chore: mfa enhanced entitlement

[ignaciodob]

Depends on https://github.com/supabase/platform/pull/28639

Changes

• Add entitlement check for auth.mfa_enhanced_security feature in MFA settings
• Disable the "Limit duration of AAL1 sessions" toggle when user lacks entitlement
• Show upgrade prompt when Enhanced MFA Security is not available on user's plan

Summary by CodeRabbit

• New Features
  • Enhanced MFA Security option with upgrade availability
  • Cloud Marketplace contract linking eligibility checks
  • New entitlements: SOC2 reports, Private Link, realtime concurrency controls, function limits, project-scoped roles

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
design-system	Ready	Preview, Comment	Jan 30, 2026 4:43am
docs	Ready	Preview, Comment	Jan 30, 2026 4:43am
studio-self-hosted	Ready	Preview, Comment	Jan 30, 2026 4:43am
studio-staging	Ready	Preview, Comment	Jan 30, 2026 4:43am
ui-library	Ready	Preview, Comment	Jan 30, 2026 4:43am
zone-www-dot-com	Ready	Preview, Comment	Jan 30, 2026 4:43am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
cms	Ignored		Jan 30, 2026 4:43am
studio	Ignored		Jan 30, 2026 4:43am

[coderabbitai]

Walkthrough

Adds entitlement gating for enhanced MFA security in the auth form with conditional UI updates, extends API type definitions to include validation errors and deprecate legacy fields, and introduces cloud marketplace contract linking eligibility endpoint alongside schema refinements for disk throughput and feature keys.

Changes

Cohort / File(s)	Change Summary
MFA Enhanced Security Entitlement Gating apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx	Introduces entitlement check for enhanced MFA security with loading state (isLoadingEntitlementEnhanceSecurity) and access flag (hasAccessToEnhanceSecurity). Disables the Enhanced MFA Security toggle unless user has upgrade access and can update config. Adds conditional UpgradeToPro prompts when entitlement access is unavailable.
API Type Definitions - Upgrade Eligibility packages/api-types/types/api.d.ts	Adds new validation_errors field to ProjectUpgradeEligibilityResponse with union type describing various validation error shapes. Marks three existing fields as deprecated: objects_to_be_dropped, unsupported_extensions, user_defined_objects_in_internal_schemas. Includes minor documentation formatting updates.
Platform API Schemas - Marketplace & Subscriptions packages/api-types/types/platform.d.ts	Adds new cloud marketplace contract linking eligibility endpoint (/platform/cloud-marketplace/buyers/{buyer_id}/contract-linking-eligibility) with corresponding operation and response schema. Removes tierKey from BackupsResponse, CloneBackupsResponse, and GetSubscriptionResponse. Removes cached_egress_enabled from GetSubscriptionResponse. Deprecates throughput_mbps in favor of new throughput_mibps field across disk-related schemas. Expands ListEntitlementsResponse.feature keys with security, function, realtime, and role-based entitlements.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• kanishkdudeja
• ecktoteckto
• kevcodez

Poem

🐰✨ A hop through schemas, a gating delight,
Enhanced security now locked tight,
Marketplace checks and endpoints renewed,
Old fields deprecated, old fields subdued,
Better MFA protections in flight!

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description provides a clear summary of changes (entitlement check, toggle disabling, and upgrade prompt), but does not follow the provided template structure with required sections like 'What kind of change' and 'What is the current/new behavior'.	Consider reformatting the description to follow the repository template, including sections on change type, current behavior, new behavior, and additional context for better clarity.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: mfa enhanced entitlement' directly relates to the main change: adding entitlement checks for enhanced MFA security features in the MFA settings form.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/mfa-enhanced-entitlement

---

📜 Recent review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 64d813f and ed6f82c.

