Commit Graph

645 Commits

Author SHA1 Message Date
Gildas Garcia cabe14e5ca chore: remove _Shadcn_ suffix from ui tabs components (#47628)
## Problem

Now that we migrated all usages of the deprecated `Tabs` component, we
don't need the `_Shadcn_` suffix anymore.

## Solution

Remove `_Shadcn_` suffix from `ui` tabs components. That's all this PR
does, no visual nor functional changes

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Standardized tab components across the app so pages and dialogs now
use the same consistent tab UI.
* Improved tab-based views in design, docs, studio, learn, and website
experiences for a more uniform interface.

* **Chores**
* Updated shared UI exports to expose tab components directly,
simplifying future usage across the product.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-06 15:29:16 +02:00
Vaibhav 804475fd3a fix: redirect urls (#47487)
## TL;DR

fixes redirect url  normalization..

## PS:

| Before | After |
| --- | --- |
| Broken: whitespace could make the same redirect URL appear as a
separate entry and break delete behavior | Fixed: equivalent redirect
URLs are normalized consistently, so display, save, and delete behavior
stay in sync |
| <img width="800" height="274" alt="Before redirect URLs behavior"
src="https://github.com/user-attachments/assets/47dbb1ca-7c7d-482b-a67e-08c2eb2cd030"
/> | ![After redirect URLs
behavior](https://github.com/user-attachments/assets/b90dfad3-9ec2-4431-8412-34d4faca62da)
|

## ref:
- closes https://github.com/supabase/supabase/issues/47478

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved redirect URL handling so saved and displayed URLs are
consistently trimmed, normalized, deduplicated, and parsed from
comma-separated allow lists.
* Tightened redirect URL validation to better catch invalid formats and
prevent duplicates both against the existing allow list and within a new
submission.
* Fixed redirect URL deletion to remove the exact set of URLs confirmed
by the user.
* **Tests**
* Added/updated tests to cover redirect URL normalization and parsing
behavior for stored comma-separated allow lists.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-07-01 08:24:17 -06:00
Joshen Lim 1de298ff31 Reinstate https://github.com/supabase/supabase/pull/45143 into latest master (#47433)
## Context

Previous PR was [here](https://github.com/supabase/supabase/pull/45143)
but it got stale with lots of conflicts so figured it'll be easier redo
it off the latest master

Moves policies page from Auth to Database under an Access Control
section along with Roles. This moves all existing files, applies
redirects, and updates urls to point to the new route

<img width="274" height="412" alt="image"
src="https://github.com/user-attachments/assets/7952c185-64ae-4355-ba36-45397efe1787"
/>

<img width="453" height="471" alt="image"
src="https://github.com/user-attachments/assets/04b3dcb3-48a5-4049-9893-d01109fb46a9"
/>


## To test
- [ ] Verify that policies now live under Database correctly

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a quick navigation shortcut to open **Database > Policies
(RLS)**.
* **Bug Fixes**
* Updated Policies and RLS-related links across the product to open the
**Database policies** area (menus, command palette, context actions,
alerts, and link-outs).
* Added a permanent redirect from the old **auth policies** URL to the
new **database policies** URL.
* **Documentation**
* Updated RLS Dashboard and security checklist instructions to reference
**Database > Policies**.
* **Tests**
  * Adjusted automated tests to validate the new Policies route.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-30 18:49:33 +08:00
Gildas Garcia b30db91d71 chore: cleanup UI patterns exports (#47406)
## Problem

We now export components under a subpath in ui-patterns to avoid barrel
files as they slow down every tools (from IDE to linters, etc.) and may
also affect bundles our users have to download.

## Solution

- Remove the UI patterns index file
- Fix invalid impors
2026-06-30 09:23:17 +02:00
Danny White 3acc53cca3 chore(studio): minor database UI polish (#47356)
## What kind of change does this PR introduce?

Chore

## What is the current behavior?

- Add-column uses implicit button styling
- Replication row tooltip says "Open in Table Editor"

## What is the new behavior?

- Add-column explicitly uses `variant="default"`
- Auth Users explicitly uses `variant="default"`
- Replication row tooltip says "Table Editor"

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-30 03:47:35 +10:00
Ivan Vasilov fd85c81e6c chore: Bump all rate limits in Auth to match the API (#47405)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Increased the allowed maximum values for rate-limit settings, enabling
much larger numeric inputs.
* Updated validation messages so error text matches the new limits and
time-window wording.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-29 15:54:11 +00:00
Gildas Garcia c6fc456910 chore: cleanup duplicate exports studio (#47387)
## Problem

Knip reports many duplicate exports (both named and default). Besides,
we're moving away from default exports and even have an eslint rule to
enforce it on new code.

## Solution

- Cleanup those exports
- Update imports when necessary

No functional changes. If it builds, it's fine
2026-06-29 15:46:16 +02:00
Danny White 8192d97008 feat: surface send-email hook status in template UI and hook deletion dialog (#46319)
## What kind of change does this PR introduce?

Feature. Implements
[AUTH-1215](https://linear.app/supabase/issue/AUTH-1215/improve-studio-ui-when-send-email-hook-is-active-or-deleted).
Follow-up to #45396.

## What is the current behavior?

When a send-email hook is configured, email templates are bypassed
entirely. Auth passes event metadata to the hook, not rendered HTML. The
template list and editor give no indication of this.

Deleting the send-email hook silently reverts Auth to using email
templates with no warning. For post-cutoff Free plan projects without
custom SMTP, this also locks template editing.

## What is the new behavior?

### Admonition when send-email hook is active

A new `SendEmailHookActiveAdmonition` is shown on both the template list
and individual template editor pages when `HOOK_SEND_EMAIL_ENABLED` and
`HOOK_SEND_EMAIL_URI` are set:

> **Email templates are not used**
> A Send Email hook is active. Event metadata is passed directly to your
hook, meaning these templates are bypassed entirely.

With a **Manage hook** link to the hooks page.

### AlertDialog for Send Email hook deletion

Deleting the Send Email hook now uses a dedicated
`DeleteSendEmailHookConfirmationDialog`:

- **Always:** "The {default or built-in} email templates will be used to
send auth emails."
- **Post-cutoff Free plan, no custom SMTP:** adds "Email templates
cannot be edited on the Free plan without custom SMTP."

The dialog stays open with a loading state while the deletion is
in-flight and closes on success.

| After |
| --- |
| <img width="1862" height="880" alt="CleanShot 2026-05-25 at 15 57
41@2x"
src="https://github.com/user-attachments/assets/8a441bb2-9112-4b19-bd0b-02c9d1989ec1"
/> |
| <img width="884" height="578" alt="CleanShot 2026-05-25 at 15 57
21@2x"
src="https://github.com/user-attachments/assets/44e5bd79-2bd9-44ee-8f53-5fdaeefd68c6"
/> |

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a Send Email hook warning in the template editor with “Manage
hook” and “Learn more” links.
* **UI Improvements**
* Refined template editor alerts to reflect when templates are bypassed
vs blocked.
* Updated hook cards/actions to a dropdown with separate Edit and Delete
flows, including documentation links.
* **Bug Fixes**
* Improved template editor and hook deletion flows to better reflect
pending states and current authentication configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-29 17:09:31 +08:00
Chris Stockton d46a9c43fd feat(Auth/EmailTemplates): Add SiteURL variable for notifications (#46393)
This will make email templates more consistent and may be merged after
https://github.com/supabase/auth/pull/2532 is deployed.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Authentication notification emails now include access to site URL
references. This enhancement applies to multiple notification types:
password change alerts, email change confirmations, phone number change
notifications, identity linking and unlinking events, and multi-factor
authentication enrollment and unenrollment notifications.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46393?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>
2026-06-25 15:20:01 +00:00
Nik Richers 32d1bdd534 fix(studio): reduce doc link density in auth email template builder (#47250)
## I have read the CONTRIBUTING.md file.

YES

## What kind of change does this PR introduce?

- Studio UI update (auth email template builder)
- Docs update (hosted email templates guide + local dev cross-link)

Closes DOCS-1086.

