agentlink-sh 0.28.0 → 0.30.0

package/dist/chunk-DFDS5V5Z.js

@@ -1,1070 +0,0 @@
-#!/usr/bin/env node
-import {
-  authenticatedFetch,
-  ensureAccessToken,
-  loadProjectCredential,
-  resolvePoolerDbUrl,
-  saveProjectCredential
-} from "./chunk-K5XVJEHP.js";
-import {
-  ensureGitignorePattern,
-  runCommand
-} from "./chunk-IV5ZSOKF.js";
-import {
-  amber,
-  blue,
-  bold,
-  dim,
-  red
-} from "./chunk-MHI6VJ75.js";
-import {
-  pgd,
-  sb
-} from "./chunk-ILLYV7U7.js";
-
-// src/db.ts
-import fs3 from "fs";
-import os from "os";
-import path3 from "path";
-import { input } from "@inquirer/prompts";
-
-// src/manifest.ts
-import fs from "fs";
-import path from "path";
-var ALLOWED_CLOUD_ENV_NAMES = ["dev", "prod"];
-var ALLOWED_ACTIVE_ENV_NAMES = ["local", "dev", "prod"];
-function assertAllowedEnvNameForAdd(name) {
-  if (ALLOWED_CLOUD_ENV_NAMES.includes(name)) return;
-  throw new Error(
-    `Environment "${name}" is not supported. Only "dev" and "prod" can be added.
-  Agent Link enforces a fixed local \u2192 dev \u2192 prod model \u2014 no staging, no custom names.`
-  );
-}
-function assertAllowedEnvNameForUse(name) {
-  if (ALLOWED_ACTIVE_ENV_NAMES.includes(name)) return;
-  throw new Error(
-    `Environment "${name}" is not supported. Only "local", "dev", and "prod" are valid env use targets.
-  Agent Link enforces a fixed local \u2192 dev \u2192 prod model.`
-  );
-}
-function assertManifestEnvNames(manifest) {
-  if (!manifest.cloud?.environments) return;
-  const invalid = Object.keys(manifest.cloud.environments).filter(
-    (n) => !ALLOWED_CLOUD_ENV_NAMES.includes(n)
-  );
-  if (invalid.length === 0) return;
-  const list = invalid.map((n) => `"${n}"`).join(", ");
-  const removeHints = invalid.map((n) => `    agentlink env remove ${n}`).join("\n");
-  throw new Error(
-    `Unsupported environments in agentlink.json: ${list}.
-  Agent Link enforces a fixed local \u2192 dev \u2192 prod model.
-  Remove the offending entries:
-${removeHints}`
-  );
-}
-function isBareManifest(manifest) {
-  return manifest?.bare === true;
-}
-function isLegacyCloud(cloud) {
-  if (!cloud || typeof cloud !== "object") return false;
-  const obj = cloud;
-  return typeof obj.projectRef === "string" && !obj.environments;
-}
-function normalizeLegacyCloud(cloud) {
-  return {
-    default: "dev",
-    environments: {
-      dev: {
-        projectRef: cloud.projectRef,
-        region: cloud.region,
-        apiUrl: cloud.apiUrl
-      }
-    }
-  };
-}
-function readManifest(cwd) {
-  try {
-    const raw = fs.readFileSync(path.join(cwd, "agentlink.json"), "utf-8");
-    const manifest = JSON.parse(raw);
-    if (manifest.cloud && isLegacyCloud(manifest.cloud)) {
-      manifest.cloud = normalizeLegacyCloud(manifest.cloud);
-    }
-    return manifest;
-  } catch {
-    return void 0;
-  }
-}
-function writeManifest(cwd, manifest) {
-  const filePath = path.join(cwd, "agentlink.json");
-  fs.writeFileSync(filePath, JSON.stringify(manifest, null, 2) + "\n");
-}
-function resolveCloudEnv(cloud, envFlag) {
-  const envName = envFlag ?? cloud.default;
-  if (envName === "local") {
-    throw new Error(
-      `Environment "local" is a local Docker environment \u2014 not a cloud project.`
-    );
-  }
-  const env = cloud.environments[envName];
-  if (!env) {
-    const available = Object.keys(cloud.environments).join(", ");
-    throw new Error(
-      `Cloud environment "${envName}" not found. Available: ${available}`
-    );
-  }
-  return env;
-}
-function addCloudEnvironment(cwd, name, env) {
-  const manifest = readManifest(cwd);
-  if (!manifest) {
-    throw new Error("No agentlink.json found. Run `agentlink` to scaffold a project first.");
-  }
-  if (!manifest.cloud) {
-    manifest.cloud = { default: "local", environments: {} };
-  }
-  if (manifest.cloud.environments[name]) {
-    throw new Error(
-      `Environment "${name}" already exists. Remove it first with \`agentlink env remove ${name}\`.`
-    );
-  }
-  manifest.cloud.environments[name] = env;
-  writeManifest(cwd, manifest);
-}
-function removeCloudEnvironment(cwd, name) {
-  const manifest = readManifest(cwd);
-  if (!manifest?.cloud) {
-    throw new Error("No cloud environments configured.");
-  }
-  if (name === "local") {
-    throw new Error("Cannot remove the local environment.");
-  }
-  if (!manifest.cloud.environments[name]) {
-    throw new Error(`Environment "${name}" not found.`);
-  }
-  if (manifest.cloud.default === name) {
-    throw new Error(
-      `Cannot remove the active environment "${name}". Switch first with \`agentlink env use <other>\`.`
-    );
-  }
-  delete manifest.cloud.environments[name];
-  writeManifest(cwd, manifest);
-}
-function setCloudEnvOrgId(cwd, name, orgId) {
-  if (name === "local") return;
-  const manifest = readManifest(cwd);
-  if (!manifest?.cloud?.environments[name]) return;
-  const current = manifest.cloud.environments[name].orgId;
-  if (current === orgId) return;
-  if (current && current !== orgId) {
-    throw new Error(
-      `Refusing to overwrite orgId for env "${name}": manifest has "${current}", attempted "${orgId}".`
-    );
-  }
-  manifest.cloud.environments[name].orgId = orgId;
-  writeManifest(cwd, manifest);
-}
-function setDefaultEnvironment(cwd, name) {
-  const manifest = readManifest(cwd);
-  if (!manifest) {
-    throw new Error("No agentlink.json found.");
-  }
-  if (!manifest.cloud) {
-    manifest.cloud = { default: "local", environments: {} };
-  }
-  if (name !== "local" && !manifest.cloud.environments[name]) {
-    const available = ["local", ...Object.keys(manifest.cloud.environments)].join(", ");
-    throw new Error(`Environment "${name}" not found. Available: ${available}`);
-  }
-  manifest.cloud.default = name;
-  if (name === "local") {
-    manifest.mode = manifest.mode === "cloud" ? "existing" : manifest.mode;
-  } else {
-    manifest.mode = "cloud";
-  }
-  writeManifest(cwd, manifest);
-}
-function listEnvironments(cwd) {
-  const manifest = readManifest(cwd);
