Skip to content

fix(cli): legacy shell honors project .env for SUPABASE_YES + auth.enabled remote precedence (CLI-1878)#5839

Merged
Coly010 merged 3 commits into
developfrom
columferry/cli-1878-legacy-shell-full-viper-env-override-semantics-project-env
Jul 9, 2026
Merged

fix(cli): legacy shell honors project .env for SUPABASE_YES + auth.enabled remote precedence (CLI-1878)#5839
Coly010 merged 3 commits into
developfrom
columferry/cli-1878-legacy-shell-full-viper-env-override-semantics-project-env

Conversation

@Coly010

@Coly010 Coly010 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

What

Closes the remaining gaps in CLI-1878: full viper env-override semantics (project .env, remote precedence, malformed bools) in the TS legacy shell.

A go-parity-auditor pass determined most of the issue's original claims had already been fixed by an earlier PR (#5715) — project-.env-aware SUPABASE_YES/SUPABASE_EXPERIMENTAL resolvers, remote-config precedence, malformed-bool-fails-the-load, explicit-flag-beats-env, and case-agnostic env(...) resolution all already exist for db push/db reset/db pull/config push/migration down/repair/declarative-schema. This PR closes the 5 concrete gaps that pass left open:

  1. gen signing-key — the overwrite-confirmation prompt only consulted the shell env for SUPABASE_YES. Go's flags.LoadConfig loads the project .env before the prompt (signingkeys.go:99,130).
  2. storage rm — same gap for the delete-confirmation prompt (both the --local and default --linked branches of Go's ParseDatabaseConfig load the project .env first).
  3. migration fetch — same gap for the migrations-dir overwrite prompt (defaults to --linked, same ParseDatabaseConfig path).
  4. standalone seed buckets — its fallback yes resolution (used when db reset doesn't pass a pre-resolved value) had the same gap. db reset's own passthrough was already correct.
  5. [remotes.*].auth.enabled remote precedence — this key was missing from LEGACY_ENV_OVERRIDABLE_KEYS, so a linked remote's auth.enabled TOML value could lose to a SUPABASE_AUTH_ENABLED env var instead of winning, unlike every other allowlisted key (Go's mergeRemoteConfig applies the whole matched block above AutomaticEnv).

Each of the 4 handler fixes follows the existing legacyLoadProjectEnv + legacyResolveYesWithProjectEnv pattern already used by db push/config push/migration down/repair.

Fixed along the way

  • migration fetch's new project-.env load initially ran before the [db-url linked local] flag-conflict check — an ordering regression relative to Go and sibling migration down/repair (caught by architect-reviewer). Reordered so the flag check runs first; added a regression test that fails without the fix.

Behavior changes to be aware of

  • gen signing-key, storage rm, migration fetch, and seed buckets now honor SUPABASE_YES set only in supabase/.env/.env.local/.env.<env>[.local] (previously they only saw the shell env). This is a pure Go-parity fix, but on an earlier build of this TS legacy shell it was inert — a stale SUPABASE_YES=true left in a project's .env will now silently auto-confirm these destructive prompts.
  • A linked project's [remotes.<name>].auth.enabled TOML value now correctly beats a SUPABASE_AUTH_ENABLED env var (previously the reverse). If anything relied on the env var overriding a remote block's explicit auth.enabled, that no longer happens.

Test plan

  • bun run test:core — all unit + integration tests green (300 tests across the touched files, full suite unaffected).
  • bun run check:all — types/lint/fmt/knip clean.
  • New regression tests (integration, per this workspace's testing pyramid):
    • signing-key.integration.test.ts — project-.env SUPABASE_YES auto-confirms the overwrite even with a piped n (defensively clears any leaked shell SUPABASE_YES first).
    • rm.integration.test.ts — same, for the delete confirmation.
    • buckets.integration.test.ts — same, for the standalone seed buckets overwrite prompt.
    • fetch.integration.test.ts — same, for the migrations-dir overwrite prompt; plus a new test locking in the flag-conflict-before-env-read ordering fix (verified it fails without the reorder).
    • legacy-db-config.toml-read.unit.test.ts — 2 new unit tests for auth.enabled: a matched remote block beats the env var, and a control case where the env var still wins when the block omits the key.
  • Relocated one pre-existing test's fixture (fetch.integration.test.ts, "reports a write failure"): the file-collision now lives at <workdir>/supabase/migrations instead of <workdir>/supabase itself, since the latter would break the new project-.env read before ever reaching the mkdir under test. Verified this preserves the original test's coverage.

Judgement calls deliberately left open

  • [y/N] y echo doesn't say why it auto-confirmed. supabase-dx-reviewer flagged that the prompt echo is byte-identical whether the answer came from --yes, the shell env, or a forgotten project .env value — but explicitly recommended not annotating it, since that would diverge from Go's byte-identical console.PromptYesNo output (this is a strict 1:1 port). Not changed here; a source annotation would need to land in the Go CLI first if ever desired.
  • DB-bootstrap seam explicit --experimental=false forwarding. go-parity-auditor flagged (but could not fully confirm, since it didn't trace the hidden db __db-bootstrap subprocess) that legacy-db-bootstrap.seam.layer.ts forwards --experimental to the Go child only when true, never an explicit false — for db reset --experimental=false with SUPABASE_EXPERIMENTAL=true inherited by the child, the child might re-resolve true independently. Flagged as a caveat, not a confirmed gap; out of scope here.
  • storage.enabled/realtime.enabled don't read any SUPABASE_* env override at all in legacy-db-config.toml-read.ts, unlike auth.enabled. This is a latent divergence noted by go-parity-auditor but is outside CLI-1878's 5 named items; left as a separate follow-up.

🤖 Generated with the issue-autopilot skill.

…ix auth.enabled remote precedence (CLI-1878)

Go's loadNestedEnv loads supabase/.env before viper's AutomaticEnv reads
SUPABASE_YES, but gen signing-key, storage rm, migration fetch, and the
standalone seed buckets command only consulted the shell environment.
Load the project env (legacyLoadProjectEnv) before resolving --yes in each,
matching the pattern already used by db push/reset, config push, and
migration down/repair.

Also: a matched [remotes.*].auth.enabled TOML value now correctly beats a
SUPABASE_AUTH_ENABLED env var, matching every other LEGACY_ENV_OVERRIDABLE_KEYS
entry (Go's mergeRemoteConfig applies the whole matched block above
AutomaticEnv).

fetch.handler.ts additionally reorders its new .env load to run after the
[db-url linked local] flag-conflict check, matching Go's parse-time
MarkFlagsMutuallyExclusive running ahead of PersistentPreRunE and the sibling
migration down/repair handlers.
@Coly010

Coly010 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c2763aa1ca

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/cli/src/legacy/commands/storage/rm/rm.handler.ts Outdated
…(review: codex)

Go's ParseDatabaseConfig case linked (db_url.go:87-93) calls LoadProjectRef
strictly before LoadConfig, so an unlinked workdir fails fast with the
not-linked guidance before any .env file is read. `storage rm` had this
inverted, so a malformed/unreadable supabase/.env could surface an env-parse
error instead of the not-linked message.
@Coly010 Coly010 self-assigned this Jul 9, 2026
@Coly010

Coly010 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9a16dd6fab

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/cli/src/legacy/commands/gen/signing-key/signing-key.handler.ts Outdated
…is malformed (review: codex)

Go attaches the telemetry service in root's PersistentPreRunE (cmd/root.go:131-155),
before the leaf command's own RunE runs flags.LoadConfig (signingkeys.go:99), so
service.Capture still fires even when that .env load fails. Move the
legacyLoadProjectEnv/legacyResolveYesWithProjectEnv resolution inside the
Effect.ensuring(telemetryState.flush)-wrapped block so a malformed/unreadable
supabase/.env no longer skips the telemetry flush.
@Coly010

Coly010 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Swish!

Reviewed commit: 2dfa93939b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@jgoux jgoux marked this pull request as ready for review July 9, 2026 12:59
@jgoux jgoux requested a review from a team as a code owner July 9, 2026 13:00
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Supabase CLI preview

npx --yes https://pkg.pr.new/supabase/cli/supabase@2dfa93939bdaffcc95e8508f6590eb85d9f3beb1

Preview package for commit 2dfa939.

@Coly010 Coly010 added this pull request to the merge queue Jul 9, 2026
Merged via the queue into develop with commit 1bd4085 Jul 9, 2026
40 of 41 checks passed
@Coly010 Coly010 deleted the columferry/cli-1878-legacy-shell-full-viper-env-override-semantics-project-env branch July 9, 2026 13:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants