## Summary
- Converts ~27 `executeSql` call sites in `apps/studio/data/**` to build
SQL through `safeSql` / `ident` / `literal` / `keyword` /
`joinSqlFragments` instead of raw template-string interpolation.
- Tightens the `useDatabaseCronJobCreateMutation` and
`useDatabaseEventTriggerCreateMutation` `sql`/`query` parameter types
from `string` to `SafeSqlFragment` (callers already produce one).
- Updates `getDeleteEnumeratedTypeSQL` in `packages/pg-meta` to return
`SafeSqlFragment`.
- Fixes a bug noticed while testing where Queues integration does not
correctly handle queues with uppercase names.
## Pages to manually test
- Integrations > Cron Jobs
- Integrations > Queues
- Database > Triggers > Event Triggers
- Database > Indexes
- Reports > Query Performance
- Storage
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Queue lookups now correctly handle case-insensitive queue names.
* Queue table references are now properly managed and consistently
applied throughout the queue management interface.
* Improved queue name display normalization in the user interface.
* **Chores**
* Enhanced SQL query safety across the database layer through
parameterized query construction and safer templating approaches.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Logo field now accepts/editable logo URL, plus a new storage-based
Logo Picker to select or remove images from project storage.
* Full storage picker: browse buckets, columns/list views, search,
drag‑and‑drop uploads, file previews (image/audio/video), and
single-file selection with responsive mobile/desktop layouts.
* **Refactor**
* Logo submission streamlined to send the provided URL directly (legacy
file-read/upload flow removed).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
This connects the Advisor from the splinter repo. Below are the list of
changes:
- Register advisor which should appear in both the legacy Advisors and
Advisors sidebar.
- Adds a "Dismiss" button to the admonition inside the bucket view.
- Makes the check for select policy on public buckets tiny bit
stricter/truer.
This is awaiting the [PR](https://github.com/supabase/splinter/pull/152)
in splinter going in!
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a security lint that flags public storage buckets allowing
listing, with a direct "View bucket" link.
* Users can dismiss public-bucket warnings per project+bucket for 14
days via a Dismiss button.
* **Improvements**
* Tightened policy detection to better target bucket-scoped select
policies and avoid unrelated matches.
* **Telemetry**
* Added events for policy removal and dismiss-button clicks.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Similar to the Advisor, this adds an admonition enabling the user to
disable a public RLS select via dashboard.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Detect public buckets that have removable SELECT policies and show a
contextual warning on the bucket page.
* Let users remove the policy via a confirmation dialog that previews
the removal action.
* Show success/error feedback and automatically refresh storage views
after removal.
* Adjust page layout to surface the warning above the storage explorer.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Charis Lam <26616127+charislam@users.noreply.github.com>
## Context
Shifts all remaining dashboard queries into pg-meta so that we
centralize all manually written queries in one place
Having them in packages/pg-meta also allows us to write tests for them
## To test
Just needs a smoke test on
- Role Impersonation
- Lints
- Data API
- Database
- Enumerated Types
- Integrations
- Foreign Data Wrappers
- Vault
## Context
Related to FE-2557
Part of shifting manually written dashboard queries into
packages/pg-meta where
- pg-meta can be code owners of
- we can write tests for the queries
This PR just shifts all the `.sql.ts` files that we previously created
into packages/pg-meta
There's still other areas where we need to shift over as well which I'll
address in subsequent PRs
## Notable changes
- `getTableRowsCountSql` -> Opted to shift `formatFilterValue` logic out
before calling this method (ref `table-rows-count-query`)
- `getDeleteOldCronJobRunDetailsByCtidSql` -> Opted to shift
`validatePageNumber` logic out before calling this method (ref
`CronJobsTab.useCleanupActions`)
Bug fix
## What is the current behavior?
Read-only users cannot download files because the download feature
requires minting a temporary API key, which is properly blocked for
read-only users.
## What is the new behavior?
Instead of using temporary API keys, we now create signed URLs for the
files to be downloaded. We batch-create signed URLs for an entire
folder's worth of files, requiring only a single management API call,
then use those signed URLs to download the files. This allows read-only
users to download files without needing elevated permissions.
## Additional context
Resolves FE-2737
## Context
Related to Dashboard Scalability, specifically having Postgres team as
CODEOWNERS for dashboard queries
This is just a clean up as we're currently piling manual queries into
one folder under `data/sql/queries`, whereas I reckon it'll be better
for each query to sit within their RQ folder for better context.
Am opting the naming format for files housing queries to be `*.sql.ts`,
and also updating CODEOWNERS to reflect as such
Next step will also be to shift all the dashboard queries within pg-meta
into studio itself as requested by the pg-meta team
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Consolidated and reorganized internal module structure for the data
layer to improve maintainability and reduce redundancy.
* Streamlined import paths across components to align with new
consolidated module organization.
* **Chores**
* Updated code ownership patterns to reflect reorganized file structure.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ali Waseem <waseema393@gmail.com>
* fix(studio): use paginated buckets query for useSelectedBucket
Part of the effort to migrate all buckets list queries to the paginated
version. This migrates the useSelectedBucket hook, which is used on the
bucket details page to fetch the bucket info.
* fix(studio): flash of stale content when switching buckets
There's a flash of stale content when switching between buckets in the
File Explorer. This happens since the change to useSelectedBucket,
because when the bucket changes, the new data is no longer available
immediately. It must be awaited, and meanwhile `columns` in global
storage state is stale. This commit adds a check for whether the state
is stale by checking the current ID against the stored ID.
---------
Co-authored-by: Ali Waseem <waseema393@gmail.com>
The command menu search option uses the unpaginated version of the
buckets endpoint, which times out / causes jankiness when users have
tends of thousands of buckets.
Switch to using the paginated version. The old behaviour is preserved,
where only the first 10 results are shown, and the user has to specify a
more specific search query to get other buckets. This is for UX
simplicity, since this is a convenience feature, and fully
infinite-loading search is available in the full Storage interface.
* feat(studio): show icon on tables exposed by data api
Show an icon in the Table Editor for tables that are exposed via the
Data API.
* refactor(studio): move table api access query up to parent
* fix(studio): invalidate table privileges query on table create
* fix(studio): make RLS disabled warning on table editor more obvious
Change from warning -> danger
* Only show add foreign key in side panel if isSuccess
* chore(studio): put data api exposed badge behind feature flag
Only show badge for now if flag `dataApiExposedBadge` is enabled.
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
The global storage size validation depends on an unpaginated buckets
query to determine whether it is lower than any individual bucket's
cutoff. This causes a problem for users with tens of thousands of
buckets.
There's a bit of a UX/performance problem here, because in order to
determine whether any bucket's `file_size_limit` exceeds the global
setting, we need to get the max `file_size_limit` of `storage.buckets`
-- however, that column is not indexed.
My workaround is:
- Below a certain threshold (10,000) buckets, the query for max
`file_size_limit` is automatically run on form submit.
- Above that threshold, the user must confirm whether they want to run
the query. They're still allowed to change the storage config without
running it -- this does open a loophole where they can have a global
storage setting lower than an individual bucket's file size limit, but
though this is a potentially confusing situation, it's not strictly an
error.
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* Bump the deps, refactor deprecated code.
* Migrate keepPreviousData usage.
* Migrate all uses of InfiniteQuery.
* Fix refetchInterval in queries.
* Migrate all use of isLoading to isPending in mutations.
* Fix accessing location in claim-project.
* Fix a bug in duplicate query keys.
* Migrate all queries to use isPending.
* Revert "Fix accessing location in claim-project."
This reverts commit 2a07df64b5.
* Revert the rss.xml file to master.
* feat(studio): use bucket pagination for api docs
API docs V2 updated to use pagination for fetchign storage buckets.
Also some refactoring to split up large components for docs V2
interfaces.
* fix(studio): use bucket endpoint for getting single bucket
The bucket list endpoint now accepts pagination options. Adapting the
storage buckets table UI to paginate in pages of 100 buckets at a time,
with infinite loading/scrolling.
* Midway
* Hook up create/delete table, and update all iceberg RQs with mgmt API routes
* Add insert data CTA, update create table logic for decimal and fixed types
* Clean up
* Nit
* Fix test
* Refactor the iceberg queries and mutations to use getOrRefreshTemporaryApiKey.
* Fix the uses of the mutations.
* Hardcode the temp api keys queries at 60 seconds.
* When creating a s3 vectors fdw, add the target schema as a server option.
* Fix a bug in the row link, it didn't work when you middle click.
* Refactor the protected schema logic to include schemas from all fdws.
* Refactor the protected schema logic to include fdw type and name. Change the ProtectedSchemaWarning to show different messages for the 2 fdw types.
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* Retrieve temporary API key within iceberg-namespace-tables-query
* Retrieve temporary API key within iceberg-namespace-table-delete-mutation
* Retrieve temporary API key within iceberg-namespaces-query
* Fix
* Retrieve temporary API key within iceberg-namespace-create-mutation
* Update based on comments
* Fix childProps in Admonition so that they're added as a prop to the main div.
* Replace the admonition with Alert in Wrapper tab page to add a gap between childs.
* Add s3 vectors fdw.
* Minor fix to FormSection.
* Update the fdw mutations to support passing in options.
* Refactor the vector flow to create fdws.
* Revert cron description change.
* If the bucket can't be created, don't create a fdw.
* Update/delete the fdw when deleting a table or a bucket.
* Minor fixes.
* Clean up the delete modal.
* Handle edge cases when missing a wrapper.
* Remove the admonition in the create bucket modal.
* Fix the loading state when creating a bucket.
* Fix the createWrapper sheet to work with s3 vectors.
* Fix undefined wrapperMeta issue.
* Create the schema when installing a wrapper.
* Tiny cleanup.
* Clean up unneeded useState. Create a wrapper only if the all conditions are met.
* Fix all comments.
* Add s3 vectors for docs.
* Add a link and fix the file name for S3 Vectors in docs.
* Hide the table editor button if the wrapper instance is missing.
* Small fixes.
* midway
* Hook up connect tables e2e
* Update isEnabled flag
* Change connectingStep to enum
* Nit
* Nit
* Nit
* Only show replication status if theres a publication
* Improve loading state in etl page
* Refactor + Clean up + Add long poll logic when adding more tables
* Initial work on vector buckets.
* Add more queries and UI.
* chore(studio): vector buckets contents (#39705)
* language
* match analytics buckets
* shared empty state
* proper loading state
* create dialog cleanup
* simplify copywriting
* proper details
* filtering
* use real data
* chore(studio): vector buckets polish A (#39759)
* empty state
* better checks
* bucket name in sheet
* fix typo
* sheet improvements
* rename vector index to vector table
* cleanup
* More work on the vector indexes.
* Add delete for bucket and indexes. Create index should now work.
* chore(studio): vector buckets polish B (#39794)
* loading
* delete modal
* fix modal behaviour
* Add modal for deleting vector buckets.
* Bring back the shimmering loader.
* chore(studio): vector buckets polish C (#39887)
* fix bucketname on deletion dialog
* empty states
* remove extraneous padding
* proper loading and not-found cases
* Minor fixes.
* Minor updates to the vector components.
* Add more instructions to the cursor rules.
* Some refactors and shifting files around
* Refactor analytics buckets detial to improve time to fcp
* Fix
* Refactors + simplify
* Last few nits, just leaving comments
* If the bucket is not empty, delete all indexes first.
---------
Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com>
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* First pass of deprecating old storage UI components
* Clean up local-storage flag for new storage UI
* Add coming soon UI for analytics and vector buckets pages
* Set up warning states for analytics buckets
* fix spelling and margin
* Smol fix
* nit
* Surface wrappers upgrade check in UI instead of toast
* Nit clean up
* update tests
---------
Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com>
* Add custom types for queries, mutations and infinite queries.
* Migrate all queries to use the new type.
* Migrate all infinite queries to useCustomInfiniteQueryOptions.
* Migrate all mutations to use useCustomMutationOptions.
* Add type to all imports in `types` folder.
* Migrate all uses of invalidateQueries to use object syntax.
* Migrate the remainder of useInfiniteQuery.
* Migrate all setQueriesData.
* Migrate all fetchQuery uses.
* Migrate some leftover functions from RQ.
* Fix issues found by Charis.
Charis