@vibecodemax/cli 0.1.6 → 0.1.8

package/dist/cli.js

@@ -2,14 +2,15 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import { spawnSync } from "node:child_process";
-import { checkS3Context, setupS3Storage, smokeTestS3 } from "./storageS3.js";
+import { randomBytes } from "node:crypto";
+import { checkS3Context, setupS3Storage } from "./storageS3.js";
 const SETUP_STATE_PATH = path.join(".vibecodemax", "setup-state.json");
+const SETUP_CONFIG_PATH = path.join(".vibecodemax", "setup-config.json");
 const MANAGEMENT_API_BASE = "https://api.supabase.com";
 const DEFAULT_LOCALHOST_URL = "http://localhost:3000";
 const STORAGE_PUBLIC_BUCKET = "public-assets";
 const STORAGE_PRIVATE_BUCKET = "private-uploads";
 const STORAGE_REQUIRED_FILE_SIZE_LIMIT = 10 * 1024 * 1024;
-const STORAGE_HEALTHCHECK_PREFIX = "_vibecodemax/healthcheck/default";
 const STORAGE_MIME_TYPES_BY_CATEGORY = {
     images: ["image/jpeg", "image/png", "image/webp", "image/gif"],
     documents: [
@@ -23,15 +24,25 @@ const STORAGE_MIME_TYPES_BY_CATEGORY = {
     video: ["video/mp4", "video/webm", "video/quicktime"],
 };
 const STORAGE_DEFAULT_MIME_CATEGORIES = ["images"];
-const STORAGE_REQUIRED_POLICY_NAMES = [
-    "public_assets_select_own",
-    "public_assets_insert_own",
-    "public_assets_update_own",
-    "public_assets_delete_own",
-    "private_uploads_select_own",
-    "private_uploads_insert_own",
-    "private_uploads_update_own",
-    "private_uploads_delete_own",
+const STRIPE_EVENTS = [
+    "checkout.session.completed",
+    "customer.subscription.created",
+    "customer.subscription.updated",
+    "customer.subscription.deleted",
+    "invoice.payment_succeeded",
+    "invoice.payment_failed",
+];
+const LEMON_EVENTS = [
+    "order_created",
+    "subscription_created",
+    "subscription_updated",
+    "subscription_cancelled",
+    "subscription_resumed",
+    "subscription_expired",
+    "subscription_paused",
+    "subscription_unpaused",
+    "subscription_payment_failed",
+    "subscription_payment_success",
 ];
 function printJson(value) {
     process.stdout.write(`${JSON.stringify(value)}\n`);
@@ -58,7 +69,7 @@ function parseArgs(argv) {
     let subcommand;
     const flags = {};
     let index = 0;
-    if ((command === "admin" || command === "storage") && rest[0] && !rest[0].startsWith("--")) {
+    if ((command === "admin" || command === "storage" || command === "payments") && rest[0] && !rest[0].startsWith("--")) {
         subcommand = rest[0];
         index = 1;
     }
@@ -114,6 +125,18 @@ function loadLocalEnv(cwd = process.cwd()) {
         },
     };
 }
+function readSetupConfig(cwd = process.cwd()) {
+    const raw = readFileIfExists(path.join(cwd, SETUP_CONFIG_PATH)).trim();
+    if (!raw)
+        return {};
+    try {
+        const parsed = JSON.parse(raw);
+        return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
+    }
+    catch {
+        return {};
+    }
+}
 function isNonEmptyString(value) {
     return typeof value === "string" && value.trim().length > 0;
 }
@@ -656,6 +679,44 @@ function runLinkedSupabaseCommand(command, cwd, failureCode, fallbackMessage) {
     }
     return typeof result.stdout === "string" ? result.stdout.trim() : "";
 }
+function isMigrationOrderingConflict(message) {
+    return /Found local migration files to be inserted before the last migration on remote database\./i.test(message);
+}
+function runStorageMigrationPush(commandBase, cwd) {
+    const firstResult = spawnSync(process.env.SHELL || "/bin/zsh", ["-lc", commandBase], {
+        cwd,
+        env: process.env,
+        encoding: "utf8",
+    });
+    if (firstResult.status === 0) {
+        return {
+            stdout: typeof firstResult.stdout === "string" ? firstResult.stdout.trim() : "",
+            includeAll: false,
+        };
+    }
+    const firstMessage = [firstResult.stderr, firstResult.stdout]
+        .map((value) => (typeof value === "string" ? value.trim() : ""))
+        .find(Boolean) || "Failed to apply storage migrations to the linked Supabase project.";
+    if (!isMigrationOrderingConflict(firstMessage)) {
+        fail("STORAGE_POLICY_MIGRATION_APPLY_FAILED", firstMessage);
+    }
+    const retryCommand = `${commandBase} --include-all`;
+    const retryResult = spawnSync(process.env.SHELL || "/bin/zsh", ["-lc", retryCommand], {
+        cwd,
+        env: process.env,
+        encoding: "utf8",
+    });
+    if (retryResult.status !== 0) {
+        const retryMessage = [retryResult.stderr, retryResult.stdout]
+            .map((value) => (typeof value === "string" ? value.trim() : ""))
+            .find(Boolean) || "Failed to apply storage migrations to the linked Supabase project.";
+        fail("STORAGE_POLICY_MIGRATION_APPLY_FAILED", retryMessage);
+    }
+    return {
+        stdout: typeof retryResult.stdout === "string" ? retryResult.stdout.trim() : "",
+        includeAll: true,
+    };
+}
 function normalizeStorageMimeCategories(rawValue) {
     const requested = rawValue
         .split(",")
@@ -664,11 +725,18 @@ function normalizeStorageMimeCategories(rawValue) {
     const selected = requested.filter((value) => Object.prototype.hasOwnProperty.call(STORAGE_MIME_TYPES_BY_CATEGORY, value));
     return selected.length > 0 ? [...new Set(selected)] : [...STORAGE_DEFAULT_MIME_CATEGORIES];
 }
-function resolveStorageMimeCategories(flags) {
-    const raw = readStringFlag(flags, "mime-categories");
-    if (!raw)
+function resolveStorageMimeCategories(cwd) {
+    const setupConfig = readSetupConfig(cwd);
+    const storageConfig = setupConfig.storage && typeof setupConfig.storage === "object"
+        ? setupConfig.storage
+        : {};
+    const rawCategories = Array.isArray(storageConfig.mimeCategories)
+        ? storageConfig.mimeCategories.filter((value) => isNonEmptyString(value))
+        : [];
+    if (rawCategories.length === 0) {
         return [...STORAGE_DEFAULT_MIME_CATEGORIES];
-    return normalizeStorageMimeCategories(raw);
+    }
+    return normalizeStorageMimeCategories(rawCategories.join(","));
 }
 function expandStorageMimeCategories(categories) {
     const mimeTypes = [];
@@ -694,28 +762,47 @@ function parseStorageMigrationFilename(filename) {
     return null;
 }
 function discoverStorageMigrationFiles(cwd) {
-    const migrationsRoot = path.join(cwd, "supabase", "migrations");
-    if (!fs.existsSync(migrationsRoot)) {
+    const storageMigrationsRoot = path.join(cwd, "supabase", "storage-migrations");
+    const activeMigrationsRoot = path.join(cwd, "supabase", "migrations");
+    if (!fs.existsSync(activeMigrationsRoot)) {
         fail("MISSING_STORAGE_MIGRATIONS", "supabase/migrations is missing. Run bootstrap.base first so the local Supabase project is initialized.");
     }
-    const selected = fs.readdirSync(migrationsRoot)
+    if (!fs.existsSync(storageMigrationsRoot)) {
+        fail("MISSING_STORAGE_MIGRATIONS", "supabase/storage-migrations is missing. Regenerate the project so storage-owned migrations are available locally.");
+    }
+    const policyFiles = fs.readdirSync(storageMigrationsRoot)
         .map((filename) => parseStorageMigrationFilename(filename))
-        .filter((entry) => entry !== null && entry.scope.startsWith("storage_"))
+        .filter((entry) => entry !== null && /(^|_)storage_policies$/.test(entry.scope))
         .sort((a, b) => a.filename.localeCompare(b.filename));
-    if (selected.length === 0) {
-        fail("MISSING_STORAGE_MIGRATIONS", "No storage migration files were found. Add a migration matching YYYYMMDDHHMMSS_storage_*.sql in supabase/migrations.");
-    }
-    const policyFiles = selected
-        .filter((entry) => /(^|_)storage_policies\.sql$/.test(entry.filename))
-        .map((entry) => entry.filename);
     if (policyFiles.length === 0) {
-        fail("MISSING_STORAGE_POLICY_MIGRATION", "No storage policy migration file was found. Add a migration ending in storage_policies.sql in supabase/migrations.");
+        fail("MISSING_STORAGE_POLICY_MIGRATION", "No storage policy migration file was found in supabase/storage-migrations. This directory is for storage policy SQL only. Buckets are created by storage bootstrap through the Supabase Storage API. Regenerate the project or add a file ending in _storage_policies.sql.");
     }
     return {
-        files: selected.map((entry) => entry.filename),
-        policyFiles,
+        files: policyFiles.map((entry) => entry.filename),
+        policyFiles: policyFiles.map((entry) => entry.filename),
     };
 }
+function materializeStorageMigrationFiles(cwd, files) {
+    const storageMigrationsRoot = path.join(cwd, "supabase", "storage-migrations");
+    const activeMigrationsRoot = path.join(cwd, "supabase", "migrations");
+    const preparedFiles = [];
+    for (const filename of files) {
+        const sourcePath = path.join(storageMigrationsRoot, filename);
+        const targetPath = path.join(activeMigrationsRoot, filename);
+        const sourceSql = fs.readFileSync(sourcePath, "utf8");
