@jhizzard/termdeck 0.18.0 → 1.0.1

package/packages/server/src/setup/mnestra-migrations/016_mnestra_doctor_probes.sql

@@ -0,0 +1,117 @@
+-- Mnestra v0.4.1 — `mnestra doctor` SECURITY DEFINER probe wrappers
+--
+-- Sprint 51.5 T2 (TermDeck). Adds five SECURITY DEFINER helper functions
+-- so the `mnestra doctor` subcommand (running under the supabase
+-- service_role) can probe `cron.job_run_details`, `cron.job`, `vault.secrets`,
+-- `information_schema.columns`, and `pg_proc` without granting raw schema
+-- access to service_role.
+--
+-- Why SECURITY DEFINER: by default `cron.*` and `vault.*` are owned by
+-- the `postgres` role and unreadable from service_role. The classical
+-- alternative is to `grant usage on schema cron to service_role; grant
+-- select on cron.job_run_details to service_role; …` — broader privilege
+-- expansion than this lane needs. SECURITY DEFINER lets us read exactly
+-- what the doctor needs without exposing the entire cron/vault surface.
+--
+-- Idempotent: every function uses CREATE OR REPLACE; every GRANT is
+-- safe to re-run. No data mutation. Safe to re-apply on every install.
+
+-- ── 1. cron.job_run_details lookup ───────────────────────────────────────
+--
+-- Returns the most recent N runs of a named cron job, projecting only
+-- the columns the doctor needs (status, start/end timestamps, return
+-- message). The doctor parses `return_message` for the rumen-tick /
+-- graph-inference all-zeros pattern.
+
+create or replace function mnestra_doctor_cron_runs(
+  p_jobname text,
+  p_limit   int default 10
+)
+returns table (
+  jobname        text,
+  status         text,
+  start_time     timestamptz,
+  end_time       timestamptz,
+  return_message text
+)
+language sql
+security definer
+set search_path = cron, public
+as $$
+  select j.jobname, d.status, d.start_time, d.end_time, d.return_message
+  from cron.job_run_details d
+  join cron.job j on j.jobid = d.jobid
+  where j.jobname = p_jobname
+  order by d.start_time desc
+  limit greatest(coalesce(p_limit, 10), 1);
+$$;
+
+-- ── 2. column existence probe (public schema only) ───────────────────────
+
+create or replace function mnestra_doctor_column_exists(
+  p_table  text,
+  p_column text
+)
+returns boolean
+language sql
+security definer
+set search_path = public
+as $$
+  select exists (
+    select 1
+    from information_schema.columns
+    where table_schema = 'public'
+      and table_name   = p_table
+      and column_name  = p_column
+  );
+$$;
+
+-- ── 3. RPC / function existence probe ────────────────────────────────────
+
+create or replace function mnestra_doctor_rpc_exists(p_name text)
+returns boolean
+language sql
+security definer
+set search_path = public
+as $$
+  select exists (
+    select 1
+    from pg_proc p
+    join pg_namespace n on n.oid = p.pronamespace
+    where p.proname = p_name
+      and n.nspname = 'public'
+  );
+$$;
+
+-- ── 4. cron.job existence probe (does the named job exist at all) ───────
+
+create or replace function mnestra_doctor_cron_job_exists(p_jobname text)
+returns boolean
+language sql
+security definer
+set search_path = cron, public
+as $$
+  select exists (select 1 from cron.job where jobname = p_jobname);
+$$;
+
+-- ── 5. vault.secrets existence probe (no value disclosure) ──────────────
+--
+-- Existence-only — never returns the secret value. The doctor only needs
+-- to know whether the named vault entry was created during stack install.
+
+create or replace function mnestra_doctor_vault_secret_exists(p_name text)
+returns boolean
+language sql
+security definer
+set search_path = vault, public
+as $$
+  select exists (select 1 from vault.secrets where name = p_name);
+$$;
+
+-- ── 6. Grants ────────────────────────────────────────────────────────────
+
+grant execute on function mnestra_doctor_cron_runs(text, int)             to service_role;
+grant execute on function mnestra_doctor_column_exists(text, text)        to service_role;
+grant execute on function mnestra_doctor_rpc_exists(text)                 to service_role;
+grant execute on function mnestra_doctor_cron_job_exists(text)            to service_role;
+grant execute on function mnestra_doctor_vault_secret_exists(text)        to service_role;

package/packages/server/src/setup/preconditions.js

@@ -52,6 +52,23 @@ function extensionsDashboardUrl(secrets) {
   return `https://supabase.com/dashboard/project/${parsed.projectRef}/database/extensions`;
 }
 
