Simplify the Connect modal for Multigres/High Availability projects.
Pooling is always on for these projects, so the connection method
distinction doesn't apply.
**Removed:**
- Connection Method selector (Direct/Transaction/Session) for HA
projects
- IPv4 add-on panel for HA projects
- Pooler badge (Shared/Dedicated) for HA projects
**Changed:**
- "Type" label renamed to "Connection Type" for HA projects
- Default connection method set to `transaction` (instead of `direct`)
for HA projects
Non-HA projects are completely unaffected.
## To test
- Open Connect sheet → Direct tab on a **non-HA project** — verify
everything looks the same as before
- Open Connect sheet → Direct tab on an **HA project** — verify:
- No Connection Method radio selector
- Label reads "Connection Type" instead of "Type"
- No IPv4 status panel
- No pooler badge
- Connection string displays correctly
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Improvements**
* Connection UI now adapts for high-availability projects: hides pooler
options and IPv4 status, and updates the connection type label for
clarity.
* **Tests**
* Added tests covering connection configuration behavior when a project
is high-availability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the new behavior?
How to Restore Project After a 90-Day Pause troubleshooting guide
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a troubleshooting guide for recovering projects paused over 90
days that cannot be restored via the dashboard.
* Describes a step-by-step recovery workflow: export available database
backups and Storage objects, create a replacement project, restore the
database, restore Storage content, and reapply project configurations.
* Notes expected errors during restore, includes an image and video
walkthrough, optional automation script guidance, and links to related
migration and backup/restore guides.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Jeremias Menichelli <jmenichelli@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Bug fix
## What is the current behavior?
Fixes#34967
The `/account/me`
([https://supabase.com/dashboard/account/me](https://supabase.com/dashboard/account/me))
preferences page has layout shifting during profile loading.
## What is the new behavior?
- Loading skeletons now match the structure of the loaded content (one
card per dynamic section)
- Static sections only render in the non-error branch, preventing them
from appearing alongside error messages
- Removed unused `isSuccess` destructure from `useProfile()`
- CLS value now on good range <= 0.10.
<img width="1917" height="905" alt="Screenshot from 2026-02-11 00-39-19"
src="https://github.com/user-attachments/assets/1d8fa7e1-9ca3-49ae-b4b8-1c0f28ebbf93"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Enhanced the loading state interface on the account settings page with
improved visual indicators. Updated the component structure for better
UI consistency and refined the visual feedback mechanism during profile
data retrieval.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Danny White <3104761+dnywh@users.noreply.github.com>
## What kind of change does this PR introduce?
Bug fix. Resolves FE-2959.
## What is the current behaviour?
Grouped inputs strip the inner control border with `border-0`, while the
outer `InputGroup` is responsible for the visible outline. After #44703,
grouped form inputs now receive the correct validation attributes, but
the primitive still removes the inner border dimensions entirely. That
keeps the visual layer brittle and can lead to inconsistent error
rendering, especially in light mode where the grouped password field
does not match the Project name input.
The shared `ui-patterns` input wrapper also inherits the generic
`inline-end` button spacing from `InputGroupAddon`, which pushes the
password copy button slightly too far to the right.
## What is the new behaviour?
The shared grouped-input primitive now keeps a transparent inner border
instead of removing border widths entirely. The outer `InputGroup`
continues to own the visible border, focus ring and error treatment, but
the inner control now has stable border metrics and no redundant
dark-mode background override.
The grouped invalid state now also matches the plain input treatment
more closely:
- unfocused error border uses `destructive-400`
- focused error border uses `destructive`
- error background uses `destructive-200`
The `ui-patterns` input wrapper now overrides the inherited `inline-end`
negative margin for its own copy/reveal button addon, so the password
copy button sits in the right place without changing spacing for other
direct `InputGroup` consumers.
| Before | After |
| --- | --- |
| <img width="1338" height="284" alt="CleanShot 2026-04-09 at 13 43
50@2x-91489355-5EEA-4884-BAA2-B93B28F1D7CB"
src="https://github.com/user-attachments/assets/ed40683b-8a87-4deb-8a0f-f892d00894f0"
/>| <img width="1334" height="278" alt="CleanShot 2026-04-09 at 13 41
36@2x-5D7E930B-EDB2-4002-9367-34ACE2DF4DB4"
src="https://github.com/user-attachments/assets/7d9594a4-9988-480e-a809-9f5ed29e8e24"
/> |
| <img width="1336" height="210" alt="CleanShot 2026-04-09 at 14 06
15@2x-05379F74-4CA5-4E6E-9250-CBA2764C1318"
src="https://github.com/user-attachments/assets/25e48cd4-de0a-47f3-9022-d7a3829a0626"
/> | <img width="1334" height="210" alt="CleanShot 2026-04-09 at 14 12
11@2x-11FBC519-D398-4A59-971A-97FBFEF610DE"
src="https://github.com/user-attachments/assets/91c3710c-7773-4286-854d-7b7144db85ab"
/> |
An easy place to test this is the Database password field in the New
Project creation flow. See also the Minimum password length field in
Email (Sign In / Providers).
