agentlink-sh 0.26.0

package/dist/chunk-4CW46BPC.js

@@ -0,0 +1,787 @@
+#!/usr/bin/env node
+import {
+  delay,
+  runCommand
+} from "./chunk-IV5ZSOKF.js";
+import {
+  amber,
+  blue,
+  bold,
+  dim,
+  link,
+  red
+} from "./chunk-MHI6VJ75.js";
+import {
+  sb
+} from "./chunk-DM6KG5YU.js";
+
+// src/cloud.ts
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { input, select as select2 } from "@inquirer/prompts";
+
+// src/prompts.ts
+import { select } from "@inquirer/prompts";
+async function selectYesNo(opts) {
+  const def = opts.default ?? false;
+  const yesChoice = { name: opts.yesLabel ?? "Yes", value: true };
+  const noChoice = { name: opts.noLabel ?? "No", value: false };
+  const choices = def ? [yesChoice, noChoice] : [noChoice, yesChoice];
+  return await select({
+    message: opts.message,
+    // `theme` is typed as `unknown` here; cast at the call boundary so
+    // the helper signature stays simple.
+    theme: opts.theme,
+    default: def,
+    choices
+  });
+}
+
+// src/cloud.ts
+import open from "open";
+var theme = {
+  prefix: { idle: blue("?"), done: blue("\u2714") },
+  style: {
+    answer: (text) => amber(text),
+    message: (text) => bold(text),
+    error: (text) => red(`> ${text}`),
+    help: (text) => dim(text),
+    highlight: (text) => blue(text),
+    key: (text) => blue(bold(`<${text}>`))
+  }
+};
+function credentialsPath() {
+  return path.join(os.homedir(), ".config", "agentlink", "credentials.json");
+}
+function loadCredentials() {
+  try {
+    return JSON.parse(fs.readFileSync(credentialsPath(), "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveCredentials(creds) {
+  const filePath = credentialsPath();
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(filePath, JSON.stringify(creds, null, 2) + "\n", { mode: 384 });
+}
+var _authContext = {};
+function isAuthError(err) {
+  const msg = err instanceof Error ? err.message : String(err);
+  return /\(401\)|unauthorized|invalid.*token/i.test(msg);
+}
+async function refreshIfNeeded(entry) {
+  if (entry.expires_at > Date.now() / 1e3 + 60) {
+    return entry;
+  }
+  if (!entry.refresh_token) return null;
+  try {
+    const { refreshOAuthToken } = await import("./oauth-JGWRORJM.js");
+    const tokens = await refreshOAuthToken(entry.refresh_token);
+    return {
+      ...entry,
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      expires_at: Math.floor(Date.now() / 1e3) + tokens.expires_in
+    };
+  } catch {
+    return null;
+  }
+}
+async function signOut(opts = {}) {
+  const notes = [];
+  const filePath = credentialsPath();
+  let agentlinkStoreCleared = false;
+  if (fs.existsSync(filePath)) {
+    try {
+      const before = loadCredentials();
+      const hadAnything = !!before.oauth || Object.keys(before.oauth_by_org ?? {}).length > 0 || !!before.supabase_access_token;
+      saveCredentials({});
+      agentlinkStoreCleared = hadAnything;
+      notes.push(
+        hadAnything ? `Cleared credentials at ${filePath}` : `Credentials store at ${filePath} was already empty`
+      );
+    } catch (err) {
+      notes.push(`Could not clear ${filePath}: ${err?.message ?? err}`);
+    }
+  } else {
+    notes.push(`No credentials file at ${filePath} (already clean)`);
+  }
+  const envVarCleared = !!process.env.SUPABASE_ACCESS_TOKEN;
+  delete process.env.SUPABASE_ACCESS_TOKEN;
+  if (opts.cwd) {
