fix(cli): generate non-TypeScript types from project refs #5622
avallete wants to merge 9 commits into
…with-project-id-fails-and-db-url
Supabase CLI preview
npx --yes https://pkg.pr.new/supabase/cli/supabase@864fdd786bf1941e1d7ae3352b2633bafbad536b
Preview package for commit
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6314b35001
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| host: target.host, | ||
| port: target.port, | ||
| probeHost: target.host, | ||
| probePort: target.port, | ||
| networkMode: "host", |
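Review bot: networkMode: "host" on the last line is set next to a host and port taken from target, with nothing saying why the container needs the host's network namespace. If host networking is only required for loopback targets, make it conditional on the target; otherwise add a comment beside the field stating the reason.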
Route remote pg-meta through the linked DB resolver
For linked/project-ref non-TypeScript generation on an IPv4-only network, this always points pg-meta at project.database.host. The existing linked DB resolver treats an unreachable direct host as a supported case and falls back to the Supavisor pooler (apps/cli/src/legacy/shared/legacy-db-config.layer.ts:385-404, with the IPv6 error documented at legacy-db-config.errors.ts:66-70); bypassing it here means supabase gen types --project-id ... --lang go|swift|python fails during the TLS probe/container run instead of using the pooler for those projects.
| @@ -0,0 +1 @@ | |||
| {"ref":"hhrqlmthvbnwvlawqnwi","name":"rere","organization_id":"rnwamzlptflscprylent","organization_slug":"rnwamzlptflscprylent"} No newline at end of file | |||
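Review bot: The single added line carries ref, name, organization_id and organization_slug values with no marking that they are fixture data, and the file has no trailing newline. If a test needs this file, replace the values with obvious placeholders; otherwise drop the file from the change and add its path to the ignore rules.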
Remove the committed linked-project cache
This commits a machine-local Supabase linked-project cache under the repo root, including a real project ref/name/org id. The legacy analytics layer reads <cwd>/supabase/.temp/linked-project.json when commands run from the repository root, so this can leak workspace-specific project metadata into the repo and misattribute local command telemetry to that project.
| const project = yield* api.v1 | ||
| .getProject({ ref: projectRef }) | ||
| .pipe(Effect.catch(mapProjectDatabaseHostError)); |
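Review bot: Effect.catch(mapProjectDatabaseHostError) on the last line sends every typed failure of getProject through one mapper, so an auth failure, a transport error and a not-found all come out as a database-host error unless the mapper branches on the cause. Catch only the causes this mapper is meant for and let the rest propagate, or document in the mapper which causes it handles.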
Fall back to branch config for preview branch refs
When --linked or --project-id points at a preview branch, getProject({ ref }) returns 404; the link handler already treats that 404 as the branch case (apps/cli/src/legacy/commands/link/link.handler.ts:36-49). Mapping the 404 here as a fatal project-database-config error means supabase gen types --project-id <branch-ref> --lang go|swift|python cannot reach pg-meta for linked branch projects, even though the branch config endpoint exposes the branch DB host/port for this scenario.
| Effect.gen(function* () { | ||
| const api = yield* platformApi.make; | ||
|
|
||
| if (lang !== "typescript") { |
Allow pg-meta flags on project-ref typegen
Now that this branch runs pg-meta for project refs, the earlier mutual-exclusion checks still reject the pg-meta-only flags before this path can use them. For example, supabase gen types --project-id <ref> --lang swift --swift-access-control public fails up front, so remote Swift generation is stuck with internal access control; the same issue prevents raising --query-timeout or using v9 compatibility for large/legacy remote schemas.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 864fdd786b
| return ( | ||
| cause instanceof LegacyGenTypesUnexpectedStatusError && | ||
| cause.status === 404 && | ||
| cause.body.includes("Preview branch not found") |
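Review bot: cause.body.includes("Preview branch not found") on the last line ties the branch check to a human-readable message and assumes body is always a string. Prefer a structured field such as the status or an error code where the response has one, and guard the type of body before calling includes if it can be absent or already parsed.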
Treat all project 404s as branch candidates
Fresh evidence after this update: the new branch fallback still depends on the exact getProject response body, but the link flow documents and implements the branch case as any 404 from GET /v1/projects/{ref} (apps/cli/src/legacy/commands/link/link.handler.ts:36-48). If the Management API returns a different 404 body for a preview branch, gen types --project-id <branch-ref> --lang go|swift|python will fail before trying getABranchConfig, even though the branch config endpoint is the intended fallback.
| const resolved = yield* dbConfig.resolve({ | ||
| dbUrl: Option.none(), | ||
| connType: "linked", | ||
| dnsResolver, | ||
| linkedProjectRef: Option.some(projectRef), | ||
| }); |
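Review bot: connType: "linked" is passed together with linkedProjectRef: Option.some(projectRef), so the resolver cannot tell a ref read from the workdir link apart from one handed in by the caller. If projectRef can come from a command-line flag here, pass that distinction explicitly (a separate connType or a flag on the request) or add a comment stating that "linked" behaviour is intended for both cases.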
Fetch the pooler config for explicit project refs
Fresh evidence after this update: this explicit --project-id path now calls the normal linked DB resolver, but that resolver's IPv4 fallback only reads <workdir>/supabase/.temp/pooler-url unless fetchFromApi is enabled (legacy-db-config.layer.ts:335-339,394-400). From an unlinked workdir on an IPv4-only network there is no saved pooler URL, so supabase gen types --project-id <ref> --lang go|swift|python still exits with the IPv6/link suggestion instead of using the Management API pooler config that this command already has token access to.
| const resolved = yield* dbConfig.resolve({ | ||
| dbUrl: Option.none(), | ||
| connType: "linked", | ||
| dnsResolver, | ||
| linkedProjectRef: Option.some(projectRef), | ||
| }); |
Avoid ambient DB passwords bypassing temp roles
For explicit project-ref typegen, this reuses the linked DB resolver without constraining its password lookup. That resolver reads SUPABASE_DB_PASSWORD from the shell or the current worktree's .env* files and, when the direct DB host is reachable, returns postgres with that password instead of minting a login role (legacy-db-config.layer.ts:373-391); a local project that has SUPABASE_DB_PASSWORD=postgres for its dev stack will therefore make supabase gen types --project-id <ref> --lang go skip the temp-role path and hand pg-meta the wrong remote credentials. The new --project-id flow should not inherit an unrelated workdir password unless the user explicitly asked to use it for that ref.
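The credential-scoping rule the comment above asks for, as an added TypeScript example (not code from this PR or from the Supabase CLI). The request shape, chooseCredentials, allowAmbientPassword and the sample refs are assumptions made for illustration; only the SUPABASE_DB_PASSWORD variable name comes from the thread.

```typescript
// Added illustration. All names are hypothetical; this is not the Supabase CLI's resolver.
type Env = Record<string, string | undefined>;

interface CredentialRequest {
  targetRef: string;              // project ref pg-meta will connect to
  refFromFlag: boolean;           // true when the ref came from --project-id
  linkedRef?: string;             // ref recorded for the current workdir, if linked
  allowAmbientPassword?: boolean; // explicit opt-in to use the ambient password for this ref
}

type Decision =
  | { use: "password"; user: "postgres"; password: string }
  | { use: "temp-role"; reason: string };

function chooseCredentials(req: CredentialRequest, env: Env): Decision {
  const ambient = env["SUPABASE_DB_PASSWORD"];
  if (ambient === undefined || ambient === "") {
    return { use: "temp-role", reason: "no password in environment" };
  }
  // Explicit opt-in wins: the user asked to use this password for this ref.
  if (req.allowAmbientPassword === true) {
    return { use: "password", user: "postgres", password: ambient };
  }
  // Without opt-in, the ambient value is trusted only for the workdir's own
  // linked project, and only when the ref was not supplied on the command line.
  if (!req.refFromFlag && req.linkedRef === req.targetRef) {
    return { use: "password", user: "postgres", password: ambient };
  }
  return { use: "temp-role", reason: "ambient password is not bound to the target ref" };
}

// Safe to log: the password itself is never included.
function describeDecision(d: Decision): string {
  return d.use === "password" ? `password auth as ${d.user}` : `temp role (${d.reason})`;
}

// Constructed sample values, not real project refs or credentials.
const LOCAL_DEV_ENV: Env = { SUPABASE_DB_PASSWORD: "postgres" };
const REMOTE_REF = "remoteprojectref0001";
const LINKED_REF = "linkedprojectref0002";

const explicitRemote = chooseCredentials(
  { targetRef: REMOTE_REF, refFromFlag: true, linkedRef: LINKED_REF },
  LOCAL_DEV_ENV,
);
console.log(describeDecision(explicitRemote));
```

With the local dev stack's password in the environment, the explicit remote ref resolves to the temp-role path, while the same environment still serves the workdir's own linked project.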
|
|
||
| const runProjectTypes = (projectRef: string, includedSchemas: ReadonlyArray<string>) => | ||
| Effect.gen(function* () { | ||
| const api = yield* platformApi.make; |
Defer project API auth when DB password is available
For --linked --lang go|swift|python in a linked workdir with SUPABASE_DB_PASSWORD set but no Supabase access token, this eagerly builds the Management API client and calls getProject before the DB resolver gets a chance to use its password-only path. The linked resolver already skips temp-role creation when a DB password is present (legacy-db-config.layer.ts:387-391), so this scenario should be able to run pg-meta with the supplied database credentials; instead it fails up front with an auth error.
What changed
supabase gen types --project-id generate Go, Swift, and Python types by resolving a temporary database connection and running pg-meta.
Why
Python type generation with --project-id failed before it could reach pg-meta, and the first fix used the preview-branch config endpoint. Production project refs return 404 Preview branch not found from that endpoint because /v1/branches/{ref} is branch-only.
Non-TypeScript type generation is still pg-meta-based, so project-ref flows need to construct a live database connection instead of calling the TypeScript-only typegen endpoint or asking the user to provide --db-url.
Reviewer context
Non-TypeScript project-ref generation still requires Docker because it continues to use pg-meta. The change is limited to how the CLI resolves the database connection for project refs: it fetches the project database host and creates a temporary login role rather than reading or storing the project's database password.
The live remote e2e matrix is skipped unless SUPABASE_TYPEGEN_E2E_REMOTE=1, SUPABASE_TEST_PROJECT_REF, and SUPABASE_ACCESS_TOKEN are set. The local e2e matrix runs without a token and points the API profile at an unreachable local URL to catch accidental Management API usage on the --local path.
Closes CLI-1812