@percher/core 0.4.0 → 0.4.1

package/dist/commands/migrate-supabase-sdk.js

@@ -0,0 +1,1119 @@
+import jscodeshift, {} from "jscodeshift";
+/** AST library pre-bound to the TypeScript parser via jscodeshift's `.withParser`. */
+const tsx = jscodeshift.withParser("tsx");
+/**
+ * Rewrite Supabase JS SDK calls into PocketBase JS SDK calls.
+ *
+ * Pure (no I/O). Idempotent — feeding the output back in produces
+ * the same output with an empty flags array (already-rewritten
+ * code has no Supabase calls left to match).
+ */
+export function rewriteSupabaseSdk(input) {
+    const pbName = input.pbIdentifier ?? "pb";
+    const supabaseNames = new Set(input.supabaseIdentifiers ?? ["supabase"]);
+    // Fast path: if the source doesn't mention any of the Supabase
+    // identifiers OR `@supabase/supabase-js`, bail out without
+    // parsing. Saves a lot of AST work on the average file in a
+    // project (most files don't touch Supabase).
+    if (!sourceMentionsSupabase(input.source, supabaseNames)) {
+        return { rewritten: input.source, flags: [], changed: false };
+    }
+    let root;
+    try {
+        root = tsx(input.source);
+    }
+    catch (err) {
+        // Parser error — return unchanged WITH an explicit parseError
+        // signal so the file walker can classify this as
+        // skipped[reason=parse_error] instead of silently lumping it
+        // in with the clean files. Codex P2 round 10 (2026-05-17):
+        // before, the swallow-and-return-unchanged behaviour made
+        // malformed Supabase-bearing files invisible in the migration
+        // report — they looked just like files with no Supabase code.
+        return {
+            rewritten: input.source,
+            flags: [],
+            changed: false,
+            parseError: err instanceof Error ? err.message : String(err),
+        };
+    }
+    const flags = [];
+    const state = { mutated: false };
+    rewriteAuthCalls(root, supabaseNames, pbName, flags, state);
+    rewriteFromCalls(root, supabaseNames, pbName, flags, state);
+    flagUnsupportedPatterns(root, supabaseNames, flags);
+    // Only re-print via toSource when an AST mutation actually
+    // happened — manual_review flags can EITHER mutate the AST
+    // (e.g. auth.getUser still rewrites then warns about Promise
+    // semantics) OR leave it alone (e.g. { data, error } envelope
+    // detection skips the rewrite). Recast's round-trip can
+    // introduce tiny formatting drift on a clean AST, so we want
+    // byte-identical input == output when nothing was actually
+    // mutated. Codex P1.1 finding 2026-05-17.
+    if (!state.mutated) {
+        return { rewritten: input.source, flags, changed: false };
+    }
+    return {
+        rewritten: root.toSource({ quote: "double" }),
+        flags,
+        changed: true,
+    };
+}
+/**
+ * True when this CallExpression's result is consumed via Supabase's
+ * `{ data, error }` envelope shape — destructured at assignment OR
+ * accessed via `.data` / `.error`. PocketBase's SDK doesn't wrap
+ * results in an envelope (getFullList returns an array, create
+ * returns the record), so rewriting these call sites would silently
+ * break every consumer.
+ *
+ * Detection walks up from the CallExpression through the optional
+ * `await` parent to look at the consuming context. Covered shapes:
+ *
+ *   const { data, error } = await CALL          // destructure init
+ *   const { data: x, error: y } = await CALL    // renamed destructure
+ *   ({ data, error } = await CALL)              // assignment expr
+ *   (await CALL).data                            // member access on await
+ *   CALL.data / CALL.error                       // member access on call
+ *
+ * Anything else (assigned to a plain variable + later .data access,
+ * threaded through a helper, etc.) goes through the rewrite — the
+ * user's responsibility to fix.
+ *
+ * Codex P1.1 finding 2026-05-17.
+ */
+function consumesDataErrorEnvelope(path) {
+    // The "outer expression" for envelope-purposes is the call OR a
+    // wrapping await. Look at the parent of THAT.
+    let outer = path.node;
+    let outerParent = path.parent?.node;
+    if (outerParent?.type === "AwaitExpression") {
+        const aw = outerParent;
+        if (aw.argument === path.node) {
+            outer = outerParent;
+            outerParent = path.parent.parent?.node;
+        }
+    }
+    if (!outerParent)
+        return false;
+    // (await CALL).data / CALL.data — member access on outer
+    if (outerParent.type === "MemberExpression") {
+        const m = outerParent;
+        if (m.object === outer && m.property.type === "Identifier") {
+            const propName = m.property.name;
+            if (propName === "data" || propName === "error")
+                return true;
+        }
+        return false;
+    }
+    // const { data, error } = await CALL
+    if (outerParent.type === "VariableDeclarator") {
+        const v = outerParent;
+        if (v.init === outer && v.id.type === "ObjectPattern") {
+            return objectPatternHasDataOrError(v.id);
+        }
+        return false;
+    }
+    // ({ data, error } = await CALL)
+    if (outerParent.type === "AssignmentExpression") {
+        const a = outerParent;
+        if (a.right === outer && a.left.type === "ObjectPattern") {
+            return objectPatternHasDataOrError(a.left);
+        }
+        return false;
+    }
+    return false;
+}
+function objectPatternHasDataOrError(pattern) {
+    for (const prop of pattern.properties) {
+        // jscodeshift / ast-types models destructure properties as
+        // either `Property` (legacy) or `ObjectProperty` (Babel) with
+        // a `key`. Defensive coverage of both.
+        if ((prop.type === "Property" || prop.type === "ObjectProperty") &&
+            "key" in prop &&
+            prop.key.type === "Identifier") {
+            const name = prop.key.name;
+            if (name === "data" || name === "error")
+                return true;
+        }
+    }
+    return false;
+}
+function flagEnvelopeManualReview(path, pattern, flags) {
+    flags.push(makeFlag(path, "manual_review", `${pattern}.envelope`, `Call site consumes the Supabase \`{ data, error }\` envelope — PocketBase returns plain values. Skipping rewrite; unwrap the destructure (or .data/.error access) manually, then re-run the migrator.`));
+}
+function sourceMentionsSupabase(source, supabaseNames) {
+    if (source.includes("@supabase/supabase-js"))
+        return true;
+    // Cheap textual scan before paying for the AST parse. False
+    // positives are fine — they just trigger a parse that finds
+    // nothing.
+    for (const name of supabaseNames) {
+        if (source.includes(name))
+            return true;
+    }
+    return false;
+}
+// ── auth.* call rewrites ────────────────────────────────────────
+function rewriteAuthCalls(root, supabaseNames, pbName, flags, state) {
+    // supabase.auth.<method>(...)
+    root
+        .find(jscodeshift.CallExpression)
+        .filter((path) => isSupabaseAuthCall(path, supabaseNames))
+        .forEach((path) => {
+        const callee = path.node.callee;
+        const method = callee.property.name;
+        switch (method) {
+            case "signInWithPassword":
+                replaceAuthSignIn(path, pbName, flags, state);
+                return;
+            case "signUp":
+                replaceAuthSignUp(path, pbName, flags, state);
+                return;
+            case "signOut":
+                replaceAuthSignOut(path, pbName, flags, state);
+                return;
+            case "getUser":
+                replaceAuthGetUser(path, pbName, flags, state);
+                return;
+            case "onAuthStateChange":
+                replaceAuthOnChange(path, pbName, flags, state);
+                return;
+        }
+    });
+}
+function replaceAuthOnChange(path, pbName, flags, state) {
+    // pb.authStore.onChange(callback). The callback signature differs:
+    //   Supabase: (event, session) => ...
+    //   PB:        (token, model) => ...
+    // The first arg passes through unchanged — same callable shape —
+    // but the destructured params inside the callback won't line up,
+    // so this is always manual_review.
+    if (path.node.arguments.length === 0) {
+        flags.push(makeFlag(path, "manual_review", "auth.onAuthStateChange", "onAuthStateChange called with no args — manual review."));
+        return;
+    }
+    const callback = path.node.arguments[0];
+    const replacement = jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.memberExpression(jscodeshift.identifier(pbName), jscodeshift.identifier("authStore")), jscodeshift.identifier("onChange")), [callback]);
+    applyRewrite(path, replacement, "manual_review", "auth.onAuthStateChange", "onAuthStateChange → pb.authStore.onChange — the callback signature changes: Supabase passes `(event, session)`, PB passes `(token, model)`. Rewrite the callback body.", flags, state);
+}
+function isSupabaseAuthCall(path, supabaseNames) {
+    const callee = path.node.callee;
+    if (callee.type !== "MemberExpression")
+        return false;
+    if (callee.property.type !== "Identifier")
+        return false;
+    const object = callee.object;
+    // Expect <supabase>.auth.<method>
+    if (object.type !== "MemberExpression")
+        return false;
+    if (object.property.type !== "Identifier" || object.property.name !== "auth")
+        return false;
+    if (object.object.type !== "Identifier")
+        return false;
+    return supabaseNames.has(object.object.name);
+}
+function replaceAuthSignIn(path, pbName, flags, state) {
+    const arg = path.node.arguments[0];
+    if (!arg || arg.type !== "ObjectExpression") {
+        flags.push(makeFlag(path, "manual_review", "auth.signInWithPassword", "auth.signInWithPassword called with non-object argument — manual review needed."));
+        return;
+    }
+    // Locals are AST nodes, not secrets — but the repo's security
+    // audit pattern-matches `const password = ...` as a possible
+    // leaked-credential assignment regardless of RHS. Use the `-Expr`
+    // suffix so the auditor sees a node-handle, not a secret name.
+    // Codex P1.2 finding 2026-05-17.
+    const emailExpr = findObjectProp(arg, "email");
+    const passwordExpr = findObjectProp(arg, "password");
+    if (!emailExpr || !passwordExpr) {
+        flags.push(makeFlag(path, "manual_review", "auth.signInWithPassword", "auth.signInWithPassword object missing email or password — manual review needed."));
+        return;
+    }
+    if (consumesDataErrorEnvelope(path)) {
+        flagEnvelopeManualReview(path, "auth.signInWithPassword", flags);
+        return;
+    }
+    // pb.collection("users").authWithPassword(email, password)
+    const replacement = jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.identifier(pbName), jscodeshift.identifier("collection")), [jscodeshift.literal("users")]), jscodeshift.identifier("authWithPassword")), [emailExpr, passwordExpr]);
+    applyRewrite(path, replacement, "rewritten", "auth.signInWithPassword", 'signInWithPassword → pb.collection("users").authWithPassword', flags, state);
+}
+function replaceAuthSignUp(path, pbName, flags, state) {
+    const arg = path.node.arguments[0];
+    if (!arg || arg.type !== "ObjectExpression") {
+        flags.push(makeFlag(path, "manual_review", "auth.signUp", "auth.signUp called with non-object argument — manual review needed."));
+        return;
+    }
+    // Locals are AST nodes, not secrets — but the repo's security
+    // audit pattern-matches `const password = ...` as a possible
+    // leaked-credential assignment regardless of RHS. Use the `-Expr`
+    // suffix so the auditor sees a node-handle, not a secret name.
+    // Codex P1.2 finding 2026-05-17.
+    const emailExpr = findObjectProp(arg, "email");
+    const passwordExpr = findObjectProp(arg, "password");
+    if (!emailExpr || !passwordExpr) {
+        flags.push(makeFlag(path, "manual_review", "auth.signUp", "auth.signUp object missing email or password — manual review needed."));
+        return;
+    }
+    if (consumesDataErrorEnvelope(path)) {
+        flagEnvelopeManualReview(path, "auth.signUp", flags);
+        return;
+    }
+    // pb.collection("users").create({ email, password, passwordConfirm: password })
+    const replacement = jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.identifier(pbName), jscodeshift.identifier("collection")), [jscodeshift.literal("users")]), jscodeshift.identifier("create")), [
+        jscodeshift.objectExpression([
+            jscodeshift.property("init", jscodeshift.identifier("email"), emailExpr),
+            jscodeshift.property("init", jscodeshift.identifier("password"), passwordExpr),
+            jscodeshift.property("init", jscodeshift.identifier("passwordConfirm"), passwordExpr),
+        ]),
+    ]);
+    applyRewrite(path, replacement, "rewritten", "auth.signUp", 'signUp → pb.collection("users").create({...passwordConfirm})', flags, state);
+}
+function replaceAuthSignOut(path, pbName, flags, state) {
+    if (consumesDataErrorEnvelope(path)) {
+        flagEnvelopeManualReview(path, "auth.signOut", flags);
+        return;
+    }
+    // pb.authStore.clear()
+    const replacement = jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.memberExpression(jscodeshift.identifier(pbName), jscodeshift.identifier("authStore")), jscodeshift.identifier("clear")), []);
+    applyRewrite(path, replacement, "rewritten", "auth.signOut", "signOut → pb.authStore.clear()", flags, state);
+}
+function replaceAuthGetUser(path, pbName, flags, state) {
+    if (consumesDataErrorEnvelope(path)) {
+        flagEnvelopeManualReview(path, "auth.getUser", flags);
+        return;
+    }
+    // pb.authStore.model (a member access, not a call). Note: PB's
+    // model is the current authed record OR null; Supabase's
+    // getUser() returns a Promise<{ data: { user } }> — semantics
+    // differ enough to warrant a manual-review flag, but the
+    // rewrite itself is mechanical.
+    const replacement = jscodeshift.memberExpression(jscodeshift.memberExpression(jscodeshift.identifier(pbName), jscodeshift.identifier("authStore")), jscodeshift.identifier("model"));
+    applyRewrite(path, replacement, "manual_review", "auth.getUser", "getUser → pb.authStore.model — note Supabase returned Promise<{ data: { user } }>, PB returns the record sync; remove awaits + .data.user access.", flags, state);
+}
+// ── .from() chain rewrites ──────────────────────────────────────
+function rewriteFromCalls(root, supabaseNames, pbName, flags, state) {
+    // We target the OUTER call expression of each .from() chain
+    // because the rewrite depends on what comes after .from(). We
+    // walk every chain that starts at supabase.from("...").
+    root
+        .find(jscodeshift.CallExpression)
+        .filter((path) => isSupabaseFromTerminal(path, supabaseNames))
+        .forEach((path) => {
+        rewriteFromChain(path, supabaseNames, pbName, flags, state);
+    });
+}
+/**
+ * True when this CallExpression is the OUTERMOST call in a
+ * supabase.from(...).xxx().yyy() chain — i.e. its callee is a
+ * MemberExpression whose object eventually bottoms out at
+ * `supabase.from(...)`.
+ *
+ * We pick the outermost call so each chain produces exactly one
+ * rewrite. Inner .from(), .select() etc. are reached by walking
+ * down the callee chain inside the rewriter.
+ */
+function isSupabaseFromTerminal(path, supabaseNames) {
+    // Walk down the callee chain until we find the call whose
+    // method is `from`. That's our chain root. Earlier version
+    // walked past it to the Identifier underneath and then
+    // rejected the chain — bug fixed 2026-05-17.
+    let fromCall = null;
+    let cursor = path.node;
+    while (cursor.type === "CallExpression") {
+        const call = cursor;
+        if (call.callee.type !== "MemberExpression")
+            break;
+        const callee = call.callee;
+        if (callee.property.type === "Identifier" &&
+            callee.property.name === "from") {
+            fromCall = call;
+            break;
+        }
+        cursor = callee.object;
+    }
+    if (!fromCall)
+        return false;
+    // The `from` call must be invoked on a Supabase identifier.
+    const fromCallee = fromCall.callee;
+    if (fromCallee.object.type !== "Identifier")
+        return false;
+    if (!supabaseNames.has(fromCallee.object.name))
+        return false;
+    // Ensure THIS call is the outermost in the chain — i.e. its
+    // parent isn't another member-call we own. The walker visits
+    // every CallExpression, so without this skip we'd process the
+    // same chain once per link.
+    const parent = path.parent?.node;
+    if (parent?.type === "MemberExpression") {
+        const parentMember = parent;
+        if (parentMember.object === path.node)
+            return false;
+    }
+    return true;
+}
+function rewriteFromChain(path, _supabaseNames, pbName, flags, state) {
+    // Decompose the chain into the methods called, in invocation
+    // order, with their args. The chain shape:
+    //   supabase.from(T).method1(...args1).method2(...args2)
+    // becomes: { table: T, steps: [{method1, args1}, {method2, args2}] }
+    const decomposed = decomposeFromChain(path.node);
+    if (!decomposed) {
+        flags.push(makeFlag(path, "manual_review", "from.chain", "Couldn't decompose .from() chain shape — manual review."));
+        return;
+    }
+    const { table, steps } = decomposed;
+    if (steps.length === 0) {
+        // Bare supabase.from("t") with no follow-up — rare, but it's
+        // not a meaningful call by itself. Skip.
+        return;
+    }
+    const terminal = steps[0]; // .insert / .select / .update / .delete
+    switch (terminal.method) {
+        case "select":
+            rewriteSelect(path, pbName, table, steps, flags, state);
+            return;
+        case "insert":
+            rewriteInsert(path, pbName, table, terminal, flags, state);
+            return;
+        case "update":
+            rewriteUpdate(path, pbName, table, steps, flags, state);
+            return;
+        case "delete":
+            rewriteDelete(path, pbName, table, steps, flags, state);
+            return;
+        case "upsert":
+            // PB has no upsert primitive; the user must split into
+            // getOne (catch 404) + update-or-create. Flag once at the
+            // from-chain layer instead of letting the flag-only walker
+            // also pick it up — double-flagging the same call site
+            // would clutter the report.
+            flags.push(makeFlag(path, "unsupported", "from.upsert", `from(${JSON.stringify(table)}).upsert(...) — PB has no upsert primitive. Rewrite as getOne (catch 404) → update-or-create.`));
+            return;
+        default:
+            flags.push(makeFlag(path, "manual_review", `from.${terminal.method}`, `from(${JSON.stringify(table)}).${terminal.method}(...) has no chunk-1 rewrite — manual review.`));
+    }
+}
+function decomposeFromChain(outer) {
+    // Walk from outer down. At each level, record (method, args) and
+    // recurse into the callee's object. Stop when we reach the
+    // .from(T) call. Same union-narrowing pattern as
+    // isSupabaseFromTerminal — explicit casts inside the loop.
