## What kind of change does this PR introduce?
Chore: component migration and copy update.
## What is the current behavior?
`DownloadSnippetModal` and `RenameQueryModal` use an awkward tabs-based
layout. The download action is labelled "Download" throughout, and the
NPX toggle was incorrectly labelled "NPM".
## What is the new behavior?
- Both modals are migrated to the `Dialog` component.
- The download dialog replaces the tab layout with a select (Migration /
Seed file / SQL file) and a CLI/NPX toggle.
- Action language changed from "Download" to "Export" (context menu
item, dialog title, select label) — more accurate since the user runs a
CLI command rather than triggering a browser download.
- NPM toggle label corrected to NPX; internal `npm` property key renamed
to `npx` for consistency.
| Before | After |
| --- | --- |
| <img width="1024" height="759" alt="Add Auth Hook (General) SQL Editor
Pickles Pantry Supabase-C6F22F8B-19FF-486E-8C08-915895495875"
src="https://github.com/user-attachments/assets/98637802-5e05-4431-87f8-b2e83216082a"
/> | <img width="1024" height="759" alt="Add Auth Hook (General) SQL
Editor Pickles Pantry Supabase-5B63AD0C-7CD0-4BB2-BEC8-5DBAE94963CE"
src="https://github.com/user-attachments/assets/a8f48c2f-a7e2-42fd-b52c-89a133811ad8"
/> |
| <img width="1024" height="759" alt="Add Auth Hook (General) SQL Editor
Pickles Pantry Supabase-1F28FADA-46D1-4C0A-BE96-6CFF2317FDCF"
src="https://github.com/user-attachments/assets/afb904d0-689b-4756-b0b4-8177703934e4"
/> | <img width="1024" height="759" alt="Add Auth Hook (General) SQL
Editor Pickles Pantry Supabase-652E6E8D-1CD2-4465-BC82-46EDB974CD8C"
src="https://github.com/user-attachments/assets/f1adfb6b-fba6-495f-b571-1713c3eebb4d"
/> |
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Updated the SQL query export modal UI from a tabs-based interface to a
dropdown-based selection for choosing export formats.
* Revised menu and dialog labels to "Export query" for improved clarity.
* Enhanced code block presentation in the export modal.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46242?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Gildas Garcia <1122076+djhi@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Backports a batch of e2e test stabilization fixes — each commit is
scoped to a single failure class and only touches `e2e/studio/` files.
**Changed:**
- **`_global.setup` — playwright-locks cleanup was dead code**: the
lock-cleanup block was at the bottom of `Global Setup`, but every branch
above it returns early — so it never ran. Tests that use
`withFileOnceSetup` (cron-jobs) would see a stale `setup.done.json`
marker from the previous run and silently skip their setup, leaving e.g.
`pg_cron` uninstalled and all 11 cron-jobs specs failing. Moved the
cleanup to before any early return.
- **filter-bar — Home key**: macOS Chromium doesn't honor a standalone
`Home` keypress inside text inputs (macOS routes "go to line start" via
`Cmd+ArrowLeft` / `Fn+ArrowLeft`). Tests that expected the cursor to
jump to position 0 silently kept the previous selection. Replaced with
`el.setSelectionRange(0, 0)` so the assertion runs against a known
cursor position on every OS.
- **filter-bar — date filters**: tests inserted rows with `CURRENT_DATE`
/ `NOW()` (postgres session TZ = UTC) and asserted with JS-local dates
from `getDateValue()`. Near midnight the two diverged and the filter
returned 0 rows. Switched the inserts to explicit `getDateValue()`
strings so insert and assert use the same calendar day.
- **queue-table-operations — `networkidle`**: Studio holds long-poll /
SSE connections (PostHog, realtime), so `page.reload({ waitUntil:
'networkidle' })` never resolves and timed out. Replaced with a targeted
`waitForTableToLoad` API waiter.
- **sql-editor — RLS smoke test**: a hard-coded table name
(`pw_rls_smoke_test`) collided across 3 parallel workers running against
the same db. Suffixed with `test.info().parallelIndex`.
- **table-editor — FK spec timeout**: `waitForApiResponseWithTimeout`
for `query?key=table-update` returns `null` on timeout (silent), then
the panel-close assertion fails. Bumped 15s → 30s to absorb
parallel-load latency.
