From b0f21cde4206db6ce0f05aab6312b42a16ecfdd9 Mon Sep 17 00:00:00 2001
From: soloexpert <271378911+soloexpert@users.noreply.github.com>
Date: Sun, 3 May 2026 15:33:48 -0700
Subject: [PATCH] security: add service_role key warning to .env.example
---
 .env.example | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.env.example b/.env.example
index 1607925..3d47971 100644
--- a/.env.example
+++ b/.env.example
@@ -1,3 +1,16 @@
+# =============================================================
+# SECURITY WARNING — Supabase Keys
+# =============================================================
+# NEVER use the service_role key here or in any client-side code.
+# The service_role key bypasses ALL Row Level Security policies,
+# giving anyone who visits your deployed app full admin access
+# to your entire database — reads, writes, deletes, no RLS.
+#
+# CORRECT: use the anon/publishable key in client apps
+# WRONG: VITE_SUPABASE_KEY="sbp_live_..." or service_role anywhere client-side
+#
+# See: https://supabase.com/docs/guides/api/api-keys
+# =============================================================
 VITE_SUPABASE_PROJECT_ID="your-project-id"
 VITE_SUPABASE_PUBLISHABLE_KEY="your-anon-public-key"
 VITE_SUPABASE_URL="https://your-project-id.supabase.co"
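Review bot: The WRONG example in the new comment block names `VITE_SUPABASE_KEY`, a variable that does not exist in this file, and its `sbp_live_...` placeholder does not look like a service_role key (legacy service_role keys are JWTs beginning with `eyJ`, and as far as I can tell `sbp_` is the prefix Supabase uses for personal access tokens), so a reader who greps their config for that pattern may be falsely reassured. The warning also never states the mechanism that makes it matter here: Vite inlines every `VITE_`-prefixed variable into the public browser bundle at build time, so the rule applies to any `VITE_*` line, not just the key line. I would replace the WRONG line with `# WRONG: a service_role key (a long JWT starting "eyJ...") in ANY VITE_* variable` and add `# Every VITE_* value in this file is embedded in the public browser bundle at build time.` directly under the NEVER line.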