mirror of
https://github.com/supabase/supabase.git
synced 2026-07-12 02:16:17 -04:00
create-pull-request/patch
154 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
4901f081e5 |
Migrate remaining requests to pg-meta API to use query endpoint (#47758)
## Context Migrates the remaining API requests to the pg-meta endpoint to use the query endpoint directly with the SQL from the pg-meta package. This touches the following: - policies - publications - triggers - views - materialized views - types ## To test Just need to verify that we're still fetching the data correctly on these pages - Database policies - Database publications - Database triggers - Database tables (views + materialized views) - Database types <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved and stabilized loading of database metadata (views, triggers, RLS policies, publications, materialized views, and enum types), including more reliable schema-scoped filtering. * Updated policy loading behavior and related UI queries to consistently use schema arrays, improving cache correctness and consistency. * **Tests** * Updated end-to-end test synchronization to wait for the correct metadata responses using more specific request identifiers. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
fd8a37b1d0 |
feat: add toggle for sensitive data visibility in table columns (#46180)
## Fixes FE-2619 ## What is the new behavior? This PR adds support for marking table columns as sensitive and masking their values in the grid view. Sensitive columns: - Display an 8-dot mask instead of the underlying value - Remain masked across page refreshes - Can be temporarily revealed for 5 seconds via the **Show data** action - Display a warning when copying rows containing sensitive data This helps prevent accidental exposure of sensitive information when sharing screens, recording demos, or taking screenshots. ## Testing - [x] Toggle sensitivity ON → save → refresh → remains masked - [x] Toggle sensitivity OFF → save → refresh → remains unmasked - [x] Toggle sensitivity multiple times → state remains consistent - [x] Copy row with sensitive columns → warning shown - [x] Click **Show data** → value revealed for 5 seconds then re-masked - [x] Text, Boolean, Binary, JSON, and Foreign Key columns all display a consistent 8-dot mask ### Test data SQL fixture covering multiple PostgreSQL data types: https://gist.github.com/monicakh/2485e9054bf21045912359871e9a1cb4. ### UI <img width="1284" height="554" alt="CleanShot 2026-06-09 at 12 01 33@2x" src="https://github.com/user-attachments/assets/4aec0ba7-c874-42d7-9442-d2c704b319cc" /> <img width="1200" height="560" alt="CleanShot 2026-06-07 at 10 43 40@2x" src="https://github.com/user-attachments/assets/b9569484-6fcc-47de-bc3d-881d0edc4060" /> The **Show data** action is only available for sensitive columns. <img width="450" height="400" alt="CleanShot 2026-06-07 at 10 42 18@2x" src="https://github.com/user-attachments/assets/d48849a2-ec0b-4522-a787-561a1d204ec9" /> Warnings on Copy command <img width="450" height="80" alt="CleanShot 2026-06-09 at 11 58 42@2x" src="https://github.com/user-attachments/assets/374e7d6b-b82a-4923-b035-2ec9b2f7bb7d" /> <img width="450" height="80" alt="CleanShot 2026-06-09 at 11 58 58@2x" src="https://github.com/user-attachments/assets/ecd951bb-e9e2-47ae-9ddd-d32969e01c12" /> <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46180?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: supabase-autofix-bot <noreply@supabase.com> Co-authored-by: Ali Waseem <waseema393@gmail.com> |
||
|
|
18431efb25 |
fix(studio): TanStack post-merge fixes — Monaco loader, fonts, CSP (from #46424) (#47657)
Post-merge fixes for the TanStack Start migration (#46424) — things that broke on the TanStack build as master evolved under the migration branches. Kept on their own branch off master rather than piling onto the E2E-matrix PR (#47119); all land on master and cascade up to S6 + the big PR. Common theme: a master PR changed something the Next pipeline handles via `next/font` / `pages/_app.tsx` / `next.config.ts`, but the hand-rolled TanStack equivalent (`routes/__root.tsx`, `styles/fonts.css`, `vercel.ts`) wasn't updated to match — invisible on the Next deploy, broken only on TanStack. --- ## 1. Monaco loader path (#47182) #47182 re-nested the served Monaco assets from a flat `public/monaco-editor/` layout into `public/monaco-editor/vs/` and updated `pages/_app.tsx`, but `routes/__root.tsx` still pointed `loader.config` at the old path, so `loader.js` 404'd and **no Monaco editor mounted anywhere in the TanStack build**. Now mirrors the Next config (`${origin}${BASE_PATH}/monaco-editor/vs`, window-guarded for SSR). Was failing the whole `tanstack` E2E shard on #47119. ## 2. Inter + Manrope fonts (#47306) #47306 renamed Tailwind's sans var `--font-custom` → `--font-sans` and added `--font-heading` (Manrope), set via `next/font` on Next. `fonts.css` still only set the now-ignored `--font-custom`, so the body fell back to the theme's system chain (`Circular, custom-font, Helvetica…`) at weight 450 — that's the "Inter weights look wrong". Manrope was missing entirely. - Wire `--font-sans` (Inter) + `--font-heading` (Manrope) to match `next/font`. - **Vendor all three families** (Inter, Manrope, Source Code Pro) via `@font-face` so nothing depends on the Google Fonts CDN — matches `next/font` self-hosting, and (see below) `font-src` doesn't allow `fonts.gstatic.com` anyway. Verified in-browser: computed `body` → `Inter`, headings → `Manrope`, all loading from local `/assets/*.woff2`. ## 3. Security headers / CSP (next.config.ts `headers()`) The Next build sets X-Frame-Options / X-Content-Type-Options / HSTS / **Content-Security-Policy** / Referrer-Policy via `next.config.ts`. The TanStack build never carried these over — `vercel.ts` only set cache-control, so **the deployed TanStack dashboard shipped with no CSP at all**. The TanStack deploy serves a static shell (no server to attach headers), so they go in the Vercel config: - `security-headers.ts` — shared source of truth, reuses `getCSP()`, env-gated exactly like next.config. - `vercel.ts` — apply to every response (all base-path prefixes): full `getCSP()` + HSTS on platform. - `scripts/serve.js` — the non-platform set (`frame-ancestors 'none'`) for the self-hosted server. **Tested the policy in a real browser** (temporarily enforced it on the TanStack build via /test-supabase-local): everything passed except one real gap — `font-src` was missing `data:`, so GraphiQL's bundled Monaco codicon font and Stripe's payment-element fonts (both data: URIs) were blocked (37 violations on a cold load). Added `data:` to `font-src` in `csp.ts` → violations drop to zero, SQL editor Monaco renders clean. That gap affects the Next build too. --- ## 4. `node:path` import crashing `/project/[ref]/merge` Found by a full-site click-through of the TanStack build (all product areas, ongoing — see below). `useEdgeFunctionsDiff.ts` + `EdgeFunctionsDiffPanel.tsx` did `import { basename } from 'path'` in client code. Webpack (Next) polyfills `path` in the browser; Vite externalizes it, so the whole `/merge` route crashed with "Module \"path\" has been externalized for browser compatibility". Replaced the two `basename` call sites with a string helper. Verified in-browser: `/merge` renders. ## 5. URL shape — Next-style search-param semantics + shim fixes The dashboard produced malformed URLs vs the Next build (strange query params, trailing slashes, `##` hashes). Root cause + audit verified empirically against `@tanstack/react-router@1.170.10`; all fixed with unit tests and browser-verified: - **`createRouter` used TanStack's default JSON search codec** — `?flag=true` became `?flag=%22true%22` via links, repeated `?filter=…&filter=…` collapsed into a JSON array (breaking multi-filter/sort table-editor URLs and the account-page round-trip, which double-encoded), and search values arrived as numbers/booleans where the app expects strings. New `lib/router-search-params.ts` (Next-style: strings in, strings out, repeated keys → string[]) wired into the router. - **Link shim** (`compat/next/link.tsx`): `URL.hash` includes the leading `#` while TanStack's `hash` prop adds its own → every `href="…#section"` navigated to `##section` (hash-scroll broke); `Object.fromEntries(searchParams)` dropped repeated query params. Both fixed. - **Trailing slash injected before the query** on every `?`-only relative navigation (`/auth/providers/?provider=…`): fixed in the compat router (prefix current pathname) and via a custom nuqs adapter (`lib/nuqs-tanstack-adapter.tsx`) replacing the stock tanstack-router adapter, whose `navigate({ to: '?…' })` writes hit the same TanStack behavior (123 files use nuqs). - **Pathname-less `router.push({ query })` leaked path params** — Next re-consumes `ref`/`id` from `query` into the path pattern; the shim didn't, yielding `/editor/17597?schema=public&ref=<ref>&id=17597&filter=…` from table-editor filter/sort, linter panels, and advisor shortcuts. The shim now defaults the pathname to the current route pattern and backfills omitted params. - **Redirects dropped query + hash** (Next's `redirects()` preserves them): `__root.tsx` `matchRedirect` and `routes/index.tsx` now carry incoming params/hash through (consumed rule params excluded, destination's own params win). `/?next=new-project&projectName=zzz` → `/new/new-project?projectName=zzz`; `/sql/quickstarts?template=x#frag` → `/sql/examples?template=x#frag`. Browser-verified post-fix: advisors `?preset=WARN`, providers `?provider=Google`, `?schema=auth` — all clean (no `/?`, no leaks); repeated `filter` params survive hydration; `=true` unquoted; single `#`. ## 6. TanStack `navigate` corrupting query values (Logs Explorer SQL newline loss) TanStack router-core treats a query string embedded in `navigate({ to })` as part of the *path*: `decodePath` percent-decodes it and `sanitizePathSegment` strips control characters, silently deleting every `%0A`. Logs Explorer's SQL (`s` param) lost its newlines on Run/reload — `order by timestamp desc` / `limit 5` glued into `desclimit 5`, which then failed the LIMIT lint. Pre-existing on the TanStack build (the stock nuqs adapter had the same shape); Next unaffected. Fixed by never embedding query strings in `to`: the nuqs adapter and the compat `router.push`/`replace`/`prefetch` (plus the `next/navigation` shim) now pass search as an object through the app codec (`splitInternalUrl` hoisted to `lib/internal-url.ts`). Guard test drives a real `createRouter` with multi-line SQL through both producers. Browser-verified: newlines survive the full Run → reload → re-Run cycle. ## 7. Integration overview markdown never loaded (all integrations) `MarkdownContent` used a template-literal dynamic import (``import(`@/static-data/integrations/${id}/overview.md`)``) — webpack builds a context module for that, Vite can't analyze it, so every integration detail page threw `Failed to resolve module specifier` and rendered no overview text. Fixed with an explicit lazy registry of literal imports (`static-data/integrations/overviews.ts`, drift-guarded by a test) plus an `mdRawLoader()` Vite plugin mirroring next.config's turbopack raw-loader rule. Both runtimes keep working; md stays out of the main bundle. ## 8. GraphiQL editor never mounted (`exports is not defined`) Our `umdAmdShortCircuit()` Vite plugin (which disarms Monaco's global AMD loader for deps like papaparse) rewrote `typeof define === 'function' && define.amd` to `false` inside `monaco-editor`'s bundled copy of marked — whose UMD relies on its own *local* `define` shim — so the whole optimized monaco chunk failed to evaluate and GraphiQL's editor pane stayed blank. The check now only short-circuits when `define` is the global AMD loader. Browser-verified: all four GraphiQL Monaco panes mount, queries execute. (Known follow-up: GraphiQL's Monaco workers fall back to the main thread under Vite — functional, worker wiring is Next-specific `setup-workers/webpack`.) ## 9. `@sentry/nextjs` bundling Next internals — built TanStack bundle crashed (caught by E2E) The E2E suite against the **built** TanStack bundle (not the dev server) found lazy chunks like `table-editor-*.js` dead on arrival: `@sentry/nextjs` (imported by ~25 client files) drags in `next/dist/shared/lib/constants`, whose module scope evaluates `process?.features?.typescript` — optional chaining doesn't guard an undeclared `process` in the browser, so the whole chunk failed at load with `ReferenceError: process is not defined`. Dev shims `process`, which is why weeks of dev-server testing never saw it. Fixed by aliasing `@sentry/nextjs` → `compat/sentry-nextjs.ts` (re-exports `@sentry/react`, same deduped 10.59.0, plus explicit stand-ins for the three Next-only APIs) in the Vite build only. Verified: fresh build has zero Next-internals markers in any chunk; table editor loads clean; full E2E suite run against the built bundle. Note for the stack: `alaister/tanstack-start` / the E2E-matrix branch already carried a different fix for the same crash (a `next/constants` shim) that never made it to master — the cherry-pick onto those branches keeps **both** (the shim covers any other transitive importer; the alias keeps Next internals out of the client bundle entirely). **Follow-up found while fixing:** Sentry is never *initialized* in the TanStack runtime — `instrumentation-client.ts` / `sentry.server.config.ts` are Next-convention files nothing imports under TanStack, so `captureException` calls are silent no-ops. Needs an `@sentry/react` init (+ `tanstackRouterBrowserTracingIntegration`) wired into the TanStack client entry as its own PR. ## 10. GraphiQL Monaco workers + edge-function Deno typings (Vite-only gaps) - **GraphiQL's Monaco workers ran on the main thread** under Vite ("Could not create web worker(s)…" — `setup-workers/webpack`'s `new URL(...)` form isn't rewritten by Vite). A `graphiqlViteWorkers()` plugin resolves the import to graphiql's own `setup-workers/vite` variant for client builds (SSR untouched, Next untouched); the setup-workers chain is `optimizeDeps.exclude`d because the Rolldown optimizer can't load `?worker` ids. - **Edge-function editors silently lost their Deno typings** — `AIEditor` loaded `public/deno/*.d.ts` via `/* @vite-ignore */` imports that always failed at runtime under Vite. The `.md` raw loader is generalized into `rawTextLoader` (exact-path allowlist for the two typings files, served as virtual string modules so the dep scanner never parses `.d.ts` syntax), and the imports are now static-analyzable literals that both bundlers handle (turbopack's raw-loader rules match them on the Next side). ## Split out for reviewability App-level fixes that reproduce on the Next build too (DOM-nesting hydration errors, the ghost deleted-snippet nav, the recurring pg-meta `migrations` 400) moved to their own PR: #47667. Sentry initialization for the TanStack runtime (captures were silent no-ops) is #47666, stacked on this PR. ## Full-site test campaign Drove every dashboard product area on the local TanStack build (Playwright, human-style) hunting migration regressions: redirects/404/catch-alls, org, account, project home/branches/merge, table editor CRUD, SQL editor (Monaco/run/save/templates/AI), all database pages, all auth pages, storage CRUD, edge functions + realtime, logs/observability, advisors, settings, integrations hub incl. nested routes, global UI (palette/connect/switchers/theme/fonts), and a cross-cutting sweep (document titles, back/forward chain, hard-refresh hydration on deep URLs, trailing-slash active state). Every failure found is fixed above and re-verified in-browser; remaining console quirks were cross-checked against the deployed Next build and are pre-existing (tracked separately). ## To test Most fixes are already browser-verified + covered by unit tests and the self-hosted E2E suite; the last two landed after the final browser pass and still need an in-browser check: 1. **GraphiQL Monaco workers** — restart the dev server (clear `apps/studio/node_modules/.vite` once first — the optimizer cache may hold a stale prebundle of the worker chain). Open `/project/<ref>/integrations/graphiql/graphiql` with the console open: the `Could not create web worker(s). Falling back to loading web worker code in main thread` warning must be gone, and DevTools → Sources → Threads shows the three workers (json, editor, graphql). Autocomplete in the query editor stays responsive. 2. **Edge-function Deno typings** — `/project/<ref>/functions/new`: no "Failed to load … typings" console error, and typing `Deno.` in the editor offers typed completions (e.g. `Deno.env`). Spot-checks for the rest (all previously verified): - `/project/<ref>/merge` renders (no "Module path" crash). - Multi-line SQL in Logs Explorer survives Run → reload (no `desclimit` gluing, no LIMIT-lint false failure); `s` param keeps `%0A`. - `/auth/providers` → open a provider → `?provider=…` with no trailing slash before `?`; table-editor filter/sort URLs carry no leaked `ref`/`id` params; `/?next=new-project&projectName=x` lands on `/new/new-project?projectName=x`. - Integration detail pages (cron/queues/vault/data_api) show their overview prose; GraphiQL query editor mounts. - Built bundle (`MODE=test vite build` + `start:tanstack`): table editor loads with no `process is not defined`. - `curl -sI` any page on a platform deploy: `X-Content-Type-Options: nosniff` (was the invalid `no-sniff`). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Centralized integration overview markdown loading with registry-based lookup. * Improved Monaco loading/asset path handling for smoother editor startup. * **Bug Fixes** * Next-style navigation/search handling now preserves pathname, hash, repeated query keys, and special characters (including newlines). * Redirects now reliably carry over query and hash with correct precedence. * **Security/Configuration** * Updated CSP font sourcing and unified security headers delivery across environments; conditional HSTS behavior. * Refreshed font CSS variables and font-face definitions to match the theme. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --- ### Review feedback: non-prod favicon (Joshen) The TanStack `__root.tsx` hardcoded the prod favicon; local + hosted staging now use the white staging favicon (`/favicon/staging`), matching what `pages/_app.tsx` passes to `MetaFaviconsPagesRouter` for non-prod. Rather than pull the pages-router component into the TanStack head, it reuses the same synchronous `NEXT_PUBLIC_ENVIRONMENT` signal the file already uses for `IS_DEV_TOOLBAR_ENABLED` (the `head()` route option isn't a React component, so it can't run `_app`'s async CLI check — but the env signal covers the reported local/staging case). --------- Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> Co-authored-by: Joshen Lim <joshenlimek@gmail.com> |
||
|
|
8f5ba52e2c |
fix(e2e): avoid response-listener race in SQL editor flaky test (#47698)
## Summary - Fixes the flaky "should check if SQL editor is working as expected" self-hosted E2E test (FE-3863) - The second query registered the pg-meta response waiter *after* clicking run, so a fast response could be missed, causing a 30s timeout. Moved the waiter registration before the click, matching the pattern already used for the first query. Fixes FE-3863 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Improved SQL editor end-to-end test synchronization to better wait for the correct API response during repeated query runs. * Increased test reliability for scenarios involving back-to-back SQL executions. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
229f6478f3 | test(self-hosted): add an e2e test for exposed schemas in data api ui (#47602) | ||
|
|
c87f673c4c |
Fix: improve accessibility for icon buttons (database menu) (#47531)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Bug fix (accessibility improvement) ## What is the current behavior? Icon-only buttons do not have explicit accessible names for screen readers or tooltips. ## What is the new behavior? All icon-only buttons now have explicit accessible names using visually hidden text (sr-only), ensuring proper screen reader support. ## Additional context Tooltip text is preserved or added for visual users. No visual changes were introduced. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Tightened end-to-end checks for policy creation so policy names must match exactly in the list. * Improved validation coverage for SELECT, INSERT, UPDATE, and DELETE policy flows, reducing the chance of false-positive test matches. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
38669218ac |
fix: preserve copy (#47607)
- closes https://github.com/supabase/supabase/issues/47606 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Copying cell values now preserves `false` and `0` instead of treating them like empty values. * Clipboard copy behavior now only returns blank for truly empty inputs, helping keep table data accurate when copied. * **Tests** * Added end-to-end coverage for copying table cells with `false`, `0`, and `true` values. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
dd3695814e |
test(e2e): add coverage for complex scalar and array column types (#47536)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Test (E2E coverage addition). ## What is the current behavior? The SafeSqlFragment migration (#45903) reworked column type modeling in the table/column editor (`ColumnTypeRef`: format/formatSchema/isArray) and tightened the FK selector's type comparison to the full `(format, format_schema, isArray)` triple instead of comparing `format` alone. This was manually tested but had no E2E coverage for the more complex scalar/array type cases it affects (FE-3377). ## What is the new behavior? Adds `e2e/studio/features/column-editor-types.spec.ts` covering: - Editing an existing array column preserves its type across an unrelated save, and displays as `type[]` (not the raw `_type` pg format) in the Database > Tables column list. - Editing an existing enum column from a non-public schema preserves its schema-qualified type across an unrelated save, and displays as `schema.type`. - The FK selector flags a mismatch between an array column and a scalar column of the same base type. - The FK selector flags a mismatch between same-named enums from different schemas. - The FK selector allows and successfully creates a relation between two columns with matching array types (guards against over-flagging arrays as incompatible). ## Additional context Resolves FE-3377 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Added end-to-end coverage for complex column types in the Studio UI. * Verified array and enum columns continue to display correctly after edits. * Added checks for foreign key type-mismatch warnings and save-button behavior. * Confirmed foreign keys can be created successfully when matching array types are used. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1de298ff31 |
