npm - kasy-cli - Versions diffs - 1.21.9 → 1.23.0 - Mend

kasy-cli 1.21.9 → 1.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (269) hide show

package/lib/scaffold/backends/supabase/deploy.js CHANGED Viewed

@@ -88,6 +88,42 @@ async function getOrgsList() {
   return { ok: true, orgs: orgs.map((o) => ({ id: o.id, name: o.name || o.id })) };
 }
+/**
+ * Classify a failed `supabase projects create` (or login) error so the caller
+ * can show targeted guidance instead of a raw API string:
+ *   - 'login'      → not authenticated (token missing/expired)
+ *   - 'free_limit' → Free plan active-project cap reached for this organization
+ *   - 'unknown'    → anything else (caller shows the raw message)
+ *
+ * Matching is intentionally loose: the Supabase Management API wording for the
+ * Free-plan cap has shifted over time ("maximum number of projects", "free plan",
+ * "project limit", "upgrade to a paid plan"…), so we key off stable keywords
+ * rather than an exact string that would silently stop matching after a change.
+ *
+ * @param {string} error
+ * @returns {'login'|'free_limit'|'unknown'}
+ */
+function classifyCreateError(error) {
+  const msg = (error || '').toLowerCase();
+  if (!msg) return 'unknown';
+  if (
+    msg.includes('login required') ||
+    msg.includes('not logged in') ||
+    msg.includes('access token') ||
+    msg.includes('unauthorized') ||
+    msg.includes('401')
+  ) {
+    return 'login';
+  }
+  const freeLimit =
+    /maximum number of (active )?projects/.test(msg) ||
+    /project limit/.test(msg) ||
+    (/free/.test(msg) && /(plan|tier)/.test(msg) && /(limit|maximum|reached|exceed)/.test(msg)) ||
+    (/reached/.test(msg) && /limit/.test(msg)) ||
+    /upgrade .*(plan|pro|paid)/.test(msg);
+  return freeLimit ? 'free_limit' : 'unknown';
+}
 /**
  * Create a new Supabase project.
  * @param {string} projectName
@@ -338,7 +374,7 @@ async function setSecret(projectDir, key, value) {
  * Uses execFile to avoid shell injection on user-supplied values.
  */
 async function setSupabaseSecrets(projectDir, secrets = {}) {
-  const { rcWebhookKey, metaAccessToken, metaDatasetId, firebaseProjectId, firebaseServiceAccountJson, llmApiKey, llmProvider, llmSystemPrompt } = secrets;
+  const { rcWebhookKey, metaAccessToken, metaDatasetId, firebaseProjectId, firebaseServiceAccountJson, aiApiKey, aiProvider, aiSystemPrompt, stripeSecretKey, stripeWebhookSecret, stripeProductId } = secrets;
   const steps = [];
   if (firebaseProjectId && String(firebaseProjectId).trim()) {
@@ -373,19 +409,34 @@ async function setSupabaseSecrets(projectDir, secrets = {}) {
     steps.push({ name: 'secret META_DATASET_ID', ok: r.ok, error: r.error });
   }
-  if (llmApiKey && String(llmApiKey).trim()) {
-    const r = await setSecret(projectDir, 'LLM_API_KEY', String(llmApiKey).trim());
