Add Supabase tenant extension#267
Merged
nicoloboschi merged 1 commit intovectorize-io:mainfrom Feb 9, 2026
Merged
Conversation
nicoloboschi
requested changes
Jan 31, 2026
Collaborator
nicoloboschi
left a comment
nicoloboschi
left a comment
There was a problem hiding this comment.
Hey! Thanks for this contribution! we need to make this part of the api package otherwise users will not abble to use without modifying the package/docker image
jerryhenley
force-pushed
the
add-supabase-extension
branch
from
3adb345 to
703c9ea
Compare
Contributor
Author
|
Thanks for the feedback @nicoloboschi! I've updated the PR to address this: Moved to built-in package: The extension now lives at HINDSIGHT_API_TENANT_EXTENSION=hindsight_api.extensions.builtin.supabase_tenant:SupabaseTenantExtension
HINDSIGHT_API_TENANT_SUPABASE_URL=https://your-project.supabase.coOther changes in this update:
The old |
jerryhenley
force-pushed
the
add-supabase-extension
branch
from
703c9ea to
1124533
Compare
Collaborator
|
hey @jerryhenley can you rebase and resolve conflicts? after that I will merge the PR |
Move the Supabase tenant extension into the hindsight-api package so users can enable it with just an environment variable — no file copying or Docker image modifications needed. Key improvements over the original submission: - JWKS-based local JWT verification (no network call per request) with automatic fallback to /auth/v1/user for legacy HS256 projects - Service key is now optional (only needed for HS256 or health checks) - UUID validation on user IDs before schema name construction - Schema prefix validation against Postgres identifier rules - Key rotation handling with automatic JWKS cache refresh - Proper logging via Python logging module - Tenant extension lifecycle hooks (on_startup/on_shutdown) wired into the server lifespan - Public tenant_extension property on MemoryEngine - 54 unit tests covering both verification modes, cache behavior, error paths, and the extension loader - README updated to reflect JWKS-first architecture Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
jerryhenley
force-pushed
the
add-supabase-extension
branch
from
1124533 to
4d8e9ed
Compare
Contributor
Author
|
Rebased onto latest main, conflicts resolved, all tests passing. |
nicoloboschi
approved these changes
Feb 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a TenantExtension for validating Supabase JWTs and providing multi-tenant memory isolation. Each authenticated user gets their own PostgreSQL schema.
Features:
Includes complete documentation with installation, usage examples, and troubleshooting guide.