npm - @donotdev/cli - Versions diffs - 0.0.19 → 0.0.21 - Mend

@donotdev/cli 0.0.19 → 0.0.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (128) hide show

package/dist/bin/commands/setup.js CHANGED Viewed

@@ -7077,7 +7077,7 @@ var init_PathResolver = __esm({
         }
         const detectedFormat = this._detectFormat(filePath, format);
         let writeContent;
-        if (Buffer2.isBuffer(content)) {
+        if (Buffer.isBuffer(content)) {
           writeContent = content;
         } else if (detectedFormat === "json" && typeof content === "object") {
           writeContent = JSON.stringify(content, null, 2);
@@ -7086,7 +7086,7 @@ var init_PathResolver = __esm({
         }
         try {
           return await safeExecuteAsync(async () => {
-            if (Buffer2.isBuffer(writeContent)) {
+            if (Buffer.isBuffer(writeContent)) {
               await fs.promises.writeFile(normalizedPath, writeContent);
             } else {
               await fs.promises.writeFile(normalizedPath, writeContent, "utf8");
@@ -7138,7 +7138,7 @@ var init_PathResolver = __esm({
         }
         const detectedFormat = this._detectFormat(filePath, format);
         let writeContent;
-        if (Buffer2.isBuffer(content)) {
+        if (Buffer.isBuffer(content)) {
           writeContent = content;
         } else if (detectedFormat === "json" && typeof content === "object") {
           writeContent = JSON.stringify(content, null, 2);
@@ -7146,7 +7146,7 @@ var init_PathResolver = __esm({
           writeContent = String(content);
         }
         try {
-          if (Buffer2.isBuffer(writeContent)) {
+          if (Buffer.isBuffer(writeContent)) {
             fs.writeFileSync(normalizedPath, writeContent);
           } else {
             fs.writeFileSync(normalizedPath, writeContent, "utf8");
@@ -8034,7 +8034,7 @@ var init_typed_file_operations = __esm({
 });
 // packages/tooling/src/bundler/utils.ts
-import { Buffer as Buffer2 } from "node:buffer";
+import { Buffer } from "node:buffer";
 import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "node:fs";
 import { createRequire as createRequire3 } from "node:module";
 import { dirname as dirname3, resolve as resolve3 } from "node:path";
@@ -8051,7 +8051,7 @@ var init_utils = __esm({
       globalThis.require = require2;
       globalThis.__filename = __filename;
       globalThis.__dirname = __dirname;
-      globalThis.Buffer = Buffer2;
+      globalThis.Buffer = Buffer;
       globalThis.process = process;
       if (typeof global === "undefined") {
         globalThis.global = globalThis;
@@ -8251,7 +8251,28 @@ var init_cli_input = __esm({
   }
 });
-// packages/tooling/src/cli/setup/vercel-token.ts
+// packages/tooling/src/utils/secrets-resolver.ts
+function parseEnvFile(filePath) {
+  if (!pathExists(filePath)) return {};
+  const content = readSync(filePath, { format: "text" });
+  if (typeof content !== "string" || !content) return {};
+  const result = {};
+  for (const line of content.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    let value = trimmed.slice(eqIdx + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    if (key && value) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
 function readEnvVar(filePath, varName) {
   if (!pathExists(filePath)) return null;
   const content = readSync(filePath, { format: "text" });
@@ -8260,16 +8281,93 @@ function readEnvVar(filePath, varName) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
     if (trimmed.startsWith(`${varName}=`)) {
-      const val = trimmed.substring(`${varName}=`.length).trim();
+      let val = trimmed.substring(`${varName}=`.length).trim();
       if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
-        return val.slice(1, -1);
+        val = val.slice(1, -1);
       }
       return val || null;
     }
   }
   return null;
 }
-function resolveVercelVar(appDir, varName) {
+function loadDndevSecrets(projectRoot) {
+  const secretsPath = joinPath(projectRoot, ".dndev.secrets");
+  if (cachedSecretsPath === secretsPath && cachedSecrets) {
+    return cachedSecrets;
+  }
+  cachedSecrets = parseEnvFile(secretsPath);
+  cachedSecretsPath = secretsPath;
+  return cachedSecrets;
+}
+function resolveSecret(name, projectRoot, opts) {
+  const appDir = opts?.appDir ?? projectRoot;
+  const envValue = process.env[name];
+  if (envValue) {
+    return { value: envValue, source: "process.env" };
+  }
+  const secrets = loadDndevSecrets(projectRoot);
+  if (secrets[name]) {
+    return { value: secrets[name], source: ".dndev.secrets" };
+  }
+  if (name === "SUPABASE_SECRET_KEY" && secrets["SUPABASE_SERVICE_ROLE_KEY"]) {
+    return {
+      value: secrets["SUPABASE_SERVICE_ROLE_KEY"],
+      source: ".dndev.secrets"
+    };
+  }
+  const legacyPaths = LEGACY_PATHS[name];
+  if (legacyPaths) {
+    for (const relPath of legacyPaths) {
+      const fullPath = joinPath(appDir, relPath);
+      const value = readEnvVar(fullPath, name);
+      if (value) {
+        if (!opts?.silent && !warnedLegacy.has(name)) {
+          warnedLegacy.add(name);
+          log.warn(
+            `${name} found in ${relPath} (legacy). Move it to .dndev.secrets at project root.`
+          );
+        }
+        return { value, source: "legacy", legacyPath: relPath };
+      }
+      if (name === "SUPABASE_SECRET_KEY") {
+        const aliasValue = readEnvVar(fullPath, "SUPABASE_SERVICE_ROLE_KEY");
+        if (aliasValue) {
+          if (!opts?.silent && !warnedLegacy.has(name)) {
+            warnedLegacy.add(name);
+            log.warn(
+              `${name} found in ${relPath} (legacy). Move it to .dndev.secrets at project root.`
+            );
+          }
+          return { value: aliasValue, source: "legacy", legacyPath: relPath };
+        }
+      }
+    }
+  }
+  return null;
+}
+var LEGACY_PATHS, warnedLegacy, cachedSecretsPath, cachedSecrets;
+var init_secrets_resolver = __esm({
+  "packages/tooling/src/utils/secrets-resolver.ts"() {
+    "use strict";
+    init_utils();
+    init_pathResolver();
+    init_cli_output();
+    LEGACY_PATHS = {
+      VERCEL_TOKEN: [".env.local"],
+      SUPABASE_SECRET_KEY: ["supabase/functions/.env", "functions/.env"],
+      SUPABASE_DB_URL: ["supabase/functions/.env", "functions/.env"],
+      SUPABASE_ACCESS_TOKEN: ["supabase/functions/.env", "functions/.env"],
+      STRIPE_SECRET_KEY: ["supabase/functions/.env", "functions/.env"],
+      STRIPE_WEBHOOK_SECRET: ["supabase/functions/.env", "functions/.env"]
+    };
+    warnedLegacy = /* @__PURE__ */ new Set();
+    cachedSecretsPath = null;
+    cachedSecrets = null;
+  }
+});
+// packages/tooling/src/cli/setup/vercel-token.ts
+function resolvePerAppVar(appDir, varName) {
   if (process.env[varName]) return process.env[varName];
   const fromLocal = readEnvVar(joinPath(appDir, ".env.local"), varName);
   if (fromLocal) return fromLocal;
@@ -8277,10 +8375,11 @@ function resolveVercelVar(appDir, varName) {
   if (fromEnv) return fromEnv;
   return null;
 }
-function resolveVercelCredentials(appDir) {
-  const token = resolveVercelVar(appDir, "VERCEL_TOKEN");
