feat(api): flip auto_expose_new_tables default to false#5524
Conversation
…ecate explicit true Implements the 2026-05-30 cloud flip for the tri-state [api].auto_expose_new_tables flag: - Unset now behaves as false: the default Data API GRANTs on the public schema are revoked so new entities require explicit GRANTs. Go's ApplyApiPrivileges only short-circuits on explicit true, and the next shell read site / stack library default flip from `?? true` to `?? false`. - Explicit true keeps the legacy auto-expose behaviour but now emits a one-time deprecation warning (Go config validation + next start command) pointing at the 2026-10-30 removal. - Updated the config.toml templates, config schema descriptions, and docs config reference to describe the new implicit default and removal date. Tests cover all three states (unset, true, false) in Go and TS, plus the deprecation warning.
Replace the repeated three-statement default-privilege revoke mock chain across the start, reset, and diff tests with a single helper.MockApiPrivilegesRevoke(conn) helper, mirroring the existing MockMigrationHistory pattern. The helper is self-contained (no start import) to avoid an import cycle with the start package's internal tests.
This comment has been minimized.
This comment has been minimized.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a16f3127cc
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Supabase CLI previewnpx --yes https://pkg.pr.new/supabase@5524Preview package for commit |
The auto_expose_new_tables default flip means database setup now revokes the default Data API GRANTs when the flag is unset, which broke the shared-mock tests in internal/start and internal/migration/squash that did not expect the revoke statements. Route them through the existing helper.MockApiPrivilegesRevoke helper. Also revert the @supabase/stack createStack library default back to true: the issue only flips the implicit default at the start-command read site, which passes the resolved value explicitly. Flipping the library fallback would silently revoke privileges for callers that do not read project config (functions dev, branches switch), losing an explicit `= true` opt-in.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fda05ee6a5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
After merging develop, the new TestSetupShadowDatabase exercises the extracted SetupShadowDatabase, which runs ApplyApiPrivileges during the platform baseline. With auto_expose_new_tables unset the revoke now runs between the initial schema and the regression template, so route the mock through helper.MockApiPrivilegesRevoke.
Coverage Report for CI Build 27214624907Warning Build has drifted: This PR's base is out of sync with its target branch, so coverage data may include unrelated changes. Coverage increased (+0.006%) to 64.642%Details
Uncovered ChangesNo uncovered changes found. Coverage Regressions20 previously-covered lines in 3 files lost coverage.
Coverage Stats
💛 - Coveralls |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 821a9ecec4
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if utils.Config.Api.AutoExposeNewTables != nil && *utils.Config.Api.AutoExposeNewTables { | ||
| return nil |
There was a problem hiding this comment.
When the flag is unset, this branch now runs the revoke SQL, but the declarative cache key still records the same auto_expose_new_tables=unset token in apps/cli-go/internal/db/declarative/declarative.go:694-698. Users with .temp/pgdelta baseline or declarative catalogs created before the May 30, 2026 flip and no explicit config value will therefore reuse snapshots built with the old auto-expose privileges during db schema declarative generate/sync, which can hide or emit bogus default-ACL diffs until they clear the cache or pass --no-cache; the cache key needs to include the effective default/version for the unset case.
Useful? React with 👍 / 👎.
The pgdelta/declarative baseline cache key folded in the raw tri-state auto_expose_new_tables flag, encoding the unset case as a constant "unset" token. Since baselineVersionToken keys on the Postgres image (not the CLI version), upgrading to the release that flips the implicit default reused caches built before the flip — when unset still meant auto-expose — producing stale default-ACL baselines during db schema declarative generate/sync. Key on the effective value instead: unset now resolves to the same revoke-by-default baseline as explicit false (matching start.ApplyApiPrivileges), so it keys identically to false and differs from the pre-flip "unset" token, self-invalidating stale caches.
3 participants
Implements the May 30, 2026 flip of the
[api].auto_expose_new_tablesimplicit default fromtruetofalse, aligning local behavior with the new cloud default of revoking Data API privileges on newly-created entities in the public schema.Summary
The
auto_expose_new_tablesflag is a tri-state configuration that controls whether new tables, views, sequences, and functions created in thepublicschema are automatically reachable through Data API roles (anon,authenticated,service_role). This change flips the implicit default behavior:true: Preserves legacy auto-expose behavior but emits a deprecation warning; field removed on 2026-10-30false: Revokes GRANTs explicitly (same as unset)Key Changes
Go CLI (
apps/cli-go/):ApplyApiPrivileges()logic to revoke by default when the flag is unset or falseauto_expose_new_tables = truehelper.MockApiPrivilegesRevoke()test utility to reduce duplication across test suitesstart_test.go,reset_test.go, anddiff_test.goto expect privilege revocationTypeScript CLI (
apps/cli/):resolveAutoExposeNewTables()function to handle tri-state flag resolutionstartCommandto emit deprecation warning when flag is explicitlytruetruetofalsein stack configurationDocumentation & Schema:
Implementation Details
The privilege revocation is implemented via SQL statements that revoke default privileges for the
postgresrole on tables, sequences, and functions in the public schema for the Data API roles. This ensures newly-created entities require explicit GRANTs to be exposed through the Data API, matching the cloud platform's security posture.The deprecation warning message includes the removal date (2026-10-30) to guide users toward removing the configuration field during the transition window.
https://claude.ai/code/session_01W2z1un8QYhPvaSpdzwDP6F