[nightly] master -> master

_docs/master/configuring-metabase/config-template.md

@@ -230,10 +230,10 @@ config:
     report-timezone: null
     reset-token-ttl-hours: 48
     retry-initial-interval: 500
-    retry-max-attempts: 7
+    retry-max-retries: 6
     retry-max-interval-millis: 30000
     retry-multiplier: 2.0
-    retry-randomization-factor: 0.1
+    retry-jitter-factor: 0.1
     saml-application-name: Metabase
     saml-attribute-email: null
     saml-attribute-firstname: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

_docs/master/configuring-metabase/environment-variables.md

@@ -1378,13 +1378,13 @@ Number of hours a password reset is considered valid.
 
 The initial retry delay in milliseconds.
 
-### `MB_RETRY_MAX_ATTEMPTS`
+### `MB_RETRY_MAX_RETRIES`
 
 - Type: integer
-- Default: `7`
-- [Configuration file name](./config-file): `retry-max-attempts`
+- Default: `6`
+- [Configuration file name](./config-file): `retry-max-retries`
 
-The maximum number of attempts for an event.
+The maximum number of retries for a failed event.
 
 ### `MB_RETRY_MAX_INTERVAL_MILLIS`
 
@@ -1406,7 +1406,7 @@ The delay multiplier between attempts.
 
 - Type: double
 - Default: `0.1`
-- [Configuration file name](./config-file): `retry-randomization-factor`
+- [Configuration file name](./config-file): `retry-jitter-factor`
 
 The randomization factor of the retry delay.
 
@@ -1983,29 +1983,6 @@ Since: v35.0
 
 Maximum number of async Jetty threads. If not set, then [MB_JETTY_MAXTHREADS](#mb_jetty_maxthreads) will be used, otherwise it will use the default.
 
-### `MB_ATTACHMENT_TABLE_ROW_LIMIT`
-
-Type: integer<br>
-Default: `20`<br>
-
-Limits the number of rows Metabase will display in tables sent with dashboard subscriptions and alerts. Range: 1-100. To limit the total number of rows included in the file attachment for an email dashboard subscription, use [MB_ATTACHMENT_ROW_LIMIT](#mb_attachment_row_limit).
-
-### `MB_AUDIT_MAX_RETENTION_DAYS`
-
-Only available on Metabase [Pro](/product/pro) and [Enterprise](/product/enterprise) plans.<br>
-Type: integer<br>
-Default: 720 (Metabase keeps all rows)<br>
-
-Sets the maximum number of days Metabase preserves rows for the following application database tables:
-
-- `query_execution`
-- `audit_log`
-- `view_log`
-
-Twice a day, Metabase will delete rows older than this threshold.
-
-The minimum value is `30` days (Metabase will treat entered values of `1` to `29` the same as `30`). If set to `0`, Metabase will keep all rows.
-
 ### `MB_COLORIZE_LOGS`
 
 Type: boolean<br>
@@ -2282,21 +2259,6 @@ Default: `null`
 
 Password for Java TrustStore file.
 
-### `MB_LANDING_PAGE`
-
-Only available on Metabase [Pro](/product/pro) and [Enterprise](/product/enterprise) plans.<br>
-Type: string<br>
-Default: `""`
-
-Default page to show people when they log in.
-
-### `MB_LOAD_ANALYTICS_CONTENT`
-
-Type: Boolean<br>
-Default: True
-
-If you want to exclude the [Metabase analytics](../usage-and-performance-tools/usage-analytics) collection, you can set `MB_LOAD_ANALYTICS_CONTENT=false`. Setting this environment variable to false can also come in handy when migrating environments, as it can simplify the migration process.
-
 ### `MB_LOAD_SAMPLE_CONTENT`
 
 Type: Boolean<br>
@@ -2355,46 +2317,13 @@ Path of the "plugins" directory, which is used to store the Metabase database dr
 
 The location is where custom third-party drivers should be added. Then Metabase will load the driver on startup, which can be verified in the log.
 
-### `MB_PREMIUM_EMBEDDING_TOKEN`
-
-Type: string<br>
-Default: `null`
-
-The license token used for Pro and Enterprise to enable premium features on the Enterprise edition. It is also used for the deprecated "Premium Embedding" functionality on the OSS edition.
-
 ### `MB_QP_CACHE_BACKEND`
 
 Type: string<br>
 Default: `"db"`
 
 Current cache backend. Dynamically rebindable primarily for test purposes.
 
