kasy-cli 1.19.3 → 1.20.1

package/README.md

@@ -4,14 +4,22 @@ CLI for scaffolding production-ready Flutter SaaS apps.
 
 ## Install
 
+**macOS & Linux**
+
 ```bash
-npm install -g kasy-cli
+curl -fsSL https://kasy.dev/install | bash
+```
+
+**Windows (PowerShell)**
+
+```powershell
+irm https://kasy.dev/install.ps1 | iex
 ```
 
-Or run without installing:
+Or via npm:
 
 ```bash
-npx kasy-cli new
+npm install -g kasy-cli
 ```
 
 ## Quick start

package/bin/kasy.js

@@ -357,6 +357,7 @@ function buildProgram(language) {
       .option('--web', 'Run on web — prints localhost URL in lime so you open it in your own browser (your extensions, your accounts)')
       .option('--open', 'With --web: auto-launch a clean Chrome window (Flutter profile, no extensions) instead of just printing the URL')
       .option('--web-port <port>', 'Fixed port for web (default 5555) — keeps the origin stable so Firebase Auth sessions persist between runs')
+      .option('--web-hostname <host>', 'Host for web (default localhost) — localhost is a Firebase-authorized domain by default, so Google sign-in works without console changes')
       .option('-d, --device <id>', 'Run on specific device ID')
       .option('--prod', 'Use production dart-defines (from launch.json)')
       .option('--no-defines', 'Skip dart-defines from launch.json')

package/lib/commands/new.js

@@ -50,7 +50,7 @@ const { generateFirebaseProject } = require('../scaffold/backends/firebase/gener
 const { generateSupabaseProject } = require('../scaffold/backends/supabase/generator');
 const { generateApiProject } = require('../scaffold/backends/api/generator');
 const { createProjectAndGetKeys, setupLinkedProject, checkLoggedIn, getOrgsList, getProjectsByOrg, getProjectKeys } = require('../scaffold/backends/supabase/deploy');
-const { writeSupabaseGoogleAuthOptions, readSupabaseGoogleCredentials, getGoogleClientSecretViaGcloud, flutterfireConfigure, writeGoogleAuthOptions, writeGoogleIosUrlScheme } = require('../scaffold/shared/post-build');
+const { writeSupabaseGoogleAuthOptions, readSupabaseGoogleCredentials, getGoogleClientSecretViaGcloud, flutterfireConfigure, writeGoogleAuthOptions, writeGoogleIosUrlScheme, writeGoogleIosUrlSchemeFromClientId } = require('../scaffold/shared/post-build');
 const { toPackageName } = require('../scaffold/backends/firebase/tokens');
 const { setupFromScratch, setupExistingProject, listBillingAccounts, listGcpOrganizations, checkGcloudAuth, getGcloudInstallInstructions, enableAuthProviders, registerDebugSha1 } = require('../scaffold/backends/firebase/setup-from-scratch');
 const { enableAuthViaFirebaseCli } = require('../scaffold/backends/firebase/enable-auth-via-cli');
@@ -212,7 +212,7 @@ const STEP_LABELS = {
   'supabase db push':  { en: 'Database migrated',    pt: 'Banco migrado',        es: 'Base de datos migrada' },
   'anonymous sign-in': { en: 'Anonymous sign-in enabled', pt: 'Login anonimo ativado', es: 'Inicio de sesion anonimo activado' },
   'google sign-in': { en: 'Google Sign-In enabled', pt: 'Google Sign-In ativado', es: 'Google Sign-In activado' },
-  'apple sign-in': { en: 'Apple Sign-In ready (configure credentials before testing — kasy.dev/docs/apple)', pt: 'Apple Sign-In preparado (configure as credenciais antes de testar — kasy.dev/docs/apple)', es: 'Apple Sign-In listo (configura las credenciales antes de probar — kasy.dev/docs/apple)' },
+  'apple sign-in': { en: 'Apple Sign-In enabled (native iOS ready; for web add a Service ID at kasy.dev/docs/apple)', pt: 'Apple Sign-In ativado (iOS nativo pronto; para web adicione um Service ID em kasy.dev/docs/apple)', es: 'Apple Sign-In activado (iOS nativo listo; para web añade un Service ID en kasy.dev/docs/apple)' },
   'google-auth-options': { en: 'Google client IDs written', pt: 'Client IDs do Google gravados', es: 'Client IDs de Google escritos' },
   'ios-url-scheme': { en: 'iOS URL scheme registered', pt: 'URL scheme iOS registrado', es: 'URL scheme iOS registrado' },
   'google-ios-url-scheme': { en: 'iOS Google URL scheme registered', pt: 'URL scheme Google iOS registrado', es: 'URL scheme Google iOS registrado' },
@@ -220,7 +220,7 @@ const STEP_LABELS = {
   'secret REVENUECAT_WEBHOOK_KEY': { en: 'RevenueCat webhook secret', pt: 'Secret webhook RevenueCat', es: 'Secret webhook RevenueCat' },
   'secret META_ACCESS_TOKEN': { en: 'Meta Access Token', pt: 'Meta Access Token', es: 'Meta Access Token' },
   'secret META_DATASET_ID': { en: 'Meta Dataset ID', pt: 'Meta Dataset ID', es: 'Meta Dataset ID' },
-  'fcm-key': { en: 'FCM Service Account key generated', pt: 'Chave FCM gerada automaticamente', es: 'Clave FCM generada automáticamente' },
+  'fcm-key': { en: 'FCM Service Account key', pt: 'Chave de Service Account FCM', es: 'Clave de Service Account FCM' },
   'fcm-key-saved': { en: 'FCM key saved to .kasy/', pt: 'Chave FCM salva em .kasy/', es: 'Clave FCM guardada en .kasy/' },
   'secret FIREBASE_SERVICE_ACCOUNT_JSON': { en: 'FCM Service Account configured', pt: 'Service Account FCM configurado', es: 'Service Account FCM configurado' },
   'gcp-project': { en: 'GCP project created', pt: 'Projeto GCP criado', es: 'Proyecto GCP creado' },
@@ -233,6 +233,7 @@ const STEP_LABELS = {
   'sha1': { en: 'SHA-1 added for Google Sign-In', pt: 'SHA-1 adicionado para Google Sign-In', es: 'SHA-1 añadido para Google Sign-In' },
   'service-account': { en: 'Service account key created', pt: 'Chave de conta de servico criada', es: 'Clave de cuenta de servicio creada' },
   'firestore': { en: 'Firestore database created', pt: 'Banco Firestore criado', es: 'Base de datos Firestore creada' },
+  'firestore-rules': { en: 'Firestore security rules deployed', pt: 'Regras de seguranca Firestore publicadas', es: 'Reglas de seguridad Firestore desplegadas' },
   'storage': { en: 'Firebase Storage bucket created', pt: 'Bucket Firebase Storage criado', es: 'Bucket Firebase Storage creado' },
   'storage-cors': { en: 'CORS enabled on Storage (web images)', pt: 'CORS ativado no Storage (imagens na web)', es: 'CORS activado en Storage (imágenes en web)' },
 };
@@ -255,6 +256,7 @@ const STEP_PROGRESS = {
   'sha1':          { en: 'Adding SHA-1 for Google Sign-In…',        pt: 'Adicionando SHA-1 para Google Sign-In…', es: 'Añadiendo SHA-1 para Google Sign-In…' },
   'service-account': { en: 'Creating service account key…',         pt: 'Criando chave de conta de servico…',      es: 'Creando clave de cuenta de servicio…' },
   'firestore':     { en: 'Creating Firestore database…',            pt: 'Criando banco Firestore…',                es: 'Creando base de datos Firestore…' },
+  'firestore-rules': { en: 'Deploying Firestore security rules…',  pt: 'Publicando regras de seguranca Firestore…', es: 'Desplegando reglas de seguridad Firestore…' },
   'storage':       { en: 'Creating Firebase Storage bucket…',       pt: 'Criando bucket Firebase Storage…',        es: 'Creando bucket Firebase Storage…' },
   'storage-cors':  { en: 'Enabling CORS on Storage…',                pt: 'Ativando CORS no Storage…',               es: 'Activando CORS en Storage…' },
   'deploy-retry-wait':   { en: 'Waiting 4 min for GCP permissions to propagate… (do not close terminal)', pt: 'Aguardando 4 min para permissões do GCP propagarem… (não feche o terminal)', es: 'Esperando 4 min para propagar permisos de GCP… (no cierres la terminal)' },
@@ -772,6 +774,9 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
         } else if (key === 'auth-providers-warn') {
           ps1.stop();
           ui.log.warn(`${tr('new.firebase.interactive.authWarn')}\n${kleur.cyan(data?.url || '')}`);
+        } else if (key === 'auth-localhost-warn') {
+          ps1.stop();
+          ui.log.warn(`${tr('new.firebase.localhostWarn')}\n${kleur.cyan(data?.url || '')}`);
         }
       };
       let setupResult = await setupFromScratch(core.appName.trim(), core.bundleId.trim(), {
@@ -1179,6 +1184,9 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
         } else if (key === 'auth-google-warn') {
           ps4.stop();
           ui.log.warn(`${tr('new.firebase.existing.googleSignInManual')}\n${kleur.cyan(data?.url || '')}`);
+        } else if (key === 'auth-localhost-warn') {
+          ps4.stop();
+          ui.log.warn(`${tr('new.firebase.localhostWarn')}\n${kleur.cyan(data?.url || '')}`);
         }
       },
     });
@@ -1209,16 +1217,23 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
     // --with flag was passed: use those modules directly, skip preset prompt.
     modules = preselectedModules;
   } else if (isQuick) {
-    // Quick mode: ship all features by default. Facebook is excluded because
-    // it requires App ID + token that we can't auto-generate — the user adds
-    // it later with `kasy add facebook` when they have the credentials.
-    modules = (MODULE_PRESETS.full || []).filter((m) => m !== 'facebook');
+    // Quick mode: ship all features the backend supports. Facebook is excluded
+    // because it requires App ID + token that we can't auto-generate — the user
+    // adds it later with `kasy add facebook` when they have the credentials.
+    // Filter by availableIn so backend-specific features (e.g. feedback needs a
+    // DB) don't leak into a backend that can't support them.
+    const quickAvailable = new Set(
+      getVisibleFeatures({ audience: KASY_AUDIENCE, backend }).map((f) => f.id)
+    );
+    modules = (MODULE_PRESETS.full || []).filter((m) => m !== 'facebook' && quickAvailable.has(m));
   } else {
     section('new.advanced.section.features');
     // Advanced mode: full multiselect — built from catalog, filtered by audience + backend.
     const visibleFeatures = getVisibleFeatures({ audience: KASY_AUDIENCE, backend });
 
