mirror of
https://github.com/supabase/supabase.git
synced 2026-07-07 19:57:06 -04:00
create-pull-request/patch
645 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
cabe14e5ca |
chore: remove _Shadcn_ suffix from ui tabs components (#47628)
## Problem Now that we migrated all usages of the deprecated `Tabs` component, we don't need the `_Shadcn_` suffix anymore. ## Solution Remove `_Shadcn_` suffix from `ui` tabs components. That's all this PR does, no visual nor functional changes <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Standardized tab components across the app so pages and dialogs now use the same consistent tab UI. * Improved tab-based views in design, docs, studio, learn, and website experiences for a more uniform interface. * **Chores** * Updated shared UI exports to expose tab components directly, simplifying future usage across the product. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
804475fd3a |
fix: redirect urls (#47487)
## TL;DR fixes redirect url normalization.. ## PS: | Before | After | | --- | --- | | Broken: whitespace could make the same redirect URL appear as a separate entry and break delete behavior | Fixed: equivalent redirect URLs are normalized consistently, so display, save, and delete behavior stay in sync | | <img width="800" height="274" alt="Before redirect URLs behavior" src="https://github.com/user-attachments/assets/47dbb1ca-7c7d-482b-a67e-08c2eb2cd030" /> |  | ## ref: - closes https://github.com/supabase/supabase/issues/47478 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved redirect URL handling so saved and displayed URLs are consistently trimmed, normalized, deduplicated, and parsed from comma-separated allow lists. * Tightened redirect URL validation to better catch invalid formats and prevent duplicates both against the existing allow list and within a new submission. * Fixed redirect URL deletion to remove the exact set of URLs confirmed by the user. * **Tests** * Added/updated tests to cover redirect URL normalization and parsing behavior for stored comma-separated allow lists. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1de298ff31 |
Reinstate https://github.com/supabase/supabase/pull/45143 into latest master (#47433)
## Context Previous PR was [here](https://github.com/supabase/supabase/pull/45143) but it got stale with lots of conflicts so figured it'll be easier redo it off the latest master Moves policies page from Auth to Database under an Access Control section along with Roles. This moves all existing files, applies redirects, and updates urls to point to the new route <img width="274" height="412" alt="image" src="https://github.com/user-attachments/assets/7952c185-64ae-4355-ba36-45397efe1787" /> <img width="453" height="471" alt="image" src="https://github.com/user-attachments/assets/04b3dcb3-48a5-4049-9893-d01109fb46a9" /> ## To test - [ ] Verify that policies now live under Database correctly <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a quick navigation shortcut to open **Database > Policies (RLS)**. * **Bug Fixes** * Updated Policies and RLS-related links across the product to open the **Database policies** area (menus, command palette, context actions, alerts, and link-outs). * Added a permanent redirect from the old **auth policies** URL to the new **database policies** URL. * **Documentation** * Updated RLS Dashboard and security checklist instructions to reference **Database > Policies**. * **Tests** * Adjusted automated tests to validate the new Policies route. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
b30db91d71 |
chore: cleanup UI patterns exports (#47406)
## Problem We now export components under a subpath in ui-patterns to avoid barrel files as they slow down every tools (from IDE to linters, etc.) and may also affect bundles our users have to download. ## Solution - Remove the UI patterns index file - Fix invalid impors |
||
|
|
3acc53cca3 |
chore(studio): minor database UI polish (#47356)
## What kind of change does this PR introduce? Chore ## What is the current behavior? - Add-column uses implicit button styling - Replication row tooltip says "Open in Table Editor" ## What is the new behavior? - Add-column explicitly uses `variant="default"` - Auth Users explicitly uses `variant="default"` - Replication row tooltip says "Table Editor" --------- Co-authored-by: Cursor <cursoragent@cursor.com> |
||
|
|
fd85c81e6c |
chore: Bump all rate limits in Auth to match the API (#47405)
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Increased the allowed maximum values for rate-limit settings, enabling much larger numeric inputs. * Updated validation messages so error text matches the new limits and time-window wording. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
c6fc456910 |
chore: cleanup duplicate exports studio (#47387)
## Problem Knip reports many duplicate exports (both named and default). Besides, we're moving away from default exports and even have an eslint rule to enforce it on new code. ## Solution - Cleanup those exports - Update imports when necessary No functional changes. If it builds, it's fine |
||
|
|
8192d97008 |
feat: surface send-email hook status in template UI and hook deletion dialog (#46319)
## What kind of change does this PR introduce? Feature. Implements [AUTH-1215](https://linear.app/supabase/issue/AUTH-1215/improve-studio-ui-when-send-email-hook-is-active-or-deleted). Follow-up to #45396. ## What is the current behavior? When a send-email hook is configured, email templates are bypassed entirely. Auth passes event metadata to the hook, not rendered HTML. The template list and editor give no indication of this. Deleting the send-email hook silently reverts Auth to using email templates with no warning. For post-cutoff Free plan projects without custom SMTP, this also locks template editing. ## What is the new behavior? ### Admonition when send-email hook is active A new `SendEmailHookActiveAdmonition` is shown on both the template list and individual template editor pages when `HOOK_SEND_EMAIL_ENABLED` and `HOOK_SEND_EMAIL_URI` are set: > **Email templates are not used** > A Send Email hook is active. Event metadata is passed directly to your hook, meaning these templates are bypassed entirely. With a **Manage hook** link to the hooks page. ### AlertDialog for Send Email hook deletion Deleting the Send Email hook now uses a dedicated `DeleteSendEmailHookConfirmationDialog`: - **Always:** "The {default or built-in} email templates will be used to send auth emails." - **Post-cutoff Free plan, no custom SMTP:** adds "Email templates cannot be edited on the Free plan without custom SMTP." The dialog stays open with a loading state while the deletion is in-flight and closes on success. | After | | --- | | <img width="1862" height="880" alt="CleanShot 2026-05-25 at 15 57 41@2x" src="https://github.com/user-attachments/assets/8a441bb2-9112-4b19-bd0b-02c9d1989ec1" /> | | <img width="884" height="578" alt="CleanShot 2026-05-25 at 15 57 21@2x" src="https://github.com/user-attachments/assets/44e5bd79-2bd9-44ee-8f53-5fdaeefd68c6" /> | <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a Send Email hook warning in the template editor with “Manage hook” and “Learn more” links. * **UI Improvements** * Refined template editor alerts to reflect when templates are bypassed vs blocked. * Updated hook cards/actions to a dropdown with separate Edit and Delete flows, including documentation links. * **Bug Fixes** * Improved template editor and hook deletion flows to better reflect pending states and current authentication configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> Co-authored-by: Cursor <cursoragent@cursor.com> |
||
|
|
d46a9c43fd |
feat(Auth/EmailTemplates): Add SiteURL variable for notifications (#46393)
This will make email templates more consistent and may be merged after https://github.com/supabase/auth/pull/2532 is deployed. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Authentication notification emails now include access to site URL references. This enhancement applies to multiple notification types: password change alerts, email change confirmations, phone number change notifications, identity linking and unlinking events, and multi-factor authentication enrollment and unenrollment notifications. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46393?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Chris Stockton <chris.stockton@supabase.io> |
