@sprinterai/supabase 0.2.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Sprinter AI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/__test-utils__/mock-supabase.d.ts

@@ -0,0 +1,18 @@
+import type { SupabaseClient } from "@supabase/supabase-js";
+type MockQueryResult = {
+    data: unknown;
+    error: null | {
+        message: string;
+        code?: string;
+    };
+};
+/**
+ * Create a mock Supabase client for testing.
+ * Call `mockTable(name, result)` to configure per-table responses.
+ */
+export declare function createMockClient(): SupabaseClient & {
+    mockTable: (name: string, result: MockQueryResult) => void;
+    mockAuth: (claims: Record<string, unknown> | null) => void;
+};
+export {};
+//# sourceMappingURL=mock-supabase.d.ts.map

package/dist/__test-utils__/mock-supabase.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mock-supabase.d.ts","sourceRoot":"","sources":["../../src/__test-utils__/mock-supabase.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAE5D,KAAK,eAAe,GAAG;IACrB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,IAAI,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAClD,CAAC;AAuDF;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,cAAc,GAAG;IACnD,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,KAAK,IAAI,CAAC;IAC3D,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,KAAK,IAAI,CAAC;CAC5D,CA+CA"}

package/dist/__test-utils__/mock-supabase.js

@@ -0,0 +1,89 @@
+import { vi } from "vitest";
+/**
+ * Creates a chainable mock Supabase query builder.
+ * Each method returns the builder, and the final await resolves the configured result.
+ */
+function createMockQueryBuilder(result) {
+    const builder = {};
+    const methods = [
+        "select",
+        "insert",
+        "update",
+        "upsert",
+        "delete",
+        "eq",
+        "neq",
+        "gt",
+        "gte",
+        "lt",
+        "lte",
+        "like",
+        "ilike",
+        "in",
+        "contains",
+        "order",
+        "limit",
+        "single",
+        "maybeSingle",
+        "range",
+        "match",
+        "filter",
+        "not",
+        "or",
+    ];
+    for (const method of methods) {
+        builder[method] = vi.fn().mockReturnValue(builder);
+    }
+    // Override terminal methods to return the result
+    builder.single.mockResolvedValue(result);
+    builder.maybeSingle.mockResolvedValue(result);
+    // Make the builder itself thenable (for when you just await the chain)
+    builder.then = (resolve, reject) => {
+        return Promise.resolve(result).then(resolve, reject);
+    };
+    return builder;
+}
+/**
+ * Create a mock Supabase client for testing.
+ * Call `mockTable(name, result)` to configure per-table responses.
+ */
+export function createMockClient() {
+    const tableResults = new Map();
+    let authClaims = null;
+    const client = {
+        from: vi.fn((table) => {
+            const result = tableResults.get(table) ?? {
+                data: null,
+                error: null,
+            };
+            return createMockQueryBuilder(result);
+        }),
+        auth: {
+            getClaims: vi.fn(() => Promise.resolve({
+                data: authClaims ? { claims: authClaims } : null,
+                error: null,
+            })),
+            getUser: vi.fn(() => Promise.resolve({
+                data: {
+                    user: authClaims
+                        ? { id: authClaims.sub, email: authClaims.email }
+                        : null,
+                },
+                error: null,
+            })),
+        },
+        channel: vi.fn(() => ({
+            on: vi.fn().mockReturnThis(),
+            subscribe: vi.fn(),
+            unsubscribe: vi.fn(),
+        })),
+        mockTable(name, result) {
+            tableResults.set(name, result);
+        },
+        mockAuth(claims) {
+            authClaims = claims;
+        },
+    };
+    return client;
+}
+//# sourceMappingURL=mock-supabase.js.map

