mirror of
https://github.com/supabase/supabase.git
synced 2026-05-08 01:40:13 -04:00
create-pull-request/patch
462 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
ae66a6a9c0 |
Connect GitHub during project creation (#44884)
<img width="1289" height="863" alt="image" src="https://github.com/user-attachments/assets/d661f107-b358-4894-8531-80441d60ab91" />
GitHub integration is now available on the free plan and so we'd like to start promoting code-first workflows as much as possible. One way to do that is to set the tone straight away by asking a user to connect their GitHub repository to a project as part of project creation.
This PR:
- decouples GitHub connection and repo selection into a separate component we can make use of in integration settings and project creation.
- Adds new GitHub fields to project creation form and sends them off to project creation endpoint
- Pre-fills project name based on repo selection

To test locally:
- Ensure you have GitHub integration set up locally (using ngrok etc)
- Ensure you are on the connected platform branch
- Open create a new project page
- Connect GitHub as part of the creation form and select a repo
- Create the project and wait for status to be healthy
- Check project settings integrations page and ensure repo is connected

Note:
- this requires changes on the management api end to accept new GitHub fields
- it might make sense to pull out GitHub connection/authorization from GitHub repository selection but in the current state they are tied together.
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
## Release Notes
* **New Features**
  * GitHub repository selection now available during project creation with integrated authorization flow
  * GitHub connection status and compute availability indicators now displayed on project dashboard
  * Project name auto-populates from selected GitHub repository name when available
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------
Co-authored-by: Gildas Garcia <1122076+djhi@users.noreply.github.com>
|
||
|
|
e6f819f7f8 |
Update notice banner for TOS update (#45632)
## Context
As per PR title - just updates the NoticeBanner component for TOS update information
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Added a Terms of Service update notification banner to inform users about recent policy changes.
  * Notification includes a dialog/modal with full update details, links, and effective date; it replaces the previous maintenance notification so users receive clear, actionable information.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
d8bb0ade65 |
feat(studio): add timezone picker to user dropdown (#45517)
## Problem
The dashboard renders all timestamps in the browser's local timezone. When debugging app issues, users often want to see logs and timestamps in a different timezone (e.g. their app's deployment region) without changing their OS clock.
## Fix
- New Timezone submenu in the user-avatar dropdown, sitting next to the existing Theme picker. Search-as-you-type combobox over the full IANA catalog plus an Auto detect option.
- Selection persists in localStorage (`supabase-ui-timezone`) and survives `clearLocalStorage()`. No backend schema change.
- New `lib/datetime.tsx` exposes pure timezone-aware formatters (`formatDateTime`, `formatDate`, `formatTime`, `formatFromNow`, `toTimezone`) plus a `TimezoneProvider` and matching React hooks (`useTimezone`, `useFormatDateTime`, ...). The pure functions take `tz` explicitly so they're easy to unit test (17 vitest cases covering DST transitions, multi-tz formatting, unix-micro/Date inputs, invalid-tz fallback).
- The selected timezone propagates to every existing `<TimestampInfo>` in Studio via a new `TimestampInfoProvider` context exported from `ui-patterns`. No per-callsite changes needed for those ~20+ surfaces.
- The `UnifiedLogs` date column migrates off `date-fns` to the new `useFormatDateTime` hook (the rest of the date-fns callers stay as-is, since they're either internal range math or non-display).
- `ALL_TIMEZONES` (~600 entries) moves out of `PITR.constants.ts` into a shared `lib/constants/timezones.ts`. PITR keeps a re-export shim so its callers don't move. New `TIMEZONES_BY_IANA` dedupes the catalog by primary IANA name (the original list contains both PDT and PST rows for `America/Los_Angeles`, etc.) and `findTimezoneByIana` provides reverse lookup.
- Telemetry: `timezone_picker_clicked` PostHog event with `previousTimezone`, `nextTimezone`, `isAutoDetected` properties.

Notes for reviewers:
- Bare `dayjs(x).format(...)` calls (~157 files) intentionally still render in browser-local time. Surfaces opt in by switching to the new wrappers, so this PR is the abstraction plus logs adoption; broader migration is a follow-up.
- Two `// prettier-ignore` lines (`apps/studio/pages/_app.tsx`, `apps/studio/components/interfaces/UnifiedLogs/UnifiedLogs.fields.tsx`) work around a pre-existing local-tooling issue where `prettier-plugin-sql-cst` strips angle-bracket type arguments under certain conditions. Project's pinned prettier (3.8.1) does not strip; the issue surfaces with a globally-installed prettier. Worth tracking separately.
- Hydration: `guessLocalTimezone()` and `useLocalStorageQuery` are client-only. Studio is mostly CSR via the Pages Router, but any SSR'd `<TimestampInfo>` may briefly render in the server's tz before client hydration. Existing behavior already had this mismatch with `.local()`; this PR does not regress it.
- Backend timestamps round-tripped through query params and mutations stay UTC. The picker is display-only.
## How to test
- Run `pnpm dev:studio`, sign in.
- Open the user avatar dropdown (top right). Hover Timezone.
- Search for "tokyo", pick `(UTC+09:00) Osaka, Sapporo, Tokyo`.
- Open any project, navigate to Logs (e.g. `Project > Logs > Edge Functions`). Hover a log row's timestamp; the popover should show UTC, the chosen tz (`Asia/Tokyo`), and the relative time. Visible cell text should be in JST.
- Visit any page that uses `<TimestampInfo>` (Database > Backups, Project Pause state, Edge Function details). Same tooltip should reflect Asia/Tokyo.
- Refresh the page; timezone is still Asia/Tokyo.
- Reopen the picker, choose Auto detect; timestamps revert to browser local.
- Run `pnpm --filter studio test lib/datetime.test.ts`. 17 tests should pass.
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Timezone selector added to the user menu with auto-detect and manual override
  * App-wide timezone provider and hooks plus a shared timezone catalog for consistent timezone-aware display
  * Timestamp components accept an optional timezone prop and respect user preference (persisted)
* **Bug Fixes / Improvements**
  * Logs and timestamp displays now use the new timezone formatting hooks
* **Tests**
  * Added comprehensive datetime and timezone catalog tests
* **Telemetry**
  * Telemetry event added for timezone picker interactions
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
da81b2f14d |
feat(studio): add click tracking for top bar buttons (#45414)
## Summary
Adds PostHog click/open tracking for every interactive element in the Studio top bar. Previously only 5 of ~16 surfaces were tracked.
### New events (16)

| Event | Surface |
|---|---|
| `home_logo_clicked` | Supabase logo |
| `header_back_to_dashboard_clicked` | Mobile back chevron |
| `header_exceeding_usage_badge_clicked` | "Exceeding usage limits" badge |
| `organization_dropdown_opened` | Org dropdown trigger |
| `project_dropdown_opened` | Project dropdown trigger |
| `branch_dropdown_opened` | Branch dropdown trigger |
| `merge_request_button_clicked` | MR trigger (separate from existing success event) |
| `connect_button_clicked` | Connect CTA |
| `feedback_dropdown_opened` | Feedback dropdown trigger |
| `advisor_button_clicked` | Advisor toggle |
| `inline_editor_button_clicked` | SQL editor toggle |
| `assistant_button_clicked` | AI Assistant toggle |
| `user_dropdown_opened` | Account dropdown |
| `local_dropdown_opened` | Local-dev settings dropdown |
| `local_version_popover_opened` | CLI version popover |

