This PR migrates all tailwind configs in the apps to be CSS configs.
They import a shared CSS Tailwind config from the `config` package
(which in turns imports the old JS config).
The shared JS config will be migrated to CSS in a followup PR.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Centralized Tailwind into a config-driven entrypoint and updated the
app build flow to use the new build step; many apps now import unified
global styles.
* **Style**
* Migrated global styles to a Tailwind v4-style setup, added
project-wide content scanning, consolidated theme imports, standardized
theme tokens (including new --container-site max-width), and added a
small prose utility to remove paragraph margins.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## TL;DR
fixes cron losing http body/headers when values contain backslashes,
broken by:
- #45560
parser now handles escape-string literals (`E'...'`) emitted by
`literal()`
## ex:
Before:
https://github.com/user-attachments/assets/9f7c3c13-5c49-448d-aac1-b64e27e269f4
After:
https://github.com/user-attachments/assets/2c517c4d-9eaa-412f-9b40-5eaacc2c2b2d
## ref:
- closes https://github.com/supabase/supabase/issues/45674
- broken by / adds upto: #45560
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Improved reliability of cron job HTTP POST request parsing when using
special characters and escape sequences in headers and body parameters.
* Enhanced support for extracting headers from cron job commands
configured with escaped SQL literals.
* **Tests**
* Added test coverage for HTTP cron job command parsing with escaped SQL
string literals and special character handling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Converts ~27 `executeSql` call sites in `apps/studio/data/**` to build
SQL through `safeSql` / `ident` / `literal` / `keyword` /
`joinSqlFragments` instead of raw template-string interpolation.
- Tightens the `useDatabaseCronJobCreateMutation` and
`useDatabaseEventTriggerCreateMutation` `sql`/`query` parameter types
from `string` to `SafeSqlFragment` (callers already produce one).
- Updates `getDeleteEnumeratedTypeSQL` in `packages/pg-meta` to return
`SafeSqlFragment`.
- Fixes a bug noticed while testing where Queues integration does not
correctly handle queues with uppercase names.
## Pages to manually test
- Integrations > Cron Jobs
- Integrations > Queues
- Database > Triggers > Event Triggers
- Database > Indexes
- Reports > Query Performance
- Storage
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Queue lookups now correctly handle case-insensitive queue names.
* Queue table references are now properly managed and consistently
applied throughout the queue management interface.
* Improved queue name display normalization in the user interface.
* **Chores**
* Enhanced SQL query safety across the database layer through
parameterized query construction and safer templating approaches.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Refactor / security improvement
## What is the current behavior?
SQL fragments across Studio are built from plain `string` values with no
type-level distinction between developer-authored SQL, DB-sourced
identifiers, and user-typed or externally-influenced content.
## What is the new behavior?
Extends the safe SQL model to additional Studio interfaces, using
`SafeSqlFragment`, `safeSql`, `ident()`, `literal()`, `untrustedSql()`,
and `acceptUntrustedSql()` from `@supabase/pg-meta/src/pg-format`:
- **Policy editor**: template constants typed as `SafeSqlFragment` via
`safeSql` tagged literals; Monaco editor `onInputChange` emits
`untrustedSql()`; `acceptUntrustedSql()` called only at the Save
gesture; roles selector emits a composed `SafeSqlFragment` via `ident()`
+ `joinSqlFragments()`
- **Auth hooks**: grant/revoke SQL statements use `ident()` for schema
and function names
- **Docs description editor**: `COMMENT ON` queries use `ident()` and
`literal()` for table/column/function names and values
- **Cron jobs**: `cron.schedule()` call and HTTP request builder use
`literal()` for all user-provided values
- **GraphQL linter CTA**: `REVOKE` statement uses `ident()` for schema,
table, and role
- **Storage public bucket warning**: `DROP POLICY` uses `ident()` for
policy name
- **View security autofix modal**: `ALTER VIEW` uses `ident()` for
schema and view name
- **API settings**: `CREATE SCHEMA` mutation uses `safeSql` tagged
literal
- **Database event trigger delete**: `DROP EVENT TRIGGER` uses `ident()`
for trigger name
- **Database queues query**: queue list query uses `safeSql` tagged
literal
- **Role impersonation**: function invocation SQL uses `ident()` and
`literal()`
## Manual testing checklist
- Authentication > Policies
- Authentication > Hooks
- Integrations > Queues
- Database > Event Triggers
- Integrations > Cron Jobs
- Table Editor > View entity security autofix
- API Settings > expose schema
- Linter > GraphQL exposure CTA
- Docs > table/column description editor
- Role impersonation (user impersonation panel)
## Additional context
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Replaced ad-hoc SQL string building with a safer, fragment-based SQL
construction across auth, policies, integrations, storage, and DB
operations to improve SQL safety while preserving behavior.
* **Bug Fixes / UX**
* Policy editor and code editor now propagate role and input changes
more reliably, improving editor responsiveness and policy handling
without UI changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This change updates the handler for simple GET installations to
correctly appending the organization_slug and project_ref parameters as
documented in our Partner Integrations Guide.
