agentlink-sh 0.26.0 → 0.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/README.md +4 -24
  2. package/dist/{chunk-7NV5CYOF.js → chunk-DFDS5V5Z.js} +46 -40
  3. package/dist/{chunk-DM6KG5YU.js → chunk-ILLYV7U7.js} +9 -1
  4. package/dist/{chunk-4CW46BPC.js → chunk-K5XVJEHP.js} +16 -3
  5. package/dist/{cloud-ZXVJMV5Q.js → cloud-L4LRFCKV.js} +4 -2
  6. package/dist/{constants-PWT7TUWD.js → constants-TCRAHGH6.js} +3 -1
  7. package/dist/{db-DNK3TD5Y.js → db-7M37DHEA.js} +3 -3
  8. package/dist/index.js +4021 -659
  9. package/dist/{oauth-JGWRORJM.js → oauth-2QHJGBWP.js} +1 -1
  10. package/package.json +1 -1
package/README.md CHANGED
@@ -6,28 +6,10 @@ Teach AI agents the right way to build on Supabase.
6
6
 
7
7
  ## Install & Run
8
8
 
9
- ### macOS
9
+ Install cli globally.
10
10
 
11
11
  ```bash
12
- curl -fsSL https://agentlink.sh/install | sh
13
- ```
14
-
15
- ### Linux
16
-
17
- ```bash
18
- wget -qO- https://agentlink.sh/install | sh
19
- ```
20
-
21
- ### Windows (PowerShell)
22
-
23
- ```powershell
24
- irm https://agentlink.sh/install.ps1 | iex
25
- ```
26
-
27
- ### npx (any platform with Node.js 18+)
28
-
29
- ```bash
30
- npx agentlink-sh@latest
12
+ npm i -g agentlink-sh@latest
31
13
  ```
32
14
 
33
15
  Or run directly with npx (requires Node.js 18+):
@@ -36,8 +18,6 @@ Or run directly with npx (requires Node.js 18+):
36
18
  npx agentlink-sh@latest
37
19
  ```
38
20
 
39
- The install scripts automatically detect your OS, install Node.js if needed, and set up the CLI globally.
40
-
41
21
  ## Quick start
42
22
 
43
23
  ```bash
@@ -312,7 +292,7 @@ Apply one or more server-side config sections to a cloud env. The three subsyste
312
292
 
313
293
  | Subcommand | What it does |
314
294
  |-----------|--------------|
315
- | `secrets` | Seed Vault (`SUPABASE_URL` / `SUPABASE_PUBLISHABLE_KEY` / `SUPABASE_SECRET_KEY`) **and** mirror to edge-function secrets under `SB_*` prefix (set-if-absentuser-set custom values survive). |
295
+ | `secrets` | Seed Vault (`SUPABASE_URL` / `SUPABASE_PUBLISHABLE_KEY` / `SUPABASE_SECRET_KEY`). Edge functions read the platform-injected `SUPABASE_*` env vars directly no `SB_*` mirror. |
316
296
  | `db` | PATCH PostgREST to expose the `api` schema. |
317
297
  | `auth` | PATCH auth config (hooks + signup settings). |
318
298
  | `all` | Run all three in order. |
@@ -392,7 +372,7 @@ agentlink db rebuild # Wipes migrations, re-applies schemas, create
392
372
 
393
373
  The scaffold runs a multi-step process:
394
374
 
395
- 1. **Prerequisites** — Checks for Supabase CLI, pg-delta, and psql
375
+ 1. **Prerequisites** — Supabase CLI and pgdelta come bundled with `agentlink-sh` (no manual install). Local mode also checks for psql and Docker.
396
376
  2. **Configure files** — Writes template files, `config.toml`, and `.env.local`
397
377
  3. **Start Supabase** — Starts locally (Docker) or creates a Cloud project
398
378
  4. **Read config** — Reads Supabase API keys and connection info
package/dist/{chunk-7NV5CYOF.js → chunk-DFDS5V5Z.js} RENAMED
@@ -5,7 +5,7 @@ import {
5
5
  loadProjectCredential,
6
6
  resolvePoolerDbUrl,
7
7
  saveProjectCredential
8
- } from "./chunk-4CW46BPC.js";
8
+ } from "./chunk-K5XVJEHP.js";
9
9
  import {
10
10
  ensureGitignorePattern,
11
11
  runCommand
@@ -20,7 +20,7 @@ import {
20
20
  import {
21
21
  pgd,
22
22
  sb
23
- } from "./chunk-DM6KG5YU.js";
23
+ } from "./chunk-ILLYV7U7.js";
24
24
 