📒 Files selected for processing (3)

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx
• packages/api-types/types/api.d.ts
• packages/api-types/types/platform.d.ts

🧰 Additional context used

📓 Path-based instructions (2)

apps/studio/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/studio-best-practices.mdc)

apps/studio/**/*.{ts,tsx}: Assign complex conditions to descriptive variables instead of using multiple conditions in a single expression
Use consistent naming conventions for boolean variables: is prefix for state/identity, has prefix for possession, can prefix for capability/permission, should prefix for conditional behavior
Derive boolean state from existing state instead of storing it separately
Use early returns for guard clauses instead of deeply nested conditionals
Extract complex logic into custom hooks when logic becomes reusable or complex
Return objects from custom hooks instead of arrays for better extensibility and clearer API
Use discriminated unions for complex state management instead of multiple independent state fields
Avoid type casting (e.g., as any, as Type); instead validate values at runtime using zod schemas

Files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

apps/studio/**/*.tsx

📄 CodeRabbit inference engine (.cursor/rules/studio-best-practices.mdc)

apps/studio/**/*.tsx: Components should ideally be under 200-300 lines; break down large components with multiple distinct UI sections, complex conditional rendering, or multiple unrelated useState hooks
Extract repeated JSX patterns into reusable components instead of copying similar JSX blocks
Use consistent loading/error/success pattern: handle loading state first with early returns, then error state, then empty state, then render success state
Keep state as local as possible and only lift up when needed
Group related state using objects or reducers instead of multiple useState calls, preferring react-hook-form for form state management
Name event handlers consistently: use on prefix for prop callbacks and handle prefix for internal handlers
Avoid inline arrow functions for expensive operations; use useCallback to maintain stable function references
Use appropriate conditional rendering patterns: && for simple show/hide, ternary for binary choice, early returns or extracted components for multiple conditions
Avoid nested ternaries in JSX; use separate conditions or early returns instead
Use useMemo for expensive computations when the computation is genuinely expensive and the value is passed to memoized children
Define prop interfaces explicitly for React components with proper typing of props and callback handlers

Files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

🧠 Learnings (6)

📓 Common learnings

Learnt from: ignaciodob
Repo: supabase/supabase PR: 41291
File: packages/api-types/types/platform.d.ts:7128-7128
Timestamp: 2025-12-12T11:28:04.537Z
Learning: In supabase/supabase, use the existing 'do-not-merge' label to block merges for entitlement-gated UI changes until the backend entitlement is live and API types are regenerated.

Learnt from: ignaciodob
Repo: supabase/supabase PR: 41291
File: packages/api-types/types/platform.d.ts:7128-7128
Timestamp: 2025-12-12T11:28:04.537Z
Learning: For entitlement-gated changes (e.g., adding 'security.questionnaire'), apply a 'do-not-merge' label until backend entitlements are confirmed live, and avoid merging UI-only changes that rely on new entitlements.

📚 Learning: 2025-12-12T11:28:04.537Z

Learnt from: ignaciodob
Repo: supabase/supabase PR: 41291
File: packages/api-types/types/platform.d.ts:7128-7128
Timestamp: 2025-12-12T11:28:04.537Z
Learning: For entitlement-gated changes (e.g., adding 'security.questionnaire'), apply a 'do-not-merge' label until backend entitlements are confirmed live, and avoid merging UI-only changes that rely on new entitlements.

Applied to files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

📚 Learning: 2025-12-11T17:04:40.037Z

Learnt from: CR
Repo: supabase/supabase PR: 0
File: .cursor/rules/studio-ui.mdc:0-0
Timestamp: 2025-12-11T17:04:40.037Z
Learning: Applies to apps/studio/components/**/*.{ts,tsx} : Build forms with react-hook-form and zod for validation

Applied to files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

📚 Learning: 2025-12-11T17:04:40.037Z

Learnt from: CR
Repo: supabase/supabase PR: 0
File: .cursor/rules/studio-ui.mdc:0-0
Timestamp: 2025-12-11T17:04:40.037Z
Learning: Applies to apps/studio/components/**/*.{ts,tsx} : Use Switch component with checked and onCheckedChange props for toggle form fields

Applied to files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

📚 Learning: 2025-12-12T05:20:17.409Z

Learnt from: joshenlim
Repo: supabase/supabase PR: 41258
File: apps/studio/pages/project/[ref]/storage/vectors/buckets/[bucketId].tsx:9-9
Timestamp: 2025-12-12T05:20:17.409Z
Learning: In apps/studio/**/*.{ts,tsx}, use named imports for DefaultLayout: import { DefaultLayout } from 'components/layouts/DefaultLayout' instead of default import. This is the new practice being adopted across the studio app.

