kasy-cli 1.30.0 → 1.31.0

package/lib/scaffold/backends/supabase/deploy.js

@@ -9,14 +9,14 @@
  * Requires: supabase CLI installed, user logged in (supabase login).
  */
 
-const { exec, execFile } = require('node:child_process');
+const { exec } = require('node:child_process');
 const { promisify } = require('node:util');
 const path = require('node:path');
+const os = require('node:os');
 const fs = require('fs-extra');
 const { augmentedEnv } = require('../../../utils/env-tools');
 
 const execAsync = promisify(exec);
-const execFileAsync = promisify(execFile);
 
 /**
  * Parse JSON from a CLI's stdout tolerantly. The Supabase CLI sometimes prints
@@ -187,20 +187,102 @@ async function getProjectKeys(projectRef) {
   }
 }
 
+// The Supabase CLI stores its access token via go-keyring under the service
+// "Supabase CLI" with the key/user "access-token". Each OS keeps that in a
+// different vault, so reading it back is per-OS. Used by the Management API
+// calls below (auth providers), which the CLI itself has no command for.
+const SUPABASE_KEYRING_SERVICE = 'Supabase CLI';
+const SUPABASE_KEYRING_USER = 'access-token';
+
+// Read a generic credential out of the Windows Credential Manager. go-keyring's
+// wincred backend names the target "<service>:<user>" and stores the secret as a
+// raw blob (UTF-8 or UTF-16LE depending on version), so we return the base64 of
+// the blob and let the caller pick the right decoding.
+async function readWindowsCredentialBase64(target) {
+  const ps = `
+$ErrorActionPreference = 'Stop'
+$sig = @"
+using System;
+using System.Runtime.InteropServices;
+public class KasyCred {
+  [DllImport("advapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
+  public static extern bool CredRead(string target, int type, int flags, out IntPtr cred);
+  [DllImport("advapi32.dll")] public static extern void CredFree(IntPtr cred);
+  [StructLayout(LayoutKind.Sequential)] public struct CREDENTIAL {
+    public int Flags; public int Type; public IntPtr TargetName; public IntPtr Comment;
+    public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
+    public int CredentialBlobSize; public IntPtr CredentialBlob; public int Persist;
+    public int AttributeCount; public IntPtr Attributes; public IntPtr TargetAlias; public IntPtr UserName;
+  }
+}
+"@
+Add-Type $sig | Out-Null
+$ptr = [IntPtr]::Zero
+if ([KasyCred]::CredRead('${target}', 1, 0, [ref]$ptr)) {
+  $c = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type]([KasyCred+CREDENTIAL]))
+  $bytes = New-Object byte[] $c.CredentialBlobSize
+  [System.Runtime.InteropServices.Marshal]::Copy($c.CredentialBlob, $bytes, 0, $c.CredentialBlobSize)
+  [KasyCred]::CredFree($ptr)
+  [Convert]::ToBase64String($bytes)
+}
+`;
+  const encoded = Buffer.from(ps, 'utf16le').toString('base64');
+  const { stdout } = await execAsync(
+    `powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand ${encoded}`,
+    { windowsHide: true, maxBuffer: 1024 * 1024 },
+  );
+  return (stdout || '').trim();
+}
+
 /**
- * Get the Supabase access token stored by `supabase login`.
- * macOS: stored in Keychain under "Supabase CLI" (go-keyring-base64 encoded).
- * Fallback: SUPABASE_ACCESS_TOKEN environment variable.
+ * Get the Supabase access token stored by `supabase login`, cross-platform:
+ *   - SUPABASE_ACCESS_TOKEN env var (any OS, also the CI path)
+ *   - macOS: Keychain (`security`)
+ *   - Windows: Credential Manager (CredRead via PowerShell)
+ *   - Linux: libsecret (`secret-tool`)
+ * Returns null if none works (caller degrades to a manual hint).
  */
 async function getSupabaseAccessToken() {
   if (process.env.SUPABASE_ACCESS_TOKEN) return process.env.SUPABASE_ACCESS_TOKEN;
-  try {
-    const { stdout } = await execAsync('security find-generic-password -s "Supabase CLI" -w');
-    const raw = stdout.trim();
-    if (raw.startsWith('go-keyring-base64:')) {
-      return Buffer.from(raw.replace('go-keyring-base64:', ''), 'base64').toString('utf8');
+
+  const decodeKeyring = (raw) => {
+    const s = (raw || '').trim();
+    if (!s) return null;
+    if (s.startsWith('go-keyring-base64:')) {
+      return Buffer.from(s.replace('go-keyring-base64:', ''), 'base64').toString('utf8').trim() || null;
+    }
+    return s;
+  };
+
+  if (process.platform === 'darwin') {
+    try {
+      const { stdout } = await execAsync(`security find-generic-password -s "${SUPABASE_KEYRING_SERVICE}" -w`);
+      return decodeKeyring(stdout);
+    } catch {
+      return null;
+    }
+  }
+
+  if (process.platform === 'win32') {
+    try {
+      const b64 = await readWindowsCredentialBase64(`${SUPABASE_KEYRING_SERVICE}:${SUPABASE_KEYRING_USER}`);
+      if (!b64) return null;
+      const buf = Buffer.from(b64, 'base64');
+      // UTF-16LE blobs have a NUL after most bytes; UTF-8 blobs don't.
+      const nulCount = buf.reduce((n, b) => n + (b === 0 ? 1 : 0), 0);
+      const token = (nulCount > buf.length / 4 ? buf.toString('utf16le') : buf.toString('utf8')).trim();
+      return decodeKeyring(token);
+    } catch {
+      return null;
     }
-    return raw || null;
+  }
+
+  // Linux (libsecret).
+  try {
+    const { stdout } = await execAsync(
+      `secret-tool lookup service "${SUPABASE_KEYRING_SERVICE}" username "${SUPABASE_KEYRING_USER}"`,
+    );
+    return decodeKeyring(stdout);
   } catch {
     return null;
   }
@@ -352,19 +434,30 @@ async function dbPush(projectDir) {
 }
 
 /**
- * Set a single Supabase secret safely using execFile (no shell expansion).
- * supabase secrets set accepts KEY=VALUE as a positional arg.
+ * Set a single Supabase secret.
+ *
+ * On Windows the supabase binary is `supabase.cmd`, which execFile (no shell)
+ * can't launch — it failed with "spawn supabase ENOENT". We go through the
+ * shell-based run() instead, which resolves the .cmd and uses the augmented
+ * PATH. To keep the secret value off the command line (no shell escaping /
+ * injection), we hand it to the CLI via a temporary --env-file rather than as a
+ * positional KEY=VALUE arg.
  */
 async function setSecret(projectDir, key, value) {
+  let tmpDir;
   try {
-    await execFileAsync('supabase', ['secrets', 'set', `${key}=${value}`], {
-      cwd: projectDir,
-      maxBuffer: 10 * 1024 * 1024,
-      env: process.env,
-    });
+    tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'kasy-secret-'));
+    const envFile = path.join(tmpDir, 'secret.env');
+    // The value is single-line (JSON is compacted upstream). dotenv splits on the
+    // first '=' only, so any '=' inside the value is preserved.
+    await fs.writeFile(envFile, `${key}=${value}\n`, 'utf8');
+    const r = await run(`supabase secrets set --env-file "${envFile}"`, projectDir);
+    if (!r.ok) return { ok: false, error: (r.stderr || r.error || '').slice(0, 300) };
     return { ok: true };
   } catch (err) {
     return { ok: false, error: err.message };
+  } finally {
+    if (tmpDir) await fs.remove(tmpDir).catch(() => {});
   }
 }
 

package/lib/scaffold/shared/fcm-service-account.js

@@ -14,12 +14,14 @@ const { promisify } = require('node:util');
 const fs = require('fs-extra');
 const path = require('node:path');
 const os = require('node:os');
+const { augmentedEnv } = require('../../utils/env-tools');
 
 const execAsync = promisify(exec);
 
 async function run(cmd) {
   try {
-    const { stdout, stderr } = await execAsync(cmd, { maxBuffer: 5 * 1024 * 1024 });
+    // augmentedEnv so a gcloud installed earlier this run is found on Windows.
+    const { stdout, stderr } = await execAsync(cmd, { maxBuffer: 5 * 1024 * 1024, env: augmentedEnv() });
     return { ok: true, stdout: stdout.trim(), stderr: stderr.trim() };
   } catch (err) {
     return {
@@ -86,17 +88,31 @@ async function createFcmServiceAccountKey(projectId) {
     return { ok: false, error: 'projectId is required' };
   }
 