25
25
  // src/db.ts
26
26
  import fs3 from "fs";
@@ -212,7 +212,7 @@ import fs2 from "fs";
212
212
  import path2 from "path";
213
213
 
214
214
  // src/sql/check_setup.sql
215
- var check_setup_default = "SELECT jsonb_build_object(\n 'extensions', jsonb_build_object(\n 'pg_net', EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_net'),\n 'pg_cron', EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_cron'),\n 'vault', EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'supabase_vault'),\n 'pgmq', EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pgmq'),\n -- pg_graphql must be dropped to enforce schema isolation (reported true when absent)\n 'pg_graphql_dropped', NOT EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_graphql')\n ),\n 'queues', jsonb_build_object(\n 'agentlink_tasks', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'pgmq' AND table_name = 'q_agentlink_tasks'\n )\n ),\n 'tables', jsonb_build_object(\n 'profiles', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'profiles'\n ),\n 'tenants', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'tenants'\n ),\n 'memberships', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'memberships'\n ),\n 'invitations', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'invitations'\n )\n ),\n 'functions', jsonb_build_object(\n '_internal_admin_get_secret',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_internal_admin_get_secret'\n ),\n '_internal_admin_call_edge_function',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_internal_admin_call_edge_function'\n ),\n 'api._admin_enqueue_task',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = '_admin_enqueue_task'\n ),\n 'api._admin_queue_read',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = '_admin_queue_read'\n ),\n 'api._admin_queue_delete',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = '_admin_queue_delete'\n ),\n 'api._admin_queue_archive',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = '_admin_queue_archive'\n ),\n 'set_updated_at',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = 'set_updated_at'\n ),\n '_internal_admin_handle_new_user',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_internal_admin_handle_new_user'\n ),\n 'api.profile_get',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'profile_get'\n ),\n 'api.profile_update',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'profile_update'\n ),\n '_hook_before_user_created',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_hook_before_user_created'\n ),\n '_hook_send_email',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_hook_send_email'\n ),\n '_auth_tenant_id',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_auth_tenant_id'\n ),\n '_auth_tenant_role',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_auth_tenant_role'\n ),\n '_auth_has_role',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_auth_has_role'\n ),\n '_auth_is_tenant_member',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_auth_is_tenant_member'\n ),\n 'api.tenant_select',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'tenant_select'\n ),\n 'api.tenant_list',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'tenant_list'\n ),\n 'api.tenant_create',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'tenant_create'\n ),\n 'api.invitation_create',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'invitation_create'\n ),\n 'api.invitation_accept',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'invitation_accept'\n ),\n 'api.membership_list',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'membership_list'\n )\n ),\n 'triggers', jsonb_build_object(\n 'trg_profiles_updated_at',\n EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_profiles_updated_at'\n ),\n 'trg_auth_users_new_user',\n EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_auth_users_new_user'\n ),\n 'trg_tenants_updated_at',\n EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_tenants_updated_at'\n )\n ),\n 'secrets', jsonb_build_object(\n 'SUPABASE_URL',\n EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_URL'),\n 'SUPABASE_PUBLISHABLE_KEY',\n EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_PUBLISHABLE_KEY'),\n 'SUPABASE_SECRET_KEY',\n EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_SECRET_KEY')\n ),\n 'api_schema', EXISTS (\n SELECT 1 FROM information_schema.schemata WHERE schema_name = 'api'\n ),\n 'api_schema_anon_usage',\n has_schema_privilege('anon', 'api', 'USAGE'),\n 'ready', (\n EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_net')\n AND EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_cron')\n AND EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'supabase_vault')\n AND EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pgmq')\n AND NOT EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_graphql')\n AND EXISTS (SELECT 1 FROM information_schema.schemata WHERE schema_name = 'api')\n AND has_schema_privilege('anon', 'api', 'USAGE')\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'pgmq' AND table_name = 'q_agentlink_tasks'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_internal_admin_get_secret'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_internal_admin_call_edge_function'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = '_admin_enqueue_task'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = '_admin_queue_read'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = '_admin_queue_delete'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = '_admin_queue_archive'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'profiles'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'tenants'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'memberships'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'invitations'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = 'set_updated_at'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_internal_admin_handle_new_user'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'profile_get'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'profile_update'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_hook_before_user_created'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_hook_send_email'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_auth_tenant_id'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_auth_tenant_role'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_auth_has_role'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_auth_is_tenant_member'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'tenant_select'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'tenant_list'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'tenant_create'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'invitation_create'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'invitation_accept'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'membership_list'\n )\n AND EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_profiles_updated_at'\n )\n AND EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_auth_users_new_user'\n )\n AND EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_tenants_updated_at'\n )\n AND EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_URL')\n AND EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_PUBLISHABLE_KEY')\n AND EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_SECRET_KEY')\n )\n) AS setup_status;\n";
215
