I kept seeing Supabase apps accidentally expose emails, API keys, or internal tables due to small RLS or config mistakes. Not hacks—just easy-to-miss defaults. So I built Supaguard, a simple scanner that checks for exposed PII, PCI, and hardcoded keys. It’s early, but it’s already catching issues I didn’t expect. Feedback welcome.