-    // web has an extra runtime constraint: firebase create-mode only
+    // In Firebase create-mode the web app is already decided by the
+    // `firebaseIncludeWeb` prompt above, so hide `web` from the multiselect there
+    // to avoid asking twice. Supabase, API and Firebase existing-mode show it.
     const isWebExcluded = backend === 'firebase' && firebaseSetupMode === 'create';
 
     // Visual groups in display order (header key → feature ids in this group)
@@ -1473,7 +1488,9 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
     firebaseProjectId: core.firebaseProjectId.trim(),
     modules: modules || [],
     backend,
-    includeWeb: backend === 'firebase' ? firebaseIncludeWeb : true,
+    // Web platform follows the `web` feature so the flutterfire web app and the
+    // web/ folder stay in sync across all backends (Firebase, Supabase, API).
+    includeWeb: modules.includes('web'),
     supabaseUrl: core.supabaseUrl?.trim(),
     supabaseAnonKey: core.supabaseAnonKey?.trim(),
     apiBaseUrl: core.apiBaseUrl?.trim(),
@@ -1581,38 +1598,66 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
     : (supabaseExistingResult?.ok ? { projectRef: supabaseExistingResult.projectRef, dbPassword: supabaseExistingResult.dbPassword } : null);
 
   if (backend === 'supabase') {
-    // ── Auto-resolve Google credentials from flutterfire output files ────────
+    // ── Google Sign-In: create a real Google OAuth client, then push it to Supabase ──
     const flutterfireOk = result.steps.find((s) => s.name === 'flutterfire')?.ok;
-    if (flutterfireOk) {
+    if (flutterfireOk && answers.firebaseProjectId) {
+      // Supabase Google Sign-In needs a genuine OAuth Web Client (id + secret).
+      // The only reliable way to create it is the Firebase CLI auth deploy, the
+      // same path the Firebase backend uses. The REST API cannot create the OAuth
+      // client, which is why Google used to come out disabled on Supabase projects.
+      const googleSpinner = ui.spinner();
+      googleSpinner.start(tr('new.google.enabling'));
+      const cliResult = await enableAuthViaFirebaseCli({
+        projectDir: targetDir,
+        projectId: answers.firebaseProjectId,
+        appName: answers.appName,
+      });
+      googleSpinner.stop(tr('new.google.enabling'));
+
+      if (cliResult.ok) {
+        // The deploy created the OAuth Web Client + iOS client. Re-run flutterfire so
+        // google-services.json and GoogleService-Info.plist pick up the new Client IDs.
+        const rerunSpinner = ui.spinner();
+        rerunSpinner.start(tr('new.google.refreshConfigs'));
+        await flutterfireConfigure(targetDir, answers.firebaseProjectId, {
+          includeWeb: answers.includeWeb !== false,
+        });
+        rerunSpinner.stop(tr('new.google.refreshConfigs'));
+      } else if (cliResult.error === 'support_email_required') {
+        ui.log.warn(tr('new.google.manualHint.noEmail'));
+      }
+
+      // Read the Web + iOS Client IDs from the refreshed config files.
       const fileCreds = await readSupabaseGoogleCredentials(targetDir);
       googleWebClientId = fileCreds.webClientId;
       googleIosClientId = fileCreds.iosClientId;
 
