npm - @vibecodemax/cli - Versions diffs - 0.1.10 → 0.1.11 - Mend

@vibecodemax/cli 0.1.10 → 0.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -46,7 +46,7 @@ npx @vibecodemax/cli admin ensure-admin --email admin@example.com
 This command reads `SUPABASE_SERVICE_ROLE_KEY` and `SUPABASE_URL` or `NEXT_PUBLIC_SUPABASE_URL` from local env files, performs lookup/create/promote/verify locally, and prints JSON only.
-If a new user is created, the CLI output includes `temporaryPassword`. Show that password to the user directly and do not forward it into MCP payloads.
+If a new user is created, the CLI output does not expose a password. The result indicates that password setup still needs a user-facing reset or invite flow.
 ### `configure-site-redirects`
@@ -73,18 +73,6 @@ Enables Google OAuth using credentials from `.env.bootstrap.local`. The Supabase
 npx @vibecodemax/cli enable-google-provider
 ```
-### `apply-auth-templates`
-Applies custom auth email templates from local project files. The Supabase personal access token must be stored as `SUPABASE_ACCESS_TOKEN`.
-```bash
-npx @vibecodemax/cli apply-auth-templates \
-  --confirm-email-enabled true \
-  --confirm-email-path src/email/confirm-email.html \
-  --reset-password-enabled true \
-  --reset-password-path src/email/reset-password.html
-```
 ## Output
 All commands print structured JSON to stdout and exit with code 0 on success, non-zero on failure.
@@ -99,4 +87,4 @@ All commands print structured JSON to stdout and exit with code 0 on success, no
 ## Security
-Credentials are read from local env files and sent only to the relevant provider APIs. No secret values appear in CLI output.
+Credentials are read from local env files and sent only to the relevant provider APIs. No secret values appear in CLI output. Secret-bearing local commands avoid putting credentials on child-process argv, and `read-setup-state` requires `.vibecodemax/setup-state.json` to remain secret-free.

package/dist/cli.js CHANGED Viewed

@@ -48,6 +48,21 @@ const LEMON_EVENTS = [
     "subscription_payment_failed",
     "subscription_payment_success",
 ];
+const SECRET_LIKE_KEY_PATTERN = /(access[_-]?token|refresh[_-]?token|service[_-]?role|webhook[_-]?secret|api[_-]?key|secret|password)/i;
+const SECRET_LIKE_VALUE_PATTERN = /(sb_secret_[A-Za-z0-9_-]+|sk_(?:test|live)_[A-Za-z0-9]+|whsec_[A-Za-z0-9]+|SUPABASE_SERVICE_ROLE_KEY|SUPABASE_ACCESS_TOKEN)/;
+const CHILD_PROCESS_ENV_KEYS = [
+    "PATH",
+    "HOME",
+    "USERPROFILE",
+    "APPDATA",
+    "LOCALAPPDATA",
+    "TMPDIR",
+    "TMP",
+    "TEMP",
+    "SYSTEMROOT",
+    "COMSPEC",
+    "SHELL",
+];
 function printJson(value) {
     process.stdout.write(`${JSON.stringify(value)}\n`);
 }
@@ -73,7 +88,7 @@ function parseArgs(argv) {
     let subcommand;
     const flags = {};
     let index = 0;
-    if ((command === "admin" || command === "storage" || command === "payments") && rest[0] && !rest[0].startsWith("--")) {
+    if ((command === "base" || command === "admin" || command === "storage" || command === "payments") && rest[0] && !rest[0].startsWith("--")) {
         subcommand = rest[0];
         index = 1;
     }
@@ -231,12 +246,43 @@ function requireServiceRoleKey(envValues) {
     return requireEnvValue(envValues, "SUPABASE_SERVICE_ROLE_KEY", ".env.local");
 }
 function mergeEnvFile(filePath, nextValues) {
+    for (const [key, value] of Object.entries(nextValues)) {
+        if (/[\r\n]/.test(value)) {
+            fail("INVALID_ENV_VALUE", `${key} contains a newline and cannot be written safely to ${path.basename(filePath)}.`);
+        }
+    }
     const existing = parseDotEnv(readFileIfExists(filePath));
     const merged = { ...existing, ...nextValues };
     const keys = Object.keys(merged).sort();
     const content = `${keys.map((key) => `${key}=${merged[key]}`).join("\n")}\n`;
     fs.writeFileSync(filePath, content, "utf8");
 }
+function detectSecretLikeEntry(value, keyPath = "setupState") {
+    if (Array.isArray(value)) {
+        for (let index = 0; index < value.length; index += 1) {
+            const nested = detectSecretLikeEntry(value[index], `${keyPath}[${index}]`);
+            if (nested)
+                return nested;
+        }
+        return null;
+    }
+    if (value && typeof value === "object") {
+        for (const [key, nestedValue] of Object.entries(value)) {
+            const nestedPath = `${keyPath}.${key}`;
+            if (SECRET_LIKE_KEY_PATTERN.test(key)) {
+                return nestedPath;
+            }