package/dist/__test-utils__/mock-supabase.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mock-supabase.js","sourceRoot":"","sources":["../../src/__test-utils__/mock-supabase.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAQ5B;;;GAGG;AACH,SAAS,sBAAsB,CAAC,MAAuB;IACrD,MAAM,OAAO,GAA4B,EAAE,CAAC;IAE5C,MAAM,OAAO,GAAG;QACd,QAAQ;QACR,QAAQ;QACR,QAAQ;QACR,QAAQ;QACR,QAAQ;QACR,IAAI;QACJ,KAAK;QACL,IAAI;QACJ,KAAK;QACL,IAAI;QACJ,KAAK;QACL,MAAM;QACN,OAAO;QACP,IAAI;QACJ,UAAU;QACV,OAAO;QACP,OAAO;QACP,QAAQ;QACR,aAAa;QACb,OAAO;QACP,OAAO;QACP,QAAQ;QACR,KAAK;QACL,IAAI;KACL,CAAC;IAEF,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,iDAAiD;IAChD,OAAO,CAAC,MAAmC,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACtE,OAAO,CAAC,WAAwC,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAE5E,uEAAuE;IACvE,OAAO,CAAC,IAAI,GAAG,CACb,OAAuC,EACvC,MAA8B,EAC9B,EAAE;QACF,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACvD,CAAC,CAAC;IAEF,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAI9B,MAAM,YAAY,GAAG,IAAI,GAAG,EAA2B,CAAC;IACxD,IAAI,UAAU,GAAmC,IAAI,CAAC;IAEtD,MAAM,MAAM,GAAG;QACb,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,KAAa,EAAE,EAAE;YAC5B,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI;gBACxC,IAAI,EAAE,IAAI;gBACV,KAAK,EAAE,IAAI;aACZ,CAAC;YACF,OAAO,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACxC,CAAC,CAAC;QACF,IAAI,EAAE;YACJ,SAAS,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CACpB,OAAO,CAAC,OAAO,CAAC;gBACd,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,IAAI;gBAChD,KAAK,EAAE,IAAI;aACZ,CAAC,CACH;YACD,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAClB,OAAO,CAAC,OAAO,CAAC;gBACd,IAAI,EAAE;oBACJ,IAAI,EAAE,UAAU;wBACd,CAAC,CAAC,EAAE,EAAE,EAAE,UAAU,CAAC,GAAG,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE;wBACjD,CAAC,CAAC,IAAI;iBACT;gBACD,KAAK,EAAE,IAAI;aACZ,CAAC,CACH;SACF;QACD,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;YACpB,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,cAAc,EAAE;YAC5B,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;YAClB,WAAW,EAAE,EAAE,CAAC,EAAE,EAAE;SACrB,CAAC,CAAC;QACH,SAAS,CAAC,IAAY,EAAE,MAAuB;YAC7C,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACjC,CAAC;QACD,QAAQ,CAAC,MAAsC;YAC7C,UAAU,GAAG,MAAM,CAAC;QACtB,CAAC;KAIF,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/auth/adapter.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Auth adapter — centralized auth functions for the Sprinter platform.
+ *
+ * Architecture:
+ * - getClaims() for auth validation (local JWT, zero DB calls)
+ * - getUser() ONLY for login/provisioning (hits auth server)
+ * - getSession() NEVER for authorization (not server-verified)
+ *
+ * All functions take a SupabaseClient parameter — the caller (Next.js, etc.)
+ * is responsible for creating the client with proper cookie handling.
+ */
+import type { TenantContext, AppPermission } from '@sprinterai/core';
+import type { SupabaseClient } from '@supabase/supabase-js';
+/**
+ * Require an authenticated user. Returns full tenant context.
+ * Throws 401 if not authenticated.
+ */
+export declare function requireAuth(client: SupabaseClient, options?: {
+    tenantSlugOverride?: string;
+}): Promise<TenantContext>;
+/**
+ * Require an admin user (owner or admin role). Returns tenant context.
+ * Throws 401 if not authenticated, 403 if not admin.
+ */
+export declare function requireAdmin(client: SupabaseClient, options?: {
+    tenantSlugOverride?: string;
+}): Promise<TenantContext>;
+/**
+ * Check if a user has a specific permission in their active tenant.
+ */
+export declare function hasPermission(client: SupabaseClient, permission: AppPermission, options?: {
+    tenantSlugOverride?: string;
+}): Promise<boolean>;
+/**
+ * Require a specific permission. Returns tenant context if authorized.
+ * Throws 401 if not authenticated, 403 if missing the required permission.
+ */
+export declare function requirePermission(client: SupabaseClient, permission: AppPermission, options?: {
+    tenantSlugOverride?: string;
+}): Promise<TenantContext>;
+//# sourceMappingURL=adapter.d.ts.map

