@deverjak/tenantkit-adapter-supabase 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Chytré Digital
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,116 @@
+# @deverjak/tenantkit-adapter-supabase
+
+The **Supabase reference adapter** for the `reservation-core` / tenantkit kernel ports. One call —
+`createSupabaseRuntime()` — gives you a fully‑wired `CoreRuntime` (Database, Identity, Session, Authz,
+Storage) that `withRoute()` consumes. Bring your own **email** (Resend/SMTP) and, if you sell, **payments**
+(Stripe); Supabase covers your DB + auth + storage.
+
+> Why Supabase is the *reference* adapter: it implements every flow the kernel needs **natively** — password,
+> magic link, OTP, OAuth, admin user creation, and RLS that reads the caller's JWT — so the mapping is thin and
+> complete. Other adapters (`@deverjak/tenantkit-adapter-postgres` + `@deverjak/tenantkit-adapter-authjs`) implement the same
+> ports; nothing in your app changes when you swap.
+
+## Install
+
+```bash
+pnpm add @deverjak/tenantkit-kernel @deverjak/tenantkit-adapter-supabase @deverjak/tenantkit-email-resend
+```
+
+```bash
+# .env
+SUPABASE_URL=https://YOUR-PROJECT.supabase.co
+SUPABASE_ANON_KEY=eyJ...                 # publishable / anon key
+SUPABASE_SERVICE_ROLE_KEY=eyJ...         # server-only — bypasses RLS, never shipped to the browser
+RESEND_API_KEY=re_...
+```
+
+## Wire it (≈12 lines)
+
+```ts
+// app/server/runtime.ts
+import { cookies } from 'next/headers'
+import { createSupabaseRuntime } from '@deverjak/tenantkit-adapter-supabase'
+import { createResendEmail } from '@deverjak/tenantkit-email-resend'
+
+export const runtime = createSupabaseRuntime({
+  email: createResendEmail({ from: 'Acme <no-reply@acme.com>' }),
+  // next/headers → the CookieAdapter the SSR client needs
+  cookies: async () => {
+    const store = await cookies()
+    return {
+      getAll: () => store.getAll(),
+      setAll: (cs) => cs.forEach((c) => store.set(c.name, c.value, c.options)),
+    }
+  },
+})
+```
+
+```ts
+// app/api/courses/route.ts — a real route, RLS-enforced
+import { withRoute, jsonOk } from '@deverjak/tenantkit-kernel'
+import { runtime } from '@/server/runtime'
+
+export const POST = withRoute(
+  { runtime, audience: 'staff', minRole: 'coach', can: 'courses:create', tenantFrom: 'cookie', body: CreateCourseSchema },
+  async (ctx) => {
+    // ctx.db.user() is the caller's RLS-scoped Supabase handle; the INSERT can't escape their tenant.
+    const course = await ctx.db.user().rpc('create_course', ctx.input.body)
+    return jsonOk({ course })
+  },
+)
+```
+
+That's it. The session cookie carries the user's JWT, PostgREST sets `request.jwt.claims`, and the kernel's
+`core.current_user_id()` resolves automatically — **no `SET LOCAL`, no service key in the request path.**
+
+## What each kernel port maps to
+
+| Kernel port | Supabase mapping |
+|---|---|
+| `Database.forRequest(req).user()` | cookie‑bound SSR client — RLS **as the caller** |
+| `Database.forRequest(req).anon()` | anon client — public catalogue reads |
+| `Database.forRequest(req).service()` / `Database.service()` | service‑role client — **bypasses RLS** (webhooks/cron) |
+| `ScopedDb.rpc(fn, args)` | `supabase.rpc(...)` — your SECURITY DEFINER functions (e.g. `redeem_credit_into_session`) |
+| `ScopedDb.client` *(escape hatch)* | the raw `SupabaseClient` for idiomatic `.from()` on your own tables |
+| `IdentityProvider.*` | `supabase.auth.*` — password / magic link (via `admin.generateLink`) / OTP / OAuth / `admin.createUser` |
+| `SessionStore.refresh()` | the `updateSession` cookie‑rotation pattern (call it in middleware) |
+| `AuthzStore.*` | service‑role reads of `core.{profiles,memberships,guardianships,plugin_activations,tenants}` keyed by the verified `userId` |
+| `StorageProvider.*` | `supabase.storage.*` |
+
+## Database setup (one migration)
+
+The kernel ships its schema + RLS. Apply, in order: **(1)** the kernel core migration (creates `core.*`, the
+RLS predicates, `core.current_user_id()`), **(2)** your app/domain migrations, **(3)** *optionally*
+[`./supabase/0000_current_user_id_supabase.sql`](./supabase/0000_current_user_id_supabase.sql) if you want to
+alias `current_user_id()` to Supabase's native `auth.uid()` (Option B in that file). The portable default needs
+no Supabase‑specific SQL at all.
+
+**Supabase project settings:**
+- **Project → API → Exposed schemas:** add `core` so the adapter's `.schema('core')` reads work — *or* keep
+  `core` private and expose only RPCs (more locked‑down; the adapter then reads via `rpc()`).
+- **Auth → Email:** if you mint magic links with `admin.generateLink()` and send them via Resend (recommended,
+  so *you* own the template), disable Supabase's built‑in magic‑link email; or point Supabase SMTP at Resend.
+
+## Honest limitations (so nothing surprises you)
+
+- **No client‑side transactions.** PostgREST can't `BEGIN…COMMIT` from the client, so `ScopedDb.tx()` runs
+  inline. For real atomicity (overbooking guard, credit redeem) call a **SECURITY DEFINER RPC** via `rpc()` —
+  which is exactly what the spec does (`redeem_credit_into_session`).
+- **No raw `query()`** on `user`/`anon` scopes (PostgREST, not SQL). Use `.from()` via `ScopedDb.client`, or an
+  RPC. Driver adapters (`@deverjak/tenantkit-adapter-postgres`) do implement raw `query()`.
+- **Cookie writing** is the one Next.js‑shaped seam; `@deverjak/tenantkit-next` supplies the `cookies()` factory for
+  you. A non‑Next host passes its own `CookieAdapter`.
+- **Service role bypasses RLS** — the adapter fences it to `AuthzStore`/webhooks/cron; your code using
+  `Database.service()` must re‑check authorization.
+
+## Use it à la carte
+
+Don't want the whole runtime? Import a single factory — e.g. keep Supabase for the DB but bring a different
+IdentityProvider:
+
+```ts
+import { createSupabaseDatabase, createSupabaseAuthzStore } from '@deverjak/tenantkit-adapter-supabase'
+const runtime = { db: createSupabaseDatabase(), authz: createSupabaseAuthzStore(), identity: myAuthjsIdentity, /* … */ }
+```
+
+MIT. Part of the tenantkit kernel family — see the platform spec, `docs/14-portability-and-providers.md`.

