$750 to $2,000. One night. A planner-and-verifier agent fleet maps every route, replays your auth and payment flows, probes your database access, and finds what leaks. Every finding ships with a reproducible proof, so you can re-run it yourself and so can anyone you show it to.
Every finding is independently re-derived, not just re-stated. Live findings are re-run; code findings are re-hashed. Each carries one of two honesty labels: behavior-confirmed (we re-ran it) or evidence-pinned (the code is real and unchanged, the interpretation is ours, review it). Anything we cannot independently verify is withheld and disclosed, never silently dropped. The report is yours: hand it to a developer, an investor, or an insurer.
Never your Supabase service_role. Never an all-access role. You watch your own agent grant least-privilege access in three steps. We never get your service key, and never see your data, only the database's own structure.
One SQL block creates a Postgres role with no table grants at all. It can read the database’s own catalog metadata and nothing else, not auth.users, not vault secrets, not your app tables.
The block includes a check you run yourself that confirms the new role cannot read any of your data. You see the proof before anything connects.
Paste the scoped read-only connection string. When the audit is done, DROP ROLE removes it. Repo access, if you want code-level findings, is a per-repo GitHub App with one-click revoke, never a collaborator.
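The three steps above as one SQL block. This is an added example, not the audit service's own SQL: it assumes Postgres 13+, that you run it as the database owner, and that the Supabase `auth.users` and `vault.secrets` objects exist; the role name `audit_ro` and the password placeholder are assumptions you replace.

```sql
-- Added example, not the audit service's own SQL. Assumes Postgres 13+, run as
-- the database owner. "audit_ro" and the password are placeholders to replace.
BEGIN;

-- Step 1: a login role with no table grants and every elevated attribute off.
-- A fresh role can still read pg_catalog and information_schema (they are
-- readable by PUBLIC by default); it gets nothing else.
CREATE ROLE audit_ro
  LOGIN
  NOINHERIT NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOBYPASSRLS
  PASSWORD 'REPLACE_WITH_GENERATED_SECRET';

COMMIT;

-- Step 2: the check you run yourself. Lists every table, partition, view,
-- materialized view or foreign table outside the catalog schemas that audit_ro
-- could SELECT from, whether directly, via role membership or via PUBLIC.
-- Expected result: zero rows. Any row is a grant to revoke before you hand out
-- the connection string.
SELECT n.nspname AS schema, c.relname AS relation
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege('audit_ro', c.oid, 'SELECT')
ORDER BY 1, 2;

-- Spot check of the two objects that matter most on Supabase (assumed to
-- exist); both columns should come back false.
SELECT has_table_privilege('audit_ro', 'auth.users',    'SELECT') AS can_read_users,
       has_table_privilege('audit_ro', 'vault.secrets', 'SELECT') AS can_read_vault;

-- Step 3: when the audit is done, remove the role. DROP OWNED first clears any
-- privilege or object that would otherwise make DROP ROLE fail.
-- DROP OWNED BY audit_ro;
-- DROP ROLE audit_ro;
```

The check is a catalog query, so it needs no SET ROLE or second connection; re-run it before every audit, since a later GRANT to PUBLIC would silently widen what the role can read.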
The model plans and reads. It never decides what is true; a re-runnable proof does. A finding that carries the query hash or the code hash that produced it cannot be a hallucination. The machine never signs off on your behalf and never tells you you're fine. That is the trust model: re-runnable evidence, not a stranger's robot saying “looks good.”
Start with a free Ship Check to see the surface, then book the full audit. Price scales with the size and surface of your app.
→ Keep watching what we just audited · Monitor from $19/mo