feat(cli): port supabase start command to native TypeScript#5847
feat(cli): port supabase start command to native TypeScript#5847Coly010 wants to merge 31 commits into
Conversation
Ports `supabase start` from a Go-binary proxy to native TypeScript in the legacy CLI shell (CLI-1323), continuing the local-dev-stack shell migration alongside the already-ported `stop`/`status`/`db push`/`db reset`/`db start`. ## What changed Talks directly to Docker/Podman via subprocess, mirroring Go's sequential per-container `DockerStart` — no Docker Compose, and no `@supabase/stack/effect` orchestration (that runtime targets a deliberately different local-dev product and would silently manage the wrong set of containers). Brings up all 14 containers in Go's real start order, with per-service config-boolean + `--exclude` gating, Go-byte-exact env/image resolution, a bulk health-check phase (Docker healthcheck for most services, an HTTP-HEAD-through-Kong bypass for PostgREST/Edge Runtime), and full rollback on any bring-up failure. Also natively implements the fresh-volume DB schema/migration/seed pipeline, Edge Runtime container bring-up, and fresh-volume storage bucket seeding — previously tracked as out-of-scope follow-ups for this port, now closed. Only the linked-project version-check suggestion (a best-effort "update available" hint with zero Management API dependency otherwise) remains out of scope by design. ## Notable review-driven fixes - `legacyParseGoDuration` (the `config.toml` duration-string parser feeding Go-parity env vars like `GOTRUE_SESSIONS_TIMEBOX`) silently accepted a malformed duration with no digits (a bare unit like `"s"`, or a lone `"."` with no digits on either side) and returned `0` instead of erroring like Go's real `time.ParseDuration` — both cases now throw Go's exact `time: invalid duration "..."` message. - `start.services.ts`'s descriptive `enabledGate` metadata for Mailpit referenced the deprecated `inbucket` config section instead of its `local_smtp` rename. Fixed, and added a mechanical cross-check test that evaluates every service's `enabledGate` string against `start.gates.ts`'s real computed gate across a battery of synthetic configs, so a future drift between the two fails loudly instead of silently. - Confirmed and closed the PostgREST health-check's TLS/CA trust gap for `[api.tls] enabled = true` local stacks (self-signed Kong cert) — the local-Kong-CA-trust mechanism already used by `seed buckets`/`storage`/ `db reset` is now wired into `start`'s health-check HTTP client too. Closes CLI-1323
|
👋 Thanks for the contribution! This pull request isn't linked to a tracked issue, so it's being closed automatically. Please open an issue first, wait for a maintainer to add the |
…3-port-supabase-start
|
👋 Thanks for the contribution! This pull request isn't linked to a tracked issue, so it's being closed automatically. Please open an issue first, wait for a maintainer to add the |
|
👋 Thanks for the contribution! This pull request isn't linked to a tracked issue, so it's being closed automatically. Please open an issue first, wait for a maintainer to add the |
|
👋 Thanks for the contribution! This pull request isn't linked to a tracked issue, so it's being closed automatically. Please open an issue first, wait for a maintainer to add the |
) The contribution gate identified internal maintainers solely from the PR's `author_association`, which GitHub only reports as `MEMBER` when a user's organization membership is public. A private org member (e.g. a `supabase/cli` team member who keeps membership private) is reported as `CONTRIBUTOR`/`NONE`, so the gate wrongly closed their PRs as "no-linked-issue" (see supabase#5847). Resolve maintainer status from the author's effective repository permission (`admin`/`write`), which reflects team/org-granted access that `author_association` does not surface, falling back to it only when the cheap signals (bot, public internal association) are inconclusive. The permission endpoint needs just `Metadata: read`, already covered by the workflow's `contents: read`. Claude-Session: https://claude.ai/code/session_01D41gYiFBSU7adE4ppnUUKg --------- Co-authored-by: Claude <noreply@anthropic.com>
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 623dd8b18e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 623dd8b18e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
supabase start's TS port had five spots where Go's real behaviour was
silently dropped:
- supabase/.temp/storage-migration (the linked project's Storage
migration pin) was never read, so DB_MIGRATIONS_FREEZE_AT was always
empty on a fresh DB setup and the Storage container itself.
- supabase/.temp/{gotrue,rest,storage,realtime,studio,pgmeta,logflare,
pooler}-version pins were never applied to the images start
pulls/creates, unlike Go's Config.Load rewrite. Hoisted the existing
services command's reader into shared/legacy-service-version-overrides.ts
and reused services.shared.ts's tag-rewrite helpers instead of a third
copy.
