agentlink-sh 0.30.1 → 0.32.0

package/README.md

@@ -377,7 +377,7 @@ The scaffold runs a multi-step process:
 7. **Verify setup** — Runs verification queries to confirm all components
 8. **Setup frontend** — Writes React + Vite or NextJS files (if selected)
 9. **Install frontend deps** — Runs `npm install` for the frontend
-10. **Configure Claude Code** — Sets up `CLAUDE.md` and Claude settings
+10. **Configure Claude Code** — Sets up `AGENTS.md` and Claude settings
 11. **Install MCP** — Installs Supabase MCP server (local mode only)
 12. **Install plugin** — Installs Agent Link plugin and companion skills
 13. **Finalize** — Creates git repo, writes `agentlink.json` manifest
@@ -425,7 +425,7 @@ The CLI installs all recommended companion skills for Claude Code automatically.
 ```
 my-app/
 ├── agentlink.json                  # Project manifest
-├── CLAUDE.md                       # AI agent instructions
+├── AGENTS.md                       # AI agent instructions
 ├── .env.local                      # Environment variables
 ├── .env.example
 ├── .claude/

package/dist/index.js

@@ -1123,6 +1123,7 @@ function formatBytes(n) {
 import fs4 from "fs";
 import path4 from "path";
 import { input as input2, select } from "@inquirer/prompts";
+import open from "open";
 var promptTheme = {
   prefix: { idle: blue("?"), done: blue("\u2714") },
   style: {
@@ -1447,7 +1448,30 @@ async function resendSetup(cwd, opts = {}) {
     apiKey = globalDefaults.api_key;
     fromEmail = globalDefaults.from_email;
   } else {
-    console.log(`  ${dim("Get your API key at:")} ${blue("https://resend.com/api-keys")}`);
+    const apiKeysUrl = "https://resend.com/api-keys";
+    if (!hasExistingApiKey) {
+      const hasKeyAtHand = await selectYesNo({
+        message: "Do you have a Resend API key at hand?",
+        default: true,
+        yesLabel: "Yes \u2014 I'll paste it in the next step",
+        noLabel: "No, I need to create one \u2014 open the Resend dashboard",
+        theme: promptTheme
+      });
+      console.log();
+      if (hasKeyAtHand) {
+        console.log(`  ${dim("Get your API key at:")} ${blue(apiKeysUrl)}`);
+      } else {
+        try {
+          await open(apiKeysUrl);
+          console.log(`  ${blue("\u25CF")} Opened ${blue(apiKeysUrl)}`);
+        } catch {
+          console.log(`  ${amber("Could not open browser.")} Visit: ${blue(apiKeysUrl)}`);
+        }
+        console.log(`  ${dim("Create a key in the dashboard, then paste it below.")}`);
+      }
+    } else {
+      console.log(`  ${dim("Get your API key at:")} ${blue(apiKeysUrl)}`);
+    }
     const rawKey = (await input2({
       message: hasExistingApiKey ? "Resend API key (press Enter to keep current):" : "Resend API key:",
       theme: apiKeyTheme,
@@ -5455,6 +5479,37 @@ DROP TRIGGER IF EXISTS trg_auth_users_new_user ON auth.users;
 CREATE TRIGGER trg_auth_users_new_user
   AFTER INSERT ON auth.users
   FOR EACH ROW EXECUTE FUNCTION public._internal_admin_handle_new_user();
+
+-- supabase_auth_admin (the GoTrue auth service role) needs USAGE on the
+-- public schema to execute the _hook_* functions it calls during signup and
+-- email flows. Supabase pre-grants public USAGE to postgres/anon/
+-- authenticated/service_role but NOT to supabase_auth_admin, and the regen
+-- script's platform-default strip drops it from pg-delta's plan \u2014 so
+-- re-assert it here. Without it a migration-built DB diverges from a
+-- db-apply-built one. Idempotent.
+GRANT USAGE ON SCHEMA public TO supabase_auth_admin;
+
+-- Lock down the api._admin_* SECURITY DEFINER functions to service_role.
+--
+-- These bypass RLS and have no auth_verify_access guard \u2014 they're meant to
+-- be called only by trusted server-side code (edge functions via the
+-- service role). They live in the api schema, which IS exposed via
+-- PostgREST, so a stray client grant is directly reachable.
+--
+-- WHY THIS IS HERE AND NOT IN THE pg-delta PLAN: Postgres grants EXECUTE to
+-- PUBLIC by default on every new function. The declarative schemas
+-- (_admin_queues.sql) revoke that with an explicit
+-- "REVOKE ALL ... FROM PUBLIC, anon, authenticated", but pg-delta's plan
+-- does NOT model the built-in PUBLIC default grant \u2014 it only emits
+-- "REVOKE ... FROM authenticated" and leaves the implicit PUBLIC grant in
+-- place. anon/authenticated are members of PUBLIC, so without this block a
+-- migration-built DB (fresh prod via db push) would leave these privileged
+-- functions anon-callable, diverging from a db-apply-built dev DB. Re-assert
+-- the full revoke here so both paths converge. REVOKE is idempotent.
