feat(db): add supabase db advisors command for checking security and performance issues #4957

Merged
Rodriguespn merged 3 commits into develop from feat/db-advisors on Mar 17, 2026

feat(db): add supabase db advisors command for checking security and performance issues#4957
Rodriguespn merged 3 commits intodevelopfrom
feat/db-advisors

Conversation

@Rodriguespn (Contributor)
Summary

Add a supabase db advisors command that checks the database for security and performance issues — the CLI equivalent of the get_advisors MCP tool.

Why do we need this if we already have get_advisors in the MCP server?

Same reasoning as supabase db query (#4955): the MCP server works well for agents that go through the OAuth flow for remote projects, but for local development the human still has to reload the agent session to load MCP tools into context. This adds friction to a path that should be fully agentic (no human in the loop).

With this command, an agent can check the security posture of the local database using just the CLI — no MCP configuration needed.

Example use case: security-aware migrations. The agent applies a migration that creates new tables, then runs supabase db advisors --type security to verify RLS is enabled and policies exist. If issues are found, the agent can fix them before committing the migration. Today this requires the get_advisors MCP tool to be configured. With this command, the entire flow only needs the CLI.

Implementation

  • Local (supabase db advisors, default): Executes the same splinter SQL lints that the Studio dashboard runs. Uses pgx to connect directly to the local Postgres — consistent with every other local db subcommand (push, pull, diff, lint, test, reset, dump). Runs in a read-only transaction (always rolled back). No extensions required.
  • Remote (supabase db advisors --linked): Calls the Management API endpoints (GET /v1/projects/{ref}/advisors/security and GET /v1/projects/{ref}/advisors/performance), authenticated with the access token from supabase login.

Differences from db lint

|           | db lint                                         | db advisors                                                                              |
|-----------|-------------------------------------------------|------------------------------------------------------------------------------------------|
| Purpose   | Checks PL/pgSQL function bodies for type errors | Checks database security posture and performance issues                                  |
| Scope     | Function-level code quality                     | Schema-level security/performance (RLS, indexes, auth config)                            |
| Extension | Requires plpgsql_check                          | No extensions needed                                                                     |
| Checks    | Syntax/type errors in functions                 | 23 checks: missing RLS, exposed auth.users, unused indexes, missing primary keys, etc.   |

Usage

# Local (default) — checks the local database
supabase db advisors

# Security checks only
supabase db advisors --type security

# Performance checks only
supabase db advisors --type performance

# Remote — checks the linked project via Management API
supabase db advisors --linked

# Include INFO-level issues (default is WARN+)
supabase db advisors --level info

# CI: exit non-zero on errors
supabase db advisors --fail-on error

Test plan

go test ./internal/db/advisors/... — 15 unit tests covering:

  • Local: query parsing, empty results, query errors
  • Filtering: by type (security/performance/all), by level (info/warn/error), combined
  • Output: JSON encoding, no-issues message, fail-on thresholds
  • API: response conversion, security/performance fetch, error handling
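The filtering and threshold behaviour the test plan lists (by type, by level, and --fail-on) can be modelled in a few dozen lines. The program below is an added example, not the CLI's own code, which this page does not show: the Lint struct and its field names are assumed (modelled on the splinter lint output's level and categories), the sample findings are constructed, and the severity order INFO < WARN < ERROR is inferred from the --level and --fail-on flag descriptions above. Note that failOn reuses the single type-agnostic filter, so "all" is the no-op case.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Lint is one advisor finding. Assumed shape modelled on splinter output;
// the CLI's own struct is not shown on the PR page.
type Lint struct {
	Name       string   // lint identifier, e.g. "rls_disabled_in_public"
	Level      string   // "INFO", "WARN" or "ERROR"
	Categories []string // "SECURITY" and/or "PERFORMANCE"
	Detail     string   // human-readable description of the finding
}

// levelRank orders severities so that "--level warn" means WARN and above.
var levelRank = map[string]int{"INFO": 0, "WARN": 1, "ERROR": 2}

// rank maps a level string (any case) to its severity, rejecting unknown values.
func rank(level string) (int, error) {
	r, ok := levelRank[strings.ToUpper(level)]
	if !ok {
		return 0, fmt.Errorf("unknown level %q (want info, warn or error)", level)
	}
	return r, nil
}

// matchesType reports whether a lint belongs to the requested advisor type.
// "all" is a no-op, so one filter serves both the local and the --linked path.
func matchesType(l Lint, typ string) bool {
	if strings.EqualFold(typ, "all") {
		return true
	}
	for _, c := range l.Categories {
		if strings.EqualFold(c, typ) {
			return true
		}
	}
	return false
}

// filterLints keeps the lints of the requested type at or above minLevel.
// A lint carrying an unknown level is an error rather than silently dropped.
func filterLints(lints []Lint, typ, minLevel string) ([]Lint, error) {
	minRank, err := rank(minLevel)
	if err != nil {
		return nil, err
	}
	var out []Lint
	for _, l := range lints {
		r, err := rank(l.Level)
		if err != nil {
			return nil, fmt.Errorf("lint %s: %w", l.Name, err)
		}
		if matchesType(l, typ) && r >= minRank {
			out = append(out, l)
		}
	}
	return out, nil
}

// failOn implements the --fail-on threshold: it returns an error naming every
// lint at or above the threshold, which main turns into a non-zero exit for CI.
func failOn(lints []Lint, threshold string) error {
	hits, err := filterLints(lints, "all", threshold)
	if err != nil || len(hits) == 0 {
		return err
	}
	names := make([]string, 0, len(hits))
	for _, l := range hits {
		names = append(names, l.Name)
	}
	return fmt.Errorf("advisors at or above %s: %s", strings.ToUpper(threshold), strings.Join(names, ", "))
}

// sampleLints is constructed sample data, not real advisor output.
var sampleLints = []Lint{
	{"rls_disabled_in_public", "ERROR", []string{"SECURITY"}, "public.orders is exposed to PostgREST but RLS is disabled"},
	{"auth_users_exposed", "ERROR", []string{"SECURITY"}, "public.profiles exposes auth.users to the anon role"},
	{"function_search_path_mutable", "WARN", []string{"SECURITY"}, "public.handle_new_user has a mutable search_path"},
	{"unused_index", "INFO", []string{"PERFORMANCE"}, "orders_status_idx has never been used"},
	{"no_primary_key", "INFO", []string{"PERFORMANCE"}, "public.events has no primary key"},
}

func main() {
	// Equivalent of: supabase db advisors --type security --fail-on error
	found, err := filterLints(sampleLints, "security", "warn")
	if err == nil {
		for _, l := range found {
			fmt.Printf("%-5s %-30s %s\n", l.Level, l.Name, l.Detail)
		}
		err = failOn(found, "error")
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run as-is, the program lists the three security findings and exits 1 because two of them are ERROR level; swapping the type to "performance" lists nothing at WARN and above and exits 0, which is the behaviour a CI gate on a freshly applied migration relies on.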

@Rodriguespn Rodriguespn self-assigned this Mar 15, 2026
@coveralls commented Mar 15, 2026

Pull Request Test Coverage Report for Build 23192402137

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 118 of 184 (64.13%) changed or added relevant lines in 2 files are covered.
  • 7 unchanged lines in 2 files lost coverage.
  • Overall coverage increased (+0.009%) to 61.901%

| Changes Missing Coverage          | Covered Lines | Changed/Added Lines | %      |
|-----------------------------------|---------------|---------------------|--------|
| cmd/db.go                         | 0             | 24                  | 0.0%   |
| internal/db/advisors/advisors.go  | 118           | 160                 | 73.75% |

| Files with Coverage Reduction     | New Missed Lines | %      |
|-----------------------------------|------------------|--------|
| internal/storage/rm/rm.go         | 2                | 80.61% |
| internal/utils/git.go             | 5                | 57.14% |

Totals Coverage Status
Change from base Build 23187359628: 0.009%
Covered Lines: 8031
Relevant Lines: 12974

💛 - Coveralls

@Rodriguespn Rodriguespn marked this pull request as ready for review March 17, 2026 10:02
@Rodriguespn Rodriguespn requested a review from a team as a code owner March 17, 2026 10:02
Rodriguespn and others added 2 commits March 17, 2026 10:04
…d performance issues

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds the --db-url flag to db advisors, matching the pattern used by
other db commands (lint, diff, dump, etc.). Switches from a dedicated
bool to the standard flag.Changed detection for --linked routing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@avallete (Member) left a comment

Overall LGTM, just a minor nit.

Comment thread on internal/db/advisors/advisors.go (outdated), addressed by the commit:
Remove the separate filterByLevel function and use filterLints with
type "all" instead, since matchesType("all") is a no-op. RunLinked
already selects endpoints by type, so the type filter on results is
redundant — one unified filter function is simpler.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Rodriguespn Rodriguespn enabled auto-merge March 17, 2026 11:41
@Rodriguespn Rodriguespn merged commit 1b568b5 into develop Mar 17, 2026
15 checks passed
@Rodriguespn Rodriguespn deleted the feat/db-advisors branch March 17, 2026 11:45

3 participants