Skip to content
suparbase
v3.0 + v3.1 · Live now

Your AI agent will do something stupid eventually.

Agent Sentry watches your Supabase project with the actual anon key, attributes every write to the agent that made it, and gives you one button to undo a whole Cursor / Claude Code / Replit Agent session, before it ends up on the Hacker News frontpage.

Protect a projectSee pricing
The 2026 incident pattern

The same three failure modes keep destroying production databases.

Every other week there's a new post-mortem. The shape is always the same: an AI agent did something, and the existing tooling caught it weekly via email instead of in 30 seconds.

Jan 2026

Moltbook

1.5M API keys + every user record leaked, three days after launch

Root cause: AI generated the schema but never enabled RLS. The anon key was a skeleton key to the whole REST surface.

Read the post-mortem
Feb 2026

Lovable (170 production apps)

CVE-2025-48757: inverted access logic exposed user rows across 170 live apps in a single scan

Root cause: RLS was on, but the policy was inverted, "if you're logged in, you can read every row." 80% of vibe-coded apps share this exact mistake.

We scanned 1,764 apps
Apr 2026

PocketOS

Production database + every backup deleted in 9 seconds

Root cause: Cursor's Claude Opus agent encountered a credential mismatch, found a Railway token in an unrelated file, and used it to delete the volume. No way to undo, no per-agent attribution.

Tom's Hardware coverage
How it works

Probe, attribute, undo.

Two halves: the security watchdog (v3.0) catches RLS drift before it leaks. The safety net (v3.1) lets you reverse what a bad agent already did.

  1. 1. Probe with the actual anon key

    Sentry continuously fires unauthenticated GETs at every public-schema table through your project's REST endpoint. If anything that was hidden yesterday starts returning rows, RLS got disabled, a permissive policy slipped through, a brand-new table never had policies wired, you find out before someone's HN frontpage moment does.

  2. 2. Escalate on PII

    Anon-readable tables get matched against a conservative PII pattern (password / secret / api_key / refresh_token / ssn / credit_card / phone / email / address / dob / passport). Hits jump from warn to critical instantly. No more 'looks fine to me' review.

  3. 3. One-click quarantine

    When a finding lands, the Quarantine button applies `ALTER TABLE ENABLE RLS` + a RESTRICTIVE `USING (false)` policy named `suparbase_sentry_<id>`. Anon and authenticated callers are denied instantly. You buy time to fix the root cause without paging the on-call engineer.

  4. 4. Fingerprint every AI write

    Cursor, Claude Code, Replit Agent, Lovable, v0, Vercel AI SDK, Suparbase identifies them all from the User-Agent on every authenticated proxy write. Writes within a 5-minute window from the same agent get grouped into a single `agent_session` row, with mutation counts and tables touched.

  5. 5. Undo the whole session in one click

    Every write was already in your audit log. Sentry's undo engine walks those rows newest-first, builds reverse SQL (INSERT → DELETE, DELETE → INSERT, UPDATE → UPDATE back to beforeRow), and runs every reversal in a single transaction via the Direct Postgres URL. PocketOS would have had a button. You do.

What it looks like

One panel. One button. One transaction.

The Sentry page surfaces findings by severity. The Agents page groups every AI write into named sessions. Both live in the connection sidebar, nothing else to install.

Sentry · 3 critical · 2 warnlast scan 12s ago
  • anon_read_piicritical

    public.users

    Anon REST returned 3 rows containing password_hash, email.

    Quarantine Acknowledge
  • policy_overly_permissivewarn

    public.messages

    Policy read_all_authed uses USING (true).

Cursor · 47 mutations · 3 tablesactive · 12 min ago
  • DELETEpublic.ordersid=ord_8a32…
  • UPDATEpublic.usersid=u_1c…
  • INSERTpublic.auditid=4711
  • UPDATEpublic.ordersid=ord_22cf…
… 43 more mutationsUndo session
vs. everything else

What other tools catch, and what they miss.

Most existing options are scanners (point-in-time) or loggers (no remediation). Sentry is the only one combining continuous probing, agent attribution, and one-click undo.

