edsger 0.72.2 → 0.72.4

package/dist/commands/quality-benchmark/index.d.ts

@@ -1,11 +1,10 @@
 /**
  * CLI command: `edsger quality-benchmark <productId>`
  *
- * Runs the quality-benchmark phase against the product's GitHub repo and
- * writes the resulting JSON report to disk. Persistence to the
- * `quality_reports` table is the caller's responsibility — desktop-app
- * picks the JSON up via stdout / file and writes via its supabase
- * client, exactly the same pattern used by other CLI commands.
+ * Runs the quality-benchmark phase against the product's GitHub repo,
+ * writes the resulting JSON report to disk, and persists it to the
+ * `quality_reports` table via the supabase SDK (RLS-scoped; MCP
+ * fallback when no desktop session is synced) unless --no-save.
  *
  * Default invocation (desktop): no --repo, no --branch — the CLI fetches
  * the product's GitHub config via MCP, clones (or reuses) the repo into
@@ -33,7 +32,7 @@ export interface QualityBenchmarkCliOptions {
     install?: boolean;
     output?: string;
     verbose?: boolean;
-    /** When false, skip the quality_reports/save MCP call. */
+    /** When false, skip persisting the report to quality_reports. */
     save?: boolean;
     /** Overwrite any existing report row for this (product, commit, rubric). */
     force?: boolean;

package/dist/commands/quality-benchmark/index.js

@@ -1,11 +1,10 @@
 /**
  * CLI command: `edsger quality-benchmark <productId>`
  *
- * Runs the quality-benchmark phase against the product's GitHub repo and
- * writes the resulting JSON report to disk. Persistence to the
- * `quality_reports` table is the caller's responsibility — desktop-app
- * picks the JSON up via stdout / file and writes via its supabase
- * client, exactly the same pattern used by other CLI commands.
+ * Runs the quality-benchmark phase against the product's GitHub repo,
+ * writes the resulting JSON report to disk, and persists it to the
+ * `quality_reports` table via the supabase SDK (RLS-scoped; MCP
+ * fallback when no desktop session is synced) unless --no-save.
  *
  * Default invocation (desktop): no --repo, no --branch — the CLI fetches
  * the product's GitHub config via MCP, clones (or reuses) the repo into
@@ -26,10 +25,10 @@
 import { mkdirSync, writeFileSync } from 'node:fs';
 import { dirname, resolve } from 'node:path';
 import { getGitHubConfigByProduct, getGitHubConfigByRepository, getRepositoryBasics, } from '../../api/github.js';
-import { callMcpEndpoint } from '../../api/mcp-client.js';
 import { fetchProductBasics } from '../../phases/find-shared/mcp.js';
 import { runQualityBenchmark, } from '../../phases/quality-benchmark/index.js';
 import { prepareQualityWorkspace } from '../../phases/quality-benchmark/workspace.js';
+import { saveQualityReport } from '../../services/quality-reports.js';
 import { getSupabase } from '../../supabase/client.js';
 import { logError, logInfo, logSuccess, logWarning, } from '../../utils/logger.js';
 export async function runQualityBenchmarkCli(productId, options) {
@@ -166,10 +165,12 @@ export async function runQualityBenchmarkCli(productId, options) {
     mkdirSync(dirname(outputPath), { recursive: true });
     writeFileSync(outputPath, JSON.stringify(reportEnvelope, null, 2), 'utf8');
     logSuccess(`Report written to ${outputPath}`);
-    // Persist via MCP unless the caller opted out.
+    // Persist to quality_reports unless the caller opted out. Goes through
+    // the supabase SDK directly (RLS-scoped), with an MCP fallback for
+    // sessions authorized by an MCP token only.
     if (options.save !== false) {
         try {
-            const saved = (await callMcpEndpoint('quality_reports/save', {
+            const saved = await saveQualityReport({
                 product_id: repoOnly ? null : productId,
                 repository_id: repositoryId,
                 commit_sha: outcome.commitSha,
@@ -193,14 +194,13 @@ export async function runQualityBenchmarkCli(productId, options) {
                 completed_at: outcome.completedAt,
                 duration_seconds: outcome.durationSeconds,
                 replace_existing: options.force === true,
-            }));
-            const row = JSON.parse(saved.content?.[0]?.text ?? '{}');
-            if (row.id) {
-                logSuccess(`Saved to quality_reports.id = ${row.id}`);
+            });
+            if (saved.id) {
+                logSuccess(`Saved to quality_reports.id = ${saved.id}`);
             }
         }
         catch (err) {
-            logWarning(`Failed to persist report via MCP (will keep local file): ${err instanceof Error ? err.message : String(err)}`);
+            logWarning(`Failed to persist report (will keep local file): ${err instanceof Error ? err.message : String(err)}`);
         }
     }
     logInfo(`Overall: grade ${outcome.report.overall_grade ?? '?'} (${outcome.report.overall_score ?? '?'})`);

