chore(supabase): drop legacy/dead Supabase env-var infra

[softmarshmallow]

What & why

Removes two pieces of Supabase env-var infrastructure that were introduced but never wired into any live code path.

1. Read-replica routing (editor/env.ts)

Deletes the entire Env.supabase namespace — the 16 NEXT_PUBLIC_SUPABASE_URL_RR_* region constants, SUPABASE_READ_REPLICAL_URLS, the fallback / AWS-region maps, the SupabaseRegion type, and the rr() resolver — plus the Env.vercel namespace (region table + region()), which existed solely to feed that routing.

Nothing ever called Env.supabase.rr(); the real clients (lib/supabase/{client,server,proxy}.ts) read process.env.NEXT_PUBLIC_SUPABASE_URL directly. Supabase already does default region routing, so the manual replica-selection layer was unnecessary from the start.

2. CIAM JWT signing key (SUPABASE_SIGNING_KEY_JSON + ES256 signing keys)

The CIAM design originally specced editor-minted ES256 JWTs verified by PostgREST via JWKS. That path was abandoned in favor of opaque, sha256-hashed portal-session tokens resolved server-side via service_role (the live flow). The JWT scaffolding was left behind:

• Delete editor/lib/ciam/server/jwt.ts — signCustomerSessionToken had zero callers.
• Remove signing_keys_path from supabase/config.toml (local Auth falls back to the default symmetric jwt_secret).
• Drop the CI gen signing-key step (database-tests.yml) and the signing_keys.json .gitignore entry.
• Rewrite the README and grida_ciam.md sections to describe the actual opaque-token model; JWT/JWKS now appears only as clearly-labeled, not-yet-implemented future work.

No .well-known / JWKS / OIDC route ever existed in the repo — that part of the design never landed, so there was nothing to remove there.

Behavior

No change for anything that runs. The grida_ciam feature itself stays live (opaque-token based); only the dead JWT-signing scaffolding is removed.

Verification

• turbo typecheck --filter=editor — passes (no orphaned imports of the deleted module).
• Repo-wide grep for all removed symbols (SUPABASE_URL_RR, rr(, SUPABASE_SIGNING_KEY_JSON, signCustomerSessionToken, signing_keys*) — zero matches.
• supabase stop && supabase start — comes up healthy without signing_keys.json (Auth /health → 200, all containers healthy).
• DB tests set identity via set_config, not signed JWTs, so they are unaffected.

Note for local devs: an already-initialized local stack keeps its previously-generated ES256 key (cached in the Docker volume), which is harmless. A fresh init / new clone now uses the default symmetric secret — the intended end state.

Summary by CodeRabbit

• Refactor

  • Simplified local dev and CI by removing the legacy JWT signing-key workflow and related env/config options.

• Documentation

  • Updated authentication docs to describe the new opaque session model, server-side identity resolution, and revised local development guidance.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
grida	Ready	Preview, Comment	Jun 2, 2026 10:30am

6 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
backgrounds	Ignored	Preview	Jun 2, 2026 10:30am
blog	Ignored	Preview	Jun 2, 2026 10:30am
code	Ignored		Jun 2, 2026 10:30am
docs	Ignored	Preview	Jun 2, 2026 10:30am
legacy	Ignored		Jun 2, 2026 10:30am
viewer	Ignored	Preview	Jun 2, 2026 10:30am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f1e79348-de16-4503-847e-03fa119ca9b4

📥 Commits

Reviewing files that changed from the base of the PR and between 5ee8c97 and 7603818.

📒 Files selected for processing (8)

• .github/workflows/database-tests.yml
• editor/.env.example
• editor/env.ts
• editor/lib/ciam/server/jwt.ts
• supabase/.gitignore
• supabase/README.md
• supabase/config.toml
• supabase/schemas/grida_ciam.md

💤 Files with no reviewable changes (6)

• editor/.env.example
• supabase/README.md
• editor/env.ts
• editor/lib/ciam/server/jwt.ts
• .github/workflows/database-tests.yml
• supabase/config.toml

✅ Files skipped from review due to trivial changes (1)

• supabase/.gitignore

🚧 Files skipped from review as they are similar to previous changes (1)

• supabase/schemas/grida_ciam.md

---

Walkthrough

Removes local Supabase ES256 JWT signing key configuration, CI generation step, related env vars and exported region/read-replica helpers; CIAM docs now describe an opaque server-issued session token model instead of minting JWTs.

Changes

JWT signing key infrastructure removal

Layer / File(s)	Summary
Environment and configuration cleanup editor/.env.example, supabase/config.toml, supabase/.gitignore	Removed SUPABASE_SIGNING_KEY_JSON and read-replica env examples, removed signing_keys_path from Supabase auth config, and added comments to keep legacy signing_keys.json ignored.
Code-level JWT and region infrastructure removal editor/env.ts	Removed exported Env.vercel and Env.supabase namespaces, including region constants/types and read-replica resolver logic.
CI workflow and CIAM docs update .github/workflows/database-tests.yml, supabase/README.md, supabase/schemas/grida_ciam.md	Removed CI supabase gen signing-key step, deleted README signing-key setup, and updated CIAM docs to describe opaque session tokens and mark JWT/JWKS-based RLS as not implemented.

Possibly related PRs

• gridaco/grida#514: Modifies the .github/workflows/database-tests.yml workflow around Supabase ES256 signing key generation and database startup sequence.

Suggested labels

org

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: removal of legacy and unused Supabase environment variable infrastructure (read-replica routing and JWT signing scaffolding).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/drop-legacy-supabase-env-infra

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3725d4334e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

supabase/schemas/grida_ciam.md (1)

88-97: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Documentation inconsistency between high-level flow and current implementation.