+REVOKE ALL ON FUNCTION api._admin_enqueue_task(text, jsonb, integer) FROM PUBLIC, anon, authenticated;
+REVOKE ALL ON FUNCTION api._admin_queue_read(integer, integer) FROM PUBLIC, anon, authenticated;
+REVOKE ALL ON FUNCTION api._admin_queue_delete(bigint) FROM PUBLIC, anon, authenticated;
+REVOKE ALL ON FUNCTION api._admin_queue_archive(bigint) FROM PUBLIC, anon, authenticated;
 `;
 
 // src/template/supabase/functions/_shared/responses.ts
@@ -6439,7 +6494,7 @@ async function countTargetUserTables(projectRef) {
   }
 }
 
-// src/claude-md.ts
+// src/agents-md.ts
 import fs8 from "fs";
 import path8 from "path";
 var MARKER_START = "<!-- agentlink:config:start -->";
@@ -6555,8 +6610,8 @@ Run \`supabase status\` to get the local API URL, DB URL, publishable key, and s
   return `${MARKER_START}
 ${content}${MARKER_END}`;
 }
-function writeClaudeMd(options) {
-  const filePath = path8.join(options.projectDir, "CLAUDE.md");
+function writeAgentsMd(options) {
+  const filePath = path8.join(options.projectDir, "AGENTS.md");
   const section = generateSection(options);
   if (!fs8.existsSync(filePath)) {
     fs8.writeFileSync(filePath, section + "\n");
@@ -6741,7 +6796,7 @@ function writeBareManifest(cwd) {
     // `mode: "bare"` is diagnostic only — `setDefaultEnvironment` in
     // manifest.ts will overwrite it to "cloud" on the first `env add dev`.
     // The DURABLE flag is `bare: true` below: it's orthogonal to mode and
-    // survives every env mutation, so downstream checks (CLAUDE.md guards,
+    // survives every env mutation, so downstream checks (AGENTS.md guards,
     // envDeploy sequence) can reliably detect "this project isn't
     // scaffolded" regardless of what `mode` says right now.
     mode: "bare",
@@ -6962,14 +7017,14 @@ async function envAdd(name, cwd, opts = {}) {
     setDefaultEnvironment(cwd, name);
     console.log(`  ${blue("\u2714")} Default environment set to "${name}"`);
     if (!bare) {
-      writeClaudeMd({
+      writeAgentsMd({
         projectDir: cwd,
         mode: "cloud",
         projectRef: env2.projectRef,
         region: env2.region,
         envName: name
       });
-      console.log(`  ${blue("\u2714")} CLAUDE.md regenerated for "${name}"`);
+      console.log(`  ${blue("\u2714")} AGENTS.md regenerated for "${name}"`);
     }
   }
   let shouldDeploy;
@@ -7423,10 +7478,10 @@ async function envUse(name, cwd) {
   const updatedManifest = readManifest(cwd);
   if (!isBareManifest(updatedManifest)) {
     if (name === "local") {
-      writeClaudeMd({ projectDir: cwd, mode: "local" });
+      writeAgentsMd({ projectDir: cwd, mode: "local" });
     } else {
       const env2 = updatedManifest.cloud.environments[name];
-      writeClaudeMd({
+      writeAgentsMd({
         projectDir: cwd,
         mode: "cloud",
         projectRef: env2.projectRef,
@@ -7434,7 +7489,7 @@ async function envUse(name, cwd) {
         envName: name
       });
     }
-    console.log(`  ${blue("\u2714")} CLAUDE.md regenerated for ${name} mode`);
+    console.log(`  ${blue("\u2714")} AGENTS.md regenerated for ${name} mode`);
   }
   console.log(`
   ${blue(isRefresh ? "Refreshed" : "Switched to")} ${bold(name)}`);
@@ -7646,17 +7701,17 @@ async function envRelink(name, cwd, opts = {}) {
     });
     console.log(`  ${blue("\u2714")} .env.local updated (pooler URL from API)`);
     if (!isBareManifest(manifest)) {
-      writeClaudeMd({
+      writeAgentsMd({
         projectDir: cwd,
         mode: "cloud",
         projectRef: env2.projectRef,
         region: env2.region,
         envName: name
       });
-      console.log(`  ${blue("\u2714")} CLAUDE.md updated`);
+      console.log(`  ${blue("\u2714")} AGENTS.md updated`);
     }
   } else {
-    console.log(`  ${dim(`.env.local and CLAUDE.md left on the active env \u2014 prod never auto-activates (use \`env use prod\` to switch).`)}`);
+    console.log(`  ${dim(`.env.local and AGENTS.md left on the active env \u2014 prod never auto-activates (use \`env use prod\` to switch).`)}`);
   }
   if (opts.deploy === false) {
