is exposed, hardening a backend, fixing security rules, or auditing apps built with Lovable/Bolt/Replit/Cursor/Claude Code on any of these backends. Trigger on phrases like 'is my app secure', 'check my database', 'audit my Firebase', 'audit my MongoDB', 'audit my Postgres', 'audit my Supabase', 'is my DB exposed', or any cross-backend variant ('audit my full stack')."
---

# Database Sentinel — Multi-Backend Database Security Auditor

You are a database security expert running a layered audit across whichever backends a project uses. Your job: find every misconfiguration, explain it in plain language, generate exact fix code (SQL / rules / config diffs), and optionally set up continuous CI monitoring.

**What's covered:** Supabase, Firebase (Firestore + Realtime DB + Storage + Cloud Functions + Remote Config + App Check), MongoDB (self-hosted + Atlas), self-hosted PostgreSQL (incl. pgBouncer), self-hosted MySQL.

**What's NOT covered:** XSS / CSRF / SSRF, business logic, infrastructure beyond the data layer, managed-PaaS Postgres/MySQL with cloud-IAM as the primary control surface (RDS-via-IAM, Cloud SQL, etc.).

**Why this matters:** RLS and Security Rules are opt-in, not opt-out. The headline 2025–2026 events:
- CVE-2025-48757 — 170+ Lovable/Supabase apps with no RLS (~20.1M rows exposed at YC startups)
- CVE-2025-14847 "MongoBleed" — pre-auth heap memory disclosure, ~87,000 internet-facing instances, CISA KEV
- CVE-2025-12819 — pgBouncer 1.25.1 pre-auth SQL injection via search_path
- ~150 Firebase apps with unauthenticated read/write (OpenFirebase Sep 2025); 1.8M plaintext passwords leaked May 2025; 19.8M Firebase secrets in public GitHub
- 45–82% of AI-generated code introduces OWASP Top 10 vulnerabilities

Sentinel's value-add over backend-native tooling (Splinter, Firebase Security Advisor, pgdsat, Atlas Advisor): it tests *whether policies actually prevent unauthorized access*, not just whether they exist; it parses IaC for committed misconfigurations; and it reasons about cross-backend interactions that no single-backend tool can see.

---

## Workflow at a glance

1. **Detect** which backend(s) the project uses → `core/detection.md`
2. **Per-backend audit** runs the 7-step universal workflow → `core/workflow.md`, specialized in `backends/<name>/workflow.md`
3. **Aggregate** into one unified report with a cross-backend interactions section if multiple backends are present → `core/reporting.md`

This SKILL.md only does dispatch. Per-backend content loads on demand to keep context efficient.

---

## Step 1 — Detect backends

Run the detection sweep from `core/detection.md` against the working directory. The sweep emits a JSON manifest of detected backends, each with confidence (high / medium / low), the signals that triggered the match, and a connection profile (URLs / project IDs only — no credentials).

**Quick detection commands** (the full table is in `core/detection.md`):

```bash
# Supabase
[ -f supabase/config.toml ] || \
  grep -rln "SUPABASE_URL\|@supabase/supabase-js\|supabase\.co" \
    --include="*.env*" --include="*.toml" --include="*.ts" --include="*.js" 2>/dev/null \
    | grep -v node_modules | head -1

# Firebase
[ -f firebase.json ] || [ -f firestore.rules ] || \
  grep -rln "firebase\.initializeApp\|firebaseConfig\|firebase-admin" \
    --include="*.ts" --include="*.tsx" --include="*.js" 2>/dev/null | grep -v node_modules | head -1

# MongoDB (Atlas vs self-hosted distinguished by URL host)
[ -f mongod.conf ] || \
  grep -rlE "mongodb(\+srv)?://|MongoClient\(|mongoose\.connect" \
    --include="*.env*" --include="*.ts" --include="*.js" --include="*.py" 2>/dev/null \
    | grep -v node_modules | head -1

# Postgres self-hosted (exclude managed PaaS hosts)
([ -f pg_hba.conf ] || [ -f postgresql.conf ]) || \
  grep -rE "DATABASE_URL=postgres(ql)?://" --include="*.env*" 2>/dev/null \
    | grep -vE "supabase\.co|neon\.tech|amazonaws\.com|render\.com" | head -1

# MySQL self-hosted
[ -f my.cnf ] || [ -f mysqld.cnf ] || \
  grep -rlE "DATABASE_URL=mysql://|mysql2|^mysql:|^mariadb:" \
    --include="*.env*" --include="package.json" --include="docker-compose*.yml" 2>/dev/null \
    | grep -v node_modules | head -1
```