+ var check_setup_default = "SELECT jsonb_build_object(\n 'extensions', jsonb_build_object(\n 'pg_net', EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_net'),\n 'pg_cron', EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_cron'),\n 'vault', EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'supabase_vault'),\n 'pgmq', EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pgmq'),\n -- pg_graphql must be dropped to enforce schema isolation (reported true when absent)\n 'pg_graphql_dropped', NOT EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_graphql')\n ),\n 'queues', jsonb_build_object(\n 'agentlink_tasks', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'pgmq' AND table_name = 'q_agentlink_tasks'\n )\n ),\n 'tables', jsonb_build_object(\n 'profiles', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'profiles'\n ),\n 'tenants', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'tenants'\n ),\n 'memberships', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'memberships'\n ),\n 'invitations', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'invitations'\n ),\n 'roles', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'roles'\n ),\n 'permissions', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'permissions'\n ),\n 'role_permissions', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'role_permissions'\n ),\n 'session_tenants', EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'session_tenants'\n )\n ),\n 'functions', jsonb_build_object(\n '_internal_admin_get_secret',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_internal_admin_get_secret'\n ),\n '_internal_admin_call_edge_function',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_internal_admin_call_edge_function'\n ),\n 'api._admin_enqueue_task',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = '_admin_enqueue_task'\n ),\n 'api._admin_queue_read',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = '_admin_queue_read'\n ),\n 'api._admin_queue_delete',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = '_admin_queue_delete'\n ),\n 'api._admin_queue_archive',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = '_admin_queue_archive'\n ),\n 'set_updated_at',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = 'set_updated_at'\n ),\n '_internal_admin_handle_new_user',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_internal_admin_handle_new_user'\n ),\n 'api.profile_get',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'profile_get'\n ),\n 'api.profile_update',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'profile_update'\n ),\n '_hook_before_user_created',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_hook_before_user_created'\n ),\n '_hook_custom_access_token',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_hook_custom_access_token'\n ),\n '_hook_send_email',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_hook_send_email'\n ),\n '_auth_tenant_id',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_auth_tenant_id'\n ),\n '_auth_tenant_role',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_auth_tenant_role'\n ),\n '_auth_has_role',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_auth_has_role'\n ),\n '_auth_has_permission',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_auth_has_permission'\n ),\n '_auth_is_tenant_member',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public'\n AND routine_name = '_auth_is_tenant_member'\n ),\n 'api.tenant_select',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'tenant_select'\n ),\n 'api.tenant_list',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'tenant_list'\n ),\n 'api.tenant_create',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'tenant_create'\n ),\n 'api.invitation_create',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'invitation_create'\n ),\n 'api.invitation_accept',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'invitation_accept'\n ),\n 'api.membership_list',\n EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api'\n AND routine_name = 'membership_list'\n )\n ),\n 'triggers', jsonb_build_object(\n 'trg_profiles_updated_at',\n EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_profiles_updated_at'\n ),\n 'trg_auth_users_new_user',\n EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_auth_users_new_user'\n ),\n 'trg_tenants_updated_at',\n EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_tenants_updated_at'\n )\n ),\n 'secrets', jsonb_build_object(\n 'SUPABASE_URL',\n EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_URL'),\n 'SUPABASE_PUBLISHABLE_KEY',\n EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_PUBLISHABLE_KEY'),\n 'SUPABASE_SECRET_KEY',\n EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_SECRET_KEY')\n ),\n 'api_schema', EXISTS (\n SELECT 1 FROM information_schema.schemata WHERE schema_name = 'api'\n ),\n 'api_schema_anon_usage',\n has_schema_privilege('anon', 'api', 'USAGE'),\n 'ready', (\n EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_net')\n AND EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_cron')\n AND EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'supabase_vault')\n AND EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pgmq')\n AND NOT EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_graphql')\n AND EXISTS (SELECT 1 FROM information_schema.schemata WHERE schema_name = 'api')\n AND has_schema_privilege('anon', 'api', 'USAGE')\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'pgmq' AND table_name = 'q_agentlink_tasks'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_internal_admin_get_secret'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_internal_admin_call_edge_function'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = '_admin_enqueue_task'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = '_admin_queue_read'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = '_admin_queue_delete'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = '_admin_queue_archive'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'profiles'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'tenants'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'memberships'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'invitations'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'roles'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'permissions'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'role_permissions'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.tables\n WHERE table_schema = 'public' AND table_name = 'session_tenants'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = 'set_updated_at'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_internal_admin_handle_new_user'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'profile_get'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'profile_update'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_hook_before_user_created'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_hook_custom_access_token'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_hook_send_email'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_auth_tenant_id'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_auth_tenant_role'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_auth_has_role'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_auth_has_permission'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'public' AND routine_name = '_auth_is_tenant_member'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'tenant_select'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'tenant_list'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'tenant_create'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'invitation_create'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'invitation_accept'\n )\n AND EXISTS (\n SELECT 1 FROM information_schema.routines\n WHERE routine_schema = 'api' AND routine_name = 'membership_list'\n )\n AND EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_profiles_updated_at'\n )\n AND EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_auth_users_new_user'\n )\n AND EXISTS (\n SELECT 1 FROM pg_trigger WHERE tgname = 'trg_tenants_updated_at'\n )\n AND EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_URL')\n AND EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_PUBLISHABLE_KEY')\n AND EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_SECRET_KEY')\n )\n) AS setup_status;\n";
216
216
 