Fixes INT-111
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Integration installs now open in a new browser tab instead of
replacing the current page.
* Organization and project context are appended to integration
installation links so setups receive correct context.
* Missing or invalid installation links now fall back to the home page
to avoid navigation errors.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## What kind of change does this PR introduce?
Feature and design-system cleanup. Resolves DEPR-551.
## What is the current behavior?
Admonition supports several overlapping content shapes, but it
previously did not support a first-class success state or
description-only usage cleanly. Title-only usage was also possible,
which made some callouts read like floating headings without body copy.
Docs MDX Admonitions could also pick up prose spacing around rich
children, while the design-system Tailwind config emitted an
ESM/CommonJS warning in the design-system app.
## What is the new behavior?
Adds a `success` Admonition type, description-only support, and a
stricter content contract: `title` or legacy `label` now requires either
`description` or `children`. Existing title-only Studio callsites have
been converted to description-only callouts.
The design-system docs now include examples for description-only and
success Admonitions, plus guidance for `title`, `description`,
`children`, and legacy `label` usage.
This also tightens Admonition body spacing so rich MDX children keep
docs link/code styling without inheriting excessive prose margins, and
renames the design-system Tailwind config to `tailwind.config.cjs` so it
matches its CommonJS syntax.
Warning and destructive alerts now explicitly set `text-foreground`,
preventing nested Admonition titles from inheriting muted
form-description colour after the Tailwind v4 cascade changes.
| Before | After |
| --- | --- |
| <img width="1818" height="388" alt="Image"
src="https://github.com/user-attachments/assets/283a1853-348a-4d74-a408-013957350e5e"
/> | <img width="1380" height="462" alt="Image"
src="https://github.com/user-attachments/assets/e5761e8e-3697-423b-805b-45110205099a"
/> |
| <img width="1398" height="550" alt="CleanShot 2026-04-28 at 15 12
41@2x"
src="https://github.com/user-attachments/assets/982694d9-5461-4362-8bae-a6e2b4c60e8b"
/> | <img width="1402" height="450" alt="CleanShot 2026-04-28 at 15 13
09@2x"
src="https://github.com/user-attachments/assets/0b1257c4-6b58-4c39-a182-4861a9e378ee"
/> |
| <img width="1640" height="716" alt="CleanShot 2026-04-28 at 15 17
25@2x"
src="https://github.com/user-attachments/assets/a5be4d5f-2bf7-4dc2-b396-56129fe64ec9"
/> | <img width="1630" height="716" alt="CleanShot 2026-04-28 at 15 16
00@2x"
src="https://github.com/user-attachments/assets/0d589252-aaf8-4efc-9d81-15ec4f99ec61"
/> |
| Design System Docs |
| --- |
| <img width="1646" height="1864" alt="CleanShot 2026-04-28 at 14 59
15@2x"
src="https://github.com/user-attachments/assets/12d13595-8972-4fb2-a04a-fb916388ebb6"
/> |
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a "success" admonition variant and new example previews
demonstrating success and description-only usages.
* **Documentation**
* Clarified admonition guidance: when to use title vs description vs
children; added example sections for short callouts and success
messages.
* **Refactor**
* Standardized UI by moving short/advisory text into description across
the app and harmonized trailing punctuation.
* **Style**
* Ensured warning/destructive admonitions use consistent foreground text
styling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Adds `graphiql@5.2.2` and switches from our heavily-customised rebuild
(which used `@graphiql/react` + `@graphiql/toolkit` directly) to the
prebuilt component, restyled to match the dashboard. Role impersonation
re-added as a sidebar plugin.
This is a deliberately simpler setup than what we had – we lose some
layout customisation (sidebar is forced to the left, role impersonation
moves into the sidebar) but future upgrades become much easier since
we're no longer maintaining a fork-by-rewrite.
**Removed:**
- `apps/studio/components/interfaces/GraphQL/GraphiQL.tsx` – custom
rebuild
- `apps/studio/components/interfaces/GraphQL/graphiql.module.css` –
custom styles
**Changed:**
- Added `graphiql` ^5.2.2 (we previously didn't have the top-level
package, just the subpackages)
- `@graphiql/react` ^0.19.4 → ^0.37.3 (now Monaco-based; v0.19 was still
on CodeMirror 5)
- `@graphiql/toolkit` ^0.9.1 → ^0.11.3
- `GraphiQLTab.tsx` now wires up the prebuilt `<GraphiQL />` with worker
setup, theme bridge, and plugins
- New `graphiql.module.css` scopes restyling via `:global(...)` since we
can't add hashed classes to the library's DOM
- `RoleImpersonationSelector` gained an `orientation: 'horizontal' |
'vertical'` prop (default `horizontal`) so it fits in the sidebar pane –
all existing call sites unchanged
- `MonacoThemeProvider` exports `getTheme` so the GraphQL Monaco
instance can reuse Studio's theme
**Added:**
- Theme bridge: `supabase-graphql-dark` / `supabase-graphql-light`
Monaco themes synced with `next-themes` via `forcedTheme`
- Role impersonation sidebar plugin (gated on `field.jwt_secret` read
permission, same as before)
### Notes / tradeoffs
- We don't share Studio's monaco instance – Studio loads it via AMD/CDN,
GraphiQL bundles it as ESM. Both end up on `monaco-editor@0.52.2` but in
different module systems. Sharing would require ripping out Studio's CDN
loader (Studio-wide refactor, out of scope). GraphiQL's monaco is
dynamically imported and only loads when the GraphQL tab opens.
