## Problem
Our `<Button>` component breaks the default `button` contract by
redefining the `type` prop to set its variant (`primary`, `default`,
etc) instead of the button type (`submit`, `button`, etc).
This is confusing and forces to write more code when using it with
shadcn components that expect/inject the standard button props.
## Solution
- rename the `type` prop to `variant`
- rename the `htmlType` prop to `type`
- propagate the changes where necessary
- format code
## How to test
As this is just prop renaming, if it builds it's ok
---------
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Improving accessibility for icon-only buttons
## What is the current behavior?
Icon-only buttons do not have explicit accessible names for screen
readers.
## What is the new behavior?
All icon-only buttons now have explicit accessible names using visually
hidden text (sr-only), ensuring proper screen reader support.
## Additional context
Tooltip text is preserved for visual users.
No visual changes were introduced.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Added/updated aria-labels across refresh buttons, sidebar controls,
dropdown triggers, and navigation links for better accessibility.
* Added conditional aria-labels for the “Create with Assistant” control
to reflect permission states.
* Improved screen-reader descriptions for sidebar toggle and other
stateful controls to better convey status changes.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45981)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Refactor / dependency cleanup.
## What is the current behavior?
`apps/studio` lists both `@supabase/pg-meta` (workspace package) as a
runtime dep and `@supabase/postgres-meta` (external npm package,
`^0.64.4`) as a devDependency. The external package is used only for
type imports across 44 files — there is no runtime usage and no codegen
pipeline that needs it.
## What is the new behavior?
Every `Postgres*` type import (`PostgresTable`, `PostgresColumn`,
`PostgresPolicy`, `PostgresTrigger`, `PostgresView`,
`PostgresMaterializedView`, `PostgresForeignTable`, `PostgresSchema`,
`PostgresPublication`, `PostgresRelationship`, `PostgresPrimaryKey`) is
replaced with its `PG*` counterpart from `@supabase/pg-meta`, and the
external dep is removed from \`apps/studio/package.json\`. Top-level
type re-exports were added to \`packages/pg-meta/src/index.ts\` so
consumers can import directly from the package root.
Two latent issues surfaced by the stricter pg-meta types are also fixed:
- \`data/foreign-tables/foreign-tables-query.ts\` was casting
foreign-table results as \`PostgresView[]\`; corrected to
\`PGForeignTable[]\`.
- \`pg-meta\`'s \`PGTrigger\` Zod schema declared
\`orientation\`/\`activation\` as \`z.string()\`, inconsistent with
pg-meta's own \`getDatabaseTriggerUpdateSQL\` helper that requires the
narrow literal unions; tightened to \`z.enum\`.
## Additional context
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated internal TypeScript type definitions across the codebase to
use the latest type system from `@supabase/pg-meta`.
* Removed `@supabase/postgres-meta` dependency.
* Enhanced type validation for database triggers and schemas to enforce
stricter constraints.
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45844)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Mark provenance of SQL via the branded types SafeSqlFragment and
UntrustedSqlFragment. Only SafeSqlFragment should be executed;
UntrustedSqlFragments require some kind of implicit user approval (show
on screen + user has to click something) before they are promoted to
SafeSqlFragment.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Editor and RLS tester show loading states for inferred/generated SQL
and include a dedicated user SQL editor for safer edits.
* **Refactor**
* Platform-wide SQL handling tightened: snippets and AI-generated SQL
are treated as untrusted/display-only until promoted, improving safety
and consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR migrates the whole monorepo to use Tailwind v4:
- Removed `@tailwindcss/container-queries` plugin since it's included by
default in v4,
- Bump all instances of Tailwind to v4. Made minimal changes to the
shared config to remove non-supported features (`alpha` mentions),
- Migrate all apps to be compatible with v4 configs,
- Fix the `typography.css` import in 3 apps,
- Add missing rules which were included by default in v3,
- Run `pnpm dlx @tailwindcss/upgrade` on all apps, which renames a lot
of classes
- Rename all misnamed classes according to
https://tailwindcss.com/docs/upgrade-guide#renamed-utilities in all
apps.
---------
Co-authored-by: Jordi Enric <jordi.err@gmail.com>
Fixes the RLS policies page showing self-contradictory or wrong
admonitions for tables with partial grants. Classifies each table using
the same `granted / custom / revoked` semantics used by the Data API
settings page so the two views agree on what counts as "exposed".
