@supatype/cli 0.1.0-alpha.12 → 0.1.0-alpha.14

package/src/commands/keys.ts

@@ -1,5 +1,5 @@
 import type { Command } from "commander"
-import { readFileSync, existsSync } from "node:fs"
+import { readFileSync, existsSync, writeFileSync } from "node:fs"
 import { resolve } from "node:path"
 import { signJwt } from "../jwt.js"
 
@@ -41,13 +41,58 @@ export function registerKeys(program: Command): void {
 
 // ─── Helpers ─────────────────────────────────────────────────────────────────
 
-export function resolveSecret(): string | undefined {
+/** Mint a long-lived anon + service_role JWT pair from a secret. */
+export function signKeyPair(
+  secret: string,
+  expYears = 10,
+): { anonKey: string; serviceKey: string } {
+  const now = Math.floor(Date.now() / 1000)
+  const exp = now + expYears * 365 * 24 * 60 * 60
+  return {
+    anonKey: signJwt({ iss: "supatype", role: "anon", iat: now, exp }, secret),
+    serviceKey: signJwt({ iss: "supatype", role: "service_role", iat: now, exp }, secret),
+  }
+}
+
+/**
+ * Generate keys from the JWT_SECRET found in `dir`'s .env (or env var) and
+ * rewrite the ANON_KEY / SERVICE_ROLE_KEY lines in that .env file in place.
+ * Returns the minted pair, or null if no secret could be resolved.
+ */
+export function generateAndWriteKeys(
+  dir: string,
+  expYears = 10,
+): { anonKey: string; serviceKey: string } | null {
+  const secret = resolveSecret(dir)
+  if (!secret) return null
+
+  const { anonKey, serviceKey } = signKeyPair(secret, expYears)
+
+  const envPath = resolve(dir, ".env")
+  if (existsSync(envPath)) {
+    let content = readFileSync(envPath, "utf8")
+    content = upsertEnvVar(content, "ANON_KEY", anonKey)
+    content = upsertEnvVar(content, "SERVICE_ROLE_KEY", serviceKey)
+    writeFileSync(envPath, content, "utf8")
+  }
+
+  return { anonKey, serviceKey }
+}
+
+function upsertEnvVar(content: string, key: string, value: string): string {
+  const re = new RegExp(`^${key}=.*$`, "m")
+  if (re.test(content)) return content.replace(re, `${key}=${value}`)
+  const sep = content.endsWith("\n") || content.length === 0 ? "" : "\n"
+  return `${content}${sep}${key}=${value}\n`
+}
+
+export function resolveSecret(dir: string = process.cwd()): string | undefined {
   // 1. Check environment variable
   const fromEnv = process.env["JWT_SECRET"]
   if (fromEnv) return fromEnv
 
-  // 2. Parse .env file in cwd
-  const envPath = resolve(process.cwd(), ".env")
+  // 2. Parse .env file in the target directory
+  const envPath = resolve(dir, ".env")
   if (!existsSync(envPath)) return undefined
 
   try {

package/src/engine-client.ts

@@ -13,7 +13,8 @@ import { mkdirSync, writeFileSync, unlinkSync, existsSync, readdirSync } from "n
 import { tmpdir, homedir } from "node:os"
 import { join } from "node:path"
 import { loadConfig } from "./config.js"
-import { resolveBinary, currentPlatform, cachePath } from "./binary-cache.js"
+import { currentPlatform, cachePath } from "./binary-cache.js"
+import { ensureBinary } from "./ensure-binary.js"
 
