@donotdev/cli 0.0.20 → 0.0.21

package/dist/bin/commands/setup.js

@@ -7077,7 +7077,7 @@ var init_PathResolver = __esm({
         }
         const detectedFormat = this._detectFormat(filePath, format);
         let writeContent;
-        if (Buffer2.isBuffer(content)) {
+        if (Buffer.isBuffer(content)) {
           writeContent = content;
         } else if (detectedFormat === "json" && typeof content === "object") {
           writeContent = JSON.stringify(content, null, 2);
@@ -7086,7 +7086,7 @@ var init_PathResolver = __esm({
         }
         try {
           return await safeExecuteAsync(async () => {
-            if (Buffer2.isBuffer(writeContent)) {
+            if (Buffer.isBuffer(writeContent)) {
               await fs.promises.writeFile(normalizedPath, writeContent);
             } else {
               await fs.promises.writeFile(normalizedPath, writeContent, "utf8");
@@ -7138,7 +7138,7 @@ var init_PathResolver = __esm({
         }
         const detectedFormat = this._detectFormat(filePath, format);
         let writeContent;
-        if (Buffer2.isBuffer(content)) {
+        if (Buffer.isBuffer(content)) {
           writeContent = content;
         } else if (detectedFormat === "json" && typeof content === "object") {
           writeContent = JSON.stringify(content, null, 2);
@@ -7146,7 +7146,7 @@ var init_PathResolver = __esm({
           writeContent = String(content);
         }
         try {
-          if (Buffer2.isBuffer(writeContent)) {
+          if (Buffer.isBuffer(writeContent)) {
             fs.writeFileSync(normalizedPath, writeContent);
           } else {
             fs.writeFileSync(normalizedPath, writeContent, "utf8");
@@ -8034,7 +8034,7 @@ var init_typed_file_operations = __esm({
 });
 
 // packages/tooling/src/bundler/utils.ts
-import { Buffer as Buffer2 } from "node:buffer";
+import { Buffer } from "node:buffer";
 import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "node:fs";
 import { createRequire as createRequire3 } from "node:module";
 import { dirname as dirname3, resolve as resolve3 } from "node:path";
@@ -8051,7 +8051,7 @@ var init_utils = __esm({
       globalThis.require = require2;
       globalThis.__filename = __filename;
       globalThis.__dirname = __dirname;
-      globalThis.Buffer = Buffer2;
+      globalThis.Buffer = Buffer;
       globalThis.process = process;
       if (typeof global === "undefined") {
         globalThis.global = globalThis;
@@ -8251,7 +8251,28 @@ var init_cli_input = __esm({
   }
 });
 
-// packages/tooling/src/cli/setup/vercel-token.ts
+// packages/tooling/src/utils/secrets-resolver.ts
+function parseEnvFile(filePath) {
+  if (!pathExists(filePath)) return {};
+  const content = readSync(filePath, { format: "text" });
+  if (typeof content !== "string" || !content) return {};
+  const result = {};
+  for (const line of content.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    let value = trimmed.slice(eqIdx + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    if (key && value) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
 function readEnvVar(filePath, varName) {
   if (!pathExists(filePath)) return null;
   const content = readSync(filePath, { format: "text" });
@@ -8260,16 +8281,93 @@ function readEnvVar(filePath, varName) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
     if (trimmed.startsWith(`${varName}=`)) {
-      const val = trimmed.substring(`${varName}=`.length).trim();
+      let val = trimmed.substring(`${varName}=`.length).trim();
