FlowState369
Security & Trust

Trust you can check,
not trust you are asked for.

Every app is audited, every finding is recorded, and a verifier has to prove the scary ones are real before anyone acts on them.

The differentiator, told straight

Two independent security teams audited the same apps. Both raised the same false-alarm Critical. A required verification step caught it before it turned into a fire drill. That skeptic-in-the-loop is the product.

What it prevents

Four ways real harm reaches real people

These are not abstractions. Each one is a class of failure this method is built to catch before it ships.

The harm

A database left open lets a stranger read or change every family’s record.

What the method does

Access control is enforced at the database with deny-by-default row-level security, so an app bug alone cannot expose or alter records.

The harm

A secret key in the code hands an outsider the master password to your data.

What the method does

Deployed bundles and git history are scanned for live keys, and the scary hits are verified before anyone panics or, worse, ignores them.

The harm

A fix that never ships leaves the live site broken while the code looks patched.

What the method does

The audit checks what is actually deployed, not just what is committed, so a stale production build cannot hide behind a clean repo.

The harm

A silent failure means the alarm never rings and no one knows the door is open.

What the method does

Every finding is written down with a date and a verdict, and repeat classes are tracked, so nothing quietly falls off the list.

The two-register dashboard

One set of findings, two ways to read them

The real 2026-07-05 cross-audit, exactly as it landed. Flip the switch to read the same findings as an engineer or as a person who just wants to know what could go wrong.

Verdict
Production-acceptable
Critical
0
High
3
Medium
2
2
Criticals refuted by verification

Both teams raised them. The skeptic pass proved neither was real: zero live keys in history, zero secrets in the browser. Caught before they cost a single hour of panic.

Read as
H1HighChristina's Childcare
OWASP A01: Broken Access Control

Anonymous write access to cacfp_records and 9 other tables

The anon role held INSERT and UPDATE grants on cacfp_records plus nine sibling tables. No row-level security policy stood between an unauthenticated request and a write.

H2HighFlowState hub / Intelligence
OWASP A01 / A09: Access Control, Logging

Eight database functions run past row-level security

Eight functions execute with elevated rights that bypass RLS. One of them accepts writes from any caller, so a request could reach data the caller should never touch.

H3HighFlowState Intelligence
OWASP A08: Software and Data Integrity

Security fixes committed but not deployed, prod 10 days stale

The fixes were merged to the repository but never shipped. Production ran code that was ten days behind the fixed source, so the repo looked patched while the live site was not.

M1MediumChristina's Childcare
OWASP A05: Security Misconfiguration

Application repository is public

The source repository was world-readable. No secrets were exposed in it, but the full application structure and logic were visible to anyone.

M2MediumFlowState hub
OWASP A01: Broken Access Control

Loop tables carry permissive row-level security

The loop_* tables had RLS enabled but with broad policies. Access was governed, yet wider than the data strictly required.

Refuted by the verification pass
RefutedR1
Secret keys committed to git history
Flagged Critical by both independent teams

The verification pass scanned the full history and found zero live keys. The pattern that tripped both scanners was placeholder and example strings. A real alarm here would be a genuine breach; this was not one.

RefutedR2
Service-role key exposed in the browser bundle
Flagged Critical, one team

The verifier pulled the deployed bundle and searched it. The service-role key was not present. Only the public anon key ships to the browser, which is expected and safe.

RefutedR3
Public read of children’s data
Flagged High, one team

The verifier queried the table as an anonymous caller. It returned zero rows. The read path was already closed; the finding was theoretical, not live.

Sources, triangulated and validated

The standards this is built on

Every finding is triangulated across two independent audit teams plus a dedicated verification pass, then mapped to a published standard. Nothing here rests on one person’s opinion.

Want this run on your app?

The same audit, the same skeptic-in-the-loop, the same two-register report your engineers and your families can both read. That is the offer.

Talk to us