agentlink-sh 0.30.0 → 0.31.0

package/dist/index.js

@@ -1123,6 +1123,7 @@ function formatBytes(n) {
 import fs4 from "fs";
 import path4 from "path";
 import { input as input2, select } from "@inquirer/prompts";
+import open from "open";
 var promptTheme = {
   prefix: { idle: blue("?"), done: blue("\u2714") },
   style: {
@@ -1447,7 +1448,30 @@ async function resendSetup(cwd, opts = {}) {
     apiKey = globalDefaults.api_key;
     fromEmail = globalDefaults.from_email;
   } else {
-    console.log(`  ${dim("Get your API key at:")} ${blue("https://resend.com/api-keys")}`);
+    const apiKeysUrl = "https://resend.com/api-keys";
+    if (!hasExistingApiKey) {
+      const hasKeyAtHand = await selectYesNo({
+        message: "Do you have a Resend API key at hand?",
+        default: true,
+        yesLabel: "Yes \u2014 I'll paste it in the next step",
+        noLabel: "No, I need to create one \u2014 open the Resend dashboard",
+        theme: promptTheme
+      });
+      console.log();
+      if (hasKeyAtHand) {
+        console.log(`  ${dim("Get your API key at:")} ${blue(apiKeysUrl)}`);
+      } else {
+        try {
+          await open(apiKeysUrl);
+          console.log(`  ${blue("\u25CF")} Opened ${blue(apiKeysUrl)}`);
+        } catch {
+          console.log(`  ${amber("Could not open browser.")} Visit: ${blue(apiKeysUrl)}`);
+        }
+        console.log(`  ${dim("Create a key in the dashboard, then paste it below.")}`);
+      }
+    } else {
+      console.log(`  ${dim("Get your API key at:")} ${blue(apiKeysUrl)}`);
+    }
     const rawKey = (await input2({
       message: hasExistingApiKey ? "Resend API key (press Enter to keep current):" : "Resend API key:",
       theme: apiKeyTheme,
@@ -5455,6 +5479,37 @@ DROP TRIGGER IF EXISTS trg_auth_users_new_user ON auth.users;
 CREATE TRIGGER trg_auth_users_new_user
   AFTER INSERT ON auth.users
   FOR EACH ROW EXECUTE FUNCTION public._internal_admin_handle_new_user();
+
+-- supabase_auth_admin (the GoTrue auth service role) needs USAGE on the
+-- public schema to execute the _hook_* functions it calls during signup and
+-- email flows. Supabase pre-grants public USAGE to postgres/anon/
+-- authenticated/service_role but NOT to supabase_auth_admin, and the regen
+-- script's platform-default strip drops it from pg-delta's plan \u2014 so
+-- re-assert it here. Without it a migration-built DB diverges from a
+-- db-apply-built one. Idempotent.
+GRANT USAGE ON SCHEMA public TO supabase_auth_admin;
+
+-- Lock down the api._admin_* SECURITY DEFINER functions to service_role.
+--
+-- These bypass RLS and have no auth_verify_access guard \u2014 they're meant to
+-- be called only by trusted server-side code (edge functions via the
+-- service role). They live in the api schema, which IS exposed via
+-- PostgREST, so a stray client grant is directly reachable.
+--
+-- WHY THIS IS HERE AND NOT IN THE pg-delta PLAN: Postgres grants EXECUTE to
+-- PUBLIC by default on every new function. The declarative schemas
+-- (_admin_queues.sql) revoke that with an explicit
+-- "REVOKE ALL ... FROM PUBLIC, anon, authenticated", but pg-delta's plan
+-- does NOT model the built-in PUBLIC default grant \u2014 it only emits
+-- "REVOKE ... FROM authenticated" and leaves the implicit PUBLIC grant in
+-- place. anon/authenticated are members of PUBLIC, so without this block a
+-- migration-built DB (fresh prod via db push) would leave these privileged
+-- functions anon-callable, diverging from a db-apply-built dev DB. Re-assert
+-- the full revoke here so both paths converge. REVOKE is idempotent.
+REVOKE ALL ON FUNCTION api._admin_enqueue_task(text, jsonb, integer) FROM PUBLIC, anon, authenticated;
+REVOKE ALL ON FUNCTION api._admin_queue_read(integer, integer) FROM PUBLIC, anon, authenticated;
+REVOKE ALL ON FUNCTION api._admin_queue_delete(bigint) FROM PUBLIC, anon, authenticated;
+REVOKE ALL ON FUNCTION api._admin_queue_archive(bigint) FROM PUBLIC, anon, authenticated;
 `;
 
 // src/template/supabase/functions/_shared/responses.ts
@@ -11008,7 +11063,7 @@ import fs18 from "fs";
 import path18 from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
 import { input as input6, select as select5 } from "@inquirer/prompts";
-import open from "open";
+import open2 from "open";
 
 // src/banner.ts
 var TITLE = [
@@ -11237,40 +11292,6 @@ function ensureClaudeSettings(projectDir, isCloud) {
   fs14.writeFileSync(filePath, JSON.stringify(merged, null, 2) + "\n");
 }
 