       if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
-        return val.slice(1, -1);
+        val = val.slice(1, -1);
       }
       return val || null;
     }
   }
   return null;
 }
-function resolveVercelVar(appDir, varName) {
+function loadDndevSecrets(projectRoot) {
+  const secretsPath = joinPath(projectRoot, ".dndev.secrets");
+  if (cachedSecretsPath === secretsPath && cachedSecrets) {
+    return cachedSecrets;
+  }
+  cachedSecrets = parseEnvFile(secretsPath);
+  cachedSecretsPath = secretsPath;
+  return cachedSecrets;
+}
+function resolveSecret(name, projectRoot, opts) {
+  const appDir = opts?.appDir ?? projectRoot;
+  const envValue = process.env[name];
+  if (envValue) {
+    return { value: envValue, source: "process.env" };
+  }
+  const secrets = loadDndevSecrets(projectRoot);
+  if (secrets[name]) {
+    return { value: secrets[name], source: ".dndev.secrets" };
+  }
+  if (name === "SUPABASE_SECRET_KEY" && secrets["SUPABASE_SERVICE_ROLE_KEY"]) {
+    return {
+      value: secrets["SUPABASE_SERVICE_ROLE_KEY"],
+      source: ".dndev.secrets"
+    };
+  }
+  const legacyPaths = LEGACY_PATHS[name];
+  if (legacyPaths) {
+    for (const relPath of legacyPaths) {
+      const fullPath = joinPath(appDir, relPath);
+      const value = readEnvVar(fullPath, name);
+      if (value) {
+        if (!opts?.silent && !warnedLegacy.has(name)) {
+          warnedLegacy.add(name);
+          log.warn(
+            `${name} found in ${relPath} (legacy). Move it to .dndev.secrets at project root.`
+          );
+        }
+        return { value, source: "legacy", legacyPath: relPath };
+      }
+      if (name === "SUPABASE_SECRET_KEY") {
+        const aliasValue = readEnvVar(fullPath, "SUPABASE_SERVICE_ROLE_KEY");
+        if (aliasValue) {
+          if (!opts?.silent && !warnedLegacy.has(name)) {
+            warnedLegacy.add(name);
+            log.warn(
+              `${name} found in ${relPath} (legacy). Move it to .dndev.secrets at project root.`
+            );
+          }
+          return { value: aliasValue, source: "legacy", legacyPath: relPath };
+        }
+      }
+    }
+  }
+  return null;
+}
+var LEGACY_PATHS, warnedLegacy, cachedSecretsPath, cachedSecrets;
+var init_secrets_resolver = __esm({
+  "packages/tooling/src/utils/secrets-resolver.ts"() {
+    "use strict";
+    init_utils();
+    init_pathResolver();
+    init_cli_output();
+    LEGACY_PATHS = {
+      VERCEL_TOKEN: [".env.local"],
+      SUPABASE_SECRET_KEY: ["supabase/functions/.env", "functions/.env"],
+      SUPABASE_DB_URL: ["supabase/functions/.env", "functions/.env"],
+      SUPABASE_ACCESS_TOKEN: ["supabase/functions/.env", "functions/.env"],
+      STRIPE_SECRET_KEY: ["supabase/functions/.env", "functions/.env"],
+      STRIPE_WEBHOOK_SECRET: ["supabase/functions/.env", "functions/.env"]
+    };
+    warnedLegacy = /* @__PURE__ */ new Set();
+    cachedSecretsPath = null;
+    cachedSecrets = null;
+  }
+});
+
+// packages/tooling/src/cli/setup/vercel-token.ts
+function resolvePerAppVar(appDir, varName) {
   if (process.env[varName]) return process.env[varName];
   const fromLocal = readEnvVar(joinPath(appDir, ".env.local"), varName);
   if (fromLocal) return fromLocal;
@@ -8277,10 +8375,11 @@ function resolveVercelVar(appDir, varName) {
   if (fromEnv) return fromEnv;
   return null;
 }
-function resolveVercelCredentials(appDir) {
-  const token = resolveVercelVar(appDir, "VERCEL_TOKEN");
-  const orgId = resolveVercelVar(appDir, "VERCEL_ORG_ID");
-  const projectId = resolveVercelVar(appDir, "VERCEL_PROJECT_ID");
+function resolveVercelCredentials(appDir, projectRoot) {
+  const root = projectRoot ?? process.cwd();
+  const token = resolveSecret("VERCEL_TOKEN", root, { appDir })?.value ?? null;
+  const orgId = resolvePerAppVar(appDir, "VERCEL_ORG_ID");
+  const projectId = resolvePerAppVar(appDir, "VERCEL_PROJECT_ID");
   const missing = [];
   if (!token) missing.push("VERCEL_TOKEN");
   if (!orgId) missing.push("VERCEL_ORG_ID");
@@ -8294,6 +8393,7 @@ var init_vercel_token = __esm({
   "packages/tooling/src/cli/setup/vercel-token.ts"() {
     "use strict";
     init_utils();
+    init_secrets_resolver();
     init_pathResolver();
   }
 });
@@ -8912,40 +9012,15 @@ var init_firebase = __esm({
 });
 
 // packages/tooling/src/utils/supabase-management.ts
-import { execSync, spawnSync as spawnSync2 } from "node:child_process";
-function stripQuotes(value) {
-  if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
-    return value.slice(1, -1);
-  }
-  return value;
-}
-function detectDbUrl(appDir) {
-  const envPaths = [
-    joinPath(appDir, "supabase", "functions", ".env"),
-    joinPath(appDir, "functions", ".env"),
-    joinPath(appDir, ".env.local"),
-    joinPath(appDir, ".env")
-  ];
-  for (const envPath of envPaths) {
-    if (!pathExists(envPath)) continue;
-    try {
-      const content = readSync(envPath);
-      if (!content) continue;
-      for (const line of content.split("\n")) {
-        const trimmed = line.trim();
-        if (trimmed.startsWith("#") || !trimmed.includes("=")) continue;
-        const eqIdx = trimmed.indexOf("=");
-        const key = trimmed.slice(0, eqIdx).trim();
-        const value = stripQuotes(trimmed.slice(eqIdx + 1).trim());
-        if (key === "SUPABASE_DB_URL" && value) {
-          return value;
-        }
-      }
-    } catch {
-      continue;
-    }
+import { execSync } from "node:child_process";
+function extractProjectRef(supabaseUrl) {
+  const match = supabaseUrl.match(/https?:\/\/([a-z0-9]+)\.supabase\.co/);
+  if (!match?.[1]) {
+    throw new Error(
+      `Cannot extract project ref from URL: ${supabaseUrl}. Expected format: https://<ref>.supabase.co`
+    );
   }
-  return null;
+  return match[1];
 }
 async function cleanupOldEntityMigrations(supabaseDir, latestFile) {
   const migrationsDir = joinPath(supabaseDir, "migrations");
@@ -8959,29 +9034,6 @@ async function cleanupOldEntityMigrations(supabaseDir, latestFile) {
   const latestBasename = getBasename(latestFile);
   const toRemove = oldFiles.filter((f) => getBasename(f) !== latestBasename);
   if (toRemove.length === 0) return;
-  const timestamps = [];
-  for (const f of toRemove) {
-    const match = getBasename(f).match(/^(\d{14})_/);
-    if (match?.[1]) timestamps.push(match[1]);
-  }
-  if (timestamps.length > 0) {
-    const cmd = getSupabaseCmd();
-    const { dirname: dirname4 } = await import("node:path");
-    const projectRoot = dirname4(supabaseDir);
-    try {
-      execSync(
-        `${cmd} migration repair --status reverted ${timestamps.join(" ")}`,
-        { cwd: projectRoot, stdio: "pipe", env: { ...process.env } }
-      );
-      log.info(
-        `Repaired ${timestamps.length} old entity migration(s) in remote`
-      );
-    } catch (error2) {
-      log.debug(
-        `Migration repair skipped: ${error2 instanceof Error ? error2.message : String(error2)}`
-      );
-    }
-  }
   for (const f of toRemove) {