ToolWhat it catchesWhat it misses
Manual scans (AuditYourApp / SupaSec)
RLS-disabled tables, exposed buckets, leaked keysDrift after the scan finishes. No quarantine. No agent attribution. No undo.
Supabase Security Advisors (Splinter)
Static linting of schema + policiesWeekly emails, dashboard alerts. By the time you read them, the leak has been live for days.
PGAudit + Postgres logs
Every SQL statement, server-sideNo agent attribution, no session grouping, no UI, no reverse. You'd need to grep a log file and hand-write reverse SQL.
Replit checkpoints
Project state per Replit AppOnly works inside Replit. Useless for Cursor / Claude Code / Lovable / v0 / your own MCP server.
Agent Sentry (Suparbase)
Continuous anon probe + pg_policies inspection + PII heuristic + per-agent session attribution + one-click undo for any sessionNothing in the failure modes above. This is the whole pitch.
What's in the box

Two surfaces, the same telemetry.

Sentry and Agents are sibling pages inside every connection workspace. They share the audit log, the encrypted vault, and the Direct Postgres URL, no extra credentials, no extra installs.

  • Sentry · the watchdog

    On-demand probe with the actual anon key + pg_policies inspection. PII heuristic escalates findings to critical. One-click quarantine applies a RESTRICTIVE deny-all policy until you fix the root cause.

  • Agents · the safety net

    Every AI write fingerprinted from User-Agent, grouped into named sessions, with the full audit trail per session. The Undo button reverses every mutation in one transaction.

Honest answers

FAQ

If you're about to deploy this on top of real customer data, these are the questions you should be asking.

Do I have to share my database password to use this?+

No, Sentry runs in two modes. The anon REST probe needs only your existing stored apikey (already encrypted in the vault). The pg_policies inspection and the one-click undo both need the optional Direct Postgres URL, which you can add when you create the connection or on the settings page later. The plaintext URL is AES-256-GCM encrypted at rest the same way the apikey is.

What does "undo a session" actually do?+

It reads every row Suparbase's audit log captured for that agent_session (every INSERT, UPDATE, and DELETE that flowed through the proxy), builds reverse SQL for each one, and runs all of them inside a single Postgres transaction. INSERTs become DELETEs, DELETEs become INSERTs from the `beforeRow` snapshot, UPDATEs are reset to the `beforeRow` column values. Either every reversal succeeds or none of them does.

Will Sentry catch schema changes (CREATE TABLE, ALTER, DROP)?+

Sentry will *quarantine* the affected table when a probe detects new anon-readable rows, even if it was just created. We don't currently undo DDL, those statements aren't in the audit log yet, but a follow-up release will capture them via pg_event_trigger and offer reverse migrations for the simple cases (add column, drop column, etc.).

What happens if my AI tool sends a custom User-Agent?+

If it matches a known pattern (Cursor, Claude Code, Replit Agent, Lovable, v0, Vercel AI SDK, OpenRouter), Sentry attributes the session correctly. If it just mentions an LLM (openai / anthropic / agent / llm / etc.), it lands in `ai_unknown` so you still get a single bucket to undo. If nothing matches, it falls through to browser / cli / unknown, useful so you can spot a human bash session vs an agent's fetch.

Is this only for Supabase?+

Today, yes. Sentry is built on Suparbase's existing PostgREST proxy + Direct Postgres URL plumbing, which Supabase projects ship with out of the box. The probe + undo logic isn't Supabase-specific, if there's interest in adapting it for plain PostgREST / pg-meta / Hasura / Nhost, drop us an issue.

How do I know the probe didn't miss something?+

Every scan writes a `sentry_scan` row with the list of tables it touched, the duration, and any errors. You can inspect the scan history collapsible at the bottom of /c/<id>/sentry to see exactly what was checked. If a critical finding ever lands silently, it'll still show up under Open findings, Sentry never auto-resolves a finding without your action.

The button you wish PocketOS had.

Five minutes to set up. Free hosted tier for solo projects. Probe today, undo tomorrow.

Start freeRead the incident retro