
feat(config,stack): add auto_expose_new_tables configuration option #5239

Open
avallete wants to merge 2 commits into develop from claude/local-only-data-api-privileges-yL8fw

avallete commented May 12, 2026

Adds a new auto_expose_new_tables configuration option to control whether newly-created tables, views, sequences, and functions in the public schema are automatically exposed through the Data API roles (anon, authenticated, service_role).

Summary

This change introduces a new configuration flag that allows local Supabase stacks to match the cloud default behavior where new entities require explicit GRANTs to be exposed through the Data API, rather than being automatically accessible.

Key Changes

  • Configuration Schema: Added auto_expose_new_tables boolean field to [api] config section (defaults to true for backward compatibility)

    • Updated TypeScript config schema in packages/config/src/api.ts
    • Updated Go config structs in apps/cli-go/pkg/config/api.go
    • Updated config template and defaults in apps/cli-go/pkg/config/config.go
  • Database Initialization: Modified postgres initialization to conditionally revoke default Data API privileges

    • Added REVOKE_DEFAULT_DATA_API_PRIVILEGES_SQL constant in both TypeScript (packages/stack/src/services/postgres-init.ts) and Go (apps/cli-go/internal/db/start/start.go)
    • When auto_expose_new_tables is false, the revoke SQL is executed after schema initialization to remove default GRANTs
    • Applied to both fresh database setup and reset operations
  • Stack Configuration: Threaded the autoExposeNewTables flag through the stack builder

    • Updated PostgresConfig interface to include the new option
    • Passed the flag from project config through to postgres-init service
    • Updated all test fixtures to include the new field
  • CLI Integration: Connected project config to the local stack runtime

    • Modified start.command.ts to read auto_expose_new_tables from project config and pass it to stack configuration

Implementation Details

  • The revoke SQL matches exactly what Supabase Studio runs at cloud project creation when the "Default privileges for new entities" toggle is off
  • Default behavior (true) preserves backward compatibility with existing local stacks
  • When set to false, new tables created by the postgres role in the public schema will not be accessible via the Data API until explicit GRANTs are issued
  • Added comprehensive test coverage for both enabled and disabled states across TypeScript and Go test suites

Close: CLI-1454

https://claude.ai/code/session_011pZGRjHtkxjt1iZj5LYrqq

…fault privileges

Cloud now exposes a "Default privileges for new entities" toggle that, when
disabled, revokes the default GRANTs to anon/authenticated/service_role on
schema public so freshly-created tables, views, sequences, and functions are
not reachable through the Data API without explicit GRANTs (supabase/supabase
discussion #45329). Local Supabase had no equivalent: bootstrap always
installed the default GRANTs, forcing users who opted in on cloud to keep
their local schema out of sync or ship a project-specific revoke migration.

Add an opt-in flag under [api] with default true (preserving today's local
behaviour) and have the local DB bootstrap run the same revoke SQL Studio
runs at cloud project creation when the flag is false. The flag is wired
through both the Go CLI (covering `supabase db reset` and legacy
`supabase start`) and the TypeScript stack bootstrap (covering the new
`supabase start` foreground/background flows in apps/cli/next).

https://claude.ai/code/session_011pZGRjHtkxjt1iZj5LYrqq
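
To check the behaviour that the PR description and the commit message above describe, the following SQL is an added example; it is not code from this pull request and is not the project's REVOKE_DEFAULT_DATA_API_PRIVILEGES_SQL constant. It assumes a local stack started with `auto_expose_new_tables = false` under `[api]`, that objects in schema public are created by the postgres role, and it uses a hypothetical table name, `example_probe`.

```sql
-- Added example; run against the local database as postgres or another
-- role allowed to SET ROLE postgres.

-- 1. List default privileges in schema public that still target the Data API
--    roles. Any row with creator_role = 'postgres' means objects that postgres
--    creates later are still granted to that role automatically.
SELECT pg_get_userbyid(d.defaclrole) AS creator_role,
       CASE d.defaclobjtype
         WHEN 'r' THEN 'tables/views'
         WHEN 'S' THEN 'sequences'
         WHEN 'f' THEN 'functions'
         ELSE d.defaclobjtype::text
       END AS object_type,
       pg_get_userbyid(a.grantee) AS grantee,
       a.privilege_type
FROM pg_default_acl AS d
JOIN pg_namespace AS n ON n.oid = d.defaclnamespace
CROSS JOIN LATERAL aclexplode(d.defaclacl) AS a
WHERE n.nspname = 'public'
  AND pg_get_userbyid(a.grantee) IN ('anon', 'authenticated', 'service_role')
ORDER BY creator_role, object_type, grantee, a.privilege_type;

-- 2. Probe with a throwaway table (hypothetical name), created as postgres
--    inside a transaction that is rolled back at the end.
BEGIN;
SET LOCAL ROLE postgres;
CREATE TABLE public.example_probe (id bigint PRIMARY KEY);

-- has_table_privilege also counts grants made to PUBLIC and to roles the
-- checked role is a member of, so it reflects effective access.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'public.example_probe', 'SELECT') AS can_select,
       has_table_privilege(r.rolname, 'public.example_probe', 'INSERT') AS can_insert
FROM pg_roles AS r
WHERE r.rolname IN ('anon', 'authenticated', 'service_role')
ORDER BY r.rolname;

-- 3. Expose the table deliberately, with only the privilege that is needed,
--    and confirm that only the named role gained it.
GRANT SELECT ON public.example_probe TO authenticated;

SELECT r.rolname,
       has_table_privilege(r.rolname, 'public.example_probe', 'SELECT') AS can_select_after_grant
FROM pg_roles AS r
WHERE r.rolname IN ('anon', 'authenticated', 'service_role')
ORDER BY r.rolname;

ROLLBACK;
```

Running the same statements on a stack with the flag left at its default of true gives a baseline to compare the two probe results against.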
avallete requested a review from a team as a code owner May 12, 2026 18:37
coveralls commented May 12, 2026

Coverage Report for CI Build 25785851202

Coverage decreased (-0.01%) to 63.731%

Details

  • Coverage decreased (-0.01%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 17 coverage regressions across 4 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

17 previously-covered lines in 4 files lost coverage.

| File | Lines Losing Coverage | Coverage |
|---|---|---|
| internal/db/reset/reset.go | 5 | 71.88% |
| internal/db/start/start.go | 5 | 81.23% |
| internal/utils/git.go | 5 | 57.14% |
| internal/storage/rm/rm.go | 2 | 80.61% |

Coverage Stats

Coverage Status
Relevant Lines: 15694
Covered Lines: 10002
Line Coverage: 63.73%
Coverage Strength: 7.07 hits per line

💛 - Coveralls

Fixes the "Check code quality" job failure on PR #5239 — the new
[api].auto_expose_new_tables test block was committed in a non-canonical
shape and oxfmt --check rejected it.

https://claude.ai/code/session_011pZGRjHtkxjt1iZj5LYrqq