     try {
       removeSync(f);
@@ -8991,7 +9043,7 @@ async function cleanupOldEntityMigrations(supabaseDir, latestFile) {
   log.info(`Cleaned up ${toRemove.length} old entity migration file(s)`);
 }
 async function executeMigration(options) {
-  const { supabaseDir } = options;
+  const { supabaseDir, supabaseUrl, accessToken } = options;
   if (!pathExists(supabaseDir)) {
     throw new Error(`Supabase directory not found: ${supabaseDir}`);
   }
@@ -8999,54 +9051,30 @@ async function executeMigration(options) {
   if (!pathExists(migrationsDir)) {
     throw new Error(`Migrations directory not found: ${migrationsDir}`);
   }
-  const { dirname: dirname4 } = await import("node:path");
-  const projectRoot = dirname4(supabaseDir);
-  try {
-    const cmd = getSupabaseCmd();
-    const parts = cmd.split(" ");
-    const bin = parts[0];
-    const baseArgs = [
-      ...parts.slice(1),
-      "db",
-      "push",
-      "--include-all",
-      "--db-url",
-      options.dbUrl
-    ];
-    const result = spawnSync2(bin, baseArgs, {
-      cwd: projectRoot,
-      stdio: ["pipe", "pipe", "pipe"],
-      input: "Y\n",
-      env: { ...process.env }
-    });
-    if (result.status !== 0) {
-      const stderr = result.stderr?.toString() || "";
-      throw new Error(stderr || `Process exited with code ${result.status}`);
-    }
-  } catch (error2) {
-    const raw = error2 instanceof Error ? error2.message : String(error2);
-    const sanitized = raw.replace(
-      /postgresql:\/\/[^\s"']*/g,
-      "postgresql://***"
-    );
+  const sqlFiles = readdirSync2(migrationsDir).filter((f) => f.endsWith(".sql")).sort().map((f) => joinPath(migrationsDir, f));
+  if (sqlFiles.length === 0) {
+    throw new Error(`No .sql files found in ${migrationsDir}`);
+  }
+  const sql = sqlFiles.map((f) => readSync(f)).filter(Boolean).join("\n\n");
+  const projectRef = extractProjectRef(supabaseUrl);
+  const mgmtUrl = `https://api.supabase.com/v1/projects/${projectRef}/database/query`;
+  const response = await fetch(mgmtUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${accessToken}`
+    },
+    body: JSON.stringify({ query: sql })
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    const safe = body.replace(/sbp_[^\s"']*/g, "***").replace(/sb_secret_[^\s"']*/g, "***");
     throw new Error(
-      `Failed to push migrations: ${sanitized}
-Check your SUPABASE_DB_URL (format: postgresql://postgres:<password>@db.<ref>.supabase.co:5432/postgres)`
+      `Supabase Management API error (HTTP ${response.status}): ${safe}
+Ensure SUPABASE_ACCESS_TOKEN is valid. Get one from: https://supabase.com/dashboard/account/tokens`
     );
   }
-}
-function getSupabaseCmd() {
-  try {
-    execSync("supabase --version", { stdio: "pipe" });
-    return "supabase";
-  } catch {
-    try {
-      execSync("bunx supabase --version", { stdio: "pipe" });
-      return "bunx supabase";
-    } catch {
-      return "npx supabase";
-    }
-  }
+  log.info("Migrations executed via Supabase Management API");
 }
 var init_supabase_management = __esm({
   "packages/tooling/src/utils/supabase-management.ts"() {
@@ -9501,7 +9529,7 @@ var init_base_generator = __esm({
       async isBinaryFile(filePath) {
         try {
           const fd = await openFile(filePath, "r");
-          const buffer = Buffer2.alloc(4096);
+          const buffer = Buffer.alloc(4096);
           await fd.read(buffer, 0, 4096, 0);
           await fd.close();
           for (let i = 0; i < buffer.length; i++) {
