kasy-cli 1.21.8 → 1.22.0

package/lib/scaffold/backends/firebase/enable-auth-via-cli.js

@@ -63,9 +63,12 @@ async function mergeAuthIntoFirebaseJson(projectDir, providers) {
  * @param {string} options.projectId
  * @param {string} options.appName
  * @param {string} [options.supportEmail] - falls back to active gcloud account
+ * @param {boolean} [options.googleOnly] - Supabase: enable ONLY Google (the deploy's
+ *   side effect creates the OAuth Web Client we need). Anonymous/Email/Password in
+ *   Firebase Auth would be dead config there, since the app uses Supabase Auth.
  * @returns {{ ok: boolean, error?: string, supportEmail?: string }}
  */
-async function enableAuthViaFirebaseCli({ projectDir, projectId, appName, supportEmail }) {
+async function enableAuthViaFirebaseCli({ projectDir, projectId, appName, supportEmail, googleOnly = false }) {
   // 1. Resolve support email (required by Google's OAuth consent screen)
   let email = (supportEmail || '').trim();
   if (!email) email = await getGcloudAccountEmail();
@@ -76,15 +79,20 @@ async function enableAuthViaFirebaseCli({ projectDir, projectId, appName, suppor
     };
   }
 
-  // 2. Merge firebase.json
-  const merge = await mergeAuthIntoFirebaseJson(projectDir, {
-    anonymous: true,
-    emailPassword: true,
+  // 2. Merge firebase.json. Google is always enabled (it's the whole point — the
+  // deploy creates its OAuth Web Client). Anonymous + Email/Password are added only
+  // for the Firebase backend, whose app actually signs in through Firebase Auth.
+  const providers = {
     googleSignIn: {
       oAuthBrandDisplayName: appName,
       supportEmail: email,
     },
-  });
+  };
+  if (!googleOnly) {
+    providers.anonymous = true;
+    providers.emailPassword = true;
+  }
+  const merge = await mergeAuthIntoFirebaseJson(projectDir, providers);
   if (!merge.ok) return merge;
 
   // 3. Deploy. --non-interactive prevents the CLI from prompting on edge cases.

package/lib/scaffold/backends/firebase/generator.js

@@ -1,12 +1,12 @@
 /**
  * Firebase project generator.
  *
- * Wrapper fino sobre generateProject().
- * A lógica de geração comum (cópia, pub get, slang, build_runner, flutterfire)
- * vive em cli/lib/scaffold/generate.js.
+ * Thin wrapper over generateProject().
+ * The common generation logic (copy, pub get, slang, build_runner, flutterfire)
+ * lives in cli/lib/scaffold/generate.js.
  *
- * Hook específico:
- *   postBuild → runDeploy (opcional, controlado por options.deploy)
+ * Specific hook:
+ *   postBuild → runDeploy (optional, controlled by options.deploy)
  */
 
 const { generateProject } = require('../../generate');

package/lib/scaffold/backends/firebase/setup-from-scratch.js

@@ -730,34 +730,24 @@ async function ensureLocalhostAuthorizedDomains(projectId, token) {
 }
 
 /**
- * Enable Firebase Auth sign-in providers: Email/Password, Anonymous and Google.
- * Uses the Identity Toolkit Admin v2 REST API with gcloud credentials.
+ * Initialize Firebase Auth (Identity Platform) for a project. Brand-new projects
+ * have no auth config, so any Admin v2 operation (PATCH /config, or the Firebase
+ * CLI `deploy --only auth`) fails with CONFIGURATION_NOT_FOUND until this runs.
  *
- * Flow:
- *  1. Call identityPlatform:initializeAuth to create the auth config for the project
- *     (required for new projects — PATCH fails with CONFIGURATION_NOT_FOUND without it).
- *  2. PATCH /config to enable Email/Password and Anonymous.
- *  3. POST defaultSupportedIdpConfigs to enable Google Sign-In.
- *     Google Sign-In requires an OAuth client_id that Firebase creates when the user
- *     enables it in the Console — if the client doesn't exist yet this step is skipped
- *     and googleSignInSkipped=true is returned so the caller can show a targeted hint.
- *
- * Non-fatal: returns { ok: false, error } without throwing if the API call fails.
+ * The endpoint is idempotent: it returns {} both on first init and when auth was
+ * already initialized. Non-fatal by contract — callers proceed on failure since
+ * the config may already exist.
  *
  * @param {string} projectId
- * @returns {{ ok: boolean, googleSignInSkipped?: boolean, error?: string }}
+ * @returns {{ ok: boolean, error?: string }}
  */
-async function enableAuthProviders(projectId, { maxRetries = 3, retryDelayMs = 15000 } = {}) {
+async function ensureFirebaseAuthInitialized(projectId, { maxRetries = 3, retryDelayMs = 15000 } = {}) {
   let token;
   try {
     token = await getAccessToken();
   } catch (_) {
     return { ok: false, error: 'Could not get access token' };
   }
-
-  // Step 1: Initialize Firebase Auth for the project.
-  // New projects have no auth config — PATCH returns CONFIGURATION_NOT_FOUND without this.
-  // The endpoint is idempotent: it returns {} on success or if already initialized.
   const initUrl = `https://identitytoolkit.googleapis.com/v2/projects/${projectId}/identityPlatform:initializeAuth`;
   for (let attempt = 1; attempt <= maxRetries; attempt++) {
     const initRes = await fetch(initUrl, {
@@ -769,19 +759,45 @@ async function enableAuthProviders(projectId, { maxRetries = 3, retryDelayMs = 1
       },
       body: JSON.stringify({}),
     });
-    if (initRes.ok) break;
-    await initRes.text(); // consume body to release connection
+    if (initRes.ok) return { ok: true };
+    const text = await initRes.text(); // consume body to release connection
     if (attempt < maxRetries && (initRes.status === 404 || initRes.status === 503)) {
       await sleep(retryDelayMs);
       try { token = await getAccessToken(); } catch (_) {}
       continue;
     }
-    // Non-fatal — still attempt PATCH below in case auth was already initialized.
-    break;
+    return { ok: false, error: `${initRes.status}: ${text}` };
   }
+  return { ok: false, error: 'initializeAuth: exhausted retries' };
+}
+
+/**
+ * Enable Firebase Auth sign-in providers: Email/Password, Anonymous and Google.
+ * Uses the Identity Toolkit Admin v2 REST API with gcloud credentials.
+ *
+ * Flow:
+ *  1. Call identityPlatform:initializeAuth to create the auth config for the project
+ *     (required for new projects — PATCH fails with CONFIGURATION_NOT_FOUND without it).
+ *  2. PATCH /config to enable Email/Password and Anonymous.
+ *  3. POST defaultSupportedIdpConfigs to enable Google Sign-In.
+ *     Google Sign-In requires an OAuth client_id that Firebase creates when the user
+ *     enables it in the Console — if the client doesn't exist yet this step is skipped
+ *     and googleSignInSkipped=true is returned so the caller can show a targeted hint.
+ *
+ * Non-fatal: returns { ok: false, error } without throwing if the API call fails.
+ *
+ * @param {string} projectId
+ * @returns {{ ok: boolean, googleSignInSkipped?: boolean, error?: string }}
+ */
+async function enableAuthProviders(projectId, { maxRetries = 3, retryDelayMs = 15000 } = {}) {
+  // Step 1: Initialize Firebase Auth (non-fatal — the PATCH below still runs in
+  // case auth was already initialized). The shared helper keeps the init logic in
+  // one place so the Supabase flow can reuse it before its `deploy --only auth`.
+  await ensureFirebaseAuthInitialized(projectId, { maxRetries, retryDelayMs });
 
