Jace · Rivetz

Rivetz has officially launched on ProductHunt! We would appreciate if you checked it out and gave us some feedback! producthunt.com/products/rivet…

@Devesh143 @compileandpush anytime 🤝 the webhook sig one is sneaky because it works perfectly in testing, the fake events only show up when someone goes looking. quick to add though.

yep, inference keys are sneaky because people assume the call runs server-side when half the lovable setups fire it straight from the browser. anything with an "sk-" or bearer token showing up in the network tab on a user action is the tell. good call blocking the vendor out in the screenshot.

@JaceFromHI @WisprFlow 💯. But the inference api key is yet another one exposed. I have blocked out the vendor used for inference

@WisprFlow if you are 100% vibe coding, be wary of security holes that can compromise your product.

yeah the skip rate is brutal, and i think it's because rls failing is invisible. no error, no crash, the app works perfectly while the table's wide open. founders optimize for what they can see. solid guide too, the "enabled but weak" middle case is the one almost nobody gets, a using (true) policy looks secured but isn't.

@JaceFromHI Have talked about Supabase RLS policies in detail over here! I think most founders do not care at all and give this a skip x.com/i/status/20422…

Shipping products has never been easier. Especially with Lovable Connectors After shipping 25+ products in 18 months... Here are 5 Lovable Connectors we use regularly at our dev agency for client projects 👇

@ArtificialAva @ProductHunt @Lovable anytime 🙌 takes 30 seconds, and if it's clean that's one less thing to think about post-launch

@JaceFromHI @ProductHunt @Lovable Thanks for the tip! gonna check it out :)

Launched Breadmaxxing com on @ProductHunt today! Its basically a Focus music player layered with money sounds to keep you motivated to keep stacking bread. Built with @Lovable in like 2 hours so it's more of a fun project rather than a serious business Upvote for respect 🫡

@nostrinsurer @Kyriakos_Pelek oh that's clean, "filter to what fits instead of submitting blindly" is exactly the problem. half the founders in your datasets are probably shipping on lovable too, so we're basically downstream of the same person. would be down to compare notes sometime

ServiceGraph. datasets for founders trying to figure out where to launch, who to email, who to hire. directories, newsletters, agencies with metrics on every row, so you filter to what fits instead of submitting blindly. and yeah, the pattern's real. both about surfacing data founders can't argue with on screen.

Building in public and want to meet more people doing the same 🤝 Looking to connect with: 🚀 Founders & indie hackers 🤖 AI agents & dev tools 📊 Data & B2B SaaS 🛠️ Anyone shipping something right now I'm building ServiceGraph with my co-founder, datasets for founders on where to launch and who to reach. What are you working on? Drop it below 👇 let's connect and grow together

@dantoruno good reminder. on the vibe-coding side specifically, the bigger risk isn't the chat settings, it's what got hardcoded into the deployed app. service_role keys and openai keys baked into the frontend bundle are the default failure mode right now, fast to check with view-source.

Reminder to update your favorite LLM or vibe coding platforms security settings. You are probably sharing way more with them than you need to right now.

good thread. one thing worth adding for anyone shipping these mvps: enabling rls in supabase is not the same as having a policy. an empty rls table blocks reads from the anon key, but a permissive 'true' policy quietly opens everything to anyone with the publishable key. people miss that gap constantly.

4/ Supabase Every MVP that is shipped, the backend is connected via Supabase inside Lovable Supabase provides: > Auth > Database > Storage and is used by millions of startups across the globe! and with an ever expanding community, its a no brainer to choose it as your backend.

@Devesh143 @compileandpush stacking lovable cloud + brevo + dodo on top of supabase, the spot to watch is webhook auth. each provider sends a signing secret and lovable usually drops them into edge function env, but it's easy to ship without actually verifying the signature in code. easy hole, easy fix.

@trendai_RSRCH the mcp angle is underrated. same pattern is showing up one layer down too: vibe-coded supabase apps shipping with the service_role key sitting in the frontend bundle and rls tables that have rls enabled but no actual policy. both fail silently until someone looks.

42.6% of MCP server repositories with confirmed exploitable vulnerabilities show signs of AI-generated code. AI vibe coding is shipping production security gaps at scale. TrendAI™ Research breaks it down: research.trendmicro.com/4v7RCQW

this is the single most common vibe-coded leak in the wild right now. exposed openai key and a stray supabase service_role tend to travel together because both end up in the frontend bundle by default. view-source plus ctrl+f for 'sk-' or 'service_role' on any live lovable site catches it in under a minute.

Company I might start working with. $150M+ valuation. 30 minutes of poking around. Found their OpenAI key in a Lovable experiment. I'm as far from a security expert as it gets. But this is the AI-native world — you're one prompt away from being dangerously expertable. These are transition-phase problems. Everyone has them. But you have to move fast. Three rules: 1. Never paste credentials into any chat tool. 2. Use Doppler. Or Infisical. Or anything that remove the risk of waking up to a $20K bill because your key is sitting on the open web. 3. If your org is doing real AI work, hire someone who builds the AI-native life practice. Engaged, secure, proactive. Here's a skill that runs this kind of recon — funny artifacts + real vulnerabilities. github -> 0xSteph/pentest-ai-agents Use it on your own company, or the one about to hire you. Strong way to show up. More AI-native life posts coming.

