## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Refactor / security improvement
## What is the current behavior?
SQL fragments across Studio are built from plain `string` values with no
type-level distinction between developer-authored SQL, DB-sourced
identifiers, and user-typed or externally-influenced content.
## What is the new behavior?
Extends the safe SQL model to additional Studio interfaces, using
`SafeSqlFragment`, `safeSql`, `ident()`, `literal()`, `untrustedSql()`,
and `acceptUntrustedSql()` from `@supabase/pg-meta/src/pg-format`:
- **Policy editor**: template constants typed as `SafeSqlFragment` via
`safeSql` tagged literals; Monaco editor `onInputChange` emits
`untrustedSql()`; `acceptUntrustedSql()` called only at the Save
gesture; roles selector emits a composed `SafeSqlFragment` via `ident()`
+ `joinSqlFragments()`
- **Auth hooks**: grant/revoke SQL statements use `ident()` for schema
and function names
- **Docs description editor**: `COMMENT ON` queries use `ident()` and
`literal()` for table/column/function names and values
- **Cron jobs**: `cron.schedule()` call and HTTP request builder use
`literal()` for all user-provided values
- **GraphQL linter CTA**: `REVOKE` statement uses `ident()` for schema,
table, and role
- **Storage public bucket warning**: `DROP POLICY` uses `ident()` for
policy name
- **View security autofix modal**: `ALTER VIEW` uses `ident()` for
schema and view name
- **API settings**: `CREATE SCHEMA` mutation uses `safeSql` tagged
literal
- **Database event trigger delete**: `DROP EVENT TRIGGER` uses `ident()`
for trigger name
- **Database queues query**: queue list query uses `safeSql` tagged
literal
- **Role impersonation**: function invocation SQL uses `ident()` and
`literal()`
## Manual testing checklist
- Authentication > Policies
- Authentication > Hooks
- Integrations > Queues
- Database > Event Triggers
- Integrations > Cron Jobs
- Table Editor > View entity security autofix
- API Settings > expose schema
- Linter > GraphQL exposure CTA
- Docs > table/column description editor
- Role impersonation (user impersonation panel)
## Additional context
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Replaced ad-hoc SQL string building with a safer, fragment-based SQL
construction across auth, policies, integrations, storage, and DB
operations to improve SQL safety while preserving behavior.
* **Bug Fixes / UX**
* Policy editor and code editor now propagate role and input changes
more reliably, improving editor responsiveness and policy handling
without UI changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR migrates the whole monorepo to use Tailwind v4:
- Removed `@tailwindcss/container-queries` plugin since it's included by
default in v4,
- Bump all instances of Tailwind to v4. Made minimal changes to the
shared config to remove non-supported features (`alpha` mentions),
- Migrate all apps to be compatible with v4 configs,
- Fix the `typography.css` import in 3 apps,
- Add missing rules which were included by default in v3,
- Run `pnpm dlx @tailwindcss/upgrade` on all apps, which renames a lot
of classes
- Rename all misnamed classes according to
https://tailwindcss.com/docs/upgrade-guide#renamed-utilities in all
apps.
---------
Co-authored-by: Jordi Enric <jordi.err@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Replaces "stored procedures" with "functions" for everything related to
the Data API.
## Additional context
It's not accurate to call database functions "stored procedures". It may
have been that way before Postgres 11, but now it causes confusion
because PostgREST allows functions and not stored procedures.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Standardized terminology across docs, SDK guides, CLI/config specs,
examples, UI, and config comments to use "database functions" instead of
"stored procedures".
* Updated API docs, CLI/config descriptions, Studio UI labels, help
text, empty-state and navigation copy, RPC documentation, and example
text for consistency.
* Adjusted explanatory text and error/help messages to reflect the
revised terminology.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR moves several components which rely on `next` out of the `ui`
package to the `ui-patterns` package.
`ui-patterns` package is intented to be imported with specific imports
so it's ok if there are components reliant on `next` in there.
The `SonnerToaster` component has removed its dependency by requiring a
prop for `theme`.
This PR fixes some prettier issues:
- Bump and unify all prettier versions to 3.7.3 across teh whole repo
- Bump the SQL prettier plugin
- When running `test:prettier`, check `mdx` files also
- Run the new prettier format on all files
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## Context
Main fix is to adjust the new home page + connect dialog (and connect
sheet) to render the project's custom domain if available
<img width="471" height="255" alt="image"
src="https://github.com/user-attachments/assets/3a208b2e-bdeb-43f5-a2e7-3495881dbaaa"
/>
<img width="1065" height="233" alt="image"
src="https://github.com/user-attachments/assets/2a7b8f81-8c0b-4803-bf0a-fc16a2f1e0e1"
/>
## Changes involved
- Created a `useProjectApiUrl` hook that will return the API URL
depending if custom domains is available, otherwise default to default
project API URL
- Refactored all the other places that were manually deriving the
project's endpoint
- Storage Explorer -> copy URL
- Edge Functions
- Integrations -> Data API + API Docs
- Auth Providers -> Callback URL
- Also updated the copy CTA for the addons page
- Instead of just "Change xxx", make it a bit more actionable
- For add ons with binary states (Custom domains, IPv4)
- If not enabled yet, "Enable xxx", otherwise "Toggle xxx"
- For PITR
- If not enabled yet, "Enable PITR", otherwise "Change recovery
duration"
- Also added "Edit custom domain" CTA if enabled
<img width="1144" height="518" alt="image"
src="https://github.com/user-attachments/assets/4f152ea5-0cc7-412c-95e8-ad5bb37c19c3"
/>
## To test
- [ ] Verify that for a project with custom domain set up, all the
affected UI mentioned in the above section look correct
Feature / Refactor
## What is the current behavior?
Data API docs live at the `/api` route as a standalone page. Old links
point to the previous location.
