@odvi/create-dtt-framework 0.1.5 → 0.1.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@odvi/create-dtt-framework",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "CLI tool to scaffold new projects with DTT Framework",
   "type": "module",
   "bin": {

package/template/.env.example

@@ -1,103 +1,106 @@
-# Since the ".env" file is gitignored, you can use the ".env.example" file to
-# build a new ".env" file when you clone the repo. Keep this file up-to-date
-# when you add new variables to `.env`.
-
-# This file will be committed to version control, so make sure not to have any
-# secrets in it. If you are cloning this repo, create a copy of this file named
-# ".env" and populate it with your secrets.
-
-# When adding additional environment variables, the schema in "/src/env.js"
-# should be updated accordingly.
-
-# ========================================
-# App Configuration
-# ========================================
-# The base URL of your application. Used for redirects, webhooks, and callbacks.
-# In development: http://localhost:3000
-# In production: https://your-domain.com
-NEXT_PUBLIC_APP_URL=http://localhost:3000
-
-# ========================================
-# Clerk Authentication
-# ========================================
-# Clerk publishable key - used on the client side for authentication
-# Get this from your Clerk Dashboard > API Keys > Publishable Key
-NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_xxx
-
-# Clerk secret key - used on the server side for authentication
-# Get this from your Clerk Dashboard > API Keys > Secret Key
-CLERK_SECRET_KEY=sk_test_xxx
-
-# Clerk webhook secret - used to verify webhook events from Clerk
-# Get this from your Clerk Dashboard > Webhooks > Add Endpoint > Signing Secret
-CLERK_WEBHOOK_SECRET=whsec_xxx
-
-# URL path for the sign-in page
-NEXT_PUBLIC_CLERK_SIGN_IN_URL=/sign-in
-
-# URL path for the sign-up page
-NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up
-
-# Where to redirect users after successful sign-in
-NEXT_PUBLIC_CLERK_AFTER_SIGN_IN_URL=/health
-
-# Where to redirect users after successful sign-up
-NEXT_PUBLIC_CLERK_AFTER_SIGN_UP_URL=/health
-
-# ========================================
-# Supabase
-# ========================================
-# Supabase project URL - found in your Supabase project settings
-NEXT_PUBLIC_SUPABASE_URL=https://xxx.supabase.co
-
-# Supabase anonymous/public key - safe to expose on client side
-# Found in your Supabase project settings under API keys
-NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJxxx
-
-# Supabase service role key - full admin access, keep secret!
-# Found in your Supabase project settings under API keys
-SUPABASE_SERVICE_ROLE_KEY=eyJxxx
-
-# PostgreSQL connection string for Drizzle ORM
-# Use Supabase's Transaction mode pooler for better performance
-# Format: postgresql://postgres.[ref]:[password]@aws-0-[region].pooler.supabase.com:6543/postgres
-DATABASE_URL=postgresql://postgres.[ref]:[password]@aws-0-[region].pooler.supabase.com:6543/postgres
-
-# ========================================
-# Snowflake Data Warehouse
-# ========================================
-# Snowflake account identifier (e.g., xxx.us-east-1)
-SNOWFLAKE_ACCOUNT=xxx.us-east-1
-
-# Snowflake username for authentication
-SNOWFLAKE_USERNAME=xxx
-
-# Snowflake password for authentication
-SNOWFLAKE_PASSWORD=xxx
-
-# Snowflake virtual warehouse to use for queries
-SNOWFLAKE_WAREHOUSE=COMPUTE_WH
-
-# Snowflake database name
-SNOWFLAKE_DATABASE=ANALYTICS
-
-# Snowflake schema name within the database
-SNOWFLAKE_SCHEMA=PUBLIC
-
-# Snowflake role with appropriate permissions
-SNOWFLAKE_ROLE=ANALYST
-
-# ========================================
-# NextBank API (Placeholder)
-# ========================================
-# Base URL for the NextBank API endpoint
-NEXTBANK_API_URL=https://api.nextbank.com
-
-# API key for NextBank authentication
-NEXTBANK_API_KEY=xxx
-
-# OAuth client ID for NextBank integration
-NEXTBANK_CLIENT_ID=xxx
-
-# OAuth client secret for NextBank integration
-NEXTBANK_CLIENT_SECRET=xxx
+# Since the ".env" file is gitignored, you can use the ".env.example" file to
+# build a new ".env" file when you clone the repo. Keep this file up-to-date
+# when you add new variables to `.env`.
+
+# This file will be committed to version control, so make sure not to have any
+# secrets in it. If you are cloning this repo, create a copy of this file named
+# ".env" and populate it with your secrets.
+
+# When adding additional environment variables, the schema in "/src/env.js"
+# should be updated accordingly.
+
+# ========================================
+# App Configuration
+# ========================================
+# The base URL of your application. Used for redirects, webhooks, and callbacks.
+# In development: http://localhost:3000
+# In production: https://your-domain.com
+NEXT_PUBLIC_APP_URL=http://localhost:3000
+
+# ========================================
+# Clerk Authentication
+# ========================================
+# Clerk publishable key - used on the client side for authentication
+# Get this from your Clerk Dashboard > API Keys > Publishable Key
+NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_xxx
+
+# Clerk secret key - used on the server side for authentication
+# Get this from your Clerk Dashboard > API Keys > Secret Key
+CLERK_SECRET_KEY=sk_test_xxx
+
+# Clerk webhook secret - used to verify webhook events from Clerk
+# Get this from your Clerk Dashboard > Webhooks > Add Endpoint > Signing Secret
+CLERK_WEBHOOK_SECRET=whsec_xxx
+
+# URL path for the sign-in page
+NEXT_PUBLIC_CLERK_SIGN_IN_URL=/sign-in
+
+# URL path for the sign-up page
+NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up
+
+# Where to redirect users after successful sign-in
+NEXT_PUBLIC_CLERK_AFTER_SIGN_IN_URL=/health
+
+# Where to redirect users after successful sign-up
+NEXT_PUBLIC_CLERK_AFTER_SIGN_UP_URL=/health
+
+# ========================================
+# Supabase
+# ========================================
+# Supabase project URL - found in your Supabase project settings
+NEXT_PUBLIC_SUPABASE_URL=https://xxx.supabase.co
+
+# Supabase anonymous/public key - safe to expose on client side
+# Found in your Supabase project settings under API keys
+NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJxxx
+
+# Supabase service role key - full admin access, keep secret!
+# Found in your Supabase project settings under API keys
+SUPABASE_SERVICE_ROLE_KEY=eyJxxx
+
+# PostgreSQL connection string for Drizzle ORM
+# Use Supabase's Transaction mode pooler for better performance
+# Format: postgresql://postgres.[ref]:[password]@aws-0-[region].pooler.supabase.com:6543/postgres
+DATABASE_URL=postgresql://postgres.[ref]:[password]@aws-0-[region].pooler.supabase.com:6543/postgres
+
+# ========================================
+# Snowflake Data Warehouse
+# ========================================
+# Snowflake account identifier (e.g., ef19411.ap-southeast-1)
+SNOWFLAKE_ACCOUNT=ef19411.ap-southeast-1
+
+# Snowflake warehouse to use
+SNOWFLAKE_WAREHOUSE=COMPUTE_WH
+
+# Snowflake role
+SNOWFLAKE_ROLE=ACCOUNTADMIN
+
+# Authentication method (SNOWFLAKE_JWT for Key Pair Auth)
+SNOWFLAKE_AUTHENTICATOR=SNOWFLAKE_JWT
+
+# Snowflake username
+SNOWFLAKE_USERNAME=APP_USER_WITH_KEY_AUTH
+
+# Private Key for Authentication (PEM format)
+SNOWFLAKE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
+...
+-----END PRIVATE KEY-----"
+
+# Passphrase for the Private Key (if encrypted)
+SNOWFLAKE_PRIVATE_KEY_PASSPHRASE="<password>"
+
+# Enable logging (optional)
+SNOWFLAKE_LOGGING=true
+
+# ========================================
+# NextBank API (Placeholder)
+# ========================================
+# Base URL for the NextBank API endpoint
+NEXTBANK_API=https://api.nextbank.com
+
+# Username for NextBank Basic Authentication
+NEXTBANK_API_USERNAME=user
+
+# Password for NextBank Basic Authentication
+NEXTBANK_API_PASSWORD=pass
+

package/template/docs/framework/deployment/environment-variables.md

@@ -63,10 +63,9 @@ This document provides a comprehensive guide to managing environment variables f
 
 | Variable Name | Type | Required | Description | Example |
 |---------------|------|----------|-------------|---------|
-| `NEXTBANK_API_URL` | Server | No | NextBank API endpoint | `https://api.nextbank.com` |
-| `NEXTBANK_API_KEY` | Server | No | NextBank API key | `xxx` |
-| `NEXTBANK_CLIENT_ID` | Server | No | NextBank OAuth client ID | `xxx` |
-| `NEXTBANK_CLIENT_SECRET` | Server | No | NextBank OAuth client secret | `xxx` |
+| `NEXTBANK_API` | Server | No | NextBank API endpoint | `https://api.nextbank.com` |
+| `NEXTBANK_API_USERNAME` | Server | No | NextBank API username | `user` |
+| `NEXTBANK_API_PASSWORD` | Server | No | NextBank API password | `pass` |
 
 ---
 

package/template/docs/framework/environment-variables.md

@@ -102,16 +102,13 @@ SNOWFLAKE_ROLE=ANALYST
 # ============================================
 
 # NextBank API URL
-NEXTBANK_API_URL=https://api.nextbank.com
+NEXTBANK_API=https://api.nextbank.com
 
-# NextBank API key
-NEXTBANK_API_KEY=xxx
+# NextBank API username
+NEXTBANK_API_USERNAME=user
 
-# NextBank OAuth client ID
-NEXTBANK_CLIENT_ID=xxx
-
-# NextBank OAuth client secret
-NEXTBANK_CLIENT_SECRET=xxx
+# NextBank API password
+NEXTBANK_API_PASSWORD=pass
 ```
 
 ---
@@ -425,40 +422,31 @@ SNOWFLAKE_ROLE=ANALYST
 
