[pull] master from supabase:master

.github/CODEOWNERS

@@ -1,6 +1,6 @@
 /packages/ui/  @supabase/design
-/packages/shared-data/pricing.ts @roryw10 @kevcodez
-/packages/shared-data/plans.ts @roryw10 @kevcodez
+/packages/shared-data/pricing.ts @roryw10 @supabase/billing
+/packages/shared-data/plans.ts @roryw10 @supabase/billing
 /packages/common/telemetry-constants.ts @4L3k51 @supabase/growth-eng
 
 /apps/studio/ @supabase/Dashboard

apps/docs/content/guides/auth/password-security.mdx

@@ -23,7 +23,7 @@ There are hundreds of millions (and growing!) known passwords out there. Malicio
 To help protect your users, Supabase Auth allows you fine-grained control over the strength of the passwords used on your project. You can configure these in your project's [Auth settings](/dashboard/project/_/auth/providers?provider=Email):
 
 - Set a large minimum password length. Anything less than 8 characters is not recommended.
-- Set the required characters that must appear at least once in a user's password. Use the strongest option of requiring digits, lowercase and uppercase letters, and symbols.
+- Set the required characters that must appear at least once in a user's password. Use the strongest option of requiring digits, lowercase and uppercase letters, and symbols. The allowed symbols are: ``!@#$%^&*()_+-=[]{};'\:"|<>?,./`~``
 - Prevent the use of leaked passwords. Supabase Auth uses the open-source [HaveIBeenPwned.org Pwned Passwords API](https://haveibeenpwned.com/Passwords) to reject passwords that have been leaked and are known by malicious actors.
 
 <Admonition type="note">

apps/docs/content/guides/security/hipaa-compliance.mdx

@@ -8,6 +8,12 @@ The [Health Insurance Portability and Accountability Act (HIPAA)](https://www.hh
 
 Under HIPAA, both covered entities and business associates have distinct responsibilities to ensure the protection of PHI. Supabase acts as a business associate for customers (the covered entity) who wish to provide healthcare related services. As a business associate, Supabase has a number of obligations and has undergone auditing of the security and privacy controls that are in place to meet these. Supabase has signed a Business Associate Agreement (BAA) with all of our vendors who would have access to ePHI, such as AWS, and ensure that we follow their terms listed in the agreements. Similarly when a customer signs a BAA with us, they have some responsibilities they agree to when using Supabase to store PHI.
 
+<Admonition type="caution">
+
+The hosted Supabase platform has the necessary controls to meet HIPAA requirements. These controls are not supported out of the box in self-hosted Supabase. HIPAA controls extend further than the Supabase product, encompassing legal agreements (BAAs) with providers, operating controls and policies. Achieving HIPAA compliance with self-hosted Supabase is out of scope for this documentation and you should consult your auditor for further guidance.
+
+</Admonition>
+
 ### Customer responsibilities
 
 Covered entities (the customer) are organizations that directly handle PHI, such as health plans, healthcare clearinghouses, and healthcare providers that conduct certain electronic transactions.

apps/studio/components/interfaces/Billing/Subscription/Subscription.utils.ts

@@ -1,4 +1,4 @@
-import type { OrgSubscription, ProjectSelectedAddon } from 'data/subscriptions/types'
+import type { OrgSubscription, PlanId, ProjectSelectedAddon } from 'data/subscriptions/types'
 import { IS_PLATFORM } from 'lib/constants'
 
 export const getAddons = (selectedAddons: ProjectSelectedAddon[]) => {
@@ -32,3 +32,43 @@ export const billingPartnerLabel = (billingPartner?: string) => {
       return billingPartner
   }
 }
+
+type PlanChangeType = 'upgrade' | 'downgrade' | 'none'
+
+export const getPlanChangeType = (
+  fromPlan: PlanId | undefined,
+  toPlan: PlanId | undefined
+): PlanChangeType => {
+  const planChangeTypes: Record<PlanId, Record<PlanId, PlanChangeType>> = {
+    free: {
+      free: 'none',
+      pro: 'upgrade',
+      team: 'upgrade',
+      enterprise: 'upgrade',
+    },
+    pro: {
+      free: 'downgrade',
+      pro: 'none',
+      team: 'upgrade',
+      enterprise: 'upgrade',
+    },
+    team: {
+      free: 'downgrade',
+      pro: 'downgrade',
+      team: 'none',
+      enterprise: 'upgrade',
+    },
+    enterprise: {
+      free: 'downgrade',
+      pro: 'downgrade',
+      team: 'downgrade',
+      enterprise: 'none',
+    },
+  }
+
+  if (!fromPlan || !toPlan) {
+    return 'none'
+  }
+
+  return planChangeTypes[fromPlan]?.[toPlan] ?? 'none'
+}

apps/studio/components/interfaces/Organization/BillingSettings/CreditTopUp.tsx

@@ -252,8 +252,10 @@ export const CreditTopUp = ({ slug }: { slug: string | undefined }) => {
                   name="paymentMethod"
                   render={() => (
                     <PaymentMethodSelection
+                      createPaymentMethodInline={false}
                       onSelectPaymentMethod={(pm) => form.setValue('paymentMethod', pm)}
                       selectedPaymentMethod={form.getValues('paymentMethod')}
+                      readOnly={executingTopUp || paymentConfirmationLoading}
                     />
                   )}
                 />

apps/studio/components/interfaces/Organization/BillingSettings/PaymentMethods/NewPaymentMethodElement.tsx

@@ -15,7 +15,8 @@ const NewPaymentMethodElement = forwardRef(
     {
       pending_subscription_flow_enabled,
       email,
-    }: { pending_subscription_flow_enabled: boolean; email?: string },
+      readOnly,
+    }: { pending_subscription_flow_enabled: boolean; email?: string; readOnly: boolean },
     ref
   ) => {
     const stripe = useStripe()
@@ -58,7 +59,7 @@ const NewPaymentMethodElement = forwardRef(
       createPaymentMethod,
     }))
 
-    return <PaymentElement options={{ defaultValues: { billingDetails: { email } } }} />
+    return <PaymentElement options={{ defaultValues: { billingDetails: { email } }, readOnly }} />
   }
 )
 

apps/studio/components/interfaces/Organization/BillingSettings/Subscription/DowngradeModal.tsx

@@ -5,10 +5,11 @@ import type { OrgSubscription, ProjectAddon } from 'data/subscriptions/types'
 import { PricingInformation } from 'shared-data'
 import { Modal } from 'ui'
 import { Admonition } from 'ui-patterns'
+import { plans as subscriptionsPlans } from 'shared-data/plans'
+import { useMemo } from 'react'
 
 export interface DowngradeModalProps {
   visible: boolean
-  selectedPlan?: PricingInformation
   subscription?: OrgSubscription
   onClose: () => void
   onConfirm: () => void
@@ -50,12 +51,13 @@ const ProjectDowngradeListItem = ({ projectAddon }: { projectAddon: ProjectAddon
 
 const DowngradeModal = ({
   visible,
-  selectedPlan,
   subscription,
   onClose,
   onConfirm,
   projects,
 }: DowngradeModalProps) => {
+  const selectedPlan = useMemo(() => subscriptionsPlans.find((tier) => tier.id === 'tier_free'), [])
+
   // Filter out the micro addon as we're dealing with that separately
   const previousProjectAddons =
     subscription?.project_addons.flatMap((projectAddons) => {