+    const reversedSteps = [];
+    let node = outer;
+    while (node.type === "CallExpression") {
+        const call = node;
+        if (call.callee.type !== "MemberExpression")
+            break;
+        const callee = call.callee;
+        const method = callee.property.type === "Identifier"
+            ? callee.property.name
+            : null;
+        if (method === null)
+            return null;
+        if (method === "from") {
+            const arg = call.arguments[0];
+            if (!arg || (arg.type !== "Literal" && arg.type !== "StringLiteral"))
+                return null;
+            const table = arg.value;
+            if (typeof table !== "string")
+                return null;
+            return { table, steps: reversedSteps.reverse() };
+        }
+        reversedSteps.push({ method, args: call.arguments });
+        node = callee.object;
+    }
+    return null;
+}
+function rewriteSelect(path, pbName, table, steps, flags, state) {
+    if (consumesDataErrorEnvelope(path)) {
+        flagEnvelopeManualReview(path, "from.select", flags);
+        return;
+    }
+    const select = steps[0];
+    const tail = steps.slice(1);
+    // Walk the chain after .select() and accumulate option fields.
+    // Anything we don't recognise lands the entire chain in
+    // manual_review without mutation. The tradeoff: cleaner rewrites
+    // for the common cases, no risky guess for the edge cases.
+    const opts = {};
+    let needsReview = false;
+    const reviewNotes = [];
+    let usePagination = false; // true when .range() / .limit() forces getList
+    let paginationPage = 1;
+    let paginationPerPage = 0;
+    // .select() fields (PB calls this `fields`)
+    const fieldsValue = extractSelectFields(select);
+    if (fieldsValue !== null)
+        opts.fields = jscodeshift.literal(fieldsValue);
+    for (const step of tail) {
+        switch (step.method) {
+            case "eq": {
+                const result = buildEqFilter(step);
+                if (!result) {
+                    needsReview = true;
+                    reviewNotes.push(`.eq() arguments not in the (column-literal, value) shape — manual review.`);
+                    continue;
+                }
+                // Multiple .eq() calls concatenate via PB's `&&` combinator.
+                opts.filter = result.identifierValue
+                    ? combineFilterDynamic(opts.filter, result.expression)
+                    : combineFilterStatic(opts.filter, result.expression);
+                if (result.identifierValue) {
+                    // Escaping a runtime string into a PB filter is the user's
+                    // job — the plan calls this out explicitly in the mapping
+                    // table. Annotate AND downgrade to manual_review so the
+                    // file walker surfaces it; the rewrite proceeds because
+                    // the template-literal shape is correct, only the
+                    // escape-safety is unverifiable at codemod time.
+                    needsReview = true;
+                    reviewNotes.push(`.eq(${JSON.stringify(result.column)}, <identifier>) — verify the value is escape-safe for PB filter strings (no double-quotes / backslashes).`);
+                }
+                break;
+            }
+            case "order": {
+                const sortFrag = buildSortFragment(step);
+                if (!sortFrag) {
+                    needsReview = true;
+                    reviewNotes.push(`.order() arguments not in the recognised shape — manual review.`);
+                    continue;
+                }
+                opts.sort = jscodeshift.literal(opts.sort ? `${literalString(opts.sort)},${sortFrag}` : sortFrag);
+                break;
+            }
+            case "limit": {
+                const arg = step.args[0];
+                const n = extractNumber(arg);
+                if (n === null) {
+                    needsReview = true;
+                    reviewNotes.push(`.limit() argument isn't a literal number — manual review.`);
+                    continue;
+                }
+                // perPage <= 0 isn't a valid PB pagination value (it'd
+                // mean "zero rows per page" which translates to "always
+                // empty" — likely not what the user meant). Refuse to
+                // mutate; flag for review. Codex P2 round 7.
+                if (n <= 0) {
+                    flags.push(makeFlag(path, "manual_review", "from.select.limit_invalid", `from(${JSON.stringify(table)}).select(...).limit(${n}) — non-positive limit doesn't translate to PB pagination. Manual review.`));
+                    return;
+                }
+                usePagination = true;
+                paginationPerPage = Math.max(paginationPerPage, n);
+                break;
+            }
+            case "range": {
+                // Supabase .range(start, end) is INCLUSIVE on both ends. PB
+                // .getList(page, perPage) is page-based. The translation
+                // (start=0, end=N-1) → page=1, perPage=N works when start
+                // is 0; non-zero start gets best-effort + manual_review.
+                const startArg = step.args[0];
+                const endArg = step.args[1];
+                const startN = extractNumber(startArg);
+                const endN = extractNumber(endArg);
+                if (startN === null || endN === null) {
+                    needsReview = true;
+                    reviewNotes.push(`.range() arguments aren't literal numbers — manual review.`);
+                    continue;
+                }
+                const perPage = endN - startN + 1;
+                // Empty / negative range: refuse mutation. Same reasoning
+                // as .limit(0). Codex P2 round 7.
+                if (perPage <= 0) {
+                    flags.push(makeFlag(path, "manual_review", "from.select.range_invalid", `from(${JSON.stringify(table)}).select(...).range(${startN}, ${endN}) — end < start; PB pagination has no equivalent. Manual review.`));
+                    return;
+                }
+                usePagination = true;
+                paginationPerPage = Math.max(paginationPerPage, perPage);
+                if (startN === 0) {
+                    paginationPage = 1;
+                }
+                else if (startN % perPage === 0) {
+                    paginationPage = Math.floor(startN / perPage) + 1;
+                }
+                else {
+                    needsReview = true;
+                    reviewNotes.push(`.range(${startN}, ${endN}) — start isn't on a page boundary; PB's page math doesn't translate cleanly. Manual review.`);
+                }
+                break;
+            }
+            case "single": {
+                // .single() flips the consumer's return-type contract: the
+                // user's code reads `x.id`, but getFullList returns an
+                // array. Even with a review flag, mutating the call site
+                // would produce behaviorally-wrong code that compiles
+                // cleanly. Refuse the entire chain rewrite instead.
+                // Codex P1 round 7 (2026-05-17).