+    const envPath = path.join(opts.cwd, ".env.local");
+    if (fs.existsSync(envPath)) {
+      try {
+        let content = fs.readFileSync(envPath, "utf-8");
+        if (/^SUPABASE_ACCESS_TOKEN=/m.test(content)) {
+          content = content.replace(/^SUPABASE_ACCESS_TOKEN=.*\n?/m, "");
+          fs.writeFileSync(envPath, content);
+          notes.push(`Stripped SUPABASE_ACCESS_TOKEN from ${envPath}`);
+        }
+      } catch (err) {
+        notes.push(`Could not clean ${envPath}: ${err?.message ?? err}`);
+      }
+    }
+  }
+  let keychainCleared = false;
+  try {
+    await runCommand(`${sb()} logout --yes`);
+    keychainCleared = true;
+    notes.push("Cleared OS keychain entry via `supabase logout`");
+  } catch (err) {
+    const msg = err?.message ?? String(err);
+    if (/not\s+(?:logged\s+in|authenticated)|no\s+access\s+token|access token not provided/i.test(msg)) {
+      notes.push("OS keychain had no Supabase CLI entry (already clean)");
+    } else {
+      notes.push(`Could not run \`supabase logout\`: ${msg.split("\n")[0]}`);
+    }
+  }
+  return {
+    agentlinkStoreCleared,
+    envVarCleared,
+    keychainCleared,
+    credentialsPath: filePath,
+    notes
+  };
+}
+function clearAccessToken(opts = {}) {
+  delete process.env.SUPABASE_ACCESS_TOKEN;
+  const creds = loadCredentials();
+  delete creds.oauth;
+  if (opts.orgId && creds.oauth_by_org) {
+    delete creds.oauth_by_org[opts.orgId];
+  }
+  saveCredentials(creds);
+  if (opts.projectDir) {
+    const envPath = path.join(opts.projectDir, ".env.local");
+    if (fs.existsSync(envPath)) {
+      let content = fs.readFileSync(envPath, "utf-8");
+      if (/^SUPABASE_ACCESS_TOKEN=/m.test(content)) {
+        content = content.replace(/^SUPABASE_ACCESS_TOKEN=.*\n?/m, "");
+        fs.writeFileSync(envPath, content);
+      }
+    }
+  }
+}
+async function authenticatedFetch(url, init) {
+  const token = process.env.SUPABASE_ACCESS_TOKEN;
+  if (!token) {
+    throw new Error("SUPABASE_ACCESS_TOKEN is required");
+  }
+  const headers = new Headers(init?.headers);
+  headers.set("Authorization", `Bearer ${token}`);
+  const res = await fetch(url, { ...init, headers });
+  if (res.status === 401 || res.status === 403) {
+    console.log(`
+  ${amber("\u25B2")} Access token expired or revoked. Re-authenticating...
+`);
+    clearAccessToken({ projectDir: _authContext.projectDir, orgId: _authContext.orgId });
+    await ensureAccessToken({
+      nonInteractive: _authContext.nonInteractive,
+      projectDir: _authContext.projectDir,
+      orgId: _authContext.orgId,
+      orgSlug: _authContext.orgSlug
+    });
+    const newToken = process.env.SUPABASE_ACCESS_TOKEN;
+    const retryHeaders = new Headers(init?.headers);
+    retryHeaders.set("Authorization", `Bearer ${newToken}`);
+    return fetch(url, { ...init, headers: retryHeaders });
+  }
+  return res;
+}
+async function authenticatedRunCommand(cmd, cwd) {
+  if (!process.env.SUPABASE_ACCESS_TOKEN) {
+    await ensureAccessToken({
+      nonInteractive: _authContext.nonInteractive,
+      projectDir: _authContext.projectDir,
+      orgId: _authContext.orgId,
+      orgSlug: _authContext.orgSlug
+    });
+  }
+  try {
+    return await runCommand(cmd, cwd);
+  } catch (err) {
+    if (isAuthError(err)) {
+      console.log(`
+  ${amber("\u25B2")} Access token expired or revoked. Re-authenticating...
+`);
+      clearAccessToken({ projectDir: _authContext.projectDir, orgId: _authContext.orgId });
+      await ensureAccessToken({
+        nonInteractive: _authContext.nonInteractive,
+        projectDir: _authContext.projectDir,
+        orgId: _authContext.orgId,
+        orgSlug: _authContext.orgSlug
+      });
+      return runCommand(cmd, cwd);
+    }
+    throw err;
+  }
+}
+async function ensureAccessToken(opts = {}) {
+  const { orgId, orgSlug, nonInteractive, projectDir } = opts;
+  _authContext = { projectDir, nonInteractive, orgId, orgSlug };
+  if (process.env.SUPABASE_ACCESS_TOKEN) return;
+  const creds = loadCredentials();
+  if (orgId) {
+    const entry = creds.oauth_by_org?.[orgId];
+    if (entry) {
+      const fresh = await refreshIfNeeded(entry);
+      if (fresh) {
+        if (fresh !== entry) {
+          saveCredentials({
+            ...creds,
+            oauth_by_org: { ...creds.oauth_by_org ?? {}, [orgId]: fresh }
+          });
+        }
+        process.env.SUPABASE_ACCESS_TOKEN = fresh.access_token;
+        return;
+      }
+    }
+  }
+  if (creds.oauth) {
+    const fresh = await refreshIfNeeded(creds.oauth);
+    if (fresh) {
+      if (fresh !== creds.oauth) {
+        saveCredentials({ ...loadCredentials(), oauth: fresh });
+      }
+      process.env.SUPABASE_ACCESS_TOKEN = fresh.access_token;
+      try {
+        const derived = (await listOrganizations())[0];
+        if (derived) {
+          const updated = loadCredentials();
+          if (!updated.oauth_by_org?.[derived.id]) {
+            updated.oauth_by_org = {
+              ...updated.oauth_by_org ?? {},
+              [derived.id]: { ...fresh, org_name: derived.name, org_slug: derived.slug }
+            };
+          }
+          delete updated.oauth;
+          saveCredentials(updated);
+        }
+      } catch {
+      }
+      return;
+    }
+  }
+  if (!orgId && creds.oauth_by_org) {
+    for (const [id, entry] of Object.entries(creds.oauth_by_org)) {
+      const fresh = await refreshIfNeeded(entry);
+      if (fresh) {
+        if (fresh !== entry) {
+          const latest = loadCredentials();
+          saveCredentials({
+            ...latest,
+            oauth_by_org: { ...latest.oauth_by_org ?? {}, [id]: fresh }
+          });
+        }
+        process.env.SUPABASE_ACCESS_TOKEN = fresh.access_token;
+        return;
+      }
+    }
+  }
+  if (creds.supabase_access_token) {
+    process.env.SUPABASE_ACCESS_TOKEN = creds.supabase_access_token;
+    const masked = creds.supabase_access_token.slice(0, 8) + "..." + creds.supabase_access_token.slice(-4);
+    console.log(`  ${blue("\u25CF")} Existing access token found ${dim(`(source: ${credentialsPath()})`)}`);
+    console.log(`  ${dim(masked)}`);
+    console.log();
+    if (!nonInteractive) {
+      const replace = await selectYesNo({
+        message: "Use stored token?",
+        default: true,
+        theme
+      });
+      if (replace) return;
+      delete process.env.SUPABASE_ACCESS_TOKEN;
+    } else {
+      return;
+    }
+  }
+  if (nonInteractive) {
+    throw new Error(
+      "SUPABASE_ACCESS_TOKEN is required for cloud mode.\n  Set it via --token, SUPABASE_ACCESS_TOKEN env var, or run `agentlink sb login`."
