## Context
Adding an "Ask Assistant" CTA in the RLS tester if the query executed
returns an error
<img width="618" height="375" alt="image"
src="https://github.com/user-attachments/assets/8b0a5069-3ec5-44aa-aa0b-f1cd8041960d"
/>
Which will open the Assistant panel with the following prompt (attaches
the query as well)
<img width="427" height="281" alt="image"
src="https://github.com/user-attachments/assets/16debd7b-9447-4b84-bef5-05debd0062ee"
/>
Theres a chance that the error might be just from the query and not
related to the policy hence the last sentence in the prompt
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Integrated AI assistant into the RLS tester so users can open the
assistant prefilled with a debug prompt and relevant SQL to troubleshoot
policy issues.
* Added an "Ask Assistant" action on execution error messages to quickly
start guided debugging.
* Streamlined error display to prioritize parse errors, then client-code
parse errors, then execution errors for clearer diagnostics.
* **Chores**
* Added telemetry source identifier for the RLS tester to track
assistant usage.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
Missed another case here - RLS tester when retrieving policies
associated with query needs to consider policies with the `ALL`
operation
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Added comprehensive tests for Row-Level Security policy filtering,
covering schema/table matching, role handling (including
public/service-role cases), command/operation semantics, and combined
filter behavior.
* **Refactor**
* Centralized and clarified RLS policy filtering logic used by the
tester for improved maintainability and consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
For a table that has RLS enabled, but a policy with just `true` for the
role `public`
The RLS tester was incorrectly reporting that `anon` doesn't have access
Was happening as we weren't considering policies that apply to the
`public` role (which applies to _all_ roles)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* RLS tester now treats explicitly-public policies as applicable
regardless of the impersonated role, improving policy coverage accuracy.
* **Refactor**
* Consolidated RLS test state computation to improve consistency of
access badges and policy messaging.
* **Tests**
* Added comprehensive tests validating RLS scenarios, badge states, and
policy/role messaging.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Mark provenance of SQL via the branded types SafeSqlFragment and
UntrustedSqlFragment. Only SafeSqlFragment should be executed;
UntrustedSqlFragments require some kind of implicit user approval (show
on screen + user has to click something) before they are promoted to
SafeSqlFragment.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Editor and RLS tester show loading states for inferred/generated SQL
and include a dedicated user SQL editor for safer edits.
* **Refactor**
* Platform-wide SQL handling tightened: snippets and AI-generated SQL
are treated as untrusted/display-only until promoted, improving safety
and consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
Small improvements from this PR:
https://github.com/supabase/supabase/pull/45373
- Fix feature preview badge alignment
- Before:
<img width="341" height="75" alt="image"
src="https://github.com/user-attachments/assets/e6e2f727-fc75-4f70-b9cd-94d67aed8c5d"
/>
- After:
<img width="365" height="64" alt="image"
src="https://github.com/user-attachments/assets/3d6e5e5d-c285-48f4-8f8f-251c23101e41"
/>
- Shift feature preview badge for policies into tester side panel
<img width="640" height="93" alt="image"
src="https://github.com/user-attachments/assets/3efb73a7-f7f5-4ae0-8560-d1e0ba989626"
/>
- Realised that advisor settings wasn't set up to be behind the feature
preview
- Fixing that in this PR
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added preview badge indicator to the RLS Tester feature
* **Style**
* Improved spacing and layout alignment across authentication, database
access, webhook, logging, and advisor interface components
* Enhanced badge component styling for better vertical alignment
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
As part of RLS testing, adding @awaseem's idea for having "View data as
user" CTAs in the Auth Users's table
<img width="348" height="190" alt="image"
src="https://github.com/user-attachments/assets/855c8f54-0aba-478c-982b-1d9d29e419bd"
/>
## Other changes
Similar from @awaseem's suggestions, am also refactoring the Role
Impersonation UI a little, mainly from a copy writing POV to improve the
clarity of the UI.
- More action-oriented and contextual header for the role impersonation
popover
- e.g Table Editor -> "View data as a role", or SQL Editor -> "Run SQL
query as a role"
- Updated labels to be bit more intuitive from a builder's POV
- The actual database role is still mentioned in the option's
description (so we aren't obfuscating the actual postgres logic)
- Add label descriptors to elaborate what each role implies
- e.g Anon -> "Not logged in"
- Add docs button which points to
[here](https://supabase.com/docs/guides/database/postgres/row-level-security#authenticated-and-unauthenticated-roles)
that explains which roles Supabase uses
- (Nit) Refactor to use Card component
### Before
<img width="647" height="277" alt="image"
src="https://github.com/user-attachments/assets/9ebae084-38b7-4e21-886b-f609bd71976e"
/>
### After
<img width="604" height="309" alt="image"
src="https://github.com/user-attachments/assets/4d797309-1b6b-4fd0-aab3-63d5e144c53c"
/>
<img width="630" height="297" alt="image"
src="https://github.com/user-attachments/assets/ca748635-c5da-4426-a9c3-8cb5aeef47a6"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added "View data as user" and "Run SQL as user" actions to user rows
to impersonate a user and jump to table or SQL views.