||
|
|
32d1bdd534 |
fix(studio): reduce doc link density in auth email template builder (#47250)
## I have read the CONTRIBUTING.md file. YES ## What kind of change does this PR introduce? - Studio UI update (auth email template builder) - Docs update (hosted email templates guide + local dev cross-link) Closes DOCS-1086. ## What is the current behavior? - Linear item: Reduce link density in the template builder UI - Page header shows a **Terminology** link and **Docs** button (local development guide) - Template variables footer shows **Terminology** · **Local development** - Local development editing is only mentioned in one sentence on the hosted docs page; easy to miss once Studio no longer links there directly ## What is the new behavior? - Page header: **Docs** button only → `/guides/auth/auth-email-templates` - Template variables: single **Terminology** link → `#terminology` (variable pills still have hover tooltips) - Hosted docs: **Editing email templates** split into hosted vs local/self-hosted, with a callout linking to the local development guide - Local dev guide: opening paragraph links back to the hosted guide for shared terminology and patterns ### Proof: Template builder has fewer outbound doc links | Before | After | |--------|-------| | Header Terminology + Docs (local dev guide); footer Terminology · Local development <img width="1440" height="1100" alt="image" src="https://github.com/user-attachments/assets/3325f43b-5830-4b85-ba56-2ba4c5b04bcd" /> | Docs button only (hosted guide); single Terminology link above variables <img width="1440" height="1100" alt="image" src="https://github.com/user-attachments/assets/90c8cfff-89bd-46d5-b336-2f9dd50d37e3" /> | **Before (`origin/master`)** - Header: **Terminology** link + **Docs** button → local development guide - Template variables: **Terminology** · **Local development** **After (this PR)** - Header: **Docs** button only → [Email templates](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/auth/auth-email-templates) (preview) - Template variables: single **Terminology** link → [Terminology](https://supabase.com/docs/guides/auth/auth-email-templates#terminology) - Local development path documented at [Editing email templates](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/auth/auth-email-templates#editing-email-templates) (preview; replacing the in-builder Local development link) **Capture notes:** Content-area screenshots were captured locally from component markup because the template editor body requires platform auth config in self-hosted Studio. Local files: worktree `.pr-screenshots/template-builder-links-{before,after}.png`. ### Proof: Docs clarify local development path **Verified:** Vercel docs preview (pass) · `supa-mdx-lint` (pass) | Page | Before (production) | After (PR preview) | |------|---------------------|--------------------| | Email templates — Editing | [Editing email templates](https://supabase.com/docs/guides/auth/auth-email-templates#editing-email-templates) | [Editing email templates](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/auth/auth-email-templates#editing-email-templates) | | Customizing email templates | [Customizing email templates](https://supabase.com/docs/guides/local-development/customizing-email-templates) | [Customizing email templates](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/local-development/customizing-email-templates) | ## Additional context ### Test plan - [ ] Open **Authentication → Emails → Confirm sign up** on a hosted project - [ ] Confirm header has **Docs** only (no Terminology link) - [ ] Confirm **Docs** opens `/docs/guides/auth/auth-email-templates` - [ ] In source view, confirm template variables show one **Terminology** link (no Local development) - [ ] Hover variable pills — tooltips still explain each placeholder - [ ] Compare [production Editing email templates](https://supabase.com/docs/guides/auth/auth-email-templates#editing-email-templates) vs [preview](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/auth/auth-email-templates#editing-email-templates) — hosted vs local/self-hosted sections and local dev callout are clear - [ ] Compare [production Customizing email templates](https://supabase.com/docs/guides/local-development/customizing-email-templates) vs [preview](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/local-development/customizing-email-templates) — intro links back to hosted email templates guide <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Summary by CodeRabbit * **Documentation** * Clarified how to edit authentication email templates for hosted vs. self-hosted and local development setups. * Added clearer navigation to template terminology and customization guidance, with updated examples and notes. * **New Features** * Updated the email template UI to use centralized documentation links for the terminology section. * **Tests** * Added coverage to ensure the “Terminology” docs anchor stays consistent. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Nik Richers <nik@validmind.ai> Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com> |
||
|
|
3db42a805f |
Joshen/fe 3652 replace direct renders of editor component from monaco to (#47268)
## Context Part of consolidating all our code editors - removes all direct renders of the `Editor` component and use `CodeEditor` instead ## UIs affected - [ ] Query performance advisor -> query block - [ ] Table Editor -> Table definition - [ ] Table Editor -> Text + JSON editor (From RowEditorSidePanel, expand input field) - [ ] Auth -> RLS -> Create/edit policy code sections - [ ] Storage policies -> Anywhere that has a code section <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Rolled out a consistent PostgreSQL code editor experience across policy, storage policy, trigger function, table definitions, and query performance screens. * Updated policy/template previews to use the shared editor for cleaner read-only viewing. * **Bug Fixes** * Removed extra left padding in the query performance editor wrapper. * Improved the JSON editor action control with clearer icon behavior. * **Refactor** * Standardized editor usage by replacing legacy SQL/Monaco-based editors with the shared CodeEditor and simplifying related editor components. * Updated CodeEditor capabilities (read-only handling, wrapper styling, markdown support) and tightened editor prop contracts. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
f2e20eac34 |
Joshen/fe 3651 deprecate monacoeditor from grid folder to use codeeditor (#47179)
## Context Part of efforts to consolidate all the code editors that we have in the repository `CodeEditor` will serve as the base monaco editor file that all UIs should consume from It's aimed to be generic and just stores the common logic that will be generally used where-ever we need a code editor (editor options, base editor set up on mount, etc) The idea is that `CodeEditor` holds just 3 default actions (run queyr, format document and placeholder fill) If any editor needs specific behaviours (e.g SQL Editor), they can declare them in the `onMount` prop of `CodeEditor` which gives some flexibility ## Changes involved - Use `CodeEditor` component for SQL Editor's `MonacoEditor` - Shifted Cmd K behaviour into `CodeEditor` since that's probably needed everywhere that we render that UI - Deprecate `MonacoEditor` from the table editor's `grid` folder - All files that were using that component to use `CodeEditor` component instead <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Refactor** * Migrated the studio’s code editing UI (including JSON, text, and payload viewers) to a unified CodeEditor experience. * **New Features** * Added plaintext language support for read-only/truncated views. * **Behavior Changes** * Improved editor startup by setting cursor position consistently and deferring autofocus. * Streamlined editor context-menu actions to the core set (run query, format, placeholder fill). * Updated SQL editor wiring for more consistent command/menu and selection handling. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
516dc12676 |
fix(docs): improve email template terminology table readability (#47143)
## I have read the CONTRIBUTING.md file.
YES
## What kind of change does this PR introduce?
Bug fix, docs update, Studio UX improvement.
Closes DOCS-400.