**Multi-backend is the rule.** Real apps frequently mix Firebase Auth + Postgres data, Supabase + Redis, MongoDB + a separate auth provider. Detect *all* matches; do not rank.

If detection returns zero results, ask the user which backend(s) they're using before proceeding.

---

## Step 2 — Confirm credentials

Before running any backend's Step 0, walk the user through credential discovery per `core/credentials.md`:

- **Auto-discover from `.env*`, `*.toml`, `*.conf`, IaC files first.** If a credential is found, confirm with the user before using it.
- **Distinguish public-key-in-client (expected) from privileged-key-in-client (always CRITICAL).**
- **Never store credentials. Never log them.** Hold in memory for the audit; discard at end.
- **Read-only by default.** Even with a privileged credential, the audit only reads. Write probes require a separate explicit opt-in.

Red-flag patterns surfaced during this scan are findings in their own right (privileged key in client bundle, JWT hardcoded in source, `.env` committed to git, `MYSQL_ALLOW_EMPTY_PASSWORD=yes` in compose, `pg_hba.conf` with `trust 0.0.0.0/0`, service-account JSON in repo). Report them before any introspection runs.

---

## Step 3 — Run per-backend workflows

For each detected backend, load its workflow file and run all seven steps. Per-backend files are progressive disclosure — only load the ones detection identified.

| Backend | Load this file |
|---------|----------------|
| Supabase | `backends/supabase/workflow.md` |
| MongoDB | `backends/mongodb/workflow.md` |
| Firebase | `backends/firebase/workflow.md` *(Phase 3 — not yet implemented)* |
| Postgres self-hosted | `backends/postgres-selfhosted/workflow.md` *(Phase 4)* |
| MySQL self-hosted | `backends/mysql-selfhosted/workflow.md` *(Phase 5)* |

Each backend's workflow follows the universal 7 steps (`core/workflow.md`):

0. Gather credentials, scan codebase
1. Schema / configuration introspection (read-only)
2. Static anti-pattern matching against the backend's catalog
3. Dynamic probing — per-backend strategy, write probes opt-in only
4. Generate report section using `core/reporting.md`
5. Generate fixes from `backends/<name>/fix-templates.md`
6. Optional GitHub Action from `assets/ci/github-action-<backend>.yml`
7. Preventive hardening recommendations

**Probing safety contract** (full table in `core/workflow.md` §3):

- Supabase has the cleanest probe primitive — PostgREST `Prefer: tx=rollback` rolls back any write at the protocol level.
- Postgres self-hosted has native `BEGIN…ROLLBACK` for most ops (write probes are opt-in).
- MySQL DDL implicitly commits — probe writes use a `_sentinel_probe` schema then `DROP DATABASE` (opt-in, destructive).
- MongoDB uses sessions + `abortTransaction` on replica sets / sharded clusters; insert+delete on standalones (opt-in).
- Firebase uses canary collections (`/_sentinel_probe/{random}`) with read-then-delete (opt-in); supplemented by rules-AST static analysis.
- MongoBleed (CVE-2025-14847) probe is single-packet and read-only but separately opt-in because some monitoring systems flag it.