+    );
+  }
+  const method = await select2({
+    message: "How would you like to authenticate?",
+    theme,
+    choices: [
+      { name: "Login with Supabase (opens browser)", value: "oauth" },
+      { name: "Enter access token manually", value: "manual" }
+    ]
+  });
+  if (method === "oauth") {
+    const { oauthLogin } = await import("./oauth-JGWRORJM.js");
+    const tokens = await oauthLogin({ organizationSlug: orgSlug });
+    process.env.SUPABASE_ACCESS_TOKEN = tokens.access_token;
+    let derivedOrg;
+    try {
+      const orgs = await listOrganizations();
+      derivedOrg = orgs[0];
+    } catch {
+    }
+    const entry = {
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      expires_at: Math.floor(Date.now() / 1e3) + tokens.expires_in,
+      org_name: derivedOrg?.name,
+      org_slug: derivedOrg?.slug
+    };
+    const targetOrgId = derivedOrg?.id ?? orgId;
+    const current = loadCredentials();
+    if (targetOrgId) {
+      saveCredentials({
+        ...current,
+        oauth_by_org: { ...current.oauth_by_org ?? {}, [targetOrgId]: entry }
+      });
+    } else {
+      saveCredentials({ ...current, oauth: entry });
+    }
+    console.log(`  ${blue("\u2714")} Authenticated via Supabase OAuth${derivedOrg?.name ? ` for ${derivedOrg.name}` : ""}`);
+    console.log(`  ${dim("Token stored at " + credentialsPath())}`);
+    console.log();
+    return;
+  }
+  const tokenUrl = "https://supabase.com/dashboard/account/tokens";
+  try {
+    await open(tokenUrl);
+    console.log(`  ${blue("\u25CF")} Opened ${link(tokenUrl)}`);
+  } catch {
+    console.log(`  ${amber("Could not open browser.")} Visit: ${link(tokenUrl)}`);
+  }
+  console.log();
+  const token = await input({
+    message: "Enter your Supabase access token:",
+    theme,
+    transformer: (value, { isFinal }) => {
+      if (isFinal) {
+        const t = value.trim();
+        return t.length > 12 ? t.slice(0, 8) + "\u25CF".repeat(t.length - 12) + t.slice(-4) : "\u25CF".repeat(t.length);
+      }
+      return "\u25CF".repeat(value.length);
+    },
+    validate: (val) => val.trim().length > 0 || "Token is required"
+  });
+  const trimmed = token.trim();
+  process.env.SUPABASE_ACCESS_TOKEN = trimmed;
+  saveCredentials({ ...loadCredentials(), supabase_access_token: trimmed });
+  console.log(`  ${blue("\u25CF")} Token stored at ${dim(credentialsPath())}`);
+  console.log();
+}
+var REGIONS = [
+  { id: "us-east-1", name: "US East (N. Virginia)" },
+  { id: "us-east-2", name: "US East (Ohio)" },
+  { id: "us-west-1", name: "US West (N. California)" },
+  { id: "us-west-2", name: "US West (Oregon)" },
+  { id: "ca-central-1", name: "Canada (Central)" },
+  { id: "sa-east-1", name: "South America (S\xE3o Paulo)" },
+  { id: "eu-west-1", name: "EU West (Ireland)" },
+  { id: "eu-west-2", name: "EU West (London)" },
+  { id: "eu-west-3", name: "EU West (Paris)" },
+  { id: "eu-central-1", name: "EU Central (Frankfurt)" },
+  { id: "eu-central-2", name: "EU Central (Zurich)" },
+  { id: "eu-north-1", name: "EU North (Stockholm)" },
+  { id: "ap-southeast-1", name: "Asia Pacific (Singapore)" },
+  { id: "ap-southeast-2", name: "Asia Pacific (Sydney)" },
+  { id: "ap-northeast-1", name: "Asia Pacific (Tokyo)" },
+  { id: "ap-south-1", name: "Asia Pacific (Mumbai)" }
+];
+async function listOrganizations() {
+  const out = await authenticatedRunCommand(`${sb()} orgs list -o json`);
+  return JSON.parse(out);
+}
+async function listOrganizationsForToken(accessToken) {
+  try {
+    const res = await fetch("https://api.supabase.com/v1/organizations", {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!res.ok) return [];
+    return await res.json();
+  } catch {
+    return [];
