OAuth/SSO callback failures (e.g. GitHub returning an email that
collides with gotrue's `users_email_partial_key` constraint) were
stranding users on `/sign-in-mfa` with the raw error rendered under the
"Two-factor authentication" heading. They now redirect to `/sign-in`,
where the error surfaces above the email form under "Welcome back" and
the form stays interactive so users can fall back to email/password
without refreshing.
Addresses FE-3483.
**Changed:**
- `pages/sign-in-mfa.tsx`: redirect to `/sign-in` when
`auth.initialize()` returns an error, instead of stopping the loader and
rendering the error on the MFA page. The error is already captured in
the shared `AuthProvider` state by `gotrueClient.initialize()` before
the redirect, so it survives the navigation via `useAuthError()`.
- `components/interfaces/SignIn/SignInForm.tsx`: render `useAuthError()`
as an inline `AlertError` above the email/password fields. Form stays
interactive so users hitting the duplicate-email case can use email
sign-in inline.
This is the "surgical" option from the ticket — option 3 (point the
OAuth callbacks at `/sign-in` directly) is still the right long-term
cleanup.
## To test
1. Visit
`/sign-in-mfa#error=server_error&error_description=Database+error+saving+new+user`
— should redirect to `/sign-in` with the error rendered above the email
form under "Welcome back".
2. Type into the email/password fields — form should be interactive
(this is the part the "replace the form" alternative would have broken).
3. Hard-reload `/sign-in` — no `AlertError`, normal form.
4. Sign in with a real email/password account that has MFA enabled —
`/sign-in-mfa` should load normally with the "Two-factor authentication"
heading and verification form. No redirect, no `AlertError`.
5. Try
`/sign-in-mfa?returnTo=%2Forganizations#error=server_error&error_description=test`
— after redirect the URL should be `/sign-in?returnTo=%2Forganizations`
(query preserved, hash consumed by gotrue).
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
## Problem
We still uses the deprecated `Modal` for:
- Banning a user
- Inviting a user
- Adding a redirection URL
- Removing a redirection URL
## Test
Hard to test the JWT. I had to force its display by settings its `open`
prop to `true` in
`apps/studio/components/interfaces/JwtSecrets/jwt-settings.tsx`
## Solution
- use `Dialog` instead
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Modernized authentication UI components (user management, redirect URL
configuration) with updated dialog structures for improved consistency
and state handling
* Enhanced async operation handling in redirect URL deletion workflows
to ensure proper synchronization and state management
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46392?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
We still use the deprecated `Modal` for:
- Deleting a wrapper
- Updating a vault secret
- Sending a queue message
## Solution
- use `Dialog` instead
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Replaced several modal dialogs with updated dialog/alert patterns for
sending messages and confirming deletions, improving visual consistency
and content structure.
* **Bug Fixes**
* Prevent duplicate/accidental actions by disabling buttons and showing
loading states during pending operations; confirmation dialogs now
display relevant item details and close on success.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46380?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
We still use the deprecated `Modal` for:
- Adding a new payment card
- Deleting a payment a card
- Changing the payment method
- Displaying the spend cap details when creating a new org
## Solution
- use `Dialog` instead
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Updated billing dialogs (add/change/delete payment methods and spend
cap) to use a newer dialog/alert dialog system.
* Result: more consistent dialog behavior, clearer confirmation flows,
and improved handling of loading/confirmation states for payment
actions.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46385?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Follow-up to #46140 — the returned `track` function was re-created on
every router change or selected project/org refetch, which made it
unstable for consumers that depend on referential equality (e.g. effect
deps, memoized children).
**Changed:**
- Read `project?.ref`, `org?.slug`, and `router.pathname` through
`useLatest` so the values inside `track` stay current without being deps
of the `useCallback`
- Drop the deps from the `useCallback` — `track` is now stable for the
lifetime of the component
## To test
- Verify telemetry events still send with correct `project` /
`organization` groups and `pathname`
- Confirm any consumers that put `track` in `useEffect` deps no longer
re-run unnecessarily on route or project changes
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Improved telemetry event tracking to capture more accurate context
information at the time events are sent, ensuring data reflects current
application state.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46412?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
## Summary
The three LWX edge functions consume `MISC_USE_ANON_KEY` while their
inline comments claim "SERVICE ROLE KEY": a copy-paste bug. This PR
swaps them to `MISC_USE_SERVICE_ROLE_KEY`, matching `lw11-og` (the
reference implementation that already uses the service role pattern
correctly). The secret is already configured on the project. Service
role bypasses RLS, so uploads succeed regardless of bucket policy and
the key is never exposed (edge functions are server-side).
## Changes
- `lwx-ticket/handler.tsx`: swap storage client to use
`MISC_USE_SERVICE_ROLE_KEY`
- `lwx-og/handler.tsx`: swap storage client to use
`MISC_USE_SERVICE_ROLE_KEY`
- `lwx-ticket-og/handler.tsx`: swap storage client to use
`MISC_USE_SERVICE_ROLE_KEY`
## Testing (Vercel preview)
1. Hit an LWX ticket share URL with a Twitterbot UA: `curl -A
'Twitterbot/1.0' '<preview>/launch-week/x/tickets/<username>'` — expect
HTML with OG meta tags, no edge function error.
2. Confirm the storage object got upserted at
`images/lwx/og/<type>/<username>.png` on `obuldanrptloktxcffvn`.
3. Confirm `MISC_USE_SERVICE_ROLE_KEY` is set as an edge function secret
on the project (it already powers `lw11-og`, so it should be).
### Follow-up (separate, manual)
After merge and deploy, the storage policy on the `images` bucket needs
tightening via the dashboard (no migration setup exists for this
project): revoke `INSERT`/`UPDATE`/`DELETE` policies that grant `anon`,
keep `SELECT` public. All legitimate writers (dashboard team uploads,
LWX/LW11 edge functions) use service role and will continue to work.
## Linear
- fixes GROWTH-882
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated backend authentication configuration for image generation and
ticket-related operations.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46411?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
I migrated every `useSendEventMutation` call site in `apps/studio` to
`useTrack`, deleted the legacy hook, and added a lint guardrail so it
can't return. `useTrack` is the type-safe replacement: it auto-injects
`groups: { project, organization }` from the selected project/org and
types `action` + `properties` against `TelemetryEvent`. Existing call
sites built groups manually and were not type-checked at the action
level. The migration covers 81 files (60 trivial swaps, 9 org-only, 3
pre-auth, 5 bespoke, 4 test mocks).
## Changes
- Migrated trivial call sites across `pages/project/[ref]`,
`components/interfaces/*` (Reports, Storage, Realtime/Inspector,
SQLEditor, Functions, EdgeFunctions, Integrations, ProjectAPIDocs,
Branching/BranchManagement, TableGridEditor, Connect, Docs, Auth,
Support, Home, ProjectHome, App), `components/layouts/*`, and
`components/ui/*`.
- Migrated org-only sites (`Organization/Documents/*`,
`Organization/BillingSettings/Subscription/*`,
`Organization/SecuritySettings.tsx`,
`Account/Preferences/DashboardSettingsToggles.tsx`) by dropping the
manual `groups: { organization: ... }` and letting `useTrack`
auto-inject. Verified `useSelectedProjectQuery` is disabled on org
routes (gates on URL `[ref]`).
- Migrated pre-auth sites (`SignInForm.tsx`, `sign-in-mfa.tsx`,
`profile.tsx`) where neither project nor org is resolved.
- Bespoke handling:
- `execute-sql-mutation.ts` and `table-row-create-mutation.ts`: pass `{
project: projectRef }` via `groupOverrides` since the mutation can
target a non-selected project ref.
- `useStudioCommandMenuTelemetry.ts`: kept a direct `sendTelemetryEvent`
call because studio groups must override pre-built event groups
(opposite of `useTrack`'s override direction).
- `AIAssistantOption.tsx`: passes sentinel-aware `groupOverrides` so
`NO_PROJECT_MARKER`/`NO_ORG_MARKER` continue to suppress group emission.
- `SidePanelEditor.utils.tsx`: utility functions `createTable` and
`updateTable` now take a `track: Track` parameter (threaded from
`SidePanelEditor.tsx`); dropped the `organizationSlug` arg since groups
are no longer assembled manually.
- Branch-event attribution: preserved `parentProjectRef` overrides on
`branch_updated`, `branch_merge_completed`, `branch_merge_failed`,
`branch_merge_submitted`, `branch_delete_button_clicked`,
`branch_review_with_assistant_clicked`, and
`branch_*_merge_request_button_clicked`. Original code grouped these
under the parent (production) project, not the branch ref;
auto-injection would have shifted them onto the branch.
- Switched 4 test mocks from `@/data/telemetry/send-event-mutation` to
`@/lib/telemetry/track`. Removed obsolete tests around manual groups and
`try/catch` on telemetry rejection.
- Deleted `apps/studio/data/telemetry/send-event-mutation.ts`. The
deleted module is its own guardrail: any reintroduction of the import
fails at TypeScript module resolution before lint runs.
## Testing
Tested on preview deploy:
- [x] SQL editor `CREATE TABLE` fires `table_created` with method
`sql_editor` and `groups.project` set to the mutation's `projectRef`.
- [x] Table editor creates a table from the side panel; `table_created`
fires from `SidePanelEditor.utils` via threaded `track`.
- [x] Help button (`/project/[ref]/...`) fires `help_button_clicked`
with auto-injected project + org groups.
- [x] Sign-in form fires `sign_in` with empty groups (pre-auth,
expected).
- [x] Org documents page (`/org/[slug]/documents`) fires
`document_view_button_clicked` with org group only, no stale project
ref.
- [x] Command menu (`Cmd+K`) inside a project still fires
`command_menu_opened` with studio's project/org overriding any
event-supplied groups.
- [x] Support form "Ask the Assistant" without selected org fires
`ai_assistant_in_support_form_clicked` with no project/org groups
(sentinels suppress).
- [x] On a branch, "Update branch" / "Merge branch" / "Close merge
request" events fire with `groups.project` set to the parent project
ref, not the branch ref.
Local checks:
- [x] 22/22 tests pass across the 4 updated test files
(`SidePanelEditor.utils.createTable`, `EdgeFunctionRenderer`,
`LayoutSidebar`, `PlanUpdateSidePanel`).
- [x] `rg useSendEventMutation apps/studio` returns 0 hits.
## Linear
- fixes GROWTH-860
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Standardized telemetry across the Studio to a unified tracking system;
events now send simplified payloads with less contextual/grouping data.
* No user-facing flows changed; UI behavior, permissions, and
interactions remain the same.
* **Tests**
* Updated telemetry mocks and tests to align with the new tracking
approach.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46140?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Chore — adds a static asset.
## What is the current behavior?
The State of Startups 2026 page references
`/images/state-of-startups/2026/state-of-startups-og.png` for its Open
Graph image, but the file did not exist in the repo.
## What is the new behavior?
Adds the OG image at the expected path so social previews render
correctly when sharing `/state-of-startups`.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Adjusted the minimum height of the State of Startups header and its
inner wrapper on non-medium breakpoints to refine spacing and visual
balance.
* Medium-breakpoint height remains unchanged, preserving the intended
layout at that size.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46394?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Feature
## What is the current behavior?
The 2026 State of Startups page is missing several selected pull quotes,
the Outlook chapter ends on a single static quote, and the "Thank you"
footer still renders the 2025 participants list as a static wrap of ~60
companies.
## What is the new behavior?
- Wires the six selected pull quotes for chapters 1–4 and 7 (with
section-level support so the Solo Founders quote sits inside its
section). `SurveyPullQuote` now accepts optional author position and
avatar.
- Replaces the Outlook chapter quote with a new
`SurveyPullQuoteCarousel` that rotates between four labelled quotes
(Burn out, Pace of change, Competition, Runway) and reuses the existing
stipple/checker timer-bar pattern.
- Replaces the participants list with all 326 verified 2026 entries and
renders them via a new `ParticipantsCarousel` — five horizontal marquee
rows scrolling at different speeds and alternating directions, pausing
on hover, with edge fades and `prefers-reduced-motion` support.
