mirror of
https://github.com/supabase/supabase.git
synced 2026-06-27 11:02:53 -04:00
create-pull-request/patch
37069 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
 dnywh
|
ef8e64728c | [create-pull-request] automated change | ||
|
Danny White
|
a074b62ed1 |
chore(studio): use sentence case for Data API access label (#47353)
## What kind of change does this PR introduce? UI copy + agent guidance. ## What is the current behavior? - The Table Editor labels the Data API setting as "Data API Access" (title case). - Agents have no scoped pointer to our copywriting rules ## What is the new behavior? - Label uses sentence case: "Data API access" (e2e and test docs updated). - Agents are pointed at `apps/design-system/content/docs/copywriting.mdx` via `studio-copy.instructions.md` and `studio-ui-patterns` skill. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Standardized the **“Data API access”** label casing across the Studio UI. * Updated end-to-end tests to assert the corrected label text. * **Documentation** * Updated Studio E2E test review instructions and examples to use **“Data API access”**. * Added/expanded Studio UI copywriting guidance, including where to source copy and how to apply consistent casing. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Cursor <cursoragent@cursor.com> |
||
|
Vaibhav
|
d5fde192d5 |
examples: migrate Edge Functions to @supabase/server (#46890)
- extends/supersedes: #46665 - towards COM-269 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Standardized Edge Function entrypoints across examples to a consistent `export default` shape, with runtime-provided admin access for storage/database operations. * Updated public endpoint handling to use appropriate auth modes. * **Bug Fixes** * Improved error handling to return structured JSON responses with correct HTTP status codes for invalid requests and failures. * Harmonized local invocation examples to use the right header format. * **Chores** * Updated example `verify_jwt` settings to disable JWT verification for public/demo endpoints. * **Documentation** * Fixed README typo and refreshed invocation curl examples. * **Tests** * None. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Tomas Pozo <tomaspozogarzon@gmail.com> |
||
|
Miranda Limonczenko
|
5fc0c86007 |
feat(studio) Link observability pages to relevant docs (#47351)
Closes DOCS-488 <img width="1266" height="353" alt="Screenshot 2026-06-26 at 11 02 57 AM" src="https://github.com/user-attachments/assets/67b5d47b-249e-4e53-9230-2bbcb7f037b7" /> ## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## Problem We have helpful documentation that delves into each observability metric, but it is not easily findable in the moment it is needed while viewing the dashboards. ## Solution Solution includes: - Add a docs link in Studio in every relevant place with the `DocsButton` component - Add aria-hidden on the `DocsButton` icon - An added `constants.ts` to see all of the docs links in one place - A contextual aria-label for the docs so that screenreader users know where they're going | Page | Docs link | |------|-----------| | Overview | `/guides/telemetry/reports` | | Query Performance / Query Insights | `/guides/platform/performance#examining-query-performance` | | API Gateway | `/guides/telemetry/reports#api-gateway` | | Database | `/guides/telemetry/reports#database` | | Data API | `/guides/telemetry/reports#postgrest` | | Auth | `/guides/telemetry/reports#auth` | | Edge Functions | `/guides/telemetry/reports#edge-functions` | | Storage | `/guides/telemetry/reports#storage` | | Realtime | `/guides/realtime/reports` | | Custom reports | `/guides/telemetry/reports#using-reports` | Query Performance and Query Insights already had the button in their custom headers. They now use the shared constants. ## Tophatting 1. Go to a project `/observability`. 2. Click into each of the panels and see a **Docs** link in the top right. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added direct documentation links across observability report pages, making it easier to open relevant help content from each view. * Added clearer, page-specific labels for observability headers and docs links. * **Bug Fixes** * Improved accessibility for icon buttons so icons are hidden from assistive technologies while button labels remain clear. * Adjusted report navigation layouts to keep controls aligned with the new docs buttons. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Gildas Garcia
|
f78c9db32e |
Make mfa lockout risk clear in dashboard (#47344)
## Problem #47330 is not enough. We want the alert to really catch users attention ## Solution <img width="1670" height="1138" alt="image" src="https://github.com/user-attachments/assets/3dab5145-2abf-4213-a591-45116eeacb6a" /> <img width="1634" height="1048" alt="image" src="https://github.com/user-attachments/assets/c70ac8cc-2af0-4778-a68b-3ea9ea8f8166" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Moved the “permanently locked out” MFA warning to the account security page when only one authenticator app is configured. * Removed the duplicate warning from the authenticator factor list so the message is shown in a single, consistent location. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: mo khan <mo@mokhan.ca> Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com> |
||
|
Ali Waseem
|
f1f80dd0bf |
fix(studio): restore email template source editor height (#47350)
## What Restores the email template **source editor** height, which had collapsed to a single line. ## Root cause Earlier today, #47339 ("prevent Monaco editor collapse after visiting GraphiQL") appended `h-full` to the shared `CodeEditor`: ```ts className={cn(className, 'monaco-editor', 'h-full')} ``` `cn` is `twMerge(clsx(...))`. tailwind-merge resolves conflicting height utilities by keeping the **last** one, so the trailing `h-full` clobbered any caller-supplied height. The email template editor (`TemplateEditor.tsx`) passes `h-96`, and its wrapper has no explicit height — so `h-full` resolved to 0 and the editor collapsed to a single line. ## Fix Reorder so `h-full` is a default that a caller's height wins over: ```ts className={cn('monaco-editor', 'h-full', className)} ``` - Email editor passes `h-96` → comes last → wins → 384px height restored. - Callers that set no height (GraphiQL, etc.) → `h-full` still applies → #47339 fix preserved. ## Testing - [ ] Email template source editor renders at full height again - [ ] GraphiQL → editor navigation still does not collapse Fixes FE-3728 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved editor sizing so custom height classes are respected instead of being overridden by the default full-height styling. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Nik Richers
|
032a368221 |
fix(docs): overhaul Ionic Vue tutorial auth flow and example app (#47142)
## I have read the CONTRIBUTING.md file.
YES
## What kind of change does this PR introduce?
Bug fix, docs update
Closes DOCS-353.