217
217
  // src/sql.ts
218
218
  function upsertSecret(value, name) {
@@ -295,39 +295,6 @@ function runSQL(sql, dbUrl) {
295
295
  child.stdin.end();
296
296
  });
297
297
  }
298
- function writeMigrationTemplates(projectDir, templates, baseTimestamp, options) {
299
- const dryRun = options?.dryRun ?? false;
300
- const migrationsDir = path2.join(projectDir, "supabase", "migrations");
301
- if (!dryRun) fs2.mkdirSync(migrationsDir, { recursive: true });
302
- const createdVersions = [];
303
- const createdFilenames = [];
304
- const base = baseTimestamp ?? /* @__PURE__ */ new Date();
305
- let offsetSeconds = 0;
306
- const existingFiles = fs2.existsSync(migrationsDir) ? fs2.readdirSync(migrationsDir) : [];
307
- for (const [name, content] of Object.entries(templates)) {
308
- const existing = existingFiles.find((f) => f.endsWith(`_agentlink_${name}.sql`));
309
- if (existing) continue;
310
- const ts = new Date(base.getTime() + offsetSeconds * 1e3);
311
- const version = ts.toISOString().replace(/\D/g, "").slice(0, 14);
312
- const filename = `${version}_agentlink_${name}.sql`;
313
- if (!dryRun) fs2.writeFileSync(path2.join(migrationsDir, filename), content);
314
- createdVersions.push(version);
315
- createdFilenames.push(filename);
316
- offsetSeconds++;
317
- }
318
- return { createdVersions, createdFilenames };
319
- }
320
- async function repairMigrations(projectDir, versions, local = true, env) {
321
- const localFlag = local ? " --local" : "";
322
- for (const version of versions) {
323
- await runCommand(
324
- `${sb()} migration repair ${version} --status applied${localFlag}`,
325
- projectDir,
326
- void 0,
327
- env
328
- );
329
- }
330
- }
331
298
  function updateConfigToml(projectDir, options) {
332
299
  const dryRun = options?.dryRun ?? false;
333
300
  const configPath = path2.join(projectDir, "supabase", "config.toml");
@@ -372,6 +339,7 @@ sql_paths = [${seedPath}]
372
339
  }
373
340
  patches.push(...updateConfigTomlSendEmailHook(projectDir, { dryRun }));
374
341
  patches.push(...updateConfigTomlBeforeUserCreatedHook(projectDir, { dryRun }));
342
+ patches.push(...updateConfigTomlCustomAccessTokenHook(projectDir, { dryRun }));
375
343
  patches.push(...updateConfigTomlAuthEmailConfirmations(projectDir, { dryRun }));
376
344
  patches.push(...renameInternalEdgeFunctionSections(projectDir, { dryRun }));
377
345
  return patches;
@@ -450,7 +418,19 @@ sql_paths = ["./seed.sql", "./seeds/local-secrets.seed.sql"]
450
418
  [auth]
451
419
  enabled = true
452
420
  site_url = "http://127.0.0.1:3000"
453
- additional_redirect_urls = ["https://127.0.0.1:3000"]
421
+ # Wildcards cover the full canonical auth flow:
422
+ # /auth/confirm \u2014 single PKCE callback for signup, magiclink, recovery, email_change
423
+ # /auth/update-password \u2014 recovery destination after confirm exchange
424
+ # /accept-invite \u2014 workspace invitation acceptance
425
+ # /auth/check-inbox \u2014 pending state (no PKCE redirect ever lands here, but allowing
426
+ # the prefix prevents accidental denies during dev)
427
+ additional_redirect_urls = [
428
+ "http://127.0.0.1:3000/**",
429
+ "http://localhost:3000/**",
430
+ "http://127.0.0.1:5173/**",
431
+ "http://localhost:5173/**",
432
+ "https://127.0.0.1:3000/**",
433
+ ]
454
434
  jwt_expiry = 3600
455
435
  enable_refresh_token_rotation = true
456
436
  refresh_token_reuse_interval = 10
@@ -479,6 +459,10 @@ uri = "pg-functions://postgres/public/_hook_send_email"
479
459
  enabled = true
480
460
  uri = "pg-functions://postgres/public/_hook_before_user_created"
481
461
 