## What is the current behavior?
- Linear item: Docs: can't read Terminology table name column
- `break-all` on all `.prose td code` breaks `{{ .ConfirmationURL }}`
mid-token
- Studio template editor only linked to local-development
customizing-email-templates
## What is the new behavior?
- First-column code uses `break-words`; other columns keep `break-all`
- First column `min-width: 12rem` / `width: 30%`
- Studio TemplateEditor: **Terminology** + **Local development** links
- Template detail page: **Terminology** InlineLink beside Docs button
- `Table.tsx` MDX wiring deferred
On desktop:
<img width="864" height="1086" alt="image"
src="https://github.com/user-attachments/assets/f8439d1a-f607-4925-a250-ff142a357a2a"
/>
On mobile:
<img width="400" height="1383" alt="image"
src="https://github.com/user-attachments/assets/334769e8-3821-4bf4-8256-f4fae9ce45ea"
/>
Correct link:
<img width="1502" height="710" alt="Capto_Capture
2026-06-22_03-34-48_PM"
src="https://github.com/user-attachments/assets/87506751-d72b-4892-a8fb-63ef298a8260"
/>
## Additional context
- Verification (author): CSS diff only; table fixture screenshots
captured
- Frontend note: docs-only CSS in `apps/docs/styles/globals.css`; Studio
shadcn tables unchanged
### Test plan
- [ ] Check out worktree branch and run docs app locally (`cd apps/docs
&& pnpm dev`)
- [ ] Open `/docs/guides/auth/auth-email-templates#terminology` at
desktop width — Name column readable
- [ ] Same page at mobile/narrow width — first column has adequate
min-width
- [ ] Spot-check 1–2 other docs pages with code in table first column —
no regression
- [ ] Open Studio → Auth → Email Templates → edit any template
- [ ] Confirm new link to
`/guides/auth/auth-email-templates#terminology` opens correct anchor
- [ ] Confirm existing link to `customizing-email-templates` still works
- [ ] Confirm `apps/docs/components/Table.tsx` was **not** wired into
MDX
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Improved table cell code wrapping behavior in documentation to prevent
width expansion
* **Documentation & UI**
* Updated email templates editor with enhanced documentation links for
Terminology and Local development
* Added Terminology documentation link to email templates page header
for convenient access to reference materials
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Nik Richers <nik@validmind.ai>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
|
||
|
|
7f1298e35e |
chore: dead code cleanup (#47129)
## Problem We have many unused files, left overs from features refactoring ## Solution - Remove unused files - Move some files closer to their usage <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Removed multiple legacy Studio UI components and placeholders to streamline the interface (including onboarding panels, navigation elements, docs layout helpers, and various UI building blocks). * **UI Updates** * Updated the layout’s API keys section to use the Project-specific presentation. * **Maintenance** * Adjusted internal sourcing for documentation tab menu logic without changing visible behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
5babf1092a |
feat(auth): accept Android app origins for WebAuthn RP origins (#47043)
Allow `android:apk-key-hash:<base64url SHA-256>` entries in `WEBAUTHN_RP_ORIGINS` alongside https/localhost-http origins. Non-http(s) origins are matched as-is downstream and Android is responsible to binding the origin to the RP ID via digital asset links. |
||
|
|
097f220c5c |
Add support for managing stored procedures under database functions (#46977)
## Context Dashboard currently doesn't have any support for managing stored procedures. In the event that the security advisor surfaces a warning about a stored procedure, users hence run into a dead-end as there's currently no way to self-remediate via the dashboard ## Changes involved We're hence adding support for managing stored procedures within Database Functions <img width="1082" height="546" alt="image" src="https://github.com/user-attachments/assets/2598a5fe-e58f-4e8a-ad2f-9cb6d0eb2f53" /> Creating a function now shows a dropdown to select the type <img width="500" alt="image" src="https://github.com/user-attachments/assets/acc9249d-7b25-4416-aae8-89c630e1c62b" /> In which if stored procedure is selected, the following fields will be hidden since they're irrelevant for stored procedures - Return type - Behaviour (Under advanced settings) Some other minor UI changes as well: - Field inputs are re-ordered a little, opting to group "Schema" and "Name" into one section, followed by "Type" and "Return type" - Opting to show "Return type" when editing a function but disabled - Add schema filter for fetching database functions to reduce unnecessary load on the database ## To test - [ ] Can create, update, delete, read stored procedures via database functions page <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Summary - **New Features** - Added PostgreSQL **procedure** support alongside functions, including a **Type** selector in the create/edit flow. - Updated Functions UI with a new **Type** column and procedure-aware return/argument details. - **Improvements** - Refreshed create/edit headers and language help text for clearer context. - Improved argument parsing/display, including better handling of procedure argument modes. - **Bug Fixes** - Corrected routine-type handling during function/procedure delete and update SQL operations. - **Tests** - Updated unit snapshots and end-to-end UI flows/labels for the new “New function” control. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
96d43099bb |
chore: refactor Button API so that it can be used a standard button (#46880)
## Problem Our `<Button>` component breaks the default `button` contract by redefining the `type` prop to set its variant (`primary`, `default`, etc) instead of the button type (`submit`, `button`, etc). This is confusing and forces to write more code when using it with shadcn components that expect/inject the standard button props. ## Solution - rename the `type` prop to `variant` - rename the `htmlType` prop to `type` - propagate the changes where necessary - format code ## How to test As this is just prop renaming, if it builds it's ok --------- Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com> |
||
|
|
7e25c27e02 |
fix(studio): map email template anchors to docs (#46952)
## What kind of change does this PR introduce? Bug fix. Resolves FE-3469. ## What is the current behavior? On auth email template pages, the Docs button builds anchor hashes from the Studio URL slug (derived from user-facing titles), not from canonical template IDs. E.g. **Reset password** links to `#authemailtemplateresetpassword`, but the docs section is `#authemailtemplaterecovery`. 12 of 13 templates had broken Docs links. ## What is the new behavior? Docs links use an explicit `EMAIL_TEMPLATE_DOCS_ANCHORS` map keyed by `template.id`, matching the anchors in [customizing-email-templates.mdx](https://supabase.com/docs/guides/local-development/customizing-email-templates). Examples: - Reset password → `#authemailtemplaterecovery` - Magic link or OTP → `#authemailtemplatemagic_link` - Password changed → `#authemailnotificationpassword_changed` Dashboard URL slugs (`reset-password`, etc.) are unchanged. ## Additional context - Added `EMAIL_TEMPLATE_DOCS_ANCHORS` in `EmailTemplates.constants.ts` with `satisfies Record<AuthTemplateType, string>` for exhaustiveness - Added `EmailTemplates.constants.test.ts` to verify all template types are covered and anchors match docs heading paths **Test plan** - [x] `pnpm --filter studio test EmailTemplates.constants` - [ ] Spot-check Docs button on Reset password, Magic link or OTP, and Password changed templates <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Added automated checks to ensure every authentication email template has the correct documentation anchor mapping. * **Chores** * Updated the documentation link behavior for email templates to use a consistent, predefined anchor mapping—improving reliability and maintainability of the docs button. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1baaded0bb |
Consolidate execute-sql-query into execute-sql-mutation (#46944)
## Context Just some clean up as I was going through stuff - `useExecuteSqlQuery` is deprecated and not used at all - As such `execute-sql-query` is technically irrelevant, the more relevant file is `execute-sql-mutation` - Hence opting to consolidate `execute-sql-query` into `execute-sql-mutation` - Also removing `ExecuteSqlError` since its just re-exporting the `ResponseError` type There's a lot of file changes but its essentially just updating the importing statements across the files |
||
|
|
ff34a6753c |
chore: remove unnecessary <PreventNavigationOnUnsavedChanges> (#46763)
## Problem Since the refactor done in #43900, the `<PreventNavigationOnUnsavedChanges>` does not bring much value. ## Solution Remove `PreventNavigationOnUnsavedChanges` and update consumers to leverage `usePreventNavigationOnUnsavedChanges` and `DiscardChangesConfirmationDialog` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Improved the architecture of unsaved-changes navigation handling across multiple features. Components now use a more modular hook-based approach for better code organization and consistency. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
714f0ad8e9 |
fix: Don't use the custom domain when resolving OpenID config (#46637)
When setting up an OAuth Server app, the Studio fetches OpenID config from the URL. If the project uses custom domain, it'll cause a CORS because the custom domain is not whitelisted. This PR changes to use the `<ref>.supabase.co` URL to resolve the config. How to test: 1. Have a project with custom domain 2. Open `/project/_/auth/oauth-server` 3. Enable the Supabase OAuth Server 4. The OAuth endpoints in the bottom should appear BEFORE: <img width="1172" height="412" alt="Screenshot 2026-06-04 at 10 43 35" src="https://github.com/user-attachments/assets/d6157281-dc80-4a55-9356-10efb7953b7c" /> AFTER: <img width="1182" height="406" alt="Screenshot 2026-06-04 at 10 42 20" src="https://github.com/user-attachments/assets/6222124e-5f9e-4898-9fae-41d295211403" /> Fixes https://linear.app/supabase/issue/FE-2987/oauth-endpoint-fields-are-empty-with-custom-domains |
||
|
|
2b1ba50753 |
bugfix: timezone issue with template block cutoff date (#46601)
Fix to small issue with our block to free tier. The /project endpoint does not return a timestamp so it is being interpreted as local. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Bug Fixes** * Resolved timezone handling inconsistencies in email template availability checks to ensure accurate and consistent results across all geographic locations and server configurations. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
fd1f437eca |
feat(logs): brand remaining analytics SQL callers with SafeLogSqlFragment (#46476)
## Summary
PR 10 of the analytics SQL safety series. Migrates the last surface of
analytics queries that flowed through plain
`get(.../analytics/endpoints/logs.all, { query: { sql } })` or the
`fetchLogs(projectRef, sql: string, ...)` helper over to
`executeAnalyticsSql` with branded `SafeLogSqlFragment` inputs.
After this PR, every analytics SQL call site builds its query through
the safe-analytics-sql helpers and hits the wire through the single
`executeAnalyticsSql` boundary. User-controlled values (filter
operators, numeric thresholds, function IDs, regions, provider names)
all flow through `analyticsLiteral` / branded operator maps; static
fragments are wrapped in `safeSql`. PR 11 (ESLint / vitest rule
forbidding direct analytics-endpoint POST/GET outside
`executeAnalyticsSql`) is the next and final step.
## Changes
- **`hooks/analytics/useProjectUsageStats.tsx`** — route the
already-branded `genChartQuery` output through `executeAnalyticsSql`
(parallels `useLogsPreview`).