-  if (!manifest) return [];
-  const defaultName = manifest.cloud?.default ?? (manifest.mode === "cloud" ? "dev" : "local");
-  const entries = [];
-  entries.push({
-    name: "local",
-    isDefault: defaultName === "local",
-    isLocal: true
-  });
-  if (manifest.cloud?.environments) {
-    for (const [name, env] of Object.entries(manifest.cloud.environments)) {
-      entries.push({
-        name,
-        env,
-        isDefault: defaultName === name,
-        isLocal: false
-      });
-    }
-  }
-  return entries;
-}
-
-// src/supabase.ts
-import { spawn } from "child_process";
-import fs2 from "fs";
-import path2 from "path";
-
-// src/sql/check_setup.sql
-var check_setup_default = "SELECT jsonb_build_object(\n  'extensions', jsonb_build_object(\n    'pg_net',  EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_net'),\n    'pg_cron', EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_cron'),\n    'vault',   EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'supabase_vault'),\n    'pgmq',    EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pgmq'),\n    -- pg_graphql must be dropped to enforce schema isolation (reported true when absent)\n    'pg_graphql_dropped', NOT EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_graphql')\n  ),\n  'queues', jsonb_build_object(\n    'agentlink_tasks', EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'pgmq' AND table_name = 'q_agentlink_tasks'\n    )\n  ),\n  'tables', jsonb_build_object(\n    'profiles', EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'profiles'\n    ),\n    'tenants', EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'tenants'\n    ),\n    'memberships', EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'memberships'\n    ),\n    'invitations', EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'invitations'\n    ),\n    'roles', EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'roles'\n    ),\n    'permissions', EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'permissions'\n    ),\n    'role_permissions', EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'role_permissions'\n    ),\n    'session_tenants', EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'session_tenants'\n    )\n  ),\n  'functions', jsonb_build_object(\n    '_internal_admin_get_secret',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_internal_admin_get_secret'\n      ),\n    '_internal_admin_call_edge_function',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_internal_admin_call_edge_function'\n      ),\n    'api._admin_enqueue_task',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = '_admin_enqueue_task'\n      ),\n    'api._admin_queue_read',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = '_admin_queue_read'\n      ),\n    'api._admin_queue_delete',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = '_admin_queue_delete'\n      ),\n    'api._admin_queue_archive',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = '_admin_queue_archive'\n      ),\n    'set_updated_at',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = 'set_updated_at'\n      ),\n    '_internal_admin_handle_new_user',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_internal_admin_handle_new_user'\n      ),\n    'api.profile_get',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = 'profile_get'\n      ),\n    'api.profile_update',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = 'profile_update'\n      ),\n    '_hook_before_user_created',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_hook_before_user_created'\n      ),\n    '_hook_custom_access_token',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_hook_custom_access_token'\n      ),\n    '_hook_send_email',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_hook_send_email'\n      ),\n    '_auth_tenant_id',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_auth_tenant_id'\n      ),\n    '_auth_tenant_role',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_auth_tenant_role'\n      ),\n    '_auth_has_role',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_auth_has_role'\n      ),\n    '_auth_has_permission',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_auth_has_permission'\n      ),\n    '_auth_is_tenant_member',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'public'\n          AND routine_name = '_auth_is_tenant_member'\n      ),\n    'api.tenant_select',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = 'tenant_select'\n      ),\n    'api.tenant_list',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = 'tenant_list'\n      ),\n    'api.tenant_create',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = 'tenant_create'\n      ),\n    'api.invitation_create',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = 'invitation_create'\n      ),\n    'api.invitation_accept',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = 'invitation_accept'\n      ),\n    'api.membership_list',\n      EXISTS (\n        SELECT 1 FROM information_schema.routines\n        WHERE routine_schema = 'api'\n          AND routine_name = 'membership_list'\n      )\n  ),\n  'triggers', jsonb_build_object(\n    'trg_profiles_updated_at',\n      EXISTS (\n        SELECT 1 FROM pg_trigger WHERE tgname = 'trg_profiles_updated_at'\n      ),\n    'trg_auth_users_new_user',\n      EXISTS (\n        SELECT 1 FROM pg_trigger WHERE tgname = 'trg_auth_users_new_user'\n      ),\n    'trg_tenants_updated_at',\n      EXISTS (\n        SELECT 1 FROM pg_trigger WHERE tgname = 'trg_tenants_updated_at'\n      )\n  ),\n  'secrets', jsonb_build_object(\n    'SUPABASE_URL',\n      EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_URL'),\n    'SUPABASE_PUBLISHABLE_KEY',\n      EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_PUBLISHABLE_KEY'),\n    'SUPABASE_SECRET_KEY',\n      EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_SECRET_KEY')\n  ),\n  'api_schema', EXISTS (\n    SELECT 1 FROM information_schema.schemata WHERE schema_name = 'api'\n  ),\n  'api_schema_anon_usage',\n    has_schema_privilege('anon', 'api', 'USAGE'),\n  'ready', (\n    EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_net')\n    AND EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_cron')\n    AND EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'supabase_vault')\n    AND EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pgmq')\n    AND NOT EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_graphql')\n    AND EXISTS (SELECT 1 FROM information_schema.schemata WHERE schema_name = 'api')\n    AND has_schema_privilege('anon', 'api', 'USAGE')\n    AND EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'pgmq' AND table_name = 'q_agentlink_tasks'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_internal_admin_get_secret'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_internal_admin_call_edge_function'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = '_admin_enqueue_task'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = '_admin_queue_read'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = '_admin_queue_delete'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = '_admin_queue_archive'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'profiles'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'tenants'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'memberships'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'invitations'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'roles'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'permissions'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'role_permissions'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.tables\n      WHERE table_schema = 'public' AND table_name = 'session_tenants'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = 'set_updated_at'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_internal_admin_handle_new_user'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = 'profile_get'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = 'profile_update'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_hook_before_user_created'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_hook_custom_access_token'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_hook_send_email'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_auth_tenant_id'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_auth_tenant_role'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_auth_has_role'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_auth_has_permission'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'public' AND routine_name = '_auth_is_tenant_member'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = 'tenant_select'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = 'tenant_list'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = 'tenant_create'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = 'invitation_create'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = 'invitation_accept'\n    )\n    AND EXISTS (\n      SELECT 1 FROM information_schema.routines\n      WHERE routine_schema = 'api' AND routine_name = 'membership_list'\n    )\n    AND EXISTS (\n      SELECT 1 FROM pg_trigger WHERE tgname = 'trg_profiles_updated_at'\n    )\n    AND EXISTS (\n      SELECT 1 FROM pg_trigger WHERE tgname = 'trg_auth_users_new_user'\n    )\n    AND EXISTS (\n      SELECT 1 FROM pg_trigger WHERE tgname = 'trg_tenants_updated_at'\n    )\n    AND EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_URL')\n    AND EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_PUBLISHABLE_KEY')\n    AND EXISTS (SELECT 1 FROM vault.secrets WHERE name = 'SUPABASE_SECRET_KEY')\n  )\n) AS setup_status;\n";
-
-// src/sql.ts
-function upsertSecret(value, name) {
-  const safeValue = value.replace(/'/g, "''");
-  return `DO $$ DECLARE
-  _id uuid;
-BEGIN
-  SELECT id INTO _id FROM vault.secrets WHERE name = '${name}';
-  IF _id IS NOT NULL THEN
-    PERFORM vault.update_secret(_id, '${safeValue}', '${name}');
-  ELSE
-    PERFORM vault.create_secret('${safeValue}', '${name}');
-  END IF;
-END $$;`;
-}
-function seedSQL(publishableKey, secretKey) {
-  return [
-    upsertSecret("http://host.docker.internal:54321", "SUPABASE_URL"),
-    upsertSecret(publishableKey, "SUPABASE_PUBLISHABLE_KEY"),
-    upsertSecret(secretKey, "SUPABASE_SECRET_KEY"),
-    upsertSecret("", "ALLOWED_SIGNUP_DOMAINS")
-  ].join("\n");
-}
-function cloudSeedSQL(apiUrl, publishableKey, secretKey) {
-  return [
-    upsertSecret(apiUrl, "SUPABASE_URL"),
-    upsertSecret(publishableKey, "SUPABASE_PUBLISHABLE_KEY"),
-    upsertSecret(secretKey, "SUPABASE_SECRET_KEY"),
-    upsertSecret("", "ALLOWED_SIGNUP_DOMAINS")
-  ].join("\n");
-}
-
-// src/supabase.ts
-async function parseSupabaseStatus(cwd) {
-  try {
-    const jsonOut = await runCommand(`${sb()} status -o json`, cwd);
-    const data = JSON.parse(jsonOut);
-    const status = {
-      dbUrl: data.DB_URL ?? data.db_url ?? "",
-      apiUrl: data.API_URL ?? data.api_url ?? "",
-      publishableKey: data.PUBLISHABLE_KEY ?? data.publishable_key ?? "",
-      secretKey: data.SECRET_KEY ?? data.secret_key ?? ""
-    };
-    if (status.dbUrl && status.publishableKey && status.secretKey) {
-      return status;
-    }
-  } catch {
-  }
-  const out = await runCommand(`${sb()} status`, cwd);
-  const extract = (pattern) => {
-    const match = out.match(pattern);
-    return match?.[1]?.trim() ?? "";
-  };
-  return {
-    dbUrl: extract(/DB URL\s*[:=]\s*(.+)/i),
-    apiUrl: extract(/API URL\s*[:=]\s*(.+)/i),
-    publishableKey: extract(/(?:anon|publishable)\s*key\s*[:=]\s*(.+)/i),
-    secretKey: extract(/(?:service.role|secret)\s*key\s*[:=]\s*(.+)/i)
-  };
-}
-function runSQL(sql, dbUrl) {
-  return new Promise((resolve, reject) => {
-    const child = spawn("psql", [dbUrl, "-t", "-A"], {
-      stdio: ["pipe", "pipe", "pipe"]
-    });
-    const stdout = [];
-    const stderr = [];
-    child.stdout.on("data", (data) => stdout.push(data.toString()));