462
+ [auth.hook.custom_access_token]
463
+ enabled = true
464
+ uri = "pg-functions://postgres/public/_hook_custom_access_token"
465
+
482
466
  [functions.internal-queue-worker]
483
467
  enabled = true
484
468
  verify_jwt = false
@@ -529,6 +513,22 @@ uri = "pg-functions://postgres/public/_hook_before_user_created"
529
513
  }
530
514
  return [];
531
515
  }
516
+ function updateConfigTomlCustomAccessTokenHook(projectDir, options) {
517
+ const dryRun = options?.dryRun ?? false;
518
+ const configPath = path2.join(projectDir, "supabase", "config.toml");
519
+ let content = fs2.readFileSync(configPath, "utf-8");
520
+ if (!content.includes("[auth.hook.custom_access_token]")) {
521
+ content = content.trimEnd() + `
522
+
523
+ [auth.hook.custom_access_token]
524
+ enabled = true
525
+ uri = "pg-functions://postgres/public/_hook_custom_access_token"
526
+ `;
527
+ if (!dryRun) fs2.writeFileSync(configPath, content);
528
+ return ["auth.hook.custom_access_token: add section"];
529
+ }
530
+ return [];
531
+ }
532
532
  function updateConfigTomlAuthEmailConfirmations(projectDir, options) {
533
533
  const dryRun = options?.dryRun ?? false;
534
534
  const configPath = path2.join(projectDir, "supabase", "config.toml");
@@ -788,11 +788,19 @@ async function dbApply(options) {
788
788
  }
789
789
  const dbUrl = await resolveDbUrl(options.cwd, options.dbUrl);
790
790
  if (!options.quiet) console.log("Applying schemas...");
791
- await runCommand(
791
+ const applyOutput = await runCommand(
792
792
  `${pgd()} declarative apply --path ./supabase/schemas/ --target ${JSON.stringify(dbUrl)}`,
793
793
  options.cwd,
794
794
  options.quiet ? void 0 : (line) => console.log(line)
795
795
  );
796
+ if (/^Stuck after \d+ round/m.test(applyOutput)) {
797
+ if (options.quiet) {
798
+ console.error(applyOutput);
799
+ }
800
+ throw new Error(
801
+ "pg-delta declarative apply did not complete cleanly \u2014 some statements failed and the database state is inconsistent with supabase/schemas/. Fix the errors listed above (typically duplicate definitions or unresolved references) and re-run."
802
+ );
803
+ }
796
804
  if (!options.skipTypes) {
797
805
  if (!options.quiet) console.log("\nGenerating types...");
798
806
  try {
@@ -1038,8 +1046,6 @@ export {
1038
1046
  cloudSeedSQL,
1039
1047
  parseSupabaseStatus,
1040
1048
  runSQL,
1041
- writeMigrationTemplates,
1042
- repairMigrations,
1043
1049
  updateConfigToml,
1044
1050
  migrateRenamedEdgeFunctionDirs,
1045
1051
  writeConfigToml,
package/dist/{chunk-DM6KG5YU.js → chunk-ILLYV7U7.js} RENAMED
@@ -53,6 +53,8 @@ var AUTH_CONFIG = {
53
53
  hook_send_email_uri: "pg-functions://postgres/public/_hook_send_email",
54
54
  hook_before_user_created_enabled: true,
55
55
  hook_before_user_created_uri: "pg-functions://postgres/public/_hook_before_user_created",
56
+ hook_custom_access_token_enabled: true,
57
+ hook_custom_access_token_uri: "pg-functions://postgres/public/_hook_custom_access_token",
56
58
  external_email_enabled: true,
57
59
  enable_signup: true,
58
60
  jwt_exp: 3600,
@@ -65,6 +67,11 @@ var AUTH_CONFIG = {
65
67
  var AUTH_CONFIG_DEV_OVERRIDES = {
66
68
  mailer_autoconfirm: true
67
69
  };
70
+ var RESEND_SMTP = {
71
+ host: "smtp.resend.com",
72
+ port: "465",
73
+ user: "resend"
74
+ };
68
75
 
69
76
  export {
70
77
  SUPPORTED_SUPABASE_CLI,
@@ -77,5 +84,6 @@ export {
77
84
  pgd,
78
85
  POSTGREST_CONFIG,
79
86
  AUTH_CONFIG,
80
- AUTH_CONFIG_DEV_OVERRIDES
87
+ AUTH_CONFIG_DEV_OVERRIDES,
88
+ RESEND_SMTP
81
89
  };
package/dist/{chunk-4CW46BPC.js → chunk-K5XVJEHP.js} RENAMED
@@ -13,7 +13,7 @@ import {
13
13
  } from "./chunk-MHI6VJ75.js";
14
14
  import {
15
15
  sb
16
- } from "./chunk-DM6KG5YU.js";
16
+ } from "./chunk-ILLYV7U7.js";
17
17
 
18
18
  // src/cloud.ts
19
19
  import fs from "fs";
@@ -77,7 +77,7 @@ async function refreshIfNeeded(entry) {
77
77
  }
78
78
  if (!entry.refresh_token) return null;
79
79
  try {
80
- const { refreshOAuthToken } = await import("./oauth-JGWRORJM.js");
80
+ const { refreshOAuthToken } = await import("./oauth-2QHJGBWP.js");
81
81
  const tokens = await refreshOAuthToken(entry.refresh_token);
82
82
  return {
83
83
  ...entry,
@@ -313,7 +313,7 @@ async function ensureAccessToken(opts = {}) {
313
313
  ]
314
314
  });
315
315
  if (method === "oauth") {
316
- const { oauthLogin } = await import("./oauth-JGWRORJM.js");
316
+ const { oauthLogin } = await import("./oauth-2QHJGBWP.js");
317
317
  const tokens = await oauthLogin({ organizationSlug: orgSlug });
318
318
  process.env.SUPABASE_ACCESS_TOKEN = tokens.access_token;
319
319
  let derivedOrg;
@@ -586,6 +586,18 @@ async function updateAuthConfig(projectRef, config) {
586
586
  throw new Error(`Failed to update auth config (${res.status}): ${body}`);
587
587
  }
588
588
  }
589
+ async function getAuthConfig(projectRef) {
590
+ try {
591
+ const res = await authenticatedFetch(
592
+ `https://api.supabase.com/v1/projects/${projectRef}/config/auth`,
593
+ { method: "GET" }
594
+ );
595
+ if (!res.ok) return null;
596
+ return await res.json();
597
+ } catch {
598
+ return null;
599
+ }
600
+ }
589
601
  async function waitForProjectReady(ref, spinner, timeoutMs = 3e5) {
590
602
  const start = Date.now();
591
603
  while (Date.now() - start < timeoutMs) {
@@ -771,6 +783,7 @@ export {
771
783
  runCloudSQL,
772
784
  updatePostgrestConfig,
773
785
