@supatype/cli 0.1.0-alpha.7 → 0.1.0-alpha.8

package/src/docker-postgres.ts

@@ -9,7 +9,7 @@
 import { spawnSync } from "node:child_process"
 
 export interface DockerPgOptions {
-  /** Docker image to run. Defaults to supatype/postgres:17-latest. */
+  /** Docker image to run. Defaults to supatype/postgres:latest. */
   image: string
   /** Project name — used to derive the container and volume names. */
   projectName: string
@@ -20,6 +20,26 @@ export interface DockerPgOptions {
 }
 
 const PG_USER = "supatype_admin"
+/** Must match `dockerPgStart` default `POSTGRES_PASSWORD`. */
+const DEFAULT_DEV_PASSWORD = "postgres"
+
+function dockerPgPsql(
+  name: string,
+  db: string,
+  sql: string,
+  password = DEFAULT_DEV_PASSWORD,
+) {
+  return spawnSync(
+    "docker",
+    [
+      "exec",
+      "-e", `PGPASSWORD=${password}`,
+      name,
+      "psql", "--no-password", "-U", PG_USER, "-d", db, "-tAc", sql,
+    ],
+    { encoding: "utf8", stdio: "pipe" },
+  )
+}
 
 /** Derived container name for a project. */
 export function containerName(projectName: string): string {
@@ -72,6 +92,72 @@ export function dockerPgStop(projectName: string): void {
   spawnSync("docker", ["stop", containerName(projectName)], { encoding: "utf8" })
 }
 
+function dockerPgLogsTail(name: string, tail = 120): string {
+  const logs = spawnSync(
+    "docker",
+    ["logs", "--tail", String(tail), name],
+    { encoding: "utf8" },
+  )
+  return `${logs.stdout ?? ""}${logs.stderr ?? ""}`
+}
+
+function dockerPgHealthStatus(name: string): string | undefined {
+  const inspect = spawnSync(
+    "docker",
+    ["inspect", "-f", "{{if .State.Health}}{{.State.Health.Status}}{{end}}", name],
+    { encoding: "utf8", stdio: "pipe" },
+  )
+  if (inspect.status !== 0) return undefined
+  const status = inspect.stdout?.trim()
+  return status === "" ? undefined : status
+}
+
+/** True when the final post-init Postgres process is accepting connections. */
+export function dockerPgPostInitServing(logs: string): boolean {
+  const ready = "database system is ready to accept connections"
+  const lastReady = logs.lastIndexOf(ready)
+  if (lastReady === -1) return false
+
+  const initDone = logs.lastIndexOf("PostgreSQL init process complete")
+  if (initDone === -1) {
+    // Reused data volume — this run did not re-run entrypoint init.
+    return true
+  }
+  return initDone < lastReady
+}
+
+function migrateStillRunning(logs: string): boolean {
+  return /99-supatype-migrate\.sh: running .+\.sql/.test(logs)
+}
+
+function psqlTruthy(stdout: string | undefined): boolean {
+  const v = (stdout ?? "").replace(/\r/g, "").trim().toLowerCase()
+  return v === "t" || v === "true"
+}
+
+const ANON_ROLE_SQL = "SELECT EXISTS (SELECT FROM pg_roles WHERE rolname = 'anon')"
+
+function dockerPgHasAnonRole(
+  name: string,
+  projectName: string,
+  password = DEFAULT_DEV_PASSWORD,
+): boolean {
+  for (const db of [projectName, "postgres"]) {
+    const result = dockerPgPsql(name, db, ANON_ROLE_SQL, password)
+    if (result.status === 0 && psqlTruthy(result.stdout)) return true
+  }
+  return false
+}
+
+function dockerPgExecReady(name: string): boolean {
+  const ready = spawnSync(
+    "docker",
+    ["exec", name, "pg_isready", "-U", PG_USER, "-q"],
+    { encoding: "utf8", stdio: "pipe" },
+  )
+  return ready.status === 0
+}
+
 /**
  * Poll until Postgres accepts connections and the image entrypoint init has
  * finished (anon/authenticated/service_role come from supatype-postgres
@@ -79,50 +165,121 @@ export function dockerPgStop(projectName: string): void {
  */
 export async function dockerPgWaitReady(
   projectName: string,
-  timeoutMs = 30_000,
+  timeoutMs = 180_000,
+  password = DEFAULT_DEV_PASSWORD,
 ): Promise<void> {
   const name = containerName(projectName)
   const deadline = Date.now() + timeoutMs
+  let servingWithoutAnonMs = 0
+  let lastPsqlDetail = ""
 
   while (Date.now() < deadline) {
-    const ready = spawnSync(
-      "docker",
-      ["exec", name, "pg_isready", "-U", PG_USER, "-q"],
-      { encoding: "utf8" },
-    )
-    if (ready.status === 0) {
-      const initDone = spawnSync(
-        "docker",
-        [
-          "exec", name,
-          "psql", "-U", PG_USER, "-d", projectName, "-tAc",
-          "SELECT EXISTS (SELECT FROM pg_roles WHERE rolname = 'anon')",
-        ],
-        { encoding: "utf8", stdio: "pipe" },
-      )
-      if (initDone.status === 0 && initDone.stdout?.trim() === "t") return
+    const health = dockerPgHealthStatus(name)
+    const logs = dockerPgLogsTail(name)
+    const serving =
+      health === "healthy" ||
+      dockerPgPostInitServing(logs) ||
+      dockerPgExecReady(name)
+
+    if (serving && !migrateStillRunning(logs)) {
+      if (dockerPgHasAnonRole(name, projectName, password)) return
+
+      const probe = dockerPgPsql(name, projectName, ANON_ROLE_SQL, password)
+      lastPsqlDetail = [
+        probe.status !== 0 ? `psql exit ${probe.status}` : "",
+        probe.stderr?.trim(),
+        probe.stdout?.trim() ? `stdout=${probe.stdout.trim()}` : "",
+      ]
+        .filter(Boolean)
+        .join("; ")
+
+      const reusedVolume =
+        logs.includes("database system is ready to accept connections") &&
+        !logs.includes("PostgreSQL init process complete")
+
+      if (reusedVolume) {
+        servingWithoutAnonMs += 500
+        if (servingWithoutAnonMs >= 5_000) throw staleVolumeError(name)
+      } else {
+        servingWithoutAnonMs = 0
+      }
+    } else {
+      servingWithoutAnonMs = 0
     }
-    await sleep(300)
+
+    await sleep(500)
   }
 
-  const logs = spawnSync("docker", ["logs", "--tail", "30", name], {
-    encoding: "utf8",
-  })
+  const logs = dockerPgLogsTail(name, 80)
   throw new Error(
     `Docker Postgres "${name}" did not finish image init within ${timeoutMs}ms.\n` +
       "  API roles (anon, authenticated, service_role) are created by the supatype/postgres\n" +
       "  entrypoint (99-supatype-migrate.sh), not by the CLI.\n" +
       "  If you upgraded the image, remove the stale volume:\n" +
       `    docker volume rm ${name}-data\n` +
-      (logs.stdout ? `  stdout:\n${indent(logs.stdout)}\n` : "") +
-      (logs.stderr ? `  stderr:\n${indent(logs.stderr)}\n` : ""),
+      (lastPsqlDetail ? `  Last anon probe: ${lastPsqlDetail}\n` : "") +
+      (logs ? `  logs (tail):\n${indent(logs)}\n` : ""),
+  )
+}
+
+function staleVolumeError(name: string): Error {
+  return new Error(
+    `Docker Postgres "${name}" is up but API roles are missing.\n` +
+      "  The data volume was initialised without supatype/postgres migrations (stale or wrong image).\n" +
+      "  Remove the volume so first-boot 99-supatype-migrate.sh runs again:\n" +
+      `    docker volume rm ${name}-data`,
   )
 }
 
 /** Connection string for the Docker container (local dev credentials). */
-export function dockerDbUrl(projectName: string, port: number): string {
-  // Local image has no TLS; sqlx/libpq default "prefer" can mis-handle the SSLRequest on some hosts.
-  return `postgres://${PG_USER}:postgres@127.0.0.1:${port}/${projectName}?sslmode=disable`
+export function dockerDbUrl(projectName: string, port: number, password = DEFAULT_DEV_PASSWORD): string {
+  // Host → published port. sqlx/libpq "prefer" can mis-handle SSL on some hosts (e.g. Docker Desktop on Windows).
+  return `postgres://${PG_USER}:${password}@127.0.0.1:${port}/${projectName}?sslmode=disable`
+}
+
+/**
+ * DB URL for processes sharing the Postgres container network namespace
+ * (supatype-server migrate in a one-shot container). Uses loopback inside the
+ * container where pg_hba grants trust — avoids host-published-port SCRAM/SSL issues.
+ */
+export function dockerPgLoopbackDbUrl(projectName: string, password = DEFAULT_DEV_PASSWORD): string {
+  return `postgres://${PG_USER}:${password}@127.0.0.1:5432/${projectName}?sslmode=disable`
+}
+
+/**
+ * Published Hub tag for local dev when CDN server version is not on Docker Hub yet.
+ * Keep in sync with tests/integration/scripts/compose-smoke.sh.
+ */
+export const DEFAULT_SERVER_DOCKER_IMAGE = "supatype/server:latest"
+
+/**
+ * Run `supatype-server migrate` on the Postgres container network (loopback trust).
+ * Used on Windows + database.provider docker — host-published :5432 breaks libpq TLS there.
+ */
+export function runGotrueMigrationsViaDocker(
+  pgContainerName: string,
+  serverImage: string,
+  migrateEnv: Record<string, string>,
+): void {
+  const envArgs = Object.entries(migrateEnv).flatMap(([k, v]) => ["-e", `${k}=${v}`])
+  const result = spawnSync(
+    "docker",
+    [
+      "run", "--rm",
+      "--network", `container:${pgContainerName}`,
+      ...envArgs,
+      serverImage,
+      "migrate",
+    ],
+    { encoding: "utf8", stdio: "pipe" },
+  )
+  if (result.status !== 0) {
+    const detail = (result.stderr ?? result.stdout ?? "").trim()
+    throw new Error(
+      `GoTrue migrations failed in Docker (exit ${result.status ?? "unknown"})` +
+        (detail ? `:\n${detail}` : ""),
+    )
+  }
 }
 
 function sleep(ms: number): Promise<void> {

package/src/engine-client.ts

@@ -21,9 +21,12 @@ import { resolveBinary, currentPlatform, cachePath } from "./binary-cache.js"
 
 export interface Operation {
   kind: "create_table" | "alter_table" | "drop_table" | "create_index" | "drop_index" |
-        "create_policy" | "drop_policy" | "add_column" | "drop_column" | "alter_column"
-  description: string
-  risk?: "safe" | "warn" | "danger"
+        "create_policy" | "drop_policy" | "add_column" | "drop_column" | "alter_column" |
+        "recreate_column"
+  type?: string
+  description?: string
+  risk?: "safe" | "warn" | "danger" | "cautious" | "destructive"
+  warning?: string
   sql?: string
 }
 
@@ -196,13 +199,15 @@ function endpointToArgs(
   const dbUrl = (body["database_url"] as string | undefined) ?? ""
   const schema = (body["schema"] as string | undefined) ?? "public"
   const force = body["force"] ? ["--force"] : []
+  const nonInteractive =
+    body["non_interactive"] === true || body["force"] === true ? ["--non-interactive"] : []
 
   switch (endpoint) {
     case "/diff":
       return ["diff", "--input", reqFile, "--database-url", dbUrl, "--schema", schema]
 
     case "/push":
-      return ["push", "--input", reqFile, "--database-url", dbUrl, "--schema", schema, ...force]
+      return ["push", "--input", reqFile, "--database-url", dbUrl, "--schema", schema, ...force, ...nonInteractive]
 
     case "/parse":
       return ["parse", "--input", reqFile]

package/src/kong-config.ts

@@ -14,6 +14,10 @@ export interface KongDeclarativeOptions {
   functionsServiceUrl?: string | undefined
   /** Self-host: route API paths through supatype-server (see runtime-routes). */
   unifiedGateway?: boolean | undefined
+  /** Studio UI upstream (default: in-compose `studio:3002`). */
+  studioServiceUrl?: string | undefined
+  /** See {@link RuntimeRouteOptions.studioStripPath}. */
+  studioStripPath?: boolean | undefined
 }
 
 /** Escape a string for use inside YAML double quotes. */
@@ -35,6 +39,8 @@ export function buildKongDeclarative(opts: KongDeclarativeOptions = {}): string
     ...(opts.unifiedGateway !== true &&
       opts.staticAppServiceUrl !== undefined && { staticAppServiceUrl: opts.staticAppServiceUrl }),
     ...(opts.functionsServiceUrl !== undefined && { functionsServiceUrl: opts.functionsServiceUrl }),
+    ...(opts.studioServiceUrl !== undefined && { studioServiceUrl: opts.studioServiceUrl }),
+    ...(opts.studioStripPath === false && { studioStripPath: false }),
   })
 