Reinstate https://github.com/supabase/supabase/pull/45143 into latest master (#47433)
## Context Previous PR was [here](https://github.com/supabase/supabase/pull/45143) but it got stale with lots of conflicts so figured it'll be easier redo it off the latest master Moves policies page from Auth to Database under an Access Control section along with Roles. This moves all existing files, applies redirects, and updates urls to point to the new route <img width="274" height="412" alt="image" src="https://github.com/user-attachments/assets/7952c185-64ae-4355-ba36-45397efe1787" /> <img width="453" height="471" alt="image" src="https://github.com/user-attachments/assets/04b3dcb3-48a5-4049-9893-d01109fb46a9" /> ## To test - [ ] Verify that policies now live under Database correctly <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a quick navigation shortcut to open **Database > Policies (RLS)**. * **Bug Fixes** * Updated Policies and RLS-related links across the product to open the **Database policies** area (menus, command palette, context actions, alerts, and link-outs). * Added a permanent redirect from the old **auth policies** URL to the new **database policies** URL. * **Documentation** * Updated RLS Dashboard and security checklist instructions to reference **Database > Policies**. * **Tests** * Adjusted automated tests to validate the new Policies route. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
719434a7fd |
fix(studio): batched table edits issues (#47319)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Bug fix ## What is the current behavior? Fixes #47318 Supabase Studio's batched table edit queue has a few related row identity issues: - Editing a row's primary key can make later queued edits or deletes lose track of the original row. - Editing a primary key and another column in the same row before saving can save only the primary key change, because later updates still use the old primary key in the `WHERE` clause. - Adding a row in batched edit mode and then deleting it before saving may not remove the pending row correctly. ## What is the new behavior? - Preserves the original row identity for queued operations after primary key edits. - Applies multiple queued edits for the same row as a single update when saving. - Correctly deletes newly added pending rows before they are saved. - Adds regression coverage for these batched table edit cases. ## Additional context https://github.com/user-attachments/assets/75672361-d781-4fe5-a542-071574ad57bd <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved row identity handling for grid edits, optimistic updates, and queued operations so changes stay correctly attached when primary keys are edited, reverted, or “taken” by another row. * Updated header row deletion to delete from the currently visible/targeted rows rather than relying on the full dataset. * Reduced retry noise for missing tables by clearing conflicting sorts and preventing repeated retries for the same “does not exist” error. * More reliably consolidated queued edits for the same row into fewer combined save statements. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Ali Waseem <waseema393@gmail.com> |
||
|
|
4fa106e53c |
fix(studio): stop GraphiQL from corrupting other Monaco editors (#47363)
GraphiQL (`@graphiql/react`) runs a second Monaco instance that injects
two global, page-wide styles which corrupt Studio's other editors once a
GraphiQL chunk has loaded (it persists across client-side navigation, so
a full reload hides it). After visiting GraphiQL and returning to e.g.
the SQL editor, the editor collapses to a ~5px sliver and its syntax
colors swap to GraphiQL's theme.
**Changed:**
- `monaco.css` — a higher-specificity counter-rule
(`.monaco-editor.monaco-editor { position: relative !important }`) beats
GraphiQL's runtime-injected `.monaco-editor { position: absolute
!important }`, which otherwise pulls Studio's `@monaco-editor/react`
wrapper out of flow and collapses it to ~5px.
- GraphiQL now uses the primary `supabase` Monaco theme instead of a
separate `supabase-graphql-*` theme, so the global `.mtk*` token palette
stays identical and syntax colors no longer bleed into other editors.
**Added:**
- E2E test (`monaco-graphiql-coexistence.spec.ts`) reproducing both bugs
via client-side SQL editor → GraphiQL → SQL editor navigation (a full
reload unloads the chunk and hides the bug).
- Component test (`CodeEditor.test.tsx`) guarding the height-class
precedence regression from #47339/#47350 — a caller height (e.g. the
email template editor's `h-96`) must win over the default `h-full`.
Covered as a component test since the email source editor isn't
reachable on self-hosted.
## To test
- Open the SQL editor → **Integrations → GraphiQL** → back to the SQL
editor (in-app navigation, not a reload). It should stay full height and
keep its own syntax colors.
- Confirm autocomplete still works in the SQL editor.
- `pnpm --prefix e2e/studio run e2e --
features/monaco-graphiql-coexistence.spec.ts`
- `pnpm --prefix apps/studio test -- CodeEditor.test`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved Monaco editor styling so GraphiQL no longer affects the SQL
editor’s theme or layout when navigating between them.
* Fixed editor sizing so a custom height now takes precedence over the
default full-height setting.
* Polished GraphiQL panel styling for more consistent spacing and
appearance across themes.
* **New Features**
* GraphiQL now uses the shared editor theme for better visual
consistency with Studio.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
|
||
|
|
a074b62ed1 |
chore(studio): use sentence case for Data API access label (#47353)
## What kind of change does this PR introduce? UI copy + agent guidance. ## What is the current behavior? - The Table Editor labels the Data API setting as "Data API Access" (title case). - Agents have no scoped pointer to our copywriting rules ## What is the new behavior? - Label uses sentence case: "Data API access" (e2e and test docs updated). - Agents are pointed at `apps/design-system/content/docs/copywriting.mdx` via `studio-copy.instructions.md` and `studio-ui-patterns` skill. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Standardized the **“Data API access”** label casing across the Studio UI. * Updated end-to-end tests to assert the corrected label text. * **Documentation** * Updated Studio E2E test review instructions and examples to use **“Data API access”**. * Added/expanded Studio UI copywriting guidance, including where to source copy and how to apply consistent casing. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Cursor <cursoragent@cursor.com> |
||
|
|
b1b29ad011 |
Fix: improve accessibility for icon buttons (#47214)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Bug fix (accessibility improvement) ## What is the current behavior? Icon-only buttons do not have explicit accessible names for screen readers. ## What is the new behavior? All icon-only buttons now have explicit accessible names using visually hidden text (sr-only), ensuring proper screen reader support. ## Additional context Tooltip text is preserved or added for visual users. No visual changes were introduced. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * Added hover tooltips across the database editor and SQL editor, including “More options” menus, table filter controls, and the “Create a new query” action. * **Accessibility** * Improved button accessibility by adding/expanding `aria-label`s for Intellisense, favorites (add/remove), and “Prettify SQL.” <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
2fdb59a905 |
test(e2e/studio): drop racy post-action waits in database specs (from #46424) (#47106)
Follow-up to #47077, extracted from the TanStack Start migration (#46424). Three `waitForResponse` waits in `database.spec.ts` were registered *after* their triggering action, so the response could resolve before the listener attached and the wait would time out (this surfaced under TanStack, where the data is SSR-streamed, but the waits are redundant on Next too). **Removed:** - Schema Visualizer *actions*: `waitForSchemaVisualizerToLoad(...'auth')` registered after the schema-selector click — the `focusTableInVisualizer` loop immediately below already auto-waits for the auth schema's tables. - table update / duplicate: `waitForDatabaseToLoad(...)` after the save mutation — the `toBeVisible` assertion right after each already waits for the list to refetch. - the now-unused `waitForDatabaseToLoad` / `waitForSchemaVisualizerToLoad` imports. The UI assertions are the real synchronization points, so behaviour is unchanged on Next. ## To test - Studio E2E `database.spec.ts` passes (the Schema Visualizer + Tables groups). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Improved database e2e test reliability by optimizing synchronization logic and eliminating timing-sensitive helpers that could introduce flakiness during schema and table operations. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
|
84edf0dc94 |
fix: protect csv import (#47040)
## TL;DR fixes protected schema empty tables still exposing CSV import actions in table editor... ## ref: - closes https://github.com/supabase/supabase/issues/41358 - supersedes: https://github.com/supabase/supabase/pull/41362 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Updated the table empty state so CSV import actions are shown only when the table is allowed to accept imports, and are hidden for protected cases (including foreign-table scenarios). * **Tests** * Added an end-to-end test confirming that empty tables in protected schemas do not expose the “Import data from CSV” button or the drag-and-drop CSV hint. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
ba00a311db |
test(studio): harden flaky E2E specs (extracted from #46424) (#47077)