  updateAuthConfig,
786
+ getAuthConfig,
774
787
  waitForProjectReady,
775
788
  waitForDatabaseReady,
776
789
  fetchPoolerUrl,
package/dist/{cloud-ZXVJMV5Q.js → cloud-L4LRFCKV.js} RENAMED
@@ -9,6 +9,7 @@ import {
9
9
  ensureAccessToken,
10
10
  fetchPoolerUrl,
11
11
  getApiKeys,
12
+ getAuthConfig,
12
13
  getProject,
13
14
  getProjectOrg,
14
15
  listOrganizations,
@@ -35,10 +36,10 @@ import {
35
36
  updatePostgrestConfig,
36
37
  waitForDatabaseReady,
37
38
  waitForProjectReady
38
- } from "./chunk-4CW46BPC.js";
39
+ } from "./chunk-K5XVJEHP.js";
39
40
  import "./chunk-IV5ZSOKF.js";
40
41
  import "./chunk-MHI6VJ75.js";
41
- import "./chunk-DM6KG5YU.js";
42
+ import "./chunk-ILLYV7U7.js";
42
43
  export {
43
44
  authenticatedFetch,
44
45
  clearOrgCredential,
@@ -49,6 +50,7 @@ export {
49
50
  ensureAccessToken,
50
51
  fetchPoolerUrl,
51
52
  getApiKeys,
53
+ getAuthConfig,
52
54
  getProject,
53
55
  getProjectOrg,
54
56
  listOrganizations,
package/dist/{constants-PWT7TUWD.js → constants-TCRAHGH6.js} RENAMED
@@ -5,19 +5,21 @@ import {
5
5
  OAUTH_CLIENT_ID,
6
6
  OAUTH_CLIENT_SECRET,
7
7
  POSTGREST_CONFIG,
8
+ RESEND_SMTP,
8
9
  SUPPORTED_PGDELTA,
9
10
  SUPPORTED_SUPABASE_CLI,
10
11
  pgd,
11
12
  pgdeltaBin,
12
13
  sb,
13
14
  supabaseBin
14
- } from "./chunk-DM6KG5YU.js";
15
+ } from "./chunk-ILLYV7U7.js";
15
16
  export {
16
17
  AUTH_CONFIG,
17
18
  AUTH_CONFIG_DEV_OVERRIDES,
18
19
  OAUTH_CLIENT_ID,
19
20
  OAUTH_CLIENT_SECRET,
20
21
  POSTGREST_CONFIG,
22
+ RESEND_SMTP,
21
23
  SUPPORTED_PGDELTA,
22
24
  SUPPORTED_SUPABASE_CLI,
23
25
  pgd,
package/dist/{db-DNK3TD5Y.js → db-7M37DHEA.js} RENAMED
@@ -11,11 +11,11 @@ import {
11
11
  readEnvValue,
12
12
  resolveDbMode,
13
13
  resolveDbUrl
14
- } from "./chunk-7NV5CYOF.js";
15
- import "./chunk-4CW46BPC.js";
14
+ } from "./chunk-DFDS5V5Z.js";
15
+ import "./chunk-K5XVJEHP.js";
16
16
  import "./chunk-IV5ZSOKF.js";
17
17
  import "./chunk-MHI6VJ75.js";
18
- import "./chunk-DM6KG5YU.js";
18
+ import "./chunk-ILLYV7U7.js";
19
19
  export {
20
20
  dbApply,
21
21
  dbBackup,