kasy-cli 1.31.0 → 1.31.1

package/lib/scaffold/backends/supabase/deploy.js

@@ -188,17 +188,18 @@ async function getProjectKeys(projectRef) {
 }
 
 // The Supabase CLI stores its access token via go-keyring under the service
-// "Supabase CLI" with the key/user "access-token". Each OS keeps that in a
-// different vault, so reading it back is per-OS. Used by the Management API
+// "Supabase CLI". The account/key has varied across CLI versions (e.g.
+// "supabase", "access-token"), so we DON'T hardcode it — we read by service
+// only. Each OS keeps this in a different vault. Used by the Management API
 // calls below (auth providers), which the CLI itself has no command for.
 const SUPABASE_KEYRING_SERVICE = 'Supabase CLI';
-const SUPABASE_KEYRING_USER = 'access-token';
 
-// Read a generic credential out of the Windows Credential Manager. go-keyring's
-// wincred backend names the target "<service>:<user>" and stores the secret as a
-// raw blob (UTF-8 or UTF-16LE depending on version), so we return the base64 of
-// the blob and let the caller pick the right decoding.
-async function readWindowsCredentialBase64(target) {
+// Read the Supabase token out of the Windows Credential Manager. go-keyring's
+// wincred backend names the target "<service>:<user>", but since the user part
+// differs by CLI version we ENUMERATE every credential whose target starts with
+// the service name and return the first non-empty blob as base64 — the caller
+// picks the decoding. Robust to the account name we can't see from here.
+async function readWindowsSupabaseTokenBase64() {
   const ps = `
 $ErrorActionPreference = 'Stop'
 $sig = @"
@@ -206,7 +207,7 @@ using System;
 using System.Runtime.InteropServices;
 public class KasyCred {
   [DllImport("advapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
-  public static extern bool CredRead(string target, int type, int flags, out IntPtr cred);
+  public static extern bool CredEnumerate(string filter, int flag, out int count, out IntPtr creds);
   [DllImport("advapi32.dll")] public static extern void CredFree(IntPtr cred);
   [StructLayout(LayoutKind.Sequential)] public struct CREDENTIAL {
     public int Flags; public int Type; public IntPtr TargetName; public IntPtr Comment;
@@ -217,13 +218,18 @@ public class KasyCred {
 }
 "@
 Add-Type $sig | Out-Null
-$ptr = [IntPtr]::Zero
-if ([KasyCred]::CredRead('${target}', 1, 0, [ref]$ptr)) {
-  $c = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type]([KasyCred+CREDENTIAL]))
-  $bytes = New-Object byte[] $c.CredentialBlobSize
-  [System.Runtime.InteropServices.Marshal]::Copy($c.CredentialBlob, $bytes, 0, $c.CredentialBlobSize)
-  [KasyCred]::CredFree($ptr)
-  [Convert]::ToBase64String($bytes)
+$count = 0; $ptr = [IntPtr]::Zero
+if ([KasyCred]::CredEnumerate('${SUPABASE_KEYRING_SERVICE}*', 0, [ref]$count, [ref]$ptr)) {
+  for ($i = 0; $i -lt $count; $i++) {
+    $credPtr = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($ptr, $i * [IntPtr]::Size)
+    $c = [System.Runtime.InteropServices.Marshal]::PtrToStructure($credPtr, [type]([KasyCred+CREDENTIAL]))
+    if ($c.CredentialBlobSize -gt 0) {
+      $bytes = New-Object byte[] $c.CredentialBlobSize
+      [System.Runtime.InteropServices.Marshal]::Copy($c.CredentialBlob, $bytes, 0, $c.CredentialBlobSize)
+      [Convert]::ToBase64String($bytes)
+      break
+    }
+  }
 }
 `;
   const encoded = Buffer.from(ps, 'utf16le').toString('base64');
@@ -265,7 +271,7 @@ async function getSupabaseAccessToken() {
 
   if (process.platform === 'win32') {
     try {
-      const b64 = await readWindowsCredentialBase64(`${SUPABASE_KEYRING_SERVICE}:${SUPABASE_KEYRING_USER}`);
+      const b64 = await readWindowsSupabaseTokenBase64();
       if (!b64) return null;
       const buf = Buffer.from(b64, 'base64');
       // UTF-16LE blobs have a NUL after most bytes; UTF-8 blobs don't.
@@ -277,15 +283,20 @@ async function getSupabaseAccessToken() {
     }
   }
 
-  // Linux (libsecret).
-  try {
-    const { stdout } = await execAsync(
-      `secret-tool lookup service "${SUPABASE_KEYRING_SERVICE}" username "${SUPABASE_KEYRING_USER}"`,
-    );
-    return decodeKeyring(stdout);
-  } catch {
-    return null;
+  // Linux (libsecret). The account key has varied by CLI version, so try the
+  // ones we've seen before giving up.
+  for (const user of ['supabase', 'access-token']) {
+    try {
+      const { stdout } = await execAsync(
+        `secret-tool lookup service "${SUPABASE_KEYRING_SERVICE}" username "${user}"`,
+      );
+      const token = decodeKeyring(stdout);
+      if (token) return token;
+    } catch {
+      // try next
+    }
   }
+  return null;
 }
 
 /**

package/lib/scaffold/shared/fcm-service-account.js

@@ -97,7 +97,7 @@ async function createFcmServiceAccountKey(projectId) {
   // the discover+grant with backoff before giving up.
   let saEmail = '';
   let lastErr = 'Firebase Admin SDK service account not found';
-  for (let attempt = 1; attempt <= 5; attempt++) {
+  for (let attempt = 1; attempt <= 7; attempt++) {
     const saResult = await findFirebaseAdminSdkSA(projectId.trim());
     if (saResult.ok) {
       const roleResult = await grantFcmAdminRole(projectId.trim(), saResult.email);
@@ -109,7 +109,7 @@ async function createFcmServiceAccountKey(projectId) {
     } else {
       lastErr = saResult.error;
     }
-    if (attempt < 5) await sleep(8000);
+    if (attempt < 7) await sleep(10000);
   }
   if (!saEmail) {
     return { ok: false, error: lastErr };

package/lib/scaffold/shared/post-build.js

@@ -38,7 +38,11 @@ async function run(cmd, cwd, timeout) {
 }
 
 async function pubGet(projectDir) {
-  return run('flutter pub get', projectDir, 300_000); // 5 min
+  // 15 min: the FIRST `flutter pub get` on a fresh machine downloads the whole
+  // dependency tree (this template pulls in firebase, supabase, revenuecat,
+  // stripe, sentry…), which timed out at the old 5-min cap on slower Windows
+  // connections. It's a ceiling, not a wait — a warm cache still returns fast.
+  return run('flutter pub get', projectDir, 900_000);
 }
 
 async function slangGenerate(projectDir) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.31.0",
+  "version": "1.31.1",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"

package/templates/firebase/lib/core/bottom_menu/active_tab_notifier.dart

@@ -0,0 +1,14 @@
+import 'package:flutter/foundation.dart';
+
+/// The bottom-bar tab the user last opened, held at top level so it outlives the
+/// [BottomMenu] remount that happens whenever the responsive layout flips
+/// small↔large (e.g. toggling the web device preview, which renders the app in a
+/// phone-width frame). Persisting it lets the bottom bar restore the tab instead
+/// of snapping back to the first one on remount or hard reload (F5).
+///
+/// It lives in its own dependency-free file so both [BottomMenu] and the logout
+/// flow can touch it without an import cycle. Cleared on logout so a fresh login
+/// always lands on the default tab. Null until the user opens a tab.
+final ValueNotifier<String?> activeTabRouteNotifier = ValueNotifier<String?>(
+  null,
+);

package/templates/firebase/lib/core/bottom_menu/bottom_menu.dart

@@ -4,6 +4,7 @@ import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:kasy_kit/components/kasy_sidebar.dart';
+import 'package:kasy_kit/core/bottom_menu/active_tab_notifier.dart';
 import 'package:kasy_kit/core/bottom_menu/bottom_router.dart';
 import 'package:kasy_kit/core/bottom_menu/kasy_bottom_bar_factory.dart';
 import 'package:kasy_kit/core/bottom_menu/web_content_wrapper.dart';
@@ -15,19 +16,8 @@ import 'package:kasy_kit/core/widgets/responsive_layout.dart';
 import 'package:kasy_kit/features/settings/ui/widgets/kasy_user_avatar.dart';
 import 'package:kasy_kit/i18n/translations.g.dart';
 
-/// The bottom-bar tab the user last opened, held at top level so it outlives the
-/// [BottomMenu] remount that happens whenever the responsive layout flips
-/// small↔large. Toggling the web device preview does exactly that: the app
-/// renders inside a phone-width frame when on and at full desktop width when
-/// off, so each toggle rebuilds [bart.BartScaffold] from scratch (its index
-/// notifier starts at 0). Persisting the tab here lets [BottomMenu] restore it
-/// instead of snapping back to the first tab. Null until the user opens a tab.
-final ValueNotifier<String?> activeTabRouteNotifier = ValueNotifier<String?>(
-  null,
-);
-
 /// Records the active tab so it survives the next remount. Wired to
-/// [bart.BartScaffold.onRouteChanged].
+/// [bart.BartScaffold.onRouteChanged]. See [activeTabRouteNotifier].
 void _rememberActiveTab(bart.BartMenuRoute route) {
   activeTabRouteNotifier.value = route.path;
 }

package/templates/firebase/lib/core/states/user_state_notifier.dart

@@ -1,6 +1,7 @@
 import 'dart:async';
 
 import 'package:flutter/foundation.dart';
+import 'package:kasy_kit/core/bottom_menu/active_tab_notifier.dart';
 import 'package:kasy_kit/core/config/features.dart';
 import 'package:kasy_kit/core/data/models/entitlement.dart';
 import 'package:kasy_kit/core/data/models/subscription.dart';
@@ -139,6 +140,9 @@ class UserStateNotifier extends _$UserStateNotifier implements OnStartService {
     // Biometric lock is a per-account preference, not a device-wide one.
     // The next user signing in on this install should start without it set.
     await ref.read(sharedPreferencesProvider).setBiometricEnabled(false);
+    // Forget the last bottom-bar tab so the next login lands on the default tab
+    // (Home) instead of wherever the previous account left off.
+    activeTabRouteNotifier.value = null;
     state = const UserState(user: User.anonymous());
     if (mode == AuthenticationMode.anonymous) {
       await _loadAnonymousState();

package/templates/firebase/lib/core/web_device_preview/web_device_preview.dart

@@ -13,7 +13,10 @@ import 'package:provider/provider.dart';
 import 'package:shared_preferences/shared_preferences.dart';
 import 'package:universal_html/html.dart' as html;
 
-const String webDevicePreviewEnabledPrefKey = 'web_device_preview_enabled';
+// Suffixed `_v2` because the default flipped from OFF to ON. Values saved under
+// the old key were written while the default was OFF, so we ignore them and
+// start fresh — every install now gets the new ON default until it's toggled.
+const String webDevicePreviewEnabledPrefKey = 'web_device_preview_enabled_v2';
 const String _platformPrefKey = 'web_device_preview_platform';
 const String _iosIndexPrefKey = 'web_device_preview_ios_index';
 const String _androidIndexPrefKey = 'web_device_preview_android_index';

package/templates/firebase/pubspec.yaml

@@ -16,7 +16,7 @@ publish_to: 'none' # Remove this line if you wish to publish to pub.dev
 # https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
 # In Windows, build-name is used as the major, minor, and patch parts
 # of the product and file versions while build-number is used as the build suffix.
-version: 1.0.0+34
+version: 1.0.0+35
 
 environment:
   sdk: ^3.11.0