-      // Enable Google Sign-In in Firebase Auth so Identity Toolkit stores the client secret.
-      // This is the same step that setupFromScratch runs for Firebase backend.
-      // For Supabase, Firebase Auth is not used for auth, but enabling Google here is the
-      // only way to make the client secret available via the Identity Toolkit API.
-      // Non-fatal: silently ignored if it fails (e.g. API not yet propagated).
-      if (answers.firebaseProjectId) {
-        const authResult = await enableAuthProviders(answers.firebaseProjectId);
-        if (authResult.ok && !authResult.googleSignInSkipped) {
-          printStepResult({ name: 'google sign-in', ok: true }, language);
-        }
-        if (authResult.appleEnabled) {
-          printStepResult({ name: 'apple sign-in', ok: true }, language);
+      // Read the OAuth Client Secret from the Identity Toolkit now that the client
+      // exists. It can lag a moment behind the deploy, so retry briefly.
+      if (googleWebClientId) {
+        for (let attempt = 1; attempt <= 3 && !googleClientSecret; attempt++) {
+          googleClientSecret = await getGoogleClientSecretViaGcloud(answers.firebaseProjectId);
+          if (!googleClientSecret && attempt < 3) {
+            await new Promise((resolve) => setTimeout(resolve, 2000));
+          }
         }
       }
 
-      // Try to get the Client Secret from Identity Toolkit API (requires gcloud auth)
-      if (answers.firebaseProjectId && googleWebClientId) {
-        googleClientSecret = await getGoogleClientSecretViaGcloud(answers.firebaseProjectId);
-      }
-
-      // Always write google_auth_options.dart with whatever credentials we have
+      // Persist the Client IDs into the app and register the iOS URL scheme.
       if (googleWebClientId) {
         const gaResult = await writeSupabaseGoogleAuthOptions(targetDir, googleWebClientId, googleIosClientId);
         printStepResult({ name: 'google-auth-options', ok: gaResult.ok, detail: gaResult.error }, language);
       }
+      if (googleIosClientId) {
+        const iosResult = await writeGoogleIosUrlSchemeFromClientId(targetDir, googleIosClientId);
+        printStepResult({ name: 'google-ios-url-scheme', ok: iosResult.ok, detail: iosResult.error }, language);
+      }
+
+      // Google is only enabled on Supabase when we have both the Web Client ID and
+      // its secret. If either is missing, point the user to the dashboard to finish.
+      if (!googleWebClientId || !googleClientSecret) {
+        ui.log.warn(tr('new.google.supabaseManual'));
+      }
     }
 
     if (supabaseSetupPayload) {
@@ -1625,9 +1670,9 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
         fcmSpinner.stop(tr('new.fcm.generating'));
         if (fcmResult.ok) {
           fcmServiceAccountJson = fcmResult.json;
-          printStepResult({ name: 'fcm-key', ok: true }, language);
+          printStepResult({ name: 'fcm-key', ok: true, detail: tr('new.fcm.ok') }, language);
         } else {
-          printStepResult({ name: 'fcm-key', ok: false, detail: 'configure FIREBASE_SERVICE_ACCOUNT_JSON manualmente' }, language);
+          printStepResult({ name: 'fcm-key', ok: false, detail: tr('new.fcm.failSupabase') }, language);
         }
       }
 
@@ -1651,12 +1696,14 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
         const google = googleWebClientId && googleClientSecret
           ? { webClientId: googleWebClientId, clientSecret: googleClientSecret }
           : {};
+        const apple = answers.bundleId ? { bundleId: answers.bundleId } : {};
         const setupSteps = await setupLinkedProject(
           targetDir,
           supabaseSetupPayload.projectRef,
           supabaseSetupPayload.dbPassword,
           secrets,
-          google
+          google,
+          apple
         );
         setupSpinner.stop(tr('new.supabase.setup'));
         setupSteps.forEach((s) => printStepResult(s, language));
@@ -1718,7 +1765,7 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
         printStepResult({ name: 'fcm-key-saved', ok: false, detail: 'salvar arquivo de chave falhou' }, language);
       }
     } else {
-      printStepResult({ name: 'fcm-key', ok: false, detail: 'configure FIREBASE_SERVICE_ACCOUNT_JSON manualmente' }, language);
+      printStepResult({ name: 'fcm-key', ok: false, detail: tr('new.fcm.failApi') }, language);
     }
   }
 
@@ -1759,12 +1806,12 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
   }
 
   // ── Google + Apple Sign-In: use Firebase CLI for Google (creates OAuth client),
-  // then REST API for Apple as best-effort. ───────────────────────────────────
+  // then REST API for Apple as best-effort.
   // Firebase CLI's `deploy --only auth` is the only documented path that auto-
-  // creates the OAuth 2.0 Web Client without manual Console clicks — the same
+  // creates the OAuth 2.0 Web Client without manual Console clicks, the same
   // backend that the Console hits internally.
-  // (Supabase backend keeps the REST-only retry — its OAuth client is provisioned
-  // differently via the linked Firebase Web app.)
+  // (The Supabase backend runs the same CLI deploy earlier, in its own block, then
+  // pushes the resulting Google + Apple credentials to Supabase via the Mgmt API.)
   if (backend === 'firebase' && answers.firebaseProjectId && flutterfireStep?.ok) {
     const googleSpinner = ui.spinner();
     googleSpinner.start(tr('new.google.enabling'));
@@ -1804,6 +1851,9 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
     if (appleResult.appleEnabled) {
       printStepResult({ name: 'apple sign-in', ok: true }, language);
     }
+    if (appleResult.localhostAuthorized === false) {
+      ui.log.warn(`${tr('new.firebase.localhostWarn')}\n${kleur.cyan(`https://console.firebase.google.com/project/${answers.firebaseProjectId}/authentication/settings`)}`);
+    }
   }
 
   // APNs key (iOS push) is intentionally not mentioned here — it only becomes

package/lib/commands/run.js

@@ -292,10 +292,24 @@ async function runRun(directory, options = {}) {
   }
 
   if (isChromeTarget || isWebServerTarget) {
+    // Pin the host to `localhost` so the app's origin is always an authorized
+    // domain. Firebase Auth authorizes `localhost` by default but NOT
+    // `127.0.0.1`, and `flutter run -d chrome` would otherwise auto-launch
+    // Chrome at 127.0.0.1 — which breaks Google sign-in with
+    // [firebase_auth/unauthorized-domain]. Forcing localhost makes Google
+    // login work out of the box, no Firebase Console changes required.
+    deviceArgs.push('--web-hostname', options.webHostname || 'localhost');
     // Pin a fixed port so the Chrome origin stays the same between runs.
     // Firebase Auth persists sessions per-origin (IndexedDB) — a random port
     // each run means the user gets logged out every restart.
     deviceArgs.push('--web-port', options.webPort || '5555');
+    // Google Sign-In opens an auth popup that must talk back to the app window.
+    // The web server's default Cross-Origin-Opener-Policy can sever that link
+    // ("Cross-Origin-Opener-Policy policy would block the window.closed call"),
+    // so in a plain browser tab (kasy run --web, no dedicated Chrome) the popup
+    // can't report success and sign-in appears to fail. `same-origin-allow-popups`
+    // keeps the opener relationship intact while staying same-origin safe.
+    deviceArgs.push('--web-header', 'Cross-Origin-Opener-Policy=same-origin-allow-popups');
   }
 
   // Read dart-defines from .vscode/launch.json (skip if --no-defines)

package/lib/scaffold/backends/api/patch/lib/core/data/api/meta_ads_api.dart

@@ -10,7 +10,7 @@ final metaAdsApiProvider = Provider<MetaAdsApi>(
 ///
 /// Your backend must expose:
 ///   POST /meta-track-event
-///   Authorization: Bearer <user-token>
+///   Authorization: Bearer `<user-token>`
 ///   Body: { "event_name": "CompleteRegistration", "custom_data": {} }
 ///
 /// The backend is responsible for calling the Meta Graph API server-to-server.

