feat(cli): add [api].auto_expose_new_tables to opt out of Data API default privileges

Cloud now exposes a "Default privileges for new entities" toggle that, when
disabled, revokes the default GRANTs to anon/authenticated/service_role on
schema public so freshly-created tables, views, sequences, and functions are
not reachable through the Data API without explicit GRANTs (supabase/supabase
discussion #45329). Local Supabase had no equivalent: bootstrap always
installed the default GRANTs, forcing users who opted in on cloud to keep
their local schema out of sync or ship a project-specific revoke migration.

Add an opt-in flag under [api] with default true (preserving today's local
behaviour) and have the local DB bootstrap run the same revoke SQL Studio
runs at cloud project creation when the flag is false. The flag is wired
through both the Go CLI (covering `supabase db reset` and legacy
`supabase start`) and the TypeScript stack bootstrap (covering the new
`supabase start` foreground/background flows in apps/cli/next).

https://claude.ai/code/session_011pZGRjHtkxjt1iZj5LYrqq

Author: claude

apps/cli-go/internal/db/reset/reset.go

@@ -146,7 +146,10 @@ func initDatabase(ctx context.Context, options ...func(*pgx.ConnConfig)) error {
 		return err
 	}
 	defer conn.Close(context.Background())
-	return start.InitSchema14(ctx, conn)
+	if err := start.InitSchema14(ctx, conn); err != nil {
+		return err
+	}
+	return start.ApplyApiPrivileges(ctx, conn)
 }
 
 // Recreate postgres database by connecting to template1

apps/cli-go/internal/db/start/start.go

@@ -384,6 +384,9 @@ func SetupDatabase(ctx context.Context, conn *pgx.Conn, host string, w io.Writer
 	if err := initSchema(ctx, conn, host, w); err != nil {
 		return err
 	}
+	if err := ApplyApiPrivileges(ctx, conn); err != nil {
+		return err
+	}
 	// Create vault secrets first so roles.sql can reference them
 	if err := vault.UpsertVaultSecrets(ctx, utils.Config.Db.Vault, conn); err != nil {
 		return err
@@ -394,3 +397,33 @@ func SetupDatabase(ctx context.Context, conn *pgx.Conn, host string, w io.Writer
 	}
 	return err
 }
+
+// RevokeDefaultDataApiPrivilegesSql matches the SQL that Studio runs at cloud project creation
+// when the "Default privileges for new entities" toggle is off. It removes the default GRANTs
+// applied by the initial schema so newly-created entities in `public` owned by `postgres` are
+// not exposed through the Data API roles until explicit GRANTs are issued.
+const RevokeDefaultDataApiPrivilegesSql = `
+alter default privileges for role postgres in schema public
+  revoke select, insert, update, delete on tables from anon, authenticated, service_role;
+alter default privileges for role postgres in schema public
+  revoke usage, select on sequences from anon, authenticated, service_role;
+alter default privileges for role postgres in schema public
+  revoke execute on functions from anon, authenticated, service_role;
+`
+
+// ApplyApiPrivileges adjusts the default privileges on the `public` schema to match the
+// `[api].auto_expose_new_tables` flag in config.toml. When the flag is true (the default), the
+// initial schema GRANTs are kept as-is to preserve backwards-compatible local behaviour. When the
+// flag is false, the GRANTs to anon/authenticated/service_role are revoked so new tables, views,
+// sequences, and functions created by `postgres` in `public` require explicit GRANTs to surface
+// through the Data API.
+func ApplyApiPrivileges(ctx context.Context, conn *pgx.Conn) error {
+	if utils.Config.Api.AutoExposeNewTables {
+		return nil
+	}
+	file, err := migration.NewMigrationFromReader(strings.NewReader(RevokeDefaultDataApiPrivilegesSql))
+	if err != nil {
+		return err
+	}
+	return file.ExecBatch(ctx, conn)
+}

apps/cli-go/internal/db/start/start_test.go

@@ -259,6 +259,42 @@ func TestSetupDatabase(t *testing.T) {
 		assert.Empty(t, apitest.ListUnmatchedRequests())
 	})
 
