Permit single-quoted arguments in SHELL_SAFE_COMMAND_PATTERN while
keeping dangerous metacharacters blocked, and add security test cases
for quoted --entrypoint and --hostname values.
Using 'stub' as default would break existing installations that stored files
under the default tenantId 'storage-single-tenant' (pre-TENANT_ID era).
After upgrading, storage-api would look for files under 'stub/...' prefix
instead of 'storage-single-tenant/...', making all existing files inaccessible.
- Update Kong to 3.9.1 with new awk-based entrypoint script (replaces fragile eval/echo)
- Add request-transformer plugin to all secure Kong routes for API key translation
- Fix hide_credentials: false on REST and GraphQL routes
- Add post-function plugin on storage route for S3 presigned URL compatibility
- Add opaque API key support (SUPABASE_PUBLISHABLE_KEY, SUPABASE_SECRET_KEY)
- Update Vector router to use contains() matching for Coolify container names
- Add auto-generated self-signed TLS cert for Supavisor (fixes Supabase CLI connectivity)
- Fix logs not queryable in Studio by separating public/private Logflare access tokens
- Update image versions: Kong 3.9.1, Studio 2026.03.16, PostgREST v14.6, Storage v1.44.2, Edge Runtime v1.71.2
- Fix IMGPROXY_ENABLE_WEBP_DETECTION -> IMGPROXY_AUTO_WEBP
- Add deno-cache volume for faster Edge Function cold starts
- Make POOLER_TENANT_ID configurable
- Add start_period to Realtime and Supavisor healthchecks
- Add KONG_PROXY_ACCESS_LOG configuration
- Update SQL init scripts to use $POSTGRES_USER instead of hardcoded supabase_admin
The pinned commit hashes (00bd9272, 33cef775) are from ~Nov 2025 and
incompatible with convex npm package >=1.30, causing deploy failures
with "missing field `functions`" errors.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When upgrading to the latest image version, the database alteration command was missing, causing the application to fail due to schema mismatch. This change ensures the database is properly migrated to the latest version during startup.
Prevent null CA certificate access during database SSL certificate regeneration
across KeyDB, MariaDB, MongoDB, MySQL, PostgreSQL, and Redis components.
If no CA certificate exists, attempt to generate one and re-query; if still
missing, dispatch a clear error and stop regeneration gracefully.
Add `SslCertificateRegenerationTest` coverage for missing-CA and CA-query
scenarios to prevent regressions.
The releases published on 27/03/26 causes Clickhouse to incorrectly
initialize. This prevent the DB from restarting after the initial run.
This pin the version to the most recent version that was working
properly.
Do not replace self-referencing environment variables (e.g., DATABASE_URL: ${DATABASE_URL})
with saved DB values in the compose environment section. Keeping the reference intact allows
Docker Compose to resolve from .env at deploy time, preventing stale values from overriding
user updates that haven't been re-parsed.
Fixes#9136
The Directus service templates were missing CORS configuration, causing
preflight OPTIONS requests to fail when connecting from frontend apps.
Users had to manually edit the compose file to add CORS variables.
Add sensible CORS defaults (enabled with dynamic origin matching) to
both directus.yaml and directus-with-postgresql.yaml templates. All
values are user-overridable via the Coolify UI.
Fixes#5024
GF_SERVER_DOMAIN expects a bare hostname (e.g. grafana.example.com) but
was set to SERVICE_URL_GRAFANA which includes the protocol
(https://grafana.example.com). This mismatch can cause Grafana to fail
to load its application files when deployed behind Coolify's proxy.
Changed to SERVICE_FQDN_GRAFANA which provides just the hostname. Applied
the fix to both grafana.yaml and grafana-with-postgresql.yaml templates.
Fixes#5307
The Supabase template hardcoded GOTRUE_SITE_URL to the internal Supabase
Kong URL, which caused OAuth redirects to go to the Supabase API domain
instead of the user's frontend domain. This broke Google OAuth, magic
links, and other redirect-based auth flows.
Allow users to set GOTRUE_SITE_URL in the Coolify UI to their frontend
domain while keeping the Supabase URL as a sensible default.
Fixes#5581