- **`data/reports/report.utils.ts`** — tighten `fetchLogs(sql)` from
`string` to `SafeLogSqlFragment`; the wire boundary is now the same
single `executeAnalyticsSql` wrapper used by the rest of the analytics
path. Adds two pre-branded fragment maps reused by the report configs:
- `SAFE_GRANULARITY_SQL` — closed set returned by
`analyticsIntervalToGranularity`.
- `SAFE_COMPARISON_OPERATOR_SQL` — closed set on
`NumericFilter.operator`.
- **`components/interfaces/Auth/Overview/OverviewErrors.constants.ts`**
— wrap the two static `AUTH_TOP_*_SQL` fragments in `safeSql` (no
interpolation, but the type now flows).
- **`data/reports/v2/edge-functions.config.ts`** — `filterToWhereClause`
and every entry in `METRIC_SQL` now return `SafeLogSqlFragment`.
User-controlled values (`status_code.value`, `execution_time.value`,
function IDs, regions) pass through `analyticsLiteral`; operators look
up the branded map; the granularity uses the branded map. The
wire-format strings are unchanged, so the existing
`edge-functions.test.tsx` exact-string expectations still hold.
- **`data/reports/v2/auth.config.ts`** — same shape applied to all ten
`AUTH_REPORT_SQL` entries. The legacy `whereClause.replace(/^WHERE\s+/,
'')` pattern is replaced by two helpers that emit `AND`-prefixed
predicate fragments directly (`authFiltersToAndPredicates`,
`edgeLogsFiltersToAndPredicates`). Static provider SELECT / GROUP BY
fragments are pre-branded.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Enhanced security for analytics and reporting queries by updating
query construction methods across auth, edge functions, and project
usage reports.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46476?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
7e9badc6b8 |
chore(studio): migrate useStaticEffectEvent to React 19 useEffectEvent (#46415)
Studio is on `react@^19.2.6`, and `useEffectEvent` shipped stable in React 19.2 with the same signature as the userland polyfill. This drops the local hook in `apps/studio` and `apps/www` in favor of the built-in. **Removed:** - `apps/studio/hooks/useStaticEffectEvent.ts` - `apps/www/hooks/useStaticEffectEvent.ts` - `.claude/skills/use-static-effect-event/` — skill is obsolete **Changed:** - 26 call sites: dropped the `useStaticEffectEvent` import, added `useEffectEvent` to the existing `react` import, renamed call sites - `.claude/CLAUDE.md`: `apps/studio` row updated React 18 → React 19 - `.claude/skills/vercel-composition-patterns/SKILL.md`: removed stale "Studio uses React 18, skip these patterns" warning ## To test - `pnpm typecheck --filter=studio` — passes locally - `pnpm typecheck --filter=www` — passes locally - `grep -rn "useStaticEffectEvent"` returns nothing outside `node_modules` - Smoke-test areas that use the hook: schema visualizer edges (intersection check), spreadsheet import, sign-in/CLI login flows, side panels with unsaved-changes prompts **Out of scope:** pre-existing Tailwind lint warning on `DefaultEdge.tsx:141` (`outline` + `outline-1` conflict) — unrelated to this migration <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Internal event handling migrated to React’s built-in event hooks across the Studio app; no user-facing changes. * **Documentation** * Clarified React 19 compatibility and noted Studio now targets React 19. * Removed obsolete documentation for a deprecated internal hook. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46415?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
|
a45776ecb9 |
feat(studio): restrict auth email template editing for free projects (#45396)
## What kind of change does this PR introduce? Feature / abuse-prevention update. Resolves DEPR-198. ## What is the current behaviour? Free projects using Supabase's built-in email service can edit raw Auth email template subjects and HTML in Studio. That is the risky cohort this project is trying to constrain. ## What is the new behaviour? ### Template editing restrictions For free projects using Supabase's built-in email service, Studio keeps Auth email templates viewable and previewable but disables subject/body editing and saving. Editing is unlocked by setting up Custom SMTP, configuring a send-email hook, or upgrading to a paid plan. **Grandfathering:** projects created before `2026-06-01T00:00:00Z` (the platform enforcement cutoff) are exempt; their editing UI stays unlocked. This mirrors `FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE` in the platform PR exactly. | After | | --- | | <img width="1024" height="759" alt="Emails Authentication Fizz Test Supabase-173BB09B-0FB9-4133-8202-9E310DDB347A" src="https://github.com/user-attachments/assets/c966212d-ed0c-443b-8197-440cc2937ef6" /> | | <img width="1024" height="759" alt="Emails Authentication Fizz Test Supabase-CD5845EB-0E45-4779-8989-44E775B2411A" src="https://github.com/user-attachments/assets/055a64d6-b5e8-4d37-a261-6e280f04536a" /> | ### Warning dialogs on transitions that reset templates Two flows now surface a warning before the user commits to a state change that resets their custom email templates to defaults: 1. **Disabling custom SMTP** (SMTP settings page): a confirmation dialog warns that templates will be reset to defaults and the email rate limit reduced to 2 per hour. On confirm, Studio resets all 13 templates via the existing per-template reset endpoint (`Promise.allSettled`). The "won't be able to edit" sentence is shown only for post-cutoff projects; grandfathered projects skip it. The corresponding server-side enforcement is in the Platform PR: https://github.com/supabase/platform/pull/33129 2. **Downgrading to the Free plan** (billing settings): an admonition in the existing downgrade confirmation modal warns that custom templates will be reset to defaults and won't be editable without custom SMTP. The admonition is shown only when the org has at least one post-cutoff project; orgs whose projects are all grandfathered skip it. | Custom SMTP | Downgrading | | --- | --- | | <img width="862" height="586" alt="66764" src="https://github.com/user-attachments/assets/6470c8a6-2f79-40a5-ad3b-bfe5b0ba9c54" /> | <img width="1268" height="1552" alt="CleanShot 2026-05-22 at 17 28 37@2x-FEB1901E-38E6-42DF-8C27-0A036D8A1B94" src="https://github.com/user-attachments/assets/e8caa9e6-c3ed-4787-b771-af77a43eb854" /> | ### Informational admonition when enabling SMTP When a user enables custom SMTP for the first time, a sandwiched admonition above the save footer informs them that the email rate limit will be increased to 30 per hour and can be adjusted. _This is just a minor cosmetic change, unrelated to the email template disabling. Sorry._ | Before | After | | --- | --- | | <img width="1024" height="759" alt="Emails Authentication Chisel Toolshed Supabase-54317D18-803C-4A58-8211-2359355D083B" src="https://github.com/user-attachments/assets/29eff649-02dc-40f3-a379-0b4d484a76c7" /> | <img width="1024" height="759" alt="Emails Authentication Chisel Toolshed Supabase-9E12399E-E9FB-4F9A-B029-A08008EA4B50" src="https://github.com/user-attachments/assets/e542ed86-4da6-407e-8293-0f4c0f071e18" /> | ## How to test All existing projects pre-date the enforcement cutoff (`2026-06-01T00:00:00Z`) and are grandfathered, so the restriction UI won't appear by default. To force the restricted state locally, back-date the cutoff in one file: In `apps/studio/components/interfaces/Auth/EmailTemplates/EmailTemplates.utils.ts`, temporarily change: ```ts export const FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE = '2026-06-01T00:00:00Z' ``` to: ```ts export const FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE = '2025-01-01T00:00:00Z' ``` Revert before committing. With the cutoff back-dated, use a free-plan project and: - **Template restriction + admonition:** navigate to Authentication > Emails with no custom SMTP configured. Subject/body fields should be read-only and the "Set up SMTP" admonition should appear, with its dropdown offering upgrade and send-email hook options. - **SMTP disable warning:** enable custom SMTP on a project, then disable it via Authentication > SMTP Settings. The confirmation dialog should warn that templates will reset to defaults and that editing will be restricted after disabling. - **Downgrade warning:** in billing settings, initiate a downgrade to the Free plan. The downgrade modal should include an admonition warning about template reset and restricted editing (only if the org has at least one post-cutoff project). ## Additional context The default Auth email template copy was also improved across docs, examples, and UI library snippets (separate prior commits). The per-template reset button (`ResetTemplateDialog`) was migrated to the async `AlertDialogAction` pattern introduced in #45960; the dialog stays open and shows a loading state while the reset is in-flight, closes on success, and stays open on error. Closes PRODSEC-183 --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> Co-authored-by: Stephen Morgan <stephen@doublethink.co.nz> |
||
|
|
a6bfa0478c |
chore: migrate auth Modal to Dialog (#46392)
## Problem We still uses the deprecated `Modal` for: - Banning a user - Inviting a user - Adding a redirection URL - Removing a redirection URL ## Test Hard to test the JWT. I had to force its display by settings its `open` prop to `true` in `apps/studio/components/interfaces/JwtSecrets/jwt-settings.tsx` ## Solution - use `Dialog` instead <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Modernized authentication UI components (user management, redirect URL configuration) with updated dialog structures for improved consistency and state handling * Enhanced async operation handling in redirect URL deletion workflows to ensure proper synchronization and state management <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46392?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
bde6a5e745 |
fix: auth users list design (#46413)
## Screenshots Before: <img width="856" height="1140" alt="image" src="https://github.com/user-attachments/assets/d1e04a6f-d3ed-43b3-84f1-3000f2ecac17" /> After: <img width="398" height="107" alt="image" src="https://github.com/user-attachments/assets/6b41663b-31ee-4556-b2e4-6847f705aa38" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Style** * Increased CSS specificity in the Users view to reliably remove the top border, ensuring consistent visual rendering across layouts and themes. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46413?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
47c084e51d |
refactor(studio): migrate telemetry to useTrack (#46140)
## Summary
I migrated every `useSendEventMutation` call site in `apps/studio` to
`useTrack`, deleted the legacy hook, and added a lint guardrail so it
can't return. `useTrack` is the type-safe replacement: it auto-injects
`groups: { project, organization }` from the selected project/org and
types `action` + `properties` against `TelemetryEvent`. Existing call
sites built groups manually and were not type-checked at the action
level. The migration covers 81 files (60 trivial swaps, 9 org-only, 3
pre-auth, 5 bespoke, 4 test mocks).