package/dist/auth/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../../src/auth/adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAErE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAqB5D;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,cAAc,EACtB,OAAO,CAAC,EAAE;IAAE,kBAAkB,CAAC,EAAE,MAAM,CAAA;CAAE,GACxC,OAAO,CAAC,aAAa,CAAC,CAMxB;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,cAAc,EACtB,OAAO,CAAC,EAAE;IAAE,kBAAkB,CAAC,EAAE,MAAM,CAAA;CAAE,GACxC,OAAO,CAAC,aAAa,CAAC,CAMxB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,cAAc,EACtB,UAAU,EAAE,aAAa,EACzB,OAAO,CAAC,EAAE;IAAE,kBAAkB,CAAC,EAAE,MAAM,CAAA;CAAE,GACxC,OAAO,CAAC,OAAO,CAAC,CAOlB;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,cAAc,EACtB,UAAU,EAAE,aAAa,EACzB,OAAO,CAAC,EAAE;IAAE,kBAAkB,CAAC,EAAE,MAAM,CAAA;CAAE,GACxC,OAAO,CAAC,aAAa,CAAC,CAOxB"}

package/dist/auth/adapter.js

@@ -0,0 +1,73 @@
+/**
+ * Auth adapter — centralized auth functions for the Sprinter platform.
+ *
+ * Architecture:
+ * - getClaims() for auth validation (local JWT, zero DB calls)
+ * - getUser() ONLY for login/provisioning (hits auth server)
+ * - getSession() NEVER for authorization (not server-verified)
+ *
+ * All functions take a SupabaseClient parameter — the caller (Next.js, etc.)
+ * is responsible for creating the client with proper cookie handling.
+ */
+import { isAdminRole } from '@sprinterai/core';
+import { getTenantContext } from '../tenant/context';
+import { getUserId } from './claims';
+import { getUserPermissions } from './permissions';
+function createAuthenticationError(message) {
+    const error = new Error(message);
+    error.name = 'AuthenticationError';
+    error.status = 401;
+    return error;
+}
+function createAuthorizationError(message) {
+    const error = new Error(message);
+    error.name = 'AuthorizationError';
+    error.status = 403;
+    return error;
+}
+/**
+ * Require an authenticated user. Returns full tenant context.
+ * Throws 401 if not authenticated.
+ */
+export async function requireAuth(client, options) {
+    const ctx = await getTenantContext(client, options);
+    if (!ctx.userId) {
+        throw createAuthenticationError('Not authenticated');
+    }
+    return ctx;
+}
+/**
+ * Require an admin user (owner or admin role). Returns tenant context.
+ * Throws 401 if not authenticated, 403 if not admin.
+ */
+export async function requireAdmin(client, options) {
+    const ctx = await requireAuth(client, options);
+    if (!isAdminRole(ctx.role)) {
+        throw createAuthorizationError('Insufficient permissions: admin role required');
+    }
+    return ctx;
+}
+/**
+ * Check if a user has a specific permission in their active tenant.
+ */
+export async function hasPermission(client, permission, options) {
+    const uid = await getUserId(client);
+    if (!uid)
+        return false;
+    const ctx = await getTenantContext(client, options);
+    const permissions = await getUserPermissions(client, ctx.userId, ctx.tenantId);
+    return permissions.includes(permission);
+}
+/**
+ * Require a specific permission. Returns tenant context if authorized.
+ * Throws 401 if not authenticated, 403 if missing the required permission.
+ */
+export async function requirePermission(client, permission, options) {
+    const ctx = await requireAuth(client, options);
+    const permissions = await getUserPermissions(client, ctx.userId, ctx.tenantId);
+    if (!permissions.includes(permission)) {
+        throw createAuthorizationError(`Insufficient permissions: ${permission} required`);
+    }
+    return ctx;
+}
+//# sourceMappingURL=adapter.js.map