@bygregorr @shaunralston @theo rls debugging in chat eats credits because the model can't actually see what postgres saw. quicker path: paste the failing query plus select auth.uid(), auth.role() into the supabase sql editor with set local role authenticated. you usually find the bug in one shot.

@shaunralston @theo hit the same wall on pennywise last week, two hours of supabase RLS debugging burned through my limit way faster than i expected. but what were you running to blow $100 in under an hour? that's way heavier than anything in my normal daily sessions

after last night's sesh, no doubt Opus 4.8 is insanely smart, but NOT better than GPT-5.5 for real dev work; hit my $100/mo cap in < hour, and 'Fast Mode' not included in sub (srsly?), so, for actual daily work, GPT-5.5 Codex still is he powerhouse ~ watch @theo’s YT, spot on 👇

@InsiderPhD the most common one i'm catching in vibe-coded apps isn't even a code bug. it's the supabase service_role key dropped into the frontend bundle. ctrl+f for 'service_role' on a live site and it's there way more often than you'd guess.

Are you vibe coding? Are you actually keeping track of what your agents do? Yep me neither, thankfully you don’t have to! I’ll be speaking tomorrow about how to make sure your agents don’t go off the (guard)rails and ship security vulnerabilities. I’ll be sharing: 1️⃣ What vulnerabilities AI agents actually implement 2️⃣ How you can prevent these vulnerabilities while you vibe code 3️⃣ How to support vibe coding developers and make sure what they ship is secure 4️⃣ Tips for testing your vibe coded applications and workflows that prevent bugs from ever shipping Limited spaces so jump in now! This code will also give you a discount! eventbrite.co.uk/e/hack-before-…

@HeyGen @Lovable not the avatar side yet, looks slick though. i mostly run into the oauth part when auditing lovable apps. redirect uri scoping is one of those invisible-until-it-isn't things. want to try the full flow now tbh

@JaceFromHI @Lovable Good insights! Have you tried this before?

You can build an app in an afternoon. Until now, adding video still meant APIs, auth, and production work. HeyGen is now integrated with @Lovable via MCP + OAuth. Prompt avatar video directly into your app and ship with a face and voice. What would you build first?

@nostrinsurer @Kyriakos_Pelek yeah the screenshot is the whole unlock, nobody argues with their own data on screen. curious what you're building in this space? feels like you're circling the same problem from a different angle

@JaceFromHI @Kyriakos_Pelek that *.lovable.app subdomain tell plus the incognito-leak check is sharp. founders can't argue with a screenshot of their own data. buildinpublic + lovable showcase is where the supply is too, you're right on both fronts.

exposed service_role key first. view source, search "service_role". if it's there nothing else matters, that key bypasses every rule you set. 60 second check, worst possible impact. then RLS. it's off by default and it's the one that leaks everyone's data. the public/private tables thing you said is basically this. then auth on your actual api routes, not just hiding buttons in the UI. if a beginner only ever checks two, make it those first two.

@JaceFromHI @martinfowler yeah that’s the nightmare case. for a beginner building with Lovable/Supabase/Cursor, what would you make them check before calling an app safe: RLS policies, public/private tables, API keys, or something else first?

NEW POST Four of my colleagues share their experiences in applying good security practices to vibe coding. martinfowler.com/articles/vibes…

You don't need to read code to find the most common lovable security hole. Open your live site. view source. ctrl+f "service_role".if a long string shows up, every visitor to your site can read your database. rotate that key today.that's the whole test. If you built on lovable: what's the one security thing that quietly stresses you out?genuinely curious, no pitch. trying to understand what the real fears are.

@TrustVanta The 20% number tracks. what most builders skip is that ai-written code tends to leave the same 4 or 5 holes (rls off by default, exposed service role key, no auth on api routes, secrets in client bundles). that audit is fast once, brutal after 6 months of unreviewed prompts.

Sometimes unlimited tokens and rippin' guitar riffs can't solve every problem. The best builders know what NOT to build. Vibe coding might cut down on time, but that's only a fraction (20%) of the total software lifecycle cost. The other 70–80%? Maintenance, security patches, compliance updates. The slow grind of keeping it alive in production. When it comes to something as complex and critical as keeping your security airtight, depth wins over speed every time. New episode of Security Theater with @yayalexisgay just dropped!👇

@bygregorr @cline rls debugging is brutal because the policies fail silent on the client. one thing that's saved me hours: hit pgrest's /rest/v1 with your anon key in curl and read the raw response. the permission error comes back cleaner than what the supabase-js client surfaces.

@cline ran both on a supabase RLS bug last week in pennywise, claude got the context faster but GPT closed the fix. not sure 3.6% on terminal-bench translates to actual codebase work the same way. did the gap hold on file edits or mainly the terminal tasks?

Anthropic's new Opus 4.8 scores 3.6% lower than GPT 5.5 on Terminal-Bench 2.1. Available to compare side-by-side in Cline now. (They also announced a plan to release new models with higher intelligence than Opus after adding stronger cyber safeguards in the coming weeks.)