 **Note:** NextBank is a placeholder integration. These variables are optional and not currently used.
 
-#### NEXTBANK_API_URL
+#### NEXTBANK_API
 
 **Purpose:** NextBank API endpoint
 
 **Example:**
 ```bash
-NEXTBANK_API_URL=https://api.nextbank.com
-```
-
-#### NEXTBANK_API_KEY
-
-**Purpose:** API key for NextBank
-
-**Example:**
-```bash
-NEXTBANK_API_KEY=xxx
+NEXTBANK_API=https://api.nextbank.com
 ```
 
-#### NEXTBANK_CLIENT_ID
+#### NEXTBANK_API_USERNAME
 
-**Purpose:** OAuth client ID
+**Purpose:** API username for NextBank
 
 **Example:**
 ```bash
-NEXTBANK_CLIENT_ID=xxx
+NEXTBANK_API_USERNAME=user
 ```
 
-#### NEXTBANK_CLIENT_SECRET
+#### NEXTBANK_API_PASSWORD
 
-**Purpose:** OAuth client secret
+**Purpose:** API password for NextBank
 
 **Example:**
 ```bash
-NEXTBANK_CLIENT_SECRET=xxx
+NEXTBANK_API_PASSWORD=pass
 ```
 
 ---

package/template/docs/framework/health-check-system.md

@@ -564,6 +564,7 @@ try {
 - Check service logs for detailed error messages
 - Verify network connectivity to the service
 - Check if service is running and accessible
+- For Supabase Database: Ensure migrations are applied (`pnpm db:push` or `pnpm db:migrate`) so `health_check_tests` table exists
 
 **Issue: Health check is slow**
 

package/template/docs/framework/snowflake-integration.md

@@ -36,24 +36,27 @@ Add the following to your [`.env`](./environment-variables.md) file:
 
 ```bash
 # Snowflake
-SNOWFLAKE_ACCOUNT=xxx.us-east-1
-SNOWFLAKE_USERNAME=xxx
-SNOWFLAKE_PASSWORD=xxx
+SNOWFLAKE_ACCOUNT=ef19411.ap-southeast-1
+SNOWFLAKE_AUTHENTICATOR=SNOWFLAKE_JWT
+SNOWFLAKE_USERNAME=APP_USER_WITH_KEY_AUTH
+SNOWFLAKE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
+        -----END PRIVATE KEY-----"
+SNOWFLAKE_PRIVATE_KEY_PASSPHRASE="<password>"
 SNOWFLAKE_WAREHOUSE=COMPUTE_WH
-SNOWFLAKE_DATABASE=ANALYTICS
-SNOWFLAKE_SCHEMA=PUBLIC
-SNOWFLAKE_ROLE=ANALYST
+SNOWFLAKE_ROLE=ACCOUNTADMIN
+SNOWFLAKE_LOGGING=true
 ```
 
 **Where to find these values:**
 
-- **Account**: Snowflake URL (e.g., `xy12345.us-east-1` from `https://xy12345.us-east-1.snowflakecomputing.com`)
-- **Username**: Your Snowflake username
-- **Password**: Your Snowflake password
-- **Warehouse**: Compute warehouse name (create one if needed)
-- **Database**: Database name (create one if needed)
-- **Schema**: Schema name (usually `PUBLIC`)
-- **Role**: Role with appropriate permissions
+- **Account**: Snowflake URL (e.g., `ef19411.ap-southeast-1` from `https://ef19411.ap-southeast-1.snowflakecomputing.com`)
+- **Authenticator**: `SNOWFLAKE_JWT` for Key Pair Authentication
+- **Username**: Your Snowflake username (must be configured with public key)
+- **Private Key**: Your private key in PEM format
+- **Passphrase**: Password for your private key (if encrypted)
+- **Warehouse**: Compute warehouse name
+- **Role**: Role with appropriate permissions (e.g., `ACCOUNTADMIN` or custom role)
+- **Logging**: Enable verbose logging (optional)
 
 ### 4. Create Snowflake Client
 
@@ -67,10 +70,10 @@ import { env } from '@/config/env'
 const config = {
   account: env.SNOWFLAKE_ACCOUNT,
   username: env.SNOWFLAKE_USERNAME,
-  password: env.SNOWFLAKE_PASSWORD,
+  authenticator: env.SNOWFLAKE_AUTHENTICATOR,
+  privateKey: env.SNOWFLAKE_PRIVATE_KEY,
+  privateKeyPass: env.SNOWFLAKE_PRIVATE_KEY_PASSPHRASE,
   warehouse: env.SNOWFLAKE_WAREHOUSE,
-  database: env.SNOWFLAKE_DATABASE,
-  schema: env.SNOWFLAKE_SCHEMA,
   role: env.SNOWFLAKE_ROLE,
 }
 

package/template/docs/framework/supabase-integration.md

@@ -146,6 +146,7 @@ export * from './health-checks'
 pnpm db:generate
 
 # Push schema to database (development)
+# This is required for health checks to pass (creates health_check_tests table)
 pnpm db:push
 
 # Or run migrations (production)

package/template/drizzle.config.ts

@@ -8,5 +8,4 @@ export default {
   dbCredentials: {
     url: env.DATABASE_URL,
   },
-  tablesFilter: ["dtt-framework_*"],
 } satisfies Config;

package/template/src/config/__tests__/env.test.ts

@@ -33,10 +33,9 @@ describe('env configuration', () => {
       SNOWFLAKE_DATABASE: z.string().default('ANALYTICS'),
       SNOWFLAKE_SCHEMA: z.string().default('PUBLIC'),
       SNOWFLAKE_ROLE: z.string().default('ANALYST'),
-      NEXTBANK_API_URL: z.string().url().optional(),
-      NEXTBANK_API_KEY: z.string().optional(),
-      NEXTBANK_CLIENT_ID: z.string().optional(),
-      NEXTBANK_CLIENT_SECRET: z.string().optional(),
+      NEXTBANK_API: z.string().url().optional(),
+      NEXTBANK_API_USERNAME: z.string().optional(),
+      NEXTBANK_API_PASSWORD: z.string().optional(),
     });
 
     const result = envSchema.safeParse({});
@@ -104,10 +103,9 @@ describe('env configuration', () => {
 
   it('should allow optional NextBank fields', () => {
     const nextbankSchema = z.object({
-      NEXTBANK_API_URL: z.string().url().optional(),
-      NEXTBANK_API_KEY: z.string().optional(),
-      NEXTBANK_CLIENT_ID: z.string().optional(),
-      NEXTBANK_CLIENT_SECRET: z.string().optional(),
+      NEXTBANK_API: z.string().url().optional(),
+      NEXTBANK_API_USERNAME: z.string().optional(),
+      NEXTBANK_API_PASSWORD: z.string().optional(),
     });
 
     const result = nextbankSchema.safeParse({});

package/template/src/config/env.ts

@@ -19,17 +19,17 @@ const envSchema = z.object({
   // Snowflake
   SNOWFLAKE_ACCOUNT: z.string().default('placeholder'),
   SNOWFLAKE_USERNAME: z.string().default('placeholder'),
-  SNOWFLAKE_PASSWORD: z.string().default('placeholder'),
+  SNOWFLAKE_AUTHENTICATOR: z.literal('SNOWFLAKE_JWT').default('SNOWFLAKE_JWT'),
+  SNOWFLAKE_PRIVATE_KEY: z.string().default('placeholder'),
+  SNOWFLAKE_PRIVATE_KEY_PASSPHRASE: z.string().optional(),
   SNOWFLAKE_WAREHOUSE: z.string().default('COMPUTE_WH'),