   // Step 2: Enable Email/Password and Anonymous auth providers.
   const configUrl = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/config?updateMask=signIn.email,signIn.anonymous`;
+  let token;
   let lastError;
   for (let attempt = 1; attempt <= maxRetries; attempt++) {
     try { token = await getAccessToken(); } catch (_) {
@@ -996,27 +1012,34 @@ async function setupFromScratch(appName, bundleId, options = {}) {
   const addResult = await addFirebaseToProject(projectId, { onProgress });
   if (!addResult.ok) return { ok: false, error: `[addFirebase] ${addResult.error}`, projectId };
 
-  // Enable Email/Password, Anonymous and Google Sign-In auth providers automatically.
-  // Non-fatal — project setup continues even if this call fails.
-  const authResult = await enableAuthProviders(projectId);
-  if (!authResult.ok) {
-    onProgress('auth-providers-warn', {
-      error: authResult.error,
-      url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
-    });
-  } else if (authResult.googleSignInSkipped) {
-    // Email/Password and Anonymous were enabled. Google Sign-In needs an OAuth client
-    // that Firebase creates when you enable it in the Console for the first time.
-    onProgress('auth-google-warn', {
-      url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
-    });
-  }
-  // Providers were enabled but localhost couldn't be authorized — warn so the user
-  // isn't surprised by [firebase_auth/unauthorized-domain] on web sign-in.
-  if (authResult.ok && authResult.localhostAuthorized === false) {
-    onProgress('auth-localhost-warn', {
-      url: `https://console.firebase.google.com/project/${projectId}/authentication/settings`,
-    });
+  // Firebase Auth providers (Email/Password, Anonymous, Google, Apple) only matter
+  // for the Firebase backend, whose app authenticates against Firebase Auth. In
+  // fcmOnly mode the app is Supabase/API and authenticates elsewhere, so we leave
+  // Firebase Auth untouched — this project exists purely for FCM/push (and, for
+  // Supabase, the Google OAuth client, which new.js creates separately via
+  // `firebase deploy --only auth`). Non-fatal — setup continues even if it fails.
+  let authResult = null;
+  if (!fcmOnly) {
+    authResult = await enableAuthProviders(projectId);
+    if (!authResult.ok) {
+      onProgress('auth-providers-warn', {
+        error: authResult.error,
+        url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
+      });
+    } else if (authResult.googleSignInSkipped) {
+      // Email/Password and Anonymous were enabled. Google Sign-In needs an OAuth client
+      // that Firebase creates when you enable it in the Console for the first time.
+      onProgress('auth-google-warn', {
+        url: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
+      });
+    }
+    // Providers were enabled but localhost couldn't be authorized — warn so the user
+    // isn't surprised by [firebase_auth/unauthorized-domain] on web sign-in.
+    if (authResult.ok && authResult.localhostAuthorized === false) {
+      onProgress('auth-localhost-warn', {
+        url: `https://console.firebase.google.com/project/${projectId}/authentication/settings`,
+      });
+    }
   }
 
   // Firestore + Storage are Firebase-backend features (and need Blaze). In
@@ -1089,8 +1112,8 @@ async function setupFromScratch(appName, bundleId, options = {}) {
   return {
     ok: true,
     projectId,
-    authEnabled: authResult.ok,
-    googleSignInSkipped: authResult.ok && !!authResult.googleSignInSkipped,
+    authEnabled: authResult ? authResult.ok : null,
+    googleSignInSkipped: authResult ? (authResult.ok && !!authResult.googleSignInSkipped) : false,
     sha1Skipped,
     sha1Error,
     sha1ManualUrl: `https://console.firebase.google.com/project/${projectId}/settings/general/android:${bundleId}`,
@@ -1238,6 +1261,7 @@ module.exports = {
   applyStorageCors,
   checkBillingEnabled,
   enableAuthProviders,
+  ensureFirebaseAuthInitialized,
   ensureLocalhostAuthorizedDomains,
   listBillingAccounts,
   listGcpOrganizations,

package/lib/scaffold/backends/firebase/tokens.js

@@ -21,7 +21,7 @@ const ORIGINAL_SHORT_NAME = 'appfirebase';
 