-    child.stderr.on("data", (data) => stderr.push(data.toString()));
-    child.on("close", (code) => {
-      const out = stdout.join("").trim();
-      if (code !== 0) {
-        reject(new Error(`psql failed (exit ${code}): ${stderr.join("").trim()}`));
-      } else {
-        resolve(out);
-      }
-    });
-    child.on("error", (err) => reject(err));
-    child.stdin.write(sql);
-    child.stdin.end();
-  });
-}
-function updateConfigToml(projectDir, options) {
-  const dryRun = options?.dryRun ?? false;
-  const configPath = path2.join(projectDir, "supabase", "config.toml");
-  const original = fs2.readFileSync(configPath, "utf-8");
-  let content = original;
-  const patches = [];
-  content = content.replace(
-    /^(schemas\s*=\s*\[)([^\]]*)\]/m,
-    (match, prefix, inner) => {
-      const items = inner.split(",").map((s) => s.trim()).filter(Boolean);
-      if (items.some((item) => item === '"api"' || item === "'api'")) {
-        return match;
-      }
-      items.push('"api"');
-      patches.push('api.schemas: add "api"');
-      return `# TODO: After migration, only "api" should remain in schemas
-${prefix}${items.join(", ")}]`;
-    }
-  );
-  const seedPath = '"./seeds/local-secrets.seed.sql"';
-  if (content.includes("[db.seed]")) {
-    content = content.replace(
-      /(\[db\.seed\][^\[]*sql_paths\s*=\s*\[)([^\]]*)\]/m,
-      (match, prefix, inner) => {
-        if (inner.includes("local-secrets.seed.sql")) return match;
-        const items = inner.split(",").map((s) => s.trim()).filter(Boolean);
-        items.push(seedPath);
-        patches.push("db.seed.sql_paths: add local-secrets.seed.sql");
-        return `${prefix}${items.join(", ")}]`;
-      }
-    );
-  } else {
-    content = content.trimEnd() + `
-
-[db.seed]
-sql_paths = [${seedPath}]
-`;
-    patches.push("db.seed: add section with local-secrets.seed.sql");
-  }
-  if (content !== original && !dryRun) {
-    fs2.writeFileSync(configPath, content);
-  }
-  patches.push(...updateConfigTomlSendEmailHook(projectDir, { dryRun }));
-  patches.push(...updateConfigTomlBeforeUserCreatedHook(projectDir, { dryRun }));
-  patches.push(...updateConfigTomlCustomAccessTokenHook(projectDir, { dryRun }));
-  patches.push(...updateConfigTomlAuthEmailConfirmations(projectDir, { dryRun }));
-  patches.push(...renameInternalEdgeFunctionSections(projectDir, { dryRun }));
-  return patches;
-}
-function renameInternalEdgeFunctionSections(projectDir, options) {
-  const dryRun = options?.dryRun ?? false;
-  const configPath = path2.join(projectDir, "supabase", "config.toml");
-  if (!fs2.existsSync(configPath)) return [];
-  let content = fs2.readFileSync(configPath, "utf-8");
-  const original = content;
-  const patches = [];
-  const renames = [
-    ["send-email", "internal-send-auth-email"],
-    ["invite-member", "internal-invite-member"],
-    ["queue-worker", "internal-queue-worker"]
-  ];
-  for (const [oldName, newName] of renames) {
-    if (content.includes(`[functions.${newName}]`)) continue;
-    const oldHeader = `[functions.${oldName}]`;
-    if (content.includes(oldHeader)) {
-      content = content.replace(oldHeader, `[functions.${newName}]`);
-      patches.push(`functions.${oldName} \u2192 functions.${newName}`);
-    }
-  }
-  if (content !== original && !dryRun) {
-    fs2.writeFileSync(configPath, content);
-  }
-  return patches;
-}
-function migrateRenamedEdgeFunctionDirs(projectDir) {
-  const fnDir = path2.join(projectDir, "supabase", "functions");
-  if (!fs2.existsSync(fnDir)) return [];
-  const renames = [
-    ["send-email", "internal-send-auth-email"],
-    ["invite-member", "internal-invite-member"],
-    ["queue-worker", "internal-queue-worker"]
-  ];
-  const migrated = [];
-  for (const [oldName, newName] of renames) {
-    const oldPath = path2.join(fnDir, oldName);
-    const newPath = path2.join(fnDir, newName);
-    const oldExists = fs2.existsSync(oldPath);
-    const newExists = fs2.existsSync(newPath);
-    if (oldExists && !newExists) {
-      fs2.renameSync(oldPath, newPath);
-      migrated.push(`${oldName} \u2192 ${newName}`);
-    } else if (oldExists && newExists) {
-      fs2.rmSync(oldPath, { recursive: true, force: true });
-      migrated.push(`${oldName} (removed orphan; ${newName} already present)`);
-    }
-  }
-  return migrated;
-}
-function writeConfigToml(projectDir, projectId) {
-  const configPath = path2.join(projectDir, "supabase", "config.toml");
-  const content = `project_id = "${projectId}"
-
-[api]
-enabled = true
-port = 54321
-schemas = ["api"]
-extra_search_path = ["public", "extensions"]
-max_rows = 1000
-
-[db]
-port = 54322
-shadow_port = 54320
-major_version = 17
-
-[db.migrations]
-schema_paths = ["./schemas/_schemas.sql", "./schemas/_extensions.sql", "./schemas/**/*.sql"]
-
-[db.seed]
-sql_paths = ["./seed.sql", "./seeds/local-secrets.seed.sql"]
-
-[auth]
-enabled = true
-site_url = "http://127.0.0.1:3000"
-# Wildcards cover the full canonical auth flow:
-#   /auth/confirm           \u2014 single PKCE callback for signup, magiclink, recovery, email_change
-#   /auth/update-password   \u2014 recovery destination after confirm exchange
-#   /accept-invite          \u2014 workspace invitation acceptance
-#   /auth/check-inbox       \u2014 pending state (no PKCE redirect ever lands here, but allowing
-#                              the prefix prevents accidental denies during dev)
-additional_redirect_urls = [
-  "http://127.0.0.1:3000/**",
-  "http://localhost:3000/**",
-  "http://127.0.0.1:5173/**",
-  "http://localhost:5173/**",
-  "https://127.0.0.1:3000/**",
-]
-jwt_expiry = 3600
-enable_refresh_token_rotation = true
-refresh_token_reuse_interval = 10
-enable_signup = true
-enable_anonymous_sign_ins = false
-minimum_password_length = 6
-
-[auth.email]
-enable_signup = true
-double_confirm_changes = true
-# Disabled on scaffold so the first local sign-up lands in the app without
-# needing SMTP. Set to true before shipping to production.