## Summary
- update `packages/ui/src/components/shadcn/ui/input-group.tsx`
- replace `border-0` on grouped inputs/textareas with transparent
borders
- remove the redundant `dark:bg-transparent`
- keep the inner grouped controls visually neutral so the outer group
owns the rendered border state
- align grouped invalid border and background styling with the plain
input treatment
- update `packages/ui-patterns/src/DataInputs/Input.tsx` so copy/reveal
buttons do not inherit the extra right pull intended for other
`inline-end` addons
## Problem
The input groups components introduced in #44282 don't have the
validation attributes when invalid. This hurts accessibility and also
break the design:
<img width="1730" height="324" alt="image"
src="https://github.com/user-attachments/assets/a3fb8d86-f3a8-46bb-aa53-d0599c11f056"
/>
## Solution
This is because the wrapper `<FormControl_Shadcn_>` passes the
validation props to its direct child.
The solution is to avoid applying them on the `<InputGroup>` and to
apply them manually on the inputs.
I also fixed a small accessibility issue by moving the addon texts after
the input so that screen readers announce them in the correct order. No
visual change for this
<img width="587" height="158" alt="image"
src="https://github.com/user-attachments/assets/1f8858ea-6659-45f9-964e-8c43a7fe14ba"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Unified numeric input layout by moving unit labels/suffixes (e.g.,
"seconds", "GB", "%", "connections", "digits", "IOPS", "MB/s", "rows")
to appear after their inputs for a consistent, predictable form
appearance.
* **Accessibility**
* Form controls now expose IDs and ARIA attributes from form context
when available, improving screen-reader descriptions and error
association.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
We are currently migrating to the safeSql utility for all SQL arguments
of executeSql. During the migration, executeSql will continue to accept
plain strings for backwards compatibility. Adding a custom ESLint rule
so we can ratchet this and prevent new calls of executeSql with plain
strings.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added SQL safety validation throughout the application to enforce
secure query construction and prevent SQL-related vulnerabilities
* Introduced type-aware linting to identify and catch type-related
issues during development and continuous integration processes
* **Chores**
* Enhanced continuous integration pipeline with improved code quality
enforcement
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Standardized SQL construction across the pg-meta package to use
parameter-safe SQL fragments instead of raw string assembly, improving
safety for dynamic values (filters, limits, offsets, identifiers) and
unifying how exported SQL constants and query helpers are produced. No
functional query behavior changes expected.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
#44677 modified the previous behaviour on callback URLs. It used to
prevent users to remove the URL if only one was provided.
## Solution
Restore the previous behaviour.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed the Remove button behavior for OAuth callback URLs. The button
now only appears when multiple callback URLs are configured, preventing
accidental deletion of the only redirect URI.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