 /**
  * Normalize app name to a valid Dart package name.
- * "Meu App Incrível" → "meu_app_incrivel"
+ * "My Café App" → "my_cafe_app"
  */
 function toPackageName(appName) {
   return (appName || '')
@@ -52,8 +52,8 @@ function bundleIdToPath(bundleId) {
 
 const ORIGINAL_BUNDLE_ID_PATH = bundleIdToPath(ORIGINAL_BUNDLE_ID);
 
-// Facebook — só caracteres permitidos no URL scheme da Apple (RFC1738).
-// Sem credenciais no `kasy new`, mantém estes placeholders (login FB não funciona até trocar).
+// Facebook — only the characters allowed in Apple's URL scheme (RFC1738).
+// Without credentials in `kasy new`, keep these placeholders (FB login won't work until replaced).
 const FB_APP_ID_PLACEHOLDER = '000000000000000';
 const FB_CLIENT_TOKEN_PLACEHOLDER = '00000000000000000000000000000000';
 
@@ -91,7 +91,7 @@ function buildTokens({ appName, bundleId, fbAppId, fbToken, defaultPaywall = 'ba
     [`"${ORIGINAL_SHORT_NAME}"`]: `"${shortName}"`,
     // pubspec.yaml name field
     [`name: ${ORIGINAL_PACKAGE}`]: `name: ${packageName}`,
-    // Facebook (placeholders → user values ou mantém placeholder válido p/ App Store)
+    // Facebook (placeholders → user values, or keep a valid placeholder for the App Store)
     [FB_APP_ID_PLACEHOLDER]: fbAppId?.trim() || FB_APP_ID_PLACEHOLDER,
     [`fb${FB_APP_ID_PLACEHOLDER}`]: fbAppId?.trim() ? `fb${fbAppId.trim()}` : `fb${FB_APP_ID_PLACEHOLDER}`,
     [FB_CLIENT_TOKEN_PLACEHOLDER]: fbToken?.trim() || FB_CLIENT_TOKEN_PLACEHOLDER,

package/lib/scaffold/backends/supabase/deploy.js

@@ -88,6 +88,42 @@ async function getOrgsList() {
   return { ok: true, orgs: orgs.map((o) => ({ id: o.id, name: o.name || o.id })) };
 }
 
+/**
+ * Classify a failed `supabase projects create` (or login) error so the caller
+ * can show targeted guidance instead of a raw API string:
+ *   - 'login'      → not authenticated (token missing/expired)
+ *   - 'free_limit' → Free plan active-project cap reached for this organization
+ *   - 'unknown'    → anything else (caller shows the raw message)
+ *
+ * Matching is intentionally loose: the Supabase Management API wording for the
+ * Free-plan cap has shifted over time ("maximum number of projects", "free plan",
+ * "project limit", "upgrade to a paid plan"…), so we key off stable keywords
+ * rather than an exact string that would silently stop matching after a change.
+ *
+ * @param {string} error
+ * @returns {'login'|'free_limit'|'unknown'}
+ */
+function classifyCreateError(error) {
+  const msg = (error || '').toLowerCase();
+  if (!msg) return 'unknown';
+  if (
+    msg.includes('login required') ||
+    msg.includes('not logged in') ||
+    msg.includes('access token') ||
+    msg.includes('unauthorized') ||
+    msg.includes('401')
+  ) {
+    return 'login';
+  }
+  const freeLimit =
+    /maximum number of (active )?projects/.test(msg) ||
+    /project limit/.test(msg) ||
+    (/free/.test(msg) && /(plan|tier)/.test(msg) && /(limit|maximum|reached|exceed)/.test(msg)) ||
+    (/reached/.test(msg) && /limit/.test(msg)) ||
+    /upgrade .*(plan|pro|paid)/.test(msg);
+  return freeLimit ? 'free_limit' : 'unknown';
+}
+
 /**
  * Create a new Supabase project.
  * @param {string} projectName
@@ -338,7 +374,7 @@ async function setSecret(projectDir, key, value) {
  * Uses execFile to avoid shell injection on user-supplied values.
  */
 async function setSupabaseSecrets(projectDir, secrets = {}) {
-  const { rcWebhookKey, metaAccessToken, metaDatasetId, firebaseProjectId, firebaseServiceAccountJson, llmApiKey, llmProvider, llmSystemPrompt } = secrets;
+  const { rcWebhookKey, metaAccessToken, metaDatasetId, firebaseProjectId, firebaseServiceAccountJson, aiApiKey, aiProvider, aiSystemPrompt, stripeSecretKey, stripeWebhookSecret, stripeProductId } = secrets;
   const steps = [];
 
   if (firebaseProjectId && String(firebaseProjectId).trim()) {
@@ -373,19 +409,34 @@ async function setSupabaseSecrets(projectDir, secrets = {}) {
     steps.push({ name: 'secret META_DATASET_ID', ok: r.ok, error: r.error });
   }
 
-  if (llmApiKey && String(llmApiKey).trim()) {
-    const r = await setSecret(projectDir, 'LLM_API_KEY', String(llmApiKey).trim());
-    steps.push({ name: 'secret LLM_API_KEY', ok: r.ok, error: r.error });
+  if (aiApiKey && String(aiApiKey).trim()) {
+    const r = await setSecret(projectDir, 'AI_API_KEY', String(aiApiKey).trim());
+    steps.push({ name: 'secret AI_API_KEY', ok: r.ok, error: r.error });
+  }
+
+  if (aiProvider && String(aiProvider).trim()) {
+    const r = await setSecret(projectDir, 'AI_PROVIDER', String(aiProvider).trim());
+    steps.push({ name: 'secret AI_PROVIDER', ok: r.ok, error: r.error });
+  }
+
+  if (aiSystemPrompt && String(aiSystemPrompt).trim()) {
+    const r = await setSecret(projectDir, 'AI_SYSTEM_PROMPT', String(aiSystemPrompt).trim());
+    steps.push({ name: 'secret AI_SYSTEM_PROMPT', ok: r.ok, error: r.error });
+  }
+
+  if (stripeSecretKey && String(stripeSecretKey).trim()) {
+    const r = await setSecret(projectDir, 'STRIPE_SECRET_KEY', String(stripeSecretKey).trim());
+    steps.push({ name: 'secret STRIPE_SECRET_KEY', ok: r.ok, error: r.error });
   }
 
-  if (llmProvider && String(llmProvider).trim()) {
-    const r = await setSecret(projectDir, 'LLM_PROVIDER', String(llmProvider).trim());
-    steps.push({ name: 'secret LLM_PROVIDER', ok: r.ok, error: r.error });
+  if (stripeWebhookSecret && String(stripeWebhookSecret).trim()) {
+    const r = await setSecret(projectDir, 'STRIPE_WEBHOOK_SECRET', String(stripeWebhookSecret).trim());
+    steps.push({ name: 'secret STRIPE_WEBHOOK_SECRET', ok: r.ok, error: r.error });
   }
 
-  if (llmSystemPrompt && String(llmSystemPrompt).trim()) {
-    const r = await setSecret(projectDir, 'LLM_SYSTEM_PROMPT', String(llmSystemPrompt).trim());
-    steps.push({ name: 'secret LLM_SYSTEM_PROMPT', ok: r.ok, error: r.error });
+  if (stripeProductId && String(stripeProductId).trim()) {
+    const r = await setSecret(projectDir, 'STRIPE_PRODUCT_ID', String(stripeProductId).trim());
+    steps.push({ name: 'secret STRIPE_PRODUCT_ID', ok: r.ok, error: r.error });
   }
 
