supabase · utkarash2991 · May 29, 2026 · May 29, 2026
@@ -3,10 +3,10 @@ supautils.policy_grants = '{"postgres":["auth.audit_log_entries","auth.flow_stat
 supautils.drop_trigger_grants = '{"postgres":["auth.audit_log_entries","auth.flow_state","auth.identities","auth.instances","auth.mfa_amr_claims","auth.mfa_challenges","auth.mfa_factors","auth.oauth_clients","auth.one_time_tokens","auth.refresh_tokens","auth.saml_providers","auth.saml_relay_states","auth.sessions","auth.sso_domains","auth.sso_providers","auth.users","realtime.messages","realtime.subscription","storage.buckets","storage.buckets_analytics","storage.objects","storage.prefixes","storage.s3_multipart_uploads","storage.s3_multipart_uploads_parts"]}'
 # full list:                                 address_standardizer, address_standardizer_data_us, adminpack, amcheck, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, file_fdw, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intagg, intarray, isn, lo, ltree, moddatetime, old_snapshot, orioledb, pageinspect, pg_buffercache, pg_cron, pg_freespacemap, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_surgery, pg_tle, pg_trgm, pg_visibility, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgmq, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers, xml2
 # omitted because may be unsafe:             adminpack, amcheck, file_fdw, lo, old_snapshot, pageinspect, pg_freespacemap, pg_surgery, pg_visibility
-# NOTE: keep nix/tests/prime-superuser.sql in sync with the "may be unsafe" list above.
 # omitted because deprecated:                intagg, xml2
 # omitted because doesn't require superuser: pgmq
 # omitted because protected:                 plpgsql
+# NOTE: keep nix/tests/prime-superuser.sql in sync with the "may be unsafe" + "deprecated" lists above.
 supautils.privileged_extensions = 'address_standardizer, address_standardizer_data_us, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intarray, isn, ltree, moddatetime, orioledb, pg_buffercache, pg_cron, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_tle, pg_trgm, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers'
 supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'

@@ -1,27 +1,43 @@
 -- Superuser-only extensions for testing.
 --
--- These extensions are excluded from `supautils.privileged_extensions` (see
--- the "omitted because may be unsafe" comment in
--- `ansible/files/postgresql_config/supautils.conf.j2`). Hosted Supabase
--- projects cannot install them via non-superuser sessions, so this file is
--- loaded only by superuser-context harnesses: pg_regress (nix/checks.nix),
--- the docker-image-test, and the local migrate-tool. supadev's hosted
--- engines-with-smoke test sources `prime.sql` only.
+-- These extensions cannot be installed by a non-superuser session on a
+-- hosted Supabase project. They live here (not in prime.sql) so that
+-- prime.sql can be sourced by non-superuser contexts (e.g. supadev's
+-- engines-with-smoke against hosted projects). Superuser-context harnesses
+-- — pg_regress (nix/checks.nix), the docker-image-test, and the local
+-- migrate-tool — source this file in addition to prime.sql.
 --
--- This file covers the "may be unsafe" extensions available in BOTH PG 15
--- and PG 17 builds. Two more entries from the same list, `adminpack` and
--- `old_snapshot`, were removed from contrib in PG 17 and are loaded directly
--- by nix/tests/sql/z_15_ext_interface.sql for the PG 15 path.
+-- Categories of extensions in here, mapped to supautils.conf.j2 in
+-- ansible/files/postgresql_config:
 --
--- Keep this list in sync with the "may be unsafe" list in supautils.conf.j2,
--- minus adminpack and old_snapshot.
+-- 1. "omitted because may be unsafe" — supautils.conf.j2.
+--    Covers the entries available in BOTH PG 15 and PG 17 builds. Two more
+--    entries from the same list, `adminpack` and `old_snapshot`, were
+--    removed from contrib in PG 17 and are loaded directly by
+--    nix/tests/sql/z_15_ext_interface.sql for the PG 15 path.
+--
+-- 2. "omitted because deprecated" — supautils.conf.j2.
+--    Not in privileged_extensions, so non-superuser can't install.
+--    Note: "deprecated" here is a supautils-policy label, not a
+--    build-availability one. These extensions still ship in the PG
+--    image; supautils just doesn't auto-elevate non-superusers to
+--    install them. As superuser (this file's context), they install
+--    fine.
+--
+-- When adding a new extension here, also update the corresponding category
+-- in supautils.conf.j2 (or add a new comment line if the category is new).
 
 set client_min_messages = warning;
 
+-- Category 1: "may be unsafe" per supautils.conf.j2
 create extension if not exists amcheck;
 create extension if not exists file_fdw;
 create extension if not exists lo;
 create extension if not exists pageinspect;
 create extension if not exists pg_freespacemap;
 create extension if not exists pg_surgery;
 create extension if not exists pg_visibility;
+
+-- Category 2: "deprecated" per supautils.conf.j2
+create extension if not exists intagg;
+create extension if not exists xml2;
@@ -4,12 +4,15 @@ set client_min_messages = warning;
 -- CREATE ROLE authenticated;
 -- CREATE ROLE service_role;
 --
--- Extensions in supautils' "may be unsafe" list (amcheck, file_fdw, lo,
--- pageinspect, pg_freespacemap, pg_surgery, pg_visibility) are NOT enabled
+-- Extensions that require superuser context to install are NOT enabled
 -- here so this file can be sourced by non-superuser contexts (e.g. supadev's
--- engines-with-smoke against hosted projects). Superuser-context harnesses
--- (nix/checks.nix, docker-image-test, migrate-tool) source prime-superuser.sql
--- in addition to this file.
+-- engines-with-smoke against hosted projects). They live in
+-- prime-superuser.sql instead — that covers:
+--   - the "may be unsafe" list from supautils.conf.j2
+--     (amcheck, file_fdw, lo, pageinspect, pg_freespacemap, pg_surgery, pg_visibility)
+--   - the "deprecated" list from supautils.conf.j2 (intagg, xml2)
+-- Superuser-context harnesses (nix/checks.nix, docker-image-test,
+-- migrate-tool) source prime-superuser.sql in addition to this file.
 create extension if not exists address_standardizer;
 create extension if not exists address_standardizer_data_us;
 create extension if not exists autoinc;
@@ -28,7 +31,6 @@ create extension if not exists hstore;
 create extension if not exists hypopg;
 create extension if not exists index_advisor;
 create extension if not exists insert_username;
-create extension if not exists intagg;
 create extension if not exists intarray;
 create extension if not exists isn;
 create extension if not exists ltree;
@@ -84,4 +86,3 @@ create extension if not exists unaccent;
 create extension if not exists "uuid-ossp";
 create extension if not exists vector;
 create extension if not exists wrappers;
-create extension if not exists xml2;