+  }
+}
+function listRegions() {
+  return REGIONS;
+}
+function detectClosestRegion() {
+  const tz = Intl.DateTimeFormat().resolvedOptions().timeZone ?? "";
+  const cityMap = {
+    "America/New_York": "us-east-1",
+    "America/Toronto": "us-east-1",
+    "America/Detroit": "us-east-1",
+    "America/Chicago": "us-east-2",
+    "America/Denver": "us-west-2",
+    "America/Phoenix": "us-west-2",
+    "America/Los_Angeles": "us-west-1",
+    "America/Vancouver": "us-west-1",
+    "America/Edmonton": "ca-central-1",
+    "America/Winnipeg": "ca-central-1",
+    "America/Sao_Paulo": "sa-east-1",
+    "America/Argentina/Buenos_Aires": "sa-east-1",
+    "America/Bogota": "sa-east-1",
+    "America/Lima": "sa-east-1",
+    "America/Santiago": "sa-east-1",
+    "America/Mexico_City": "us-east-1",
+    "Europe/London": "eu-west-2",
+    "Europe/Dublin": "eu-west-1",
+    "Europe/Paris": "eu-west-3",
+    "Europe/Madrid": "eu-west-3",
+    "Europe/Rome": "eu-west-3",
+    "Europe/Brussels": "eu-west-3",
+    "Europe/Berlin": "eu-central-1",
+    "Europe/Amsterdam": "eu-central-1",
+    "Europe/Vienna": "eu-central-1",
+    "Europe/Zurich": "eu-central-2",
+    "Europe/Stockholm": "eu-north-1",
+    "Europe/Helsinki": "eu-north-1",
+    "Europe/Oslo": "eu-north-1",
+    "Europe/Warsaw": "eu-central-1",
+    "Asia/Tokyo": "ap-northeast-1",
+    "Asia/Seoul": "ap-northeast-1",
+    "Asia/Singapore": "ap-southeast-1",
+    "Asia/Kuala_Lumpur": "ap-southeast-1",
+    "Asia/Jakarta": "ap-southeast-1",
+    "Asia/Bangkok": "ap-southeast-1",
+    "Asia/Kolkata": "ap-south-1",
+    "Asia/Mumbai": "ap-south-1",
+    "Asia/Dubai": "ap-south-1",
+    "Australia/Sydney": "ap-southeast-2",
+    "Australia/Melbourne": "ap-southeast-2",
+    "Pacific/Auckland": "ap-southeast-2"
+  };
+  if (cityMap[tz]) return cityMap[tz];
+  if (tz.startsWith("America/")) return "us-east-1";
+  if (tz.startsWith("US/")) return "us-east-1";
+  if (tz.startsWith("Canada/")) return "ca-central-1";
+  if (tz.startsWith("Europe/")) return "eu-central-1";
+  if (tz.startsWith("Asia/")) return "ap-southeast-1";
+  if (tz.startsWith("Australia/") || tz.startsWith("Pacific/")) return "ap-southeast-2";
+  if (tz.startsWith("Africa/")) return "eu-west-3";
+  return "us-east-1";
+}
+async function listProjects() {
+  const out = await authenticatedRunCommand(`${sb()} projects list -o json`);
+  return JSON.parse(out) ?? [];
+}
+async function listProjectsForToken(accessToken) {
+  try {
+    const res = await fetch("https://api.supabase.com/v1/projects", {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    if (!res.ok) return [];
+    return await res.json();
+  } catch {
+    return [];
+  }
+}
+async function refreshOAuthEntry(entry) {
+  return refreshIfNeeded(entry);
+}
+async function probeTokenAuth(accessToken) {
+  try {
+    const res = await fetch("https://api.supabase.com/v1/projects", {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    return res.status !== 401 && res.status !== 403;
+  } catch {
+    return true;
+  }
+}
+function clearOrgCredential(orgId) {
+  const creds = loadCredentials();
+  if (creds.oauth_by_org?.[orgId]) {
+    delete creds.oauth_by_org[orgId];
+    saveCredentials(creds);
+  }
+}
+async function createProject(opts) {
+  const out = await authenticatedRunCommand(
+    `${sb()} projects create ${JSON.stringify(opts.name)} --org-id ${opts.orgId} --region ${opts.region} --db-password ${opts.dbPass} -o json`
+  );
+  return JSON.parse(out);
+}
+async function getProject(ref) {
+  const out = await authenticatedRunCommand(`${sb()} projects list -o json`);
+  const projects = JSON.parse(out);
+  const project = projects.find((p) => p.id === ref);
+  if (!project) {
