Merged
22 changes: 22 additions & 0 deletions apps/docs/app/contributing/content.mdx
Expand Up @@ -181,6 +181,8 @@ Line numbers are 1-indexed and inclusive.
lines={[[1, 3], [5, -1]]}
{/* Optional, displays as a file name on the code block */}
meta="name=display/path.js"
{/* Optional, strips TypeScript types to produce JavaScript, which you also include with another <CodeSample /> */}
convertToJs={true}
/>
```

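Review bot: The new prop comment above `convertToJs={true}` is hard to parse: "which you also include with another <CodeSample />" does not say whether a second sample is required or what it should contain. If the intent is that authors add a separate sample to show the TypeScript version, say so directly, for example "Optional. Strips TypeScript types and renders the sample as JavaScript." followed by a sentence on pairing it with an unconverted sample. The comment also writes `<CodeSample />` while the example further down this file uses `<$CodeSample`, so the name should match.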
Expand All @@ -195,11 +197,31 @@ commit="1623aa9b95ec90e21c5bae5a0d50dcf272abe92f"
path="/relative/path/from/root.js"
lines={[[1, 3], [5, -1]]}
meta="name=display/path.js"
convertToJs={true}
/>
```

The repo must be public, the org must be on the allow list, and the commit must be an immutable SHA (not a mutable tag or branch name).

#### Converting TypeScript to JavaScript

You can automatically strip TypeScript types from code samples to produce JavaScript using the `convertToJs` option:

```mdx
<$CodeSample
path="/path/to/typescript-file.ts"
lines={[[1, -1]]}
convertToJs={true}
/>
```

This is useful when you want to show JavaScript examples from TypeScript source files. The conversion:

- Removes all TypeScript type annotations, interfaces, and type definitions
- Converts the language identifier from `typescript` to `javascript` (or `tsx` to `jsx`)
- Happens before any line selection or elision processing
- Defaults to `false` to preserve TypeScript code when not specified

#### Multi-file code samples

Multi-file code samples use the `<$CodeTabs>` annotation:
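Review bot: In the new "Converting TypeScript to JavaScript" section, the bullet "Happens before any line selection or elision processing" implies that `lines` is applied to the converted output, but the section never states it. Because the conversion removes interfaces and type definitions, the ranges an author reads off the `.ts` source may no longer match; say explicitly which numbering `lines` refers to when `convertToJs` is set, since the example sidesteps the question with `lines={[[1, -1]]}`. Separately, the external-repo example adds `convertToJs={true}` next to `path="/relative/path/from/root.js"`, which is already a JavaScript file; switch that path to a `.ts` file or drop the prop there.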
33 changes: 24 additions & 9 deletions apps/docs/content/guides/platform/sso.mdx
Expand Up @@ -13,30 +13,45 @@ Supabase offers single sign-on (SSO) as a login option to provide additional acc

<Admonition type="note">

Supabase currently provides SAML SSO for [Team and Enterprise Plan customers](https://supabase.com/pricing). If you are an existing Team or Enterprise Plan customer, continue with the setup below. Once completed, [contact us](https://supabase.com/dashboard/support/new?category=Login_issues&subject=Enquiry%20about%20setting%20up%20SSO&message=I%20would%20like%20to%20set%20up%20SAML%20SSO%20for%20my%20team%20and%20have%20followed%20https://supabase.com/docs/guides/platform/sso%20and%20configured%20my%20provider%20%0A%0APlease%20attach%20the%20IDP%20metadata%20in%20the%20attachments%20below) to enable SSO for your team.
Supabase currently provides SAML SSO for [Team and Enterprise Plan customers](https://supabase.com/pricing). If you are an existing Team or Enterprise Plan customer, continue with the setup below.

</Admonition>

## Setup and limitations
## Supported providers

Supabase supports practically all identity providers that support the SAML 2.0 SSO protocol. We've prepared these guides for commonly used identity providers to help you get started. If you use a different provider, our support stands ready to support you.

- [Google Workspaces (formerly G Suite)](/docs/guides/platform/sso/gsuite)
- [Azure Active Directory](/docs/guides/platform/sso/azure)
- [Okta](/docs/guides/platform/sso/okta)

Accounts signing in with SSO have certain limitations.
The following sections outline the limitations when SSO is enabled or disabled for your team.
Once configured, you can update your settings anytime via the [SSO tab](https://supabase.com/dashboard/org/_/sso) under **Organization Settings**.

### Enable SSO for your team [#enable-sso]
![SSO Example](/docs/img/sso-dashboard-enabled.png)

## Key configuration options

- **Multiple domains** - You can associate one or more email domains with your SSO provider. Users with email addresses matching these domains are eligible to sign in via SSO.
- **Auto-join** - Optionally allow users with a matching domain to be added to your organization automatically when they first sign in, without an invitation.
- **Default role for auto-joined users** - Choose the role (e.g., `Read-only`, `Developer`, `Administrator`, `Owner`) that automatically joined users receive. Refer to [access control](/docs/guides/platform/access-control) for more information about roles.

## How SSO works in Supabase

When SSO is enabled for an organization:

- Organization invites are restricted to company members belonging to the same identity provider.
- Every user has an organization created by default. They can create as many projects as they want.
- An SSO user will not be able to update or reset their password since the company administrator manages their access via the identity provider.
- If an SSO user with the following email of `[email protected]` attempts to sign in with a GitHub account that uses the same email, a separate Supabase account is created and will not be linked to the SSO user's account.
- An SSO user will not be able to see all organizations/projects created under the same identity provider. They will need to be invited to the Supabase organization first. Refer to [access control](/docs/guides/platform/access-control) for more information.
- SSO users will only see organizations/projects they've been invited to or auto-joined into. See [access control](/docs/guides/platform/access-control) for more details.

## Disabling SSO for an organization

If you disable the SSO provider for an organization, **all SSO users will immediately be unable to sign in**. Before disabling SSO, ensure you have at least one non-SSO owner account to prevent being locked out.

## Removing an individual SSO user's access

### Disable SSO for your team [#disable-sso]
To revoke access for a specific SSO user without disabling the provider entirely you may:

- You can prevent a user's account from further access to Supabase by removing or disabling their account in your identity provider.
- You should also remove or downgrade their permissions from any organizations inside Supabase.
- Remove or disable the user's account in your identity provider
- Downgrade or remove their permissions for any organizations in Supabase.
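Review bot: Under "Removing an individual SSO user's access", the lead-in "you may:" followed by two bullets reads as a choice between two options, while the other wording in this hunk says you "should also remove or downgrade their permissions" inside Supabase. Disabling the account in the identity provider and removing the organization permissions are separate steps, so the lead-in should ask for both (for example "do both of the following:"), and the first bullet needs a closing period to match the second. In "Key configuration options", the auto-join default role lists `Owner` and `Administrator` with no guidance; since auto-join adds any user on a matching domain without an invitation, recommend the least-privileged role as the default choice.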
75 changes: 62 additions & 13 deletions apps/docs/content/guides/platform/sso/azure.mdx
Expand Up @@ -5,7 +5,7 @@ description: 'Configure single sign-on with Azure AD (Microsoft Entra).'

<Admonition type="note">

This feature is only available on the [Team and Enterprise Plans](https://supabase.com/pricing). If you are an existing Team or Enterprise Plan customer, continue with the setup below. Once completed, [contact us](https://supabase.com/dashboard/support/new?category=Login_issues&subject=Enquiry%20about%20setting%20up%20SSO&message=I%20would%20like%20to%20set%20up%20SAML%20SSO%20for%20my%20team%20and%20have%20followed%20https://supabase.com/docs/guides/platform/sso%20and%20configured%20my%20provider%20%0A%0APlease%20attach%20the%20IDP%20metadata%20in%20the%20attachments%20below) to enable SSO for your team.
This feature is only available on the [Team and Enterprise Plans](https://supabase.com/pricing). If you are an existing Team or Enterprise Plan customer, continue with the setup below.

</Admonition>

Expand Down Expand Up @@ -33,7 +33,7 @@ You'll be using the custom enterprise application setup for Supabase.

## Step 3: Fill in application details [#add-application-details]

In the modal titled _Create your own application_, enter a display name for Supabase. This is the name your Azure AD users see when signing in to Supabase from Azure. `Supabase` works in most cases.
In the modal titled _Create your own application_, enter a display name for Supabase. This is the name your Azure AD users will see when signing in to Supabase from Azure. `Supabase` works in most cases.

Make sure to choose the third option: _Integrate any other application you
don't find in the gallery (Non-gallery)_.
Expand Down Expand Up @@ -81,24 +81,73 @@ All of the correct information should automatically populate the _Basic SAML Con

Finally, click the _Save_ button to save the configuration.

## Step 7: Obtain metadata URL and send to Supabase [#send-metadata-url]
## Step 7: Obtain metadata URL [#idp-metadata-url]

Supabase needs to finalize enabling single sign-on with your Azure AD application. To do this, copy and send the link under **App Federation Metadata URL** in \*section 3 **SAML Certificates\*** to your support contact and await further instructions. If you're not clear who to send this link to or need further assistance, reach out to [Supabase Support](https://supabase.help).

**Do not test the login until you have heard back from the support contact.**
Save the link under **App Federation Metadata URL** in \*section 3 **SAML Certificates\***. You will need to enter this URL later in [Step 10](#dashboard-configure-metadata).

![Azure AD console: Supabase application, SAML Certificates card shown, App Federation Metadata Url highlighted](/docs/img/sso-azure-step-07.png)

## Step 8: Wait for confirmation [#confirmation]
## Step 8: Enable SSO in the Dashboard [#dashboard-enable-sso]

1. Visit the [SSO tab](https://supabase.com/dashboard/org/_/sso) under the Organization Settings page. ![SSO disabled](/docs/img/sso-dashboard-disabled.png)

2. Toggle **Enable Single Sign-On** to begin configuration. Once enabled, the configuration form appears. ![SSO enabled](/docs/img/sso-dashboard-enabled.png)

## Step 9: Configure domains [#dashboard-configure-domain]

Enter one or more domains associated with your users email addresses (e.g., `supabase.com`).
These domains determine which users are eligible to sign in via SSO.

![Domain configuration](/docs/img/sso-dashboard-configure-domain.png)

If your organization uses more than one email domain - for example, `supabase.com` for staff and `supabase.io` for contractors - you can add multiple domains here. All listed domains will be authorized for SSO sign-in.

![Domain configuration with multiple domains](/docs/img/sso-dashboard-configure-domain-multi.png)

<Admonition type="note">

We do not permit use of public domains like `gmail.com`, `yahoo.com`.

</Admonition>

## Step 10: Configure metadata [#dashboard-configure-metadata]

Enter the metadata URL you obtained from [Step 7](#idp-metadata-url) into the Metadata URL field:

Wait for confirmation or further instructions from your support contact at Supabase before proceeding to the next step. It usually takes us 1 business day to configure SSO for you.
![Metadata configuration with Azure AD](/docs/img/sso-dashboard-configure-metadata-azure.png)

## Step 9: Test single sign-on [#testing]
## Step 11: Configure attribute mapping [#dashboard-configure-attributes]

Fill out the Attribute Mapping section using the **Azure** preset.

![Attribute mapping configuration](/docs/img/sso-dashboard-configure-attributes-azure.png)

## Step 12: Join organization on signup (optional) [#dashboard-configure-autojoin]

By default this setting is disabled, users logging in via SSO will not be added to your organization automatically.

![Auto-join disabled](/docs/img/sso-dashboard-configure-autojoin-disabled.png)

Toggle this on if you want SSO-authenticated users to be **automatically added to your organization** when they log in via SSO.

![Auto-join enable](/docs/img/sso-dashboard-configure-autojoin-enabled.png)

When auto-join is enabled, you can choose the **default role** for new users:

![Auto-join role selection](/docs/img/sso-dashboard-configure-autojoin-enabled-role.png)

Choose a role that fits the level of access you want to grant to new members.

<Admonition type="note">

Visit [access-control](/docs/guides/platform/access-control) documentation for details about each role.

</Admonition>

_Testing sign-on before your Azure AD has been registered with Supabase will not work. Make sure you've received confirmation from your support contact at Supabase as laid out in the [confirmation](#confirmation) step._
## Step 13: Save changes and test single sign-on [#dashboard-configure-save]

Once you’ve received confirmation from your support contact at Supabase that SSO setup has been completed for your enterprise, you can ask some of your users to sign in via their Azure AD account.
When you click **Save changes**, your new SSO configuration is applied immediately. From that moment, any user with an email address matching one of your configured domains who visits your organization's sign-in URL will be routed through the SSO flow.

You ask them to enter their email address on the [Sign in with SSO](https://supabase.com/dashboard/sign-in-sso) page.
We recommend asking a few users to test signing in via their Azure AD account. They can do this by entering their email address on the [Sign in with SSO](https://supabase.com/dashboard/sign-in-sso) page.

If sign in is not working correctly, reach out to your support contact at Supabase for further guidance.
If SSO sign-in doesn't work as expected, contact your Supabase support representative for assistance.
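Review bot: Step 13 says **Save changes** applies the configuration immediately and routes every user on a configured domain through SSO, but nothing in Steps 8 to 13 tells the admin what to do if the metadata URL or attribute mapping turns out to be wrong. Add a note before saving that mirrors the sso.mdx advice to keep at least one non-SSO owner account, so a misconfiguration cannot lock the organization out. Step 12 offers a default role for auto-joined users without recommending a least-privileged choice. Smaller points: Step 7 keeps the escaped emphasis `\*section 3 **SAML Certificates\***`, which renders the outer asterisks literally; Step 9 should read "users' email addresses"; and Step 12's "By default this setting is disabled, users logging in via SSO will not be added" is a comma splice.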