@softmarshmallow softmarshmallow commented Jan 10, 2026

Note

  • Upgrade Supabase to 2.90.x: bumps @supabase/supabase-js, @supabase/postgrest-js, @supabase/ssr, and @supabase/storage-js; updates lockfile
  • Env key migration: replaces NEXT_PUBLIC_SUPABASE_ANON_KEY with NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY and SUPABASE_SERVICE_KEY with SUPABASE_SECRET_KEY; updates usages across client.ts, server.ts, vault.ts, .env.example, middleware
  • Auth/session refactor: extracts server-side updateSession to editor/lib/supabase/proxy.ts; middleware now uses it and adds local-dev fallback when Supabase env is missing
  • PostgREST builder/type updates: aligns generics with new postgrest-js, adds safety checks and fromSearchParams handling; improves realtime schema typing
  • Supabase project scaffolding: adds supabase/ with README.md, config.toml, .gitignore, and a migration; simplifies contributor docs to point to new setup
  • Build config: adds SUPABASE_SECRET_KEY to editor/turbo.json env passthrough

Written by Cursor Bugbot for commit 42fb6ee. This will update automatically on new commits.

Summary by CodeRabbit

  • New Features

    • Added server-side session update to improve auth handling.
  • Documentation

    • Streamlined contributor setup with a pointer to dedicated Supabase docs.
    • Added a comprehensive Supabase README for local development and workflows.
  • Refactor

    • Moved session proxy logic to a dedicated module and adjusted middleware to use it.
    • Improved TypeScript safety around query builders and schema typing.
  • Chores

    • Renamed Supabase env keys and updated references.
    • Bumped Supabase-related packages; updated ignore/config and cleaned migrations.

…ble key, adding secret key, and improving middleware session handling
coderabbitai bot commented Jan 10, 2026

Walkthrough

Supabase integration updates: env var names changed (anon → publishable, service → secret), session sync extracted to a proxy and wired into middleware with a dev guard, Postgrest generics expanded for stronger typing, Supabase deps bumped, and local Supabase docs/.gitignore/config adjusted. (≈36 words)

Changes

| Cohort / File(s) | Summary |
|---|---|
| Configuration & Documentation: CONTRIBUTING.md, supabase/.gitignore, supabase/README.md, supabase/config.toml, supabase/migrations/... | Replaced in-repo Supabase setup with a Grida-specific pointer; added granular dotenv ignore patterns and signing_keys.json; new local Supabase contributor README; removed a couple schema exposures and pg_sodium extension lines in a migration. |
| Environment Examples & CI: editor/.env.example, editor/turbo.json | Renamed example env keys: ANON_KEY → PUBLISHABLE_KEY, SERVICE_KEY → SECRET_KEY in examples/config. |
| Supabase Client Initialization: editor/lib/supabase/client.ts, editor/lib/supabase/server.ts, editor/lib/supabase/vault.ts | Switched runtime env variables to NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY / SUPABASE_SECRET_KEY; brought in additional Supabase types and loosened schema typing for the service client. |
| Session Management Refactor: editor/lib/supabase/proxy.ts, editor/middleware.ts | Extracted updateSession into proxy.ts which creates a per-request server client, syncs cookies and calls auth.getClaims(); middleware now imports it and adds a development-time guard when Supabase env is missing. |
| Postgrest Types & Query Builder: editor/lib/supabase-postgrest/builder.ts, editor/lib/supabase/realtime.ts | Expanded Postgrest generic arities across builder API, updated method signatures/casts, added a runtime guard and typed access in fromSearchParams, and introduced SupabaseSchemaName<_Database> to tighten schema-name generics. |
| Dependencies: editor/package.json | Bumped @supabase/postgrest-js, @supabase/ssr, @supabase/supabase-js, and @supabase/storage-js to newer 2.x versions. |

Sequence Diagram(s)

sequenceDiagram
  participant Browser
  participant Middleware
  participant Proxy
  participant Supabase
  participant Response

  Browser->>Middleware: incoming request (with cookies)
  Middleware->>Proxy: call updateSession(request)
  Proxy->>Supabase: createServerClient(url, publishableKey)
  Proxy->>Supabase: supabase.auth.getClaims()
  Supabase-->>Proxy: claims + set-cookie headers
  Proxy->>Response: copy/sync cookies to NextResponse
  Proxy-->>Middleware: return NextResponse (with synced cookies)
  Middleware-->>Browser: respond (preserving cookies)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I hopped through keys, renamed them neat,

publishable, secret — tucked in a seat.
Builders stretched wider, types standing tall,
Sessions now routed through one tidy hall.
Docs and deps updated — a celebratory treat!

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'bump: supabase' is concise and clearly indicates the primary change—upgrading Supabase dependencies—which aligns with the substantial version upgrades across multiple Supabase packages documented in the changeset. |

vercel bot commented Jan 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
docs Ready Ready Preview, Comment Jan 10, 2026 6:11pm
grida Ready Ready Preview, Comment Jan 10, 2026 6:11pm
5 Skipped Deployments
Project Deployment Review Updated (UTC)
code Ignored Ignored Jan 10, 2026 6:11pm
legacy Ignored Ignored Jan 10, 2026 6:11pm
backgrounds Skipped Skipped Jan 10, 2026 6:11pm
blog Skipped Skipped Jan 10, 2026 6:11pm
viewer Skipped Skipped Jan 10, 2026 6:11pm

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🤖 Fix all issues with AI agents
In @editor/middleware.ts:
- Around line 44-64: The dev-guard sets res via NextResponse.next when
NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY is missing but
then unconditionally calls updateSession(req), overwriting res and invoking
Supabase code; fix by preventing updateSession from running when the guard
triggers: either return the prebuilt res immediately (use return res after
NextResponse.next) or wrap the updateSession call in the same condition (only
call updateSession(req) when both NEXT_PUBLIC_SUPABASE_URL and
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY are present); update references to
updateSession and NextResponse.next in middleware.ts accordingly.
- Around line 49-51: Update the warning string emitted inside the conditional
that checks process.env.NODE_ENV and the NEXT_PUBLIC_SUPABASE_* env vars so it
references the correct variable names; replace the existing message with:
"NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY is not set
this will break all db-requests, please set them in the .env.local file". Locate
the conditional that checks process.env.NODE_ENV and
(!process.env.NEXT_PUBLIC_SUPABASE_URL ||
!process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY) and change the logger/console
warning message accordingly.

In @editor/turbo.json:
- Around line 33-36: Remove the unused SUPABASE_ANON_KEY entry from the
turbo.json env list: locate the array containing "SUPABASE_ANON_KEY", delete
that string (and adjust trailing commas so JSON remains valid), and confirm no
other references remain (the codebase uses NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY
instead).
🧹 Nitpick comments (3)
supabase/README.md (1)

41-41: Use proper heading syntax instead of bold text.

Lines 41 and 150 use bold emphasis (**text**) instead of proper Markdown headings. This affects document structure and accessibility.

📝 Proposed fix
-**Key safety property**
+### Key safety property
-**Rules**
+### Rules

Also applies to: 150-150

editor/lib/supabase/server.ts (2)

2-5: Unused import: SupabaseClientOptions.

SupabaseClientOptions is imported but doesn't appear to be used in this file. Consider removing it to keep imports clean.

Suggested fix
-import {
-  createClient as _createClient,
-  SupabaseClientOptions,
-} from "@supabase/supabase-js";
+import { createClient as _createClient } from "@supabase/supabase-js";

86-91: Type cast as any for schema configuration.

The schema as any cast at line 88 bypasses type checking. This is likely a workaround for stricter typing in the updated Supabase client. While functional, it may hide type mismatches. Consider investigating if there's a type-safe alternative in future refactoring.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5e78e68 and 83e0a43.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (14)
  • CONTRIBUTING.md
  • editor/.env.example
  • editor/lib/supabase-postgrest/builder.ts
  • editor/lib/supabase/client.ts
  • editor/lib/supabase/proxy.ts
  • editor/lib/supabase/realtime.ts
  • editor/lib/supabase/server.ts
  • editor/lib/supabase/vault.ts
  • editor/middleware.ts
  • editor/package.json
  • editor/turbo.json
  • supabase/.gitignore
  • supabase/README.md
  • supabase/config.toml
🧰 Additional context used
📓 Path-based instructions (1)
supabase/**

📄 CodeRabbit inference engine (AGENTS.md)

Do not use supabase edge functions; migrations should be managed with supabase migration commands

Files:

  • supabase/README.md
  • supabase/config.toml
🧠 Learnings (7)
📚 Learning: 2026-01-10T04:48:31.415Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Applies to supabase/schema/**/*.sql : Store human-friendly organized schema SQLs in /supabase/schema directory

Applied to files:

  • supabase/README.md
  • CONTRIBUTING.md
📚 Learning: 2026-01-10T04:48:31.415Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Applies to supabase/** : Do not use supabase edge functions; migrations should be managed with supabase migration commands

Applied to files:

  • supabase/README.md
  • CONTRIBUTING.md
📚 Learning: 2026-01-10T04:48:31.415Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Applies to supabase/migrations/**/*.sql : SQL migration files should follow naming convention created by 'supabase migration new <feature-name>' command

Applied to files:

  • supabase/README.md
📚 Learning: 2025-12-01T00:22:41.045Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: editor/AGENTS.md:0-0
Timestamp: 2025-12-01T00:22:41.045Z
Learning: Applies to editor/**/next-env.d.ts : Include `next-env.d.ts` file in git for the project to avoid requiring dev/build runs for typechecking in CI environments

Applied to files:

  • editor/lib/supabase/client.ts
📚 Learning: 2025-12-01T00:22:19.083Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: crates/grida-canvas-wasm/AGENTS.md:0-0
Timestamp: 2025-12-01T00:22:19.083Z
Learning: Applies to crates/grida-canvas-wasm/**/main.rs : Update `grida-canvas-wasm.d.ts` TypeScript definitions file when new APIs are introduced via `main.rs`

Applied to files:

  • CONTRIBUTING.md
📚 Learning: 2026-01-10T04:48:31.415Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Use React.js 19 for web applications

Applied to files:

  • editor/package.json
📚 Learning: 2026-01-10T04:48:31.415Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Use Next.js 15 for web applications

Applied to files:

  • editor/package.json
🧬 Code graph analysis (1)
editor/middleware.ts (1)
editor/lib/supabase/proxy.ts (1)
  • updateSession (7-59)
🪛 dotenv-linter (4.0.0)
editor/.env.example

[warning] 5-5: [QuoteCharacter] The value has quote characters (', ")

(QuoteCharacter)


[warning] 5-5: [UnorderedKey] The NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY key should go before the NEXT_PUBLIC_SUPABASE_URL key

(UnorderedKey)


[warning] 6-6: [QuoteCharacter] The value has quote characters (', ")

(QuoteCharacter)

🪛 markdownlint-cli2 (0.18.1)
supabase/README.md

41-41: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


150-150: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Cursor Bugbot
🔇 Additional comments (19)
supabase/.gitignore (2)

10-11: LGTM!

Correctly ignoring signing_keys.json as it contains sensitive JWT signing keys that should never be committed. This aligns with the configuration in config.toml.


4-8: No action needed – plain .env files are already covered by the root .gitignore.

The root .gitignore (line 108) already includes .env, which covers plain .env files repository-wide. The new patterns in supabase/.gitignore (.env.keys, .env.local, .env.*.local) are explicit additions for that directory's specific use case and don't create any gaps. The original concern is not valid.

Likely an incorrect or invalid review comment.

supabase/config.toml (3)

3-3: LGTM!

Helpful addition of the reference link to the config template.


138-139: LGTM!

Good practice to externalize JWT signing keys to a separate file with a clear warning not to commit it. This aligns with the .gitignore changes.


15-15: No action required. The grida_west schema is not referenced anywhere in the codebase—all code depends on grida_west_referral, which remains in the exposed API schemas. The removal is safe.

supabase/README.md (1)

1-184: Excellent documentation for local development workflow!

The README provides comprehensive guidance on local Supabase development with clear safety boundaries between local and remote operations. The structure is logical, covering setup, daily commands, type generation, and environment variables.

editor/lib/supabase/realtime.ts (2)

17-18: LGTM! Enhanced type safety for schema names.

The new SupabaseSchemaName helper type properly excludes internal Supabase keys from valid schema names, improving type safety.


20-25: LGTM! Improved generic type constraints.

The updated generic parameters with conditional defaults ensure better type inference for schema names. When "public" is a valid schema, it becomes the default; otherwise, TypeScript infers the appropriate schema name from the database type.

Also applies to: 66-71

editor/package.json (1)

98-100: Breaking changes from Supabase package upgrades require verification.

The Supabase packages include a major version upgrade for @supabase/postgrest-js (v1 → v2) which introduces breaking changes, including constructor options rework with namespaced configuration (db, auth, global), TypeScript typing changes, query-builder API surface changes, and Node >=20.0.0 requirement. @supabase/ssr v0.8.0 contains no breaking changes.

The code actively imports and uses types from @supabase/postgrest-js (PostgrestQueryBuilder, PostgrestFilterBuilder, PostgrestSingleResponse, PostgrestError). Verify that all affected usage patterns in editor/lib/supabase-postgrest/builder.ts, editor/lib/supabase/client.ts, and other imports follow the v2 API contract and constructor conventions.

Also applies to: 241-241

editor/lib/supabase-postgrest/builder.ts (2)

371-396: Good defensive improvements to fromSearchParams.

The runtime guard (lines 373-377) and the BuilderWithUrl type alias (line 384) improve robustness by:

  1. Failing fast with a clear error message when the builder is uninitialized
  2. Providing type-safe access to the url property that exists at runtime on all builder variants

236-240: Incorrect generic type parameters for postgrest-js API.

The generic parameters in the builder type do not match the current @supabase/postgrest-js API (v1.21.3). According to the official type definitions:

  • PostgrestQueryBuilder expects a single generic parameter: PostgrestQueryBuilder<T>
  • PostgrestFilterBuilder expects a single generic parameter: PostgrestFilterBuilder<T>

The code currently uses:

  • PostgrestQueryBuilder<any, any, any> (3 parameters - incorrect)
  • PostgrestTransformBuilder<any, any, any, any> (4 parameters - incorrect)
  • PostgrestFilterBuilder<any, any, any, any> (4 parameters - incorrect)

These should be updated to use single generic parameters to match the actual postgrest-js type signatures.

Likely an incorrect or invalid review comment.

editor/lib/supabase/vault.ts (1)

4-11: LGTM - Environment variable rename is consistent.

The change from SUPABASE_SERVICE_KEY to SUPABASE_SECRET_KEY aligns with the broader environment variable naming updates across the PR.

editor/lib/supabase/client.ts (1)

11-13: LGTM - Client-side key source updated.

The switch to NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY is consistent with the environment variable naming convention updates across the PR.

editor/.env.example (1)

4-6: LGTM - Environment variable examples updated.

The key renames to NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY and SUPABASE_SECRET_KEY are consistent with the code changes. The placeholder values clearly indicate these are example values to be replaced.

The static analysis warnings about quote characters and key ordering are acceptable for a .env.example file where clarity and documentation take precedence.

editor/lib/supabase/server.ts (2)

17-19: LGTM - Server client key source updated.

The change to NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY is consistent with the client-side changes and environment variable renames across the PR.


83-85: LGTM - Service role client key source updated.

The change to SUPABASE_SECRET_KEY is consistent with the vault.ts changes and the environment variable naming convention updates.

CONTRIBUTING.md (1)

54-54: LGTM - Documentation consolidated.

Good practice to centralize Grida-specific Supabase setup instructions in a dedicated README rather than duplicating them here. The supabase/README.md file contains all referenced setup details: migrations, environment variables, and signing keys.

editor/lib/supabase/proxy.ts (1)

1-2: LGTM!

The imports are appropriate for the Supabase SSR integration with Next.js middleware.

editor/middleware.ts (1)

5-5: LGTM!

The extraction of updateSession to a dedicated proxy module improves code organization and reusability.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
editor/middleware.ts (1)

11-15: Fix typos and consolidate with the new guard.

Two issues:

  • Line 13: "CONTRIBUTER" → "CONTRIBUTOR", "Backedn" → "Backend"
  • This early check only validates NEXT_PUBLIC_SUPABASE_URL, while the new guard (lines 48-61) checks both URL and PUBLISHABLE_KEY. Consider consolidating these checks or removing this early warning to avoid duplication.
✏️ Proposed fix
-  console.warn(
-    "[CONTRIBUTER MODE]: Supabase Backedn is not configured - some feature may restricted"
-  );

If keeping this early check, fix typos:

+  console.warn(
+    "[CONTRIBUTOR MODE]: Supabase Backend is not configured - some features may be restricted"
+  );

Otherwise, remove lines 11-15 entirely since the dev guard below (lines 48-61) provides more comprehensive validation.

🤖 Fix all issues with AI agents
In @editor/middleware.ts:
- Around line 48-64: The dev guard uses ambiguous var names and prints multiple
console.warn args, updateSession is unprotected and there is no production
validation; change the env check variable
(env_not_set_but_can_skip_on_local_dev) to warn using the full names
NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY in a single
formatted message (template literal), wrap the await updateSession(req) call in
a try/catch to handle and log errors and return a safe NextResponse on failure,
and add a production-time validation block (run after imports) that throws a
clear Error if NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY
are missing to prevent non-null assertion crashes in proxy.ts.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b73c97b and 42fb6ee.

📒 Files selected for processing (1)
  • editor/middleware.ts
🧰 Additional context used
🧬 Code graph analysis (1)
editor/middleware.ts (1)
editor/lib/supabase/proxy.ts (1)
  • updateSession (7-59)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Cursor Bugbot
  • GitHub Check: test
🔇 Additional comments (1)
editor/middleware.ts (1)

5-5: LGTM: Clean extraction of session logic.

Moving updateSession to a dedicated proxy module improves separation of concerns and aligns with Supabase SSR best practices.

Comment on lines +48 to +64
const env_not_set_but_can_skip_on_local_dev =
process.env.NODE_ENV === "development" &&
(!process.env.NEXT_PUBLIC_SUPABASE_URL ||
!process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY);

if (env_not_set_but_can_skip_on_local_dev) {
res = NextResponse.next({
request: req,
});
console.warn(
"SUPABASE_URL or SUPABASE_PUBLISHABLE_KEY is not set this will break all db-requests, please set them in the .env.local file",
"If you are just testing things around, you can ignore this message",
"Learn more at https://github.com/gridaco/grida/blob/main/CONTRIBUTING.md"
);
} else {
res = await updateSession(req);
}

⚠️ Potential issue | 🟠 Major

Refine the development guard and add error handling.

Several concerns:

  1. Line 58: The warning message refers to "SUPABASE_URL or SUPABASE_PUBLISHABLE_KEY" but should use the full environment variable names (NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY) for clarity.

  2. Lines 57-61: console.warn with three separate string arguments will print them as separate lines rather than a single formatted message. Use a template literal or string concatenation for better readability.

  3. Line 63: The updateSession call lacks error handling. If the proxy throws (e.g., due to Supabase API issues), the middleware will fail ungracefully and potentially break all requests.

  4. Production safety: The guard only checks environment variables in development mode. However, the proxy implementation (from editor/lib/supabase/proxy.ts) uses non-null assertions (process.env.NEXT_PUBLIC_SUPABASE_URL!). If these variables are missing in production, the application will crash at runtime.

🛠️ Proposed improvements

Fix warning message formatting:

-    console.warn(
-      "SUPABASE_URL or SUPABASE_PUBLISHABLE_KEY is not set this will break all db-requests, please set them in the .env.local file",
-      "If you are just testing things around, you can ignore this message",
-      "Learn more at https://github.com/gridaco/grida/blob/main/CONTRIBUTING.md"
-    );
+    console.warn(
+      "[DEV] NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY is not set. " +
+      "This will break all DB requests. Please set them in the .env.local file.\n" +
+      "If you are just testing things around, you can ignore this message.\n" +
+      "Learn more at https://github.com/gridaco/grida/blob/main/CONTRIBUTING.md"
+    );
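Review bot: the rewritten console.warn still sits in the per-request branch of the middleware, so with the variables unset it prints the whole multi-line message on every matched request. Guard it with a module-level flag so it is emitted once per process; the [DEV] prefix and the full variable names are worth keeping.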

Add error handling:

  } else {
-    res = await updateSession(req);
+    try {
+      res = await updateSession(req);
+    } catch (error) {
+      console.error("[middleware] Failed to update session:", error);
+      res = NextResponse.next({ request: req });
+    }
  }
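Review bot: the catch branch fails open. On the added line res = NextResponse.next({ request: req }); a throwing updateSession lets the request continue through the middleware with the cookies it arrived with and no refreshed session. That is acceptable only if every route behind this middleware verifies authentication itself; otherwise return an error response from the catch instead of passing the request on, and say in a comment which of the two behaviours is intended.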

Add production validation (at the top of the file after imports):

// Validate required env vars in production
if (process.env.NODE_ENV === "production") {
  if (!process.env.NEXT_PUBLIC_SUPABASE_URL || !process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY) {
    throw new Error(
      "NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY must be set in production"
    );
  }
}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const env_not_set_but_can_skip_on_local_dev =
process.env.NODE_ENV === "development" &&
(!process.env.NEXT_PUBLIC_SUPABASE_URL ||
!process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY);
if (env_not_set_but_can_skip_on_local_dev) {
res = NextResponse.next({
request: req,
});
console.warn(
"SUPABASE_URL or SUPABASE_PUBLISHABLE_KEY is not set this will break all db-requests, please set them in the .env.local file",
"If you are just testing things around, you can ignore this message",
"Learn more at https://github.com/gridaco/grida/blob/main/CONTRIBUTING.md"
);
} else {
res = await updateSession(req);
}
const env_not_set_but_can_skip_on_local_dev =
process.env.NODE_ENV === "development" &&
(!process.env.NEXT_PUBLIC_SUPABASE_URL ||
!process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY);
if (env_not_set_but_can_skip_on_local_dev) {
res = NextResponse.next({
request: req,
});
console.warn(
"[DEV] NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY is not set. " +
"This will break all DB requests. Please set them in the .env.local file.\n" +
"If you are just testing things around, you can ignore this message.\n" +
"Learn more at https://github.com/gridaco/grida/blob/main/CONTRIBUTING.md"
);
} else {
try {
res = await updateSession(req);
} catch (error) {
console.error("[middleware] Failed to update session:", error);
res = NextResponse.next({ request: req });
}
}
🤖 Prompt for AI Agents
In @editor/middleware.ts around lines 48 - 64, The dev guard uses ambiguous var
names and prints multiple console.warn args, updateSession is unprotected and
there is no production validation; change the env check variable
(env_not_set_but_can_skip_on_local_dev) to warn using the full names
NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY in a single
formatted message (template literal), wrap the await updateSession(req) call in
a try/catch to handle and log errors and return a safe NextResponse on failure,
and add a production-time validation block (run after imports) that throws a
clear Error if NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY
are missing to prevent non-null assertion crashes in proxy.ts.
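
The environment checks this review argues over, gathered into one decision function as an added example (not code from the pull request or the gridaco/grida repository). It goes beyond the proposed production-only check by failing closed for every NODE_ENV other than development; decideSupabaseEnv, staleSupabaseEnvNames and the sample values are hypothetical.

```typescript
// Added example: hypothetical helpers, not code from the pull request.
type SupabaseEnv = { [name: string]: string | undefined };

type SupabaseEnvDecision =
  | { kind: "ok"; url: string; publishableKey: string }
  | { kind: "skip-session"; missing: string[] };

// The two variables the dev guard in editor/middleware.ts checks.
const REQUIRED_SUPABASE_ENV: string[] = [
  "NEXT_PUBLIC_SUPABASE_URL",
  "NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY",
];

// Names replaced by this PR, paired with their replacements.
const RENAMED_SUPABASE_ENV: Array<[string, string]> = [
  ["NEXT_PUBLIC_SUPABASE_ANON_KEY", "NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY"],
  ["SUPABASE_SERVICE_KEY", "SUPABASE_SECRET_KEY"],
];

// Decide what the middleware may do with the given environment.
// - all required variables set: run the session update
// - variables missing in development: skip the session update (dev guard)
// - variables missing anywhere else (production, test, NODE_ENV unset):
//   throw, so the non-null assertions in proxy.ts are never reached
function decideSupabaseEnv(env: SupabaseEnv): SupabaseEnvDecision {
  const missing = REQUIRED_SUPABASE_ENV.filter((name) => !env[name]);
  if (missing.length === 0) {
    return {
      kind: "ok",
      url: env["NEXT_PUBLIC_SUPABASE_URL"] as string,
      publishableKey: env["NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY"] as string,
    };
  }
  if (env["NODE_ENV"] === "development") {
    return { kind: "skip-session", missing: missing };
  }
  throw new Error(
    `${missing.join(", ")} must be set when NODE_ENV is ${env["NODE_ENV"] || "unset"}`
  );
}

// Old names that are still exported while their replacement is not:
// the usual cause of a "missing" key right after the rename.
function staleSupabaseEnvNames(env: SupabaseEnv): string[] {
  return RENAMED_SUPABASE_ENV
    .filter(([oldName, newName]) => Boolean(env[oldName]) && !env[newName])
    .map(([oldName]) => oldName);
}

// Constructed sample: a CI run (NODE_ENV=test) that still exports the old
// key name. Neither the dev guard nor a production-only check covers it.
const SAMPLE_CI_ENV: SupabaseEnv = {
  NODE_ENV: "test",
  NEXT_PUBLIC_SUPABASE_URL: "http://127.0.0.1:54321",
  NEXT_PUBLIC_SUPABASE_ANON_KEY: "constructed-anon-key",
};
```

Called with process.env, a thrown error can be caught and extended with the result of staleSupabaseEnvNames so the message names the old variable that needs renaming.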

@softmarshmallow softmarshmallow merged commit bcf779d into main Jan 11, 2026
11 checks passed