- The dark/light response panel uses different `--graphiql-response-bg`
tokens because the editor sits at very different baseline lightness in
each theme; a single token can't lift it meaningfully in both
directions.
- Session header (tabs row) is hidden – we don't expose multi-tab
workflows.
## To test
- Open `/project/<ref>/api/graphiql` in both light and dark themes –
editor + response panel backgrounds, sidebar borders, button radii
should all match the dashboard
- Run a query and confirm syntax highlighting works (GraphQL-specific
token `argument.identifier.gql` is purple)
- Open the doc explorer and history sidebar plugins
- As a user with `field.jwt_secret` read permission: open the Role
Impersonation sidebar plugin, pick a role, confirm subsequent queries
hit the API with the impersonated JWT
- As a user without that permission: confirm the Role Impersonation
plugin doesn't appear, history still does
- Toggle theme while GraphiQL is open – Monaco theme should swap without
a reload
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Vertical layout option for the role impersonation selector; radios can
expand to full width.
* **Improvements**
* Revamped GraphiQL integration with updated upstream package, plugins,
and editor theming for improved consistency and UX.
* New GraphiQL styling and layout for clearer pane separation and
polished controls.
* Role selector radios now support a full-width mode for improved
responsiveness.
* **Chores**
* Updated GraphiQL-related dependencies.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
This PR migrates the whole monorepo to use Tailwind v4:
- Removed `@tailwindcss/container-queries` plugin since it's included by
default in v4,
- Bump all instances of Tailwind to v4. Made minimal changes to the
shared config to remove non-supported features (`alpha` mentions),
- Migrate all apps to be compatible with v4 configs,
- Fix the `typography.css` import in 3 apps,
- Add missing rules which were included by default in v3,
- Run `pnpm dlx @tailwindcss/upgrade` on all apps, which renames a lot
of classes
- Rename all misnamed classes according to
https://tailwindcss.com/docs/upgrade-guide#renamed-utilities in all
apps.
---------
Co-authored-by: Jordi Enric <jordi.err@gmail.com>
This PR preps the monorepo for a migration to Tailwind v4:
- Bump all Tailwind dependencies and libraries to the latest possible
version, while still compatible with Tailwind 3.
- Cleans up obsolete Tailwind 3 specific options and configs.
- Cleans up unused CSS files and fixes the CSS imports.
- Migrates all `important` uses in `@apply` lines to using the `!`
prefix.
- Move `typography.css` to the `config` package and import it from the
apps.
- Migrated all occurrences of `flex-grow`, `flex-shrink`,
`overflow-clip` and `overflow-ellipsis` since they're deprecated and
will be removed in Tailwind 4.
- Make the default theme object typesafe in the `ui` package.
- Migrate all `bg-opacity`, `border-opacity`, `ring-opacity` and
`divider-opacity` to the new format where they're declared as part of
the property color.
- Bump and unify all imports of `postcss` dependency.
Currently when a user clicks the **Install integration** button on an
OAuth integration like Grafana, they are redirected to the partner
website in the same tab in which they clicked the button. This makes
them lose context in the Supabase Studio. This PR changes the behaviour
such that the partner website will be opened in a new tab.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* OAuth integration installation now opens the redirect URL in a new
browser tab instead of redirecting the current window, allowing users to
remain in the application while completing the integration process.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## TL;DR
another parsing issue & updated prev tests to validate this aswell :P
## ex
<table>
<tr>
<td><strong>Before</strong></td>
<td><strong>After</strong></td>
</tr>
<tr>
<td>
<img width="325" height="108" alt="Before"
src="https://github.com/user-attachments/assets/f5583e2e-e0d5-439c-a05a-8120959250ca"
/>
</td>
<td>
<img width="363" height="119" alt="After"
src="https://github.com/user-attachments/assets/7e65a578-acb9-4b90-863c-d3b52411ca7b"
/>
</td>
</tr>
</table>
## ref:
- closes https://github.com/supabase/supabase/issues/45186
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Expanded cron job parsing tests to verify correct handling of
SQL-escaped single quotes in HTTP headers and request bodies.
* **Bug Fixes**
* Fixed cron HTTP request generation and parsing so URLs, headers, and
POST bodies with escaped quotes are preserved and unescaped correctly
when building and reading cron jobs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
We used to have a `_Shadcn_` suffix for all the shadcn form components
because we also had `formik` form components.
This is not needed anymore.
## Solution
- Remove the suffix
- Update all usages
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES/NO
## What kind of change does this PR introduce?
Fixes FE-2304.
## What is the current behavior?
Please link any relevant issues here.
## What is the new behavior?
Feel free to include screenshots if it includes visual changes.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated the documentation link in Queues Settings to direct users to
the internal quickstart guide for exposing queues to client-side
consumers.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
When trying to create a new CRON job with an already used name, the
`name` input isn't focused. As a result, users don't see the error.
## Solution
Fix the call to `form.setError` so that it focuses the input
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Improved error handling in cron job creation. When a duplicate job
name is detected, the form now automatically focuses on the name field,
providing clearer feedback to help you quickly identify and correct
validation errors.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The Data API overview page (`/integrations/data_api/overview`) was
showing the project URL as `https://xxx.supabase.co`, but the documented
Data API base URL is `https://xxx.supabase.co/rest/v1/`. This normalizes
the URL so it matches the docs.
**Changed:**
- `getApiEndpoint` now appends `/rest/v1/` to the resolved endpoint
(only used by the Data API overview card, so no other dashboard URLs are
affected)
## To test
- Visit `/dashboard/project/_/integrations/data_api/overview` and
confirm the API URL field ends with `/rest/v1/`
- Switch the database selector between primary, a read replica, and (if
available) a load balancer — all should show a URL ending in `/rest/v1/`
- With a custom domain active, the custom domain URL should also end
with `/rest/v1/`
Addresses
[FE-3035](https://linear.app/supabase/issue/FE-3035/dashboard-data-api-page-shows-inconsistent-api-url)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* API endpoints are now properly normalized to ensure consistent path
formatting with the `/rest/v1/` suffix across all endpoint sources.
* Fixed URL handling for custom domain and load balancer endpoint
selection.
* Enhanced replica database URL handling to ensure correct trailing
slash formatting.
* **Tests**
* Updated test expectations and added new test cases to verify proper
endpoint normalization behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
## Summary
- The delete confirmation dialog for integration connections hard-coded
GitHub-specific copy about preview branches, even when deleting a Vercel
connection.
- Branch the dialog body on the connection `type` so Vercel connections
explain that environment variable syncing to the Vercel project will
stop.
Fixes
[FE-3006](https://linear.app/supabase/issue/FE-3006/deleting-vercel-connection-confirmation-dialog-incorrectly).
## Test plan
- [x] Go to Organization > Integrations
- [x] Set up a Vercel integration linking a Supabase project to a Vercel
project
- [x] Click Manage > Delete connection → dialog should reference Vercel
env var syncing, not GitHub preview branches
- [x] Repeat with a GitHub connection → dialog should still reference
preview branches
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Updated integration disconnection confirmation messages to provide
type-specific guidance, clarifying exactly what happens when stopping
synchronization for each integration type.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR shows installed marketplace apps in the left pane on the
integrations page and shows the `Installed` badge on the card.
`Official` badge is not shown on marketplace listings.
<img width="1652" height="892" alt="image"
src="https://github.com/user-attachments/assets/16c0a218-1658-426e-9b5b-d28e44c5c3b6"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed excessive spacing on the integrations page
* Enhanced integration installation detection for improved accuracy
* **Style**
* Updated official badge display on integration cards
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR integrates with the new marketplace db to allow Grafana (and
other partners) OAuth apps to install from the integrations page. A demo
of this working locally is available here:
https://supabase.slack.com/archives/C01GN60J0BS/p1775551752479709. End
to end flow is documented here:
https://www.notion.so/supabase/Grafana-Integration-Flow-33a5004b775f80eeaf91c098beb8071f.
TODO:
- [ ] Make sure `NEXT_PUBLIC_MARKETPLACE_API_URL` variable is set to the
new marketplace db.
- [x] Test with the `marketplaceIntegrations` enabled and disabled in
staging once https://github.com/supabase/platform/pull/31298 is merged
and available in staging.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Add OAuth "Install integration" button that detects installed
integrations and supports GET/POST install flows
* Marketplace listings now include install links, installation method,
partner info, and listing assets/logos
* **Infrastructure**
* Allow marketplace API origin for images and content in security and
image config
* Centralize marketplace types and switch marketplace data source for
more reliable listings
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## Problem
We'd like to update react to `19` but many of our dependencies don't
support it.
## Solution
Update those dependencies. This PR focuses on `react-hook-form`
## How to test
Play with some forms, especially those that use arrays of values
(database/enumerated types for instance) and the highly dynamic ones
(auth providers for instance)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Summary by CodeRabbit
* **Chores**
* Bumped the form-handling library version across apps and packages for
improved compatibility and stability.
* **Refactor**
* Improved component form typings and generics in the studio to increase
type safety and reduce potential runtime issues.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Closes#44873
When creating a new cron job, `getDatabaseCronJob` is called to check if
the name already exists. If that call throws (network error, DB
connection issue), the catch block shows an error toast but doesn't
return. Execution falls through to `upsertCronJob`, creating the job
without validating name uniqueness.
