[pull] master from supabase:master#892
Merged
Merged
Conversation
## Problem After the Tailwind v4 upgrade, the 3xx/4xx HTTP status badge in the Logs explorer rendered with a saturated yellow background and washed-out text, because `bg-amber-300`/`text-amber-1100` no longer resolve as they did under v3. ## Fix Switch the 3xx/4xx case in `ResponseCodeFormatter` to the existing `bg-warning/10 text-warning` semantic tokens, matching the pattern used by the shared `Badge` warning variant. ## Before <img width="798" height="722" alt="CleanShot 2026-05-05 at 12 13 23@2x" src="https://github.com/user-attachments/assets/a2d37f37-4260-4ec6-bf1c-ff96b6f51be0" /> ## After <img width="642" height="530" alt="CleanShot 2026-05-05 at 12 12 55@2x" src="https://github.com/user-attachments/assets/7c82aee2-0d40-4213-8533-14ffb04fb5de" /> ## How to test - Run `pnpm dev:studio` - Open any project's Logs explorer (API, Edge Functions, Auth, etc.) - Find a row with a 3xx or 4xx status code - Expected: faint yellow background with a darker amber/yellow text, consistent with other warning badges in the app - Confirm 2xx (brand) and 5xx (red) badges still render as before <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Style** * Updated the visual styling of response codes in the logs display for improved consistency. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
- closes #45266 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Bug Fixes** * Updated the formatting of MCP URLs in generated Codex setup commands to include proper quotation marks for correct CLI execution. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What kind of change does this PR introduce? UI polish. Updates sidebar and submenu navigation hover and active styling. ## What is the current behavior? Product submenu navigation items either lack a hover fill or use a hover fill that visually matches the active state. Adjacent hovered and selected rows can appear to touch. ## What is the new behavior? Primary sidebar buttons, sidebar sub-buttons, and product submenu pills now share a muted hover fill while preserving the full accent fill for active/selected states. Product submenu rows also get a small visual gap with slightly reduced vertical padding to keep the overall spacing compact. | After | | --- | | <img width="988" height="408" alt="CleanShot 2026-05-05 at 11 53 05@2x" src="https://github.com/user-attachments/assets/560ac8a5-1262-41af-a196-618c86580150" /> | <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Style** * Refined sidebar hover/active states with subtle accent alpha colors for a more polished visual experience. * Updated sidebar menu spacing and rounded corners for improved touch and visual clarity. * **UI Improvements** * Sidebar now only displays when sections exist and uses a streamlined submenu flow for more consistent, predictable navigation. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Onboarding Task - adding myself to the list! <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated team information. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR fixes a bug where a user might choose `classic-dark` as a theme in `studio` but then `docs` and `marketing` apps will look weird. To test: - Change the localStorage value of `theme` to `classic-dark` - Open `www` and `docs` apps, they should look ok <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a new "classic-dark" theme option for enhanced visual customization. * **Improvements** * Unified and simplified theme handling across apps for more consistent behavior. * Improved system-theme detection and smoother transitions when switching themes. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? New blog post ## What is the current behavior? N/A ## What is the new behavior? Adds a new blog post explaining when to use Supabase Realtime vs Supabase ETL, covering delivery guarantees, destinations, scale characteristics, and common mistakes. ## Additional context N/A <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added a comprehensive blog post comparing Supabase Realtime and ETL, covering technical differences, delivery guarantees, use cases, and best practices to help users select the appropriate tool for their data integration needs. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Ana <ana1337x@users.noreply.github.com>
