## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Add myself to humans.txt
## What is the current behavior?
My name is not in humans.txt
## What is the new behavior?
My name will be in humans.txt
## Additional context
None
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Added "David Whittington" to the public HUMANS team list in the
documentation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Tiny grammar followup
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Documentation
* Updated blog post with clearer explanations of Supabase Server
functionality and improved TypeScript usage examples.
* Enhanced environment variable guidance for local development and
platform configuration.
* Refined migration guidance with updated terminology and more
consistent phrasing throughout the post.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Converts ~27 `executeSql` call sites in `apps/studio/data/**` to build
SQL through `safeSql` / `ident` / `literal` / `keyword` /
`joinSqlFragments` instead of raw template-string interpolation.
- Tightens the `useDatabaseCronJobCreateMutation` and
`useDatabaseEventTriggerCreateMutation` `sql`/`query` parameter types
from `string` to `SafeSqlFragment` (callers already produce one).
- Updates `getDeleteEnumeratedTypeSQL` in `packages/pg-meta` to return
`SafeSqlFragment`.
- Fixes a bug noticed while testing where Queues integration does not
correctly handle queues with uppercase names.
## Pages to manually test
- Integrations > Cron Jobs
- Integrations > Queues
- Database > Triggers > Event Triggers
- Database > Indexes
- Reports > Query Performance
- Storage
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Queue lookups now correctly handle case-insensitive queue names.
* Queue table references are now properly managed and consistently
applied throughout the queue management interface.
* Improved queue name display normalization in the user interface.
* **Chores**
* Enhanced SQL query safety across the database layer through
parameterized query construction and safer templating approaches.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The connect button was missing its text
Before:
<img width="833" height="244" alt="Screenshot 2026-05-06 at 17 46 23"
src="https://github.com/user-attachments/assets/c03e972f-bef6-4bd7-8819-dd51509c58eb"
/>
After:
<img width="678" height="208" alt="Screenshot 2026-05-06 at 17 46 58"
src="https://github.com/user-attachments/assets/5b020017-133e-47c3-8138-925c27299665"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved screen reader accessibility in the Connect button by refining
how text visibility is handled based on button display mode.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
Clicking button does nothing. toggling back to enable shows error
related to pool size
## Solution
Fix the form validation schema
## How to test
- Go to Realtime Settings `/realtime/settings`
- Try disabling it
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Two-step save: clicking Save opens a confirmation before changes are
applied.
* Warning displayed when database pool size exceeds 50% of max
connections (max shown dynamically).
* **Improvements**
* Form adapts to suspended vs. active realtime states with fewer
required fields when suspended.
* Better field labeling and accessibility; form resets and consistent
feedback after successful updates.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
As per PR title - just updates the NoticeBanner component for TOS update
information
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a Terms of Service update notification banner to inform users
about recent policy changes.
* Notification includes a dialog/modal with full update details, links,
and effective date; it replaces the previous maintenance notification so
users receive clear, actionable information.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Adds a reusable `<LegalDocVersions />` component (dropdown below the
page header) that swaps the active legal doc version inline via shallow
query-param routing (`?version=v1`).
- Converts `/terms` and `/enterprise-terms` from MDX to TSX pages and
moves their content into versioned MDX under
`apps/www/data/legal/<doc>/v1.mdx`.
- Seeds `v2.mdx` for both docs as a copy of v1 with the effective date
bumped to 6 May 2026 — the actual v2 language edits from legal will land
in a follow-up commit.
## Behavior
- `/terms` and `/enterprise-terms` default to v2 (latest); search
engines and bare URLs always see the latest.
- `/terms?version=v1` (and equivalent for enterprise) renders v1.
- Selecting a version updates the URL via `router.replace({ shallow:
true })` — no full page reload, browser back/forward works.
- Selecting the latest version clears the `version` query param.
- Existing `/docs/company/terms → /terms` redirect still works.
`noindex/nofollow` preserved on `/enterprise-terms` (both via meta and
the existing header rule).
## Out of scope
- The 5 v2 provision edits per agreement (lands in a follow-up once
Legal hands over the final language).
- `/privacy` and other legal pages — those keep their current pattern.
Linear:
[FE-3121](https://linear.app/supabase/issue/FE-3121/update-legal-terms-pages-and-add-version-selector)
## Test plan
- [ ] Visit `/terms` — defaults to v2, dropdown shows "Version 2 — May
6, 2026" and "Version 1 — July 11, 2025"
- [ ] Visit `/terms?version=v1` — renders v1
- [ ] Select v1 from the dropdown — URL becomes `?version=v1`, content
swaps without full page reload (no document request in Network tab)
- [ ] Select v2 — URL drops the `version` param, latest renders
- [ ] Browser back/forward steps through prior selections
- [ ] Repeat the above on `/enterprise-terms`
- [ ] Confirm `/enterprise-terms` is still `noindex, nofollow`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Version selector and new Terms & Enterprise Terms pages allowing users
to switch between historical agreement versions.
