Vibe-coding presents novel security challenges, but also an incredible opportunity for internal apps and dashboards. We asked ourselves: Can we create a security model that maintains its properties even if we can trust neither the builder nor the AI to follow proper practices?

The engineering in software engineering implies inherent trust in the competency of the, well, engineer. But vibe-coders cannot be assumed to be software engineers.

Here is the solution we developed with our friends from @Snowflake:

- Auth is NOT managed by the app itself; instead it is provided by a layer of the Vercel platform
- The app actually does not get any secrets. It has no permissions to talk to a backend
- Instead, the permissions are derived from the user's auth
- That also means that the database (here from our partner Snowflake) knows who the user is
- And hence the database layer can enforce data visibility rules for the user and ensure that even if the app has bugs, the user never gets to see data that they are not authorized to see.

More details from our announcement with Snowflake here https://t.co/WZFbLY00K6
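A simplified Python model of the three layers described above, added here as an illustration and not Vercel's or Snowflake's code: the platform verifies the session, the app holds no credential, and the data layer filters by the verified user even when the app forgets its own check. All function names, the signing key, the grants and the rows are constructed assumptions.

```python
import functools
import hashlib
import hmac

# Everything below is constructed sample data for this illustration.
PLATFORM_KEY = b"demo-key-held-only-by-the-platform-layer"
GRANTS = {"alice": {"EMEA"}, "bob": {"AMER"}}  # database-side visibility rules
ROWS = [
    {"region": "EMEA", "customer": "Acme GmbH", "arr": 120},
    {"region": "AMER", "customer": "Initech", "arr": 90},
    {"region": "AMER", "customer": "Globex", "arr": 45},
]

def issue_session(user):
    """Platform layer: sign the user name after login (login itself not shown)."""
    sig = hmac.new(PLATFORM_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"

def platform_authenticate(session):
    """Platform layer: verify the session before any app code runs."""
    user, _, sig = session.rpartition(".")
    expected = hmac.new(PLATFORM_KEY, user.encode(), hashlib.sha256).hexdigest()
    if not user or not hmac.compare_digest(sig.encode(), expected.encode()):
        raise PermissionError("unauthenticated")
    return user

def database_query(user, region=None):
    """Database layer: apply the user's grants to every query, whatever is asked."""
    allowed = GRANTS.get(user, set())
    return [r for r in ROWS
            if r["region"] in allowed and (region is None or r["region"] == region)]

def buggy_app(db, params):
    """App layer: no key, no credential, and no check on the `region` parameter."""
    return db(params.get("region"))

def handle_request(session, params):
    user = platform_authenticate(session)
    # The app only receives a handle already bound to the verified user.
    db = functools.partial(database_query, user)
    return buggy_app(db, params)
```

Because the app only ever sees `db`, its missing check on `region` cannot widen what the verified user is granted.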