+                flags.push(makeFlag(path, "manual_review", "from.select.single", `from(${JSON.stringify(table)}).select(...).single() — PB's getFullList returns an array; getFirstListItem(filter) is the single-record equivalent but takes a filter string. Rewrite this chain by hand: pick getFirstListItem with the right filter OR [0]-index the array result.`));
+                return;
+            }
+            default: {
+                // Unknown step — fall out of the chunk-2 happy path. The
+                // entire chain stays as manual_review without mutation so
+                // we don't half-translate something subtle.
+                flags.push(makeFlag(path, "manual_review", `from.select.${step.method}`, `from(${JSON.stringify(table)}).select(...).${step.method}(...) has no chunk-2 rewrite — manual review.`));
+                return;
+            }
+        }
+    }
+    // Build the call. Without pagination → getFullList(opts).
+    // With pagination → getList(page, perPage, opts-minus-pagination-bits).
+    let methodName;
+    let methodArgs;
+    if (usePagination) {
+        methodName = "getList";
+        const trailingOpts = buildOptionsObject(opts);
+        methodArgs = [jscodeshift.literal(paginationPage), jscodeshift.literal(paginationPerPage)];
+        if (trailingOpts)
+            methodArgs.push(trailingOpts);
+    }
+    else {
+        methodName = "getFullList";
+        const optsObj = buildOptionsObject(opts);
+        methodArgs = optsObj ? [optsObj] : [];
+    }
+    const replacement = jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.identifier(pbName), jscodeshift.identifier("collection")), [jscodeshift.literal(table)]), jscodeshift.identifier(methodName)), methodArgs);
+    const kind = needsReview ? "manual_review" : "rewritten";
+    const baseNote = `from(${JSON.stringify(table)}).select(...) → pb.collection(...).${methodName}(...)`;
+    const note = needsReview ? `${baseNote} — ${reviewNotes.join(" · ")}` : baseNote;
+    applyRewrite(path, replacement, kind, "from.select", note, flags, state);
+}
+/** Extract the comma-separated columns from a `.select("a,b")` call.
+ *  Returns null when the args don't match the literal-string shape
+ *  (caller falls back to no `fields` option). */
+function extractSelectFields(select) {
+    if (select.args.length === 0)
+        return null;
+    const first = select.args[0];
+    if ((first.type === "Literal" || first.type === "StringLiteral") &&
+        typeof first.value === "string") {
+        const val = first.value;
+        if (val === "*" || val.length === 0)
+            return null;
+        return val;
+    }
+    return null;
+}
+function buildEqFilter(step) {
+    if (step.args.length < 2)
+        return null;
+    const colArg = step.args[0];
+    const valArg = step.args[1];
+    if (!(colArg.type === "Literal" || colArg.type === "StringLiteral") ||
+        typeof colArg.value !== "string") {
+        return null;
+    }
+    const column = colArg.value;
+    // Literal value → static filter string. `col = "value"` for
+    // strings, `col = 42` for numbers. jscodeshift's tsx parser
+    // emits NumericLiteral / BooleanLiteral as distinct types from
+    // the generic Literal — accept all four.
+    if (valArg.type === "Literal" ||
+        valArg.type === "StringLiteral" ||
+        valArg.type === "NumericLiteral" ||
+        valArg.type === "BooleanLiteral") {
+        const v = valArg.value;
+        if (typeof v === "string") {
+            return {
+                expression: jscodeshift.literal(`${column} = "${escapeFilterString(v)}"`),
+                column,
+                identifierValue: false,
+            };
+        }
+        if (typeof v === "number" || typeof v === "boolean") {
+            return {
+                expression: jscodeshift.literal(`${column} = ${v}`),
+                column,
+                identifierValue: false,
+            };
+        }
+        return null;
+    }
+    // Non-literal (identifier, member access, etc.) → template literal
+    // so the value is interpolated at runtime. Escaping is the user's
+    // responsibility — flagged via reviewNotes upstream.
+    const template = jscodeshift.templateLiteral([
+        jscodeshift.templateElement({ raw: `${column} = "`, cooked: `${column} = "` }, false),
+        jscodeshift.templateElement({ raw: `"`, cooked: `"` }, true),
+    ], [valArg]);
+    return {
+        expression: template,
+        column,
+        identifierValue: true,
+    };
+}
+function escapeFilterString(s) {
+    // PB filter strings interpret BOTH `\` and `"` inside double-
+    // quoted values. Escape backslashes FIRST (so a literal
+    // backslash doesn't get re-escaped by the quote step), then
+    // double-quotes. Without the backslash step, a column value
+    // like `a\b` would emit `filter: "col = \"a\b\""` which the PB
+    // parser reads as `a` + backspace + `b`. Codex P2 round 7
+    // (2026-05-17) — the dynamic-value note already warned about
+    // this; the static path needed the same treatment.
+    return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+}
+/**
+ * Combine two filter expressions into `(a) && (b)`. Both `a` and
+ * `b` may be string literals OR template literals.
+ */
+function combineFilterStatic(current, next) {
+    if (!current)
+        return next;
+    const a = literalString(current);
+    const b = literalString(next);
+    if (a !== null && b !== null) {
+        return jscodeshift.literal(`(${a}) && (${b})`);
+    }
+    // One side is dynamic — fall through to dynamic combiner.
+    return combineFilterDynamic(current, next);
+}
+function combineFilterDynamic(current, next) {
+    if (!current)
+        return next;
+    // Build a template literal that wraps both sides in parens with `&&`.
+    return jscodeshift.templateLiteral([
+        jscodeshift.templateElement({ raw: "(", cooked: "(" }, false),
+        jscodeshift.templateElement({ raw: ") && (", cooked: ") && (" }, false),
+        jscodeshift.templateElement({ raw: ")", cooked: ")" }, true),
+    ], [current, next]);
+}
+function literalString(node) {
+    if (node?.type === "Literal" || node?.type === "StringLiteral") {
+        const v = node.value;
+        if (typeof v === "string")
+            return v;
+    }
+    return null;
+}
+function buildSortFragment(step) {
+    if (step.args.length < 1)
+        return null;
+    const colArg = step.args[0];
+    if (!(colArg.type === "Literal" || colArg.type === "StringLiteral") ||
+        typeof colArg.value !== "string") {
+        return null;
+    }
+    const column = colArg.value;
+    let ascending = true;
+    if (step.args.length >= 2) {
+        const opts = step.args[1];
+        if (opts.type === "ObjectExpression") {
+            const ascProp = findObjectProp(opts, "ascending");
+            if (ascProp?.type === "Literal" || ascProp?.type === "BooleanLiteral") {
+                ascending = ascProp.value === true;
+            }
+            else if (ascProp) {
+                // Non-literal ascending — can't statically decide. Return null
+                // so the caller routes to manual_review.