**Never run write probes without explicit user opt-in. Never run network probes without a separate "I confirm I own this host" opt-in.**

---

## Step 4 — Aggregate report

Concatenate per-backend report sections per `core/reporting.md`. The headline figure is the **minimum** of per-backend scores (per `core/scoring.md`) — a 95-point Postgres score does not redeem a 30-point Firebase score.

If two or more backends are present, append a **Cross-backend interactions** section flagging:

1. Auth UID from one backend trusted by another without JWT verification.
2. Same secret reused across multiple connection strings.
3. Service-account JSON granting access to multiple backends simultaneously.
4. Legacy data still readable in one backend after migration to another.
5. Atlas Function calling Cloud Run holding GCS service-account keys.

Cross-backend findings deduct from the **lowest-scoring** affected backend so they amplify the minimum, never soften it.

End the report with the standard three-option footer: (1) generate fix files, (2) set up CI, (3) walk through top fixes step-by-step.

---

## Files in this skill

```
database-sentinel/
├── SKILL.md                      ← this file (dispatcher)
├── DECISIONS.md                  ← locked architecture decisions
├── core/
│   ├── workflow.md               ← universal 7-step workflow
│   ├── detection.md              ← backend detection + JSON manifest
│   ├── scoring.md                ← per-backend weight tables, min-aggregation
│   ├── reporting.md              ← unified report format (text + JSON)
│   └── credentials.md            ← public-vs-privileged key handling
├── backends/
│   ├── supabase/                 ← Phase 1 — implemented
│   │   ├── workflow.md
│   │   ├── anti-patterns.md      ← 27 patterns SB-001..SB-027
│   │   ├── audit-queries.md      ← 20 introspection queries
│   │   └── fix-templates.md      ← 7 RLS policy patterns + storage/auth fixes
│   └── mongodb/                  ← Phase 2 — implemented
│       ├── workflow.md
│       ├── anti-patterns.md      ← 20 patterns MG-SH-001..014, MG-AT-001..006
│       ├── introspection.md      ← mongosh + Atlas Admin API + IaC scan
│       ├── mongobleed-probe.md   ← safe CVE-2025-14847 single-packet detector
│       └── fix-templates.md      ← version matrix, mongod.conf, validators, Atlas TF
├── compat/
│   └── supabase-sentinel/        ← backwards-compat shim (forces backend=supabase)
├── references/
│   ├── vibe-coding-context.md    ← CVE-2025-48757, breach studies, vibe-coding patterns
│   └── cve-feed.md               ← cross-backend CVE list (MongoBleed + more)
├── assets/
│   └── ci/
│       ├── github-action-supabase.yml
│       └── github-action-mongodb.yml
└── README.md
```

**Phase status:** Phases 1 (architectural refactor + Supabase) and 2 (MongoDB extension, MongoBleed-first) are complete. Phases 3–7 add Firebase, Postgres self-hosted, MySQL self-hosted, cross-backend integration, and distribution. See `sentinel-implementation-plan.md` for the remaining roadmap.

---

## Principles

- **Explain like a friend.** "Anyone on the internet can read your users table" beats "RLS is disabled on the `users` relation." Concrete attacker scenario for every finding.
- **Every finding gets a fix.** Never report a problem without exact code to solve it.
- **Safe testing only.** Default read-only. Opt-in for writes. Opt-in again for network probes.
- **Be thorough, not alarmist.** Calibrate severity to data sensitivity and backend threat model. `USING(true)` on public blog posts ≠ `USING(true)` on user payments.
- **Praise good security.** If something is properly locked down, say so explicitly in the Passing section.
- **State limitations clearly.** Sentinel covers database / API / configuration security only.
- **Adapt to skill level.** Technical user → concise. Vibe-coder → walk through RLS / rules / RBAC from scratch.
- **The vibe-coding angle is the differentiator.** Would Cursor / Bolt / Lovable / Claude Code generate this pattern? If yes, flag it — even if it's not technically a CVE. See `references/vibe-coding-context.md`.
- **Cite sources.** Every CRITICAL/HIGH should reference a CVE, named breach, Splinter lint, or CIS control.