[pull] master from supabase:master#964

Merged: pull[bot] merged 16 commits into code:master from supabase:master on May 29, 2026

@pull pull Bot commented May 29, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

aantti and others added 16 commits May 29, 2026 12:32
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

- Minor issues here, the validation for creating names is there but
users can create crons with empty names through SQL
- When they edit the name in the Cron editor, since we use names as the
where clause it treats it as a new create
- So a duplicate cron is created
- Since creating requires a name, the validation is moved to the
component rather than zod and disabled when editing mode is on!


## Summary by CodeRabbit

* **New Features**
  * Cron jobs can now be created without requiring a name field.
  * Improved handling to properly distinguish between creating new cron
    jobs and editing existing ones.

* **Bug Fixes**
  * Fixed issue where editing unnamed cron jobs would create duplicate
    entries instead of updating the existing job in place.

## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Update passkeys docs to note the min required `supabase-js` version

## What is the current behavior?

No mention of what `supabase-js` version is required

## What is the new behavior?

Add note with the min `supabase-js` version.

## Additional context
<img width="949" height="537" alt="Screenshot 2026-05-28 at 23 29 04"
src="https://github.com/user-attachments/assets/96427b23-146b-4373-a1a6-db2a1f7d2da4"
/>




## Summary by CodeRabbit

* **Documentation**
  * Updated passkey authentication guide with version requirement
    information clarifying the minimum library version needed for passkey
    support.


---------

Co-authored-by: fadymak <[email protected]>
…ment (#46476)

## Summary

PR 10 of the analytics SQL safety series. Migrates the last surface of
analytics queries that flowed through plain
`get(.../analytics/endpoints/logs.all, { query: { sql } })` or the
`fetchLogs(projectRef, sql: string, ...)` helper over to
`executeAnalyticsSql` with branded `SafeLogSqlFragment` inputs.

After this PR, every analytics SQL call site builds its query through
the safe-analytics-sql helpers and hits the wire through the single
`executeAnalyticsSql` boundary. User-controlled values (filter
operators, numeric thresholds, function IDs, regions, provider names)
all flow through `analyticsLiteral` / branded operator maps; static
fragments are wrapped in `safeSql`. PR 11 (ESLint / vitest rule
forbidding direct analytics-endpoint POST/GET outside
`executeAnalyticsSql`) is the next and final step.

## Changes

- **`hooks/analytics/useProjectUsageStats.tsx`** — route the
already-branded `genChartQuery` output through `executeAnalyticsSql`
(parallels `useLogsPreview`).
- **`data/reports/report.utils.ts`** — tighten `fetchLogs(sql)` from
`string` to `SafeLogSqlFragment`; the wire boundary is now the same
single `executeAnalyticsSql` wrapper used by the rest of the analytics
path. Adds two pre-branded fragment maps reused by the report configs:
  - `SAFE_GRANULARITY_SQL` — closed set returned by
    `analyticsIntervalToGranularity`.
  - `SAFE_COMPARISON_OPERATOR_SQL` — closed set on
    `NumericFilter.operator`.
- **`components/interfaces/Auth/Overview/OverviewErrors.constants.ts`**
— wrap the two static `AUTH_TOP_*_SQL` fragments in `safeSql` (no
interpolation, but the type now flows).
- **`data/reports/v2/edge-functions.config.ts`** — `filterToWhereClause`
and every entry in `METRIC_SQL` now return `SafeLogSqlFragment`.
User-controlled values (`status_code.value`, `execution_time.value`,
function IDs, regions) pass through `analyticsLiteral`; operators look
up the branded map; the granularity uses the branded map. The
wire-format strings are unchanged, so the existing
`edge-functions.test.tsx` exact-string expectations still hold.
- **`data/reports/v2/auth.config.ts`** — same shape applied to all ten
`AUTH_REPORT_SQL` entries. The legacy `whereClause.replace(/^WHERE\s+/,
'')` pattern is replaced by two helpers that emit `AND`-prefixed
predicate fragments directly (`authFiltersToAndPredicates`,
`edgeLogsFiltersToAndPredicates`). Static provider SELECT / GROUP BY
fragments are pre-branded.


## Summary by CodeRabbit

* **Refactor**
  * Enhanced security for analytics and reporting queries by updating
    query construction methods across auth, edge functions, and project
    usage reports.

## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Refactor / chore — lints the analytics SQL wire boundary and tightens
internal API surface. Final PR in the safe-analytics-sql series (stacked
on #46476).

## What is the current behavior?

After PRs 1–10, every analytics SQL call site routes through
`executeAnalyticsSql`, but nothing prevents a future caller from
regressing by calling
`post('/platform/projects/{ref}/analytics/endpoints/logs.all', …)`
directly. `safe-analytics-sql.ts` also exports `rawSql` and
`LogSqlFragmentSeparator`, neither of which has external consumers —
`rawSql` in particular is a cast-to-brand escape hatch that should not
be reachable from outside the file. The safe-sql-execution skill
documents only the pg-meta (Postgres) side of the model.

## What is the new behavior?

- Adds an ESLint `no-restricted-syntax` rule in
`apps/studio/eslint.config.cjs` that fails on direct `post()` / `get()`
calls against
`/platform/projects/{ref}/analytics/endpoints/logs.all{,.otel}` outside
the `executeAnalyticsSql` wrapper.
- Un-exports `rawSql` and `LogSqlFragmentSeparator` from
`safe-analytics-sql.ts`; updates the `SafeLogSqlFragment` docstring
accordingly.
- Adds an "Analytics SQL" section to
`.claude/skills/safe-sql-execution/SKILL.md` covering the disjoint
`SafeLogSqlFragment` brand, the helpers, the wire boundary, and the new
lint.

## Additional context

Resolves FE-2949
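
Added example (not part of these commits or of the Supabase code base): a minimal TypeScript sketch of the branded-fragment pattern that the two safe-analytics-sql commit messages above describe. The names `SafeLogSqlFragment`, `safeSql`, `analyticsLiteral`, `rawSql`, `SAFE_COMPARISON_OPERATOR_SQL` and `executeAnalyticsSql` come from those messages; every function body, the escaping rule, the column names and the stubbed wire boundary are assumptions made for illustration.

```typescript
// Added sketch: names mirror the PR text, bodies are illustrative assumptions.
declare const logSqlBrand: unique symbol
type SafeLogSqlFragment = string & { readonly [logSqlBrand]: true }

// Cast-to-brand escape hatch: kept file-private, as the PR does by un-exporting it.
const rawSql = (s: string): SafeLogSqlFragment => s as SafeLogSqlFragment

// Tagged template that only accepts already-branded interpolations.
function safeSql(strings: TemplateStringsArray, ...parts: SafeLogSqlFragment[]): SafeLogSqlFragment {
  return rawSql(strings.reduce((acc, s, i) => acc + s + (i < parts.length ? parts[i] : ''), ''))
}

// User-controlled values become literals. Escaping assumes a dialect with
// backslash escapes inside single-quoted strings (assumption, not from the page).
function analyticsLiteral(value: string | number): SafeLogSqlFragment {
  if (typeof value === 'number') {
    if (!Number.isFinite(value)) throw new TypeError('numeric literal must be finite')
    return rawSql(String(value))
  }
  // Backslashes first, then quotes, so the added escapes are not doubled again.
  return rawSql("'" + value.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'")
}

// Closed operator set: anything outside the map is rejected, never interpolated.
const SAFE_COMPARISON_OPERATOR_SQL = {
  '=': rawSql('='),
  '!=': rawSql('!='),
  '>': rawSql('>'),
  '<': rawSql('<'),
}
type ComparisonOperator = keyof typeof SAFE_COMPARISON_OPERATOR_SQL

// Column names below are constructed for the example.
function statusCodePredicate(operator: string, value: number): SafeLogSqlFragment {
  // Own-property check so "constructor" or "__proto__" cannot resolve via the prototype.
  if (!Object.prototype.hasOwnProperty.call(SAFE_COMPARISON_OPERATOR_SQL, operator)) {
    throw new RangeError('unsupported operator')
  }
  const op = SAFE_COMPARISON_OPERATOR_SQL[operator as ComparisonOperator]
  return safeSql`AND status_code ${op} ${analyticsLiteral(value)}`
}

function regionPredicate(region: string): SafeLogSqlFragment {
  return safeSql`AND region = ${analyticsLiteral(region)}`
}

// Single wire boundary: a plain string argument does not type-check here.
// The real wrapper sends the request; this stand-in returns the query params.
function executeAnalyticsSql(sql: SafeLogSqlFragment): { sql: string } {
  return { sql }
}
```

Because `rawSql` is the only cast to the brand, keeping it file-private means a fragment can reach `executeAnalyticsSql` only by way of the helpers.
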
## Problem

Padding is off:
<img width="640" height="950" alt="image"
src="https://github.com/user-attachments/assets/586b912e-bad4-4245-a1ca-1675362f7fa0"
/>

## Solution

<img width="546" height="764" alt="image"
src="https://github.com/user-attachments/assets/ffae0c56-8f07-47e8-9c05-cd219bdd101d"
/>




## Summary by CodeRabbit

* **Style**
  * Updated navigation menu item spacing to include horizontal padding
    alongside vertical padding, providing improved visual balance and
    spacing within the navigation menu.

## Problem

The global `TooltipProvider` in `apps/studio/pages/_app.tsx` sets
`delayDuration={0}`, so every tooltip in Studio appears instantly on
hover. This makes tooltips easy to trigger accidentally while moving the
cursor, and contributed to issues like FE-3499 (status code tooltip in
Unified Logs).

The zero delay was introduced in #32679 when tooltips were migrated to
shadcn, without a stated reason.

## Fix

Remove the `delayDuration={0}` prop so tooltips use the Radix default
(700ms).

## How to test

- Open Studio
- Hover briefly over icons, buttons, and other elements with tooltips
- Expected: tooltips no longer appear instantly; they show after a short
hover delay
- Hovering long enough (around 700ms) still shows the tooltip as before


## Summary by CodeRabbit

* **Bug Fixes**
  * Updated tooltip behavior to use default delay duration instead of
    immediate display.

## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES


## Summary by CodeRabbit

* **Documentation**
  * Simplified the local setup instructions for running the docs site
    during development.

…evals (#46168)

Adding broad RLS policies to public buckets can cause users to expose
more than they expected, like the ability to list all profile pictures
on an app. This patches Assistant with knowledge to follow our latest
guidance on restrictive RLS policies for storage buckets
#46172

**Changes**
- Adds Storage bucket evals for public website assets and avatar access
patterns to distinguish public vs private bucket use cases
- Adds eval for overly permissive table policies
- Adds `storage` knowledge so Assistant distinguishes public buckets,
private buckets, object reads, and object listing.
- Adds `includeToolCallInputs` option for scorer transcripts so LLM
judges can evaluate proposed SQL/tool actions.
- Bumps max step count to 10 since storage knowledge may incur another
tool call (also 10 is recommended
[here](https://vercel.com/academy/ai-sdk/multi-step-and-generative-ui#why-multi-step-is-required)
for complex multi-tool scenarios)

**References**
-
https://supabase.com/docs/guides/storage/buckets/fundamentals#public-buckets
- https://supabase.com/docs/guides/storage/security/access-control
- #46172

**Notes:**
- These prompt tweaks are not meant to be exhaustive fixes, they are
mainly hotfixes intended to hold us out until these cases can be
addressed more deeply in skills/docs and tracked in a central evals

Closes AI-676
Closes AI-756

## Summary by CodeRabbit

* **New Features**
  * Added Storage knowledge resource for the assistant covering Supabase
    Storage access patterns and RLS guidance.
  * Added three evaluation cases: two for Storage (marketing assets,
    avatars) and one for RLS policy generation for user profiles.

* **Improvements**
  * Evaluators now include tool call inputs when judging conversations.
  * Assistant prompts and generation enhanced with richer Storage/RLS
    guidance and extended streaming limits.

* **Tests**
  * Added test ensuring tool call inputs are included in serialized thread
    context.

## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Docs update.

## What is the current behavior?

The troubleshooting entry
`edge-functions-worker-timeouts-and-websocket-drops.mdx` includes
frontmatter fields that are not part of the troubleshooting
template/schema, so it does not conform to the expected metadata shape.

## What is the new behavior?

The document now matches the supported troubleshooting template
metadata.

- **Frontmatter cleanup**
  - Removed unsupported `teams` and `types` fields.
  - Kept the existing supported metadata (`title`, `topics`, `keywords`)
    unchanged.

- **Template alignment**
  - Brings the page in line with
    `/apps/docs/content/troubleshooting/_template.mdx`.
  - Avoids schema drift for troubleshooting content.

```mdx
---
title = "Edge Functions worker timeouts and WebSocket drops"
topics = [ "functions" ]
keywords = [ "websocket", "timeout", "earlydrop", "wall clock", "cpu limit", "streaming", "cold start" ]
---
```

## Additional context

This is a surgical docs-only change to make the page consistent with the
troubleshooting content schema used by the docs app.

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: Rodrigo Mansueli <[email protected]>
Co-authored-by: Chris Chinchilla <[email protected]>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Update (third-party integration script).

## What is the current behavior?

The Default.com snippet on `/contact/sales` used the old `form_id`
(`299973`) and listened to the legacy HubSpot form element IDs
(`hsForm_de9a785a-…_5037`), which no longer match the form rendered on
the page.

## What is the new behavior?

The snippet now uses `form_id=879120` and listens to `["support-form"]`,
the actual `id` of the `RequestADemoForm` rendered on the page, so
submissions are enriched and routed correctly.

## Additional context

`team_id` and the loader logic are unchanged.



## Summary by CodeRabbit

* **Chores**
  * Updated form configuration on the sales contact page to enhance data
    processing and routing.

…6402)

## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Performance improvement / feature

## What is the current behavior?

The Schema Designer fetches all tables in a single request via
`useTablesQuery`. For schemas with 400+ tables this blocks first paint
on a large payload.

## What is the new behavior?

`SchemaGraph` uses `useInfiniteTablesQuery` (pageSize: 100) so the first
100 tables paint immediately. A "Load more tables" button appears above
the legend whenever more pages remain, letting users load the rest on
demand.

## Additional context

## Summary by CodeRabbit

* **New Features**
  * Added a "Find table…" selector and keyboard shortcut to quickly locate
    and focus tables; supports incremental loading and debounced name search
    (with literal wildcard handling).
  * Schema Graph shows a bottom "Load more tables" control with loading
    state and preserves view after loading more.

* **Refactor**
  * Table listing switched to infinite/paginated retrieval and improved
    "no tables" logic; server-side name filtering supported.

* **Tests**
  * E2E tests add a schema-visualizer wait helper and update flows to
    support the paginated visualizer.

@pull pull Bot locked and limited conversation to collaborators May 29, 2026
@pull pull Bot added the ⤵️ pull label May 29, 2026
@pull pull Bot merged commit a4334a2 into code:master May 29, 2026
@github-actions github-actions Bot added the documentation Improvements or additions to documentation label May 30, 2026