fix: add acceptance matrix for vectors

.docker/docker-compose-infra-oriole-pgvector-override.yml

@@ -0,0 +1,6 @@
+services:
+  tenant_db:
+    build:
+      context: .
+      dockerfile: .docker/orioledb-pgvector.Dockerfile
+    image: supabase-storage-orioledb-pgvector:pg17-local

.docker/orioledb-pgvector.Dockerfile

@@ -0,0 +1,22 @@
+ARG ORIOLEDB_IMAGE=orioledb/orioledb:latest-pg17
+FROM ${ORIOLEDB_IMAGE}
+
+ARG PGVECTOR_VERSION=0.8.2
+
+USER root
+
+RUN apk add --no-cache --virtual .pgvector-build-deps \
+      build-base \
+      clang \
+      git \
+      llvm \
+    && git clone --depth 1 --branch "v${PGVECTOR_VERSION}" \
+      https://github.com/pgvector/pgvector.git /tmp/pgvector \
+    && cd /tmp/pgvector \
+    && make clean \
+    && make OPTFLAGS="" \
+    && make install \
+    && rm -rf /tmp/pgvector \
+    && apk del .pgvector-build-deps
+
+USER postgres

.env.acceptance.sample

@@ -24,7 +24,8 @@ ACCEPTANCE_ENABLE_RENDER=true
 # ACCEPTANCE_RLS_READ_OBJECT points at an existing object readable by authenticated role.
 ACCEPTANCE_ENABLE_RLS_SETUP=true
 # ACCEPTANCE_RLS_READ_OBJECT=authenticated/casestudy.png
-# Vector acceptance requires a configured S3 Vectors-compatible service.
+# Vector acceptance requires either the local pgvector provider or a configured
+# S3 Vectors-compatible service.
 ACCEPTANCE_ENABLE_VECTOR=false
 ACCEPTANCE_ENABLE_ICEBERG=true
 ACCEPTANCE_ENABLE_WIRE=true

.github/workflows/acceptance.yml

@@ -81,14 +81,18 @@ jobs:
         env:
           ACCEPTANCE_ADMIN_URL: ${{ matrix.tenancy == 'multitenant' && 'http://127.0.0.1:5001' || '' }}
           ACCEPTANCE_ENABLE_ADMIN: ${{ matrix.tenancy == 'multitenant' && 'true' || 'false' }}
-          ACCEPTANCE_INFRA_RESTART_SCRIPT: ${{ matrix.database == 'oriole' && 'infra:restart:ci:oriole' || 'infra:restart:ci' }}
+          ACCEPTANCE_ENABLE_VECTOR: "true"
+          ACCEPTANCE_INFRA_RESTART_SCRIPT: ${{ matrix.database == 'oriole' && 'infra:restart:ci:oriole:pgvector' || 'infra:restart:ci' }}
           ACCEPTANCE_PROFILE: ${{ inputs.profile || 'full' }}
           ACCEPTANCE_X_FORWARDED_HOST: ${{ matrix.tenancy == 'multitenant' && 'bjhaohmqunupljrqypxz.local.dev' || '' }}
           MULTI_TENANT: ${{ matrix.tenancy == 'multitenant' && 'true' || 'false' }}
           PG_QUEUE_ENABLE: ${{ matrix.tenancy == 'multitenant' && 'true' || 'false' }}
           REQUEST_X_FORWARDED_HOST_REGEXP: ${{ matrix.tenancy == 'multitenant' && '^([a-z]{20})[.]local[.](?:com|dev)$' || '' }}
           STORAGE_PUBLIC_URL: ${{ matrix.tenancy == 'multitenant' && 'http://127.0.0.1:5000' || '' }}
           STORAGE_BACKEND: ${{ matrix.storage_backend }}
+          VECTOR_BUCKET_PROVIDER: pgvector
+          VECTOR_DATABASE_URL: ${{ matrix.tenancy == 'single' && 'postgresql://postgres:postgres@127.0.0.1:5432/postgres' || '' }}
+          VECTOR_STORE_MIGRATIONS_ENABLED: "true"
         run: |
           mkdir -p data coverage/acceptance
           chmod -R 777 data