docs update
## What is the new behavior?
SSL modes table reference
<img width="1000" height="567" alt="CleanShot 2026-04-05 at 15 39 27"
src="https://github.com/user-attachments/assets/ed05d05b-b559-4554-aef1-d70038f520b9"
/>
## Additional context
While there is a table available in postgres docs, other providers do
include simplified versions of that table.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a clear reference table for Postgres client-side SSL modes
(disable, allow, prefer, require, verify-ca, verify-full), summarizing
encryption, certificate authority validation, hostname verification, and
connection behavior for each mode.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
-
[**SUPABASE-APP-E2R**](https://supabase.sentry.io/issues/SUPABASE-APP-E2R):
Guard against undefined entries in notifications array in
`AdvisorButton` (optional chaining on `.some()` callbacks)
-
[**SUPABASE-APP-EBA**](https://supabase.sentry.io/issues/SUPABASE-APP-EBA):
Remove render-time `handleError()` throw in `useEdgeFunctionsDiff` — the
hook already handles missing body data gracefully
-
[**SUPABASE-APP-BVN**](https://supabase.sentry.io/issues/SUPABASE-APP-BVN)
/
[**SUPABASE-APP-BTV**](https://supabase.sentry.io/issues/SUPABASE-APP-BTV):
Guard `localStorage` access in `FeaturePreviewContext` with try-catch,
matching the established pattern in `useLocalStorage.ts` (Safari private
browsing)
-
[**SUPABASE-APP-AV3**](https://supabase.sentry.io/issues/SUPABASE-APP-AV3):
Filter stale folder IDs before passing `expandedIds` to
`react-accessible-treeview` in the SQL editor nav
## Test plan
- [x] Verify AdvisorButton renders without errors when notifications
data has sparse pages
- [x] Verify branch merge page loads when edge function body fetch fails
- [x] Verify feature previews initialize correctly in Safari private
browsing
- [x] Verify SQL editor folder expand/collapse works after deleting a
folder
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Feature preview now falls back safely when browser storage is
unavailable
* Notifications display updated to tolerate missing entries without
errors
* Private snippets navigation no longer preserves expansion state for
removed nodes
* **Refactor**
* Streamlined error aggregation in edge functions diff processing
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
Foreign wrapper forms still use `formik` but we now use
`react-hook-form` everywhere and we'd like to reduce our dependencies.
## Solution
This PR focuses on migrating the OAuth apps form to `react-hook-form`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Reworked the OAuth app publish form to use schema-driven validation
and managed callback URL fields.
* Replaced bespoke URL state/handlers with add/remove field array logic;
consolidated error rendering.
* Submission, loading and preview now reflect real-time form state and
reset correctly when the panel or selection changes.
* **Bug Fixes**
* Improved URL validation to handle localhost cases and optional
HTTPS-only enforcement.
* **Tests**
* Extended URL validation tests to cover localhost, HTTP/HTTPS and
HTTPS-only scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What kind of change does this PR introduce?
Docs update
## Additional context
The Smart CDN documentation lacked clarity around caching behavior for
signed URLs used with private bucket assets. This update adds that
missing detail.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a Smart CDN guide section on signed URL caching at the CDN edge:
each unique signed URL is a separate cache key.
* Explained cache behavior: first request for a specific signed URL is a
miss; subsequent identical requests are cache hits; cached responses
remain until CDN cache expiry.
* Clarified access-control interactions: revoking/expiring a token does
not purge cached content; deleting the object invalidates cached entries
(propagates within ~60s).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: ferhat elmas <elmas.ferhat@gmail.com>
Show OAuth server endpoints in oauth server settings page.
Preview: [OAuth Server
settings](https://studio-staging-git-chore-show-oauth-server-endpoints-supabase.vercel.app/dashboard/project/_/auth/oauth-server)
<img width="1138" height="496" alt="Screenshot 2026-01-09 at 12 00 31"
src="https://github.com/user-attachments/assets/eeca7726-0426-4abe-990d-271b702e4f7b"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added an OAuth endpoints table showing Authorization, Token, JWKS, and
Discovery/OpenID URLs with copy-to-clipboard and a masked preview mode.
* Inline preview of the Authorization URL when an authorization path is
set.
* **Improvements**
* Reorganized OAuth server settings for clearer enable/disable flow,
conditional field visibility, and disable confirmation.
* Dynamic loading of the endpoints table, improved loading skeletons,
layout refinements, and form reset to reflect saved defaults.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ali Waseem <waseema393@gmail.com>
Cleanup task following https://github.com/supabase/supabase/pull/43194
I noticed the run of `braintrust-scorers-deploy.yml` included the branch
prefix on scorers in Assistant. This is unnecessary since there's only
one copy of scorers in the "Assistant" project, unlike "Assistant
(Staging Scorers)" which uses prefixes to disambiguate branches.
<img width="502" height="262" alt="CleanShot 2026-03-09 at 15 45 19@2x"
src="https://github.com/user-attachments/assets/214ec1e8-5f40-411f-8d2a-71cc4a5fc294"
/>
This is a small housekeeping correction so scorers in the main
"Assistant" project don't include branch prefixes, whereas scorers from
PRs deployed to "Assistant (Staging Scorers)" remain prefixed.
https://docs.github.com/en/actions/reference/variables-reference
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated CI deployment configuration for scorer branch/prefix handling
to optimize behavior across different GitHub event types (PR vs.
push/dispatch events).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
Removes `_DEFAULT` from the publishable key env var name across all
Connect and ConnectSheet framework content, so that e.g.
`NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY` becomes
`NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY`. This matches the docs and sample
apps.
### Connect
- Next.js (App Router)
- Next.js (Pages Router)
- React (Create React App)
- React (Vite)
- Remix
- SolidJS
- SvelteKit
### ConnectSheet
- Next.js (App Router)
- Next.js (Pages Router)
- React (Create React App)
- React (Vite)
- Remix
- SolidJS
- SvelteKit
- Vue.js
- shadcn env step
Resolves FE-2934
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Standardized environment variable names in generated connection/setup
instructions: when a publishable key is present the templates now
reference the publishable env var (e.g.,
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY, VITE_SUPABASE_PUBLISHABLE_KEY,
REACT_APP_SUPABASE_PUBLISHABLE_KEY, etc.) with unchanged anon-key
fallback behavior.
* Updated cURL/tab placeholders to reflect the new publishable-key
identifier when hiding keys.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The Connect Sheet install step only listed `@supabase/supabase-js`, but
the generated code for Next.js (app router) and Remix imports from
`@supabase/ssr` – so users following the steps immediately hit import
errors.
**Added:**
- `EXTRA_PACKAGES` map in `connect.schema.ts` – frameworks declare
additional packages on top of the base library install, keyed by
`framework/variant` for granularity (e.g. `nextjs/app` gets
`@supabase/ssr`, `nextjs/pages` does not)
- Install content component appends extras automatically
- Step title pluralises to "Install packages" when extras are present
- Tests for extra packages, variant-specific install commands, and step
titles
**Changed:**
- Next.js steps now branch on `frameworkVariant` so app router and pages
router can have different install steps
- Remix gets an explicit entry in the step tree (previously fell through
to DEFAULT)
## To test
- Open Connect Sheet → Framework → Next.js → App Router
- Install step should say "Install packages" and show `npm install
@supabase/supabase-js @supabase/ssr`
- Switch to Pages Router
- Install step should say "Install package" and show `npm install
@supabase/supabase-js`
- Switch to Remix
- Install step should say "Install packages" and show `npm install
@supabase/supabase-js @supabase/ssr`
- Other frameworks (Vue, SvelteKit, etc.) should be unchanged
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Enhanced package installation guidance to include framework-specific
additional packages (e.g., @supabase/ssr for Next.js App Router and
Remix).
* Installation step labels now accurately reflect the number of packages
being installed.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
Removes the temporary killswitch that was blocking tracing in production
environments.
Note this still excludes from tracing projects that are any of the
following:
- HIPAA sensitive
- Hosted in EU regions
- Within orgs where some owner previously signed our DPA
See [approval
message](https://supabase.slack.com/archives/C051L8U2EJF/p1775526578561789?thread_ts=1775144006.270549&cid=C051L8U2EJF)
for context.
Closes AI-450
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Tracing enablement now depends solely on the presence of required API
credentials instead of environment-based restrictions, enabling
diagnostic tracing functionality across all environments.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
Foreign wrapper forms still use `formik` but we now use
`react-hook-form` everywhere and we'd like to reduce our dependencies.
## Solution
- [x] Write e2e tests for wrappers
- [x] Migrate to `react-hook-form`
## Notes
I tried to cover the 3 cases I identified for foreign wrappers with e2e
tests:
- Add all available tables to a new schema (stripe)
- Add selected tables to a new table (stripe)
- Create dynamic columns (s3 wrapper)
However, they are not exhaustive as I can't test the integration
actually works, only that it was created successfully. Besides, I can't
test the Iceberg wrapper case as it needs actual S3 buckets.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Enhanced column-type selector with searchable combobox, enum support,
icons, and optional recommendation prompts.
* **Refactor**
* Migrated many wrapper/table/editor forms to a schema-driven form
system with stronger validation, dynamic field arrays, and consistent
form controls.
* Updated input field integration to work with the new form control
model.
* **Bug Fixes**
* Improved handling of missing wrapper/error states during wrapper
loading.
* **Tests**
* Added unit tests for form schemas and end-to-end tests for wrapper
creation flows.
* **Chores**
* Removed legacy dynamic-columns component.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
smol follow up to:
- https://github.com/supabase/supabase-js/pull/2234
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Improved Smart CDN documentation with updated cache-bypass
instructions. The guidance now uses the `cacheNonce` query parameter to
clarify how to force the CDN to fetch fresh content from origin.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Docs update — new blog post.
## What is the current behavior?
No blog post exists for the Supabase Agent Skills release.