Applied to files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

📚 Learning: 2025-12-12T11:27:51.417Z

Learnt from: ignaciodob
Repo: supabase/supabase PR: 41291
File: packages/api-types/types/platform.d.ts:7128-7128
Timestamp: 2025-12-12T11:27:51.417Z
Learning: For changes tied to entitlements (e.g., adding a new entitlement like 'security.questionnaire'), do not merge until backend entitlements are confirmed live. Apply a do-not-merge label on such PRs and ensure UI changes that rely on new entitlements are not merged in isolation. In reviews, verify entitlement availability in backend before approving and, if needed, hold UI-only changes until entitlement is active.

Applied to files:

• packages/api-types/types/api.d.ts
• packages/api-types/types/platform.d.ts

🧬 Code graph analysis (1)

apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx (2)

apps/studio/hooks/misc/useCheckEntitlements.ts (1)

• useCheckEntitlements (58-114)

apps/studio/components/ui/UpgradeToPro.tsx (1)

• UpgradeToPro (25-65)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: test

🔇 Additional comments (8)

apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx (3)

123-124: LGTM!

The entitlement check follows the same pattern as the existing auth.mfa_phone check and correctly destructures the needed values with appropriate naming.

---

288-288: LGTM!

Correctly extends the loading guard to include the new entitlement loading state, ensuring the form doesn't render until all entitlement data is resolved.

---

586-603: LGTM!

The entitlement gating correctly disables the toggle and shows the upgrade prompt when the user lacks access. The implementation follows the same pattern as the existing SMS MFA upgrade prompt.

packages/api-types/types/api.d.ts (3)

286-292: Pagination docs for organization projects are clear and accurate

The added note about offset-based pagination (offset + limit semantics) is precise and matches typical API behavior, improving consumer understanding without changing surface.

---

309-313: Guidance to prefer organization-scoped /v1/organizations/{slug}/projects is helpful

The extra note on /v1/projects being less precise and suggesting the org-scoped endpoint clarifies intended usage and should reduce misuse of the legacy listing API.

---

3278-3366: Upgrade eligibility deprecations + validation_errors union are well structured

Marking objects_to_be_dropped, unsupported_extensions, and user_defined_objects_in_internal_schemas as deprecated while introducing the typed validation_errors discriminated union (keyed by type) keeps backward compatibility and gives clients a richer, strongly-typed error surface. The union members and discriminators look consistent and ergonomic for narrowing on the client side.

packages/api-types/types/platform.d.ts (2)

230-249: Verify PR scope and auto-generated nature of this file.

This PR adds a cloud marketplace contract linking eligibility endpoint, which appears unrelated to the MFA enhanced entitlement feature described in the PR title and objectives. Additionally, this .d.ts file appears to be auto-generated from an OpenAPI specification.

Please confirm:

1. Are these type definitions auto-generated? If so, this entire file should be regenerated from the platform API spec rather than manually edited.
2. Should the unrelated cloud marketplace changes be included in this PR, or do they represent concurrent platform API changes that will be picked up when types are regenerated?

Based on learnings, this PR correctly uses the 'do-not-merge' label to block merging until the backend entitlement is live per the dependent platform PR #28639.

---

6962-6962: LGTM: Core entitlement key added correctly.

The auth.mfa_enhanced_security feature key is correctly added to the entitlement type union, which aligns with the PR objectives for gating MFA enhanced security features.

Based on learnings, ensure this PR remains blocked with the 'do-not-merge' label until the dependent platform PR #28639 is merged and the backend entitlement is confirmed live.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[supabase]

This pull request has been ignored for the connected project xguihxuzqibwxjnimxev because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.

---

Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx (1)

610-617: Bug: Wrong loading state variable used.

The loading prop references isUpdatingPhoneForm but should use isUpdatingSecurityForm. This will cause the button to show a loading spinner based on the phone form's submission state instead of the security form's state.

🔎 Proposed fix

                   <Button
                     type="primary"
                     htmlType="submit"
                     disabled={
                       !canUpdateConfig || isUpdatingSecurityForm || !securityForm.formState.isDirty
                     }
-                    loading={isUpdatingPhoneForm}
+                    loading={isUpdatingSecurityForm}
                   >
                     Save changes
                   </Button>

Additionally, for consistency with the SMS MFA save button (line 529), consider adding !hasAccessToEnhanceSecurity to the disabled condition as defense in depth:

                     disabled={
-                      !canUpdateConfig || isUpdatingSecurityForm || !securityForm.formState.isDirty
+                      !canUpdateConfig || isUpdatingSecurityForm || !securityForm.formState.isDirty || !hasAccessToEnhanceSecurity
                     }

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 64d813f and ed6f82c.

📒 Files selected for processing (3)

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx
• packages/api-types/types/api.d.ts
• packages/api-types/types/platform.d.ts

🧰 Additional context used

📓 Path-based instructions (2)

apps/studio/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/studio-best-practices.mdc)

apps/studio/**/*.{ts,tsx}: Assign complex conditions to descriptive variables instead of using multiple conditions in a single expression
Use consistent naming conventions for boolean variables: is prefix for state/identity, has prefix for possession, can prefix for capability/permission, should prefix for conditional behavior
Derive boolean state from existing state instead of storing it separately
Use early returns for guard clauses instead of deeply nested conditionals
Extract complex logic into custom hooks when logic becomes reusable or complex
Return objects from custom hooks instead of arrays for better extensibility and clearer API
Use discriminated unions for complex state management instead of multiple independent state fields
Avoid type casting (e.g., as any, as Type); instead validate values at runtime using zod schemas

Files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

apps/studio/**/*.tsx

📄 CodeRabbit inference engine (.cursor/rules/studio-best-practices.mdc)

apps/studio/**/*.tsx: Components should ideally be under 200-300 lines; break down large components with multiple distinct UI sections, complex conditional rendering, or multiple unrelated useState hooks
Extract repeated JSX patterns into reusable components instead of copying similar JSX blocks
Use consistent loading/error/success pattern: handle loading state first with early returns, then error state, then empty state, then render success state
Keep state as local as possible and only lift up when needed
Group related state using objects or reducers instead of multiple useState calls, preferring react-hook-form for form state management
Name event handlers consistently: use on prefix for prop callbacks and handle prefix for internal handlers
Avoid inline arrow functions for expensive operations; use useCallback to maintain stable function references
Use appropriate conditional rendering patterns: && for simple show/hide, ternary for binary choice, early returns or extracted components for multiple conditions
Avoid nested ternaries in JSX; use separate conditions or early returns instead
Use useMemo for expensive computations when the computation is genuinely expensive and the value is passed to memoized children
Define prop interfaces explicitly for React components with proper typing of props and callback handlers

Files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

🧠 Learnings (6)

📓 Common learnings

Learnt from: ignaciodob
Repo: supabase/supabase PR: 41291
File: packages/api-types/types/platform.d.ts:7128-7128
Timestamp: 2025-12-12T11:28:04.537Z
Learning: In supabase/supabase, use the existing 'do-not-merge' label to block merges for entitlement-gated UI changes until the backend entitlement is live and API types are regenerated.

Learnt from: ignaciodob
Repo: supabase/supabase PR: 41291
File: packages/api-types/types/platform.d.ts:7128-7128
Timestamp: 2025-12-12T11:28:04.537Z
Learning: For entitlement-gated changes (e.g., adding 'security.questionnaire'), apply a 'do-not-merge' label until backend entitlements are confirmed live, and avoid merging UI-only changes that rely on new entitlements.

📚 Learning: 2025-12-12T11:28:04.537Z

Learnt from: ignaciodob
Repo: supabase/supabase PR: 41291
File: packages/api-types/types/platform.d.ts:7128-7128
Timestamp: 2025-12-12T11:28:04.537Z
Learning: For entitlement-gated changes (e.g., adding 'security.questionnaire'), apply a 'do-not-merge' label until backend entitlements are confirmed live, and avoid merging UI-only changes that rely on new entitlements.

Applied to files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

📚 Learning: 2025-12-11T17:04:40.037Z

Learnt from: CR
Repo: supabase/supabase PR: 0
File: .cursor/rules/studio-ui.mdc:0-0
Timestamp: 2025-12-11T17:04:40.037Z
Learning: Applies to apps/studio/components/**/*.{ts,tsx} : Build forms with react-hook-form and zod for validation

Applied to files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

📚 Learning: 2025-12-11T17:04:40.037Z

Learnt from: CR
Repo: supabase/supabase PR: 0
File: .cursor/rules/studio-ui.mdc:0-0
Timestamp: 2025-12-11T17:04:40.037Z
Learning: Applies to apps/studio/components/**/*.{ts,tsx} : Use Switch component with checked and onCheckedChange props for toggle form fields

Applied to files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

📚 Learning: 2025-12-12T05:20:17.409Z

Learnt from: joshenlim
Repo: supabase/supabase PR: 41258
File: apps/studio/pages/project/[ref]/storage/vectors/buckets/[bucketId].tsx:9-9
Timestamp: 2025-12-12T05:20:17.409Z
Learning: In apps/studio/**/*.{ts,tsx}, use named imports for DefaultLayout: import { DefaultLayout } from 'components/layouts/DefaultLayout' instead of default import. This is the new practice being adopted across the studio app.

Applied to files:

• apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx

📚 Learning: 2025-12-12T11:27:51.417Z

Learnt from: ignaciodob
Repo: supabase/supabase PR: 41291
File: packages/api-types/types/platform.d.ts:7128-7128
Timestamp: 2025-12-12T11:27:51.417Z
Learning: For changes tied to entitlements (e.g., adding a new entitlement like 'security.questionnaire'), do not merge until backend entitlements are confirmed live. Apply a do-not-merge label on such PRs and ensure UI changes that rely on new entitlements are not merged in isolation. In reviews, verify entitlement availability in backend before approving and, if needed, hold UI-only changes until entitlement is active.

Applied to files:

• packages/api-types/types/api.d.ts
• packages/api-types/types/platform.d.ts

🧬 Code graph analysis (1)

apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx (2)

apps/studio/hooks/misc/useCheckEntitlements.ts (1)

• useCheckEntitlements (58-114)

apps/studio/components/ui/UpgradeToPro.tsx (1)

• UpgradeToPro (25-65)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: test

🔇 Additional comments (8)

apps/studio/components/interfaces/Auth/MfaAuthSettingsForm/MfaAuthSettingsForm.tsx (3)

123-124: LGTM!

The entitlement check follows the same pattern as the existing auth.mfa_phone check and correctly destructures the needed values with appropriate naming.

---

288-288: LGTM!

Correctly extends the loading guard to include the new entitlement loading state, ensuring the form doesn't render until all entitlement data is resolved.

---

586-603: LGTM!

The entitlement gating correctly disables the toggle and shows the upgrade prompt when the user lacks access. The implementation follows the same pattern as the existing SMS MFA upgrade prompt.

packages/api-types/types/api.d.ts (3)

286-292: Pagination docs for organization projects are clear and accurate

The added note about offset-based pagination (offset + limit semantics) is precise and matches typical API behavior, improving consumer understanding without changing surface.

---

309-313: Guidance to prefer organization-scoped /v1/organizations/{slug}/projects is helpful

The extra note on /v1/projects being less precise and suggesting the org-scoped endpoint clarifies intended usage and should reduce misuse of the legacy listing API.