## What is the new behavior?
Data API docs are moved to the integrations section with a dedicated
docs tab and settings tab. Old links are cleaned up, a mobile menu is
added for data API docs navigation, and minor code review fixes are
applied.
## Additional context
Resolves FE-2517
## Summary by CodeRabbit
* **New Features**
* Revamped API docs UI with reusable section layout, language toggle
(JS/Bash), API key selection, and improved code snippets
* Added Data API docs tab, mobile navigation, and dedicated
loading/error/disabled states
* **Navigation Updates**
* Moved API docs and related links into the Integrations/Data API area
and added redirects to new routes
* Updated various internal links to the new Data API settings and
overview locations
* **Tests**
* Added comprehensive unit tests for Data API utilities
* Bump the deps, refactor deprecated code.
* Migrate keepPreviousData usage.
* Migrate all uses of InfiniteQuery.
* Fix refetchInterval in queries.
* Migrate all use of isLoading to isPending in mutations.
* Fix accessing location in claim-project.
* Fix a bug in duplicate query keys.
* Migrate all queries to use isPending.
* Revert "Fix accessing location in claim-project."
This reverts commit 2a07df64b5.
* Revert the rss.xml file to master.
* Update Supabase docs URLs to use env variable
Co-authored-by: a <a@alaisteryoung.com>
* Refactor: Use DOCS_URL constant for documentation links
This change centralizes documentation links using a new DOCS_URL constant, improving maintainability and consistency.
Co-authored-by: a <a@alaisteryoung.com>
* Refactor: Use DOCS_URL constant for all documentation links
This change replaces hardcoded documentation URLs with a centralized constant, improving maintainability and consistency.
Co-authored-by: a <a@alaisteryoung.com>
* replace more instances
* ci: Autofix updates from GitHub workflow
* remaining instances
* fix duplicate useRouter
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: alaister <10985857+alaister@users.noreply.github.com>
* Update perms checking in audit logs
* Deprecate useCheckPermissions, useIsPermissionsLoaded and useCheckProjectPermissions as they're no longer used
* Rename useAsyncCheckProjectPermissions to useAsyncCheckPermissions
* Fix TS
* Add flags for policies, third party auth, and manual linking + providers in sign in page
* Add flag for rate limitm page
* Add UnknownInterface components
* Update comment
* Flip flags to true
* Add flags for realtime policies and reports page
* Temp
* Add flag for sign in providers page
* Add flag for stripe wrapper
* Add flag for custom domains
* Add flag for dedicated ipv4 address addon
* Add empty state for realtime policies
* Add empty state for reports page
* Add flag for disable legacy JWT keys section
* Add flag for legacy jwt keys
* nit
* Remove ConnectionStringMoved call out
* Add flag for project settings log drains
* Add flag for subscription link in project settings
* Deprecate settings/auth page and redirect directly to auth page
* Flip back flags
* Add flags for account preferences analytics marketing and account deleetion
* Remove 'table_editor:enable_rls_toggle' flag and revert UI changes
* Remove 'authentication:policies' flag and revert UI changes
* Add flags for cmd K routes
* Add flags for instance size in infra settings
* Small refactor to DisplayApiSettings, decouple ToggleLegacyApiKeysPanel from it
* Have project_connection:javascript_example toggle code example title to TS
* add flag for templates dropdown in logs explorer
* UsesOverview only show link to providers page if providers is enabled
* API Docs UserManagement to only include docs on third party auth if providers is enabled
* Hide instance size on project card if flag is off
* Fix cmd k for roles, update redirect link from settings/auth to auth/providers
* Replace all usage of useProjectContext with useSelectedProjectQuery
* Replace all usage of useSelectedProject with useSelectedProjectQuery
* Replace all usage of useProjectByRef with useProjectByRefQuery
* Replace all usage of useSelectedOrganization with useSelectedOrganizationQuery
* Deprecate useSelectedProject, useSelectedOrganization, and useProjectByRef hooks
* Deprecate ProjecContext
* feat: move storage settings
* feat: redirect
* feat: database settings in service area
* feat: move data api settings
* fix: revert data API placement
* feat: minor UX touches
* fix: simplify configuration group
* feat: references to database settings
* feat: references to storage settings
* fix: redirects and formatting
* fix: Import StorageMenu dynamically to avoid SSR issues with useLocalStorage
* fix: move Data API closer to semantic siblings
* fix: revert smart comma
* Shift bucket sort logic into storage explorer store
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* Deprecate getAPIKeys from project settings v2, use new api keys endpoint instead
* use getPreferredKeys where appropriate
* Prevent usage of secret key for storage and realtime inspector
* Add dashboard API api-keys endpoint
* Simplify
* Disable edge functions test if legacy api keys are disabled
* Revert
* Fix graphiql
* Remove all usage of api keys from project settings, except DisplayApiSettings
* Update
* Fix
* Small fix for an undefined upload url.