 // ---------------------------------------------------------------------------
 // Types (kept for backward compatibility with existing callers)
@@ -86,10 +87,16 @@ async function getEngineBin(): Promise<string> {
 
   try {
     const config = loadConfig(cwd)
-    _engineBin = await resolveBinary("engine", config)
+    // Download-on-miss (with retry) so a fresh machine or a failed postinstall
+    // self-heals on first use instead of silently skipping type/admin refresh.
+    _engineBin = await ensureBinary("engine", config)
     return _engineBin
-  } catch {
-    // No valid project config — fall through to default cache path.
+  } catch (err) {
+    // A real download/verification failure must surface, not fall back to a
+    // possibly-stale cached binary from a different version.
+    const message = err instanceof Error ? err.message : String(err)
+    if (message.includes("Failed to download")) throw err
+    // Otherwise (no valid project config) fall through to default cache scan.
   }
 
   // No config found — scan the cache for any available engine binary.

package/src/kong-config.ts

@@ -18,6 +18,11 @@ export interface KongDeclarativeOptions {
   studioServiceUrl?: string | undefined
   /** See {@link RuntimeRouteOptions.studioStripPath}. */
   studioStripPath?: boolean | undefined
+  /**
+   * When set, append a global Kong `acme` plugin (Let's Encrypt) with Redis/Valkey
+   * storage so the self-host gateway provisions and renews TLS automatically.
+   */
+  acme?: { email: string; domain: string; redisHost: string } | undefined
 }
 
 /** Escape a string for use inside YAML double quotes. */
@@ -85,9 +90,27 @@ ${route.paths.map((path) => `          - ${path}`).join("\n")}
 ${protocols}${routePlugins}${graphqlPlugins}`
   }).join("\n")
 
+  const acme = opts.acme
+  const pluginsBlock = acme
+    ? `
+plugins:
+  - name: acme
+    config:
+      account_email: ${yamlQuotedString(acme.email)}
+      tos_accepted: true
+      domains:
+        - ${yamlQuotedString(acme.domain)}
+      storage: redis
+      storage_config:
+        redis:
+          host: ${yamlQuotedString(acme.redisHost)}
+          port: 6379
+`
+    : ""
+
   return `_format_version: "3.0"
 ${consumersBlock}
 services:
 ${servicesBlock}
-`
+${pluginsBlock}`
 }

package/src/project-config.ts

@@ -59,6 +59,16 @@ export interface SupatypeProjectConfig {
     postgrestPort?: number
     /** Domain for ACME TLS certificate (mode=standalone). */
     domain?: string
+    /**
+     * TLS for self-host HTTPS (Kong ACME / Let's Encrypt).
+     * Requires `mode: "standalone"` and a non-empty `domain`.
+     */
+    tls?: {
+      /** ACME contact email for Let's Encrypt (required to enable HTTPS). */
+      email?: string
+      /** "kong" (default) = Kong acme plugin; "none" = stay HTTP even with a domain. */
+      provider?: "kong" | "none"
+    }
   }
   app: {
     /**
@@ -298,6 +308,23 @@ export function mergeProjectConfig(
     ...(base.admin !== undefined || override.admin !== undefined
       ? { admin: { ...base.admin, ...override.admin } as NonNullable<SupatypeProjectConfig["admin"]> }
       : {}),
+    ...(base.environments !== undefined || override.environments !== undefined
+      ? (() => {
+          const b = base.environments
+          const o = override.environments
+          const mergedBranchDefaults =
+            b?.branchDefaults !== undefined || o?.branchDefaults !== undefined
+              ? { ...(b?.branchDefaults ?? {}), ...(o?.branchDefaults ?? {}) }
+              : undefined
+          return {
+            environments: {
+              ...b,
+              ...o,
+              ...(mergedBranchDefaults !== undefined ? { branchDefaults: mergedBranchDefaults } : {}),
+            } as NonNullable<SupatypeProjectConfig["environments"]>,
+          }
+        })()
+      : {}),
   }
 }
 
@@ -373,6 +400,24 @@ export function serverBaseUrl(cfg: SupatypeProjectConfig): string | undefined {
   }
 }
 