-  const saResult = await findFirebaseAdminSdkSA(projectId.trim());
-  if (!saResult.ok) {
-    return { ok: false, error: saResult.error };
-  }
-
-  const saEmail = saResult.email;
+  const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
 
-  // Ensure the service account can send FCM messages (idempotent)
-  const roleResult = await grantFcmAdminRole(projectId.trim(), saEmail);
-  if (!roleResult.ok) {
-    return { ok: false, error: roleResult.error };
+  // On a brand-new project the Firebase Admin SDK service account is provisioned
+  // asynchronously after Firebase is added, and the IAM role grant also needs a
+  // moment to take. Both can fail immediately on the first try, which is why
+  // push used to come out half-configured on fresh Supabase/API projects. Retry
+  // the discover+grant with backoff before giving up.
+  let saEmail = '';
+  let lastErr = 'Firebase Admin SDK service account not found';
+  for (let attempt = 1; attempt <= 5; attempt++) {
+    const saResult = await findFirebaseAdminSdkSA(projectId.trim());
+    if (saResult.ok) {
+      const roleResult = await grantFcmAdminRole(projectId.trim(), saResult.email);
+      if (roleResult.ok) {
+        saEmail = saResult.email;
+        break;
+      }
+      lastErr = roleResult.error;
+    } else {
+      lastErr = saResult.error;
+    }
+    if (attempt < 5) await sleep(8000);
+  }
+  if (!saEmail) {
+    return { ok: false, error: lastErr };
   }
 
   const tmpPath = path.join(os.tmpdir(), `kasy-fcm-${Date.now()}.json`);
@@ -105,7 +121,6 @@ async function createFcmServiceAccountKey(projectId) {
   // IAM permission takes a moment to propagate — so the first key-create often
   // fails with "permission still propagating". Back off and retry a few times
   // before giving up, instead of leaving push half-configured.
-  const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
   let keyResult;
   for (let attempt = 1; attempt <= 4; attempt++) {
     keyResult = await run(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.30.0",
+  "version": "1.31.0",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"

package/templates/firebase/lib/core/bottom_menu/bottom_menu.dart

@@ -15,6 +15,23 @@ import 'package:kasy_kit/core/widgets/responsive_layout.dart';
 import 'package:kasy_kit/features/settings/ui/widgets/kasy_user_avatar.dart';
 import 'package:kasy_kit/i18n/translations.g.dart';
 
+/// The bottom-bar tab the user last opened, held at top level so it outlives the
+/// [BottomMenu] remount that happens whenever the responsive layout flips
+/// small↔large. Toggling the web device preview does exactly that: the app
+/// renders inside a phone-width frame when on and at full desktop width when
+/// off, so each toggle rebuilds [bart.BartScaffold] from scratch (its index
+/// notifier starts at 0). Persisting the tab here lets [BottomMenu] restore it
+/// instead of snapping back to the first tab. Null until the user opens a tab.
+final ValueNotifier<String?> activeTabRouteNotifier = ValueNotifier<String?>(
+  null,
+);
+
+/// Records the active tab so it survives the next remount. Wired to
+/// [bart.BartScaffold.onRouteChanged].
+void _rememberActiveTab(bart.BartMenuRoute route) {
+  activeTabRouteNotifier.value = route.path;
+}
+
 /// Bottom navigation host powered by Bart (https://pub.dev/packages/bart).
 ///
 /// [ResponsiveLayout] swaps between three [bart.BartScaffold]s (small / medium /
@@ -89,6 +106,7 @@ class BottomMenu extends StatelessWidget {
             showBottomBarOnStart: showBottomBarOnStart,
             scaffoldOptions: scaffoldOptions,
             sideBarOptions: connectedSidebar(),
+            onRouteChanged: _rememberActiveTab,
           ),
         );
 