## What is the current behavior?

- Linear item: Reduce link density in the template builder UI
- Page header shows a **Terminology** link and **Docs** button (local
development guide)
- Template variables footer shows **Terminology** · **Local
development**
- Local development editing is only mentioned in one sentence on the
hosted docs page; easy to miss once Studio no longer links there
directly

## What is the new behavior?

- Page header: **Docs** button only →
`/guides/auth/auth-email-templates`
- Template variables: single **Terminology** link → `#terminology`
(variable pills still have hover tooltips)
- Hosted docs: **Editing email templates** split into hosted vs
local/self-hosted, with a callout linking to the local development guide
- Local dev guide: opening paragraph links back to the hosted guide for
shared terminology and patterns

### Proof: Template builder has fewer outbound doc links

| Before | After |
|--------|-------|
| Header Terminology + Docs (local dev guide); footer Terminology ·
Local development <img width="1440" height="1100" alt="image"
src="https://github.com/user-attachments/assets/3325f43b-5830-4b85-ba56-2ba4c5b04bcd"
/> | Docs button only (hosted guide); single Terminology link above
variables <img width="1440" height="1100" alt="image"
src="https://github.com/user-attachments/assets/90c8cfff-89bd-46d5-b336-2f9dd50d37e3"
/> |

**Before (`origin/master`)**

- Header: **Terminology** link + **Docs** button → local development
guide
- Template variables: **Terminology** · **Local development**

**After (this PR)**

- Header: **Docs** button only → [Email
templates](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/auth/auth-email-templates)
(preview)
- Template variables: single **Terminology** link →
[Terminology](https://supabase.com/docs/guides/auth/auth-email-templates#terminology)
- Local development path documented at [Editing email
templates](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/auth/auth-email-templates#editing-email-templates)
(preview; replacing the in-builder Local development link)

**Capture notes:** Content-area screenshots were captured locally from
component markup because the template editor body requires platform auth
config in self-hosted Studio. Local files: worktree
`.pr-screenshots/template-builder-links-{before,after}.png`.

### Proof: Docs clarify local development path

**Verified:** Vercel docs preview (pass) · `supa-mdx-lint` (pass)

| Page | Before (production) | After (PR preview) |
|------|---------------------|--------------------|
| Email templates — Editing | [Editing email
templates](https://supabase.com/docs/guides/auth/auth-email-templates#editing-email-templates)
| [Editing email
templates](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/auth/auth-email-templates#editing-email-templates)
|
| Customizing email templates | [Customizing email
templates](https://supabase.com/docs/guides/local-development/customizing-email-templates)
| [Customizing email
templates](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/local-development/customizing-email-templates)
|

## Additional context

### Test plan

- [ ] Open **Authentication → Emails → Confirm sign up** on a hosted
project
- [ ] Confirm header has **Docs** only (no Terminology link)
- [ ] Confirm **Docs** opens `/docs/guides/auth/auth-email-templates`
- [ ] In source view, confirm template variables show one
**Terminology** link (no Local development)
- [ ] Hover variable pills — tooltips still explain each placeholder
- [ ] Compare [production Editing email
templates](https://supabase.com/docs/guides/auth/auth-email-templates#editing-email-templates)
vs
[preview](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/auth/auth-email-templates#editing-email-templates)
— hosted vs local/self-hosted sections and local dev callout are clear
- [ ] Compare [production Customizing email
templates](https://supabase.com/docs/guides/local-development/customizing-email-templates)
vs
[preview](https://docs-git-nikrichers-docs-1086-reduce-link-densi-bf6705-supabase.vercel.app/docs/guides/local-development/customizing-email-templates)
— intro links back to hosted email templates guide

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Summary by CodeRabbit

* **Documentation**
* Clarified how to edit authentication email templates for hosted vs.
self-hosted and local development setups.
* Added clearer navigation to template terminology and customization
guidance, with updated examples and notes.

* **New Features**
* Updated the email template UI to use centralized documentation links
for the terminology section.

* **Tests**
* Added coverage to ensure the “Terminology” docs anchor stays
consistent.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Nik Richers <nik@validmind.ai>
Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-25 08:50:05 +02:00
Joshen Lim 3db42a805f Joshen/fe 3652 replace direct renders of editor component from monaco to (#47268)
## Context

Part of consolidating all our code editors - removes all direct renders
of the `Editor` component and use `CodeEditor` instead

## UIs affected
- [ ] Query performance advisor -> query block
- [ ] Table Editor -> Table definition
- [ ] Table Editor -> Text + JSON editor (From RowEditorSidePanel,
expand input field)
- [ ] Auth -> RLS -> Create/edit policy code sections
- [ ] Storage policies -> Anywhere that has a code section

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Rolled out a consistent PostgreSQL code editor experience across
policy, storage policy, trigger function, table definitions, and query
performance screens.
* Updated policy/template previews to use the shared editor for cleaner
read-only viewing.

* **Bug Fixes**
  * Removed extra left padding in the query performance editor wrapper.
  * Improved the JSON editor action control with clearer icon behavior.

* **Refactor**
* Standardized editor usage by replacing legacy SQL/Monaco-based editors
with the shared CodeEditor and simplifying related editor components.
* Updated CodeEditor capabilities (read-only handling, wrapper styling,
markdown support) and tightened editor prop contracts.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-25 14:48:19 +08:00
Joshen Lim f2e20eac34 Joshen/fe 3651 deprecate monacoeditor from grid folder to use codeeditor (#47179)
## Context

Part of efforts to consolidate all the code editors that we have in the
repository

`CodeEditor` will serve as the base monaco editor file that all UIs
should consume from
It's aimed to be generic and just stores the common logic that will be
generally used where-ever we need a code editor (editor options, base
editor set up on mount, etc)

The idea is that `CodeEditor` holds just 3 default actions (run queyr,
format document and placeholder fill)
If any editor needs specific behaviours (e.g SQL Editor), they can
declare them in the `onMount` prop of `CodeEditor` which gives some
flexibility

## Changes involved
- Use `CodeEditor` component for SQL Editor's `MonacoEditor`
- Shifted Cmd K behaviour into `CodeEditor` since that's probably needed
everywhere that we render that UI
- Deprecate `MonacoEditor` from the table editor's `grid` folder
- All files that were using that component to use `CodeEditor` component
instead

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Release Notes

* **Refactor**
* Migrated the studio’s code editing UI (including JSON, text, and
payload viewers) to a unified CodeEditor experience.
* **New Features**
  * Added plaintext language support for read-only/truncated views.
* **Behavior Changes**
* Improved editor startup by setting cursor position consistently and
deferring autofocus.
* Streamlined editor context-menu actions to the core set (run query,
format, placeholder fill).
* Updated SQL editor wiring for more consistent command/menu and
selection handling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-23 11:39:24 +08:00
Nik Richers 516dc12676 fix(docs): improve email template terminology table readability (#47143)
## I have read the CONTRIBUTING.md file.
YES

## What kind of change does this PR introduce?
Bug fix, docs update, Studio UX improvement.

Closes DOCS-400.

## What is the current behavior?
- Linear item: Docs: can't read Terminology table name column
- `break-all` on all `.prose td code` breaks `{{ .ConfirmationURL }}`
mid-token
- Studio template editor only linked to local-development
customizing-email-templates

## What is the new behavior?
- First-column code uses `break-words`; other columns keep `break-all`
- First column `min-width: 12rem` / `width: 30%`
- Studio TemplateEditor: **Terminology** + **Local development** links
- Template detail page: **Terminology** InlineLink beside Docs button
- `Table.tsx` MDX wiring deferred

On desktop:

<img width="864" height="1086" alt="image"
src="https://github.com/user-attachments/assets/f8439d1a-f607-4925-a250-ff142a357a2a"
/>

On mobile:

<img width="400" height="1383" alt="image"
src="https://github.com/user-attachments/assets/334769e8-3821-4bf4-8256-f4fae9ce45ea"
/>

Correct link:

<img width="1502" height="710" alt="Capto_Capture
2026-06-22_03-34-48_PM"
src="https://github.com/user-attachments/assets/87506751-d72b-4892-a8fb-63ef298a8260"
/>


## Additional context
- Verification (author): CSS diff only; table fixture screenshots
captured
- Frontend note: docs-only CSS in `apps/docs/styles/globals.css`; Studio
shadcn tables unchanged

### Test plan
- [ ] Check out worktree branch and run docs app locally (`cd apps/docs
&& pnpm dev`)
- [ ] Open `/docs/guides/auth/auth-email-templates#terminology` at
desktop width — Name column readable
- [ ] Same page at mobile/narrow width — first column has adequate
min-width
- [ ] Spot-check 1–2 other docs pages with code in table first column —
no regression
- [ ] Open Studio → Auth → Email Templates → edit any template
- [ ] Confirm new link to
`/guides/auth/auth-email-templates#terminology` opens correct anchor
- [ ] Confirm existing link to `customizing-email-templates` still works
- [ ] Confirm `apps/docs/components/Table.tsx` was **not** wired into
MDX

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Style**
* Improved table cell code wrapping behavior in documentation to prevent
width expansion

* **Documentation & UI**
* Updated email templates editor with enhanced documentation links for
Terminology and Local development
* Added Terminology documentation link to email templates page header
for convenient access to reference materials

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Nik Richers <nik@validmind.ai>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
2026-06-22 16:42:04 -07:00
Gildas Garcia 7f1298e35e chore: dead code cleanup (#47129)
## Problem

We have many unused files, left overs from features refactoring

## Solution

- Remove unused files
- Move some files closer to their usage

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Removed multiple legacy Studio UI components and placeholders to
streamline the interface (including onboarding panels, navigation
elements, docs layout helpers, and various UI building blocks).
* **UI Updates**
* Updated the layout’s API keys section to use the Project-specific
presentation.
* **Maintenance**
* Adjusted internal sourcing for documentation tab menu logic without
changing visible behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-22 10:36:21 +02:00
fadymak 5babf1092a feat(auth): accept Android app origins for WebAuthn RP origins (#47043)
Allow `android:apk-key-hash:<base64url SHA-256>` entries in
`WEBAUTHN_RP_ORIGINS` alongside https/localhost-http origins.