+	t.Run("revokes default data api privileges when auto_expose_new_tables is false", func(t *testing.T) {
+		utils.Config.Db.MajorVersion = 14
+		utils.Config.Api.AutoExposeNewTables = false
+		defer func() {
+			utils.Config.Db.MajorVersion = 15
+			utils.Config.Api.AutoExposeNewTables = true
+		}()
+		utils.Config.Db.Port = 5432
+		utils.GlobalsSql = "create schema public"
+		utils.InitialSchemaPg14Sql = "create schema private"
+		// Setup in-memory fs
+		fsys := afero.NewMemMapFs()
+		roles := "create role postgres"
+		require.NoError(t, afero.WriteFile(fsys, utils.CustomRolesPath, []byte(roles), 0644))
+		// Setup mock postgres: the revoke SQL must execute between the initial schema and roles.sql
+		conn := pgtest.NewConn()
+		defer conn.Close(t)
+		conn.Query(utils.GlobalsSql).
+			Reply("CREATE SCHEMA").
+			Query(utils.InitialSchemaPg14Sql).
+			Reply("CREATE SCHEMA").
+			Query("alter default privileges for role postgres in schema public\n  revoke select, insert, update, delete on tables from anon, authenticated, service_role").
+			Reply("ALTER DEFAULT PRIVILEGES").
+			Query("alter default privileges for role postgres in schema public\n  revoke usage, select on sequences from anon, authenticated, service_role").
+			Reply("ALTER DEFAULT PRIVILEGES").
+			Query("alter default privileges for role postgres in schema public\n  revoke execute on functions from anon, authenticated, service_role").
+			Reply("ALTER DEFAULT PRIVILEGES").
+			Query(roles).
+			Reply("CREATE ROLE")
+		// Run test
+		err := SetupLocalDatabase(context.Background(), "", fsys, io.Discard, conn.Intercept)
+		// Check error
+		assert.NoError(t, err)
+		assert.Empty(t, apitest.ListUnmatchedRequests())
+	})
+
 	t.Run("throws error on connect failure", func(t *testing.T) {
 		utils.Config.Db.Port = 0
 		// Run test

apps/cli-go/pkg/config/api.go

@@ -14,6 +14,11 @@ type (
 		Schemas         []string `toml:"schemas" json:"schemas"`
 		ExtraSearchPath []string `toml:"extra_search_path" json:"extra_search_path"`
 		MaxRows         uint     `toml:"max_rows" json:"max_rows"`
+		// When true (default) new tables, views, sequences and functions created in the
+		// `public` schema by `postgres` are automatically reachable through the Data API roles
+		// `anon`, `authenticated`, and `service_role`. Set to false to match the new cloud
+		// default and require explicit GRANTs to expose entities through the Data API.
+		AutoExposeNewTables bool `toml:"auto_expose_new_tables" json:"auto_expose_new_tables"`
 		// Local only config
 		Image     string  `toml:"-" json:"-"`
 		KongImage string  `toml:"-" json:"-"`

apps/cli-go/pkg/config/api_test.go

@@ -134,3 +134,10 @@ func TestApiDiff(t *testing.T) {
 		assertSnapshotEqual(t, diff)
 	})
 }
+
+func TestApiAutoExposeNewTablesDefault(t *testing.T) {
+	t.Run("defaults to true via NewConfig", func(t *testing.T) {
+		cfg := NewConfig()
+		assert.True(t, cfg.Api.AutoExposeNewTables)
+	})
+}

apps/cli-go/pkg/config/config.go

@@ -354,8 +354,9 @@ func NewConfig(editors ...ConfigEditor) config {
 	initial := config{baseConfig: baseConfig{
 		Hostname: "127.0.0.1",
 		Api: api{
-			Image:     Images.Postgrest,
-			KongImage: Images.Kong,
+			Image:               Images.Postgrest,
+			KongImage:           Images.Kong,
+			AutoExposeNewTables: true,
 			Tls: tlsKong{
 				CertContent: kongCert,
 				KeyContent:  kongKey,

apps/cli-go/pkg/config/templates/config.toml

@@ -16,6 +16,11 @@ extra_search_path = ["public", "extensions"]
 # The maximum number of rows returns from a view, table, or stored procedure. Limits payload size
 # for accidental or malicious requests.
 max_rows = 1000
+# When true (default), new tables, views, sequences and functions created in the `public` schema by
+# `postgres` are automatically reachable through the Data API roles `anon`, `authenticated`, and
+# `service_role`. Set to false to match the new cloud default and require explicit GRANTs to expose
+# entities through the Data API.
+auto_expose_new_tables = true
 