## Additional context
Participants list sourced from the verified
`state-of-startups-2026-companies-software-verified.csv` export.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Rotating quote carousels for survey chapters with progress indicators
and subtle animations
* Animated participants display as multi-row scrolling marquees
* Optional author position and avatar shown with quotes
* Reduced-motion support to disable animations
* **Updates**
* Refreshed State of Startups 2026 content and expanded participants
list
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46401?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- On the Free plan the GitHub integration form disables the branching
section, but the create/update payloads still included `branch_limit`,
`new_branch_per_pr`, and `supabase_changes_only`.
- These three fields are now only sent when the org has the
`branching_limit` entitlement.
## Manual testing
- [ ] As a Free plan org, open Project Settings → Integrations → GitHub
and connect a repository. In the network tab, verify the `POST
/platform/integrations/github/connections` request body does **not**
include `branch_limit`, `new_branch_per_pr`, or `supabase_changes_only`.
- [ ] Still on a Free org, edit the working directory / production
branch on an existing connection. Verify the `PATCH` body also omits
those three fields.
- [ ] As a Pro (or higher) plan org with branching enabled, repeat both
flows and confirm the three branching fields are still sent with the
values from the form.
- [ ] Confirm the UI itself is unchanged: the branching controls remain
disabled on Free and editable on Pro+.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed GitHub integration to conditionally send branching-related
configuration fields based on user access permissions, preventing
unnecessary data transmission for users without branching access.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46388?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Refactor / type safety improvement
## What is the current behavior?
The legacy log query stack (`genDefaultQuery`, `genCountQuery`,
`genChartQuery`, `genWhereStatement`, `useLogsPreview`, `useSingleLog`)
builds SQL from raw strings with no type-level guarantee that values are
safely interpolated. Identifier helpers (`bqIdent`, `bqDottedIdent`,
`clickhouseIdent`, `clickhouseDottedIdent`) are duplicated across
BigQuery and ClickHouse variants, and `bqDottedIdent` wraps the entire
dotted path in one backtick pair (`` `request.pathname` ``), which
BigQuery treats as a literal column name rather than a UNNEST alias
field — causing runtime query failures on dotted filter keys.
## What is the new behavior?
- All gen functions return `SafeLogSqlFragment` and all callers route
through `executeAnalyticsSql`, enforcing compile-time SQL provenance
tracking across the legacy stack.
- `bqIdent` / `bqDottedIdent` / `clickhouseIdent` /
`clickhouseDottedIdent` are replaced by a single `quotedIdent` function
that backtick-quotes each segment individually (e.g. ``
`request`.`pathname` ``). ClickHouse natively accepts backticks, so one
function serves both engines and the dotted-path quoting bug is fixed.
- `SQL_FILTER_TEMPLATES` entries are converted to `SafeLogSqlFragment`
(static via `safeSql`, dynamic via `safeSql` + `analyticsLiteral`).
- `buildWhereClauses` is extracted as a private helper returning
`SafeLogSqlFragment[]` so the pg_cron path can merge clauses without
unsafe slice-and-cast.
## Additional context
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Logs query generation migrated to safer, engine-agnostic SQL
fragments, typed filter templates, and unified identifier quoting for
stronger injection protection and more consistent queries.
* Logs preview and single-log retrieval now execute analytics SQL
end-to-end using the unified executor.
* **New Features**
* Analytics SQL executor can call the backend via GET or POST and
accepts method selection.
* **Tests**
* Updated tests to validate unified identifier quoting and safe-SQL
helper behavior.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46351?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Feature — adds a new data-layer hook. No callers are switched over in
this PR.
## What is the current behavior?
The Schema Designer and Database > Tables list both call
`useTablesQuery({ includeColumns: true })`, which fetches the full
schema (every table, with every column, every relationship) in one
round-trip. For customers with many tables this never loads. Towards
FE-3428.
## What is the new behavior?
Introduces `useInfiniteTablesQuery` — a cursor-paginated tables hook
ready to be consumed by the two pages above in follow-up PRs.
- `pg-meta`: new `getTablesPaginatedSql` SQL builder that picks a page
of table OIDs first (cheap `pg_class` index scan) and constrains every
enrichment CTE (primary keys, relationships, columns) to that set.
Pagination is by `c.oid > $afterOid` rather than `OFFSET`, so deep pages
stay O(limit). Relationships use a `UNION ALL` keyed by `table_id` so
the downstream join is a plain equi-join.
