Name: Security Review
Author: hamiltonmoreno

Perform a comprehensive security audit of the Fiskix codebase:

Check for exposed secrets (API keys, Supabase service_role key, Twilio credentials, CRON_SECRET)
Look for SQL injection vulnerabilities in Supabase queries
Check for XSS vulnerabilities in user input handling
Verify CSRF protection on forms and state-changing operations
Check authentication and authorization logic (auth.uid() usage)
Verify RLS is active on all 10 tables — any table missing RLS is critical
Check that service_role key is never in client-side code
Check API key validation in /api/v1/* routes
Look for insecure dependencies (npm audit)
Verify environment variables are not committed (.env.local, secrets)
Scoring engine parity: verify src/modules/scoring/engine.ts and supabase/functions/scoring-engine/ implement the same R1–R9 logic and thresholds — divergence is a silent data integrity bug

For each finding:

Perform a comprehensive security audit of the Fiskix codebase:

Check for exposed secrets (API keys, Supabase service_role key, Twilio credentials, CRON_SECRET)
Look for SQL injection vulnerabilities in Supabase queries
Check for XSS vulnerabilities in user input handling
Verify CSRF protection on forms and state-changing operations
Check authentication and authorization logic (auth.uid() usage)
Verify RLS is active on all 10 tables — any table missing RLS is critical
Check that service_role key is never in client-side code
Check API key validation in /api/v1/* routes
Look for insecure dependencies (npm audit)
Verify environment variables are not committed (.env.local, secrets)
Scoring engine parity: verify src/modules/scoring/engine.ts and supabase/functions/scoring-engine/ implement the same R1–R9 logic and thresholds — divergence is a silent data integrity bug

For each finding:

Security Review