+// Sprint 51.5 T3: Build a SQL-Editor deeplink that pre-fills a
+// vault.create_secret() call. Used when the audit's vault probe finds the
+// secret missing and the wizard's auto-apply step (init-rumen.js
+// `ensureVaultSecrets`) was unable to create it via pgRunner. The Vault
+// dashboard panel was quietly removed/relocated in current Supabase UIs
+// (Brad 2026-05-03 takeaway #2; INSTALLER-PITFALLS.md Class B), so SQL
+// Editor is the working manual surface.
+function vaultSqlEditorUrl(secrets, secretName, secretValue) {
+  if (!secrets || !secrets.SUPABASE_URL) return null;
+  const parsed = supabaseUrlHelper.parseProjectUrl(secrets.SUPABASE_URL);
+  if (!parsed.ok) return null;
+  const value = String(secretValue == null ? '' : secretValue).replace(/'/g, "''");
+  const name = String(secretName == null ? '' : secretName).replace(/'/g, "''");
+  const sql = `select vault.create_secret('${value}', '${name}');`;
+  return `https://supabase.com/dashboard/project/${parsed.projectRef}/sql/new?content=${encodeURIComponent(sql)}`;
+}
+
 // Render a single gap into 2-3 lines of CLI output (one indented hint per
 // non-empty `hint` line). Format aligned with the rest of the wizard's
 // step lines.
@@ -206,14 +223,28 @@ async function auditRumenPreconditions({ secrets, env, _pgClient } = {}) {
           'If permission is denied, the Vault is not accessible to this connection — double-check secrets.env.'
       });
     } else if (!vault.ok) {
+      // Sprint 51.5 T3: the Supabase Vault dashboard panel was quietly removed
+      // / relocated in current Supabase UIs (Brad 2026-05-03 takeaway #2;
+      // INSTALLER-PITFALLS.md Class B). The wizard's `ensureVaultSecrets`
+      // step (init-rumen.js) auto-creates this key via pgRunner when the
+      // user's connection has vault.create_secret privileges; this hint only
+      // fires when auto-apply also failed, in which case the SQL Editor is
+      // the working manual surface. Build a project-specific deeplink when
+      // we can derive the project ref so the user gets one click instead of
+      // a "find the SQL Editor yourself" instruction.
+      const sqlEditorUrl = vaultSqlEditorUrl(secrets, 'rumen_service_role_key',
+        '<paste your service_role JWT from Project Settings → API>');
+      const sqlEditorLine = sqlEditorUrl
+        ? `  Open: ${sqlEditorUrl}\n  Replace the placeholder with your service_role key from Project Settings → API, then click Run.`
+        : '  Open the Supabase SQL Editor and run:\n' +
+          "    select vault.create_secret('<service_role JWT>', 'rumen_service_role_key');";
       gaps.push({
         key: 'rumen_service_role_key',
         message: 'Vault secret "rumen_service_role_key" is missing',
         hint:
-          'Create it in the Supabase dashboard:\n' +
-          '  Project Settings → Vault → New secret\n' +
-          '  Name: rumen_service_role_key  (exact, case-sensitive)\n' +
-          '  Value: your service_role key from Project Settings → API\n' +
+          "The wizard tries to auto-create this via vault.create_secret() and only surfaces this hint when auto-apply also failed.\n" +
+          'Create it manually via the SQL Editor (the Vault dashboard panel was removed in current Supabase UIs):\n' +
+          sqlEditorLine + '\n' +
           '(The pg_cron schedule calls the Edge Function with this key as the bearer token.)'
       });
     }
@@ -384,6 +415,7 @@ module.exports = {
   printAuditReport,
   printVerifyReport,
   extensionsDashboardUrl,
+  vaultSqlEditorUrl,
   // Test surface
   _probeSupabaseAuth: probeSupabaseAuth,
   _safeQuery: safeQuery

package/packages/server/src/setup/rumen/functions/graph-inference/index.ts

@@ -343,9 +343,13 @@ export async function runGraphInference(sql: Sql): Promise<InferenceSummary> {
 }
 
 serve(async (_req: Request) => {
-  const url = Deno.env.get('DATABASE_URL');
+  // Supabase Edge Runtime auto-injects SUPABASE_DB_URL as a built-in env var.
+  // Falling back to it removes one whole category of "where do I get the DB
+  // connection string" from the install wizard. Brad surfaced this 2026-05-03
+  // after hand-patching all four of his deployed copies.
+  const url = Deno.env.get('DATABASE_URL') ?? Deno.env.get('SUPABASE_DB_URL');
   if (!url) {
-    console.error('[graph-inference] DATABASE_URL not set in Edge Function secrets');
+    console.error('[graph-inference] DATABASE_URL / SUPABASE_DB_URL not set in Edge Function secrets');
     return new Response(
       JSON.stringify({ ok: false, error: 'DATABASE_URL not set' }),
       { status: 500, headers: { 'Content-Type': 'application/json' } },

package/packages/server/src/setup/rumen/functions/rumen-tick/index.ts

@@ -31,9 +31,13 @@ import { runRumenJob, createPoolFromUrl } from 'npm:@jhizzard/rumen@__RUMEN_VERS
 declare const Deno: { env: { get: (k: string) => string | undefined } };
 
 serve(async (_req: Request) => {
-  const url = Deno.env.get('DATABASE_URL');
+  // Supabase Edge Runtime auto-injects SUPABASE_DB_URL as a built-in env var.
+  // Falling back to it removes one whole category of "where do I get the DB
+  // connection string" from the install wizard. Brad surfaced this 2026-05-03
+  // after hand-patching all four of his deployed copies.
+  const url = Deno.env.get('DATABASE_URL') ?? Deno.env.get('SUPABASE_DB_URL');
   if (!url) {
-    console.error('[rumen] DATABASE_URL not set in Edge Function secrets');
+    console.error('[rumen] DATABASE_URL / SUPABASE_DB_URL not set in Edge Function secrets');
     return new Response(
       JSON.stringify({
         ok: false,