Migration & Security Pain Signals

Users reported painful migration and security failures when switching AI and DB services — one user said they reverted from GPT 5.4 back to Claude after losing system context and credentials, and another reported Supabase flagged tables due to a loose RLS policy. These public posts highlight real migration friction and compliance risks during vendor switches. The complaints were surfaced on X today. (x.com) (x.com)

Two posts on X on April 9, 2026 described the same ugly pattern from two different angles: one developer said an artificial intelligence model switch broke saved instructions and exposed credentials, and another said Supabase marked database tables as insecure because of a weak access rule. (x.com 1) (x.com 2)

That pairing is useful because these are two layers of the same stack. One layer is the model that reads prompts and tools, and the other layer is the database that decides who can see rows and files. (openai.com) (supabase.com)

OpenAI launched GPT‑5.4 on March 5, 2026 with a 1 million token context window and native computer-use features, which means teams can pack more instructions, memory, and tool calls into one system. A migration into a model like that is not just swapping engines in a car; it is moving the map, the keys, and the driver habits at the same time. (openai.com)

A system prompt is the hidden instruction layer that tells a model how to behave before a user types anything. If that layer gets dropped, shortened, or reformatted during a switch, the model can suddenly forget house rules that used to block secrets or preserve workflow context. (openai.com)

Credentials are even less forgiving than prompts because a single leaked key can open real services. Supabase’s own documentation says projects use publishable keys, anonymous keys, and service role keys, and those keys carry very different levels of access. (supabase.com)

On the database side, Supabase relies on Row Level Security, which is a rule system inside PostgreSQL that acts like a bouncer checking every row before it is returned. Supabase says Row Level Security must always be enabled on tables in an exposed schema, which by default is the public schema. (supabase.com)

That matters because a loose Row Level Security policy does not look dramatic at first. A table can keep working normally for developers while still allowing reads or writes that should have been blocked for ordinary users. (supabase.com)

The same logic applies to storage. Supabase says private buckets depend on Row Level Security policies on the `storage.objects` table, so one bad rule can spill from database records into uploaded files and signed links. (supabase.com 1) (supabase.com 2)

What these posts show is that vendor migration risk is often not the headline feature list. It is the invisible glue: prompt formatting, tool permissions, secret handling, schema exposure, and row policies that were tuned over months and then tested all over again in one stressful week. (x.com 1) (x.com 2) (openai.com) (supabase.com)

The posts were small, but the lesson is not. When a company changes models or databases in 2026, the dangerous part is rarely the demo prompt or the import script; it is whether the old guardrails survived the move with the exact same rules attached. (openai.com) (supabase.com) (supabase.com)
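
The Row Level Security point above, as an added example that is not taken from the posts or from Supabase's documentation: a loose policy next to a tightened one, followed by two catalog queries that surface the same problems after a migration. The table `public.notes`, its columns, and the policy names are hypothetical; `auth.uid()` and the `authenticated` role are the ones Supabase provides.

```sql
-- Hypothetical table used only for this example.
create table public.notes (
  id      bigint generated always as identity primary key,
  user_id uuid not null,
  body    text not null
);

-- RLS is off by default; policies are not enforced until it is enabled.
alter table public.notes enable row level security;

-- Loose: the predicate is always true and no role is named,
-- so every row passes for every caller, including anonymous ones.
create policy "notes_read_all" on public.notes
  for select using (true);

-- Tightened: only signed-in users, and only the rows they own.
drop policy "notes_read_all" on public.notes;
create policy "notes_read_own" on public.notes
  for select to authenticated
  using (auth.uid() = user_id);

-- Audit 1: tables in the exposed schema that have RLS turned off.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and not c.relrowsecurity;

-- Audit 2: policies whose row check is the constant "true".
select schemaname, tablename, policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');
```

Running the two audit queries before and after a migration and comparing the output shows whether a table lost RLS or picked up an always-true policy along the way.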
