The_Blade 4 hours ago
> So you get people deploying API keys client side and dbs without RLS. Or deploying service keys client side when they should be anon. I mean really basic stuff. Claude Code will do this, and actively encourage bypassing any verification before pushing to prod. I saw that first hand with its attempted handling of a major CIAM provider, and then Vercel using whatever OAuth provider in the ol' transitive breach. That is common knowledge now, right? Or am I just smoking yellow tops?
fragmede an hour ago
Yeah but Supabase yells really loudly if you have RLS turned off with their own AI agent, plus you can ask Claude to red team the platform to have it lock it down.