feat(cli): port supabase test db and test new#5522
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 617bc838ce
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Supabase CLI previewnpx --yes https://pkg.pr.new/supabase@5522Preview package for commit |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: da955478ae
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 24b8d5a3fc
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Native TypeScript port of `supabase test db` and `supabase test new` into the legacy shell, replacing the Go proxies (CLI-1318). - test new: writes supabase/tests/<name>_test.sql from the embedded pgtap template; matches Go's relative-path output and exit codes. - test db: --db-url/--local/--linked + variadic paths; connects via @effect/sql-pg to enable/disable pgTAP, then runs supabase/pg_prove:3.36 through `docker run`. Honors --network-id and the db-url/linked/local mutual-exclusivity check byte-for-byte with cobra. - New shared infra for upcoming db ports: LegacyDbConnection (driver seam), LegacyDbConfigResolver (--db-url/--local/--linked + linked login-role, pooler, network-ban unban, backoff), LegacyDockerRun (one-shot container). - The Management API stack is built lazily on the --linked branch only, so --local/--db-url stay auth-free. pgTAP "already installed" detection uses a pre-check (sql-pg has no OnNotice hook) — equivalent drop-skip behavior. Credentials are kept out of error messages (docker spawn failure, db-url parse failure). Closes CLI-1318
Address Codex review findings on the test db / test new port: - pgTAP pre-existence check now keys off the extension name only (any schema), so a user-installed pgTAP in e.g. public is not dropped. - Read the linked pooler URL from supabase/.temp/pooler-url (where link writes it); the config.toml [db.pooler] field is toml:"-" in Go. - Fail on a malformed config.toml instead of silently defaulting; an absent file still uses defaults (matches config.Load). - Carry the Supavisor ?options=reference=<ref> startup param through to the connection for the legacy pooler-URL format. - Run SET SESSION ROLE postgres after connecting as a supabase_admin / cli_login_* role (Go's ConnectByConfigStream AfterConnect). - Derive the local DB host from SUPABASE_SERVICES_HOSTNAME / tcp DOCKER_HOST (shared legacyGetHostname, hoisted from gen types). - Resolve pooler_host from the active profile (built-in table or YAML pooler_host:) instead of recomputing it from the profile name.
Address the parity divergences flagged in the Codex review of the
`test db` port:
- Sanitize the configured `project_id` before naming the local docker
network. Go runs `sanitizeProjectId` on `c.ProjectId`
unconditionally (config.go:471) before `GetId` derives
`supabase_network_<id>`, so a configured value like "my project"
joins the same network the local stack created. The port previously
only sanitized the cwd-basename fallback.
- Enable TLS for remote connections. Go uses TLS for remote
(`ConnectByUrl`: pgx `sslmode=prefer` with non-TLS fallbacks
stripped) and disables it for local (`ConnectLocalPostgres` sets
`TLSConfig=nil`). The driver now sets `ssl: { rejectUnauthorized:
false }` for remote (no cert verification, matching pgx) via a new
`isLocal` connect option, threaded from the resolver and the pooler
temp-role probe.
- Keep stdout reserved for the pg_prove TAP stream. Go writes
"Connecting to {local|remote} database..." to stderr; the port used
`output.task`, which renders a clack spinner on stdout (text) and
emits JSON log events on stdout (stream-json), corrupting the TAP
stream. Emit the diagnostic via `output.raw(..., "stderr")` instead.
Updates SIDE_EFFECTS.md and the connect-path e2e comment, and adds
integration coverage for the stderr diagnostic, the remote label, and
project_id sanitization.
Coly010
force-pushed
the
cli/port-test-db
branch
from
24b8d5a to
c9e5648
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c9e5648bf5
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Close the three unresolved Codex threads on the test db port, all rooted in the --db-url/remote path not reproducing Go's pgconn.ParseConfig → ConnectByUrl: - Honor --dns-resolver https for remote connects via Cloudflare DoH (legacy-db-dns.ts), mirroring Go's cc.LookupFunc = FallbackLookupIP; TLS verification still targets the original hostname via ssl.servername. - Honor explicit sslmode in --db-url (legacySslOptionFor): disable → plaintext, verify-ca/verify-full → TLS with verification, otherwise TLS without verification (pgx default for prefer/require). - Accept libpq keyword/value DSNs (host=… dbname=…, incl. unix sockets) alongside URL form (legacy-db-config.parse.ts). Also preserve the libpq options param on the direct --db-url path and turn a malformed percent escape into a redacted parse error instead of an unhandled defect.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: eea9b56858
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
![depthfirst-app[bot]](https://avatars.githubusercontent.com/in/1021002?s=60&v=4){kind=small}
Match Go's mergeFileConfig: only os.ErrNotExist (PlatformError reason "NotFound") falls back to defaults; every other config.toml read error now aborts with LegacyDbConfigLoadError instead of silently running against the default local database.
… ref guard Pass the docker run env (incl. PGPASSWORD) through the spawned docker child's environment via the key-only `-e KEY` form instead of `-e KEY=VALUE`, so credentials no longer appear in `ps`/`/proc/<pid>/cmdline`. This restores the Go CLI's behavior, which ships container env over the Docker socket API (DockerRunOnceWithConfig) and never exposes it in argv. Also align the pooler `reference` check with Go's strings.Cut `found` guard (connect.go:83): a bare `reference` token with no value is accepted, matching Go, which only rejects on an explicit mismatch.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5dfc7e6504
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…n parser A --db-url URL that omits userinfo (postgresql://localhost/mydb) left conn.user empty, diverging from Go's pgconn.ParseConfig which applies the libpq PGUSER/OS-account default. Mirror the keyword/value DSN path so URL DSNs resolve the same default user (and database falls back to that user).
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a94be70ba5
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Go enables sslsni by default (pgconn config.go:768 sets ServerName=host for every TLS sslmode when the host is not a literal IP) and keeps the original hostname in the connection config when --dns-resolver https swaps the dial target for a FallbackLookupIP-resolved address. The port only carried the TLS servername for verify-ca/verify-full, so require/prefer/default connections lost SNI under DoH and could fail against endpoints that route on server name. Carry the original hostname as servername for every remote TLS mode.
Go decodes config.toml through mapstructure with LoadEnvHook (pkg/config/decode_hooks.go), so any string field of the form env(VAR) resolves to the named environment variable when it is set and non-empty. The test db toml reader passed [db].port/shadow_port/password through literally, so an env-backed local stack config connected to 54322/postgres instead of the configured values. Expand env(VAR) for these fields, preserving the literal when the variable is unset to match LoadEnvHook.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e41db48dc0
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Go decodes [db].port/shadow_port into uint16 (pkg/config/db.go:84-85); a value that is present but cannot unmarshal — non-numeric, negative, out of range, or an unresolved env(VAR) string — aborts config.Load rather than defaulting. The toml reader silently fell back to 54322/54320, so test db --local could run against the default local database while hiding a broken project config. Fail with LegacyDbConfigLoadError for present-but-invalid ports; omitted values still use the schema default.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2de496615f
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
pgconn merges settings as mergeSettings(defaultSettings, envSettings, connStringSettings) (config.go:249), so PGUSER takes priority over the OS account when the connection string omits a user. The defaultOsUser helper read only USER/USERNAME, so --db-url postgresql://host/db and keyword DSNs without user= connected as the wrong role (and defaulted the database to it) when PGUSER differed. Consult PGUSER first; an explicit user=/userinfo still wins.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6e2499722d
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…onfig Go's config.Load calls loadNestedEnv before LoadEnvHook (pkg/config/config.go:619), populating the process env from the project's nested .env files so env(VAR) references in config.toml resolve against values defined in supabase/.env* rather than only shell exports. The test db toml reader checked only process.env, so an env-backed [db].port/shadow_port/password failed validation or used the literal env() string. Add loadProjectEnv mirroring loadNestedEnv/loadDefaultEnv: walk supabase/ then the repo root, load .env.<env>.local, .env.local (unless SUPABASE_ENV=test), .env.<env>, .env per directory with godotenv no-override semantics (shell env wins, supabase/ wins over root, earlier filenames win), and abort on a malformed .env. Hoist the godotenv-compatible parseDotEnv from bootstrap into legacy/shared/legacy-dotenv.ts and reuse it.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 66f758e5b9
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
… comments Two pgconn/godotenv parity gaps in the test db connection path: - Connection-string parsing now fills omitted fields from libpq PG* env vars before the hardcoded defaults, matching pgconn's mergeSettings(defaultSettings, envSettings, connStringSettings): PGPASSWORD, PGHOST, PGPORT, PGDATABASE for both the URL and keyword/value DSN forms, with an absent host falling back to libpq's unix-socket/localhost default. Explicit connection-string fields still win. - parseDotEnv now strips unquoted inline comments (a '#' preceded by whitespace) and discards trailing comments after a quoted value, matching godotenv's extractVarValue, so env(VAR) references resolve to the value without the comment. It also fails on an unterminated quoted value. Move the parseDotEnv tests alongside the hoisted source in legacy-dotenv.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d1217db13e
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4899ae7c83
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Go's FallbackLookupIP returns every A/AAAA address and pgconn's expandWithIPs dials them in order, but the DoH helper kept only the first, so an unreachable first answer (e.g. an AAAA record on an IPv4-only network with a working A record later) failed the connection before pgTAP started. legacyResolveHostsOverHttps now returns the full address list. The connect path builds an ordered attempt list mirroring pgconn's fallback loop — each TLS config (allow's plaintext→TLS fallback included) expanded across every resolved address — and retries each, probing non-final attempts with select 1 to force the lazy pg connection. The single-attempt common path is unchanged. This also subsumes the previous allow-only fallback special-case.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 563c9095d1
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
legacyBuildConnectionUrl interpolated a bare IPv6 literal into the URL (postgresql://...@::1:5432/...), so new URL() threw before any connection attempt. This hit direct IPv6 --db-url values carrying ?options=... and the DoH path when a Supavisor URL resolves to an AAAA address. Wrap an IPv6 literal host in brackets, matching Go's ToPostgresURL (net.JoinHostPort). The discrete-field path is unaffected since the pg driver accepts a bare IPv6 host.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 85ba357228
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
loadProjectEnv swallowed every .env read error as None, but Go's loadEnvIfExists ignores only os.ErrNotExist and returns other I/O errors, aborting before env() expansion. An unreadable .env (e.g. permissions) could make test db --local reject a valid env-backed port or use the wrong password while hiding the real error. Distinguish NotFound (skip) from other read errors (fail with LegacyDbConfigLoadError), matching the config.toml read path.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dc95ef8998
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Go's loader enables viper SetEnvPrefix("SUPABASE") + EnvKeyReplacer(".","_")
+ AutomaticEnv() (config.go:487-492), so SUPABASE_DB_PORT, SUPABASE_DB_SHADOW_PORT,
and SUPABASE_DB_PASSWORD override the [db] fields before the TOML value/default.
The reader used only the TOML value, so a local stack started with those
overrides could run on a different port/password while test db --local connected
to 54322/postgres. Apply the SUPABASE_DB_* override (from the shell or the
loaded project .env, empty ignored per AllowEmptyEnv=false) ahead of the TOML
value, then through the same env()/uint16 resolution.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 70ac327d88
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
pgconn's parseURLSettings merges URL query parameters last, so libpq URL query settings (?host=/socket, ?port=, ?dbname=, ?user=, ?password=) override the structural userinfo/host/path. The parser only read sslmode/options from the query, so postgresql:///db?host=/var/run/postgresql dialed the wrong host and passed the wrong PGHOST to pg_prove. Merge those query params over the structural parts (query wins, then PG* env, then libpq defaults).
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: df51f5e5bf
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
resolveLinked read SUPABASE_DB_PASSWORD only from process.env, but Go's
loadNestedEnv populates the environment from supabase/.env* (and root .env*)
before viper.GetString("DB_PASSWORD"), so a password defined only in a project
.env was invisible and the linked path tried to mint a temp login role
(requiring Management API auth) instead. Resolve the password from the shell env
or the loaded project .env (legacyLoadProjectEnv, exported), with the shell
value still winning via its no-override map.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bca0cc10c4
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…ery ports Two more parity gaps in the test db config path: - parseDotEnv now ends the key at the first '=' OR ':' (godotenv's locateKeyName supports YAML-style 'KEY: value'), so a project .env using colon assignments for SUPABASE_DB_PASSWORD/DB_PORT is honored instead of treated as malformed. A separator later in the value is preserved (e.g. DB_URL=postgres://h:5432/db). - The db-url parser now rejects a present-but-non-numeric ?port= query override (pgconn's parsePort treats it as a parse error) rather than falling back to PGPORT/5432, so a typo surfaces LegacyDbConfigParseUrlError instead of connecting to an unintended database.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cc4ca5005b
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
pgconn's parseEnvSettings maps PGSSLMODE to the sslmode setting, so an omitted sslmode falls back to PGSSLMODE before the TLS-mode default. The parser only read sslmode from the URL query/DSN keyword, so PGSSLMODE=disable (plaintext) or verify-full (verification) was ignored and legacySslOptionFor(undefined) forced TLS-without-verification. Merge PGSSLMODE in both the URL and keyword/value paths; an explicit connection-string sslmode still wins.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cb62fb9a00
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
libpqPort returned 5432 for a present-but-non-numeric PGPORT, but pgconn's parsePort reports an invalid port parse error after merging PGPORT. So a typo like PGPORT=abc on a db-url/DSN that omits the port silently ran against 5432. libpqPort now returns undefined for a non-numeric value (unset still defaults to 5432), and both parse paths reject the DSN when the PGPORT fallback is invalid.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bc004087ec
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
pgconn merges a ?port= query setting over the structural port and then parses it, so an explicit query port that is empty (?port=) or non-numeric is an invalid connection string. The parser treated an empty query value as absent and fell back to PGPORT/5432. Now a present ?port= override (even empty) must be a valid number, else the DSN is rejected with LegacyDbConfigParseUrlError.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ecd9b83fb1
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Go passes supabase/pg_prove:3.36 through DockerStart → GetRegistryImageUrl (docker.go:195-203), honoring SUPABASE_INTERNAL_IMAGE_REGISTRY and the default ECR mirror. The handler passed the hard-coded Docker Hub image straight to docker run, which fails in restricted/rate-limited environments. Add legacyGetRegistryImageUrl (1:1 port of Go's GetRegistry/GetRegistryImageUrl) in legacy/shared and resolve the pg_prove image through it before docker.run: unset → public.ecr.aws/supabase/pg_prove:3.36, docker.io → unchanged, custom → <registry>/supabase/pg_prove:3.36.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3d6d8aecc0
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…est db TLS
Two more pgconn TLS-parity gaps:
- pgconn's configTLS returns {tlsConfig, nil} for prefer (and the unset default),
i.e. TLS primary with a plaintext fallback, but the connect attempt list only
tried TLS — regressing prefer/unset DSNs against plaintext-only servers.