Non-http(s) origins are matched as-is downstream and Android is
responsible to binding the origin to the RP ID via digital asset links.
2026-06-17 18:10:30 +02:00
Joshen Lim 097f220c5c Add support for managing stored procedures under database functions (#46977)
## Context

Dashboard currently doesn't have any support for managing stored
procedures. In the event that the security advisor surfaces a warning
about a stored procedure, users hence run into a dead-end as there's
currently no way to self-remediate via the dashboard

## Changes involved

We're hence adding support for managing stored procedures within
Database Functions
<img width="1082" height="546" alt="image"
src="https://github.com/user-attachments/assets/2598a5fe-e58f-4e8a-ad2f-9cb6d0eb2f53"
/>

Creating a function now shows a dropdown to select the type
<img width="500" alt="image"
src="https://github.com/user-attachments/assets/acc9249d-7b25-4416-aae8-89c630e1c62b"
/>

In which if stored procedure is selected, the following fields will be
hidden since they're irrelevant for stored procedures
- Return type
- Behaviour (Under advanced settings)

Some other minor UI changes as well:
- Field inputs are re-ordered a little, opting to group "Schema" and
"Name" into one section, followed by "Type" and "Return type"
- Opting to show "Return type" when editing a function but disabled
- Add schema filter for fetching database functions to reduce
unnecessary load on the database

## To test
- [ ] Can create, update, delete, read stored procedures via database
functions page

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Summary

- **New Features**
- Added PostgreSQL **procedure** support alongside functions, including
a **Type** selector in the create/edit flow.
- Updated Functions UI with a new **Type** column and procedure-aware
return/argument details.

- **Improvements**
- Refreshed create/edit headers and language help text for clearer
context.
- Improved argument parsing/display, including better handling of
procedure argument modes.

- **Bug Fixes**
- Corrected routine-type handling during function/procedure delete and
update SQL operations.

- **Tests**
- Updated unit snapshots and end-to-end UI flows/labels for the new “New
function” control.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-17 19:15:54 +08:00
Gildas Garcia 96d43099bb chore: refactor Button API so that it can be used a standard button (#46880)
## Problem

Our `<Button>` component breaks the default `button` contract by
redefining the `type` prop to set its variant (`primary`, `default`,
etc) instead of the button type (`submit`, `button`, etc).
This is confusing and forces to write more code when using it with
shadcn components that expect/inject the standard button props.

## Solution

- rename the `type` prop to `variant`
- rename the `htmlType` prop to `type`
- propagate the changes where necessary
- format code

## How to test

As this is just prop renaming, if it builds it's ok

---------

Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
2026-06-16 23:59:58 +02:00
Danny White 7e25c27e02 fix(studio): map email template anchors to docs (#46952)
## What kind of change does this PR introduce?

Bug fix. Resolves FE-3469.

## What is the current behavior?

On auth email template pages, the Docs button builds anchor hashes from
the Studio URL slug (derived from user-facing titles), not from
canonical template IDs.

E.g. **Reset password** links to `#authemailtemplateresetpassword`, but
the docs section is `#authemailtemplaterecovery`.

12 of 13 templates had broken Docs links.

## What is the new behavior?

Docs links use an explicit `EMAIL_TEMPLATE_DOCS_ANCHORS` map keyed by
`template.id`, matching the anchors in
[customizing-email-templates.mdx](https://supabase.com/docs/guides/local-development/customizing-email-templates).

Examples:
- Reset password → `#authemailtemplaterecovery`
- Magic link or OTP → `#authemailtemplatemagic_link`
- Password changed → `#authemailnotificationpassword_changed`

Dashboard URL slugs (`reset-password`, etc.) are unchanged.

## Additional context

- Added `EMAIL_TEMPLATE_DOCS_ANCHORS` in `EmailTemplates.constants.ts`
with `satisfies Record<AuthTemplateType, string>` for exhaustiveness
- Added `EmailTemplates.constants.test.ts` to verify all template types
are covered and anchors match docs heading paths

**Test plan**
- [x] `pnpm --filter studio test EmailTemplates.constants`
- [ ] Spot-check Docs button on Reset password, Magic link or OTP, and
Password changed templates

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Tests**
* Added automated checks to ensure every authentication email template
has the correct documentation anchor mapping.

* **Chores**
* Updated the documentation link behavior for email templates to use a
consistent, predefined anchor mapping—improving reliability and
maintainability of the docs button.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-15 13:39:53 -06:00
Joshen Lim 1baaded0bb Consolidate execute-sql-query into execute-sql-mutation (#46944)
## Context

Just some clean up as I was going through stuff
- `useExecuteSqlQuery` is deprecated and not used at all
- As such `execute-sql-query` is technically irrelevant, the more
relevant file is `execute-sql-mutation`
- Hence opting to consolidate `execute-sql-query` into
`execute-sql-mutation`
- Also removing `ExecuteSqlError` since its just re-exporting the
`ResponseError` type

There's a lot of file changes but its essentially just updating the
importing statements across the files
2026-06-16 00:07:16 +08:00
Gildas Garcia ff34a6753c chore: remove unnecessary <PreventNavigationOnUnsavedChanges> (#46763)
## Problem

Since the refactor done in #43900, the
`<PreventNavigationOnUnsavedChanges>` does not bring much value.

## Solution

Remove `PreventNavigationOnUnsavedChanges` and update consumers to
leverage `usePreventNavigationOnUnsavedChanges` and
`DiscardChangesConfirmationDialog`

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Refactor**
* Improved the architecture of unsaved-changes navigation handling
across multiple features. Components now use a more modular hook-based
approach for better code organization and consistency.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-09 15:30:18 +02:00
Ivan Vasilov 714f0ad8e9 fix: Don't use the custom domain when resolving OpenID config (#46637)
When setting up an OAuth Server app, the Studio fetches OpenID config
from the URL. If the project uses custom domain, it'll cause a CORS
because the custom domain is not whitelisted. This PR changes to use the
`<ref>.supabase.co` URL to resolve the config.

How to test:

1. Have a project with custom domain
2. Open `/project/_/auth/oauth-server`
3. Enable the Supabase OAuth Server
4. The OAuth endpoints in the bottom should appear

BEFORE:
<img width="1172" height="412" alt="Screenshot 2026-06-04 at 10 43 35"
src="https://github.com/user-attachments/assets/d6157281-dc80-4a55-9356-10efb7953b7c"
/>

AFTER:
<img width="1182" height="406" alt="Screenshot 2026-06-04 at 10 42 20"
src="https://github.com/user-attachments/assets/6222124e-5f9e-4898-9fae-41d295211403"
/>

Fixes
https://linear.app/supabase/issue/FE-2987/oauth-endpoint-fields-are-empty-with-custom-domains
2026-06-04 11:17:14 +02:00
Stephen Morgan 2b1ba50753 bugfix: timezone issue with template block cutoff date (#46601)
Fix to small issue with our block to free tier. The /project endpoint
does not return a timestamp so it is being interpreted as local.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Release Notes

* **Bug Fixes**
* Resolved timezone handling inconsistencies in email template
availability checks to ensure accurate and consistent results across all
geographic locations and server configurations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-03 15:56:20 +12:00
Charis fd1f437eca feat(logs): brand remaining analytics SQL callers with SafeLogSqlFragment (#46476)
## Summary

PR 10 of the analytics SQL safety series. Migrates the last surface of
analytics queries that flowed through plain
`get(.../analytics/endpoints/logs.all, { query: { sql } })` or the
`fetchLogs(projectRef, sql: string, ...)` helper over to
`executeAnalyticsSql` with branded `SafeLogSqlFragment` inputs.

After this PR, every analytics SQL call site builds its query through
the safe-analytics-sql helpers and hits the wire through the single
`executeAnalyticsSql` boundary. User-controlled values (filter
operators, numeric thresholds, function IDs, regions, provider names)
all flow through `analyticsLiteral` / branded operator maps; static
fragments are wrapped in `safeSql`. PR 11 (ESLint / vitest rule
forbidding direct analytics-endpoint POST/GET outside
`executeAnalyticsSql`) is the next and final step.