- `pg-meta`: `COLUMNS_SQL` is now produced by `getColumnsSql({ filter
})`, letting a paginating caller push a table-OID predicate into the
WHERE clause directly. The bare `COLUMNS_SQL` export is preserved for
the 5 existing callers (`pg-meta-columns`, `pg-meta-tables`,
`pg-meta-views`, `pg-meta-materialized-views`,
`pg-meta-foreign-tables`).
- `studio`: `useInfiniteTablesQuery` wires the new SQL into
`useInfiniteQuery` via `executeSql`. `initialPageParam: 0`,
`getNextPageParam` returns the last row's `id` or `undefined` on a short
last page.
- Tests: 12 new tests in `pg-meta` covering cursor invariants (no
overlap / no gap), schema filtering, primary-key / relationship / column
shape, and output parity against the existing `pgTableZod` schema.
## Additional context
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Enabled infinite scrolling for table listings with cursor-based
pagination and optional page sizing.
* Added an option to include per-table column data in paginated results.
* Made column queries filterable for more targeted metadata retrieval.
* **Tests**
* Added comprehensive tests validating pagination, schema scoping,
column inclusion, and relationship/PK shaping.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46285?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
Switches the two `instanceSizeSpecs[instanceSize]!.priceMonthly` lookups
(on the New Project page and its footer) to the existing
`monthlyInstancePrice` helper, which has a defensive fallback. Fixes a
render crash that fires when users switch between organizations of
different plan tiers via the OrganizationSelector dropdown.
Sentry:
[SUPABASE-APP-EJT](https://supabase.sentry.io/issues/SUPABASE-APP-EJT) —
339 occurrences, 312 users impacted.
Fixes FE-3481
## Test plan
- [x] On `/dashboard/new/<freeOrgSlug>`, open the org dropdown and
switch to a paid org — no crash
- [x] Verify the "Additional costs" total renders correctly once form
state syncs
- [x] `pnpm typecheck` passes
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Refactored pricing calculation logic across project creation
components for improved code organization.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46395?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Refactor
## What is the current behavior?
The Auth policy editor flow still uses the deprecated `Modal` component
and `Modal.Content` / `Modal.Separator` helpers.
## What is the new behavior?
The Auth policy editor flow now uses `Dialog` primitives instead:
- `Dialog`
- `DialogContent`
- `DialogHeader`
- `DialogTitle`
- `DialogSection`
- `DialogSectionSeparator`
Behavior is intended to remain unchanged.
## Additional context
- Fixes#46375
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Updated the policy editor and review flows to a unified dialog layout
for a cleaner, more consistent UI.
* Sections and footer controls were reorganized for clearer grouping and
improved button placement.
* Existing behaviors (viewing templates, review/save flow, and close
confirmation) are preserved.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46374?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What kind of change does this PR introduce?
Feature. Resolves FE-3417.
## What is the current behavior?
Project Settings has a top-level `G then ,` shortcut, but its
subnavigation and repeated key/log drain actions do not have scoped
keyboard shortcuts or visible shortcut tooltips.
| Area | Current behaviour |
| --- | --- |
| Project Settings sidebar | Routes are click-only once users are inside
Settings. |
| API/JWT keys | Creation buttons do not expose keyboard shortcuts. |
| Log Drains | Add/save destination actions do not expose keyboard
shortcuts. |
## What is the new behavior?
Adds scoped Project Settings navigation chords, shortcut tooltips on the
sidebar rows, and page/action shortcuts for API keys, JWT standby keys,
and Log Drains.
| Area | New shortcut coverage |
| --- | --- |
| Project Settings sidebar | `S then G/C/I/N/W/K/J/L/A/D` for eligible
in-section routes. |
| API Keys | `Shift+P` and `Shift+S` open the publishable/secret key
dialogs; `Mod+Enter` submits the open dialog. |
| JWT Keys | `Shift+N` opens Create standby key; `Mod+Enter` submits the
open dialog. |
| Log Drains | `Shift+N` adds a destination when the primary action is
available; `Mod+Enter` saves the open destination sheet. |
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added keyboard shortcuts for Project Settings navigation and for
actions in API Keys, JWT Keys, and Log Drains (open, create/submit).
