@deverjak/tenantkit-adapter-supabase 0.1.0 → 0.1.2

package/dist/authz.d.ts

@@ -10,7 +10,7 @@
  */
 import type { AuthzStore, ProfileRow } from '@deverjak/tenantkit-kernel';
 export declare class SupabaseAuthzStore implements AuthzStore {
-    private db;
+    private get db();
     ensureProfile(userId: string, email: string | null): Promise<ProfileRow>;
     getMemberships(userId: string): Promise<Array<{
         tenantId: string;

package/dist/authz.js

@@ -1,6 +1,10 @@
 import { adminClient } from './clients';
 export class SupabaseAuthzStore {
-    db = adminClient();
+    // Lazy: the service-role client (and its SUPABASE_SERVICE_ROLE_KEY requirement) resolves on FIRST USE, not at
+    // construction — so an anon-only app (public catalogue, family sign-in) can build a runtime without the key.
+    get db() {
+        return adminClient();
+    }
     async ensureProfile(userId, email) {
         const { data } = await this.db.schema('core').from('profiles')
             .select('full_name, locale, avatar_url, phone').eq('id', userId).maybeSingle();

package/dist/env.d.ts

@@ -1,6 +1,7 @@
 /**
- * Supabase adapter env — validated once, fail-fast. The publishable key is named per the conventional
- * `SUPABASE_ANON_KEY` (the reference apps used a non-standard name; we normalize it here).
+ * Supabase adapter env — validated once, fail-fast. Accepts BOTH key namings: the new Supabase keys
+ * (`SUPABASE_PUBLISHABLE_KEY` / `SUPABASE_SECRET_KEY`, incl. their `NEXT_PUBLIC_*` variants) and the legacy
+ * `SUPABASE_ANON_KEY` / `SUPABASE_SERVICE_ROLE_KEY`. Internally both collapse to the same two fields.
  */
 import { z } from 'zod';
 declare const Schema: z.ZodObject<{

package/dist/env.js

@@ -1,6 +1,7 @@
 /**
- * Supabase adapter env — validated once, fail-fast. The publishable key is named per the conventional
- * `SUPABASE_ANON_KEY` (the reference apps used a non-standard name; we normalize it here).
+ * Supabase adapter env — validated once, fail-fast. Accepts BOTH key namings: the new Supabase keys
+ * (`SUPABASE_PUBLISHABLE_KEY` / `SUPABASE_SECRET_KEY`, incl. their `NEXT_PUBLIC_*` variants) and the legacy
+ * `SUPABASE_ANON_KEY` / `SUPABASE_SERVICE_ROLE_KEY`. Internally both collapse to the same two fields.
  */
 import { z } from 'zod';
 const Schema = z.object({
@@ -15,8 +16,13 @@ export function supabaseEnv() {
         return cached;
     const parsed = Schema.safeParse({
         SUPABASE_URL: process.env.SUPABASE_URL ?? process.env.NEXT_PUBLIC_SUPABASE_URL,
-        SUPABASE_ANON_KEY: process.env.SUPABASE_ANON_KEY ?? process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
-        SUPABASE_SERVICE_ROLE_KEY: process.env.SUPABASE_SERVICE_ROLE_KEY,
+        // New Supabase key naming (publishable / secret) first, then the legacy anon / service_role names.
+        // NEXT_PUBLIC_* variants cover the Edge runtime (proxy), where only public vars are inlined.
+        SUPABASE_ANON_KEY: process.env.SUPABASE_PUBLISHABLE_KEY ??
+            process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY ??
+            process.env.SUPABASE_ANON_KEY ??
+            process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
+        SUPABASE_SERVICE_ROLE_KEY: process.env.SUPABASE_SECRET_KEY ?? process.env.SUPABASE_SERVICE_ROLE_KEY,
     });
     if (!parsed.success) {
         throw new Error(`[adapter-supabase] invalid env:\n${parsed.error.issues.map((i) => ` - ${i.path}: ${i.message}`).join('\n')}`);

package/dist/storage.d.ts

@@ -1,7 +1,7 @@
 /** `StorageProvider` port → Supabase Storage. Optional; used for tenant logos / data exports. */
 import type { StorageProvider } from '@deverjak/tenantkit-kernel';
 export declare class SupabaseStorage implements StorageProvider {
-    private db;
+    private get db();
     put(input: {
         bucket: string;
         key: string;

package/dist/storage.js

@@ -1,6 +1,9 @@
 import { adminClient } from './clients';
 export class SupabaseStorage {
-    db = adminClient();
+    // Lazy (see authz.ts): resolve the service-role client on first use, not at construction.
+    get db() {
+        return adminClient();
+    }
     async put(input) {
         const { error } = await this.db.storage.from(input.bucket).upload(input.key, input.body, {
             contentType: input.contentType, upsert: true,

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "@deverjak/tenantkit-adapter-supabase",
-  "version": "0.1.0",
-  "description": "Supabase reference adapter for @deverjak/tenantkit-kernel — Database, Identity, Session, Authz, Storage. Drop-in: createSupabaseRuntime() → CoreRuntime.",
+  "version": "0.1.2",
+  "description": "Supabase reference adapter for @deverjak/tenantkit-kernel — Database, Identity, Session, Authz, Storage. Drop-in: createSupabaseRuntime() -> CoreRuntime.",
   "license": "MIT",
   "type": "module",
-  "repository": "github:chytre-digital/tenantkit-adapter-supabase",
+  "repository": "github:chytre-digital/tenantkit",
   "homepage": "https://github.com/chytre-digital/tenantkit#readme",
   "keywords": [
     "tenantkit",
@@ -29,8 +29,8 @@
     "access": "public"
   },
   "peerDependencies": {
-    "@deverjak/tenantkit-kernel": "^0.1.0",
-    "next": ">=15"
+    "next": ">=15",
+    "@deverjak/tenantkit-kernel": "0.2.0"
   },
   "dependencies": {
     "@supabase/ssr": "^0.8.0",
@@ -38,11 +38,11 @@
     "zod": "^4.0.0"
   },
   "devDependencies": {
-    "@deverjak/tenantkit-kernel": "^0.1.0",
-    "@deverjak/tenantkit-testing": "^0.1.0",
     "@types/node": "^22.10.0",
     "typescript": "^5.9.3",
-    "vitest": "^4.0.0"
+    "vitest": "^4.0.0",
+    "@deverjak/tenantkit-kernel": "0.2.0",
+    "@deverjak/tenantkit-testing": "0.1.0"
   },
   "scripts": {
     "typecheck": "tsc --noEmit",