-  SNOWFLAKE_DATABASE: z.string().default('ANALYTICS'),
-  SNOWFLAKE_SCHEMA: z.string().default('PUBLIC'),
-  SNOWFLAKE_ROLE: z.string().default('ANALYST'),
+  SNOWFLAKE_ROLE: z.string().default('ACCOUNTADMIN'),
+  SNOWFLAKE_LOGGING: z.string().transform((val) => val === 'true').optional(),
 
   // NextBank (optional)
-  NEXTBANK_API_URL: z.string().url().optional(),
-  NEXTBANK_API_KEY: z.string().optional(),
-  NEXTBANK_CLIENT_ID: z.string().optional(),
-  NEXTBANK_CLIENT_SECRET: z.string().optional(),
+  NEXTBANK_API: z.string().url().optional(),
+  NEXTBANK_API_USERNAME: z.string().optional(),
+  NEXTBANK_API_PASSWORD: z.string().optional(),
 })
 
 export const env = envSchema.parse(process.env)

package/template/src/features/health-check/components/health-dashboard.tsx

@@ -11,6 +11,7 @@ import { useState } from 'react'
 import type { HealthStatus } from '@/features/health-check/types'
 import { useHealthStore } from '../stores/health-store'
 import { useQueryClient } from '@tanstack/react-query'
+import { useAuth } from '@clerk/nextjs'
 
 const statusIcons: Record<HealthStatus, React.ReactNode> = {
   healthy: <CheckCircle className="h-5 w-5 text-green-500" />,
@@ -43,6 +44,7 @@ export function HealthDashboard() {
   const [loadingChecks, setLoadingChecks] = useState<Set<string>>(new Set())
   const healthStore = useHealthStore()
   const queryClient = useQueryClient()
+  const { getToken } = useAuth()
 
   const totalHealthChecks = SERVICES.reduce((total, service) => total + service.checks.length, 0)
 
@@ -85,8 +87,17 @@ export function HealthDashboard() {
           throw new Error(`Unknown client endpoint: ${endpoint}`)
         }
       } else {
+        // Get auth token if available
+        const token = await getToken()
+        
         // Handle server-side checks
-        const response = await fetch(`/api/health${endpoint}`)
+        const response = await fetch(`/api/health${endpoint}`, {
+          method: ['/database/write', '/database/delete', '/storage/upload', '/storage/delete'].includes(endpoint) ? 'POST' : 'GET',
+          headers: {
+            ...(token ? { Authorization: `Bearer ${token}` } : {}),
+          },
+          ...(endpoint === '/database/delete' || endpoint === '/storage/delete' ? { method: 'DELETE' } : {})
+        })
         // Check content type to ensure JSON
         const contentType = response.headers.get('content-type')
         if (!contentType || !contentType.includes('application/json')) {

package/template/src/features/health-check/config.ts

@@ -50,7 +50,6 @@ export const SERVICES = [
     icon: 'building',
     checks: [
       { name: 'Ping API', endpoint: '/nextbank/ping' },
-      { name: 'Test Authentication', endpoint: '/nextbank/auth' },
     ],
   },
   {

package/template/src/lib/nextbank/client.ts

@@ -2,35 +2,65 @@ import { env } from '@/config/env'
 
 class NextBankClient {
   private apiUrl: string
-  private apiKey: string
-  private accessToken: string | null = null
+  private username: string
+  private password: string
 
   constructor() {
-    this.apiUrl = env.NEXTBANK_API_URL ?? ''
-    this.apiKey = env.NEXTBANK_API_KEY ?? ''
+    this.apiUrl = env.NEXTBANK_API ?? ''
+    this.username = env.NEXTBANK_API_USERNAME ?? ''
+    this.password = env.NEXTBANK_API_PASSWORD ?? ''
   }
 
-  async ping(): Promise<{ status: string; timestamp: string }> {
-    const response = await fetch(`${this.apiUrl}/health`, {
-      headers: { 'X-API-Key': this.apiKey },
-    })
-    if (!response.ok) throw new Error(`NextBank API error: ${response.status}`)
-    return response.json()
+  private getAuthHeader(): Record<string, string> {
+    if (!this.username || !this.password) return {}
+    const token = btoa(`${this.username}:${this.password}`)
+    return { Authorization: `Basic ${token}` }
   }
 
-  async authenticate(): Promise<{ success: boolean; expiresAt: string }> {
-    const response = await fetch(`${this.apiUrl}/auth/token`, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({
-        clientId: env.NEXTBANK_CLIENT_ID,
-        clientSecret: env.NEXTBANK_CLIENT_SECRET,
-      }),
-    })
-    if (!response.ok) throw new Error(`NextBank auth error: ${response.status}`)
-    const data = await response.json()
-    this.accessToken = data.accessToken
-    return { success: true, expiresAt: data.expiresAt }
+  async ping(fingerprint: string): Promise<{ status: string; timestamp: string }> {
+    const url = `${this.apiUrl}/management/status`
+    console.log(`[NextBank] Pinging ${url}`)
+    
+    try {
+      const response = await fetch(url, {
+        method: 'POST',
+        headers: {
+          ...this.getAuthHeader(),
+          'Content-Type': 'application/json',
+          'Accept': 'application/json',
+          'User-Agent': 'dtt-framework-health-check',
+        },
+        body: JSON.stringify({
+          fingerprint: fingerprint,
+        }),
+      })
+
+      const contentType = response.headers.get('content-type')
+      
+      if (!response.ok) {
+        if (contentType && contentType.includes('text/html')) {
+           const text = await response.text()
+           console.error('[NextBank] Received HTML error response. Possible causes:')
+           console.error('1. NEXTBANK_API is pointing to the wrong server (e.g. Next.js app instead of NextBank API)')
+           console.error('2. The endpoint /management/status does not exist or does not support POST')
+           console.error(`[NextBank] Response preview: ${text.substring(0, 150)}...`)
+           throw new Error(`NextBank API error: ${response.status} (HTML response)`)
+        }
+        throw new Error(`NextBank API error: ${response.status} ${response.statusText}`)