   const consumersBlock = secured
@@ -60,6 +66,15 @@ consumers:
       ? `        protocols:\n${route.protocols.map((p) => `          - ${p}`).join("\n")}\n`
       : ""
     const stripPath = route.stripPath ?? false
+    const graphqlPlugins = route.graphqlPostgrest
+      ? `        plugins:
+          - name: request-transformer
+            config:
+              add:
+                headers:
+                  - Content-Profile:graphql_public
+`
+      : ""
     return `  - name: ${route.serviceName}
     url: ${route.serviceUrl}
     routes:
@@ -67,7 +82,7 @@ consumers:
         strip_path: ${stripPath}
         paths:
 ${route.paths.map((path) => `          - ${path}`).join("\n")}
-${protocols}${routePlugins}`
+${protocols}${routePlugins}${graphqlPlugins}`
   }).join("\n")
 
   return `_format_version: "3.0"

package/src/process-manager.ts

@@ -25,6 +25,8 @@ export interface ProcessOptions {
   maxBackoffMs?: number
   /** Called when the process exits cleanly (code 0). */
   onExit?: () => void
+  /** Use shell to spawn (required for pnpm/npm/yarn .cmd shims on Windows). */
+  shell?: boolean
 }
 
 const RESET = "\x1b[0m"
@@ -47,6 +49,7 @@ export class ProcessManager {
       initialBackoffMs: 1_000,
       maxBackoffMs: 30_000,
       onExit: () => {},
+      shell: false,
       ...opts,
     }
     this.backoffMs = this.opts.initialBackoffMs
@@ -82,7 +85,12 @@ export class ProcessManager {
     if (this.stopped) return
 
     const env = { ...process.env, ...this.opts.env } as NodeJS.ProcessEnv
-    this.child = spawn(this.bin, this.args, { env, cwd: this.opts.cwd, stdio: "pipe" })
+    this.child = spawn(this.bin, this.args, {
+      env,
+      cwd: this.opts.cwd,
+      stdio: "pipe",
+      ...(this.opts.shell ? { shell: true } : {}),
+    })
 
     const pid = this.child.pid
     if (pid) this.writePid(pid)
@@ -103,6 +111,15 @@ export class ProcessManager {
       }
     })
 
+    this.child.once("error", (err) => {
+      if (this.stopped) return
+      process.stderr.write(`${prefix}failed to start: ${err.message}\n`)
+      setTimeout(() => {
+        this.backoffMs = Math.min(this.backoffMs * 2, this.opts.maxBackoffMs)
+        this.spawn()
+      }, this.backoffMs)
+    })
+
     this.child.once("exit", (code, signal) => {
       if (this.stopped) return
 

package/src/project-config.ts

@@ -7,6 +7,12 @@ import type { ComponentVersions } from "./components.js"
 // ---------------------------------------------------------------------------
 
 export interface SupatypeProjectConfig {
+  /**
+   * Runtime stack for local dev and `supatype update`.
+   * "native" = host binaries (default). "docker" = self-host Compose stack.
+   * Falls back to `database.provider` when omitted (deprecated).
+   */
+  provider?: "native" | "docker"
   supatype?: {
     /**
      * Base directory for Supatype project assets (schema, functions, etc).
@@ -34,7 +40,7 @@ export interface SupatypeProjectConfig {
     data_dir?: string
     /**
      * Docker image to use (provider=docker).
-     * Defaults to supatype/postgres:17-latest.
+     * Defaults to supatype/postgres:latest.
      * Override in supatype.local.config.ts for local builds.
      */
     image?: string
@@ -72,6 +78,11 @@ export interface SupatypeProjectConfig {
      * When omitted, dev still falls back to `SUPATYPE_APP_UPSTREAM` for non-proxy app modes.
      */
     vite_dev_url?: string
+    /**
+     * package.json script name for `supatype dev` to run when mode is proxy.
+     * Default: `"start"`. Ignored for static/none modes.
+     */
+    start?: string
   }
   /**
    * Pinned binary versions per component. Use **`"local"`** with the matching **`overrides.*`**
@@ -192,6 +203,11 @@ export interface SupatypeProjectConfig {
    * When omitted, `DATABASE_URL` from the environment is used, then a local default DSN.
    */
   connection?: string
+  /** Studio admin panel access (Gap Appendices task 47). */
+  admin?: {
+    /** JWT `app_metadata.role` values allowed to use Studio. Default: admin, supatype_admin */
+    roles?: string[]
+  }
 }
 