### Notes
- Uses `useTrack` (per `telemetry-standards`), all event names use approved `_clicked` / `_opened` verbs.
- Dropdown `onOpenChange` handlers guard against Radix's double-fire by only tracking when `open === true`.
- `merge_request_button_clicked` fires on the trigger click; the existing `branch_create_merge_request_button_clicked` continues to fire on successful MR creation.
- Pre-existing tracked surfaces (`command_menu_opened`, `help_button_clicked`, `header_upgrade_cta_clicked`, `send_feedback_button_clicked`) are unchanged.
## Test plan
- [x] Spot-check each event fires once per interaction in PostHog Live Events
- [x] Verify no double-fire on dropdown close
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Chores**
  * Added telemetry tracking for many header/navigation interactions (logo, back-to-dashboard, usage badge, connect/merge/advisor/assistant/inline-editor buttons, and multiple dropdowns/popovers).
* **Tests**
  * Updated tests to stub telemetry calls so UI tests remain stable and deterministic.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
97a8df0a23 |
feat: Handle the classic-dark theme in www and docs apps (#45214)
This PR fixes a bug where a user might choose `classic-dark` as a theme in `studio` but then `docs` and `marketing` apps will look weird.
To test:
- Change the localStorage value of `theme` to `classic-dark`
- Open `www` and `docs` apps, they should look ok
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Added a new "classic-dark" theme option for enhanced visual customization.
* **Improvements**
  * Unified and simplified theme handling across apps for more consistent behavior.
  * Improved system-theme detection and smoother transitions when switching themes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
baaf07002f |
chore(studio): add method property to integration installation events (#45473)
Add new `method` property to existing event to distinguish from server-side emitted events |
||
|
|
34241f1f66 |
revert(pricing): remove A/B experiment, keep control (#44293) (#45361)
Reverts the pricing page flexibility/visibility A/B experiment from #44293. We decided to keep the control (original pricing page).
**Changes:**
- `PricingPlansSection.tsx`: removed all experiment logic (PostHog flag evaluation, exposure tracking, flexibility section)
- `PricingContent.tsx`: removed `PricingPageExperimentVariant` type export
- `PricingPlans.tsx`: removed `experimentVariant` prop and all variant-conditional rendering
- `telemetry-constants.ts`: removed `PricingPageExperimentExposedEvent`
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Refactor**
  * Consolidated pricing page component variants and simplified the component hierarchy by removing conditional experiment-dependent UI branches.
  * Removed pricing page experiment tracking and associated telemetry event definitions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
580598f0e8 |
feat(www): update changelog layout, rss and md files (#45219)
- Update Changelog [index page layout](https://zone-www-dot-com-git-feat-changelog-update-supabase.vercel.app/changelog):
  - with full timeline
  - filterable based on text search and tags
- New Changelog [detail pages](https://zone-www-dot-com-git-feat-changelog-update-supabase.vercel.app/changelog/45071)
- all added to www_sitemap
- Changelog [RSS Feed](https://zone-www-dot-com-git-feat-changelog-update-supabase.vercel.app/changelog/45071) + llm-friendly [/changelog.md](https://zone-www-dot-com-git-feat-changelog-update-supabase.vercel.app/changelog.md)
- and llm-friendly changelog detail md files: https://zone-www-dot-com-git-feat-changelog-update-supabase.vercel.app/changelog/45071.md
## Before
<img width="1604" height="1094" alt="Screenshot 2026-04-27 at 17 07 55" src="https://github.com/user-attachments/assets/eac52f14-e447-4f64-8d50-a8e287ccf989" />
## After
<img width="1247" height="849" alt="changelog-index" src="https://github.com/user-attachments/assets/69b7bae1-63eb-4a4d-a065-7541ed9738b4" />
### Detail page
<img width="1695" height="1101" alt="Screenshot 2026-04-27 at 18 27 27" src="https://github.com/user-attachments/assets/accd4be8-d665-43ed-bcb7-0e6baf537762" />
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
## Release Notes
* **New Features**
  * Redesigned changelog page with full-text search and product tag filtering
  * Individual pages for each changelog entry with dedicated URLs
  * Added RSS feeds for changelog updates and product-specific feeds
  * Copy changelog entries as markdown with one click
  * Direct sharing integration with ChatGPT and Claude
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
|
||
|
|
c8781c885e |
chore(studio): use new publish_dashboard column for marketplace db query (#45345)
Updates the marketplace DB query to use the new `publish_dashboard` column that was added in https://github.com/supabase/marketplace/pull/49
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **Chores**
  * Updated internal marketplace integration query and database type definitions to streamline listing management logic.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
3b756e4d9f |
Chore/project secure (#45108)
<img width="2652" height="830" alt="image" src="https://github.com/user-attachments/assets/3c3921e7-c255-4e59-a9c3-c5f97da87788" />
Adds a full screen alert behind a feature flag `projectNeedsSecuring` that prompts for fixing RLS issues. Adjusts a few other small styles to add more prominence to critical advisor issues.
To test:
- Enable the flag
- Make sure you have a table with RLS disabled
- Open project home and note the fade in of full page review
- Click "copy prompt" or "fix" and note the prompt
- Click skip to home and refresh the page, note it doesn't appear anymore
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Project-level security gate on project home with AI assistant prompts, table details, per-project dismissible notice, and a new telemetry event for CTA interactions.
* **Improvements**
  * Stronger visual treatment for critical advisor items and advisor CTA when critical issues exist.
  * Assistant dropdown supports a copy-prompt callback; added local-storage key and utilities/types to support project security workflows.
* **Tests**
  * Added tests covering gate behavior, navigation, and dismissal logic.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
|
||
|
|
072006ba0f | chore(studio): remove mobile toolbar flag (#45317) | ||
|
|
dab1512fe9 |
Add callout for feature preview rls tester (#45307)
## Context
Adds a banner on the auth policies page for the new RLS tester feature preview
<img width="307" height="310" alt="image" src="https://github.com/user-attachments/assets/6864c2cb-c3b8-4c1f-8dce-57411425e17d" />
Also adds a Give feedback button in the RLS Tester sheet footer
<img width="616" height="73" alt="image" src="https://github.com/user-attachments/assets/64755f56-4e27-4b54-92b2-a894badc0b88" />
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * RLS Tester preview banner added to the policies page with animated content and a locally persisted dismissed state.
  * Enabling the RLS Tester via the preview also dismisses and records the banner dismissal.
  * New feedback link added to the RLS Tester UI that opens in a new tab.
* **Layout/Providers**
  * Banner stack context moved so banner state is available more broadly across the app.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
5f867e5f6c |
Feature Preview: RLS Tester (#45121)
## Context
Resolves FE-3077
Related discussion: https://github.com/orgs/supabase/discussions/45233
Verifying the correctness of your RLS policies set up has always been a gap, as highlighted by a number of GitHub discussions like [here](https://github.com/orgs/supabase/discussions/12269) and [here](https://github.com/orgs/supabase/discussions/14401).
As such, we're piloting a dedicated UI for RLS testing (using role impersonation as the base), in which you'll be able to
- Run a SQL query as a user (not logged in / logged in - this is the role impersonation part)
- See which RLS policies are being evaluated as part of the query
- And hopefully be able to debug which policies are not set up correctly

Changes are currently set as a feature preview - and we'll iterate as we get feedback from everyone 🙂 🙏
<img width="613" height="957" alt="image" src="https://github.com/user-attachments/assets/83c37f8a-28fc-43b3-b0ff-e28571d8710c" />
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * RLS Tester: run queries as anon or authenticated users, view inferred SQL, per-table policy summaries, and data previews of accessible rows.
  * UI preview: new RLS Tester preview card and modal with opt-in toggle; RLS Tester sheet with role/user selector and query editor.
  * SQLEditor: “Explain” tab is always visible.
* **Chores**
  * Added supporting API endpoints, background checks for table RLS status, and a local-storage flag to persist the preview opt-in.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
5f6060197e |
[COM-205] feat(studio): add logs:all flag to hide all logs (#45202)
Adds a top-level `logs:all` flag (default `true`) so self-hosted and local setups can hide the logs pages in Studio when Logflare isn't configured — no separate Studio build required. The flag itself works everywhere; the additional `ENABLED_FEATURES_LOGS_ALL` env-var override (from FE-3036) is the self-hosted escape hatch so deployers can flip it without a custom build — that part is a no-op on `IS_PLATFORM` because hosted feature gating flows through `profile.disabled_features` instead.
Addresses [COM-205](https://linear.app/supabase/issue/COM-205/add-feature-flag-to-disable-all-logs-in-studio).
**Added:**
- `logs:all` feature flag in `enabled-features.json` + schema

**Changed:**
- Sidebar "Logs" nav entry is hidden when `logs:all` is off (same pattern as `reports:all` / `billing:all`)
- Cmd-K "Logs Explorer" / "Auth Logs" / etc. routes are hidden when the flag is off
- `LogsLayout` renders `<UnknownInterface />` (soft-404) when the flag is off — covers all ~18 logs pages in one spot
- `/logs/index.tsx` applies the same soft-404 for the unified-logs entry point
## To test
Needs to be tested locally (preview doesn't let you flip the flag — hosted gating is profile-driven, not env-driven). Two ways:
- Temporarily edit `"logs:all": false` in `packages/common/enabled-features/enabled-features.json` and run `pnpm dev:studio`, or
- Run Studio locally with `ENABLED_FEATURES_LOGS_ALL=false` (env-var path, same as how self-hosted deployers would use it)

With the flag **off**:
- Sidebar "Logs" entry is hidden
- Cmd-K search for "Logs" / "Auth Logs" / "Postgres Logs" etc. returns nothing
- Direct navigation to `/project/<ref>/logs`, `/project/<ref>/logs/explorer`, `/project/<ref>/logs/auth-logs`, `/project/<ref>/logs/postgres-logs` (etc.) all render the "Looking for something?" soft-404 with a Head back button

With the flag **on** (default): everything works as it does today.
**Check on the preview deploy too** — nothing should change, no behaviour difference on hosted.
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
|
||
|
|
7f5865872a |
Enforce noUnusedLocals and noUnusedParameters in tsconfig.json + fix all related issues (#45264)
## Context
Enforce `noUnusedLocals` and `noUnusedParameters` in tsconfig.json + fix all related issues
|
||
|
|
9fbe5152d9 |
chore: Remove dead code and unused files from the packages/ui (#45169)
# Changes
## Removed unused themes
- Deleted `concept-two.css` (unused) and `dark-combined.css` which was identical to `dark.css`
- Removed the alias `deep-dark` to `dark` theme since it was unused
## Removed Figma token transform scripts
- Deleted the entire `internals/transform/` directory (~700 lines of JS) — these scripts transformed Figma tokens into Tailwind variables but are no longer needed
- Deleted `internals/tokens/cleanse-css-for-tailwind.js` and `extract-design-tokens.js`
- Removed related dependencies from `package.json`
## Removed other unused files
- Deleted `shadcn.css` (unused)
- Deleted `tailwind-theming.md` (outdated doc), https://supabase.com/design-system/docs/color-usage is a better resource
## Refactoring
- Extracted the `motion-safe-transition` Tailwind plugin into its own file (`packages/config/tailwind-plugins/motion-safe-transition.js`)
- Renamed the tailwind class generation script for clarity
- Added stub `tailwind.config.js` files in packages that were missing them, so VSCode IntelliSense works in those workspaces
- Updated `packages/ui/README.md` to reflect current usage patterns (imports, styling conventions) instead of outdated Figma tokens workflow
# Testing
- Check all apps whether they have the correct themes with the correct colors

