// Use when reviewing PRs that touch packages/dev-tools/, packages/common/posthog-client.ts, or packages/common/feature-flags.tsx. Covers environment guards, flag override cookies, telemetry event subscription, and SSE stream safety.
Safely execute SQL queries against a user database without risking SQL injection or other security vulnerabilities.
Design system UI patterns for Supabase Studio. Use when building or updating pages, forms, tables, charts, empty states, navigation, cards, alerts, or side panels (sheets). Covers layout selection, component choice, and placement conventions.
React and TypeScript best practices for Supabase Studio. Use when writing or reviewing Studio components — covers boolean naming, component structure, loading/error states, state management, custom hooks, event handlers, conditional rendering, performance, and TypeScript conventions.
Write and run Playwright E2E tests for Supabase Studio. Use when asked to run e2e tests, write new E2E tests, or debug flaky tests. Covers running commands, avoiding race conditions, waiting strategies, selectors, helper functions, and CI vs local differences.
React Query conventions for data fetching in Supabase Studio. Use when writing or reviewing query hooks, mutation hooks, or query keys in apps/studio/data/. Covers queryOptions pattern, keys.ts structure, mutation hook template, and imperative fetching.
Testing strategy for Supabase Studio. Use when writing tests, deciding what type of test to write, extracting logic from components into testable utility functions, or reviewing test coverage. Covers unit tests, component tests, and E2E test selection criteria.
| name | dev-toolbar-review |
| description | Use when reviewing PRs that touch packages/dev-tools/, packages/common/posthog-client.ts, or packages/common/feature-flags.tsx. Covers environment guards, flag override cookies, telemetry event subscription, and SSE stream safety. |
Review checklist for PRs touching the dev toolbar (packages/dev-tools/) and its
integration points in packages/common/. The toolbar surfaces telemetry events and
allows feature flag overrides during local development (expanding to staging/preview).
PRs modifying any of these paths need growth eng review:
packages/dev-tools/** (owned by @supabase/growth-eng in CODEOWNERS)packages/common/posthog-client.ts (flag override reads, event subscription)packages/common/feature-flags.tsx (flag override merge logic)DevToolbarProvider/DevToolbar/DevToolbarTrigger in apps/studio/, apps/www/, apps/docs/Note: posthog-client.ts and feature-flags.tsx are NOT in CODEOWNERS for growth-eng,
so PRs touching only those files won't auto-request review. Watch for these in the PR feed.
Files: packages/dev-tools/index.ts, DevToolbar.tsx, DevToolbarTrigger.tsx, DevToolbarContext.tsx
The toolbar uses two layers of protection:
index.ts: process.env.NODE_ENV !== 'development' ternaries that replace components with noops/stubs so the implementation is eliminated from production bundles.IS_LOCAL_DEV checks — DevToolbar and DevToolbarTrigger return null to hide themselves, while DevToolbarProvider passes children through (<>{children}</>) to preserve the component tree.Check for:
index.ts staying intact — these are the primary production safety mechanism.Files: packages/dev-tools/DevToolbar.tsx, packages/common/posthog-client.ts, packages/common/feature-flags.tsx
The toolbar writes two cookies that override feature flags locally:
x-ph-flag-overrides — PostHog flag overridesx-cc-flag-overrides — ConfigCat flag overridesThese are read by:
posthog-client.ts:getFeatureFlag() — checks the PostHog override cookie before querying the SDKfeature-flags.tsx — merges both override cookies into the flag store during initializationCheck for:
feature-flags.tsx (currently: vercel-flag-overrides first, then x-cc-flag-overrides takes precedence in local dev)IS_LOCAL_DEV / isLocalDev guard — overrides must never affect production flag evaluationparseOverrideValue or valuesAreEqual in packages/dev-tools/utils.ts that could cause type coercion bugsFiles: packages/common/posthog-client.ts, packages/dev-tools/DevToolbarContext.tsx
The toolbar subscribes to client-side PostHog events via posthogClient.subscribeToEvents().
The PostHog client calls emitToDevListeners() after capturePageView, capturePageLeave,
and identify. Note: captureExperimentExposure calls posthog.capture() directly
without emitting to dev listeners — experiment exposure events are invisible in the toolbar.
Check for:
emitToDevListeners or subscribeToEvents that could introduce side effects on the actual capture path (e.g., throwing errors, blocking, mutating event data)devListeners) being iterated synchronously in a way that could delay event dispatchemitToDevListeners (gap in toolbar visibility)Files: packages/dev-tools/DevToolbarContext.tsx
The toolbar connects to ${apiUrl}/telemetry/stream via Server-Sent Events to display
server-side telemetry. Uses exponential backoff on connection errors.
Check for:
session_id cookie handlingProvider + toolbar panel (DevToolbarProvider, DevToolbar):
apps/studio/pages/_app.tsxapps/www/pages/_app.tsx, apps/www/app/providers.tsxapps/docs/features/app.providers.tsxTrigger button (DevToolbarTrigger) — rendered separately in nav/header components:
apps/studio/components/layouts/Navigation/LayoutHeader/LayoutHeader.tsxapps/www/components/Nav/index.tsxapps/docs/components/Navigation/NavigationMenu/TopNavBar.tsxCheck for:
apiUrl prop changes (must point to the correct platform API)Changes that are purely UI/UX within the toolbar panel itself — styling, layout, copy changes, drag behavior, popover positioning — don't need growth eng review unless they also touch the integration points above.