+      }
+
+      if (contentType && contentType.includes('application/json')) {
+        return await response.json()
+      } else {
+        const text = await response.text()
+        console.error('[NextBank] Invalid response content type:', contentType)
+        console.error('[NextBank] Response preview:', text.substring(0, 200))
+        throw new Error(`Invalid response format. Expected JSON, got ${contentType}`)
+      }
+    } catch (error) {
+      console.error('[NextBank] Ping failed:', error)
+      throw error
+    }
   }
 }
 

package/template/src/lib/snowflake/client.ts

@@ -1,33 +1,82 @@
-import snowflake from 'snowflake-sdk'
-import type { Bind } from 'snowflake-sdk'
+import type { Connection, Bind } from 'snowflake-sdk'
 import { env } from '@/config/env'
 
+// Helper to format private key correctly
+function formatPrivateKey(key: string | undefined): string | undefined {
+  if (!key || key === 'placeholder') return undefined
+
+  let cleanKey = key
+
+  // 1. Remove surrounding quotes if they exist
+  if ((cleanKey.startsWith('"') && cleanKey.endsWith('"')) ||
+      (cleanKey.startsWith("'") && cleanKey.endsWith("'"))) {
+    cleanKey = cleanKey.slice(1, -1)
+  }
+
+  // 2. Handle literal escaped newlines (common in one-line env vars)
+  if (cleanKey.includes('\\n')) {
+    cleanKey = cleanKey.replace(/\\n/g, '\n')
+  }
+
+  // 3. Split by newline to handle potential indentation/whitespace issues
+  const lines = cleanKey.split('\n')
+    .map(line => line.trim()) // Remove indentation/whitespace from each line
+    .filter(line => line.length > 0) // Remove empty lines
+
+  // 4. Reconstruct the key
+  const formattedKey = lines.join('\n')
+
+  // Debug log (safe)
+  if (!formattedKey.includes('BEGIN PRIVATE KEY')) {
+    console.warn('Snowflake Private Key may be invalid or missing PKCS#8 header (expected "-----BEGIN PRIVATE KEY-----")')
+  }
+  
+  if (formattedKey.includes('BEGIN RSA PRIVATE KEY')) {
+    console.warn('Snowflake Private Key appears to be PKCS#1 (RSA). Snowflake requires PKCS#8. Use "openssl pkcs8 -topk8..." to convert.')
+  }
+
+  return formattedKey
+}
+
 const config = {
   account: env.SNOWFLAKE_ACCOUNT,
   username: env.SNOWFLAKE_USERNAME,
-  password: env.SNOWFLAKE_PASSWORD,
+  authenticator: env.SNOWFLAKE_AUTHENTICATOR,
+  privateKey: formatPrivateKey(env.SNOWFLAKE_PRIVATE_KEY),
+  privateKeyPass: env.SNOWFLAKE_PRIVATE_KEY_PASSPHRASE,
   warehouse: env.SNOWFLAKE_WAREHOUSE,
-  database: env.SNOWFLAKE_DATABASE,
-  schema: env.SNOWFLAKE_SCHEMA,
   role: env.SNOWFLAKE_ROLE,
 }
 
-export function createSnowflakeConnection() {
+async function getSnowflake() {
+  if (process.env.NEXT_RUNTIME === 'edge') {
+    throw new Error('Snowflake SDK is not supported in Edge Runtime')
+  }
+  // Dynamically import snowflake-sdk to avoid build errors in Edge Runtime
+  return (await import('snowflake-sdk')).default
+}
+
+export async function createSnowflakeConnection(): Promise<Connection> {
+  const snowflake = await getSnowflake()
   return snowflake.createConnection(config)
 }
 
-export async function connectSnowflake(): Promise<snowflake.Connection> {
-  return new Promise((resolve, reject) => {
-    const connection = createSnowflakeConnection()
-    connection.connect((err, conn) => {
-      if (err) reject(err)
-      else resolve(conn)
-    })
+export async function connectSnowflake(): Promise<Connection> {
+  return new Promise(async (resolve, reject) => {
+    try {
+      const connection = await createSnowflakeConnection()
+      connection.connect((err, conn) => {
+        if (err) reject(err)
+        else resolve(conn)
+      })
+    } catch (error) {
+      reject(error)
+    }
   })
 }
 
 export async function executeQuery<T = unknown>(
-  connection: snowflake.Connection,
+  connection: Connection,
   sqlText: string,
   binds?: Bind[]
 ): Promise<T[]> {
@@ -43,7 +92,7 @@ export async function executeQuery<T = unknown>(
   })
 }
 
-export async function destroyConnection(connection: snowflake.Connection): Promise<void> {
+export async function destroyConnection(connection: Connection): Promise<void> {
   return new Promise((resolve, reject) => {
     connection.destroy((err) => {
       if (err) reject(err)

package/template/src/server/api/routes/health/database.ts

@@ -1,7 +1,5 @@
 import { Hono } from 'hono'
-import { db } from '@/server/db'
-import { healthCheckTests } from '@/server/db/schema/health-checks'
-import { eq } from 'drizzle-orm'
+import { supabaseAdmin } from '@/lib/supabase/admin'
 
 export const databaseHealthRoutes = new Hono()
 
@@ -12,24 +10,26 @@ databaseHealthRoutes.post('/write', async (c) => {
 
   try {
     // Delete any existing test row first
-    await db.delete(healthCheckTests).where(eq(healthCheckTests.testKey, TEST_KEY))
+    await supabaseAdmin.from('health_check_tests').delete().eq('test_key', TEST_KEY)
 
     // Insert a new test row
-    const result = await db
-      .insert(healthCheckTests)
-      .values({
-        testKey: TEST_KEY,
-        testValue: `test-${Date.now()}`,
+    const { data: result, error } = await supabaseAdmin
+      .from('health_check_tests')
+      .insert({
+        test_key: TEST_KEY,
+        test_value: `test-${Date.now()}`,
       })
-      .returning()
+      .select()
+
+    if (error) throw error
 
     return c.json({
       status: 'healthy',
       responseTimeMs: Math.round(performance.now() - start),
       message: 'Successfully wrote test row to database',
       data: {
-        id: result[0]?.id,
-        testKey: result[0]?.testKey,
+        id: result?.[0]?.id,
+        testKey: result?.[0]?.test_key,
       },
     })
   } catch (error) {
@@ -48,13 +48,15 @@ databaseHealthRoutes.get('/read', async (c) => {