[Linear task](https://linear.app/supabase/issue/FE-3059/clean-up-unused-ui-build-artifacts-themes-and-figma-token-scripts)
|
||
|
|
1f318582e1 |
fix(growth): preserve non-accept consent decisions on banner re-init (#45187)
## Problem
Cookie banner keeps re-prompting GDPR users who denied consent or made a
partial opt-out via Privacy Settings — they can't get rid of it.
Reported by Christian Gedde-Dahl (Front SU-362240, mygame.no) and a
Supabase support engineer independently.
The March fix for FE-2648 handled the accept case — users got their
banner dismissal stomped when GTM's Usercentrics integration migrated
localStorage from `uc_settings` to `ucData`/`ucString`. But that fix
only recognized uniformly-accepted `ucData`, so any other shape
(deny-all, essentials-plus-some-tracking, partial opt-out via the
Privacy Settings modal) fell through and was treated as "no prior
decision." Banner re-prompts on every page load.
Christian's and his colleague's `ucData.consent.services` showed 13
services accepted (essentials + functional) and 4 tracking services
denied — the shape you get from toggling off the Marketing category in
Privacy Settings. Our detection ignored it.
## Changes
- `detectPriorConsent` now returns a discriminated union — `null`, `{
kind: 'uniform-accept' }`, or `{ kind: 'decisions'; decisions }` — so we
restore per-service state faithfully instead of flattening to deny-all.
- Parse `uc_settings` for the fast cross-app nav case. The old fallback
treated `uc_user_interaction === "true"` as uniform-accept, which
silently upgraded deny users (GDPR violation waiting to happen). Now the
flag is just a gate confirming the user actually interacted, and we read
real decisions from `uc_settings.services[]`.
- Extracted the post-init orchestration from `initUserCentrics` into
exported `applyPriorDecisionToSDK(UC, initialUIValues, priorDecision)`
so it's unit-testable without mocking the dynamic SDK import.
- Added a coverage cross-check: if the Usercentrics ruleset has a
non-essential service that isn't in the user's stored decisions, force a
re-prompt rather than silently defaulting the new service. Essentials
are skipped because the SDK forces them on regardless.
- Everything fails closed on partial `ucData` / `uc_settings`
corruption. Cherry-picking the valid subset would bias toward
over-consent, which is the worst-direction bias in this domain.
## Testing
27 unit tests covering `detectPriorConsent` parsing (both `ucData` and
`uc_settings` paths, fail-closed on malformed or partially-corrupt
blobs, combined scenarios) and `applyPriorDecisionToSDK` orchestration
(uniform accept, decisions with full coverage, uncovered-non-essential
compliance guard, essentials-only negative control, null fallthrough,
SDK-already-consented passthrough).
Can't fully repro on staging — CSP blocks GTM on preview, so the
`ucData` migration never fires. Same limitation as the original FE-2648
fix. Will verify in production post-merge by asking Christian to reload
and watching support ticket volume.
Reviewed twice by Codex with a full iteration between passes; final pass
found no functional blockers.
GROWTH-790
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fail-closed validation for stored consent data: malformed, partial, or
missing entries now yield null and avoid unsafe restoration.
* Improved precedence and fallback so corrupt prior data won’t
incorrectly restore consent.
* **Refactor**
* Consent detection now returns richer prior-decision results (uniform
accept, per-service decisions, or null).
* Applying prior decisions to the SDK uses stricter coverage checks
before restoring per-service consent.
* **Tests**
* Expanded tests covering varied stored-consent shapes, gating rules,
precedence, recovery, and SDK application behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
|
||
|
|
1ab7251060 |
chore(studio): clarify partnered orgs and projects (#44328)
## What kind of change does this PR introduce?
UI improvements.
- Resolves DEPR-401
- Resolves DEPR-424
- Resolves DEPR-425
## What is the current behaviour?
Studio currently blurs two different concepts together:
- `billing_partner` / `billing_via_partner`, which represent real billing ownership for marketplace-managed organisations such as AWS and Vercel
- Stripe connection state, which is not actually partner billing in the same sense, but was previously being mocked through the same UI paths

That made the Stripe work harder to reason about and left some local behaviour dependent on temporary overrides rather than the API shape we want to ship.
## What is the new behaviour?
This PR separates those concerns while keeping the existing AWS and Vercel marketplace experience intact.
- AWS and Vercel continue to use `billing_partner` / `billing_via_partner` for billing ownership, lockouts, and manage CTAs
- Stripe display state now comes from `integration_source`, which lets Studio show Stripe-specific badges and alerts without treating Stripe as a billing partner
- organisation-level partner UI is unified across AWS, Vercel, and Stripe, including the org banner, navbar icon treatment, and organisation cards
- project-level Stripe UI now appears only when the project itself is marked as Stripe-connected, including the project switcher, project list surfaces, and a project-level banner
- Stripe-connected organisations are no longer incorrectly blocked behind the AWS/Vercel-style billing management alerts for invoices, billing address, payment methods, or plan changes
- banner dismissal is scoped to the relevant org/project and partner/integration state
## Review order
Most of the diff size here is regression tests and generated types. The behavioural changes are concentrated in a smaller set of files.
Recommended review order:
1. `integration_source` vs `billing_partner` data-model split and org/project query mapping
2. org-level UI: partner icon, org banner, org dropdown/card treatment
3. billing gating updates for Stripe vs AWS/Vercel
4. project-level Stripe UI: dropdown, list surfaces, banner
5. tests and generated types

| Stripe Org(s) |
| --- |
| <img width="1024" height="759" alt="Organizations Supabase" src="https://github.com/user-attachments/assets/d0ef338c-3b41-4c6d-b3bd-f21a2c182840" /> |

| Vercel Org(s) |
| --- |
| <img width="1024" height="759" alt="Organizations Supabase" src="https://github.com/user-attachments/assets/1dc57770-3f24-45ac-840f-34680555cde8" /> |

| AWS Org(s) |
| --- |
| <img width="1024" height="759" alt="Organizations Supabase" src="https://github.com/user-attachments/assets/7847dad0-ee30-4a65-ab0b-b3b16af0d34f" /> |

| Stripe Org, Non-Stripe Project |
| --- |
| <img width="1152" height="885" alt="Mallet Toolshed Supabase-1673E019-792C-462C-B6F8-C5DDB810B331" src="https://github.com/user-attachments/assets/556fbea3-b5ae-4f2f-96b9-6f66c6654e4a" /> |

| Stripe Org, Stripe Project |
| --- |
| <img width="1152" height="885" alt="Hammer Toolshed Supabase-7E86C17C-561F-4221-BD16-EAFF7D41AAE0" src="https://github.com/user-attachments/assets/94f8daf6-0320-413e-8d56-59f9acaaea15" /> |

| Vercel Org |
| --- |
| <img width="1024" height="759" alt="Projects Toolshed Supabase-A7891653-9366-4B99-89DD-789D70CD52E3" src="https://github.com/user-attachments/assets/c87ee6e8-4451-4866-a905-23a38b2593e3" /> |

| AWS Org |
| --- |
| <img width="1024" height="759" alt="Projects Toolshed Supabase-58A43ECE-569E-4541-9463-346A90B02CFF" src="https://github.com/user-attachments/assets/9350a180-4d58-42a1-ad1a-95893c2e8b12" /> |

This also removes the old Stripe mock override path in Studio so the frontend matches the intended API model more closely.
## ~~Dependencies~~ (merged!)
This work depends on the private platform change that exposes `integration_source` on the relevant organisation and project payloads:
- https://github.com/supabase/platform/pull/31874

_Update: now merged._
## Local testing
### Stripe
If you have the private `platform` repo checked out locally, make sure your local API returns `integration_source: 'stripe_projects'` consistently for the Stripe-linked org/project you are testing.
Important responses:
- `/platform/organizations`
- `/platform/organizations/:slug/projects`
- `/platform/projects/:ref`

Verify:
- org banner and org icon show the Stripe connected state
- unopened and opened project switcher both show Stripe only for Stripe-linked projects
- project cards / table rows show the Stripe chip only for Stripe-linked projects
- the project-level Stripe banner appears across project surfaces
- billing address, tax ID, invoices, payment methods, and plan changes remain editable in Studio for Stripe orgs
### Vercel
Use a Vercel Marketplace org with real `billing_partner` / `billing_via_partner` values.
Important org-level endpoints for local mocking in `platform`:
- `/platform/organizations`
- `/platform/organizations/:slug`
- `/platform/organizations/:slug/billing/subscription`

Project-level Vercel indicators still come from `/platform/integrations/:slug`, not `integration_source`.
### AWS
Use an AWS Marketplace org with real `billing_partner` / `billing_via_partner` values.
Important org-level endpoints for local mocking in `platform`:
- `/platform/organizations`
- `/platform/organizations/:slug`
- `/platform/organizations/:slug/billing/subscription`

AWS does not currently have a Stripe-like project-level indicator in these org/project payloads.
## Notes
- `billing_partner` is no longer the right abstraction for the Stripe-connected case in this PR. It remains the source of truth for marketplace billing ownership, while Stripe currently uses `integration_source` as a connection/display signal.
- I re-ran `pnpm api:codegen` while tightening this PR and kept only the generated type changes this branch actually depends on, to avoid unrelated API drift in the review.
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Stripe Projects integration added for billing and project flows
  * Partner icons/badges shown across org and project lists, dropdowns, and rows
  * Dismissible, partner-specific marketplace/integration banners with contextual CTA behavior
  * Improved partner-billing detection to drive billing UI and invoice/plan availability
* **Tests**
  * Extensive new test coverage for billing UI, partner-managed fallbacks, banners, icons, and related flows
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
|
||
|
|
4ec48666d2 |
feat(studio): unified logs guard change (#44962)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? This changes the guard to expose unified logs to Enterprise. **To test:** - Create an Enterprise org. - Go to a project and then Logs. - Default view should be unified logs (with a CTA offering to switch back to old logs). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added enterprise/Supabase-org eligibility checks and loading state for the unified logs preview. * **UX** * Updated messaging to state unified logs are only available to Enterprise plan organizations. * Sidebar and filter panels now show unified-logs preview panels based on eligibility. * **Analytics** * Track unified logs row clicks with a new telemetry event. * **Bug Fixes** * Prevent navigation until unified-logs eligibility and preview flag loading are resolved. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
75e08577c1 |
chore(studio): remove tableEditorApiAccessToggle flag (#45081)
Cleans up the `tableEditorApiAccessToggle` PostHog flag now that the gated UI is shipping to everyone. Follow-up to #45034 — the new project-creation checkbox makes the management UI a prerequisite, so no reason to keep it behind a flag. **Removed:** - `useDataApiGrantTogglesEnabled` hook - Old schemas-only multi-selector branch in the Data API settings page (the rich per-table / per-function toggles + default-privileges switch become the only UI) - Flag gate around the `<ApiAccessToggle>` section in the table editor side panel - Flag gates around `updateTableApiAccess` calls in the save pipeline (create / duplicate / update) - `tableEditorApiAccessToggleEnabled` telemetry property + stale JSDoc / docs references **Changed:** - `createTableApiAccessHandlerParams` no longer takes an `enabled` param — it was always `true` after removal ## To test - Integrations → Data API settings page: exposed tables, exposed functions, default-privileges toggle all render and save correctly - Table editor: creating, duplicating, and editing a table all run the expected Data API privilege updates - Project creation flow still works end-to-end (unchanged, but the submit telemetry no longer includes `tableEditorApiAccessToggleEnabled`) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Improvements** * API access configuration is now always available in the table editor and PostgreSQL settings, removing previous conditional gating. * Simplified the "Automatically expose new tables and functions" interface by consolidating UI branches. * **Documentation** * Updated telemetry guidance and examples with current feature-flag references. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
|
d1a7d64e63 |
[FE-3023] feat(studio): default privileges toggle at project creation (#45034)
<img width="783" height="414" alt="Screenshot 2026-04-20 at 3 02 37 PM" src="https://github.com/user-attachments/assets/a353c35a-3de5-4bfa-ab31-829c79c43165" />
Adds a "Default privileges for new entities" checkbox under "Enable Data API" in both the main create flow and the Vercel deploy-button flow. Default checked (current behaviour). When unchecked, runs `buildDefaultPrivilegesSql('revoke')` after the base init script so new entities in `public` aren't auto-granted to `anon` / `authenticated` / `service_role`.
This PR decouples the two surfaces:
- **`tableEditorApiAccessToggle`** — unchanged; still gates only the integrations → Data API settings UI.
- **`dataApiRevokeOnCreateDefault`** (new) — controls only the default state of the new checkbox at project creation. `true` → checkbox unchecked by default (revoke runs); `false`/absent → checkbox checked by default (no behaviour change).
The new flag is already live in PostHog at **0% rollout, off for everyone**, so shipping this PR changes nothing until the flag is explicitly flipped.
## Added
- `apps/studio/hooks/misc/useDataApiRevokeOnCreateDefault.ts` — reads the new PostHog flag. Returns `false` in `IS_TEST_ENV` so existing E2E flows don't silently change default behaviour.
- Checkbox UI in `SecurityOptions.tsx` (main flow) and `pages/integrations/vercel/[slug]/deploy-button/new-project.tsx` (Vercel flow), with copy matching the integrations → Data API settings page.
- Tooltip + dimmed state for the main-flow checkbox when "Enable Data API" is unchecked (can't configure default privileges if Data API is off).
- Telemetry: `dataApiDefaultPrivilegesGranted` (raw checkbox value) and `dataApiRevokeOnCreateDefaultEnabled` (raw flag, conditionally included using the existing raw-flag pattern so undefined flag state → omitted property, not `false`).
- Vitest unit tests for the new hook.
## Changed
- `pages/new/[slug].tsx`: removed the `false &&` rollback guard. Revoke SQL now runs only when `dataApi && !dataApiDefaultPrivileges`. Dropped the now-unused `useDataApiGrantTogglesEnabled` import.
- `pages/integrations/vercel/[slug]/deploy-button/new-project.tsx`: this flow was **never rolled back** — it still ran revoke whenever `tableEditorApiAccessToggle` was on for a user. Now correctly gated on the new flag + checkbox state.
- `packages/common/telemetry-constants.ts`: added the two new properties and corrected the `tableEditorApiAccessToggleEnabled` docstring (it no longer claims to control project-creation revoke behaviour).
## Kill switch
Flipping `dataApiRevokeOnCreateDefault` to off in PostHog fully disables the revoke SQL for new projects without needing a redeploy — the checkbox just defaults to checked again.
## Follow-ups (not blockers)
- joshenlim's review comments on PR 43704: (1) Auth Policies table row incorrectly showing "exposed via Data API" based on schema-level check instead of table-level at `apps/studio/components/interfaces/Auth/Policies/PolicyTableRow/index.tsx:64`; (2) Data API integrations page showing zero exposed tables even after exposing one. Both unrelated to this PR but will be more visible once the checkbox lands.
- Once this flag fully rolls out, the old `tableEditorApiAccessToggle` docstring/comments elsewhere should stop claiming it controls project creation.
## To test
- **Flag off (default state, simulates post-merge):** create a project with and without "Enable Data API" checked. The new "Default privileges for new entities" checkbox should default to **checked**. Submitting should produce an identical result to today — new tables in `public` are reachable via the Data API.
- **Flag on (simulate rollout):** override the flag locally. The checkbox should default to **unchecked**. Creating a project with it unchecked should run the revoke SQL; create a new table in `public` afterwards and confirm it's not reachable via the Data API until grants are added.
- **Enable Data API off:** the new checkbox should render disabled + dimmed with a tooltip reading "Enable the Data API to configure default privileges." The revoke SQL should not run in this case regardless of checkbox state.
- **Vercel flow:** repeat at `/integrations/vercel/<slug>/deploy-button/new-project` — verify both checkbox states.
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Added an "Automatically expose new tables and functions" checkbox to project creation and Vercel deploy flow; enabled only when Data API is available (disabled with tooltip otherwise) and affects initial project provisioning.
* **Telemetry**
  * Tracks exposure of the default-privileges control and includes checkbox state and feature-flag status on project-creation submissions.
* **Tests**
  * Added tests for flag behavior, exposure tracking, deduplication, and submission telemetry.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
Co-authored-by: Sean Oliver <882952+seanoliver@users.noreply.github.com> |
||
|
|
bd55ad23a6 |
feat: iso27001 certificate (#44963)
Edit: Can be merged, mgmt api deployed Dashboard addition to frontend for access to the ISO 27001 certificate. View for Team customers: <img width="1737" height="1151" alt="image" src="https://github.com/user-attachments/assets/cd62d24f-8b6e-4600-9ded-943a170cd124" /> Resolves SEC-799 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * ISO 27001 certificate added to Documents with a Download action, confirmation modal, new-tab open on success, and error toast on failure. * Users without billing permission see a no-permission view; users missing entitlement see an “Upgrade to Team” prompt. * **Refactor** * Upgrade-to-Team flows for SOC2 and related upgrade UI standardized to use the shared upgrade component. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com> |
||
|
|
19027e73f8 |
[FE-3036] feat(studio): runtime env var overrides for enabled features (#45049)
Lets self-hosted Studio toggle flags in `enabled-features.json` at container start time via `ENABLED_FEATURES_*` env vars, without rebuilding the prebuilt image. Addresses [FE-3036](https://linear.app/supabase/issue/FE-3036/allow-enabled-featuresjson-flags-to-be-overridden-via-env-vars) and is a prerequisite for [COM-205](https://linear.app/supabase/issue/COM-205/add-feature-flag-to-disable-all-logs-in-studio).