-    steps.push({ name: 'secret LLM_API_KEY', ok: r.ok, error: r.error });
+  if (aiApiKey && String(aiApiKey).trim()) {
+    const r = await setSecret(projectDir, 'AI_API_KEY', String(aiApiKey).trim());
+    steps.push({ name: 'secret AI_API_KEY', ok: r.ok, error: r.error });
+  }
+  if (aiProvider && String(aiProvider).trim()) {
+    const r = await setSecret(projectDir, 'AI_PROVIDER', String(aiProvider).trim());
+    steps.push({ name: 'secret AI_PROVIDER', ok: r.ok, error: r.error });
+  }
+  if (aiSystemPrompt && String(aiSystemPrompt).trim()) {
+    const r = await setSecret(projectDir, 'AI_SYSTEM_PROMPT', String(aiSystemPrompt).trim());
+    steps.push({ name: 'secret AI_SYSTEM_PROMPT', ok: r.ok, error: r.error });
+  }
+  if (stripeSecretKey && String(stripeSecretKey).trim()) {
+    const r = await setSecret(projectDir, 'STRIPE_SECRET_KEY', String(stripeSecretKey).trim());
+    steps.push({ name: 'secret STRIPE_SECRET_KEY', ok: r.ok, error: r.error });
   }
-  if (llmProvider && String(llmProvider).trim()) {
-    const r = await setSecret(projectDir, 'LLM_PROVIDER', String(llmProvider).trim());
-    steps.push({ name: 'secret LLM_PROVIDER', ok: r.ok, error: r.error });
+  if (stripeWebhookSecret && String(stripeWebhookSecret).trim()) {
+    const r = await setSecret(projectDir, 'STRIPE_WEBHOOK_SECRET', String(stripeWebhookSecret).trim());
+    steps.push({ name: 'secret STRIPE_WEBHOOK_SECRET', ok: r.ok, error: r.error });
   }
-  if (llmSystemPrompt && String(llmSystemPrompt).trim()) {
-    const r = await setSecret(projectDir, 'LLM_SYSTEM_PROMPT', String(llmSystemPrompt).trim());
-    steps.push({ name: 'secret LLM_SYSTEM_PROMPT', ok: r.ok, error: r.error });
+  if (stripeProductId && String(stripeProductId).trim()) {
+    const r = await setSecret(projectDir, 'STRIPE_PRODUCT_ID', String(stripeProductId).trim());
+    steps.push({ name: 'secret STRIPE_PRODUCT_ID', ok: r.ok, error: r.error });
   }
   return steps;
@@ -410,7 +461,7 @@ async function deployFunctions(projectDir, functionNames = []) {
   for (const name of toDeploy) {
     const fnPath = path.join(functionsDir, name);
     if (!(await fs.pathExists(fnPath))) continue;
-    const noVerifyJwt = (name === 'llm-chat' || name === 'revenuecat-webhook' || name === 'send-push-notification') ? ' --no-verify-jwt' : '';
+    const noVerifyJwt = (name === 'ai-chat' || name === 'revenuecat-webhook' || name === 'send-push-notification' || name === 'stripe-webhook') ? ' --no-verify-jwt' : '';
     const result = await run(`supabase functions deploy ${name}${noVerifyJwt}`, projectDir);
     steps.push({ name: `deploy ${name}`, ok: result.ok, error: result.error });
   }
@@ -540,6 +591,7 @@ module.exports = {
   getOrgsList,
   getProjectsByOrg,
   createProject,
+  classifyCreateError,
   getProjectKeys,
   linkProject,
   dbPush,