## Changes
- Migrated trivial call sites across `pages/project/[ref]`,
`components/interfaces/*` (Reports, Storage, Realtime/Inspector,
SQLEditor, Functions, EdgeFunctions, Integrations, ProjectAPIDocs,
Branching/BranchManagement, TableGridEditor, Connect, Docs, Auth,
Support, Home, ProjectHome, App), `components/layouts/*`, and
`components/ui/*`.
- Migrated org-only sites (`Organization/Documents/*`,
`Organization/BillingSettings/Subscription/*`,
`Organization/SecuritySettings.tsx`,
`Account/Preferences/DashboardSettingsToggles.tsx`) by dropping the
manual `groups: { organization: ... }` and letting `useTrack`
auto-inject. Verified `useSelectedProjectQuery` is disabled on org
routes (gates on URL `[ref]`).
- Migrated pre-auth sites (`SignInForm.tsx`, `sign-in-mfa.tsx`,
`profile.tsx`) where neither project nor org is resolved.
- Bespoke handling:
- `execute-sql-mutation.ts` and `table-row-create-mutation.ts`: pass `{
project: projectRef }` via `groupOverrides` since the mutation can
target a non-selected project ref.
- `useStudioCommandMenuTelemetry.ts`: kept a direct `sendTelemetryEvent`
call because studio groups must override pre-built event groups
(opposite of `useTrack`'s override direction).
- `AIAssistantOption.tsx`: passes sentinel-aware `groupOverrides` so
`NO_PROJECT_MARKER`/`NO_ORG_MARKER` continue to suppress group emission.
- `SidePanelEditor.utils.tsx`: utility functions `createTable` and
`updateTable` now take a `track: Track` parameter (threaded from
`SidePanelEditor.tsx`); dropped the `organizationSlug` arg since groups
are no longer assembled manually.
- Branch-event attribution: preserved `parentProjectRef` overrides on
`branch_updated`, `branch_merge_completed`, `branch_merge_failed`,
`branch_merge_submitted`, `branch_delete_button_clicked`,
`branch_review_with_assistant_clicked`, and
`branch_*_merge_request_button_clicked`. Original code grouped these
under the parent (production) project, not the branch ref;
auto-injection would have shifted them onto the branch.
- Switched 4 test mocks from `@/data/telemetry/send-event-mutation` to
`@/lib/telemetry/track`. Removed obsolete tests around manual groups and
`try/catch` on telemetry rejection.
- Deleted `apps/studio/data/telemetry/send-event-mutation.ts`. The
deleted module is its own guardrail: any reintroduction of the import
fails at TypeScript module resolution before lint runs.
## Testing
Tested on preview deploy:
- [x] SQL editor `CREATE TABLE` fires `table_created` with method
`sql_editor` and `groups.project` set to the mutation's `projectRef`.
- [x] Table editor creates a table from the side panel; `table_created`
fires from `SidePanelEditor.utils` via threaded `track`.
- [x] Help button (`/project/[ref]/...`) fires `help_button_clicked`
with auto-injected project + org groups.
- [x] Sign-in form fires `sign_in` with empty groups (pre-auth,
expected).
- [x] Org documents page (`/org/[slug]/documents`) fires
`document_view_button_clicked` with org group only, no stale project
ref.
- [x] Command menu (`Cmd+K`) inside a project still fires
`command_menu_opened` with studio's project/org overriding any
event-supplied groups.
- [x] Support form "Ask the Assistant" without selected org fires
`ai_assistant_in_support_form_clicked` with no project/org groups
(sentinels suppress).
- [x] On a branch, "Update branch" / "Merge branch" / "Close merge
request" events fire with `groups.project` set to the parent project
ref, not the branch ref.
Local checks:
- [x] 22/22 tests pass across the 4 updated test files
(`SidePanelEditor.utils.createTable`, `EdgeFunctionRenderer`,
`LayoutSidebar`, `PlanUpdateSidePanel`).
- [x] `rg useSendEventMutation apps/studio` returns 0 hits.
## Linear
- fixes GROWTH-860
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Standardized telemetry across the Studio to a unified tracking system;
events now send simplified payloads with less contextual/grouping data.
* No user-facing flows changed; UI behavior, permissions, and
interactions remain the same.