* MDX-based legal documents now render as components for improved
content loading.
* **Documentation**
* Added v2 Terms and v2 Enterprise subscription agreements; v1 documents
adjusted and typography normalized for consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Tidying up the bottom panel in unified logs. Taking care of some visual
quirks etc. Also preparing this area to house some other future concepts
via tabs.
| Before | After |
|--------|--------|
| <img width="828" height="384" alt="Screenshot 2026-04-30 at 11 24 09"
src="https://github.com/user-attachments/assets/804bdf1c-7cdb-4dd8-bf1e-31c434ef1436"
/> | <img width="830" height="407" alt="Screenshot 2026-04-30 at 11 22
53"
src="https://github.com/user-attachments/assets/28555efe-f893-4bae-bcb0-284e6db733e6"
/> |
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Redesigned service flow panel with Overview and Raw JSON tabs
* Added Previous/Next navigation controls with Arrow Up/Down keyboard
support
* New detail components and section headers with icons for clearer
organization
* Improved Postgres detail view and message/session display
* **Bug Fixes / Changes**
* Removed legacy header UI and related controls
* **UI / Style**
* Enhanced copy-to-clipboard feedback animation
* Updated "Load more" button styling
* Adjusted panel sizing for improved resizing behavior
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ali Waseem <waseema393@gmail.com>
Prevents the AI assistant from helping with local git/filesystem
operations, and adds explicit warnings before irreversible database
operations (DROP TABLE, DELETE without WHERE, etc.).
Adds a `safetyScorer` and eval cases to cover these behaviours.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a Safety metric to evaluations so assistant responses are scored
for safe handling of destructive or risky requests
* Assistant guidance updated to refuse destructive local VCS/filesystem
actions and require clear warnings for irreversible database operations
* **Tests**
* Added evaluation cases covering safe refusals, clear warnings, and
correct handling of destructive or risky prompts
* **Chores**
* Enabled Safety metric in online evaluation manifests/handlers
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Adds a note explaining that skills install at **project scope by
default** (committed to git, shared with team and cloud agents) and that
`--global` installs across all projects
- Mentions `--all` for users who work across multiple AI agents
- Cross-links the [Supabase agent
plugin](/docs/guides/getting-started/plugins) from both the agent skills
and MCP docs for users who want the MCP server and skills in a single
install
Closes
[AI-672](https://linear.app/supabase/issue/AI-672/add-other-plugins-to-docs-with-clearer-project-vs-global-level)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated AI skills installation guide with detailed instructions for
project-scoped, global, and multi-agent installation options
* Enhanced MCP setup guide with recommendation to install the Supabase
agent plugin for streamlined configuration
* Added direct link to the skills npm package for improved resource
accessibility
* Refined compatibility information in AI skills guide
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Jeremias Menichelli <jmenichelli@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Clarified API key changes (new publishable/secret scheme, where to
obtain each, legacy keys valid through end of 2026) and updated many
getting-started tutorials with clearer setup, flow, and auth guidance.
* **New Features**
* Added/expanded profile photo/avatar upload and account integration
steps across multiple tutorials.
* **Guides**
* Added guidance on auth helper methods and when to use them.
* **Examples**
* Example app updated to use token claims for auth state.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Katerina Skroumpelou <mandarini@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Logo field now accepts/editable logo URL, plus a new storage-based
Logo Picker to select or remove images from project storage.
* Full storage picker: browse buckets, columns/list views, search,
drag‑and‑drop uploads, file previews (image/audio/video), and
single-file selection with responsive mobile/desktop layouts.
* **Refactor**
* Logo submission streamlined to send the provided URL directly (legacy
file-read/upload flow removed).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
We want to upgrade to react 19. However some libraries aren't compatible
with it. Besides, `next-mdx-remote` is now archived and not maintained
anymore.
## Solution
The [NextJS
documentation)[https://nextjs.org/docs/15/app/guides/mdx#remote-mdx]
suggest using
[`next-mdx-remote-client`](https://github.com/ipikuka/next-mdx-remote-client)
which was a fork of `next-mdx-remote`.