-enable_confirmations = false
-
-[edge_runtime]
-enabled = true
-policy = "per_worker"
-inspector_port = 8083
-deno_version = 2
-
-[auth.hook.send_email]
-enabled = true
-uri = "pg-functions://postgres/public/_hook_send_email"
-
-[auth.hook.before_user_created]
-enabled = true
-uri = "pg-functions://postgres/public/_hook_before_user_created"
-
-[auth.hook.custom_access_token]
-enabled = true
-uri = "pg-functions://postgres/public/_hook_custom_access_token"
-
-[functions.internal-queue-worker]
-enabled = true
-verify_jwt = false
-
-[functions.internal-send-auth-email]
-enabled = true
-verify_jwt = false
-
-[functions.internal-invite-member]
-enabled = true
-verify_jwt = false
-`;
-  fs2.writeFileSync(configPath, content);
-}
-function updateConfigTomlSendEmailHook(projectDir, options) {
-  const dryRun = options?.dryRun ?? false;
-  const configPath = path2.join(projectDir, "supabase", "config.toml");
-  let content = fs2.readFileSync(configPath, "utf-8");
-  if (!content.includes("[auth.hook.send_email]")) {
-    content = content.trimEnd() + `
-
-[auth.hook.send_email]
-enabled = true
-uri = "pg-functions://postgres/public/_hook_send_email"
-
-[functions.internal-send-auth-email]
-enabled = true
-verify_jwt = false
-`;
-    if (!dryRun) fs2.writeFileSync(configPath, content);
-    return ["auth.hook.send_email: add section", "functions.internal-send-auth-email: add section"];
-  }
-  return [];
-}
-function updateConfigTomlBeforeUserCreatedHook(projectDir, options) {
-  const dryRun = options?.dryRun ?? false;
-  const configPath = path2.join(projectDir, "supabase", "config.toml");
-  let content = fs2.readFileSync(configPath, "utf-8");
-  if (!content.includes("[auth.hook.before_user_created]")) {
-    content = content.trimEnd() + `
-
-[auth.hook.before_user_created]
-enabled = true
-uri = "pg-functions://postgres/public/_hook_before_user_created"
-`;
-    if (!dryRun) fs2.writeFileSync(configPath, content);
-    return ["auth.hook.before_user_created: add section"];
-  }
-  return [];
-}
-function updateConfigTomlCustomAccessTokenHook(projectDir, options) {
-  const dryRun = options?.dryRun ?? false;
-  const configPath = path2.join(projectDir, "supabase", "config.toml");
-  let content = fs2.readFileSync(configPath, "utf-8");
-  if (!content.includes("[auth.hook.custom_access_token]")) {
-    content = content.trimEnd() + `
-
-[auth.hook.custom_access_token]
-enabled = true
-uri = "pg-functions://postgres/public/_hook_custom_access_token"
-`;
-    if (!dryRun) fs2.writeFileSync(configPath, content);
-    return ["auth.hook.custom_access_token: add section"];
-  }
-  return [];
-}
-function updateConfigTomlAuthEmailConfirmations(projectDir, options) {
-  const dryRun = options?.dryRun ?? false;
-  const configPath = path2.join(projectDir, "supabase", "config.toml");
-  const original = fs2.readFileSync(configPath, "utf-8");
-  let content = original;
-  if (!content.includes("[auth.email]")) {
-    content = content.trimEnd() + `
-
-[auth.email]
-enable_signup = true
-double_confirm_changes = true
-# Disabled on scaffold so the first local sign-up lands in the app without
-# needing SMTP. Set to true before shipping to production.
-enable_confirmations = false
-`;
-    if (!dryRun) fs2.writeFileSync(configPath, content);
-    return ["auth.email: add section with enable_confirmations=false"];
-  }
-  if (/^\s*enable_confirmations\s*=/m.test(content)) {
-    return [];
-  }
-  content = content.replace(
-    /^\[auth\.email\][^\n]*\n/m,
-    (match) => `${match}# Disabled on scaffold so the first local sign-up lands in the app without
-# needing SMTP. Set to true before shipping to production.
-enable_confirmations = false
-`
-  );
-  if (!dryRun) fs2.writeFileSync(configPath, content);
-  return ["auth.email.enable_confirmations: add with dev default (false)"];
-}
-function writeGitkeepFiles(projectDir) {
-  const schemasDir = path2.join(projectDir, "supabase", "schemas");
-  for (const sub of ["public", "api"]) {
-    const gitkeep = path2.join(schemasDir, sub, ".gitkeep");
-    fs2.mkdirSync(path2.dirname(gitkeep), { recursive: true });
-    if (!fs2.existsSync(gitkeep)) {
-      fs2.writeFileSync(gitkeep, "");
-    }
-  }
-}
-function writeDotEnv(projectDir, frontend, isCloud) {
-  const lines = [];
-  if (frontend === "nextjs") {
-    lines.push("NEXT_PUBLIC_SUPABASE_URL=", "NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=");
-  } else if (frontend === "vite") {
-    lines.push("VITE_SUPABASE_URL=", "VITE_SUPABASE_PUBLISHABLE_KEY=");
-  }
-  lines.push("SUPABASE_DB_URL=");
-  lines.push("RESEND_API_KEY=re_your_api_key_here");
-  lines.push("RESEND_FROM_EMAIL=Your App <noreply@yourdomain.com>");
-  if (!isCloud) {
-    lines.push("RESEND_BASE_URL=http://host.docker.internal:4657");
-  }
-  lines.push("APP_NAME=YourApp");
-  lines.push("");
-  fs2.writeFileSync(path2.join(projectDir, ".env.local"), lines.join("\n"));
-}
-function updateDotEnvKeys(projectDir, apiUrl, publishableKey, secretKey) {
-  const envPath = path2.join(projectDir, ".env.local");
-  let content = fs2.readFileSync(envPath, "utf-8");
-  content = content.replace(/^NEXT_PUBLIC_SUPABASE_URL=.*$/m, `NEXT_PUBLIC_SUPABASE_URL=${apiUrl}`).replace(/^NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=.*$/m, `NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=${publishableKey}`).replace(/^VITE_SUPABASE_URL=.*$/m, `VITE_SUPABASE_URL=${apiUrl}`).replace(/^VITE_SUPABASE_PUBLISHABLE_KEY=.*$/m, `VITE_SUPABASE_PUBLISHABLE_KEY=${publishableKey}`);
-  fs2.writeFileSync(envPath, content);
-}
-function writeEnvExamples(projectDir, frontend) {
-  const lines = ["# Supabase"];
-  if (frontend === "nextjs") {
-    lines.push(
-      "NEXT_PUBLIC_SUPABASE_URL=http://127.0.0.1:54321",
-      "NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=your-publishable-key"
-    );
-  } else if (frontend === "vite") {
-    lines.push(
-      "VITE_SUPABASE_URL=http://127.0.0.1:54321",
-      "VITE_SUPABASE_PUBLISHABLE_KEY=your-publishable-key"
-    );
-  }
-  lines.push(
-    "",
-    "# Resend (https://resend.com)",
-    "RESEND_API_KEY=re_your_api_key_here",
-    "RESEND_FROM_EMAIL=Your App <noreply@yourdomain.com>",
-    "",
-    "# Resend Base URL (points to local resend-box sandbox in dev; remove for production)",
-    "RESEND_BASE_URL=http://host.docker.internal:4657",
-    "",
-    "APP_NAME=YourApp",
-    ""
-  );
-  fs2.writeFileSync(path2.join(projectDir, ".env.example"), lines.join("\n"));
-}
-function writeLocalSecretsSeed(projectDir, publishableKey, secretKey) {