+            const nested = detectSecretLikeEntry(nestedValue, nestedPath);
+            if (nested)
+                return nested;
+        }
+        return null;
+    }
+    if (typeof value === "string" && SECRET_LIKE_VALUE_PATTERN.test(value)) {
+        return keyPath;
+    }
+    return null;
+}
 function readSetupState() {
     const setupStatePath = path.join(process.cwd(), SETUP_STATE_PATH);
     const content = readFileIfExists(setupStatePath).trim();
@@ -254,11 +300,19 @@ function readSetupState() {
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
         fail("INVALID_SETUP_STATE", `${SETUP_STATE_PATH} must contain a JSON object.`);
     }
+    const secretPath = detectSecretLikeEntry(parsed);
+    if (secretPath) {
+        fail("SECRET_IN_SETUP_STATE", `${SETUP_STATE_PATH} must remain secret-free. Remove secret-like data before reading it through the CLI.`, 1, {
+            keyPath: secretPath,
+        });
+    }
     printJson({ ok: true, setupState: parsed });
 }
-async function managementRequest({ method, projectRef, token, body }) {
-    const endpoint = `${MANAGEMENT_API_BASE}/v1/projects/${projectRef}/config/auth`;
-    const response = await fetch(endpoint, {
+async function managementRequest({ method, projectRef, token, body, endpoint }) {
+    const resolvedEndpoint = endpoint
+        ? `${MANAGEMENT_API_BASE}${endpoint}`
+        : `${MANAGEMENT_API_BASE}/v1/projects/${projectRef}/config/auth`;
+    const response = await fetch(resolvedEndpoint, {
         method,
         headers: {
             Accept: "application/json",
@@ -294,49 +348,6 @@ function readAuthConfigEnvelope(responseJson) {
         return envelope.config.auth;
     return responseJson;
 }
-function normalizeTemplateText(value) {
-    if (!isNonEmptyString(value))
-        return "";
-    return value.replace(/\r\n/g, "\n").trim();
-}
-function buildTemplateDesiredFields(options) {
-    const desired = {};
-    if (options.confirmEmailEnabled) {
-        const confirmHtml = normalizeTemplateText(readFileIfExists(path.resolve(process.cwd(), options.confirmEmailPath || "")));
-        if (!confirmHtml) {
-            fail("MISSING_TEMPLATE_FILE", `Confirm email template content is missing. Check ${options.confirmEmailPath}.`);
-        }
-        desired.mailer_subjects_confirmation = isNonEmptyString(options.confirmEmailSubject)
-            ? options.confirmEmailSubject.trim()
-            : "Confirm your signup";
-        desired.mailer_templates_confirmation_content = confirmHtml;
-    }
-    if (options.resetPasswordEnabled) {
-        const resetHtml = normalizeTemplateText(readFileIfExists(path.resolve(process.cwd(), options.resetPasswordPath || "")));
-        if (!resetHtml) {
-            fail("MISSING_TEMPLATE_FILE", `Reset password template content is missing. Check ${options.resetPasswordPath}.`);
-        }
-        desired.mailer_subjects_recovery = isNonEmptyString(options.resetPasswordSubject)
-            ? options.resetPasswordSubject.trim()
-            : "Reset your password";
-        desired.mailer_templates_recovery_content = resetHtml;
-    }
-    return desired;
-}
-function diffTemplateFields(currentAuthConfig = {}, desiredFields) {
-    const patch = {};
-    const changedKeys = [];
-    for (const [key, desiredValue] of Object.entries(desiredFields)) {
-        const currentValue = currentAuthConfig[key];
-        const normalizedCurrent = typeof currentValue === "string" ? normalizeTemplateText(currentValue) : currentValue;
-        const normalizedDesired = typeof desiredValue === "string" ? normalizeTemplateText(desiredValue) : desiredValue;
-        if (normalizedCurrent !== normalizedDesired) {
-            patch[key] = desiredValue;
-            changedKeys.push(key);
-        }
-    }
-    return { patch, changedKeys, noChanges: changedKeys.length === 0 };
-}
 async function configureSiteRedirects(flags) {
     const { envLocalPath, envBootstrapPath, values } = loadLocalEnv();
     const projectRef = resolveProjectRef(flags, values);
@@ -427,34 +438,318 @@ async function enableGoogleProvider(flags) {
         applied: ["external_google_enabled", "external_google_client_id", "external_google_secret"],
     });
 }
-async function applyAuthTemplates(flags) {
-    const { envBootstrapPath, values } = loadLocalEnv();
-    const projectRef = resolveProjectRef(flags, values);
-    if (!projectRef) {
-        fail("MISSING_PROJECT_REF", "SUPABASE_PROJECT_REF is missing. Add it to .env.bootstrap.local or ensure NEXT_PUBLIC_SUPABASE_URL is present in .env.local.");