## What is the new behavior?
Adds a new blog post: **"AI Agents Know About Supabase. They Don't
Always Use It Right."**
The post covers:
- What Supabase Agent Skills teaches (docs access, security checklist,
tooling, schema management)
- How the skill was designed (why everything critical lives in
`SKILL.md`)
- How we test it (eval framework, LLM judge, results table across Claude
and GPT models)
- Lessons for skill authors
- Installation instructions for `npx skills add` and Claude Code plugin
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Published a new blog post introducing Supabase Agent Skills:
installation options, core skill areas (docs access, security/RLS
safeguards, tooling/workflow, schema-management guidance), testing and
evaluation methodology with example results, and links for getting
started and reporting issues.
* **Chores**
* Updated app build configuration to enforce consistent React module
resolution, improving build stability across environments.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
New go landing page for Prompt to Prod: Debug Your Full Supabase Stack
with Sentry webinar (April 30, 2026)
## What is the current behavior?
No landing page exists for the webinar
## What is the new behavior?
Adds supabase.com/go/prompt-to-prod-debug-supabase-stack-sentry, a page
promoting the webinar with a CTA that drives to Sentry's registration at
sentry.io/resources/sentry-supabase-workshop/
## Additional context
n/a
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a new webinar landing page: "Prompt to Prod Sentry" with
lead-generation form, hero section including webinar date/time and
primary CTAs (Register, Learn more), and a feature grid outlining four
key learning outcomes (end-to-end instrumentation, error tracing,
AI-assisted root-cause analysis, and actionable patch guidance).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ana <ana1337x@users.noreply.github.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Bug fix
## What is the current behavior?
After clicking delete on a project, the `onSuccess` callback
unconditionally redirects to `/org/{slug}` or `/organizations`. If the
user has already navigated away from the project page before the
deletion completes, this causes an unwanted redirect back to the
organizations page.
## What is the new behavior?
The redirect now only happens if the user is still viewing the deleted
project's page (`router.asPath.startsWith(/project/${projectRef})`). If
they've already navigated away, only the success toast is shown.
## Additional context
The Next.js pages router object is mutable, so `router.asPath` reflects
the current URL at callback execution time, not at closure creation
time.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed navigation behavior after project deletion to avoid unnecessary
redirects when you've already navigated away from the deleted project.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Refactor based on https://github.com/supabase/platform/pull/31325
## What is the current behavior?
We presented a page to Stripe users to let them either pick an existing
org or create one.
## What is the new behavior?
We're forcing them to create a new one (or show that there was one
already linked).
- It also adds the option to sign out when there's a conflict. Fixes
https://linear.app/supabase/issue/API-963/add-a-button-to-logout-from-the-page-you-must-be-logged-in-as-x-to
- And adds the link to root from the logo.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added organization preview creation endpoint for billing workflows.
* **Bug Fixes**
* Removed organization-picking flow from Stripe Projects login; users
now proceed directly with confirmation.
* Added a "Sign out" button on error pages.
* **Refactor**
* Removed a legacy billing partner option.
* Made the Supabase logo clickable for quick navigation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
This takes our dialog to review compute upgrade's and gives it a bit
more visual clarity (as it can get confusing). Simplification and clear
communication of what differences there are.
| Before | After |
|--------|--------|
| <img width="663" height="722" alt="Screenshot 2026-04-07 at 16 58 33"
src="https://github.com/user-attachments/assets/dbb699b4-89ad-4172-8c23-e5d1ca5045f8"
/> | <img width="608" height="635" alt="Screenshot 2026-04-08 at 12 28
32"
src="https://github.com/user-attachments/assets/9a4a5952-6049-4cda-86e6-73773f001010"
/> |
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **UI Improvements**
* Redesigned disk review dialog to a stacked "Before/After" layout with
a clear vertical breakdown of changes.
* Replaced badges/tooltips with inline per-line monthly deltas and
explicit summed totals.
* Replica note moved inline; cooldown and throughput explanations
consolidated and more broadly shown when storage type changes.
* Arrow between totals updated and "After" state emphasized.
* **Chores**
* Updated dialog spacing, padding, min-width, confirm button styling,
and dialog wording.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What kind of change does this PR introduce?
Chore / UI consistency fix. Resolves DEPR-418.
## What is the current behavior?
Shortcut hints are still hand-built in several high-traffic Studio
surfaces, which leads to inconsistent rendering and stale
platform-specific markup. Buttons in particular can end up with awkward
spacing and baseline alignment when shortcut labels are inserted
directly into the button text.
## What is the new behavior?
This PR standardises those shortcut hints around `KeyboardShortcut` and
updates the surrounding layout primitives to support that approach more
cleanly.