Pulls the framework-agnostic E2E test fixes out of the TanStack Start migration PR (#46424) so they can land on `master` independently and scope that PR down. Test files only — no app/source changes. > [!NOTE] > **These changes originate from #46424** (the Next.js → TanStack Start migration). They were made while getting the E2E suite green on both builds, but they're pure test-file changes that are framework-agnostic and already pass on the current Next.js build. A few are *also* written to tolerate TanStack behaviour (called out in code comments) — harmless and correct on Next today. **Changed:** - `realtime-inspector.spec.ts` — drop the racy `waitForResponse(/settings/)` (the "Join a channel" UI assertion already gates on settings loading); click the message row's timestamp instead of its center, which the wide untruncated-JSON cell pushes under the always-present detail panel. - `database.spec.ts` — gate the three Schema Visualizer / Tables tests on the visualizer UI (`focusTableInVisualizer` already auto-waits for the schema, including the freshly-created table) instead of the `pg-meta … public-infinite_tables` XHR. - `database-webhooks.spec.ts` — wait on the `Database Webhooks` heading instead of marketing copy that was removed when the page moved to the new integrations UI. - `queue-integration.spec.ts` — wait on the unconditional "Create queue" button instead of the grid (which only renders once a queue exists); assert creation by polling for either valid end-state. ## To test - Run the affected specs against a local self-hosted studio and confirm they pass: `pnpm --prefix e2e/studio run e2e -- features/realtime-inspector.spec.ts features/database.spec.ts features/database-webhooks.spec.ts features/queue-integration.spec.ts` - Or just let the studio E2E suite run on this PR (Next.js build). Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
|
097f220c5c |
Add support for managing stored procedures under database functions (#46977)
## Context Dashboard currently doesn't have any support for managing stored procedures. In the event that the security advisor surfaces a warning about a stored procedure, users hence run into a dead-end as there's currently no way to self-remediate via the dashboard ## Changes involved We're hence adding support for managing stored procedures within Database Functions <img width="1082" height="546" alt="image" src="https://github.com/user-attachments/assets/2598a5fe-e58f-4e8a-ad2f-9cb6d0eb2f53" /> Creating a function now shows a dropdown to select the type <img width="500" alt="image" src="https://github.com/user-attachments/assets/acc9249d-7b25-4416-aae8-89c630e1c62b" /> In which if stored procedure is selected, the following fields will be hidden since they're irrelevant for stored procedures - Return type - Behaviour (Under advanced settings) Some other minor UI changes as well: - Field inputs are re-ordered a little, opting to group "Schema" and "Name" into one section, followed by "Type" and "Return type" - Opting to show "Return type" when editing a function but disabled - Add schema filter for fetching database functions to reduce unnecessary load on the database ## To test - [ ] Can create, update, delete, read stored procedures via database functions page <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Summary - **New Features** - Added PostgreSQL **procedure** support alongside functions, including a **Type** selector in the create/edit flow. - Updated Functions UI with a new **Type** column and procedure-aware return/argument details. - **Improvements** - Refreshed create/edit headers and language help text for clearer context. - Improved argument parsing/display, including better handling of procedure argument modes. - **Bug Fixes** - Corrected routine-type handling during function/procedure delete and update SQL operations. - **Tests** - Updated unit snapshots and end-to-end UI flows/labels for the new “New function” control. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
a10bc9a88a |
feat(unified-logs): compact toggle banner and ArrowDown selects first log (#46812)
Visual cleanup of the Logs sidebar (unified logs): - Restyle the "Go back to old logs" and "Try Unified Logs" banners as full-bleed bordered strips (no card), with an icon-only switch-back button and a tooltip - Add a "Beta" badge next to the "Logs" sidebar title - Rename the product from "Logs & Analytics" to "Logs" <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added Unified Logs banner with “Try Unified Logs” and “More information” actions, plus a “Go back to old logs” utility layout. * Show a **“Beta”** badge for Unified Logs eligibility. * **UX Updates** * Updated the Logs experience to consistently display under the **“Logs”** product layout. * **Tests / Documentation** * Updated end-to-end checks and examples to expect the **“Logs”** heading text exactly. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: kemal <hello@kemal.earth> |
||
|
|
7414802e57 | test(studio): unflake schema visualizer Copy as SQL assertion (#46863) | ||
|
|
d745036c9e |
chore: create index form (#46288)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Refactored the Database Create Index side panel to align with the recommended Studio form patterns. ## What is the current behavior? The side panel was using a legacy layout that did not follow the common Studio form patterns. It's also not a real form. ## What is the new behavior? The Create Index side panel in the Database section is now consistent with the Studio form patterns. It's now a real form using `react-hook-form` ## Additional context Before: <img width="668" height="855" alt="image" src="https://github.com/user-attachments/assets/d15ee63c-8d03-4780-8945-1792f0493133" /> After: <img width="606" height="856" alt="image" src="https://github.com/user-attachments/assets/78e0269c-e79c-42d1-a2c2-9465c0b0c46a" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **UI Improvements** * Reworked index-creation panel into a validated, form-driven workflow with clearer field interactions, multi-column selector, live read-only SQL preview, and updated submit/cancel behavior. * Footer actions: Cancel resets the form and closes the panel; Create triggers form submission and reflects loading state. * **Tests** * Updated end-to-end flow to click "Select a table" (replacing "Choose a table") during index creation. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Gildas Garcia <1122076+djhi@users.noreply.github.com> |
||
|
|
4ae803c3d7 |
feat(studio): paginate Tables list with server-side search (#46514)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Feature / performance improvement. ## What is the current behavior? The Database > Tables list renders every table for the selected schema in a single `useTablesQuery({ includeColumns: true })` fetch. ## What is the new behavior? - Database > Tables list uses `useInfiniteTablesQuery` with a 50-row page size, streaming pages as the user scrolls. - An `IntersectionObserver` sentinel attached to the footer status row triggers `fetchNextPage()` while `hasNextPage` is true; the same row doubles as the table count / loading indicator. - Search is debounced (300 ms) and passed as `nameFilter` to the hook, which forwards it to pg-meta's `getTablesPaginatedSql`. The backend returns only matching rows, so search works across the whole schema rather than only the loaded pages. ## Additional context <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Debounced search filtering for tables * Infinite-scroll pagination with sentinel-driven loading * Footer shows “Loading more tables…” and dynamic table counts * **Bug Fixes** * Ensure table list refresh after create/duplicate by invalidating infinite-list cache * **Tests** * Updated end-to-end waits and helpers to match the new paginated table-loading API <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
0c8b71de64 | feat(self-hosted): update project home for self-hosted and cli (#46544) | ||
|
|
ac59de1f9e |
chore: e2e tests reliability (#46496)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES/NO ## What kind of change does this PR introduce? Bug fix, feature, docs update, ... ## What is the current behavior? Please link any relevant issues here. ## What is the new behavior? Feel free to include screenshots if it includes visual changes. ## Additional context Add any other context or screenshots. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Accessibility** * Improved screen-reader label for table row action menus so table controls are clearer for assistive‑technology users. * **Tests** * Enhanced end-to-end test reliability: tightened selectors, added dialog/toast visibility and API-wait synchronization, scoped lookup fixes, removed redundant cleanup helper, and updated test setup to mark a terms-of-service dismissal to reduce flakiness. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
a4334a2cc7 |
feat(studio): paginate Schema Designer via useInfiniteTablesQuery (#46402)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Performance improvement / feature ## What is the current behavior? The Schema Designer fetches all tables in a single request via `useTablesQuery`. For schemas with 400+ tables this blocks first paint on a large payload. ## What is the new behavior? `SchemaGraph` uses `useInfiniteTablesQuery` (pageSize: 100) so the first 100 tables paint immediately. A "Load more tables" button appears above the legend whenever more pages remain, letting users load the rest on demand. ## Additional context <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a "Find table…" selector and keyboard shortcut to quickly locate and focus tables; supports incremental loading and debounced name search (with literal wildcard handling). * Schema Graph shows a bottom "Load more tables" control with loading state and preserves view after loading more. * **Refactor** * Table listing switched to infinite/paginated retrieval and improved "no tables" logic; server-side name filtering supported. * **Tests** * E2E tests add a schema-visualizer wait helper and update flows to support the paginated visualizer. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46402?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
5222f31fe3 |
fix: cron job editing was done by name rather than Job ID (#46486)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? - Minor issues here, the validation for creating names is there but users can create crons with empty names through SQL - When they edit the name in the Cron editor, since we use names as the where clause it treats it as a new create - So a duplicate cron is created - Since creating requires a name, the validation is moved to the component rather than zod and disabled when editing mode is on! <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Cron jobs can now be created without requiring a name field. * Improved handling to properly distinguish between creating new cron jobs and editing existing ones. * **Bug Fixes** * Fixed issue where editing unnamed cron jobs would create duplicate entries instead of updating the existing job in place. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46486?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
c39bb96d74 |
feat: Context view actions for views and material views (#46383)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Right now material views and views don't have any options on the context menu, they only have a copy name. This adds copy schema, export CSV, export SQL and delete table to that list Added E2E tests to cover the use cases <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Delete views and materialized views via confirmation dialogs with optional cascade * Copy SQL definitions for views and materialized views * Export views and materialized views as CSV and SQL from the entity menu * Confirmation modals now show dependency warnings and cascade toggle consistently * **Tests** * End-to-end tests covering copy, export, and delete flows for views and materialized views in the table editor <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46383?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
239825e9a3 |
fix(studio): clarify RLS disable destructiveness (#46357)
## What kind of change does this PR introduce? UI fix ## What is the current behavior? RLS disable dialog is just plain prose. ## What is the new behavior? RLS disable dialog better communicates the high-risk action. | Before | After | | --- | --- | | <img width="866" height="536" alt="CleanShot 2026-05-26 at 11 31 47@2x" src="https://github.com/user-attachments/assets/9ae061aa-edf5-45e8-b866-4d59a035a597" /> | <img width="860" height="534" alt="CleanShot 2026-05-26 at 11 29 42@2x-584E1768-6ACD-4873-9477-A8FA7D017C67" src="https://github.com/user-attachments/assets/00b485dd-485a-4c28-825c-6c0460e3428d" /> | <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Improved RLS toggle dialog component logic. * **Tests** * Enhanced RLS policies test assertions for better accuracy. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46357?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
e13486e358 |
Storage file bucket design (#46184)
<img width="1285" height="654" alt="image" src="https://github.com/user-attachments/assets/10074f07-3ac0-4f1f-b920-4255c67968d6" /> Updates file storage buckets to make use of new page components and follow more standard full width pages as recommended in our design system. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Search input now always visible with dynamic placeholder and cancel control. * “Go up one level” navigation button shown in list view when not at bucket root. * **Style** * Thinner icon strokes and smaller button/icon sizing across the Storage Explorer and preview. * Header, breadcrumbs, and page container spacing/layout refined; explorer outer container simplified. * Selection count UI made compact/monospaced; new layout tokens for header and bulk-action rows. * **Tests** * Unit and e2e tests updated; added e2e helper for rename/create inputs. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46184?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1470c51021 |
fix(studio): align rls confirmation dialogs (#45961)
## What kind of change does this PR introduce? Studio UI cleanup and docs update. Resolves FE-3217. ## What is the current behavior? The table RLS confirmation dialogs differ across the Policies page and Table Editor surfaces. The table editor disable flow also uses a verbose confirmation modal with admonitions and repeated warning copy. | Policies | Table Editor | | --- | --- | | <img width="852" height="448" alt="25125" src="https://github.com/user-attachments/assets/baa9fafa-752c-4701-bf54-40da4e32030b" /> | <img width="1108" height="1016" alt="57354" src="https://github.com/user-attachments/assets/b1b88355-be39-49b9-aed2-a60f20c25104" /> | | <img width="866" height="434" alt="CleanShot 2026-05-15 at 18 01 15@2x" src="https://github.com/user-attachments/assets/d67f69ee-0a49-4dbd-939e-ca968361fc33" /> | <img width="840" height="426" alt="CleanShot 2026-05-15 at 18 01 52@2x" src="https://github.com/user-attachments/assets/a0b5f390-abeb-453f-8636-ad097f22308b" /> | ## What is the new behavior? Table RLS enable and disable confirmations now use one shared concise Alert Dialog treatment across the Policies page, Table Editor header, and Table Editor side panel. The server-backed toggles use the async Alert Dialog action behaviour from the stacked base branch, and the design-system docs now clarify when to start with Alert Dialog versus Confirmation Modal. This PR is stacked on #45960. | Before | After | | --- | --- | | <img width="852" height="448" alt="25125" src="https://github.com/user-attachments/assets/baa9fafa-752c-4701-bf54-40da4e32030b" /> | <img width="864" height="518" alt="CleanShot 2026-05-15 at 18 07 21@2x" src="https://github.com/user-attachments/assets/bda53246-164b-4d5b-81a1-25d3bc661eb3" /> | | <img width="1108" height="1016" alt="57354" src="https://github.com/user-attachments/assets/b1b88355-be39-49b9-aed2-a60f20c25104" /> | <img width="864" height="518" alt="CleanShot 2026-05-15 at 18 07 21@2x" src="https://github.com/user-attachments/assets/bda53246-164b-4d5b-81a1-25d3bc661eb3" /> | | <img width="866" height="434" alt="CleanShot 2026-05-15 at 18 01 15@2x" src="https://github.com/user-attachments/assets/d67f69ee-0a49-4dbd-939e-ca968361fc33" /> | <img width="860" height="488" alt="CleanShot 2026-05-15 at 18 08 41@2x" src="https://github.com/user-attachments/assets/4c67f797-e2cd-4d56-a49d-e6c6fc0edff3" /> | | <img width="840" height="426" alt="CleanShot 2026-05-15 at 18 01 52@2x" src="https://github.com/user-attachments/assets/a0b5f390-abeb-453f-8636-ad097f22308b" /> | <img width="860" height="488" alt="CleanShot 2026-05-15 at 18 08 41@2x" src="https://github.com/user-attachments/assets/4c67f797-e2cd-4d56-a49d-e6c6fc0edff3" /> | <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Refined guidance and wording for dialog usage, clarifying when to use Alert Dialog, Confirmation Modal, and modal modality. * **New Features** * Reworked RLS confirmation flow with a streamlined toggle dialog, clearer messaging, and a “Learn more” link to docs. * **Tests** * Updated end-to-end tests to cover the updated RLS dialog flows and explanatory content. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45961?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
5fdff9707f |
chore(studio): improve download snippet dialog (#46242)
## What kind of change does this PR introduce? Chore: component migration and copy update. ## What is the current behavior? `DownloadSnippetModal` and `RenameQueryModal` use an awkward tabs-based layout. The download action is labelled "Download" throughout, and the NPX toggle was incorrectly labelled "NPM". ## What is the new behavior? - Both modals are migrated to the `Dialog` component. - The download dialog replaces the tab layout with a select (Migration / Seed file / SQL file) and a CLI/NPX toggle. - Action language changed from "Download" to "Export" (context menu item, dialog title, select label) — more accurate since the user runs a CLI command rather than triggering a browser download. - NPM toggle label corrected to NPX; internal `npm` property key renamed to `npx` for consistency. | Before | After | | --- | --- | | <img width="1024" height="759" alt="Add Auth Hook (General) SQL Editor Pickles Pantry Supabase-C6F22F8B-19FF-486E-8C08-915895495875" src="https://github.com/user-attachments/assets/98637802-5e05-4431-87f8-b2e83216082a" /> | <img width="1024" height="759" alt="Add Auth Hook (General) SQL Editor Pickles Pantry Supabase-5B63AD0C-7CD0-4BB2-BEC8-5DBAE94963CE" src="https://github.com/user-attachments/assets/a8f48c2f-a7e2-42fd-b52c-89a133811ad8" /> | | <img width="1024" height="759" alt="Add Auth Hook (General) SQL Editor Pickles Pantry Supabase-1F28FADA-46D1-4C0A-BE96-6CFF2317FDCF" src="https://github.com/user-attachments/assets/afb904d0-689b-4756-b0b4-8177703934e4" /> | <img width="1024" height="759" alt="Add Auth Hook (General) SQL Editor Pickles Pantry Supabase-652E6E8D-1CD2-4465-BC82-46EDB974CD8C" src="https://github.com/user-attachments/assets/f1adfb6b-fba6-495f-b571-1713c3eebb4d" /> | <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Updated the SQL query export modal UI from a tabs-based interface to a dropdown-based selection for choosing export formats. * Revised menu and dialog labels to "Export query" for improved clarity. * Enhanced code block presentation in the export modal. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46242?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Gildas Garcia <1122076+djhi@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|
|
34303997c6 |
fix(table-editor): wait for filter value before applying (#46113)
## Summary - Closes [FE-3399](https://linear.app/supabase/issue/FE-3399/make-table-editor-filter-bar-wait-for-a-value) - Table editor's filter bar was firing a row request as soon as a property was selected, before any operator/value was set. This regressed after #46071 unified the table editor and unified logs onto the shared `FilterBar`. - `LogsFilterBar` already validates that each condition has a propertyName, operator, and non-empty value before applying. `FilterPopoverNew.handleApply` did not — it called `setFilters` unconditionally on every `onApply` from the shared bar (property change, operator change, blur, etc.). This PR mirrors the `LogsFilterBar` validation so the table editor stops requesting rows until the condition is complete. ## Test plan - [ ] Open the table editor on any table - [ ] Click the filter bar, pick a column → no network request fires, no toast, grid unchanged - [ ] Pick an operator → still no request - [ ] Type a value and hit Enter → row request fires, grid filters - [ ] Remove the filter → grid refetches with no filter - [ ] New e2e test: `pnpm --prefix e2e/studio run e2e -- features/filter-bar.spec.ts --grep "does not trigger a row request"` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Filter validation now prevents incomplete filter conditions from being applied, ensuring only fully-specified filters affect table data. * **Tests** * Added end-to-end test coverage for filter bar operations to verify expected behavior during filter setup. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46113?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
5950b6ca04 |
test(e2e/studio): stabilize flaky and TZ/OS-sensitive specs (#46039)
Backports a batch of e2e test stabilization fixes — each commit is
scoped to a single failure class and only touches `e2e/studio/` files.
**Changed:**
- **`_global.setup` — playwright-locks cleanup was dead code**: the
lock-cleanup block was at the bottom of `Global Setup`, but every branch
above it returns early — so it never ran. Tests that use
`withFileOnceSetup` (cron-jobs) would see a stale `setup.done.json`
marker from the previous run and silently skip their setup, leaving e.g.
`pg_cron` uninstalled and all 11 cron-jobs specs failing. Moved the
cleanup to before any early return.
- **filter-bar — Home key**: macOS Chromium doesn't honor a standalone
`Home` keypress inside text inputs (macOS routes "go to line start" via
`Cmd+ArrowLeft` / `Fn+ArrowLeft`). Tests that expected the cursor to
jump to position 0 silently kept the previous selection. Replaced with
`el.setSelectionRange(0, 0)` so the assertion runs against a known
cursor position on every OS.
- **filter-bar — date filters**: tests inserted rows with `CURRENT_DATE`
/ `NOW()` (postgres session TZ = UTC) and asserted with JS-local dates
from `getDateValue()`. Near midnight the two diverged and the filter
returned 0 rows. Switched the inserts to explicit `getDateValue()`
strings so insert and assert use the same calendar day.
- **queue-table-operations — `networkidle`**: Studio holds long-poll /
SSE connections (PostHog, realtime), so `page.reload({ waitUntil:
'networkidle' })` never resolves and timed out. Replaced with a targeted
`waitForTableToLoad` API waiter.
- **sql-editor — RLS smoke test**: a hard-coded table name
(`pw_rls_smoke_test`) collided across 3 parallel workers running against
the same db. Suffixed with `test.info().parallelIndex`.
- **table-editor — FK spec timeout**: `waitForApiResponseWithTimeout`
for `query?key=table-update` returns `null` on timeout (silent), then
the panel-close assertion fails. Bumped 15s → 30s to absorb
parallel-load latency.
