## Summary
- MCP `getSecurityAdvisors` and `getPerformanceAdvisors` now pass
`exposedSchemas` to `getLints`, fixing empty advisor results in
local/self-hosted environments
- Extracts `DEFAULT_EXPOSED_SCHEMAS` constant shared between the MCP
handler and the `run-lints` API route (cc @joshenlim related
https://github.com/supabase/supabase/pull/40043)
- Adds unit tests for `enrichLintsQuery` and the MCP advisor operations
## The bug
The MCP advisor tools (`get_advisors`) return empty arrays (`[]`) for
**all** scenarios when running locally via `supabase start`. No security
or performance advisors are surfaced, even when the database has clear
issues (e.g., tables with no RLS).
### Root cause
In `lib/api/self-hosted/mcp.ts`, both `getSecurityAdvisors` and
`getPerformanceAdvisors` call `getLints({ headers })` **without passing
`exposedSchemas`**:
```typescript
// Before (mcp.ts:131)
const { data, error } = await getLints({ headers })
```
When `exposedSchemas` is `undefined`, `enrichLintsQuery` in `lints.ts`
skips the `SET LOCAL pgrst.db_schemas = '...'` SQL statement:
```typescript
// lints.ts:23
${!!exposedSchemas ? `set local pgrst.db_schemas = '${exposedSchemas}';` : ''}
```
Without this GUC being set, the splinter SQL queries filter results
using `current_setting('pgrst.db_schemas', 't')` — which returns an
empty string in local environments. Every schema-filtered lint matches
no schemas and returns zero rows.
### Why this only affects local/self-hosted environments
In **hosted Supabase**, PostgREST sets the `pgrst.db_schemas` GUC on its
own database connections based on the project's API configuration. The
Studio MCP server in production reads the same project configuration, so
the GUC is already available.
**Locally**, PostgREST runs in a separate Docker container and only sets
this GUC on _its own_ connections. Studio connects directly to
PostgreSQL (bypassing PostgREST), so
`current_setting('pgrst.db_schemas', 't')` returns `''`.
The HTTP API endpoint (`/api/platform/.../run-lints`) already worked
because `run-lints.ts` passes `exposedSchemas: 'public, storage'` — this
parameter was simply never added to the MCP code path.
## How we verified the fix
### 1. Tests written to fail against the previous code
We wrote two test files that target the exact bug:
**`tests/unit/lints/enrichLintsQuery.test.ts`** — validates the SQL
generation:
- Confirms `SET LOCAL pgrst.db_schemas` is included when
`exposedSchemas` is provided
- Confirms it's omitted when `undefined` or empty (documenting current
behavior)
**`tests/unit/lints/mcp-advisors.test.ts`** — validates the MCP
operations:
- Asserts `getSecurityAdvisors` passes `exposedSchemas` to `getLints`
- Asserts `getPerformanceAdvisors` passes `exposedSchemas` to `getLints`
- Asserts the value matches `DEFAULT_EXPOSED_SCHEMAS`
- Verifies SECURITY/PERFORMANCE category filtering still works
Before the fix, the two `exposedSchemas` assertions failed:
```
FAIL getSecurityAdvisors should pass exposedSchemas to getLints
→ expected { Object (headers) } to have property "exposedSchemas"
FAIL getPerformanceAdvisors should pass exposedSchemas to getLints
→ expected { Object (headers) } to have property "exposedSchemas"
```
### 2. Fix applied, all tests pass
After adding `exposedSchemas: DEFAULT_EXPOSED_SCHEMAS` to both MCP
operations, all 14 tests pass (9 new + 5 existing MCP tests).
## Test plan
run `supabase start`, create a table without RLS, call `get_advisors`
via MCP — should return `rls_disabled_in_public` lint
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
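
The root cause described in the commit message above, as an added TypeScript model (not Supabase's code). Only `DEFAULT_EXPOSED_SCHEMAS`, `exposedSchemas` and the `pgrst.db_schemas` statement come from the page; `Table`, `AdvisorResult`, `gucPrefix`, `currentSetting`, `rlsDisabledLint`, `runAdvisor` and the sample tables are hypothetical. The `evaluated` flag is an assumption added here so that an unset schema filter is not read as a clean database.

```typescript
// Added model of the bug; not Supabase's code. Only DEFAULT_EXPOSED_SCHEMAS,
// exposedSchemas and the pgrst.db_schemas statement come from the page.
const DEFAULT_EXPOSED_SCHEMAS = 'public, storage' // value run-lints.ts passes, per the page

type Table = { schema: string; name: string; rlsEnabled: boolean }
type AdvisorResult = { evaluated: boolean; findings: string[] }

// Same conditional as the line quoted from lints.ts.
function gucPrefix(exposedSchemas?: string): string {
  return exposedSchemas ? `set local pgrst.db_schemas = '${exposedSchemas}';` : ''
}

// Hypothetical stand-in for current_setting('pgrst.db_schemas', 't') on a direct
// connection: the value from the prefix if present, otherwise '' as the page reports.
function currentSetting(sqlPrefix: string): string {
  const match = /set local pgrst\.db_schemas = '([^']*)';/.exec(sqlPrefix)
  return match?.[1] ?? ''
}

// Hypothetical stand-in for one schema-filtered lint (tables without RLS).
function rlsDisabledLint(tables: Table[], dbSchemas: string): AdvisorResult {
  const exposed = dbSchemas.split(',').map((s) => s.trim()).filter((s) => s.length > 0)
  const findings = tables
    .filter((t) => exposed.indexOf(t.schema) !== -1 && !t.rlsEnabled)
    .map((t) => `${t.schema}.${t.name}`)
  // evaluated=false marks "no schema was checked", which is different from "no issues".
  return { evaluated: exposed.length > 0, findings }
}

function runAdvisor(tables: Table[], exposedSchemas?: string): AdvisorResult {
  return rlsDisabledLint(tables, currentSetting(gucPrefix(exposedSchemas)))
}

// Constructed sample catalogue.
const SAMPLE_TABLES: Table[] = [
  { schema: 'public', name: 'profiles', rlsEnabled: false },
  { schema: 'public', name: 'orders', rlsEnabled: true },
  { schema: 'internal', name: 'jobs', rlsEnabled: false },
]

const beforeFix = runAdvisor(SAMPLE_TABLES) // models getLints({ headers })
const afterFix = runAdvisor(SAMPLE_TABLES, DEFAULT_EXPOSED_SCHEMAS)
console.log(beforeFix, afterFix)
```
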
The self-hosted version of the
/platform/projects/[ref]/analytics/log-drains endpoint is always
returning a 200 even if the upstream errors, which causes the frontend
to crash because the returned data is not a JSON array. Updated to
properly return a 500 for errors.
* Use the .sql suffix when generating ids.
* Fix a bug where a new snippet would not show up in the snippet list until refresh.
* Add API routes which serve file snippets.
* Refactor the renameSnippet and moveSnippet to work with file snippets.
* Change the link to the SQL Editor.
* Minor fixes from CodeRabbit.
* Check the file/folder name for invalid chars.
* More fixes from CodeRabbit review.
* Fix minor issues.
* Use zod to parse the snippet ids when deleting.
* Try to fix snyk issue.
* Add validation to the GET content index route.
* Minor fixes.
* Show create a new folder, it was hidden by mistake.
* Add SNIPPETS_MANAGEMENT_FOLDER env var.
* Add snippets folder in the docker-compose.
* Add error toasts if the env var is not set.
* Add snippets management folder to the generateLocalEnv script.
* Revert the docker-compose changes, will be done in a followup PR.
* Revert also the snippets volume folder.
* Remove unneeded line.
* Deduplicate @babel/core.
* Remove explicit dependency of import-in-the-middle (it's imported in sentry deps).
* Add an API route for api-keys/temporary.
* Refresh the token if on self-hosted.
* Readd import-in-the-middle.
* Bump supabase to 2.50.3 which contains fixes for storage upload.
* Update Supabase docs URLs to use env variable
Co-authored-by: a <a@alaisteryoung.com>
* Refactor: Use DOCS_URL constant for documentation links
This change centralizes documentation links using a new DOCS_URL constant, improving maintainability and consistency.
Co-authored-by: a <a@alaisteryoung.com>
* Refactor: Use DOCS_URL constant for all documentation links
This change replaces hardcoded documentation URLs with a centralized constant, improving maintainability and consistency.
Co-authored-by: a <a@alaisteryoung.com>
* replace more instances
* ci: Autofix updates from GitHub workflow
* remaining instances
* fix duplicate useRouter
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: alaister <10985857+alaister@users.noreply.github.com>
* fix(www): types for awaited params
* fix(docs): no extraneous exports from route page
* fix(studio): api handler types, no non-handlers allowed in pages
* fix: use storage endpoint in S3 settings
* Update retrieval of endpoint for analytics bucket related components
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* Deprecate use of getWithTimeout, refactor BuildingState and RestoringState to use RQ
* Refactor profile-create-mutation to use data/fetchers, and edge-function-status-query to use fetch
* Shift post from lib/common/fetch, refactor bucket-object-download-mutation
* Address feedback
* Minor fix
* Refactor post calls from lib/common/fetch in auth pages to data/fetchers
* Add missing POST users endpoint + small fix when deleting user via context menu
* Remove all use of any imports from lib/common/fetch
* Clean up remaining usage of lib/common/fetch
* Fix fetchHeadWithTimeout
* simplify handleFetchError
* allow handleFetchError to accept unknown
* non-breaking change
* small fixes
* fix query path
---------
Co-authored-by: Alaister Young <a@alaisteryoung.com>
* init
* Update inner-side-menu.mdx
* chore: update SQL sidebar to use ui pattern components
* mor
* Update
* Update index.tsx
* init: merge table editor and sql editor and schema visualization together
* more
* move to valtio
* fix issue with Command+B shortcut
* now shows in treeviews if item is opened in tab
* Update ProjectLayout.tsx
* fix sidebar
* fix schema selector for non explorer version
* show schema name in tabs
* added schema names to tabs
* tabs have been updated to support preview tabs
* fix URL issue
* add empty state stuff
* Update SQLEditorNav.tsx
* preview tab works now
* more tabs stuff. 'new' tab also added
* new tab concept
* updates
* fix type errors
* remove unused files
* update test
* move back button, fix width issues on sidebar
* update sidebar logic
* Update ProjectLayout.tsx
* lots of updates. layouts now streamlined. localstorage for tabs in use
* moar
* bunch of new tab logic
* fix empty tab issue
* Update tabs.ts
* layouts switched
* new pages now have fixed layouts
* fix tabs
* fix code bg
* add tabs support for multiple project refs
* initialization issue
* update ID handling
* fixed isOpened state for SQL snippets
* remove old assistant because it's bugging up panels
* preview style works in sql editor
* fix border
* removes preview tab if there is one
* fix background of loading skeleton
* lots of issues with types/icons/redirect
* new tab cards
* snippets in empty state now work
* moar stuff
* tabs now in feature flags
* Update tabs.ts
* Update tabs.ts
* moar
* add feature previews
* remove code not needed
* Update next-env.d.ts
* Delete FeaturePreviewModal.tsx
* fix typescript errors. remove more explorer stuff
* remove explorer files
* fixed issues with templates and quickstarts tab
* fixed active state when tabs are not opted in
* logic error
* fix open/highlight issue when opted out of tabs
* templates/quickstarts now displayed with new cards
* Update recent-items.tsx
* Update new-tab.tsx
* add icon back in
* add old empty state back in
* recent items updated to respect project ref
* localstorage cleanup on deletion
* moar
* overflow tabs now working
* correct tab names used for new sql templates/quickstarts
* ongoing queries fix
* cleanup
* update images
* Update RouteValidationWrapper.tsx
* Update AppLayout.tsx
* Update NavigationBar.tsx
* add headers back into side panels
* improve writing
* tabs now drag and drop a billion times better
* Update tabs.tsx
* Update tabs.tsx
* init issues on stores, which caused a race condition.
* fix hydration error
* fix new tab issue in sql
* Update ProjectLayout.tsx
* Update pnpm-lock.yaml
* Update new-tab.tsx
* move EditorMenuListSkeleton
* Fix type issues
* fixes: DESIGN-87
* refactor sort/filter components
* Update rules-set-button-text.tsx
* remove discussions for now
* small styling fixes
* Update FeaturePreviewModal.tsx
* Update FeaturePreviewModal.tsx
* Update RouteValidationWrapper.tsx
* revert
* revert
* revert
* revert
* revert
* more revert
* Update collapse-button.tsx
* Update SQLEditorTreeViewItem.tsx
* revert
* Update SchemaGraph.tsx
* Delete new-upcoming.tsx
* revert
* Update ProjectLayout.tsx
* fix home link
* Update table-editor.spec.ts
* test update
* Update table-editor.spec.ts
* Fix the playwright tests.
* layout fixes
* layout fix
* revert sort/filter
* Update LastSignInWrapper.tsx
* revert
* revert
* remove
* update file names
* revert
* revert
* revert
* Fix TreeView console error props
* Add guards in SQL Editor to ensure that feature preview tabs changes do not affect existing UI when flag is off
* Fix missing DefaultLayout in SQL editor templates + fix New tab
* Remove console log
* Remove DatabaseSelector for SQL editor on local
* Fix SQL editor shared favorites for local
* Fix test
* Ensure NewTab doesn't show up if flag is not toggled for SQL editor
* Decouple UI state changes from content-query and entity-types-infinite-query
* Fix tab closing unnecessary rerouting
* Beef up feature previews
* Fix create new table from table editor new tab
* Fix tabs getting incorrectly reset when going between table and SQL editors
* Fix last visited SQL snippet for both tabs and not tabs
* Fix last visited table for table editor tabs
* Clear dashboard history when closing last tab
* Fix loading dashboard history
* Add comment to refactor stores
* Ensure we only save up to 8 items for recent items for each type
* Remove unnecessary logic in tabs
* Smol style fix for DeleteAccountButton
* Smol fix
* Fix inability to close New tab
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Co-authored-by: Alaister Young <a@alaisteryoung.com>
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
* fix: response error codes
* upgrade docs
* remove request url modification middleware
* move api routes for self-hosted to platform folder
* remove some lib/common/fetch usage
* docs: use middleware for openapi-fetch (#30600)
Get rid of the unauthedAllowedPost function (I don't think there's any harm in letting any requests that require authentication to just 403, they should be disabled at the React Query level and if not they will fail gracefully enough...)
* fix local count query
* add default values for clone mutation
* fix ts and codegen
* add missing lodash dep to playwright tests
* Fix the playwright tests to match the new folder structure for selfhosted variant.
* remove unused import
* Remove unused state
* remove unused sql debug mutation
* remove unused export
* fix notifications query
* fix jwt updating status
* fix typescript
* save sql snippet after renaming
* update codegen & fix ts error
* override array querySerializer
---------
Co-authored-by: Charis <26616127+charislam@users.noreply.github.com>
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>