package/lib/scaffold/backends/supabase/edge-functions/admin-list-users/index.ts ADDED Viewed

@@ -0,0 +1,149 @@
+/**
+ * Supabase Edge Function: Admin — List Users
+ *
+ * Lists app users for the admin console. Returns the most-recent users (bounded
+ * to MAX_SCAN) with their subscriber status already resolved; the Flutter client
+ * (admin_users_tab.dart) does search / sort / pagination locally so those
+ * interactions are instant. Shape: { users, totalUsers, truncated } — identical
+ * to the Firebase Cloud Function so the shared UI stays the same.
+ *
+ * Security (two layers):
+ *   1. The caller is verified with THEIR OWN JWT (getUser) and must carry
+ *      role == "admin" on their own public.users row (read under their RLS).
+ *   2. Only AFTER that check do we use the service role to read across all
+ *      users — the users/subscriptions RLS exposes only a user's own row, so a
+ *      non-admin can never reach other people's data.
+ *
+ * Deployed WITH JWT verification (the default) — see deploy.js.
+ */
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
+const corsHeaders = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+};
+// In-memory cap: load up to this many of the most recent users in one call.
+// Larger apps should add a dedicated search index (see README).
+const MAX_SCAN = 1000;
+// A user counts as a subscriber when their subscription is currently usable.
+const ACTIVE_SUBSCRIPTION_STATUSES = ["ACTIVE", "LIFETIME"];
+interface AdminUser {
+  id: string;
+  email: string | null;
+  name: string | null;
+  createdAt: number | null; // epoch millis
+  subscriber: boolean;
+}
+function json(body: unknown, status: number): Response {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { ...corsHeaders, "Content-Type": "application/json" },
+  });
+}
+Deno.serve(async (req: Request) => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+  if (req.method !== "POST") {
+    return json({ error: "Method not allowed" }, 405);
+  }
+  const authHeader = req.headers.get("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    return json({ error: "Missing or invalid Authorization header" }, 401);
+  }
+  const supabaseUrl = Deno.env.get("SUPABASE_URL");
+  const anonKey = Deno.env.get("SUPABASE_ANON_KEY");
+  const serviceRoleKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY");
+  if (!supabaseUrl || !anonKey || !serviceRoleKey) {
+    console.error("[admin-list-users] Missing SUPABASE_URL / ANON / SERVICE key");
+    return json({ error: "Server configuration error" }, 500);
+  }
+  // 1. Verify the caller with their own JWT.
+  const token = authHeader.replace("Bearer ", "");
+  const supabaseAuth = createClient(supabaseUrl, anonKey, {
+    global: { headers: { Authorization: authHeader } },
+  });
+  const {
+    data: { user },
+    error: authError,
+  } = await supabaseAuth.auth.getUser(token);
+  if (authError || !user) {
+    console.warn("[admin-list-users] Unauthenticated request:", authError?.message);
+    return json({ error: "You must be authenticated" }, 401);
+  }
+  try {
+    // 2. Admin gate: the caller's own row must carry role == "admin".
+    //    This read runs under the caller's RLS (own row only) — no privilege.
+    const { data: caller, error: callerError } = await supabaseAuth
+      .from("users")
+      .select("role")
+      .eq("id", user.id)
+      .maybeSingle();
+    if (callerError || !caller || caller.role !== "admin") {
+      console.warn(`[admin-list-users] Non-admin request from ${user.id}`);
+      return json({ error: "Admin role required" }, 403);
+    }
+    // 3. Verified admin → service role can read across all users/subscriptions.
+    const admin = createClient(supabaseUrl, serviceRoleKey);
+    // Newest first; users without a creation_date sort to the end (Postgres,
+    // unlike Firestore, keeps NULL-date rows instead of dropping them). The
+    // client re-sorts anyway, so this only decides which rows survive the cap.
+    const { data: rows, error: rowsError } = await admin
+      .from("users")
+      .select("id, email, name, creation_date")
+      .order("creation_date", { ascending: false, nullsFirst: false })
+      .limit(MAX_SCAN);
+    if (rowsError) throw rowsError;
+    const docs = rows ?? [];
+    const ids = docs.map((d) => d.id);
+    const activeSubscribers = new Set<string>();
+    if (ids.length > 0) {
+      const { data: subs, error: subError } = await admin
+        .from("subscriptions")
+        .select("user_id, status")
+        .in("user_id", ids);
+      if (subError) throw subError;
+      for (const s of subs ?? []) {
+        if (ACTIVE_SUBSCRIPTION_STATUSES.includes(s.status)) {
+          activeSubscribers.add(s.user_id);
+        }
+      }
+    }
+    const users: AdminUser[] = docs.map((d) => ({
+      id: d.id,
+      email: (d.email as string) || null,
+      name: (d.name as string) || null,
+      createdAt: d.creation_date ? new Date(d.creation_date).getTime() : null,
+      subscriber: activeSubscribers.has(d.id),
+    }));
+    const { count } = await admin
+      .from("users")
+      .select("*", { count: "exact", head: true });
+    const totalUsers = count ?? users.length;
+    return json(
+      { users, totalUsers, truncated: totalUsers > users.length },
+      200,
+    );
+  } catch (e) {
+    console.error("[admin-list-users] Error:", e);
+    return json({ error: "Failed to list users" }, 500);
+  }
+});

package/lib/scaffold/backends/supabase/edge-functions/{llm-chat → ai-chat}/index.ts RENAMED Viewed