- --network-id was read by several other native ports but never by
start itself, so the override never reached any container or the
Docker network start creates.
- SUPABASE_API_PORT's env override was computed for status URLs but
never exposed for Kong/Edge Runtime's own container specs, so they
kept publishing/binding the un-overridden config.api.port.
- Studio's function bind mounts were hardcoded to [], unlike Go's
unconditional (Edge-Runtime-independent) PopulatePerFunctionConfigs
call — extracted the existing per-function bind computation in
shared/functions/serve.ts into a reusable resolveFunctionBindMounts
so both callers share one calculation.
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
…l in start Three more Go-parity gaps in supabase start found by review: - db.root_key (including encrypted: values) was never resolved or passed to the Postgres container, so every project booted with the hard-coded default pgsodium key instead of a customized one, breaking decryption of existing encrypted data. Resolved in legacyResolveLocalConfigValues off the raw config document (unmodeled in @supabase/config's schema), reusing the existing decrypt helpers. - DockerStart's Linux-only host.docker.internal:host-gateway mapping was already correctly ported for the one-shot migrate jobs and Edge Runtime bring-up, but never made it into the common legacyStartContainer path the other 13 services go through. - auth.external_url (also unmodeled in the schema, with its own Go regression test) was never read, so GoTrue's API_EXTERNAL_URL/JWT issuer default/mailer verify URL/OAuth redirect fallbacks always derived from apiUrl even when a project intentionally exposed auth at a different host.
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
…es tag ordering Three more Go-parity gaps found by review: - [auth.email.smtp] present without an explicit enabled key should default to enabled (Go sets this at load time), but the schema always decodes enabled: false when the key is absent, so GoTrue silently fell back to Mailpit. Reuses the existing correct resolution already implemented for config validation, exposed as legacyResolveAuthEmailSmtp. - auth.external providers outside the schema's fixed ~19-provider set (e.g. a custom [auth.external.my_oidc] block) never reached GoTrue's env, even though Go's Auth.External is a genuine map iterated unconditionally and this port's own config validation already accepts arbitrary provider names. Reuses the same raw-document iteration validateAuthExternalProviders already established. - A registry override with a port (SUPABASE_INTERNAL_IMAGE_REGISTRY= localhost:5000) broke the Postgres version-tag comparison, since Go compares the pre-registry-rewrite image while this port was comparing the already-rewritten one. Threaded the original image through as a separate configImage field used only for that comparison.
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
@codex review |
1 similar comment
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3e5cd58c9a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // raw `--exclude` values are enough on their own. | ||
| const statusExcluded = flags.exclude; | ||
|
|
||
| if (output.format === "text") { |
There was a problem hiding this comment.
Honor LegacyOutputFlag before rendering start status
When a user runs supabase start -o json (or yaml/toml/env), the root keeps Output.format as text via the quiet legacy output layer and exposes the chosen Go format only through LegacyOutputFlag. This native handler no longer reads that flag, so this branch emits the pretty status table and security notice instead of the machine payload the previous proxy produced by delegating to status --output <fmt>. Scripts parsing start -o json will now receive non-JSON; branch on LegacyOutputFlag before the text renderer, as status.handler.ts does.
Useful? React with 👍 / 👎.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3e5cd58c9a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if (hours > 0) return `${sign}${hours}h${minutes}m${secs}s`; | ||
| if (minutes > 0) return `${sign}${minutes}m${secs}s`; |
There was a problem hiding this comment.
Preserve fractional seconds in formatted Go durations
When a configured duration has a minute/hour component plus fractional seconds (for example auth.sms.max_frequency = "1m0.5s" or auth.sessions.timebox = "1h0.5s"), these early returns ignore the remaining ms/us/ns after computing secs, so the GoTrue env value becomes 1m0s/1h0m0s. Go's time.Duration.String() preserves that fractional seconds component (...0.5s), so this changes user-configured rate-limit/session timings for valid Go duration strings.
Useful? React with 👍 / 👎.
| const binds = await Promise.all( | ||
| secretFiles.map(async (secretFile, index) => { | ||
| const hostPath = join(dir, `secret-${index}`); | ||
| await writeFile(hostPath, secretFile.content, { mode: 0o600 }); |
There was a problem hiding this comment.
Make staged secret binds readable inside containers
When supabase start stages Kong/Postgres/Supavisor secrets, these files are bind-mounted read-only into the containers but kept 0600 and owned by the host user. On native Linux/Podman bind mounts preserve the host UID and mode, while these images read the mounted paths as their own container users (for example Kong's declarative config and Postgres's pgsodium root key), so the service can fail with permission denied even though the Go CLI wrote the same files inside the container with a readable owner. Please make the mounted files readable to the container user, or copy/chown them inside the entrypoint instead of mounting host-owner-only files.
