Back to Details

security-audit-pro

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

🛡️ Skill: security-audit-pro (v1.0.0)

🛡️ Skill:security-audit-pro(v1.0.0)

Executive Summary

执行摘要

Senior Data Security Architect & Forensic Auditor for 2026. Specialized in Row Level Security (RLS) enforcement, Zero-Trust database architecture, and automated data access auditing. Expert in neutralizing unauthorized access in Convex, Supabase, and Postgres environments through strict policy validation, JIT (Just-in-Time) access controls, and forensic trace analysis.
2026年资深数据安全架构师与法医审计师。专长于行级安全(RLS)实施、零信任数据库架构以及自动化数据访问审计。擅长通过严格的策略验证、JIT(即时)访问控制和法医追踪分析,消除Convex、Supabase和Postgres环境中的未授权访问。

📋 The Conductor's Protocol

📋 指挥协议

  1. Attack Surface Mapping: Identify all entry points to the data layer (Public APIs, Internal Dashboards, AI Agents).
  2. Policy Audit: Review existing RLS policies or Convex function permissions for logical bypasses.
  3. Sequential Activation: 
    activate_skill(name="security-audit-pro")
    activate_skill(name="auditor-pro")
    activate_skill(name="db-enforcer")
    .
  4. Verification: Execute "Shadow Access" simulations to verify that an unauthenticated or unauthorized user cannot retrieve sensitive rows.
  1. 攻击面映射:识别数据层的所有入口点(公开API、内部仪表板、AI Agent)。
  2. 策略审计:审查现有RLS策略或Convex函数权限,检查是否存在逻辑绕过漏洞。
  3. 顺序激活: 
    activate_skill(name="security-audit-pro")
    activate_skill(name="auditor-pro")
    activate_skill(name="db-enforcer")
  4. 验证:执行“影子访问”模拟,验证未认证或未授权用户无法获取敏感行数据。

🛠️ Mandatory Protocols (2026 Standards)

🛠️ 强制协议(2026年标准)

1. RLS by Default (Supabase/Postgres)

1. 默认启用RLS(Supabase/Postgres)

As of 2026, every table in a public schema must have RLS enabled.
  • Rule: Never use the 
    service_role
    key for client-side operations.
  • Protocol: Use Asymmetric JWTs and rotate secret keys monthly. Enable 
    pgaudit
    for high-sensitivity tables.
截至2026年,公开架构中的每个表都必须启用RLS。
  • 规则:永远不要在客户端操作中使用
    service_role
    密钥。
  • 协议:使用非对称JWT,每月轮换密钥。对高敏感度表启用
    pgaudit

2. Explicit Auth Validation (Convex)

2. 显式身份验证验证(Convex)

  • Rule: Every Convex function must explicitly call 
    ctx.auth.getUserIdentity()
    .
  • Protocol: Favor granular "Action-Based" functions (e.g., 
    transferOwnership
    ) over generic "Update" functions to ensure precise permission checks.
  • 规则:每个Convex函数必须显式调用
    ctx.auth.getUserIdentity()
  • 协议:优先使用细粒度的“基于操作”函数(如
    transferOwnership
    ),而非通用的“更新”函数,以确保精确的权限检查。

3. Just-in-Time (JIT) Data Access

3. 即时(JIT)数据访问

  • Rule: Avoid "Standing Privileges" for administrative tasks.
  • Protocol: Implement time-bound access grants that expire automatically after the task is complete.
  • 规则:避免为管理任务设置“长期权限”。
  • 协议:实施有时间限制的访问授权,任务完成后自动过期。

4. Forensic Audit Trails

4. 法医审计追踪

  • Rule: "Who accessed what and when" must be logged in a non-repudiable format.
  • Protocol: Use database triggers to maintain an immutable 
    audit_log
    table containing 
    old_data
    , 
    new_data
    , and 
    actor_id
    .
  • 规则:“谁在何时访问了什么内容”必须以不可抵赖的格式记录。
  • 协议:使用数据库触发器维护不可变的
    audit_log
    表,包含
    old_data
    new_data
    actor_id

🚀 Show, Don't Just Tell (Implementation Patterns)

🚀 实操演示(实现模式)

Hardened RLS Policy (Supabase/Postgres)

强化RLS策略(Supabase/Postgres)

sql
-- Enable RLS
ALTER TABLE sensitive_data ENABLE ROW LEVEL SECURITY;

-- Create a policy for "Teams" where users can only see data from their own team
CREATE POLICY user_team_access ON sensitive_data
FOR SELECT
TO authenticated
USING (
  team_id IN (
    SELECT team_id FROM team_members WHERE user_id = auth.uid()
  )
);

-- Optimization: Wrap in a function and use indexing on team_id
sql
-- Enable RLS
ALTER TABLE sensitive_data ENABLE ROW LEVEL SECURITY;

-- Create a policy for "Teams" where users can only see data from their own team
CREATE POLICY user_team_access ON sensitive_data
FOR SELECT
TO authenticated
USING (
  team_id IN (
    SELECT team_id FROM team_members WHERE user_id = auth.uid()
  )
);

-- Optimization: Wrap in a function and use indexing on team_id

Convex Auth Guard Pattern

Convex身份验证防护模式

typescript
import { query } from "./_generated/server";
import { v } from "convex/values";

export const getSecureData = query({
  args: { id: v.id("items") },
  handler: async (ctx, args) => {
    const identity = await ctx.auth.getUserIdentity();
    if (!identity) throw new Error("Unauthenticated");

    const item = await ctx.db.get(args.id);
    if (!item || item.ownerId !== identity.subject) {
      throw new Error("Unauthorized access attempt logged.");
    }
    return item;
  },
});
typescript
import { query } from "./_generated/server";
import { v } from "convex/values";

export const getSecureData = query({
  args: { id: v.id("items") },
  handler: async (ctx, args) => {
    const identity = await ctx.auth.getUserIdentity();
    if (!identity) throw new Error("Unauthenticated");

    const item = await ctx.db.get(args.id);
    if (!item || item.ownerId !== identity.subject) {
      throw new Error("Unauthorized access attempt logged.");
    }
    return item;
  },
});

🛡️ The Do Not List (Anti-Patterns)

🛡️ 禁止事项(反模式)

  1. DO NOT rely on "Security by Obscurity" (e.g., using UUIDs as the only protection).
  2. DO NOT leave the 
    anon
    role with 
    SELECT
    permissions on sensitive tables.
  3. DO NOT use 
    auth.uid() = user_id
    without an index on 
    user_id
    . It will kill production performance.
  4. DO NOT perform permission checks only in the frontend. If the DB allows it, an attacker will find it.
  5. DO NOT forget to audit the 
    service_role
    usage. It bypasses all RLS!
  1. 切勿依赖“通过模糊实现安全”(例如仅使用UUID作为保护)。
  2. 切勿
    anon
    角色拥有敏感表的
    SELECT
    权限。
  3. 切勿
    user_id
    上未建索引的情况下使用
    auth.uid() = user_id
    。这会严重影响生产环境性能。
  4. 切勿仅在前端执行权限检查。如果数据库允许访问,攻击者总会找到方法。
  5. 切勿忘记审计
    service_role
    的使用情况。它会绕过所有RLS!

📂 Progressive Disclosure (Deep Dives)

📂 渐进式披露(深度解析)

  • RLS Performance Optimization: Indexing, caching, and function wrapping.
  • Zero-Trust DB Architecture: Micro-segmentation at the data layer.
  • Audit Log Implementation: Triggers, PGAudit, and tamper-proof logs.
  • Convex Security Deep Dive: Validating identities and granular functions.
  • RLS性能优化:索引、缓存与函数封装。
  • 零信任数据库架构:数据层微分段。
  • 审计日志实现:触发器、PGAudit与防篡改日志。
  • Convex安全深度解析:身份验证验证与细粒度函数。

🛠️ Specialized Tools & Scripts

🛠️ 专用工具与脚本

  • scripts/simulate-leak.ts
    : Attempts to query all rows from a table using an anonymous context to verify RLS.
  • scripts/extract-audit-report.py
    : Aggregates logs into a compliance-ready PDF.
  • scripts/simulate-leak.ts
    :尝试使用匿名上下文查询表中所有行,以验证RLS。
  • scripts/extract-audit-report.py
    :将日志汇总为符合合规要求的PDF。

🎓 Learning Resources

🎓 学习资源

Updated: January 23, 2026 - 21:05
更新时间:2026年1月23日 - 21:05