 // ---------------------------------------------------------------------------
@@ -207,6 +223,9 @@ export function mergeProjectConfig(
   override: Partial<SupatypeProjectConfig>,
 ): SupatypeProjectConfig {
   return {
+    ...(base.provider !== undefined || override.provider !== undefined
+      ? { provider: override.provider ?? base.provider }
+      : {}),
     ...(base.supatype !== undefined || override.supatype !== undefined
       ? { supatype: { ...base.supatype, ...override.supatype } as NonNullable<SupatypeProjectConfig["supatype"]> }
       : {}),
@@ -263,6 +282,9 @@ export function mergeProjectConfig(
     ...(base.connection !== undefined || override.connection !== undefined
       ? { connection: override.connection ?? base.connection }
       : {}),
+    ...(base.admin !== undefined || override.admin !== undefined
+      ? { admin: { ...base.admin, ...override.admin } as NonNullable<SupatypeProjectConfig["admin"]> }
+      : {}),
   }
 }
 
@@ -330,6 +352,9 @@ export function serverBaseUrl(cfg: SupatypeProjectConfig): string | undefined {
   switch (cfg.server.mode) {
     case "dev":
     case "standalone":
+      if (cfg.server.mode === "dev" && resolveRuntimeProvider(cfg) === "docker") {
+        return `http://localhost:${COMPOSE_DEV_KONG_PORT}`
+      }
       return cfg.server.domain
         ? `https://${cfg.server.domain}`
         : `http://localhost:${port}`
@@ -338,6 +363,14 @@ export function serverBaseUrl(cfg: SupatypeProjectConfig): string | undefined {
   }
 }
 
+/** Resolved runtime provider (`config.provider` ?? `database.provider` ?? native). */
+export function resolveRuntimeProvider(cfg: SupatypeProjectConfig): "native" | "docker" {
+  return cfg.provider ?? cfg.database.provider ?? "native"
+}
+
+/** Kong gateway port when `provider: docker` (self-host compose dev). */
+export const COMPOSE_DEV_KONG_PORT = 18473
+
 /** The local Postgres DSN derived from project name (dev default). */
 export function localDSN(cfg: SupatypeProjectConfig): string {
   const port = 5432 // standard; per-project state dir isolates data dirs

package/src/runtime-routes.ts

@@ -6,6 +6,8 @@ export interface RuntimeRoute {
   stripPath?: boolean
   protocols?: string[]
   engineProtected?: boolean
+  /** Route /graphql/v1 to PostgREST /rpc/graphql with graphql_public Content-Profile. */
+  graphqlPostgrest?: boolean
 }
 
 export interface RuntimeRouteOptions {
@@ -18,6 +20,24 @@ export interface RuntimeRouteOptions {
    * which proxies to internal services — same model as `supatype dev`.
    */
   unifiedGateway?: boolean
+  /** Studio UI upstream (default: in-compose `studio:3002`). */
+  studioServiceUrl?: string
+  /**
+   * Strip `/studio/` before proxying to the Studio upstream.
+   * False for host Vite dev (`host.docker.internal`) where `base` is `/studio/`.
+   */
+  studioStripPath?: boolean
+}
+
+const DEFAULT_STUDIO_SERVICE_URL = "http://studio:3002"
+
+function studioServiceUrl(opts: RuntimeRouteOptions): string {
+  const url = opts.studioServiceUrl?.trim()
+  return url && url.length > 0 ? url : DEFAULT_STUDIO_SERVICE_URL
+}
+
+function studioStripPath(opts: RuntimeRouteOptions): boolean {
+  return opts.studioStripPath !== false
 }
 
 const SERVER_GATEWAY = "http://server:9999"
@@ -25,7 +45,9 @@ const SERVER_GATEWAY = "http://server:9999"
 /**
  * Kong routes when self-host uses supatype-server as the single API gateway.
  */
-function runtimeRouteSpecUnified(): RuntimeRoute[] {
+function runtimeRouteSpecUnified(opts: RuntimeRouteOptions): RuntimeRoute[] {
+  const studioUrl = studioServiceUrl(opts)
+  const stripStudio = studioStripPath(opts)
   return [
     {
       name: "rest-v1",
@@ -61,7 +83,7 @@ function runtimeRouteSpecUnified(): RuntimeRoute[] {
       serviceUrl: SERVER_GATEWAY,
       paths: ["/realtime/v1/"],
       stripPath: false,
-      protocols: ["http", "https", "ws", "wss"],
+      protocols: ["http", "https"],
     },
     {
       name: "functions-v1",
@@ -72,10 +94,11 @@ function runtimeRouteSpecUnified(): RuntimeRoute[] {
     },
     {
       name: "graphql-v1",
-      serviceName: "supatype-server-graphql",
-      serviceUrl: SERVER_GATEWAY,
-      paths: ["/graphql/v1/"],
-      stripPath: false,
+      serviceName: "postgrest-graphql",
+      serviceUrl: "http://postgrest:3000/rpc/graphql",
+      paths: ["/graphql/v1"],
+      stripPath: true,
+      graphqlPostgrest: true,
     },
     {
       name: "studio-config-route",
@@ -91,12 +114,33 @@ function runtimeRouteSpecUnified(): RuntimeRoute[] {
       paths: ["/sql"],
       stripPath: false,
     },
+    {
+      name: "studio-auth",
+      serviceName: "supatype-server-studio-auth",
+      serviceUrl: SERVER_GATEWAY,
+      paths: ["/studio/auth/"],
+      stripPath: false,
+    },
+    {
+      name: "studio-proxy",
+      serviceName: "supatype-server-studio-proxy",
+      serviceUrl: SERVER_GATEWAY,
+      paths: ["/studio/proxy/"],
+      stripPath: false,
+    },
+    {
+      name: "studio-exact",
+      serviceName: "studio-exact",
+      serviceUrl: studioUrl,
+      paths: ["~/studio$"],
+      stripPath: stripStudio,
+    },
     {
       name: "studio",
       serviceName: "studio",
-      serviceUrl: "http://studio:3002",
+      serviceUrl: studioUrl,
       paths: ["/studio/"],
-      stripPath: true,
+      stripPath: stripStudio,
     },
     {
       name: "app-root",
@@ -113,6 +157,8 @@ function runtimeRouteSpecUnified(): RuntimeRoute[] {
  * Kept for tests or explicit opt-out only — self-host uses unifiedGateway.
  */
 function runtimeRouteSpecSplit(opts: RuntimeRouteOptions): RuntimeRoute[] {
+  const studioUrl = studioServiceUrl(opts)
+  const stripStudio = studioStripPath(opts)
   const routes: RuntimeRoute[] = [
     {
       name: "rest-v1",
@@ -148,7 +194,7 @@ function runtimeRouteSpecSplit(opts: RuntimeRouteOptions): RuntimeRoute[] {
       serviceUrl: "http://realtime:4000",
       paths: ["/realtime/v1/"],
       stripPath: true,
-      protocols: ["http", "https", "ws", "wss"],
+      protocols: ["http", "https"],
     },
     {
       name: "functions-v1",
@@ -157,12 +203,41 @@ function runtimeRouteSpecSplit(opts: RuntimeRouteOptions): RuntimeRoute[] {
       paths: ["/functions/v1/"],
       stripPath: false,
     },
+    {
+      name: "graphql-v1",
+      serviceName: "postgrest-graphql",
+      serviceUrl: "http://postgrest:3000/rpc/graphql",
+      paths: ["/graphql/v1"],
+      stripPath: true,
+      graphqlPostgrest: true,
+    },
+    {
+      name: "studio-auth",
+      serviceName: "auth-v1",
+      serviceUrl: "http://server:9999",
+      paths: ["/studio/auth/"],
+      stripPath: false,
+    },
+    {
+      name: "studio-proxy",
+      serviceName: "auth-v1",
+      serviceUrl: "http://server:9999",
+      paths: ["/studio/proxy/"],
+      stripPath: false,
+    },
+    {
+      name: "studio-exact",
+      serviceName: "studio-exact",
+      serviceUrl: studioUrl,
+      paths: ["~/studio$"],
+      stripPath: stripStudio,
+    },
     {
       name: "studio",
       serviceName: "studio",
-      serviceUrl: "http://studio:3002",
+      serviceUrl: studioUrl,
       paths: ["/studio/"],
-      stripPath: true,
+      stripPath: stripStudio,
     },
     {
       name: "studio-config-route",
@@ -210,7 +285,7 @@ function runtimeRouteSpecSplit(opts: RuntimeRouteOptions): RuntimeRoute[] {
  */
 export function runtimeRouteSpec(opts: RuntimeRouteOptions = {}): RuntimeRoute[] {
   if (opts.unifiedGateway) {
-    return runtimeRouteSpecUnified()
+    return runtimeRouteSpecUnified(opts)
   }
   return runtimeRouteSpecSplit(opts)
 }