-  const orgId = resolveVercelVar(appDir, "VERCEL_ORG_ID");
-  const projectId = resolveVercelVar(appDir, "VERCEL_PROJECT_ID");
+function resolveVercelCredentials(appDir, projectRoot) {
+  const root = projectRoot ?? process.cwd();
+  const token = resolveSecret("VERCEL_TOKEN", root, { appDir })?.value ?? null;
+  const orgId = resolvePerAppVar(appDir, "VERCEL_ORG_ID");
+  const projectId = resolvePerAppVar(appDir, "VERCEL_PROJECT_ID");
   const missing = [];
   if (!token) missing.push("VERCEL_TOKEN");
   if (!orgId) missing.push("VERCEL_ORG_ID");
@@ -8294,6 +8393,7 @@ var init_vercel_token = __esm({
   "packages/tooling/src/cli/setup/vercel-token.ts"() {
     "use strict";
     init_utils();
+    init_secrets_resolver();
     init_pathResolver();
   }
 });
@@ -8912,40 +9012,15 @@ var init_firebase = __esm({
 });
 // packages/tooling/src/utils/supabase-management.ts
-import { execSync, spawnSync as spawnSync2 } from "node:child_process";
-function stripQuotes(value) {
-  if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
-    return value.slice(1, -1);
-  }
-  return value;
-}
-function detectDbUrl(appDir) {
-  const envPaths = [
-    joinPath(appDir, "supabase", "functions", ".env"),
-    joinPath(appDir, "functions", ".env"),
-    joinPath(appDir, ".env.local"),
-    joinPath(appDir, ".env")
-  ];
-  for (const envPath of envPaths) {
-    if (!pathExists(envPath)) continue;
-    try {
-      const content = readSync(envPath);
-      if (!content) continue;
-      for (const line of content.split("\n")) {
-        const trimmed = line.trim();
-        if (trimmed.startsWith("#") || !trimmed.includes("=")) continue;
-        const eqIdx = trimmed.indexOf("=");
-        const key = trimmed.slice(0, eqIdx).trim();
-        const value = stripQuotes(trimmed.slice(eqIdx + 1).trim());
-        if (key === "SUPABASE_DB_URL" && value) {
-          return value;
-        }
-      }
-    } catch {
-      continue;
-    }
+import { execSync } from "node:child_process";
+function extractProjectRef(supabaseUrl) {
+  const match = supabaseUrl.match(/https?:\/\/([a-z0-9]+)\.supabase\.co/);
+  if (!match?.[1]) {
+    throw new Error(
+      `Cannot extract project ref from URL: ${supabaseUrl}. Expected format: https://<ref>.supabase.co`
+    );
   }
-  return null;
+  return match[1];
 }
 async function cleanupOldEntityMigrations(supabaseDir, latestFile) {
   const migrationsDir = joinPath(supabaseDir, "migrations");
@@ -8959,29 +9034,6 @@ async function cleanupOldEntityMigrations(supabaseDir, latestFile) {
   const latestBasename = getBasename(latestFile);
   const toRemove = oldFiles.filter((f) => getBasename(f) !== latestBasename);
   if (toRemove.length === 0) return;
-  const timestamps = [];
-  for (const f of toRemove) {
-    const match = getBasename(f).match(/^(\d{14})_/);
-    if (match?.[1]) timestamps.push(match[1]);
-  }
-  if (timestamps.length > 0) {
-    const cmd = getSupabaseCmd();
-    const { dirname: dirname4 } = await import("node:path");
-    const projectRoot = dirname4(supabaseDir);
-    try {
-      execSync(
-        `${cmd} migration repair --status reverted ${timestamps.join(" ")}`,
-        { cwd: projectRoot, stdio: "pipe", env: { ...process.env } }
-      );
-      log.info(
-        `Repaired ${timestamps.length} old entity migration(s) in remote`
-      );
-    } catch (error2) {
-      log.debug(
-        `Migration repair skipped: ${error2 instanceof Error ? error2.message : String(error2)}`
-      );
-    }
-  }
   for (const f of toRemove) {
     try {
       removeSync(f);