+    throw new Error(`Project ${ref} not found`);
+  }
+  return project;
+}
+async function deleteProject(ref) {
+  const res = await authenticatedFetch(
+    `https://api.supabase.com/v1/projects/${ref}`,
+    { method: "DELETE" }
+  );
+  if (res.status === 404) return;
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Failed to delete project ${ref} (${res.status}): ${body}`);
+  }
+}
+async function getApiKeys(ref) {
+  const res = await authenticatedFetch(
+    `https://api.supabase.com/v1/projects/${ref}/api-keys?reveal=true`
+  );
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Failed to fetch API keys (${res.status}): ${body}`);
+  }
+  const keys = await res.json();
+  const publishable = keys.find((k) => k.type === "publishable");
+  const secret = keys.find((k) => k.type === "secret");
+  if (!publishable?.api_key || !secret?.api_key) {
+    throw new Error("Could not find publishable/secret API keys for project");
+  }
+  return { publishableKey: publishable.api_key, secretKey: secret.api_key };
+}
+async function runCloudSQL(sql, projectRef) {
+  const res = await authenticatedFetch(
+    `https://api.supabase.com/v1/projects/${projectRef}/database/query`,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ query: sql })
+    }
+  );
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Cloud SQL query failed (${res.status}): ${body}`);
+  }
+  const rows = await res.json();
+  if (!Array.isArray(rows) || rows.length === 0) return "";
+  const firstValue = Object.values(rows[0])[0];
+  if (typeof firstValue === "object" && firstValue !== null) return JSON.stringify(firstValue);
+  return String(firstValue ?? "");
+}
+async function updatePostgrestConfig(projectRef, config) {
+  const res = await authenticatedFetch(
+    `https://api.supabase.com/v1/projects/${projectRef}/postgrest`,
+    {
+      method: "PATCH",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(config)
+    }
+  );
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Failed to update PostgREST config (${res.status}): ${body}`);
+  }
+}
+async function updateAuthConfig(projectRef, config) {
+  const res = await authenticatedFetch(
+    `https://api.supabase.com/v1/projects/${projectRef}/config/auth`,
+    {
+      method: "PATCH",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(config)
+    }
+  );
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Failed to update auth config (${res.status}): ${body}`);
+  }
+}
+async function waitForProjectReady(ref, spinner, timeoutMs = 3e5) {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const out = await authenticatedRunCommand(`${sb()} projects list -o json`);
+      const projects = JSON.parse(out);
+      const project = projects.find((p) => p.id === ref);
+      if (project?.status === "ACTIVE_HEALTHY") {
+        return project;
+      }
+      if (spinner && project) {
+        spinner.text = `Creating Supabase cloud project \u2014 status: ${project.status}`;
+      }
+    } catch {
+    }
+    await delay(5e3);
+  }
+  throw new Error(
+    `Project ${ref} did not become ready within ${timeoutMs / 1e3}s.
+  Check status at: https://supabase.com/dashboard/project/${ref}`
+  );
+}
+async function waitForDatabaseReady(projectRef, spinner, timeoutMs = 18e4) {
+  const start = Date.now();
+  let attempt = 0;
+  while (Date.now() - start < timeoutMs) {
+    attempt++;
+    try {
+      await runCloudSQL("SELECT 1", projectRef);
+      return;
+    } catch {
+      if (spinner) {
+        spinner.text = `Waiting for Postgres to accept connections (attempt ${attempt})`;
+      }
+      await delay(5e3);
+    }
+  }
+  throw new Error(
+    `Postgres on project ${projectRef} did not accept connections within ${timeoutMs / 1e3}s.
