security-audit-pro

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

🛡️ Skill: security-audit-pro (v1.0.0)

🛡️ Skill：security-audit-pro（v1.0.0）

Executive Summary

执行摘要

Senior Data Security Architect & Forensic Auditor for 2026. Specialized in Row Level Security (RLS) enforcement, Zero-Trust database architecture, and automated data access auditing. Expert in neutralizing unauthorized access in Convex, Supabase, and Postgres environments through strict policy validation, JIT (Just-in-Time) access controls, and forensic trace analysis.

2026年资深数据安全架构师与法医审计师。专长于行级安全（RLS）实施、零信任数据库架构以及自动化数据访问审计。擅长通过严格的策略验证、JIT（即时）访问控制和法医追踪分析，消除Convex、Supabase和Postgres环境中的未授权访问。

📋 The Conductor's Protocol

📋 指挥协议

Attack Surface Mapping: Identify all entry points to the data layer (Public APIs, Internal Dashboards, AI Agents).
Policy Audit: Review existing RLS policies or Convex function permissions for logical bypasses.

Sequential Activation:

activate_skill(name="security-audit-pro")

→

activate_skill(name="auditor-pro")

→

activate_skill(name="db-enforcer")

Verification: Execute "Shadow Access" simulations to verify that an unauthenticated or unauthorized user cannot retrieve sensitive rows.

攻击面映射：识别数据层的所有入口点（公开API、内部仪表板、AI Agent）。
策略审计：审查现有RLS策略或Convex函数权限，检查是否存在逻辑绕过漏洞。

顺序激活:

activate_skill(name="security-audit-pro")

→

activate_skill(name="auditor-pro")

→

activate_skill(name="db-enforcer")

。

验证：执行“影子访问”模拟，验证未认证或未授权用户无法获取敏感行数据。

🛠️ Mandatory Protocols (2026 Standards)

🛠️ 强制协议（2026年标准）

1. RLS by Default (Supabase/Postgres)

1. 默认启用RLS（Supabase/Postgres）

As of 2026, every table in a public schema must have RLS enabled.

Rule: Never use the
```
service_role
```
key for client-side operations.
Protocol: Use Asymmetric JWTs and rotate secret keys monthly. Enable
```
pgaudit
```
for high-sensitivity tables.

截至2026年，公开架构中的每个表都必须启用RLS。

规则：永远不要在客户端操作中使用
```
service_role
```
密钥。
协议：使用非对称JWT，每月轮换密钥。对高敏感度表启用
```
pgaudit
```
。

2. Explicit Auth Validation (Convex)

2. 显式身份验证验证（Convex）

Rule: Every Convex function must explicitly call
```
ctx.auth.getUserIdentity()
```
.
Protocol: Favor granular "Action-Based" functions (e.g.,
```
transferOwnership
```
) over generic "Update" functions to ensure precise permission checks.

规则：每个Convex函数必须显式调用
```
ctx.auth.getUserIdentity()
```
。
协议：优先使用细粒度的“基于操作”函数（如
```
transferOwnership
```
），而非通用的“更新”函数，以确保精确的权限检查。

3. Just-in-Time (JIT) Data Access

3. 即时（JIT）数据访问

Rule: Avoid "Standing Privileges" for administrative tasks.
Protocol: Implement time-bound access grants that expire automatically after the task is complete.

规则：避免为管理任务设置“长期权限”。
协议：实施有时间限制的访问授权，任务完成后自动过期。

4. Forensic Audit Trails

4. 法医审计追踪

Rule: "Who accessed what and when" must be logged in a non-repudiable format.
Protocol: Use database triggers to maintain an immutable
```
audit_log
```
table containing
```
old_data
```
,
```
new_data
```
, and
```
actor_id
```
.