-  const seedsDir = path2.join(projectDir, "supabase", "seeds");
-  fs2.mkdirSync(seedsDir, { recursive: true });
-  const seedPath = path2.join(seedsDir, "local-secrets.seed.sql");
-  const content = [
-    "-- AgentLink: Vault secrets for local development",
-    "-- This file is managed by AgentLink CLI. Do not edit manually.",
-    "",
-    seedSQL(publishableKey, secretKey),
-    ""
-  ].join("\n");
-  fs2.writeFileSync(seedPath, content);
-}
-
-// src/ui.ts
-import ora from "ora";
-async function step(title, fn) {
-  const spinner = ora({ text: title, color: "yellow" }).start();
-  try {
-    const result = await fn(spinner);
-    spinner.suffixText = "";
-    spinner.stopAndPersist({ symbol: blue("\u2714"), text: title });
-    return result;
-  } catch (err) {
-    spinner.suffixText = "";
-    spinner.stopAndPersist({ symbol: red("\u2716"), text: title });
-    throw err;
-  }
-}
-function skipped(title, reason) {
-  console.log(`${dim("\u25CB")} ${dim(title)} ${dim(`[${reason}]`)}`);
-}
-
-// src/db.ts
-function stripQuotes(val) {
-  if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
-    return val.slice(1, -1);
-  }
-  return val;
-}
-function readEnvValue(projectDir, key) {
-  const envPath = path3.join(projectDir, ".env.local");
-  if (!fs3.existsSync(envPath)) return void 0;
-  const content = fs3.readFileSync(envPath, "utf-8");
-  const match = content.match(new RegExp(`^${key}=(.+)$`, "m"));
-  if (!match?.[1]) return void 0;
-  return stripQuotes(match[1].trim()) || void 0;
-}
-async function resolveDbMode(cwd, flagUrl, envFlag) {
-  if (flagUrl) return { kind: "local", dbUrl: flagUrl };
-  const manifest = readManifest(cwd);
-  if (manifest?.mode === "cloud" && manifest.cloud?.environments) {
-    const env = resolveCloudEnv(manifest.cloud, envFlag);
-    await ensureAccessToken({ orgId: env.orgId, nonInteractive: true, projectDir: cwd });
-    return { kind: "cloud", projectRef: env.projectRef };
-  }
-  return { kind: "local" };
-}
-async function resolveDbUrl(cwd, flagUrl) {
-  if (flagUrl) return flagUrl;
-  const envUrl = readEnvValue(cwd, "SUPABASE_DB_URL");
-  if (envUrl) return envUrl;
-  try {
-    const status = await parseSupabaseStatus(cwd);
-    if (status.dbUrl) return status.dbUrl;
-  } catch {
-  }
-  throw new Error(
-    "Could not detect DB URL. Ensure .env.local has SUPABASE_DB_URL, or pass --db-url, or run supabase start."
-  );
-}
-function resolveTypesOutputPath(cwd, outputFlag) {
-  if (outputFlag) return path3.resolve(cwd, outputFlag);
-  const m = readManifest(cwd);
-  const frontend = m?.frontend;
-  if (frontend === "nextjs") {
-    return path3.join(cwd, "types", "database.ts");
-  }
-  return path3.join(cwd, "src", "types", "database.ts");
-}
-function formatTable(rows) {
-  if (rows.length === 0) return "(0 rows)";
-  const columns = Object.keys(rows[0]);
-  const values = rows.map(
-    (row) => columns.map((col) => {
-      const v = row[col];
-      if (v === null || v === void 0) return "";
-      if (typeof v === "object") return JSON.stringify(v);
-      return String(v);
-    })
-  );
-  const widths = columns.map(
-    (col, i) => Math.max(col.length, ...values.map((row) => row[i].length))
-  );
-  const header = columns.map((col, i) => col.padEnd(widths[i])).join(" | ");
-  const separator = widths.map((w) => "-".repeat(w)).join("-+-");
-  const body = values.map((row) => row.map((val, i) => val.padEnd(widths[i])).join(" | ")).join("\n");
-  return `${header}
-${separator}
-${body}
-(${rows.length} ${rows.length === 1 ? "row" : "rows"})`;
-}
-async function dbSql(query, options) {
-  const mode = await resolveDbMode(options.cwd, options.dbUrl, options.env);
-  if (mode.kind === "cloud") {
-    const res = await authenticatedFetch(
-      `https://api.supabase.com/v1/projects/${mode.projectRef}/database/query`,
-      {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ query })
-      }
-    );
-    if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`Cloud SQL query failed (${res.status}): ${body}`);
-    }
-    const rows = await res.json();
-    if (options.json) {
-      console.log(JSON.stringify(rows, null, 2));
-    } else {
-      console.log(formatTable(rows));
-    }
-  } else {
-    const dbUrl = await resolveDbUrl(options.cwd, options.dbUrl);
-    const output = await runCommand(
-      `psql ${JSON.stringify(dbUrl)} -c ${JSON.stringify(query)}`,
-      options.cwd,
-      (line) => console.log(line)
-    );
-    if (output && !output.includes("\n")) console.log(output);
-  }
-}
-async function dbTypes(options) {
-  const mode = await resolveDbMode(options.cwd, options.dbUrl, options.env);
-  const outputPath = resolveTypesOutputPath(options.cwd, options.output);
-  let typesContent;
-  if (mode.kind === "cloud") {
-    const res = await authenticatedFetch(
-      `https://api.supabase.com/v1/projects/${mode.projectRef}/types/typescript?included_schemas=api`
-    );
-    if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`Failed to generate types (${res.status}): ${body}`);
-    }
-    const data = await res.json();
-    typesContent = data.types;
-  } else {
-    typesContent = await runCommand(
-      `${sb()} gen types typescript --local --schema api`,
-      options.cwd
-    );
-  }
-  fs3.mkdirSync(path3.dirname(outputPath), { recursive: true });
-  fs3.writeFileSync(outputPath, typesContent);
-  if (!options.quiet) {
-    const relPath = path3.relative(options.cwd, outputPath);
-    console.log(`Types written to ${relPath}`);
-  }
-}
-async function dbApply(options) {
-  const schemasDir = path3.join(options.cwd, "supabase", "schemas");
-  if (!fs3.existsSync(schemasDir)) {
-    console.log(`  ${dim("Skipping schema apply \u2014 supabase/schemas/ not found.")}`);
-    return;
-  }
-  const dbUrl = await resolveDbUrl(options.cwd, options.dbUrl);
-  if (!options.quiet) console.log("Applying schemas...");
-  const applyOutput = await runCommand(
-    `${pgd()} declarative apply --path ./supabase/schemas/ --target ${JSON.stringify(dbUrl)}`,
-    options.cwd,
-    options.quiet ? void 0 : (line) => console.log(line)
-  );
-  if (/^Stuck after \d+ round/m.test(applyOutput)) {
-    if (options.quiet) {
-      console.error(applyOutput);
-    }
-    throw new Error(
-      "pg-delta declarative apply did not complete cleanly \u2014 some statements failed and the database state is inconsistent with supabase/schemas/. Fix the errors listed above (typically duplicate definitions or unresolved references) and re-run."