## What is the current behavior?
- Linear item: Overhaul Ionic Vue tutorial
- Debug email shown on login page after submit
- Login redirect / route guard issues
- Email missing on account page
- HTML5 `type="url"` blocks profile update for `example.com`
- Tutorial `.env` used `VUE_APP_SUPABASE_KEY` but app expects
`VUE_APP_SUPABASE_PUBLISHABLE_KEY`
## What is the new behavior?
- Removed debug `<p>{{ email }}</p>` from Login.vue
- Route guards in `router/index.ts`; simplified App.vue user sync
- Account email from `getClaims()`; website `type="text"`;
`useIonRouter` for logout
- Store typed as `User | null`
- Tutorial MDX env var fixed
- Audit skills moved to
[supabase/docs-agent-skills](https://github.com/supabase/docs-agent-skills):
[`audit-ionic-vue-tutorial`](https://github.com/supabase/docs-agent-skills/blob/main/.claude/skills/audit-ionic-vue-tutorial/SKILL.md),
[`audit-docs-tutorials`](https://github.com/supabase/docs-agent-skills/blob/main/.claude/skills/audit-docs-tutorials/SKILL.md)
— both require **live Supabase platform** E2E (not just build/lint)
**Tutorial preview:** [Build a User Management App with Ionic
Vue](https://supabase.com/docs/guides/getting-started/tutorials/with-ionic-vue)
## Additional context
- Verification (author): `npm install && npm run build` — **pass**
(warnings only)
- E2E: profiles migration applied to project `moijyfpvgnmgoxvwcikq`; add
`.env` from `.env.example` with publishable key for full auth flow test
### Test plan
- [ ] `cd examples/user-management/ionic-vue-user-management && npm
install && npm run build`
- [ ] Confirm tutorial MDX `.env` uses
`VUE_APP_SUPABASE_PUBLISHABLE_KEY`
- [ ] Copy Project URL + publishable key into `.env`
- [ ] `npm run dev` — login page shows no email after magic-link submit
- [ ] Magic link redirects to `/account`
- [ ] Email displays on account page
- [ ] Update profile with `example.com` and `https://example.com` — both
save
- [ ] Logout returns to `/`; `/account` blocked without auth
- [ ] Install audit skills from
[docs-agent-skills](https://github.com/supabase/docs-agent-skills) (`ln
-sf
~/GitHub/supabase/docs-agent-skills/.claude/skills/audit-ionic-vue-tutorial
~/.claude/skills/audit-ionic-vue-tutorial` and same for
`audit-docs-tutorials`), then run
[audit-ionic-vue-tutorial](https://github.com/supabase/docs-agent-skills/blob/main/.claude/skills/audit-ionic-vue-tutorial/SKILL.md)
platform E2E (magic link, profile update verified via SQL)
- [ ] Run
[audit-docs-tutorials](https://github.com/supabase/docs-agent-skills/blob/main/.claude/skills/audit-docs-tutorials/SKILL.md)
— confirm platform E2E column is filled for with-ionic-vue
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Improved authentication handling in the Ionic Vue user-management
example, with smoother sign-in/sign-out redirects and account access
checks.
* Updated account details to display the user’s email more reliably.
* **Bug Fixes**
* Adjusted navigation so authenticated users are routed to the account
page and unauthenticated users are sent back to the home page.
* **Documentation**
* Updated setup instructions and example environment variables for the
Supabase integration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Nik Richers <nik@validmind.ai>
|
||
|
Ivan Vasilov
|
a9565c1645 |
refactor: Optimize Sentry user ids (#47342)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved signed-in user identification in error tracking to use the current authenticated user ID directly. * Removed reliance on previously stored anonymous identifiers, reducing inconsistent user matching across sessions. * **Tests** * Added coverage to confirm error tracking user identity is set when a user is signed in and not set when signed out. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Alaister Young
|
4f80bb70cd |
fix(studio): prevent Monaco editor collapse after visiting GraphiQL (#47339)
Fixes a pre-existing bug where visiting **GraphiQL** leaves the **SQL editor** (and other Monaco editors) collapsed to a ~5px slit with the background spilling over it, until a full navigation away. ## Root cause GraphiQL (`@graphiql/react`) and the rest of Studio's editors (`@monaco-editor/react`) share one global Monaco instance. Visiting GraphiQL does `import 'graphiql/style.css'`, which injects a **second copy of Monaco's CSS** globally and persists for the session. `CodeEditor` hard-codes a `monaco-editor` class onto the `@monaco-editor/react` **wrapper** div (it's not a real Monaco editor — Monaco creates its own `.monaco-editor` inside it). That makes the wrapper subject to global `.monaco-editor` rules. After GraphiQL's CSS loads, the wrapper flips from `position: relative` to `position: absolute`, drops out of the flex flow, and collapses to `height: 0`. Monaco then lays out against a 0-height container → ~5px editor, and the full-size gutter/background layers spill over the area. Confirmed by inspecting the same wrapper before vs after a GraphiQL visit — identical inline styles, but `position` flips `relative` → `absolute` and height `266px` → `0`. ## Fix Add `h-full` to the wrapper so it fills its (full-height) section even when it's `position: absolute`, instead of collapsing to 0. Monaco then measures the correct height. In the normal `relative` state this is identical to the existing flex-stretch behavior. This is the contained fix. The deeper fix is isolating GraphiQL's Monaco from the shared instance (so it can't inject CSS / mutate global state affecting other editors) — larger, worth a follow-up. ## To test - Open the SQL editor (renders fine). - Go to Integrations → GraphiQL, then back to the SQL editor. - Editor should be full height and fully visible (previously a ~5px slit covered by the background). - Sanity-check other editors that use `CodeEditor` (e.g. RLS policy editor, function editor) still render at the right height. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved the code editor’s sizing so it keeps its full height during navigation and no longer collapses to a near-zero display in some cases. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com> |
||
|
Ivan Vasilov
|
7c1573830b |
fix: Enable some of the Data API settings to be editable on self-hosted variant (#47340)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved permission handling in API settings so exposure-related actions and PostgREST configuration are controlled separately. * The “Automatically expose new tables” option now disables correctly when exposure permissions are unavailable. * Save behavior now avoids updating PostgREST settings unless the user has the required permission, while keeping exposure changes available when allowed. * The form action buttons and helper text now reflect the correct permission state more accurately. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Nik Richers
|
c7c6cca9ed |
chore(docs): align Next.js quickstart demo with monorepo catalog (#47144)
## I have read the CONTRIBUTING.md file. YES ## What kind of change does this PR introduce? Docs update, example maintenance Closes DOCS-362. ## What is the current behavior? - Linear item: Next JS checks (DOCS-362) - `@supabase/ssr: "latest"` and unpinned `next` in nextjs-user-management - Duplicate `next.config.js` + `next.config.ts` - Auth quickstart linked to non-existent `/guides/auth/server-side/nextjs` ## What is the new behavior? - Pinned `next@16.2.6`, `@supabase/ssr@0.10.2` per monorepo catalog - Removed duplicate `next.config.js` - Auth quickstart links to `creating-a-client?framework=nextjs` - Audit skills moved to [supabase/docs-agent-skills](https://github.com/supabase/docs-agent-skills): [`audit-nextjs-docs`](https://github.com/supabase/docs-agent-skills/blob/main/.claude/skills/audit-nextjs-docs/SKILL.md), [`audit-quickstarts`](https://github.com/supabase/docs-agent-skills/blob/main/.claude/skills/audit-quickstarts/SKILL.md) ## Additional context - Verification (author): `npm install && npm run build` in nextjs-user-management — **pass** (Next.js 16.2.6) - Skill audit: no stale `middleware.ts` in Next docs paths; broken link fixed; duplicate config removed | Check | Result | |-------|--------| | Version matrix | Pass (pinned to catalog) | | proxy.ts / no middleware refs | Pass | | nextjs-user-management build | Pass | | Auth quickstart link | Fixed | ### Test plan - [ ] `cd examples/user-management/nextjs-user-management && npm install && npm run build` - [ ] `cd apps/docs && pnpm codegen:examples && pnpm lint:mdx` on changed MDX - [ ] Framework quickstart — `create-next-app -e with-supabase` and publishable key env vars - [ ] Auth quickstart — "Learn more" resolves (no 404) - [ ] Web app tutorial — code samples use `proxy.ts` - [ ] Start nextjs-user-management locally with `.env.local` — login/account flow - [ ] Install audit skills from [docs-agent-skills](https://github.com/supabase/docs-agent-skills) (`ln -sf ~/GitHub/supabase/docs-agent-skills/.claude/skills/audit-nextjs-docs ~/.claude/skills/audit-nextjs-docs` and same for `audit-quickstarts`), then run checklists in [audit-nextjs-docs](https://github.com/supabase/docs-agent-skills/blob/main/.claude/skills/audit-nextjs-docs/SKILL.md) and [audit-quickstarts](https://github.com/supabase/docs-agent-skills/blob/main/.claude/skills/audit-quickstarts/SKILL.md) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated resource links in authentication quickstart guides for improved navigation. * **Chores** * Updated dependencies in the Next.js user management example to latest stable versions. * Removed unused configuration settings from the example application. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Nik Richers <nik@validmind.ai> |
||