The fix adds `return` in the catch block so the mutation doesn't fire
after a failed validation check.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed cron job validation error handling to properly halt processing
when name validation fails and display appropriate error feedback.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Gildas Garcia <1122076+djhi@users.noreply.github.com>
## TL;DR
fixes a cron job parsing issue where the `HTTP request body`
could include content from a later argument when editing an existing job
## ex:
<table>
<tr>
<td valign="top" width="50%">
<strong>Before:</strong>
<br />
when editing some existing <code>net.http_post(...)</code> cron jobs,
studio populated the <code>HTTP Request Body</code> field with extra
content from the following argument instead of only the body value
<br /><br />
<img width="532" height="108" alt="before"
src="https://github.com/user-attachments/assets/eccf1f6b-3e4c-4d6d-8611-e144794fac8f"
/>
</td>
<td valign="top" width="50%">
<strong>After:</strong>
<br />
now it stops parsing the body at the correct boundary, so the <code>HTTP
Request Body</code> field only contains the intended body content
<br /><br />
<img width="165" height="69" alt="after"
src="https://github.com/user-attachments/assets/92f5cf44-ad8c-409c-a0f5-5b9c1664ccd0"
/>
</td>
</tr>
</table>
added a smol regress test aswell :)
## ref:
- closes https://github.com/supabase/supabase/issues/44794
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed parsing of cron job commands with quoted JSON body parameters
and additional arguments to ensure headers and timeout parameters are
correctly recognized.
* **Tests**
* Added test case to validate correct parsing of complex cron job
command configurations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
Follow-up to #44801 — fixes the data layer issue flagged in the review
comment.
The previous fix handled the display crash (`table.columns.map` when
`columns` is undefined) but left the edit/save path broken. When a
Stripe wrapper table has `null` columns from the DB (e.g. `jsonb_agg`
returns `NULL` when there are no rows), `formatWrapperTables` was
forwarding that `null` directly into the react-hook-form state. The Zod
`tableSchema` declares `columns` as a non-optional `z.array(...)`, so
the zodResolver rejected the form silently on save — the Save button
appeared to do nothing with no error shown to the user.
## Change
In `Wrappers.utils.ts`, `formatWrapperTables`:
```ts
// before
columns: table.columns,
// after
columns: table.columns ?? [],
```
This ensures the form is always initialized with a valid array,
satisfying the Zod schema and allowing saves to proceed normally.
---
Slack thread:
https://supabase.slack.com/archives/C063LNYJJKS/p1776067210776939?thread_ts=1776067141.988569&cid=C063LNYJJKShttps://claude.ai/code/session_01N6nyTggA68yktWg4b46ssL
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed an issue where wrapper tables could fail to display correctly
when column data was missing or invalid.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Claude <noreply@anthropic.com>
## Summary
- Adds null check for `table.columns` in `CreateWrapperSheet` and
`EditWrapperSheet` to prevent runtime errors when columns are undefined
- Fixes TypeError: "can't access property 'map', e.columns is undefined"
on `/dashboard/project/[ref]/integrations/stripe_wrapper/overview`
## Problem
When viewing the Stripe wrapper integration overview page, users
encounter a JavaScript error because `table.columns` can be undefined in
some cases, but the code attempts to call `.map()` on it directly.
## Solution
Changed `table.columns.map(...)` to `(table.columns ?? []).map(...)` to
safely handle cases where columns is undefined by defaulting to an empty
array.
## Test plan
- [ ] Navigate to
`/dashboard/project/[ref]/integrations/stripe_wrapper/overview` with a
wrapper that has tables with undefined columns
- [ ] Verify no JavaScript error occurs
- [ ] Verify tables without columns display correctly (showing "Columns:
" with nothing after)
---
Slack thread:
https://supabase.slack.com/archives/C063LNYJJKS/p1776067210776939?thread_ts=1776067141.988569&cid=C063LNYJJKShttps://claude.ai/code/session_01N6nyTggA68yktWg4b46ssL
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed a stability issue in wrapper integrations where missing or
undefined column information from foreign tables could cause display
problems. The interface now safely handles these edge cases with
improved spacing and more reliable column rendering, ensuring consistent
and predictable presentation of integration data regardless of data
availability or table configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Claude <noreply@anthropic.com>
## Problem
Foreign wrapper forms still use `formik` but we now use
`react-hook-form` everywhere and we'd like to reduce our dependencies.
## Solution
- [x] Write e2e tests for wrappers
- [x] Migrate to `react-hook-form`
## Notes
I tried to cover the 3 cases I identified for foreign wrappers with e2e
tests:
- Add all available tables to a new schema (stripe)
- Add selected tables to a new table (stripe)
- Create dynamic columns (s3 wrapper)
However, they are not exhaustive as I can't test the integration
actually works, only that it was created successfully. Besides, I can't
test the Iceberg wrapper case as it needs actual S3 buckets.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Enhanced column-type selector with searchable combobox, enum support,
icons, and optional recommendation prompts.
