1. xyborg (OP) 2026-01-19 09:46:28
Thanks, Paul, for the comment. It means a lot to me.

I also published a recap of what Supabase has been doing over the last year to improve all of this: https://supaexplorer.com/dev-notes/supabase-security-2025-wh... I now think it makes sense to include it in the top notice I added to my report, next to where it says "Supabase is NOT insecure by design," since key revocation was one of those changes.

I believe we all know, at least the ones who care about this topic, that you've been making a lot of improvements and adding extra annoying (but justified!) UI features to make this issue more prominent and push people to fix it.

"- contractually requiring Vibe coding platforms to expose our Security Advisors if they are integrating with us" - I like this, and I honestly would love to see those platforms truly enforce it, even when the user is just building an MVP not ready for production, which most of the time ends up there.

And definitely, any improvement in authz will be very helpful, especially if it can be pushed via external coding platforms.