
fix: allow Supabase pooler TLS for retention backfill#1955

Merged: riderx merged 3 commits into main from codex/fix-retention-backfill-pooler-tls on Apr 27, 2026

@riderx (Member) commented Apr 24, 2026

Summary (AI generated)

  • allow the retention backfill script to connect through the managed Supabase writer pooler without failing TLS verification
  • keep explicit env overrides for PG certificate verification behavior
  • add regression coverage for the Supabase pooler TLS heuristic and DB URL fallback ordering

Motivation (AI generated)

The backfill script now finds MAIN_SUPABASE_DB_URL, but production applies still fail when pg connects to the Supabase writer pooler at db.<project>.supabase.co:6543. That pooler currently presents a TLS chain that local Node/Bun pg rejects, so --apply aborts before writing any rows.

Business Impact (AI generated)

This unblocks the actual production backfill for NRR and churn revenue metrics. Without this fix, the script can fetch Stripe data but still cannot commit retention metrics into Supabase, leaving the admin charts empty or stale.

Test Plan (AI generated)

  • bunx vitest run tests/backfill-retention-metrics.unit.test.ts
  • bun lint
  • bun typecheck
  • Read-only SELECT 1 probe against MAIN_SUPABASE_DB_URL from internal/cloudflare/.env.prod

Generated with AI

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Improved database configuration handling with enhanced environment variable resolution and fallback prioritization.
    • Enhanced TLS certificate management for database connections with better support for self-signed certificates.
  • Tests

    • Added test coverage for database configuration and certificate validation logic.

@coderabbitai (Bot, Contributor) commented Apr 24, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 36f3833 and 6fe2ba1.

📒 Files selected for processing (2)
  • scripts/backfill_retention_metrics.ts
  • tests/backfill-retention-metrics.unit.test.ts
Walkthrough

The changes centralize database URL environment variable resolution by exporting helper functions with prioritized env key handling, and update self-signed TLS certificate logic to be URL-aware. The script now decides certificate handling based on explicit env overrides or inferred from the database URL pattern (Supabase pooler detection). Unit tests validate the new precedence rules and TLS behavior.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Database URL Resolution (scripts/backfill_retention_metrics.ts) | Adds DATABASE_URL_ENV_KEYS constant to define env var precedence; exports getDatabaseUrl and getRequiredDatabaseUrl functions that iterate through the list to find the first available URL; updates error messaging to reference the full set dynamically. |
| TLS Certificate Handling (scripts/backfill_retention_metrics.ts) | Exports shouldAllowSelfSignedPgCertificate with new signature accepting optional databaseUrl parameter; honors explicit PG_ALLOW_SELF_SIGNED_CERT / PG_SSL_REJECT_UNAUTHORIZED overrides first, then infers from URL (allows self-signed for Supabase pooler on port 6543 with .supabase.co/.supabase.com hosts); updates createPgClient to pass databaseUrl into certificate logic. |
| Unit Tests (tests/backfill-retention-metrics.unit.test.ts) | Adds test imports for new DB/TLS utilities; verifies env var precedence (MAIN_SUPABASE_DB_URL → DATABASE_URL → direct-url); validates shouldAllowSelfSignedPgCertificate with Supabase pooler URL detection and explicit env overrides. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 A rabbit hops through env vars so neat,
Prioritizing URLs, what a treat!
TLS certs now dance with URL grace,
Poolers detected in the right place, 🔐
Tests verify each hop we make!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Description check | ❓ Inconclusive | The PR description includes a comprehensive summary, motivation, business impact, and test plan; however, the formal template sections (Summary, Test plan, Screenshots, Checklist) are not explicitly filled as required by the repository template. | Reorganize the description to match the template structure with explicit Summary, Test plan, Screenshots, and Checklist sections, and check the code style and test coverage boxes. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: allowing the retention backfill script to work with Supabase pooler TLS verification. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@riderx riderx marked this pull request as ready for review April 24, 2026 12:37

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
tests/backfill-retention-metrics.unit.test.ts (1)

402-414: Add explicit PG_ALLOW_SELF_SIGNED_CERT precedence tests.

Since override precedence is part of the behavior contract, add tests for PG_ALLOW_SELF_SIGNED_CERT=true/false (including when PG_SSL_REJECT_UNAUTHORIZED is also set).

🧪 Suggested test additions
+  it.concurrent('honors PG_ALLOW_SELF_SIGNED_CERT=true as highest-priority override', () => {
+    expect(shouldAllowSelfSignedPgCertificate(
+      { PG_ALLOW_SELF_SIGNED_CERT: 'true', PG_SSL_REJECT_UNAUTHORIZED: '1' },
+      'postgresql://postgres:secret@db.project-ref.supabase.co:6543/postgres',
+    )).toBe(true)
+  })
+
+  it.concurrent('honors PG_ALLOW_SELF_SIGNED_CERT=false as highest-priority override', () => {
+    expect(shouldAllowSelfSignedPgCertificate(
+      { PG_ALLOW_SELF_SIGNED_CERT: 'false', PG_SSL_REJECT_UNAUTHORIZED: '0' },
+      'postgresql://postgres:secret@db.project-ref.supabase.co:6543/postgres',
+    )).toBe(false)
+  })
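Review bot: Both added cases set PG_ALLOW_SELF_SIGNED_CERT to the strings 'true' and 'false' only, while the agent prompt that follows this suggestion names '1' and '0'; cover both spellings so the accepted values are pinned by tests. Both cases also reuse the pooler URL on port 6543, so neither shows the override applied to a URL the heuristic would not match; add a 'true' case with a non-pooler host to show the override is independent of URL inference.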
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/backfill-retention-metrics.unit.test.ts` around lines 402 - 414, Add
explicit unit tests for PG_ALLOW_SELF_SIGNED_CERT precedence: update
tests/backfill-retention-metrics.unit.test.ts to include cases asserting
shouldAllowSelfSignedPgCertificate returns true when
PG_ALLOW_SELF_SIGNED_CERT='1' (even if PG_SSL_REJECT_UNAUTHORIZED is set), and
returns false when PG_ALLOW_SELF_SIGNED_CERT='0' (including when
PG_SSL_REJECT_UNAUTHORIZED is unset or set). Target the existing test block
using the shouldAllowSelfSignedPgCertificate helper to add these scenarios so
behavior contract for override precedence is covered.

scripts/backfill_retention_metrics.ts (1)

223-227: Validate DB URL format at selection time for clearer failures.

getRequiredDatabaseUrl currently guarantees presence but not URL validity; malformed values fail later with less actionable errors. Consider failing early here.

♻️ Proposed improvement
 export function getRequiredDatabaseUrl(env: Record<string, string | undefined>) {
   const value = getDatabaseUrl(env)
   if (!value)
     throw new Error(`--apply requires ${DATABASE_URL_ENV_KEYS.join(', ')} so metric writes and processed-event markers are committed atomically`)
+  try {
+    new URL(value)
+  }
+  catch {
+    throw new Error(`Invalid database URL in ${DATABASE_URL_ENV_KEYS.join(', ')}`)
+  }
   return value
 }
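Review bot: The added `new URL(value)` check accepts any parseable URL, so a value with the wrong scheme (an https:// address, for example) still passes; compare the parsed `protocol` against `postgres:` and `postgresql:` in the same place. The new error message names only the env keys and not the value, and it should stay that way, since the connection string carries the database password.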
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/backfill_retention_metrics.ts` around lines 223 - 227, Update
getRequiredDatabaseUrl to not only check presence but validate the URL format
immediately: call getDatabaseUrl(env) as before, then attempt to parse/validate
the returned value (e.g., using new URL(value) or a DB-URL-specific validation)
and if parsing/validation fails throw a clear Error that includes the invalid
value and DATABASE_URL_ENV_KEYS; reference getRequiredDatabaseUrl and
getDatabaseUrl so reviewers can find the change and ensure downstream code can
rely on a well-formed URL.
📥 Commits

Reviewing files that changed from the base of the PR and between 224b3b1 and 36f3833.

📒 Files selected for processing (2)
  • scripts/backfill_retention_metrics.ts
  • tests/backfill-retention-metrics.unit.test.ts

@riderx riderx force-pushed the codex/fix-retention-backfill-pooler-tls branch from 643c99b to 6fe2ba1 Compare April 24, 2026 12:46
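
The URL-aware decision that the walkthrough and the review comments above describe, written out as an added example that is not the project's code. The function names, the accepted flag spellings ('1'/'true', '0'/'false') and the precedence order (PG_ALLOW_SELF_SIGNED_CERT, then PG_SSL_REJECT_UNAUTHORIZED, then the URL) are assumptions taken from the thread; the point shown is that the host test runs on the parsed hostname and port, not on the raw string.

```typescript
// Added example; names, flag spellings and precedence are assumptions.
type Env = Record<string, string | undefined>

const POOLER_PORT = '6543'
const POOLER_HOST_SUFFIXES = ['.supabase.co', '.supabase.com']

// Explicit override parser: unrecognised or missing values mean "not set".
function parseFlag(raw: string | undefined): boolean | undefined {
  const v = raw?.trim().toLowerCase()
  if (v === '1' || v === 'true') return true
  if (v === '0' || v === 'false') return false
  return undefined
}

function tryParseUrl(raw: string): URL | undefined {
  try {
    return new URL(raw)
  }
  catch {
    return undefined // malformed URL: caller keeps verification on
  }
}

// Match on the parsed hostname and port, never on the raw string, so that
// userinfo, path or a longer parent domain cannot satisfy the check.
function isSupabasePoolerUrl(databaseUrl?: string): boolean {
  const url = databaseUrl ? tryParseUrl(databaseUrl) : undefined
  if (!url) return false
  if (url.protocol !== 'postgres:' && url.protocol !== 'postgresql:') return false
  const host = url.hostname.toLowerCase()
  return url.port === POOLER_PORT && POOLER_HOST_SUFFIXES.some(s => host.endsWith(s))
}

// Explicit env overrides first, URL inference last.
function allowUnverifiedPgCert(env: Env, databaseUrl?: string): boolean {
  const allow = parseFlag(env.PG_ALLOW_SELF_SIGNED_CERT)
  if (allow !== undefined) return allow
  const reject = parseFlag(env.PG_SSL_REJECT_UNAUTHORIZED)
  if (reject !== undefined) return !reject
  return isSupabasePoolerUrl(databaseUrl)
}

// Shape of the `ssl` option handed to a pg client.
function pgSslOptions(env: Env, databaseUrl?: string): { rejectUnauthorized: boolean } {
  return { rejectUnauthorized: !allowUnverifiedPgCert(env, databaseUrl) }
}
```

Any URL for which this returns `rejectUnauthorized: false` is a connection whose server certificate is not checked, so the suffix list and port are the whole trust boundary.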
@codspeed-hq (Bot, Contributor) commented Apr 24, 2026

Merging this PR will not alter performance

✅ 28 untouched benchmarks


Comparing codex/fix-retention-backfill-pooler-tls (6fe2ba1) with main (07f489f) [1]

Footnotes

  1. No successful run was found on main (f3f4f70) during the generation of this report, so 07f489f was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.


@riderx riderx merged commit ef94a86 into main Apr 27, 2026
16 checks passed
@riderx riderx deleted the codex/fix-retention-backfill-pooler-tls branch April 27, 2026 14:25