* **Refactor**
* Migrated many wrapper/table/editor forms to a schema-driven form
system with stronger validation, dynamic field arrays, and consistent
form controls.
* Updated input field integration to work with the new form control
model.
* **Bug Fixes**
* Improved handling of missing wrapper/error states during wrapper
loading.
* **Tests**
* Added unit tests for form schemas and end-to-end tests for wrapper
creation flows.
* **Chores**
* Removed legacy dynamic-columns component.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
Part of marketplace integrations, this moves the last integration over
to the new integrations UI
Just a heads up though that the code changes imo are quite messy - am
trying to figure out how to shift a lot of the integration logic (e.g
installing, installation progress tracking, etc) into a code
configuration within `Integrations.constants.ts` so pardon the
mid-transition state. I reckon we'll be able to clean up things once
requirements are bit more clearer. (Refer to "Moving forward" section
below for details)
## Changes involved
- Much of the details on the Stripe Sync Engine page will now live in
the Installation panel
<img width="1143" height="512" alt="image"
src="https://github.com/user-attachments/assets/cb23e49d-cc4e-4ad6-8a47-0bc3fe81ede7"
/>
<img width="656" height="955" alt="image"
src="https://github.com/user-attachments/assets/ff0e33c5-52ab-480f-b941-ebf3fd0708c5"
/>
- Code wise, `useStripeSyncStatus` will retrieve `ref` and
`connectionString` itself, don't need to pass in as parameters
## To test
- [ ] Verify that you can install + uninstall Stripe Sync Engine with
the flag off
- [ ] Verify that you can install + uninstall Stripe Sync Engine with
the flag on
## Moving forward
Couple of notes + open questions at the top of my head
- We'll need to do away with integration-specific overview UI (e.g
Queues, Data API, Webhooks, Wrappers, Stripe Sync Engine)
- Everything needs to be defined in code, so `IntegrationDefinition`
within `Integrations.constants.ts` is also a bit fluid at the moment as
we figure out what properties we need / don't need
- We'll need to figure out a way to do the following from a code config
POV, keeping in mind that integrations will be fetched remotely from a
DB
- How to trigger the installation of the integration (e.g from a set of
commands? SQL?)
- How to track the progress of the installation (e.g We can do long
polling but on what data?)
- How to uninstall the integration (if applicable, e.g Stripe Sync
Engine supports this)
- How all this this can work for self-hosted/CLI
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* New modular integration install experience: interactive install sheet
with form inputs, installation overview (Extensions & SQL), advanced
per-extension schema settings, and dedicated installation settings.
* New Stripe Sync Engine overview and action controls for
install/upgrade/uninstall flows.
* **Bug Fixes & Improvements**
* Improved installation status handling, long-polling/status checks,
progress/error reporting and telemetry; more robust install/uninstall
flows and error recovery.
* **Tests**
* Updated install-sheet tests to better simulate form submission.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
Co-authored-by: Alaister Young <alaister@users.noreply.github.com>
## What kind of change does this PR introduce?
Design system and validation consistency update.
## What is the current behaviour?
`KeyValueFieldArray` already renders per-cell form messages, but each
consumer still decides its own validation rules. At the moment, some
consumers allow partially filled rows to submit silently, while Log
Drains now treats them as inline validation errors.
## What is the new behaviour?
This PR standardises the recommended partial-row behaviour for the
current `KeyValueFieldArray` consumers by introducing a shared
validation helper and using it from each form schema.
- adds `getKeyValueFieldArrayValidationIssues` alongside
`KeyValueFieldArray`
- keeps `KeyValueFieldArray` presentation-only and leaves validation in
consumer schemas
- shows inline errors when one side of a key/value row is filled and the
other is empty
- keeps fully empty rows as draft rows
- keeps duplicate-key validation in Log Drains, where it already applies
- updates the design-system docs and examples to describe the validation
pattern explicitly
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added reusable key/value validation utilities and public export; forms
now trim header/key/value inputs, show inline errors for partially
filled rows, and remove fully empty draft rows on submit.
* **Documentation**
* Clarified the field-array is rendering-only and added guidance for
placing validation in form schemas and handling draft rows.
* **Tests**
* Added unit and integration tests covering validation rules, duplicate
keys, trimming, draft-row stripping, and payload behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
We had some bugs where webhooks were not able to be turned on for
projects. This is to ensure that doesn't happen again
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Added UI tests for integration overview and installation flows: verify
action enablement/disablement (aria-disabled and visual opacity)
depending on required extensions, ensure the "Install integration"
button is disabled when no installation command or required extensions
are missing, and confirm the installation command is invoked (without
executing SQL) when appropriate.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## Summary
- Adds 6 Playwright E2E tests for queue integration: view page, create
basic queue, create unlogged queue, delete queue, purge messages, and
send test message
- Adds `aria-label` to icon-only Purge and Delete buttons in
`QueueTab.tsx` for reliable test selectors
- Follows existing `cron-jobs.spec.ts` patterns for setup/teardown and
API helpers
## Test plan
- [x] All 6 queue integration tests pass locally against self-hosted
Supabase
- [x] Tests run stably in parallel (3 workers)
- [x] Cleanup via `withSetupCleanup` ensures no leftover test queues
## Context
For database extensions, previously dashboard would fire a separate call
just to retrieve the "default schema" for an extension via
`useDatabaseExtensionDefaultSchemaQuery` from the
`pg_available_extension_versions` table (the `schema` from this table
implies where the extension will be installed in)
## Changes involved
Am updating the `useDatabaseExtensionsQuery` to use a custom studio SQL
that will fetch this data in one request via a `LEFT JOIN`, so dashboard
no longer needs to fire a request to `pg_available_extension_versions`
each time we open the `EnableExtensionModal` since all the info we need
is loaded up front.