It includes:
- Design docs
- using `KeyboardShortcut` in the table side-panel `ActionBar`
- replacing hardcoded operation queue button shortcuts in
`OperationQueueSidePanel`
- standardising the command menu trigger shortcut chip and updating the
`LayoutHeader` overrides to match the new DOM shape
- replacing the AI editor empty-state `Cmd/Ctrl + K` hint with
`KeyboardShortcut`
- refining shared shortcut/button primitives so inline shortcuts align
better when used as button accessories
- keeping the SQL utility shortcut work on this branch consistent with
the same shared component approach
| Before | After |
| --- | --- |
| <img width="1454" height="902" alt="CleanShot 2026-03-27 at 15 55
32@2x"
src="https://github.com/user-attachments/assets/3a8de192-3f4c-480b-9d26-9b28becd0ee3"
/> | <img width="1488" height="906" alt="CleanShot 2026-03-27 at 15 29
31@2x-63A17C58-D023-4D3A-9355-6C40A6485328"
src="https://github.com/user-attachments/assets/46ef7f7a-2b8b-4c10-8935-84ca5ad44562"
/> |
| <img width="738" height="328" alt="CleanShot 2026-03-27 at 15 57
07@2x"
src="https://github.com/user-attachments/assets/ad459c41-867d-42f9-a8cb-c936af8326b7"
/> | <img width="726" height="290" alt="CleanShot 2026-03-27 at 15 56
29@2x-ECE4E10F-9693-4ED8-B085-DC436A839F52"
src="https://github.com/user-attachments/assets/95b4bfb4-ec34-4080-8b69-211b5045ca26"
/> |
## Later todo
- [ ] Replace the string-based SQL editor placeholder shortcut in
`SQLEditor` once that placeholder API supports rich content
- [ ] Refactor `CommandOption` to use `KeyboardShortcut` instead of
bespoke platform detection and command-key markup
- [ ] Standardise the remaining DataTable shortcut hints
(`DataTableToolbar`, `DataTableResetButton`, `DataTableFilterCommand`,
`DataTableFilterControlsDrawer`) around `KeyboardShortcut`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced a new KeyboardShortcut component for displaying keyboard
shortcuts with two visual variants (pill and inline).
* Standardized keyboard shortcut indicators across the application
interface for consistent user experience.
* **Bug Fixes**
* Fixed capitalization inconsistencies in button labels and hotkey
settings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
429 rate-limited responses from edge-functions-ingress do not appear in
the edge function logs dashboard. The cause is that rate-limited
requests are rejected before a function ID is resolved, so their log
events have no `metadata.function_id`. The dashboard filters logs by
`metadata.function_id`, silently dropping these events. Cloudflare
errors (502, 503, 525) are excluded for the same reason.
## Fix
Changed the filter in the edge function logs page from
`metadata.function_id` to `metadata.request.pathname`. The pathname
(`/functions/v1/{slug}`) is present on all requests, including
rate-limited ones, so 429s and Cloudflare errors are now visible
alongside normal invocation logs.
## Before
- Not seeing 429s
<img width="2408" height="1608" alt="CleanShot 2026-04-08 at 13 13
24@2x"
src="https://github.com/user-attachments/assets/ee369506-dbf0-4f67-b996-3bb9c0f66796"
/>
## After
- seeing 429s
<img width="2404" height="1606" alt="CleanShot 2026-04-08 at 13 12
27@2x"
src="https://github.com/user-attachments/assets/e5fa4a63-04b5-4a9e-b691-6315c118b09f"
/>
## How to test
- Navigate to an edge function's Logs tab in the dashboard
- Confirm that normal invocation logs still load and are scoped to the
correct function
- Trigger a rate-limited request (>100 req/s to a function) and confirm
the 429 now appears in the logs tab
- Expected result: 429 events appear in the function logs dashboard
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved accuracy of edge function invocation log filtering by
refining the matching criteria used to display relevant logs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
## Problem
The "INSERTED AT (UTC)" column in the Database Migrations UI showed
local time instead of UTC. For a user in Buenos Aires (UTC-3), a
migration timestamped at UTC 08:33:31 would show 05:33:31 in the table.
The tooltip's relative time also showed "in 3 hours" (future) for a
migration that had already run, because the UTC offset was applied in
the wrong direction.
Root cause: `parseMigrationVersion` parsed the version string (format
`YYYYMMDDHHmmss`, which the Supabase CLI generates in UTC) using
`dayjs()` without the UTC flag, so dayjs interpreted the digits as local
time.