@@ -8991,7 +9043,7 @@ async function cleanupOldEntityMigrations(supabaseDir, latestFile) {
   log.info(`Cleaned up ${toRemove.length} old entity migration file(s)`);
 }
 async function executeMigration(options) {
-  const { supabaseDir } = options;
+  const { supabaseDir, supabaseUrl, accessToken } = options;
   if (!pathExists(supabaseDir)) {
     throw new Error(`Supabase directory not found: ${supabaseDir}`);
   }
@@ -8999,54 +9051,30 @@ async function executeMigration(options) {
   if (!pathExists(migrationsDir)) {
     throw new Error(`Migrations directory not found: ${migrationsDir}`);
   }
-  const { dirname: dirname4 } = await import("node:path");
-  const projectRoot = dirname4(supabaseDir);
-  try {
-    const cmd = getSupabaseCmd();
-    const parts = cmd.split(" ");
-    const bin = parts[0];
-    const baseArgs = [
-      ...parts.slice(1),
-      "db",
-      "push",
-      "--include-all",
-      "--db-url",
-      options.dbUrl
-    ];
-    const result = spawnSync2(bin, baseArgs, {
-      cwd: projectRoot,
-      stdio: ["pipe", "pipe", "pipe"],
-      input: "Y\n",
-      env: { ...process.env }
-    });
-    if (result.status !== 0) {
-      const stderr = result.stderr?.toString() || "";
-      throw new Error(stderr || `Process exited with code ${result.status}`);
-    }
-  } catch (error2) {
-    const raw = error2 instanceof Error ? error2.message : String(error2);
-    const sanitized = raw.replace(
-      /postgresql:\/\/[^\s"']*/g,
-      "postgresql://***"
-    );
+  const sqlFiles = readdirSync2(migrationsDir).filter((f) => f.endsWith(".sql")).sort().map((f) => joinPath(migrationsDir, f));
+  if (sqlFiles.length === 0) {
+    throw new Error(`No .sql files found in ${migrationsDir}`);
+  }
+  const sql = sqlFiles.map((f) => readSync(f)).filter(Boolean).join("\n\n");
+  const projectRef = extractProjectRef(supabaseUrl);
+  const mgmtUrl = `https://api.supabase.com/v1/projects/${projectRef}/database/query`;
+  const response = await fetch(mgmtUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${accessToken}`
+    },
+    body: JSON.stringify({ query: sql })
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    const safe = body.replace(/sbp_[^\s"']*/g, "***").replace(/sb_secret_[^\s"']*/g, "***");
     throw new Error(
-      `Failed to push migrations: ${sanitized}
-Check your SUPABASE_DB_URL (format: postgresql://postgres:<password>@db.<ref>.supabase.co:5432/postgres)`
+      `Supabase Management API error (HTTP ${response.status}): ${safe}
+Ensure SUPABASE_ACCESS_TOKEN is valid. Get one from: https://supabase.com/dashboard/account/tokens`
     );
   }
-}
-function getSupabaseCmd() {
-  try {
-    execSync("supabase --version", { stdio: "pipe" });
-    return "supabase";
-  } catch {
-    try {
-      execSync("bunx supabase --version", { stdio: "pipe" });
-      return "bunx supabase";
-    } catch {
-      return "npx supabase";
-    }
-  }
+  log.info("Migrations executed via Supabase Management API");
 }
 var init_supabase_management = __esm({
   "packages/tooling/src/utils/supabase-management.ts"() {
@@ -9501,7 +9529,7 @@ var init_base_generator = __esm({
       async isBinaryFile(filePath) {
         try {
           const fd = await openFile(filePath, "r");
-          const buffer = Buffer2.alloc(4096);
+          const buffer = Buffer.alloc(4096);
           await fd.read(buffer, 0, 4096, 0);
           await fd.close();
           for (let i = 0; i < buffer.length; i++) {
@@ -9660,6 +9688,9 @@ function roleToSqlCondition(role) {
     case "super":