+function readObject(value) {
+    return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
+function readIdentifier(value) {
+    if (typeof value === "number" && Number.isFinite(value))
+        return String(value);
+    return isNonEmptyString(value) ? value.trim() : "";
+}
+function normalizeDependencyManagerFlag(flags) {
+    const dependencyManager = readStringFlag(flags, "dependency-manager");
+    if (dependencyManager === "pnpm")
+        return "pnpm";
+    if (dependencyManager === "yarn")
+        return "yarn";
+    return "npm";
+}
+function getSupabaseRunnerCommand(dependencyManager) {
+    if (dependencyManager === "pnpm") {
+        return { command: "pnpm", args: ["exec", "supabase"] };
+    }
+    if (dependencyManager === "yarn") {
+        return { command: "yarn", args: ["supabase"] };
     }
+    return { command: "npx", args: ["supabase"] };
+}
+function runSupabaseCommand(args, dependencyManager) {
+    const runner = getSupabaseRunnerCommand(dependencyManager);
+    const result = spawnSync(runner.command, [...runner.args, ...args], {
+        cwd: process.cwd(),
+        encoding: "utf8",
+    });
+    if (result.status !== 0) {
+        fail("SUPABASE_CLI_ERROR", [result.stderr, result.stdout].find(isNonEmptyString) || `Supabase CLI ${args.join(" ")} failed.`, 1, { exitCode: result.status ?? 1 });
+    }
+}
+async function supabaseManagementApiRequest(params) {
+    const response = await fetch(`${MANAGEMENT_API_BASE}${params.endpoint}`, {
+        method: params.method,
+        headers: {
+            Accept: "application/json",
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${params.token}`,
+        },
+        body: params.body === undefined ? undefined : JSON.stringify(params.body),
+    });
+    let json = null;
+    try {
+        json = await response.json();
+    }
+    catch {
+        json = null;
+    }
+    if (!response.ok) {
+        const message = extractErrorMessage(json) || `Supabase returned ${response.status}`;
+        fail("MANAGEMENT_API_ERROR", message, 1, { status: response.status, endpoint: params.endpoint });
+    }
+    return json;
+}
+function readArrayResponse(value) {
+    if (Array.isArray(value))
+        return value;
+    const record = readObject(value);
+    for (const key of ["organizations", "projects", "api_keys", "apiKeys", "data"]) {
+        if (Array.isArray(record[key]))
+            return record[key];
+    }
+    return [];
+}
+function parseOrganizationRecord(value) {
+    const record = readObject(value);
+    const id = readIdentifier(record.id);
+    const name = readIdentifier(record.name || record.organization_name || record.slug || record.ref);
+    if (!id || !name)
+        return null;
+    return { id, name };
+}
+function parseProjectRecord(value) {
+    const record = readObject(value);
+    const ref = readIdentifier(record.id || record.ref || record.project_ref || record.projectRef);
+    const name = readIdentifier(record.name || record.project_name || record.projectName);
+    if (!ref || !name)
+        return null;
+    return {
+        ref,
+        name,
+        status: readIdentifier(record.status || record.project_status || record.state),
+        region: readIdentifier(record.region || record.region_code || record.aws_region || record.location),
+    };
+}
+function formatOrganizationsForPrompt(orgs) {
+    if (orgs.length === 0)
+        return "No Supabase organizations were found for this account.";
+    return orgs.map((org) => `- ${org.name} (${org.id})`).join("\n");
+}
+function formatProjectsForPrompt(projects) {
+    if (projects.length === 0)
+        return "No existing Supabase projects were found for this account.";
+    return projects.map((project) => {
+        const details = [project.ref, project.region].filter(Boolean).join(" • ");
+        return details ? `- ${project.name} (${details})` : `- ${project.name} (${project.ref})`;
+    }).join("\n");
+}
+async function listSupabaseOrganizations(token) {
+    const json = await supabaseManagementApiRequest({ method: "GET", token, endpoint: "/v1/organizations" });
+    return readArrayResponse(json)
+        .map(parseOrganizationRecord)
+        .filter((entry) => Boolean(entry));
+}
+async function createSupabaseOrganization(token, name) {
+    const json = await supabaseManagementApiRequest({
+        method: "POST",
+        token,
+        endpoint: "/v1/organizations",
+        body: { name },
+    });
+    const direct = parseOrganizationRecord(json);
+    if (direct)
+        return direct;
+    const nested = parseOrganizationRecord(readObject(json).organization || readObject(json).data);
+    if (nested)
+        return nested;
+    fail("INVALID_MANAGEMENT_RESPONSE", "Supabase organization creation did not return an organization identifier.");
+}
+async function listSupabaseProjects(token) {
+    const json = await supabaseManagementApiRequest({ method: "GET", token, endpoint: "/v1/projects" });
+    return readArrayResponse(json)
+        .map(parseProjectRecord)
+        .filter((entry) => Boolean(entry));
+}
+function generateDbPassword() {
+    return randomBytes(24).toString("base64url");
+}
+async function createSupabaseProject(token, params) {
+    const json = await supabaseManagementApiRequest({
+        method: "POST",
+        token,
+        endpoint: "/v1/projects",
+        body: {
+            organization_id: params.organizationId,
+            name: params.projectName,
+            region: params.region,
+            db_pass: params.dbPassword,
+        },
+    });
+    const direct = parseProjectRecord(json);
+    if (direct)
+        return direct;
+    const nested = parseProjectRecord(readObject(json).project || readObject(json).data);
+    if (nested)
+        return nested;
+    fail("INVALID_MANAGEMENT_RESPONSE", "Supabase project creation did not return a project ref.");
+}
+async function waitForSupabaseProjectReady(token, projectRef) {
+    const readyStatuses = new Set(["ACTIVE_HEALTHY", "ACTIVE", "HEALTHY", "READY"]);
+    const pendingStatuses = new Set(["INACTIVE", "CREATING", "COMING_UP", "INIT", "UNKNOWN"]);
+    for (let attempt = 0; attempt < 36; attempt += 1) {
+        const json = await supabaseManagementApiRequest({ method: "GET", token, endpoint: `/v1/projects/${projectRef}` });
+        const project = parseProjectRecord(json) || parseProjectRecord(readObject(json).project || readObject(json).data);
+        const status = readIdentifier(project?.status || readObject(json).status || readObject(json).project_status).toUpperCase();
+        if (!status || readyStatuses.has(status))
+            return;
+        if (!pendingStatuses.has(status))
+            return;
+        await new Promise((resolve) => setTimeout(resolve, 5000));
+    }
+    fail("PROJECT_NOT_READY", `Supabase project ${projectRef} did not become ready in time.`);
+}
+async function fetchSupabaseProjectKeys(token, projectRef) {
+    const json = await supabaseManagementApiRequest({
+        method: "GET",
+        token,
+        endpoint: `/v1/projects/${projectRef}/api-keys?reveal=true`,
+    });
+    const records = readArrayResponse(json).map(readObject);
+    const values = records
+        .map((record) => [record.api_key, record.apiKey, record.key, record.value].find(isNonEmptyString))
+        .filter((value) => isNonEmptyString(value));
+    const publishableKey = values.find((value) => value.startsWith("sb_publishable_")) || "";
+    const serviceRoleKey = values.find((value) => value.startsWith("sb_secret_")) || "";
+    if (!publishableKey || !serviceRoleKey) {
+        fail("MISSING_PROJECT_KEYS", `Supabase did not return publishable and secret API keys for project ${projectRef}.`);
+    }
+    return {
+        projectUrl: `https://${projectRef}.supabase.co`,
+        publishableKey,
+        serviceRoleKey,
+    };
+}
+function writeSupabaseProjectEnv(envLocalPath, envBootstrapPath, values) {
+    mergeEnvFile(envLocalPath, {
+        NEXT_PUBLIC_SUPABASE_URL: values.projectUrl,
+        SUPABASE_URL: values.projectUrl,
+        NEXT_PUBLIC_SUPABASE_ANON_KEY: values.publishableKey,
+        SUPABASE_SERVICE_ROLE_KEY: values.serviceRoleKey,
+    });
+    const bootstrapValues = {
+        SUPABASE_PROJECT_REF: values.projectRef,
+    };
+    if (isNonEmptyString(values.dbPassword)) {
+        bootstrapValues.SUPABASE_DB_PASSWORD = values.dbPassword;
+    }
+    mergeEnvFile(envBootstrapPath, bootstrapValues);
+    return {
+        envKeysWritten: [
+            "NEXT_PUBLIC_SUPABASE_URL",
+            "SUPABASE_URL",
+            "NEXT_PUBLIC_SUPABASE_ANON_KEY",
+            "SUPABASE_SERVICE_ROLE_KEY",
+        ],
+        bootstrapKeysWritten: Object.keys(bootstrapValues),
+    };
+}
+async function checkBaseSupabaseAccessToken() {
+    const { envBootstrapPath, values } = loadLocalEnv();
     const accessToken = requireAuthAccessToken(values, path.basename(envBootstrapPath));