+/**
+ * True when `supatype self-host compose` should render Kong ACME TLS (Let's Encrypt).
+ * Gated on a real self-host render (not `supatype dev`), standalone mode, a non-empty
+ * domain, an ACME contact email, and `tls.provider !== "none"`.
+ */
+export function selfHostTlsEnabled(
+  cfg: SupatypeProjectConfig,
+  devLocal = false,
+): boolean {
+  if (devLocal) return false
+  if (cfg.server.mode !== "standalone") return false
+  const domain = cfg.server.domain?.trim()
+  if (!domain) return false
+  const tls = cfg.server.tls
+  if (!tls || tls.provider === "none") return false
+  return Boolean(tls.email?.trim())
+}
+
 /** Resolved runtime provider (`config.provider` ?? `database.provider` ?? native). */
 export function resolveRuntimeProvider(cfg: SupatypeProjectConfig): "native" | "docker" {
   return cfg.provider ?? cfg.database.provider ?? "native"

package/src/prompts.ts

@@ -0,0 +1,21 @@
+import * as p from "@clack/prompts"
+import { SUPATYPE_ASCII_LOGO_WORDMARK, colorLogoLines } from "./dev-logo.js"
+
+/** Print the coloured Supatype ASCII wordmark at the top of an interactive command. */
+export function printLogo(): void {
+  console.log()
+  console.log(colorLogoLines([...SUPATYPE_ASCII_LOGO_WORDMARK]).join("\n"))
+  console.log()
+}
+
+/**
+ * Unwrap a clack prompt result, exiting cleanly when the user cancels (Ctrl-C).
+ * Shared by all interactive commands so cancellation behaves consistently.
+ */
+export function ensureNotCancelled<T>(value: T | symbol, cancelMessage = "Cancelled."): T {
+  if (p.isCancel(value)) {
+    p.cancel(cancelMessage)
+    process.exit(0)
+  }
+  return value as T
+}

package/src/scripts/postinstall.ts

@@ -38,7 +38,13 @@ async function main() {
   }
 
   if (anyFailed) {
-    console.error("[supatype] Some downloads failed. Run 'supatype update' to retry.")
+    // npm hides postinstall output unless --foreground-scripts, so don't rely on
+    // this being seen: the CLI re-attempts the download (with retry) on first use.
+    console.error(
+      "[supatype] Some component binaries failed to download. " +
+        "They will be re-downloaded automatically on first use; " +
+        "run 'supatype update' to retry now.",
+    )
   } else {
     console.log("[supatype] All component binaries downloaded successfully.")
   }

package/src/self-host-compose.ts

@@ -1,7 +1,7 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"
 import { dirname, join, relative, resolve } from "node:path"
 import { spawnSync } from "node:child_process"
-import { preferredFunctionsPathFromProject, type SupatypeProjectConfig } from "./project-config.js"
+import { preferredFunctionsPathFromProject, selfHostTlsEnabled, type SupatypeProjectConfig } from "./project-config.js"
 import { hasEngineOverride, hasStudioOverride, pinnedVersion, fetchLatestVersion, VERSION_PIN_LOCAL } from "./binary-cache.js"
 import { buildKongDeclarative } from "./kong-config.js"
 