@@ -9670,7 +9698,20 @@ function camelToSnake(str) {
   return str.replace(/[A-Z]/g, (c) => `_${c.toLowerCase()}`);
 }
 function fieldTypeToSql(fieldType) {
-  return FIELD_TYPE_TO_SQL[fieldType] ?? "text";
+  return FIELD_TYPE_TO_SQL[fieldType] ?? null;
+}
+function inferSqlTypeFromValidation(validation) {
+  if (!validation) return "text";
+  if (validation.min !== void 0 || validation.max !== void 0)
+    return "numeric";
+  if (validation.minLength !== void 0 || validation.maxLength !== void 0)
+    return "text";
+  if (Array.isArray(validation.options) && validation.options.length > 0) {
+    const first = validation.options[0];
+    if (first && typeof first === "object" && typeof first.value === "number")
+      return "numeric";
+  }
+  return "text";
 }
 function schemaRequiresJsonb(schema) {
   if (!schema || typeof schema !== "object") return false;
@@ -9841,7 +9882,6 @@ var init_sql_generator = __esm({
         const tableName = this.safeTableName(entity.collection);
         const columns = [];
         columns.push("id uuid PRIMARY KEY DEFAULT gen_random_uuid()");
-        columns.push("user_id uuid NOT NULL");
         columns.push("created_at timestamptz NOT NULL DEFAULT now()");
         columns.push("updated_at timestamptz NOT NULL DEFAULT now()");
         columns.push("created_by_id uuid");
@@ -9857,14 +9897,23 @@ var init_sql_generator = __esm({
           if (schema && schemaRequiresJsonb(schema)) {
             sqlType = "jsonb";
           } else {
-            sqlType = fieldTypeToSql(field.type || "text");
+            sqlType = fieldTypeToSql(field.type || "text") ?? inferSqlTypeFromValidation(field.validation);
           }
           columns.push(`${colName} ${sqlType}`);
         }
         const columnList = columns.join(",\n  ");
-        return `CREATE TABLE IF NOT EXISTS ${tableName} (
+        const createSql = `CREATE TABLE IF NOT EXISTS ${tableName} (
   ${columnList}
 );`;
+        const alterDefaults = [
+          `ALTER TABLE ${tableName} ALTER COLUMN id SET DEFAULT gen_random_uuid();`,
+          `ALTER TABLE ${tableName} ALTER COLUMN created_at SET DEFAULT now();`,
+          `ALTER TABLE ${tableName} ALTER COLUMN updated_at SET DEFAULT now();`,
+          `ALTER TABLE ${tableName} ALTER COLUMN status SET DEFAULT 'available';`
+        ].join("\n");
+        return `${createSql}
+
+${alterDefaults}`;
       }
       buildRlsSql(tableName, access) {
         const quoted = this.safeTableName(tableName);
@@ -10151,29 +10200,9 @@ function detectPublicConfig(appDir, framework) {
   }
   return null;
 }
-function detectSecretKey(appDir) {
-  const candidates = [
-    joinPath(appDir, "supabase", "functions", ".env"),
-    joinPath(appDir, "functions", ".env")
-  ];
-  for (const functionsEnvPath of candidates) {
-    if (!pathExists(functionsEnvPath)) continue;
-    const envContentRaw = readSync(functionsEnvPath, { format: "text" });
-    const envContent = typeof envContentRaw === "string" ? envContentRaw : "";
-    const lines = envContent.split("\n");
-    for (const line of lines) {
-      const trimmed = line.trim();
-      if (trimmed.startsWith("SUPABASE_SECRET_KEY=") || trimmed.startsWith("SUPABASE_SERVICE_ROLE_KEY=")) {
-        const match = trimmed.match(
-          /^SUPABASE_(?:SECRET|SERVICE_ROLE)_KEY=(.+)$/
-        );
-        if (match && match[1]) {
-          return match[1].trim();
-        }
-      }
-    }
-  }
-  return null;
+function detectSecretKey(appDir, projectRoot) {