---

3278-3366: Upgrade eligibility deprecations + validation_errors union are well structured

Marking objects_to_be_dropped, unsupported_extensions, and user_defined_objects_in_internal_schemas as deprecated while introducing the typed validation_errors discriminated union (keyed by type) keeps backward compatibility and gives clients a richer, strongly-typed error surface. The union members and discriminators look consistent and ergonomic for narrowing on the client side.

packages/api-types/types/platform.d.ts (2)

230-249: Verify PR scope and auto-generated nature of this file.

This PR adds a cloud marketplace contract linking eligibility endpoint, which appears unrelated to the MFA enhanced entitlement feature described in the PR title and objectives. Additionally, this .d.ts file appears to be auto-generated from an OpenAPI specification.

Please confirm:

1. Are these type definitions auto-generated? If so, this entire file should be regenerated from the platform API spec rather than manually edited.
2. Should the unrelated cloud marketplace changes be included in this PR, or do they represent concurrent platform API changes that will be picked up when types are regenerated?

Based on learnings, this PR correctly uses the 'do-not-merge' label to block merging until the backend entitlement is live per the dependent platform PR #28639.

---

6962-6962: LGTM: Core entitlement key added correctly.

The auth.mfa_enhanced_security feature key is correctly added to the entitlement type union, which aligns with the PR objectives for gating MFA enhanced security features.

Based on learnings, ensure this PR remains blocked with the 'do-not-merge' label until the dependent platform PR #28639 is merged and the backend entitlement is confirmed live.

[github-actions]

🎭 Playwright Test Results

 86 passed
 4 skipped

Details

 90 tests across 14 suites
 10 minutes, 5 seconds
 e6a7802

Skipped tests

Features › sql-editor.spec.ts › SQL Editor › snippet favourite works as expected
Features › sql-editor.spec.ts › SQL Editor › share with team works as expected
Features › sql-editor.spec.ts › SQL Editor › folders works as expected
Features › sql-editor.spec.ts › SQL Editor › other SQL snippets actions work as expected

[coveralls]

coverage: 66.162%. remained the same
when pulling 8f07d30 on chore/mfa-enhanced-entitlement
into f90f3b4 on master.

[github-actions]

Braintrust eval report

Assistant (master-1769748940)

Score	Average	Improvements	Regressions
Completeness	90% (-10pp)	-	1 🔴
Conciseness	0% (+0pp)	-	-
Goal Completion	90% (-5pp)	-	1 🔴
SQL Identifier Quoting	100% (+0pp)	-	-
SQL Validity	100% (+20pp)	1 🟢	-
Tool Usage	100% (+0pp)	-	-
Correctness	100% (+0pp)	-	-
Docs Faithfulness	50% (-12pp)	-	1 🔴
Time_to_first_token	0.15tok (-0.18tok)	8 🟢	2 🔴
Llm_calls	8.3 (+0)	2 🟢	2 🔴
Tool_calls	2.9 (-0.6)	1 🟢	4 🔴
Errors	0 (+0)	-	-
Llm_errors	0 (+0)	-	-
Tool_errors	0 (+0)	-	-
Prompt_tokens	94964tok (-43143.6tok)	4 🟢	6 🔴
Prompt_cached_tokens	54451.2tok (+19788.8tok)	7 🟢	2 🔴
Prompt_cache_creation_tokens	0tok (+0tok)	-	-
Completion_tokens	6082.9tok (-180.3tok)	5 🟢	5 🔴
Completion_reasoning_tokens	4371.2tok (-19.2tok)	5 🟢	5 🔴
Completion_accepted_prediction_tokens	0tok (+0tok)	-	-
Completion_rejected_prediction_tokens	0tok (+0tok)	-	-
Completion_audio_tokens	0tok (+0tok)	-	-
Total_tokens	101046.9tok (-43323.9tok)	5 🟢	5 🔴
Estimated_cost	0.02$ (-0.02$)	5 🟢	5 🔴
Duration	69.78s (+17.18s)	2 🟢	8 🔴
Llm_duration	138.17s (+33.74s)	2 🟢	8 🔴