Useful? React with 👍 / 👎.
| yield* legacyEnsureStartNetwork(spawner, networkId, { | ||
| [LEGACY_CLI_PROJECT_LABEL]: projectId, | ||
| }); |
There was a problem hiding this comment.
Label the start network with the compose project
When supabase start creates the network, this label map omits com.docker.compose.project even though the containers and volumes get that label and the Go CLI passes the same full label map to network creation. Newly created stack networks therefore are not grouped with the rest of the stack for any compose-project-label based tooling or cleanup. Please include the compose-project label here as well.
Useful? React with 👍 / 👎.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3e5cd58c9a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // raw `--exclude` values are enough on their own. | ||
| const statusExcluded = flags.exclude; | ||
|
|
||
| if (output.format === "text") { |
There was a problem hiding this comment.
Honor legacy --output formats in start
When supabase start is invoked with the legacy -o/--output flag (for example -o env, -o json, -o toml, or -o yaml) after a successful start, the root layer keeps output.format as text/quiet-text, so this branch prints the pretty status table instead of the requested machine-readable status values. The old proxy path explicitly delegated to status --output <format>, so scripts that depend on supabase start -o env/json/... regress unless the handler reads LegacyOutputFlag and encodes the status values accordingly.
Useful? React with 👍 / 👎.
| yield* legacyEnsureStartNetwork(spawner, networkId, { | ||
| [LEGACY_CLI_PROJECT_LABEL]: projectId, | ||
| }); |
There was a problem hiding this comment.
Add the compose label when creating the start network
When supabase start creates a fresh local network, this call labels it only with com.supabase.cli.project; the Go DockerStart path passed the same label map used for containers, which also included com.docker.compose.project, and this port still adds both labels to containers/volumes. Freshly-created networks therefore lose the compose project label, so Docker/Compose tooling that filters or groups all stack resources by com.docker.compose.project no longer sees the network until it is recreated with the missing label.
Useful? React with 👍 / 👎.
| debug, | ||
| platform: runtimeInfo.platform, | ||
| }; | ||
| const runtime: StartedRuntime = yield* legacyStartEdgeRuntimeContainer(edgeRuntimeInput); |
There was a problem hiding this comment.
Keep Kong reload out of start's Edge Runtime path
When Edge Runtime is enabled, this call goes through the shared startEdgeRuntimeContainer core, which still unconditionally calls reloadKong(projectId) after docker run. I checked the Go paths: internal/start/start.go calls serve.ServeFunctions directly, while only the functions serve restartEdgeRuntime wrapper reloads Kong, so the TS start port now runs an extra docker exec <kong> kong reload before the normal health checks. In starts where Kong is excluded or still booting, users get a spurious Kong-reload warning/noise unrelated to the start health result; keep the reload in the functions-serve wrapper instead of this start path.
Useful? React with 👍 / 👎.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3e5cd58c9a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| yield* legacyEnsureStartNetwork(spawner, networkId, { | ||
| [LEGACY_CLI_PROJECT_LABEL]: projectId, |
There was a problem hiding this comment.
Label the start network like the other stack resources
On a fresh TS-created start network, this call passes only the Supabase CLI label, while the ported DockerStart behavior and the new container/volume path label resources with both the CLI label and com.docker.compose.project. That leaves the network outside Docker Desktop/compose-style grouping even though the containers and volumes are grouped, so include the compose project label in this network label map as well.
Useful? React with 👍 / 👎.
| ) { | ||
| if (env.length === 0) { | ||
| return undefined; | ||
| } | ||
|
|
||
| const dir = await mkdtemp(join(tmpdir(), "supabase-functions-serve-multiline-env-")); | ||
| // Self-healing — see the matching comment in `writeDockerEnvFile` above. | ||
| await rm(dir, { recursive: true, force: true }); |
There was a problem hiding this comment.
Clear stale multiline env secrets when none are needed
Because the new deterministic multiline-env directory is only removed after the early env.length === 0 return above, a run that no longer has multiline edge-runtime secrets leaves any existing supabase/.temp/start-secrets/<edge-runtime>/multiline-env tree untouched. If a previous crashed/manual run left JWT or custom multiline secret files there, the next successful run without multiline envs will not mount or clean them, so move the cleanup before the empty-env return as well.
Useful? React with 👍 / 👎.
| apiTlsCertPath !== undefined && | ||
| apiTlsKeyPath !== undefined |
There was a problem hiding this comment.