- **table-editor / storage-helpers — URL encoding & redirect race**:
post-action URL assertions were over-specific (`%20` vs `+` encoding)
and the bucket-delete redirect could race other history updates. Relaxed
the regex to accept both encodings; asserting the row removal directly
is a more stable signal than the redirect URL.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Improved end-to-end determinism with explicit dates/timestamps and
stable cursor positioning
* Prevented parallel-test collisions by using unique identifiers for
resources
* Made page reloads and API waits more robust for long-lived connections
and increased timeouts
* Strengthened assertions to rely on stable UI signals instead of
transient navigation/network state
* Ensured test setup reliably cleans up temporary locks before any setup
steps run
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46039?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
## What kind of change does this PR introduce?
Studio UI cleanup.
## What is the current behaviour?
The SQL editor query warning modal repeats itself with an admonition, a
nested warning panel, and extra confirmation copy. Single-warning cases
are harder to scan than they need to be.
## What is the new behaviour?
The warning now uses `AlertDialog` and resolves each detected issue into
concise title/body copy. Single-warning cases show one short
description, while multi-warning cases show a compact list. The existing
RLS actions are preserved.
## Testing instructions
Manual SQL editor checks:
Open the Studio SQL editor, paste each snippet, click **Run**, verify
the warning copy, then click **Cancel**. These snippets are only
intended to trigger the warning UI, so do not confirm the dangerous
ones.
Destructive operation warning:
```sql
drop table if exists public.codex_warning_destructive;
```
UPDATE without WHERE warning:
```sql
update public.codex_warning_table set id = id;
```
Prevent database connections warning:
```sql
alter database postgres connection limit 0;
```
Missing RLS warning:
```sql
create schema if not exists codex_warning;
create table codex_warning.missing_rls (id bigint);
```
Multiple issues warning:
```sql
drop table if exists public.codex_warning_destructive;
update public.codex_warning_table set id = id;
create schema if not exists codex_warning;
create table codex_warning.missing_rls_multi (id bigint);
```
## Additional context
| Before | After |
| --- | --- |
| <img width="1024" height="759" alt="Codex Warning Table Maintenance
SQL Editor Hammer Toolshed Supabas-BDBD32C7-FCE8-4623-ACF2-D2554233EBB4"
src="https://github.com/user-attachments/assets/aaed16c2-9910-424a-8a3c-f9815139b1bf"
/> | <img width="1024" height="759" alt="Codex Warning Table Maintenance
SQL Editor Hammer Toolshed Supabas-C8964C98-1CF9-4992-89D6-86C081C884E8"
src="https://github.com/user-attachments/assets/d291c559-1e64-4c63-b918-b20b58d9a2a5"
/> |
| <img width="1024" height="759" alt="Codex Warning Table Maintenance
SQL Editor Hammer Toolshed Supabas-C341A032-B5B0-49A2-8EA2-E3E6EEC54E4F"
src="https://github.com/user-attachments/assets/667d9d1a-e34b-4411-9f91-4972ee8d1a23"
/> | <img width="1024" height="759" alt="Codex Warning Table Maintenance
SQL Editor Hammer Toolshed Supabas-FC66ADE9-6AF1-44D2-A6B6-F7B2FC935C0E"
src="https://github.com/user-attachments/assets/1348377e-6606-47c0-aa95-128d7f86ed56"
/> |
| <img width="1024" height="759" alt="Codex Warning Table Maintenance
SQL Editor Hammer Toolshed Supabas-43AAD9FA-7FAC-4DCE-A713-00E8FC76B343"
src="https://github.com/user-attachments/assets/bdadedc2-f17d-4011-ae67-5248097b3e92"
/> | <img width="1024" height="759" alt="Codex Warning Table Maintenance
SQL Editor Hammer Toolshed Supabas-279EC81D-31C7-49C7-B4A8-EEEF1738740A"
src="https://github.com/user-attachments/assets/0c178fff-ff49-4522-870d-7a3401c6af30"
/> |
| <img width="1024" height="759" alt="Codex Warning Table Maintenance
SQL Editor Hammer Toolshed Supabas-D405AED5-613F-4C78-909E-F718C67CF17E"
src="https://github.com/user-attachments/assets/a4399935-3596-471b-854a-c689e2e0df07"
/> | <img width="1024" height="759" alt="Codex Warning Table Maintenance
SQL Editor Hammer Toolshed Supabas-725FBCE6-5606-4BC3-B13F-6210DBADF6F2"
src="https://github.com/user-attachments/assets/0dcd08fc-cfb4-4d67-b167-eb6eaa768764"
/> |
| <img width="1024" height="759" alt="Codex Warning Table Maintenance
SQL Editor Hammer Toolshed Supabas-EA6563AF-DE7E-4AB8-9164-AC66164CA581"
src="https://github.com/user-attachments/assets/ef56fe0f-0243-4ff3-a2b2-ee8b3fe2330a"
/> | <img width="1024" height="759" alt="Codex Warning Table Maintenance
SQL Editor Hammer Toolshed Supabas-EC85EFB1-715E-4841-BBCA-51F88B539595"
src="https://github.com/user-attachments/assets/5be05527-920d-4f23-92eb-c7cd0bbff13e"
/> |
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Prevented unintended modal dismissal and duplicate handling when
confirming.