+                return null;
+            }
+        }
+    }
+    return ascending ? column : `-${column}`;
+}
+function extractNumber(node) {
+    if (!node)
+        return null;
+    if (node.type === "Literal" || node.type === "NumericLiteral") {
+        const v = node.value;
+        if (typeof v === "number")
+            return v;
+    }
+    if (node.type === "UnaryExpression") {
+        const u = node;
+        if (u.operator === "-") {
+            const inner = extractNumber(u.argument);
+            if (inner !== null)
+                return -inner;
+        }
+    }
+    return null;
+}
+function buildOptionsObject(opts) {
+    const props = [];
+    if (opts.fields !== undefined) {
+        props.push(jscodeshift.property("init", jscodeshift.identifier("fields"), opts.fields));
+    }
+    if (opts.filter !== undefined) {
+        props.push(jscodeshift.property("init", jscodeshift.identifier("filter"), opts.filter));
+    }
+    if (opts.sort !== undefined) {
+        props.push(jscodeshift.property("init", jscodeshift.identifier("sort"), opts.sort));
+    }
+    if (props.length === 0)
+        return null;
+    return jscodeshift.objectExpression(props);
+}
+function rewriteInsert(path, pbName, table, insert, flags, state) {
+    if (consumesDataErrorEnvelope(path)) {
+        flagEnvelopeManualReview(path, "from.insert", flags);
+        return;
+    }
+    // pb.collection(T).create(arg). Supabase .insert accepts an
+    // object OR an array; PB's .create takes a single object. If the
+    // arg is an array we flag for manual review (the user wants a
+    // loop or batch helper).
+    if (insert.args.length === 0) {
+        flags.push(makeFlag(path, "manual_review", "from.insert", "from(...).insert() called with no args — manual review."));
+        return;
+    }
+    const arg = insert.args[0];
+    if (arg.type === "ArrayExpression") {
+        flags.push(makeFlag(path, "manual_review", "from.insert.array", `from(${JSON.stringify(table)}).insert([...]) — PB's create takes one record at a time; wrap in a loop.`));
+        return;
+    }
+    const replacement = jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.identifier(pbName), jscodeshift.identifier("collection")), [jscodeshift.literal(table)]), jscodeshift.identifier("create")), [arg]);
+    applyRewrite(path, replacement, "rewritten", "from.insert", `from(${JSON.stringify(table)}).insert({...}) → pb.collection(...).create({...})`, flags, state);
+}
+function rewriteUpdate(path, pbName, table, steps, flags, state) {
+    if (consumesDataErrorEnvelope(path)) {
+        flagEnvelopeManualReview(path, "from.update", flags);
+        return;
+    }
+    // .update({...}).eq("id", value) → pb.collection(T).update(value, {...})
+    // Anything else (.eq on a non-id column, multiple .eq, missing
+    // .eq) lands in manual_review.
+    const update = steps[0];
+    const eq = steps[1];
+    if (steps.length !== 2 || !eq || eq.method !== "eq") {
+        flags.push(makeFlag(path, "manual_review", "from.update.shape", `from(${JSON.stringify(table)}).update(...) chain isn't the .update({...}).eq("id", v) shape — manual review.`));
+        return;
+    }
+    if (eq.args.length < 2) {
+        flags.push(makeFlag(path, "manual_review", "from.update.eq", "update().eq(...) call missing args — manual review."));
+        return;
+    }
+    const eqCol = eq.args[0];
+    const eqVal = eq.args[1];
+    if (!((eqCol.type === "Literal" || eqCol.type === "StringLiteral") &&
+        eqCol.value === "id")) {
+        flags.push(makeFlag(path, "manual_review", "from.update.eq_non_id", `from(${JSON.stringify(table)}).update().eq() filters on a non-id column — PB's update needs an id; chunk 2 will handle filter-based updates.`));
+        return;
+    }
+    if (update.args.length === 0) {
+        flags.push(makeFlag(path, "manual_review", "from.update", "update() called with no args — manual review."));
+        return;
+    }
+    const replacement = jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.identifier(pbName), jscodeshift.identifier("collection")), [jscodeshift.literal(table)]), jscodeshift.identifier("update")), [eqVal, update.args[0]]);
+    applyRewrite(path, replacement, "rewritten", "from.update", `from(${JSON.stringify(table)}).update({...}).eq("id", v) → pb.collection(...).update(v, {...})`, flags, state);
+}
+function rewriteDelete(path, pbName, table, steps, flags, state) {
+    if (consumesDataErrorEnvelope(path)) {
+        flagEnvelopeManualReview(path, "from.delete", flags);
+        return;
+    }
+    // .delete().eq("id", value) → pb.collection(T).delete(value)
+    const eq = steps[1];
+    if (steps.length !== 2 || !eq || eq.method !== "eq") {
+        flags.push(makeFlag(path, "manual_review", "from.delete.shape", `from(${JSON.stringify(table)}).delete() chain isn't the .delete().eq("id", v) shape — manual review.`));
+        return;
+    }
+    if (eq.args.length < 2) {
+        flags.push(makeFlag(path, "manual_review", "from.delete.eq", "delete().eq(...) call missing args — manual review."));
+        return;
+    }
+    const eqCol = eq.args[0];
+    const eqVal = eq.args[1];
+    if (!((eqCol.type === "Literal" || eqCol.type === "StringLiteral") &&
+        eqCol.value === "id")) {
+        flags.push(makeFlag(path, "manual_review", "from.delete.eq_non_id", `from(${JSON.stringify(table)}).delete().eq() filters on a non-id column — PB's delete needs an id; chunk 2 will handle filter-based deletes.`));
+        return;
+    }
+    const replacement = jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.callExpression(jscodeshift.memberExpression(jscodeshift.identifier(pbName), jscodeshift.identifier("collection")), [jscodeshift.literal(table)]), jscodeshift.identifier("delete")), [eqVal]);
+    applyRewrite(path, replacement, "rewritten", "from.delete", `from(${JSON.stringify(table)}).delete().eq("id", v) → pb.collection(...).delete(v)`, flags, state);
+}
+// ── Chunk 3.1: flag-only patterns (no mutation) ────────────────
+//
+// These Supabase APIs have no clean PocketBase equivalent: the
+// rewriter records a flag with line/column so the file walker
+// can surface them in the migration report, but does NOT touch
+// the source. The user reads the report and rewrites by hand.