+        if (fs.existsSync(targetPath)) {
+            const existingSql = fs.readFileSync(targetPath, "utf8");
+            if (existingSql !== sourceSql) {
+                fail("STORAGE_MIGRATION_CONFLICT", `Active migration ${filename} does not match supabase/storage-migrations/${filename}.`);
+            }
+        }
+        else {
+            fs.copyFileSync(sourcePath, targetPath);
+        }
+        preparedFiles.push(filename);
+    }
+    return preparedFiles;
+}
 async function storageRequest(params) {
     const response = await fetch(`${params.supabaseUrl}${params.endpoint}`, {
         method: params.method,
@@ -842,9 +929,6 @@ async function ensureStorageBucket(supabaseUrl, serviceRoleKey, bucketId, isPubl
         verified: true,
     };
 }
-function buildStorageHealthcheckObjectPath(runId) {
-    return `${STORAGE_HEALTHCHECK_PREFIX}/${runId}/upload.txt`;
-}
 async function checkSupabaseContext() {
     const { values, envLocalPath } = loadLocalEnv();
     const missingKeys = [];
@@ -880,10 +964,11 @@ async function setupSupabaseStorage(flags) {
     const serviceRoleKey = requireServiceRoleKey(values);
     const dependencyManager = detectDependencyManager(cwd, flags);
     const supabaseRunner = getSupabaseRunner(dependencyManager);
-    const mimeCategories = resolveStorageMimeCategories(flags);
+    const mimeCategories = resolveStorageMimeCategories(cwd);
     const allowedMimeTypes = expandStorageMimeCategories(mimeCategories);
     const migrations = discoverStorageMigrationFiles(cwd);
-    runLinkedSupabaseCommand(`${supabaseRunner} db push --linked`, cwd, "STORAGE_POLICY_MIGRATION_APPLY_FAILED", "Failed to apply storage migrations to the linked Supabase project.");
+    const preparedMigrationFiles = materializeStorageMigrationFiles(cwd, migrations.files);
+    const migrationPush = runStorageMigrationPush(`${supabaseRunner} db push --linked`, cwd);
     const publicBucket = await ensureStorageBucket(supabaseUrl, serviceRoleKey, STORAGE_PUBLIC_BUCKET, true, allowedMimeTypes);
     const privateBucket = await ensureStorageBucket(supabaseUrl, serviceRoleKey, STORAGE_PRIVATE_BUCKET, false, allowedMimeTypes);
     mergeEnvFile(envLocalPath, {
@@ -902,55 +987,393 @@ async function setupSupabaseStorage(flags) {
         fileSizeLimit: STORAGE_REQUIRED_FILE_SIZE_LIMIT,
         migrationFiles: migrations.files,
         policyFiles: migrations.policyFiles,
+        preparedMigrationFiles,
         policyMigrationsDiscovered: true,
         policyMigrationsApplied: true,
-        policiesVerified: true,
-        policyVerificationMethod: "linked_db_push",
+        migrationPushIncludeAll: migrationPush.includeAll,
         envWritten: ["SUPABASE_PUBLIC_BUCKET", "SUPABASE_PRIVATE_BUCKET"],
     });
 }
-async function smokeTestSupabase() {
+function normalizePaymentsMode(value) {
+    return value === "production" ? "production" : "test";
+}
+function isStripePublishableKey(value) {
+    return isNonEmptyString(value) && /^pk_(test|live)_[A-Za-z0-9_]+$/.test(value.trim());
+}
+function isStripeSecretKey(value) {
+    return isNonEmptyString(value) && /^sk_(test|live)_[A-Za-z0-9_]+$/.test(value.trim());
+}
+function isStripeWebhookSecret(value) {
+    return isNonEmptyString(value) && /^whsec_[A-Za-z0-9]+$/.test(value.trim());
+}
+function isNumericStoreId(value) {
+    return isNonEmptyString(value) && /^\d+$/.test(value.trim());
+}
+function requireWebhookUrl(value, expectedPath, provider) {
+    const trimmed = value.trim();
+    if (!trimmed) {
+        fail("INVALID_WEBHOOK_URL", `${provider} webhook URL is required.`);
+    }
+    try {
+        const parsed = new URL(trimmed);
+        if (parsed.protocol !== "https:" || parsed.pathname !== expectedPath) {
+            fail("INVALID_WEBHOOK_URL", `${provider} webhook URL must be an https URL ending in ${expectedPath}.`);
+        }
+    }
+    catch {
+        fail("INVALID_WEBHOOK_URL", `${provider} webhook URL must be a valid https URL ending in ${expectedPath}.`);
+    }
+    return trimmed;
+}
+function formEncode(value, prefix = "") {
+    const entries = [];
+    if (Array.isArray(value)) {
+        value.forEach((item, index) => {
+            entries.push(...formEncode(item, `${prefix}[${index}]`));
+        });
+        return entries;
+    }
+    if (value && typeof value === "object") {
+        for (const [key, nested] of Object.entries(value)) {
+            entries.push(...formEncode(nested, prefix ? `${prefix}[${key}]` : key));
+        }
+        return entries;
+    }