package/lib/scaffold/backends/api/patch/lib/core/data/api/storage_api.dart

@@ -34,7 +34,7 @@ abstract class StorageApi {
 ///
 /// Expected endpoints:
 ///   POST   /storage/upload  — multipart/form-data with fields: file, folder, public
-///   DELETE /storage/file    — JSON body: { "path": "<imagePath>" }
+///   DELETE /storage/file    — JSON body: `{ "path": "<imagePath>" }`
 ///
 /// Expected upload response JSON:
 ///   { "path": "folder/filename.jpg", "url": "https://..." }

package/lib/scaffold/backends/api/patch/lib/core/data/entities/user_entity.dart

@@ -29,7 +29,7 @@ class Credentials {
   final String id;
   // this is the user security token (example: JWT)
   // but your can use an Oauth2 token with a refresh token too
-  final String token;
+  final String? token;
 
   Credentials({
     required this.id,

package/lib/scaffold/backends/api/patch/lib/features/authentication/api/authentication_api.dart

@@ -101,7 +101,7 @@ class HttpAuthenticationApi implements AuthenticationApi {
   }
 
   @override
-  Future<Credentials> signinAnonymously() async {
+  Future<Credentials> signinAnonymously() {
     // REST API backends typically do not support anonymous accounts natively.
     // Option A – skip anonymous sign-in: remove anonymous auth from the
     //   onboarding flow and require full registration before using the app.
@@ -145,7 +145,7 @@ class HttpAuthenticationApi implements AuthenticationApi {
   }
 
   @override
-  Future<Credentials> signinWithGooglePlay() async {
+  Future<Credentials> signinWithGooglePlay() {
     // google_sign_in 7.x removed SignInOption.games.
     // For Play Games support, use the games_services package separately.
     return signinWithGoogle();
@@ -166,14 +166,13 @@ class HttpAuthenticationApi implements AuthenticationApi {
       rethrow;
     }
     throw UnimplementedError('''
-    ❌ You must edit lib/features/authentication/api/authentication_api.dart 
+    ❌ You must edit lib/features/authentication/api/authentication_api.dart
     to send the Oauth2 token result to your backend
+    Available token: ${credential.identityToken}
     ----------------
     Please follow the instructions here:
     https://pub.dev/packages/sign_in_with_apple
     ''');
-    
-    
   }
 
   @override

package/lib/scaffold/backends/api/patch/lib/features/feedbacks/api/feature_request_api.dart

@@ -11,7 +11,7 @@ final featureRequestApiProvider = Provider<FeatureRequestApi>(
 );
 
 /// REST endpoints expected:
-///   GET  /feature-requests              → List<FeatureRequestEntity> (only active)
+///   GET  /feature-requests              → `List<FeatureRequestEntity>` (only active)
 ///   POST /feature-requests              body: {title, description} → 201 Created
 ///     Server creates with active: false and stores title/description in all locales.
 class FeatureRequestApi {

package/lib/scaffold/backends/api/patch/lib/features/feedbacks/api/feature_vote_api.dart

@@ -11,7 +11,7 @@ final featureVoteApiProvider = Provider<FeatureVoteApi>(
 );
 
 /// REST endpoints expected:
-///   GET    /feature-votes          → List<UserFeatureVoteEntity> (filtered by authenticated user)
+///   GET    /feature-votes          → `List<UserFeatureVoteEntity>` (filtered by authenticated user)
 ///   POST   /feature-votes          → UserFeatureVoteEntity  body: {feature_id}
 ///   DELETE /feature-votes/:id      → 204 No Content
 class FeatureVoteApi {

package/lib/scaffold/backends/api/patch/lib/features/llm_chat/api/llm_chat_api.dart

@@ -9,7 +9,7 @@ final llmChatApiProvider = Provider<LlmChatApi>(
 );
 
 /// REST endpoints expected on your backend:
-///   GET    /llm-messages            → List<LlmChatMessageEntity> (current user)
+///   GET    /llm-messages            → `List<LlmChatMessageEntity>` (current user)
 ///   POST   /llm-messages            → saves one message
 ///   DELETE /llm-messages            → clears all messages (current user)
 ///