Have also validated that the cost of the custom studio SQL is low (6.8,
via explain analyze) so performance wise on the project's DB should be
okay.
This will then also allow us to correctly render the "default schema" of
the extensions in the new Install Integration Sheet now that we have
that information up front.
## Misc fix
Also fixed a small issue on the database extensions page whereby if you
searched for an extension that's hidden (e.g pg_tle), there's no "No
results" UI state showing up
<img width="1112" height="319" alt="image"
src="https://github.com/user-attachments/assets/eb488117-2a24-4317-ad73-1d636f9b1bc8"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Per-extension default schema detection surfaced across install flows;
default schema options added to selectors when applicable.
* **Bug Fixes**
* Hidden extensions filtered out earlier so they no longer appear in
lists.
* Install button now correctly disables when required extensions are
missing.
* **Refactor**
* Consolidated extensions metadata retrieval and simplified schema
selection/validation logic; UI text formatting standardized.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Bug fix
## What is the current behavior?
Cron jobs using pg_cron's `$` syntax (representing 'last day of month')
show 'Unable to parse next run for job' in the dashboard's Next run
column, even though these are valid pg_cron schedules.
## What is the new behavior?
The dashboard now correctly parses schedules using `$` and displays the
proper next run time.
## Root Cause
pg_cron uses `$` for 'last day of month', but the `cron-parser` library
used by Studio uses `L` for the same purpose. The `$` character was
causing the parsing to fail.
## Fix
Normalize pg_cron's `$` syntax to cron-parser's `L` syntax before
parsing. Both represent 'last day of month' - it's just a syntax
difference between the two systems.
Fixes#42176
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved cron job scheduling to correctly calculate next-run times for
pg_cron-compatible schedule expressions.
---------
Co-authored-by: Charis <26616127+charislam@users.noreply.github.com>
## Summary
- Fixes the "Enable webhooks" button being greyed out in the
non-marketplace UI
- PR #44277 added `requiredExtensions: ['pg_net']` for the new UI, which
inadvertently caused the old UI's actions area to get disabled via
`hasToInstallExtensions`
- Skips the disabled styling when `hideRequiredExtensionsSection` is
set, since webhooks handles `pg_net` installation server-side
Companion to #44402 which fixed the same issue in the new (V2) UI.
## Summary
- The "Install integration" button in `InstallIntegrationSheet` was
unconditionally disabled when required extensions were missing from the
DB image (`hasMissingExtensions`)
- For webhooks, the installation goes through `installationCommand`
(platform API `/database/{ref}/hook-enable`) which handles `pg_net`
setup server-side — the client-side extension check is unnecessary
- Now only disables the button for missing extensions when there is no
custom `installationCommand`
## How this happened
PR #44277 migrated Database Webhooks to the new marketplace integrations
UI. The `InstallIntegrationSheet` already had a
`disabled={hasMissingExtensions}` guard from its original implementation
(for extension-only integrations like queues). When webhooks was added
with its `installationCommand` + `requiredExtensions: ['pg_net']`, the
guard wasn't updated to account for the command-based install path.