-### `MB_SEARCH_TYPEAHEAD_ENABLED`
-
-Type: boolean<br>
-Default: `true`<br>
-Since: v39.0
-
-Show auto-suggestions when using the global search in the top navigation bar.
-
-### `MB_SEND_EMAIL_ON_FIRST_LOGIN_FROM_NEW_DEVICE`
-
-Type: boolean<br>
-Default: `true`<br>
-Since: v39.0
-
-Send email notification to user, when they login from a new device. Set to `false` to stop sending "We've noticed a new login on your Metabase account" emails for all users.
-
-Also, this variable controls the geocoding service that Metabase uses to know the location from where your users logged in. Setting this variable to false also disables this reverse geocoding functionality.
-
-### `MB_SEND_NEW_SSO_USER_ADMIN_EMAIL`
-
-Only available on Metabase [Pro](/product/pro) and [Enterprise](/product/enterprise) plans.<br>
-Type: boolean<br>
-Default: `true`
-
-Send email notifications to users in Admin group, when a new SSO users is created on Metabase.
-
 ### `MB_SETUP_TOKEN`
 
 Type: string<br>
@@ -2419,13 +2348,6 @@ Since: v48.4
 
 Setting `MB_JETTY_SKIP_SNI=true` (the default setting) turns off the Server Name Indication (SNI) checks in the Jetty web server. Normally you would leave this enabled. If, however, you're terminating the Transport Layer Security (TLS) connection on Metabase itself, and you're getting an error like `HTTP ERROR 400 Invalid SNI`, consider either setting `MB_JETTY_SKIP_SNI=false`, or use another SSL certificate that exactly matches the domain name of the server.
 
-### `MB_SOURCE_ADDRESS_HEADER`
-
-Type: string<br>
-Default: `X-Forwarded-For`
-
-Identify the source of HTTP requests by this header's value, instead of its remote address. Related to [MB_DISABLE_SESSION_THROTTLE](#mb_disable_session_throttle).
-
 ### `MB_SSL_CERTIFICATE_PUBLIC_KEY`
 
 Type: string<br>

_docs/master/databases/connections/aws-rds.md

@@ -28,6 +28,70 @@ Here's how to get connection information for databases on Amazon's RDS:
    - **Database Name**. Find this under Configuration Details.
    - **Password**. Ask your database administrator for the password.
 
-## Database routing
+## IAM authentication
 
-See [Database routing](../../permissions/database-routing).
+{% include plans-blockquote.html feature="IAM authentication" self-hosted-only="true" %}
+
+You can connect to RDS Aurora PostgreSQL and MySQL instances using AWS IAM authentication instead of a password.
+
+To set up IAM authentication:
+
+1. [In AWS, enable IAM authentication on your RDS instance](#in-aws-enable-iam-authentication-on-your-rds-instance)
+2. [In AWS, set up an IAM policy](#in-aws-set-up-an-iam-policy)
+3. [In your database, create a database user](#in-your-database-create-a-database-user)
+4. [In your Metabase environment, configure AWS credentials](#in-your-metabase-environment-configure-aws-credentials)
+5. [In Metabase, select IAM authentication](#in-metabase-select-iam-authentication)
+6. [In Metabase, configure SSL](#in-metabase-configure-ssl)
+
+### In AWS, enable IAM authentication on your RDS instance
+
+[Enable IAM authentication on your RDS instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html) in the AWS console.
+
+### In AWS, set up an IAM policy
+
+Add a policy with the `rds-db:connect` action. The policy resource must specify the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) of your database user in the format:
+
+```
+arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name
+```
+
+When entering the username in Metabase, you'd just enter your `db-user-name`, not the full ARN.
+
+See [Creating IAM policy for IAM database access](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html).
+
+### In your database, create a database user
+
+Create the database user with IAM authentication enabled. The database username must match exactly (case-sensitive) with the `db-user-name` portion of your IAM policy [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html).
+
+**PostgreSQL:**
+
+```sql
+CREATE USER your_username;
+GRANT rds_iam TO your_username;
+```
+
+**MySQL:**
+
+```sql
+CREATE USER 'your_username'@'%' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
+```
+
+See [Setting up for IAM database authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html).
+
+### In your Metabase environment, configure AWS credentials
+
+Authentication credentials must be available via one of the methods supported by the [AWS SDK credentials chain](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html), typically either:
+
+- Environment variables (`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`)
+- AWS credentials file (`.aws/credentials`), automatically available if running in [Elastic Container Service (ECS)](https://docs.aws.amazon.com/ecs/)
+
+### In Metabase, select IAM authentication
+
+When adding or editing a database connection in Metabase, click **Use an authentication provider** and select **IAM Authentication**.
+
+### In Metabase, configure SSL
+
+Use a secure connection (SSL):
+
+- **PostgreSQL**: Set the SSL Mode to **require**. See [PostgreSQL SSL options](./postgresql#ssl-mode).
+- **MySQL**: The SSL Mode will be automatically set to **verify-ca**. If you manually change the SSL Mode, it must be set to **verify-ca**. See [MySQL SSL options](./mysql#use-a-secure-connection-ssl).

_docs/master/databases/connections/mysql.md

@@ -49,6 +49,16 @@ The database username for the account that you want to use to connect to your da
 
 The password for the username that you use to connect to the database.
 
+### Use an authentication provider
+
+{% include plans-blockquote.html feature="Authenticating with a provider" %}
+
+Instead of a password, you can authenticate with a supported provider. Only for self-hosted Pro and Enterprise plans.
+
+#### IAM authentication
+
+To connect to Amazon RDS instances using IAM authentication instead of a password, see [IAM authentication for AWS RDS](./aws-rds#iam-authentication).
+
 ### Use a secure connection (SSL)
 
 You can paste your server's SSL certification chain.