…on (#44199) ## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? update docs on Realtime Postgres Changes + Authorization interaction ## What is the current behavior? It can be misleading to say `The `private` Channel option does not apply to Postgres Changes.` As Postgres Changes can happen under a private channel. ## What is the new behavior? Fix docs <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated the authorization guide to clarify how Postgres Changes interact with Channel authorization, including RLS policy enforcement and channel type compatibility. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
…s screens/components (#45590) ## Screenshots ### Auth: Create or edit custom Auth provider See the callback URL input at the bottom. Before: <img width="1179" height="1309" alt="image" src="https://github.com/user-attachments/assets/b15d38fd-6e32-489e-8ef6-bff519d38123" /> After: <img width="1176" height="1318" alt="image" src="https://github.com/user-attachments/assets/dedc72cc-7756-4995-af9a-5f7a4554f76f" /> ### Custom Auth provider list search input Before: <img width="1135" height="236" alt="image" src="https://github.com/user-attachments/assets/ced8538a-91ca-428b-8d90-544962c1eb5b" /> After: <img width="1147" height="227" alt="image" src="https://github.com/user-attachments/assets/695a5c87-f371-4d90-91a8-761266526345" /> ### Auth hooks Before: <img width="1150" height="301" alt="image" src="https://github.com/user-attachments/assets/20341d7b-6a2f-491a-b23f-74d92398192f" /> After: <img width="1143" height="305" alt="image" src="https://github.com/user-attachments/assets/95d73950-eb55-459d-9cb9-3077bcd10985" /> ### OAuth App list search input Before: <img width="1147" height="371" alt="image" src="https://github.com/user-attachments/assets/be935f9d-1b32-4488-bf37-6153f7d39262" /> After: <img width="1146" height="365" alt="image" src="https://github.com/user-attachments/assets/628b77c8-074b-455a-94ea-b8e20b4da2db" /> ### New policy sheet template search input Before: <img width="536" height="268" alt="image" src="https://github.com/user-attachments/assets/d5ea6ee9-02fa-48fc-a727-cb56e5f57f8f" /> After: <img width="534" height="260" alt="image" src="https://github.com/user-attachments/assets/34ac4c40-5613-47f1-b724-0780499afa26" /> ### Storage new policy dialog Before: <img width="1180" height="660" alt="image" src="https://github.com/user-attachments/assets/afb4b1d3-f42b-4379-9197-c47a97340eaa" /> After: <img width="1175" height="646" alt="image" src="https://github.com/user-attachments/assets/427e2f0f-553b-4ea8-a8ae-f1835c1c791b" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Updated search input design across authentication interfaces for improved consistency. * Standardized input control layout in auth configuration forms. * **Bug Fixes** * Corrected webhook configuration field behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
…eens/components (#45591) ## Screenshots ### New cron job edge function timeout Before: <img width="1157" height="259" alt="image" src="https://github.com/user-attachments/assets/b5e056e7-6216-45a6-9cc6-15e56621c62a" /> After: <img width="1162" height="258" alt="image" src="https://github.com/user-attachments/assets/bfb12a20-8a11-47f1-b7e6-c1ebc2fc187e" /> ### New cron job http request timeout Before: <img width="1161" height="237" alt="image" src="https://github.com/user-attachments/assets/ad1dc7ef-e9ec-4219-8f84-f20025aa1c68" /> After: <img width="1160" height="231" alt="image" src="https://github.com/user-attachments/assets/eb4d0df2-db20-4e04-a78d-fa36656a2987" /> ### New queue, partition configuration Before: <img width="786" height="677" alt="image" src="https://github.com/user-attachments/assets/34b3f1fc-b1e8-434f-bfc7-8a5686bd1c29" /> After: <img width="778" height="668" alt="image" src="https://github.com/user-attachments/assets/f7423240-b810-47d6-af1d-9d5647c78843" /> ### Queue: send message dialog Before: <img width="522" height="411" alt="image" src="https://github.com/user-attachments/assets/f9cf5993-c7e4-4bd0-9718-0c9e85e41378" /> After: <img width="532" height="414" alt="image" src="https://github.com/user-attachments/assets/d965bfcc-c074-44a1-8a8f-ecdd4e766221" /> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Style** * Enhanced input field presentation for timeout, delay, and interval configurations with inline unit labels (milliseconds, seconds, messages) for improved clarity and consistency across integration settings. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary Adds a contextual `D + <letter>` chord pattern for jumping between Database sub-pages, mounted only while `DatabaseLayout` is active. Establishes the pattern we can repeat for other sections (Auth, Storage, Functions, etc.). Linear: [FE-3140](https://linear.app/supabase/issue/FE-3140/define-subnavigation-pattern-for-database-management-page) ## Pattern - Chords are 2-key sequences (`D`, `<letter>`) — no global leader, no `G` prefix. - Registration is contextual: `<DatabaseNavShortcuts />` lives inside `DatabaseLayout`, so the leading `D` is only "owned" while the user is under `/project/<ref>/database/*`. Doesn't burn a global key. - Hover tooltips on each sub-menu item show the chord, anchored to the label text (Linear-style). Powered by `<ShortcutTooltip>` already used in the main nav. - Items hidden by feature flags (Roles, Column Privileges, Replication) auto-disable the chord — no muscle-memory navigating to a 404. ## Shortcuts added | Sub-page | Chord | Notes | |---|---|---| | Tables | `D T` | | | Functions | `D F` | | | Triggers | `D R` | t**R**iggers — `T` taken by Tables | | Indexes | `D I` | | | Extensions | `D X` | e**X**tensions | | Schema Visualizer | `D V` | | | Enumerated Types | `D E` | | | Publications | `D U` | p**U**blications — avoids collision with Schema Visualizer's `D P` (Download as PNG) | | Column Privileges | `D C` | flag-gated | | Settings | `D ,` | mirrors global `G ,` for project settings — avoids collision with Schema Visualizer's `D S` (Download as SVG) | | Replication | `D L` | rep**L**ication — flag-gated | | Roles | `D O` | r**O**les — flag-gated | | Backups | `D B` | platform-only | | Migrations | `D M` | | External-link sub-menu items (Policies, Wrappers, Webhooks, Security Advisor, Performance Advisor, Query Performance) are intentionally not chorded — they route out of `/database/*` and don't belong to the section's namespace. ## Collision audit Other shortcuts active on database pages (table-list, schema-visualizer) were checked against the new chords: - **Schema Visualizer** (`/database/schemas`): `D P` (Download PNG), `D S` (Download SVG), `O A`, `O S`. Publications and Settings were remapped to `D U` and `D ,` to avoid the `D P` / `D S` clashes. - **List pages** (`/database/tables`, etc.): `Shift+F`, `Shift+N`, `O S`, `F C` — no overlap with `D + <letter>`. ## Files - `state/shortcuts/registry/database-nav.ts` — new registry module with the 14 chord definitions. - `state/shortcuts/registry.ts` — spreads the new IDs/definitions into the canonical registry. - `components/interfaces/DatabaseNavShortcuts.tsx` — null-rendering hook component that wires `useShortcut` for each chord, keyed off `useGenerateDatabaseMenu` so URLs and feature gating stay in sync with the sidebar. - `components/layouts/DatabaseLayout/DatabaseLayout.tsx` — mounts the component. - `components/layouts/DatabaseLayout/DatabaseMenu.utils.tsx` — tags each menu item with its `shortcutId`. - `components/ui/ProductMenu/ProductMenu.types.ts` — adds optional `shortcutId?: ShortcutId` field. - `components/ui/ProductMenu/ProductMenuItem.tsx` — renders the hover tooltip when an item has a `shortcutId`, anchored to the label span. ## Test plan - [ ] On `/project/<ref>/database/tables`, press `D F` — navigates to `/database/functions`. - [ ] On `/project/<ref>/database/schemas`, press `D P` — downloads the PNG (Schema Visualizer wins, no nav conflict). - [ ] On `/project/<ref>/database/schemas`, press `D U` — navigates to `/database/publications`. - [ ] On `/project/<ref>/database/tables`, press `D ,` — navigates to `/database/settings`. - [ ] Hover any sub-menu item with a chord — pill appears next to the label after ~1s. - [ ] On a project with the Replication flag off — `D L` does nothing. - [ ] Navigate to `/auth` — pressing `D F` does nothing (chord unmounts with the layout). - [ ] Type `D` then `F` slowly inside an input — does not navigate (input-focus guard).
## Summary
- Adds `breadcrumbListSchema(items)` helper to `apps/www/lib/json-ld.ts`
and a hand-curated `apps/www/lib/breadcrumbs.ts` route map.
- Wires inline `<script type="application/ld+json">` BreadcrumbList
blocks into 18 marketing surfaces: blog (index + slug), customers (index
+ slug), events (index + slug), 5 product pages (database, auth,
storage, edge-functions, realtime), 3 modules (vector, cron, queues),
pricing, careers, company, features.