   return steps;
@@ -410,7 +461,7 @@ async function deployFunctions(projectDir, functionNames = []) {
   for (const name of toDeploy) {
     const fnPath = path.join(functionsDir, name);
     if (!(await fs.pathExists(fnPath))) continue;
-    const noVerifyJwt = (name === 'llm-chat' || name === 'revenuecat-webhook' || name === 'send-push-notification') ? ' --no-verify-jwt' : '';
+    const noVerifyJwt = (name === 'ai-chat' || name === 'revenuecat-webhook' || name === 'send-push-notification' || name === 'stripe-webhook') ? ' --no-verify-jwt' : '';
     const result = await run(`supabase functions deploy ${name}${noVerifyJwt}`, projectDir);
     steps.push({ name: `deploy ${name}`, ok: result.ok, error: result.error });
   }
@@ -540,6 +591,7 @@ module.exports = {
   getOrgsList,
   getProjectsByOrg,
   createProject,
+  classifyCreateError,
   getProjectKeys,
   linkProject,
   dbPush,

package/lib/scaffold/backends/supabase/edge-functions/admin-list-users/index.ts

@@ -0,0 +1,149 @@
+/**
+ * Supabase Edge Function: Admin — List Users
+ *
+ * Lists app users for the admin console. Returns the most-recent users (bounded
+ * to MAX_SCAN) with their subscriber status already resolved; the Flutter client
+ * (admin_users_tab.dart) does search / sort / pagination locally so those
+ * interactions are instant. Shape: { users, totalUsers, truncated } — identical
+ * to the Firebase Cloud Function so the shared UI stays the same.
+ *
+ * Security (two layers):
+ *   1. The caller is verified with THEIR OWN JWT (getUser) and must carry
+ *      role == "admin" on their own public.users row (read under their RLS).
+ *   2. Only AFTER that check do we use the service role to read across all
+ *      users — the users/subscriptions RLS exposes only a user's own row, so a
+ *      non-admin can never reach other people's data.
+ *
+ * Deployed WITH JWT verification (the default) — see deploy.js.
+ */
+
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
+
+const corsHeaders = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+};
+
+// In-memory cap: load up to this many of the most recent users in one call.
+// Larger apps should add a dedicated search index (see README).
+const MAX_SCAN = 1000;
+
+// A user counts as a subscriber when their subscription is currently usable.
+const ACTIVE_SUBSCRIPTION_STATUSES = ["ACTIVE", "LIFETIME"];
+
+interface AdminUser {
+  id: string;
+  email: string | null;
+  name: string | null;
+  createdAt: number | null; // epoch millis
+  subscriber: boolean;
+}
+
+function json(body: unknown, status: number): Response {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { ...corsHeaders, "Content-Type": "application/json" },
+  });
+}
+
+Deno.serve(async (req: Request) => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+  if (req.method !== "POST") {
+    return json({ error: "Method not allowed" }, 405);
+  }
+
+  const authHeader = req.headers.get("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    return json({ error: "Missing or invalid Authorization header" }, 401);
+  }
+
+  const supabaseUrl = Deno.env.get("SUPABASE_URL");
+  const anonKey = Deno.env.get("SUPABASE_ANON_KEY");
+  const serviceRoleKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY");
+  if (!supabaseUrl || !anonKey || !serviceRoleKey) {
+    console.error("[admin-list-users] Missing SUPABASE_URL / ANON / SERVICE key");
+    return json({ error: "Server configuration error" }, 500);
+  }
+
+  // 1. Verify the caller with their own JWT.
+  const token = authHeader.replace("Bearer ", "");
+  const supabaseAuth = createClient(supabaseUrl, anonKey, {
+    global: { headers: { Authorization: authHeader } },
+  });
+  const {
+    data: { user },
+    error: authError,
+  } = await supabaseAuth.auth.getUser(token);
+  if (authError || !user) {
+    console.warn("[admin-list-users] Unauthenticated request:", authError?.message);
+    return json({ error: "You must be authenticated" }, 401);
+  }
+
+  try {
+    // 2. Admin gate: the caller's own row must carry role == "admin".
+    //    This read runs under the caller's RLS (own row only) — no privilege.
+    const { data: caller, error: callerError } = await supabaseAuth
+      .from("users")
+      .select("role")
+      .eq("id", user.id)
+      .maybeSingle();
+    if (callerError || !caller || caller.role !== "admin") {
+      console.warn(`[admin-list-users] Non-admin request from ${user.id}`);
+      return json({ error: "Admin role required" }, 403);
+    }
+
+    // 3. Verified admin → service role can read across all users/subscriptions.
+    const admin = createClient(supabaseUrl, serviceRoleKey);
+
+    // Newest first; users without a creation_date sort to the end (Postgres,
+    // unlike Firestore, keeps NULL-date rows instead of dropping them). The
+    // client re-sorts anyway, so this only decides which rows survive the cap.
+    const { data: rows, error: rowsError } = await admin
+      .from("users")
+      .select("id, email, name, creation_date")
+      .order("creation_date", { ascending: false, nullsFirst: false })
+      .limit(MAX_SCAN);
+    if (rowsError) throw rowsError;
+
+    const docs = rows ?? [];
+    const ids = docs.map((d) => d.id);
+
+    const activeSubscribers = new Set<string>();
+    if (ids.length > 0) {
+      const { data: subs, error: subError } = await admin
+        .from("subscriptions")
+        .select("user_id, status")
+        .in("user_id", ids);
+      if (subError) throw subError;
+      for (const s of subs ?? []) {
+        if (ACTIVE_SUBSCRIPTION_STATUSES.includes(s.status)) {
+          activeSubscribers.add(s.user_id);
+        }
+      }
+    }
+
+    const users: AdminUser[] = docs.map((d) => ({
+      id: d.id,
+      email: (d.email as string) || null,
+      name: (d.name as string) || null,
+      createdAt: d.creation_date ? new Date(d.creation_date).getTime() : null,
+      subscriber: activeSubscribers.has(d.id),
+    }));
+
+    const { count } = await admin
+      .from("users")
+      .select("*", { count: "exact", head: true });
+    const totalUsers = count ?? users.length;
+
+    return json(
+      { users, totalUsers, truncated: totalUsers > users.length },
+      200,
+    );
+  } catch (e) {
+    console.error("[admin-list-users] Error:", e);
+    return json({ error: "Failed to list users" }, 500);
+  }
+});