@@ -1,23 +1,23 @@
 /**
- * Supabase Edge Function: LLM Chat Proxy (streaming)
+ * Supabase Edge Function: AI Chat Proxy (streaming)
  *
  * Receives {message, history} from the Flutter app and streams the response
  * back as Server-Sent Events (SSE). The API key never leaves the server.
  *
  * Secrets required (set via `supabase secrets set`):
- *   - LLM_API_KEY: API key for OpenAI or Gemini
- *   - LLM_PROVIDER: "openai" (default) or "gemini"
- *   - LLM_SYSTEM_PROMPT: System prompt for the agent (optional)
+ *   - AI_API_KEY: API key for OpenAI or Gemini
+ *   - AI_PROVIDER: "openai" (default) or "gemini"
+ *   - AI_SYSTEM_PROMPT: System prompt for the agent (optional)
  *
  * App dart-define:
- *   - LLM_CHAT_ENDPOINT: https://<project-ref>.supabase.co/functions/v1/llm-chat
+ *   - AI_CHAT_ENDPOINT: https://<project-ref>.supabase.co/functions/v1/ai-chat
  *
- * Deploy: supabase functions deploy llm-chat --no-verify-jwt
+ * Deploy: supabase functions deploy ai-chat --no-verify-jwt
  */
-const LLM_API_KEY = Deno.env.get("LLM_API_KEY") ?? "";
-const LLM_PROVIDER = Deno.env.get("LLM_PROVIDER") ?? "openai";
-const LLM_SYSTEM_PROMPT = Deno.env.get("LLM_SYSTEM_PROMPT") ?? "";
+const AI_API_KEY = Deno.env.get("AI_API_KEY") ?? "";
+const AI_PROVIDER = Deno.env.get("AI_PROVIDER") ?? "openai";
+const AI_SYSTEM_PROMPT = Deno.env.get("AI_SYSTEM_PROMPT") ?? "";
 const SUPABASE_URL = Deno.env.get("SUPABASE_URL") ?? "";
 const SUPABASE_SERVICE_ROLE_KEY = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY") ?? "";
@@ -41,14 +41,14 @@ interface ChatMessage {
 // Pipes the OpenAI SSE stream directly to the Deno response.
 function streamOpenAI(message: string, history: ChatMessage[]): Promise<Response> {
   const messages: { role: string; content: string }[] = [];
-  if (LLM_SYSTEM_PROMPT) messages.push({ role: "system", content: LLM_SYSTEM_PROMPT });
+  if (AI_SYSTEM_PROMPT) messages.push({ role: "system", content: AI_SYSTEM_PROMPT });
   messages.push(...history);
   messages.push({ role: "user", content: message });
   return fetch("https://api.openai.com/v1/chat/completions", {
     method: "POST",
     headers: {
-      Authorization: `Bearer ${LLM_API_KEY}`,
+      Authorization: `Bearer ${AI_API_KEY}`,
       "Content-Type": "application/json",
     },
     body: JSON.stringify({ model: "gpt-4o-mini", messages, stream: true }),
@@ -74,13 +74,13 @@ function streamGemini(message: string, history: ChatMessage[]): Promise<Response
   ];
   const body: Record<string, unknown> = { contents };
-  if (LLM_SYSTEM_PROMPT) {
-    body.systemInstruction = { parts: [{ text: LLM_SYSTEM_PROMPT }] };
+  if (AI_SYSTEM_PROMPT) {
+    body.systemInstruction = { parts: [{ text: AI_SYSTEM_PROMPT }] };
   }
   // alt=sse makes Gemini return the same SSE format as OpenAI
   return fetch(
-    `https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-flash:streamGenerateContent?key=${LLM_API_KEY}&alt=sse`,
+    `https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-flash:streamGenerateContent?key=${AI_API_KEY}&alt=sse`,
     {
       method: "POST",
       headers: { "Content-Type": "application/json" },
@@ -136,21 +136,21 @@ Deno.serve(async (req: Request) => {
     return Response.json({ error: "Missing message" }, { status: 400 });
   }
-  if (!LLM_API_KEY) {
+  if (!AI_API_KEY) {
     return Response.json(
-      { error: "LLM_API_KEY not configured. Run: supabase secrets set LLM_API_KEY=..." },
+      { error: "AI_API_KEY not configured. Run: supabase secrets set AI_API_KEY=..." },
       { status: 500 }
     );
   }
   try {
-    return LLM_PROVIDER === "gemini"
+    return AI_PROVIDER === "gemini"
       ? await streamGemini(message, history)
       : await streamOpenAI(message, history);
   } catch (err) {
-    console.error("[llm-chat]", err);
+    console.error("[ai-chat]", err);
     // Send error as SSE event so the Flutter client can surface it
-    const errorEvent = `data: ${JSON.stringify({ error: "LLM request failed" })}\n\n`;
+    const errorEvent = `data: ${JSON.stringify({ error: "AI request failed" })}\n\n`;
     return new Response(errorEvent, { headers: SSE_HEADERS });
   }
 });

package/lib/scaffold/backends/supabase/edge-functions/revenuecat-webhook/index.ts CHANGED Viewed

@@ -36,6 +36,8 @@ const Stores = {
   PLAY_STORE: "PLAY_STORE",
   APPLE_STORE: "APPLE_STORE",
   EARLY_BIRD: "EARLY_BIRD",
+  // Subscription purchased on the web via Stripe (written by stripe-webhook).
+  STRIPE: "STRIPE",
 } as const;
 type SubscriptionStatusType = (typeof SubscriptionStatus)[keyof typeof SubscriptionStatus];

package/lib/scaffold/backends/supabase/edge-functions/stripe-create-checkout-session/index.ts ADDED Viewed

@@ -0,0 +1,123 @@
+/**
+ * Supabase Edge Function: Stripe — Create Checkout Session
+ *
+ * Creates a hosted Stripe Checkout session (mode=subscription) for the
+ * authenticated user and returns its URL. The user identity is taken from the
+ * verified JWT, never trusted from the request body, so a client cannot check
+ * out on behalf of someone else.
+ *
+ * Deployed WITH JWT verification.
+ *
+ * Secrets required:
+ *   - STRIPE_SECRET_KEY: sk_test_... / sk_live_...
+ *   - SUPABASE_URL / SUPABASE_ANON_KEY / SUPABASE_SERVICE_ROLE_KEY (auto-provided)
+ *
+ * Body: { priceId: string, successUrl?: string, cancelUrl?: string }
+ */
+import Stripe from "npm:stripe@18";
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
+const corsHeaders = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+};
+// Maps a Supabase auth user -> its Stripe customer id.
+const CUSTOMERS_TABLE = "stripe_customers";
+function trialDaysFor(price: Stripe.Price, product: Stripe.Product): number | null {
+  const meta = price.metadata?.trial_days ?? product.metadata?.trial_days;
+  return meta ? Number(meta) : null;
+}
+async function getUid(req: Request, supabaseUrl: string, anonKey: string): Promise<string | null> {
+  const authHeader = req.headers.get("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) return null;
+  const token = authHeader.replace("Bearer ", "");
+  const client = createClient(supabaseUrl, anonKey, {
+    global: { headers: { Authorization: authHeader } },
+  });
+  const { data: { user }, error } = await client.auth.getUser(token);
+  if (error || !user) return null;
+  return user.id;
+}
+// deno-lint-ignore no-explicit-any
+async function getOrCreateCustomer(stripe: Stripe, admin: any, uid: string): Promise<string> {
+  const { data } = await admin
+    .from(CUSTOMERS_TABLE)
+    .select("customer_id")
+    .eq("user_id", uid)
+    .maybeSingle();
+  const existing = data?.customer_id as string | undefined;
+  if (existing) return existing;
+  const customer = await stripe.customers.create({ metadata: { supabaseUID: uid } });
+  await admin.from(CUSTOMERS_TABLE).upsert({ user_id: uid, customer_id: customer.id });
+  return customer.id;
+}
+Deno.serve(async (req: Request) => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+  if (req.method !== "POST") {
+    return Response.json({ error: "Method not allowed" }, { status: 405, headers: corsHeaders });
+  }
+  const secretKey = Deno.env.get("STRIPE_SECRET_KEY");
+  const supabaseUrl = Deno.env.get("SUPABASE_URL");
+  const anonKey = Deno.env.get("SUPABASE_ANON_KEY");
+  const serviceRoleKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY");
+  if (!secretKey || !supabaseUrl || !anonKey || !serviceRoleKey) {
+    return Response.json({ error: "Server configuration error" }, { status: 500, headers: corsHeaders });
+  }
+  const uid = await getUid(req, supabaseUrl, anonKey);
+  if (!uid) {
+    return Response.json({ error: "Sign in required" }, { status: 401, headers: corsHeaders });
+  }
+  let body: { priceId?: string; successUrl?: string; cancelUrl?: string };
+  try {
+    body = await req.json();
+  } catch {
+    return Response.json({ error: "Invalid JSON" }, { status: 400, headers: corsHeaders });
+  }
+  const priceId = body.priceId;
+  if (!priceId) {
+    return Response.json({ error: "priceId is required" }, { status: 400, headers: corsHeaders });
+  }
+  const successUrl = body.successUrl ?? "";
+  const cancelUrl = body.cancelUrl ?? successUrl;
+  try {
+    const stripe = new Stripe(secretKey);
+    const admin = createClient(supabaseUrl, serviceRoleKey);
+    const customerId = await getOrCreateCustomer(stripe, admin, uid);
+    const price = await stripe.prices.retrieve(priceId, { expand: ["product"] });
+    const trialDays = trialDaysFor(price, price.product as Stripe.Product);
+    const session = await stripe.checkout.sessions.create({
+      mode: "subscription",
+      customer: customerId,
+      client_reference_id: uid,
+      line_items: [{ price: priceId, quantity: 1 }],
+      success_url: successUrl,
+      cancel_url: cancelUrl,
+      subscription_data: {
+        metadata: { supabaseUID: uid },
+        ...(trialDays ? { trial_period_days: trialDays } : {}),
+      },
+    });
+    return Response.json({ url: session.url }, { headers: corsHeaders });
+  } catch (err) {
+    console.error("[stripe-create-checkout-session]", err);
+    return Response.json(
+      { error: err instanceof Error ? err.message : "Internal error" },
+      { status: 500, headers: corsHeaders },
+    );
+  }
+});