- [x] migrate `apps/www` from `next-mdx-remote` to
`next-mdx-remote-client`
- [x] migrate `apps/www` from `next-mdx-remote` to
`next-mdx-remote-client`
I haven't noticed any change in the pages.
When upgrading to react 19, we'll have to use v2 of
`next-mdx-remote-client`.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Switched MDX rendering/serialization to a newer client-focused
implementation across docs and site for improved compatibility.
* **Bug Fixes**
* Improved handling of serialization errors so MDX failures render clear
fallback messages instead of breaking pages.
* **Chores**
* Updated local environment template value for the public anonymous key.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## TL;DR
The edge function tester was sending service role tokens even when
anonymous was selected,
Fixed by moving the role context provider to wrap both the selector and
the submit handler
## sol:
| Before | After |
|--------|-------|
| <img width="589" alt="Service role JWT sent when Anonymous selected"
src="https://github.com/user-attachments/assets/f4072838-4031-4325-9fd6-7519e50bd080"
/> | <img width="471" alt="Anon JWT correctly sent when Anonymous
selected"
src="https://github.com/user-attachments/assets/86160946-398e-456e-9585-66e3e49f16ed"
/> |
| Selecting "Anonymous" had no effect, always sent `service_role` |
Selecting "Anonymous" correctly sends it now |
## ref:
- Closes https://github.com/supabase/supabase/issues/45619
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Internal code structure improvements to enhance maintainability and
component organization.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
The dashboard renders all timestamps in the browser's local timezone.
When debugging app issues, users often want to see logs and timestamps
in a different timezone (e.g. their app's deployment region) without
changing their OS clock.
## Fix
- New Timezone submenu in the user-avatar dropdown, sitting next to the
existing Theme picker. Search-as-you-type combobox over the full IANA
catalog plus an Auto detect option.
- Selection persists in localStorage (`supabase-ui-timezone`) and
survives `clearLocalStorage()`. No backend schema change.
- New `lib/datetime.tsx` exposes pure timezone-aware formatters
(`formatDateTime`, `formatDate`, `formatTime`, `formatFromNow`,
`toTimezone`) plus a `TimezoneProvider` and matching React hooks
(`useTimezone`, `useFormatDateTime`, ...). The pure functions take `tz`
explicitly so they're easy to unit test (17 vitest cases covering DST
transitions, multi-tz formatting, unix-micro/Date inputs, invalid-tz
fallback).
- The selected timezone propagates to every existing `<TimestampInfo>`
in Studio via a new `TimestampInfoProvider` context exported from
`ui-patterns`. No per-callsite changes needed for those ~20+ surfaces.
- The `UnifiedLogs` date column migrates off `date-fns` to the new
`useFormatDateTime` hook (the rest of the date-fns callers stay as-is,
since they're either internal range math or non-display).
- `ALL_TIMEZONES` (~600 entries) moves out of `PITR.constants.ts` into a
shared `lib/constants/timezones.ts`. PITR keeps a re-export shim so its
callers don't move. New `TIMEZONES_BY_IANA` dedupes the catalog by
primary IANA name (the original list contains both PDT and PST rows for
`America/Los_Angeles`, etc.) and `findTimezoneByIana` provides reverse
lookup.
- Telemetry: `timezone_picker_clicked` PostHog event with
`previousTimezone`, `nextTimezone`, `isAutoDetected` properties.
Notes for reviewers:
- Bare `dayjs(x).format(...)` calls (~157 files) intentionally still
render in browser-local time. Surfaces opt in by switching to the new
wrappers, so this PR is the abstraction plus logs adoption; broader
migration is a follow-up.
- Two `// prettier-ignore` lines (`apps/studio/pages/_app.tsx`,
`apps/studio/components/interfaces/UnifiedLogs/UnifiedLogs.fields.tsx`)
work around a pre-existing local-tooling issue where
`prettier-plugin-sql-cst` strips angle-bracket type arguments under
certain conditions. Project's pinned prettier (3.8.1) does not strip;
the issue surfaces with a globally-installed prettier. Worth tracking
separately.
- Hydration: `guessLocalTimezone()` and `useLocalStorageQuery` are
client-only. Studio is mostly CSR via the Pages Router, but any SSR'd
`<TimestampInfo>` may briefly render in the server's tz before client
hydration. Existing behavior already had this mismatch with `.local()`;
this PR does not regress it.
- Backend timestamps round-tripped through query params and mutations
stay UTC. The picker is display-only.
## How to test
- Run `pnpm dev:studio`, sign in.
- Open the user avatar dropdown (top right). Hover Timezone.
- Search for "tokyo", pick `(UTC+09:00) Osaka, Sapporo, Tokyo`.
