[codex] Fix post-merge pricing CI and config hardening

[riderx]

Summary

• pin the Supabase CLI in CI to avoid the new runner regression
• keep remote pricing config from overriding Supabase connection settings
• add a regression test for the config merge behavior

Verification

• bun typecheck
• bunx eslint src/services/supabase.ts tests/supabase-config.unit.test.ts
• bunx vitest run tests/supabase-config.unit.test.ts

Summary by CodeRabbit

• Bug Fixes

  • Fixed Supabase CLI compatibility issue in GitHub Actions by pinning a specific version.

• Chores

  • Adjusted build-time credit pricing and restructured pricing tier display system across all supported languages.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR refactors credit pricing from hardcoded tier strings to a dynamic, data-driven system. It introduces a new creditPricing service module, updates i18n locales with generic tier templates, enhances backend functions to support organization-scoped pricing and build-time metrics, and refactors frontend components to derive pricing display from database steps.

Changes

Cohort / File(s)	Summary
GitHub Actions & Build .github/workflows/tests.yml	Pins Supabase CLI to version: 2.84.2 to avoid regression in 2.90.0 affecting local test-db startup.
Internationalization (en.json) messages/en.json	Removes 60 hardcoded tier-specific pricing keys for bandwidth/build-time/MAU/storage; adds 8 new parameterized keys (credits-plan-overage, credits-pricing-price, tier templates, unit labels) enabling data-driven tier rendering.
Internationalization (Other Locales) messages/{de,es,fr,hi,id,it,ja,ko,pl,pt-br,ru,tr,vi,zh-cn}.json	Removes identical 60 hardcoded tier-specific pricing keys across all locales; section headings/descriptions retained.
i18n Module src/modules/i18n.ts	Introduces FALLBACK_LOCALE constant and ensureLanguageLoaded() helper; updates loadLanguageAsync() to enforce fallback locale loading before any requested language and improve duplicate-load detection.
Credit Pricing Service src/services/creditPricing.ts	New module exporting CreditPricingStep interface, metric ordering constants, and formatting utilities (formatCreditPricingPrice, formatCreditPricingTierLabel, formatIncludedThenPrice) for tier labels and currency display.
Supabase Service src/services/supabase.ts	Adds mergeRemoteConfig() for selective remote config override; replaces direct capgo_credits_steps queries with new getCreditPricingSteps() and calculateCreditCost() functions; introduces typed interfaces for cost calculation request/response.
Credits Settings Page src/pages/settings/organization/Credits.vue	Replaces hardcoded creditPricingSectionsConfig with data-driven creditPricingSteps-based rendering; removes direct Supabase queries in favor of getCreditPricingSteps() service call.
Plans Settings Page src/pages/settings/organization/Plans.vue	Refactors planFeatures() to use formatCreditPricingPrice() and formatIncludedThenPrice() for dynamic plan feature descriptions.
Usage Settings Page src/pages/settings/organization/Usage.vue	Replaces getCreditUnitPricing()-based overage calculation with calculateCreditCost() RPC; adds currency formatting helpers; switches to filtered deduction aggregation within billing cycle window.
Backend Credits Function supabase/functions/_backend/private/credits.ts	Extends CostCalculationRequest with optional build_time and org_id; replaces direct step queries with getScopedCreditSteps() enforcing JWT-based org access control and prioritizing org-scoped tiers over global ones.
Webhook Authorization supabase/functions/_backend/public/webhooks/index.ts	Adds assertWebhookOrgPolicy() helper for API-key policy validation; integrates org-scoped policy check into checkWebhookPermissionV2 for API-key auth path.
Database Migrations supabase/migrations/20260408134842_adjust_build_time_credit_pricing.sql	Updates build-time credit tier pricing (price_per_unit reduced from 0.50/0.45/0.40/0.35/0.30/0.25 to 0.16/0.14/0.12/0.10/0.09/0.08) and inserts missing tier rows.
Database Seed supabase/seed.sql	Updates build-time tier price_per_unit values to match migration.
Integration Tests supabase/tests/32_test_usage_credits.sql	Adds assertions for build-time credit step pricing; verifies repricing scenario with dynamic tier updates.
Test Utilities & Suites tests/{bundle-error-cases,bundle,webhooks}.test.ts	Refactors test setup to use createAppVersions helper and RPC-based API key creation; adds putBundleToChannelWithRetry() with exponential backoff.
New Unit Tests tests/{credit-pricing-ui.unit.test.ts,credits-pricing.test.ts,i18n-fallback.unit.test.ts,supabase-config.unit.test.ts}	Adds suites validating credit pricing formatting, cost calculation API, i18n fallback loading, and remote config merging.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• feat: credit system v2 #1231: Modifies credit pricing steps, i18n strings, and related API/service code for credits subsystem.
• [codex] Share build minute pricing credits #1900: Updates the same build-time pricing migration/seed and backend private/credits function, plus Usage.vue overage calculations.
• Build_system #1244: Adds and wires build_time credit metric across DB tiers, pricing functions, and APIs.

Suggested labels

codex, enhancement

Poem

🐰 Pricing tiers no longer hardcoded in stone,
Data-driven credits now reign on the throne!
From en.json templates to org-scoped grace,
Dynamic pricing fits every place! ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete compared to the template. It lacks the Test plan and Screenshots sections, and the Checklist is entirely missing.	Add a Test plan section with detailed testing steps, include Screenshots if applicable, and complete the Checklist with checkboxes marked as appropriate for this change.
Docstring Coverage	⚠️ Warning	Docstring coverage is 3.13% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title accurately reflects the main changes: pinning Supabase CLI in CI and hardening config to prevent remote pricing from overriding Supabase connection settings.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/build-minute-credit-system

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.1.0)

supabase/migrations/20260408134842_adjust_build_time_credit_pricing.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

supabase/tests/32_test_usage_credits.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing codex/build-minute-credit-system (47a647b) with main (d7ea9fd)}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	plausible-tracker@​0.3.9
	simple-git-hooks@​2.13.1
	unplugin-vue-macros@​2.14.5
	unplugin-formkit@​0.3.0
	vue-turnstile@​1.0.11
	vitest@​4.1.4
	vite-plugin-environment@​1.1.3
	stripe@​22.0.1
	mime@​4.1.0
	vue-chartjs@​5.3.3
	pinia@​3.0.4
	vite-plugin-vue-layouts@​0.11.0
	vue-demi@​0.14.10
	vite@​8.0.8
	tailwindcss@​4.2.2
	vue-sonner@​2.0.9
	vite-plugin-vue-devtools@​8.1.1
	vite-plugin-devtools-json@​1.0.0
	vite-plugin-pwa@​1.2.0
	semver@​7.7.4
	unplugin-auto-import@​21.0.0
	unplugin-icons@​23.0.1
	zod@​4.3.6
	pg@​8.20.0
	typescript@​6.0.2
	jose@​6.2.2
	supabase@​2.91.1
	vue-router@​5.0.4
	vue@​3.5.32
	vue-tsc@​3.2.6
	wrangler@​4.82.2
	vite-plugin-webfont-dl@​3.12.0
	sass@​1.99.0
See 3 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm vite is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: package.json → npm/vite@8.0.8 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@8.0.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[riderx]

Superseded by #1912, which uses a clean branch from current main so the review scope is limited to the actual 3-file post-merge fix.