-    );
-  }
-  if (!options.skipTypes) {
-    if (!options.quiet) console.log("\nGenerating types...");
-    try {
-      await dbTypes({ cwd: options.cwd, dbUrl: options.dbUrl, env: options.env, quiet: options.quiet });
-    } catch (err) {
-      console.warn(`Warning: type generation failed \u2014 ${err.message}`);
-    }
-  }
-  if (!options.quiet) {
-    console.log("\nDone. Run 'agentlink check' to verify.");
-  }
-}
-async function dbMigrate(name, options) {
-  const dbUrl = await resolveDbUrl(options.cwd, options.dbUrl);
-  const tmpDir = path3.join(os.tmpdir(), `agentlink-migrate-${Date.now()}`);
-  fs3.mkdirSync(tmpDir, { recursive: true });
-  const baselineCatalog = path3.join(tmpDir, "baseline.json");
-  const desiredCatalog = path3.join(tmpDir, "desired.json");
-  try {
-    console.log("=== Step 1/4: Exporting baseline catalog...");
-    await runCommand(
-      `${pgd()} catalog-export --target ${JSON.stringify(dbUrl)} --output ${JSON.stringify(baselineCatalog)}`,
-      options.cwd
-    );
-    console.log("=== Step 2/4: Applying schemas to get desired state...");
-    await runCommand(
-      `${pgd()} declarative apply --path ./supabase/schemas/ --target ${JSON.stringify(dbUrl)}`,
-      options.cwd
-    );
-    console.log("=== Step 3/4: Exporting desired state catalog...");
-    await runCommand(
-      `${pgd()} catalog-export --target ${JSON.stringify(dbUrl)} --output ${JSON.stringify(desiredCatalog)}`,
-      options.cwd
-    );
-    console.log("=== Step 4/4: Generating migration diff...");
-    const diff = await runCommand(
-      `${pgd()} plan --source ${JSON.stringify(baselineCatalog)} --target ${JSON.stringify(desiredCatalog)} --format sql --integration supabase --sql-format`,
-      options.cwd
-    ).catch(() => "");
-    if (!diff.trim()) {
-      console.log("No changes detected. Nothing to migrate.");
-      return;
-    }
-    const migrationsDir = path3.join(options.cwd, "supabase", "migrations");
-    fs3.mkdirSync(migrationsDir, { recursive: true });
-    const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/\D/g, "").slice(0, 14);
-    const filename = `${timestamp}_${name}.sql`;
-    const migrationPath = path3.join(migrationsDir, filename);
-    fs3.writeFileSync(migrationPath, diff);
-    const lineCount = diff.split("\n").length;
-    console.log(`
-Migration created: supabase/migrations/${filename}`);
-    console.log(`Lines: ${lineCount}`);
-    console.log("\nNOTE: pg-delta filters out cron + storage schemas.");
-    console.log("If your change includes cron.schedule() or storage policies,");
-    console.log("append them manually to the migration file.");
-  } finally {
-    fs3.rmSync(tmpDir, { recursive: true, force: true });
-  }
-}
-async function dbRebuild(options) {
-  const cwd = options.cwd;
-  const migrationsDir = path3.join(cwd, "supabase", "migrations");
-  if (fs3.existsSync(migrationsDir)) {
-    const files = fs3.readdirSync(migrationsDir).filter((f) => f.endsWith(".sql"));
-    for (const file of files) {
-      fs3.unlinkSync(path3.join(migrationsDir, file));
-    }
-    console.log(`Deleted ${files.length} migration file(s)`);
-  }
-  const progressPath = path3.join(cwd, ".agentlink-progress.json");
-  if (fs3.existsSync(progressPath)) {
-    fs3.unlinkSync(progressPath);
-    console.log("Cleared scaffold progress");
-  }
-  console.log("\nRe-applying schemas...");
-  await dbApply({ cwd, dbUrl: options.dbUrl, env: options.env, skipTypes: true, quiet: true });
-  console.log("\nRegenerating migration...");
-  await dbMigrate("agentlink_setup", { cwd, dbUrl: options.dbUrl, env: options.env });
-  console.log("\nGenerating types...");
-  try {
-    await dbTypes({ cwd, dbUrl: options.dbUrl, env: options.env });
-  } catch (err) {
-    console.warn(`Warning: type generation failed \u2014 ${err.message}`);
-  }
-  console.log("\nDone. Database rebuilt from schema files.");
-}
-async function dbUrlCheck(options) {
-  const mode = await resolveDbMode(options.cwd, options.dbUrl, options.env);
-  if (mode.kind !== "cloud" || !mode.projectRef) {
-    const dbUrl = await resolveDbUrl(options.cwd, options.dbUrl);
-    console.log(dbUrl);
-    return;
-  }
-  await ensureAccessToken({ nonInteractive: true, projectDir: options.cwd });
-  const password = loadProjectCredential(mode.projectRef);
-  if (!password) {
-    throw new Error(
-      `No stored password for project ${mode.projectRef}.