package/dist/services/quality-reports.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Quality reports service — persists `edsger quality-benchmark` results.
+ *
+ * Writes go through the supabase SDK directly when the desktop-synced
+ * session is available (RLS gates access: product owner / active team
+ * member, or repo team access via `user_has_repository_access` for
+ * repo-only reports). Falls back to the MCP edge function
+ * (`quality_reports/save`) when no usable session is synced — e.g.
+ * standalone CLI runs authorized by an MCP token.
+ */
+export interface SaveQualityReportParams {
+    /** Product scope; null for repo-only reports. */
+    product_id: string | null;
+    /** Repository scope; required when product_id is null. */
+    repository_id: string | null;
+    commit_sha: string;
+    rubric_version: string;
+    branch?: string | null;
+    repo_root?: string | null;
+    detected_context?: unknown;
+    tool_versions?: Record<string, string>;
+    unavailable_tools?: unknown[];
+    applied_checks?: unknown;
+    tool_outputs?: Record<string, unknown>;
+    external_signals?: unknown;
+    dropped_findings?: number;
+    dimension_scores?: unknown;
+    overall_score?: number | null;
+    overall_grade?: string | null;
+    executive_summary?: string | null;
+    low_confidence?: boolean;
+    status?: string;
+    started_at?: string | null;
+    completed_at?: string | null;
+    duration_seconds?: number | null;
+    /** Delete any existing row for this (scope, commit, rubric) before insert. */
+    replace_existing?: boolean;
+}
+/**
+ * Insert a completed quality report row. Returns the new row id, or null
+ * if the saved row could not be parsed (MCP path only).
+ */
+export declare function saveQualityReport(params: SaveQualityReportParams): Promise<{
+    id: string | null;
+}>;

package/dist/services/quality-reports.js

@@ -0,0 +1,93 @@
+/**
+ * Quality reports service — persists `edsger quality-benchmark` results.
+ *
+ * Writes go through the supabase SDK directly when the desktop-synced
+ * session is available (RLS gates access: product owner / active team
+ * member, or repo team access via `user_has_repository_access` for
+ * repo-only reports). Falls back to the MCP edge function
+ * (`quality_reports/save`) when no usable session is synced — e.g.
+ * standalone CLI runs authorized by an MCP token.
+ */
+import { callMcpEndpoint } from '../api/mcp-client.js';
+import { ensureSupabaseSession, getSupabase } from '../supabase/client.js';
+/**
+ * Insert a completed quality report row. Returns the new row id, or null
+ * if the saved row could not be parsed (MCP path only).
+ */
+export async function saveQualityReport(params) {
+    const { product_id, repository_id, commit_sha, rubric_version } = params;
+    if (!product_id && !repository_id) {
+        throw new Error('Either product_id or repository_id is required');
+    }
+    if (await ensureSupabaseSession()) {
+        const supabase = getSupabase();
+        if (params.replace_existing) {
+            // Clear the existing row on the natural cache key for this report's
+            // scope. Product-scoped: UNIQUE(product_id, commit_sha, rubric_version).
+            // Repo-only: UNIQUE(repository_id, commit_sha, rubric_version) WHERE
+            // product_id IS NULL — the repo-only delete MUST also require
+            // product_id IS NULL so it never clobbers a product report of the same
+            // linked repo at this commit.
+            let del = supabase
+                .from('quality_reports')
+                .delete()
+                .eq('commit_sha', commit_sha)
+                .eq('rubric_version', rubric_version);
+            del = product_id
+                ? del.eq('product_id', product_id)
+                : del.eq('repository_id', repository_id).is('product_id', null);
+            const { error: delErr } = await del;
+            if (delErr) {
+                throw new Error(`Failed to clear existing report: ${delErr.message}`);
+            }
+        }
+        const { data: { user }, } = await supabase.auth.getUser();
+        const { data, error } = await supabase
+            .from('quality_reports')
+            .insert({
+            product_id: product_id ?? null,
+            repository_id: repository_id ?? null,
+            commit_sha,
+            rubric_version,
+            branch: params.branch ?? null,
+            repo_root: params.repo_root ?? null,
+            detected_context: params.detected_context ?? {},
+            tool_versions: params.tool_versions ?? {},
+            unavailable_tools: params.unavailable_tools ?? [],
+            applied_checks: params.applied_checks ?? {},
+            tool_outputs: params.tool_outputs ?? {},
+            external_signals: params.external_signals ?? {},
+            dropped_findings: params.dropped_findings ?? 0,
+            dimension_scores: params.dimension_scores ?? {},
+            overall_score: params.overall_score ?? null,
+            overall_grade: params.overall_grade ?? null,
+            executive_summary: params.executive_summary ?? null,
+            low_confidence: params.low_confidence ?? false,
+            status: params.status ?? 'completed',
+            started_at: params.started_at ?? null,
+            completed_at: params.completed_at ?? new Date().toISOString(),
+            duration_seconds: params.duration_seconds ?? null,
+            created_by: user?.id ?? null,
+        })
+            .select('id')
+            .single();
+        if (error) {
+            if (error.code === '23505') {
+                throw new Error(`quality report already exists for ` +
+                    `(${product_id ? 'product' : 'repository'}, commit, rubric); ` +
+                    `pass --force to overwrite`);
+            }
+            throw new Error(`Failed to save quality report: ${error.message}`);
+        }
+        return { id: data?.id ?? null };
+    }
+    // No synced session — fall back to the MCP edge function (MCP-token auth).
+    const saved = (await callMcpEndpoint('quality_reports/save', params));
+    try {
+        const row = JSON.parse(saved.content?.[0]?.text ?? '{}');
+        return { id: row.id ?? null };
+    }
+    catch {
+        return { id: null };
+    }
+}