@@ -228,6 +228,11 @@ export function renderSelfHostCompose(
   const projectMount = projectMountPath(cwd)
   const kongMount = kongMountPath(cwd)
   const devLocal = options?.devLocal === true
+  const tlsEnabled = selfHostTlsEnabled(config, devLocal)
+  const domain = config.server.domain?.trim() ?? ""
+  // When TLS is on, default external URLs to https://<domain> so auth links/redirects use HTTPS.
+  const externalUrlFallback = tlsEnabled ? `https://${domain}` : "http://localhost:18473"
+  const siteUrlFallback = tlsEnabled ? `https://${domain}` : "http://localhost:3000"
   const studioHostDev = devLocal && hasStudioOverride(config)
   const appEnv = serverAppEnvForCompose(config, devLocal)
   const staticDir = staticDirForCompose(config) ?? "./dist"
@@ -239,7 +244,7 @@ export function renderSelfHostCompose(
   studio:
 ${studioService}
     environment:
-      SUPATYPE_CLOUD_JSON: '{"url":"\${API_EXTERNAL_URL:-http://localhost:18473}","anonKey":"\${ANON_KEY:-}"}'
+      SUPATYPE_CLOUD_JSON: '{"url":"\${API_EXTERNAL_URL:-${externalUrlFallback}}","anonKey":"\${ANON_KEY:-}"}'
     expose:
       - "3002"
 `
@@ -270,6 +275,43 @@ ${studioService}
       - "9000:9000"
       - "9001:9001"
 `
+  const kongTlsEnv = tlsEnabled
+    ? `      KONG_PROXY_LISTEN: "0.0.0.0:8000, 0.0.0.0:8443 ssl"
+      KONG_LUA_SSL_TRUSTED_CERTIFICATE: system
+`
+    : ""
+  const kongPorts = tlsEnabled
+    ? `      - "80:8000"
+      - "443:8443"`
+    : `      - "\${SUPATYPE_KONG_PORT:-18473}:8000"`
+  const kongTlsDependsOn = tlsEnabled ? "\n      - valkey" : ""
+  const valkeyBlock = tlsEnabled
+    ? `
+  valkey:
+    image: \${SUPATYPE_VALKEY_IMAGE:-valkey/valkey:8-alpine}
+    command: ["valkey-server", "--appendonly", "yes"]
+    expose:
+      - "6379"
+    volumes:
+      - valkey-data:/data
+`
+    : ""
+  const tlsHintComment = tlsEnabled
+    ? ""
+    : `  # HTTPS is off. To enable automatic TLS (Let's Encrypt) for production, set in supatype.config.ts:
+  #   server: { mode: "standalone", domain: "your.domain", tls: { email: "you@example.com" } }
+  # then re-run \`supatype self-host compose up -d\`. Kong publishes :80/:443 and provisions certs automatically.
+`
+  const volumesBlock = tlsEnabled
+    ? `volumes:
+  db-data:
+  minio-data:
+  valkey-data:
+`
+    : `volumes:
+  db-data:
+  minio-data:
+`
 