   const start = performance.now()
 
   try {
-    const result = await db
-      .select()
-      .from(healthCheckTests)
-      .where(eq(healthCheckTests.testKey, TEST_KEY))
+    const { data: result, error } = await supabaseAdmin
+      .from('health_check_tests')
+      .select('*')
+      .eq('test_key', TEST_KEY)
       .limit(1)
 
-    if (result.length === 0) {
+    if (error) throw error
+
+    if (!result || result.length === 0) {
       return c.json({
         status: 'healthy',
         responseTimeMs: Math.round(performance.now() - start),
@@ -70,8 +72,8 @@ databaseHealthRoutes.get('/read', async (c) => {
       data: {
         found: true,
         id: result[0]?.id,
-        testKey: result[0]?.testKey,
-        createdAt: result[0]?.createdAt,
+        testKey: result[0]?.test_key,
+        createdAt: result[0]?.created_at,
       },
     })
   } catch (error) {
@@ -90,18 +92,39 @@ databaseHealthRoutes.delete('/delete', async (c) => {
   const start = performance.now()
 
   try {
-    const result = await db
-      .delete(healthCheckTests)
-      .where(eq(healthCheckTests.testKey, TEST_KEY))
-      .returning()
+    // Check if row exists first
+    const { data: result, error: readError } = await supabaseAdmin
+      .from('health_check_tests')
+      .select('*')
+      .eq('test_key', TEST_KEY)
+      .limit(1)
+
+    if (readError) throw readError
+
+    if (!result || result.length === 0) {
+      return c.json({
+        status: 'healthy',
+        responseTimeMs: Math.round(performance.now() - start),
+        message: 'Database connection successful, but no test row to delete',
+        data: { deleted: false },
+      })
+    }
+
+    // Delete the row
+    const { error: deleteError } = await supabaseAdmin
+      .from('health_check_tests')
+      .delete()
+      .eq('test_key', TEST_KEY)
+
+    if (deleteError) throw deleteError
 
     return c.json({
       status: 'healthy',
       responseTimeMs: Math.round(performance.now() - start),
       message: 'Successfully deleted test row from database',
       data: {
-        deleted: result.length > 0,
-        count: result.length,
+        deleted: true,
+        id: result[0]?.id,
       },
     })
   } catch (error) {
@@ -115,3 +138,4 @@ databaseHealthRoutes.delete('/delete', async (c) => {
     )
   }
 })
+

package/template/src/server/api/routes/health/edge-functions.ts

@@ -8,27 +8,31 @@ edgeFunctionsHealthRoutes.get('/ping', async (c) => {
   const start = performance.now()
 
   try {
-    // Note: This is a placeholder implementation
-    // In a real setup, you would have an actual edge function deployed
-    // and would invoke it using Supabase's invoke function
-
-    // For now, we'll simulate a successful ping by checking the Supabase connection
-    const { data, error } = await supabaseAdmin
-      .from('_test_connection_')
-      .select('*')
-      .limit(1)
+    // Invoke the 'health-check' edge function
+    const { data, error } = await supabaseAdmin.functions.invoke('health-check', {
+      body: { message: 'ping' },
+    })
 
-    // Even if the table doesn't exist, if we get a connection error, we know Supabase is reachable
-    // If we get a different error, it means the connection worked
+    if (error) {
+      // Return detailed error information
+      const errorDetails = error as any
+      return c.json({
+        status: 'error',
+        responseTimeMs: Math.round(performance.now() - start),
+        message: 'Edge Function invocation failed',
+        data: {
+          error: error.message,
+          context: errorDetails.context || 'No context available',
+          hint: 'Ensure the function is deployed: "supabase functions deploy health-check"'
+        }
+      })
+    }
 
     return c.json({
       status: 'healthy',
       responseTimeMs: Math.round(performance.now() - start),
-      message: 'Successfully pinged Supabase (edge functions placeholder)',
-      data: {
-        note: 'This is a placeholder - deploy an actual edge function to test real functionality',
-        supabaseUrl: env.NEXT_PUBLIC_SUPABASE_URL,
-      },
+      message: 'Successfully invoked edge function',
+      data,
     })
   } catch (error) {
     return c.json(
@@ -46,28 +50,56 @@ edgeFunctionsHealthRoutes.get('/auth', async (c) => {
   const start = performance.now()
 
   try {
-    // Note: This is a placeholder implementation
-    // In a real setup, you would invoke an edge function with an auth header
-    // and verify that the function can access and validate the auth token
-
-    // For now, we'll verify that we can create a valid auth header
+    // Verify that we can create a valid auth header and invoke the function
     const authHeader = c.req.header('authorization')
 
+    // If no auth header is provided to the health check endpoint, we can't test the downstream auth
+    if (!authHeader) {
+      return c.json({
+        status: 'warning', // Changed from error to warning/skipped if user isn't logged in
+        responseTimeMs: Math.round(performance.now() - start),
+        message: 'No auth header provided - skipping auth propagation check',
+        data: {
+          skipped: true,
+          reason: 'Client request did not include Authorization header',
+        },
+      })
+    }
+
+    const { data, error } = await supabaseAdmin.functions.invoke('health-check', {
+      body: { message: 'auth-check' },
+      headers: {
+        // We send the auth header in a custom header to verify it can be passed through
+        // We avoid overriding 'Authorization' to prevent Supabase Gateway from rejecting
+        // the request if the Clerk token hasn't been configured in Supabase yet.