- Open any project, navigate to Logs (e.g. `Project > Logs > Edge
Functions`). Hover a log row's timestamp; the popover should show UTC,
the chosen tz (`Asia/Tokyo`), and the relative time. Visible cell text
should be in JST.
- Visit any page that uses `<TimestampInfo>` (Database > Backups,
Project Pause state, Edge Function details). Same tooltip should reflect
Asia/Tokyo.
- Refresh the page; timezone is still Asia/Tokyo.
- Reopen the picker, choose Auto detect; timestamps revert to browser
local.
- Run `pnpm --filter studio test lib/datetime.test.ts`. 17 tests should
pass.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Timezone selector added to the user menu with auto-detect and manual
override
* App-wide timezone provider and hooks plus a shared timezone catalog
for consistent timezone-aware display
* Timestamp components accept an optional timezone prop and respect user
preference (persisted)
* **Bug Fixes / Improvements**
* Logs and timestamp displays now use the new timezone formatting hooks
* **Tests**
* Added comprehensive datetime and timezone catalog tests
* **Telemetry**
* Telemetry event added for timezone picker interactions
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
Two visual regressions surfaced after the Tailwind v4 migration
(#45318):
1. The Postgres upgrade-failed banner used the deprecated `Alert`
component, whose `warning` variant relies on custom `amber-1100` /
`amber-1200` color tokens that no longer resolve. The title rendered as
near-white on the yellow background.
2. The sonner toast close button forced `bg-transparent!
hover:bg-transparent!`, letting the library's default translucent circle
bleed through against the toast's overlay background on hover.
## Fix
- Migrate `ProjectUpgradeFailedBanner` to `Admonition` (the recommended
replacement per the deprecation note on `Alert`), which uses semantic
`warning-*` tokens defined in the theme.
- Drop the transparent-bg overrides on the sonner close button and give
it a proper `hover:bg-surface-200` with a fixed `size-6` hit area so the
X has a clean hover target.
## Before
<img width="2940" height="338" alt="image"
src="https://github.com/user-attachments/assets/2cf2cf52-cdf2-429d-b50c-5dc4e5b9c84b"
/>
## After
<img width="1642" height="506" alt="CleanShot 2026-05-06 at 11 14 03@2x"
src="https://github.com/user-attachments/assets/b6c9b3e2-9d3e-437d-92a6-95d12730e842"
/>
## Testing
- [ ] Trigger a failed Postgres upgrade state and confirm the banner
title/description/actions are all readable on the amber background.
- [ ] Fire a toast and hover the close button — the hover should show a
subtle square background, not a translucent circle.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fix**
* Project upgrade failure banner now only appears when an upgrade has
failed and no longer supports dismissing.
* **Style**
* Replaced the warning banner UI with a streamlined admonition that
shows only a “Contact support” action.
* Improved toast close-button styling for clearer sizing, color, and
interaction states.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated core SDK dependencies to latest compatible versions for
improved system stability and security.
* Enhanced workspace dependency configuration management by expanding
and reorganizing package constraints to optimize compatibility across
all modules and reduce potential build conflicts.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update to add additional guidance when Edge Functions service shows
unhealthy.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added troubleshooting guide for Edge Functions unhealthy state,
including steps to verify functions, check invocation logs, and
potential solutions for resolving the issue.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
The new-logs counter badge on the Logs refresh button became hard to
read. The number rendered as 0.6rem white text positioned absolutely
over two stacked semi-transparent green circles (`bg-green-800
opacity-60` ping plus `bg-green-900 opacity-80` solid). After the
Tailwind v4 upgrade shifted the default palette to OKLCH, the greens
rendered darker and the digit was nearly invisible.
## Fix
Replace the stacked opacity layers with a single solid `bg-brand-500`
pill, with a sized container (`h-4 min-w-4`), centered `text-[10px]
text-white`, and the ping animation rendered behind it instead of
layered on top. Same change applied to both `PreviewFilterPanel` and
`PreviewFilterPanelWithUniversal`.
## Before
<img width="274" height="194" alt="CleanShot 2026-05-05 at 13 55 53@2x"
src="https://github.com/user-attachments/assets/a5967091-b60f-42a9-9394-890c41df544c"
/>
## After
<img width="384" height="198" alt="CleanShot 2026-05-05 at 13 57 22@2x"
src="https://github.com/user-attachments/assets/30c440ce-f46f-4fda-8b96-08b068552da2"
/>
## How to test
- Open Studio and navigate to any Logs page (e.g. Logs > API Gateway).