* Impersonation now surfaces an identity card in new tabs showing the
impersonated identity and a Stop button.
* **UI/UX Improvements**
* Impersonation panels accept customizable headers, show clearer role
labels (Postgres), richer role descriptions, condensed RLS copy,
in-panel docs link, simplified "Stop" labels, and adjusted
typography/padding for consistent styling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR migrates the whole monorepo to use Tailwind v4:
- Removed `@tailwindcss/container-queries` plugin since it's included by
default in v4,
- Bump all instances of Tailwind to v4. Made minimal changes to the
shared config to remove non-supported features (`alpha` mentions),
- Migrate all apps to be compatible with v4 configs,
- Fix the `typography.css` import in 3 apps,
- Add missing rules which were included by default in v3,
- Run `pnpm dlx @tailwindcss/upgrade` on all apps, which renames a lot
of classes
- Rename all misnamed classes according to
https://tailwindcss.com/docs/upgrade-guide#renamed-utilities in all
apps.
---------
Co-authored-by: Jordi Enric <jordi.err@gmail.com>
## Context
As per PR title - will make the RLS tester available for CLI / self-host
(still as a feature preview)
## To test
- [x] Verify briefly locally that the RLS tester is available for use,
and works as expected
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved user search error handling to display appropriate failure
messages when search encounters issues.
* **Refactor**
* Simplified RLS Tester feature availability logic by consolidating
enablement checks across components and removing redundant feature flag
dependencies.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
Just merging the callouts - only show one at a time, instead of both
### Before
<img width="610" height="518" alt="image"
src="https://github.com/user-attachments/assets/58567f7e-99bf-4c84-8392-35573c646af6"
/>
### After
<img width="605" height="428" alt="image"
src="https://github.com/user-attachments/assets/975a5a30-2b36-4602-af8f-b79c2383f38b"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Enhanced RLS Tester to prevent conflicting policy status messages from
appearing simultaneously. The interface now properly displays only the
relevant message about policy configuration and evaluation status,
improving clarity when reviewing row-level security results.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
Adds a banner on the auth policies page for the new RLS tester feature
preview
<img width="307" height="310" alt="image"
src="https://github.com/user-attachments/assets/6864c2cb-c3b8-4c1f-8dce-57411425e17d"
/>
Also adds a Give feedback button in the RLS Tester sheet footer
<img width="616" height="73" alt="image"
src="https://github.com/user-attachments/assets/64755f56-4e27-4b54-92b2-a894badc0b88"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* RLS Tester preview banner added to the policies page with animated
content and a locally persisted dismissed state.
* Enabling the RLS Tester via the preview also dismisses and records the
banner dismissal.
* New feedback link added to the RLS Tester UI that opens in a new tab.
* **Layout/Providers**
* Banner stack context moved so banner state is available more broadly
across the app.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
Resolves FE-3077
Related discussion: https://github.com/orgs/supabase/discussions/45233
Verifying the correctness of your RLS policies set up has always been a
gap, as highlighted by a number of GitHub discussions like
[here](https://github.com/orgs/supabase/discussions/12269) and
[here](https://github.com/orgs/supabase/discussions/14401). As such,
we're piloting a dedicated UI for RLS testing (using role impersonation
as the base), in which you'll be able to
- Run a SQL query as a user (not logged in / logged in - this is the
role impersonation part)
- See which RLS policies are being evaluated as part of the query
- And hopefully be able to debug which policies are not set up correctly
Changes are currently set as a feature preview - and we'll iterate as we
get feedback from everyone 🙂🙏
<img width="613" height="957" alt="image"
src="https://github.com/user-attachments/assets/83c37f8a-28fc-43b3-b0ff-e28571d8710c"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* RLS Tester: run queries as anon or authenticated users, view inferred
SQL, per-table policy summaries, and data previews of accessible rows.
* UI preview: new RLS Tester preview card and modal with opt-in toggle;
RLS Tester sheet with role/user selector and query editor.
* SQLEditor: “Explain” tab is always visible.
* **Chores**
* Added supporting API endpoints, background checks for table RLS
status, and a local-storage flag to persist the preview opt-in.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Joshen Lim