Retr0id 2 hours ago
The biggest problem I see with vibecoded apps attached to a db is that the db is configured with exactly 0 access control (even if whatever backend does support it), and anyone can turn up and SELECT * FROM users, or even DROP TABLE users. How do you mitigate this?
stopachka 2 hours ago
Good question. Two ways: 1. For the users table specifically, we have a default rule that says `"view": "auth.id == data.id"`. This way even if the user (or AI) did not set access controls, user data is protected by default. 2. In the instructions file given to the agent (https://www.getadb.com/provision/new), we specifically mention permissions and how to push them. We found this prods the agent to push perms.
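To make concrete what a row-level rule like `"view": "auth.id == data.id"` buys you, here is an added example of a tiny permission filter written for this thread. It is not the database's own rule engine and the rule syntax it accepts is an assumption (only `<path> == <path>` over `auth`/`data`, plus the literals `true`/`false`); the entity names, the `DEFAULT_RULES` table and the fail-closed fallback for entities with no rule are all choices made for the example. It shows the same query returning only the caller's own row under the default rule, nothing for an unauthenticated caller, and every row once someone overrides the rule with `true` (the "0 access control" setup the parent comment describes).

```javascript
// Added example, not the product's code: a minimal row-level "view" filter.
// Rules are parsed into a small AST and evaluated without eval(), so a rule
// string coming from a config file cannot run arbitrary code.

function parseRule(rule) {
  const s = String(rule).trim();
  if (s === 'true' || s === 'false') return { kind: 'literal', value: s === 'true' };
  // Assumed grammar: exactly one equality between two dotted paths.
  const m = /^([A-Za-z_][\w.]*)\s*==\s*([A-Za-z_][\w.]*)$/.exec(s);
  if (!m) throw new Error(`unsupported rule: ${rule}`);
  return { kind: 'eq', left: m[1].split('.'), right: m[2].split('.') };
}

// Walk a dotted path through the evaluation environment; any missing hop
// (e.g. auth === null for an anonymous request) yields undefined.
function lookup(path, env) {
  let cur = env;
  for (const key of path) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

function evalRule(ast, env) {
  if (ast.kind === 'literal') return ast.value;
  const l = lookup(ast.left, env);
  const r = lookup(ast.right, env);
  // Fail closed: an undefined side never satisfies the rule, so an
  // unauthenticated caller cannot match a row whose id happens to be undefined.
  return l !== undefined && r !== undefined && l === r;
}

// Assumed defaults for the example: users are self-scoped, as in the comment;
// any other entity without an explicit rule is denied.
const DEFAULT_RULES = { users: 'auth.id == data.id' };

function viewRuleFor(perms, entity) {
  const explicit = perms && perms[entity] && perms[entity].allow && perms[entity].allow.view;
  if (explicit !== undefined) return explicit;
  return entity in DEFAULT_RULES ? DEFAULT_RULES[entity] : 'false';
}

// Apply the entity's view rule to every candidate row and keep the ones it allows.
function selectVisible(perms, entity, auth, rows) {
  const ast = parseRule(viewRuleFor(perms, entity));
  return rows.filter((data) => evalRule(ast, { auth, data }));
}

// Constructed sample data (not real records).
const USERS = [
  { id: 'u1', email: 'a@example.com' },
  { id: 'u2', email: 'b@example.com' },
];
const POSTS = [
  { id: 'p1', owner_id: 'u1', body: 'hello' },
  { id: 'p2', owner_id: 'u2', body: 'world' },
];

// No permissions pushed at all: the users default still applies.
const NO_PERMS = {};
// Permissions an agent might push: posts scoped to their owner.
const SCOPED_PERMS = { posts: { allow: { view: 'auth.id == data.owner_id' } } };
// The "0 access control" configuration: anyone can read every user.
const OPEN_PERMS = { users: { allow: { view: 'true' } } };

console.log(selectVisible(NO_PERMS, 'users', { id: 'u1' }, USERS));   // only u1
console.log(selectVisible(NO_PERMS, 'users', null, USERS));           // []
console.log(selectVisible(SCOPED_PERMS, 'posts', { id: 'u2' }, POSTS)); // only p2
console.log(selectVisible(NO_PERMS, 'posts', { id: 'u2' }, POSTS));   // [] (no rule => deny)
console.log(selectVisible(OPEN_PERMS, 'users', null, USERS));         // every user
```

The interesting cases are the last two calls: an entity nobody wrote a rule for returns nothing (the example's own fail-closed choice), while an explicit `true` rule hands every row to an anonymous caller, which is exactly the state the first comment is worried about and why a self-scoped default on the users table matters.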