规则：“谁在何时访问了什么内容”必须以不可抵赖的格式记录。
协议：使用数据库触发器维护不可变的
```
audit_log
```
表，包含
```
old_data
```
、
```
new_data
```
和
```
actor_id
```
。

🚀 Show, Don't Just Tell (Implementation Patterns)

🚀 实操演示（实现模式）

Hardened RLS Policy (Supabase/Postgres)

强化RLS策略（Supabase/Postgres）

sql

-- Enable RLS
ALTER TABLE sensitive_data ENABLE ROW LEVEL SECURITY;

-- Create a policy for "Teams" where users can only see data from their own team
CREATE POLICY user_team_access ON sensitive_data
FOR SELECT
TO authenticated
USING (
  team_id IN (
    SELECT team_id FROM team_members WHERE user_id = auth.uid()
  )
);

-- Optimization: Wrap in a function and use indexing on team_id

sql

-- Enable RLS
ALTER TABLE sensitive_data ENABLE ROW LEVEL SECURITY;

-- Create a policy for "Teams" where users can only see data from their own team
CREATE POLICY user_team_access ON sensitive_data
FOR SELECT
TO authenticated
USING (
  team_id IN (
    SELECT team_id FROM team_members WHERE user_id = auth.uid()
  )
);

-- Optimization: Wrap in a function and use indexing on team_id

Convex Auth Guard Pattern

Convex身份验证防护模式

typescript

import { query } from "./_generated/server";
import { v } from "convex/values";

export const getSecureData = query({
  args: { id: v.id("items") },
  handler: async (ctx, args) => {
    const identity = await ctx.auth.getUserIdentity();
    if (!identity) throw new Error("Unauthenticated");

    const item = await ctx.db.get(args.id);
    if (!item || item.ownerId !== identity.subject) {
      throw new Error("Unauthorized access attempt logged.");
    }
    return item;
  },
});

typescript

import { query } from "./_generated/server";
import { v } from "convex/values";

export const getSecureData = query({
  args: { id: v.id("items") },
  handler: async (ctx, args) => {
    const identity = await ctx.auth.getUserIdentity();
    if (!identity) throw new Error("Unauthenticated");

    const item = await ctx.db.get(args.id);
    if (!item || item.ownerId !== identity.subject) {
      throw new Error("Unauthorized access attempt logged.");
    }
    return item;
  },
});

🛡️ The Do Not List (Anti-Patterns)

🛡️ 禁止事项（反模式）

DO NOT rely on "Security by Obscurity" (e.g., using UUIDs as the only protection).
DO NOT leave the
```
anon
```
role with
```
SELECT
```
permissions on sensitive tables.
DO NOT use
```
auth.uid() = user_id
```
without an index on
```
user_id
```
. It will kill production performance.
DO NOT perform permission checks only in the frontend. If the DB allows it, an attacker will find it.
DO NOT forget to audit the
```
service_role
```
usage. It bypasses all RLS!

切勿依赖“通过模糊实现安全”（例如仅使用UUID作为保护）。
切勿让
```
anon
```
角色拥有敏感表的
```
SELECT
```
权限。
切勿在
```
user_id
```
上未建索引的情况下使用
```
auth.uid() = user_id
```
。这会严重影响生产环境性能。
切勿仅在前端执行权限检查。如果数据库允许访问，攻击者总会找到方法。
切勿忘记审计
```
service_role
```
的使用情况。它会绕过所有RLS！

📂 Progressive Disclosure (Deep Dives)

📂 渐进式披露（深度解析）

RLS Performance Optimization: Indexing, caching, and function wrapping.
Zero-Trust DB Architecture: Micro-segmentation at the data layer.
Audit Log Implementation: Triggers, PGAudit, and tamper-proof logs.
Convex Security Deep Dive: Validating identities and granular functions.

RLS性能优化：索引、缓存与函数封装。
零信任数据库架构：数据层微分段。
审计日志实现：触发器、PGAudit与防篡改日志。
Convex安全深度解析：身份验证验证与细粒度函数。

🛠️ Specialized Tools & Scripts

🛠️ 专用工具与脚本

```
scripts/simulate-leak.ts
```
: Attempts to query all rows from a table using an anonymous context to verify RLS.
```
scripts/extract-audit-report.py
```
: Aggregates logs into a compliance-ready PDF.

```
scripts/simulate-leak.ts
```
：尝试使用匿名上下文查询表中所有行，以验证RLS。
```
scripts/extract-audit-report.py
```
：将日志汇总为符合合规要求的PDF。

🎓 Learning Resources

🎓 学习资源

Updated: January 23, 2026 - 21:05

更新时间：2026年1月23日 - 21:05