-    const desiredFields = buildTemplateDesiredFields({
-        confirmEmailEnabled: readStringFlag(flags, "confirm-email-enabled") === "true",
-        confirmEmailSubject: readStringFlag(flags, "confirm-email-subject"),
-        confirmEmailPath: readStringFlag(flags, "confirm-email-path"),
-        resetPasswordEnabled: readStringFlag(flags, "reset-password-enabled") === "true",
-        resetPasswordSubject: readStringFlag(flags, "reset-password-subject"),
-        resetPasswordPath: readStringFlag(flags, "reset-password-path"),
+    const [organizations, projects] = await Promise.all([
+        listSupabaseOrganizations(accessToken),
+        listSupabaseProjects(accessToken),
+    ]);
+    printJson({
+        ok: true,
+        command: "base check-supabase-access-token",
+        hasExistingProjects: projects.length > 0,
+        projectCount: projects.length,
+        projectList: formatProjectsForPrompt(projects),
+        projects: projects.map((project) => ({ ref: project.ref, name: project.name, region: project.region })),
+        hasOrganizations: organizations.length > 0,
+        organizationCount: organizations.length,
+        organizationList: formatOrganizationsForPrompt(organizations),
+        organizations: organizations,
     });
-    const current = await managementRequest({ method: "GET", projectRef, token: accessToken });
-    const currentAuthConfig = readAuthConfigEnvelope(current);
-    const diff = diffTemplateFields(currentAuthConfig, desiredFields);
-    if (!diff.noChanges) {
-        await managementRequest({ method: "PATCH", projectRef, token: accessToken, body: diff.patch });
+}
+async function createBaseSupabaseProject(flags) {
+    const { envLocalPath, envBootstrapPath, values } = loadLocalEnv();
+    const accessToken = requireAuthAccessToken(values, path.basename(envBootstrapPath));
+    const dependencyManager = normalizeDependencyManagerFlag(flags);
+    const selection = readStringFlag(flags, "organization-selection");
+    if (!selection) {
+        fail("MISSING_ORGANIZATION_SELECTION", "--organization-selection is required.");
+    }
+    const projectName = readStringFlag(flags, "project-name");
+    if (!projectName) {
+        fail("MISSING_PROJECT_NAME", "--project-name is required.");
+    }
+    const region = readStringFlag(flags, "region");
+    if (!region) {
+        fail("MISSING_PROJECT_REGION", "--region is required.");
+    }
+    let organizationId = selection;
+    let createdOrganization = false;
+    if (selection === "create") {
+        const organizationName = readStringFlag(flags, "organization-name");
+        if (!organizationName) {
+            fail("MISSING_ORGANIZATION_NAME", "--organization-name is required when --organization-selection create is used.");
+        }
+        const organization = await createSupabaseOrganization(accessToken, organizationName);
+        organizationId = organization.id;
+        createdOrganization = true;
+    }
+    const existingDbPassword = readIdentifier(values.SUPABASE_DB_PASSWORD);
+    const dbPassword = existingDbPassword || generateDbPassword();
+    const project = await createSupabaseProject(accessToken, {
+        organizationId,
+        projectName,
+        region,
+        dbPassword,
+    });
+    await waitForSupabaseProjectReady(accessToken, project.ref);
+    runSupabaseCommand(["link", "--project-ref", project.ref], dependencyManager);
+    const keys = await fetchSupabaseProjectKeys(accessToken, project.ref);
+    const writes = writeSupabaseProjectEnv(envLocalPath, envBootstrapPath, {
+        projectRef: project.ref,
+        projectUrl: keys.projectUrl,
+        publishableKey: keys.publishableKey,
+        serviceRoleKey: keys.serviceRoleKey,
+        dbPassword,
+    });
+    printJson({
+        ok: true,
+        command: "base create-supabase-project",
+        projectRef: project.ref,
+        projectUrl: keys.projectUrl,
+        envKeysWritten: writes.envKeysWritten,
+        bootstrapKeysWritten: writes.bootstrapKeysWritten,
+        dbPasswordGenerated: true,
+        dbPasswordReused: Boolean(existingDbPassword),
+        createdOrganization,
+    });
+}
+async function linkBaseSupabaseProject(flags) {
+    const { envLocalPath, envBootstrapPath, values } = loadLocalEnv();
+    const accessToken = requireAuthAccessToken(values, path.basename(envBootstrapPath));
+    const dependencyManager = normalizeDependencyManagerFlag(flags);
+    const projectRef = readStringFlag(flags, "project-ref");
+    if (!projectRef) {
+        fail("MISSING_PROJECT_REF", "--project-ref is required.");
     }
+    runSupabaseCommand(["link", "--project-ref", projectRef], dependencyManager);
+    const keys = await fetchSupabaseProjectKeys(accessToken, projectRef);
+    const writes = writeSupabaseProjectEnv(envLocalPath, envBootstrapPath, {
+        projectRef,
+        projectUrl: keys.projectUrl,
+        publishableKey: keys.publishableKey,
+        serviceRoleKey: keys.serviceRoleKey,
+    });
     printJson({
         ok: true,
-        command: "apply-auth-templates",
+        command: "base link-supabase-project",
         projectRef,
-        changedKeys: diff.changedKeys,
-        appliedKeys: diff.changedKeys,
-        noChanges: diff.noChanges,
+        projectUrl: keys.projectUrl,
+        envKeysWritten: writes.envKeysWritten,
+        bootstrapKeysWritten: writes.bootstrapKeysWritten,
     });
 }
 async function supabaseAdminRequest(params) {
@@ -662,6 +957,24 @@ function getDependencyInstallCommand(dependencyManager, packageName) {
         return `yarn add -D ${packageName}`;
     return `npm install --save-dev ${packageName}`;
 }
+function buildChildProcessEnv(overrides = {}) {
+    const env = {};
+    for (const key of CHILD_PROCESS_ENV_KEYS) {
+        const value = process.env[key];
+        if (isNonEmptyString(value)) {
+            env[key] = value;
+        }
+    }
+    for (const [key, value] of Object.entries(process.env)) {
+        if ((key.startsWith("FAKE_") || key.startsWith("MOCK_")) && isNonEmptyString(value)) {
+            env[key] = value;
+        }
+    }
+    return {
+        ...env,
+        ...overrides,
+    };
+}
 function runShellCommand(command, cwd) {
     const result = spawnSync(process.env.SHELL || "/bin/zsh", ["-lc", command], {
         cwd,
@@ -676,6 +989,20 @@ function runShellCommand(command, cwd) {
     }
     return typeof result.stdout === "string" ? result.stdout.trim() : "";
 }
+function runDirectCommand(executable, args, cwd, options) {
+    const result = spawnSync(executable, args, {
+        cwd,
+        env: options.env,
+        encoding: "utf8",
+    });
+    if (result.status !== 0) {
+        const message = [result.stderr, result.stdout]
+            .map((value) => (typeof value === "string" ? value.trim() : ""))
+            .find(Boolean) || options.fallbackMessage;
+        fail(options.failureCode, message);
+    }
+    return typeof result.stdout === "string" ? result.stdout.trim() : "";
+}
 function runLinkedSupabaseCommand(command, cwd, failureCode, fallbackMessage) {
     const result = spawnSync(process.env.SHELL || "/bin/zsh", ["-lc", command], {
         cwd,
@@ -1125,11 +1452,17 @@ function ensureStripeLocalScripts(cwd, dependencyManager, localhostUrl) {
         scripts,
     };
 }
-function waitForStripeListenSecret(command, cwd) {
+function waitForStripeListenSecret(secretKey, localhostUrl, cwd) {
     return new Promise((resolve, reject) => {
-        const child = spawn(process.env.SHELL || "/bin/zsh", ["-lc", command], {
+        const child = spawn("stripe", [
+            "listen",
+            "--events",
+            STRIPE_EVENTS.join(","),
+            "--forward-to",
+            `${localhostUrl}/api/webhooks/stripe`,
+        ], {
             cwd,
-            env: process.env,
+            env: buildChildProcessEnv({ STRIPE_API_KEY: secretKey }),
             stdio: ["ignore", "pipe", "pipe"],
             detached: true,
         });
@@ -1307,12 +1640,27 @@ function checkStripeCli() {
 }
 function loginStripeCli(flags) {
     const { values } = loadLocalEnv();
-    ensureStripeCliInstalled(process.cwd());
+    const cwd = process.cwd();
+    ensureStripeCliInstalled(cwd);
     const authMode = readStringFlag(flags, "auth-mode") === "api_key" ? "api_key" : "tty";
-    const command = authMode === "api_key"
-        ? `stripe login --api-key ${shellQuote(requireEnvValue(values, "STRIPE_SECRET_KEY", ".env.local"))}`
-        : "stripe login";
-    runShellCommand(command, process.cwd());
+    if (authMode === "api_key") {
+        const secretKey = requireEnvValue(values, "STRIPE_SECRET_KEY", ".env.local");
+        if (!isStripeSecretKey(secretKey)) {
+            fail("INVALID_PAYMENTS_ENV", "STRIPE_SECRET_KEY is missing or malformed in .env.local.");
+        }
+        runDirectCommand("stripe", ["get", "/v1/account"], cwd, {
+            env: buildChildProcessEnv({ STRIPE_API_KEY: secretKey }),
+            failureCode: "LOCAL_COMMAND_FAILED",
+            fallbackMessage: "Stripe CLI could not authenticate using STRIPE_SECRET_KEY.",
+        });
+    }
+    else {
+        runDirectCommand("stripe", ["login"], cwd, {
+            env: buildChildProcessEnv(),
+            failureCode: "LOCAL_COMMAND_FAILED",
+            fallbackMessage: "Stripe CLI login failed.",
+        });
+    }
     printJson({
         ok: true,
         command: "payments login-stripe-cli",
@@ -1432,10 +1780,9 @@ async function setupStripeLocalhost(flags) {
     }
     ensureStripeCliInstalled(cwd);
     const scriptResult = ensureStripeLocalScripts(cwd, dependencyManager, localhostUrl);
-    const listenCommand = `stripe listen --api-key ${shellQuote(secretKey.trim())} --events ${STRIPE_EVENTS.join(",")} --forward-to ${localhostUrl}/api/webhooks/stripe`;
     let signingSecret = "";
     try {
-        signingSecret = await waitForStripeListenSecret(listenCommand, cwd);
+        signingSecret = await waitForStripeListenSecret(secretKey.trim(), localhostUrl, cwd);
     }
     catch (error) {
         fail("STRIPE_LOCALHOST_SETUP_FAILED", error instanceof Error ? error.message : "Failed to capture Stripe localhost webhook signing secret.");
@@ -1602,6 +1949,9 @@ async function main() {
             ok: true,
             commands: [
                 "read-setup-state",
+                "base check-supabase-access-token",
+                "base create-supabase-project",
+                "base link-supabase-project",
                 "admin ensure-admin",
                 "storage check-supabase-context",
                 "storage setup-supabase",
@@ -1619,7 +1969,6 @@ async function main() {
                 "configure-site-redirects",
                 "configure-email-password",
                 "enable-google-provider",
-                "apply-auth-templates",
             ],
         });
         return;
@@ -1632,6 +1981,12 @@ async function main() {
     }
     if (command === "read-setup-state")
         return readSetupState();
+    if (command === "base" && subcommand === "check-supabase-access-token")
+        return checkBaseSupabaseAccessToken();
+    if (command === "base" && subcommand === "create-supabase-project")
+        return createBaseSupabaseProject(flags);
+    if (command === "base" && subcommand === "link-supabase-project")
+        return linkBaseSupabaseProject(flags);
     if (command === "admin" && subcommand === "ensure-admin")
         return ensureAdmin(flags);
     if (command === "storage" && subcommand === "check-supabase-context")
@@ -1666,8 +2021,6 @@ async function main() {
         return configureEmailPassword(flags);
     if (command === "enable-google-provider")
         return enableGoogleProvider(flags);
-    if (command === "apply-auth-templates")
-        return applyAuthTemplates(flags);
     fail("UNKNOWN_COMMAND", `Unknown command: ${command}`);
 }
 main().catch((error) => {

package/dist/storageS3.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import * as crypto from "node:crypto";
-import { S3Client, HeadBucketCommand, CreateBucketCommand, PutPublicAccessBlockCommand, PutBucketEncryptionCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketCorsCommand, GetBucketLocationCommand, GetPublicAccessBlockCommand, GetBucketEncryptionCommand, GetBucketOwnershipControlsCommand, GetBucketPolicyCommand, GetBucketCorsCommand, } from "@aws-sdk/client-s3";
+import { S3Client, HeadBucketCommand, CreateBucketCommand, PutPublicAccessBlockCommand, PutBucketEncryptionCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketCorsCommand, DeleteBucketCorsCommand, GetBucketLocationCommand, GetPublicAccessBlockCommand, GetBucketEncryptionCommand, GetBucketOwnershipControlsCommand, GetBucketPolicyCommand, GetBucketCorsCommand, } from "@aws-sdk/client-s3";
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
 const SETUP_CONFIG_PATH = path.join(".vibecodemax", "setup-config.json");
 const DEFAULT_BUCKETS = {
@@ -98,6 +98,11 @@ function readStringFlag(flags, key) {
     return typeof value === "string" ? value.trim() : "";
 }
 function mergeEnvFile(filePath, nextValues) {
+    for (const [key, value] of Object.entries(nextValues)) {
+        if (/[\r\n]/.test(value)) {
+            fail("INVALID_ENV_VALUE", `${key} contains a newline and cannot be written safely to ${path.basename(filePath)}.`);
+        }
+    }
     const existing = parseDotEnv(readFileIfExists(filePath));
     const merged = { ...existing, ...nextValues };
     const keys = Object.keys(merged).sort();