 [api.tls]
 # Enable HTTPS endpoints locally using a self-signed certificate.

apps/cli-go/pkg/config/testdata/TestApiDiff/detects_differences.diff

@@ -9,6 +9,6 @@ diff remote[api] local[api]
 +schemas = ["public", "private"]
 +extra_search_path = ["extensions", "public"]
 +max_rows = 1000
+ auto_expose_new_tables = false
  port = 0
  external_url = ""
- 

apps/cli/src/next/commands/start/start.command.ts

@@ -13,6 +13,7 @@ import type * as CliCommand from "effect/unstable/cli/Command";
 import { projectLocalServiceVersionsLayer } from "../../config/project-local-service-versions.layer.ts";
 import { ensureProjectStateIgnored } from "../../config/project-gitignore.ts";
 import { CliConfig } from "../../config/cli-config.service.ts";
+import { ProjectContext } from "../../config/project-context.service.ts";
 import { ProjectHome } from "../../config/project-home.service.ts";
 import { projectLinkStateLayer } from "../../config/project-link-state.layer.ts";
 import { provideProjectCommandRuntime } from "../../config/project-runtime.layer.ts";
@@ -137,6 +138,7 @@ export const startCommand = Command.make("start", flags).pipe(
     const runtimeStateEffect = Effect.gen(function* () {
       const output = yield* Output;
       const cliConfig = yield* CliConfig;
+      const projectContext = yield* ProjectContext;
       const projectHome = yield* ProjectHome;
       const runtimeInfo = yield* RuntimeInfo;
       const stateManager = yield* StateManager;
@@ -151,10 +153,18 @@ export const startCommand = Command.make("start", flags).pipe(
           onSome: (metadata) => metadata.services,
         }),
       );
-      const stackConfig = withServiceVersions(
+      const autoExposeNewTables = Option.match(projectContext.rawProjectConfig, {
+        onNone: () => true,
+        onSome: (config) => config.api.auto_expose_new_tables,
+      });
+      const baseStackConfig = withServiceVersions(
         toStartStackConfig(flags.exclude, flags.mode),
         serviceVersionContext.runtimeVersions,
       );
+      const stackConfig = {
+        ...baseStackConfig,
+        postgres: { ...baseStackConfig.postgres, autoExposeNewTables },
+      };
       const resolvedConfig = yield* Effect.promise(() =>
         resolveDaemonConfig({
           cacheRoot: cliConfig.supabaseHome,

packages/config/src/api.ts

@@ -14,6 +14,7 @@ const defaultPort = 54321;
 const defaultSchemas = ["public", "graphql_public"];
 const defaultExtraSearchPath = ["public", "extensions"];
 const defaultMaxRows = 1000;
+const defaultAutoExposeNewTables = true;
 const defaultTls = {};
 const defaultTlsEnabled = false;
 
@@ -56,6 +57,13 @@ export const api = Schema.Struct({
     tags,
     links,
   }).pipe(Schema.withDecodingDefaultKey(() => defaultMaxRows)),
+  auto_expose_new_tables: Schema.Boolean.annotate({
+    default: defaultAutoExposeNewTables,
+    description:
+      "When true (default), new tables, views, sequences and functions created in the `public` schema by `postgres` are automatically reachable through the Data API roles `anon`, `authenticated` and `service_role`. Set to false to match the new cloud default and require explicit GRANTs to expose entities through the Data API.",
+    tags,
+    links,
+  }).pipe(Schema.withDecodingDefaultKey(() => defaultAutoExposeNewTables)),
   tls: Schema.Struct({
     enabled: Schema.Boolean.annotate({
       default: defaultTlsEnabled,