## Changes

- **`hooks/analytics/useProjectUsageStats.tsx`** — route the
already-branded `genChartQuery` output through `executeAnalyticsSql`
(parallels `useLogsPreview`).
- **`data/reports/report.utils.ts`** — tighten `fetchLogs(sql)` from
`string` to `SafeLogSqlFragment`; the wire boundary is now the same
single `executeAnalyticsSql` wrapper used by the rest of the analytics
path. Adds two pre-branded fragment maps reused by the report configs:
- `SAFE_GRANULARITY_SQL` — closed set returned by
`analyticsIntervalToGranularity`.
- `SAFE_COMPARISON_OPERATOR_SQL` — closed set on
`NumericFilter.operator`.
- **`components/interfaces/Auth/Overview/OverviewErrors.constants.ts`**
— wrap the two static `AUTH_TOP_*_SQL` fragments in `safeSql` (no
interpolation, but the type now flows).
- **`data/reports/v2/edge-functions.config.ts`** — `filterToWhereClause`
and every entry in `METRIC_SQL` now return `SafeLogSqlFragment`.
User-controlled values (`status_code.value`, `execution_time.value`,
function IDs, regions) pass through `analyticsLiteral`; operators look
up the branded map; the granularity uses the branded map. The
wire-format strings are unchanged, so the existing
`edge-functions.test.tsx` exact-string expectations still hold.
- **`data/reports/v2/auth.config.ts`** — same shape applied to all ten
`AUTH_REPORT_SQL` entries. The legacy `whereClause.replace(/^WHERE\s+/,
'')` pattern is replaced by two helpers that emit `AND`-prefixed
predicate fragments directly (`authFiltersToAndPredicates`,
`edgeLogsFiltersToAndPredicates`). Static provider SELECT / GROUP BY
fragments are pre-branded.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Refactor**
* Enhanced security for analytics and reporting queries by updating
query construction methods across auth, edge functions, and project
usage reports.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46476?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-29 09:26:06 -04:00
Alaister Young 7e9badc6b8 chore(studio): migrate useStaticEffectEvent to React 19 useEffectEvent (#46415)
Studio is on `react@^19.2.6`, and `useEffectEvent` shipped stable in
React 19.2 with the same signature as the userland polyfill. This drops
the local hook in `apps/studio` and `apps/www` in favor of the built-in.

**Removed:**
- `apps/studio/hooks/useStaticEffectEvent.ts`
- `apps/www/hooks/useStaticEffectEvent.ts`
- `.claude/skills/use-static-effect-event/` — skill is obsolete

**Changed:**
- 26 call sites: dropped the `useStaticEffectEvent` import, added
`useEffectEvent` to the existing `react` import, renamed call sites
- `.claude/CLAUDE.md`: `apps/studio` row updated React 18 → React 19
- `.claude/skills/vercel-composition-patterns/SKILL.md`: removed stale
"Studio uses React 18, skip these patterns" warning

## To test

- `pnpm typecheck --filter=studio` — passes locally
- `pnpm typecheck --filter=www` — passes locally
- `grep -rn "useStaticEffectEvent"` returns nothing outside
`node_modules`
- Smoke-test areas that use the hook: schema visualizer edges
(intersection check), spreadsheet import, sign-in/CLI login flows, side
panels with unsaved-changes prompts

**Out of scope:** pre-existing Tailwind lint warning on
`DefaultEdge.tsx:141` (`outline` + `outline-1` conflict) — unrelated to
this migration

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Internal event handling migrated to React’s built-in event hooks
across the Studio app; no user-facing changes.

* **Documentation**
* Clarified React 19 compatibility and noted Studio now targets React
19.
  * Removed obsolete documentation for a deprecated internal hook.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46415?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
2026-05-28 23:30:42 +08:00
Danny White a45776ecb9 feat(studio): restrict auth email template editing for free projects (#45396)
## What kind of change does this PR introduce?

Feature / abuse-prevention update. Resolves DEPR-198.

## What is the current behaviour?

Free projects using Supabase's built-in email service can edit raw Auth
email template subjects and HTML in Studio. That is the risky cohort
this project is trying to constrain.

## What is the new behaviour?

### Template editing restrictions

For free projects using Supabase's built-in email service, Studio keeps
Auth email templates viewable and previewable but disables subject/body
editing and saving. Editing is unlocked by setting up Custom SMTP,
configuring a send-email hook, or upgrading to a paid plan.

**Grandfathering:** projects created before `2026-06-01T00:00:00Z` (the
platform enforcement cutoff) are exempt; their editing UI stays
unlocked. This mirrors `FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE` in the
platform PR exactly.

| After |
| --- |
| <img width="1024" height="759" alt="Emails Authentication Fizz Test
Supabase-173BB09B-0FB9-4133-8202-9E310DDB347A"
src="https://github.com/user-attachments/assets/c966212d-ed0c-443b-8197-440cc2937ef6"
/> |
| <img width="1024" height="759" alt="Emails Authentication Fizz Test
Supabase-CD5845EB-0E45-4779-8989-44E775B2411A"
src="https://github.com/user-attachments/assets/055a64d6-b5e8-4d37-a261-6e280f04536a"
/> |

### Warning dialogs on transitions that reset templates

Two flows now surface a warning before the user commits to a state
change that resets their custom email templates to defaults:

1. **Disabling custom SMTP** (SMTP settings page): a confirmation dialog
warns that templates will be reset to defaults and the email rate limit
reduced to 2 per hour. On confirm, Studio resets all 13 templates via
the existing per-template reset endpoint (`Promise.allSettled`). The
"won't be able to edit" sentence is shown only for post-cutoff projects;
grandfathered projects skip it. The corresponding server-side
enforcement is in the Platform PR:
https://github.com/supabase/platform/pull/33129

2. **Downgrading to the Free plan** (billing settings): an admonition in
the existing downgrade confirmation modal warns that custom templates
will be reset to defaults and won't be editable without custom SMTP. The
admonition is shown only when the org has at least one post-cutoff
project; orgs whose projects are all grandfathered skip it.

| Custom SMTP | Downgrading |
| --- | --- |
| <img width="862" height="586" alt="66764"
src="https://github.com/user-attachments/assets/6470c8a6-2f79-40a5-ad3b-bfe5b0ba9c54"
/> | <img width="1268" height="1552" alt="CleanShot 2026-05-22 at 17 28
37@2x-FEB1901E-38E6-42DF-8C27-0A036D8A1B94"
src="https://github.com/user-attachments/assets/e8caa9e6-c3ed-4787-b771-af77a43eb854"
/> |

### Informational admonition when enabling SMTP

When a user enables custom SMTP for the first time, a sandwiched
admonition above the save footer informs them that the email rate limit
will be increased to 30 per hour and can be adjusted.

_This is just a minor cosmetic change, unrelated to the email template
disabling. Sorry._

| Before | After |
| --- | --- |
| <img width="1024" height="759" alt="Emails Authentication Chisel
Toolshed Supabase-54317D18-803C-4A58-8211-2359355D083B"
src="https://github.com/user-attachments/assets/29eff649-02dc-40f3-a379-0b4d484a76c7"
/> | <img width="1024" height="759" alt="Emails Authentication Chisel
Toolshed Supabase-9E12399E-E9FB-4F9A-B029-A08008EA4B50"
src="https://github.com/user-attachments/assets/e542ed86-4da6-407e-8293-0f4c0f071e18"
/> |

## How to test

All existing projects pre-date the enforcement cutoff
(`2026-06-01T00:00:00Z`) and are grandfathered, so the restriction UI
won't appear by default. To force the restricted state locally,
back-date the cutoff in one file:

In
`apps/studio/components/interfaces/Auth/EmailTemplates/EmailTemplates.utils.ts`,
temporarily change:

```ts
export const FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE = '2026-06-01T00:00:00Z'
```

to:

```ts
export const FREE_TIER_TEMPLATE_BLOCK_CUTOFF_DATE = '2025-01-01T00:00:00Z'
```

Revert before committing. With the cutoff back-dated, use a free-plan
project and:

- **Template restriction + admonition:** navigate to Authentication >
Emails with no custom SMTP configured. Subject/body fields should be
read-only and the "Set up SMTP" admonition should appear, with its
dropdown offering upgrade and send-email hook options.
- **SMTP disable warning:** enable custom SMTP on a project, then
disable it via Authentication > SMTP Settings. The confirmation dialog
should warn that templates will reset to defaults and that editing will
be restricted after disabling.
- **Downgrade warning:** in billing settings, initiate a downgrade to
the Free plan. The downgrade modal should include an admonition warning
about template reset and restricted editing (only if the org has at
least one post-cutoff project).

## Additional context

The default Auth email template copy was also improved across docs,
examples, and UI library snippets (separate prior commits).

The per-template reset button (`ResetTemplateDialog`) was migrated to
the async `AlertDialogAction` pattern introduced in #45960; the dialog
stays open and shows a loading state while the reset is in-flight,
closes on success, and stays open on error.