package/lib/scaffold/backends/supabase/edge-functions/stripe-create-portal-session/index.ts ADDED Viewed

@@ -0,0 +1,97 @@
+/**
+ * Supabase Edge Function: Stripe — Create Customer Portal Session
+ *
+ * Creates a Stripe Customer Portal session (manage / cancel) for the
+ * authenticated user and returns its URL. The user is identified by the
+ * verified JWT and the Stripe customer is looked up server-side.
+ *
+ * Deployed WITH JWT verification.
+ *
+ * Secrets required:
+ *   - STRIPE_SECRET_KEY
+ *   - SUPABASE_URL / SUPABASE_ANON_KEY / SUPABASE_SERVICE_ROLE_KEY (auto-provided)
+ *
+ * Body: { returnUrl?: string }
+ */
+import Stripe from "npm:stripe@18";
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
+const corsHeaders = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+};
+const CUSTOMERS_TABLE = "stripe_customers";
+async function getUid(req: Request, supabaseUrl: string, anonKey: string): Promise<string | null> {
+  const authHeader = req.headers.get("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) return null;
+  const token = authHeader.replace("Bearer ", "");
+  const client = createClient(supabaseUrl, anonKey, {
+    global: { headers: { Authorization: authHeader } },
+  });
+  const { data: { user }, error } = await client.auth.getUser(token);
+  if (error || !user) return null;
+  return user.id;
+}
+Deno.serve(async (req: Request) => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+  if (req.method !== "POST") {
+    return Response.json({ error: "Method not allowed" }, { status: 405, headers: corsHeaders });
+  }
+  const secretKey = Deno.env.get("STRIPE_SECRET_KEY");
+  const supabaseUrl = Deno.env.get("SUPABASE_URL");
+  const anonKey = Deno.env.get("SUPABASE_ANON_KEY");
+  const serviceRoleKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY");
+  if (!secretKey || !supabaseUrl || !anonKey || !serviceRoleKey) {
+    return Response.json({ error: "Server configuration error" }, { status: 500, headers: corsHeaders });
+  }
+  const uid = await getUid(req, supabaseUrl, anonKey);
+  if (!uid) {
+    return Response.json({ error: "Sign in required" }, { status: 401, headers: corsHeaders });
+  }
+  let returnUrl = "";
+  try {
+    const body = await req.json();
+    returnUrl = (body?.returnUrl as string | undefined) ?? "";
+  } catch {
+    // body is optional
+  }
+  try {
+    const admin = createClient(supabaseUrl, serviceRoleKey);
+    const { data } = await admin
+      .from(CUSTOMERS_TABLE)
+      .select("customer_id")
+      .eq("user_id", uid)
+      .maybeSingle();
+    const customerId = data?.customer_id as string | undefined;
+    if (!customerId) {
+      return Response.json(
+        { error: "No Stripe customer for user" },
+        { status: 400, headers: corsHeaders },
+      );
+    }
+    const stripe = new Stripe(secretKey);
+    const session = await stripe.billingPortal.sessions.create({
+      customer: customerId,
+      return_url: returnUrl,
+    });
+    return Response.json({ url: session.url }, { headers: corsHeaders });
+  } catch (err) {
+    console.error("[stripe-create-portal-session]", err);
+    return Response.json(
+      { error: err instanceof Error ? err.message : "Internal error" },
+      { status: 500, headers: corsHeaders },
+    );
+  }
+});