-  Run: agentlink env add dev`
-    );
-  }
-  const poolerUrl = await resolvePoolerDbUrl(mode.projectRef, password);
-  console.log(`Pooler URL: ${poolerUrl}`);
-  const currentUrl = readEnvValue(options.cwd, "SUPABASE_DB_URL");
-  if (currentUrl === poolerUrl) {
-    console.log("\u2714 .env.local is up to date");
-    return;
-  }
-  if (currentUrl) {
-    console.log(`
-Current:  ${currentUrl}`);
-    console.log(`Expected: ${poolerUrl}`);
-  }
-  if (options.fix) {
-    const envPath = path3.join(options.cwd, ".env.local");
-    if (fs3.existsSync(envPath)) {
-      let content = fs3.readFileSync(envPath, "utf-8");
-      if (/^SUPABASE_DB_URL=/m.test(content)) {
-        content = content.replace(/^SUPABASE_DB_URL=.*$/m, `SUPABASE_DB_URL=${poolerUrl}`);
-      } else {
-        content = content.trimEnd() + `
-SUPABASE_DB_URL=${poolerUrl}
-`;
-      }
-      fs3.writeFileSync(envPath, content);
-      console.log("\n\u2714 .env.local updated with correct pooler URL");
-    }
-  } else if (currentUrl !== poolerUrl) {
-    console.log("\nRun with --fix to update .env.local");
-  }
-}
-var passwordTheme = {
-  prefix: { idle: blue("?"), done: blue("\u2714") },
-  style: {
-    answer: (text) => amber(text),
-    message: (text) => bold(text),
-    help: (text) => dim(text)
-  }
-};
-async function dbPassword(cwd, value, opts = {}) {
-  const manifest = readManifest(cwd);
-  if (!manifest) {
-    throw new Error("No agentlink.json found. Run `agentlink` to scaffold a project first.");
-  }
-  if (!manifest.cloud?.environments) {
-    throw new Error("No cloud environment configured. This command is for cloud projects.");
-  }
-  const env = resolveCloudEnv(manifest.cloud, opts.env);
-  const projectRef = env.projectRef;
-  if (value) {
-    saveProjectCredential(projectRef, value);
-    console.log(`Password saved for project ${dim(projectRef)}`);
-  } else {
-    const current = loadProjectCredential(projectRef);
-    if (current) {
-      const masked = current.length > 8 ? current.slice(0, 4) + "\u25CF".repeat(current.length - 8) + current.slice(-4) : "\u25CF".repeat(current.length);
-      console.log(`Current password: ${dim(masked)} (project: ${projectRef})`);
-      console.log();
-    }
-    const resetUrl = `https://supabase.com/dashboard/project/${projectRef}/settings/database`;
-    console.log(`  ${dim("Reset your password at:")}`);
-    console.log(`  ${dim(resetUrl)}`);
-    console.log();
-    const newPassword = await input({
-      message: "Database password:",
-      theme: passwordTheme,
-      transformer: (v, { isFinal }) => {
-        if (isFinal) return "\u25CF".repeat(Math.min(v.length, 8));
-        return "\u25CF".repeat(v.length);
-      },
-      validate: (val) => val.trim().length > 0 || "Password is required"
-    });
-    saveProjectCredential(projectRef, newPassword.trim());
-    console.log(`Password saved for project ${dim(projectRef)}`);
-  }
-}
-async function dbBackup(options) {
-  const dbUrl = await resolveDbUrl(options.cwd, options.dbUrl);
-  const manifest = readManifest(options.cwd);
-  const envLabel = options.env ?? manifest?.cloud?.default ?? "local";
-  const now = /* @__PURE__ */ new Date();
-  const pad = (n) => String(n).padStart(2, "0");
-  const timestamp = `${now.getUTCFullYear()}-${pad(now.getUTCMonth() + 1)}-${pad(now.getUTCDate())}T${pad(now.getUTCHours())}-${pad(now.getUTCMinutes())}-${pad(now.getUTCSeconds())}`;
-  const outDir = path3.join(options.cwd, "supabase", "backups", envLabel, timestamp);
-  fs3.mkdirSync(outDir, { recursive: true });
-  ensureGitignorePattern(options.cwd, "supabase/backups/");
-  const rolesFile = path3.join(outDir, "roles.sql");
-  const schemaFile = path3.join(outDir, "schema.sql");
-  const dataFile = path3.join(outDir, "data.sql");
-  const urlArg = JSON.stringify(dbUrl);
-  console.log();
-  console.log(`  ${blue("\u25CF")} Backing up ${bold(envLabel)} \u2192 ${dim(path3.relative(options.cwd, outDir))}`);
-  console.log();
-  await step("Dumping roles", async () => {
-    await runCommand(
-      `${sb()} db dump --db-url ${urlArg} -f ${JSON.stringify(rolesFile)} --role-only`,
-      options.cwd
-    );
-  });
-  await step("Dumping schema", async () => {
-    await runCommand(
-      `${sb()} db dump --db-url ${urlArg} -f ${JSON.stringify(schemaFile)}`,
-      options.cwd
-    );
-  });
-  await step("Dumping data", async () => {
-    await runCommand(
-      `${sb()} db dump --db-url ${urlArg} -f ${JSON.stringify(dataFile)} --use-copy --data-only -x "storage.buckets_vectors" -x "storage.vector_indexes"`,
-      options.cwd
-    );
-  });
-  console.log();
-  console.log(`  ${blue("Done.")} Snapshot written:`);
-  for (const f of [rolesFile, schemaFile, dataFile]) {
-    const sz = fs3.statSync(f).size;
-    console.log(`    ${dim(path3.relative(options.cwd, f))}  ${dim(formatBytes(sz))}`);
-  }
-  console.log();
-}
-function formatBytes(n) {
-  if (n < 1024) return `${n} B`;
-  if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KB`;
-  return `${(n / 1024 / 1024).toFixed(1)} MB`;
-}
-
-export {
-  ALLOWED_CLOUD_ENV_NAMES,
-  assertAllowedEnvNameForAdd,
-  assertAllowedEnvNameForUse,
-  assertManifestEnvNames,
-  isBareManifest,
-  readManifest,
-  writeManifest,
-  resolveCloudEnv,
-  addCloudEnvironment,
-  removeCloudEnvironment,
-  setCloudEnvOrgId,
-  setDefaultEnvironment,
-  listEnvironments,
-  check_setup_default,
-  seedSQL,
-  cloudSeedSQL,
-  parseSupabaseStatus,
-  runSQL,
-  updateConfigToml,
-  migrateRenamedEdgeFunctionDirs,
-  writeConfigToml,
-  writeGitkeepFiles,
-  writeDotEnv,
-  updateDotEnvKeys,
-  writeEnvExamples,
-  writeLocalSecretsSeed,
-  step,
-  skipped,
-  readEnvValue,
-  resolveDbMode,
-  resolveDbUrl,
-  dbSql,
-  dbTypes,
-  dbApply,
-  dbMigrate,
-  dbRebuild,
-  dbUrlCheck,
-  dbPassword,
-  dbBackup
-};