The "Authentication flow (high level)" section (lines 88-97) describes JWT minting and RLS reading JWT claims, but the "Current: opaque portal-session tokens" section (lines 102-114) explicitly states the system is "opaque URL-token based, not JWT based" and that "customer-session claims are not attached to DB requests today."

Update the high-level flow to accurately reflect the current opaque-token implementation, or clearly mark steps 3-4 as "Future" to avoid confusion.

As per coding guidelines: Keep schema documentation in supabase/schemas/ updated when making changes, treating it as best-effort documentation that should align with actual migrations.

📝 Suggested clarification

Option 1: Update the high-level flow to reflect current implementation:

-3. **Mint JWT**
-   - Backend mints a JWT containing a session identifier (`sid`).
-   - Client uses Supabase client `accessToken: async () => jwt`.
+3. **Create portal session token**
+   - Backend generates an opaque URL-safe token and stores its hash.
+   - Token is returned to client for server-side redemption.

-4. **RLS**
-   - DB helpers read `request.jwt.claims` and resolve:
+4. **Identity resolution** (future: via RLS)
+   - Currently: server-side resolution using `service_role`.
+   - Future: DB helpers will read `request.jwt.claims` and resolve:
     - `customer_uid()`
     - `project_id()`
-   - Policies can reference these helpers to enforce row access.
+   - Policies will reference these helpers to enforce row access.

Option 2: Keep the flow as aspirational but add a note:

 ### Authentication flow (high level)
 
+> **Note**: Steps 3-4 describe the intended JWT-based model. Currently, the system uses opaque portal-session tokens (see "Session model & cryptography" below).
+
 1. **Create OTP challenge**

Also applies to: 102-114

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@supabase/schemas/grida_ciam.md` around lines 88 - 97, Update the
"Authentication flow (high level)" section in supabase/schemas/grida_ciam.md to
match the actual opaque-token implementation: change steps "3. Mint JWT" and "4.
RLS" to either (A) describe the current opaque portal-session token flow (portal
issues opaque session token, client passes it as accessToken, DB requests do not
carry customer-session JWT claims and helpers like customer_uid()/project_id()
are not populated), or (B) mark steps 3–4 explicitly as "Future / aspirational"
and add a short note referencing the existing "Current: opaque portal-session
tokens" section so readers aren’t confused; ensure the documentation reflects
which path (opaque vs JWT) is currently implemented.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@supabase/schemas/grida_ciam.md`:
- Around line 88-97: Update the "Authentication flow (high level)" section in
supabase/schemas/grida_ciam.md to match the actual opaque-token implementation:
change steps "3. Mint JWT" and "4. RLS" to either (A) describe the current
opaque portal-session token flow (portal issues opaque session token, client
passes it as accessToken, DB requests do not carry customer-session JWT claims
and helpers like customer_uid()/project_id() are not populated), or (B) mark
steps 3–4 explicitly as "Future / aspirational" and add a short note referencing
the existing "Current: opaque portal-session tokens" section so readers aren’t
confused; ensure the documentation reflects which path (opaque vs JWT) is
currently implemented.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5e3aeb85-5984-40bb-a62e-81538dbc4c29

📥 Commits

Reviewing files that changed from the base of the PR and between 304c423 and f9da37d.

📒 Files selected for processing (34)

• .github/workflows/database-tests.yml
• editor/.env.example
• editor/env.ts
• editor/lib/ciam/server/jwt.ts
• packages/grida-agent-tools/tsdown.config.mts
• packages/grida-ai-models/tsdown.config.mts
• packages/grida-canvas-cg/tsdown.config.mts
• packages/grida-canvas-color/tsdown.config.mts
• packages/grida-canvas-hud/tsdown.config.mts
• packages/grida-canvas-pixelgrid/tsdown.config.mts
• packages/grida-canvas-ruler/tsdown.config.mts
• packages/grida-canvas-sdk-render-figma/tsdown.config.mts
• packages/grida-canvas-sequence/tsdown.config.mts
• packages/grida-canvas-sync/tsdown.config.mts
• packages/grida-canvas-transparency-grid/tsdown.config.mts
• packages/grida-canvas-vn/tsdown.config.mts
• packages/grida-cmath/tsdown.config.mts
• packages/grida-fonts/tsdown.config.mts
• packages/grida-format/tsdown.config.mts
• packages/grida-history/tsdown.config.mts
• packages/grida-keybinding/tsdown.config.mts
• packages/grida-mixed-properties/tsdown.config.mts
• packages/grida-number-input/tsdown.config.mts
• packages/grida-reftest/tsdown.config.mts
• packages/grida-svg-editor/tsdown.config.mts
• packages/grida-svg/tsdown.config.mts
• packages/grida-text-editor/tsdown.config.mts
• packages/grida-tokens/tsdown.config.mts
• packages/grida-tree-view/tsdown.config.mts
• packages/react-p-queue/tsdown.config.mts
• supabase/.gitignore
• supabase/README.md
• supabase/config.toml
• supabase/schemas/grida_ciam.md

💤 Files with no reviewable changes (6)

• editor/lib/ciam/server/jwt.ts
• supabase/config.toml
• editor/.env.example
• .github/workflows/database-tests.yml
• supabase/README.md
• editor/env.ts

[softmarshmallow]

Addressed the grida_ciam.md outside-diff finding in 5ee8c97: rewrote the 'Authentication flow (high level)' steps 3–4 (Mint JWT / RLS) to describe the current opaque portal-session token flow, with the JWT-claims/RLS path marked as future — now consistent with the 'Session model & cryptography' section.