       return "(auth.jwt()->'app_metadata'->>'role') = 'super'";
     default:
+      log.warn(
+        `Unknown access role "${role}" \u2014 defaulting to deny (false). Use guest|user|admin|super.`
+      );
       return "false";
   }
 }
@@ -9667,7 +9698,20 @@ function camelToSnake(str) {
   return str.replace(/[A-Z]/g, (c) => `_${c.toLowerCase()}`);
 }
 function fieldTypeToSql(fieldType) {
-  return FIELD_TYPE_TO_SQL[fieldType] ?? "text";
+  return FIELD_TYPE_TO_SQL[fieldType] ?? null;
+}
+function inferSqlTypeFromValidation(validation) {
+  if (!validation) return "text";
+  if (validation.min !== void 0 || validation.max !== void 0)
+    return "numeric";
+  if (validation.minLength !== void 0 || validation.maxLength !== void 0)
+    return "text";
+  if (Array.isArray(validation.options) && validation.options.length > 0) {
+    const first = validation.options[0];
+    if (first && typeof first === "object" && typeof first.value === "number")
+      return "numeric";
+  }
+  return "text";
 }
 function schemaRequiresJsonb(schema) {
   if (!schema || typeof schema !== "object") return false;
@@ -9838,7 +9882,6 @@ var init_sql_generator = __esm({
         const tableName = this.safeTableName(entity.collection);
         const columns = [];
         columns.push("id uuid PRIMARY KEY DEFAULT gen_random_uuid()");
-        columns.push("user_id uuid NOT NULL");
         columns.push("created_at timestamptz NOT NULL DEFAULT now()");
         columns.push("updated_at timestamptz NOT NULL DEFAULT now()");
         columns.push("created_by_id uuid");
@@ -9854,14 +9897,23 @@ var init_sql_generator = __esm({
           if (schema && schemaRequiresJsonb(schema)) {
             sqlType = "jsonb";
           } else {
-            sqlType = fieldTypeToSql(field.type || "text");
+            sqlType = fieldTypeToSql(field.type || "text") ?? inferSqlTypeFromValidation(field.validation);
           }
           columns.push(`${colName} ${sqlType}`);
         }
         const columnList = columns.join(",\n  ");
-        return `CREATE TABLE IF NOT EXISTS ${tableName} (
+        const createSql = `CREATE TABLE IF NOT EXISTS ${tableName} (
   ${columnList}
 );`;
+        const alterDefaults = [
+          `ALTER TABLE ${tableName} ALTER COLUMN id SET DEFAULT gen_random_uuid();`,
+          `ALTER TABLE ${tableName} ALTER COLUMN created_at SET DEFAULT now();`,
+          `ALTER TABLE ${tableName} ALTER COLUMN updated_at SET DEFAULT now();`,
+          `ALTER TABLE ${tableName} ALTER COLUMN status SET DEFAULT 'available';`
+        ].join("\n");
+        return `${createSql}
+${alterDefaults}`;
       }
       buildRlsSql(tableName, access) {
         const quoted = this.safeTableName(tableName);
@@ -10148,29 +10200,9 @@ function detectPublicConfig(appDir, framework) {
   }
   return null;
 }
-function detectSecretKey(appDir) {
-  const candidates = [
-    joinPath(appDir, "supabase", "functions", ".env"),
-    joinPath(appDir, "functions", ".env")
-  ];
-  for (const functionsEnvPath of candidates) {
-    if (!pathExists(functionsEnvPath)) continue;
-    const envContentRaw = readSync(functionsEnvPath, { format: "text" });
-    const envContent = typeof envContentRaw === "string" ? envContentRaw : "";
-    const lines = envContent.split("\n");
-    for (const line of lines) {
-      const trimmed = line.trim();
-      if (trimmed.startsWith("SUPABASE_SECRET_KEY=") || trimmed.startsWith("SUPABASE_SERVICE_ROLE_KEY=")) {
-        const match = trimmed.match(
-          /^SUPABASE_(?:SECRET|SERVICE_ROLE)_KEY=(.+)$/
-        );