## Test plan
- [ ] With marketplace flag enabled, verify the "Install integration"
button is clickable for webhooks even if `pg_net` is not pre-installed
- [ ] Verify clicking it successfully enables webhooks via the platform
API
- [ ] Verify that extension-only integrations (e.g. queues) still
correctly disable the button when extensions are unavailable
Fixes FE-2928
## Context
Related to marketplace integrations, now shifting wrappers over to the
new UI (feature flagged)
## Changes involved
- Added a "Installed" indicator if the integration is installed
<img width="1155" height="171" alt="image"
src="https://github.com/user-attachments/assets/6de2ea49-64bb-46af-ba04-db6629ec7546"
/>
- New UI will only show the "Add new wrapper" + "Recent wrappers" table
only if the required extensions have been installed (Current UI shows
them both irregardless)
<img width="1147" height="518" alt="image"
src="https://github.com/user-attachments/assets/c428ff70-4a52-401e-a369-6948100d1cef"
/>
- Once required extensions are installed, the wrappers tab will also
show up
- Currently the wrappers tab only shows up after a wrapper is created
- This change will affect the existing behaviour too (reckon it makes
more sense this UX)
<img width="1143" height="611" alt="image"
src="https://github.com/user-attachments/assets/b05f5196-854e-41c1-8a01-7a5e5cca9d4e"
/>
- In the install integration sheet, only extensions that have yet to be
installed will users be allowed to adjust schema selection for
<img width="553" height="583" alt="image"
src="https://github.com/user-attachments/assets/045e185a-6235-4dc5-a984-b039b64cd7fd"
/>
- Likewise, if the extension has already been installed, it will be
omitted from the SQL code output
<img width="575" height="267" alt="image"
src="https://github.com/user-attachments/assets/5e6c0a75-5738-4a0d-9e33-ff19aed074d3"
/>
- Updated docs URL for some of the integrations (vault, database
webhooks, graphql)
- Nit: This one's bugged me for the longest time but remove extra border
bottom in "Recent wrappers" table
<img width="1068" height="177" alt="image"
src="https://github.com/user-attachments/assets/1d6e24cf-072a-4605-8eca-ee0f37406d74"
/>
FWIW i think the integrations UI for wrappers is due for an update, but
we'll leave things as they are for now - at least until we're bit more
clearer on the requirements for marketplace integrations (less we make
changes now which then have to be redone again later)
## To test
- [ ] Verify that you can install + create wrappers still with the new
UI
- [ ] Verify that behaviour is status quo with flag off (except the ones
mentioned explicitly)
## Context
Related to marketplace integrations
Shifts Database Webhooks integration to the new Integrations UI. This
one's a bit different from the previous PRs as this involves a full SQL
installation query instead of only just a database extension. So am
tweaking `Integrations.constants` a little.
For context eventually all the integrations will be pulled remotely from
a database, so am still trying to figure out an optimal data structure,
but requirements will be clearer as we build out the UI
RE installing integrations:
- For now, if the integration has a provided SQL installation command,
that'll take precedence
- Else, if the integration has a provided SQL installation query, we'll
use that on the /query endpoint
- Otherwise, if the integration only requires database extensions,
dashboard will generate the queries to install the extensions
- In the case of the former tho, we won't allow users to choose which
schema to install the extension in too
Just ping me if any clarification's required!
## To test
- [ ] Verify that you can install the database webhooks with the new
integration UI
- [ ] Verify that behaviour is status quo without the new integration UI
This PR moves several components which rely on `next` out of the `ui`
package to the `ui-patterns` package.
`ui-patterns` package is intented to be imported with specific imports
so it's ok if there are components reliant on `next` in there.
The `SonnerToaster` component has removed its dependency by requiring a
prop for `theme`.
## Context
Just brings more integrations over to the new UI bit by bit
- Vault
- Cron
- Data API
- GraphiQL
Will be tackling webhooks next which is a bit different as its not just
a database extension
## Context
Related to marketplace related work, just moves the Queues integration
to the new UI (Changes are feature flagged)
<img width="1145" height="584" alt="image"
src="https://github.com/user-attachments/assets/d3245889-597d-44e2-9850-f20907e42056"
/>
Installation is now in a side panel with the intention that it'll just
be a single click to install integrations that involve multiple parts
<img width="400" height="955" alt="image"
src="https://github.com/user-attachments/assets/71903b61-6bd2-486c-903e-b48ae2133887"
/>
## To test
- Verify that you can install the integration and everything else should
be status quo
- Verify that everything should be status quo if the flag is off
## Context
Shifts all remaining dashboard queries into pg-meta so that we
centralize all manually written queries in one place
Having them in packages/pg-meta also allows us to write tests for them
## To test
Just needs a smoke test on
- Role Impersonation
- Lints
- Data API
- Database
- Enumerated Types
- Integrations
- Foreign Data Wrappers
- Vault
## What kind of change does this PR introduce?
Chore that references DEPR-394.
## What is the current behavior?
Key/value editors for headers are implemented separately in multiple
places.
## What is the new behavior?
DEPR-394 is consolidating repeated RHF field-array UIs across Studio and
the design system.
- adds a shared `KeyValueFieldArray` component in `ui-patterns`
- adds a shared `httpHeaderAddActions` helper for preset header rows
- migrates the key/value header editors in:
- Platform Webhooks
- Cron Jobs HTTP headers
- Database Webhooks HTTP headers
- documents the key/value pattern in the design system with:
- a dedicated fragment page
- updated forms guidance
- updated form pattern demos
| Preview |
| --- |
| <img width="1102" height="420" alt="CleanShot 2026-03-23 at 12 22
18@2x"
src="https://github.com/user-attachments/assets/f8d23ff9-7063-462f-8074-b400561f77e9"
/> |
## Additional context
This is PR 1 of a 3-PR stack for DEPR-394.
## Problem
The Query Performance page loaded all results in a single query with a
fixed limit of 20 rows, giving users no way to browse beyond the first
page. There was also no way to control how many rows were shown at once.
## Fix
adds pagination
## How to test
- Navigate to `/observability/query-performance` in Studio
- scroll to bottom
- should automatically load more results
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Ivan Vasilov