kasy-cli 1.30.0 → 1.31.1

package/lib/scaffold/backends/supabase/deploy.js

@@ -9,14 +9,14 @@
  * Requires: supabase CLI installed, user logged in (supabase login).
  */
 
-const { exec, execFile } = require('node:child_process');
+const { exec } = require('node:child_process');
 const { promisify } = require('node:util');
 const path = require('node:path');
+const os = require('node:os');
 const fs = require('fs-extra');
 const { augmentedEnv } = require('../../../utils/env-tools');
 
 const execAsync = promisify(exec);
-const execFileAsync = promisify(execFile);
 
 /**
  * Parse JSON from a CLI's stdout tolerantly. The Supabase CLI sometimes prints
@@ -187,23 +187,116 @@ async function getProjectKeys(projectRef) {
   }
 }
 
+// The Supabase CLI stores its access token via go-keyring under the service
+// "Supabase CLI". The account/key has varied across CLI versions (e.g.
+// "supabase", "access-token"), so we DON'T hardcode it — we read by service
+// only. Each OS keeps this in a different vault. Used by the Management API
+// calls below (auth providers), which the CLI itself has no command for.
+const SUPABASE_KEYRING_SERVICE = 'Supabase CLI';
+
+// Read the Supabase token out of the Windows Credential Manager. go-keyring's
+// wincred backend names the target "<service>:<user>", but since the user part
+// differs by CLI version we ENUMERATE every credential whose target starts with
+// the service name and return the first non-empty blob as base64 — the caller
+// picks the decoding. Robust to the account name we can't see from here.
+async function readWindowsSupabaseTokenBase64() {
+  const ps = `
+$ErrorActionPreference = 'Stop'
+$sig = @"
+using System;
+using System.Runtime.InteropServices;
+public class KasyCred {
+  [DllImport("advapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
+  public static extern bool CredEnumerate(string filter, int flag, out int count, out IntPtr creds);
+  [DllImport("advapi32.dll")] public static extern void CredFree(IntPtr cred);
+  [StructLayout(LayoutKind.Sequential)] public struct CREDENTIAL {
+    public int Flags; public int Type; public IntPtr TargetName; public IntPtr Comment;
+    public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
+    public int CredentialBlobSize; public IntPtr CredentialBlob; public int Persist;
+    public int AttributeCount; public IntPtr Attributes; public IntPtr TargetAlias; public IntPtr UserName;
+  }
+}
+"@
+Add-Type $sig | Out-Null
+$count = 0; $ptr = [IntPtr]::Zero
+if ([KasyCred]::CredEnumerate('${SUPABASE_KEYRING_SERVICE}*', 0, [ref]$count, [ref]$ptr)) {
+  for ($i = 0; $i -lt $count; $i++) {
+    $credPtr = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($ptr, $i * [IntPtr]::Size)
+    $c = [System.Runtime.InteropServices.Marshal]::PtrToStructure($credPtr, [type]([KasyCred+CREDENTIAL]))
+    if ($c.CredentialBlobSize -gt 0) {
+      $bytes = New-Object byte[] $c.CredentialBlobSize
+      [System.Runtime.InteropServices.Marshal]::Copy($c.CredentialBlob, $bytes, 0, $c.CredentialBlobSize)
+      [Convert]::ToBase64String($bytes)
+      break
+    }
+  }
+}
+`;
+  const encoded = Buffer.from(ps, 'utf16le').toString('base64');
+  const { stdout } = await execAsync(
+    `powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand ${encoded}`,
+    { windowsHide: true, maxBuffer: 1024 * 1024 },
+  );
+  return (stdout || '').trim();
+}
+
 /**
- * Get the Supabase access token stored by `supabase login`.
- * macOS: stored in Keychain under "Supabase CLI" (go-keyring-base64 encoded).
- * Fallback: SUPABASE_ACCESS_TOKEN environment variable.
+ * Get the Supabase access token stored by `supabase login`, cross-platform:
+ *   - SUPABASE_ACCESS_TOKEN env var (any OS, also the CI path)
+ *   - macOS: Keychain (`security`)
+ *   - Windows: Credential Manager (CredRead via PowerShell)
+ *   - Linux: libsecret (`secret-tool`)
+ * Returns null if none works (caller degrades to a manual hint).
  */
 async function getSupabaseAccessToken() {
   if (process.env.SUPABASE_ACCESS_TOKEN) return process.env.SUPABASE_ACCESS_TOKEN;
-  try {
-    const { stdout } = await execAsync('security find-generic-password -s "Supabase CLI" -w');
-    const raw = stdout.trim();
-    if (raw.startsWith('go-keyring-base64:')) {
-      return Buffer.from(raw.replace('go-keyring-base64:', ''), 'base64').toString('utf8');
+
+  const decodeKeyring = (raw) => {
+    const s = (raw || '').trim();
+    if (!s) return null;
+    if (s.startsWith('go-keyring-base64:')) {
+      return Buffer.from(s.replace('go-keyring-base64:', ''), 'base64').toString('utf8').trim() || null;
+    }
+    return s;
+  };
+
+  if (process.platform === 'darwin') {
+    try {
+      const { stdout } = await execAsync(`security find-generic-password -s "${SUPABASE_KEYRING_SERVICE}" -w`);
+      return decodeKeyring(stdout);
+    } catch {
+      return null;
+    }
+  }
+
+  if (process.platform === 'win32') {
+    try {
+      const b64 = await readWindowsSupabaseTokenBase64();
+      if (!b64) return null;
+      const buf = Buffer.from(b64, 'base64');
+      // UTF-16LE blobs have a NUL after most bytes; UTF-8 blobs don't.
+      const nulCount = buf.reduce((n, b) => n + (b === 0 ? 1 : 0), 0);
+      const token = (nulCount > buf.length / 4 ? buf.toString('utf16le') : buf.toString('utf8')).trim();
+      return decodeKeyring(token);
+    } catch {
+      return null;
+    }
+  }
+
+  // Linux (libsecret). The account key has varied by CLI version, so try the
+  // ones we've seen before giving up.
+  for (const user of ['supabase', 'access-token']) {
+    try {
+      const { stdout } = await execAsync(
+        `secret-tool lookup service "${SUPABASE_KEYRING_SERVICE}" username "${user}"`,
+      );
+      const token = decodeKeyring(stdout);
+      if (token) return token;
+    } catch {
+      // try next
     }
-    return raw || null;
-  } catch {
-    return null;
   }
+  return null;
 }
 