Extracted legacySslConfigsFor (the pgconn fallback list per sslmode) so connect
retries plaintext after TLS for prefer/unset, plaintext-then-TLS for allow, and
TLS-only for require/verify-*.
- verify-ca mapped to Node's full rejectUnauthorized (hostname included), but
pgconn's verify-ca verifies the CA chain and skips hostname (empty DNSName in
VerifyPeerCertificate). Set checkServerIdentity to a no-op for verify-ca so the
chain is verified without rejecting a non-matching hostname; verify-full keeps
full hostname verification.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c7958d30bb
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Two more pgconn TLS-parity gaps: - pgconn's configTLS errors for any sslmode outside disable/allow/prefer/require/ verify-ca/verify-full; the parser treated an unknown value like 'bogus' as prefer. Both parse paths now reject an invalid sslmode (LegacyDbConfigParseUrlError). - A DSN with sslmode=require + sslrootcert (or PGSSLROOTCERT) requested CA validation but the parsed config never carried the root cert, so TLS stayed unverified. Parse sslrootcert into LegacyPgConnInput; connect loads the CA bundle and legacySslConfigsFor pins it into the verifying modes, promoting require+rootcert to verify-ca like pgconn.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0d23fb7279
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
pgconn's ParseConfig reads ~/.pgpass (or PGPASSFILE) into config.Password when the password is omitted, and test.go passes it to pg_prove as PGPASSWORD. The parser resolved an omitted password to empty (unless PGPASSWORD was set), so pgpass-authenticated DSNs failed. Add legacy-pgpass (a 1:1 port of jackc/pgpassfile: parse + FindPassword with * wildcards and \/\: escapes, PGPASSFILE/~/.pgpass path, unix-socket→localhost) and resolve the password as connection-string → PGPASSWORD → .pgpass in both parse paths.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e738ae2b9c
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
1 participant
What changed
Native TypeScript port of
supabase test dbandsupabase test newinto the legacy shell (stable channel), replacing the Phase-0 Go proxies.test new— writessupabase/tests/<name>_test.sqlfrom the embedded pgtap template; matches Go's relative-path success message, file location, and exit codes.--template(pgtap).test db—--db-url/--local/--linked+ variadic paths. Connects via@effect/sql-pgto enable/disable the pgTAP extension, then runssupabase/pg_prove:3.36throughdocker run(read-only volume mounts,--security-opt label:disable, local docker network or host networking). Honors--network-id, and thedb-url/linked/localmutual-exclusivity is byte-for-byte identical to Go's cobra error.New shared infrastructure (for upcoming
db reset/db dumpports)LegacyDbConnection— Postgres connection seam (single swap point for the driver).LegacyDbConfigResolver—--db-url/--local/--linkedresolution, including the linked sub-flow (temp login-role viaV1CreateLoginRole, pooler fallback with a public-suffix MITM domain check, network-ban unban, backoff). Ports Go'sflags.ParseDatabaseConfig+NewDbConfigWithPassword.LegacyDockerRun— one-shotdocker runrunner.The Management API stack is built lazily on the
--linkedbranch only, so--local/--db-urlnever resolve an access token (auth-free, matching Go).Reviewer notes
@effect/sql-pg(4.0.0-beta.75, pure-JSpg); verified it bundles and round-trips underbun build --compile.PgClientexposes noOnNoticehook, so "already installed" is detected with apg_extensionpre-check before enabling — equivalent observable behavior to Go's notice-code 42710 callback.SIDE_EFFECTS.md):test dbhas no--output-formatmachine envelope (Go has none; TAP streams to stdout in all modes); the[images] pgproveconfig override is not modeled by the TS config schema.Known follow-up
The
--linkedsub-flow (login-role / pooler / unban / backoff) is implemented and type-checked but lacks a dedicated integration test — it requires the real management runtime with a mocked HTTP transport and a real linked project to verify faithfully. The local/db-url resolver paths andtomlparsing are covered.Closes CLI-1318