* **Tests**
* Updated telemetry mocks and tests to align with the new tracking
approach.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46140?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
108a7c2c11 |
chore: migrate auth policy editor modal to dialog (#46374)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Refactor ## What is the current behavior? The Auth policy editor flow still uses the deprecated `Modal` component and `Modal.Content` / `Modal.Separator` helpers. ## What is the new behavior? The Auth policy editor flow now uses `Dialog` primitives instead: - `Dialog` - `DialogContent` - `DialogHeader` - `DialogTitle` - `DialogSection` - `DialogSectionSeparator` Behavior is intended to remain unchanged. ## Additional context - Fixes #46375 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Updated the policy editor and review flows to a unified dialog layout for a cleaner, more consistent UI. * Sections and footer controls were reorganized for clearer grouping and improved button placement. * Existing behaviors (viewing templates, review/save flow, and close confirmation) are preserved. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46374?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1470c51021 |
fix(studio): align rls confirmation dialogs (#45961)
## What kind of change does this PR introduce? Studio UI cleanup and docs update. Resolves FE-3217. ## What is the current behavior? The table RLS confirmation dialogs differ across the Policies page and Table Editor surfaces. The table editor disable flow also uses a verbose confirmation modal with admonitions and repeated warning copy. | Policies | Table Editor | | --- | --- | | <img width="852" height="448" alt="25125" src="https://github.com/user-attachments/assets/baa9fafa-752c-4701-bf54-40da4e32030b" /> | <img width="1108" height="1016" alt="57354" src="https://github.com/user-attachments/assets/b1b88355-be39-49b9-aed2-a60f20c25104" /> | | <img width="866" height="434" alt="CleanShot 2026-05-15 at 18 01 15@2x" src="https://github.com/user-attachments/assets/d67f69ee-0a49-4dbd-939e-ca968361fc33" /> | <img width="840" height="426" alt="CleanShot 2026-05-15 at 18 01 52@2x" src="https://github.com/user-attachments/assets/a0b5f390-abeb-453f-8636-ad097f22308b" /> | ## What is the new behavior? Table RLS enable and disable confirmations now use one shared concise Alert Dialog treatment across the Policies page, Table Editor header, and Table Editor side panel. The server-backed toggles use the async Alert Dialog action behaviour from the stacked base branch, and the design-system docs now clarify when to start with Alert Dialog versus Confirmation Modal. This PR is stacked on #45960. | Before | After | | --- | --- | | <img width="852" height="448" alt="25125" src="https://github.com/user-attachments/assets/baa9fafa-752c-4701-bf54-40da4e32030b" /> | <img width="864" height="518" alt="CleanShot 2026-05-15 at 18 07 21@2x" src="https://github.com/user-attachments/assets/bda53246-164b-4d5b-81a1-25d3bc661eb3" /> | | <img width="1108" height="1016" alt="57354" src="https://github.com/user-attachments/assets/b1b88355-be39-49b9-aed2-a60f20c25104" /> | <img width="864" height="518" alt="CleanShot 2026-05-15 at 18 07 21@2x" src="https://github.com/user-attachments/assets/bda53246-164b-4d5b-81a1-25d3bc661eb3" /> | | <img width="866" height="434" alt="CleanShot 2026-05-15 at 18 01 15@2x" src="https://github.com/user-attachments/assets/d67f69ee-0a49-4dbd-939e-ca968361fc33" /> | <img width="860" height="488" alt="CleanShot 2026-05-15 at 18 08 41@2x" src="https://github.com/user-attachments/assets/4c67f797-e2cd-4d56-a49d-e6c6fc0edff3" /> | | <img width="840" height="426" alt="CleanShot 2026-05-15 at 18 01 52@2x" src="https://github.com/user-attachments/assets/a0b5f390-abeb-453f-8636-ad097f22308b" /> | <img width="860" height="488" alt="CleanShot 2026-05-15 at 18 08 41@2x" src="https://github.com/user-attachments/assets/4c67f797-e2cd-4d56-a49d-e6c6fc0edff3" /> | <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Refined guidance and wording for dialog usage, clarifying when to use Alert Dialog, Confirmation Modal, and modal modality. * **New Features** * Reworked RLS confirmation flow with a streamlined toggle dialog, clearer messaging, and a “Learn more” link to docs. * **Tests** * Updated end-to-end tests to cover the updated RLS dialog flows and explanatory content. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45961?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
38e09e1754 |
chore(studio + docs + ui library): update auth email template copy docs (#45706)
## What kind of change does this PR introduce? Docs update. Part of DEPR-198. ## What is the current behaviour? Auth email template examples and Studio template labels still reflect older default copy in a few places. ## What is the new behaviour? Updates Auth docs, local development docs, related snippets, Studio template labels, and UI Library examples to [match the updated default Auth email copy](https://linear.app/supabase/document/email-template-copywriting-updates-04bba460fd2a). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated authentication email template names and descriptions across guides, replacing "Magic link" with "Sign-in link or code" terminology * Revised security notification email naming from "Identity linked/unlinked" to "Sign-in method linked/removed" and "MFA method" to "Verification method" * Updated email template example content with improved wording (e.g., "Confirm your email address" instead of "Confirm your signup") * **UI Updates** * Refined authentication-related UI text labels and descriptions in the dashboard [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45706) <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com> |
||
|
|
02d7454ac9 |
fix: allow email rate limit editing when send email hook is enabled (#46104)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? bug fix: allow email rate limit editing when send email hook is enabled ## What is the current behavior? when send email hook is enabled, users can't customize the send email rate limit. ## What is the new behavior? when send email hook is enabled, users _can_ customize the send email rate limit. ## Additional context backend changes are already in place. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Improvements** * Expanded email rate limit configuration to support Send Email hooks in addition to SMTP providers. * Enhanced user guidance with updated messaging and navigation options for configuring email delivery methods. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46104?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
03a9f51b61 |
chore: migrate storage policies Modal to Dialog (#46222)
## Problem Storage policies edition still uses the deprecated `Modal` ## Solution - use `Dialog` instead - improve accessibility of the templates selection _back_ button - extract the dialog title component in its own file ## Screenshots The only difference is the title font which is larger with `Dialog` Before: <img width="542" height="504" alt="image" src="https://github.com/user-attachments/assets/46a078da-db77-4a14-a7f7-fad20f5b45e5" /> After: <img width="550" height="523" alt="image" src="https://github.com/user-attachments/assets/80c9c6ec-25cd-445a-ad65-f9b659cdfd72" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Modernized policy editing interfaces with updated dialog structure and consistent section separation across policy selection, templates, editor, and review flows for clearer layout and spacing. * **New Features** * Added a unified, context-aware modal header that adapts titles, back action, docs link, and close controls for different policy workflows. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46222?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
243e079a2c |
chore: remove _Shadcn_ suffix from Command components (#46153)
## Problem The `_Shadcn_` suffix isn't needed anymore on `Command` components ## Solution - Remove the `_Shadcn_` suffix - Simplify UI package exports - Apply prettier <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Simplified command component imports and exports across the UI library by removing internal naming aliases and adopting direct component references. Updated the public UI package barrel export to use wildcard re-exports for cleaner API surface. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46153?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
ee64f0abc0 |
fix: update link for OAuth client registration documentation (#46098)
Updates broken link for OAuth client registration |
||
|
|
4c148ea060 |
chore(studio): move short Admonitions to descriptions (#46049)
## What kind of change does this PR introduce? Chore. Follow-up to DEPR-551, #45302, #45535, and #45618. ## What is the current behaviour? Some short Studio Admonitions still put their entire message in `title` or legacy `label`, so body-copy callouts render as headings. ## What is the new behaviour? Moves selected single-message Studio Admonitions to `description`, keeping the follow-up deliberately limited to Studio callsites. This PR does not touch Docs content, shared Alert styling, ui-patterns, design-system registry/docs, or Tailwind config. | Before | After | | --- | --- | | <img width="1818" height="388" alt="Image" src="https://github.com/user-attachments/assets/283a1853-348a-4d74-a408-013957350e5e" /> | <img width="1380" height="462" alt="Image" src="https://github.com/user-attachments/assets/e5761e8e-3697-423b-805b-45110205099a" /> | | <img width="1640" height="716" alt="CleanShot 2026-04-28 at 15 17 25@2x" src="https://github.com/user-attachments/assets/a5be4d5f-2bf7-4dc2-b396-56129fe64ec9" /> | <img width="1630" height="716" alt="CleanShot 2026-04-28 at 15 16 00@2x" src="https://github.com/user-attachments/assets/0d589252-aaf8-4efc-9d81-15ec4f99ec61" /> | <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Style** * Refined message displays and admonition styling across settings, database, dashboard, and admin interfaces for improved visual consistency and clarity. * **UI Updates** * Updated search input layouts and form element styling in publications tables and other admin pages. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46049?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
9dc3998fa0 |
RLS Tester sandbox environment (#45839)