|
Francesco Sansalvadore
|
cd62b0b9d4 |
www: product pages (#47271)
Update product pages in marketing website. PR breakdown of #43455 Related: #47226 #47227 #47228 #47236 |
||
|
hallidayo
|
7cbd540681 |
fix: self hosted cmdk organizations (#47308)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Supabase Studio > CMD K ## What is the current behavior? When on self hosted and using CMD K the organization options are available. ## What is the new behavior? Organization options now hidden on self hosted/local ## Additional context Closes #40106 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Updated the organization switcher and related command entry to appear only when the platform-specific conditions are met, helping prevent it from showing up in unsupported environments. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Andrew Valleteau
|
b12fe6ea1b |
docs: note cron.log_statement requires a database restart (#47313)
## What Documents that `cron.log_statement` is a Management-API-configurable Postgres parameter that **requires a database restart** to take effect. ## Why While aligning the platform's `RESTART_REQUIRED_KEYS` with `pg_settings.context` (supabase/platform#34691), `cron.log_statement` surfaced as a parameter that: - is accepted by the Management API `PUT /v1/projects/{ref}/config/database/postgres` endpoint (it's in the request schema), so project Owners/Admins can set it — though it's **not** exposed via the CLI; - is registered by pg_cron as `PGC_POSTMASTER` (context `postmaster`), so it only takes effect after a restart. It wasn't documented anywhere user-facing (it only appeared in the auto-generated OpenAPI spec). This adds a short note in the "Management API only parameters" section so the restart requirement is discoverable. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- _Generated by [Claude Code](https://claude.ai/code/session_01VaRQMeVMf4g5biiYPoZHLW)_ <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated the database configuration guide to include `cron.log_statement` in the list of Management API-only parameters. * Clarified that this setting requires a database restart before changes take effect. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Claude <noreply@anthropic.com> |
||
|
Alaister Young
|
5c0b627904 |
fix(studio): fix GraphiQL editor layout, gutter bleed and spacing (#47334)
Fixes three GraphiQL/integrations layout issues introduced by the Marketplace layout change (#45856), which dropped the height passthrough on the integration page content wrapper. **Changed:** - **Full-height integration pages** — the content wrapper had no height, so GraphiQL's `h-full` editor collapsed instead of filling the page. Added `flex-1 min-h-0` to the wrapper in both the legacy (`LegacyIntegrationPage`) and marketplace (`MarketplaceDetail`) render paths. - **GraphiQL gutter bleed** — Monaco's `.overflow-guard` was ending up `overflow: visible` (an inline style Monaco sets at runtime), so the oversized opaque line-number gutter escaped the editor and painted over the page above it. Re-asserted the clip, scoped to GraphiQL so the SQL editor is untouched. - **GraphiQL editor spacing** — removed GraphiQL's default 16px query-editor padding so the scroll shadow sits flush, and restored the content's breathing room via Monaco's own `padding` (top/bottom) and `glyphMargin` (line-number left inset) options, which leave the scroll shadow pinned to the top edge. Before: <img width="2056" height="814" alt="Screenshot 2026-06-26 at 5 27 24 PM" src="https://github.com/user-attachments/assets/573856bf-2bfb-4bf2-9dd7-59c29b423ec9" /> ## To test - Open a project → **Integrations → GraphiQL** (the `graphiql` tab). The editor should fill the full page height. - Scroll the query editor — the scroll shadow should sit flush at the top edge, not float inset, and the white gutter should not bleed over the page header above. - Confirm line numbers have left padding and content has top/bottom padding. - Trigger autocomplete in the editor — the suggestion popup should still appear (not clipped by the gutter `overflow: hidden`). - Toggle the **Marketplace** feature preview (Account dropdown → Feature Previews) and re-check the GraphiQL page in both states, since it renders through two different page components. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved the GraphQL in-browser editor layout to prevent the editor gutter from overlapping surrounding content. * Removed unnecessary query-editor padding so scrolling and shadow effects display correctly in the available space. * Ensured Monaco editor spacing/settings are applied consistently to both existing and newly created editors. * Fixed full-height sizing for integration pages so content stays correctly constrained and doesn’t collapse or overflow. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
Jonathan Fulton
|
759dde2176 |
docs(auth): fix Dart signInWithOtp return type in email passwordless docs (#42339)
## What kind of change does this PR introduce? Bug fix for incorrect documentation. ## What is the current behavior? The Dart/Flutter examples in the email passwordless authentication documentation incorrectly show `signInWithOtp` returning an `AuthResponse`: ```dart final AuthResponse res = await supabase.auth.signInWithOtp(email: 'valid.email@supabase.io'); ``` However, according to the [official Flutter package documentation](https://pub.dev/documentation/supabase_flutter/latest/supabase_flutter/GoTrueClient/signInWithOtp.html), `signInWithOtp` returns `Future<void>`, not `AuthResponse`. ## What is the new behavior? Updated the Dart examples to correctly show that `signInWithOtp` returns `Future<void>`: ```dart await supabase.auth.signInWithOtp(email: 'valid.email@supabase.io'); ``` Also fixed a typo in the method name (`signinwithotp` -> `signInWithOtp`). ## Additional context - [Flutter Package Docs - signInWithOtp](https://pub.dev/documentation/supabase_flutter/latest/supabase_flutter/GoTrueClient/signInWithOtp.html) - shows return type is `Future<void>` - [Flutter Package Docs - verifyOTP](https://pub.dev/documentation/supabase_flutter/latest/supabase_flutter/GoTrueClient/verifyOTP.html) - this method returns `AuthResponse` Fixes #39447 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated passwordless email authentication guide with corrected API method naming conventions in code examples. Examples now properly reference the current public API standards, ensuring developers follow best practices when implementing email-based authentication flows. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Lukas Klingsbo <lukas.klingsbo@gmail.com> |
||
|
Gildas Garcia
|
77bf0a4ec9 |
chore: more dead code cleanup (#47312)
## Problem There's still more unused code in the repository which slows down everything: - checkouts - tooling - probably builds (not sure how good turbopack is at handling this) ## Solution - remove old unused code - remove more recent code after checking git history to ensure it's not unfinished/ongoing work <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Removed several outdated UI components and helper utilities to streamline the app. * Cleaned up unused analytics, database, and observability hooks and queries. * **Refactor** * Simplified data table, unified logs, and assistant panel internals by removing legacy display and navigation pieces. * **Bug Fixes** * Reduced the chance of showing stale or inconsistent status, chart, and metric views by eliminating obsolete display paths. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
ChloeGarciaMillerand
|
b1b29ad011 |
Fix: improve accessibility for icon buttons (#47214)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Bug fix (accessibility improvement) ## What is the current behavior? Icon-only buttons do not have explicit accessible names for screen readers. ## What is the new behavior? All icon-only buttons now have explicit accessible names using visually hidden text (sr-only), ensuring proper screen reader support. ## Additional context Tooltip text is preserved or added for visual users. No visual changes were introduced. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * Added hover tooltips across the database editor and SQL editor, including “More options” menus, table filter controls, and the “Create a new query” action. * **Accessibility** * Improved button accessibility by adding/expanding `aria-label`s for Intellisense, favorites (add/remove), and “Prettify SQL.” <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Saxon Fletcher
|
1392cc0952 |
Temporarily disable network bans and network restrictions on HA (#47325)
Temporarily disables network bans and network restrictions on HA projects until they are supported. Requires https://github.com/supabase/supabase/pull/47322 to be merged first. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added High Availability-aware empty and notice states for database settings screens. * Introduced project-aware handling so unavailable actions are clearly indicated in High Availability projects. * Added support for filtering out unsupported schemas when High Availability is enabled. * **Bug Fixes** * Disabled network restriction and banned IP actions when they are not available, with clearer tooltip messaging. * Updated action states so access controls and unban options consistently reflect project permissions and High Availability status. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Alaister Young <alaister@users.noreply.github.com> |
||
|
Gildas Garcia
|
1ec86503fa |
fix: make mfa lockout risk clear in dashboard (#47330)
## Problem Lots of users are getting locked out of their accounts, with no way to get back in. The current warning after setting up an MFA is not visible enough: <img width="1484" height="836" alt="image" src="https://github.com/user-attachments/assets/944093f0-b912-4eb9-9955-a012be1a5248" /> ## Solution First part of the solution is to make the warning more visible: <img width="1612" height="930" alt="image" src="https://github.com/user-attachments/assets/06d334dc-ee6a-4bf3-a8b3-3d4282a275b7" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Updated the two-factor authentication setup warning to use a clearer warning style and horizontal layout. * Improved the guidance shown when only one authenticator app is configured, making the message easier to read. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Gildas Garcia
|
3ffc446824 |
chore: delete unused bucket picker dialogs (#47331)
## Problem Cleaning up dead code. Those two dialogs are not used. Other components in their directories are though. ## Solution Remove them <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Removed two storage picker dialog components from the app. * This may affect how bucket and file selection screens are presented in the Studio interface. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Alaister Young
|
7b5e976c9f |
chore: manage CodeRabbit config in .coderabbit.yaml (#47328)
Sets up `.coderabbit.yaml` so our CodeRabbit configuration lives in the repo — version-controlled, visible to contributors, and reviewable — instead of split between the dashboard and nowhere. Three parts: 1. **Skills as code guidelines** — wires our `.claude/skills/` into reviews. 2. **Path instructions** — migrates the telemetry rules out of the CodeRabbit dashboard UI. 3. **Path filters** — skips machine-generated files so reviews focus on hand-written code. Supersedes #47327 (closed). ## 1. Skills as review guidelines CodeRabbit's code-guidelines feature reads guideline files and, by default, **directory-scopes** them — a file applies only to its own folder and below. Our skills live in `.claude/skills/` (no code), so they'd never reach `apps/studio`. The `applyTo` field on `filePatterns` decouples *where the guideline lives* from *which code it governs*, so we point CodeRabbit straight at the skills: | Skills | Apply to | | --- | --- | | `studio-best-practices`, `studio-ui-patterns`, `vercel-composition-patterns`, `studio-queries`, `studio-error-handling` | `apps/studio/**/*.{ts,tsx}` | | `studio-testing`, `studio-mock-api-tests` | `apps/studio/**/*.test.{ts,tsx}` | | `studio-e2e-tests` | `e2e/studio/**/*.spec.ts` | Skills stay the **single source of truth** — consumed directly, no duplicated/generated copy. ## 2. Path instructions (migrated from the dashboard) Moved the two existing telemetry path instructions into the file so they're version-controlled: - `packages/common/telemetry-constants.ts` — event-naming enforcement (`[object]_[verb]` snake_case, approved verb list, camelCase props, `useSendEventMutation` flag, JSDoc + union-type checks). - `apps/studio/components/**/*.tsx` — only suggest PostHog tracking for growth-relevant interactions, not passive/UI-only ones. ## 3. Path filters (skip generated files) Excludes machine-generated / vendored paths from review (mirrors `.prettierignore`): API types, generated DB types, route trees, design-system / icons / ui-library registries, generated icon components, and the lockfile. Keeps reviews focused on hand-written code and preserves OSS rate-limit budget on large codegen diffs. ## Notes - Cost is \$0 — CodeRabbit Pro (incl. code guidelines) is free for public repos. - `vitest` skill left out (generic framework reference, not our conventions). - The `telemetry-standards` skill is intentionally **not** also wired as a guideline — the migrated path instruction above is the curated version; wiring both would double up. ## To test - PR touching `apps/studio/**/*.tsx` → CodeRabbit cites Studio conventions - PR touching `e2e/studio/**/*.spec.ts` → cites E2E conventions - PR editing `telemetry-constants.ts` with a bad verb / non-camelCase prop → flagged - PR that regenerates e.g. `packages/api-types/types/**` → those files not reviewed - Confirm Studio guidelines don't bleed into unrelated areas (docs, www) ## Follow-ups (not here) - Extend `filePatterns` to other scopes: `dev-toolbar-review` → `packages/dev-tools/**` - Optionally skip bot PRs via `auto_review.ignore_title_keywords` - Move any remaining dashboard settings into this file as we find them <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Added/updated automated review configuration to disable org-level inheritance and enable automatic issue enrichment. * Excluded generated/vendor artifacts (e.g., lockfiles, API/type outputs, generated docs/www, UI registry/icon sources) from review. * Added path-scoped review guidance for telemetry event naming/verification and tighter review focus for production UI event-tracking suggestions. * Extended internal coding guidelines to apply local skill docs across Studio source, unit/component tests, and Studio Playwright E2E specs. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
Saxon Fletcher
|
791fa6fa1b |
Temporarily disable backups and realtime on HA (#47323)
Temporarily disables backups/pitr and realtime on HA projects until they are supported. Requires https://github.com/supabase/supabase/pull/47322 to be merged first. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added reusable High Availability empty-state and notice components for consistent messaging across the studio. * High Availability projects now show a dedicated blocked state in Realtime and PITR views. * Updated schema handling so certain schemas are hidden when High Availability is enabled. * **Bug Fixes** * Improved loading behavior on the PITR page by waiting for project, backup, and entitlement checks. * Refined upgrade messaging to better match the user’s current access level. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Alaister Young <alaister@users.noreply.github.com> |
||
|
Saxon Fletcher
|
01902156ce |
Temporarily disable replication on HA (#47324)
Temporarily disables replication on HA projects until they are supported. Requires https://github.com/supabase/supabase/pull/47322 to be merged first. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added reusable High Availability UI components for an empty-state message and an availability notice. * Introduced shared High Availability helpers to determine availability status and adjust schema lists accordingly. * Updated the replication page to use the new High Availability flow with a dedicated empty state when enabled. * **Bug Fixes** * Improved High Availability detection consistency, including safer fallback behavior when project data is missing or null. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Alaister Young <alaister@users.noreply.github.com> |
||
|
Saxon Fletcher
|
143769afac |
feat(studio): shared High Availability disabled hook and UI primitives (#47322)
Add generic building blocks for blocking features on High Availability projects: - useHighAvailability hook: HA state only (isHighAvailability, isPending) - HighAvailabilityDisabledEmptyState (full-page empty state) - HighAvailabilityDisabledSectionNotice (in-section admonition) The components carry a generic default title/description; consuming pages pass their own copy via props. HA state is read from the project's high_availability flag (same source as the High Availability badge on the project home page). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added clearer messaging for features that aren’t available in High Availability projects. * Introduced a standard High Availability status check to help the app adapt what it shows. * **Bug Fixes** * Hid non-applicable schema options when High Availability is enabled, reducing confusion in selection lists. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> |
||
|
Alaister Young
|
072add9945 |
[FE-3682] feat(studio): warn on Vercel preview/dev env var sync (#47298)
Clarifies what the Vercel environment-variable sync toggles actually do and guards the risky path. Enabling Preview/Development sync pushes this project's **production** credentials into those Vercel environments — previously this wasn't clear, so users expected isolated preview deployments and were surprised when previews hit production. Addresses **FE-3682** (support case SU-385292). **Changed:** - Reworded the sync section: a single heading + intro that makes clear the toggles sync this project's production credentials to the selected Vercel environments, and that most projects only need `production`. - Recommend Branching for preview isolation, linking to the in-dashboard branches page (`/project/<ref>/branches`) instead of docs. - Switched the toggle rows to `FormItemLayout` (`flex-row-reverse`) for consistent layout/spacing; descriptions now clarify these are the **Vercel** environments. **Added:** - Inline `Admonition` warning when Preview/Development sync is enabled, with branching-aware copy (a "Not recommended with Branching" variant when Branching is on, explaining production creds are used until a branch finishes provisioning). - Confirmation dialog before saving whenever Preview/Development sync is on, naming exactly which credentials get exposed (project ref, API URL, anon + service role keys, DB connection strings). Production-only saves skip the dialog. ## Screenshots <img width="707" height="630" alt="Screenshot 2026-06-25 at 6 43 23 PM" src="https://github.com/user-attachments/assets/30d45527-5a48-44c2-bdb7-2e576f5e4c7d" /> **Default state (production only)** <img width="704" height="786" alt="Screenshot 2026-06-25 at 6 43 46 PM" src="https://github.com/user-attachments/assets/75a12f65-99d0-4aad-9360-a7a6e6c91ca1" /> **Preview + Development enabled — inline warning (no Branching)** <img width="535" height="373" alt="Screenshot 2026-06-25 at 6 44 18 PM" src="https://github.com/user-attachments/assets/29d75804-fa93-402b-8cee-1faedd0ac9c7" /> **Confirmation dialog (no Branching)** <img width="705" height="824" alt="Screenshot 2026-06-25 at 6 48 09 PM" src="https://github.com/user-attachments/assets/c3f7bf97-7c6e-4be4-9a5b-90d422b03f81" /> **Inline warning — Branching enabled** <img width="530" height="415" alt="Screenshot 2026-06-25 at 6 48 20 PM" src="https://github.com/user-attachments/assets/a5ede69e-6186-488e-bf1e-49007b231201" /> **Confirmation dialog — Branching enabled** ## To test - Open a project's **Integrations → Vercel** settings with a connected Vercel project (the project-scoped connection form). - Toggle **Preview** and/or **Development** on → inline warning appears; toggle both off → it disappears. - On a project with **Branching enabled**, confirm the warning shows the "Not recommended with Branching" variant. - Click **Save** with Preview/Dev on → confirmation dialog appears naming the credentials. **Cancel** aborts (no save), **Sync credentials** saves. - Save with **only Production** on → no dialog, saves directly. - Confirm the **Branching** links navigate to `/project/<ref>/branches`. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a confirmation step before syncing Preview or Development environment variables. * Improved the sync settings UI with clearer descriptions and a warning message when these environments are enabled. * Made the sync flow aware of project branching status, with guidance that adapts to the project setup. * **Bug Fixes** * Improved the save flow so successful updates now reset the form, close the dialog, and show a success message consistently. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
Joshen Lim
|
f6afd8b2e4 |
Use CodeEditor in AIEditor (#47297)
## Context More clean up / housekeeping - to use `CodeEditor` in `AIEditor` and remove duplicated logic <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Expanded supported editor file types, including CSS, CSV, and JavaScript (with improved syntax highlighting). * The updated editor experience now provides a readily available “run query” action. * **UI Improvements** * Tightened editor panel spacing and adjusted padding for a cleaner layout. * **Bug Fixes** * Improved file-to-language detection so files open with the correct syntax highlighting more consistently. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Charis
|
5cb81123ae |
refactor(studio): move SQL editor save trigger into a scheduler + provider (5/9) (#47316)
## What
PR 5 of a stacked refactor. Moves *when to save* out of a module-load
`subscribe` and into an injectable **scheduler** armed by a headless
**provider**, splits the save queue, and adds an unsaved-close warning.
### Scheduler (`sql-editor-save-scheduler.ts`)
`createSaveScheduler({ state, saveMechanism, notify, getSaveMode })`
owns the save *policy*:
- **auto** mode drains the dirty snippet queue as edits land; **manual**
mode (the seam for a future opt-in; defaults to `auto`) leaves snippets
queued until `requestSave`. Folder saves always drain.
- `start()` returns an unsubscribe; `requestSave(id)` is the
explicit-save entry.
### Provider (`sql-editor-save-coordinator.tsx`)
Headless `SqlEditorSaveCoordinatorProvider` instantiates the mechanism
(invalidation via the **React Query client from context**, not the
global `getQueryClient`) + scheduler, `start()`s it in an effect
(start/stop with the provider), and exposes `requestSave` via
`useSqlEditorSaveCoordinator()`. Mounted in `ProjectContext` (under the
app's QueryClientProvider). Cmd+S and the SavingIndicator Retry now go
through `requestSave`.
### Queue split
`needsSaving` (snippets) and `pendingFolderSaves` (folders) are separate
queues, drained independently — the old snippet-vs-folder `if/else` is
gone.
### Unsaved-close warning
A `beforeunload` guard triggers the browser's native "Leave site?"
prompt while any snippet's `status !== 'saved'` (failed / in-flight /
never-saved).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Improved SQL editor saving with a centralized save flow, including
automatic/manual save handling and immediate “Save Query” requests.
* Added unsaved-change detection so the app can warn before closing or
reloading when edits are still pending.
* **Bug Fixes**
* Retry actions now use the updated save flow for more reliable
re-saving.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
Taryn King
|
f2f346dfde |
feat(docs): add page documenting free project pausing behavior (#47279)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Docs update ## What is the new behavior? Adds a page to Platform > Project & Account Management subsection to covers project pausing behavior for the Free plan. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a new “Project Pausing” guide link under **Platform → Project & Account Management**. * Published a new guide explaining Free Plan automatic project pausing, the 7-day inactivity determination, the warning/confirmation email flow, how to prevent pausing via activity, restoration within 90 days, and how to avoid future pauses by upgrading. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Chris Chinchilla <chris.ward@supabase.io> Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com> |
||
|
Shane
|
e9888de2c0 |
Updated Supabase Pipelines blog post images (#47314)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? OG and thumb image update ## What is the current behavior? Old image: "Supabase ETL" ## What is the new behavior? Refreshed images with "Supabase Pipelines" ## Additional context Add any other context or screenshots. |
||
|
Gildas Garcia
|
968fa3f052 |
chore: remove old Input component (#47259)
## Problem Every inputs and textarea have been migrated to the new shadcn components. This `Input` is no longer needed ## Solution - Delete it - Clean up the `defaultTheme` accordingly <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Breaking Changes** * Removed the built-in Input component from the UI library, including its attached TextArea export. * Removed input styling support from the default theme (standard/error variants and related icon/action/textarea spacing). * Cleared the Input module styles, so prior textarea action UI styling is no longer available. * Removed the Reports filtering UI in Studio (including the popover component and the associated report-filter hook), which may affect report filtering screens. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Shane
|
235e56e0c7 |
Updated brand-assets.zip (#47310)
Added full white and black logos in .png and .svg formats to brand-assets.zip linked at https://supabase.com/brand-assets ## I have read the CONTRIBUTING.md file. YES ## What kind of change does this PR introduce? Asset update ## What is the current behavior? The brand-assets.zip downloadable on supabase.com/brand-assets contains the previous set of brand logos. ## What is the new behavior? Updated brand-assets.zip with the latest brand assets, including full white and black logo variants in .png and .svg (DEBR-337). ## Additional context File replaced at apps/www/public/brand-assets.zip. Served statically — no code changes required. |
||
|
Jordi Enric
|
d5bceb8db8 |
feat(studio): route Logs Explorer to OTEL endpoint via flag DEBUG-145 (#47265)
## Problem The Logs Explorer (SQL editor) queries the BigQuery-backed `logs.all` endpoint and exposed a manual "OTEL endpoint" toggle behind a separate flag. ## Fix - Drive the explorer endpoint purely from the `otelLegacyLogs` flag: on -> `logs.all.otel`, off -> `logs.all`. - Remove the manual toggle from `LogsQueryPanel` (and its `showChToggleInLogExplorer` gate). ## Dependencies None. Standalone, behind `otelLegacyLogs` (off by default), so no user-facing change. Part of DEBUG-145 (split from #47087). Note: PR for the deterministic BigQuery->ClickHouse rewrite + banner builds on top of this one. ## How to test - Enable `otelLegacyLogs`, open `/project/[ref]/logs/explorer`, confirm queries hit the OTEL endpoint and run. Toggle off, confirm BigQuery path unchanged. Confirm the old manual OTEL switch is gone. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Simplified the Logs Explorer experience by removing the OTEL endpoint toggle from query settings. * OTEL behavior now follows the configured feature flag, driving the editor’s initial placeholder/query shape. * On first load, the editor automatically switches to the OTEL placeholder only if the content is still the untouched default (not after user navigation or custom edits). <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|
Chris Stockton
|
d46a9c43fd |
feat(Auth/EmailTemplates): Add SiteURL variable for notifications (#46393)
This will make email templates more consistent and may be merged after https://github.com/supabase/auth/pull/2532 is deployed. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Authentication notification emails now include access to site URL references. This enhancement applies to multiple notification types: password change alerts, email change confirmations, phone number change notifications, identity linking and unlinking events, and multi-factor authentication enrollment and unenrollment notifications. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46393?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Chris Stockton <chris.stockton@supabase.io> |
||
|
Joshen Lim
|
0038f303f2 |
Track is initialized in feature preview context (#47309)
## Context Noticed that while default opted into unified logs, if you refresh while on the page, you'll get redirected back to the old logs URL (logs/explorer) Happening due to a inconsistent tracking of loading states for feature flags and feature previews. Just need to track whether the feature previews have been initialized <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved the loading behavior for unified logs preview so it only finishes loading after preview settings are fully initialized. * Added a more reliable initialization state to better reflect when feature-based defaults are ready. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Charis
|
16526bd6bf |
refactor(studio): extract SQL editor save mechanism + model folder lifecycle (4/9) (#47276)
## What
PR 4 of a stacked refactor of the SQL editor snippet/folder state. It
pulls the persistence logic out of the store into an injectable
mechanism, and replaces the folder `'new-folder'` id sentinel with an
explicit lifecycle — plus a concurrency bug fix that surfaced along the
way.
### Save mechanism (`sql-editor-save.ts`)
`createSaveMechanism({ state, upsertContent, createSQLSnippetFolder,
updateSQLSnippetFolder, invalidate, notify, debounceMs })` → `{
saveSnippet, createFolder, updateFolder }`. The store's subscribe now
dispatches to it; *when* to save still lives in the subscribe (the
scheduler/provider move is PR 5). Per-id debounce cache lives in the
factory closure (no module-global leak).
- **`saveSnippet`** reads the live store snippet, guards
`isLoadedSnippet` so a content-less snippet can **never PUT an empty
body** (directly unit-tested), then builds the payload + drives status
transitions + gated invalidation.
- **`toast` is injected** as a `Notifier` (new generic DI contract in
`lib/notifier.ts`) — the mechanism no longer imports sonner.
- **create vs rename are two named-arg functions**, not an `isNew`
branch; rollback is deterministic per operation instead of matching on
`error.message` text.
- **caught errors are `unknown`**, narrowed via the existing
`getErrorMessage` util with a generic fallback — no `any`.
### Folder lifecycle (replaces the `NEW_FOLDER_ID` sentinel)
- **`FolderStatus`** enum (`new_editing | new_saving | editing | saving
| idle`) collapses the persistence and progress axes into one enum —
same pattern as `SnippetStatus` — with `isNewFolder` / `isFolderEditing`
/ `isFolderSaving` predicates. Tagging a folder as new/persisted is now
an explicit field, not an id convention.
- New placeholders get a **unique local id** (`crypto.randomUUID`);
`NEW_FOLDER_ID` is deleted, which also lifts the accidental
one-unsaved-folder-at-a-time limit.
### Bug fix: folder-rename rollback race
The shared `lastUpdatedFolderName` field let two in-flight renames
clobber each other's rollback target (and a shared `finally` could wipe
it). Replaced by a **per-folder `previousName`** on
`StateSnippetFolder`, so concurrent renames of different folders are
isolated. A new test runs two failing renames concurrently and asserts
each restores its own previous name.
## Tests
`sql-editor-save.test.ts` (mechanism — fakes + fake timers, incl.
content-less no-PUT and concurrent-rename isolation) and
folder-lifecycle predicate tests. `pnpm --filter studio typecheck`
clean; 82 state/sql-editor unit tests pass.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Improved SQL editor folder handling with clearer create, rename, and
save states.
* Added a more consistent notification flow for successful and failed
save actions.
* **Bug Fixes**
* Improved rollback handling when folder renames fail, helping restore
the previous name reliably.
* Updated save behavior to better protect against duplicate or
out-of-order updates.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
obchain
|
7007a8e5e8 |
fix(studio): raise body size limit for saving SQL snippets (#47032)
## What kind of change does this PR introduce? Bug fix — closes #45060. ## What is the current behavior? Saving a large SQL snippet from the SQL Editor fails when the content exceeds ~1 MB. The content API route (`PUT /platform/projects/{ref}/content`) relies on Next.js's default API body-parser limit of `1mb`, so large snippets — for example a multi-thousand-line RPC — are rejected with a `413 Payload Too Large` before the handler runs, and the snippet can't be saved. ## What is the new behavior? The route now sets an explicit body size limit of `5mb`, matching the limit already used by the AI SQL endpoint (`pages/api/ai/sql/generate-v4.ts`). Large SQL snippets save successfully, and the value is consistent with existing SQL-handling routes in the app. ```ts export const config = { api: { bodyParser: { sizeLimit: '5mb', }, }, } ``` ## Additional context - Only the content route's `PUT` handler accepts the snippet body; the sibling `item/[id].ts` route doesn't take a content body, so no change is needed there. - Supersedes the stale #45101 (no activity in ~8 weeks); this version documents the rationale and aligns the limit with the existing precedent in the codebase. --- - [x] I have read the [CONTRIBUTING](https://github.com/supabase/supabase/blob/master/apps/studio/CONTRIBUTING.md) guidelines. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Fixed an issue preventing users from uploading or processing large content, such as SQL snippets, which would previously result in rejection errors. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Joshen Lim
|
ccf84da968 |
Ensure that pathname in unified logs is solely server side filtered (#47307)
## Context Filtering on pathname in unified logs shows no data despite the network request returning some data Happening due to missing `filterFn` on pathname in `Columns.tsx` (should just return true so that the react table doesn't bother with client side filtering, since filtering is done on the server side) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Updated log table filter handling for several always-visible columns, with no change to the displayed data or user experience. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Joshen Lim
|
2bac064adf |
Joshen/fe 3697 progressively default opt in to unified logs (#47296)
## Context We're progressively opting in users to use the new Unified Logs UI 🙂🙏 ## Changes involved - [ ] Removed flag for controlling visibility of unified logs feature preview - [ ] Added flag for controlling default opt in behaviour of unified logs - [ ] Small tweak to Unified Logs banner is default opted in (Just show "New" and more info CTA) - Disabling, then enabling again will thereafter show the existing "Go back to old logs CTA" <img width="290" height="166" alt="image" src="https://github.com/user-attachments/assets/a2c46ce1-63c3-490c-bc7d-fc1254982dbe" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Unified Logs preview now derives default opt-in state from a new default-opt-in flag and exposes `isDefaultOptIn`. * **Bug Fixes** * Removed eligibility-based gating so the “Beta” badge and Unified Logs banner render consistently across logs screens. * Unified Logs banner was refactored to handle enable/disable and navigation internally, while remaining shown unconditionally. * **Tests** * Updated mocks and assertions to reflect the revised preview/banner enablement and dismissal logic. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
Pamela Chia
|
0a797ef4ea |
feat(studio): add creation funnel telemetry (#47291)
## Summary Adds frontend funnel telemetry to the organization-creation and project-creation flows in Studio, so each is measurable as a funnel (form exposed → completed) entirely from frontend events. Feeds the KPI 3 FE Benchmark Friction dashboard. Org creation had zero frontend funnel events before this (only a backend event that fires across every surface), and project creation had no clean form-view impression. ## Changes - Define `organization_creation_form_exposed`, `organization_creation_completed`, and `project_creation_form_exposed` in the telemetry constants. - Fire `organization_creation_form_exposed` when the new-org form renders, gated on the profile resolving so pre-auth redirects are not counted. Fire `organization_creation_completed` from the create success callback, covering both the free and the paid pending-payment-intent paths, attaching the new org slug as the organization group. - Fire `project_creation_form_exposed` once the org and the create-project permission have resolved, so it anchors on the form being visible rather than the route loading. Project completion reuses the existing client-side success event, so no duplicate completion event was added. ## Notes I chose exposed → completed over exposed → submitted. The org slug only exists after the create API resolves, so the completion event is the only org-funnel event that can carry the organization group; a submit-time event cannot, which would break org-level segmentation. A pageview is not a sufficient exposure anchor either: pageview capture is off, and the manual pageview fires on route change before the form is interactive (pre-auth redirect, async permission load, the no-org redirect). The `completed` verb follows the repo's approved-verb list (`.claude/skills/telemetry-standards`); the repo previously migrated `branch_merge_succeeded` to `branch_merge_completed` for the same reason. ## Testing Tested on the preview deploy: - [x] `/dashboard/new` while signed in → `organization_creation_form_exposed` fires once. - [x] Create a free org → `organization_creation_completed` fires with the organization group set. - [x] `/dashboard/new/[slug]` with create permission → `project_creation_form_exposed` fires once with `surface=main` and the organization group. - [x] No event re-fires on re-render or tab refocus. Post-deploy: confirm in PostHog prod (project 34344) via HogQL that each event fires with the expected properties and the organization / project group set. ## Linear - fixes FE-3690 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added improved tracking for organization and project creation flows, including when forms are shown and when organization creation completes. * Captures creation metadata to support better reporting on onboarding and setup progress. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Pamela Chia
|
2d0bcd4714 |
feat(telemetry): classify funnel creation errors (#47293)
## Summary The KPI-3 friction dashboard needs to know *why* users hit errors on the signup, project-creation, and org-creation funnels, not just that they did. The existing `dashboard_error_created` event already fires for these paths (10% sampled, with `$pathname`), but carries no reason: ~98.5% of events have no `errorType` and no property carries an error message. This adds PII-safe classification computed client-side from a controlled vocabulary, so raw error text never leaves the browser. Validation errors (previously invisible, since they are inline form errors that never raise a toast) are now captured on invalid submit. ## Changes - Extend `dashboard_error_created` with `origin`, `errorCategory`, `errorReason`, `errorCode`, and a `form` source value - Add a pure, unit-tested classifier (`funnel-errors.ts`) and a 10%-sampled tracking hook (`use-track-funnel-error.ts`); the classifier maps errors to stable slugs and emits only slugs + HTTP status, never raw message text - Classify signup errors (API failures + validation) in `SignUpForm` - Classify project-creation errors (API failures, OrioleDB guard, validation) in the new-project wizard - Classify org-creation errors (API failures, payment/card declines, confirm-subscription, validation) in `NewOrgForm` ## Testing 13 unit tests cover every classifier branch (validation / api / network / payment, status-code handling, message-pattern matching, and fallbacks). To verify on the Vercel preview (events are 10% sampled; set the sample rate to 1 locally to observe each fire): - Signup with a weak but non-empty password: `origin=signup, source=form, errorCategory=validation, errorReason=password_invalid` - Signup with an already-registered email: `origin=signup, source=toast, errorCategory=api, errorReason=email_already_registered` - New project with an empty name: `origin=project_creation, source=form, errorReason=project_name_invalid` - New org with an empty name: `origin=org_creation, source=form, errorReason=org_name_missing` - New org with a declined test card: `origin=org_creation, errorCategory=payment` PII: raw `error.message` is never sent; only controlled slugs and HTTP status. Dashboard consumers must filter `origin IS NOT NULL` so these do not collide with the generic toast events the global tracker still emits. ## Linear - fixes FE-3691 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added improved, categorized telemetry for signup, project creation, and organization creation errors, including payment, subscription-change, and validation failures. * Extended dashboard error events with optional structured diagnostics (origin, category, reason, and optional error code) and support for form-origin reporting. * **Bug Fixes** * Improved project-creation handling to record a validation telemetry event when an Oriole image is unavailable. * Ensured payment-related and subscription-change failures are captured consistently alongside existing user toasts. * **Tests** * Added unit tests covering API/network/validation/Stripe error classification and reason mapping. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Jordi Enric
|
e0ba04caf4 |
feat(studio): migrate per-service log pages to OTEL endpoint behind a flag DEBUG-145 (#47264)
## Problem The legacy per-service log pages (postgres, auth, api, edge functions, storage, realtime, cron, etc.) and the single-log detail panel query the BigQuery-backed `logs.all` analytics endpoint. We are moving these reads onto the OTEL ClickHouse endpoint (`logs.all.otel`). ## Fix - Add `Logs.utils.otel.ts`: ClickHouse query builders (rows/count/chart/single) + row mappers that target the single `logs` table keyed by `source`, reading fields from the `log_attributes` map and aliasing columns to the leaf names the renderers expect. - Parameterize `buildWhereClauses` / `genWhereStatement` in `Logs.utils.ts` so the OTEL builders reuse the shared nested AND/OR filter grouping. Defaults keep the BigQuery behavior unchanged. - Gate `useLogsPreview` (rows, count, chart) and `useSingleLog` (detail) on the new `otelLegacyLogs` flag. BigQuery stays the default when the flag is off. - Extract the OTEL timestamp parser into `parseOtelTimestamp` (`otel-inspection.utils.ts`) and reuse it in `unified-logs-infinite-query.ts` (replaces an inline copy of the same logic; no behavior change). ## Dependencies None. Standalone, safe to merge on its own. Behind `otelLegacyLogs` (off by default), so no user-facing change. Part of DEBUG-145 (split from #47087). ## How to test - In staging, go to Legacy Logs. - All logs pages should work the same as before. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added OTEL-backed logs support for preview, count, chart, and single-log details when enabled. * **Bug Fixes** * Improved timestamp parsing/normalization for OTEL data to ensure correct display and pagination. * Enhanced filtering behavior, including safer handling of unknown filter keys and invalid values across OTEL queries. * Improved single-log result shaping to preserve expected API/database metadata in OTEL mode. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|
Chris Chinchilla
|
bce47daeea |
docs: Only build reference docs if feature is enabled (#47273)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Reference documentation generation now only includes feature-enabled SDK pages, so published docs better match what’s available. * Legacy SDK reference pages are now shown selectively based on enabled feature flags. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Gildas Garcia