package/dist/auth/adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.js","sourceRoot":"","sources":["../../src/auth/adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAG/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAEnD,SAAS,yBAAyB,CAAC,OAAe;IAChD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,CAA4B,CAAC;IAC5D,KAAK,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACnC,KAAK,CAAC,MAAM,GAAG,GAAG,CAAC;IACnB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,wBAAwB,CAAC,OAAe;IAC/C,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,CAA4B,CAAC;IAC5D,KAAK,CAAC,IAAI,GAAG,oBAAoB,CAAC;IAClC,KAAK,CAAC,MAAM,GAAG,GAAG,CAAC;IACnB,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAsB,EACtB,OAAyC;IAEzC,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,yBAAyB,CAAC,mBAAmB,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAsB,EACtB,OAAyC;IAEzC,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,wBAAwB,CAAC,+CAA+C,CAAC,CAAC;IAClF,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAsB,EACtB,UAAyB,EACzB,OAAyC;IAEzC,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAEvB,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpD,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/E,OAAO,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAsB,EACtB,UAAyB,EACzB,OAAyC;IAEzC,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/C,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/E,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,MAAM,wBAAwB,CAAC,6BAA6B,UAAU,WAAW,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/auth/claims.d.ts

@@ -0,0 +1,31 @@
+import type { SupabaseClient } from '@supabase/supabase-js';
+/** JWT claims extracted from the Supabase session. */
+export interface JwtClaims {
+    sub: string;
+    email?: string;
+    role?: string;
+    [key: string]: unknown;
+}
+/**
+ * Get JWT claims from the current Supabase session. Zero network calls —
+ * validates the JWT signature locally using cached JWKS keys.
+ * Returns null if no valid session exists.
+ *
+ * If the token is expired, the Supabase client refreshes it automatically
+ * (one network call), then validates the new token locally.
+ *
+ * Prefer this over `supabase.auth.getUser()` for auth checks. Only use
+ * `getUser()` for critical operations (login, provisioning) that need
+ * server-verified identity.
+ */
+export declare function getClaims(client: SupabaseClient): Promise<JwtClaims | null>;
+/**
+ * Get user ID from JWT claims. Zero network calls — validates JWT signature locally.
+ * Returns null if no valid session exists.
+ *
+ * Prefer this over `supabase.auth.getUser()` for auth checks. Only use
+ * `getUser()` for critical operations (login, provisioning) that need
+ * server-verified identity.
+ */
+export declare function getUserId(client: SupabaseClient): Promise<string | null>;
+//# sourceMappingURL=claims.d.ts.map

package/dist/auth/claims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claims.d.ts","sourceRoot":"","sources":["../../src/auth/claims.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAE5D,sDAAsD;AACtD,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,SAAS,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAIjF;AAED;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAG9E"}

package/dist/auth/claims.js

@@ -0,0 +1,31 @@
+/**
+ * Get JWT claims from the current Supabase session. Zero network calls —
+ * validates the JWT signature locally using cached JWKS keys.
+ * Returns null if no valid session exists.
+ *
+ * If the token is expired, the Supabase client refreshes it automatically
+ * (one network call), then validates the new token locally.
+ *
+ * Prefer this over `supabase.auth.getUser()` for auth checks. Only use
+ * `getUser()` for critical operations (login, provisioning) that need
+ * server-verified identity.
+ */
+export async function getClaims(client) {
+    const { data } = await client.auth.getClaims();
+    if (!data?.claims)
+        return null;
+    return data.claims;
+}
+/**
+ * Get user ID from JWT claims. Zero network calls — validates JWT signature locally.
+ * Returns null if no valid session exists.
+ *
+ * Prefer this over `supabase.auth.getUser()` for auth checks. Only use
+ * `getUser()` for critical operations (login, provisioning) that need
+ * server-verified identity.
+ */
+export async function getUserId(client) {
+    const claims = await getClaims(client);
+    return claims?.sub ?? null;
+}
+//# sourceMappingURL=claims.js.map

package/dist/auth/claims.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"claims.js","sourceRoot":"","sources":["../../src/auth/claims.ts"],"names":[],"mappings":"AAUA;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,MAAsB;IACpD,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/C,IAAI,CAAC,IAAI,EAAE,MAAM;QAAE,OAAO,IAAI,CAAC;IAC/B,OAAO,IAAI,CAAC,MAAmB,CAAC;AAClC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,MAAsB;IACpD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;IACvC,OAAO,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC;AAC7B,CAAC"}

package/dist/auth/claims.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=claims.test.d.ts.map

package/dist/auth/claims.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claims.test.d.ts","sourceRoot":"","sources":["../../src/auth/claims.test.ts"],"names":[],"mappings":""}

package/dist/auth/claims.test.js

@@ -0,0 +1,32 @@
+import { describe, it, expect } from "vitest";
+import { getClaims, getUserId } from "./claims";
+import { createMockClient } from "../__test-utils__/mock-supabase";
+describe("getClaims", () => {
+    it("returns claims from a valid session", async () => {
+        const client = createMockClient();
+        client.mockAuth({ sub: "user-123", email: "test@example.com" });
+        const claims = await getClaims(client);
+        expect(claims).toEqual({ sub: "user-123", email: "test@example.com" });
+    });
+    it("returns null when no session exists", async () => {
+        const client = createMockClient();
+        client.mockAuth(null);
+        const claims = await getClaims(client);
+        expect(claims).toBeNull();
+    });
+});
+describe("getUserId", () => {
+    it("returns user ID from claims", async () => {
+        const client = createMockClient();
+        client.mockAuth({ sub: "user-456" });
+        const id = await getUserId(client);
+        expect(id).toBe("user-456");
+    });
+    it("returns null when not authenticated", async () => {
+        const client = createMockClient();
+        client.mockAuth(null);
+        const id = await getUserId(client);
+        expect(id).toBeNull();
+    });
+});
+//# sourceMappingURL=claims.test.js.map

package/dist/auth/claims.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"claims.test.js","sourceRoot":"","sources":["../../src/auth/claims.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AAEnE,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAEhE,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEtB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;QAErC,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;QACnC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEtB,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAC;QACnC,MAAM,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;IACxB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,5 @@
+export { getClaims, getUserId } from "./claims";
+export type { JwtClaims } from "./claims";
+export { getUserPermissions, getPermissionsForRole } from "./permissions";
+export { requireAuth, requireAdmin, hasPermission, requirePermission, } from "./adapter";
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAChD,YAAY,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EACb,iBAAiB,GAClB,MAAM,WAAW,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,4 @@
+export { getClaims, getUserId } from "./claims";
+export { getUserPermissions, getPermissionsForRole } from "./permissions";
+export { requireAuth, requireAdmin, hasPermission, requirePermission, } from "./adapter";
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAEhD,OAAO,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,YAAY,EACZ,aAAa,EACb,iBAAiB,GAClB,MAAM,WAAW,CAAC"}

package/dist/auth/permissions.d.ts

@@ -0,0 +1,14 @@
+import type { AppPermission } from '@sprinterai/core';
+import type { SupabaseClient } from '@supabase/supabase-js';
+/**
+ * Get all permissions for a user in a specific tenant.
+ * Queries the denormalized user_permissions table.
+ */
+export declare function getUserPermissions(client: SupabaseClient, userId: string, tenantId: string): Promise<AppPermission[]>;
+/**
+ * Get permissions granted to a specific role.
+ * Used for agent autonomous execution — agents get their role's permissions.
+ * Requires admin client to bypass RLS.
+ */
+export declare function getPermissionsForRole(adminClient: SupabaseClient, roleId: string): Promise<AppPermission[]>;
+//# sourceMappingURL=permissions.d.ts.map