* **Improvements**
* Dialogs and forms now support keyboard-triggered open and submit
actions with improved enable/disable gating and updated settings menu
composition; shortcuts appear in the shortcuts reference.
* **Tests**
* Added tests covering shortcut wiring and shortcut-driven open/submit
behaviors across dialogs and action panels.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46352?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Ali Waseem <waseema393@gmail.com>
## What kind of change does this PR introduce?
Add `Markdown` component
- as a ui-pattern
- docs in design-system
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced a Markdown UI pattern with full documentation and a docs
sidebar entry.
* Markdown component supports composable renderers, optional lazy syntax
highlighting, and customizable element overrides.
* Added many interactive examples (full demo, headings, paragraphs,
lists, links, inline code, blockquotes, code blocks, tables, images,
horizontal rules) plus Quote and Avatar demos.
* **Documentation**
* New MDX guide detailing usage, props, and customization previews.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46325?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
The unified logs view shows Postgres connection lifecycle events
(connection received, connection authenticated, connection authorized)
alongside application logs. These messages are emitted on every database
connection and make it hard to spot meaningful log entries.
## Fix
Adds a SQL-level filter that excludes Postgres connection messages by
default. A toggle in the filter sidebar lets users opt in to seeing them
when needed. The preference is stored in the URL so it persists across
navigation.
**Changes:**
- `SEARCH_PARAMS_PARSER` gets a new `hide_connection_logs` boolean param
(default `true`)
- `buildBaseWhere` in the query builder emits a `NOT (source =
'postgres_logs' AND event_message LIKE 'connection %...')` predicate
when the param is true, filtering at the query level
- New `ConnectionLogsToggle` component renders a labeled switch in the
filter sidebar
- `FilterSideBar` gains a `beforeFilters` slot so the toggle can be
injected without coupling the generic component to log-specific logic
## How to test
1. Open a project in Studio and navigate to the unified logs page
2. Confirm that connection log messages (e.g. "connection received:
host=...", "connection authorized: user=...") are not visible by default
3. In the left filter sidebar, find the "Connection logs" toggle near
the top and switch it on
4. Confirm that connection log messages now appear in the list
5. Toggle it back off and confirm they disappear again
6. Reload the page with the toggle on (URL will contain
`hide_connection_logs=false`) and confirm the setting is preserved
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a "Connection logs" toggle in the filter sidebar to hide
Postgres connection lifecycle messages by default (default = hidden);
changing it updates the logs view and the logs chart.
* Filter sidebar now supports placing extra controls so the toggle is
available alongside existing filters.
* **Behavior**
* Facet/count queries remain unaffected by this toggle to preserve
existing counts.
* **Tests**
* Added tests verifying default hide behavior and explicit show
behavior.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46371?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary
Adds keyboard shortcuts to the Integrations Marketplace landing and
per-integration detail pages. Introduces a `useDynamicShortcut` hook
since per-integration tab counts/labels can't be pre-declared in the
static registry.
## Shortcuts
| Page | Keys | Action |
|---|---|---|
| Marketplace landing | `Shift+F` | Focus the integrations search input
|
| Marketplace landing | `F` then `C` | Clear search +
category/type/source filters |
| Marketplace landing search | `Esc` | Clear value (1st press), blur
(2nd press) |
| Integration detail | `1`–`9` | Jump to the Nth tab (label adapts per
integration, e.g. "Go to Queues", "Go to Jobs") |
Linear: [FE-3416](https://linear.app/supabase/issue/FE-3416)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Use number keys 1–9 to jump to integration detail tabs.
* Marketplace search shortcuts: focus/select the search field and reset
filters via keyboard; Escape now clears the search input.
* Shortcuts now appear in the command menu under a dedicated
integrations navigation group.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46348?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Adds a consumer-side guide for hardening npm installs of @supabase/*
packages: lockfile hygiene, minimum-release-age quarantine across
pnpm/yarn/npm/bun, private registries, provenance verification,
lifecycle script controls, blocking exotic transitive refs, Edge
Functions specifics, and an incident-response checklist.
Lives at guides/security/ alongside platform-security and
product-security; filesystem-driven sidebar picks it up automatically.
Originally drafted in supabase/supabase-js#2382 and moved here per
review.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added an npm security hardening guide (lockfile & CI practices,
release-age quarantines, transitive/exotic dependency controls,
provenance verification, lifecycle-script hardening, package-manager
pinning, CI/lockfile hygiene, Deno/Edge guidance, incident-response
checklist).
* Added a navigation entry for the new guide.
* Note: guide frontmatter contains unresolved merge-conflict markers.
* **Chores**
* Expanded spelling allowlist to include common tech terms (e.g.,
lockfile, sigstore, postinstall).
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46384?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Feature — ports real 2026 survey data and narrative into the existing
`apps/www/app/state-of-startups` page.
## What is the current behavior?
The 2026 page renders the pre-launch `<RegisterContent />` signup form
(`SHOW_RESULTS = false`), and the 2026 chart components still query
`responses_2025` via the unsuffixed 2025 RPCs. The chapter narrative in
`state-of-startups-2026.tsx` is placeholder copy cloned from 2025, and
there are no charts for any of the new-in-2026 survey questions (auth
provider, share of AI-generated code, paid AI/product subscriptions,
agent building, MCP adoption).
## What is the new behavior?
- Flips `SHOW_RESULTS` to `true` so `/state-of-startups` renders
`<StateOfStartups2026Content />`.
- Repoints the 14 carry-over chart components to `responses_2026` and
calls `_2026`-suffixed RPC siblings (the original 2025 RPCs stay intact
so the 2025 page can live at its own URL).
- Adds 5 new chart components — `AuthProviderChart`,
`AICodebasePercentChart`, `PaidSubscriptionsChart`,
`BuildingAgentsChart`, `MCPAdoptionChart` — and wires them into
`SurveyChapterSection`'s chart registry.
- Rewrites `state-of-startups-2026.tsx` into 8 chapters with real 2026
narrative, pull quotes, and summarized answers from the source-of-truth
`supabase/state-of-startups` repo.
- Adds `.context/**` to `.prettierignore` so the scratch directory
holding the companion SQL migrations is ignored.
## Additional context
Backend changes live in the separate `supabase/state-of-startups` repo /
project `iddgenoqmqztnnefcbwp`: a `responses_2026` table, 5 new
2026-only RPCs, and 14 `_2026`-suffixed siblings of the existing RPCs
(drafts staged under `.context/sos-2026-survey-sql/` locally, not in
this PR). This PR's chart fetches will error until those migrations are
applied and `2026-responses.arrayified.csv` is loaded.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Released State of Startups 2026 results with a year selector,
preloaded results cache for faster viewing, and hourly revalidation.
* Added new interactive charts (AI codebase share, auth providers,
biggest challenges, building agents, MCP adoption, paid subscriptions,
location) and updated many charts for 2026; charts now show “added in
2026” when not available.
* **UX**
* Reworked page layout: floating table of contents relocated, year
toggle added, and animations simplified for smoother transitions.
* **Documentation**
* Restructured survey narrative into new thematic chapters, revised
chapter content, stats, and visuals.
* **Chores**
* Updated formatting ignore rules to skip generated/context files.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Replaces the in-dashboard logic to manually construct the redirect URL
with a backend API call, as these are now routed through server-side
processing to do Posthog events and status tracking in the marketplace
DB.
Fixes INT-109
## Problem
Some pages still uses the deprecated `Modal` for:
- Legacy JWT new secret
- PITR recovery confirmation
## Test
Hard to test the JWT. I had to force its display by settings its `open`
prop to `true` in
`apps/studio/components/interfaces/JwtSecrets/jwt-settings.tsx`
## Solution
- use `Dialog` instead
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Improved database restore (PITR) confirmation: replaced modal flow
with an alert dialog, reorganized review sections (timing, warnings),
and made the restore action await completion for clearer feedback.
* Redesigned JWT secrets dialog: replaced modal with dialog primitives,
centralized form and state reset on open/close, moved confirmation into
dialog footer, and disabled confirm during submission.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46366?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The Compute card's "High Availability" badge was overflowing the cell
horizontally in 2-column layouts and bleeding vertically into adjacent
cards when the badges wrapped onto a second line in narrow/vertical
layouts.