## Context Resolves FE-3221 Heavily inspired by what @filipecabaco has done previously here: https://github.com/supabase/supabase/pull/45360 This PR explores the use of pglite to set up a sandbox for RLS testing, which will pave the way for testing mutation based queries so to ensure no disruption to the actual database. Sandbox can be set up within the RLS tester panel as such: <img width="500" alt="image" src="https://github.com/user-attachments/assets/0cfdf8e4-dd99-4dee-ac00-39a32b375c07" /> Which the sandbox will mimic the project's database to the bare minimum required - entities from the `public` schema are copied over (types, tables, functions, policies) - `auth` schema is pseudo setup with `SANDBOX_SETUP_STATEMENTS` - Enough to support role impersonation + querying tables with references to the auth schema (e.g users table) - data is seeded up to 100 rows for each table - More info RE limitations in the last section below Once sandbox is ready, you'll see this UI where you can either leave the sandbox, or re-sync the sandbox from the actual database <img width="500" alt="image" src="https://github.com/user-attachments/assets/d07ce55f-5bc8-4722-8ce9-898b9b458f9b" /> Changes are currently feature flagged, so won't be available publicly just yet until things are ironed out and ready ## To test - [ ] Verify that setting up sandbox works - [ ] Verify that you can query your sandbox, and queries do not touch the actual database (can verify that we're not sending HTTP requests to the /query endpoint) - [ ] Verify correctness of RLS tester as well, should match correctness with testing against actual DB - [ ] Verify that re-syncing sandbox picks up changes - Can test by updating your policies that will affect the output of your select query - e.g SELECT for `authenticated`, change from just `true` to `false` - [ ] RLS tester should work as per normal (against actual DB) with the feature flag off with no additional overhead Let me know of any edge cases you might run into while testing ## Known quirks that will be addressed subsequently Leaving these for now just to not bloat this PR further - Pglite schema needs to be re-synced if updating RLS policies while testing, to ensure that pglite gets the updated policies. Will think about how to make this more seamless - Sandbox has its own limitations, will need to add a dialog to inform users how the sandbox works and what limitations to note of - e.g only the auth schema is mimicked - so policies that reference storage helpers won't work (although i think auth is probably the main use case and the rest might be niche) - We can slowly expand tho where required - Eventually we'll also move forward with figuring out testing mutation queries with this sandbox <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * RLS tester gains an isolated Postgres sandbox with schema/seed import, start/refresh/exit controls, and pre-populated auth data. * Sandbox management UI with setup, loading, active, and error states; refresh and destroy actions. * **Bug Fixes** * Role impersonation now keeps the PostgREST role set to anon while the tester sheet is open. * **Chores** * Content Security Policy updated to allow sandbox/connectivity endpoints. * **Style** * Minor sheet styling adjustment (top border). <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45839) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
f45a6085f4 |
feat(studio): add auth email template reset flow (#45572)
## What kind of change does this PR introduce? Feature. Resolves AUTH-879. ## What is the current behavior? Studio does not provide a way to reset an Auth email template back to the default subject and body once it has been customised. ## What is the new behavior? Studio shows a `Reset template` action when Platform reports that the selected Auth email template subject or body has been customised. The action opens a confirmation dialog, calls the dedicated Platform reset endpoint, and refreshes the editor with the default subject and body returned by the API. The Auth config save/reset mutations now run their user-facing success handling before refreshing Auth lint data, so the success toast and local editor cleanup are not delayed by lint refetches. ## Additional context Depends on supabase/platform#32417. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Reset email templates to defaults via a confirmation dialog; button appears when custom content is detected and respects update permissions. * Typed email-template definitions and improved template variable display and descriptions. * **Tests** * Added tests covering template reset visibility, confirmation flow, state updates, permission handling, and toast notifications. * **Documentation** * Example email template placeholders updated for internationalization and provider snippets. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45572) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com> |
||
|
|
e925385415 |
studio,pg-meta: SafeSql for functions/policies/triggers (3/7) (#45990)
## Summary
Third PR in the SafeSql migration stack. Flips the input/output types on
`pgMeta.functions/policies/triggers`'s `.create/.update/.remove` to use
`SafeSqlFragment`, and updates every Studio consumer atomically.
### pg-meta
- `pgMeta.functions/policies/triggers` `.create/.update/.remove` now
return `{ sql: SafeSqlFragment }` and accept branded input parameters
(`PGFunctionCreate`, `PGSavedFunction`, `PolicyCreate/UpdateParams`,
`PGTriggerCreate` with branded condition).
- `QueryModifier.toSql()` returns `SafeSqlFragment`.
### Studio consumers updated to the new branded API
- `data/database-functions/*` (query, create/update/delete mutations)
- `data/database-policies/*` (create, update mutations)
- `data/database-triggers/database-trigger-update-transaction-mutation`
- `components/Database/Triggers/TriggerSheet`
- `components/Database/Functions/CreateFunction`
- `components/Auth/Policies/PolicyEditorPanel`
These consumers land atomically with the pg-meta API change because the
input-type strictness flip (string → `SafeSqlFragment` for SQL fields)
forces every call site to update together.
## Stack
- 1/7: #45897 (merged)
- 2/7: #45903 (merged)
- 3/7: this PR
- 4/7–7/7: upcoming
## Test plan
- [x] `pnpm typecheck` passes
- [x] `pnpm --filter @supabase/pg-meta test` passes
- [x] Dev-server smoke test: function editor, policy editor, trigger
sheet
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Strengthened SQL safety across policy, function, and trigger workflows
by converting raw SQL strings to typed SQL fragments and safer
composition
* Updated editor behavior to handle policy conditions/checks as typed
SQL fragments with improved initialization and template handling
* Aligned query and modifier interfaces to return typed SQL fragments
for safer composition
* **Tests**
* Updated tests to use typed SQL fragments and synchronous builders
where applicable
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45990)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
5d97339d41 |
chore: remove <Select> _Shadcn_ suffix (#45988)
## Problem The `_Shadcn_` suffix isn't needed anymore on `Select` components ## Solution Remove it. No other changes <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Updated internal component architecture to standardize and simplify the codebase. These changes improve code maintainability and consistency across the application without affecting existing functionality or user experience. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45988) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
86a3f8b03d |
chore: upgrade to react-19 (#45886)
- Most changes are related to either types or `useRef` usages (it now requires an initial value). - also updated `vaul` to its latest version and haven't noticed any change ([design-system demo](https://design-system-git-react-19-supabase.vercel.app/design-system/docs/components/drawer)) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Upgraded workspace to React 19. * **Bug Fixes** * Improved null-safety and ref handling across editors, UI components, shortcuts, and markdown/image rendering to reduce runtime errors. * Safer event/timeout/interval cleanup and more robust command/context handling. * **Chores** * Bumped vaul dependency versions. * **Documentation** * Type and TypeScript accuracy improvements for clearer developer feedback. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45886) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
8c6d5036ea |
chore: remove <Label> _Shadcn_ suffix (#45986)
## Problem The `_Shadcn_` suffix isn't needed anymore on label component ## Solution Remove it. No other changes <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Standardized Label usage across the codebase by removing the legacy alias and using the direct Label export from the UI package consistently. * **Documentation** * Updated component examples and docs to use the standardized Label component in usage snippets and demos. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45986) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
590ec2bbd4 |
fix: improve accessibility for icon buttons (#45981)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Improving accessibility for icon-only buttons ## What is the current behavior? Icon-only buttons do not have explicit accessible names for screen readers. ## What is the new behavior? All icon-only buttons now have explicit accessible names using visually hidden text (sr-only), ensuring proper screen reader support. ## Additional context Tooltip text is preserved for visual users. No visual changes were introduced. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Added/updated aria-labels across refresh buttons, sidebar controls, dropdown triggers, and navigation links for better accessibility. * Added conditional aria-labels for the “Create with Assistant” control to reflect permission states. * Improved screen-reader descriptions for sidebar toggle and other stateful controls to better convey status changes. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45981) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
d0fd4478c0 |
chore: migrate Popover usages to Shadcn components (#45980)
## Problem We have multiple Popover components ## Solution - [x] migrate Popover usages to Shadcn components - Migrated JSON and text editor in the `TableEditor` (inline row edition) - Migrated the template popover in the logs explorer templates page - [x] remove `_Shadcn_` suffix from Popover components (renaming + prettier) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Unified popover implementation across the app and design system; dropdowns, calendars, menus and tooltips now use a consistent popover API with no visual or interaction changes. * **Chores** * Minor prop typing update for the logs date-picker to align with the consolidated popover content type. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45980) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
4e86c39ea1 |