* Fix the storage state initialization when the resumable url changes.
---------
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
* Fix the types for API settings to include protocol.
* Use the protocol property in all usages of endpoints.
* Update
* Lint
* Revert changes to retrieving protocol
* Remove console.logs
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* Add perms check in projects API query
* Start deprecating use of projects-api-query, move to projects-settings-v2-query
* PRETTY
* Shift all uses of project api query to project settings v2 query, and deprecate project api query
* Fix
* Fix
* Small unrelated styling fix on join page
* Fix
* Update apps/studio/components/interfaces/Auth/Users/UserOverview.tsx
Co-authored-by: Alaister Young <alaister@users.noreply.github.com>
---------
Co-authored-by: Alaister Young <alaister@users.noreply.github.com>
* Add perms check in projects API query
* Start deprecating use of projects-api-query, move to projects-settings-v2-query
* PRETTY
* Address feedback
* Address feedback
* Add lucide-react to docs (to make the autocomplete work).
* Migrate the docs app icons.
* Migrate the ui-patterns.
* Remove the old icons from ui package.
* Migrate the www app from react-feather icons.
* Migrate all of studio icons.
* Migrate the only component in design-system.
* Fix an old import in ui package. Revert an import in docs app.
* Fix some pages in www.
* Remove unneeded files used in generation of icons.
* Fix a prettier error.
* Fix more issues in www.
* Fix an issue in Log Date picker.
* Replace all string sizes with number sizes because the icons grew in some cases.
* Fix more imports in security page.
* Fix an extra import.
* Remove the size prop from all icons if they're in a button and they match the button size.
* Minor fixes for docs and www.
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* Update the design of the sonner toasts. Add the close button by default.
* Migrate studio and www apps to use the SonnerToaster.
* Migrate all toasts from studio.
* Migrate all leftover toasts in studio.
* Add a new toast component with progress. Use it in studio.
* Migrate the design-system app.
* Refactor the consent toast to use sonner.
* Switch docs to use the new sonner toasts.
* Remove toast examples from the design-system app.
* Remove all toast-related components and old code.
* Fix the progress bar in the toast progress component. Also make the bottom components vertically centered.
* Fix the width of the toast progress.
* Use text-foreground-lighter instead of muted for ToastProgress text
* Rename ToastProgress to SonnerProgress.
* Shorten the text in sonner progress.
* Use the correct classes for the close button. Add a const var for the default toast duration. Remove the custom width class from sonner.
* Set the position for all progress toasts to bottom right. Set the duration for all toasts to the default (when reusing a toast id from loading/progress toast, the duration is set to infinity).
* Fix the playwright tests.
* Refactor imports to use ui instead of @ui.
* Change all imports of react-hot-toast with sonner. These components were merged since the last commit to this branch.
* Remove react-hot-toast lib.
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Co-authored-by: Jonathan Summers-Muir <MildTomato@users.noreply.github.com>
* Add check before generating nodes in settings infrastructure
* Fix conditional in ResourceContent and add some typing
* Wrap checkIfPrivate with try catch
* Add ? in TableEditor.utils generateTableFieldsFromPostgresTable
* More typing
* Add ternary in RPC
* Remove mobx from API docs v1
* Fix renaming folder in storage explorer
* UpgradeToPro remove project ref and org slug props
* Add check in Docs/ResourceContent
* Add conditional for accessing query property in QueryPerformanceGrid
* Add fallback value for lastPage in notifications-v2-query
* Simplify logic for finding api key in TerminalInstructions, EdgeFunctionDetails, [ref]/api/index
* Minor fixes and refactors
* Fix type issues
* docs(snippets): add bash example for third party Oauth
* style(docs): fix prettier
* docs(snippets): fix method type for Oauth authorize
---------
Co-authored-by: Charis <26616127+charislam@users.noreply.github.com>
* Remove public from permanent schemas
* Swap MultiSelectV2
* Loading state on schemas
* Show a warning when public is removed
* Type error
* Change wording
* Add alert if public schema disabled
* Move alert to own component
* Adjust message
* Add graphql to warning
* Fix repopulation issue
* Empty input state
* Move public schema warning
* Add alert file
* Remove prop
* cleanup
* Replace all methods of MetaStore with react queries.
* Remove unneeded usages of MetaStore.
* Remove RootStore completely. The only thing left from these stores is uiStore.
* Remove unnecessary comments.
* Delete MetaStore.
* Fix the usage of the wrong toaster.
* Remove unused variables
* Remove onSqlQuery
* Convert some ui setNotification calls to direct toast calls
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Gildas Garcia