**Changed:**
- `PolicyTableRow` now uses `useTableApiAccessQuery` (shared cache with
the Table Editor sidebar) instead of a bespoke
`tables-roles-access-query`
- Boolean soup collapsed into a single `TableDataApiStatus`
discriminated union (`schema-not-exposed | no-grants | custom-grants |
publicly-readable | locked-by-rls | secured`) via a pure helper
- Admonition copy for `no-grants` and `locked-by-rls` updated; a table
with no policies but full grants now reads "No data will be returned via
the Data API as no RLS policies exist on this table." instead of the
earlier self-contradictory "can be accessed but no data will be
returned"
- `table-api-access-query.ts` now exposes a `grantStatus: 'granted' |
'custom'` on `access` entries — `granted` = all 3 API roles × all 4 CRUD
privileges (matches `getTableGrantsCTEs` in pg-meta)
**Added:**
- New `custom-grants` admonition: "This table has custom Data API
permissions — access may be restricted for some roles or operations."
- Unit tests for `getTableDataApiStatus`, `getTableAdmonitionMessage`,
and `isFullyGranted`
**Removed:**
- `data/tables/tables-roles-access-query.ts` and the `rolesAccess` key —
no more callers
## To test
On a project with the `public` schema exposed, for each scenario check
the admonition shown on `/project/{ref}/auth/policies`:
1. Table with full standard grants, RLS on, no policies → "No data will
be returned via the Data API as no RLS policies exist on this table."
2. Table with full standard grants, RLS off → yellow warning "can be
accessed by anyone"
3. Table with partial grants (e.g. only `GRANT SELECT ON t TO anon`) →
new "custom Data API permissions" admonition regardless of RLS state
4. Table with no anon/authenticated/service_role grants → "cannot be
accessed via the Data API"
5. Schema not in the exposed list → "schema not exposed" admonition with
link
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Added unit tests covering table Data API/RLS status classification and
API grant validation.
* **Refactor**
* Introduced a unified per-table API/RLS status model and reusable
utilities to derive display status and admonitions.
* Simplified UI logic to drive access indicators and warnings from the
new status.
* **Chores**
* Removed legacy role-based access query and its related keying logic.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
Feature / Refactor
## What is the current behavior?
Data API docs live at the `/api` route as a standalone page. Old links
point to the previous location.
## What is the new behavior?
Data API docs are moved to the integrations section with a dedicated
docs tab and settings tab. Old links are cleaned up, a mobile menu is
added for data API docs navigation, and minor code review fixes are
applied.
## Additional context
Resolves FE-2517
## Summary by CodeRabbit
* **New Features**
* Revamped API docs UI with reusable section layout, language toggle
(JS/Bash), API key selection, and improved code snippets
* Added Data API docs tab, mobile navigation, and dedicated
loading/error/disabled states
* **Navigation Updates**
* Moved API docs and related links into the Integrations/Data API area
and added redirects to new routes
* Updated various internal links to the new Data API settings and
overview locations
* **Tests**
* Added comprehensive unit tests for Data API utilities
* Add shimmering-loader CSS to ui-patterns.
* Import the shimmering-loader classes from the ui-patterns component.
* Remove ShimmeringLoader from studio.
* Migrate studio to use ui-patterns/ShimmeringLoader.
* Migrate away from using default import for ShimmeringLoader.
* Fix the css imports in docs and studio.
* add useQueryStateWithSelect to Policies
* add useQueryStateWithSelect to Users
* use show for users param routing
---------
Co-authored-by: Ali Waseem <waseema393@gmail.com>
* fix(policies search): replace useUrlState with nuqs
There is a bug when typing quickly into the search field on the policies
page: because useUrlState naively uses router.replace, which is
asynchronous, the search term can get corrupted, e.g., searching for
"dummy" might end up with a final value of "dum". Switched to nuqs for
better handling.
* perf(policies page): memoize and optimize for projects with many tables
A project with hundreds of tables will have extremely slow search
performance for the policies page, because of heavy rerendering. Made
some optimizations:
- Memoized to reduce rerendering
- Hid filtered-out tables instead of unmounting, so we don't have to
remount when the search is cleared
* refactor(policies page): pass policies info through context
Avoid having a mess of props by creating a PoliciesDataContext to share
policy information.
* cleanup(policies pages): minor code cleanup, no user-facing changes
* fix(policy editor): reduce number of table role access queries
On the Policies page, every single PolicyTableRow fires off its own
table roles access query (because each query is keyed to an individual
table). For users with many tables (400+), this causes the API to
rate-limit the dashboard.
Changed so that the table roles access query now fetches information for
the entire schema in one go, then organizes it by table.