- **table-editor / storage-helpers — URL encoding & redirect race**:
post-action URL assertions were over-specific (`%20` vs `+` encoding)
and the bucket-delete redirect could race other history updates. Relaxed
the regex to accept both encodings; asserting the row removal directly
is a more stable signal than the redirect URL.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Improved end-to-end determinism with explicit dates/timestamps and
stable cursor positioning
* Prevented parallel-test collisions by using unique identifiers for
resources
* Made page reloads and API waits more robust for long-lived connections
and increased timeouts
* Strengthened assertions to rely on stable UI signals instead of
transient navigation/network state
* Ensured test setup reliably cleans up temporary locks before any setup
steps run
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46039?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
|
||
|
|
8935043a1b |
simplify sql editor warning dialog (#45912)
## What kind of change does this PR introduce? Studio UI cleanup. ## What is the current behaviour? The SQL editor query warning modal repeats itself with an admonition, a nested warning panel, and extra confirmation copy. Single-warning cases are harder to scan than they need to be. ## What is the new behaviour? The warning now uses `AlertDialog` and resolves each detected issue into concise title/body copy. Single-warning cases show one short description, while multi-warning cases show a compact list. The existing RLS actions are preserved. ## Testing instructions Manual SQL editor checks: Open the Studio SQL editor, paste each snippet, click **Run**, verify the warning copy, then click **Cancel**. These snippets are only intended to trigger the warning UI, so do not confirm the dangerous ones. Destructive operation warning: ```sql drop table if exists public.codex_warning_destructive; ``` UPDATE without WHERE warning: ```sql update public.codex_warning_table set id = id; ``` Prevent database connections warning: ```sql alter database postgres connection limit 0; ``` Missing RLS warning: ```sql create schema if not exists codex_warning; create table codex_warning.missing_rls (id bigint); ``` Multiple issues warning: ```sql drop table if exists public.codex_warning_destructive; update public.codex_warning_table set id = id; create schema if not exists codex_warning; create table codex_warning.missing_rls_multi (id bigint); ``` ## Additional context | Before | After | | --- | --- | | <img width="1024" height="759" alt="Codex Warning Table Maintenance SQL Editor Hammer Toolshed Supabas-BDBD32C7-FCE8-4623-ACF2-D2554233EBB4" src="https://github.com/user-attachments/assets/aaed16c2-9910-424a-8a3c-f9815139b1bf" /> | <img width="1024" height="759" alt="Codex Warning Table Maintenance SQL Editor Hammer Toolshed Supabas-C8964C98-1CF9-4992-89D6-86C081C884E8" src="https://github.com/user-attachments/assets/d291c559-1e64-4c63-b918-b20b58d9a2a5" /> | | <img width="1024" height="759" alt="Codex Warning Table Maintenance SQL Editor Hammer Toolshed Supabas-C341A032-B5B0-49A2-8EA2-E3E6EEC54E4F" src="https://github.com/user-attachments/assets/667d9d1a-e34b-4411-9f91-4972ee8d1a23" /> | <img width="1024" height="759" alt="Codex Warning Table Maintenance SQL Editor Hammer Toolshed Supabas-FC66ADE9-6AF1-44D2-A6B6-F7B2FC935C0E" src="https://github.com/user-attachments/assets/1348377e-6606-47c0-aa95-128d7f86ed56" /> | | <img width="1024" height="759" alt="Codex Warning Table Maintenance SQL Editor Hammer Toolshed Supabas-43AAD9FA-7FAC-4DCE-A713-00E8FC76B343" src="https://github.com/user-attachments/assets/bdadedc2-f17d-4011-ae67-5248097b3e92" /> | <img width="1024" height="759" alt="Codex Warning Table Maintenance SQL Editor Hammer Toolshed Supabas-279EC81D-31C7-49C7-B4A8-EEEF1738740A" src="https://github.com/user-attachments/assets/0c178fff-ff49-4522-870d-7a3401c6af30" /> | | <img width="1024" height="759" alt="Codex Warning Table Maintenance SQL Editor Hammer Toolshed Supabas-D405AED5-613F-4C78-909E-F718C67CF17E" src="https://github.com/user-attachments/assets/a4399935-3596-471b-854a-c689e2e0df07" /> | <img width="1024" height="759" alt="Codex Warning Table Maintenance SQL Editor Hammer Toolshed Supabas-725FBCE6-5606-4BC3-B13F-6210DBADF6F2" src="https://github.com/user-attachments/assets/0dcd08fc-cfb4-4d67-b167-eb6eaa768764" /> | | <img width="1024" height="759" alt="Codex Warning Table Maintenance SQL Editor Hammer Toolshed Supabas-EA6563AF-DE7E-4AB8-9164-AC66164CA581" src="https://github.com/user-attachments/assets/ef56fe0f-0243-4ff3-a2b2-ee8b3fe2330a" /> | <img width="1024" height="759" alt="Codex Warning Table Maintenance SQL Editor Hammer Toolshed Supabas-EC85EFB1-715E-4841-BBCA-51F88B539595" src="https://github.com/user-attachments/assets/5be05527-920d-4f23-92eb-c7cd0bbff13e" /> | <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Prevented unintended modal dismissal and duplicate handling when confirming. * **Refactor** * Redesigned SQL editor warning modal with structured, consolidated warnings, adaptive title/confirmation copy, and centralized handling of missing-RLS table names. * Added conditional "Run and enable RLS" confirmation when available. * **Tests** * Updated end-to-end tests to match the new modal headings and body text. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45912) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
7092cac4a4 |
e2e: fk save shortcut (#45804)
adds coverage for: - #45761 which solved #45759 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Added test coverage for keyboard shortcut save workflow in the column editor with foreign-key relationships. [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45804) <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1e59ef9a06 |
chore: balance e2e shards load (#45661)
## Problem We run the e2e tests across two shards to reduce their duration. However, one takes longer than the other. ## Solution Use a currently hidden Playwright feature to balance their load <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Upgraded Playwright test dependency to a newer version for refreshed test tooling and fixes. * Adjusted end-to-end test shard weighting to rebalance distribution across parallel runs. * **Tests** * Stabilized several end-to-end editor interactions to make E2E flows more reliable. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
0433eeb5f5 |
feat(studio): mark sql provenance for safety (#45336)
Mark provenance of SQL via the branded types SafeSqlFragment and UntrustedSqlFragment. Only SafeSqlFragment should be executed; UntrustedSqlFragments require some kind of implicit user approval (show on screen + user has to click something) before they are promoted to SafeSqlFragment. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Editor and RLS tester show loading states for inferred/generated SQL and include a dedicated user SQL editor for safer edits. * **Refactor** * Platform-wide SQL handling tightened: snippets and AI-generated SQL are treated as untrusted/display-only until promoted, improving safety and consistency. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
e6f779ea30 |
feat(studio): add keyboard shortcuts to the schema visualizer (#45386)
## Summary Adds the first batch of keyboard shortcuts for the Database → Schema Visualizer page, following the registry pattern established for the SQL editor and table editor. Fixes [FE-3115](https://linear.app/supabase/issue/FE-3115). ## Shortcuts | Shortcut | Action | | --- | --- | | `Mod+Shift+C` | Copy schema as SQL | | `Mod+Shift+M` | Copy schema as Markdown | | `D` then `P` | Download schema as PNG | | `D` then `S` | Download schema as SVG | | `O` then `A` | Open the auto-layout confirmation dialog | | `O` then `S` | Open the schema selector | All six entries appear in the Cmd+K command menu under "Shortcuts" and in the global shortcuts sheet (`Mod+/`) under a new "Schema Visualizer" group while the page is mounted. None are surfaced in Account → Preferences yet (`showInSettings: false`), matching how the SQL/table editor batches shipped. The schema selector and auto-layout button are wrapped in the unified `Shortcut` component so the keybind is shown on hover (Linear-style). The dropdown items for copy/download don't get hover hints since tooltips on dropdown items don't make sense — they're discoverable via Cmd+K instead. ## Toasts Each user-visible action now confirms via a sonner toast: - `Successfully copied as SQL` — fires on Copy as SQL (button or `Mod+Shift+C`). - `Successfully copied as Markdown` — fires on Copy as Markdown (dropdown or `Mod+Shift+M`). - `Successfully downloaded as PNG` / `Successfully downloaded as SVG` — already present in `useExportSchemaToImage`; fires on click or `D → P` / `D → S`. - `Failed to download current view: …` — error toast on download failure (also pre-existing). ## Notes - `Mod+Shift+C` and `Mod+Shift+M` collide with the SQL editor's `results.copy-csv` / `results.copy-markdown` shortcuts. They coexist cleanly because `useShortcut` only fires while the hook is mounted, and the two pages live on different routes. Both labels appear in the global shortcuts sheet honestly scoped per surface. - `SchemaSelector` was promoted to a `forwardRef` component that spreads extra props onto its outer `<div>`. This was needed for `<TooltipTrigger asChild>` to attach event handlers and the ref properly — previously they were silently dropped and the hover tooltip didn't render. - `SchemaSelector` and the auto-layout `AlertDialog` accept controlled `open` props now so the shortcuts can drive them and the tooltip can be suppressed while the popover/dialog is open (`Shortcut` gained a `tooltipOpen` passthrough for this). - Auto-layout still pops the existing confirmation dialog rather than running directly — destructive enough to keep the guardrail. ## Test plan - [x] On the Schema Visualizer page, each of the six shortcuts fires the corresponding action. - [x] Hover the schema selector and the Auto layout button — tooltip shows the action label and keybind badge. - [x] Open the schema selector popover (click or `O → S`) — hover tooltip is suppressed while open. - [x] Open the auto-layout confirm dialog (click or `O → A`) — hover tooltip is suppressed while open. - [x] Cmd+K shows all six entries under "Shortcuts" while on the page; navigating away unregisters them. - [x] `Mod+/` shortcuts sheet has a "Schema Visualizer" group listing all six. - [x] Copy as SQL / Markdown each fire a confirmation toast; PNG / SVG downloads each fire a confirmation toast. - [x] On the SQL editor results page, `Mod+Shift+M` / `Mod+Shift+C` still copy results (no regression from the duplicate keybinds). - [x] The download dropdown items still work via click; PNG/SVG downloads succeed. - [x] All other consumers of `SchemaSelector` (~15 callsites) render unchanged after the `forwardRef` promotion. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Keyboard shortcuts for schema visualizer: copy as SQL/Markdown, download PNG/SVG, auto-layout, and focus selector * Success toasts when copying content to clipboard * **Improvements** * Schema selector and auto-layout dialog can be opened/closed via keyboard and programmatically * Shortcut tooltips can be suppressed when related overlays/dialogs are open * Schema Visualizer added to the shortcuts reference sheet * **Tests** * E2E tests dismiss transient toasts to avoid UI interference <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
7f8ae81d64 |