Treat empty TLS paths as unset before reading files
When [api.tls] is enabled but cert_path and key_path are present as empty strings, Go's len(...) > 0 checks treat them as unset and Kong uses the embedded localhost cert/key. This guard only checks for undefined, so the same config tries to read <workdir>/supabase/ as the cert/key path and aborts supabase start; require non-empty paths before reading the overrides.
Useful? React with 👍 / 👎.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3e5cd58c9a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // same "exit-code-only" shape in `legacy-pgdelta.seam.layer.ts`. | ||
| const stopResults = yield* Effect.all( | ||
| containerIds.map((id) => | ||
| containerCliExitCode(spawner, ["stop", id], { |
There was a problem hiding this comment.
Tolerate already-stopped containers during stop
When any matching Supabase container has already exited, docker ps --all still includes it and this calls docker stop <id> anyway. The Docker CLI stop command is defined for running containers and its runStop implementation returns ContainerStop errors, while the Go implementation this ports explicitly ignored errdefs.IsNotModified; because stderr is ignored here and any non-zero exit fails below, supabase stop and start rollback can abort before prune/cleanup whenever one service has already stopped or crashed. Stop only the running subset or explicitly tolerate the already-stopped case.
Useful? React with 👍 / 👎.
| export const legacyStartEdgeRuntimeContainer = Effect.fn("legacy.start.edgeRuntime")(function* ( | ||
| input: LegacyEdgeRuntimeBringUpInput, | ||
| ) { | ||
| return yield* startEdgeRuntimeContainer({ |
There was a problem hiding this comment.
Route Edge Runtime through the container CLI fallback
On Podman-only hosts (where docker is absent but podman is installed), the rest of native start uses spawnContainerCli/containerCliExitCode and can fall back from Docker to Podman, but this newly wired Edge Runtime path delegates to startEdgeRuntimeContainer, whose volume/network/run/reload steps call runChildProcess("docker", ...) directly. With edge_runtime.enabled, supabase start can therefore fail partway through even though the surrounding start path otherwise supports Podman; route this helper through the same container CLI abstraction or add an equivalent fallback.
Useful? React with 👍 / 👎.
|
@codex review |
1 similar comment
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
@codex review |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
What changed
Ports
supabase startfrom a Go-binary proxy to native TypeScript in the legacy CLI shell (CLI-1323), continuing the local-dev-stack shell migration alongside the already-portedstop/status/db push/db reset/db start.Talks directly to Docker/Podman via subprocess, mirroring Go's sequential per-container
DockerStart— no Docker Compose, and no@supabase/stack/effectorchestration (that runtime targets a deliberately different local-dev product and would silently manage the wrong set of containers). Brings up all 14 containers in Go's real start order, with per-service config-boolean +--excludegating, Go-byte-exact env/image resolution, a bulk health-check phase (Docker healthcheck for most services, an HTTP-HEAD-through-Kong bypass for PostgREST/Edge Runtime), and full rollback on any bring-up failure.Also natively implements the fresh-volume DB schema/migration/seed pipeline, Edge Runtime container bring-up, and fresh-volume storage bucket seeding — previously tracked as out-of-scope follow-ups for this port, now closed. Only the linked-project version-check suggestion (a best-effort "update available" hint with zero Management API dependency otherwise) remains out of scope by design.
Why
Continues the legacy-shell migration from Go-binary-proxy commands to native TypeScript, closing CLI-1323.
Reviewer-relevant context
legacyParseGoDuration(theconfig.tomlduration-string parser feeding Go-parity env vars likeGOTRUE_SESSIONS_TIMEBOX) silently accepted a malformed duration with no digits (a bare unit like"s", or a lone"."with no digits on either side) and returned0instead of erroring like Go's realtime.ParseDuration— both cases now throw Go's exacttime: invalid duration "..."message.start.services.ts's descriptiveenabledGatemetadata for Mailpit referenced the deprecatedinbucketconfig section instead of itslocal_smtprename. Fixed, and added a mechanical cross-check test that evaluates every service'senabledGatestring againststart.gates.ts's real computed gate across a battery of synthetic configs, so a future drift between the two fails loudly instead of silently.[api.tls] enabled = truelocal stacks (self-signed Kong cert) — the local-Kong-CA-trust mechanism already used byseed buckets/storage/db resetis now wired intostart's health-check HTTP client too.Note
This branch is currently 9 commits behind
develop(unrelateddeps/dockerbump commits) — opening as draft to get CI/review visibility; happy to rebase before this comes out of draft.