+  const root = projectRoot ?? process.cwd();
+  return resolveSecret("SUPABASE_SECRET_KEY", root, { appDir })?.value ?? null;
 }
 async function generateCrudFunction(supabaseDir, projectRoot) {
   const templatesRoot = getTemplatesRoot();
@@ -10257,26 +10286,23 @@ async function main3(options = {}) {
   const supabaseUrl = existingConfig.url;
   log.success(`Supabase URL: ${supabaseUrl}`);
   const secretKey = detectSecretKey(appDir);
-  const dbUrl = detectDbUrl(appDir);
+  const accessToken = resolveSecret("SUPABASE_ACCESS_TOKEN", projectRoot, { appDir })?.value ?? null;
   if (secretKey) log.success("Secret key detected");
-  else log.error("Missing SUPABASE_SECRET_KEY in supabase/functions/.env");
-  if (dbUrl) log.success("DB URL detected");
-  else log.error("Missing SUPABASE_DB_URL in supabase/functions/.env");
-  if (!secretKey || !dbUrl) {
-    const functionsEnvPath = joinPath(supabaseDir, "functions", ".env");
+  else log.error("Missing SUPABASE_SECRET_KEY");
+  if (accessToken) log.success("Access token detected");
+  else log.error("Missing SUPABASE_ACCESS_TOKEN");
+  if (!secretKey || !accessToken) {
     const missing = [];
     if (!secretKey) missing.push("  SUPABASE_SECRET_KEY=your-service-role-key");
-    if (!dbUrl)
+    if (!accessToken)
       missing.push(
-        "  SUPABASE_DB_URL=postgresql://postgres:...@db.<ref>.supabase.co:5432/postgres"
+        "  SUPABASE_ACCESS_TOKEN=sbp_... (from https://supabase.com/dashboard/account/tokens)"
       );
     Me(
       [
-        `Fill in ${functionsEnvPath}:`,
+        "Fill in .dndev.secrets at project root:",
         ...missing,
         "",
-        "Get these from: https://supabase.com/dashboard > Settings > Database",
-        "",
         "Then re-run: dndev setup supabase"
       ].join("\n"),
       "Missing Credentials"
@@ -10343,7 +10369,7 @@ async function main3(options = {}) {
     const s = Y2();
     s.start("Pushing migrations...");
     try {
-      await executeMigration({ supabaseDir, dbUrl });
+      await executeMigration({ supabaseDir, supabaseUrl, accessToken });
       s.stop("Migrations pushed successfully");
       migrationsPushed = true;
     } catch (error2) {
@@ -10362,10 +10388,13 @@ async function main3(options = {}) {
   const steps = [];
   steps.push("\u2705 Credentials validated from .env");
   if (secretKey) steps.push("\u2705 Secret key detected");
-  else steps.push("\u274C Secret key missing \u2014 cannot push migrations");
+  else steps.push("\u274C Secret key missing");
+  if (accessToken) steps.push("\u2705 Access token detected");
+  else steps.push("\u274C Access token missing \u2014 cannot push migrations");
   if (sqlGenerated) steps.push("\u2705 Entity SQL migrations generated");
-  if (migrationsPushed) steps.push("\u2705 Migrations pushed to remote DB");
-  else if (secretKey) steps.push("\u274C Migration push failed (see error above)");
+  if (migrationsPushed) steps.push("\u2705 Migrations pushed via Management API");
+  else if (accessToken)
+    steps.push("\u274C Migration push failed (see error above)");
   const hasErrors = steps.some((s) => s.startsWith("\u274C"));
   const title = hasErrors ? "Setup Incomplete" : "Setup Complete";
   Me(
@@ -10396,6 +10425,7 @@ var init_supabase = __esm({
     init_pathResolver();
     init_app_selector();
     init_supabase_management();
+    init_secrets_resolver();
     init_error_handling();
     init_types();
     supabase_default = main3;
@@ -10419,15 +10449,17 @@ var init_supabase = __esm({
           return { provider: "supabase", steps, overallStatus: "failed" };
         }
         const secretKey = detectSecretKey(ctx.appDir);
-        const dbUrl = detectDbUrl(ctx.appDir);
+        const accessToken = resolveSecret("SUPABASE_ACCESS_TOKEN", ctx.projectRoot, {
+          appDir: ctx.appDir
+        })?.value ?? null;
         const missingSecrets = [];
         if (!secretKey) missingSecrets.push("SUPABASE_SECRET_KEY");
-        if (!dbUrl) missingSecrets.push("SUPABASE_DB_URL");
+        if (!accessToken) missingSecrets.push("SUPABASE_ACCESS_TOKEN");
         if (missingSecrets.length > 0) {
           steps.push({
             name: "Credentials",
             status: "failed",
-            message: `Missing in functions/.env: ${missingSecrets.join(", ")}`
+            message: `Missing in .dndev.secrets: ${missingSecrets.join(", ")}`
           });
           return { provider: "supabase", steps, overallStatus: "failed" };
         }
@@ -10491,7 +10523,11 @@ var init_supabase = __esm({
           const s = Y2();
           s.start("Pushing migrations...");
           try {
-            await executeMigration({ supabaseDir, dbUrl });
+            await executeMigration({
+              supabaseDir,
+              supabaseUrl: existingConfig.url,
+              accessToken
+            });
             s.stop("Migrations pushed");
             steps.push({
               name: "DB migrations",
@@ -10600,6 +10636,7 @@ init_cross_app_detection();
 init_utils();
 init_pathResolver();
 init_cli_output();
+init_secrets_resolver();
 var FIREBASE_VARS = [
   {
     provider: "Firebase",
@@ -10638,32 +10675,28 @@ var SUPABASE_SECRET_VARS = [
   {
     provider: "Supabase",
     varName: "SUPABASE_SECRET_KEY",
-    envFile: "supabase/functions/.env"
+    envFile: ".dndev.secrets",
+    isSecret: true
   },
   {
     provider: "Supabase",
-    varName: "SUPABASE_DB_URL",
-    envFile: "supabase/functions/.env"
+    varName: "SUPABASE_ACCESS_TOKEN",
+    envFile: ".dndev.secrets",
+    isSecret: true
   }
 ];
-var VERCEL_VARS = [
-  { provider: "Vercel", varName: "VERCEL_TOKEN", envFile: ".env.local" },
-  { provider: "Vercel", varName: "VERCEL_ORG_ID", envFile: ".env.local" },
-  { provider: "Vercel", varName: "VERCEL_PROJECT_ID", envFile: ".env.local" }
-];
-function readEnvValue(envPath, varName) {
-  if (!pathExists(envPath)) return null;
-  const content = readSync(envPath, { format: "text" });
-  if (typeof content !== "string") return null;
-  for (const line of content.split(/\r?\n/)) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    if (trimmed.startsWith(`${varName}=`)) {
-      return trimmed.substring(`${varName}=`.length).trim();
-    }
+var VERCEL_SECRET_VARS = [
+  {
+    provider: "Vercel",
+    varName: "VERCEL_TOKEN",
+    envFile: ".dndev.secrets",
+    isSecret: true
   }
-  return null;
-}
+];
+var VERCEL_APP_VARS = [
+  { provider: "Vercel", varName: "VERCEL_ORG_ID", envFile: ".env" },
+  { provider: "Vercel", varName: "VERCEL_PROJECT_ID", envFile: ".env" }
+];
 function isProviderRelevant(ctx, provider) {
   switch (provider) {
     case "Firebase":
@@ -10686,32 +10719,33 @@ function validateRequiredEnvVars(ctx) {
   }
   if (isProviderRelevant(ctx, "Supabase")) {
     requirements.push(...SUPABASE_VARS);
-    const sbFunctionsEnv = joinPath(
-      ctx.appDir,
-      "supabase",
-      "functions",
-      ".env"
-    );
-    const altFunctionsEnv = joinPath(ctx.appDir, "functions", ".env");