Closes PRODSEC-183

---------

Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Stephen Morgan <stephen@doublethink.co.nz>
2026-05-28 17:23:45 +12:00
Gildas Garcia a6bfa0478c chore: migrate auth Modal to Dialog (#46392)
## Problem

We still uses the deprecated `Modal` for:
- Banning a user
- Inviting a user
- Adding a redirection URL
- Removing a redirection URL

## Test

Hard to test the JWT. I had to force its display by settings its `open`
prop to `true` in
`apps/studio/components/interfaces/JwtSecrets/jwt-settings.tsx`

## Solution

- use `Dialog` instead

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Refactor**
* Modernized authentication UI components (user management, redirect URL
configuration) with updated dialog structures for improved consistency
and state handling
* Enhanced async operation handling in redirect URL deletion workflows
to ensure proper synchronization and state management

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46392?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-27 14:08:51 +02:00
Gildas Garcia bde6a5e745 fix: auth users list design (#46413)
## Screenshots

Before:
<img width="856" height="1140" alt="image"
src="https://github.com/user-attachments/assets/d1e04a6f-d3ed-43b3-84f1-3000f2ecac17"
/>

After:
<img width="398" height="107" alt="image"
src="https://github.com/user-attachments/assets/6b41663b-31ee-4556-b2e4-6847f705aa38"
/>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Style**
* Increased CSS specificity in the Users view to reliably remove the top
border, ensuring consistent visual rendering across layouts and themes.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46413?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-27 10:53:09 +02:00
Pamela Chia 47c084e51d refactor(studio): migrate telemetry to useTrack (#46140)
## Summary

I migrated every `useSendEventMutation` call site in `apps/studio` to
`useTrack`, deleted the legacy hook, and added a lint guardrail so it
can't return. `useTrack` is the type-safe replacement: it auto-injects
`groups: { project, organization }` from the selected project/org and
types `action` + `properties` against `TelemetryEvent`. Existing call
sites built groups manually and were not type-checked at the action
level. The migration covers 81 files (60 trivial swaps, 9 org-only, 3
pre-auth, 5 bespoke, 4 test mocks).

## Changes

- Migrated trivial call sites across `pages/project/[ref]`,
`components/interfaces/*` (Reports, Storage, Realtime/Inspector,
SQLEditor, Functions, EdgeFunctions, Integrations, ProjectAPIDocs,
Branching/BranchManagement, TableGridEditor, Connect, Docs, Auth,
Support, Home, ProjectHome, App), `components/layouts/*`, and
`components/ui/*`.
- Migrated org-only sites (`Organization/Documents/*`,
`Organization/BillingSettings/Subscription/*`,
`Organization/SecuritySettings.tsx`,
`Account/Preferences/DashboardSettingsToggles.tsx`) by dropping the
manual `groups: { organization: ... }` and letting `useTrack`
auto-inject. Verified `useSelectedProjectQuery` is disabled on org
routes (gates on URL `[ref]`).
- Migrated pre-auth sites (`SignInForm.tsx`, `sign-in-mfa.tsx`,
`profile.tsx`) where neither project nor org is resolved.
- Bespoke handling:
- `execute-sql-mutation.ts` and `table-row-create-mutation.ts`: pass `{
project: projectRef }` via `groupOverrides` since the mutation can
target a non-selected project ref.
- `useStudioCommandMenuTelemetry.ts`: kept a direct `sendTelemetryEvent`
call because studio groups must override pre-built event groups
(opposite of `useTrack`'s override direction).
- `AIAssistantOption.tsx`: passes sentinel-aware `groupOverrides` so
`NO_PROJECT_MARKER`/`NO_ORG_MARKER` continue to suppress group emission.
- `SidePanelEditor.utils.tsx`: utility functions `createTable` and
`updateTable` now take a `track: Track` parameter (threaded from
`SidePanelEditor.tsx`); dropped the `organizationSlug` arg since groups
are no longer assembled manually.
- Branch-event attribution: preserved `parentProjectRef` overrides on
`branch_updated`, `branch_merge_completed`, `branch_merge_failed`,
`branch_merge_submitted`, `branch_delete_button_clicked`,
`branch_review_with_assistant_clicked`, and
`branch_*_merge_request_button_clicked`. Original code grouped these
under the parent (production) project, not the branch ref;
auto-injection would have shifted them onto the branch.
- Switched 4 test mocks from `@/data/telemetry/send-event-mutation` to
`@/lib/telemetry/track`. Removed obsolete tests around manual groups and
`try/catch` on telemetry rejection.
- Deleted `apps/studio/data/telemetry/send-event-mutation.ts`. The
deleted module is its own guardrail: any reintroduction of the import
fails at TypeScript module resolution before lint runs.

## Testing

Tested on preview deploy:

- [x] SQL editor `CREATE TABLE` fires `table_created` with method
`sql_editor` and `groups.project` set to the mutation's `projectRef`.
- [x] Table editor creates a table from the side panel; `table_created`
fires from `SidePanelEditor.utils` via threaded `track`.
- [x] Help button (`/project/[ref]/...`) fires `help_button_clicked`
with auto-injected project + org groups.
- [x] Sign-in form fires `sign_in` with empty groups (pre-auth,
expected).
- [x] Org documents page (`/org/[slug]/documents`) fires
`document_view_button_clicked` with org group only, no stale project
ref.
- [x] Command menu (`Cmd+K`) inside a project still fires
`command_menu_opened` with studio's project/org overriding any
event-supplied groups.
- [x] Support form "Ask the Assistant" without selected org fires
`ai_assistant_in_support_form_clicked` with no project/org groups
(sentinels suppress).
- [x] On a branch, "Update branch" / "Merge branch" / "Close merge
request" events fire with `groups.project` set to the parent project
ref, not the branch ref.

Local checks:
- [x] 22/22 tests pass across the 4 updated test files
(`SidePanelEditor.utils.createTable`, `EdgeFunctionRenderer`,
`LayoutSidebar`, `PlanUpdateSidePanel`).
- [x] `rg useSendEventMutation apps/studio` returns 0 hits.

## Linear
- fixes GROWTH-860


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Standardized telemetry across the Studio to a unified tracking system;
events now send simplified payloads with less contextual/grouping data.
* No user-facing flows changed; UI behavior, permissions, and
interactions remain the same.
* **Tests**
* Updated telemetry mocks and tests to align with the new tracking
approach.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46140?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-27 15:19:54 +08:00
hasithasandun 108a7c2c11 chore: migrate auth policy editor modal to dialog (#46374)
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Refactor

## What is the current behavior?

The Auth policy editor flow still uses the deprecated `Modal` component
and `Modal.Content` / `Modal.Separator` helpers.

## What is the new behavior?

The Auth policy editor flow now uses `Dialog` primitives instead:

- `Dialog`
- `DialogContent`
- `DialogHeader`
- `DialogTitle`
- `DialogSection`
- `DialogSectionSeparator`

Behavior is intended to remain unchanged.

## Additional context

- Fixes #46375 


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Updated the policy editor and review flows to a unified dialog layout
for a cleaner, more consistent UI.
* Sections and footer controls were reorganized for clearer grouping and
improved button placement.
* Existing behaviors (viewing templates, review/save flow, and close
confirmation) are preserved.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46374?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-26 18:18:21 +02:00
Danny White 1470c51021 fix(studio): align rls confirmation dialogs (#45961)
## What kind of change does this PR introduce?

Studio UI cleanup and docs update. Resolves FE-3217.

## What is the current behavior?

The table RLS confirmation dialogs differ across the Policies page and
Table Editor surfaces. The table editor disable flow also uses a verbose
confirmation modal with admonitions and repeated warning copy.

| Policies | Table Editor |
| --- | --- |
| <img width="852" height="448" alt="25125"
src="https://github.com/user-attachments/assets/baa9fafa-752c-4701-bf54-40da4e32030b"
/> | <img width="1108" height="1016" alt="57354"
src="https://github.com/user-attachments/assets/b1b88355-be39-49b9-aed2-a60f20c25104"
/> |
| <img width="866" height="434" alt="CleanShot 2026-05-15 at 18 01
15@2x"
src="https://github.com/user-attachments/assets/d67f69ee-0a49-4dbd-939e-ca968361fc33"
/> | <img width="840" height="426" alt="CleanShot 2026-05-15 at 18 01
52@2x"
src="https://github.com/user-attachments/assets/a0b5f390-abeb-453f-8636-ad097f22308b"
/> |

## What is the new behavior?

Table RLS enable and disable confirmations now use one shared concise
Alert Dialog treatment across the Policies page, Table Editor header,
and Table Editor side panel. The server-backed toggles use the async
Alert Dialog action behaviour from the stacked base branch, and the
design-system docs now clarify when to start with Alert Dialog versus
Confirmation Modal.