     const deployCmd = `npx agentlink-sh@latest env deploy ${name}`;
@@ -11008,7 +11063,7 @@ import fs18 from "fs";
 import path18 from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
 import { input as input6, select as select5 } from "@inquirer/prompts";
-import open from "open";
+import open2 from "open";
 
 // src/banner.ts
 var TITLE = [
@@ -11237,40 +11292,6 @@ function ensureClaudeSettings(projectDir, isCloud) {
   fs14.writeFileSync(filePath, JSON.stringify(merged, null, 2) + "\n");
 }
 
-// src/migrate.ts
-var BASELINE_MIGRATIONS = [
-  {
-    version: "20200101000000",
-    name: "initial_agentlink_bootstrap"
-  },
-  {
-    version: "20200101000001",
-    name: "initial_agentlink_scaffold"
-  }
-];
-var BASELINE_MIGRATION = BASELINE_MIGRATIONS[1];
-var MARK_BASELINE_MIGRATIONS_APPLIED_SQL = `
--- Ensure the schema_migrations ledger exists. On a freshly-created
--- Supabase project this is usually pre-created by the platform, but
--- we don't depend on that \u2014 IF NOT EXISTS makes both lines safe to
--- re-run.
-CREATE SCHEMA IF NOT EXISTS supabase_migrations;
-
-CREATE TABLE IF NOT EXISTS supabase_migrations.schema_migrations (
-  version text PRIMARY KEY,
-  statements text[],
-  name text
-);
-
--- Mark the agentlink baselines as applied. The actual SQL has already
--- been run via pg-delta declarative apply (in scaffold) or will be run
--- via \`supabase db push\` (in env add prod). These rows only exist to
--- tell future \`db push\` calls "you don't need to apply these again."
-INSERT INTO supabase_migrations.schema_migrations (version, name) VALUES
-${BASELINE_MIGRATIONS.map((m) => `  ('${m.version}', '${m.name}')`).join(",\n")}
-ON CONFLICT (version) DO NOTHING;
-`;
-
 // src/scaffold.ts
 import { fileURLToPath as fileURLToPath2 } from "url";
 var __dirname = path15.dirname(fileURLToPath2(import.meta.url));
@@ -11608,8 +11629,6 @@ SUPABASE_DB_PASSWORD=${ctx.dbPass}
         }
         spinner.text = "Setting up database \u2014 Waiting for Postgres to accept connections";
         await waitForDatabaseReady(ctx.projectRef, spinner);
-        spinner.text = "Setting up database \u2014 Applying schemas (extensions, isolation, auth hooks, triggers)";
-        await dbApply({ cwd: projectDir, dbUrl: ctx.dbUrl, skipTypes: true, quiet: true });
         for (const [relPath, content] of Object.entries(TEMPLATE_FILES)) {
           if (!relPath.startsWith("migrations/")) continue;
           const full = path15.join(projectDir, "supabase", relPath);
@@ -11618,8 +11637,13 @@ SUPABASE_DB_PASSWORD=${ctx.dbPass}
             fs15.writeFileSync(full, content);
           }
         }
-        spinner.text = "Setting up database \u2014 Marking baseline migrations applied";
-        await runCloudSQL(MARK_BASELINE_MIGRATIONS_APPLIED_SQL, ctx.projectRef);
+        spinner.text = "Setting up database \u2014 Applying baseline migrations";
+        await runCommand(
+          `${sb()} db push --db-url ${JSON.stringify(ctx.dbUrl)}`,
+          projectDir,
+          void 0,
+          cloudEnv
+        );
         spinner.text = "Setting up database \u2014 Storing API keys in Vault";
         await runCloudSQL(cloudSeedSQL(ctx.apiUrl, ctx.publishableKey, ctx.secretKey), ctx.projectRef);
         spinner.text = "Setting up database \u2014 Deploying edge functions (internal-send-auth-email, internal-queue-worker, internal-invite-member)";
@@ -11634,8 +11658,6 @@ SUPABASE_DB_PASSWORD=${ctx.dbPass}
         spinner.text = "Setting up database \u2014 Enabling auth hooks and signup settings";
         await updateAuthConfig(ctx.projectRef, { ...AUTH_CONFIG, ...AUTH_CONFIG_DEV_OVERRIDES });
       } else {
-        spinner.text = "Setting up database \u2014 Applying schemas (extensions, isolation, auth hooks, triggers)";
-        await dbApply({ cwd: projectDir, dbUrl: ctx.dbUrl, skipTypes: true, quiet: true });
         for (const [relPath, content] of Object.entries(TEMPLATE_FILES)) {
           if (!relPath.startsWith("migrations/")) continue;
           const full = path15.join(projectDir, "supabase", relPath);
@@ -11644,8 +11666,11 @@ SUPABASE_DB_PASSWORD=${ctx.dbPass}
             fs15.writeFileSync(full, content);
           }
         }
-        spinner.text = "Setting up database \u2014 Marking baseline migrations applied";
-        await runSQL(MARK_BASELINE_MIGRATIONS_APPLIED_SQL, ctx.dbUrl);
+        spinner.text = "Setting up database \u2014 Applying baseline migrations";
+        await runCommand(
+          `${sb()} db push --db-url ${JSON.stringify(ctx.dbUrl)}`,
+          projectDir
+        );
         spinner.text = "Setting up database \u2014 Storing API keys in Vault";
         await runSQL(seedSQL(ctx.publishableKey, ctx.secretKey), ctx.dbUrl);
       }
@@ -11756,7 +11781,7 @@ SUPABASE_DB_PASSWORD=${ctx.dbPass}
   await trackedStep("configure-claude", "Configuring Claude Code", async () => {
     ensureClaudeSettings(projectDir, !!options.cloud || !!options.skipEnv);
     const mode2 = options.skipEnv ? "pending-env" : options.cloud ? "cloud" : "local";
-    writeClaudeMd({
+    writeAgentsMd({
       projectDir,
       mode: mode2,
       projectRef: ctx.projectRef,
@@ -12061,8 +12086,8 @@ ${red("Error:")} Supabase is not running.
       projectDir
     );
   });
-  await step("Updating CLAUDE.md", async () => {
-    writeClaudeMd({
+  await step("Updating AGENTS.md", async () => {
+    writeAgentsMd({
       projectDir,
       mode: isCloud ? "cloud" : "local",
       projectRef: env2?.projectRef,
@@ -12259,7 +12284,7 @@ async function runDryRun(projectDir, isCloud) {
   console.log(`
   ${bold("Side effects")} ${dim("(skipped in dry run)")}`);
   console.log(`    ${dim("\u2022")} update agent plugin + companion skills`);
-  console.log(`    ${dim("\u2022")} rewrite .claude/CLAUDE.md, .claude/settings.json`);
+  console.log(`    ${dim("\u2022")} rewrite AGENTS.md, .claude/settings.json`);
   console.log(`    ${dim("\u2022")} apply ${sqlCount} SQL schema file(s) to ${isCloud ? "cloud DB" : "local DB"}`);
   if (isCloud) {
     console.log(`    ${dim("\u2022")} update PostgREST config + auth config`);
@@ -12293,7 +12318,7 @@ async function printUpdateSummary(projectDir, allowDirty) {
     // config.toml, .gitignore
     ".claude/": [],
     "root": []
-    // agentlink.json, CLAUDE.md, .env.local, etc.
+    // agentlink.json, AGENTS.md, .env.local, etc.
   };
   for (const file of changed) {
     if (file.startsWith("supabase/schemas/")) groups["supabase/schemas/"].push(file);
@@ -12565,7 +12590,7 @@ async function runFinalActionPicker(summary, relPath) {
   if (action === "exit") return;
   if (action === "dashboard") {
     try {
-      await open(dashboardUrl);
+      await open2(dashboardUrl);
       console.log();
       console.log(`  ${dim("Opened")} ${blue(dashboardUrl)}`);
       console.log();
@@ -13515,7 +13540,7 @@ env.command("add [name]").description("Add or re-add a cloud environment (dev or
     console.log();
     console.log(`  ${bold("To use local development:")}`);
     console.log(`    ${dim("supabase start")}                          ${dim("# bring up the local Docker stack")}`);
-    console.log(`    ${dim("npx agentlink-sh@latest env use local")}   ${dim("# point .env.local + CLAUDE.md at it")}`);
+    console.log(`    ${dim("npx agentlink-sh@latest env use local")}   ${dim("# point .env.local + AGENTS.md at it")}`);
     console.log();
     console.log(`  ${dim("Or scaffold a new project against local Docker:")} ${dim("npx agentlink-sh@latest <name> --local")}`);
     console.log();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentlink-sh",
-  "version": "0.30.1",
+  "version": "0.32.0",
   "description": "CLI for building Supabase apps with AI agents",
   "bin": {
     "agentlink": "dist/index.js"
@@ -13,7 +13,8 @@
     "build": "tsup",
     "dev": "tsup --watch",
     "lint": "eslint src/",
-    "regen-migrations": "tsx scripts/regen-baseline-migration.ts"
+    "regen-migrations": "tsx scripts/regen-baseline-migration.ts",
+    "check-migrations": "tsx scripts/check-migrations.ts"
   },
   "dependencies": {
     "@inquirer/prompts": "^8.3.0",