 /**
@@ -352,19 +445,30 @@ async function dbPush(projectDir) {
 }
 
 /**
- * Set a single Supabase secret safely using execFile (no shell expansion).
- * supabase secrets set accepts KEY=VALUE as a positional arg.
+ * Set a single Supabase secret.
+ *
+ * On Windows the supabase binary is `supabase.cmd`, which execFile (no shell)
+ * can't launch — it failed with "spawn supabase ENOENT". We go through the
+ * shell-based run() instead, which resolves the .cmd and uses the augmented
+ * PATH. To keep the secret value off the command line (no shell escaping /
+ * injection), we hand it to the CLI via a temporary --env-file rather than as a
+ * positional KEY=VALUE arg.
  */
 async function setSecret(projectDir, key, value) {
+  let tmpDir;
   try {
-    await execFileAsync('supabase', ['secrets', 'set', `${key}=${value}`], {
-      cwd: projectDir,
-      maxBuffer: 10 * 1024 * 1024,
-      env: process.env,
-    });
+    tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'kasy-secret-'));
+    const envFile = path.join(tmpDir, 'secret.env');
+    // The value is single-line (JSON is compacted upstream). dotenv splits on the
+    // first '=' only, so any '=' inside the value is preserved.
+    await fs.writeFile(envFile, `${key}=${value}\n`, 'utf8');
+    const r = await run(`supabase secrets set --env-file "${envFile}"`, projectDir);
+    if (!r.ok) return { ok: false, error: (r.stderr || r.error || '').slice(0, 300) };
     return { ok: true };
   } catch (err) {
     return { ok: false, error: err.message };
+  } finally {
+    if (tmpDir) await fs.remove(tmpDir).catch(() => {});
   }
 }
 