package/dist/supabase/client.d.ts

@@ -19,5 +19,16 @@ export declare function getSupabase(): SupabaseClient;
  * usable for direct-SDK calls.
  */
 export declare function hasSupabaseSession(): boolean;
+/**
+ * Wait for the most recent setSession to finish applying, then report whether
+ * the client actually holds a usable user session.
+ *
+ * Returns false when the synced token was stale/expired and supabase-js
+ * dropped the session — in that state REST calls run as `anon` (auth.uid() is
+ * NULL) and any insert into an RLS table with `WITH CHECK (auth.uid() =
+ * user_id)` is rejected. Writers should gate the direct-SDK path on this and
+ * fall back to the MCP edge function (service-role) when it returns false.
+ */
+export declare function ensureSupabaseSession(): Promise<boolean>;
 /** Reset module state. Test-only. */
 export declare function resetSupabaseClient(): void;

package/dist/supabase/client.js

@@ -14,6 +14,8 @@ const AUTH_FILE = join(homedir(), '.edsger', 'auth.json');
 let _client = null;
 let _watcherInstalled = false;
 let _lastAppliedAccessToken;
+/** The in-flight setSession promise, awaited by ensureSupabaseSession(). */
+let _sessionReady = null;
 /**
  * Get (or lazily create) the shared SupabaseClient.
  *
@@ -39,7 +41,11 @@ export function getSupabase() {
             detectSessionInUrl: false,
         },
     });
-    void _client.auth.setSession({
+    // Capture the setSession promise so writers can await it (via
+    // ensureSupabaseSession) before issuing inserts. Without this, the first
+    // REST call can race ahead of setSession and go out as `anon` (no user
+    // JWT), tripping the `auth.uid() = user_id` RLS check.
+    _sessionReady = _client.auth.setSession({
         access_token: accessToken,
         refresh_token: refreshToken ?? '',
     });
@@ -54,6 +60,32 @@ export function getSupabase() {
 export function hasSupabaseSession() {
     return Boolean(getSupabaseUrl() && getSupabaseAnonKey() && getAccessToken());
 }
+/**
+ * Wait for the most recent setSession to finish applying, then report whether
+ * the client actually holds a usable user session.
+ *
+ * Returns false when the synced token was stale/expired and supabase-js
+ * dropped the session — in that state REST calls run as `anon` (auth.uid() is
+ * NULL) and any insert into an RLS table with `WITH CHECK (auth.uid() =
+ * user_id)` is rejected. Writers should gate the direct-SDK path on this and
+ * fall back to the MCP edge function (service-role) when it returns false.
+ */
+export async function ensureSupabaseSession() {
+    if (!hasSupabaseSession()) {
+        return false;
+    }
+    try {
+        const client = getSupabase();
+        if (_sessionReady) {
+            await _sessionReady;
+        }
+        const { data } = await client.auth.getSession();
+        return Boolean(data.session?.access_token);
+    }
+    catch {
+        return false;
+    }
+}
 function installAuthWatcher() {
     if (_watcherInstalled) {
         return;
@@ -70,7 +102,7 @@ function installAuthWatcher() {
                 return;
             }
             _lastAppliedAccessToken = nextAccess;
-            void _client.auth.setSession({
+            _sessionReady = _client.auth.setSession({
                 access_token: nextAccess,
                 refresh_token: nextRefresh ?? '',
             });
@@ -87,4 +119,5 @@ export function resetSupabaseClient() {
     _client = null;
     _watcherInstalled = false;
     _lastAppliedAccessToken = undefined;
+    _sessionReady = null;
 }