This PR is stacked on #45960.

| Before | After |
| --- | --- |
| <img width="852" height="448" alt="25125"
src="https://github.com/user-attachments/assets/baa9fafa-752c-4701-bf54-40da4e32030b"
/> | <img width="864" height="518" alt="CleanShot 2026-05-15 at 18 07
21@2x"
src="https://github.com/user-attachments/assets/bda53246-164b-4d5b-81a1-25d3bc661eb3"
/> |
| <img width="1108" height="1016" alt="57354"
src="https://github.com/user-attachments/assets/b1b88355-be39-49b9-aed2-a60f20c25104"
/> | <img width="864" height="518" alt="CleanShot 2026-05-15 at 18 07
21@2x"
src="https://github.com/user-attachments/assets/bda53246-164b-4d5b-81a1-25d3bc661eb3"
/> |
| <img width="866" height="434" alt="CleanShot 2026-05-15 at 18 01
15@2x"
src="https://github.com/user-attachments/assets/d67f69ee-0a49-4dbd-939e-ca968361fc33"
/> | <img width="860" height="488" alt="CleanShot 2026-05-15 at 18 08
41@2x"
src="https://github.com/user-attachments/assets/4c67f797-e2cd-4d56-a49d-e6c6fc0edff3"
/> |
| <img width="840" height="426" alt="CleanShot 2026-05-15 at 18 01
52@2x"
src="https://github.com/user-attachments/assets/a0b5f390-abeb-453f-8636-ad097f22308b"
/> | <img width="860" height="488" alt="CleanShot 2026-05-15 at 18 08
41@2x"
src="https://github.com/user-attachments/assets/4c67f797-e2cd-4d56-a49d-e6c6fc0edff3"
/> |

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
* Refined guidance and wording for dialog usage, clarifying when to use
Alert Dialog, Confirmation Modal, and modal modality.

* **New Features**
* Reworked RLS confirmation flow with a streamlined toggle dialog,
clearer messaging, and a “Learn more” link to docs.

* **Tests**
* Updated end-to-end tests to cover the updated RLS dialog flows and
explanatory content.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45961?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-25 22:47:40 +00:00
Danny White 38e09e1754 chore(studio + docs + ui library): update auth email template copy docs (#45706)
## What kind of change does this PR introduce?

Docs update. Part of DEPR-198.

## What is the current behaviour?

Auth email template examples and Studio template labels still reflect
older default copy in a few places.

## What is the new behaviour?

Updates Auth docs, local development docs, related snippets, Studio
template labels, and UI Library examples to [match the updated default
Auth email
copy](https://linear.app/supabase/document/email-template-copywriting-updates-04bba460fd2a).


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
* Updated authentication email template names and descriptions across
guides, replacing "Magic link" with "Sign-in link or code" terminology
* Revised security notification email naming from "Identity
linked/unlinked" to "Sign-in method linked/removed" and "MFA method" to
"Verification method"
* Updated email template example content with improved wording (e.g.,
"Confirm your email address" instead of "Confirm your signup")

* **UI Updates**
* Refined authentication-related UI text labels and descriptions in the
dashboard

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45706)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
2026-05-22 11:47:36 +10:00
Cemal Kılıç 02d7454ac9 fix: allow email rate limit editing when send email hook is enabled (#46104)
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

bug fix: allow email rate limit editing when send email hook is enabled

## What is the current behavior?

when send email hook is enabled, users can't customize the send email
rate limit.

## What is the new behavior?

when send email hook is enabled, users _can_ customize the send email
rate limit.

## Additional context
backend changes are already in place.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Improvements**
* Expanded email rate limit configuration to support Send Email hooks in
addition to SMTP providers.
* Enhanced user guidance with updated messaging and navigation options
for configuring email delivery methods.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46104?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-21 18:47:44 +02:00
Gildas Garcia 03a9f51b61 chore: migrate storage policies Modal to Dialog (#46222)
## Problem

Storage policies edition still uses the deprecated `Modal`

## Solution

- use `Dialog` instead
- improve accessibility of the templates selection _back_ button
- extract the dialog title component in its own file

## Screenshots

The only difference is the title font which is larger with `Dialog`

Before:
<img width="542" height="504" alt="image"
src="https://github.com/user-attachments/assets/46a078da-db77-4a14-a7f7-fad20f5b45e5"
/>

After:
<img width="550" height="523" alt="image"
src="https://github.com/user-attachments/assets/80c9c6ec-25cd-445a-ad65-f9b659cdfd72"
/>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Modernized policy editing interfaces with updated dialog structure and
consistent section separation across policy selection, templates,
editor, and review flows for clearer layout and spacing.
* **New Features**
* Added a unified, context-aware modal header that adapts titles, back
action, docs link, and close controls for different policy workflows.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46222?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-21 17:30:13 +02:00
Gildas Garcia 243e079a2c chore: remove _Shadcn_ suffix from Command components (#46153)
## Problem

The `_Shadcn_` suffix isn't needed anymore on `Command` components

## Solution

- Remove the `_Shadcn_` suffix
- Simplify UI package exports
- Apply prettier

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Refactor**
* Simplified command component imports and exports across the UI library
by removing internal naming aliases and adopting direct component
references. Updated the public UI package barrel export to use wildcard
re-exports for cleaner API surface.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46153?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-20 15:45:32 +02:00
fadymak ee64f0abc0 fix: update link for OAuth client registration documentation (#46098)
Updates broken link for OAuth client registration
2026-05-19 14:31:49 +02:00
Danny White 4c148ea060 chore(studio): move short Admonitions to descriptions (#46049)
## What kind of change does this PR introduce?

Chore. Follow-up to DEPR-551, #45302, #45535, and #45618.

## What is the current behaviour?

Some short Studio Admonitions still put their entire message in `title`
or legacy `label`, so body-copy callouts render as headings.

## What is the new behaviour?

Moves selected single-message Studio Admonitions to `description`,
keeping the follow-up deliberately limited to Studio callsites.

This PR does not touch Docs content, shared Alert styling, ui-patterns,
design-system registry/docs, or Tailwind config.

| Before | After |
| --- | --- |
| <img width="1818" height="388" alt="Image"
src="https://github.com/user-attachments/assets/283a1853-348a-4d74-a408-013957350e5e"
/> | <img width="1380" height="462" alt="Image"
src="https://github.com/user-attachments/assets/e5761e8e-3697-423b-805b-45110205099a"
/> |
| <img width="1640" height="716" alt="CleanShot 2026-04-28 at 15 17
25@2x"
src="https://github.com/user-attachments/assets/a5be4d5f-2bf7-4dc2-b396-56129fe64ec9"
/> | <img width="1630" height="716" alt="CleanShot 2026-04-28 at 15 16
00@2x"
src="https://github.com/user-attachments/assets/0d589252-aaf8-4efc-9d81-15ec4f99ec61"
/> |


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Style**
* Refined message displays and admonition styling across settings,
database, dashboard, and admin interfaces for improved visual
consistency and clarity.

* **UI Updates**
* Updated search input layouts and form element styling in publications
tables and other admin pages.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46049?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-19 10:20:54 +10:00
Joshen Lim 9dc3998fa0 RLS Tester sandbox environment (#45839)
## Context

Resolves FE-3221

Heavily inspired by what @filipecabaco has done previously here:
https://github.com/supabase/supabase/pull/45360

This PR explores the use of pglite to set up a sandbox for RLS testing,
which will pave the way for testing mutation based queries so to ensure
no disruption to the actual database. Sandbox can be set up within the
RLS tester panel as such:
<img width="500" alt="image"
src="https://github.com/user-attachments/assets/0cfdf8e4-dd99-4dee-ac00-39a32b375c07"
/>

Which the sandbox will mimic the project's database to the bare minimum
required
- entities from the `public` schema are copied over (types, tables,
functions, policies)
- `auth` schema is pseudo setup with `SANDBOX_SETUP_STATEMENTS`
- Enough to support role impersonation + querying tables with references
to the auth schema (e.g users table)
- data is seeded up to 100 rows for each table
- More info RE limitations in the last section below

Once sandbox is ready, you'll see this UI where you can either leave the
sandbox, or re-sync the sandbox from the actual database
<img width="500" alt="image"
src="https://github.com/user-attachments/assets/d07ce55f-5bc8-4722-8ce9-898b9b458f9b"
/>

Changes are currently feature flagged, so won't be available publicly
just yet until things are ironed out and ready

## To test
- [ ] Verify that setting up sandbox works
- [ ] Verify that you can query your sandbox, and queries do not touch
the actual database (can verify that we're not sending HTTP requests to
the /query endpoint)
- [ ] Verify correctness of RLS tester as well, should match correctness
with testing against actual DB
- [ ] Verify that re-syncing sandbox picks up changes
- Can test by updating your policies that will affect the output of your
select query
  - e.g SELECT for `authenticated`, change from just `true` to `false`
- [ ] RLS tester should work as per normal (against actual DB) with the
feature flag off with no additional overhead

Let me know of any edge cases you might run into while testing

## Known quirks that will be addressed subsequently
Leaving these for now just to not bloat this PR further
- Pglite schema needs to be re-synced if updating RLS policies while
testing, to ensure that pglite gets the updated policies. Will think
about how to make this more seamless
- Sandbox has its own limitations, will need to add a dialog to inform
users how the sandbox works and what limitations to note of
- e.g only the auth schema is mimicked - so policies that reference
storage helpers won't work (although i think auth is probably the main
use case and the rest might be niche)
  - We can slowly expand tho where required
- Eventually we'll also move forward with figuring out testing mutation
queries with this sandbox

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* RLS tester gains an isolated Postgres sandbox with schema/seed import,
start/refresh/exit controls, and pre-populated auth data.
* Sandbox management UI with setup, loading, active, and error states;
refresh and destroy actions.