package/lib/scaffold/backends/supabase/edge-functions/{llm-chat → ai-chat}/index.ts

@@ -1,23 +1,23 @@
 /**
- * Supabase Edge Function: LLM Chat Proxy (streaming)
+ * Supabase Edge Function: AI Chat Proxy (streaming)
  *
  * Receives {message, history} from the Flutter app and streams the response
  * back as Server-Sent Events (SSE). The API key never leaves the server.
  *
  * Secrets required (set via `supabase secrets set`):
- *   - LLM_API_KEY: API key for OpenAI or Gemini
- *   - LLM_PROVIDER: "openai" (default) or "gemini"
- *   - LLM_SYSTEM_PROMPT: System prompt for the agent (optional)
+ *   - AI_API_KEY: API key for OpenAI or Gemini
+ *   - AI_PROVIDER: "openai" (default) or "gemini"
+ *   - AI_SYSTEM_PROMPT: System prompt for the agent (optional)
  *
  * App dart-define:
- *   - LLM_CHAT_ENDPOINT: https://<project-ref>.supabase.co/functions/v1/llm-chat
+ *   - AI_CHAT_ENDPOINT: https://<project-ref>.supabase.co/functions/v1/ai-chat
  *
- * Deploy: supabase functions deploy llm-chat --no-verify-jwt
+ * Deploy: supabase functions deploy ai-chat --no-verify-jwt
  */
 
-const LLM_API_KEY = Deno.env.get("LLM_API_KEY") ?? "";
-const LLM_PROVIDER = Deno.env.get("LLM_PROVIDER") ?? "openai";
-const LLM_SYSTEM_PROMPT = Deno.env.get("LLM_SYSTEM_PROMPT") ?? "";
+const AI_API_KEY = Deno.env.get("AI_API_KEY") ?? "";
+const AI_PROVIDER = Deno.env.get("AI_PROVIDER") ?? "openai";
+const AI_SYSTEM_PROMPT = Deno.env.get("AI_SYSTEM_PROMPT") ?? "";
 const SUPABASE_URL = Deno.env.get("SUPABASE_URL") ?? "";
 const SUPABASE_SERVICE_ROLE_KEY = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY") ?? "";
 
@@ -41,14 +41,14 @@ interface ChatMessage {
 // Pipes the OpenAI SSE stream directly to the Deno response.
 function streamOpenAI(message: string, history: ChatMessage[]): Promise<Response> {
   const messages: { role: string; content: string }[] = [];
-  if (LLM_SYSTEM_PROMPT) messages.push({ role: "system", content: LLM_SYSTEM_PROMPT });
+  if (AI_SYSTEM_PROMPT) messages.push({ role: "system", content: AI_SYSTEM_PROMPT });
   messages.push(...history);
   messages.push({ role: "user", content: message });
 
   return fetch("https://api.openai.com/v1/chat/completions", {
     method: "POST",
     headers: {
-      Authorization: `Bearer ${LLM_API_KEY}`,
+      Authorization: `Bearer ${AI_API_KEY}`,
       "Content-Type": "application/json",
     },
     body: JSON.stringify({ model: "gpt-4o-mini", messages, stream: true }),
@@ -74,13 +74,13 @@ function streamGemini(message: string, history: ChatMessage[]): Promise<Response
   ];
 
   const body: Record<string, unknown> = { contents };
-  if (LLM_SYSTEM_PROMPT) {
-    body.systemInstruction = { parts: [{ text: LLM_SYSTEM_PROMPT }] };
+  if (AI_SYSTEM_PROMPT) {
+    body.systemInstruction = { parts: [{ text: AI_SYSTEM_PROMPT }] };
   }
 
   // alt=sse makes Gemini return the same SSE format as OpenAI
   return fetch(
-    `https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-flash:streamGenerateContent?key=${LLM_API_KEY}&alt=sse`,
+    `https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-flash:streamGenerateContent?key=${AI_API_KEY}&alt=sse`,
     {
       method: "POST",
       headers: { "Content-Type": "application/json" },
@@ -136,21 +136,21 @@ Deno.serve(async (req: Request) => {
     return Response.json({ error: "Missing message" }, { status: 400 });
   }
 
-  if (!LLM_API_KEY) {
+  if (!AI_API_KEY) {
     return Response.json(
-      { error: "LLM_API_KEY not configured. Run: supabase secrets set LLM_API_KEY=..." },
+      { error: "AI_API_KEY not configured. Run: supabase secrets set AI_API_KEY=..." },
       { status: 500 }
     );
   }
 
   try {
-    return LLM_PROVIDER === "gemini"
+    return AI_PROVIDER === "gemini"
       ? await streamGemini(message, history)
       : await streamOpenAI(message, history);
   } catch (err) {
-    console.error("[llm-chat]", err);
+    console.error("[ai-chat]", err);
     // Send error as SSE event so the Flutter client can surface it
-    const errorEvent = `data: ${JSON.stringify({ error: "LLM request failed" })}\n\n`;
+    const errorEvent = `data: ${JSON.stringify({ error: "AI request failed" })}\n\n`;
     return new Response(errorEvent, { headers: SSE_HEADERS });
   }
 });

package/lib/scaffold/backends/supabase/edge-functions/revenuecat-webhook/index.ts

@@ -36,6 +36,8 @@ const Stores = {
   PLAY_STORE: "PLAY_STORE",
   APPLE_STORE: "APPLE_STORE",
   EARLY_BIRD: "EARLY_BIRD",
+  // Subscription purchased on the web via Stripe (written by stripe-webhook).
+  STRIPE: "STRIPE",
 } as const;
 
 type SubscriptionStatusType = (typeof SubscriptionStatus)[keyof typeof SubscriptionStatus];