package/dist/auth/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/auth/permissions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACtD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAE5D;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,cAAc,EACtB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,EAAE,CAAC,CAQ1B;AAED;;;;GAIG;AACH,wBAAsB,qBAAqB,CACzC,WAAW,EAAE,cAAc,EAC3B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,EAAE,CAAC,CAO1B"}

package/dist/auth/permissions.js

@@ -0,0 +1,25 @@
+/**
+ * Get all permissions for a user in a specific tenant.
+ * Queries the denormalized user_permissions table.
+ */
+export async function getUserPermissions(client, userId, tenantId) {
+    const { data } = await client
+        .from('user_permissions')
+        .select('permission')
+        .eq('user_id', userId)
+        .eq('tenant_id', tenantId);
+    return (data ?? []).map((row) => row.permission);
+}
+/**
+ * Get permissions granted to a specific role.
+ * Used for agent autonomous execution — agents get their role's permissions.
+ * Requires admin client to bypass RLS.
+ */
+export async function getPermissionsForRole(adminClient, roleId) {
+    const { data } = await adminClient
+        .from('role_permissions')
+        .select('permission')
+        .eq('role_id', roleId);
+    return (data ?? []).map((row) => row.permission);
+}
+//# sourceMappingURL=permissions.js.map

package/dist/auth/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/auth/permissions.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAsB,EACtB,MAAc,EACd,QAAgB;IAEhB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM;SAC1B,IAAI,CAAC,kBAAkB,CAAC;SACxB,MAAM,CAAC,YAAY,CAAC;SACpB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;SACrB,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAE7B,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAA2B,EAAE,EAAE,CAAC,GAAG,CAAC,UAA2B,CAAC,CAAC;AAC5F,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,WAA2B,EAC3B,MAAc;IAEd,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,WAAW;SAC/B,IAAI,CAAC,kBAAkB,CAAC;SACxB,MAAM,CAAC,YAAY,CAAC;SACpB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAEzB,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAA2B,EAAE,EAAE,CAAC,GAAG,CAAC,UAA2B,CAAC,CAAC;AAC5F,CAAC"}

package/dist/auth/permissions.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=permissions.test.d.ts.map

package/dist/auth/permissions.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.test.d.ts","sourceRoot":"","sources":["../../src/auth/permissions.test.ts"],"names":[],"mappings":""}

package/dist/auth/permissions.test.js

@@ -0,0 +1,40 @@
+import { describe, it, expect } from "vitest";
+import { getUserPermissions, getPermissionsForRole } from "./permissions";
+import { createMockClient } from "../__test-utils__/mock-supabase";
+describe("getUserPermissions", () => {
+    it("returns permissions for a user in a tenant", async () => {
+        const client = createMockClient();
+        client.mockTable("user_permissions", {
+            data: [
+                { permission: "entities.own.create" },
+                { permission: "entities.own.read" },
+            ],
+            error: null,
+        });
+        const perms = await getUserPermissions(client, "user-1", "tenant-1");
+        expect(perms).toEqual(["entities.own.create", "entities.own.read"]);
+    });
+    it("returns empty array when no permissions found", async () => {
+        const client = createMockClient();
+        client.mockTable("user_permissions", { data: null, error: null });
+        const perms = await getUserPermissions(client, "user-1", "tenant-1");
+        expect(perms).toEqual([]);
+    });
+});
+describe("getPermissionsForRole", () => {
+    it("returns permissions for a role", async () => {
+        const client = createMockClient();
+        client.mockTable("role_permissions", {
+            data: [
+                { permission: "entities.all.create" },
+                { permission: "entities.all.read" },
+                { permission: "entities.all.update" },
+            ],
+            error: null,
+        });
+        const perms = await getPermissionsForRole(client, "role-admin");
+        expect(perms).toHaveLength(3);
+        expect(perms).toContain("entities.all.create");
+    });
+});
+//# sourceMappingURL=permissions.test.js.map