* **Refactor**
* Redesigned SQL editor warning modal with structured, consolidated
warnings, adaptive title/confirmation copy, and centralized handling of
missing-RLS table names.
* Added conditional "Run and enable RLS" confirmation when available.
* **Tests**
* Updated end-to-end tests to match the new modal headings and body
text.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/45912)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes a false positive in the CREATE-TABLE-without-RLS warning modal
added in #45008. The warning was firing on `CREATE FUNCTION` statements
because the `SELECT..INTO` detector was matching plpgsql variable
assignments inside `$$…$$` function bodies.
Reported example that triggered the modal with no table actually being
created:
```sql
create or replace function schema_checks()
returns jsonb
language plpgsql
as $$
declare
ret jsonb;
begin
select jsonb_build_object('value', 'ok') into ret;
return ret;
end;
$$;
```
**Changed:**
- `SQLEventParser.match()` now strips the body of `$tag$…$tag$` blocks
before running detectors. Tags are kept as markers; content is blanked
out so function bodies, DO blocks, and dollar-quoted string literals are
never scanned as DDL.
- Updated a pre-existing parser test that asserted the buggy behaviour
(it expected `CREATE TABLE fake` inside a `$$…$$` string literal to be
detected — `$$…$$` is a string literal in Postgres, not DDL).
**Added:**
- Regression tests in `SQLEditor.utils.test.ts` covering: the exact
reported function, DO blocks with `select into`, `create table` text
inside a function body, mixed top-level `CREATE TABLE` + function with
`INTO` assignments, and custom `$body$…$body$` tags.
- Parser-level regression test in `sql-event-parser.test.ts`.
## To test
- In the SQL editor, paste the function from the Slack report and run it
— the RLS warning modal should not appear.
- Run `create table foo (id int8 primary key);` on its own — modal still
appears as before.
- Run `create table foo (id int8); create or replace function bar()
returns int language plpgsql as $$ declare v int; begin select 1 into v;
return v; end; $$;` — modal should flag only `foo`, not `v`.
- Run an existing destructive query (`drop table x`) — unaffected, modal
still works.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Parser no longer treats DDL/DML-like text inside PL/pgSQL functions,
DO blocks, or dollar-quoted bodies (including nested/custom tags) as
top-level CREATE TABLE/SELECT INTO, preventing false detections and UI
warnings.
* **Tests**
* Added unit and e2e regression tests covering dollar-quoted blocks,
nested dollar tags, DO blocks, SELECT INTO inside functions, and
positive controls with a real top-level CREATE TABLE.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
Adds a pre-execution warning in the SQL editor when a `CREATE TABLE`
statement is run without enabling Row Level Security on the new table.
Responds to the press call-out around SQL editor security.
<img width="708" height="498" alt="Screenshot 2026-04-18 at 4 31 07 PM"
src="https://github.com/user-attachments/assets/4f23ed5e-f32c-46f0-b0da-ac6d4c661c7c"
/>
**Added:**
- Pre-execution check in `executeQuery` that detects `CREATE TABLE`
statements without a matching `ALTER TABLE ... ENABLE ROW LEVEL
SECURITY` in the same submitted SQL.
- New "Run and enable RLS" action in the warning modal that rewrites the
SQL to append `ALTER TABLE [schema.]<table> ENABLE ROW LEVEL SECURITY;`
for each detected table before running.
- Link in the modal to the RLS docs.
**Changed:**
- `RunQueryWarningModal` now renders `Dialog` directly (instead of
`ConfirmationModal`) so it can show three buttons: Cancel / Run without
RLS / Run and enable RLS.
- `sqlEventParser` table-name regex now supports quoted identifiers
containing spaces (e.g. `"My Table"`) and escaped quotes (e.g.
`"user""table"`).
The check runs against the SQL that's actually submitted, so
partial-selection works correctly — selecting only the `CREATE TABLE`
portion will trigger the warning even if there's a matching `ENABLE RLS`
lower in the editor.
## To test
- Open the SQL editor and run `create table foo (id int8 primary key);`
→ modal should appear with the RLS warning bullet and three buttons.
- Click **Run and enable RLS** → query runs, table is created with RLS
enabled.
- Click **Run without RLS** → query runs as written, no RLS.
- Run `create table foo (id int8); alter table foo enable row level
security;` → no modal (RLS already enabled in same submission).
- Run `create table public.bar (id int8); create table baz (id int8);
alter table baz enable rls;` → modal flags only `public.bar`.
- Select only the `create table` portion of a snippet that also enables
RLS lower down and run the selection → modal should still fire.
- Run an existing destructive query (`drop table x`) → modal still works
as before with two buttons (Cancel / Run this query).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* SQL editor now detects CREATE TABLE statements missing Row Level
Security (RLS) and shows counts and dynamic table/schema details in a
redesigned warning dialog with updated pluralization and a “Learn more”
link.
* New actions: “Run without RLS” and, when available, “Run and enable
RLS” which applies RLS and runs the query; editor can execute an
overridden SQL payload when applying RLS changes.
* **Tests**
* Added comprehensive unit and e2e tests covering RLS detection, SQL
augmentation, trigger handling, identifier parsing, and the “Run and
enable RLS” flow.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
## What kind of change does this PR introduce?
Chore / UI consistency fix. Resolves DEPR-418.
## What is the current behavior?
Shortcut hints are still hand-built in several high-traffic Studio
surfaces, which leads to inconsistent rendering and stale
platform-specific markup. Buttons in particular can end up with awkward
spacing and baseline alignment when shortcut labels are inserted
directly into the button text.
## What is the new behavior?
This PR standardises those shortcut hints around `KeyboardShortcut` and
updates the surrounding layout primitives to support that approach more
cleanly.
It includes:
- Design docs
- using `KeyboardShortcut` in the table side-panel `ActionBar`
- replacing hardcoded operation queue button shortcuts in
`OperationQueueSidePanel`
- standardising the command menu trigger shortcut chip and updating the
`LayoutHeader` overrides to match the new DOM shape
- replacing the AI editor empty-state `Cmd/Ctrl + K` hint with
`KeyboardShortcut`
- refining shared shortcut/button primitives so inline shortcuts align
better when used as button accessories
- keeping the SQL utility shortcut work on this branch consistent with
the same shared component approach
| Before | After |
| --- | --- |
| <img width="1454" height="902" alt="CleanShot 2026-03-27 at 15 55
32@2x"
src="https://github.com/user-attachments/assets/3a8de192-3f4c-480b-9d26-9b28becd0ee3"
/> | <img width="1488" height="906" alt="CleanShot 2026-03-27 at 15 29
31@2x-63A17C58-D023-4D3A-9355-6C40A6485328"
src="https://github.com/user-attachments/assets/46ef7f7a-2b8b-4c10-8935-84ca5ad44562"
/> |
| <img width="738" height="328" alt="CleanShot 2026-03-27 at 15 57
07@2x"
src="https://github.com/user-attachments/assets/ad459c41-867d-42f9-a8cb-c936af8326b7"
/> | <img width="726" height="290" alt="CleanShot 2026-03-27 at 15 56
29@2x-ECE4E10F-9693-4ED8-B085-DC436A839F52"
src="https://github.com/user-attachments/assets/95b4bfb4-ec34-4080-8b69-211b5045ca26"
/> |
## Later todo
- [ ] Replace the string-based SQL editor placeholder shortcut in
`SQLEditor` once that placeholder API supports rich content
- [ ] Refactor `CommandOption` to use `KeyboardShortcut` instead of
bespoke platform detection and command-key markup
- [ ] Standardise the remaining DataTable shortcut hints
(`DataTableToolbar`, `DataTableResetButton`, `DataTableFilterCommand`,
`DataTableFilterControlsDrawer`) around `KeyboardShortcut`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced a new KeyboardShortcut component for displaying keyboard
shortcuts with two visual variants (pill and inline).
* Standardized keyboard shortcut indicators across the application
interface for consistent user experience.
* **Bug Fixes**
* Fixed capitalization inconsistencies in button labels and hotkey
settings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
Some tests rely on hard coded timeouts. That makes them
- brittle if the timeout is not long enough
- take longer than necessary if the timeout is too long
## Solution
- Rely on playwright `expect` retries when possible
- Rely on UI updates when possible
## Context
Adds a warning if running an `ALTER DATABASE` command that prevents
connections to the database. This would lock the dashboard out of the
database, and re-configuring the setting will require a direct
connection to the DB
<img width="623" height="535" alt="image"
src="https://github.com/user-attachments/assets/4c388f4a-753b-4fd6-89c5-89dfaa52c859"
/>
## To test
- Could try running the following command in the SQL editor to check the
warning, this will show all the warnings
```
ALTER TABLE colors2 drop column sss;
update colors set name = 'test';
alter database postgres connection limit 0;
```
* Hide favorite and share actions for self-hosted version.
* Rename the query on save only on platform.
* Simplify useCheckOpenAiKeyQuery.
* Rename with AI now depends if the OPENAI_API_KEY is set.
* Minor fixes.
* Fix the tests to use .skip for skipping tests. Remove extra port params.
* Make the test for favourites work only on platform variant.
Table editor tests were being run serially because they would otherwise
stomp all over each other in setup. But this made them really slow. This
PR changes them to run in parallel, and makes sure the setup step runs
only once by using a file lock.
Also cleans up miscellaneous other sources of flakiness in tests.
Co-authored-by: Ali Waseem <waseema393@gmail.com>
* chore: add final e2e tests for table-editor and sql-editor
* chore: update tests to run in staging
* chore: minor updates
* chore: fix PR feedback
---------
Co-authored-by: Jordi Enric <37541088+jordienr@users.noreply.github.com>
* chore: add e2e test for sql editor snippets
* trigger build
* chore: fix failing test and add rls
---------
Co-authored-by: Terry Sutton <saltcod@gmail.com>
* add new e2e folder
* add local supabase and confitional storage
* fix e2e selfhosted
* update actions
* add correct e2e folder
* fix e2e actions
* fix action project ids
* fix permissions
* fix script
* fix playwright install
* playwright root
* pnpm i
* fix api rul
* add env docs
* update run script
* only install deps for e2e
* use same dep
* only install deps for tests
* upd lockfile
* use official vercel integration
* use vercel cli
* remove old folder
* fix script
* rm filter
* rename e2e studio package
* fix install browsers
* add polling for vercel build
* use vercel-preview-url package
* undo actions
* rename ci env to ci
* chore:add rls check and make playwright test less flakey (#35348)
* update ci action
* fix paths
* fix browser install
* run ci against staging
* try caching builds
* fix envs
* fix env check
* fix sign in
* fix sign in url
* fix envs and url
* fix caching
* fix race condition in sign in page
* fix race condition in sign in page
* add check to see if being redirected
* fix caching, check IS_PLATFORM var
* log is_platform
* try vercel build
* fix vercel project id
* fix path
* add temp vercel.json file
* fix paths
* undo project id stuff
* rm cwd
* fix path
* fix paths again
* fix path
* fix base url
* try different fix
* fix config base url
* fix base studio url issues
* retain video on fails
* Update e2e/studio/README.md
Co-authored-by: Copple <10214025+kiwicopple@users.noreply.github.com>
* Update e2e/studio/README.md
Co-authored-by: Copple <10214025+kiwicopple@users.noreply.github.com>
* fix env file naming
* undo caching
* rm old tests folder
* fix readme scripts
* rm vercel deploy for now, just run build locally
* fix url
* fix build script
* fix is_platform
* fix stuck studio start
* fix env vars
* retain network and logs on fail for better debugging
* add apiurl env
* back to vercel
* disable catpcha
* fix test
* update environment configuration to remove default URLs for CI and streamline API base URL handling
* fix typeerr
* fix urls in home.spec
* fix urls in logs.spec
* fix urls in sqleditor spec
* fix table editor spec
* add tourl util
* use staging api in ci
* re add base url env var
* fix url in projects page
* fix url in sql editor spec
* fix sign in not waiting for cookies omfg
* fix env var name
* fix sql-editor test
* simplify table removal
* add opt out telemetry step
* fix logs tests
* fix table editor spec
* remove flaky steps from table editor tests
* use vercel deployment events instead of build
* add studio check
* fix condition
* debug event
* rm if
* trigger deploy
* undo ac
* make opt out button step optional, some envs dont hav eit
* use testid for sql run button
* use id instaed of timestamp in logs tests
* empty
* rm retries
* up glbal timeout
* chore: fix failing sql-editor playwright test (#35767)
* chore: fix failing sql-editor playwright test
* chore: minor fixes
* Chore/update playwright config (#35826)
chore: update playwright config
* rm supabase project from e2e tests
* refactor and simplify environments
* fix sql editor test
* fix ci env vars
* fix
* fix on windows
* update readme
* add playwright install script to readme
* rm turbopack trace flag
* npm to pnpm for scripts
* delete ivan lines
---------
Co-authored-by: Michael Ong <minghao_3728@hotmail.com>
Co-authored-by: Copple <10214025+kiwicopple@users.noreply.github.com>