## Fix
- Changed `parseMigrationVersion` to use `dayjs.utc()` so the version
string is correctly interpreted as a UTC timestamp.
- Updated the label formatter in `Migrations.tsx` to use
`.utc().format()`, so the displayed time matches the column header
("INSERTED AT (UTC)").
- Added the dayjs UTC plugin setup to the test file and added a
regression test that asserts `toISOString()` returns the correct UTC
time.
## Before
<img width="1102" height="658" alt="CleanShot 2026-04-08 at 12 41 18@2x"
src="https://github.com/user-attachments/assets/5eccdfb1-757c-4794-b24f-6a2c71f483dc"
/>
## After
<img width="1126" height="612" alt="CleanShot 2026-04-08 at 12 42 03@2x"
src="https://github.com/user-attachments/assets/6f3da69f-ace5-4758-b025-b49d8b325034"
/>
## How to test
- Set your browser/OS timezone to something other than UTC (e.g.
America/Buenos_Aires, UTC-3).
- Open the Database Migrations page for a project that has migrations.
- The "INSERTED AT (UTC)" column should show the UTC time matching the
version number digits (e.g. version `20260406083331` should show `06 Apr
2026, 08:33:31`).
- Hover over the timestamp. The tooltip should show the same value for
"UTC", a correctly offset value for your local timezone, and a relative
time that reflects the past (e.g. "3 hours ago", not "in 3 hours").
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Migration timestamps now parsed and displayed in UTC for consistent,
accurate labels; unparsable versions show "Unknown".
* **New Features**
* Improved migration version labeling for clearer, uniformly formatted
date/time shown in the UI.
* **Tests**
* Expanded tests for migration parsing and label formatting; test setup
updated for UTC handling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary
- Removes the "API Docs" navigation item from the sidebar and mobile
menu
- Removes the `UI_PREVIEW_API_SIDE_PANEL` feature preview flag since the
feature is fully rolled out
- Makes API docs buttons unconditionally visible across Auth Users,
Storage, Edge Functions, and SecondLevelNav
## Test plan
- [x] `NavigationBar.utils` tests pass (26 tests)
- [x] `FileExplorerHeader` tests pass (6 tests)
- [x] TypeScript compiles with no errors
- [ ] Verify sidebar no longer shows "API Docs" nav item
- [ ] Verify API docs buttons still appear in Auth Users, Storage, and
Edge Functions pages
- [ ] Verify feature preview modal no longer lists "Project API
documentation"
Resolves FE-2759
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* APIDocs button can optionally display a label and use a custom
tooltip.
* **Chores**
* Removed the API docs side-panel feature flag and its localStorage key.
* “API Docs” navigation entry removed; sidebar no longer special-cases
that route.
* Back links and API Docs buttons now render consistently across the app
(no flag gating).
* **Tests**
* Tests updated to stop depending on the removed feature-flag behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Layout shifting due to projects and orgs not fully ready
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved loading state handling in disk management interfaces. UI
elements now properly hide while project and organization data are
loading, preventing incomplete information from displaying prematurely.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Problem
We currently have 3 different libraries for drag & drop, two of which
are not actively maintained anymore.
## Solution
Migrate all usage of the two unmaintained libraries to DndKit.
This PR focuses on using DndKit instead of `react-dnd` for column
reordering in the table editor
## Screencast
https://github.com/user-attachments/assets/54fb36f4-5671-42e2-9698-2ae928a69f55
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Column drag-and-drop rebuilt with a live drag preview and improved
pointer/keyboard handling
* **Improvements**
* More reliable column reordering with refined move/freeze/unfreeze
behavior and stable index recomputation
* Standardized column type/format display and simplified grid rendering
* **Accessibility**
* Added accessible labeling for column actions controls
* **Tests**
* End-to-end locator updated to target the column actions button
deterministically
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Bug fix
## What is the current behavior?
Social-media crawlers (X, LinkedIn, etc.) cache the dynamic OG images
generated by the `generate-og` Edge Function. When an OG image is
updated or a crawler caches the wrong image, the stale version persists
indefinitely because the URL doesn't change between deploys.
## What is the new behavior?
`getAbsoluteBlogSocialImage` now appends a `&v={timestamp}` parameter to
OG image URLs that point to the `generate-og` Edge Function. The
timestamp is evaluated once at build time (`Date.now()`), so each deploy
produces unique meta tag URLs that bypass crawler caches. Static image
URLs are left untouched.