   return `# Generated by supatype self-host compose
 # Kong → supatype-server (unified gateway) → internal PostgREST / storage / etc.
@@ -330,12 +372,12 @@ ${dbPorts}    volumes:
       SUPATYPE_FUNCTIONS_ROOT: /project/functions
       SUPATYPE_DENO_FUNCTIONS_DIR: /project/functions
       PORT: "8001"
-      SUPATYPE_URL: \${API_EXTERNAL_URL:-http://localhost:18473}
+      SUPATYPE_URL: \${API_EXTERNAL_URL:-${externalUrlFallback}}
       SUPATYPE_ANON_KEY: \${ANON_KEY:-}
       SUPATYPE_SERVICE_ROLE_KEY: \${SERVICE_ROLE_KEY:-}
       STRIPE_SECRET_KEY: \${STRIPE_SECRET_KEY:-}
       STRIPE_WEBHOOK_SECRET: \${STRIPE_WEBHOOK_SECRET:-}
-      SITE_URL: \${SITE_URL:-\${API_EXTERNAL_URL:-http://localhost:18473}}
+      SITE_URL: \${SITE_URL:-\${API_EXTERNAL_URL:-${externalUrlFallback}}}
     depends_on:
       db:
         condition: service_healthy
@@ -374,7 +416,7 @@ ${serverPorts}    volumes:
       SUPATYPE_POSTGREST_URL: http://postgrest:3000
       SUPATYPE_GRAPHQL_URL: http://postgrest:3000
       SUPATYPE_STORAGE_URL: http://storage:5000
-      SUPATYPE_URL: \${API_EXTERNAL_URL:-http://localhost:18473}
+      SUPATYPE_URL: \${API_EXTERNAL_URL:-${externalUrlFallback}}
       SUPATYPE_ANON_KEY: \${ANON_KEY:-}
       SUPATYPE_SERVICE_ROLE_KEY: \${SERVICE_ROLE_KEY:-}
       SUPATYPE_SQL_DATABASE_URL: "postgresql://\${POSTGRES_USER:-supatype_admin}:\${POSTGRES_PASSWORD:-postgres}@db:5432/\${POSTGRES_DB:-supatype}"
@@ -384,11 +426,11 @@ ${serverPorts}    volumes:
 ${appEnv}
       GOTRUE_API_HOST: 0.0.0.0
       GOTRUE_API_PORT: 9999
-      API_EXTERNAL_URL: \${API_EXTERNAL_URL:-http://localhost:18473}
-      GOTRUE_API_EXTERNAL_URL: \${API_EXTERNAL_URL:-http://localhost:18473}
+      API_EXTERNAL_URL: \${API_EXTERNAL_URL:-${externalUrlFallback}}
+      GOTRUE_API_EXTERNAL_URL: \${API_EXTERNAL_URL:-${externalUrlFallback}}
       GOTRUE_DB_DRIVER: postgres
       GOTRUE_DB_DATABASE_URL: "postgres://\${POSTGRES_USER:-supatype_admin}:\${POSTGRES_PASSWORD:-postgres}@db:5432/\${POSTGRES_DB:-supatype}?search_path=auth"
-      GOTRUE_SITE_URL: \${SITE_URL:-http://localhost:3000}
+      GOTRUE_SITE_URL: \${SITE_URL:-${siteUrlFallback}}
       GOTRUE_JWT_SECRET: \${JWT_SECRET:-super-secret-jwt-token-change-in-production}
       GOTRUE_JWT_EXP: 3600
       GOTRUE_JWT_AUD: authenticated
@@ -428,8 +470,7 @@ ${minioPorts}    volumes:
     depends_on:
       db:
         condition: service_healthy
-${studioBlock}
-  kong:
+${studioBlock}${valkeyBlock}${tlsHintComment}  kong:
     image: kong:3.6
     environment:
       KONG_DATABASE: "off"
@@ -438,17 +479,14 @@ ${studioBlock}
       KONG_ADMIN_ACCESS_LOG: /dev/stdout
       KONG_PROXY_ERROR_LOG: /dev/stderr
       KONG_ADMIN_ERROR_LOG: /dev/stderr
-    volumes:
+${kongTlsEnv}    volumes:
       - ${kongMount}:/etc/kong/kong.yml:ro
     ports:
-      - "\${SUPATYPE_KONG_PORT:-18473}:8000"
+${kongPorts}
     depends_on:
-${kongDependsOn}
+${kongDependsOn}${kongTlsDependsOn}
 
-volumes:
-  db-data:
-  minio-data:
-`
+${volumesBlock}`
 }
 
 function ensureComposeManifest(cwd: string): void {
@@ -480,6 +518,9 @@ export function writeSelfHostCompose(
   ensureComposeManifest(cwd)
   writeFileSync(paths.composePath, renderSelfHostCompose(config, cwd, options), "utf8")
   const studioHostDev = options?.devLocal === true && hasStudioOverride(config)
+  const tlsEnabled = selfHostTlsEnabled(config, options?.devLocal === true)
+  const domain = config.server.domain?.trim()
+  const acmeEmail = config.server.tls?.email?.trim()
   writeFileSync(
     paths.kongPath,
     buildKongDeclarative({
@@ -488,6 +529,9 @@ export function writeSelfHostCompose(
         studioServiceUrl: COMPOSE_STUDIO_HOST_URL,
         studioStripPath: false,
       }),
+      ...(tlsEnabled && domain && acmeEmail
+        ? { acme: { email: acmeEmail, domain, redisHost: "valkey" } }
+        : {}),
     }),
     "utf8",
   )