package/dist/authz.d.ts

@@ -0,0 +1,36 @@
+/**
+ * `AuthzStore` port → Supabase. The few cross-cutting reads the kernel does itself (profile, memberships,
+ * guardianships, plugin activation, tier, provisioning). Backed by the SERVICE-role client and keyed by the
+ * already-verified `userId` — reading a user's OWN rows by id is safe regardless of RLS, and sidesteps any
+ * membership-policy recursion. Domain queries (courses, sessions, credits) are NOT here — apps run those on
+ * the request-scoped `Database.user()` client so RLS applies.
+ *
+ * NOTE: core/public tables live in the `core`/`public` schemas. `core` must be added to Supabase's
+ * "Exposed schemas" (Project → API) for `.schema('core')` to work — or wrap these in RPCs.
+ */
+import type { AuthzStore, ProfileRow } from '@deverjak/tenantkit-kernel';
+export declare class SupabaseAuthzStore implements AuthzStore {
+    private db;
+    ensureProfile(userId: string, email: string | null): Promise<ProfileRow>;
+    getMemberships(userId: string): Promise<Array<{
+        tenantId: string;
+        role: string;
+    }>>;
+    getGuardianships(userId: string): Promise<Array<{
+        participantId: string;
+        tenantId: string;
+        relation: string;
+    }>>;
+    getPluginActivation(tenantId: string, pluginId: string): Promise<{
+        enabled: boolean;
+    } | null>;
+    getTenantTier(tenantId: string): Promise<string>;
+    provisionTenant(input: {
+        name: string;
+        slug: string;
+        ownerId: string;
+    }): Promise<{
+        tenantId: string;
+    }>;
+}
+export declare const createSupabaseAuthzStore: () => SupabaseAuthzStore;

package/dist/authz.js

@@ -0,0 +1,41 @@
+import { adminClient } from './clients';
+export class SupabaseAuthzStore {
+    db = adminClient();
+    async ensureProfile(userId, email) {
+        const { data } = await this.db.schema('core').from('profiles')
+            .select('full_name, locale, avatar_url, phone').eq('id', userId).maybeSingle();
+        if (data) {
+            return { fullName: data.full_name, locale: data.locale, avatarUrl: data.avatar_url, phone: data.phone };
+        }
+        const fullName = email ? (email.split('@')[0] ?? null) : null;
+        await this.db.schema('core').from('profiles').upsert({ id: userId, full_name: fullName }, { onConflict: 'id', ignoreDuplicates: true });
+        return { fullName, locale: null, avatarUrl: null, phone: null };
+    }
+    async getMemberships(userId) {
+        const { data } = await this.db.schema('core').from('memberships').select('tenant_id, role').eq('user_id', userId);
+        return (data ?? []).map((m) => ({ tenantId: m.tenant_id, role: m.role }));
+    }
+    async getGuardianships(userId) {
+        const { data } = await this.db.schema('core').from('guardianships')
+            .select('participant_id, tenant_id, relation').eq('user_id', userId);
+        return (data ?? []).map((g) => ({ participantId: g.participant_id, tenantId: g.tenant_id, relation: g.relation }));
+    }
+    async getPluginActivation(tenantId, pluginId) {
+        const { data } = await this.db.schema('core').from('plugin_activations')
+            .select('is_enabled').eq('tenant_id', tenantId).eq('plugin_id', pluginId).maybeSingle();
+        return data ? { enabled: data.is_enabled } : null;
+    }
+    async getTenantTier(tenantId) {
+        const { data } = await this.db.schema('core').from('tenants').select('tier').eq('id', tenantId).single();
+        return data?.tier ?? 'free';
+    }
+    async provisionTenant(input) {
+        const { data, error } = await this.db.schema('core').rpc('create_tenant_with_owner', {
+            p_name: input.name, p_slug: input.slug, p_owner: input.ownerId,
+        });
+        if (error)
+            throw error;
+        return { tenantId: data };
+    }
+}
+export const createSupabaseAuthzStore = () => new SupabaseAuthzStore();

package/dist/clients.d.ts

@@ -0,0 +1,9 @@
+import { type SupabaseClient } from '@supabase/supabase-js';
+import { type CookieAdapter, readOnlyCookies } from '@deverjak/tenantkit-kernel';
+export { type CookieAdapter, readOnlyCookies };
+/** Cookie-bound client: every query runs under the caller's RLS identity (JWT from the cookie). */
+export declare function userClient(cookies: CookieAdapter): SupabaseClient;
+/** anon-role client: no session, RLS still enforced. Safe for public reads. */
+export declare function anonClient(): SupabaseClient;
+/** service-role client: BYPASSES RLS. Singleton, server-only. Throws if the service key is absent. */
+export declare function adminClient(): SupabaseClient;

package/dist/clients.js

@@ -0,0 +1,48 @@
+/**
+ * The raw Supabase client factories — the ONE place @supabase/* is imported. Everything else in this adapter
+ * builds on these. Three roles, mirroring the four-factory pattern from the reference apps, here consolidated:
+ *
+ *   • userClient(req)  — cookie-bound SSR client; RLS runs AS the signed-in user. PostgREST injects the JWT,
+ *                        so `core.current_user_id()` resolves with ZERO extra work (no SET LOCAL needed).
+ *   • anonClient()     — anon role; RLS applies, no identity (public catalogue reads).
+ *   • adminClient()    — service role; BYPASSES RLS. Server-only singleton. Re-check authz in code.
+ *
+ * Cookie handling is the only Next.js-specific seam; it is injected so a non-Next host can supply its own.
+ */
+import { createServerClient } from '@supabase/ssr';
+import { createClient } from '@supabase/supabase-js';
+import { supabaseEnv } from './env';
+// CookieAdapter is a VENDOR-FREE kernel type — the adapter (and @deverjak/tenantkit-next) reuse it; neither owns it.
+import { readOnlyCookies } from '@deverjak/tenantkit-kernel';
+export { readOnlyCookies }; // re-export for this adapter's consumers
+/** Cookie-bound client: every query runs under the caller's RLS identity (JWT from the cookie). */
+export function userClient(cookies) {
+    const env = supabaseEnv();
+    return createServerClient(env.SUPABASE_URL, env.SUPABASE_ANON_KEY, {
+        cookies: {
+            getAll: () => cookies.getAll(),
+            setAll: (toSet) => cookies.setAll(toSet),
+        },
+    });
+}
+/** anon-role client: no session, RLS still enforced. Safe for public reads. */
+export function anonClient() {
+    const env = supabaseEnv();
+    return createClient(env.SUPABASE_URL, env.SUPABASE_ANON_KEY, {
+        auth: { persistSession: false, autoRefreshToken: false },
+    });
+}
+let admin = null;
+/** service-role client: BYPASSES RLS. Singleton, server-only. Throws if the service key is absent. */
+export function adminClient() {
+    if (admin)
+        return admin;
+    const env = supabaseEnv();
+    if (!env.SUPABASE_SERVICE_ROLE_KEY) {
+        throw new Error('[adapter-supabase] SUPABASE_SERVICE_ROLE_KEY is required for service-role access');
+    }
+    admin = createClient(env.SUPABASE_URL, env.SUPABASE_SERVICE_ROLE_KEY, {
+        auth: { persistSession: false, autoRefreshToken: false },
+    });
+    return admin;
+}

package/dist/database.d.ts

@@ -0,0 +1,26 @@
+/**
+ * `Database` port → Supabase. Implements `forRequest(req).{user,anon,service}()` and out-of-band `service()`.
+ *
+ * The elegant part of the Supabase mapping: `user()` is the cookie-bound client, so RLS runs as the caller
+ * with NO `SET LOCAL` — PostgREST injects `request.jwt.claims` and `core.current_user_id()` just works.
+ *
+ * Honest limitation surfaced by this adapter: PostgREST has no client-side interactive transaction, so `tx()`
+ * runs the callback without a real BEGIN/COMMIT. For genuine atomicity (the overbooking guard, credit redeem),
+ * the spec already routes through SECURITY DEFINER RPCs (`redeem_credit_into_session`) — call them via `rpc()`.
+ * Raw `query()` is intentionally omitted on Supabase scopes (no arbitrary SQL over PostgREST); use `.client`.
+ */
+import type { SupabaseClient } from '@supabase/supabase-js';
+import type { Database, RequestDb, ScopedDb } from '@deverjak/tenantkit-kernel';
+/** Concrete ScopedDb that also exposes `.client` — the escape hatch for idiomatic `.from()` on Supabase apps. */
+export declare class SupabaseScopedDb implements ScopedDb {
+    readonly client: SupabaseClient;
+    constructor(client: SupabaseClient);
+    rpc<T = unknown>(fn: string, args: Record<string, unknown>): Promise<T>;
+    /** No real transaction over PostgREST — run inline. Use a SECURITY DEFINER RPC when you need atomicity. */
+    tx<T>(fn: (db: ScopedDb) => Promise<T>): Promise<T>;
+}
+export declare class SupabaseDatabase implements Database {
+    forRequest(req: Request): RequestDb;
+    service(): ScopedDb;
+}
+export declare const createSupabaseDatabase: () => SupabaseDatabase;

package/dist/database.js

@@ -0,0 +1,42 @@
+import { adminClient, anonClient, readOnlyCookies, userClient } from './clients';
+/** Concrete ScopedDb that also exposes `.client` — the escape hatch for idiomatic `.from()` on Supabase apps. */
+export class SupabaseScopedDb {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    async rpc(fn, args) {
+        const { data, error } = await this.client.rpc(fn, args);
+        if (error)
+            throw error; // surfaces as PostgrestError → mapped to HTTP by the kernel's jsonError
+        return data;
+    }
+    /** No real transaction over PostgREST — run inline. Use a SECURITY DEFINER RPC when you need atomicity. */
+    async tx(fn) {
+        return fn(this);
+    }
+}
+export class SupabaseDatabase {
+    forRequest(req) {
+        const cookies = readOnlyCookies(parseCookieHeader(req.headers.get('cookie')));
+        return {
+            user: () => new SupabaseScopedDb(userClient(cookies)),
+            anon: () => new SupabaseScopedDb(anonClient()),
+            service: () => new SupabaseScopedDb(adminClient()),
+        };
+    }
+    service() {
+        return new SupabaseScopedDb(adminClient());
+    }
+}
+export const createSupabaseDatabase = () => new SupabaseDatabase();
+function parseCookieHeader(header) {
+    if (!header)
+        return [];
+    return header.split(';').map((pair) => {
+        const idx = pair.indexOf('=');
+        const name = pair.slice(0, idx).trim();
+        const value = decodeURIComponent(pair.slice(idx + 1).trim());
+        return { name, value };
+    });
+}

package/dist/env.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Supabase adapter env — validated once, fail-fast. The publishable key is named per the conventional
+ * `SUPABASE_ANON_KEY` (the reference apps used a non-standard name; we normalize it here).
+ */
+import { z } from 'zod';
+declare const Schema: z.ZodObject<{
+    SUPABASE_URL: z.ZodString;
+    SUPABASE_ANON_KEY: z.ZodString;
+    SUPABASE_SERVICE_ROLE_KEY: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type SupabaseEnv = z.infer<typeof Schema>;
+export declare function supabaseEnv(): SupabaseEnv;
+export {};

package/dist/env.js

@@ -0,0 +1,26 @@
+/**
+ * Supabase adapter env — validated once, fail-fast. The publishable key is named per the conventional
+ * `SUPABASE_ANON_KEY` (the reference apps used a non-standard name; we normalize it here).
+ */
+import { z } from 'zod';
+const Schema = z.object({
+    SUPABASE_URL: z.string().url(),
+    SUPABASE_ANON_KEY: z.string().min(1),
+    /** Server-only. NEVER exposed to the browser bundle. Bypasses RLS. */
+    SUPABASE_SERVICE_ROLE_KEY: z.string().min(1).optional(),
+});
+let cached = null;
+export function supabaseEnv() {
+    if (cached)
+        return cached;
+    const parsed = Schema.safeParse({
+        SUPABASE_URL: process.env.SUPABASE_URL ?? process.env.NEXT_PUBLIC_SUPABASE_URL,
+        SUPABASE_ANON_KEY: process.env.SUPABASE_ANON_KEY ?? process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
+        SUPABASE_SERVICE_ROLE_KEY: process.env.SUPABASE_SERVICE_ROLE_KEY,
+    });
+    if (!parsed.success) {
+        throw new Error(`[adapter-supabase] invalid env:\n${parsed.error.issues.map((i) => ` - ${i.path}: ${i.message}`).join('\n')}`);
+    }
+    cached = parsed.data;
+    return cached;
+}

package/dist/identity.d.ts

@@ -0,0 +1,43 @@
+import type { AuthSession, AuthUser, IdentityProvider } from '@deverjak/tenantkit-kernel';
+import { type CookieAdapter } from './clients';
+export interface SupabaseIdentityDeps {
+    /** A writable cookie adapter for the current request (the @deverjak/tenantkit-next binding backs this with next/headers). */
+    cookies: () => Promise<CookieAdapter>;
+}
+export declare class SupabaseIdentity implements IdentityProvider {
+    private readonly deps;
+    constructor(deps: SupabaseIdentityDeps);
+    private client;
+    getCurrentUser(_req: Request): Promise<AuthUser | null>;
+    signInWithPassword(input: {
+        email: string;
+        password: string;
+    }): Promise<AuthSession>;
+    createMagicLink(input: {
+        email: string;
+        redirectTo: string;
+    }): Promise<{
+        token: string;
+        url: string;
+    }>;
+    verifyMagicLink(token: string): Promise<AuthSession>;
+    requestOtp(email: string): Promise<void>;
+    verifyOtp(input: {
+        email: string;
+        code: string;
+    }): Promise<AuthSession>;
+    oauthAuthorizeUrl(input: {
+        provider: string;
+        redirectTo: string;
+    }): Promise<string>;
+    oauthExchange(input: {
+        provider: string;
+        code: string;
+    }): Promise<AuthSession>;
+    signOut(_req: Request): Promise<void>;
+    createUser(input: {
+        email: string;
+        password?: string;
+    }): Promise<AuthUser>;
+}
+export declare const createSupabaseIdentity: (deps: SupabaseIdentityDeps) => SupabaseIdentity;

package/dist/identity.js

@@ -0,0 +1,86 @@
+import { adminClient, userClient } from './clients';
+export class SupabaseIdentity {
+    deps;
+    constructor(deps) {
+        this.deps = deps;
+    }
+    async client() {
+        return userClient(await this.deps.cookies());
+    }
+    async getCurrentUser(_req) {
+        const { data } = await (await this.client()).auth.getUser();
+        return data.user ? toAuthUser(data.user) : null;
+    }
+    async signInWithPassword(input) {
+        const { data, error } = await (await this.client()).auth.signInWithPassword(input);
+        if (error || !data.session)
+            throw error ?? new Error('sign-in failed');
+        return toAuthSession(data.session);
+    }
+    async createMagicLink(input) {
+        const { data, error } = await adminClient().auth.admin.generateLink({
+            type: 'magiclink',
+            email: input.email,
+            options: { redirectTo: input.redirectTo },
+        });
+        if (error || !data.properties)
+            throw error ?? new Error('generateLink failed');
+        return { token: data.properties.hashed_token, url: data.properties.action_link };
+    }
+    async verifyMagicLink(token) {
+        const { data, error } = await (await this.client()).auth.verifyOtp({ token_hash: token, type: 'magiclink' });
+        if (error || !data.session)
+            throw error ?? new Error('magic-link verify failed');
+        return toAuthSession(data.session);
+    }
+    async requestOtp(email) {
+        // Sends a 6-digit code (configure the Supabase email OTP template). Anti-enumeration: never reveals existence.
+        await (await this.client()).auth.signInWithOtp({ email, options: { shouldCreateUser: true } });
+    }
+    async verifyOtp(input) {
+        const { data, error } = await (await this.client()).auth.verifyOtp({ email: input.email, token: input.code, type: 'email' });
+        if (error || !data.session)
+            throw error ?? new Error('otp verify failed');
+        return toAuthSession(data.session);
+    }
+    async oauthAuthorizeUrl(input) {
+        const { data, error } = await (await this.client()).auth.signInWithOAuth({
+            provider: input.provider,
+            options: { redirectTo: input.redirectTo, skipBrowserRedirect: true },
+        });
+        if (error || !data.url)
+            throw error ?? new Error('oauth start failed');
+        return data.url;
+    }
+    async oauthExchange(input) {
+        const { data, error } = await (await this.client()).auth.exchangeCodeForSession(input.code);
+        if (error || !data.session)
+            throw error ?? new Error('oauth exchange failed');
+        return toAuthSession(data.session);
+    }
+    async signOut(_req) {
+        await (await this.client()).auth.signOut();
+    }
+    async createUser(input) {
+        const { data, error } = await adminClient().auth.admin.createUser({
+            email: input.email,
+            password: input.password,
+            email_confirm: true,
+        });
+        if (error || !data.user)
+            throw error ?? new Error('createUser failed');
+        return toAuthUser(data.user);
+    }
+}
+export const createSupabaseIdentity = (deps) => new SupabaseIdentity(deps);
+function toAuthUser(u) {
+    return { id: u.id, email: u.email ?? null, emailVerified: Boolean(u.email_confirmed_at) };
+}
+function toAuthSession(s) {
+    return {
+        user: toAuthUser(s.user),
+        accessToken: s.access_token,
+        refreshToken: s.refresh_token,
+        expiresAt: (s.expires_at ?? 0) * 1000,
+    };
+}

package/dist/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * @deverjak/tenantkit-adapter-supabase — Supabase reference adapter for the kernel ports.
+ *
+ * Most apps need only `createSupabaseRuntime()`. The individual factories are exported for partial use
+ * (e.g. keep Supabase for DB but bring your own IdentityProvider). Provisional scope `@deverjak/tenantkit-*` (ADR-0010).
+ */
+export { createSupabaseRuntime, type SupabaseRuntimeOptions } from './runtime';
+export { createSupabaseDatabase, SupabaseDatabase, SupabaseScopedDb } from './database';
+export { createSupabaseIdentity, SupabaseIdentity, type SupabaseIdentityDeps } from './identity';
+export { createSupabaseSessionStore, SupabaseSessionStore } from './session';
+export { createSupabaseAuthzStore, SupabaseAuthzStore } from './authz';
+export { createSupabaseStorage, SupabaseStorage } from './storage';
+export { type CookieAdapter, userClient, anonClient, adminClient, readOnlyCookies } from './clients';
+export { supabaseEnv, type SupabaseEnv } from './env';

package/dist/index.js

@@ -0,0 +1,14 @@
+/**
+ * @deverjak/tenantkit-adapter-supabase — Supabase reference adapter for the kernel ports.
+ *
+ * Most apps need only `createSupabaseRuntime()`. The individual factories are exported for partial use
+ * (e.g. keep Supabase for DB but bring your own IdentityProvider). Provisional scope `@deverjak/tenantkit-*` (ADR-0010).
+ */
+export { createSupabaseRuntime } from './runtime';
+export { createSupabaseDatabase, SupabaseDatabase, SupabaseScopedDb } from './database';
+export { createSupabaseIdentity, SupabaseIdentity } from './identity';
+export { createSupabaseSessionStore, SupabaseSessionStore } from './session';
+export { createSupabaseAuthzStore, SupabaseAuthzStore } from './authz';
+export { createSupabaseStorage, SupabaseStorage } from './storage';
+export { userClient, anonClient, adminClient, readOnlyCookies } from './clients';
+export { supabaseEnv } from './env';

package/dist/runtime.d.ts

@@ -0,0 +1,21 @@
+/**
+ * `createSupabaseRuntime()` — the one call that assembles a kernel `CoreRuntime` from Supabase. This is what
+ * makes the adapter "drop-in": pass an EmailProvider (and optionally a PaymentProvider/StorageProvider) and you
+ * get a fully-wired runtime that `withRoute()` consumes. Email & payments are SEPARATE adapters by design —
+ * Supabase is your DB + auth + storage; Resend/Stripe/etc. are yours to choose.
+ */
+import type { CookieAdapter } from './clients';
+import type { Clock, CoreRuntime, EmailProvider, IdGen, PaymentProvider, StorageProvider } from '@deverjak/tenantkit-kernel';
+export interface SupabaseRuntimeOptions {
+    /** REQUIRED — transactional email (e.g. @deverjak/tenantkit-email-resend). Supabase doesn't own your templates. */
+    email: EmailProvider;
+    /** A writable cookie adapter factory for the current request. @deverjak/tenantkit-next supplies one over next/headers. */
+    cookies: () => Promise<CookieAdapter>;
+    /** OPTIONAL — the payments plugin's provider (e.g. @deverjak/tenantkit-payments-stripe). */
+    payments?: PaymentProvider;
+    /** OPTIONAL — override storage (defaults to Supabase Storage). */
+    storage?: StorageProvider;
+    clock?: Clock;
+    ids?: IdGen;
+}
+export declare function createSupabaseRuntime(opts: SupabaseRuntimeOptions): CoreRuntime;

package/dist/runtime.js

@@ -0,0 +1,28 @@
+import { createSupabaseDatabase } from './database';
+import { createSupabaseIdentity } from './identity';
+import { createSupabaseSessionStore } from './session';
+import { createSupabaseAuthzStore } from './authz';
+import { createSupabaseStorage } from './storage';
+export function createSupabaseRuntime(opts) {
+    return {
+        identity: createSupabaseIdentity({ cookies: opts.cookies }),
+        sessions: createSupabaseSessionStore(),
+        db: createSupabaseDatabase(),
+        authz: createSupabaseAuthzStore(),
+        email: opts.email,
+        payments: opts.payments,
+        storage: opts.storage ?? createSupabaseStorage(),
+        clock: opts.clock ?? { now: () => new Date() },
+        ids: opts.ids ?? defaultIds(),
+    };
+}
+function defaultIds() {
+    return {
+        uuid: () => crypto.randomUUID(),
+        token: (bytes = 32) => {
+            const a = new Uint8Array(bytes);
+            crypto.getRandomValues(a);
+            return Buffer.from(a).toString('base64url');
+        },
+    };
+}

package/dist/session.d.ts

@@ -0,0 +1,14 @@
+/**
+ * `SessionStore` port → Supabase SSR cookies. `refresh()` is the `updateSession` pattern from the reference
+ * apps: build a client whose cookie writes land on the outgoing Response, call `getUser()` to rotate the token,
+ * and the SSR client propagates the refreshed `Set-Cookie` headers. The @deverjak/tenantkit-next middleware calls this
+ * on every request.
+ */
+import type { AuthSession, SessionStore } from '@deverjak/tenantkit-kernel';
+export declare class SupabaseSessionStore implements SessionStore {
+    read(req: Request): Promise<AuthSession | null>;
+    write(_res: Response, _session: AuthSession): Promise<void>;
+    refresh(req: Request, res: Response): Promise<AuthSession | null>;
+    clear(res: Response): Promise<void>;
+}
+export declare const createSupabaseSessionStore: () => SupabaseSessionStore;

package/dist/session.js

@@ -0,0 +1,63 @@
+import { readOnlyCookies, userClient } from './clients';
+export class SupabaseSessionStore {
+    async read(req) {
+        const client = userClient(readOnlyCookies(cookiesFromRequest(req)));
+        const { data } = await client.auth.getSession();
+        return data.session ? toSession(data.session) : null;
+    }
+    async write(_res, _session) {
+        // No-op on Supabase: cookies are written by the SSR client during the auth call that produced the session.
+        // Kept for ports that persist out-of-band (e.g. iron-session adapters).
+    }
+    async refresh(req, res) {
+        const cookies = responseCookieAdapter(req, res);
+        const client = userClient(cookies);
+        const { data } = await client.auth.getUser(); // rotates + sets refreshed cookies onto `res`
+        if (!data.user)
+            return null;
+        const { data: s } = await client.auth.getSession();
+        return s.session ? toSession(s.session) : null;
+    }
+    async clear(res) {
+        const cookies = responseCookieAdapter(new Request('http://x'), res);
+        await userClient(cookies).auth.signOut();
+    }
+}
+export const createSupabaseSessionStore = () => new SupabaseSessionStore();
+function cookiesFromRequest(req) {
+    const header = req.headers.get('cookie');
+    if (!header)
+        return [];
+    return header.split(';').map((p) => {
+        const i = p.indexOf('=');
+        return { name: p.slice(0, i).trim(), value: decodeURIComponent(p.slice(i + 1).trim()) };
+    });
+}
+/** A cookie adapter that reads from the Request and APPENDS Set-Cookie onto the Response. */
+function responseCookieAdapter(req, res) {
+    return {
+        getAll: () => cookiesFromRequest(req),
+        setAll: (toSet) => {
+            for (const c of toSet) {
+                res.headers.append('set-cookie', serializeCookie(c.name, c.value, c.options));
+            }
+        },
+    };
+}
+function serializeCookie(name, value, options) {
+    // Minimal serializer; the @deverjak/tenantkit-next binding uses Next's cookie API in production.
+    const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
+    if (process.env.NODE_ENV === 'production')
+        parts.push('Secure');
+    if (options?.['maxAge'])
+        parts.push(`Max-Age=${String(options['maxAge'])}`);
+    return parts.join('; ');
+}
+function toSession(s) {
+    return {
+        user: { id: s.user.id, email: s.user.email ?? null, emailVerified: Boolean(s.user.email_confirmed_at) },
+        accessToken: s.access_token,
+        refreshToken: s.refresh_token,
+        expiresAt: (s.expires_at ?? 0) * 1000,
+    };
+}

package/dist/storage.d.ts

@@ -0,0 +1,23 @@
+/** `StorageProvider` port → Supabase Storage. Optional; used for tenant logos / data exports. */
+import type { StorageProvider } from '@deverjak/tenantkit-kernel';
+export declare class SupabaseStorage implements StorageProvider {
+    private db;
+    put(input: {
+        bucket: string;
+        key: string;
+        body: ArrayBuffer | Uint8Array;
+        contentType: string;
+    }): Promise<{
+        key: string;
+    }>;
+    signedUrl(input: {
+        bucket: string;
+        key: string;
+        expiresInSec: number;
+    }): Promise<string>;
+    remove(input: {
+        bucket: string;
+        key: string;
+    }): Promise<void>;
+}
+export declare const createSupabaseStorage: () => SupabaseStorage;

package/dist/storage.js

@@ -0,0 +1,24 @@
+import { adminClient } from './clients';
+export class SupabaseStorage {
+    db = adminClient();
+    async put(input) {
+        const { error } = await this.db.storage.from(input.bucket).upload(input.key, input.body, {
+            contentType: input.contentType, upsert: true,
+        });
+        if (error)
+            throw error;
+        return { key: input.key };
+    }
+    async signedUrl(input) {
+        const { data, error } = await this.db.storage.from(input.bucket).createSignedUrl(input.key, input.expiresInSec);
+        if (error || !data)
+            throw error ?? new Error('signedUrl failed');
+        return data.signedUrl;
+    }
+    async remove(input) {
+        const { error } = await this.db.storage.from(input.bucket).remove([input.key]);
+        if (error)
+            throw error;
+    }
+}
+export const createSupabaseStorage = () => new SupabaseStorage();

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@deverjak/tenantkit-adapter-supabase",
+  "version": "0.1.0",
+  "description": "Supabase reference adapter for @deverjak/tenantkit-kernel — Database, Identity, Session, Authz, Storage. Drop-in: createSupabaseRuntime() → CoreRuntime.",
+  "license": "MIT",
+  "type": "module",
+  "repository": "github:chytre-digital/tenantkit-adapter-supabase",
+  "homepage": "https://github.com/chytre-digital/tenantkit#readme",
+  "keywords": [
+    "tenantkit",
+    "supabase",
+    "multi-tenant",
+    "rls",
+    "adapter",
+    "next"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./sql": "./supabase/0000_current_user_id_supabase.sql"
+  },
+  "files": [
+    "dist",
+    "supabase"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "@deverjak/tenantkit-kernel": "^0.1.0",
+    "next": ">=15"
+  },
+  "dependencies": {
+    "@supabase/ssr": "^0.8.0",
+    "@supabase/supabase-js": "^2.90.1",
+    "zod": "^4.0.0"
+  },
+  "devDependencies": {
+    "@deverjak/tenantkit-kernel": "^0.1.0",
+    "@deverjak/tenantkit-testing": "^0.1.0",
+    "@types/node": "^22.10.0",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.0"
+  },
+  "scripts": {
+    "typecheck": "tsc --noEmit",
+    "build": "tsc -p tsconfig.build.json",
+    "test": "vitest run"
+  }
+}

package/supabase/0000_current_user_id_supabase.sql

@@ -0,0 +1,21 @@
+-- @tenantkit/adapter-supabase — Supabase binding for the portable identity seam.
+--
+-- The kernel's RLS predicates call core.current_user_id() (NOT auth.uid()) so the SAME policies run on any
+-- Postgres (see packages/reservation-core/src/db/index.ts + docs/14 §3.1). On SUPABASE you have two options:
+
+-- OPTION A (recommended): keep the portable dual-path function shipped by the kernel as-is. It already reads
+--   request.jwt.claims -> 'sub', which PostgREST sets from the user's JWT. Nothing to do here. Most portable.
+
+-- OPTION B: if you only ever run on Supabase and prefer the native helper, alias the function to auth.uid():
+create or replace function core.current_user_id()
+  returns uuid language sql stable as $$
+  select auth.uid()
+$$;
+
+-- Either way, apply this AFTER the kernel core migration (which creates the core schema + the predicates).
+--
+-- Supabase project settings reminder:
+--   • Project → API → "Exposed schemas": add `core` (and `public`) so the adapter's .schema('core') reads work,
+--     OR keep core unexposed and reach it only via SECURITY DEFINER RPCs (more locked-down).
+--   • Auth → set the JWT to include `sub` (default). No custom access-token hook is required: memberships are
+--     resolved by the kernel's AuthzStore, not carried in the JWT.