Clean up table editor header (#45452)
## Context Resolves FE-3126 Just cleaning up the table editor header with a bit of refactors (pre-req to investigating collapsing filter bar and table editor header actions into a single row) ## Non-visual changes involved - Break down components within `GridHeaderActions` into smaller ones - `IndexAdvisorPopover` - `SecurityDefinerViewPopover` - `RealtimeToggle` - Deprecate use of `useUrlState` in `GridHeaderActions` to use `useQueryState` instead - Improve types for `TwoOptionToggle` ## Visual changes involved - Collapse realtime button toggle into a button icon, with no text (just tooltip) - Adjust layout of buttons a little ### Before <img width="796" height="118" alt="image" src="https://github.com/user-attachments/assets/436bca94-4d91-471a-a184-487c6f78dc04" /> ### After <img width="731" height="132" alt="image" src="https://github.com/user-attachments/assets/5fd30982-a1fc-4f92-a590-146d1e69d52a" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Index Advisor popover with recommendations. * Realtime toggle to manage realtime table publication. * Security Definer view popover with optional autofix. * Insert menu for adding rows/columns and CSV import. * **Bug Fixes** * Adjusted filter bar input sizing for improved readability. * **Refactor** * Header layout updated and insert/import actions moved into dedicated components. * **Tests** * Updated end-to-end selectors for the Insert row menu item. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
f4abe3fca7 |
chore: migrate MultiSelectDeprecated to Shadcn multi-select (#45377)
## Problem We want to reduce the code we ship and maintain. ## Solution - Migrate old `MultiSelectDeprecated` usage to the new Shadcn `multi-select` - Fix `multi-select` background color to align it with other inputs - Fix `multi-select` popover content alignment (now align to its input start) ## Screenshots ### RLS policies Before: <img width="618" height="705" alt="image" src="https://github.com/user-attachments/assets/098504fc-21a9-4386-9390-e69f929189c1" /> After: <img width="549" height="704" alt="image" src="https://github.com/user-attachments/assets/06842e31-90bf-4d24-8c19-78f74941cd65" /> ### Storage policies Before: <img width="1177" height="664" alt="image" src="https://github.com/user-attachments/assets/3cf1afb4-9604-4ee9-b7b6-8371f94bcfcc" /> After: <img width="1170" height="653" alt="image" src="https://github.com/user-attachments/assets/e3b235d3-5890-45ff-9658-82c6612ac82a" /> ### Database indexes Before: <img width="675" height="496" alt="image" src="https://github.com/user-attachments/assets/84c0d3b6-45af-49dc-b4f4-274abed4cea7" /> After: <img width="674" height="498" alt="image" src="https://github.com/user-attachments/assets/697ceafc-256f-4106-9193-8697bc3d9d8e" /> ### Contact support Before: <img width="643" height="534" alt="image" src="https://github.com/user-attachments/assets/ee7fc790-622d-4c09-afab-269271a31af4" /> After: <img width="645" height="457" alt="image" src="https://github.com/user-attachments/assets/db0b9a32-95e0-4864-a12a-88828c431aab" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Replaced legacy multi-select controls with a unified selector UI: dynamic trigger labels, per-item disable support, explicit item rendering, deletable badges, and improved search/selection behavior. * **Chores** * Removed deprecated multi-select badge and legacy picker implementations; adjusted exports/types to align with the new selector components. * **Style** * Minor UI text and inline code styling improvements and modal spacing tweaks. * **Tests** * Updated end-to-end flows to wait and interact with the new pickers. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com> |
||
|
|
718021fc7b |
chore: migrate Listbox to Shadcn components (#45279)
## Problem We want to reduce the code we ship and maintain. ## Solution Migrate old `<Listbox />` usage to the new Shadcn component. ## Screenshots ### Billing Before: <img width="536" height="458" alt="image" src="https://github.com/user-attachments/assets/c8883bd8-cbbd-47cd-84a4-e37a36c05cd6" /> After: <img width="541" height="451" alt="image" src="https://github.com/user-attachments/assets/9c848b1b-e72a-413c-b264-48340ce0c7ef" /> ### Foreign Key Editor Before: <img width="463" height="995" alt="image" src="https://github.com/user-attachments/assets/4debeeeb-94bd-439d-8f57-a84a2ed5230a" /> <img width="428" height="241" alt="image" src="https://github.com/user-attachments/assets/81a21d58-c023-445a-a6e8-c9be22b53075" /> After: <img width="451" height="1007" alt="image" src="https://github.com/user-attachments/assets/18c781c0-4f52-4ca2-99e6-1fc34dc857e3" /> <img width="434" height="240" alt="image" src="https://github.com/user-attachments/assets/13fbb3ad-ef3c-499d-a27e-26cfae89ae44" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Replaced legacy dropdowns with a unified Select component and consistent form layout across payment method, org transfer, foreign-key/column selectors, region selection, and other dropdowns. * **Chores** * Removed the legacy listbox implementation and its public exports from the UI package. * **Tests** * Removed old listbox unit tests and updated e2e selectors to target the new Select-based controls. * **Style** * Deleted obsolete listbox-specific styles. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
bc3dc73240 |
chore: migrate old <Select /> usage to the new Shadcn component (#45232)
## Problem We want to reduce the code we ship and maintain. ## Solution Migrate old `<Select />` usage to the new Shadcn component. ## Screenshots ### `www` Pricing Before: <img width="637" height="697" alt="image" src="https://github.com/user-attachments/assets/b6f261de-e587-411b-9408-faf94d709f1c" /> After: <img width="644" height="756" alt="image" src="https://github.com/user-attachments/assets/8cc4894c-64da-4e6a-960c-77cd162ac71d" /> ### Observability Before: <img width="1015" height="452" alt="image" src="https://github.com/user-attachments/assets/3d7e8613-e7a6-461d-a50d-e66c7c85fef1" /> After: <img width="833" height="467" alt="image" src="https://github.com/user-attachments/assets/98ace34f-25ec-48b5-aad3-fe812307b01d" /> ### Docs Realtime Used in pages: - https://supabase.com/docs/guides/realtime/postgres-changes - https://supabase.com/docs/guides/realtime/benchmarks Before: <img width="578" height="437" alt="image" src="https://github.com/user-attachments/assets/22fa0048-be07-42e0-9153-65171fa3ccb9" /> After: <img width="571" height="423" alt="image" src="https://github.com/user-attachments/assets/e0adbde9-0c6f-48da-b377-516392185fb0" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Updated dropdown/select controls across the app to a consistent, composable implementation * Replaced advanced JWT generator in docs with a simplified JWT generator component * **Chores** * Removed legacy select component, associated styles and exports * Updated theme and tests to align with the new select implementation <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
d9b58fdf3e |
fix: paste seq sync (#45116)
## TL;DR - extends https://github.com/supabase/supabase/pull/45076 - closes https://github.com/supabase/supabase/issues/45113 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Sequence values now properly sync after bulk row inserts, ensuring correct auto-increment behavior for subsequent inserts. * **Tests** * Added end-to-end coverage for CSV import, including a "Paste text" import path that verifies custom-owned sequences are synchronized before the next insert. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Gildas Garcia <1122076+djhi@users.noreply.github.com> Co-authored-by: Ali Waseem <waseema393@gmail.com> |
||
|
|
19a6fc90ac |
feat: Add "Export as markdown" action on both the schema and individual tables (#44986)
## Problem When using LLMs, it's useful to describe your tables in markdown format. ## Solution - Add an _Copy as SQL_ and _Copy as Markdown_ in the schema visualiser table menu <img width="320" height="235" alt="image" src="https://github.com/user-attachments/assets/b465d6aa-a011-4308-86de-78725328630b" /> - Refactor the _Copy as SQL_ and _Download current view_ buttons in a single button/dropdown combo and add _Copy as markdown_: <img width="333" height="143" alt="image" src="https://github.com/user-attachments/assets/a823988b-abff-4840-b5a5-53a5830065b4" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * "Copy as Markdown" for schemas and individual tables. * "Copy as SQL" for individual tables. * Per-column descriptions included in schema/table exports. * **Style** * Export actions consolidated into a compact, grouped dropdown with adjacent copy action for streamlined header controls. * **Tests** * Unit tests for markdown export helpers. * E2E tests updated to use the new export UI and adjusted dialog timing. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> |
||
|
|
2e3ddc3a52 |
fix: csv seq sync (#45076)
## TL;DR fixes csv imports with explicit id values leaving auto generated primary keys out of sync by resolving the primary key sequence correctly after import ## ex: | Before | After | | --- | --- | | <img width="378" height="201" alt="Before: stale sequence after CSV import" src="https://github.com/user-attachments/assets/34c827f5-c69b-4c05-aa67-9fb6fd65a040" /> | <img width="435" height="196" alt="After: sequence synced after CSV import" src="https://github.com/user-attachments/assets/bb84f286-1b3e-44a5-965b-5f2faa3f7622" /> | ## ref: - closes https://github.com/supabase/supabase/issues/45073 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Bug Fixes** * Fixed identity sequence synchronization during CSV imports. After spreadsheet data is inserted, the system now properly updates sequence values, ensuring subsequent rows receive correct identifiers. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
8c4ae77ece |
fix: enum quotes (#45023)
## TL;DR
fixes enum create/update failures when names contain quotes
(also added a smol e2e)
## Ex:
<table>
<tr>
<td><strong>Before</strong></td>
<td><strong>After</strong></td>
</tr>
<tr>
<td>
<img width="424" height="178" alt="Before"
src="https://github.com/user-attachments/assets/d1815f4e-3879-4f8d-8d24-40d2c1f5563d"
/>
</td>
<td>
<img width="233" height="75" alt="After fix"
src="https://github.com/user-attachments/assets/f3f9b53c-b234-4e18-9b2d-db97ca4713d5"
/>
</td>
</tr>
</table>
## ref:
- closes https://github.com/supabase/supabase/issues/45022
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed enumerated type description handling to preserve special
characters (quotes and apostrophes) without unintended escaping.
