Loisirs du Faubourg
Executive summary
No cross-tenant leak was proven.
Tenant isolation could not be fully machine-verified, see coverage below.
Scope: 616 files, 137 RLS policies across 34 tables.
USING (true)
A live two-tenant probe can settle these.
Coverage
53% machine-verified · target 80%
Coverage is 27 points below the 80% target. Closing the gap means resolving the 16 unverified tables with a live two-tenant probe (neogen probe) or a review of their helper functions.
Tenant isolation map
Each square is one table — click to inspect its verdict. A dot marks a by-design super-admin bypass.
Inventory
What was scanned
Roles & permissions
Who can see what across organizations.
Cross-organization bypasses present on 16 tables. These roles can see data from other organizations — confirm each one is intentional.
Table verdicts
34 tables
Methodology
Unlike an AI-written review, these results come from real checks you can verify yourself. Each step below is automated and produces the same answer every time.
Automated access-rule check
We read every access rule in your database and ask: can someone from Organization A see Organization B's data? The checker gives a clear answer — safe, leak found, or needs a live test. (Technical: RLS policies are composed and checked with the Z3 SMT solver.)
neogen audit --source <repo> --target <out>
Math-backed correctness
The logic behind our checker is proven correct in Lean 4 — not just for your app, but for any database we analyze. This means the checker itself can't give wrong answers. (Technical: 25 theorems including hold_sound and fail_has_roleless_leak.)
cd pipeline/proofs/tenant-isolation && lake build
Tamper-proof report seal
The full results are cryptographically signed. If anyone changes a result after the audit — for example, upgrading 'needs live test' to 'confirmed safe' — the signature breaks and you'll know. (Technical: Ed25519 signature over the coverage ledger.)
neogen verify --envelope audit.envelope.json
Live test with two real accounts
For tables our automatic checker can't finish, we run a real-world test: create two organizations, log in as each, and see what they can actually access. This is labeled Live test in the report — it's practical confirmation, not a mathematical proof.
neogen probe --clone <staging>
Recommendations
4 actions to close the gap
neogen probe --staging
Check the Supabase bypass surfaces not covered by RLS analysis: a service-role key embedded in the client bundle, public Storage buckets, SECURITY DEFINER views, and Edge Functions that use the service role.
Verify this report offline — anyone with the public key can confirm it against the signed attestation.
neogen verify audit.envelope.json
Signed, reproducible, deterministic.
Schema extraction, SMT verdicts and the signature don't depend on the LLM. The bundle is Ed25519-signed over a coverage ledger — anyone can verify it offline, no trust in the model required.
