Didn’t Supabase just have a bit of an issue where the default permissions on their MCP/Backend AI agent were elevated and someone could just prompt inject a ticket and if a dev with access was using Cursor, it would just silently reply to the ticket with raw database records?