acceptance/API_COVERAGE.md

@@ -42,7 +42,7 @@ the configured target, and the selected profile includes the spec:
 | Render     | `ACCEPTANCE_ENABLE_RENDER=true`                                                         | public, authenticated, and signed image transformation routes, `webp` output format, non-image input errors, invalid transformation validation                                                                                                                                                                                                 |
 | RLS        | `ACCEPTANCE_ENABLE_RLS_SETUP=true` plus anon/authenticated keys and RLS resource config | authenticated allow and anon deny for read/write on configured policies                                                                                                                                                                                                                                                                        |
 | Path edges | Derived from `ACCEPTANCE_TARGET` and `STORAGE_BACKEND`                                  | list-v2 preservation for object names with empty path segments; local S3/MinIO backends skip this case directly                                                                                                                                                                                                                                |
-| Vector     | `ACCEPTANCE_ENABLE_VECTOR=true`                                                         | vector bucket pagination, index pagination, put/get/list/query/delete lifecycle                                                                                                                                                                                                                                                                |
+| Vector     | `ACCEPTANCE_ENABLE_VECTOR=true` with local pgvector or S3 Vectors configured            | vector bucket pagination, index pagination, vector list pagination, metadata filter keys, non-filterable metadata rejection, default distance omission, cosine and euclidean query behavior, put/get/list/query/delete lifecycle                                                                                                               |
 | Iceberg    | `ACCEPTANCE_ENABLE_ICEBERG=true`                                                        | analytics bucket, catalog config, namespace (create/list/load/head/drop, missing load/drop, upsert on re-create, drop blocked when non-empty), table create/list/page-size/load/head/drop, missing load/drop, commit success/conflict                                                                                                          |
 
 ## Intentionally Gated

acceptance/README.md

@@ -98,6 +98,15 @@ Local CI also enables admin acceptance for multitenant matrix entries. Path-edge
 from the local storage backend, so empty path segment object names are exercised only on backends
 that can store them.
 
+Local CI enables vector acceptance on PostgreSQL and OrioleDB matrix rows using the pgvector-backed
+local provider, covering both S3/file storage backends and single/multitenant modes. OrioleDB rows
+use the locally built OrioleDB+pgvector image. Single-tenant rows create and migrate a dedicated
+`storage_vectors` database from `VECTOR_DATABASE_URL`. Multitenant pgvector rows provision the local
+tenant with the configured tenant database URL and pool URL. Multitenant pgvector index DDL reuses
+the active tenant transaction connection; single-tenant pgvector and S3 Vectors index creation keep
+physical side effects outside retried metadata transactions and clean up committed metadata on
+post-commit failures.
+
 ## GitHub Environments
 
 The workflow dispatch `acceptance_environment` input uses `local` for the managed local run. Any
@@ -125,7 +134,7 @@ secrets as environment secrets.
 | `ACCEPTANCE_ENABLE_CDN`           | Enables CDN purge tests. Managed local runs provide a purge stub by default.                      |
 | `ACCEPTANCE_ENABLE_RENDER`        | Enables image transformation tests.                                                               |
 | `ACCEPTANCE_ENABLE_RLS_SETUP`     | Enables RLS tests; requires service, anon, authenticated keys and bucket/prefix policy resources. |
-| `ACCEPTANCE_ENABLE_VECTOR`        | Enables vector bucket API tests. Requires a configured S3 Vectors-compatible service.             |
+| `ACCEPTANCE_ENABLE_VECTOR`        | Enables vector bucket API tests. Requires local pgvector or a configured S3 Vectors target.       |
 | `ACCEPTANCE_ENABLE_ICEBERG`       | Enables Iceberg catalog API tests.                                                                |
 | `ACCEPTANCE_ENABLE_WIRE`          | Enables wire-level tests outside the `wire` / `full` profiles.                                    |
 | `ACCEPTANCE_RLS_BUCKET`           | Bucket used by opt-in RLS tests. Defaults to local dummy `bucket2`.                               |

acceptance/scripts/run-managed-local.ts

@@ -277,7 +277,11 @@ function closeHttpServer(server: HttpServer): Promise<void> {
 
 function resolveInfraRestartScript() {
   const script = acceptanceEnv('ACCEPTANCE_INFRA_RESTART_SCRIPT') ?? 'infra:restart:ci'
-  const allowed = new Set(['infra:restart:ci', 'infra:restart:ci:oriole'])
+  const allowed = new Set([
+    'infra:restart:ci',
+    'infra:restart:ci:oriole',
+    'infra:restart:ci:oriole:pgvector',
+  ])
 
   if (!allowed.has(script)) {
     throw new Error(`Unsupported ACCEPTANCE_INFRA_RESTART_SCRIPT: ${script}`)