* **Tests**
* Extended enumerated types test coverage to include creation, updates,
and deletion of types with special characters in names and descriptions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
19027e73f8 |
[FE-3036] feat(studio): runtime env var overrides for enabled features (#45049)
Lets self-hosted Studio toggle flags in `enabled-features.json` at container start time via `ENABLED_FEATURES_*` env vars, without rebuilding the prebuilt image. Addresses [FE-3036](https://linear.app/supabase/issue/FE-3036/allow-enabled-featuresjson-flags-to-be-overridden-via-env-vars) and is a prerequisite for [COM-205](https://linear.app/supabase/issue/COM-205/add-feature-flag-to-disable-all-logs-in-studio). **Added:** - `packages/common/enabled-features/overrides.ts` — pure parser that maps `ENABLED_FEATURES_*` env vars to a disabled-features list (forward-only key mapping, boolean validation, typo warnings) + 10 vitest tests - `apps/studio/pages/api/enabled-features-overrides.ts` — Next.js API route reading `process.env` at request time; no-op (`{ disabled_features: [] }`) when `IS_PLATFORM` - `apps/studio/data/misc/enabled-features-override-query.ts` — React Query hook with `staleTime: Infinity`, `enabled: !IS_PLATFORM` - `packages/common/enabled-features/README.md` — docs the env var convention, resolution order, `IS_PLATFORM` gating, and the `Support.constants.ts` build-time caveat **Changed:** - `apps/studio/hooks/misc/useIsFeatureEnabled.ts` — merges the override's `disabled_features` with `profile.disabled_features` ### Env var shape One var per flag, prefixed `ENABLED_FEATURES_`. Feature key → env name: uppercase with every non-alphanumeric char replaced by `_`. ```bash ENABLED_FEATURES_LOGS_ALL=false ENABLED_FEATURES_BRANDING_LARGE_LOGO=true ``` Values are `true`/`false` case-insensitively. Other values and prefixed vars that don't match a known feature are logged and ignored. ### Resolution order (runtime, Studio only) 1. `ENABLED_FEATURES_*` (self-hosted, via API route → React Query → hook) 2. `profile.disabled_features` (hosted, from `/platform/profile`) 3. `enabled-features.json` static value 4. Default (enabled) `ENABLED_FEATURES_OVERRIDE_DISABLE_ALL` still short-circuits everything. ### Known limitation `apps/studio/components/interfaces/Support/Support.constants.ts:4` calls `isFeatureEnabled('billing:all')` at module load to build `CATEGORY_OPTIONS`, which is spread into Zod form schemas. That call site stays resolved from the JSON — documented in the package README. `billing:all` isn't on the radar for self-hosted runtime toggling. ## To test - `cd packages/common && pnpm exec vitest run enabled-features` — 10 new tests pass - `pnpm --filter studio run typecheck` clean - Spin Studio locally with `NEXT_PUBLIC_IS_PLATFORM=false` and `ENABLED_FEATURES_LOGS_TEMPLATES=false`; `/project/[ref]/logs/explorer/templates` should reflect the flag after the override fetch resolves - Confirm the API route returns `{ disabled_features: [] }` when `NEXT_PUBLIC_IS_PLATFORM=true` - Set a typo like `ENABLED_FEATURES_LOGS_TMEPLATES=false` and check the warning in container logs; flag stays enabled <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Runtime feature-flag overrides for self-hosted deployments (env var driven), new API endpoint and client-side hook to fetch overrides, and client logic now merges profile and runtime overrides. * **Documentation** * Added comprehensive README describing the feature-flag system and override configuration. * **Tests** * Added unit tests for override parsing and E2E tests covering runtime override behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
|
2555e81dde |
fix(studio): don't scan dollar-quoted bodies for DDL in SQL editor (#45050)
Fixes a false positive in the CREATE-TABLE-without-RLS warning modal added in #45008. The warning was firing on `CREATE FUNCTION` statements because the `SELECT..INTO` detector was matching plpgsql variable assignments inside `$$…$$` function bodies. Reported example that triggered the modal with no table actually being created: ```sql create or replace function schema_checks() returns jsonb language plpgsql as $$ declare ret jsonb; begin select jsonb_build_object('value', 'ok') into ret; return ret; end; $$; ``` **Changed:** - `SQLEventParser.match()` now strips the body of `$tag$…$tag$` blocks before running detectors. Tags are kept as markers; content is blanked out so function bodies, DO blocks, and dollar-quoted string literals are never scanned as DDL. - Updated a pre-existing parser test that asserted the buggy behaviour (it expected `CREATE TABLE fake` inside a `$$…$$` string literal to be detected — `$$…$$` is a string literal in Postgres, not DDL). **Added:** - Regression tests in `SQLEditor.utils.test.ts` covering: the exact reported function, DO blocks with `select into`, `create table` text inside a function body, mixed top-level `CREATE TABLE` + function with `INTO` assignments, and custom `$body$…$body$` tags. - Parser-level regression test in `sql-event-parser.test.ts`. ## To test - In the SQL editor, paste the function from the Slack report and run it — the RLS warning modal should not appear. - Run `create table foo (id int8 primary key);` on its own — modal still appears as before. - Run `create table foo (id int8); create or replace function bar() returns int language plpgsql as $$ declare v int; begin select 1 into v; return v; end; $$;` — modal should flag only `foo`, not `v`. - Run an existing destructive query (`drop table x`) — unaffected, modal still works. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Parser no longer treats DDL/DML-like text inside PL/pgSQL functions, DO blocks, or dollar-quoted bodies (including nested/custom tags) as top-level CREATE TABLE/SELECT INTO, preventing false detections and UI warnings. * **Tests** * Added unit and e2e regression tests covering dollar-quoted blocks, nested dollar tags, DO blocks, SELECT INTO inside functions, and positive controls with a real top-level CREATE TABLE. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
|
3aed9a9a2a |
feat(studio): warn before CREATE TABLE without RLS in SQL editor (#45008)
Adds a pre-execution warning in the SQL editor when a `CREATE TABLE` statement is run without enabling Row Level Security on the new table. Responds to the press call-out around SQL editor security. <img width="708" height="498" alt="Screenshot 2026-04-18 at 4 31 07 PM" src="https://github.com/user-attachments/assets/4f23ed5e-f32c-46f0-b0da-ac6d4c661c7c" /> **Added:** - Pre-execution check in `executeQuery` that detects `CREATE TABLE` statements without a matching `ALTER TABLE ... ENABLE ROW LEVEL SECURITY` in the same submitted SQL. - New "Run and enable RLS" action in the warning modal that rewrites the SQL to append `ALTER TABLE [schema.]<table> ENABLE ROW LEVEL SECURITY;` for each detected table before running. - Link in the modal to the RLS docs. **Changed:** - `RunQueryWarningModal` now renders `Dialog` directly (instead of `ConfirmationModal`) so it can show three buttons: Cancel / Run without RLS / Run and enable RLS. - `sqlEventParser` table-name regex now supports quoted identifiers containing spaces (e.g. `"My Table"`) and escaped quotes (e.g. `"user""table"`). The check runs against the SQL that's actually submitted, so partial-selection works correctly — selecting only the `CREATE TABLE` portion will trigger the warning even if there's a matching `ENABLE RLS` lower in the editor. ## To test - Open the SQL editor and run `create table foo (id int8 primary key);` → modal should appear with the RLS warning bullet and three buttons. - Click **Run and enable RLS** → query runs, table is created with RLS enabled. - Click **Run without RLS** → query runs as written, no RLS. - Run `create table foo (id int8); alter table foo enable row level security;` → no modal (RLS already enabled in same submission). - Run `create table public.bar (id int8); create table baz (id int8); alter table baz enable rls;` → modal flags only `public.bar`. - Select only the `create table` portion of a snippet that also enables RLS lower down and run the selection → modal should still fire. - Run an existing destructive query (`drop table x`) → modal still works as before with two buttons (Cancel / Run this query). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * SQL editor now detects CREATE TABLE statements missing Row Level Security (RLS) and shows counts and dynamic table/schema details in a redesigned warning dialog with updated pluralization and a “Learn more” link. * New actions: “Run without RLS” and, when available, “Run and enable RLS” which applies RLS and runs the query; editor can execute an overridden SQL payload when applying RLS changes. * **Tests** * Added comprehensive unit and e2e tests covering RLS detection, SQL augmentation, trigger handling, identifier parsing, and the “Run and enable RLS” flow. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
|
ae4f1551f0 |
chore: make new table filter bar the default (#44910)
## Summary - Makes the new table filter bar the permanent default by hardcoding `useIsTableFilterBarEnabled` to return `true` - Removes the feature preview toggle (opt-out) from the preview modal - Cleans up E2E tests: removes old filter UI test, removes `enableFilterBar` helper, fixes race condition in column-drop test - Old filter code paths are left in place for a follow-up cleanup PR Closes FE-2819 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Removed the table filter bar preview and its opt-in/local-storage preview key. * Cleared preview content from the feature preview modal. * **Tests** * Removed the UI filtering e2e test and associated preview opt-in helper. * Updated filter-bar e2e flows to adjust navigation/wait behavior (added explicit waits, removed redundant reloads). <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com> |
||
|
|
8ff22d7f0f |
fix: table editor columns cannot be selected nor advisor icon clicked (#44931)
## Problem Since the drag & drop refactor, users cannot double click to select the column name in the columns headers of the table editor. Besides, the advisor button cannot be clicked either. ## Solution - Add a delay constraint on the drag & drop operation, allowing click events to trigger - Add e2e tests to prevent future reggressions <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Double-click column headers to copy column names to clipboard * Index Advisor warnings now accessible in the Table Editor * **Improvements** * Improved drag start timing and tolerance for smoother column dragging * Better screen reader announcement for index suggestion actions <!-- end of auto-generated comment: release notes by coderabbit.ai --> |