**Added:**
- `packages/common/enabled-features/overrides.ts` — pure parser that maps `ENABLED_FEATURES_*` env vars to a disabled-features list (forward-only key mapping, boolean validation, typo warnings) + 10 vitest tests
- `apps/studio/pages/api/enabled-features-overrides.ts` — Next.js API route reading `process.env` at request time; no-op (`{ disabled_features: [] }`) when `IS_PLATFORM`
- `apps/studio/data/misc/enabled-features-override-query.ts` — React Query hook with `staleTime: Infinity`, `enabled: !IS_PLATFORM`
- `packages/common/enabled-features/README.md` — docs the env var convention, resolution order, `IS_PLATFORM` gating, and the `Support.constants.ts` build-time caveat
**Changed:**
- `apps/studio/hooks/misc/useIsFeatureEnabled.ts` — merges the override's `disabled_features` with `profile.disabled_features`
### Env var shape
One var per flag, prefixed `ENABLED_FEATURES_`. Feature key → env name: uppercase with every non-alphanumeric char replaced by `_`.
```bash
ENABLED_FEATURES_LOGS_ALL=false
ENABLED_FEATURES_BRANDING_LARGE_LOGO=true
```
Values are `true`/`false` case-insensitively. Other values and prefixed vars that don't match a known feature are logged and ignored.
### Resolution order (runtime, Studio only)
1. `ENABLED_FEATURES_*` (self-hosted, via API route → React Query → hook)
2. `profile.disabled_features` (hosted, from `/platform/profile`)
3. `enabled-features.json` static value
4. Default (enabled)
`ENABLED_FEATURES_OVERRIDE_DISABLE_ALL` still short-circuits everything.
### Known limitation
`apps/studio/components/interfaces/Support/Support.constants.ts:4` calls `isFeatureEnabled('billing:all')` at module load to build `CATEGORY_OPTIONS`, which is spread into Zod form schemas. That call site stays resolved from the JSON — documented in the package README. `billing:all` isn't on the radar for self-hosted runtime toggling.
## To test
- `cd packages/common && pnpm exec vitest run enabled-features` — 10 new tests pass
- `pnpm --filter studio run typecheck` clean
- Spin Studio locally with `NEXT_PUBLIC_IS_PLATFORM=false` and `ENABLED_FEATURES_LOGS_TEMPLATES=false`; `/project/[ref]/logs/explorer/templates` should reflect the flag after the override fetch resolves
- Confirm the API route returns `{ disabled_features: [] }` when `NEXT_PUBLIC_IS_PLATFORM=true`
- Set a typo like `ENABLED_FEATURES_LOGS_TMEPLATES=false` and check the warning in container logs; flag stays enabled
<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit
* **New Features**
  * Runtime feature-flag overrides for self-hosted deployments (env var driven), new API endpoint and client-side hook to fetch overrides, and client logic now merges profile and runtime overrides.
* **Documentation**
  * Added comprehensive README describing the feature-flag system and override configuration.
* **Tests**
  * Added unit tests for override parsing and E2E tests covering runtime override behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com> |
||
|
|
b721a2d780 |
feat(studio): advisor signal items for banned IPs (#44372)
## What kind of change does this PR introduce?
Feature. Resolves DEPR-430.
## What is the current behaviour?
The homepage Advisor summary, shared Advisor panel, and top-nav Advisor indicator only surface lints and notifications. Banned IPs are not represented as dismissible Advisor items, so network bans are easy to miss unless a user visits Database Settings directly.
The `public bucket allows listing` warning is no longer part of this PR. That warning will move to a follow-up Splinter `WARN` lint so it can flow through the standard lint surfaces instead of a bespoke Studio signal path.
## What is the new behaviour?
- adds a new Advisor `signal` source for banned IPs on the platform homepage, in the shared Advisor panel, and in the top-nav Advisor indicator
- keeps dismissals client-side only for now, scoped by project and exact IP fingerprint
- keeps banned IP signals at `warning` severity because they still indicate suspicious traffic and remain actionable if a user wants to review or remove a ban
- leaves `/project/[ref]/advisors/security` as follow-up work because that surface is still lint-native, and banned IPs are management-plane signals rather than Splinter lints
| After |
| --- |
| <img width="1728" height="997" alt="Mallet Toolshed Supabase-65A60B4A-107E-4D79-B9A8-23F754BEAB08" src="https://github.com/user-attachments/assets/c08ecbbb-c302-43bd-81bb-6ba7eb18b7b3" /> |
## Reviewer testing notes
1. Use a throwaway project.
2. Get the database connection string for that project.
3. Attempt to connect with the wrong password 3-4 times until you hit an `ECONNREFUSED`-style error, which should mean your IP has been banned.
4. Refresh Studio and confirm the project overview shows the new `Banned IP address` signal.
5. Open the Advisor Center and confirm:
   - the top-nav Advisor dot turns warning yellow
   - the signal detail shows `Entity`, `Issue`, and `Resolve`
   - `Edit network bans`, `Dismiss`, and `Learn more` are present
6. Open Database Settings > Network bans and confirm your banned IP appears there and can be unbanned.
7. Note that `/project/[ref]/advisors/security` will not show this item. That page is still lint-only, and this banned IP work is a short-term client-side signal rather than a true lint.
Longer term, we likely want a more durable event model here so banned IPs can power notifications, webhooks, emails, and other project-level alerts.
---------
Co-authored-by: kemal <hello@kemal.earth>
Co-authored-by: Charis Lam <26616127+charislam@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Joshen Lim <joshenlimek@gmail.com> |
||
|
|
e8df67d5d5 |
chore: migrate shortcuts to new hooks API (#44955)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Cleanup shortcuts with new hooks <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Centralized keyboard shortcut system for consistent shortcut behavior across the app and moved preference toggles to a unified registry. * **New Features** * Added explicit shortcuts for Command Menu, AI Assistant, Inline Editor, and result copy/download actions. * Hotkey preferences UI now renders dynamically from the centralized shortcut list. * **Tests** * Test helpers updated to include the command menu provider for accurate shortcut behavior in tests. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
3ed436de74 |
feat: new shortcuts hook with registrations (#44954)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? - Brand new hook APIs for registering shortcuts using tanstack hotkeys - Support for command menu injection when shortcut is added <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Centralized keyboard shortcuts system with per‑shortcut registration and per‑user enable/disable preferences stored locally * Added a "Copy results as Markdown" shortcut (Mod+Shift+M) * Shortcuts can be surfaced in the Command Menu with a visual shortcut badge for discoverability * **Documentation** * Legacy keyboard shortcut hooks marked as deprecated and documentation updated to point to the new shortcut API <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
ae4f1551f0 |
chore: make new table filter bar the default (#44910)
## Summary - Makes the new table filter bar the permanent default by hardcoding `useIsTableFilterBarEnabled` to return `true` - Removes the feature preview toggle (opt-out) from the preview modal - Cleans up E2E tests: removes old filter UI test, removes `enableFilterBar` helper, fixes race condition in column-drop test - Old filter code paths are left in place for a follow-up cleanup PR Closes FE-2819 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Removed the table filter bar preview and its opt-in/local-storage preview key. * Cleared preview content from the feature preview modal. * **Tests** * Removed the UI filtering e2e test and associated preview opt-in helper. * Updated filter-bar e2e flows to adjust navigation/wait behavior (added explicit waits, removed redundant reloads). <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com> |
||
|
|
02325f00e7 |
feat(studio): add Copy as CSV option to SQL editor results (#44911)
## Summary - Adds a new "Copy as CSV" action to the export dropdown in the SQL editor results panel, alongside the existing Copy as Markdown, Copy as JSON, and Download CSV options - Registers a `Shift+Cmd+C` keyboard shortcut for the action, with a toggle in Account > Preferences > Keyboard shortcuts - Works everywhere `DownloadResultsButton` is used: SQL editor, logs, query performance, and linter pages Fixes FE-2991 ## Test plan - [x] Run a SELECT query in the SQL editor, open the Export dropdown, and verify "Copy as CSV" appears between "Copy as JSON" and "Download CSV" - [x] Click "Copy as CSV" and verify CSV data is copied to clipboard - [x] Use `Shift+Cmd+C` shortcut and verify it copies CSV to clipboard - [x] Go to Account > Preferences > Keyboard shortcuts and verify the "Copy results as CSV" toggle is present and functional - [x] Disable the shortcut in preferences, verify `Shift+Cmd+C` no longer triggers the copy - [x] Verify the same option appears in the logs export dropdown <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added "Copy as CSV" action to the results download menu, allowing users to quickly copy query results in CSV format to the clipboard. * Introduced a new hotkey preference setting to enable/disable the Shift+Meta+C keyboard shortcut for copying results as CSV. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
0cb71a2497 |
feat: new marketplace db (#44574)
This PR integrates with the new marketplace db to allow Grafana (and other partners) OAuth apps to install from the integrations page. A demo of this working locally is available here: https://supabase.slack.com/archives/C01GN60J0BS/p1775551752479709. End to end flow is documented here: https://www.notion.so/supabase/Grafana-Integration-Flow-33a5004b775f80eeaf91c098beb8071f. TODO: - [ ] Make sure `NEXT_PUBLIC_MARKETPLACE_API_URL` variable is set to the new marketplace db. - [x] Test with the `marketplaceIntegrations` enabled and disabled in staging once https://github.com/supabase/platform/pull/31298 is merged and available in staging. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Add OAuth "Install integration" button that detects installed integrations and supports GET/POST install flows * Marketplace listings now include install links, installation method, partner info, and listing assets/logos * **Infrastructure** * Allow marketplace API origin for images and content in security and image config * Centralize marketplace types and switch marketplace data source for more reliable listings <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com> |
