[pull] master from supabase:master #970
Merged
fixes `UseInfiniteQuery` so it recreates when query inputs change

the previous prop change check compared values to themselves so the hook could keep stale paginated state after table columns page size or trailing query changed

- closes #37750

## Summary by CodeRabbit

* **New Features**
  * Added an optional trailingQueryKey prop to the infinite-query hook to better control when its internal store is refreshed.
* **Bug Fixes**
  * Pagination now reliably uses the latest trailing query and avoids inconsistent state during initial load and subsequent pages.
* **Refactor**
  * Reworked store lifecycle and initialization for the infinite-query hook to reduce unnecessary recreations, streamline startup, and improve performance and stability.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Adds my name to the public-facing `humans.txt` endpoint on `supabase.com`.

## What is the current behavior?

Existing humans listed without me.

## What is the new behavior?

I become listed as another human. 🎉

## Additional context

I think that's enough already. 😈

## Summary by CodeRabbit

* **Chores**
  * Updated team information in public documentation.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Adds Lukas Klingsbo to the humans.txt

## What is the current behavior?

There is no Lukas Klingsbo in humans.txt

## What is the new behavior?

There is a Lukas Klingsbo in humans.txt

## Summary by CodeRabbit

* **Documentation**
  * Updated team information with a new team member addition.
)

## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Bug fix (documentation) — fixes three internal links that currently 404.

## What is the current behavior?

Three docs pages link to internal paths that do not resolve (no matching page, and no redirect in `apps/www/lib/redirects.js`):

| File | Link | Problem |
| --- | --- | --- |
| `guides/telemetry/reports.mdx` (×3) | `/docs/content/guides/database/query-optimization` | Stray `content/` path segment (the content folder name leaked into the public URL) |
| `guides/database/prisma.mdx` | `/docs/guides/database/prisma-troubleshooting` | Page lives under the `prisma/` subfolder |
| `guides/database/postgres/data-deletion.mdx` | `/docs/blog/postgres-bloat` | Blog posts are served from `/blog`, not `/docs/blog` |

No related issue — these are self-evident broken links found by checking every internal `/docs/...` link against the actual pages, the redirects config, and the dynamic doc routes.

## What is the new behavior?

The links now point to the correct, existing pages:

- `/docs/guides/database/query-optimization` (page: `apps/docs/content/guides/database/query-optimization.mdx`)
- `/docs/guides/database/prisma/prisma-troubleshooting` (page: `apps/docs/content/guides/database/prisma/prisma-troubleshooting.mdx`)
- `/blog/postgres-bloat` (post: `apps/www/_blog/2024-04-26-postgres-bloat.mdx`; consistent with the ~30 other `/blog/...` links across the docs)

Docs-only change; no wording changes beyond the URLs. The `reports.mdx` tables were re-aligned by Prettier as a result of the shortened links.

## Additional context

For each link I confirmed the target page/post file exists, that the broken path has no rule in `apps/www/lib/redirects.js`, and that it is not served by a dynamic Next.js route under `apps/docs/app/`.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## Summary by CodeRabbit

* **Documentation**
  * Redesigned the Database guide into a shorter, link-focused overview that highlights each project’s full Postgres database.
  * Rewrote the introduction and description to clarify Postgres usage and added “Working with your database” tips (Table Editor, SQL Editor, programmatic methods).
  * Added “Get started” and “Going further” sections with curated guide links and removed older, feature-heavy and backup-focused content.
…6572) During the migration to make `PREVIEW` match `PRODUCTION` environment we got a negation wrong. With this fix, now wrappers pages are rendered statically on build, so we can catch errors on MDX syntax on the fly.
… Harassment (#46565)

## Summary

Adds AUP clause **1.6 — Privacy Violations, Doxxing, and Targeted Harassment** to Section 1 (General Prohibitions), positioned between the existing 1.5 (Obfuscation) and Section 2.

**The wording for clause 1.6 was supplied verbatim by Supabase Legal.** This PR is the mechanical addition of that text in the right place with the right formatting and numbering — the wording itself is not up for review.

Driven by the "namehim" case — see the Slack `#team-security` investigation thread for the specific events that drove this addition. Codifies the AUP grounds for handling that abuse pattern so future enforcement actions for the same shape don't have to lean on General Prohibitions stretch interpretations.

Linear: [ABU-44](https://linear.app/supabase/issue/ABU-44/chore-add-aup-clause-16-privacy-violations-doxxing-and-targeted)

## What changed

- New clause 1.6 inserted in Section 1
- `_Last Modified:_` date bumped to 1 June 2026
- Trailing-two-spaces added to the previous 1.5 line so 1.6 renders on a new line (matches the existing within-section line-break convention)

## Wording rationale (per Legal)

The clause prohibits using the Services to publish, disclose, or facilitate dissemination of another person's personal/confidential/identifying information, plus using the Services to doxx, harass, intimidate, threaten, stalk, extort, or otherwise target individuals.

The legitimate-uses carve-out at the end was specifically requested by Legal:

> This provision does not prohibit lawful processing, publication, or distribution of information for legitimate purposes, including journalism, research, public-interest reporting, legal compliance, public records uses, or other activities protected by applicable law.

Keeps the clause from accidentally prohibiting customers doing journalism, public-records work, breach research, or other lawful uses.

## Open question for review

The AUP doesn't currently follow the date-suffixed-archive pattern that `privacy.mdx` does (e.g. `privacy-260316.mdx`). Should this substantive change trigger archiving the prior version as `aup-260225.mdx`? Flagging for the reviewers — happy to add the archive copy in a follow-up commit on this branch if so.

## Test plan

- [ ] Reviewer renders the page locally (`pnpm --filter www dev`, then `http://localhost:3000/aup`) and confirms clause 1.6 displays correctly between 1.5 and Section 2
- [ ] Clause numbering convention matches existing pattern (bold title with period and colon, two-trailing-space line breaks within sections)
- [x] Wording supplied by Supabase Legal (no wordsmith review required)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary by CodeRabbit

* **Documentation**
  * Updated Acceptable Use Policy with an effective date of 1 June 2026.
  * Enhanced General Prohibitions section with revised Obfuscation guidance and newly added provisions addressing Privacy Violations, Doxxing, and Targeted Harassment.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Bug fix - CI

## What is the current behavior?

action fails: https://github.com/supabase/supabase/actions/runs/26818877603/job/79068294605
## Problem

Because we have controller inputs and zod validation on numbers, many of them cannot be cleared correctly as deleting their value resets it to `0`.

## Solution

Update the `Input` component to allow those editions by always storing and displaying the user entered value

## How to test

- Open the webhook page and add/edit one
- Clear its timeout value and observe that it is not reset to `0`
- Same for:
  - Database network restrictions
  - API settings max rows
  - Disk size modal

## Summary by CodeRabbit

* **Refactor**
  * Standardized numeric form input handling across examples, settings, and modals — inputs now rely on form bindings and schema coercion for consistent parsing and simplified behavior.
* **Chores**
  * Added form resolver utilities and a user-event testing library to development dependencies.
… inviting members (#46515)

## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

- Better role selector that's actually more helpful with descriptions
- More tests with MSW
- Refactored to a side panel due to more information being presented in the modal

## How to test

- Try inviting members to an org
- Make sure members can still be revoked!

## Summary by CodeRabbit

* **New Features**
  * Team member invitation interface redesigned from modal dialog to side panel.
  * Role selection now displays as an interactive radio list with descriptions for each role.
  * Improved form layout with horizontal organization for better usability.
* **Tests**
  * Added integration and unit tests for team member invitation functionality.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

- Minor updates to date on pooler changes

## Summary by CodeRabbit

* **Chores**
  * Extended the on-screen maintenance notice so the banner remains visible until June 9, 2026.
  * Updated the scheduled maintenance window details for the US East region.
  * Revised local maintenance tracking to use the new June 9, 2026 date.
)

The autogenerated Data API docs listed every table and database function from the PostgREST OpenAPI spec, even ones that aren't actually accessible via the Data API (i.e. with grants revoked). This filters the docs down to only the entities that are exposed, and surfaces a count of the excluded ones with a link to enable them.

This applies to **both** autogenerated docs surfaces:

- the **API Docs side panel** (the slide-over opened from the API docs button), and
- the **full-page Data API docs** at `/integrations/data_api/docs`.

<img width="259" height="272" alt="Screenshot 2026-06-01 at 5 48 21 PM" src="https://github.com/user-attachments/assets/d2af86f2-5436-4e94-8295-83ecc74a77d9" />

**Changed:**

- Both docs UIs now only list tables and functions that have Data API access (any `anon`/`authenticated`/`service_role` grant). Fully-revoked entities are hidden.
- Side panel: both the sidebar list and the drilled-in resource picker are filtered.
- Full page: the menu's Tables/Functions groups are filtered, with a footer note under each.

**Added:**

- A footer under each list — "N table(s)/function(s) not exposed via **Data API**" — linking to Data API settings (`/integrations/data_api/settings`) so the entity can be granted access.
- One-shot `useExposedTablesQuery` / `useExposedFunctionsQuery` hooks reusing the same granted/custom/revoked SQL as the Data API settings page (no new SQL).
- Pure, unit-tested `partitionExposedDocsEntities()` helper (fails open if grant status hasn't loaded / errors, so docs are never blanked).
- Optional `footer` slot on `ProductMenuGroup` (rendered by `DocsMenu`) so the full-page menu can show the not-exposed note under a group.

**Note on the "all" queries:** the new `useExposedTablesQuery` / `useExposedFunctionsQuery` fetch the full grant-status list in a single request (rather than paginating like the Data API settings page does). This is deliberate — the docs sections aren't paginated and render every entity from the OpenAPI spec at once, so we need the complete status set to cross-reference against. Ideally we'd refactor the docs to be paginated in future, at which point these queries should move to a paginated approach too; until then, the one-shot "all" fetch is what matches the current (unpaginated) docs behavior.

## To test

- On a project, revoke a `public` table's Data API access (Data API settings → uncheck it)
- Open the **full-page** docs at `/integrations/data_api/docs`: the table should no longer appear under Tables and Views, and you should see "1 table not exposed via Data API" under that menu group
- Open the **API Docs side panel** and expand Tables and Views: same behavior
- Click the "Data API" link → goes to Data API settings (closes the side panel if open)
- Same for a database function under Functions
- Tables/functions that are still granted (or have custom/partial grants) should remain visible

## Summary by CodeRabbit

* **New Features**
  * Data API docs now reflect actual exposure: tables/functions not exposed by permissions are hidden and counted.
  * Sections display footer indicators with counts of hidden entities and links to Data API settings.
  * Navigation lists and docs menu updated to show only exposed entities and the new "not exposed" cues.

---------

Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
…6488) Adds support for the new `integration_status` installation identification method for OAuth marketplace integrations, which will use the new integration state stored in Marketplace DB and updated via partner callbacks. Fixes INT-123
Updates JS sdk documentation following stable release.

Ran `make` in apps/docs/spec to regenerate tsdoc files.

**Details:**

- **Version:** `2.107.0`
- **Source:** `supabase-js-stable-release`
- **Changes:** Regenerated tsdoc files from latest spec files

🤖 Auto-generated from @supabase/supabase-js stable release.

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>
This PR updates @supabase/*-js libraries to version 2.107.0.

**Source**: manual

**Changes**:

- Updated @supabase/supabase-js to 2.107.0
- Updated @supabase/auth-js to 2.107.0
- Updated @supabase/realtime-js to 2.107.0
- Updated @supabase/postgest-js to 2.107.0
- Refreshed pnpm-lock.yaml

---

## Release Notes

## v2.107.0

## 2.107.0 (2026-06-02)

### 🚀 Features

- **auth:** remove navigator.locks-based mutex; introduce commit guard + dispose() ([#2392](supabase/supabase-js#2392))
- **realtime:** allow httpSend to send binary payload ([#2400](supabase/supabase-js#2400))
- **supabase:** update X-Client-Info to structured metadata format ([#2359](supabase/supabase-js#2359))

### 🩹 Fixes

- **auth:** return AuthInvalidJwtError from getClaims for expired JWT ([#2395](supabase/supabase-js#2395))
- **auth:** recognize ?error= redirects in implicit grant gate ([#2407](supabase/supabase-js#2407))
- **auth): revert fix(auth:** encode client-id in oauth requests ([#2383](supabase/supabase-js#2383), [#2417](supabase/supabase-js#2417))
- **postgrest:** return a structured error for non-JSON body on successful responses ([#2398](supabase/supabase-js#2398))
- **release:** pin workspace:* sibling deps before JSR publish ([#2418](supabase/supabase-js#2418))
- **release:** publish gotrue-js legacy mirror via pnpm ([#2419](supabase/supabase-js#2419))

### ❤️ Thank You

- Claude Opus 4.7 (1M context)
- Claude Sonnet 4.6
- Eduardo Gurgel
- Guilherme Souza
- Katerina Skroumpelou @mandarini
- Omar Al Matar @Bewinxed
- youcef zr @youcefzemmar
- youcefzemmar

This PR was created automatically.

Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

function change

## What is the current behavior?

defaults to the read-write connection string when doing observability report queries

## What is the new behavior?

uses the read-only connection string instead

## Additional context

these should only ever be read-only operations, reporting should not have side effects and this adds a guardrail to ensure that remains the case

## Summary by CodeRabbit

**Bug Fixes**

- Corrected database replica query handling by using read-only connection strings for replica database access.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )