Supabase Security Audit & Fix — RLS, Storage Buckets, Key Exposure (Next.js/Vercel app)

We run a live SaaS web + mobile app (music software) built on Supabase, Next.js, and Vercel. The app was built fast and we need a Supabase security specialist to audit it and FIX the vulnerabilities — not just hand us a report. WHAT WE NEED FIXED: 1. Row Level Security (RLS) - Review RLS on every table in our public schema - Identify any table where users can read, write, or delete data they shouldn't - Write/correct the policies so each user can only access their own data 2. Service-role key exposure - Confirm our Supabase service-role key is NOT present anywhere in client/frontend code - If exposed, help us rotate it and move it to server-side only - Same check for any other secrets leaking into the browser bundle 3. Storage buckets - Audit all storage bucket policies (we store audio files, images, avatars) - Lock down so objects can't be listed, downloaded, or deleted by unauthorized users - Restrict who/what can delete objects in production 4. Auth & access - Review Supabase auth configuration for misconfigurations - Check that no role or shared key allows mass-deletion of production data DELIVERABLE: - Vulnerabilities fixed directly in our project (we'll give scoped access) - A short written summary of what was wrong and what you changed - A list of the recurring patterns we should avoid so our team stops reintroducing the same issues ABOUT OUR STACK: - Database/Auth/Storage: Supabase - Frontend: Next.js, deployed on Vercel - Payments: Stripe TO APPLY: - Tell us about a Supabase project where you fixed RLS or storage security - Roughly how you'd approach a fast-built app like ours - Your fixed-price quote and timeline Please do NOT apply if your plan is to run an automated scanner and send a PDF. We want hands-on fixes by someone who knows Supabase deeply.