-        if (match && match[1]) {
-          return match[1].trim();
-        }
-      }
-    }
-  }
-  return null;
+function detectSecretKey(appDir, projectRoot) {
+  const root = projectRoot ?? process.cwd();
+  return resolveSecret("SUPABASE_SECRET_KEY", root, { appDir })?.value ?? null;
 }
 async function generateCrudFunction(supabaseDir, projectRoot) {
   const templatesRoot = getTemplatesRoot();
@@ -10254,26 +10286,23 @@ async function main3(options = {}) {
   const supabaseUrl = existingConfig.url;
   log.success(`Supabase URL: ${supabaseUrl}`);
   const secretKey = detectSecretKey(appDir);
-  const dbUrl = detectDbUrl(appDir);
+  const accessToken = resolveSecret("SUPABASE_ACCESS_TOKEN", projectRoot, { appDir })?.value ?? null;
   if (secretKey) log.success("Secret key detected");
-  else log.error("Missing SUPABASE_SECRET_KEY in supabase/functions/.env");
-  if (dbUrl) log.success("DB URL detected");
-  else log.error("Missing SUPABASE_DB_URL in supabase/functions/.env");
-  if (!secretKey || !dbUrl) {
-    const functionsEnvPath = joinPath(supabaseDir, "functions", ".env");
+  else log.error("Missing SUPABASE_SECRET_KEY");
+  if (accessToken) log.success("Access token detected");
+  else log.error("Missing SUPABASE_ACCESS_TOKEN");
+  if (!secretKey || !accessToken) {
     const missing = [];
     if (!secretKey) missing.push("  SUPABASE_SECRET_KEY=your-service-role-key");
-    if (!dbUrl)
+    if (!accessToken)
       missing.push(
-        "  SUPABASE_DB_URL=postgresql://postgres:...@db.<ref>.supabase.co:5432/postgres"
+        "  SUPABASE_ACCESS_TOKEN=sbp_... (from https://supabase.com/dashboard/account/tokens)"
       );
     Me(
       [
-        `Fill in ${functionsEnvPath}:`,
+        "Fill in .dndev.secrets at project root:",
         ...missing,
         "",
-        "Get these from: https://supabase.com/dashboard > Settings > Database",
-        "",
         "Then re-run: dndev setup supabase"
       ].join("\n"),
       "Missing Credentials"
@@ -10340,7 +10369,7 @@ async function main3(options = {}) {
     const s = Y2();
     s.start("Pushing migrations...");
     try {
-      await executeMigration({ supabaseDir, dbUrl });
+      await executeMigration({ supabaseDir, supabaseUrl, accessToken });
       s.stop("Migrations pushed successfully");
       migrationsPushed = true;
     } catch (error2) {
@@ -10359,10 +10388,13 @@ async function main3(options = {}) {
   const steps = [];
   steps.push("\u2705 Credentials validated from .env");
   if (secretKey) steps.push("\u2705 Secret key detected");
-  else steps.push("\u274C Secret key missing \u2014 cannot push migrations");
+  else steps.push("\u274C Secret key missing");
+  if (accessToken) steps.push("\u2705 Access token detected");
+  else steps.push("\u274C Access token missing \u2014 cannot push migrations");
   if (sqlGenerated) steps.push("\u2705 Entity SQL migrations generated");
-  if (migrationsPushed) steps.push("\u2705 Migrations pushed to remote DB");
-  else if (secretKey) steps.push("\u274C Migration push failed (see error above)");
+  if (migrationsPushed) steps.push("\u2705 Migrations pushed via Management API");
+  else if (accessToken)
+    steps.push("\u274C Migration push failed (see error above)");
   const hasErrors = steps.some((s) => s.startsWith("\u274C"));
   const title = hasErrors ? "Setup Incomplete" : "Setup Complete";
   Me(
@@ -10393,6 +10425,7 @@ var init_supabase = __esm({
     init_pathResolver();
     init_app_selector();
     init_supabase_management();
+    init_secrets_resolver();
     init_error_handling();
     init_types();
     supabase_default = main3;
@@ -10416,15 +10449,17 @@ var init_supabase = __esm({
           return { provider: "supabase", steps, overallStatus: "failed" };
         }
         const secretKey = detectSecretKey(ctx.appDir);
-        const dbUrl = detectDbUrl(ctx.appDir);
+        const accessToken = resolveSecret("SUPABASE_ACCESS_TOKEN", ctx.projectRoot, {
+          appDir: ctx.appDir
+        })?.value ?? null;
         const missingSecrets = [];
         if (!secretKey) missingSecrets.push("SUPABASE_SECRET_KEY");
-        if (!dbUrl) missingSecrets.push("SUPABASE_DB_URL");
+        if (!accessToken) missingSecrets.push("SUPABASE_ACCESS_TOKEN");
         if (missingSecrets.length > 0) {
           steps.push({
             name: "Credentials",
             status: "failed",
-            message: `Missing in functions/.env: ${missingSecrets.join(", ")}`
+            message: `Missing in .dndev.secrets: ${missingSecrets.join(", ")}`
           });
           return { provider: "supabase", steps, overallStatus: "failed" };
         }
@@ -10488,7 +10523,11 @@ var init_supabase = __esm({
           const s = Y2();
           s.start("Pushing migrations...");
           try {
-            await executeMigration({ supabaseDir, dbUrl });
+            await executeMigration({
+              supabaseDir,
+              supabaseUrl: existingConfig.url,
+              accessToken
+            });
             s.stop("Migrations pushed");
             steps.push({
               name: "DB migrations",
@@ -10597,6 +10636,7 @@ init_cross_app_detection();
 init_utils();
 init_pathResolver();
 init_cli_output();
+init_secrets_resolver();
 var FIREBASE_VARS = [
   {
     provider: "Firebase",
@@ -10635,32 +10675,28 @@ var SUPABASE_SECRET_VARS = [
   {
     provider: "Supabase",
     varName: "SUPABASE_SECRET_KEY",
-    envFile: "supabase/functions/.env"
+    envFile: ".dndev.secrets",
+    isSecret: true
   },
   {
     provider: "Supabase",
-    varName: "SUPABASE_DB_URL",
-    envFile: "supabase/functions/.env"
+    varName: "SUPABASE_ACCESS_TOKEN",
+    envFile: ".dndev.secrets",
+    isSecret: true
   }
 ];
-var VERCEL_VARS = [
-  { provider: "Vercel", varName: "VERCEL_TOKEN", envFile: ".env.local" },
-  { provider: "Vercel", varName: "VERCEL_ORG_ID", envFile: ".env.local" },
-  { provider: "Vercel", varName: "VERCEL_PROJECT_ID", envFile: ".env.local" }
-];
-function readEnvValue(envPath, varName) {
-  if (!pathExists(envPath)) return null;
-  const content = readSync(envPath, { format: "text" });
-  if (typeof content !== "string") return null;
-  for (const line of content.split(/\r?\n/)) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    if (trimmed.startsWith(`${varName}=`)) {
-      return trimmed.substring(`${varName}=`.length).trim();
-    }
+var VERCEL_SECRET_VARS = [
+  {
+    provider: "Vercel",
+    varName: "VERCEL_TOKEN",
+    envFile: ".dndev.secrets",
+    isSecret: true
   }
-  return null;
-}
+];
+var VERCEL_APP_VARS = [
+  { provider: "Vercel", varName: "VERCEL_ORG_ID", envFile: ".env" },
+  { provider: "Vercel", varName: "VERCEL_PROJECT_ID", envFile: ".env" }
+];
 function isProviderRelevant(ctx, provider) {
   switch (provider) {
     case "Firebase":
@@ -10683,32 +10719,33 @@ function validateRequiredEnvVars(ctx) {
   }
   if (isProviderRelevant(ctx, "Supabase")) {
     requirements.push(...SUPABASE_VARS);
-    const sbFunctionsEnv = joinPath(
-      ctx.appDir,
-      "supabase",
-      "functions",
-      ".env"
-    );
-    const altFunctionsEnv = joinPath(ctx.appDir, "functions", ".env");