||
|
|
571533482f |
refactor(growth): remove useTelemetryCookie and sb-telemetry-data cookie (#43840)
The `sb-telemetry-data` cookie and `useTelemetryCookie` hook are fully superseded by the `_sb_first_referrer` edge cookie (GROWTH-625) and the in-memory first-touch store (GROWTH-656). GROWTH-656 already removed the `useTelemetryCookie` call from `PageTelemetry` — this PR cleans up the rest. **Changes** - Delete `useTelemetryCookie.tsx` hook - Remove `clearTelemetryDataCookie` from `telemetry-utils.ts` (and its `TELEMETRY_DATA` dep) - Remove the `clearTelemetryDataCookie` call from `consent.tsx` (the cookie is never written anymore, so clearing it on deny is a no-op) - Remove `TELEMETRY_DATA` key from `LOCAL_STORAGE_KEYS` **Testing** Verified no remaining references to `useTelemetryCookie`, `sb-telemetry-data`, `TELEMETRY_DATA`, or `clearTelemetryDataCookie` in the codebase. GROWTH-646 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Removed local telemetry data collection and cookie storage functionality. * Updated consent handling to remove associated telemetry cookie cleanup operations. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1b1d05ff96 |
chore: upgrade vite to v8 and vitest to v4 (#44833)
Upgrade vite and vitest to their latest major versions across the
monorepo, along with related packages.
**Changed:**
- `vite` catalog: `^7.3.2` → `^8.0.8` (Rolldown replaces esbuild/Rollup)
- `vitest` catalog: `^3.2.0` → `^4.1.4`
- `@vitejs/plugin-react`: `^4.3.4` → `^6.0.1`
- `@vitest/coverage-v8`: `^3.2.0` → `^4.1.4`
- `@vitest/ui`: `^3.2.0` → `^4.1.4`
- `vite-tsconfig-paths`: `^4.3.2` / `^5.1.4` → `^6.1.1`
**Pinned to vite 7:**
- `apps/lite-studio` — `@react-router/dev` hasn't declared vite 8
support yet
- `blocks/vue` — Nuxt plugins (`vite-plugin-inspect`, `vite-dev-rpc`,
`vite-hot-client`, `vite-plugin-vue-tracer`) haven't declared vite 8
support yet
**Test fixes for vitest 4 breaking changes:**
- **`apps/studio/lib/api/snippets.utils.test.ts`** — Replaced
`vi.mock('fs/promises')` automock with an explicit factory. Vitest 4's
automocking doesn't create mock functions for getter-based exports on
Node built-ins, so `mockedFS.access.mockResolvedValue` etc. were
`undefined`.
- **`apps/studio/lib/api/self-hosted/functions/index.test.ts`** —
Changed `mockReturnValue` to `mockImplementation(function() { ... })`
for a constructor mock. Vitest 4 no longer allows `mockReturnValue` when
the mock is called with `new`.
- **`apps/studio/tests/pages/api/mcp/index.test.ts`** — Changed arrow
function to regular `function` in `mockImplementation` for
`StreamableHTTPServerTransport`. Arrow functions can't be constructors,
and vitest 4 now enforces this.
- **`packages/ui-patterns/vitest.setup.ts`** — Changed `ResizeObserver`
mock from arrow function to regular `function` for the same constructor
enforcement reason. This was crashing Radix popover rendering in jsdom.
## To test
- `pnpm test:studio` — all 226 test files should pass
- `pnpm --filter ui-patterns vitest run` — all 183 tests should pass
- `pnpm --filter www test -- --run` — all 19 tests should pass
- `pnpm --filter ui vitest run` — all tests should pass
- `pnpm --filter dev-tools vitest run` — all tests should pass
- `pnpm --filter ai-commands vitest run` — all tests should pass
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Standardized and updated development tooling versions and version
sources for consistent installs across the repo (Vite, Vitest,
vite-tsconfig-paths and related plugins/catalog entries).
* **Tests**
* Improved test mocks and typings (updated mock
factories/implementations and tightened spy/type assertions) to increase
test reliability and compatibility with updated tooling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
|
||
|
|
169a8ff44b |
feat(studio): add direct Upgrade compute CTA to exhaustion banners (#44675)
## Problem
The `ResourceExhaustionWarningBanner` routed disk IO, CPU, and memory/swap exhaustion warnings to `/settings/infrastructure#<metric>` — an infra chart page with no direct fix available. The action button label "Learn more" didn't reflect a clear next step, and there was no way to get AI-assisted query optimization from the banner.
## Changes
**Routing & CTAs**
- Compute warnings (`disk_io`, `cpu`, `ram`) now route to `/settings/compute-and-disk` instead of the infra chart page
- Free plan users are routed to `/org/[slug]/billing?panel=subscriptionPlan&source=resource_exhaustion_banner`
- Primary CTA text changed to "Upgrade compute" for all compute warnings (paid and free plan)
- Read-only mode CTA changed from "Learn more" to "Manage disk"
**Troubleshoot dropdown**
- For compute warnings (which have both a docs URL and an AI prompt), a "Troubleshoot" dropdown replaces the standalone "Learn more" button, offering:
  - Documentation — links to the relevant troubleshooting guide
  - Ask AI Assistant — opens the AI assistant with a pre-filled query to identify expensive queries via `pg_stat_statements`
- For warnings with only a docs URL (read-only mode, disk space, auth), a direct "Learn more" button is shown as before
**Telemetry**
Two new events track user interactions with the banner:
| Event | Fires when | Properties |
|---|---|---|
| `resource_exhaustion_banner_upgrade_clicked` | User clicks the primary CTA | `warningTypes: string[]`, `isFreePlan: boolean`, `destination: string` |
| `resource_exhaustion_banner_ai_assistant_clicked` | User clicks "Ask AI Assistant" | `warningTypes: string[]`, `isFreePlan: boolean` |
Both events include the standard `groups` payload (project + org).
**Suppression fixes**
- Banner is now hidden on `/settings/compute-and-disk` for paid-plan compute warnings (CTA would be a no-op)
- Banner stays visible on `/settings/infrastructure` for compute warnings (CTA now links to a different page)
**Description text**
- Removed stale "Check the usage page for more recent and detailed statistics" from compute warning descriptions — no button in the banner leads there
- Updated `multiple_resource_warnings` descriptions to reflect the upgrade-focused CTAs
**Bug fixes**
- Fixed: auth rate limit critical banner was showing when warning content had no title/description
- Fixed: CTA disabled state now only applies to compute warnings while org data is loading (not all warning types)
## How to test
- Trigger or mock a `disk_io_exhaustion`, `cpu_exhaustion`, or `memory_and_swap_exhaustion` warning
- Paid plan: CTA reads "Upgrade compute" → `/project/<ref>/settings/compute-and-disk`
- Free plan: CTA reads "Upgrade compute" → `/org/<slug>/billing?panel=subscriptionPlan&source=resource_exhaustion_banner`
- Troubleshoot dropdown appears with Documentation and Ask AI Assistant options
- Verify `is_readonly_mode_enabled` shows "Manage disk" CTA and a direct "Learn more" button (no dropdown)
- Verify `disk_space_exhaustion` and auth warnings show a direct "Learn more" button (no dropdown)
- Verify the banner is hidden on `/settings/compute-and-disk` for paid-plan compute warnings
- Verify the banner is still visible on `/settings/infrastructure` for compute warnings
- Verify `resource_exhaustion_banner_upgrade_clicked` and `resource_exhaustion_banner_ai_assistant_clicked` events fire with the correct properties
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|
|
fa951a55a6 |
feat(studio): posthog events for scoped pats (#44850)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? This is a follow-up for both our classic and scoped PATs to add events for tracking created and deleted. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Enhanced telemetry for access token creation and removal. * Creation events now include token type (classic or scoped), expiry setting, scope/resource access and permission counts when applicable. * Removal events now include token type (classic or scoped). * Instrumentation added across token creation and deletion flows to improve analytics and auditing. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
fd427bbe09 |
fix(auth): remove banner from email notification templates (#44887)
Removes the "New" banner from the email notification templates section as the feature has been GA-ed for ~6 months now. <img width="1844" height="758" alt="CleanShot 2026-04-15 at 10 30 33@2x" src="https://github.com/user-attachments/assets/4415f651-7274-4565-8e2d-4a66f8bbd100" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Removed the security notifications acknowledgement feature from the email templates interface, including the dismissible notification tip and associated state management. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
83e5ee8c5c |
feat(studio): add advisor for public bucket rls (#44438)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? This connects the Advisor from the splinter repo. Below are the list of changes: - Register advisor which should appear in both the legacy Advisors and Advisors sidebar. - Adds a "Dismiss" button to the admonition inside the bucket view. - Makes the check for select policy on public buckets tiny bit stricter/truer. This is awaiting the [PR](https://github.com/supabase/splinter/pull/152) in splinter going in! <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a security lint that flags public storage buckets allowing listing, with a direct "View bucket" link. * Users can dismiss public-bucket warnings per project+bucket for 14 days via a Dismiss button. * **Improvements** * Tightened policy detection to better target bucket-scoped select policies and avoid unrelated matches. * **Telemetry** * Added events for policy removal and dismiss-button clicks. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|
|
12989ba7fe |