@@ -287,6 +292,11 @@ function isRegionMismatchError(error) {
     const status = getAwsStatus(error);
     return status === 301 || code === "PermanentRedirect" || code === "AuthorizationHeaderMalformed" || code === "IncorrectEndpoint" || code === "IllegalLocationConstraintException";
 }
+function isMissingCorsConfiguration(error) {
+    const code = getAwsCode(error);
+    const status = getAwsStatus(error);
+    return code === "NoSuchCORSConfiguration" || status === 404;
+}
 async function ensureSingleBucket(s3Client, bucket, region) {
     let created = false;
     try {
@@ -366,16 +376,23 @@ async function applyBucketSafety(region, credentials, buckets) {
 }
 async function applyBucketCors(region, credentials, buckets) {
     const { s3Client } = createAwsClients(region, credentials);
-    for (const bucket of [buckets.public, buckets.private]) {
-        try {
-            await s3Client.send(new PutBucketCorsCommand({
-                Bucket: bucket,
-                CORSConfiguration: BUCKET_CORS_CONFIGURATION,
-            }));
-        }
-        catch (error) {
-            const message = error instanceof Error ? error.message : `Failed to apply CORS to ${bucket}.`;
-            fail("AWS_POLICY_APPLY_FAILED", message, 1, { bucket, awsCode: getAwsCode(error), awsStatus: getAwsStatus(error) });
+    try {
+        await s3Client.send(new PutBucketCorsCommand({
+            Bucket: buckets.public,
+            CORSConfiguration: BUCKET_CORS_CONFIGURATION,
+        }));
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : `Failed to apply CORS to ${buckets.public}.`;
+        fail("AWS_POLICY_APPLY_FAILED", message, 1, { bucket: buckets.public, awsCode: getAwsCode(error), awsStatus: getAwsStatus(error) });
+    }
+    try {
+        await s3Client.send(new DeleteBucketCorsCommand({ Bucket: buckets.private }));
+    }
+    catch (error) {
+        if (!isMissingCorsConfiguration(error)) {
+            const message = error instanceof Error ? error.message : `Failed to remove CORS from ${buckets.private}.`;
+            fail("AWS_POLICY_APPLY_FAILED", message, 1, { bucket: buckets.private, awsCode: getAwsCode(error), awsStatus: getAwsStatus(error) });
         }
     }
 }
@@ -438,7 +455,16 @@ async function getBucketEvidence(s3Client, bucket, regionHint) {
     const encryptionResponse = await s3Client.send(new GetBucketEncryptionCommand({ Bucket: bucket }));
     const ownershipResponse = await s3Client.send(new GetBucketOwnershipControlsCommand({ Bucket: bucket }));
     const policyResponse = await s3Client.send(new GetBucketPolicyCommand({ Bucket: bucket }));
-    const corsResponse = await s3Client.send(new GetBucketCorsCommand({ Bucket: bucket }));
+    let corsRules = [];
+    try {
+        const corsResponse = await s3Client.send(new GetBucketCorsCommand({ Bucket: bucket }));
+        corsRules = corsResponse.CORSRules || [];
+    }
+    catch (error) {
+        if (!isMissingCorsConfiguration(error)) {
+            throw error;
+        }
+    }
     const policyText = typeof policyResponse.Policy === "string" ? policyResponse.Policy : "";
     return {
         bucketRegion,
@@ -447,7 +473,7 @@ async function getBucketEvidence(s3Client, bucket, regionHint) {
         ownershipControls: ownershipResponse.OwnershipControls?.Rules?.[0]?.ObjectOwnership || null,
         policyApplied: Boolean(policyText),
         hasPublicReadPolicy: policyText.includes("\"Action\":\"s3:GetObject\"") || policyText.includes("\"Action\":[\"s3:GetObject\"]"),
-        corsRules: corsResponse.CORSRules || [],
+        corsRules,
     };
 }
 async function verifyTwoBuckets(region, credentials, buckets) {
@@ -473,7 +499,7 @@ async function verifyTwoBuckets(region, credentials, buckets) {
         Boolean(privateEvidence.publicAccessBlock?.RestrictPublicBuckets) &&
         privateEvidence.policyApplied === true &&
         privateEvidence.hasPublicReadPolicy === false &&
-        Array.isArray(privateEvidence.corsRules) && privateEvidence.corsRules.length > 0;
+        Array.isArray(privateEvidence.corsRules) && privateEvidence.corsRules.length === 0;
     if (!publicOk || !privateOk) {
         fail("AWS_VERIFY_FAILED", "AWS S3 bucket configuration verification failed.", 1, {
             publicBucket: buckets.public,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vibecodemax/cli",
-  "version": "0.1.10",
+  "version": "0.1.11",
   "description": "VibeCodeMax CLI — local provider setup for bootstrap and project configuration",
   "type": "module",
   "bin": {