- Pages router callers wrap the script in `<Head>`; app router callers
place it directly in JSX. Dynamic surfaces append a leaf at render time
using the page's title (`frontmatter.title` for blog, `meta_title ??
title` for customers, `event.meta_title ?? event.title` for events).
- Modules sit at `Home > {Name}` since no `/modules` index page exists;
products sit at `Home > {Product}` (no shared products parent). Absolute
`https://supabase.com` URLs match the existing `CANONICAL_ORIGIN`
convention so anchors stay stable across Vercel previews.
Linear:
[GROWTH-822](https://linear.app/supabase/issue/GROWTH-822/add-breadcrumblist-json-ld-to-www-marketing-surfaces)
(sub-issue under
[GROWTH-724](https://linear.app/supabase/issue/GROWTH-724)).
> **Note on branch name:** the branch is
`pamela/growth-820-www-breadcrumb-jsonld`; the actual Linear issue is
GROWTH-822. The branch was named before the sub-issue was created.
Ignore the `820` in the branch.
Explicitly deferred (separate PRs / low SEO ROI): `/launch-week/*`,
`/solutions/*`, `/partners/*`, `/alternatives/*`, `/changelog`,
`/legal/dpa`, `/aws-reinvent-2025`, `/wrapped`, `/contribute/*`,
`/brand-assets`, `/ga`, `/ga-week`, `/state-of-startups*`, and the
homepage (Organization + WebSite already cover homepage entity signals;
single-item BreadcrumbList is ignored by Google).
## Test plan
- [x] On the Vercel preview, `curl -s https://<preview>/database | grep
'"BreadcrumbList"'` returns the script block with `Home > Database`.
- [x] `curl -s https://<preview>/blog/<recent-slug> | grep
'"BreadcrumbList"'` returns `Home > Blog > {post title}`.
- [x] `curl -s https://<preview>/customers/<slug> | grep
'"BreadcrumbList"'` returns `Home > Customer Stories > {customer
title}`.
- [x] `curl -s https://<preview>/events/<slug> | grep
'"BreadcrumbList"'` returns `Home > Events > {event title}`.
- [x] `curl -s https://<preview>/modules/vector | grep
'"BreadcrumbList"'` returns `Home > Vector`.
…rfaces (#45560) ## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Refactor / security improvement ## What is the current behavior? SQL fragments across Studio are built from plain `string` values with no type-level distinction between developer-authored SQL, DB-sourced identifiers, and user-typed or externally-influenced content. ## What is the new behavior? Extends the safe SQL model to additional Studio interfaces, using `SafeSqlFragment`, `safeSql`, `ident()`, `literal()`, `untrustedSql()`, and `acceptUntrustedSql()` from `@supabase/pg-meta/src/pg-format`: - **Policy editor**: template constants typed as `SafeSqlFragment` via `safeSql` tagged literals; Monaco editor `onInputChange` emits `untrustedSql()`; `acceptUntrustedSql()` called only at the Save gesture; roles selector emits a composed `SafeSqlFragment` via `ident()` + `joinSqlFragments()` - **Auth hooks**: grant/revoke SQL statements use `ident()` for schema and function names - **Docs description editor**: `COMMENT ON` queries use `ident()` and `literal()` for table/column/function names and values - **Cron jobs**: `cron.schedule()` call and HTTP request builder use `literal()` for all user-provided values - **GraphQL linter CTA**: `REVOKE` statement uses `ident()` for schema, table, and role - **Storage public bucket warning**: `DROP POLICY` uses `ident()` for policy name - **View security autofix modal**: `ALTER VIEW` uses `ident()` for schema and view name - **API settings**: `CREATE SCHEMA` mutation uses `safeSql` tagged literal - **Database event trigger delete**: `DROP EVENT TRIGGER` uses `ident()` for trigger name - **Database queues query**: queue list query uses `safeSql` tagged literal - **Role impersonation**: function invocation SQL uses `ident()` and `literal()` ## Manual testing checklist - Authentication > Policies - Authentication > Hooks - Integrations > Queues - Database > Event Triggers - Integrations > Cron Jobs - Table Editor > View entity security autofix - API Settings > expose schema - Linter > GraphQL exposure CTA - Docs > table/column description editor - Role impersonation (user impersonation panel) ## Additional context <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Replaced ad-hoc SQL string building with a safer, fragment-based SQL construction across auth, policies, integrations, storage, and DB operations to improve SQL safety while preserving behavior. * **Bug Fixes / UX** * Policy editor and code editor now propagate role and input changes more reliably, improving editor responsiveness and policy handling without UI changes. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
) ## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Feature ## What is the current behavior? `/go` page form submissions can be routed to HubSpot and Customer.io, but there's no way to send the same data to a Notion database. Partnerships needs Notion as a third destination. Relates to [DEBR-265](https://linear.app/supabase/issue/DEBR-265/notion-database-for-go-pages). ## What is the new behavior? Adds a `notion` provider alongside `hubspot` and `customerio` in the form CRM config. Each page can now declare: ```ts notion: { database_id: '21b5004b775f8058872fe8fa81e2c7ac', columnMap: { email_address: 'email', first_name: 'first_name' }, staticProperties: { source: 'Website Go Page' }, } ``` A new `NotionClient` fetches the target database schema once per submission to auto-detect each column's property type (`title`, `rich_text`, `email`, `number`, `select`, etc.) so the config stays a plain string→string map. Unknown columns are silently skipped. The submit action reads `NOTION_API_KEY` from env and dispatches in parallel with the existing providers. ## Additional context - New env var required on Vercel: `NOTION_API_KEY` (a Notion internal integration token with write access to the target database). - Simplified `CRMConfig` from a discriminated-union-of-all-combinations to a plain object with optional providers; the "at least one provider" invariant still lives in the Zod schema refinement. This avoided a 2^3 - 1 = 7 member union and a generic `CRMClient<T>` whose call site was already casting to `any`. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added Notion as a CRM provider for form submissions with schema-backed mapping, validation, and automatic creation of Notion database pages. * Exposed a typed Notion form config for configuration and validation; example lead-gen form includes a Notion mapping. * **Bug Fixes / Improvements** * Simplified CRM option handling and made submission behavior clearer. * HubSpot submissions now URI-encode identifiers to avoid endpoint errors. * Improved Notion request handling, caching, and error reporting; Notion sends in parallel when configured. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary Adds PostHog click/open tracking for every interactive element in the Studio top bar. Previously only 5 of ~16 surfaces were tracked. ### New events (16) | Event | Surface | |---|---| | `home_logo_clicked` | Supabase logo | | `header_back_to_dashboard_clicked` | Mobile back chevron | | `header_exceeding_usage_badge_clicked` | "Exceeding usage limits" badge | | `organization_dropdown_opened` | Org dropdown trigger | | `project_dropdown_opened` | Project dropdown trigger | | `branch_dropdown_opened` | Branch dropdown trigger | | `merge_request_button_clicked` | MR trigger (separate from existing success event) | | `connect_button_clicked` | Connect CTA | | `feedback_dropdown_opened` | Feedback dropdown trigger | | `advisor_button_clicked` | Advisor toggle | | `inline_editor_button_clicked` | SQL editor toggle | | `assistant_button_clicked` | AI Assistant toggle | | `user_dropdown_opened` | Account dropdown | | `local_dropdown_opened` | Local-dev settings dropdown | | `local_version_popover_opened` | CLI version popover | ### Notes - Uses `useTrack` (per `telemetry-standards`), all event names use approved `_clicked` / `_opened` verbs. - Dropdown `onOpenChange` handlers guard against Radix's double-fire by only tracking when `open === true`. - `merge_request_button_clicked` fires on the trigger click; the existing `branch_create_merge_request_button_clicked` continues to fire on successful MR creation. - Pre-existing tracked surfaces (`command_menu_opened`, `help_button_clicked`, `header_upgrade_cta_clicked`, `send_feedback_button_clicked`) are unchanged. ## Test plan - [x] Spot-check each event fires once per interaction in PostHog Live Events - [x] Verify no double-fire on dropdown close <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Added telemetry tracking for many header/navigation interactions (logo, back-to-dashboard, usage badge, connect/merge/advisor/assistant/inline-editor buttons, and multiple dropdowns/popovers). * **Tests** * Updated tests to stub telemetry calls so UI tests remain stable and deterministic. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
github-actions
Bot
added
the
documentation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
14 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )