@deverjak/tenantkit-adapter-supabase 0.1.2 → 0.1.4

package/README.md

@@ -17,13 +17,36 @@ pnpm add @deverjak/tenantkit-kernel @deverjak/tenantkit-adapter-supabase @deverj
 ```
 
 ```bash
-# .env
-SUPABASE_URL=https://YOUR-PROJECT.supabase.co
-SUPABASE_ANON_KEY=eyJ...                 # publishable / anon key
-SUPABASE_SERVICE_ROLE_KEY=eyJ...         # server-only — bypasses RLS, never shipped to the browser
-RESEND_API_KEY=re_...
+# .env — modern Supabase key names (legacy SUPABASE_ANON_KEY / SUPABASE_SERVICE_ROLE_KEY are also accepted)
+NEXT_PUBLIC_SUPABASE_URL=https://YOUR-PROJECT.supabase.co
+NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=sb_publishable_...   # browser-safe; RLS-enforced
+SUPABASE_SECRET_KEY=sb_secret_...                         # server-only — bypasses RLS, never ship to the browser
+RESEND_API_KEY=re_...                                     # only if you use @deverjak/tenantkit-email-resend
 ```
 
+## Which keys do you need?
+
+The adapter uses **two** Supabase API keys and `SUPABASE_URL`. It accepts both the **new** key names
+(`*_PUBLISHABLE_KEY` / `SUPABASE_SECRET_KEY`) and the **legacy** ones (`SUPABASE_ANON_KEY` /
+`SUPABASE_SERVICE_ROLE_KEY`); the `NEXT_PUBLIC_*` variants are read too (required by the Edge proxy/middleware).
+
+| You want to… | Key needed | Env var |
+|---|---|---|
+| **Auth** — sign in / sign up / magic link / OAuth / session refresh | **publishable** (anon) | `NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY` |
+| **Tables as the signed-in user** — RLS-scoped reads/writes (`ctx.db.user()`) | **publishable** (anon) | *(same — the user's JWT rides the cookie)* |
+| **Public / anon table reads** (`ctx.db.anon()`) | **publishable** (anon) | *(same)* |
+| **The tenant layer** — `resolveClaims` (memberships, profiles), `provisionTenant`, plugin activation, tenant tier | **secret** (service-role) | `SUPABASE_SECRET_KEY` |
+| **Storage** — logos / exports (`StorageProvider`) | **secret** (service-role) | `SUPABASE_SECRET_KEY` |
+| **Admin** — invite staff (`createUser`), mint magic links (`createMagicLink`) | **secret** (service-role) | `SUPABASE_SECRET_KEY` |
+| **Rate limits / webhooks / cron** (`Database.service()`) | **secret** (service-role) | `SUPABASE_SECRET_KEY` |
+
+**Rule of thumb:** the **publishable key alone** runs all user-facing **auth + RLS-scoped data**. Add the
+**secret key** the moment you touch the **tenant/authz layer, storage, admin user creation, or any service-role
+work** — it bypasses RLS, so keep it **server-only** (never in a `NEXT_PUBLIC_*` var or the browser bundle).
+
+> The project's **JWT secret** is *not* used by this adapter — it authenticates with the API keys above, it does
+> not verify JWTs itself. You only need the JWT secret if you verify Supabase tokens manually elsewhere.
+
 ## Wire it (≈12 lines)
 
 ```ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@deverjak/tenantkit-adapter-supabase",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Supabase reference adapter for @deverjak/tenantkit-kernel — Database, Identity, Session, Authz, Storage. Drop-in: createSupabaseRuntime() -> CoreRuntime.",
   "license": "MIT",
   "type": "module",
@@ -29,8 +29,8 @@
     "access": "public"
   },
   "peerDependencies": {
-    "next": ">=15",
-    "@deverjak/tenantkit-kernel": "0.2.0"
+    "@deverjak/tenantkit-kernel": "^0.3.0",
+    "next": ">=15"
   },
   "dependencies": {
     "@supabase/ssr": "^0.8.0",
@@ -41,7 +41,7 @@
     "@types/node": "^22.10.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.0",
-    "@deverjak/tenantkit-kernel": "0.2.0",
+    "@deverjak/tenantkit-kernel": "0.3.0",
     "@deverjak/tenantkit-testing": "0.1.0"
   },
   "scripts": {