+        'x-test-auth': authHeader,
+      },
+    })
+
+    if (error) {
+      // If we get an error from the function, it might be due to auth validation failure
+      // or the function crashing. We want to expose the error message.
+      const errorDetails = error as any
+      throw new Error(`Edge function invocation failed: ${error.message || 'Unknown error'}`)
+    }
+
     return c.json({
       status: 'healthy',
       responseTimeMs: Math.round(performance.now() - start),
-      message: 'Successfully verified auth header capability (edge functions placeholder)',
-      data: {
-        hasAuthHeader: !!authHeader,
-        note: 'This is a placeholder - deploy an actual edge function to test real functionality',
-      },
+      message: 'Successfully verified auth header with edge function',
+      data,
     })
   } catch (error) {
+    // Check if the error is due to a 401/403 from the function itself (which would come as an error response data if handled,
+    // or thrown if using invoke with certain options, but here likely a re-throw)
     return c.json(
       {
         status: 'error',
         responseTimeMs: Math.round(performance.now() - start),
         error: error instanceof Error ? error.message : 'Failed to test auth header',
+        data: {
+           details: error instanceof Error ? error.stack : undefined
+        }
       },
       500
     )

package/template/src/server/api/routes/health/framework.ts

@@ -1,6 +1,5 @@
 import { Hono } from 'hono'
-import { db } from '@/server/db'
-import { sql } from 'drizzle-orm'
+import { supabaseAdmin } from '@/lib/supabase/admin'
 
 export const frameworkHealthRoutes = new Hono()
 
@@ -20,15 +19,19 @@ frameworkHealthRoutes.get('/hono', (c) => {
 frameworkHealthRoutes.get('/drizzle', async (c) => {
   const start = performance.now()
   try {
-    // Simple SELECT 1 to verify ORM connection
-    await db.execute(sql`SELECT 1`)
+    // Note: Edge Runtime doesn't support direct Drizzle + postgres.js connection
+    // We check Supabase connection instead as a proxy for DB health
+    const { error } = await supabaseAdmin.from('health_check_tests').select('count').limit(1)
+    
+    if (error) throw error
     
     return c.json({
       status: 'healthy',
       responseTimeMs: Math.round(performance.now() - start),
-      message: 'Drizzle ORM is connected and executing queries',
+      message: 'Database access via Supabase Client is working (Edge compatible)',
       data: {
-        dialect: 'postgres',
+        mode: 'http-client',
+        platform: 'supabase',
       },
     })
   } catch (error) {
@@ -36,7 +39,7 @@ frameworkHealthRoutes.get('/drizzle', async (c) => {
       {
         status: 'error',
         responseTimeMs: Math.round(performance.now() - start),
-        error: error instanceof Error ? error.message : 'Drizzle ORM check failed',
+        error: error instanceof Error ? error.message : 'Database check failed',
       },
       500
     )

package/template/src/server/api/routes/health/nextbank.ts

@@ -7,7 +7,7 @@ export const nextbankHealthRoutes = new Hono()
 nextbankHealthRoutes.get('/ping', async (c) => {
   const start = performance.now()
 
-  if (!env.NEXTBANK_API_URL || env.NEXTBANK_API_URL === 'placeholder') {
+  if (!env.NEXTBANK_API || env.NEXTBANK_API === 'placeholder') {
     return c.json({
       status: 'unconfigured',
       responseTimeMs: Math.round(performance.now() - start),
@@ -15,43 +15,22 @@ nextbankHealthRoutes.get('/ping', async (c) => {
     })
   }
 
-  try {
-    const result = await nextbankClient.ping()
-    return c.json({
-      status: 'healthy',
-      responseTimeMs: Math.round(performance.now() - start),
-      message: 'Successfully pinged NextBank API',
-      data: result,
-    })
-  } catch (error) {
-    return c.json(
-      {
-        status: 'error',
-        responseTimeMs: Math.round(performance.now() - start),
-        error: error instanceof Error ? error.message : 'Ping failed',
-      },
-      500
-    )
-  }
-})
+  // Generate fingerprint based on request headers
+  const userAgent = c.req.header('user-agent') || 'unknown'
+  const ipAddress = c.req.header('x-forwarded-for')?.split(',')[0] || 
+                    c.req.header('x-real-ip') || 
+                    '127.0.0.1'
+  const acceptLanguage = c.req.header('accept-language') || ''
 
-nextbankHealthRoutes.get('/auth', async (c) => {
-  const start = performance.now()
-
-  if (!env.NEXTBANK_CLIENT_ID || env.NEXTBANK_CLIENT_ID === 'placeholder') {
-    return c.json({
-      status: 'unconfigured',
-      responseTimeMs: Math.round(performance.now() - start),
-      message: 'NextBank OAuth not configured',
-    })
-  }
+  const fingerprintString = `${userAgent}-${ipAddress}-${acceptLanguage}`
+  const fingerprint = Buffer.from(fingerprintString).toString('base64')
 
   try {
-    const result = await nextbankClient.authenticate()
+    const result = await nextbankClient.ping(fingerprint)
     return c.json({
       status: 'healthy',
       responseTimeMs: Math.round(performance.now() - start),
