Studio 7 — Main Hub

This week — do these five

1Flip Clerk to live keys (pk_live_ / sk_live_) in Vercel envs

2Enable RLS on every Supabase table — pattern below

3npm audit + bump Next.js to latest patched 15.x or 16.x

4Rotate every dev-era secret (Clerk, Supabase service-role, GHL webhooks)

5Drop Cloudflare Turnstile on every public form

Threat model

What specifically wants to hurt this stack — not generic advice, mapped to your Next.js + Supabase + Clerk + GHL + Vercel pipeline.

Cross-tenant data leakage via missing/weak Supabase RLS

Your #1 risk. One bad policy = every tenant sees every other tenant's leads.

Clerk dev keys in production

pk_test_ keys have looser CSRF/cookie rules and shared dev infra. Flip to pk_live_ before any real client logs in.

npm supply-chain attacks via Vercel builds

Sept 2025 chalk/debug, axios RAT injection, Nx token theft — all reached Vercel projects. Postinstall scripts LLM-scan for secrets.

Next.js middleware/RSC CVEs

CVE-2025-29927 bypasses middleware auth via one header. Dec 2025 RSC RCE was CVSS 10.0. Stay on the latest patched release.

GHL webhook URL exposure

If a webhook is hardcoded client-side or echoed in errors, attackers fire fake leads, pollute CRMs, and burn A2P trust.

Bot form spam → A2P 10DLC violation

Fake leads trigger SMS workflows, recipients complain, carrier blocks the campaign. With Ryan + Library already verified, a flood costs the brand registration.

Secret leakage in Git

.env.local committed, service-role key in a client component, GHL webhook in a public repo.

DNS hijacking on Spaceship

Single-factor login on the DNS registrar = total takeover of every client domain.

Hardening checklist

32 concrete actions. Effort estimate per item.

Supabase RLS — the policies you MUST have

RLS is the only thing stopping tenant A from SELECTing tenant B's leads. The SQL editor bypasses RLS — always test policies from the client SDK.

-- 1. Force RLS on (deny by default)
alter table leads enable row level security;
alter table leads force row level security;

-- 2. Helper to read tenant_id from Clerk JWT
create or replace function auth.tenant_id() returns uuid
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true)::json->>'tenant_id','')::uuid;
$$;

-- 3. SELECT — only your tenant's rows
create policy "tenant_read_own_leads"
on leads for select
using (tenant_id = auth.tenant_id());

-- 4. INSERT — cannot write for another tenant
create policy "tenant_insert_own_leads"
on leads for insert
with check (tenant_id = auth.tenant_id());

-- 5. UPDATE/DELETE — constrain old and new row
create policy "tenant_modify_own_leads"
on leads for update
using (tenant_id = auth.tenant_id())
with check (tenant_id = auth.tenant_id());

-- 6. Index — RLS without this crawls at scale
create index on leads (tenant_id);

Enable RLS on EVERY table — including join tables and audit logs. One un-RLS'd table is a hole through the whole tenancy model.

Service-role key bypasses RLS — only use it in server-only code paths (/api/admin/*), never in code that ships to the browser.

Add a regression test that signs in as Tenant A and tries to read Tenant B's row — assert 0 rows back.

Pre-auth lookups (slug, custom_domain) live in a tenants_public view with only non-sensitive columns.

Per-client security posture

Client	Surfaces	Auth	Storage	A2P / SMS	Notes
K Pro Roofing	2 sites	none	none	—	0 security-adjacent items
AJ Commercial Group	2 sites	none	Supabase · verify RLS	needs review	0 security-adjacent items
Glimpse Vision	1 site	none	none	—	0 security-adjacent items
Island Optique	0 sites	none	none	—	0 security-adjacent items
Captain's Choice	1 site	none	none	—	0 security-adjacent items
Library Historic Hotel	1 site	none	none	needs review	0 security-adjacent items
Dwan Concrete Coatings	1 site	none	none	—	2 security-adjacent items
Ryan Heagney LLC	1 site	Clerk · dev keys	Supabase · verify RLS	needs review	1 security-adjacent items

Compliance landscape

A2P 10DLC + FCC one-to-one consent (Jan 2026)

Yes — Ryan + Library Hotel verified

Every form needs explicit consent naming THAT specific business. Shared multi-client language is now non-compliant. TCPA fines: $500–$1,500/text.

CCPA

Likely not (revenue/record threshold)

Adopt basics anyway: privacy policy, Do Not Sell link, honor Global Privacy Control headers — clients with CA customers may be on the hook.

GDPR

Risk-adjacent (one EU resident submitting triggers it)

US-local clients are low risk; geo-block EU IPs at the form layer for clean hands.

Illinois BIPA

Only if biometric data collected

AJCG (Chicagoland) — standard contact form is fine. If you add face/voice recognition, written consent + retention policy required BEFORE collection. $1k–$5k per violation, retroactive.

FTC marketing rules

Yes for all email/SMS

Truthful claims, clear disclosures, honor opt-outs within 10 days. Virginia SB 1339: store STOP requests forever (10 years minimum).

Incident response playbooks

Leaked secret in Git

1Rotate the key immediately in the source dashboard — don't wait to delete the commit. Old key is already scraped.
2Update value in Vercel env vars; redeploy all affected projects.
3Use BFG or git filter-repo to scrub history, force-push.
4Check Supabase audit logs / Clerk activity / GHL message logs for unauthorized use in the window.
5If service-role key leaked, assume DB compromise — run the breach playbook.

Suspected database breach

1Rotate Supabase service-role and anon keys; revoke all sessions in Clerk.
2Snapshot the database for forensics BEFORE changing anything else.
3Pull access logs from Supabase + Vercel for the window; identify scope.
4Notify affected clients within 72 hours (GDPR clock). If 500+ CA residents, notify CA AG.
5Post-mortem: RLS gap, leaked key, or CVE? Patch root cause before restoring service.

Defaced client site

1Roll back Vercel deployment to last known-good (Deployments → Promote).
2Rotate GitHub repo's deploy keys + your PAT.
3git log since last clean deploy — find bad commit, identify if it's compromised account or a dep.
4If supply chain: check npm advisory feed, pin/replace the package.
5Notify client; if customer data was on the page, trigger DB breach playbook.

SMS compliance complaint / carrier block

1Pause the affected GHL workflow immediately.
2Pull consent record for the complaining number — when, what form, what disclosure.
3Honor opt-out; scrub the number from ALL client lists, not just the complaining one.
4If carrier blocked: re-register with corrected use case + sample messages via TCR in GHL.
5Audit other clients' consent flows for the same gap before it cascades.

Top tools to bolt on

Tool	Solves	Cost
Cloudflare Turnstile	Bot/spam on every form, no CAPTCHA UX tax	Free up to 1M verifications/mo
Upstash Ratelimit	Per-IP rate limits on /api/lead + auth routes	Free 500K commands/mo; $10/mo after
GitGuardian	Real-time secret scanning across GitHub org + historical commits	Free for solo (<25 contributors)
Sentry	Error tracking — surfaces auth failures, RLS denials, broken webhooks before clients notice	Free 5K errors/mo; $26/mo Team
Cloudflare proxy + WAF	DDoS, bot fight mode, auto-mitigates new Next.js/React CVEs via managed rules	Free plan covers everything you need

Studio 7 Security Center

This week — do these five

Threat model

Hardening checklist

Identity & Auth

Secrets

Database (Supabase)

Network & CORS

Forms

Monitoring

Code & Dependencies

Infra