@@ -104,6 +122,7 @@ class BottomMenu extends StatelessWidget {
           initialRoute: resolvedInitialRoute,
           showBottomBarOnStart: showBottomBarOnStart,
           scaffoldOptions: scaffoldOptions,
+          onRouteChanged: _rememberActiveTab,
         ),
         medium: connectedScaffold(),
         large: connectedScaffold(),
@@ -115,6 +134,19 @@ class BottomMenu extends StatelessWidget {
     if (route != null) {
       return route;
     }
+    // Restore the last tab across a remount. This is the reliable source: the
+    // browser URL is contended by both GoRouter and Bart, but this notifier is
+    // owned solely by the bottom bar and lives above the rebuilt subtree.
+    //
+    // The value is returned as a BARE tab name (e.g. "settings", not
+    // "/settings"). Bart's NestedNavigator matches routes by their exact path,
+    // which has no leading slash; passing a "/"-prefixed route makes Flutter's
+    // Navigator split it into segments that never match, so it falls back to the
+    // first tab (home). See bart's nested_navigator.dart onGenerateRoute.
+    final String? lastTab = activeTabRouteNotifier.value;
+    if (lastTab != null && _isKnownTab(lastTab)) {
+      return _bareTab(lastTab);
+    }
     if (!kIsWeb) {
       return null;
     }
@@ -124,21 +156,22 @@ class BottomMenu extends StatelessWidget {
       return null;
     }
     // A single segment is a bottom-bar tab (home/notifications/settings/…).
-    // Bart keeps the browser URL in sync with the active tab via
-    // history.pushState, so honoring it here means a remount (e.g. toggling the
-    // web device preview) or a hard reload restores the tab the user was on
-    // instead of snapping back to the first one. Only accept it when it maps to
-    // a real tab; anything else falls back to the default tab.
+    // Bart keeps the browser URL in sync via history.pushState, so honoring it
+    // here also restores the tab on a hard reload (F5). Only accept it when it
+    // maps to a real tab; anything else falls back to the default tab.
     if (segments.length == 1) {
-      final String tab = segments.first;
-      final bool isKnownTab = subRoutes().any(
-        (r) => r.path.replaceAll('/', '') == tab,
-      );
-      return isKnownTab ? '/$tab' : null;
+      return _isKnownTab(segments.first) ? _bareTab(segments.first) : null;
     }
     return '/${segments.join('/')}';
   }
 
+  String _bareTab(String path) => path.replaceAll('/', '');
+
+  bool _isKnownTab(String path) {
+    final String tab = _bareTab(path);
+    return subRoutes().any((r) => _bareTab(r.path) == tab);
+  }
+
   String _initialWebPath(Uri uri) {
     final path = uri.path;
     if (path != '/' && path.isNotEmpty) {

package/templates/firebase/lib/core/web_device_preview/web_device_preview.dart

@@ -203,11 +203,11 @@ class _WebDevicePreviewState extends State<WebDevicePreview>
   Future<void> _bootstrap() async {
     final prefs = await SharedPreferences.getInstance();
 
-    // Default OFF: the web app renders at its real desktop proportions instead
-    // of inside a simulated device frame (which distorts scale/proportion).
-    // Devs who want to preview the mobile app in a device frame toggle it on
-    // (shortcut), and that choice persists for subsequent launches.
-    final savedEnabled = prefs.getBool(webDevicePreviewEnabledPrefKey) ?? false;
+    // Default ON: previewing the mobile app inside a device frame is the
+    // expected first view for this mobile-first template. Devs who prefer the
+    // real desktop proportions toggle it off (shortcut), and that choice
+    // persists for subsequent launches.
+    final savedEnabled = prefs.getBool(webDevicePreviewEnabledPrefKey) ?? true;
     final savedPlatform = prefs.getInt(_platformPrefKey);
     final savedIosIndex = prefs.getInt(_iosIndexPrefKey);
     final savedAndroidIndex = prefs.getInt(_androidIndexPrefKey);