-      message: 'Successfully authenticated with NextBank',
+      message: 'Successfully pinged NextBank API',
       data: result,
     })
   } catch (error) {
@@ -59,7 +38,7 @@ nextbankHealthRoutes.get('/auth', async (c) => {
       {
         status: 'error',
         responseTimeMs: Math.round(performance.now() - start),
-        error: error instanceof Error ? error.message : 'Auth failed',
+        error: error instanceof Error ? error.message : 'Ping failed',
       },
       500
     )

package/template/src/server/api/routes/health/snowflake.ts

@@ -26,8 +26,8 @@ snowflakeHealthRoutes.get('/connect', async (c) => {
       data: {
         account: env.SNOWFLAKE_ACCOUNT,
         warehouse: env.SNOWFLAKE_WAREHOUSE,
-        database: env.SNOWFLAKE_DATABASE,
-        schema: env.SNOWFLAKE_SCHEMA,
+        authenticator: env.SNOWFLAKE_AUTHENTICATOR,
+        role: env.SNOWFLAKE_ROLE,
       },
     })
   } catch (error) {

package/template/src/server/api/routes/health/storage.ts

@@ -86,6 +86,20 @@ storageHealthRoutes.get('/download', async (c) => {
       .from(BUCKET_NAME)
       .createSignedUrl(TEST_FILE_PATH, 60)
 
+    // Handle "Object not found" as a success state for health check
+    // since connectivity is working, but the file just isn't there
+    if (error && error.message.includes('Object not found')) {
+      return c.json({
+        status: 'healthy',
+        responseTimeMs: Math.round(performance.now() - start),
+        message: 'Storage connection successful, but no test file found to download',
+        data: {
+          found: false,
+          path: TEST_FILE_PATH,
+        },
+      })
+    }
+
     if (error) throw error
 
     return c.json({

package/template/src/server/api/routes/users.ts

@@ -1,7 +1,5 @@
 import { Hono } from 'hono'
-import { db } from '@/server/db'
-import { users } from '@/server/db/schema/users'
-import { eq, desc } from 'drizzle-orm'
+import { supabaseAdmin } from '@/lib/supabase/admin'
 
 export const usersRoutes = new Hono()
 
@@ -9,21 +7,14 @@ usersRoutes.get('/', async (c) => {
   const start = performance.now()
 
   try {
-    const allUsers = await db
-      .select({
-        id: users.id,
-        email: users.email,
-        firstName: users.firstName,
-        lastName: users.lastName,
-        imageUrl: users.imageUrl,
-        clerkOrgId: users.clerkOrgId,
-        createdAt: users.createdAt,
-        updatedAt: users.updatedAt,
-      })
-      .from(users)
-      .orderBy(desc(users.createdAt))
+    const { data: allUsers, error } = await supabaseAdmin
+      .from('users')
+      .select('id, email, first_name, last_name, image_url, clerk_org_id, created_at, updated_at')
+      .order('created_at', { ascending: false })
       .limit(100)
 
+    if (error) throw error
+
     return c.json({
       status: 'healthy',
       responseTimeMs: Math.round(performance.now() - start),
@@ -50,22 +41,15 @@ usersRoutes.get('/:id', async (c) => {
   const id = c.req.param('id')
 
   try {
-    const user = await db
-      .select({
-        id: users.id,
-        email: users.email,
-        firstName: users.firstName,
-        lastName: users.lastName,
-        imageUrl: users.imageUrl,
-        clerkOrgId: users.clerkOrgId,
-        createdAt: users.createdAt,
-        updatedAt: users.updatedAt,
-      })
-      .from(users)
-      .where(eq(users.id, id))
+    const { data: user, error } = await supabaseAdmin
+      .from('users')
+      .select('id, email, first_name, last_name, image_url, clerk_org_id, created_at, updated_at')
+      .eq('id', id)
       .limit(1)
 
-    if (user.length === 0) {
+    if (error) throw error
+
+    if (!user || user.length === 0) {
       return c.json(
         {
           status: 'error',

package/template/src/server/db/schema.ts

@@ -1,26 +1 @@
-// Example model schema from the Drizzle docs
-// https://orm.drizzle.team/docs/sql-schema-declaration
-
-import { index, pgTableCreator } from "drizzle-orm/pg-core";
-
-/**
- * This is an example of how to use the multi-project schema feature of Drizzle ORM. Use the same
- * database instance for multiple projects.
- *
- * @see https://orm.drizzle.team/docs/goodies#multi-project-schema
- */
-export const createTable = pgTableCreator((name) => `dtt-framework_${name}`);
-
-export const posts = createTable(
-  "post",
-  (d) => ({
-    id: d.integer().primaryKey().generatedByDefaultAsIdentity(),
-    name: d.varchar({ length: 256 }),
-    createdAt: d
-      .timestamp({ withTimezone: true })
-      .$defaultFn(() => /* @__PURE__ */ new Date())
-      .notNull(),
-    updatedAt: d.timestamp({ withTimezone: true }).$onUpdate(() => new Date()),
-  }),
-  (t) => [index("name_idx").on(t.name)],
-);
+export * from "./schema/index";

package/template/tsconfig.json

@@ -39,5 +39,5 @@
     "**/*.js",
     ".next/types/**/*.ts"
   ],
-  "exclude": ["node_modules", "generated", "cli", "src/test", "**/*.test.ts", "**/*.test.tsx", "vitest.config.ts", "drizzle.config.ts"]
+  "exclude": ["node_modules", "generated", "cli", "src/test", "**/*.test.ts", "**/*.test.tsx", "vitest.config.ts", "drizzle.config.ts", "supabase"]
 }