-// src/migrate.ts
-var BASELINE_MIGRATIONS = [
-  {
-    version: "20200101000000",
-    name: "initial_agentlink_bootstrap"
-  },
-  {
-    version: "20200101000001",
-    name: "initial_agentlink_scaffold"
-  }
-];
-var BASELINE_MIGRATION = BASELINE_MIGRATIONS[1];
-var MARK_BASELINE_MIGRATIONS_APPLIED_SQL = `
--- Ensure the schema_migrations ledger exists. On a freshly-created
--- Supabase project this is usually pre-created by the platform, but
--- we don't depend on that \u2014 IF NOT EXISTS makes both lines safe to
--- re-run.
-CREATE SCHEMA IF NOT EXISTS supabase_migrations;
-
-CREATE TABLE IF NOT EXISTS supabase_migrations.schema_migrations (
-  version text PRIMARY KEY,
-  statements text[],
-  name text
-);
-
--- Mark the agentlink baselines as applied. The actual SQL has already
--- been run via pg-delta declarative apply (in scaffold) or will be run
--- via \`supabase db push\` (in env add prod). These rows only exist to
--- tell future \`db push\` calls "you don't need to apply these again."
-INSERT INTO supabase_migrations.schema_migrations (version, name) VALUES
-${BASELINE_MIGRATIONS.map((m) => `  ('${m.version}', '${m.name}')`).join(",\n")}
-ON CONFLICT (version) DO NOTHING;
-`;
-
 // src/scaffold.ts
 import { fileURLToPath as fileURLToPath2 } from "url";
 var __dirname = path15.dirname(fileURLToPath2(import.meta.url));
@@ -11608,8 +11629,6 @@ SUPABASE_DB_PASSWORD=${ctx.dbPass}
         }
         spinner.text = "Setting up database \u2014 Waiting for Postgres to accept connections";
         await waitForDatabaseReady(ctx.projectRef, spinner);
-        spinner.text = "Setting up database \u2014 Applying schemas (extensions, isolation, auth hooks, triggers)";
-        await dbApply({ cwd: projectDir, dbUrl: ctx.dbUrl, skipTypes: true, quiet: true });
         for (const [relPath, content] of Object.entries(TEMPLATE_FILES)) {
           if (!relPath.startsWith("migrations/")) continue;
           const full = path15.join(projectDir, "supabase", relPath);
@@ -11618,8 +11637,13 @@ SUPABASE_DB_PASSWORD=${ctx.dbPass}
             fs15.writeFileSync(full, content);
           }
         }
-        spinner.text = "Setting up database \u2014 Marking baseline migrations applied";
-        await runCloudSQL(MARK_BASELINE_MIGRATIONS_APPLIED_SQL, ctx.projectRef);
+        spinner.text = "Setting up database \u2014 Applying baseline migrations";
+        await runCommand(
+          `${sb()} db push --db-url ${JSON.stringify(ctx.dbUrl)}`,
+          projectDir,
+          void 0,
+          cloudEnv
+        );
         spinner.text = "Setting up database \u2014 Storing API keys in Vault";
         await runCloudSQL(cloudSeedSQL(ctx.apiUrl, ctx.publishableKey, ctx.secretKey), ctx.projectRef);
         spinner.text = "Setting up database \u2014 Deploying edge functions (internal-send-auth-email, internal-queue-worker, internal-invite-member)";
@@ -11634,8 +11658,6 @@ SUPABASE_DB_PASSWORD=${ctx.dbPass}
         spinner.text = "Setting up database \u2014 Enabling auth hooks and signup settings";
         await updateAuthConfig(ctx.projectRef, { ...AUTH_CONFIG, ...AUTH_CONFIG_DEV_OVERRIDES });
       } else {
-        spinner.text = "Setting up database \u2014 Applying schemas (extensions, isolation, auth hooks, triggers)";
-        await dbApply({ cwd: projectDir, dbUrl: ctx.dbUrl, skipTypes: true, quiet: true });
         for (const [relPath, content] of Object.entries(TEMPLATE_FILES)) {
           if (!relPath.startsWith("migrations/")) continue;
           const full = path15.join(projectDir, "supabase", relPath);
@@ -11644,8 +11666,11 @@ SUPABASE_DB_PASSWORD=${ctx.dbPass}
             fs15.writeFileSync(full, content);
           }
         }
-        spinner.text = "Setting up database \u2014 Marking baseline migrations applied";
-        await runSQL(MARK_BASELINE_MIGRATIONS_APPLIED_SQL, ctx.dbUrl);
+        spinner.text = "Setting up database \u2014 Applying baseline migrations";
+        await runCommand(
+          `${sb()} db push --db-url ${JSON.stringify(ctx.dbUrl)}`,
+          projectDir
+        );
         spinner.text = "Setting up database \u2014 Storing API keys in Vault";
         await runSQL(seedSQL(ctx.publishableKey, ctx.secretKey), ctx.dbUrl);
       }
@@ -12565,7 +12590,7 @@ async function runFinalActionPicker(summary, relPath) {
   if (action === "exit") return;
   if (action === "dashboard") {
     try {
-      await open(dashboardUrl);
+      await open2(dashboardUrl);
       console.log();
       console.log(`  ${dim("Opened")} ${blue(dashboardUrl)}`);
       console.log();
@@ -12914,6 +12939,7 @@ ${red("Error:")} ${error}`);
   }
   let cloudConfig;
   if (useCloud && !skipEnv) {
+    await ensureAccessToken({ nonInteractive, projectDir: process.cwd() });
     const picked = await pickOrg(process.cwd(), {
       org: opts.orgId,
       nonInteractive

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentlink-sh",
-  "version": "0.30.0",
+  "version": "0.31.0",
   "description": "CLI for building Supabase apps with AI agents",
   "bin": {
     "agentlink": "dist/index.js"
@@ -13,7 +13,8 @@
     "build": "tsup",
     "dev": "tsup --watch",
     "lint": "eslint src/",
-    "regen-migrations": "tsx scripts/regen-baseline-migration.ts"
+    "regen-migrations": "tsx scripts/regen-baseline-migration.ts",
+    "check-migrations": "tsx scripts/check-migrations.ts"
   },
   "dependencies": {
     "@inquirer/prompts": "^8.3.0",