|
f34aa108d5 |
chore: dead code cleanup (#47294)
## Problem There's still more unused code in the repository which slows down everything: - checkouts - tooling - probably builds (not sure how good turbopack is at handling this) ## Solution - remove old unused code - remove more recent code after checking git history to ensure it's not unfinished/ongoing work <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Removed several unused interface, onboarding, and helper components from the studio app. * Cleaned up outdated branching, integrations, query performance, support, and table/grid UI elements. * Removed a few unused utility hooks and key-mapping logic. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Joshen Lim
|
afe405962e |
Joshen/fe 3698 observability overview links to logs should use unified logs (#47295)
## Context Found some links pointing to the old logs pages. Should point to unified logs if unified logs have been enabled Also deprecates the old `ServiceStatus` file that's no longer used <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Updated observability “logs” links to open the correct view when unified logs are enabled, including service-specific filtering. * Fixed navigation from log views to correctly preserve query strings. * Refreshed project service status log links and health indicators to stay consistent with the latest unified logs behavior. * **Refactor** * Consolidated service status UI and related logic into the project home experience, replacing the prior shared implementation. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
pgburhan
|
8e2ce64c69 |
Add Burhan A to humans.txt (#47277)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES/NO ## What kind of change does this PR introduce? Bug fix, feature, docs update, ... ## What is the current behavior? Please link any relevant issues here. ## What is the new behavior? Feel free to include screenshots if it includes visual changes. ## Additional context Add any other context or screenshots. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated the site’s credits/team listing to include an additional team member name. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Alaister Young
|
6946ec2b2d |
build(studio): Next-compat shims (stack 2/6, from #46424) (#47110)
**Stack 2/6** of the TanStack Start migration (#46424). Stacked on **#47107** (S1) — review that first; this PR's diff is just the compat shims. > [!NOTE] > Purely additive. Next never imports these files — under TanStack they're wired in via Vite aliases (`next/*` → `@/compat/next/*`). No routes consume them yet (that begins in stack 3). ## What's in this PR `apps/studio/compat/next/*` — drop-in shims so the existing pages-router code runs unchanged under TanStack Start: - `link`, `router`, `navigation`, `head`, `image`, `legacy/image`, `script`, `dynamic`, `server`, `_router-events` — React/runtime shims over `@tanstack/react-router`. - `api.ts` — `toWebHandler`, which adapts a pages-router API handler `(req, res)` into a TanStack server-route Web `fetch` handler. ## Verification On top of S1: `studio` typecheck ✓, lint (0 errors) ✓. Next build is unaffected (nothing imports these under tsc). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added broad Next.js compatibility support for routing, links, dynamic imports, images, scripts, head metadata, navigation hooks, server responses, and API handlers. * Improved handling of redirects, pathname/search params, base paths, and event callbacks for smoother app behavior. * **Tests** * Added coverage for URL resolution and dynamic route interpolation to verify Next-style routing behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com> |
||
|
Gildas Garcia
|
1059b726ce |
use Admonition instead of deprecated NoticeBar (#47262)
## Problem The `NoticeBar` component is flagged as deprecated and should be replaced by `Admonition` ## Solution - Refactor `NoticeBar` usages to `Admonition` (no visual changes detected) - Delete `NoticeBar` You can see one easily in _Project Settings/Compute and Disks_ and opening the _Advanced disk settings_ collapsible section <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **UI Improvements** * Updated disk management alerts and guidance to use a newer, more consistent notification style. * Improved visibility of messages for pending disk changes, permission limits, AWS availability, and advanced disk requirements. * Refreshed the compute-size upgrade prompt with the same updated alert styling. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
Danny White
|
ef148b6504 |
fix(studio): org MFA enforcement toggle visibility and UX (DEPR-606) (#47285)
## What kind of change does this PR introduce? Bug fix. Resolves DEPR-606. ## What is the current behavior? On org Security settings, the MFA enforcement switch could appear on without a green track. Users without personal MFA saw a disabled toggle with a tooltip. ## What is the new behavior? - Switch checked state renders correctly (removed tooltip trigger from the switch). - Users who need personal MFA first see an admonition with a link to account security instead of a disabled toggle. I felt this was a better user experience and more straightforward than the alternative: fighting the TooltipTrigger’s `data-state` conflict with the Switch’s checked state. | Before | After | | --- | --- | | <img width="1024" height="563" alt="Security Organization Settings Toolshed Supabase-4413F7B1-C7DC-4958-8C6F-ADEFDE4F310C" src="https://github.com/user-attachments/assets/8c71b0d8-db49-4af5-874b-5372df03379d" /> | <img width="1024" height="563" alt="Security Organization Settings Toolshed Supabase-ADD5BC82-B433-4EA0-A6BB-874703150663" src="https://github.com/user-attachments/assets/3c6d3545-fd58-426b-afaf-edd8f7ac4789" /> | | <img width="1024" height="563" alt="Security Organization Settings Toolshed Supabase-F57ED4AA-5A56-4F6A-8F35-569CAC26AFA2" src="https://github.com/user-attachments/assets/2bc49f34-7819-49fa-ac32-7e59678041fd" /> | <img width="1024" height="563" alt="Security Organization Settings Toolshed Supabase-AA795D85-1C17-4C08-9ED1-BBF08C28F2B4" src="https://github.com/user-attachments/assets/db1822b0-17fc-42df-bdec-0935e46ab5ff" /> | | <img width="1024" height="563" alt="Security Organization Settings Toolshed Supabase-8D8A196F-FA27-4FD3-BC52-DB933E61D59A" src="https://github.com/user-attachments/assets/bae30a9e-eda9-4a97-845c-0c4751f03a05" /> | <img width="1024" height="563" alt="Security Organization Settings Toolshed Supabase-5BD4F063-B402-4E03-ACE4-254BB28C232C" src="https://github.com/user-attachments/assets/0a3c4d6b-2981-47e9-9679-56bfcd7faf5d" /> | ## Additional context Test on `/org/<slug>/security` in light mode with and without personal MFA enabled. Or just hardcode the ternaries to see the various states on local. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added clearer guidance for organization security settings when MFA must first be enabled on a personal account. * Improved loading behavior while member data is fetched. * **Bug Fixes** * Prevented the MFA enforcement form from showing until personal MFA requirements are met. * Refined the MFA toggle disabled logic to apply only when appropriate. * **UI Improvements** * Replaced the MFA tooltip with an in-page notice. * Updated the primary action button label from “Save changes” to “Save.” <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Joshen Lim <joshenlimek@gmail.com> |
||
|
Joshen Lim
|
9f7d300354 |
Check flags loaded before fetching region data (#47289)
## Context
Realised that we were calling both `useDefaultRegionQuery` and
`useOrganizationAvailableRegionsQuery` in the new project page.
`smartRegionEnabled` defaults to `false` at the beginning while the
flags are still being loaded, to this calls `useDefaultRegionQuery`. But
once the flags are loaded and `smartRegionEnabled` becomes `true`, then
the other hook is called
## Changes involved
- Checks that the flags are loaded first before calling either hooks to
prevent unnecessarily triggering both
- Adjust `defaultRegion` to remove hardcode
- Check smart region first, then default back to default specific region
- Renamed variables to be clearer:
- `autoDefaultRegion` (check based on location)
- `fixedDefaultRegion` (hardcoded in repo)
- Update `useEffect` on `regionError` to only reset the region value if
the default value is not undefined
- Also just a tiny nit to re-arrange to group the `useEffects` together
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Region selection now waits for feature flags to load before fetching
default and “smart” region options, preventing premature or incorrect
region choices.
* New project setup now updates the database region and smart
recommendations more consistently, with improved fallback behavior when
region lookup fails.
* AWS Nimbus default region is now environment-aware: non-prod uses
Southeast Asia, while prod uses East US.
* Default privilege settings now stay in sync more reliably during
setup, updating only when appropriate.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