- Wait for new log events to arrive, or trigger some traffic against the
project.
- Look at the refresh icon button in the filter bar.
- Expected result: the green badge in the top-right of the refresh icon
shows the new-event count clearly readable in white text, with a subtle
ping animation behind it.
- Verify counts in the 1, 10, 100, and 1000+ ranges (the 1000+ formats
as e.g. `1.2K`).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Refined the "new logs" count badge: simplified markup, adjusted
positioning, color and opacity for a cleaner look.
* Updated refresh button badge to a brand-colored design with an
animated ping ring; count formatting and visibility rules (including
K-format for >1000) remain unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Added myself to humans.txt
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Doc update
## What is the current behavior?
N/A
## What is the new behavior?
N/A
## Additional context
Add any other context or screenshots.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated contributor information in team documentation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What kind of change does this PR introduce?
docs update
## What is the current behavior?
Current docs using `authType`
## What is the new behavior?
Using new `authMode` syntax
## Summary
- Adds a new `/guides/getting-started/plugins` docs page with an
`AgentPluginsPanel` component
- Per-client install instructions for Claude Code, Codex, Cursor, and
Gemini CLI
- Adds the page to the navigation under AI Tools
- Removes the Claude Code plugin subsection from the AI Skills page (now
covered here)
Closes
[AI-690](https://linear.app/supabase/issue/AI-690/agent-plugins-documentation)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Interactive plugin installation panel to choose from multiple AI
coding agents with agent-specific setup instructions and quick links for
help/feedback.
* **Documentation**
* New "Supabase Agent Plugin" guide describing features, included
components, and one‑click installation UI.
* Navigation updated to include the Supabase Agent Plugin guide under
Getting Started → AI Tools.
* AI skills guide streamlined by removing a specific plugin install
snippet and clarifying agent compatibility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## What changed
Adds a **matrix (table) view** toggle to `supabase.com/features`
alongside the existing card grid. The new view surfaces feature stage
and self-hosted availability at a glance — the same information
previously shown on the now-deprecated
`docs/guides/getting-started/features` page — but richer and integrated
into the live features page.
Also adds `products` and `stage` badges on feature cards in gallery view.
https://github.com/user-attachments/assets/9214204b-85e7-4ad4-acfe-b39970a928af
## What kind of change does this PR introduce?
UI polish.
## What is the current behavior?
- A few product sidebar areas render menu rows outside the shared
ProductMenu/Menu.Item styling path, so their hover and selected states
differ from the rest of Studio.
- Database product menu shortcut tooltips are also scoped to the text
label instead of the full hoverable row.
## What is the new behavior?
- Integrations Explore/Installed, Observability, and Reports sidebar
rows now use the shared ProductMenu or Menu.Item pill styling.
- Observability spacing is tightened after the ProductMenu conversion.
- Product menu shortcut tooltips now wrap the full row trigger, so the
entire Database sidebar row opens the tooltip.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Enhanced navigation menu components with improved loading and error
state handling across the dashboard.
* Streamlined menu structure and styling consistency for integrations,
reports, and observability sections.
* Added enhanced tooltip support for navigation items.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
As per PR title - for consistency
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Updated contact email addresses from supabase.io to supabase.com for
Legal, Privacy, Abuse & Acceptable Use, Security, and Grievance Officer
channels.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Consolidate Table Editor grid header actions into a single row
https://github.com/user-attachments/assets/1020c385-8fa9-4ef1-b5e7-03983111508b
## Changes involved
- Index advisor, Realtime, and API docs are now behind a dropdown menu
button (Treated as secondary actions)
- Grid header actions shifted into the same row as filter bar (more
space for data grid)
- Header actions will hide while filter bar is in focus (remove
distractions, more space for filter bar)
## Changes to filter bar
- Filter bar will refocus when deleting a filter
- Clicking on the search icon will focus on the free form input of the
filter bar
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a “More” dropdown in grid actions to access Realtime, API docs,
and Index Advisor.
* New dialogs for enabling Index Advisor and toggling Realtime are now
consistently managed.
* **Improvements**
* Improved filter focus handling with auto-refocus when conditions
change and responsive header behavior.
* Adjusted popover alignment, separator visuals,
header/footer/pagination layout and sizing.
* Filter bar now supports programmatic focus; Connect button supports
icon-only mode.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Gildas Garcia <1122076+djhi@users.noreply.github.com>
## Summary
- Adds a hover-revealed expand button to SQL result cells whose value is
unlikely to fit on one line (objects, arrays, strings >60 chars, or
strings with newlines). Clicking opens the existing `CellDetailPanel`
for that cell.