package/tests/config.test.ts

@@ -249,4 +249,30 @@ describe("mergeProjectConfig()", () => {
     expect(merged.app.start).toBe("dev:site")
     expect(merged.app.static_dir).toBe("./dist")
   })
+
+  it("preserves base environments when a local override sets only server.mode", () => {
+    const base = defineConfig({
+      ...minimalProject("p"),
+      server: { mode: "standalone", domain: "api.example.com" },
+      environments: { default: "production" },
+    })
+    const merged = mergeProjectConfig(base, { server: { mode: "dev" } })
+    expect(merged.server.mode).toBe("dev")
+    expect(merged.environments?.default).toBe("production")
+  })
+
+  it("deep-merges environments.branchDefaults across base and override", () => {
+    const base = defineConfig({
+      ...minimalProject("p"),
+      environments: { default: "production", branchDefaults: { main: "production" } },
+    })
+    const merged = mergeProjectConfig(base, {
+      environments: { branchDefaults: { staging: "preview" } },
+    })
+    expect(merged.environments?.default).toBe("production")
+    expect(merged.environments?.branchDefaults).toEqual({
+      main: "production",
+      staging: "preview",
+    })
+  })
 })

package/tests/init.test.ts

@@ -2,7 +2,7 @@ import { describe, it, expect, beforeEach, afterEach } from "vitest"
 import { mkdirSync, rmSync, existsSync, readFileSync, writeFileSync } from "node:fs"
 import { join } from "node:path"
 import { tmpdir } from "node:os"
-import { scaffold } from "../src/commands/init.js"
+import { scaffold, defaultScaffoldOptions } from "../src/commands/init.js"
 
 let tmpRoot: string
 
@@ -17,7 +17,7 @@ afterEach(() => {
 
 describe("scaffold()", () => {
   it("creates all expected files", () => {
-    scaffold(tmpRoot, "my-app")
+    scaffold(tmpRoot, defaultScaffoldOptions("my-app"))
 
     const expected = [
       "package.json",
@@ -35,7 +35,7 @@ describe("scaffold()", () => {
   })
 
   it("supatype.config.ts embeds the project name and exports defineConfig", () => {
-    scaffold(tmpRoot, "blog-app")
+    scaffold(tmpRoot, defaultScaffoldOptions("blog-app"))
     const content = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
     expect(content).toContain("blog-app")
     expect(content).toContain("defineConfig")
@@ -46,7 +46,7 @@ describe("scaffold()", () => {
   })
 
   it("package.json includes @supatype/cli and @supatype/types", () => {
-    scaffold(tmpRoot, "pkg-app")
+    scaffold(tmpRoot, defaultScaffoldOptions("pkg-app"))
     const content = readFileSync(join(tmpRoot, "package.json"), "utf8")
     expect(content).toContain("@supatype/cli")
     expect(content).toContain("@supatype/types")
@@ -56,18 +56,18 @@ describe("scaffold()", () => {
   it("skips package.json when it already exists", () => {
     const pkgPath = join(tmpRoot, "package.json")
     writeFileSync(pkgPath, '{"name":"existing"}', "utf8")
-    scaffold(tmpRoot, "my-app")
+    scaffold(tmpRoot, defaultScaffoldOptions("my-app"))
     expect(readFileSync(pkgPath, "utf8")).toBe('{"name":"existing"}')
   })
 
   it("supatype.config.ts documents self-host workflow", () => {
-    scaffold(tmpRoot, "my-app")
+    scaffold(tmpRoot, defaultScaffoldOptions("my-app"))
     const content = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
     expect(content).toContain("self-host")
   })
 
   it(".env contains DATABASE_URL, JWT_SECRET, POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB", () => {
-    scaffold(tmpRoot, "my-app")
+    scaffold(tmpRoot, defaultScaffoldOptions("my-app"))
     const content = readFileSync(join(tmpRoot, ".env"), "utf8")
     expect(content).toContain("DATABASE_URL=")
     expect(content).toContain("JWT_SECRET=")
@@ -77,23 +77,24 @@ describe("scaffold()", () => {
   })
 
   it(".env contains ANON_KEY, SERVICE_ROLE_KEY, and SITE_URL placeholders", () => {
-    scaffold(tmpRoot, "my-app")
+    scaffold(tmpRoot, defaultScaffoldOptions("my-app"))
     const content = readFileSync(join(tmpRoot, ".env"), "utf8")
     expect(content).toContain("ANON_KEY=")
     expect(content).toContain("SERVICE_ROLE_KEY=")
     expect(content).toContain("SITE_URL=")
   })
 
-  it("schema/index.ts exports a User model using RFC v2 Model<>", () => {
-    scaffold(tmpRoot, "my-app")
+  it("schema/index.ts exports a Profile model using RFC v2 Model<>", () => {
+    scaffold(tmpRoot, defaultScaffoldOptions("my-app"))
     const content = readFileSync(join(tmpRoot, "schema/index.ts"), "utf8")
-    expect(content).toContain("export type User")
+    expect(content).toContain("export type Profile")
+    expect(content).toContain("display_name")
     expect(content).toContain("Model<")
     expect(content).toContain("access:")
   })
 
   it(".gitignore excludes .env, node_modules, and engine binary", () => {
-    scaffold(tmpRoot, "my-app")
+    scaffold(tmpRoot, defaultScaffoldOptions("my-app"))
     const content = readFileSync(join(tmpRoot, ".gitignore"), "utf8")
     expect(content).toContain(".env")
     expect(content).toContain("node_modules/")
@@ -102,19 +103,19 @@ describe("scaffold()", () => {
   })
 
   it("seed.ts references the project name", () => {
-    scaffold(tmpRoot, "acme")
+    scaffold(tmpRoot, defaultScaffoldOptions("acme"))
     const content = readFileSync(join(tmpRoot, "seed.ts"), "utf8")
     expect(content).toContain("acme")
   })
 
   it("different project names produce different config bodies", () => {
-    scaffold(tmpRoot, "alpha")
+    scaffold(tmpRoot, defaultScaffoldOptions("alpha"))
     const alpha = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
 