+//
+// Patterns covered:
+//   - supabase.storage.*                       (file upload/download model differs)
+//   - supabase.channel(...).on(...).subscribe (realtime API shape differs)
+//   - supabase.rpc("fn", args)                 (Postgres functions — no PB equivalent)
+//   - supabase.functions.invoke(...)           (Edge Functions — host elsewhere)
+//   - supabase.from(...).upsert(...)           (PB has no upsert; flag for split)
+function flagUnsupportedPatterns(root, supabaseNames, flags) {
+    // Walk every CallExpression once, identify the pattern by
+    // looking at the callee chain. Filter by Supabase identifier
+    // root so we don't false-positive on unrelated `.storage` /
+    // `.rpc` / `.channel` calls in user code.
+    root.find(jscodeshift.CallExpression).forEach((path) => {
+        flagOneUnsupported(path, supabaseNames, flags);
+    });
+}
+function flagOneUnsupported(path, supabaseNames, flags) {
+    const root = findChainRoot(path.node);
+    if (!root)
+        return;
+    if (root.type !== "Identifier")
+        return;
+    if (!supabaseNames.has(root.name))
+        return;
+    // We only want to flag ONCE per chain — at the outermost call.
+    // If our parent is a MemberExpression whose .object is this
+    // node, we're not the outermost.
+    const parent = path.parent?.node;
+    if (parent?.type === "MemberExpression") {
+        const m = parent;
+        if (m.object === path.node)
+            return;
+    }
+    // Decompose the chain into ordered (method, call) pairs from
+    // ROOT (closest to `supabase`) to LEAF (outermost call). We use
+    // each call's OWN arguments for the report — not the outermost
+    // wrapper's. Codex P2 round 8 (2026-05-17): the previous version
+    // pulled args from `path.node` (the outermost wrapper), so
+    // `await supabase.rpc("compute_score", args).select("x")`
+    // misreported the function name as "x", and trailing
+    // `.then()` / `.catch()` made `storage.upload` report as
+    // `storage.then` etc.
+    const steps = readChainSteps(path.node);
+    if (steps.length === 0)
+        return;
+    const first = steps[0];
+    if (first.method === "storage") {
+        // supabase.storage.from("b").upload(...).<then|catch|...>
+        // `findStorageOperation` returns the canonical operation OR
+        // a sensible non-continuation fallback. Only when the chain
+        // is genuinely `supabase.storage.from(bucket)` with nothing
+        // after does the report name `from` — and that's accurate.
+        const opStep = findStorageOperation(steps);
+        const opName = opStep?.method ?? "from";
+        flags.push(makeFlag(path, "unsupported", `storage.${opName}`, `supabase.storage.<bucket>.${opName}(...) — PocketBase models files as record-attached fields, not standalone buckets. Rewrite by hand: create a collection with a \`file\` field, then use pb.collection(c).create({ file: blob }) for uploads and pb.files.getURL(record, record.file) for URLs.`));
+        return;
+    }
+    if (first.method === "channel") {
+        // supabase.channel(...).on(...).subscribe() — the `.subscribe`
+        // call is the actionable terminal even if the user chains
+        // `.then(...)` after it.
+        flags.push(makeFlag(path, "unsupported", "channel.subscribe", `supabase.channel(...).on(...).subscribe(...) — PB has realtime via pb.collection(c).subscribe("*", cb) but the event shape and filter model differ from Supabase channels. Rewrite by hand.`));
+        return;
+    }
+    if (first.method === "rpc") {
+        // supabase.rpc("fn_name", args). The function name + args are
+        // on the `rpc` step itself — NOT on a downstream `.select()`
+        // or `.then()`. Use that step's call.
+        const fnName = first.call ? (readFirstStringArg(first.call) ?? "<unknown>") : "<unknown>";
+        flags.push(makeFlag(path, "unsupported", "rpc", `supabase.rpc(${JSON.stringify(fnName)}, ...) — Postgres function calls don't have a PocketBase equivalent. Move the logic into your app server code OR a PB hook (.pb_hooks/).`));
+        return;
+    }
+    if (first.method === "functions" && steps[1]?.method === "invoke") {
+        const invokeStep = steps[1];
+        const fnName = invokeStep.call
+            ? (readFirstStringArg(invokeStep.call) ?? "<unknown>")
+            : "<unknown>";
+        flags.push(makeFlag(path, "unsupported", "functions.invoke", `supabase.functions.invoke(${JSON.stringify(fnName)}, ...) — Edge Functions don't run on Percher. Move the function code into the Percher app server, or host it on a separate platform (Deno Deploy, Cloudflare Workers) and call it via fetch.`));
+        return;
+    }
+    // `from.upsert` is handled inside rewriteFromChain (the
+    // from-chain rewriter already walks .from() chains and is the
+    // canonical place for terminal-method classification). Flagging
+    // it here too would double up the report.
+}
+/**
+ * Storage operations Percher knows the migration intent for. The
+ * walker picks the first matching step in the chain so a trailing
+ * `.then()` / `.catch()` doesn't end up as the reported pattern.
+ *
+ * Not exhaustive — keeping the set narrow has the upside of clean
+ * names in flags, but the downside that any newly-added Supabase
+ * storage method we forget to add here would fall through. The
+ * fallback `findFallbackStorageMethod` covers that case by walking
+ * the chain end-to-start and picking the last non-continuation,
+ * non-structural method, so a forgotten entry still produces a
+ * useful flag (just without the canonical name).
+ *
+ * Codex P2 round 9 (2026-05-17): added `createSignedUrls` (plural)
+ * which was missed — it's a legit storage API.