* **Bug Fixes**
* Role impersonation now keeps the PostgREST role set to anon while the
tester sheet is open.

* **Chores**
* Content Security Policy updated to allow sandbox/connectivity
endpoints.

* **Style**
  * Minor sheet styling adjustment (top border).

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45839)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-18 16:22:12 +07:00
Danny White f45a6085f4 feat(studio): add auth email template reset flow (#45572)
## What kind of change does this PR introduce?

Feature. Resolves AUTH-879.

## What is the current behavior?

Studio does not provide a way to reset an Auth email template back to
the default subject and body once it has been customised.

## What is the new behavior?

Studio shows a `Reset template` action when Platform reports that the
selected Auth email template subject or body has been customised. The
action opens a confirmation dialog, calls the dedicated Platform reset
endpoint, and refreshes the editor with the default subject and body
returned by the API.

The Auth config save/reset mutations now run their user-facing success
handling before refreshing Auth lint data, so the success toast and
local editor cleanup are not delayed by lint refetches.

## Additional context

Depends on supabase/platform#32417.



<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Reset email templates to defaults via a confirmation dialog; button
appears when custom content is detected and respects update permissions.
* Typed email-template definitions and improved template variable
display and descriptions.

* **Tests**
* Added tests covering template reset visibility, confirmation flow,
state updates, permission handling, and toast notifications.

* **Documentation**
* Example email template placeholders updated for internationalization
and provider snippets.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45572)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
2026-05-18 14:33:26 +10:00
Charis e925385415 studio,pg-meta: SafeSql for functions/policies/triggers (3/7) (#45990)
## Summary

Third PR in the SafeSql migration stack. Flips the input/output types on
`pgMeta.functions/policies/triggers`'s `.create/.update/.remove` to use
`SafeSqlFragment`, and updates every Studio consumer atomically.

### pg-meta
- `pgMeta.functions/policies/triggers` `.create/.update/.remove` now
return `{ sql: SafeSqlFragment }` and accept branded input parameters
(`PGFunctionCreate`, `PGSavedFunction`, `PolicyCreate/UpdateParams`,
`PGTriggerCreate` with branded condition).
- `QueryModifier.toSql()` returns `SafeSqlFragment`.

### Studio consumers updated to the new branded API
- `data/database-functions/*` (query, create/update/delete mutations)
- `data/database-policies/*` (create, update mutations)
- `data/database-triggers/database-trigger-update-transaction-mutation`
- `components/Database/Triggers/TriggerSheet`
- `components/Database/Functions/CreateFunction`
- `components/Auth/Policies/PolicyEditorPanel`

These consumers land atomically with the pg-meta API change because the
input-type strictness flip (string → `SafeSqlFragment` for SQL fields)
forces every call site to update together.

## Stack

- 1/7: #45897 (merged)
- 2/7: #45903 (merged)
- 3/7: this PR
- 4/7–7/7: upcoming

## Test plan

- [x] `pnpm typecheck` passes
- [x] `pnpm --filter @supabase/pg-meta test` passes
- [x] Dev-server smoke test: function editor, policy editor, trigger
sheet

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Strengthened SQL safety across policy, function, and trigger workflows
by converting raw SQL strings to typed SQL fragments and safer
composition
* Updated editor behavior to handle policy conditions/checks as typed
SQL fragments with improved initialization and template handling
* Aligned query and modifier interfaces to return typed SQL fragments
for safer composition

* **Tests**
* Updated tests to use typed SQL fragments and synchronous builders
where applicable

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45990)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-15 12:08:20 -04:00
Gildas Garcia 5d97339d41 chore: remove <Select> _Shadcn_ suffix (#45988)
## Problem

The `_Shadcn_` suffix isn't needed anymore on `Select` components

## Solution

Remove it. No other changes

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Refactor**
* Updated internal component architecture to standardize and simplify
the codebase. These changes improve code maintainability and consistency
across the application without affecting existing functionality or user
experience.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45988)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-15 16:39:57 +02:00
Gildas Garcia 86a3f8b03d chore: upgrade to react-19 (#45886)
- Most changes are related to either types or `useRef` usages (it now
requires an initial value).
- also updated `vaul` to its latest version and haven't noticed any
change ([design-system
demo](https://design-system-git-react-19-supabase.vercel.app/design-system/docs/components/drawer))

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
  * Upgraded workspace to React 19.

* **Bug Fixes**
* Improved null-safety and ref handling across editors, UI components,
shortcuts, and markdown/image rendering to reduce runtime errors.
* Safer event/timeout/interval cleanup and more robust command/context
handling.

* **Chores**
  * Bumped vaul dependency versions.

* **Documentation**
* Type and TypeScript accuracy improvements for clearer developer
feedback.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45886)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-15 16:04:41 +02:00
Gildas Garcia 8c6d5036ea chore: remove <Label> _Shadcn_ suffix (#45986)
## Problem

The `_Shadcn_` suffix isn't needed anymore on label component

## Solution

Remove it. No other changes

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Standardized Label usage across the codebase by removing the legacy
alias and using the direct Label export from the UI package
consistently.
* **Documentation**
* Updated component examples and docs to use the standardized Label
component in usage snippets and demos.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45986)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-15 15:55:33 +02:00
ChloeGarciaMillerand 590ec2bbd4 fix: improve accessibility for icon buttons (#45981)
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Improving accessibility for icon-only buttons

## What is the current behavior?

Icon-only buttons do not have explicit accessible names for screen
readers.

## What is the new behavior?

All icon-only buttons now have explicit accessible names using visually
hidden text (sr-only), ensuring proper screen reader support.

## Additional context

Tooltip text is preserved for visual users.
No visual changes were introduced.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Added/updated aria-labels across refresh buttons, sidebar controls,
dropdown triggers, and navigation links for better accessibility.
* Added conditional aria-labels for the “Create with Assistant” control
to reflect permission states.
* Improved screen-reader descriptions for sidebar toggle and other
stateful controls to better convey status changes.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45981)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-15 15:32:14 +02:00
Gildas Garcia d0fd4478c0 chore: migrate Popover usages to Shadcn components (#45980)
## Problem

We have multiple Popover components

## Solution

- [x] migrate Popover usages to Shadcn components
- Migrated JSON and text editor in the `TableEditor` (inline row
edition)
  - Migrated the template popover in the logs explorer templates page
- [x] remove `_Shadcn_` suffix from Popover components (renaming +
prettier)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Unified popover implementation across the app and design system;
dropdowns, calendars, menus and tooltips now use a consistent popover
API with no visual or interaction changes.

* **Chores**
* Minor prop typing update for the logs date-picker to align with the
consolidated popover content type.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45980)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-15 15:20:28 +02:00
Gildas Garcia 4e86c39ea1 chore: remove <ContextMenu> _Shadcn_ suffix (#45971)
## Problem

The `_Shadcn_` suffix isn't needed anymore on `<ContextMenu_Shadcn_>`
and related components

## Solution

Remove it. No other changes

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Replaced legacy context-menu component variants with the unified UI
context-menu components across the app for consistent rendering and
imports; behavior and menu content remain unchanged.
* **Tests**
* Updated a test mock to track the unified context-menu component mount
count.
* **Chores**
* Simplified UI package re-exports to expose the canonical context-menu
symbols.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45971)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-15 15:09:25 +02:00
Gildas Garcia 0713a1efc1 chore: remove shadcn suffix for Input, Textarea, Alert and Collapsible (#45867)
## Problem

Now that we migrated old components to their new shadcn alternatives, we
don't need the `_Shadcn_` suffix anymore.

