TML-2503: Supabase-internal namespaces via a secondary db.supabase root (slice D)#845
Conversation
@prisma-next/extension-author-tools
@prisma-next/mongo-runtime
@prisma-next/family-mongo
@prisma-next/sql-runtime
@prisma-next/family-sql
@prisma-next/extension-arktype-json
@prisma-next/middleware-cache
@prisma-next/mongo
@prisma-next/extension-paradedb
@prisma-next/extension-pgvector
@prisma-next/extension-postgis
@prisma-next/postgres
@prisma-next/sql-orm-client
@prisma-next/sqlite
@prisma-next/extension-supabase
@prisma-next/target-mongo
@prisma-next/adapter-mongo
@prisma-next/driver-mongo
@prisma-next/contract
@prisma-next/utils
@prisma-next/config
@prisma-next/errors
@prisma-next/framework-components
@prisma-next/operations
@prisma-next/ts-render
@prisma-next/contract-authoring
@prisma-next/ids
@prisma-next/psl-parser
@prisma-next/psl-printer
@prisma-next/cli
@prisma-next/cli-telemetry
@prisma-next/config-loader
@prisma-next/emitter
@prisma-next/language-server
@prisma-next/migration-tools
prisma-next
@prisma-next/vite-plugin-contract-emit
@prisma-next/mongo-codec
@prisma-next/mongo-contract
@prisma-next/mongo-value
@prisma-next/mongo-contract-psl
@prisma-next/mongo-contract-ts
@prisma-next/mongo-emitter
@prisma-next/mongo-schema-ir
@prisma-next/mongo-query-ast
@prisma-next/mongo-orm
@prisma-next/mongo-query-builder
@prisma-next/mongo-lowering
@prisma-next/mongo-wire
@prisma-next/sql-contract
@prisma-next/sql-errors
@prisma-next/sql-operations
@prisma-next/sql-schema-ir
@prisma-next/sql-contract-psl
@prisma-next/sql-contract-ts
@prisma-next/sql-contract-emitter
@prisma-next/sql-lane-query-builder
@prisma-next/sql-relational-core
@prisma-next/sql-builder
@prisma-next/target-postgres
@prisma-next/target-sqlite
@prisma-next/adapter-postgres
@prisma-next/adapter-sqlite
@prisma-next/driver-postgres
@prisma-next/driver-sqlite
commit: |
size-limit report 📦
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yml Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (5)
📒 Files selected for processing (7)
✅ Files skipped from review due to trivial changes (2)
🚧 Files skipped from review as they are similar to previous changes (5)
📝 WalkthroughWalkthrough
ChangesService-role extension namespace surface
Estimated code review effort: 4 (Complex) | ~45 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
a93eb6e to
5a4e610
Compare
wmadden
left a comment
There was a problem hiding this comment.
This is the wrong approach. Expose the supabase project as a secondary root
5a4e610 to
31fbe37
Compare
|
Reworked to the secondary-root design (force-pushed as a single clean commit; the merge-design history is gone).
Why a separate root and not a merge: the runtime is contract-bound by The four inline threads are addressed and resolved. Independent review confirmed: one shared pool, Ready for re-review. |
…db.supabase root
Admin reads of auth.*/storage.* are a SEPARATE secondary root on the
service_role-bound db: db.asServiceRole().supabase.{sql,orm}. The .supabase
facet is the extension contract's own intact ExecutionContext + a second
SupabaseRuntimeImpl bound to it, sharing the app runtime's driver/pool +
service_role session, with marker-verification off. The two contracts are NOT
merged (a merge breaks the storageHash-bound validatePlan, codec-registry
uniqueness, and the marker check). asServiceRole().sql/.orm stay app-only;
asUser/asAnon are unchanged (no .supabase).
- runtime: SupabaseInternalDb + ServiceRoleDb<TContract>, buildExtensionContract,
extContext/extRuntime; asServiceRole() gains .supabase. ext-contract-type names
the extension Contract without a bare `as` (lint:casts delta 0).
- tests: integration reads auth.users via .supabase.sql + .orm (SQL targets
"auth"."users"; current_setting(role)=service_role); type test proves the
secondary root carries auth/storage while the primary root + asAnon/asUser do not.
- docs: decision C15 (secondary root, the rejected merge, the aggregate-contract
future), deferred.md (aggregate-contract runtime), slice spec, plan.md, overview.md.
Reviewed (opus): APPROVE-WITH-NITS; nits applied (transaction-omission doc comment).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: willbot <w.a.madden+machine@gmail.com>
check:upgrade-coverage requires a per-PR declaration when a PR touches examples/ or packages/3-extensions/. Slice D is purely additive (new db.asServiceRole().supabase admin root; the removed WithExtensionNamespaces was never released), so both touches are incidental — append an incidental note to the user- and extension-author-upgrade 0.14->0.15 instructions (changes arrays unchanged: user changes: [], ext-author block). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: willbot <w.a.madden+machine@gmail.com>
138ced9 to
41d1248
Compare
Linked issue
Refs TML-2503. Slice D of extension-supabase (slice A merged in #839). Slice contract:
projects/extension-supabase/slices/d-service-role-internal-namespaces/spec.md; design in decision C15.At a glance
Decision
Admin access to Supabase-internal tables (
auth.*,storage.*) is exposed as a separate secondary rootdb.asServiceRole().supabase— not by merging the extension contract into the app contract (a first attempt did that; rejected in review). The.supabasefacet is the extension contract's own intactExecutionContext+ a secondSupabaseRuntimeImplbound to it, sharing the app runtime's driver/pool + theservice_rolesession, with marker-verification off (theexternalextension contract owns no app-space marker).asServiceRole().sql/.ormstay app-contract-only;asUser/asAnonare unchanged (no.supabase).Why a separate root, not a merge
The runtime is contract-bound by
storageHash:SqlFamilyAdapter.validatePlanassertsplan.meta.storageHash === context.contract.storage.storageHash. A plan built against the extension contract carries the extension's hash and can't run on the app runtime — so the two roots are genuinely separate (own context + own runtime), sharing only the driver/pool. Merging twoContracts also breaks codec-registry uniqueness and the marker check. Two intact contexts/runtimes sharing one pool is the ADR 230 pattern.Behavior changes & evidence
db.asServiceRole().supabase.{sql,orm}query the extension contract;asServiceRole().sql/.ormare app-only;asUser/asAnonhave no.supabase. Impl:packages/3-extensions/supabase/src/runtime/supabase.ts(SupabaseInternalDb,ServiceRoleDb,buildExtensionContract,extContext/extRuntime). Evidence:examples/supabase/test/explicit-namespace-query.integration.test.ts(readsauth.usersvia.supabase.sqland.orm; SQL targets"auth"."users";current_setting('role') = 'service_role') +service-role-namespaces.test-d.ts(type-level: secondary root carriesauth/storage; primary root +asAnon/asUserdo not).Reviewer notes
service_rolebinding intact on the ext path, marker-verify correctly scoped (ext off, app on), noauth.*leak to anon/user, per-contractvalidatePlan. The one acted nit (doc comment explainingSupabaseInternalDbomitstransaction) is applied.ext-contract-type.tsis a no-astype alias naming the extensionContractdistinctly from the frameworkContract(keepslint:castsdelta 0).transactionspanning the app root and.supabase(separate runtimes, unpinned connections). The principled fix — aRuntimebound to the aggregate contract — is recorded as future direction in C15 +deferred.md.Testing performed
pnpm exec turbo run typecheck test lint --filter @prisma-next/example-supabase --filter @prisma-next/extension-supabase— green (example suite 9 tests, incl. the.supabasesql+orm reads).pnpm lint:castsdelta 0;pnpm lint:depsclean. CI re-running on push.Skill update
n/a — the only user-facing surface change (the
asServiceRole().supabaseadmin root) is documented in decision C15 +overview.md; no CLI/config/error-code change.Checklist
git commit -s).Summary by CodeRabbit
db.asServiceRole().supabaseadmin root that enables service-role access to Supabase internal namespaces (e.g.,auth,storage) via.sqland.orm, while keeping the primaryasServiceRole()surface restricted topublic.service_role,anon, and user/JWT namespace visibility..supabasesurface and related exported types.