
Security: Add warning — never use service_role key in client-side code #2

Open
soloexpert wants to merge 1 commit into DHTMLX:main from soloexpert:frogeye/security-warning

Conversation

@soloexpert

Security Warning Addition

Vulnerability class: Supabase service_role key exposure in client-side code

Why this PR: We scanned 100 public repos built with Lovable + Supabase templates and found 65% (65/100) had Supabase service_role keys committed to client-side code — often because developers filled their actual keys into template .env placeholders without knowing the danger.

This template is the upstream source for many of those apps. Adding a prominent warning here prevents the mistake at the root.

What changed:

  • .env.example — added comment block warning: never use service_role in client apps, with a link to Supabase docs

The danger (CWE-312: Cleartext Storage of Sensitive Information):

- # WRONG — service_role bypasses ALL Row Level Security
- VITE_SUPABASE_KEY="sbp_live_..."
+ # CORRECT — anon key is safe for client-side use
+ VITE_SUPABASE_PUBLISHABLE_KEY="your-anon-public-key"
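Review bot: the `-`/`+` lines read as a change to the template's own `.env.example`, but the description above says the DHTMLX template already uses the anon key and this PR only adds a comment block; state in the description that this snippet is illustrative (the "WRONG" form is what a developer might substitute), or show the actual comment block being added. The snippet also changes two things at once, the variable name (`VITE_SUPABASE_KEY` to `VITE_SUPABASE_PUBLISHABLE_KEY`) and the value, so a reader cannot tell whether renaming the variable is part of the fix or only the value matters.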

The service_role key grants full database admin access with no RLS enforcement. If committed and deployed, any visitor to the app can read, write, or delete ALL data in the database via direct API calls.

Evidence: 65 of 100 scanned Lovable-generated repos had this issue. The DHTMLX template already does this correctly — this PR adds a warning comment so developers who copy the template understand why the anon key is used and never substitute the service_role key.


Found by Frogeye — security knowledge graph for AI-generated code. Try it free: claude mcp add --transport sse --scope user frogeye https://mcp.frogeye.ai/sse
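As an added example, not part of this PR or the DHTMLX template, the following Node.js script checks `.env`-style text for the exact mistake the description warns about: a Supabase service_role key under a variable that a Vite build will ship to the browser. It relies on two facts: Vite only exposes variables prefixed `VITE_` to client code, and legacy Supabase API keys are JWTs whose `role` claim is `anon` or `service_role` (the newer `sb_publishable_` / `sb_secret_` prefixes are handled as a literal-prefix check). The sample `.env` content and the JWTs in it are constructed here with junk signatures; `findExposedServiceRoleKeys`, `classifySupabaseKey` and `fakeJwt` are names chosen for this example.

```javascript
// Added example: scan .env-style text for Supabase service_role keys that a
// Vite build would expose to the client. Not code from the DHTMLX template.

function decodeJwtPayload(token) {
  // A JWT is header.payload.signature, each part base64url-encoded.
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const json = Buffer.from(parts[1], "base64url").toString("utf8");
    return JSON.parse(json);
  } catch {
    return null; // not a JWT (or payload is not JSON)
  }
}

function classifySupabaseKey(value) {
  // Legacy Supabase keys: JWT with role "anon" or "service_role".
  const payload = decodeJwtPayload(value);
  if (payload && typeof payload.role === "string") return payload.role;
  // Newer key format: a literal prefix instead of a JWT.
  if (value.startsWith("sb_secret_")) return "service_role";
  if (value.startsWith("sb_publishable_")) return "anon";
  return "unknown";
}

function parseEnv(text) {
  // Minimal KEY=value parser: skips blanks/comments, strips matching quotes.
  const out = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    out.push({ name, value });
  }
  return out;
}

function findExposedServiceRoleKeys(envText) {
  // Only VITE_-prefixed variables end up in the browser bundle, so a
  // service_role key under any other name is a server-side secret, not a finding.
  const findings = [];
  for (const { name, value } of parseEnv(envText)) {
    if (!name.startsWith("VITE_")) continue;
    if (classifySupabaseKey(value) === "service_role") findings.push(name);
  }
  return findings;
}

// Constructed sample data: fake JWTs with the given role and a junk signature.
function fakeJwt(role) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ iss: "supabase", role })}.not-a-real-signature`;
}

const SAMPLE_ENV = [
  "# constructed .env for the example",
  "VITE_SUPABASE_URL=https://example.supabase.co",
  `VITE_SUPABASE_PUBLISHABLE_KEY="${fakeJwt("anon")}"`, // safe: anon key
  `VITE_SUPABASE_KEY="${fakeJwt("service_role")}"`, // the mistake: shipped to the client
  `SUPABASE_SERVICE_ROLE_KEY=${fakeJwt("service_role")}`, // server-only name, not exposed by Vite
].join("\n");

console.log("exposed service_role keys:", findExposedServiceRoleKeys(SAMPLE_ENV));
```

Run it with `node` against the contents of a project's `.env` or `.env.example`; a non-empty result means a variable Vite will inline into the client bundle carries a key that bypasses Row Level Security. Checking the JWT `role` claim rather than the variable name catches the case the PR describes, where a developer pastes a service_role key into a placeholder that was meant for the anon key.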