     const tmp2 = join(tmpdir(), `dt-init-test2-${Date.now()}`)
     mkdirSync(tmp2, { recursive: true })
     try {
-      scaffold(tmp2, "beta")
+      scaffold(tmp2, defaultScaffoldOptions("beta"))
       const beta = readFileSync(join(tmp2, "supatype.config.ts"), "utf8")
       expect(alpha).toContain("alpha")
       expect(beta).toContain("beta")
@@ -124,4 +125,116 @@ describe("scaffold()", () => {
       rmSync(tmp2, { recursive: true, force: true })
     }
   })
+
+  it("self-host target emits standalone mode + domain and a local override", () => {
+    scaffold(tmpRoot, { ...defaultScaffoldOptions("my-app", "self-host"), domain: "api.example.com" })
+    const content = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
+    expect(content).toContain('mode: "standalone"')
+    expect(content).toContain('domain: "api.example.com"')
+    expect(content).toContain('environments: { default: "production" }')
+    expect(existsSync(join(tmpRoot, "supatype.local.config.ts"))).toBe(true)
+    const local = readFileSync(join(tmpRoot, "supatype.local.config.ts"), "utf8")
+    expect(local).toContain('mode: "dev"')
+    expect(local).toContain("Partial<SupatypeConfig>")
+  })
+
+  it("self-host with a TLS email emits an active tls block", () => {
+    scaffold(tmpRoot, {
+      ...defaultScaffoldOptions("my-app", "self-host"),
+      domain: "api.example.com",
+      tlsEmail: "ops@example.com",
+    })
+    const content = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
+    expect(content).toContain('tls: { email: "ops@example.com" }')
+  })
+
+  it("self-host without a TLS email emits a commented tls hint", () => {
+    scaffold(tmpRoot, { ...defaultScaffoldOptions("my-app", "self-host"), domain: "api.example.com" })
+    const content = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
+    expect(content).toContain('// tls: { email: "you@example.com" }')
+  })
+
+  it("cloud target emits managed mode + environments and a local override", () => {
+    scaffold(tmpRoot, defaultScaffoldOptions("my-app", "cloud"))
+    const content = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
+    expect(content).toContain('mode: "managed"')
+    expect(content).toContain('environments: { default: "production" }')
+    expect(existsSync(join(tmpRoot, "supatype.local.config.ts"))).toBe(true)
+  })
+
+  it("later target stays in dev mode with no local override", () => {
+    scaffold(tmpRoot, defaultScaffoldOptions("my-app", "later"))
+    const content = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
+    expect(content).toContain('mode: "dev"')
+    expect(content).not.toContain("environments:")
+    expect(existsSync(join(tmpRoot, "supatype.local.config.ts"))).toBe(false)
+  })
+
+  it("static app mode writes the static dir and config block", () => {
+    scaffold(tmpRoot, {
+      ...defaultScaffoldOptions("my-app"),
+      app: { mode: "static", staticDir: "./dist" },
+    })
+    const content = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
+    expect(content).toContain('mode: "static"')
+    expect(content).toContain('static_dir: "./dist"')
+    expect(existsSync(join(tmpRoot, "dist/.gitkeep"))).toBe(true)
+  })
+
+  it("proxy app mode writes upstream and start in the config", () => {
+    scaffold(tmpRoot, {
+      ...defaultScaffoldOptions("my-app"),
+      app: { mode: "proxy", upstream: "http://localhost:4000", start: "dev" },
+    })
+    const content = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
+    expect(content).toContain('mode: "proxy"')
+    expect(content).toContain('upstream: "http://localhost:4000"')
+    expect(content).toContain('start: "dev"')
+  })
+
+  it("hello-world function scaffolds function files and a functions script", () => {
+    scaffold(tmpRoot, { ...defaultScaffoldOptions("my-app"), helloFunction: true })
+    expect(existsSync(join(tmpRoot, "functions/hello/index.ts"))).toBe(true)
+    expect(existsSync(join(tmpRoot, "functions/_shared/README.md"))).toBe(true)
+    expect(existsSync(join(tmpRoot, "functions/.env.local"))).toBe(true)
+    const pkg = readFileSync(join(tmpRoot, "package.json"), "utf8")
+    expect(pkg).toContain("supatype functions serve")
+  })
+
+  it("custom schema path is honored", () => {
+    scaffold(tmpRoot, { ...defaultScaffoldOptions("my-app"), schemaPath: "db/schema.ts" })
+    expect(existsSync(join(tmpRoot, "db/schema.ts"))).toBe(true)
+    const content = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
+    expect(content).toContain('path: "db/schema.ts"')
+  })
+
+  it("s3 storage and resend email reflect in config and .env", () => {
+    scaffold(tmpRoot, {
+      ...defaultScaffoldOptions("my-app"),
+      email: "resend",
+      storageLocal: "s3",
+      storageProduction: "s3",
+    })
+    const config = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
+    expect(config).toContain('email: { provider: "resend" }')
+    expect(config).toContain('storage: { provider: "s3" }')
+    const env = readFileSync(join(tmpRoot, ".env"), "utf8")
+    expect(env).toContain("RESEND_API_KEY=")
+    expect(env).toContain("S3_BUCKET=")
+    expect(env).toContain("local development and production")
+  })
+
+  it("mixed local dev and s3 production writes both storage sections", () => {
+    scaffold(tmpRoot, {
+      ...defaultScaffoldOptions("my-app"),
+      storageLocal: "local",
+      storageProduction: "s3",
+    })
+    const config = readFileSync(join(tmpRoot, "supatype.config.ts"), "utf8")
+    expect(config).toContain('provider: "local"')
+    expect(config).toContain("Production storage: external S3")
+    const env = readFileSync(join(tmpRoot, ".env"), "utf8")
+    expect(env).toContain("local development — MinIO")
+    expect(env).toContain("production — external bucket")
+  })
 })