package/dist/auth/permissions.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.test.js","sourceRoot":"","sources":["../../src/auth/permissions.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC1E,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AAEnE,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,SAAS,CAAC,kBAAkB,EAAE;YACnC,IAAI,EAAE;gBACJ,EAAE,UAAU,EAAE,qBAAqB,EAAE;gBACrC,EAAE,UAAU,EAAE,mBAAmB,EAAE;aACpC;YACD,KAAK,EAAE,IAAI;SACZ,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;QACrE,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,qBAAqB,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,SAAS,CAAC,kBAAkB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAElE,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;QACrE,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,SAAS,CAAC,kBAAkB,EAAE;YACnC,IAAI,EAAE;gBACJ,EAAE,UAAU,EAAE,qBAAqB,EAAE;gBACrC,EAAE,UAAU,EAAE,mBAAmB,EAAE;gBACnC,EAAE,UAAU,EAAE,qBAAqB,EAAE;aACtC;YACD,KAAK,EAAE,IAAI;SACZ,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,MAAM,qBAAqB,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAChE,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/clients/admin.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Create a Supabase admin client using the service role key.
+ * Bypasses RLS — use only for system operations.
+ */
+export declare function createAdminClient(options?: {
+    supabaseUrl?: string;
+    supabaseServiceRoleKey?: string;
+}): import("@supabase/supabase-js").SupabaseClient<any, "public", "public", any, any>;
+//# sourceMappingURL=admin.d.ts.map

package/dist/clients/admin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.d.ts","sourceRoot":"","sources":["../../src/clients/admin.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC,qFAUA"}

package/dist/clients/admin.js

@@ -0,0 +1,14 @@
+import { createClient } from "@supabase/supabase-js";
+/**
+ * Create a Supabase admin client using the service role key.
+ * Bypasses RLS — use only for system operations.
+ */
+export function createAdminClient(options) {
+    const url = options?.supabaseUrl ?? process.env.NEXT_PUBLIC_SUPABASE_URL ?? "";
+    const key = options?.supabaseServiceRoleKey ??
+        process.env.SUPABASE_SECRET_KEY ??
+        process.env.SUPABASE_SERVICE_ROLE_KEY ??
+        "";
+    return createClient(url, key);
+}
+//# sourceMappingURL=admin.js.map

package/dist/clients/admin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.js","sourceRoot":"","sources":["../../src/clients/admin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAGjC;IACC,MAAM,GAAG,GACP,OAAO,EAAE,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,EAAE,CAAC;IACrE,MAAM,GAAG,GACP,OAAO,EAAE,sBAAsB;QAC/B,OAAO,CAAC,GAAG,CAAC,mBAAmB;QAC/B,OAAO,CAAC,GAAG,CAAC,yBAAyB;QACrC,EAAE,CAAC;IAEL,OAAO,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AAChC,CAAC"}

package/dist/clients/admin.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=admin.test.d.ts.map

package/dist/clients/admin.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.test.d.ts","sourceRoot":"","sources":["../../src/clients/admin.test.ts"],"names":[],"mappings":""}

package/dist/clients/admin.test.js

@@ -0,0 +1,31 @@
+import { describe, it, expect, vi } from "vitest";
+import { createAdminClient } from "./admin";
+vi.mock("@supabase/supabase-js", () => ({
+    createClient: vi.fn((url, key) => ({
+        url,
+        key,
+        mock: true,
+    })),
+}));
+describe("createAdminClient", () => {
+    it("creates an admin client with explicit options", () => {
+        const client = createAdminClient({
+            supabaseUrl: "https://test.supabase.co",
+            supabaseServiceRoleKey: "service-role-key",
+        });
+        expect(client).toBeDefined();
+        expect(client.url).toBe("https://test.supabase.co");
+        expect(client.key).toBe("service-role-key");
+    });
+    it("falls back to env vars when no options provided", () => {
+        process.env.NEXT_PUBLIC_SUPABASE_URL = "https://env.supabase.co";
+        process.env.SUPABASE_SECRET_KEY = "env-secret";
+        const client = createAdminClient();
+        expect(client).toBeDefined();
+        expect(client.url).toBe("https://env.supabase.co");
+        expect(client.key).toBe("env-secret");
+        delete process.env.NEXT_PUBLIC_SUPABASE_URL;
+        delete process.env.SUPABASE_SECRET_KEY;
+    });
+});
+//# sourceMappingURL=admin.test.js.map

package/dist/clients/admin.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.test.js","sourceRoot":"","sources":["../../src/clients/admin.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAE5C,EAAE,CAAC,IAAI,CAAC,uBAAuB,EAAE,GAAG,EAAE,CAAC,CAAC;IACtC,YAAY,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,GAAW,EAAE,GAAW,EAAE,EAAE,CAAC,CAAC;QACjD,GAAG;QACH,GAAG;QACH,IAAI,EAAE,IAAI;KACX,CAAC,CAAC;CACJ,CAAC,CAAC,CAAC;AAEJ,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,MAAM,GAAG,iBAAiB,CAAC;YAC/B,WAAW,EAAE,0BAA0B;YACvC,sBAAsB,EAAE,kBAAkB;SAC3C,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,CAAE,MAAkC,CAAC,GAAG,CAAC,CAAC,IAAI,CAClD,0BAA0B,CAC3B,CAAC;QACF,MAAM,CAAE,MAAkC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,yBAAyB,CAAC;QACjE,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,YAAY,CAAC;QAE/C,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;QAEnC,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,CAAE,MAAkC,CAAC,GAAG,CAAC,CAAC,IAAI,CAClD,yBAAyB,CAC1B,CAAC;QACF,MAAM,CAAE,MAAkC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAEnE,OAAO,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;QAC5C,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/clients/browser.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Create a Supabase browser client for use in client components.
+ * Reads env vars or accepts explicit URL/key.
+ */
+export declare function createBrowserClient(options?: {
+    supabaseUrl?: string;
+    supabaseAnonKey?: string;
+}): import("@supabase/supabase-js").SupabaseClient<any, "public", "public", any, any>;
+//# sourceMappingURL=browser.d.ts.map

package/dist/clients/browser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../src/clients/browser.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC5C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,qFAUA"}

package/dist/clients/browser.js

@@ -0,0 +1,14 @@
+import { createBrowserClient as createSSRBrowserClient } from "@supabase/ssr";
+/**
+ * Create a Supabase browser client for use in client components.
+ * Reads env vars or accepts explicit URL/key.
+ */
+export function createBrowserClient(options) {
+    const url = options?.supabaseUrl ?? process.env.NEXT_PUBLIC_SUPABASE_URL ?? "";
+    const key = options?.supabaseAnonKey ??
+        process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY ??
+        process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY ??
+        "";
+    return createSSRBrowserClient(url, key);
+}
+//# sourceMappingURL=browser.js.map

package/dist/clients/browser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.js","sourceRoot":"","sources":["../../src/clients/browser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,IAAI,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAE9E;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAGnC;IACC,MAAM,GAAG,GACP,OAAO,EAAE,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,EAAE,CAAC;IACrE,MAAM,GAAG,GACP,OAAO,EAAE,eAAe;QACxB,OAAO,CAAC,GAAG,CAAC,oCAAoC;QAChD,OAAO,CAAC,GAAG,CAAC,6BAA6B;QACzC,EAAE,CAAC;IAEL,OAAO,sBAAsB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AAC1C,CAAC"}

package/dist/clients/browser.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=browser.test.d.ts.map

package/dist/clients/browser.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.test.d.ts","sourceRoot":"","sources":["../../src/clients/browser.test.ts"],"names":[],"mappings":""}