[codex] Fix post-merge pricing CI and config hardening

[riderx]

Summary

• pin the Supabase CLI in CI to avoid the new runner regression
• keep remote pricing config from overriding Supabase connection settings
• add a regression test for the config merge behavior

Verification

• bun typecheck
• bunx eslint src/services/supabase.ts tests/supabase-config.unit.test.ts
• bunx vitest run tests/supabase-config.unit.test.ts

Summary by CodeRabbit

• Chores

  • Pinned Supabase CLI version in CI for more stable runs.
  • Made test CI timeout detection more robust.

• Bug Fixes

  • Improved remote config merging so only valid remote fields override local settings.
  • Normalized Supabase host URL handling for more reliable connections.

• Tests

  • Added unit tests covering configuration merge behavior.
  • Added test resolver alias to simplify imports across test configs.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8f433fb7-e580-4f18-99b9-6686eeab5a6d

📥 Commits

Reviewing files that changed from the base of the PR and between 29bf1d1 and 80a8013.

📒 Files selected for processing (2)

• vitest.config.cloudflare-plugin.ts
• vitest.config.cloudflare.ts

✅ Files skipped from review due to trivial changes (1)

• vitest.config.cloudflare.ts

---

📝 Walkthrough

Walkthrough

Pins Supabase CLI version in CI, adds a safe merge function for remote config merging, changes remote config parsing to Partial, normalizes Supabase host when creating the client, and adds unit tests plus Vitest aliasing for ~/ imports.

Changes

Cohort / File(s)	Summary
CI Workflow .github/workflows/tests.yml	Pins Supabase CLI from latest to 2.84.2 via supabase/setup-cli@v1.6.0 in the Install step.
Supabase service src/services/supabase.ts	Adds exported mergeRemoteConfig(localConfig, remoteConfig) that conditionally overrides host, hostWeb, and stripeEnabled when types match; getRemoteConfig() now parses Partial<CapgoConfig> and uses the merge function; useSupabase() uses getSupabaseHost() (normalizes trailing slash) when creating the client.
Tests tests/supabase-config.unit.test.ts	Adds unit tests for mergeRemoteConfig() covering override and fallback behavior.
Vitest configs vitest.config.ts, vitest.config.cloudflare-plugin.ts, vitest.config.cloudflare.ts	Adds resolve.alias mapping '~/' to the project src/ path; adjusts imports and CI timeout detection to use env.CI in cloudflare-plugin config.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• chore: switch to sb.capgo.app for Supabase URLs #1770 — Also modifies src/services/supabase.ts around Supabase host handling and local-vs-remote host logic.

Suggested labels

💰 Rewarded

Poem

🐇 I hopped through lines of code tonight,
Merged the distant config just right,
Fixed a host, pinned CLI tight,
Tests gave a thump — a cozy bite. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title references specific changes in the PR: pinning Supabase CLI, fixing config hardening, and addressing a CI issue.
Description check	✅ Passed	The description covers summary, verification steps, and test coverage; however, it lacks a formal Test plan section and Checklist as specified in the template.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/post-merge-pricing-ci-fix

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	plausible-tracker@​0.3.9
	simple-git-hooks@​2.13.1
	unplugin-vue-macros@​2.14.5
	unplugin-formkit@​0.3.0
	vue-turnstile@​1.0.11
	vitest@​4.1.4
	vite-plugin-environment@​1.1.3
	stripe@​22.0.1
	mime@​4.1.0
	vue-chartjs@​5.3.3
	pinia@​3.0.4
	vite-plugin-vue-layouts@​0.11.0
	vue-demi@​0.14.10
	vite@​8.0.8
	tailwindcss@​4.2.2
	vue-sonner@​2.0.9
	vite-plugin-vue-devtools@​8.1.1
	vite-plugin-devtools-json@​1.0.0
	vite-plugin-pwa@​1.2.0
	semver@​7.7.4
	unplugin-auto-import@​21.0.0
	unplugin-icons@​23.0.1
	zod@​4.3.6
	pg@​8.20.0
	typescript@​6.0.2
	jose@​6.2.2
	supabase@​2.91.1
	vue-router@​5.0.4
	vue@​3.5.32
	vue-tsc@​3.2.6
	wrangler@​4.82.2
	vite-plugin-webfont-dl@​3.12.0
	sass@​1.99.0
See 3 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm vite is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: package.json → npm/vite@8.0.8 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@8.0.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing codex/post-merge-pricing-ci-fix (80a8013) with main (d7ea9fd)}

[riderx]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tests/supabase-config.unit.test.ts (1)

15-37: Prefer it.concurrent() for these independent unit tests.

Line 15 and Line 33 can run concurrently since they only operate on local in-memory data and don’t touch shared resources.

Proposed diff

-  it('keeps Supabase connection parameters from the local build config', () => {
+  it.concurrent('keeps Supabase connection parameters from the local build config', () => {
@@
-  it('falls back to local values when remote config omits optional fields', () => {
+  it.concurrent('falls back to local values when remote config omits optional fields', () => {

As per coding guidelines, "tests/**/*.{ts,js}: Use it.concurrent() instead of it() when possible to run tests in parallel within the same file, maximizing parallelism for faster CI/CD".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/supabase-config.unit.test.ts` around lines 15 - 37, Replace the two
independent unit tests that only use in-memory data — the test titled "keeps
Supabase connection parameters from the local build config" and the test titled
"falls back to local values when remote config omits optional fields" — by
changing their declarations from it(...) to it.concurrent(...); ensure nothing
else changes in the test bodies so they run safely in parallel.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/supabase-config.unit.test.ts`:
- Around line 1-3: The test file uses relative imports for CapgoConfig and
mergeRemoteConfig; replace the two occurrences of "../src/services/supabase"
with the path alias "~/services/supabase" so the imports become "import type {
CapgoConfig } from '~/services/supabase'" and "import { mergeRemoteConfig } from
'~/services/supabase'"; keep the existing vitest imports (describe, expect, it)
unchanged.

---

Nitpick comments:
In `@tests/supabase-config.unit.test.ts`:
- Around line 15-37: Replace the two independent unit tests that only use
in-memory data — the test titled "keeps Supabase connection parameters from the
local build config" and the test titled "falls back to local values when remote
config omits optional fields" — by changing their declarations from it(...) to
it.concurrent(...); ensure nothing else changes in the test bodies so they run
safely in parallel.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 59e34bdf-9247-46d3-a2cd-c2cdca7cd9da

📥 Commits

Reviewing files that changed from the base of the PR and between d7ea9fd and 77606f9.

📒 Files selected for processing (3)

• .github/workflows/tests.yml
• src/services/supabase.ts
• tests/supabase-config.unit.test.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 29bf1d1eab

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud