Skip to content

fix(cli): wire --experimental gate into 7 ungated native leaves#5766

Open
Coly010 wants to merge 6 commits into
developfrom
columferry/cli-1854-wire-the-experimental-gate-into-the-7-ungated-native-leaves
Open

fix(cli): wire --experimental gate into 7 ungated native leaves#5766
Coly010 wants to merge 6 commits into
developfrom
columferry/cli-1854-wire-the-experimental-gate-into-the-7-ungated-native-leaves

Conversation

@Coly010

@Coly010 Coly010 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Current Behavior

Go gates postgres-config {get,update,delete}, ssl-enforcement {get,update}, and network-bans {get,remove} behind the global --experimental flag in the root PersistentPreRunE (apps/cli-go/cmd/root.go:56-93). The TS port's legacyRequireExperimental helper (shared/legacy-experimental-gate.ts) was wired only into the storage leaves, so these 7 commands ran unconditionally, without ever requiring --experimental.

Fixes #CLI-1854

Expected Behavior

All 7 leaves now fail with must set the --experimental flag to run this command unless --experimental (or SUPABASE_EXPERIMENTAL) is set, matching Go exactly.

Wiring this in required more than adding a yield* line: legacyManagementApiRuntimeLayer (used by all 7 leaves) eagerly resolves an access token as part of its own layer construction. Since Command.provide(layer) builds that layer before the handler body's first yield ever runs, leaving the gate check inside the handler while the layer stayed on Command.provide would let a missing-token error mask the missing---experimental error — verified against the built binary before the fix (postgres-config get with no credentials and no --experimental showed LegacyPlatformAuthRequiredError, not the gate error). Each leaf now moves legacyManagementApiRuntimeLayer to an inline Effect.provide applied after the gate check, matching Go's actual PersistentPreRunE order (experimental check, then the IsManagementAPI login check — root.go:91-109). Re-verified against the built binary post-fix for all 7 leaves.

Also corrects the legacy-experimental-gate.ts doc comment, which previously had cobra's PersistentPreRunE/ValidateFlagGroups ordering backwards, and now accurately notes that the 4 pre-existing storage leaves still have the mutex-check-before-gate ordering bug (tracked separately) rather than presenting their ordering as the correct example to copy.

…PI leaves

Go gates postgres-config {get,update,delete}, ssl-enforcement {get,update},
and network-bans {get,remove} behind --experimental in root.go's
PersistentPreRunE; the TS port ran these unconditionally.

Wiring the gate required moving each leaf's legacyManagementApiRuntimeLayer
from Command.provide (command-builder level) to an inline Effect.provide
placed after the gate check inside the handler body: the layer eagerly
resolves an access token as part of construction, and Command.provide
builds it before the handler's first yield runs, which would let a missing
token error mask the missing --experimental error before this fix. Verified
against the built CLI binary that the ordering now matches Go exactly.
@Coly010

Coly010 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@codex review

@Coly010 Coly010 self-assigned this Jul 2, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2443cfc275

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/cli/src/legacy/commands/postgres-config/get/get.command.ts
Coly010 added 3 commits July 2, 2026 12:50
…#5766)

Cobra parses flags (rejecting an out-of-enum -o value) before
PersistentPreRunE ever runs, so Go always shows an invalid --output error
ahead of a missing --experimental error. The 7 leaves this PR gates ran
legacyRequireExperimental first, inverting that precedence for e.g.
`postgres-config get -o csv` with no --experimental.

Exports legacyValidateOutputFormat (previously private to
withLegacyCommandInstrumentation) and calls it explicitly as the first
step in each gated leaf, ahead of the experimental check.
…review: #5766)

The "gate open" case reaches the real legacyManagementApiRuntimeLayer
(provided inline inside the command, not by the test's mocked runtime),
which reads credentials and SUPABASE_EXPERIMENTAL straight from process.env
and falls back to the OS keyring. A developer or CI host with a real
SUPABASE_ACCESS_TOKEN, SUPABASE_EXPERIMENTAL, or saved keyring token could
make these assertions non-deterministic, or worse, let a "gate closed"
test proceed to a real network call.

Adds processEnvLayer({ SUPABASE_NO_KEYRING: "1" }) to each suite's
runtime, matching the isolation the e2e harness already applies.
…4-wire-the-experimental-gate-into-the-7-ungated-native-leaves

# Conflicts:
#	apps/cli/src/legacy/commands/postgres-config/delete/delete.command.ts
#	apps/cli/src/legacy/commands/postgres-config/update/update.command.ts
@Coly010

Coly010 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 06509cfad1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/cli/src/legacy/commands/postgres-config/get/get.command.ts
Coly010 added 2 commits July 2, 2026 13:45
… too (review: #5766)

processEnvLayer isolates the env-var and keyring credential sources, but
legacyCredentialsLayer also falls back to a token file at
<RuntimeInfo.homeDir>/.supabase/access-token. mockRuntimeInfo() defaults
homeDir to the fixed /tmp/supabase-cli-test-home, so a stray token file
left there by another test or a local run could let the "gate open" case
authenticate for real instead of failing with LegacyPlatformAuthRequiredError.

Points RuntimeInfo.homeDir at each test's isolated tempRoot instead.
…es' SIDE_EFFECTS.md (review: #5766)

These docs said linked-project.json/telemetry.json are written "always" /
"on every invocation, including failures," which is no longer accurate:
a closed --experimental gate now exits before project-ref resolution,
the API call, and both of those writes. Adds SUPABASE_EXPERIMENTAL to
Environment Variables, the gate's exit code, and a Notes bullet matching
the existing storage/cp precedent for documenting a gated command.
@Coly010

Coly010 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@Coly010 Coly010 marked this pull request as ready for review July 2, 2026 12:48
@Coly010 Coly010 requested a review from a team as a code owner July 2, 2026 12:48
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Supabase CLI preview

npx --yes https://pkg.pr.new/supabase/cli/supabase@e5ee27e73811a8f5acbd35d00fa53633cbb3b330

Preview package for commit e5ee27e.

@Coly010

Coly010 commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Breezy!

Reviewed commit: e5ee27e738

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant