feat(cli): port services#5468
Merged
- Authenticate tenant probes with apikey-only for new-style `sb_` keys
(drops the bearer header), matching the Go service gateway and the
existing legacy tenant-version probes; older JWT keys still send both.
- Wrap the fetched service-role key in `Redacted` end-to-end so it cannot
leak through Effect failure traces.
- Validate the project ref against `^[a-z]{20}$` before it reaches the
management API path param or the tenant gateway hostname, preventing
host/path injection of the service-role key.
- Read the ambient HttpClient from context instead of self-provisioning
`FetchHttpClient.layer`, so legacy `--debug` HTTP logging covers the
linked-version lookups; the next command now provides its own transport.
- Defer Go `--output pretty` to the TS `--output-format` flag in the legacy
handler so `--output pretty --output-format json` emits JSON (CLI-1546).
- Write the linked-project cache via `Effect.ensuring(linkedProjectCache.cache(ref))`
to match Go's PersistentPostRun, keeping PostHog org/project groups attached.
- Hoist the duplicated warning formatter into the shared module and align
the next user-agent with the other native commands.
- Mark the legacy `services` command as `ported` in the porting-status doc,
expand integration coverage (pretty+json, stream-json, linked merge with
warning) and add unit coverage for the sb_ auth guard and ref validation.
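The ref guard and the `sb_` header rule from the description, as an added example that is not code from this PR. The gateway domain, probe path, function names and sample values are constructed assumptions; only the pattern and the header rule come from the description above.

```typescript
// Added example: not the project's code. Names, domain and samples are constructed.
const PROJECT_REF_PATTERN = /^[a-z]{20}$/; // pattern quoted in the PR description
const GATEWAY_DOMAIN = "gateway.example"; // hypothetical tenant gateway domain
const PROBE_PATH = "/probe"; // hypothetical probe path

// Unguarded form: the ref is interpolated as-is, so "/" or "@" in it
// moves the rest of the template out of the host part of the URL.
function naiveTenantHost(ref: string): string {
  return new URL(`https://${ref}.${GATEWAY_DOMAIN}${PROBE_PATH}`).hostname;
}

// Guarded form: the ref is checked before any URL is built, so the
// request carrying the key can only go to a subdomain of the gateway.
function tenantUrl(ref: string): URL {
  if (!PROJECT_REF_PATTERN.test(ref)) {
    throw new Error("invalid project ref");
  }
  return new URL(`https://${ref}.${GATEWAY_DOMAIN}${PROBE_PATH}`);
}

function isAccepted(ref: string): boolean {
  try {
    tenantUrl(ref);
    return true;
  } catch {
    return false;
  }
}

// New-style sb_ keys: apikey only. Older JWT keys: apikey plus bearer.
function tenantAuthHeaders(key: string): Record<string, string> {
  return key.startsWith("sb_")
    ? { apikey: key }
    : { apikey: key, Authorization: `Bearer ${key}` };
}

// Constructed refs: one valid, two that redirect the naive URL, and one
// valid ref with the trailing newline a file read would leave behind.
const sampleRefs = ["abcdefghijklmnopqrst", "other.example/", "x@other.example/", "abcdefghijklmnopqrst\n"];
for (const ref of sampleRefs) {
  console.log(JSON.stringify(ref), "naive host:", naiveTenantHost(ref), isAccepted(ref) ? "accepted" : "rejected");
}
```

The last sample shows why a ref read from a file has to be trimmed before the check: the anchored pattern rejects the trailing newline.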
avallete reviewed Jun 5, 2026
| const fs = yield* FileSystem.FileSystem; | ||
| const path = yield* Path.Path; | ||
|
|
||
| const projectRefPath = path.join(cliConfig.workdir, "supabase", ".temp", "project-ref"); |
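Review bot: the file at `projectRefPath` (last line of this hunk) lives under the working directory, so its contents should be treated as untrusted input. Trim the value and check it against `^[a-z]{20}$` right after reading, before it can reach a URL path or hostname; an anchored JavaScript regex rejects a trailing newline, so an untrimmed read would fail the guard even for a valid ref.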
Member
suggestion(non-blocking): use LegacyProjectRefResolver.resolveOptional here instead of re-reading .temp/project-ref inline. It already does this projectId/ref-file chain via legacyTempPaths() and mirrors Go's flags.LoadProjectRef.
| readonly userAgent: string; | ||
| readonly headers?: Readonly<Record<string, string | undefined>>; | ||
| readonly api?: ApiClient; | ||
| readonly tenantBaseUrlOverride?: string; |
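Review bot: `headers` and `tenantBaseUrlOverride` on this options type carry no doc comments. Say whether entries in `headers` are applied before or after the auth headers, so that a caller-supplied `apikey` or `Authorization` entry cannot silently replace them, and mark `tenantBaseUrlOverride` as test-only in a comment or move it to an internal type.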
Member
note(non-blocking): tenantBaseUrlOverride bypasses the PROJECT_REF_PATTERN guard. Test-only today, but it sits on an exported type.
TL;DR
ports `supabase services` to native ts

What's introduced
- adds native TS implementations for services
- moves the local service version rendering and linked version lookup into shared command logic,
- adds integration coverage for text/json output and linked version fallback behavior
Ref