package/lib/scaffold/backends/supabase/edge-functions/stripe-list-prices/index.ts ADDED Viewed

@@ -0,0 +1,83 @@
+/**
+ * Supabase Edge Function: Stripe — List Prices
+ *
+ * Returns the active recurring Stripe prices mapped to the paywall offer
+ * contract used by the Flutter client (mirrors the Firebase `listPrices`
+ * callable). The Stripe secret key never leaves the server.
+ *
+ * Deployed WITH JWT verification (the platform checks the caller's token), so
+ * only an authenticated app user can reach it.
+ *
+ * Secrets required (set via `supabase secrets set`):
+ *   - STRIPE_SECRET_KEY: sk_test_... / sk_live_...
+ *   - STRIPE_PRODUCT_ID (optional): restrict prices to a single Stripe product.
+ */
+import Stripe from "npm:stripe@18";
+const corsHeaders = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "POST, OPTIONS",
+  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+};
+function trialDaysFor(price: Stripe.Price, product: Stripe.Product): number | null {
+  const meta = price.metadata?.trial_days ?? product.metadata?.trial_days;
+  return meta ? Number(meta) : null;
+}
+Deno.serve(async (req: Request) => {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+  const secretKey = Deno.env.get("STRIPE_SECRET_KEY");
+  if (!secretKey) {
+    return Response.json(
+      { error: "STRIPE_SECRET_KEY not configured. Run: supabase secrets set STRIPE_SECRET_KEY=..." },
+      { status: 500, headers: corsHeaders },
+    );
+  }
+  const stripe = new Stripe(secretKey);
+  try {
+    const params: Stripe.PriceListParams = {
+      active: true,
+      type: "recurring",
+      expand: ["data.product"],
+      limit: 100,
+    };
+    const productFilter = Deno.env.get("STRIPE_PRODUCT_ID");
+    if (productFilter) params.product = productFilter;
+    const prices = await stripe.prices.list(params);
+    const offers = prices.data
+      .filter((p) => Boolean(p.recurring))
+      .map((p) => {
+        const product = p.product as Stripe.Product;
+        const features = (product.marketing_features ?? [])
+          .map((f) => f.name)
+          .filter((n): n is string => Boolean(n));
+        return {
+          priceId: p.id,
+          productId: typeof p.product === "string" ? p.product : product.id,
+          productName: product.name ?? "",
+          description: product.description ?? "",
+          unitAmount: p.unit_amount ?? 0,
+          currency: p.currency,
+          interval: p.recurring?.interval ?? "month",
+          intervalCount: p.recurring?.interval_count ?? 1,
+          trialDays: trialDaysFor(p, product),
+          features,
+        };
+      });
+    return Response.json(offers, { headers: corsHeaders });
+  } catch (err) {
+    console.error("[stripe-list-prices]", err);
+    return Response.json(
+      { error: err instanceof Error ? err.message : "Internal error" },
+      { status: 500, headers: corsHeaders },
+    );
+  }
+});