Root cause was in `SingleStat`: the value row used `h-[34px]` +
`truncate` (overflow: hidden), so the inner `flex-wrap` couldn't grow
the row, and the flex column lacked `min-w-0` so it couldn't shrink to
its grid track.
**Changed:**
- `SingleStat` outer flex gets `min-w-0` so the grid item is constrained
by its track
- Right column swapped from `truncate` to `min-w-0 flex-1` (takes
remaining space, can shrink)
- Value row swapped from `h-[34px]` to `min-h-[34px]` with `py-0.5` —
keeps the 34px baseline for single-line text values, but lets the row
grow when badges wrap
Closes [FE-3408](https://linear.app/supabase/issue/FE-3408)
## To test
- Open the project overview on a project with `high_availability`
enabled
- At 2-column widths: the "HIGH AVAILABILITY" badge should sit fully
inside the Compute card alongside the compute size badge — no clipping
at the right edge
- At narrow / 1-column widths: when the two badges need to wrap, the
Compute card should grow vertically rather than letting the second-line
badge overlap the cards above/below
- Spot check the other stat cards (GitHub, Recent branch, Last
migration, Last backup) — long text values should still truncate with an
ellipsis as before
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Updated stat card layout and inner spacing to improve responsiveness
and prevent overflow.
* Improved text truncation and minimum-width behavior for stat values
and labels.
* Standardized spacing, truncation and color handling across activity
stats for more consistent display.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46370?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
## Context
Improved formatting for auth logs in unified logs - their metadata are
seemingly all hidden within "event_message" so the changes here bring
them up
- Fix detecting status, pathname, and method for auth logs from
`event_message`
- None were showing originally, status was mostly defaulting to `200`
- Improve formatting of `event_message` by prioritising errors +
floating up the auth action
- Currently only shows "request completed"
## Before
<img width="1449" height="955" alt="image"
src="https://github.com/user-attachments/assets/f0c7f166-06ab-4bfc-8653-6f5638bf1ae7"
/>
## After
<img width="1449" height="956" alt="image"
src="https://github.com/user-attachments/assets/cdf49bd8-c33a-4f40-a6b7-8783dc38d174"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* More robust parsing of auth log messages to extract
error/status/method/path values and fall back to the original text when
parsing fails.
* Fixed cases where displayed status/method/pathname could be incorrect
for auth logs.
* **Improvements**
* Normalized auth error text (underscores → spaces) and optional
auth-action prefixes for clearer messages.
* Conditional sentence-capitalization for auth event messages.
* **New Features**
* Centralized log metadata extraction for unified log display.
* **Tests**
* Added tests covering auth and non-auth log parsing and metadata
extraction.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46365?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Feature, docs update
## What is the new behavior?
This PR introduces a new `RealtimeFlow` component and hook to the UI
library for building collaborative React Flow with Supabase Realtime:
- keeps nodes and edges in sync across multiple connected clients in
real time
- uses Yjs with `@supabase-labs/y-supabase` to propagate flow updates
- supports optional persistence, so a flow can be restored from
previously saved shared state
## Additional context
https://github.com/user-attachments/assets/90d3a381-6f9c-427f-a493-5d91c2141462
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Collaborative "Realtime Flow" diagram editor with syncing overlays and
a dual-view demo component
* Interactive demo page and registry example for live editing
(add/remove/rename nodes)
* Framework-ready registry packages for Next.js, React, React Router,
and TanStack
* **Documentation**
* Comprehensive docs added for Next.js, React, React Router, and
TanStack (usage, persistence, hook API)
* **Chores**
* Added runtime dependency for the flow component package
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/44273)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Re-adds support form Assistant response using a lighter weight
Streamdown component vs the more heavy `Message` component.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* AI Assistant follow-up card after ticket submission for project-scoped
requests.
* In-chat support request preview panels showing submitted subject and
message.
* **Improvements**
* Smarter project selection when opening the support form via
route/context.
* Success screen: cleaner layout, project-name messaging, optional
finish action, and a "Join Discord" button.
* Category prompt text updated to "What issue are you having?"
* New success/feedback section for consistent layouts.
* **Tests**
* Added tests covering support prompt serialization/parsing and UI
previews.
<!-- review_stack_entry_start -->
[](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46248?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)
<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
