## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
Content update: new blog post and feature page copy refresh for
Branching.
## What is the current behavior?
- No blog post exists announcing no-Git branching as the default
workflow.
- The Branching feature page (`/features/branching`) references
"Branching 2.0 (currently in public alpha)" and frames dashboard
branching as secondary to Git-based branching.
## What is the new behavior?
- New blog post: "Branching without Git is now the default"
(`apps/www/_blog/2026-04-branching-without-git-is-now-the-default.mdx`)
- Updated feature page (`apps/www/data/features.tsx`):
  - Subtitle: "Test and preview changes using Supabase Branches." → "Test schema changes without touching production."
  - Intro: removes stale alpha framing; leads with dashboard branching as the default.
  - New "Two ways to branch" section covering dashboard and Git-based workflows side by side.
  - "When to use branching" replaces old Benefits/Valuable-for sections; adds AI agents as a use case.
## Additional context
N/A
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Dashboard-based branching is now the default, letting you create
branches, edit schemas, review diffs, and merge to production without
Git.
* Two branching options offered: Dashboard branching or Git-based
branching (both supported).
* New pg-delta schema diff engine (alpha) powers automatic migration
generation; available in CLI behind a flag.
* AI-driven workflows supported for automatic branch creation and merge
actions.
* **Documentation**
* Updated guides and blog post explaining the new branching options,
workflow, and getting started links.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ana <ana1337x@users.noreply.github.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Enhanced safety of database query generation for publication and table
definition operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Closes #45179.
## Summary
`generateCreatePolicyQuery` in `PolicyEditorPanel.utils.ts` builds a
`CREATE POLICY` statement with raw double-quote interpolation for
name/schema/table, then executes it via `useExecuteSqlMutation` from
`PolicyEditorPanel/index.tsx:192`. Any of those values containing a `"`
character breaks out of the identifier quoting in the executed
statement.
Applies `ident()` to the three identifier interpolations. Same pattern
as #44555 (queue), #44589 (index), #44721 (view autofix), #44723 (auth
hooks). The helper is already used at `Policies.utils.ts:319`.
## Scope
The preview-only SQL in `Policies.utils.ts`
(`createSQLStatementForCreatePolicy` /
`createSQLStatementForUpdatePolicy`) has the same pattern but is not
executed. That string is only rendered in the review modal while the
mutation uses a structured payload. Tracking separately.
## Test plan
- [ ] Create a policy with a name containing a double quote. Verify it
applies correctly with the fix (and produces broken SQL without).
- [ ] Create a policy on a table/schema name containing a double quote.
Same check.
- [ ] Regression: create a plain-named policy. Works as before.
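An added TypeScript example of the identifier-quoting issue this commit describes (not code from the Supabase repository). `quoteIdent` is a hypothetical stand-in that follows PostgreSQL's quoted-identifier rule, since the page does not show the real `ident()` helper; the function names and the sample policy are constructed.

```typescript
// Added illustration. Function names and the sample input are constructed;
// this is not the code in PolicyEditorPanel.utils.ts.

interface PolicyTarget {
  policyName: string
  schema: string
  table: string
}

// Raw double-quote interpolation: a " inside a value closes the identifier early.
function rawCreatePolicy(t: PolicyTarget): string {
  return `CREATE POLICY "${t.policyName}" ON "${t.schema}"."${t.table}" FOR SELECT USING (true);`
}

// PostgreSQL quoted-identifier rule: wrap in double quotes and double every
// embedded double quote. A NUL character is never valid in an identifier.
function quoteIdent(value: string): string {
  if (value.indexOf('\0') !== -1) {
    throw new Error('identifier contains a NUL character')
  }
  return '"' + value.replace(/"/g, '""') + '"'
}

function quotedCreatePolicy(t: PolicyTarget): string {
  return `CREATE POLICY ${quoteIdent(t.policyName)} ON ${quoteIdent(t.schema)}.${quoteIdent(t.table)} FOR SELECT USING (true);`
}

// Reads quoted identifiers the way a SQL lexer does: "" inside quotes is an
// escaped quote, a single " ends the identifier. String literals are not
// handled because the statements built above contain none.
function quotedIdentifiers(sql: string): string[] {
  const found: string[] = []
  let i = 0
  while (i < sql.length) {
    if (sql.charAt(i) !== '"') {
      i += 1
      continue
    }
    i += 1 // step over the opening quote
    let current = ''
    while (i < sql.length) {
      if (sql.charAt(i) === '"') {
        if (sql.charAt(i + 1) !== '"') break
        current += '"'
        i += 2
      } else {
        current += sql.charAt(i)
        i += 1
      }
    }
    found.push(current)
    i += 1 // step over the closing quote
  }
  return found
}

// True when the statement still names exactly the three values it was built from.
function preservesIdentifiers(sql: string, t: PolicyTarget): boolean {
  const ids = quotedIdentifiers(sql)
  return ids.length === 3 && ids[0] === t.policyName && ids[1] === t.schema && ids[2] === t.table
}

// Constructed sample: a policy name that legitimately contains double quotes.
const samplePolicy: PolicyTarget = { policyName: 'team "alpha" read', schema: 'public', table: 'docs' }
const plainPolicy: PolicyTarget = { policyName: 'read_all', schema: 'public', table: 'docs' }
```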
## Summary
Wires the existing `list-page.*` shortcuts up to the Database →
Replication and Database → Migrations pages, so they get the same hotkey
behavior as Roles, Tables, Publications, etc. No new shortcut IDs were
added.
**Migrations page**
- Shift+F → focus the migration search input (label: "Search
migrations")
- F C → clear the search filter
**Replication / Destinations page**
- Shift+F → focus the destinations filter input (label: "Search
destinations")
- F C → clear the filter
- Shift+N → open the Add Destination panel. Wrapped with `<Shortcut>` so
the keybind tooltip shows on hover, and gated on
`!!newDestinationDefaultType` so it stays disabled when no destination
type is available.
Closes
[FE-3141](https://linear.app/supabase/issue/FE-3141/add-shortcuts-for-database-replication-and-migration-page).
## Test plan
- [x] On the Migrations page, press Shift+F → search input focuses &
selects existing text.
- [x] On the Migrations page, type a query then press F C → search
clears.
- [x] On the Replication page, press Shift+F → filter input focuses &
selects.
- [x] On the Replication page, press Shift+N → Add Destination panel
opens (when a destination type is available).
- [x] Hover the "Add destination" button → keybind tooltip shows
Shift+N.
- [x] On the Replication page, type a filter then press F C → filter
clears.
- [x] All four shortcuts appear in Cmd+K under "Shortcuts" while on the
respective page.
- [ ] Disabling list-page shortcuts in Preferences disables them on
these pages too.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added keyboard shortcuts for search field focus and filter reset in
Database Migrations and Destinations pages
* Added keyboard shortcut for "Add destination" action in Destinations
page
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Mark provenance of SQL via the branded types SafeSqlFragment and
UntrustedSqlFragment. Only SafeSqlFragment should be executed;
UntrustedSqlFragments require some kind of implicit user approval (show
on screen + user has to click something) before they are promoted to
SafeSqlFragment.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Editor and RLS tester show loading states for inferred/generated SQL
and include a dedicated user SQL editor for safer edits.
* **Refactor**
* Platform-wide SQL handling tightened: snippets and AI-generated SQL
are treated as untrusted/display-only until promoted, improving safety
and consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
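An added TypeScript sketch of provenance-branded SQL as the commit above describes it (not the project's code). Only the type names `SafeSqlFragment` and `UntrustedSqlFragment` come from the page; every function, the `Approval` shape and the sample SQL are hypothetical.

```typescript
// Added illustration. Only the two type names come from the commit message.

declare const safeBrand: unique symbol
declare const untrustedBrand: unique symbol

type SafeSqlFragment = string & { readonly [safeBrand]: true }
type UntrustedSqlFragment = string & { readonly [untrustedBrand]: true }

// Anything that did not originate in source code (snippets, AI output,
// URL parameters) enters the system through this function.
function untrustedSql(text: string): UntrustedSqlFragment {
  return text as UntrustedSqlFragment
}

// Tagged template: the literal parts are written by a developer, and every
// interpolated part must already carry the safe brand.
function safeSql(strings: TemplateStringsArray, ...parts: SafeSqlFragment[]): SafeSqlFragment {
  let out = ''
  strings.forEach((chunk, i) => {
    out += chunk + (i < parts.length ? parts[i] : '')
  })
  return out as SafeSqlFragment
}

// One way to produce a safe interpolation: validate, then brand.
function intLiteral(n: number): SafeSqlFragment {
  if (!isFinite(n) || Math.floor(n) !== n) {
    throw new Error('not an integer')
  }
  return String(n) as SafeSqlFragment
}

// Hypothetical record of "shown on screen + user clicked something".
interface Approval {
  shownToUser: string
  confirmed: boolean
}

// The only path from untrusted to safe. The text the user confirmed must be
// byte-for-byte the text that will run.
function promoteAfterApproval(sql: UntrustedSqlFragment, approval: Approval): SafeSqlFragment {
  if (!approval.confirmed) {
    throw new Error('user has not confirmed this SQL')
  }
  if (approval.shownToUser !== sql) {
    throw new Error('confirmed text differs from the SQL to run')
  }
  return sql as string as SafeSqlFragment
}

// Stand-in executor: accepts only SafeSqlFragment and records what it ran.
const executedSql: string[] = []
function runQuery(sql: SafeSqlFragment): number {
  executedSql.push(sql)
  return executedSql.length
}

// runQuery(untrustedSql('select 1')) is rejected by the type checker because
// an UntrustedSqlFragment lacks the safe brand. The brands are erased at
// runtime, so each `as SafeSqlFragment` cast is where review effort belongs.
```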
Adding myself to humans.txt
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
This adds me to humans.txt
## What is the current behavior?
humans.txt currently lacks a line with my name
## What is the new behavior?
humans.txt contains a line with my name
## Additional context
no, thank you
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated team contributors information
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the CONTRIBUTING.md file.
YES
## What kind of change does this PR introduce?
Bug fix
## What is the current behavior?
The query in `sql/indexes.ts` joins `pg_class` with `pg_indexes` using
only the index name:
```sql
JOIN pg_indexes ix ON c.relname = ix.indexname
```
This can lead to incorrect results when multiple schemas contain indexes
with the same name. PostgreSQL allows identical index names across
different schemas, so this join may return the wrong index_definition.
## What is the new behavior?
The join condition now includes the schema name:
```sql
JOIN pg_indexes ix
ON c.relname = ix.indexname
AND n.nspname = ix.schemaname
```
This ensures the correct index_definition is retrieved for each index,
even when duplicate index names exist across schemas.
## Additional context
- Added a test case to verify behavior when the same index name exists
in multiple schemas.
- This change prevents cross-schema collisions and ensures accurate
index metadata retrieval.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved index listing so indexes that share the same name in
different schemas are correctly distinguished and reported.
* **Tests**
* Added a regression test ensuring indexes with identical names in
separate schemas are both detected and contain expected schema-qualified
references.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Charis Lam <26616127+charislam@users.noreply.github.com>
Recent changes to blog pages surfaced existing errors because we stopped
silently swallowing errors. We were not properly handling the case when
the requested slug was not found; now this properly calls `notFound()`.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Enhanced error handling for missing blog posts to display a proper
"Not Found" page instead of showing an application error when users
attempt to access unavailable blog content.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
Fixed some typos
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Fixed typo and corrected markdown link formatting in customer
documentation to improve readability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- The Tailwind v4 migration left `bg-_secondary` unresolved, so the WAL
segment of the disk size breakdown bar (and its legend dot) rendered
transparent — visible as the gap between Database and System in the
screenshot on FE-3138.
- Switch both usages to `bg-[hsl(var(--secondary-default))]` to bypass
the broken utility while still pulling from the existing per-theme CSS
variable, restoring the original purple.
Closes
[FE-3138](https://linear.app/supabase/issue/FE-3138/adjust-tiiiny-v4-disk-size-breakdown-ui).
## Test plan
- [x] On a project's Settings → Compute and Disk page, the WAL slice in
the disk size bar renders in purple
- [x] The "WAL" legend dot below the bar matches that purple
- [x] Verify in light, dark, and classic-dark themes
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Updated the visual styling of the WAL segment in the disk space
visualization to improve consistency with the design system's color
palette.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
Some quick verbiage changes to the Cofounder case study.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated Cofounder product messaging and platform positioning
narrative.
* Refined descriptions of team structure and infrastructure capabilities
with enhanced product terminology.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Adds Claude.ai and ChatGPT as MCP connectors in the existing
`/guides/getting-started/mcp` dropdown
<img width="1511" height="744" alt="Screenshot 2026-05-04 at 14 53 24"
src="https://github.com/user-attachments/assets/8de5b3a4-56e2-45a7-bcce-1051baac30cd"
/>
- Groups all MCP clients into three categories: **Web Clients**
(Claude.ai, ChatGPT, Goose), **AI Agent CLIs** (Claude Code, Codex,
Gemini CLI, Opencode, Factory), **IDE** (Cursor, VS Code, Antigravity,
Kiro, Windsurf)
<img width="1511" height="744" alt="image"
src="https://github.com/user-attachments/assets/eb3ecdaa-878a-4f87-abfe-41a9144db5b8"
/>
- Both connectors use `generateDeepLink` to render a one-click "Connect"
button linking to the Supabase connector directory entry
- Includes external docs links for each connector
- Sets Claude Code as the default selected client
Closes
[AI-699](https://linear.app/supabase/issue/AI-699/add-claudeai-and-chatgpt-connectors-to-mcp-docs)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added Claude.ai and ChatGPT as selectable client options.
* Reorganized the client selector into categorized groups (AI Agent CLI,
Web Clients, IDE) for easier discovery.
* Improved dropdown rendering and selection behavior for more consistent
visuals and interaction.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Render blog posts on server so they are available in initial HTML
response.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* New collapsible sections for blog content
* Server-side MDX compilation for blog posts
* Improved TOC extraction producing both structured JSON and markdown
* **Refactor**
* Blog rendering converted to a server-rendered flow with unified MDX
components
* Tag handling normalized for related-post matching
* **Bug Fixes**
* Consistent image/self-closing tag normalization and corrected TOC
indentation
* Errors are now surfaced instead of being swallowed
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
New case study for Cofounder (General Intelligence). Plan is to publish
when they launch on Monday.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a new Cofounder customer story page with full article, quotes,
assets, and next-steps
* Inserted Cofounder into the customer listings and site feeds
* **UX**
* Product filter labels now show "Supabase for Platforms" for the
platforms product
* **Chores**
* Updated RSS feed metadata to include the new story
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The link builders in
`apps/studio/components/interfaces/Linter/Linter.utils.tsx` interpolate
`metadata.schema` and `metadata.name` directly into URL query strings. A
schema or table name with `&`, `=`, `+`, or `#` breaks the destination
filter on the linked page because `URLSearchParams` stops at the bare
`&` and decodes `+` to a space.
The `public_bucket_allows_listing` lint at line 338 already wraps
`bucket_id` in `encodeURIComponent`. The other 15 builders did not. This
wraps each `metadata?.schema` and `metadata?.name` interpolation with
`encodeURIComponent(value ?? '')` to match.
Added `Linter.utils.test.tsx` that constructs links with a schema
`a&b=c` and a name `d e+f` and asserts `URLSearchParams` round-trips
them. The bucket precedent is also covered.
Closes #45384
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved URL encoding for navigation links in the linter interface to
ensure proper handling of special characters in database, schema, and
table names.
* **Tests**
* Added test coverage for URL generation functionality in the linter
utility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
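An added TypeScript example of the query-string breakage this commit describes, using the page's own test values `a&b=c` and `d e+f` (not code from `Linter.utils.tsx`). The route, the parameter names, the placeholder origin and both builder functions are hypothetical.

```typescript
// Added illustration. The route and parameter names are hypothetical; the
// builders only mirror the interpolation pattern described in the commit.

interface LintMetadata {
  schema?: string
  name?: string
}

// Placeholder origin so relative links can be parsed like a browser would.
const PLACEHOLDER_ORIGIN = 'https://studio.example.invalid'

// Values dropped straight into the query string.
function rawLink(ref: string, m?: LintMetadata): string {
  return `/project/${ref}/example?schema=${m?.schema}&name=${m?.name}`
}

// Values passed through encodeURIComponent(value ?? ''), as the fix does.
function encodedLink(ref: string, m?: LintMetadata): string {
  const schema = encodeURIComponent(m?.schema ?? '')
  const name = encodeURIComponent(m?.name ?? '')
  return `/project/${ref}/example?schema=${schema}&name=${name}`
}

interface ParsedLink {
  schema: string | null
  name: string | null
  keys: string[]
  hash: string
}

// What the destination page would read back from the link.
function parseLink(link: string): ParsedLink {
  const url = new URL(link, PLACEHOLDER_ORIGIN)
  const keys: string[] = []
  url.searchParams.forEach((_value, key) => {
    keys.push(key)
  })
  return {
    schema: url.searchParams.get('schema'),
    name: url.searchParams.get('name'),
    keys,
    hash: url.hash,
  }
}

// True when the page receives exactly the schema and name that were supplied,
// with no extra parameters and nothing diverted into the fragment.
function roundTrips(build: (ref: string, m?: LintMetadata) => string, m: LintMetadata): boolean {
  const parsed = parseLink(build('abc', m))
  return (
    parsed.schema === (m.schema ?? '') &&
    parsed.name === (m.name ?? '') &&
    parsed.keys.join(',') === 'schema,name' &&
    parsed.hash === ''
  )
}

// Constructed inputs: the commit's test values plus a name containing '#'.
const ampersandCase: LintMetadata = { schema: 'a&b=c', name: 'd e+f' }
const hashCase: LintMetadata = { schema: 'public', name: 'x#y' }
```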
## I have read the CONTRIBUTING.md file.
YES
## What kind of change does this PR introduce?
Bug fix
## What is the current behavior?
The Realtime Inspector panel breaks at smaller viewport sizes, causing
content
to overflow and overlap, making it unusable on mobile and resized
windows.
Fixes #45464
## What is the new behavior?
The Realtime Inspector panel is now responsive and displays correctly
across
all viewport sizes.
https://github.com/user-attachments/assets/8103a695-b5a1-4498-b523-c25afc0b5b37
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Improved the messages table with enhanced responsive design. The
layout now automatically adapts based on screen size: on mobile and
smaller screens, panes stack vertically for optimal readability; on
larger displays, they appear side-by-side to enable efficient content
comparison and provide a more comprehensive viewing experience.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Ali Waseem <waseema393@gmail.com>
## Summary
Adds the `O→S` / `Shift+F` / `Shift+N` / `F→C` shortcut set across every
Database listing page, on top of the schema-visualizer pattern from
#45386. Fixes [FE-3131](https://linear.app/supabase/issue/FE-3131).
A shared `list-page.*` registry replaces what would have been a per-page
registry file for each route, and `useShortcut`/`Shortcut` gain a
`label` override so a single ID renders contextually in Cmd+K and hover
tooltips.
## Pages and shortcuts
| Page | `O→S` | `Shift+F` | `Shift+N` | `F→C` |
| --- | --- | --- | --- | --- |
| Tables | Open schema selector | Search tables | Create new table | Clears search + entity-type filter |
| Functions | Open schema selector | Search functions | Create new function | Clears search + Return Type + Security |
| Triggers — data | Open schema selector | Search triggers | Create new trigger | Clears search + Table filter |
| Triggers — event | — | Search event triggers | Create new event trigger | Clears search + Owner filter |
| Enumerated Types | Open schema selector | Search enumerated types | Create new enumerated type | Clears search |
| Indexes | Open schema selector | Search indexes | Create new index | Clears search |
| Roles | — | Search roles | Add new role | Clears search + filter type → 'all' |
| Publications | — | Search publications | — | Clears search |
| Extensions | — | Search extensions | — | Clears search |
`Shift+N` only fires when the page-specific gate allows it (permission +
unlocked schema + any other prerequisite like `hasTables` for triggers).
## Test plan
- [ ] On each of the 9 pages, all four shortcuts behave as listed in the
table above
- [ ] Hover the wrapped controls — tooltip shows the page-specific label
and the right keybind badge
- [ ] Open the schema selector via `O→S` — the hover tooltip is
suppressed while the popover is open
- [ ] `Shift+N` is a no-op on locked schemas / when permission is
missing / when a prereq fails (e.g. no tables on Triggers data)
- [ ] `Shift+F` focuses the search input; while focused, Escape clears
(with text) → Escape blurs (when empty)
- [ ] `Cmd+K` shows the page-specific shortcut name while on each page;
the entry goes away on navigation
- [ ] `Mod+/` reference sheet shows one "List pages" group with 4
generic entries
- [ ] No regression to existing schema-visualizer / table-editor /
SQL-editor shortcut behavior
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a dedicated list-page shortcut group in the shortcuts reference.
* **Improvements**
* Keyboard shortcuts across database list pages: focus & select search,
reset filters, and create-new-item shortcuts.
* Escape now clears/searches or blurs inputs to avoid accidental popover
closes.
* Create/new buttons respond to shortcuts when allowed; disabled actions
keep permission tooltips for clarity.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
adding 'Brad Gyger' to humans!
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
More humans!
## What is the current behavior?
Less Humans!
## What is the new behavior?
Bigger = Better
## Additional context
Glad to be here!
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated contributor list to include a new team member.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Upgraded the UUID library to a newer major version across apps and
removed a now-unneeded dev dependency.
* Pinned PostCSS to a workspace-specific version to stabilize builds.
* **Refactor**
* Improved internal identifier generation for more consistent behavior
without changing outward functionality.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated examples and guides to use Supabase publishable (client) keys
instead of anon keys for client-side usage across frameworks and
platforms.
* Renamed environment variable examples and .env templates to reflect
publishable key naming.
* Adjusted sample requests and client-init examples to send/use the
publishable key via the apikey header where applicable.
* Updated references from service_role to secret for server-side
credential guidance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: fadymak <fady@fadymak.com>
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated Flutter authentication guides (Auth0, AWS Cognito, Clerk, and
Firebase Auth) with corrected Supabase client initialization parameters
in code examples.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
The disk IO exhaustion banner currently warns that the project "may
become unresponsive". That phrasing is vague and non-actionable. The
actual behaviour when EBS burst credits hit zero is deterministic:
sustained throughput is throttled to 5 MB/s until the budget resets.
Users either ignore the warning or wait too long because they cannot
picture what is about to happen.
Reported in [Linear
DEBUG-62](https://linear.app/supabase/issue/DEBUG-62).
## Fix
Rewrite the `disk_io_exhaustion` banner copy in
[ResourceExhaustionWarningBanner.constants.ts](apps/studio/components/ui/ResourceExhaustionWarningBanner/ResourceExhaustionWarningBanner.constants.ts)
to name the throttle floor explicitly:
- **Warning** (about to deplete): "Once exhausted, disk throughput will
be throttled to 5 MB/s until the budget resets."
- **Critical** (depleted): title now reads "Disk throughput is throttled
to 5 MB/s"; description explains the throttle stays until the budget
resets and that upgrading restores full performance.
Card copy on the project list (the compact summary) is unchanged so the
home page does not get noisy.
The banner already renders an "Upgrade compute" primary CTA (via
`correctionUrlVariants.disk_io`), so no button changes are needed.
## Test plan
- [ ] Mock or trigger a `disk_io` warning at the warning level; confirm
new copy renders correctly.
- [ ] Same at critical level; confirm both title and description are
updated.
- [ ] Verify the project list card on the home page still shows the
existing short summary.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Updates**
* Improved disk I/O exhaustion warning messages to clearly communicate
that disk throughput will be throttled to 5 MB/s and explain when
throttling will be lifted. Guidance on upgrading compute or optimizing
disk-intensive queries remains available.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated UI labels and descriptions across the Data API settings to
clarify that default privileges apply to new tables only (removed
references to functions).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
The Max IOPS reference line in the Database Observability report
displays the provisioned disk IOPS, but its tooltip claims it shows the
"Maximum IOPS for your current compute size". The real effective ceiling
is `min(compute IOPS limit, provisioned disk IOPS)`. Users who upgrade
their disk IOPS without upgrading compute see an inflated number and may
draw incorrect conclusions about their IO headroom.
Reported in [Linear
DEBUG-63](https://linear.app/supabase/issue/DEBUG-63) (originally
[FE-2856](https://linear.app/supabase/issue/FE-2856)).
## Fix
In
[apps/studio/data/reports/database-charts.ts](apps/studio/data/reports/database-charts.ts),
use the existing `mapComputeSizeNameToAddonVariantId` +
`COMPUTE_MAX_IOPS` lookup (already used in DiskManagement) to compute
the effective ceiling and pass it as the `disk_iops_max` reference line
value. Tooltip rewritten to match.
```ts
const provisionedDiskIops = diskConfig?.attributes?.iops
const computeIopsLimit =
COMPUTE_MAX_IOPS[mapComputeSizeNameToAddonVariantId(project?.infra_compute_size)]
const effectiveMaxIops =
typeof provisionedDiskIops === 'number' && typeof computeIopsLimit === 'number'
? Math.min(provisionedDiskIops, computeIopsLimit)
: provisionedDiskIops
```
## Test plan
- [ ] On a project where compute IOPS limit < provisioned disk IOPS
(e.g. Micro compute with upgraded disk), confirm the Max IOPS reference
line on `/project/{ref}/observability/database` reflects the compute
limit, not the disk IOPS.
- [ ] On a project where provisioned disk IOPS < compute IOPS limit,
confirm the reference line still shows the disk IOPS.
- [ ] Hover the line and confirm the tooltip reads "Effective maximum
IOPS for your current compute and disk configuration..."
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Enhanced IOPS limit calculations in database reports to account for
both compute size and disk provisioning constraints, resulting in more
accurate Max IOPS reference values. Improved chart tooltips to better
reflect the effective combined compute and disk IOPS constraints.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
## Problem
The Database tables filter has a smaller tap-target than its visual
container.
This was probably introduced when we added the Shadcn `input-group`.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Updated internal styling implementation for improved code
maintainability.
---
**Note:** This is a minor internal refactor with no visible changes to
user-facing functionality.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The SQL Editor was warning about missing RLS even when the same query
enabled it, if the user wrote `ALTER TABLE IF EXISTS ...`. The parser
regex didn't recognise `IF EXISTS` and was capturing `IF` as the table
name, so the RLS event never matched the `CREATE TABLE`.
**Changed:**
- `ALTER TABLE` regex in `sql-event-parser.ts` now accepts the optional
`IF EXISTS` and `ONLY` modifiers, matching Postgres's `ALTER TABLE [ IF
EXISTS ] [ ONLY ] name` grammar.
**Added:**
- Unit tests for `IF EXISTS`, `ONLY`, and both combined.
- Regression test in `SQLEditor.utils.test.ts` using the customer's
exact SQL.
## To test
1. Open the SQL Editor and paste:
```sql
CREATE TABLE IF NOT EXISTS public."Conversations" (id int8 primary key);
ALTER TABLE IF EXISTS public."Conversations" ENABLE ROW LEVEL SECURITY;
```
2. Hit Run – the "table will not have RLS" warning should **not**
appear.
3. Sanity check: a `CREATE TABLE` without any matching `ENABLE ROW LEVEL
SECURITY` still triggers the warning.
Addresses
[FE-3134](https://linear.app/supabase/issue/FE-3134/sql-editor-warns-about-missing-rls-policy-incorrectly).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Added comprehensive test coverage for Row Level Security detection
across different SQL syntax patterns and clause combinations
* **Bug Fixes**
* Enhanced Row Level Security detection capabilities in the SQL editor
by extending support for additional ALTER TABLE statement syntax
variations, improving the accuracy and completeness of security
configuration recognition
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
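An added TypeScript example of the parsing bug this commit describes, run over the SQL from its "To test" section (not the regexes in `sql-event-parser.ts`). The patterns, function names and the extra sample statements are constructed; comments and string literals inside the SQL are not handled.

```typescript
// Added illustration with constructed patterns, not the project's parser.

// One identifier part: double-quoted (with "" as an escaped quote) or bare.
const IDENT = '(?:"(?:[^"]|"")+"|[A-Za-z_][\\w$]*)'
// Optionally schema-qualified name, captured as group 1.
const QUALIFIED = '(' + IDENT + '(?:\\s*\\.\\s*' + IDENT + ')?)'
const ENABLE_RLS = '[^;]*?\\bENABLE\\s+ROW\\s+LEVEL\\s+SECURITY'

const CREATE_TABLE = new RegExp(`\\bCREATE\\s+TABLE\\s+(?:IF\\s+NOT\\s+EXISTS\\s+)?${QUALIFIED}`, 'gi')

// Narrow form: takes whatever word follows ALTER TABLE as the table name.
const ALTER_RLS_NARROW = new RegExp(`\\bALTER\\s+TABLE\\s+${QUALIFIED}${ENABLE_RLS}`, 'gi')

// Follows the grammar ALTER TABLE [ IF EXISTS ] [ ONLY ] name.
const ALTER_RLS_FULL = new RegExp(
  `\\bALTER\\s+TABLE\\s+(?:IF\\s+EXISTS\\s+)?(?:ONLY\\s+)?${QUALIFIED}${ENABLE_RLS}`,
  'gi'
)

// Canonical schema.table: quoted parts keep their case, bare parts fold to
// lower case, and a missing schema is assumed to be public.
function normalizeName(raw: string): string {
  const partRe = new RegExp(IDENT, 'g')
  const parts: string[] = []
  let m: RegExpExecArray | null
  while ((m = partRe.exec(raw)) !== null) {
    const part = m[0]
    parts.push(part.charAt(0) === '"' ? part.slice(1, -1).replace(/""/g, '"') : part.toLowerCase())
  }
  if (parts.length === 1) parts.unshift('public')
  return parts.join('.')
}

function collectNames(sql: string, pattern: RegExp): string[] {
  const re = new RegExp(pattern.source, 'gi') // fresh copy, so lastIndex is not shared
  const names: string[] = []
  let m: RegExpExecArray | null
  while ((m = re.exec(sql)) !== null) {
    names.push(normalizeName(m[1] || ''))
  }
  return names
}

// Tables created in this script with no matching ENABLE ROW LEVEL SECURITY.
function tablesMissingRls(sql: string, alterPattern: RegExp): string[] {
  const enabled = collectNames(sql, alterPattern)
  return collectNames(sql, CREATE_TABLE).filter((t) => enabled.indexOf(t) === -1)
}

// The SQL from the commit's test steps.
const REPORTED_SQL = `
CREATE TABLE IF NOT EXISTS public."Conversations" (id int8 primary key);
ALTER TABLE IF EXISTS public."Conversations" ENABLE ROW LEVEL SECURITY;
`
// Constructed samples for the other modifier combinations and the sanity check.
const ONLY_SQL = 'CREATE TABLE audit.log (id int8); ALTER TABLE ONLY audit.log ENABLE ROW LEVEL SECURITY;'
const BOTH_SQL = 'CREATE TABLE t1 (id int8); ALTER TABLE IF EXISTS ONLY t1 ENABLE ROW LEVEL SECURITY;'
const NO_RLS_SQL = 'CREATE TABLE notes (id int8 primary key);'
```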
## Context
Just happened to pass by this - refactor to use Admonition instead of
Alert + fix spacing + use InlineLink
e.g. General settings while on a preview branch
### Before
<img width="795" height="364" alt="image"
src="https://github.com/user-attachments/assets/28ab66ab-bd10-408e-afb5-24e287efc705"
/>
### After
<img width="759" height="349" alt="image"
src="https://github.com/user-attachments/assets/db62925d-f2e2-4c10-9cab-ce8204f2077c"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Preview-branch notices across Settings now use a unified admonition
design with adjusted spacing for improved visual consistency.
* **Refactor**
* Standardized branch-notice layout and inline navigation links across
Addons, General, and Integrations; each notice now links directly to its
respective settings page for clearer navigation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Description
Replaces legacy `anon` / `service_role` key references with the new
`publishable` / `secret` naming across SDK spec files under
`apps/docs/spec/`. Mirrors the rename table established by
[supabase-js#2280](https://github.com/supabase/supabase-js/pull/2280),
so the auto-generated reference docs at
supabase.com/docs/reference/{js,dart,kotlin,python,swift} stay
consistent with the SDK source.
## Files changed
| File | Highlights |
| --- | --- |
| `supabase_js_v2.yml` | Rename example vars `anon_key` → `publishable_key`, `service_role_key` → `secret_key`; admin notes use `secret`. |
| `supabase_dart_v2.yml` | Rename `anonKey` param → `publishableKey` (matches the live Flutter SDK — see [supabase-flutter/supabase.dart#L81](https://github.com/supabase/supabase-flutter/blob/main/packages/supabase_flutter/lib/src/supabase.dart#L81)); update call-site; example var `serviceRoleKey` → `secretKey`; admin notes use `secret`. |
| `supabase_kt_v2.yml`, `supabase_kt_v3.yml` | Replace `'publishable-or-anon-key'` placeholders with `'your-publishable-key'`; admin notes use `secret`; fix `importAuthToken("service_role")` → `importAuthToken("your-secret-key")` (the Kotlin SDK's `importAuthToken(accessToken: String, …)` takes a JWT, not a role name). |
| `supabase_py_v2.yml` | All `service_role` references → `secret`; example var `service_role_key` → `secret_key`. |
| `supabase_swift_v2.yml` | Replace placeholders with `'your-publishable-key'`; admin notes use `secret`; example var `serviceRoleKey` → `secretKey`. |
| `storage_v0_config.yaml` | Rewrite `ANON_KEY` / `SERVICE_KEY` env var **descriptions** in publishable/secret terms. **Env var names kept** — see below. |
## Why the storage env var names are unchanged
`storage_v0_config.yaml` documents the env vars used to configure the
storage server (multi-tenant deployments). The `id` and `title` fields
must match the actual env var names the binary reads. The storage server
still reads its config from env vars literally named `ANON_KEY` and
`SERVICE_KEY`:
- [`storage/src/config.ts#L614`](https://github.com/supabase/storage/blob/master/src/config.ts#L614) — `getOptionalConfigFromEnv('SERVICE_KEY')`
- [`storage/src/config.ts#L625`](https://github.com/supabase/storage/blob/master/src/config.ts#L625) — `getOptionalConfigFromEnv('ANON_KEY')`
There is no `PUBLISHABLE_KEY` / `SECRET_KEY` reader on master. Renaming
the doc IDs would break self-hosted deployments — users following the
docs would set the wrong env var and the storage server would silently
fall back to generating its own JWT. Until the storage server itself
adds publishable/secret env support, only descriptions can be updated.
(Same reasoning for not bumping `storage_v0_config.yaml` →
`storage_v1_config.yaml`: the `_v0_` tracks the storage server's own API
version, paired with `storage_v0_openapi.json` downloaded from
`supabase.github.io/storage/api.json`. The server hasn't shipped a v1
API.)
## What we deliberately did NOT rename
Per the same rules established in supabase-js#2280:
- **JWT role claims** like `role: 'anon'` / `role: 'service_role'` —
these are functional Postgres role names in JWT payloads, not key
labels.
- **Real SDK identifiers** that haven't been renamed in the source (we
only rename in the doc when the underlying SDK rename has shipped). The
Dart `anonKey` rename was safe to apply because the Flutter SDK already
ships `publishableKey` as the preferred named parameter (with `anonKey`
`@Deprecated`).
## Out of scope
- **All `*_v1.yml` SDK spec files** (`supabase_js_v1`,
`supabase_dart_v1`, `supabase_kt_v1`, `supabase_swift_v1`). Older SDK
versions, not worth churning.
- **`cli_v1_commands.yaml`**. This file is auto-generated by the CLI
repo's release workflow
([`cli/tools/bumpdoc/main.go`](https://github.com/supabase/cli/blob/develop/tools/bumpdoc/main.go))
and the example outputs come from
[`cli/docs/templates/examples.yaml`](https://github.com/supabase/cli/blob/develop/docs/templates/examples.yaml)
— embedded in the CLI binary at build time. Any edits we make here would
be clobbered by the next CLI release. The fix needs to land upstream in
the CLI repo (note: the CLI itself already ships publishable/secret
naming in `supabase status` output — see
[`cli/internal/status/status.go#L40-L44`](https://github.com/supabase/cli/blob/develop/internal/status/status.go#L40-L44)
— but the doc-generation template is stale).
- **`supabase_csharp_v0.yml` / `supabase_csharp_v1.yml`** — checked,
already neutral. Both files use a generic `SUPABASE_KEY` env var with no
`anon` / `service_role` references.
- **Renaming the legacy Dart `anonKey` parameter itself** — that's an
SDK-side change. The Flutter SDK already exposes `publishableKey` as the
preferred parameter; full removal of `anonKey` will happen in a future
major version per the SDK's own deprecation comment.
## Summary by CodeRabbit
* **Documentation**
* Standardized API key naming across SDK docs: use publishable (client)
and secret (server/admin) key terminology
* Updated server-side admin examples and warnings to require secret keys
and emphasize never exposing them in client code
* Unified initialization examples across JavaScript, Dart, Kotlin,
Python, and Swift
* Corrected Storage spec metadata to point to the proper configuration
file
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
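The commit message above separates key labels from JWT role claims such as `role: 'service_role'`. As an added example (not code from this PR or from any Supabase SDK), the check below decodes JWT-shaped strings found in text destined for a client and flags any whose payload carries the `service_role` claim. The function names and the unsigned sample tokens are constructed for illustration.

```javascript
// Added example: find JWTs whose payload has role "service_role" in
// client-bound text. Tokens are decoded only, never verified.

// Three dot-separated base64url segments; header and payload are JSON
// objects, so both start with "eyJ" (the encoding of '{"').
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;

function decodePayload(token) {
  const part = token.split('.')[1];
  try {
    return JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  } catch {
    return null; // payload is not JSON, so it cannot be classified
  }
}

function findPrivilegedTokens(text) {
  const findings = [];
  for (const match of text.matchAll(JWT_RE)) {
    const payload = decodePayload(match[0]);
    // The role claim is the functional Postgres role, whatever the
    // surrounding variable happens to be called.
    if (payload && payload.role === 'service_role') {
      findings.push({ index: match.index, role: payload.role });
    }
  }
  return findings;
}

// Constructed sample token: the signature segment is a placeholder.
function makeSampleToken(role) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ role, iss: 'example' })}.c2ln`;
}

// Constructed stand-in for a client bundle holding one token of each role.
const sampleBundle = [
  `const publishableKey = "${makeSampleToken('anon')}";`,
  `const secretKey = "${makeSampleToken('service_role')}";`,
].join('\n');

console.log(findPrivilegedTokens(sampleBundle));
```

The check only covers keys that are JWTs; a key in any other format needs its own rule.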
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Bug fix.
## What is the current behavior?
- Safari Table Editor cells fail to copy from a focused cell with `⌘C`.
- Safari right-click can show the browser menu instead of the custom
cell menu.
- Copy can leave RDG's copied-cell fill behind.
## What is the new behavior?
- Reuses the existing shared `copyToClipboard(value, onSuccess)`
pattern, with the Safari clipboard fix inside that util.
- Handles selected-cell `⌘C` in the RDG keydown path, preventing
browser/RDG defaults and showing the success toast only after copy.
- Replaces the row-level synthetic context-menu shim with RDG's
`onCellContextMenu`, so we prevent Safari's browser menu at the source
and select/focus the target cell.
- Keeps the selected-cell outline while the controlled menu is open.
## Additional context
- `RowRenderer` was only supporting the old context-menu shim; removing
it is part of moving to RDG's cell event path.
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Context menu now provides feedback with toast notifications when
copying cells or rows.
* Selected cells retain their visual styling when context menu is open.
* **Bug Fixes**
* Improved keyboard shortcut handling for copy functionality.
* Enhanced clipboard error handling with user-friendly error messages.
---------
Co-authored-by: Ali Waseem <waseema393@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Update CLI command
## What is the current behavior?
N/A
## What is the new behavior?
Latest CLI command
## Additional context
N/A
## Summary by CodeRabbit
* **Documentation**
* Updated terminal setup instructions for Stripe project integration to
reflect current configuration parameters.
Co-authored-by: Ana <ana1337x@users.noreply.github.com>
## Summary
- Replaces invalid Tailwind purple classes on the "previously used" JWT
key badge with the design system's warning tokens, matching the
bg-*-200/text-*-600/border-*-500 pattern used by the in_use and revoked
variants
- text-purple-1200 didn't exist (Tailwind purple scale stops at 950) and
the design system has no purple palette, which is why the badge rendered
with off-theme default Tailwind purple
Resolves
[FE-3128](https://linear.app/supabase/issue/FE-3128/fix-previous-key-button-color-in-jwt-rotation-modal)
## Test plan
- [x] Open the Rotate JWT signing key modal — "Previous key" badge
should match the warning palette and visually fit alongside
Standby/Current
- [x] JWT signing keys table row with status `previously_used` renders
with the same warning styling
## What kind of change does this PR introduce?
Feature and design-system cleanup. Resolves DEPR-551.
## What is the current behavior?
Admonition supports several overlapping content shapes, but it
previously did not support a first-class success state or
description-only usage cleanly. Title-only usage was also possible,
which made some callouts read like floating headings without body copy.
Docs MDX Admonitions could also pick up prose spacing around rich
children, while the design-system Tailwind config emitted an
ESM/CommonJS warning in the design-system app.
## What is the new behavior?
Adds a `success` Admonition type, description-only support, and a
stricter content contract: `title` or legacy `label` now requires either
`description` or `children`. Existing title-only Studio callsites have
been converted to description-only callouts.
The design-system docs now include examples for description-only and
success Admonitions, plus guidance for `title`, `description`,
`children`, and legacy `label` usage.
This also tightens Admonition body spacing so rich MDX children keep
docs link/code styling without inheriting excessive prose margins, and
renames the design-system Tailwind config to `tailwind.config.cjs` so it
matches its CommonJS syntax.
Warning and destructive alerts now explicitly set `text-foreground`,
preventing nested Admonition titles from inheriting muted
form-description colour after the Tailwind v4 cascade changes.
## Summary by CodeRabbit
* **New Features**
* Added a "success" admonition variant and new example previews
demonstrating success and description-only usages.
* **Documentation**
* Clarified admonition guidance: when to use title vs description vs
children; added example sections for short callouts and success
messages.
* **Refactor**
* Standardized UI by moving short/advisory text into description across
the app and harmonized trailing punctuation.
* **Style**
* Ensured warning/destructive admonitions use consistent foreground text
styling.
## Summary
Adds the first batch of keyboard shortcuts for the Database → Schema
Visualizer page, following the registry pattern established for the SQL
editor and table editor.
Fixes [FE-3115](https://linear.app/supabase/issue/FE-3115).
## Shortcuts
| Shortcut | Action |
| --- | --- |
| `Mod+Shift+C` | Copy schema as SQL |
| `Mod+Shift+M` | Copy schema as Markdown |
| `D` then `P` | Download schema as PNG |
| `D` then `S` | Download schema as SVG |
| `O` then `A` | Open the auto-layout confirmation dialog |
| `O` then `S` | Open the schema selector |
All six entries appear in the Cmd+K command menu under "Shortcuts" and
in the global shortcuts sheet (`Mod+/`) under a new "Schema Visualizer"
group while the page is mounted. None are surfaced in Account →
Preferences yet (`showInSettings: false`), matching how the SQL/table
editor batches shipped.
The schema selector and auto-layout button are wrapped in the unified
`Shortcut` component so the keybind is shown on hover (Linear-style).
The dropdown items for copy/download don't get hover hints since
tooltips on dropdown items don't make sense — they're discoverable via
Cmd+K instead.
## Toasts
Each user-visible action now confirms via a sonner toast:
- `Successfully copied as SQL` — fires on Copy as SQL (button or
`Mod+Shift+C`).
- `Successfully copied as Markdown` — fires on Copy as Markdown
(dropdown or `Mod+Shift+M`).
- `Successfully downloaded as PNG` / `Successfully downloaded as SVG` —
already present in `useExportSchemaToImage`; fires on click or `D → P` /
`D → S`.
- `Failed to download current view: …` — error toast on download failure
(also pre-existing).
## Notes
- `Mod+Shift+C` and `Mod+Shift+M` collide with the SQL editor's
`results.copy-csv` / `results.copy-markdown` shortcuts. They coexist
cleanly because `useShortcut` only fires while the hook is mounted, and
the two pages live on different routes. Both labels appear in the global
shortcuts sheet honestly scoped per surface.
- `SchemaSelector` was promoted to a `forwardRef` component that spreads
extra props onto its outer `<div>`. This was needed for `<TooltipTrigger
asChild>` to attach event handlers and the ref properly — previously
they were silently dropped and the hover tooltip didn't render.
- `SchemaSelector` and the auto-layout `AlertDialog` accept controlled
`open` props now so the shortcuts can drive them and the tooltip can be
suppressed while the popover/dialog is open (`Shortcut` gained a
`tooltipOpen` passthrough for this).
- Auto-layout still pops the existing confirmation dialog rather than
running directly — destructive enough to keep the guardrail.
## Test plan
- [x] On the Schema Visualizer page, each of the six shortcuts fires the
corresponding action.
- [x] Hover the schema selector and the Auto layout button — tooltip
shows the action label and keybind badge.
- [x] Open the schema selector popover (click or `O → S`) — hover
tooltip is suppressed while open.
- [x] Open the auto-layout confirm dialog (click or `O → A`) — hover
tooltip is suppressed while open.
- [x] Cmd+K shows all six entries under "Shortcuts" while on the page;
navigating away unregisters them.
- [x] `Mod+/` shortcuts sheet has a "Schema Visualizer" group listing
all six.
- [x] Copy as SQL / Markdown each fire a confirmation toast; PNG / SVG
downloads each fire a confirmation toast.
- [x] On the SQL editor results page, `Mod+Shift+M` / `Mod+Shift+C`
still copy results (no regression from the duplicate keybinds).
- [x] The download dropdown items still work via click; PNG/SVG
downloads succeed.
- [x] All other consumers of `SchemaSelector` (~15 callsites) render
unchanged after the `forwardRef` promotion.
## Summary by CodeRabbit
* **New Features**
* Keyboard shortcuts for schema visualizer: copy as SQL/Markdown,
download PNG/SVG, auto-layout, and focus selector
* Success toasts when copying content to clipboard
* **Improvements**
* Schema selector and auto-layout dialog can be opened/closed via
keyboard and programmatically
* Shortcut tooltips can be suppressed when related overlays/dialogs are
open
* Schema Visualizer added to the shortcuts reference sheet
* **Tests**
* E2E tests dismiss transient toasts to avoid UI interference