+ */
+const STORAGE_OPERATIONS = new Set([
+    "upload",
+    "uploadToSignedUrl",
+    "download",
+    "list",
+    "remove",
+    "move",
+    "copy",
+    "createSignedUrl",
+    "createSignedUrls",
+    "createSignedUploadUrl",
+    "getPublicUrl",
+    "update",
+    "exists",
+    "info",
+]);
+/**
+ * Promise / standard-JS continuations the walker skips when
+ * looking for the "actual" storage operation in a chain. A
+ * trailing `.then(...)` or `.catch(...)` after the storage call
+ * shouldn't be reported as the operation.
+ */
+const CHAIN_CONTINUATIONS = new Set(["then", "catch", "finally"]);
+function findStorageOperation(steps) {
+    // First pass: known storage operations. Stable canonical names
+    // are preferred when the user uses a known method.
+    for (const step of steps) {
+        if (STORAGE_OPERATIONS.has(step.method))
+            return step;
+    }
+    // Fallback: any method that's not a Promise continuation and
+    // not the structural `.from(bucket)` / `.storage`. Walk
+    // END-TO-START so trailing `.then()` doesn't shadow the real
+    // operation. Codex P2 round 9 fix: previously fell back to
+    // `steps[1]` which is always `.from`, misreporting valid
+    // storage methods we forgot to add to the allowlist as
+    // `storage.from`.
+    for (let i = steps.length - 1; i >= 0; i--) {
+        const step = steps[i];
+        if (step.method === "storage" || step.method === "from")
+            continue;
+        if (CHAIN_CONTINUATIONS.has(step.method))
+            continue;
+        return step;
+    }
+    return null;
+}
+/**
+ * Walk down callee.object until we hit a non-MemberExpression /
+ * non-CallExpression node. Returns the root expression (typically
+ * an Identifier like `supabase` or `sb`).
+ */
+function findChainRoot(node) {
+    let cursor = node;
+    while (true) {
+        if (cursor.type === "CallExpression") {
+            const c = cursor;
+            if (c.callee.type !== "MemberExpression")
+                return null;
+            cursor = c.callee.object;
+            continue;
+        }
+        if (cursor.type === "MemberExpression") {
+            cursor = cursor.object;
+            continue;
+        }
+        return cursor;
+    }
+}
+function readChainSteps(outer) {
+    const reversed = [];
+    let cursor = outer;
+    while (true) {
+        if (cursor.type === "CallExpression") {
+            const call = cursor;
+            if (call.callee.type !== "MemberExpression")
+                break;
+            const callee = call.callee;
+            if (callee.property.type === "Identifier") {
+                reversed.push({
+                    method: callee.property.name,
+                    call,
+                });
+            }
+            cursor = callee.object;
+            continue;
+        }
+        if (cursor.type === "MemberExpression") {
+            const m = cursor;
+            if (m.property.type === "Identifier") {
+                reversed.push({
+                    method: m.property.name,
+                    call: null,
+                });
+            }
+            cursor = m.object;
+            continue;
+        }
+        break;
+    }
+    return reversed.reverse();
+}
+function readFirstStringArg(call) {
+    const a = call.arguments[0];
+    if (!a)
+        return null;
+    if (a.type === "Literal" || a.type === "StringLiteral") {
+        const v = a.value;
+        if (typeof v === "string")
+            return v;
+    }
+    return null;
+}
+function findObjectProp(obj, name) {
+    for (const prop of obj.properties) {
+        if ((prop.type === "Property" || prop.type === "ObjectProperty") &&
+            "key" in prop &&
+            prop.key.type === "Identifier" &&
+            prop.key.name === name) {
+            // Shorthand `{ email }`: value === key Identifier with the
+            // same name. Synthesize a fresh Identifier so the rewriter
+            // can wire it into the new call.
+            if (prop.shorthand === true) {
+                return jscodeshift.identifier(name);
+            }
+            if ("value" in prop) {
+                const val = prop.value;
+                if (val.type !== "SpreadElement" && val.type !== "RestElement") {
+                    return val;
+                }
+            }
+        }
+    }
+    return null;
+}
+function makeFlag(pathOrLoc, kind, pattern, note) {
+    // Accept either an ASTPath (which we pre-read OR read before
+    // replace) or a pre-captured loc object. Tests pin that flags
+    // carry line/column even after the source node was swapped out
+    // by path.replace — capture loc EAGERLY at each call site.
+    let line;
+    let column;
+    if ("node" in pathOrLoc) {
+        const loc = pathOrLoc.node.loc;
+        line = loc?.start.line;
+        column = loc?.start.column;
+    }
+    else {
+        line = pathOrLoc.line;
+        column = pathOrLoc.column;
+    }
+    return { kind, pattern, line, column, note };
+}
+/** Capture line/column from a path BEFORE the replace clobbers it. */
+function captureLoc(path) {
+    const loc = path.node.loc;
+    return { line: loc?.start.line, column: loc?.start.column };
+}
+/**
+ * Single entry point for every AST mutation: captures loc, swaps
+ * the node, pushes a flag, and flips state.mutated. Centralising
+ * these three steps eliminates the easy-to-miss bug where one of
+ * them is forgotten (which surfaced as the round-3 line/col-loss
+ * bug AND the round-4 envelope mutated-detection bug).
+ */
+function applyRewrite(path, replacement, kind, pattern, note, flags, state) {
+    const loc = captureLoc(path);
+    path.replace(replacement);
+    flags.push(makeFlag(loc, kind, pattern, note));
+    state.mutated = true;
+}
+/**
+ * Entry point matching jscodeshift's `transform` signature, in case
+ * a caller wants to run this as a standalone codemod via the
+ * jscodeshift CLI (`jscodeshift -t this-file.js src/`). Not used by
+ * Percher's own file walker — that calls `rewriteSupabaseSdk`
+ * directly for control over the flag-stream — but exposing it keeps
+ * the door open for ad-hoc usage.
+ */
+export default function transform(file, _api, options = {}) {
+    const result = rewriteSupabaseSdk({
+        source: file.source,
+        filePath: file.path,
+        pbIdentifier: typeof options.pbIdentifier === "string" ? options.pbIdentifier : undefined,
+    });
+    return result.changed ? result.rewritten : null;
+}
+//# sourceMappingURL=migrate-supabase-sdk.js.map