Direct Postgres path via DATABASE_URL, bypassing Supabase's REST layer
Commit 27f2ffc9 adds an opt-in query path that talks to Postgres directly through `node-postgres` rather than through the Supabase JS client. Set `DATABASE_URL` and the existing Supabase chain API -- `.from().select().eq()` and so on -- routes through a hand-rolled adapter instead of Supabase's REST gateway.
The new backend/src/lib/pg.ts (480 lines) implements a QueryBuilder that mimics the Supabase JS surface the rest of the codebase uses: .from(), .select(), .eq(), .neq(), .in(), .is(), .or(), .filter(), .order(), .limit(), .single() / .maybeSingle(), plus insert, update, delete, and upsert with { onConflict, ignoreDuplicates } options. All return the { data, error } shape. Auth still goes through Supabase regardless -- only the data plane swaps. An optional DATABASE_SCHEMA env var controls the table prefix.
One follow-up to know about: a later commit (5d3945a1) adds a missing .not() operator to this adapter. If you import 27f2ffc9 on its own, that method will throw at runtime on any query that uses it.
The as unknown as SupabaseClient cast is doing real work here. Any Supabase JS method the adapter doesn't implement will fail silently at the TypeScript layer and explode at runtime. Coverage is limited to what the codebase actually calls today, so you'd want to audit your own query patterns before shipping.
The other thing worth naming: this bypasses Supabase RLS entirely. Whatever credentials DATABASE_URL carries are the authorization boundary. That's fine for server-side service-role usage, but it's a different security model than RLS-enforced access and needs explicit sign-off.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?