_docs/master/databases/connections/postgresql.md

@@ -84,6 +84,10 @@ To use Oauth as a provider, you'll need to input your:
 - Auth token URL
 - Auth token request headers (a JSON map)
 
+#### IAM authentication
+
+To connect to Amazon RDS instances using IAM authentication instead of a password, see [IAM authentication for AWS RDS](./aws-rds#iam-authentication).
+
 ### Schemas
 
 You can specify which schemas you want to sync and scan. Options are:

_docs/master/developers-guide/devenv.md

@@ -20,12 +20,16 @@ Both components are built and assembled together into a single JAR file. In the
 
 ## Quick start
 
-First, make sure your local dev tooling matches the Metabase requirements. Run:
+**New to the project?** Run the automated setup:
 
 ```
-./bin/dev-requirements
+./bin/dev-install
 ```
 
+This installs [mise](https://mise.jdx.dev) (a tool version manager), sets up your shell, and installs all required tools (Node.js, Java, Clojure, Yarn, Babashka) at the correct versions. Follow the prompts, then open a new terminal.
+
+**Already have your own setup?** You can check that it meets the requirements with `./bin/dev-requirements`.
+
 To spin up a development environment, run:
 
 ```
@@ -64,6 +68,56 @@ clojure -M:run
 
 See [backend development](#backend-development).
 
+## IDE and editor setup
+
+If you use an IDE or editor that runs commands outside your interactive shell (VS Code tasks, Emacs (magit etc.), or IntelliJ run configurations), the tools installed by mise won't be available by default. To fix this, add mise shims to your PATH.
+
+Shims are wrapper scripts that automatically select the correct tool version based on the current directory's `mise.toml`.
+
+First, add this to your shell profile (**.zshrc**, **.bashrc**, **.config/fish/config.fish**):
+
+```bash
+export PATH="$HOME/.local/share/mise/shims:$PATH"
+```
+
+Then configure your editor:
+
+### VS Code
+
+VS Code usually inherits your shell's PATH if you launch it from the terminal. If not, add to your **settings.json**:
+
+```json
+{
+  "terminal.integrated.env.osx": {
+    "PATH": "${env:HOME}/.local/share/mise/shims:${env:PATH}"
+  },
+  "terminal.integrated.env.linux": {
+    "PATH": "${env:HOME}/.local/share/mise/shims:${env:PATH}"
+  }
+}
+```
+
+### Emacs
+
+Add to your Emacs config (**init.el** or **.emacs**):
+
+```elisp
+(add-to-list 'exec-path (expand-file-name "~/.local/share/mise/shims"))
+(setenv "PATH" (concat (expand-file-name "~/.local/share/mise/shims") ":" (getenv "PATH")))
+```
+
+If you use **exec-path-from-shell**, it should pick up the shims automatically after you update your shell profile.
+
+### IntelliJ / Cursive
+
+Go to **Settings → Tools → Terminal** and add to "Environment variables":
+
+```
+PATH=$HOME/.local/share/mise/shims:$PATH
+```
+
+For run configurations, you may also need to set the PATH in the run configuration's environment variables.
+
 ## Frontend development
 
 We use these technologies for our FE build process to allow us to use modules, es6 syntax, and css variables.

_docs/master/developers-guide/driver-changelog.md

@@ -17,6 +17,9 @@ layout: new-docs
 
 - Added `metabase.driver/compile-insert` to implement incremental transforms.
 
+- All tests in `metabase.query-processor-test.*` namespaces have been moved to `metabase.query-processor.*` (This is
+  only relevant if you run individual test namespaces as part of your development workflow).
+
 ## Metabase 0.57.0
 
 - `driver/field-reference-mlv2` is now deprecated, and is no longer used. Please remove your implementations.

_docs/master/developers-guide/e2e-tests.md

@@ -36,14 +36,14 @@ Our custom Cypress runner builds its own backend and creates a temporary H2 app
 To run all Cypress tests headlessly in the terminal:
 
 ```sh
-OPEN_UI=false yarn run test-cypress
+CYPRESS_GUI=false yarn run test-cypress
 ```
 
 You can quickly test a single file only by using the official `--spec` flag.
 This flag can be used to run all specs within a folder, or to run multiple assorted specs. Consult [the official documentation](https://docs.cypress.io/app/references/command-line#cypress-run-spec-lt-spec-gt) for instructions.
 
 ```sh
-OPEN_UI=false yarn test-cypress --spec e2e/test/scenarios/question/new.cy.spec.js
+CYPRESS_GUI=false yarn test-cypress --spec e2e/test/scenarios/question/new.cy.spec.js
 ```
 
 You can specify a browser to execute Cypress tests in using the `--browser` flag. For more details, please consult [the official documentation](https://docs.cypress.io/guides/guides/launching-browsers).