- Switches the expand state from a boolean tied to the selected cell to
a direct `{ column, value }` reference, so the context menu and the new
button both target the right-clicked / clicked cell.
- Extracts the per-cell renderer into its own `ResultCell` component to
keep `Results.tsx` digestible and the new affordance isolated.
- Covers the new logic with exhaustive `isLargeValue` unit tests and a
`ResultCell` component test (visibility, click, right-click).
Linear: [FE-3130](https://linear.app/supabase/issue/FE-3130)
## Test plan
- [x] Run a SQL query that returns mixed cell types (short strings, long
strings, JSON objects, arrays, nulls) and confirm the expand button
appears only on cells where content is likely truncated.
- [x] Hover a large cell and click the expand button — `CellDetailPanel`
opens with the correct column + value.
- [x] Right-click a large cell and choose "View cell content" — same
panel opens with the right cell.
- [x] Right-click a small cell and "Copy cell content" — clipboard
contains the raw value.
- [x] Resize a column wider than its content and confirm the button
still positions correctly.
- [x] `pnpm vitest` for `Results.utils.test.ts`, `Results.test.tsx`,
`ResultCell.test.tsx` — all green.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Enhanced SQL result cells with automatic detection and expansion
functionality for large values (exceeding 60 characters or containing
line breaks)
* Added expand button to view full cell content directly in results
* Integrated right-click context menu for cell content options
* Improved display of null values in query results
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Feature
## What is the current behavior?
`/go` page form submissions can be routed to HubSpot and Customer.io,
but there's no way to send the same data to a Notion database.
Partnerships needs Notion as a third destination.
Relates to
[DEBR-265](https://linear.app/supabase/issue/DEBR-265/notion-database-for-go-pages).
## What is the new behavior?
Adds a `notion` provider alongside `hubspot` and `customerio` in the
form CRM config. Each page can now declare:
```ts
notion: {
database_id: '21b5004b775f8058872fe8fa81e2c7ac',
columnMap: { email_address: 'email', first_name: 'first_name' },
staticProperties: { source: 'Website Go Page' },
}
```
A new `NotionClient` fetches the target database schema once per
submission to auto-detect each column's property type (`title`,
`rich_text`, `email`, `number`, `select`, etc.) so the config stays a
plain string→string map. Unknown columns are silently skipped. The
submit action reads `NOTION_API_KEY` from env and dispatches in parallel
with the existing providers.
## Additional context
- New env var required on Vercel: `NOTION_API_KEY` (a Notion internal
integration token with write access to the target database).
- Simplified `CRMConfig` from a discriminated-union-of-all-combinations
to a plain object with optional providers; the "at least one provider"
invariant still lives in the Zod schema refinement. This avoided a 2^3 -
1 = 7 member union and a generic `CRMClient<T>` whose call site was
already casting to `any`.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added Notion as a CRM provider for form submissions with schema-backed
mapping, validation, and automatic creation of Notion database pages.
* Exposed a typed Notion form config for configuration and validation;
example lead-gen form includes a Notion mapping.
* **Bug Fixes / Improvements**
* Simplified CRM option handling and made submission behavior clearer.
* HubSpot submissions now URI-encode identifiers to avoid endpoint
errors.
* Improved Notion request handling, caching, and error reporting; Notion
sends in parallel when configured.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Refactor / security improvement
## What is the current behavior?
SQL fragments across Studio are built from plain `string` values with no
type-level distinction between developer-authored SQL, DB-sourced
identifiers, and user-typed or externally-influenced content.
## What is the new behavior?
Extends the safe SQL model to additional Studio interfaces, using
`SafeSqlFragment`, `safeSql`, `ident()`, `literal()`, `untrustedSql()`,
and `acceptUntrustedSql()` from `@supabase/pg-meta/src/pg-format`:
- **Policy editor**: template constants typed as `SafeSqlFragment` via
`safeSql` tagged literals; Monaco editor `onInputChange` emits
`untrustedSql()`; `acceptUntrustedSql()` called only at the Save
gesture; roles selector emits a composed `SafeSqlFragment` via `ident()`
+ `joinSqlFragments()`
- **Auth hooks**: grant/revoke SQL statements use `ident()` for schema
and function names
- **Docs description editor**: `COMMENT ON` queries use `ident()` and
`literal()` for table/column/function names and values
- **Cron jobs**: `cron.schedule()` call and HTTP request builder use
`literal()` for all user-provided values
- **GraphQL linter CTA**: `REVOKE` statement uses `ident()` for schema,
table, and role
- **Storage public bucket warning**: `DROP POLICY` uses `ident()` for
policy name
- **View security autofix modal**: `ALTER VIEW` uses `ident()` for
schema and view name
- **API settings**: `CREATE SCHEMA` mutation uses `safeSql` tagged
literal
- **Database event trigger delete**: `DROP EVENT TRIGGER` uses `ident()`
for trigger name
- **Database queues query**: queue list query uses `safeSql` tagged
literal
- **Role impersonation**: function invocation SQL uses `ident()` and
`literal()`
## Manual testing checklist
- Authentication > Policies
- Authentication > Hooks
- Integrations > Queues
- Database > Event Triggers
- Integrations > Cron Jobs
- Table Editor > View entity security autofix
- API Settings > expose schema
- Linter > GraphQL exposure CTA
- Docs > table/column description editor
- Role impersonation (user impersonation panel)
## Additional context
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Replaced ad-hoc SQL string building with a safer, fragment-based SQL
construction across auth, policies, integrations, storage, and DB
operations to improve SQL safety while preserving behavior.
* **Bug Fixes / UX**
* Policy editor and code editor now propagate role and input changes
more reliably, improving editor responsiveness and policy handling
without UI changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Adds `breadcrumbListSchema(items)` helper to `apps/www/lib/json-ld.ts`
and a hand-curated `apps/www/lib/breadcrumbs.ts` route map.
- Wires inline `<script type="application/ld+json">` BreadcrumbList
blocks into 18 marketing surfaces: blog (index + slug), customers (index
+ slug), events (index + slug), 5 product pages (database, auth,
storage, edge-functions, realtime), 3 modules (vector, cron, queues),
pricing, careers, company, features.
- Pages router callers wrap the script in `<Head>`; app router callers
place it directly in JSX. Dynamic surfaces append a leaf at render time
using the page's title (`frontmatter.title` for blog, `meta_title ??
title` for customers, `event.meta_title ?? event.title` for events).
- Modules sit at `Home > {Name}` since no `/modules` index page exists;
products sit at `Home > {Product}` (no shared products parent). Absolute
`https://supabase.com` URLs match the existing `CANONICAL_ORIGIN`
convention so anchors stay stable across Vercel previews.
Linear:
[GROWTH-822](https://linear.app/supabase/issue/GROWTH-822/add-breadcrumblist-json-ld-to-www-marketing-surfaces)
(sub-issue under
[GROWTH-724](https://linear.app/supabase/issue/GROWTH-724)).
> **Note on branch name:** the branch is
`pamela/growth-820-www-breadcrumb-jsonld`; the actual Linear issue is
GROWTH-822. The branch was named before the sub-issue was created.
Ignore the `820` in the branch.
Explicitly deferred (separate PRs / low SEO ROI): `/launch-week/*`,
`/solutions/*`, `/partners/*`, `/alternatives/*`, `/changelog`,
`/legal/dpa`, `/aws-reinvent-2025`, `/wrapped`, `/contribute/*`,
`/brand-assets`, `/ga`, `/ga-week`, `/state-of-startups*`, and the
homepage (Organization + WebSite already cover homepage entity signals;
single-item BreadcrumbList is ignored by Google).
## Test plan
- [x] On the Vercel preview, `curl -s https://<preview>/database | grep
'"BreadcrumbList"'` returns the script block with `Home > Database`.
- [x] `curl -s https://<preview>/blog/<recent-slug> | grep
'"BreadcrumbList"'` returns `Home > Blog > {post title}`.
- [x] `curl -s https://<preview>/customers/<slug> | grep
'"BreadcrumbList"'` returns `Home > Customer Stories > {customer
title}`.
- [x] `curl -s https://<preview>/events/<slug> | grep
'"BreadcrumbList"'` returns `Home > Events > {event title}`.
- [x] `curl -s https://<preview>/modules/vector | grep
'"BreadcrumbList"'` returns `Home > Vector`.
## Summary
Adds a contextual `D + <letter>` chord pattern for jumping between
Database sub-pages, mounted only while `DatabaseLayout` is active.
Establishes the pattern we can repeat for other sections (Auth, Storage,
Functions, etc.).
Linear:
[FE-3140](https://linear.app/supabase/issue/FE-3140/define-subnavigation-pattern-for-database-management-page)
## Pattern
- Chords are 2-key sequences (`D`, `<letter>`) — no global leader, no
`G` prefix.
- Registration is contextual: `<DatabaseNavShortcuts />` lives inside
`DatabaseLayout`, so the leading `D` is only "owned" while the user is
under `/project/<ref>/database/*`. Doesn't burn a global key.
- Hover tooltips on each sub-menu item show the chord, anchored to the
label text (Linear-style). Powered by `<ShortcutTooltip>` already used
in the main nav.
- Items hidden by feature flags (Roles, Column Privileges, Replication)
auto-disable the chord — no muscle-memory navigating to a 404.
## Shortcuts added
| Sub-page | Chord | Notes |
|---|---|---|
| Tables | `D T` | |
| Functions | `D F` | |
| Triggers | `D R` | t**R**iggers — `T` taken by Tables |
| Indexes | `D I` | |
| Extensions | `D X` | e**X**tensions |
| Schema Visualizer | `D V` | |
| Enumerated Types | `D E` | |
| Publications | `D U` | p**U**blications — avoids collision with Schema
Visualizer's `D P` (Download as PNG) |
| Column Privileges | `D C` | flag-gated |
| Settings | `D ,` | mirrors global `G ,` for project settings — avoids
collision with Schema Visualizer's `D S` (Download as SVG) |
| Replication | `D L` | rep**L**ication — flag-gated |
| Roles | `D O` | r**O**les — flag-gated |
| Backups | `D B` | platform-only |
| Migrations | `D M` | |
External-link sub-menu items (Policies, Wrappers, Webhooks, Security
Advisor, Performance Advisor, Query Performance) are intentionally not
chorded — they route out of `/database/*` and don't belong to the
section's namespace.
## Collision audit
Other shortcuts active on database pages (table-list, schema-visualizer)
were checked against the new chords:
- **Schema Visualizer** (`/database/schemas`): `D P` (Download PNG), `D
S` (Download SVG), `O A`, `O S`. Publications and Settings were remapped
to `D U` and `D ,` to avoid the `D P` / `D S` clashes.
- **List pages** (`/database/tables`, etc.): `Shift+F`, `Shift+N`, `O
S`, `F C` — no overlap with `D + <letter>`.
## Files
- `state/shortcuts/registry/database-nav.ts` — new registry module with
the 14 chord definitions.
- `state/shortcuts/registry.ts` — spreads the new IDs/definitions into
the canonical registry.
- `components/interfaces/DatabaseNavShortcuts.tsx` — null-rendering hook
component that wires `useShortcut` for each chord, keyed off
`useGenerateDatabaseMenu` so URLs and feature gating stay in sync with
the sidebar.
- `components/layouts/DatabaseLayout/DatabaseLayout.tsx` — mounts the
component.
- `components/layouts/DatabaseLayout/DatabaseMenu.utils.tsx` — tags each
menu item with its `shortcutId`.
- `components/ui/ProductMenu/ProductMenu.types.ts` — adds optional
`shortcutId?: ShortcutId` field.
- `components/ui/ProductMenu/ProductMenuItem.tsx` — renders the hover
tooltip when an item has a `shortcutId`, anchored to the label span.
## Test plan
- [ ] On `/project/<ref>/database/tables`, press `D F` — navigates to
`/database/functions`.
- [ ] On `/project/<ref>/database/schemas`, press `D P` — downloads the
PNG (Schema Visualizer wins, no nav conflict).
- [ ] On `/project/<ref>/database/schemas`, press `D U` — navigates to
`/database/publications`.
- [ ] On `/project/<ref>/database/tables`, press `D ,` — navigates to
`/database/settings`.
- [ ] Hover any sub-menu item with a chord — pill appears next to the
label after ~1s.
- [ ] On a project with the Replication flag off — `D L` does nothing.
- [ ] Navigate to `/auth` — pressing `D F` does nothing (chord unmounts
with the layout).
- [ ] Type `D` then `F` slowly inside an input — does not navigate
(input-focus guard).
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
update docs on Realtime Postgres Changes + Authorization interaction
## What is the current behavior?
It can be misleading to say `The `private` Channel option does not apply
to Postgres Changes.` As Postgres Changes can happen under a private
channel.
## What is the new behavior?
Fix docs
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated the authorization guide to clarify how Postgres Changes
interact with Channel authorization, including RLS policy enforcement
and channel type compatibility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
New blog post
## What is the current behavior?
N/A
## What is the new behavior?
Adds a new blog post explaining when to use Supabase Realtime vs
Supabase ETL, covering delivery guarantees, destinations, scale
characteristics, and common mistakes.
## Additional context
N/A
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a comprehensive blog post comparing Supabase Realtime and ETL,
covering technical differences, delivery guarantees, use cases, and best
practices to help users select the appropriate tool for their data
integration needs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ana <ana1337x@users.noreply.github.com>
djwhitt