## Additional context
Only affects the `og:image` and `twitter:image` meta tags — on-site
thumbnails and other image references are unchanged.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Fixed cache refresh behavior for dynamically generated OG images to
ensure updated content is served with each deployment.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#44587
index-delete-mutation.ts and index-create-mutation.ts construct SQL
using raw string interpolation for identifiers (schema, table, column
names) without escaping double quotes. Uses ident() from
@supabase/pg-meta/src/pg-format, same utility already used in the
database-queues mutations.
## Summary by CodeRabbit
* **Refactor**
* Improved identifier quoting/escaping for creating and dropping
database indexes to ensure consistent, safer index operations.
---------
Co-authored-by: Charis Lam <26616127+charislam@users.noreply.github.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Bumped core dependency pins: lodash and lodash-es updated to ^4.18.1;
vite updated to ^7.3.2 for stability and compatibility.
* Updated release-exclusion configuration to shift focus away from
several older packages and prioritize maintenance of currently used
libraries, reducing noise in release workflows.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
The CLI now collects usage telemetry (supabase/cli#5019) with opt-out
via `supabase telemetry disable` or `SUPABASE_TELEMETRY_DISABLED=1`. The
self-hosting docs previously stated "no telemetry" without
distinguishing Docker from the CLI. This PR discloses CLI telemetry
across docs and regenerates the CLI reference spec to include the new
telemetry commands.
## Changes
- Update self-hosting telemetry section: Docker has no telemetry, CLI is
separate with opt-out instructions and link to full telemetry docs
- Regenerate `cli_v1_commands.yaml` from CLI v2.88.0, adding
consolidated `supabase telemetry` reference page
- Add Telemetry category to `common-cli-sections.json` for CLI reference
nav
- Add telemetry section to CLI getting-started guide with opt-out
commands and env vars
## Testing
Tested on Vercel preview:
- [x] `/docs/guides/self-hosting#telemetry` renders with CLI telemetry
note and link to full docs
- [x] `/docs/reference/cli/supabase-telemetry` renders single
consolidated reference page
- [x] `/docs/guides/local-development/cli/getting-started#telemetry`
shows opt-out section
## Linear
- fixes GROWTH-754
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Updates the date of the OIDC article
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated blog post publication date.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Ivan Vasilov <vasilov.ivan@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
This PR adds support for configuring end-user IP address forwarding to
Supabase Auth, as well as docs explaining the feature.
## What is the current behavior?
These settings don't exist in Studio. Users that wish to enable IP
address forwarding must do so through the management API.
## What is the new behavior?
Users can enable IP address forwarding in Studio directly without
needing to use the management API.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added an "IP Address Forwarding" toggle in Auth rate limit settings as
a separate section with its own Save/Cancel behavior.
* **Documentation**
* Added a guide detailing when/how to forward end-user IPs, how to
enable the setting, required key types, Management API examples, and an
SDK/SSR snippet.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Cemal Kılıç <cemalkilic@users.noreply.github.com>
## Problem
The disk throughput chart on the database observability report was gated
to Team plan and above. This prevented Free and Pro tier users from
seeing disk throughput data, which is a useful self-debugging aid when
hitting DiskIO-related resource exhaustion, especially on smaller
instances where baseline throughput limits are a major constraint.
The gate was originally introduced to reduce load on the metrics
infrastructure while observability queries were being scaled. That
constraint no longer applies.
## Fix
Remove the `entitlement` and `requiredPlan` fields from the
`disk-throughput` chart config in
`apps/studio/data/reports/database-charts.ts`. The rendering logic in
the database observability page only shows the upsell prompt when
`chart.entitlement` is set, so removing it makes the chart render
unconditionally for all tiers.
## How to test
- Open the database observability report at
`/project/<ref>/observability/database` on a Free or Pro project
- Confirm the Disk Throughput chart is visible and showing data (not an
upsell card)
- Confirm the chart still works correctly on a Team or Enterprise
project
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Removed plan-based access restrictions from disk-throughput metrics,
making them available to all users.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
New troubleshooting guide for PostgREST
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added a troubleshooting guide explaining why unqualified object names
can fail when multiple schemas are exposed and how to resolve it
(reorder schemas, initialize the client with a schema, or set schema per
request).
* Added a troubleshooting entry for the "schema
pg_pgrst_no_exposed_schemas does not exist" PostgREST error, describing
typical logs, causes, and when it appears if the Data API is disabled.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Jeremias Menichelli <jmenichelli@gmail.com>