package/dist/system/session-manager.js

@@ -10,7 +10,7 @@ import { hostname } from 'os';
 import { callMcpEndpoint } from '../api/mcp-client.js';
 import { getUserId } from '../auth/auth-store.js';
 import { getVersion } from '../constants.js';
-import { getSupabase, hasSupabaseSession } from '../supabase/client.js';
+import { ensureSupabaseSession, getSupabase, hasSupabaseSession, } from '../supabase/client.js';
 import { initLogSync, logInfo, logWarning, stopLogSync, } from '../utils/logger.js';
 let currentSessionId = null;
 let heartbeatTimer;
@@ -63,7 +63,13 @@ export async function registerSession(options) {
     const invocation = process.argv.slice(2).join(' ') || undefined;
     try {
         const userId = getUserId();
-        if (hasSupabaseSession() && userId) {
+        // ensureSupabaseSession() awaits the in-flight setSession and confirms the
+        // client holds a live user session — so a token that hasn't applied yet
+        // (race) or was dropped (stale → anon) doesn't silently write as anon and
+        // trip the cli_sessions RLS check. The desktop refreshes the token into
+        // auth.json before spawning the CLI, so this should hold for app-spawned
+        // runs; the MCP branch stays for the legacy no-Supabase-session path.
+        if (userId && (await ensureSupabaseSession())) {
             const row = {
                 session_id: sessionId,
                 user_id: userId,

package/dist/utils/logger.js

@@ -1,7 +1,7 @@
 import { callMcpEndpoint } from '../api/mcp-client.js';
 import { getUserId } from '../auth/auth-store.js';
 import { getVersion } from '../constants.js';
-import { getSupabase, hasSupabaseSession } from '../supabase/client.js';
+import { ensureSupabaseSession, getSupabase } from '../supabase/client.js';
 export const colors = {
     reset: '\x1b[0m',
     bright: '\x1b[1m',
@@ -49,13 +49,16 @@ export async function flushLogs() {
         return;
     }
     const batch = _logBuffer.splice(0);
+    const sessionId = _logSyncSessionId;
     try {
         const userId = getUserId();
-        if (hasSupabaseSession() && userId) {
+        if (userId && (await ensureSupabaseSession())) {
             // Direct-SDK path. user_id is set explicitly per row to satisfy the
-            // cli_logs RLS check (auth.uid() = user_id).
+            // cli_logs RLS check (auth.uid() = user_id). Gating on a confirmed
+            // session keeps a stale token (→ anon) from writing as anon and tripping
+            // RLS — desktop refreshes the token into auth.json before spawning.
             const rows = batch.slice(0, 200).map((log) => ({
-                session_id: _logSyncSessionId,
+                session_id: sessionId,
                 user_id: userId,
                 level: log.level,
                 message: log.message,
@@ -68,7 +71,7 @@ export async function flushLogs() {
         }
         else {
             await callMcpEndpoint('cli_logs/batch', {
-                session_id: _logSyncSessionId,
+                session_id: sessionId,
                 logs: batch,
             });
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "edsger",
-  "version": "0.72.2",
+  "version": "0.72.4",
   "type": "module",
   "bin": {
     "edsger": "dist/index.js"
@@ -54,8 +54,8 @@
     "commander": "^12.0.0",
     "cosmiconfig": "^9.0.0",
     "dotenv": "^16.4.5",
-    "edsger-contract": "0.9.1",
-    "edsger-tools": "0.9.1",
+    "edsger-contract": "0.9.2",
+    "edsger-tools": "0.9.2",
     "gray-matter": "^4.0.3",
     "zod": "^4.0.0"
   },