## Solution

Remove it

<img width="659" height="609" alt="image"
src="https://github.com/user-attachments/assets/2d7271a9-066a-4dcc-92fe-729b106d2c2f"
/>
2026-05-15 14:55:37 +02:00
Illia Basalaiev 4195b9af27 chore: update leaked password button in attack protection (#45975)
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES

## What kind of change does this PR introduce?
Frontend improvement

## What is the current behavior?
"Configure email provider" button in the Authentication > Attack
Protection: the title doesn't change, only the label on the left
depending on whether it's enabled or disabled.
 
<img width="1512" height="148" alt="CleanShot 2026-05-15 at 12 15 57@2x"
src="https://github.com/user-attachments/assets/b2069333-6f1a-4503-9b3b-d75c005e4522"
/>

## What is the new behavior?
"Configure in email provider" - to clarify that this feature is managed
in the email provider settings, and not refer to the whole email
provider setup.
<img width="1668" height="172" alt="CleanShot 2026-05-15 at 12 19 10@2x"
src="https://github.com/user-attachments/assets/35fd5b35-8b31-4912-875d-cc9fc7b1968e"
/>

## Additional context
Relevant ticket where the button title was confusing for the customer:
https://supabase.frontapp.com/open/cnv_1mtka5ni?key=-r6o8zPz-3XzuiQ7eh5FfCZBjTuKg78n
2026-05-15 13:57:46 +02:00
Joshen Lim 88c43b31b9 Support optionally remove custom domain addon when deleting custom domain after activated (#45880)
## Context

Related BE PR: https://github.com/supabase/platform/pull/32693

Add support to remove the custom domain add-on when deleting a custom
domain after the custom domain is activated.

<img width="411" height="310" alt="image"
src="https://github.com/user-attachments/assets/23d57fc0-f760-42d4-8383-480ff2b2ec5a"
/>

We previously had this behaviour by default to address some customer
feedback RE confusion that they were still being charged for custom
domain add-on despite deleting the custom domain, but not removing the
add-on.

However this was a bit of confusing UX (RE deleting the add-on
implicitly), so this makes the deleting of the custom domain add-on an
explicit action instead.

## To test

- [ ] Set up custom domain on a project
- [ ] Trying deleting the custom domain after activating _without_
removing the add-on
- [ ] Trying deleting the custom domain after activating _with_ removing
the add-on
2026-05-15 16:41:58 +08:00
Charis d79a276824 studio: ColumnTypeRef cascade + FK type comparison fixes (2/7) (#45903)
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Refactor + bug fixes (part of the SafeSql migration stack — PR 2 of 7,
stacks on top of #45897).

## What is the current behavior?

- `pgMeta.columns.create` and the table-editor SQL builder take column
type as a string with array suffix and schema baked in (e.g.
`'private.test_enum'`, `'int4[]'`).
- The studio table-editor SQL emits the legacy schema-embedded `format`
string for enums in non-public schemas, while the pg-meta columns SQL
already returns the new shape (bare `format` + separate
`format_schema`). The two queries disagree on how to represent the same
column, surfacing as a false-positive type mismatch in the FK selector
when both ends are an enum from a non-public schema.
- The FK selector compares column types by `format` alone — same-named
enums in different schemas appear equal, and arrays vs. scalars of the
same base type pass the family check.
- `displayColumnType` renders arrays as the raw `_typname` pg-meta emits
(e.g. `_int4` instead of `int4[]`).

## What is the new behavior?

**pg-meta**

- Introduce `ColumnTypeRef` (`{ schema?, name, isArray? }`) for column
type input, replacing the legacy string-with-array-suffix format.
`pgMeta.columns.create` and the table-editor SQL builder consume the new
shape.
- Add `format_schema` to the column zod schema; pg-meta SQL emits the
type's schema for the table editor's ColumnType dropdown.
- `pgMeta.columns.create` returns a `SafeSqlFragment`.
- Studio table-editor SQL now emits bare `format` + `format_schema`,
matching pg-meta's columns SQL.

**Studio**

- `SafePostgresColumn`/`SafePostgresTable` extend the new `PG*` types
(master dropped postgres-meta).
- Pipe `ColumnTypeRef` through `SidePanelEditor` → `ColumnEditor` →
`TableEditor`, along with the column-create mutation, table
retrieve/list queries, and the `TableList`/`ColumnList` surfaces.
- `displayColumnType` helper renders arrays as `type[]` (or
`schema.type[]`) and handles non-implicit schemas.
- FK selector now carries `sourceIsArray`/`targetIsArray` and compares
the full `(format, format_schema, isArray)` triple. Family checks for
numeric/text/uuid skip when either side is an array (FKs across array
boundaries are never compatible).
- Type-mismatch and type-notice alerts pass `isArray` to the display
helper.
- Bundle `Policies.utils` + `Policies.types` + `sql-policy-mutation`,
`PolicyEditorModal`, and `SchemaGraph` here because `SidePanelEditor`
consumes `acceptGeneratedPolicy`/`AcceptedGeneratedPolicy` — splitting
requires temporary overloads with no architectural payoff.

## Additional context

Part of the SafeSql migration stack. Stacks on top of #45897.

### Manual test checklist

Surfaces touched by this PR — please exercise each:

**Table editor**
- [x] Create a new table with a mix of column types (scalar, array,
enum, foreign key)
- [x] Add a column to an existing table; verify the type dropdown lists
scalars + arrays separately and shows schema-qualified names for
non-public enums
- [x] Edit an existing column's type (scalar ↔ array, switch between
enums in different schemas) and save
- [x] Verify enum types from a non-public schema (e.g.
`private.my_enum`) display as `private.my_enum` in the column list

**Foreign key selector**
- [x] Open the FK selector for a column and pick a target column with a
matching type — no mismatch warning
- [x] Pick a target column whose type differs only by schema (two
same-named enums in different schemas) — should show a type-mismatch
alert
- [x] Pick a target column where one side is an array and the other is a
scalar of the same base type — should show a type-mismatch alert (no
auto-cast across array boundary)
- [x] When FK target sets the column type, verify `format_schema` and
`isArray` are preserved on the source column
- [x] Type-mismatch and type-notice alert messages render array types as
`type[]` (not `_type`)

**Column list / table list**
- [x] Schema-qualified type names display correctly for columns whose
type lives in a non-public schema
- [x] Array columns display as `type[]` (or `schema.type[]`)

**Policies (bundled due to import dependency)**
- [x] Open the Policies page; create/edit/delete a row-level policy via
the modal
- [x] Generate a policy via the AI assistant and accept it through
`SidePanelEditor` — verify the accepted policy lands in the editor
correctly

**Schema visualizer**
- [x] Open the Schemas → Schema Visualizer page; verify it renders
without type errors and shows tables/relationships

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Improvements**
* Support for column types in non-public schemas and richer column type
presentation (includes schema and array info).
* Stronger SQL safety around policies and constraints; draft policy SQL
is now promoted explicitly on save.
* Improved foreign-key type validation and compatibility checks using
enhanced type metadata.

* **Tests**
* Updated snapshots and tests to reflect new column metadata and SQL
fragment handling.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45903)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-14 15:12:08 -04:00
Charis d4079083fc chore(studio): drop @supabase/postgres-meta in favor of @supabase/pg-meta (#45844)
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Refactor / dependency cleanup.

## What is the current behavior?

`apps/studio` lists both `@supabase/pg-meta` (workspace package) as a
runtime dep and `@supabase/postgres-meta` (external npm package,
`^0.64.4`) as a devDependency. The external package is used only for
type imports across 44 files — there is no runtime usage and no codegen
pipeline that needs it.

## What is the new behavior?

Every `Postgres*` type import (`PostgresTable`, `PostgresColumn`,
`PostgresPolicy`, `PostgresTrigger`, `PostgresView`,
`PostgresMaterializedView`, `PostgresForeignTable`, `PostgresSchema`,
`PostgresPublication`, `PostgresRelationship`, `PostgresPrimaryKey`) is
replaced with its `PG*` counterpart from `@supabase/pg-meta`, and the
external dep is removed from \`apps/studio/package.json\`. Top-level
type re-exports were added to \`packages/pg-meta/src/index.ts\` so
consumers can import directly from the package root.

Two latent issues surfaced by the stricter pg-meta types are also fixed:
- \`data/foreign-tables/foreign-tables-query.ts\` was casting
foreign-table results as \`PostgresView[]\`; corrected to
\`PGForeignTable[]\`.
- \`pg-meta\`'s \`PGTrigger\` Zod schema declared
\`orientation\`/\`activation\` as \`z.string()\`, inconsistent with
pg-meta's own \`getDatabaseTriggerUpdateSQL\` helper that requires the
narrow literal unions; tightened to \`z.enum\`.

## Additional context

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated internal TypeScript type definitions across the codebase to
use the latest type system from `@supabase/pg-meta`.
  * Removed `@supabase/postgres-meta` dependency.
* Enhanced type validation for database triggers and schemas to enforce
stricter constraints.

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45844)

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-13 16:07:10 +00:00