+  Check status at: https://supabase.com/dashboard/project/${projectRef}`
+  );
+}
+async function fetchPoolerUrl(projectRef) {
+  const res = await authenticatedFetch(
+    `https://api.supabase.com/v1/projects/${projectRef}/config/database/pooler`
+  );
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Failed to fetch pooler config (${res.status}): ${body}`);
+  }
+  const entries = await res.json();
+  const pooler = entries.find(
+    (e) => e.database_type === "PRIMARY" && e.pool_mode === "transaction"
+  ) ?? entries.find(
+    (e) => e.database_type === "PRIMARY"
+  ) ?? entries[0];
+  if (!pooler) {
+    throw new Error("No pooler configuration found for project");
+  }
+  return {
+    host: pooler.db_host,
+    port: pooler.db_port,
+    user: pooler.db_user,
+    dbName: pooler.db_name,
+    connectionString: pooler.connection_string
+  };
+}
+async function resolvePoolerDbUrl(projectRef, password) {
+  const pooler = await fetchPoolerUrl(projectRef);
+  return `postgresql://${pooler.user}:${encodeURIComponent(password)}@${pooler.host}:${pooler.port}/${pooler.dbName}`;
+}
+async function resolvePoolerDbUrlWithRetry(projectRef, password, attempts = 6, delayMs = 5e3) {
+  let lastErr;
+  for (let i = 0; i < attempts; i++) {
+    try {
+      return await resolvePoolerDbUrl(projectRef, password);
+    } catch (err) {
+      lastErr = err;
+      if (i < attempts - 1) await delay(delayMs);
+    }
+  }
+  throw lastErr instanceof Error ? lastErr : new Error(`Failed to resolve pooler URL after ${attempts} attempts`);
+}
+function saveProjectCredential(projectRef, dbPassword) {
+  const creds = loadCredentials();
+  if (!creds.project_credentials) creds.project_credentials = {};
+  const existing = creds.project_credentials[projectRef];
+  creds.project_credentials[projectRef] = {
+    ...existing ?? {},
+    db_password: dbPassword
+  };
+  saveCredentials(creds);
+}
+function loadProjectCredential(projectRef) {
+  const creds = loadCredentials();
+  return creds.project_credentials?.[projectRef]?.db_password;
+}
+function saveProjectSecretKey(projectRef, secretKey) {
+  if (!projectRef || !secretKey) return;
+  const creds = loadCredentials();
+  if (!creds.project_credentials) creds.project_credentials = {};
+  const existing = creds.project_credentials[projectRef];
+  creds.project_credentials[projectRef] = {
+    db_password: existing?.db_password ?? "",
+    ...existing,
+    secret_key: secretKey
+  };
+  saveCredentials(creds);
+}
+function loadProjectSecretKey(projectRef) {
+  const creds = loadCredentials();
+  return creds.project_credentials?.[projectRef]?.secret_key;
+}
+function removeProjectCredential(projectRef) {
+  const creds = loadCredentials();
+  if (creds.project_credentials?.[projectRef]) {
+    delete creds.project_credentials[projectRef];
+    saveCredentials(creds);
+  }
+}
+async function getProjectOrg(projectRef) {
+  const res = await authenticatedFetch(
+    `https://api.supabase.com/v1/projects/${projectRef}`
+  );
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Failed to fetch project details (${res.status}): ${body}`);
+  }
+  const project = await res.json();
+  if (!project.organization_id) {
+    throw new Error(`Project ${projectRef} has no organization_id in its API response.`);
+  }
+  return project.organization_id;
+}
+async function listSecrets(projectRef) {
+  const res = await authenticatedFetch(
+    `https://api.supabase.com/v1/projects/${projectRef}/secrets`
+  );
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Failed to list secrets (${res.status}): ${body}`);
+  }
+  const secrets = await res.json();
+  return secrets.map((s) => s.name);
+}
+async function setSecrets(projectRef, secrets) {
+  const body = Object.entries(secrets).map(([name, value]) => ({ name, value }));
+  const res = await authenticatedFetch(
+    `https://api.supabase.com/v1/projects/${projectRef}/secrets`,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    }
+  );
+  if (!res.ok) {
+    const respBody = await res.text();
+    throw new Error(`Failed to set secrets (${res.status}): ${respBody}`);
+  }
+}
+
+export {
+  selectYesNo,
+  credentialsPath,
+  loadCredentials,
+  saveCredentials,
+  signOut,
+  authenticatedFetch,
+  ensureAccessToken,
+  listOrganizations,
+  listOrganizationsForToken,
+  listRegions,
+  detectClosestRegion,
+  listProjects,
+  listProjectsForToken,
+  refreshOAuthEntry,
+  probeTokenAuth,
+  clearOrgCredential,
+  createProject,
+  getProject,
+  deleteProject,
+  getApiKeys,
+  runCloudSQL,
+  updatePostgrestConfig,
+  updateAuthConfig,
+  waitForProjectReady,
+  waitForDatabaseReady,
+  fetchPoolerUrl,
+  resolvePoolerDbUrl,
+  resolvePoolerDbUrlWithRetry,
+  saveProjectCredential,
+  loadProjectCredential,
+  saveProjectSecretKey,
+  loadProjectSecretKey,
+  removeProjectCredential,
+  getProjectOrg,
+  listSecrets,
+  setSecrets
+};