package/lib/scaffold/shared/fcm-service-account.js

@@ -14,12 +14,14 @@ const { promisify } = require('node:util');
 const fs = require('fs-extra');
 const path = require('node:path');
 const os = require('node:os');
+const { augmentedEnv } = require('../../utils/env-tools');
 
 const execAsync = promisify(exec);
 
 async function run(cmd) {
   try {
-    const { stdout, stderr } = await execAsync(cmd, { maxBuffer: 5 * 1024 * 1024 });
+    // augmentedEnv so a gcloud installed earlier this run is found on Windows.
+    const { stdout, stderr } = await execAsync(cmd, { maxBuffer: 5 * 1024 * 1024, env: augmentedEnv() });
     return { ok: true, stdout: stdout.trim(), stderr: stderr.trim() };
   } catch (err) {
     return {
@@ -86,17 +88,31 @@ async function createFcmServiceAccountKey(projectId) {
     return { ok: false, error: 'projectId is required' };
   }
 
-  const saResult = await findFirebaseAdminSdkSA(projectId.trim());
-  if (!saResult.ok) {
-    return { ok: false, error: saResult.error };
-  }
-
-  const saEmail = saResult.email;
+  const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
 
-  // Ensure the service account can send FCM messages (idempotent)
-  const roleResult = await grantFcmAdminRole(projectId.trim(), saEmail);
-  if (!roleResult.ok) {
-    return { ok: false, error: roleResult.error };
+  // On a brand-new project the Firebase Admin SDK service account is provisioned
+  // asynchronously after Firebase is added, and the IAM role grant also needs a
+  // moment to take. Both can fail immediately on the first try, which is why
+  // push used to come out half-configured on fresh Supabase/API projects. Retry
+  // the discover+grant with backoff before giving up.
+  let saEmail = '';
+  let lastErr = 'Firebase Admin SDK service account not found';
+  for (let attempt = 1; attempt <= 7; attempt++) {
+    const saResult = await findFirebaseAdminSdkSA(projectId.trim());
+    if (saResult.ok) {
+      const roleResult = await grantFcmAdminRole(projectId.trim(), saResult.email);
+      if (roleResult.ok) {
+        saEmail = saResult.email;
+        break;
+      }
+      lastErr = roleResult.error;
+    } else {
+      lastErr = saResult.error;
+    }
+    if (attempt < 7) await sleep(10000);
+  }
+  if (!saEmail) {
+    return { ok: false, error: lastErr };
   }
 
   const tmpPath = path.join(os.tmpdir(), `kasy-fcm-${Date.now()}.json`);
@@ -105,7 +121,6 @@ async function createFcmServiceAccountKey(projectId) {
   // IAM permission takes a moment to propagate — so the first key-create often
   // fails with "permission still propagating". Back off and retry a few times
   // before giving up, instead of leaving push half-configured.
-  const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
   let keyResult;
   for (let attempt = 1; attempt <= 4; attempt++) {
     keyResult = await run(

package/lib/scaffold/shared/post-build.js

@@ -38,7 +38,11 @@ async function run(cmd, cwd, timeout) {
 }
 
 async function pubGet(projectDir) {
-  return run('flutter pub get', projectDir, 300_000); // 5 min
+  // 15 min: the FIRST `flutter pub get` on a fresh machine downloads the whole
+  // dependency tree (this template pulls in firebase, supabase, revenuecat,
+  // stripe, sentry…), which timed out at the old 5-min cap on slower Windows
+  // connections. It's a ceiling, not a wait — a warm cache still returns fast.
+  return run('flutter pub get', projectDir, 900_000);
 }
 
 async function slangGenerate(projectDir) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.30.0",
+  "version": "1.31.1",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"

package/templates/firebase/lib/core/bottom_menu/active_tab_notifier.dart

@@ -0,0 +1,14 @@
+import 'package:flutter/foundation.dart';
+
+/// The bottom-bar tab the user last opened, held at top level so it outlives the
+/// [BottomMenu] remount that happens whenever the responsive layout flips
+/// small↔large (e.g. toggling the web device preview, which renders the app in a
+/// phone-width frame). Persisting it lets the bottom bar restore the tab instead
+/// of snapping back to the first one on remount or hard reload (F5).
+///
+/// It lives in its own dependency-free file so both [BottomMenu] and the logout
+/// flow can touch it without an import cycle. Cleared on logout so a fresh login
+/// always lands on the default tab. Null until the user opens a tab.
+final ValueNotifier<String?> activeTabRouteNotifier = ValueNotifier<String?>(
+  null,
+);

package/templates/firebase/lib/core/bottom_menu/bottom_menu.dart

@@ -4,6 +4,7 @@ import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:kasy_kit/components/kasy_sidebar.dart';
+import 'package:kasy_kit/core/bottom_menu/active_tab_notifier.dart';
 import 'package:kasy_kit/core/bottom_menu/bottom_router.dart';
 import 'package:kasy_kit/core/bottom_menu/kasy_bottom_bar_factory.dart';
 import 'package:kasy_kit/core/bottom_menu/web_content_wrapper.dart';
@@ -15,6 +16,12 @@ import 'package:kasy_kit/core/widgets/responsive_layout.dart';
 import 'package:kasy_kit/features/settings/ui/widgets/kasy_user_avatar.dart';
 import 'package:kasy_kit/i18n/translations.g.dart';
 
+/// Records the active tab so it survives the next remount. Wired to
+/// [bart.BartScaffold.onRouteChanged]. See [activeTabRouteNotifier].
+void _rememberActiveTab(bart.BartMenuRoute route) {
+  activeTabRouteNotifier.value = route.path;
+}
+
 /// Bottom navigation host powered by Bart (https://pub.dev/packages/bart).
 ///
 /// [ResponsiveLayout] swaps between three [bart.BartScaffold]s (small / medium /
@@ -89,6 +96,7 @@ class BottomMenu extends StatelessWidget {
             showBottomBarOnStart: showBottomBarOnStart,
             scaffoldOptions: scaffoldOptions,
             sideBarOptions: connectedSidebar(),
+            onRouteChanged: _rememberActiveTab,
           ),
         );
 
@@ -104,6 +112,7 @@ class BottomMenu extends StatelessWidget {
           initialRoute: resolvedInitialRoute,
           showBottomBarOnStart: showBottomBarOnStart,
           scaffoldOptions: scaffoldOptions,
+          onRouteChanged: _rememberActiveTab,
         ),
         medium: connectedScaffold(),
         large: connectedScaffold(),
@@ -115,6 +124,19 @@ class BottomMenu extends StatelessWidget {
     if (route != null) {
       return route;
     }
+    // Restore the last tab across a remount. This is the reliable source: the
+    // browser URL is contended by both GoRouter and Bart, but this notifier is
+    // owned solely by the bottom bar and lives above the rebuilt subtree.
+    //
+    // The value is returned as a BARE tab name (e.g. "settings", not
+    // "/settings"). Bart's NestedNavigator matches routes by their exact path,
+    // which has no leading slash; passing a "/"-prefixed route makes Flutter's
+    // Navigator split it into segments that never match, so it falls back to the
+    // first tab (home). See bart's nested_navigator.dart onGenerateRoute.
+    final String? lastTab = activeTabRouteNotifier.value;
+    if (lastTab != null && _isKnownTab(lastTab)) {
+      return _bareTab(lastTab);
+    }
     if (!kIsWeb) {
       return null;
     }
@@ -124,21 +146,22 @@ class BottomMenu extends StatelessWidget {
       return null;
     }
     // A single segment is a bottom-bar tab (home/notifications/settings/…).
-    // Bart keeps the browser URL in sync with the active tab via
-    // history.pushState, so honoring it here means a remount (e.g. toggling the
-    // web device preview) or a hard reload restores the tab the user was on
-    // instead of snapping back to the first one. Only accept it when it maps to
-    // a real tab; anything else falls back to the default tab.
+    // Bart keeps the browser URL in sync via history.pushState, so honoring it
+    // here also restores the tab on a hard reload (F5). Only accept it when it
+    // maps to a real tab; anything else falls back to the default tab.
     if (segments.length == 1) {
-      final String tab = segments.first;
-      final bool isKnownTab = subRoutes().any(
-        (r) => r.path.replaceAll('/', '') == tab,
-      );
-      return isKnownTab ? '/$tab' : null;
+      return _isKnownTab(segments.first) ? _bareTab(segments.first) : null;
     }
     return '/${segments.join('/')}';
   }
 
+  String _bareTab(String path) => path.replaceAll('/', '');
+
+  bool _isKnownTab(String path) {
+    final String tab = _bareTab(path);
+    return subRoutes().any((r) => _bareTab(r.path) == tab);
+  }
+
   String _initialWebPath(Uri uri) {
     final path = uri.path;
     if (path != '/' && path.isNotEmpty) {

package/templates/firebase/lib/core/states/user_state_notifier.dart

@@ -1,6 +1,7 @@
 import 'dart:async';
 
 import 'package:flutter/foundation.dart';
+import 'package:kasy_kit/core/bottom_menu/active_tab_notifier.dart';
 import 'package:kasy_kit/core/config/features.dart';
 import 'package:kasy_kit/core/data/models/entitlement.dart';
 import 'package:kasy_kit/core/data/models/subscription.dart';
@@ -139,6 +140,9 @@ class UserStateNotifier extends _$UserStateNotifier implements OnStartService {
     // Biometric lock is a per-account preference, not a device-wide one.
     // The next user signing in on this install should start without it set.
     await ref.read(sharedPreferencesProvider).setBiometricEnabled(false);
+    // Forget the last bottom-bar tab so the next login lands on the default tab
+    // (Home) instead of wherever the previous account left off.
+    activeTabRouteNotifier.value = null;
     state = const UserState(user: User.anonymous());
     if (mode == AuthenticationMode.anonymous) {
       await _loadAnonymousState();

package/templates/firebase/lib/core/web_device_preview/web_device_preview.dart

@@ -13,7 +13,10 @@ import 'package:provider/provider.dart';
 import 'package:shared_preferences/shared_preferences.dart';
 import 'package:universal_html/html.dart' as html;
 
-const String webDevicePreviewEnabledPrefKey = 'web_device_preview_enabled';
+// Suffixed `_v2` because the default flipped from OFF to ON. Values saved under
+// the old key were written while the default was OFF, so we ignore them and
+// start fresh — every install now gets the new ON default until it's toggled.
+const String webDevicePreviewEnabledPrefKey = 'web_device_preview_enabled_v2';
 const String _platformPrefKey = 'web_device_preview_platform';
 const String _iosIndexPrefKey = 'web_device_preview_ios_index';
 const String _androidIndexPrefKey = 'web_device_preview_android_index';
@@ -203,11 +206,11 @@ class _WebDevicePreviewState extends State<WebDevicePreview>
   Future<void> _bootstrap() async {
     final prefs = await SharedPreferences.getInstance();
 
-    // Default OFF: the web app renders at its real desktop proportions instead
-    // of inside a simulated device frame (which distorts scale/proportion).
-    // Devs who want to preview the mobile app in a device frame toggle it on
-    // (shortcut), and that choice persists for subsequent launches.
-    final savedEnabled = prefs.getBool(webDevicePreviewEnabledPrefKey) ?? false;
+    // Default ON: previewing the mobile app inside a device frame is the
+    // expected first view for this mobile-first template. Devs who prefer the
+    // real desktop proportions toggle it off (shortcut), and that choice
+    // persists for subsequent launches.
+    final savedEnabled = prefs.getBool(webDevicePreviewEnabledPrefKey) ?? true;
     final savedPlatform = prefs.getInt(_platformPrefKey);
     final savedIosIndex = prefs.getInt(_iosIndexPrefKey);
     final savedAndroidIndex = prefs.getInt(_androidIndexPrefKey);

package/templates/firebase/pubspec.yaml

@@ -16,7 +16,7 @@ publish_to: 'none' # Remove this line if you wish to publish to pub.dev
 # https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
 # In Windows, build-name is used as the major, minor, and patch parts
 # of the product and file versions while build-number is used as the build suffix.
-version: 1.0.0+34
+version: 1.0.0+35
 
 environment:
   sdk: ^3.11.0