+    if (value === null || value === undefined)
+        return entries;
+    entries.push([prefix, String(value)]);
+    return entries;
+}
+async function stripeRequest(params) {
+    const url = new URL(`https://api.stripe.com${params.path}`);
+    if (params.query) {
+        for (const [key, value] of formEncode(params.query)) {
+            url.searchParams.append(key, value);
+        }
+    }
+    const headers = {
+        Authorization: `Bearer ${params.secretKey}`,
+    };
+    let body;
+    if (params.body) {
+        headers["Content-Type"] = "application/x-www-form-urlencoded";
+        body = new URLSearchParams(formEncode(params.body));
+    }
+    const response = await fetch(url.toString(), {
+        method: params.method,
+        headers,
+        body,
+    });
+    const json = await response.json().catch(() => null);
+    if (!response.ok) {
+        const message = extractErrorMessage(json?.error) || extractErrorMessage(json) || `Stripe returned ${response.status}`;
+        fail("STRIPE_API_ERROR", message, 1, { status: response.status });
+    }
+    return json;
+}
+async function lemonRequest(params) {
+    const url = new URL(`https://api.lemonsqueezy.com/v1${params.path}`);
+    if (params.query) {
+        for (const [key, value] of Object.entries(params.query)) {
+            url.searchParams.set(key, value);
+        }
+    }
+    const response = await fetch(url.toString(), {
+        method: params.method,
+        headers: {
+            Accept: "application/vnd.api+json",
+            Authorization: `Bearer ${params.apiKey}`,
+            ...(params.body ? { "Content-Type": "application/vnd.api+json" } : {}),
+        },
+        body: params.body ? JSON.stringify(params.body) : undefined,
+    });
+    const json = await response.json().catch(() => null);
+    if (!response.ok) {
+        const detail = Array.isArray(json?.errors)
+            ? (json.errors[0]?.detail)
+            : null;
+        const message = isNonEmptyString(detail) ? detail : (extractErrorMessage(json) || `Lemon Squeezy returned ${response.status}`);
+        fail("LEMONSQUEEZY_API_ERROR", message, 1, { status: response.status });
+    }
+    return json;
+}
+function checkStripeKeys(flags) {
     const { values } = loadLocalEnv();
-    const supabaseUrl = requireSupabaseUrl(values);
-    const serviceRoleKey = requireServiceRoleKey(values);
-    const runId = `run_${Date.now()}`;
-    const objectPath = buildStorageHealthcheckObjectPath(runId);
-    const prefix = `${STORAGE_HEALTHCHECK_PREFIX}/${runId}/`;
-    await storageRequest({
-        supabaseUrl,
-        serviceRoleKey,
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const publishableKey = values.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY;
+    const secretKey = values.STRIPE_SECRET_KEY;
+    const expectedPublishablePrefix = mode === "test" ? "pk_test_" : "pk_live_";
+    const expectedSecretPrefix = mode === "test" ? "sk_test_" : "sk_live_";
+    const missingKeys = [];
+    const invalidKeys = [];
+    const mistakes = [];
+    if (!isNonEmptyString(publishableKey)) {
+        missingKeys.push("NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY");
+    }
+    else if (!isStripePublishableKey(publishableKey)) {
+        invalidKeys.push("NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY");
+    }
+    else if (!publishableKey.startsWith(expectedPublishablePrefix)) {
+        mistakes.push(`NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY does not match ${mode} mode.`);
+    }
+    if (!isNonEmptyString(secretKey)) {
+        missingKeys.push("STRIPE_SECRET_KEY");
+    }
+    else if (!isStripeSecretKey(secretKey)) {
+        invalidKeys.push("STRIPE_SECRET_KEY");
+    }
+    else if (!secretKey.startsWith(expectedSecretPrefix)) {
+        mistakes.push(`STRIPE_SECRET_KEY does not match ${mode} mode.`);
+    }
+    if (isNonEmptyString(publishableKey) && isNonEmptyString(secretKey)) {
+        if (publishableKey.startsWith("pk_live_") && secretKey.startsWith("sk_test_")) {
+            mistakes.push("Publishable and secret keys are from different Stripe modes (pk_live with sk_test).");
+        }
+        if (publishableKey.startsWith("pk_test_") && secretKey.startsWith("sk_live_")) {
+            mistakes.push("Publishable and secret keys are from different Stripe modes (pk_test with sk_live).");
+        }
+    }
+    if (missingKeys.length > 0 || invalidKeys.length > 0 || mistakes.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Stripe keys are missing, malformed, or inconsistent with the selected mode.", 1, { missingKeys, invalidKeys, mistakes });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-stripe-keys",
+        mode,
+        verified: true,
+        presentKeys: ["NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY", "STRIPE_SECRET_KEY"],
+        checks: ["presence", "format", "mode_consistency"],
+    });
+}
+function checkLemonKeys(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const apiKey = values.LEMONSQUEEZY_API_KEY;
+    const storeId = values.LEMONSQUEEZY_STORE_ID;
+    const missingKeys = [];
+    const invalidKeys = [];
+    if (!isNonEmptyString(apiKey)) {
+        missingKeys.push("LEMONSQUEEZY_API_KEY");
+    }
+    if (!isNonEmptyString(storeId)) {
+        missingKeys.push("LEMONSQUEEZY_STORE_ID");
+    }
+    else if (!isNumericStoreId(storeId)) {
+        invalidKeys.push("LEMONSQUEEZY_STORE_ID");
+    }
+    if (missingKeys.length > 0 || invalidKeys.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Lemon Squeezy API key or store ID is missing or malformed.", 1, { missingKeys, invalidKeys });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-lemonsqueezy-keys",
+        mode,
+        verified: true,
+        presentKeys: ["LEMONSQUEEZY_API_KEY", "LEMONSQUEEZY_STORE_ID"],
+        checks: ["presence", "store_id_format"],
+    });
+}
+async function createStripeWebhook(flags) {
+    const { envLocalPath, values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/stripe", "Stripe");
+    const secretKey = values.STRIPE_SECRET_KEY;
+    if (!isStripeSecretKey(secretKey)) {
+        fail("INVALID_PAYMENTS_ENV", "STRIPE_SECRET_KEY is missing or malformed in .env.local.");
+    }
+    const listed = await stripeRequest({
+        secretKey,
+        method: "GET",
+        path: "/v1/webhook_endpoints",
+        query: { limit: 100 },
+    });
+    const existing = Array.isArray(listed.data)
+        ? listed.data.find((endpoint) => {
+            const url = typeof endpoint.url === "string" ? endpoint.url : "";
+            const events = Array.isArray(endpoint.enabled_events) ? endpoint.enabled_events : [];
+            return url === webhookUrl && JSON.stringify([...events].sort()) === JSON.stringify([...STRIPE_EVENTS].sort());
+        })
+        : null;
+    if (existing && isStripeWebhookSecret(values.STRIPE_WEBHOOK_SECRET)) {
+        printJson({
+            ok: true,
+            command: "payments create-stripe-webhook",
+            mode,
+            created: false,
+            reused: true,
+            endpointId: typeof existing.id === "string" ? existing.id : null,
+            webhookUrl,
+            enabledEvents: STRIPE_EVENTS,
+            envWritten: [],
+        });
+        return;
+    }
+    const created = await stripeRequest({
+        secretKey,
         method: "POST",
-        endpoint: `/storage/v1/object/${STORAGE_PUBLIC_BUCKET}/${objectPath}`,
-        rawBody: "healthcheck probe",
-        contentType: "text/plain",
+        path: "/v1/webhook_endpoints",
+        body: {
+            url: webhookUrl,
+            enabled_events: STRIPE_EVENTS,
+            description: "VibeCodeMax payments webhook",
+        },
     });
-    const listResult = await storageRequest({
-        supabaseUrl,
-        serviceRoleKey,
+    if (!isStripeWebhookSecret(created.secret)) {
+        fail("STRIPE_WEBHOOK_CREATE_FAILED", "Stripe did not return a webhook signing secret.");
+    }
+    mergeEnvFile(envLocalPath, {
+        STRIPE_WEBHOOK_SECRET: created.secret.trim(),
+    });
+    printJson({
+        ok: true,
+        command: "payments create-stripe-webhook",
+        mode,
+        created: true,
+        reused: false,
+        endpointId: typeof created.id === "string" ? created.id : null,
+        webhookUrl: typeof created.url === "string" ? created.url : webhookUrl,
+        enabledEvents: STRIPE_EVENTS,
+        envWritten: ["STRIPE_WEBHOOK_SECRET"],
+    });
+}
+function checkStripeWebhookSecret(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/stripe", "Stripe");
+    const missingKeys = [];
+    const invalidKeys = [];
+    if (!isNonEmptyString(values.STRIPE_WEBHOOK_SECRET)) {
+        missingKeys.push("STRIPE_WEBHOOK_SECRET");
+    }
+    else if (!isStripeWebhookSecret(values.STRIPE_WEBHOOK_SECRET)) {
+        invalidKeys.push("STRIPE_WEBHOOK_SECRET");
+    }
+    if (missingKeys.length > 0 || invalidKeys.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Stripe webhook secret is missing or malformed in .env.local.", 1, { missingKeys, invalidKeys });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-stripe-webhook-secret",
+        mode,
+        verified: true,
+        webhookUrl,
+        presentKeys: ["STRIPE_WEBHOOK_SECRET"],
+        checks: ["presence", "format", "webhook_url_format"],
+    });
+}
+async function createLemonWebhook(flags) {
+    const { envLocalPath, values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/lemonsqueezy", "Lemon Squeezy");
+    const apiKey = values.LEMONSQUEEZY_API_KEY;
+    const storeId = values.LEMONSQUEEZY_STORE_ID;
+    if (!isNonEmptyString(apiKey)) {
+        fail("INVALID_PAYMENTS_ENV", "LEMONSQUEEZY_API_KEY is missing in .env.local.");
+    }
+    if (!isNumericStoreId(storeId)) {
+        fail("INVALID_PAYMENTS_ENV", "LEMONSQUEEZY_STORE_ID is missing or malformed in .env.local.");
+    }
+    const listed = await lemonRequest({
+        apiKey,
+        method: "GET",
+        path: "/webhooks",
+        query: {
+            "filter[store_id]": storeId.trim(),
+            "page[size]": "100",
+        },
+    });
+    const existing = Array.isArray(listed.data)
+        ? listed.data.find((endpoint) => {
+            const attrs = endpoint.attributes && typeof endpoint.attributes === "object"
+                ? endpoint.attributes
+                : {};
+            const relationships = endpoint.relationships && typeof endpoint.relationships === "object"
+                ? endpoint.relationships
+                : {};
+            const endpointStoreId = typeof relationships.store?.data?.id === "string"
+                ? (relationships.store.data.id)
+                : "";
+            const events = Array.isArray(attrs.events) ? attrs.events : [];
+            return String(attrs.url || "") === webhookUrl
+                && endpointStoreId === storeId.trim()
+                && JSON.stringify([...events].sort()) === JSON.stringify([...LEMON_EVENTS].sort());
+        })
+        : null;
+    if (existing && isNonEmptyString(values.LEMONSQUEEZY_WEBHOOK_SECRET)) {
+        printJson({
+            ok: true,
+            command: "payments create-lemonsqueezy-webhook",
+            mode,
+            created: false,
+            reused: true,
+            endpointId: typeof existing.id === "string" ? existing.id : null,
+            webhookUrl,
+            storeId: storeId.trim(),
+            enabledEvents: LEMON_EVENTS,
+            envWritten: [],
+        });
+        return;
+    }
+    const generatedSecret = randomBytes(24).toString("hex");
+    const created = await lemonRequest({
+        apiKey,
         method: "POST",
-        endpoint: `/storage/v1/object/list/${STORAGE_PUBLIC_BUCKET}`,
-        body: { prefix },
-        contentType: "application/json",
+        path: "/webhooks",
+        body: {
+            data: {
+                type: "webhooks",
+                attributes: {
+                    url: webhookUrl,
+                    events: LEMON_EVENTS,
+                    secret: generatedSecret,
+                    test_mode: mode === "test",
+                },
+                relationships: {
+                    store: {
+                        data: {
+                            type: "stores",
+                            id: storeId.trim(),
+                        },
+                    },
+                },
+            },
+        },
     });
-    await storageRequest({
-        supabaseUrl,
-        serviceRoleKey,
-        method: "DELETE",
-        endpoint: `/storage/v1/object/${STORAGE_PUBLIC_BUCKET}`,
-        body: { prefixes: [objectPath] },
-        contentType: "application/json",
+    mergeEnvFile(envLocalPath, {
+        LEMONSQUEEZY_WEBHOOK_SECRET: generatedSecret,
     });
     printJson({
         ok: true,
-        command: "storage smoke-test-supabase",
-        runId,
-        bucketId: STORAGE_PUBLIC_BUCKET,
-        objectPath,
-        prefix,
-        upload: true,
-        list: true,
-        delete: true,
-        listedItems: Array.isArray(listResult) ? listResult.length : 0,
+        command: "payments create-lemonsqueezy-webhook",
+        mode,
+        created: true,
+        reused: false,
+        endpointId: typeof created.data?.id === "string" ? created.data.id : null,
+        webhookUrl: typeof created.data?.attributes?.url === "string" ? created.data.attributes.url : webhookUrl,
+        storeId: storeId.trim(),
+        enabledEvents: LEMON_EVENTS,
+        envWritten: ["LEMONSQUEEZY_WEBHOOK_SECRET"],