-    if (pathExists(joinPath(ctx.appDir, "supabase", "functions")) || pathExists(sbFunctionsEnv)) {
-      requirements.push(...SUPABASE_SECRET_VARS);
-    } else if (pathExists(altFunctionsEnv)) {
-      requirements.push({
-        provider: "Supabase",
-        varName: "SUPABASE_SECRET_KEY",
-        envFile: "functions/.env"
-      });
-    }
+    requirements.push(...SUPABASE_SECRET_VARS);
   }
   if (isProviderRelevant(ctx, "Vercel")) {
-    requirements.push(...VERCEL_VARS);
+    requirements.push(...VERCEL_SECRET_VARS);
+    requirements.push(...VERCEL_APP_VARS);
   }
   for (const req of requirements) {
     const actualVarName = req.needsPrefix ? `${prefix}${req.varName}` : req.varName;
+    if (req.isSecret) {
+      const resolved = resolveSecret(req.varName, ctx.projectRoot, {
+        appDir: ctx.appDir,
+        silent: true
+      });
+      if (!resolved) {
+        missing.push({
+          provider: req.provider,
+          varName: req.varName,
+          envFile: req.envFile,
+          status: "missing"
+        });
+      }
+      continue;
+    }
     const envFilePath = joinPath(ctx.appDir, req.envFile);
     if (req.varName === "SUPABASE_PUBLIC_KEY") {
-      const pkValue = readEnvValue(envFilePath, actualVarName);
-      const anonValue = readEnvValue(envFilePath, `${prefix}SUPABASE_ANON_KEY`);
+      const pkValue = readEnvVar(envFilePath, actualVarName);
+      const anonValue = readEnvVar(envFilePath, `${prefix}SUPABASE_ANON_KEY`);
       if ((!pkValue || pkValue === "") && (!anonValue || anonValue === "")) {
         missing.push({
           provider: req.provider,
@@ -10722,20 +10756,30 @@ function validateRequiredEnvVars(ctx) {
       }
       continue;
     }
-    const value = readEnvValue(envFilePath, actualVarName);
+    if (req.varName === "VERCEL_ORG_ID" || req.varName === "VERCEL_PROJECT_ID") {
+      const fromEnv = readEnvVar(envFilePath, actualVarName);
+      const fromLocal = readEnvVar(
+        joinPath(ctx.appDir, ".env.local"),
+        actualVarName
+      );
+      const fromProcessEnv = process.env[actualVarName];
+      if (!fromEnv && !fromLocal && !fromProcessEnv) {
+        missing.push({
+          provider: req.provider,
+          varName: actualVarName,
+          envFile: req.envFile,
+          status: pathExists(envFilePath) ? "missing" : "missing"
+        });
+      }
+      continue;
+    }
+    const value = readEnvVar(envFilePath, actualVarName);
     if (value === null) {
       missing.push({
         provider: req.provider,
         varName: actualVarName,
         envFile: req.envFile,
-        status: pathExists(envFilePath) ? "missing" : "missing"
-      });
-    } else if (value === "") {
-      missing.push({
-        provider: req.provider,
-        varName: actualVarName,
-        envFile: req.envFile,
-        status: "empty"
+        status: pathExists(envFilePath) ? "missing" : "no_env_file"
       });
     }
   }
@@ -10767,7 +10811,7 @@ function printAllValidationResults(results, multiApp) {
   }
   for (const { appName, m: m2 } of allMissing) {
     const prefix = multiApp ? `${appName}: ` : "";
-    const detail = m2.status === "empty" ? `empty in ${m2.envFile}` : `missing \u2014 ${m2.envFile}`;
+    const detail = m2.status === "empty" ? `empty in ${m2.envFile}` : m2.status === "no_env_file" ? `env file not found: ${m2.envFile}` : `missing \u2014 ${m2.envFile}`;
     log.error(`  ${prefix}${m2.varName} (${detail})`);
   }
   log.warn(`Run 'dndev coach' to see where to get them.`);