chore: remove <ContextMenu> _Shadcn_ suffix (#45971)
## Problem The `_Shadcn_` suffix isn't needed anymore on `<ContextMenu_Shadcn_>` and related components ## Solution Remove it. No other changes <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Replaced legacy context-menu component variants with the unified UI context-menu components across the app for consistent rendering and imports; behavior and menu content remain unchanged. * **Tests** * Updated a test mock to track the unified context-menu component mount count. * **Chores** * Simplified UI package re-exports to expose the canonical context-menu symbols. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45971) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
0713a1efc1 |
chore: remove shadcn suffix for Input, Textarea, Alert and Collapsible (#45867)
## Problem Now that we migrated old components to their new shadcn alternatives, we don't need the `_Shadcn_` suffix anymore. ## Solution Remove it <img width="659" height="609" alt="image" src="https://github.com/user-attachments/assets/2d7271a9-066a-4dcc-92fe-729b106d2c2f" /> |
||
|
|
4195b9af27 |
chore: update leaked password button in attack protection (#45975)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Frontend improvement ## What is the current behavior? "Configure email provider" button in the Authentication > Attack Protection: the title doesn't change, only the label on the left depending on whether it's enabled or disabled. <img width="1512" height="148" alt="CleanShot 2026-05-15 at 12 15 57@2x" src="https://github.com/user-attachments/assets/b2069333-6f1a-4503-9b3b-d75c005e4522" /> ## What is the new behavior? "Configure in email provider" - to clarify that this feature is managed in the email provider settings, and not refer to the whole email provider setup. <img width="1668" height="172" alt="CleanShot 2026-05-15 at 12 19 10@2x" src="https://github.com/user-attachments/assets/35fd5b35-8b31-4912-875d-cc9fc7b1968e" /> ## Additional context Relevant ticket where the button title was confusing for the customer: https://supabase.frontapp.com/open/cnv_1mtka5ni?key=-r6o8zPz-3XzuiQ7eh5FfCZBjTuKg78n |
||
|
|
88c43b31b9 |
Support optionally remove custom domain addon when deleting custom domain after activated (#45880)
## Context Related BE PR: https://github.com/supabase/platform/pull/32693 Add support to remove the custom domain add-on when deleting a custom domain after the custom domain is activated. <img width="411" height="310" alt="image" src="https://github.com/user-attachments/assets/23d57fc0-f760-42d4-8383-480ff2b2ec5a" /> We previously had this behaviour by default to address some customer feedback RE confusion that they were still being charged for custom domain add-on despite deleting the custom domain, but not removing the add-on. However this was a bit of confusing UX (RE deleting the add-on implicitly), so this makes the deleting of the custom domain add-on an explicit action instead. ## To test - [ ] Set up custom domain on a project - [ ] Trying deleting the custom domain after activating _without_ removing the add-on - [ ] Trying deleting the custom domain after activating _with_ removing the add-on |
||
|
|
d79a276824 |
studio: ColumnTypeRef cascade + FK type comparison fixes (2/7) (#45903)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Refactor + bug fixes (part of the SafeSql migration stack — PR 2 of 7, stacks on top of #45897). ## What is the current behavior? - `pgMeta.columns.create` and the table-editor SQL builder take column type as a string with array suffix and schema baked in (e.g. `'private.test_enum'`, `'int4[]'`). - The studio table-editor SQL emits the legacy schema-embedded `format` string for enums in non-public schemas, while the pg-meta columns SQL already returns the new shape (bare `format` + separate `format_schema`). The two queries disagree on how to represent the same column, surfacing as a false-positive type mismatch in the FK selector when both ends are an enum from a non-public schema. - The FK selector compares column types by `format` alone — same-named enums in different schemas appear equal, and arrays vs. scalars of the same base type pass the family check. - `displayColumnType` renders arrays as the raw `_typname` pg-meta emits (e.g. `_int4` instead of `int4[]`). ## What is the new behavior? **pg-meta** - Introduce `ColumnTypeRef` (`{ schema?, name, isArray? }`) for column type input, replacing the legacy string-with-array-suffix format. `pgMeta.columns.create` and the table-editor SQL builder consume the new shape. - Add `format_schema` to the column zod schema; pg-meta SQL emits the type's schema for the table editor's ColumnType dropdown. - `pgMeta.columns.create` returns a `SafeSqlFragment`. - Studio table-editor SQL now emits bare `format` + `format_schema`, matching pg-meta's columns SQL. **Studio** - `SafePostgresColumn`/`SafePostgresTable` extend the new `PG*` types (master dropped postgres-meta). - Pipe `ColumnTypeRef` through `SidePanelEditor` → `ColumnEditor` → `TableEditor`, along with the column-create mutation, table retrieve/list queries, and the `TableList`/`ColumnList` surfaces. - `displayColumnType` helper renders arrays as `type[]` (or `schema.type[]`) and handles non-implicit schemas. - FK selector now carries `sourceIsArray`/`targetIsArray` and compares the full `(format, format_schema, isArray)` triple. Family checks for numeric/text/uuid skip when either side is an array (FKs across array boundaries are never compatible). - Type-mismatch and type-notice alerts pass `isArray` to the display helper. - Bundle `Policies.utils` + `Policies.types` + `sql-policy-mutation`, `PolicyEditorModal`, and `SchemaGraph` here because `SidePanelEditor` consumes `acceptGeneratedPolicy`/`AcceptedGeneratedPolicy` — splitting requires temporary overloads with no architectural payoff. ## Additional context Part of the SafeSql migration stack. Stacks on top of #45897. ### Manual test checklist Surfaces touched by this PR — please exercise each: **Table editor** - [x] Create a new table with a mix of column types (scalar, array, enum, foreign key) - [x] Add a column to an existing table; verify the type dropdown lists scalars + arrays separately and shows schema-qualified names for non-public enums - [x] Edit an existing column's type (scalar ↔ array, switch between enums in different schemas) and save - [x] Verify enum types from a non-public schema (e.g. `private.my_enum`) display as `private.my_enum` in the column list **Foreign key selector** - [x] Open the FK selector for a column and pick a target column with a matching type — no mismatch warning - [x] Pick a target column whose type differs only by schema (two same-named enums in different schemas) — should show a type-mismatch alert - [x] Pick a target column where one side is an array and the other is a scalar of the same base type — should show a type-mismatch alert (no auto-cast across array boundary) - [x] When FK target sets the column type, verify `format_schema` and `isArray` are preserved on the source column - [x] Type-mismatch and type-notice alert messages render array types as `type[]` (not `_type`) **Column list / table list** - [x] Schema-qualified type names display correctly for columns whose type lives in a non-public schema - [x] Array columns display as `type[]` (or `schema.type[]`) **Policies (bundled due to import dependency)** - [x] Open the Policies page; create/edit/delete a row-level policy via the modal - [x] Generate a policy via the AI assistant and accept it through `SidePanelEditor` — verify the accepted policy lands in the editor correctly **Schema visualizer** - [x] Open the Schemas → Schema Visualizer page; verify it renders without type errors and shows tables/relationships <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Improvements** * Support for column types in non-public schemas and richer column type presentation (includes schema and array info). * Stronger SQL safety around policies and constraints; draft policy SQL is now promoted explicitly on save. * Improved foreign-key type validation and compatibility checks using enhanced type metadata. * **Tests** * Updated snapshots and tests to reflect new column metadata and SQL fragment handling. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45903) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
d4079083fc |
chore(studio): drop @supabase/postgres-meta in favor of @supabase/pg-meta (#45844)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Refactor / dependency cleanup. ## What is the current behavior? `apps/studio` lists both `@supabase/pg-meta` (workspace package) as a runtime dep and `@supabase/postgres-meta` (external npm package, `^0.64.4`) as a devDependency. The external package is used only for type imports across 44 files — there is no runtime usage and no codegen pipeline that needs it. ## What is the new behavior? Every `Postgres*` type import (`PostgresTable`, `PostgresColumn`, `PostgresPolicy`, `PostgresTrigger`, `PostgresView`, `PostgresMaterializedView`, `PostgresForeignTable`, `PostgresSchema`, `PostgresPublication`, `PostgresRelationship`, `PostgresPrimaryKey`) is replaced with its `PG*` counterpart from `@supabase/pg-meta`, and the external dep is removed from \`apps/studio/package.json\`. Top-level type re-exports were added to \`packages/pg-meta/src/index.ts\` so consumers can import directly from the package root. Two latent issues surfaced by the stricter pg-meta types are also fixed: - \`data/foreign-tables/foreign-tables-query.ts\` was casting foreign-table results as \`PostgresView[]\`; corrected to \`PGForeignTable[]\`. - \`pg-meta\`'s \`PGTrigger\` Zod schema declared \`orientation\`/\`activation\` as \`z.string()\`, inconsistent with pg-meta's own \`getDatabaseTriggerUpdateSQL\` helper that requires the narrow literal unions; tightened to \`z.enum\`. ## Additional context <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated internal TypeScript type definitions across the codebase to use the latest type system from `@supabase/pg-meta`. * Removed `@supabase/postgres-meta` dependency. * Enhanced type validation for database triggers and schemas to enforce stricter constraints. [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45844) <!-- end of auto-generated comment: release notes by coderabbit.ai --> |