+    });
+}
+function checkLemonWebhookSecret(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/lemonsqueezy", "Lemon Squeezy");
+    const missingKeys = [];
+    if (!isNonEmptyString(values.LEMONSQUEEZY_WEBHOOK_SECRET)) {
+        missingKeys.push("LEMONSQUEEZY_WEBHOOK_SECRET");
+    }
+    if (missingKeys.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Lemon Squeezy webhook secret is missing in .env.local.", 1, { missingKeys });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-lemonsqueezy-webhook-secret",
+        mode,
+        verified: true,
+        webhookUrl,
+        presentKeys: ["LEMONSQUEEZY_WEBHOOK_SECRET"],
+        checks: ["presence", "webhook_url_format"],
     });
 }
 async function main() {
@@ -963,10 +1386,14 @@ async function main() {
                 "admin ensure-admin",
                 "storage check-supabase-context",
                 "storage setup-supabase",
-                "storage smoke-test-supabase",
                 "storage check-s3-context",
                 "storage setup-s3",
-                "storage smoke-test-s3",
+                "payments check-stripe-keys",
+                "payments create-stripe-webhook",
+                "payments check-stripe-webhook-secret",
+                "payments check-lemonsqueezy-keys",
+                "payments create-lemonsqueezy-webhook",
+                "payments check-lemonsqueezy-webhook-secret",
                 "configure-site-redirects",
                 "configure-email-password",
                 "enable-google-provider",
@@ -989,14 +1416,22 @@ async function main() {
         return checkSupabaseContext();
     if (command === "storage" && subcommand === "setup-supabase")
         return setupSupabaseStorage(flags);
-    if (command === "storage" && subcommand === "smoke-test-supabase")
-        return smokeTestSupabase();
     if (command === "storage" && subcommand === "check-s3-context")
         return checkS3Context(flags);
     if (command === "storage" && subcommand === "setup-s3")
         return setupS3Storage(flags);
-    if (command === "storage" && subcommand === "smoke-test-s3")
-        return smokeTestS3(flags);
+    if (command === "payments" && subcommand === "check-stripe-keys")
+        return checkStripeKeys(flags);
+    if (command === "payments" && subcommand === "create-stripe-webhook")
+        return createStripeWebhook(flags);
+    if (command === "payments" && subcommand === "check-stripe-webhook-secret")
+        return checkStripeWebhookSecret(flags);
+    if (command === "payments" && subcommand === "check-lemonsqueezy-keys")
+        return checkLemonKeys(flags);
+    if (command === "payments" && subcommand === "create-lemonsqueezy-webhook")
+        return createLemonWebhook(flags);
+    if (command === "payments" && subcommand === "check-lemonsqueezy-webhook-secret")
+        return checkLemonWebhookSecret(flags);
     if (command === "configure-site-redirects")
         return configureSiteRedirects(flags);
     if (command === "configure-email-password")

package/dist/storageS3.js

@@ -1,7 +1,7 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import * as crypto from "node:crypto";
-import { S3Client, HeadBucketCommand, CreateBucketCommand, PutPublicAccessBlockCommand, PutBucketEncryptionCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketCorsCommand, GetBucketLocationCommand, GetPublicAccessBlockCommand, GetBucketEncryptionCommand, GetBucketOwnershipControlsCommand, GetBucketPolicyCommand, GetBucketCorsCommand, PutObjectCommand, ListObjectsV2Command, DeleteObjectCommand, GetObjectCommand, } from "@aws-sdk/client-s3";
+import { S3Client, HeadBucketCommand, CreateBucketCommand, PutPublicAccessBlockCommand, PutBucketEncryptionCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketCorsCommand, GetBucketLocationCommand, GetPublicAccessBlockCommand, GetBucketEncryptionCommand, GetBucketOwnershipControlsCommand, GetBucketPolicyCommand, GetBucketCorsCommand, } from "@aws-sdk/client-s3";
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
 const SETUP_CONFIG_PATH = path.join(".vibecodemax", "setup-config.json");
 const DEFAULT_BUCKETS = {
@@ -10,7 +10,6 @@ const DEFAULT_BUCKETS = {
 };
 const DEFAULT_PROJECT_SLUG = "vibecodemax";
 const DEFAULT_REGION = "us-east-1";
-const HEALTHCHECK_PREFIX = "_vibecodemax/healthcheck/default";
 const PUBLIC_ACCESS_BLOCK_PRIVATE = {
     BlockPublicAcls: true,
     IgnorePublicAcls: true,
@@ -482,55 +481,6 @@ async function verifyTwoBuckets(region, credentials, buckets) {
         });
     }
 }
-function buildObjectUrl(bucket, region, key) {
-    const encoded = key.split("/").map((segment) => encodeURIComponent(segment)).join("/");
-    if (region === "us-east-1")
-        return `https://${bucket}.s3.amazonaws.com/${encoded}`;
-    return `https://${bucket}.s3.${region}.amazonaws.com/${encoded}`;
-}
-async function smokeTestBuckets(region, credentials, buckets) {
-    const { s3Client } = createAwsClients(region, credentials);
-    const runId = `run_${Date.now()}`;
-    const prefix = `${HEALTHCHECK_PREFIX}/${runId}`;
-    const publicKey = `${prefix}/public-probe.txt`;
-    const privateKey = `${prefix}/private-probe.txt`;
-    await s3Client.send(new PutObjectCommand({ Bucket: buckets.public, Key: publicKey, Body: "public healthcheck probe", ContentType: "text/plain" }));
-    await s3Client.send(new PutObjectCommand({ Bucket: buckets.private, Key: privateKey, Body: "private healthcheck probe", ContentType: "text/plain" }));
-    const publicList = await s3Client.send(new ListObjectsV2Command({ Bucket: buckets.public, Prefix: prefix }));
-    const privateList = await s3Client.send(new ListObjectsV2Command({ Bucket: buckets.private, Prefix: prefix }));
-    const listPassed = Number(publicList.KeyCount || 0) > 0 && Number(privateList.KeyCount || 0) > 0;
-    if (!listPassed) {
-        fail("AWS_SMOKE_TEST_FAILED", "AWS S3 smoke-test list operation did not return the uploaded healthcheck objects.", 1, { prefix });
-    }
-    const publicUrl = buildObjectUrl(buckets.public, region, publicKey);
-    const privateUrl = buildObjectUrl(buckets.private, region, privateKey);
-    const publicReadResponse = await fetch(publicUrl);
-    const privateReadResponse = await fetch(privateUrl);
-    const publicRead = publicReadResponse.ok;
-    const privateReadBlocked = !privateReadResponse.ok;
-    if (!publicRead || !privateReadBlocked) {
-        fail("AWS_SMOKE_TEST_FAILED", "AWS S3 smoke-test public/private read checks failed.", 1, {
-            publicReadStatus: publicReadResponse.status,
-            privateReadStatus: privateReadResponse.status,
-        });
-    }
-    await s3Client.send(new GetObjectCommand({ Bucket: buckets.private, Key: privateKey }));
-    await s3Client.send(new DeleteObjectCommand({ Bucket: buckets.public, Key: publicKey }));
-    await s3Client.send(new DeleteObjectCommand({ Bucket: buckets.private, Key: privateKey }));
-    return {
-        ok: true,
-        command: "storage smoke-test-s3",
-        runId,
-        prefix,
-        buckets,
-        upload: true,
-        list: true,
-        publicRead: true,
-        privateRead: true,
-        delete: true,
-        publicObjectUrl: publicUrl,
-    };
-}
 export async function checkS3Context(flags) {
     const context = readAwsContext(flags);
     if (context.missingKeys.length > 0) {
@@ -603,28 +553,6 @@ export async function setupS3Storage(flags) {
         envWritten: ["AWS_REGION", "AWS_S3_PUBLIC_BUCKET", "AWS_S3_PRIVATE_BUCKET"],
     });
 }
-export async function smokeTestS3(flags) {
-    const context = readAwsContext(flags);
-    const publicBucket = context.localEnv.values.AWS_S3_PUBLIC_BUCKET || "";
-    const privateBucket = context.localEnv.values.AWS_S3_PRIVATE_BUCKET || "";
-    if (context.missingKeys.length > 0) {
-        fail("MISSING_ENV", `Missing required AWS values: ${context.missingKeys.join(", ")}. Add them to .env.bootstrap.local.`);
-    }
-    if (!isNonEmptyString(publicBucket) || !isNonEmptyString(privateBucket)) {
-        fail("MISSING_ENV", "AWS_S3_PUBLIC_BUCKET or AWS_S3_PRIVATE_BUCKET is missing. Run storage setup first so .env.local is populated.");
-    }
-    const credentials = {
-        accessKeyId: context.accessKeyId,
-        secretAccessKey: context.secretAccessKey,
-        ...(context.sessionToken ? { sessionToken: context.sessionToken } : {}),
-    };
-    await validateCredentials(context.region, credentials);
-    const result = await smokeTestBuckets(context.region, credentials, {
-        public: publicBucket.trim(),
-        private: privateBucket.trim(),
-    });
-    printJson(result);
-}
 export function __testOnlyDeterministicBuckets(projectSlug, accountId) {
     return deterministicBuckets({ projectSlug, accountId });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecodemax/cli",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "VibeCodeMax CLI — local provider setup for bootstrap and project configuration",
   "type": "module",
   "bin": {