feat(studio): prototype for telemetry entry point (#44720)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Some small styling brush ups and experimental for internal telemetry tools. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Developer toolbar redesigned with compact event/flag lists, “Copy JSON” per event, and a fixed draggable trigger that snaps and remembers its position. Toolbar is now available in staging and local environments. * **Bug Fixes** * ConfigCat readiness wait ensures flags load correctly. * Feature flag loading made resilient so one provider’s failure won’t block the other. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Sean Oliver <882952+seanoliver@users.noreply.github.com> |
||
|
|
be0d05fb08 |
Bring Branching 2.0 out of feature preview (#44279)
## Context Have Branching 2.0 as the default behaviour + remove it from feature preview Behaviour should match staging / prod if branching 2.0 feature preview is toggled on ## To test - [ ] Test branching flow in general for any oddities <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Removed the Branching 2.0 preview and cleared its persisted preview setting; branching UI and branch editing are now available without opt‑in. * Simplified branch management flows and empty states by removing preview-dependent conditions and tooltips. * Made GitHub branch sync optional in create/edit forms and simplified validation and submit behavior. * "Create merge request" and related branch actions now render consistently across the UI. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
26b3db8302 |
fix: remove API Docs nav item after transition period (#44637)
## Summary - Removes the "API Docs" navigation item from the sidebar and mobile menu - Removes the `UI_PREVIEW_API_SIDE_PANEL` feature preview flag since the feature is fully rolled out - Makes API docs buttons unconditionally visible across Auth Users, Storage, Edge Functions, and SecondLevelNav ## Test plan - [x] `NavigationBar.utils` tests pass (26 tests) - [x] `FileExplorerHeader` tests pass (6 tests) - [x] TypeScript compiles with no errors - [ ] Verify sidebar no longer shows "API Docs" nav item - [ ] Verify API docs buttons still appear in Auth Users, Storage, and Edge Functions pages - [ ] Verify feature preview modal no longer lists "Project API documentation" Resolves FE-2759 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * APIDocs button can optionally display a label and use a custom tooltip. * **Chores** * Removed the API docs side-panel feature flag and its localStorage key. * “API Docs” navigation entry removed; sidebar no longer special-cases that route. * Back links and API Docs buttons now render consistently across the app (no flag gating). * **Tests** * Tests updated to stop depending on the removed feature-flag behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
6be596ea34 |
feat: add user preference to enable queue operations (#44366)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? - Remove queue operations from feature preview into settings - Refactor dashboard settings - Resolves DEPR-434 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Dashboard settings panel in Account preferences with toggles for Inline Editor and Queue Operations; “Dashboard” added to project Configuration. * **Removed** * Old Inline Editor settings UI and the Queue Operations feature-preview UI removed. * **Refactor** * Consolidated dashboard preferences into a single settings surface; banners and actions now navigate to preferences; account/preferences layouts and back-navigation behavior adjusted for platform vs self-hosted. * **Tests** * Added tests for settings UI, menu generation, redirects, and local-storage. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com> Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com> |
||
|
|
b9e83b25e1 |
feat(studio): adding upgrade button to header experiment (#44494)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? - Add an always-visible "Upgrade to Pro" button in the dashboard header for free-plan users (GROWTH-615) - Button is gated behind a PostHog experiment (`headerUpgradeCta`) with `control` and `test` variants - Experiment exposure is tracked for both variants; click events are tracked when the button is clicked - Button reuses existing `UpgradePlanButton` component for routing, permissions, and billing logic ## What is the current behavior? <img width="3840" height="2160" alt="Arc 2026-04-02 16 36 22" src="https://github.com/user-attachments/assets/8a94db0c-06c8-4237-8ba5-6ac1fe111a56" /> ## What is the new behavior? <img width="3840" height="2160" alt="Arc 2026-04-02 16 36 12" src="https://github.com/user-attachments/assets/0e60d834-028b-49fd-845e-ce1b4cbcc960" /> ## Additional context Add any other context or screenshots. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added an upgrade call-to-action in the header and mobile navigation (visible on medium+ screens in platform builds) shown to free-plan users as part of a controlled experiment. * The CTA records experiment exposures and sends analytics for impressions and clicks, including the user's current plan, to measure engagement and upgrade interest. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
73692b0a4d |
feat(studio): add stuck pausing and restoring escalations (#43368)
## What kind of change does this PR introduce? Bug fix / UX improvement for long-running project transitions. Resolves DEPR-362. ## What is the current behaviour? - `PausingState` does not preserve elapsed time across refreshes, so the stuck escalation can disappear for the same user. - `RestoringState` relies on weaker frontend heuristics and always showed a support CTA in the footer even before the restore was clearly long-running. ## What is the new behaviour? - `PausingState` - Persists a per-project pause start time in local storage so the stuck CTA survives refreshes in the same browser. - Escalates after 10 minutes. - Clears the stored timer when pausing succeeds or fails. - `RestoringState` - Persists a per-project restore start time in local storage so the stuck CTA survives refreshes in the same browser. - Removes the always-visible footer CTA and only escalates once restoration is genuinely long-running. - Computes the long-running threshold from volume size using a shared restore estimate: `max(10, ceil(estimateRestoreTime(sizeGb) * 1.5))`. - Clears the stored timer when restoration succeeds or fails. - Shared changes - Extracts reusable transition timing helpers and restore estimate helpers with unit tests. - Reuses the same restore estimate formula for branch restore timing and restore escalation, so the two do not drift. | `PausingState` | `RestoringState` | | --- | --- | | <img width="1570" height="906" alt="Krosno Toolshed Supabase-C6D7E29F-C38D-43E1-8AF9-C612B6A2FD8D" src="https://github.com/user-attachments/assets/e0bd9434-09b6-4cf6-bffa-07a0ddcdf5db" /> | <img width="1570" height="906" alt="Krosno Toolshed Supabase-51F4763D-B798-4B41-A92D-43B3CF8ECDAF" src="https://github.com/user-attachments/assets/d0e47356-dcc3-42aa-b602-802a35249a16" /> | ## Additional context - This PR intentionally stays frontend-only. - We are not exposing backend lifecycle timestamps here; local storage is the stopgap to improve the same-browser experience now. 
- If you need to test the frontend blocker states locally, use [`dnywh/chore/depr-362-blocker-preview-mocks`](https://github.com/supabase/supabase/tree/dnywh/chore/depr-362-blocker-preview-mocks) and append one of the following query params to a project URL: - `?mockProjectBlockingState=pausing` - `?mockProjectBlockingState=pausing-long-running` - `?mockProjectBlockingState=restoring` - `?mockProjectBlockingState=restoring-long-running` - I know these two views are quite different stylistically, and will consolidate later - References DEPR-434 |
||
|
|
273102323d |
feat(growth): filter OAuth/SSO redirect referrers from attribution (#44405)
## Problem GitHub OAuth redirects and Google SSO set the browser's Referer header to their domain when redirecting back to supabase.com. Our attribution pipeline treats these as genuine referral traffic, inflating the `github` channel by ~20K orgs/week. The internal referrer fix (GROWTH-647) surfaced this by reducing `unknown-internal` — it didn't cause the issue, it revealed OAuth noise that was previously hidden. ## What happened When users sign in with GitHub, the browser sends `Referer: https://github.com/`. GitHub's login pages use `origin-when-cross-origin` Referrer-Policy, which strips the path. So OAuth redirects arrive as bare `github.com/` — indistinguishable from a direct visit to github.com. Meanwhile, genuine GitHub referrals from repos/READMEs always include the full path because those pages use `no-referrer-when-downgrade`. We validated against `mart_marketing_organization_attribution`: 98.5% of GitHub-attributed orgs have bare `github.com/` as the referrer. Only ~250/week have specific paths (genuine referrals). ## Changes - Added `isOAuthRedirectReferrer()` to `first-referrer-cookie.ts` — identifies auth provider redirects: - `accounts.google.com` blocked entirely (dedicated SSO subdomain) - Bare `github.com/` blocked (OAuth redirect signature) - `github.com/<specific-path>` preserved (genuine repo/README referrals) - Wired into `shouldRefreshCookie()` so OAuth referrers never get stamped into cookies - Wired into `handlePageTelemetry()` referrer overrides as defense-in-depth - 17 new tests covering all OAuth patterns and edge cases ## Testing All 52 tests pass. New tests cover Google SSO (bare + with path), GitHub bare domain (with/without trailing slash), genuine GitHub referrals (repo, README, discussion, blob), explicit OAuth path, non-OAuth domains, empty/malformed URLs. Verified TDD — tests failed red before implementation, green after. Companion dbt PR in data-engineering handles historical data. GROWTH-732 |
||
|
|
f590319f0a |
feat(pricing): implement A/B experiment for pricing page flexibility/visibility (#44293)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES/NO ## What kind of change does this PR introduce? Includes 5 new variants to test pricing to solve cost flexibility and visibility concerns ## What is the current behavior? Current pricing page ## What is the new behavior? Variants: <img width="3840" height="2160" alt="CleanShot 2026-03-30 at 19 32 02@2x" src="https://github.com/user-attachments/assets/a4f3b048-fa0d-4137-9f24-2eb6d431f3c8" /> <img width="3840" height="2160" alt="CleanShot 2026-03-30 at 19 33 34@2x" src="https://github.com/user-attachments/assets/a9045a33-b8c3-4df1-a47d-00cf58495bb3" /> <img width="3840" height="2160" alt="CleanShot 2026-03-30 at 19 32 22@2x" src="https://github.com/user-attachments/assets/10511fc8-5e88-4e3c-baa1-56798009d86f" /> <img width="3840" height="2160" alt="CleanShot 2026-03-30 at 19 33 09@2x" src="https://github.com/user-attachments/assets/aa01aaf6-0e41-4466-bfc7-77ae912b6043" /> <img width="3840" height="2160" alt="CleanShot 2026-03-30 at 19 32 43@2x" src="https://github.com/user-attachments/assets/21834f7d-43cb-4981-9c29-934f44986714" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes **New Features** - Launched A/B testing variants on the pricing page featuring customized pricing plan layouts, descriptions, and billing options based on your assigned experiment group. - Certain plan tiers now display optional flexibility information, hourly billing rates, and project scaling details to help optimize your cost estimation and plan selection. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
908da85225 |
feat(studio): nano exhaustion indicators (#44395)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? This PR introduces some visual indicators when a Nano project is exhausting resources on Pro plus plans. The indicator tells the user a free upgrade to Micro is available via a flashing Nano badge that guides them to Upgrade and a global banner that notifies them resources are near exhaustion, please upgrade for free. | Project List | Project View | |--------|--------| | <img width="412" height="223" alt="Screenshot 2026-03-31 at 16 11 19" src="https://github.com/user-attachments/assets/0d0e7727-e4eb-4ade-9024-528a2501596c" /> | <img width="1256" height="618" alt="Screenshot 2026-03-31 at 16 11 10" src="https://github.com/user-attachments/assets/b664e020-2b18-4842-8e64-4e49fac69eef" /> | <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Free Micro Upgrade banner appears for nano-tier projects near compute exhaustion with animated visuals and an “Upgrade for free” CTA. * Compute badge highlights near-exhaustion with glow/shimmer and an animated upgrade indicator; optional icon support added. * Per-project banner dismissal is saved locally; dismissed banners remain hidden. * **Tests** * Added tests covering banner display and dismissal scenarios. * **Chores** * Added local-storage keys and telemetry events for banner and upgrade interactions. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
8364ffb5e0 |
chore(studio): remove privacy policy update notification banner (#44380)
## Summary Remove the privacy policy update notification banner that was added for the March 2026 policy update. The effective date has passed and users have had sufficient notice. ## Changes - Remove `PrivacyUpdateBanner` component from `AnalyticsSettings.tsx` and its unused imports - Remove banner usage from the organizations list page and org projects page - Remove `PRIVACY_NOTICE_ACKNOWLEDGED` localStorage key ## Testing No setup needed - this is a removal of UI elements. Tested on Vercel preview: - [x] Organizations page loads without the banner - [x] Org projects page loads without the banner - [ ] No console errors on either page - [x] Analytics settings page still renders correctly ## Linear - fixes GROWTH-692 |
||
|
|
c8e98cec0e |
feat(growth): in-memory first-touch attribution store (#43570)
## Changes Introduces two new files in `packages/common`: - **`telemetry-first-touch-store.ts`** — a module-scoped singleton that holds first-touch attribution data (referrer, UTM params, page URL) in memory. Writes once on first load, cleared after the initial pageview event fires or on opt-out. No device storage involved. - **`useFirstTouchStore.tsx`** — a React hook that captures attribution data on initial page load and writes it into the store, gated on the `enabled` flag so it only runs where consent has been handled. Trade-off: data is lost on a hard reload before consent is granted — accepted edge case per GROWTH-656. Follows the same module-scope pattern already used by `posthogClient` and `consentState`. ## Testing - Verify first-touch data is captured on initial load and readable by `PageTelemetry` after consent - Verify no cookie is set before consent - Verify data is cleared after initial pageview fires GROWTH-656 |
||
|
|
edacf2413d |
chore(studio): ship connect section, remove getting started and experiment plumbing (#44329)
## Summary The `connectSection` A/B experiment concluded as a true null (no effect on activation or any downstream metric after 13 days at 50/50, ~153K mature orgs). Saxon decided to ship the Connect section as the permanent experience. This PR removes the Getting Started control variant, the old Connect modal, all experiment flag gating, and related telemetry types. ## Changes - Delete `GettingStarted/` directory (5 files: section component, types, utils, progress hook) - Delete old `Connect.tsx` dialog modal (replaced by ConnectSheet) - Remove `connectSection` PostHog flag reads from `Home.tsx` and `LayoutHeader.tsx` - Remove `getSectionVisibility()` experiment logic and `ConnectSectionVariant` type - Remove `getting-started` from `DEFAULT_SECTION_ORDER` - Always render `<ConnectSheet />` in header (no more conditional with old `<Connect />` modal) - Remove `variant` prop from `ConnectSection` component - Remove 4 getting-started telemetry event interfaces from `telemetry-constants.ts` - Update `mergeSectionOrder` tests to reflect new section order ## Testing Tested on Vercel preview: - [x] Project homepage shows Connect section for new projects (< 10 days old) - [x] Connect section hidden for mature projects (> 10 days old) - [x] Header Connect button opens ConnectSheet (not old modal) - [x] Connect tiles open ConnectSheet with correct tab - [x] Section drag-and-drop still works without getting-started in the order - [x] Existing users with `getting-started` in localStorage order don't break (mergeSectionOrder strips it) ## Linear - fixes GROWTH-730 --------- Co-authored-by: Alaister Young <alaister@users.noreply.github.com> |
||
|
|
12a43e5aba |
chore(studio): storage file explorer breadcrumbs (#43844)
## What kind of change does this PR introduce? UI update that resolves DEPR-114. Also resolves DEPR-113. ## What is the current behavior? - The breadcrumbs on the file explorer have some rough edges in column view - Fancy hide/show behavior - Hidden tap targets - `FileExplorerHeader` actions can overflow on the x-axis - The Navigate button is only shown on hover - The inline Navigate flow does not work well on smaller screens ## What is the new behavior? - Column view now shows the same in-explorer breadcrumb trail as list view - The active breadcrumb is visually emphasized, while inactive breadcrumbs remain clickable - The back affordance now uses a clearer arrow treatment with a stronger separator from the breadcrumb trail - The Navigate button is permanently visible and moved to the right-side action group before Reload - Navigate now opens a dialog on both desktop and mobile - Added typed telemetry so we can measure `Navigate` usage before deciding whether to keep or remove it - Fixed header overflow by letting the full header contents scroll horizontally together instead of visibly spilling out | Before | After | | --- | --- | | <img width="947" height="997" alt="Buckets Storage AWS Healthy Toolshed Supabase" src="https://github.com/user-attachments/assets/fa53fdd4-954c-4832-bf9b-210b63ae020b" /> | <img width="947" height="997" alt="Buckets Storage AWS Healthy Toolshed Supabase" src="https://github.com/user-attachments/assets/3689a0e5-97d1-4b36-a2dd-7adce23add5d" /> | | <img width="864" height="997" alt="Buckets Storage AWS Healthy Toolshed Supabase" src="https://github.com/user-attachments/assets/ad559118-205f-40e2-b3c5-97cef462d5f5" /> | <img width="864" height="997" alt="Buckets Storage AWS Healthy Toolshed Supabase" src="https://github.com/user-attachments/assets/9c569b29-7c58-4a33-b809-34d6ed919008" /> | ## Additional context Also added a link to the `Buckets` portion of the `PageHeader` breadcrumb: ```text Files > Buckets > MyBucketName ``` It goes to 
the same place as Files because the root Files page lists buckets, but having both links there feels more ergonomic in practice. --------- Co-authored-by: Ali Waseem <waseema393@gmail.com> |
||
|
|
81b1c50aff |
fix: detect prior consent via uc_user_interaction for fast cross-app navigation (#44284)
## Problem Follow-up to #44252. The previous fix handled the case where the user waits on the page after accepting (GTM writes `ucData`), but there's a second scenario: if the user accepts and navigates to another app quickly (before GTM finishes), `ucData` hasn't been written yet. The SDK on the new app overwrites `uc_user_interaction: "true"` with `"false"` and shows the banner again. ## What changed `hasPreviousConsentInUcData` is now `detectPriorConsent` and checks two signals before `UC.init()` overwrites them: 1. **Slow navigation** (existing): `ucData` contains all services with `consent: true` 2. **Fast navigation** (new): `uc_user_interaction` is `"true"` — the SDK on the previous app wrote this but GTM hasn't had time to replace it yet Also adds unit tests covering both scenarios, edge cases (empty services, malformed JSON, mixed signals), and the combined behavior. ## Testing - 13 unit tests for `detectPriorConsent()` covering all localStorage state combinations - Can't fully reproduce on staging previews (CSP blocks GTM), verified root cause via production console monitoring Closes FE-2648 |
||
|
|
f8815aff9b |
refactor(pricing): remove A/B experiment logic and consolidate pricing components (#44205)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Removes the control variant and replaces it with the test variant as winner. ## What is the current behavior? - ## What is the new behavior? - ## Additional context Add any other context or screenshots. |