* Nit refactors
* refactor: return minimal data from table access query
All we need to know is whether a given table has anon or authenticated
access, so just query for the list of tables that match that criteria
from information_schema.role_table_grants.
* refactor(policies page): more efficient sql query for getting anon/auth access tables
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* Update perms checking in audit logs
* Deprecate useCheckPermissions, useIsPermissionsLoaded and useCheckProjectPermissions as they're no longer used
* Rename useAsyncCheckProjectPermissions to useAsyncCheckPermissions
* Fix TS
* refine the policies page
* minor fixes
* Fix TS
* Do not transform table name in policy row table header
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* Part 1 of swapping useCheckPermissions with useAsyncCheckProjectPermissions
* Update apps/studio/hooks/misc/useCheckPermissions.ts
Co-authored-by: Drake Costa <drake@saeris.io>
* Address feedback
---------
Co-authored-by: Drake Costa <drake@saeris.io>
* Replace all usage of useProjectContext with useSelectedProjectQuery
* Replace all usage of useSelectedProject with useSelectedProjectQuery
* Replace all usage of useProjectByRef with useProjectByRefQuery
* Replace all usage of useSelectedOrganization with useSelectedOrganizationQuery
* Deprecate useSelectedProject, useSelectedOrganization, and useProjectByRef hooks
* Deprecate ProjecContext
* add assistant chats
* refactoring
* refactor
* refactor to use onfinish
* fix ts
* dependencies removal
* Update useAssistant.ts
* ts
* refactor useAssistant hook to valtio store
* Minor tweaks
* Add name param to newChat, and add names to each call of newChat
---------
Co-authored-by: Alaister Young <a@alaisteryoung.com>
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* Add settings for queues: toggle expose through postgrest + permissions via table privileges
* Ensure appropriate grants are granted when toggling, and revoked when disabling
* Update to use queues_public schema
* Update queue schema to pgmq_public and add/remove from data api when enabling/disabling
* Fix query for retrieving toggle state
* Add schema invalidation
* Remove hard code
* Use QueuesSettings from Queues folder, remove from NewQueues
* Update SQL for toggling exposure + support RLS enabling
* Support toggling RLS for a queue
* Update admonition copy in queues for enabling/disable postgrest exposure
* Add custom RLS policy for queue
* Minor style fixes
* Fix
* Remove hard code
* Update RLS to add message regarding relevancy only if exposure to PostgREST is enabled
* Update message in exposing queues to postgREST
* Address feedback
* Address feedback
* Don't revoke postgres role stuff
* Remove hard code
* Update copy
* Update
* Address Oli's feedback, ensure that queues ALL have RLS enabled prior to allowing exposure to PostgREST
* Address remaining feedback
* Remove hardcode
* Update
* Address feedback
* show thinking if last message is empty
* sql toggle copy and border fix
* add table and schema context
* add suggestions for policy
* Add snippet content to ai assistant if on sql editor and assistant is open
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
* start
* added panels
* remove stuff
* fixes and refinements
* clean up
* remove old assistant panel
* resizable assistant kinda
* use icon
* Add missing package
* remove canvas
* add suggestions
* updated empty state if no tables exist
* fix table condition
* Implement diffing if using assistant in sql editor
* Reinstate old assistant in SQL editor if feature preview is off
* pane size adjustment
* assistant button corners
* Add SQL snippet content to assistant if opening assistant in sql editor
* Add the necessary checks for opt in and hipaa
* revert adding snippet to assistant when opening assistant in sql editor
* Add cmd i shortcut
* Add admonitions for when disablePrompt is toggled on, and if no api key is set. Add footer note RE rate limitation
* Bump ai package in packages
* some fixes for backwards compability depending on feature preview toggled
* Rename feature preview property for new assistant
* Smol fix
* Prevent SQL snippet from running until message is finished
* only loading last message
* fix z-index
* save chat state to global state
* add debug to failed ai queries
* Add basic contextual invalidation
* Add explain code action to SQL editor
* Add link to abort ongoing queries from SqlSnippet
* Update feature preview content
* Fix
* Fix
* Fix
* Te4st
* Fix tests
* ONly show ai button within a project
* Fix PH tracking
* Beef up a bit more event tracking
* Rough fix to padding when assistant is open
* A bit more telemetry stuff
* Update prompts
* fix rls editing via assistant
* Update generate-v3.ts
prompt to get auth schema too
* Add policy satement to assistant when editing
* Address all comments
* fixc
* Fix SqlSnippet not taking full width on larger viewports
* Adjust max width
---------
Co-authored-by: Saxon Fletcher <saxonafletcher@gmail.com>