-    if (pathExists(joinPath(ctx.appDir, "supabase", "functions")) || pathExists(sbFunctionsEnv)) {
-      requirements.push(...SUPABASE_SECRET_VARS);
-    } else if (pathExists(altFunctionsEnv)) {
-      requirements.push({
-        provider: "Supabase",
-        varName: "SUPABASE_SECRET_KEY",
-        envFile: "functions/.env"
-      });
-    }
+    requirements.push(...SUPABASE_SECRET_VARS);
   }
   if (isProviderRelevant(ctx, "Vercel")) {
-    requirements.push(...VERCEL_VARS);
+    requirements.push(...VERCEL_SECRET_VARS);
+    requirements.push(...VERCEL_APP_VARS);
   }
   for (const req of requirements) {
     const actualVarName = req.needsPrefix ? `${prefix}${req.varName}` : req.varName;
+    if (req.isSecret) {
+      const resolved = resolveSecret(req.varName, ctx.projectRoot, {
+        appDir: ctx.appDir,
+        silent: true
+      });
+      if (!resolved) {
+        missing.push({
+          provider: req.provider,
+          varName: req.varName,
+          envFile: req.envFile,
+          status: "missing"
+        });
+      }
+      continue;
+    }
     const envFilePath = joinPath(ctx.appDir, req.envFile);
     if (req.varName === "SUPABASE_PUBLIC_KEY") {
-      const pkValue = readEnvValue(envFilePath, actualVarName);
-      const anonValue = readEnvValue(envFilePath, `${prefix}SUPABASE_ANON_KEY`);
+      const pkValue = readEnvVar(envFilePath, actualVarName);
+      const anonValue = readEnvVar(envFilePath, `${prefix}SUPABASE_ANON_KEY`);
       if ((!pkValue || pkValue === "") && (!anonValue || anonValue === "")) {
         missing.push({
           provider: req.provider,
@@ -10719,20 +10756,30 @@ function validateRequiredEnvVars(ctx) {
       }
       continue;
     }
-    const value = readEnvValue(envFilePath, actualVarName);
+    if (req.varName === "VERCEL_ORG_ID" || req.varName === "VERCEL_PROJECT_ID") {
+      const fromEnv = readEnvVar(envFilePath, actualVarName);
+      const fromLocal = readEnvVar(
+        joinPath(ctx.appDir, ".env.local"),
+        actualVarName
+      );
+      const fromProcessEnv = process.env[actualVarName];
+      if (!fromEnv && !fromLocal && !fromProcessEnv) {
+        missing.push({
+          provider: req.provider,
+          varName: actualVarName,
+          envFile: req.envFile,
+          status: pathExists(envFilePath) ? "missing" : "missing"
+        });
+      }
+      continue;
+    }
+    const value = readEnvVar(envFilePath, actualVarName);
     if (value === null) {
       missing.push({
         provider: req.provider,
         varName: actualVarName,
         envFile: req.envFile,
-        status: pathExists(envFilePath) ? "missing" : "missing"
-      });
-    } else if (value === "") {
-      missing.push({
-        provider: req.provider,
-        varName: actualVarName,
-        envFile: req.envFile,
-        status: "empty"
+        status: pathExists(envFilePath) ? "missing" : "no_env_file"
       });
     }
   }
@@ -10764,7 +10811,7 @@ function printAllValidationResults(results, multiApp) {
   }
   for (const { appName, m: m2 } of allMissing) {
     const prefix = multiApp ? `${appName}: ` : "";
-    const detail = m2.status === "empty" ? `empty in ${m2.envFile}` : `missing \u2014 ${m2.envFile}`;
+    const detail = m2.status === "empty" ? `empty in ${m2.envFile}` : m2.status === "no_env_file" ? `env file not found: ${m2.envFile}` : `missing \u2014 ${m2.envFile}`;
     log.error(`  ${prefix}${m2.varName} (${detail})`);
   }
   log.warn(`Run 'dndev coach' to see where to get them.`);