kasy-cli 1.31.0 → 1.31.2

package/lib/commands/new.js

@@ -1908,9 +1908,13 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
         fcmSpinner.stop(tr('new.fcm.generating'));
         if (fcmResult.ok) {
           fcmServiceAccountJson = fcmResult.json;
+          if (fcmResult.policyAdjusted) ui.log.info(tr('new.fcm.policyLifted'));
           printStepResult({ name: 'fcm-key', ok: true, detail: tr('new.fcm.ok') }, language);
         } else {
-          printStepResult({ name: 'fcm-key', ok: false, detail: tr('new.fcm.failSupabase') }, language);
+          const detail = (fcmResult.errorKind === 'orgPolicyNoPermission' || fcmResult.errorKind === 'orgPolicyBlocked')
+            ? tr('new.fcm.orgPolicyBlocked')
+            : tr('new.fcm.failSupabase');
+          printStepResult({ name: 'fcm-key', ok: false, detail }, language);
         }
       }
 
@@ -2002,13 +2006,17 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
             await fs.appendFile(gitignorePath, `\n# FCM service account key (credentials — do not commit)\n${gitignoreEntry}\n`, 'utf8');
           }
         }
+        if (fcmResult.policyAdjusted) ui.log.info(tr('new.fcm.policyLifted'));
         printStepResult({ name: 'fcm-key-saved', ok: true }, language);
         ui.log.message(tr('new.fcm.serverConfig'));
       } catch (_) {
         printStepResult({ name: 'fcm-key-saved', ok: false, detail: 'salvar arquivo de chave falhou' }, language);
       }
     } else {
-      printStepResult({ name: 'fcm-key', ok: false, detail: tr('new.fcm.failApi') }, language);
+      const detail = (fcmResult.errorKind === 'orgPolicyNoPermission' || fcmResult.errorKind === 'orgPolicyBlocked')
+        ? tr('new.fcm.orgPolicyBlocked')
+        : tr('new.fcm.failApi');
+      printStepResult({ name: 'fcm-key', ok: false, detail }, language);
     }
   }
 

package/lib/scaffold/backends/supabase/deploy.js

@@ -188,17 +188,18 @@ async function getProjectKeys(projectRef) {
 }
 
 // The Supabase CLI stores its access token via go-keyring under the service
-// "Supabase CLI" with the key/user "access-token". Each OS keeps that in a
-// different vault, so reading it back is per-OS. Used by the Management API
+// "Supabase CLI". The account/key has varied across CLI versions (e.g.
+// "supabase", "access-token"), so we DON'T hardcode it — we read by service
+// only. Each OS keeps this in a different vault. Used by the Management API
 // calls below (auth providers), which the CLI itself has no command for.
 const SUPABASE_KEYRING_SERVICE = 'Supabase CLI';
-const SUPABASE_KEYRING_USER = 'access-token';
 
-// Read a generic credential out of the Windows Credential Manager. go-keyring's
-// wincred backend names the target "<service>:<user>" and stores the secret as a
-// raw blob (UTF-8 or UTF-16LE depending on version), so we return the base64 of
-// the blob and let the caller pick the right decoding.
-async function readWindowsCredentialBase64(target) {
+// Read the Supabase token out of the Windows Credential Manager. go-keyring's
+// wincred backend names the target "<service>:<user>", but since the user part
+// differs by CLI version we ENUMERATE every credential whose target starts with
+// the service name and return the first non-empty blob as base64 — the caller
+// picks the decoding. Robust to the account name we can't see from here.
+async function readWindowsSupabaseTokenBase64() {
   const ps = `
 $ErrorActionPreference = 'Stop'
 $sig = @"
@@ -206,7 +207,7 @@ using System;
 using System.Runtime.InteropServices;
 public class KasyCred {
   [DllImport("advapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
-  public static extern bool CredRead(string target, int type, int flags, out IntPtr cred);
+  public static extern bool CredEnumerate(string filter, int flag, out int count, out IntPtr creds);
   [DllImport("advapi32.dll")] public static extern void CredFree(IntPtr cred);
   [StructLayout(LayoutKind.Sequential)] public struct CREDENTIAL {
     public int Flags; public int Type; public IntPtr TargetName; public IntPtr Comment;
@@ -217,13 +218,18 @@ public class KasyCred {
 }
 "@
 Add-Type $sig | Out-Null
-$ptr = [IntPtr]::Zero
-if ([KasyCred]::CredRead('${target}', 1, 0, [ref]$ptr)) {
-  $c = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type]([KasyCred+CREDENTIAL]))
-  $bytes = New-Object byte[] $c.CredentialBlobSize
-  [System.Runtime.InteropServices.Marshal]::Copy($c.CredentialBlob, $bytes, 0, $c.CredentialBlobSize)
-  [KasyCred]::CredFree($ptr)
-  [Convert]::ToBase64String($bytes)
+$count = 0; $ptr = [IntPtr]::Zero
+if ([KasyCred]::CredEnumerate('${SUPABASE_KEYRING_SERVICE}*', 0, [ref]$count, [ref]$ptr)) {
+  for ($i = 0; $i -lt $count; $i++) {
+    $credPtr = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($ptr, $i * [IntPtr]::Size)
+    $c = [System.Runtime.InteropServices.Marshal]::PtrToStructure($credPtr, [type]([KasyCred+CREDENTIAL]))
+    if ($c.CredentialBlobSize -gt 0) {
+      $bytes = New-Object byte[] $c.CredentialBlobSize
+      [System.Runtime.InteropServices.Marshal]::Copy($c.CredentialBlob, $bytes, 0, $c.CredentialBlobSize)
+      [Convert]::ToBase64String($bytes)
+      break
+    }
+  }
 }
 `;
   const encoded = Buffer.from(ps, 'utf16le').toString('base64');
@@ -265,7 +271,7 @@ async function getSupabaseAccessToken() {
 
   if (process.platform === 'win32') {
     try {
-      const b64 = await readWindowsCredentialBase64(`${SUPABASE_KEYRING_SERVICE}:${SUPABASE_KEYRING_USER}`);
+      const b64 = await readWindowsSupabaseTokenBase64();
       if (!b64) return null;
       const buf = Buffer.from(b64, 'base64');
       // UTF-16LE blobs have a NUL after most bytes; UTF-8 blobs don't.
@@ -277,15 +283,65 @@ async function getSupabaseAccessToken() {
     }
   }
 
-  // Linux (libsecret).
+  // Linux (libsecret). The account key has varied by CLI version, so try the
+  // ones we've seen before giving up.
+  for (const user of ['supabase', 'access-token']) {
+    try {
+      const { stdout } = await execAsync(
+        `secret-tool lookup service "${SUPABASE_KEYRING_SERVICE}" username "${user}"`,
+      );
+      const token = decodeKeyring(stdout);
+      if (token) return token;
+    } catch {
+      // try next
+    }
+  }
+  return null;
+}
+
+/**
+ * PATCH the Supabase Management API auth config with a JSON body.
+ *
+ * Uses Node's built-in fetch (Node 18+) instead of shelling out to curl. curl
+ * with a single-quoted JSON body is unreliable on Windows: cmd.exe does not strip
+ * single quotes and treats the inner double quotes specially, so the body arrives
+ * mangled and the response comes back as the leaked payload — which then fails to
+ * parse ("Unexpected token ''', \"'{external\"... is not valid JSON"). fetch sends
+ * the exact bytes with no shell quoting involved, identically on every OS.
+ *
+ * @param {string} projectRef
+ * @param {string} token - Supabase access token
+ * @param {object} body - auth config fields to PATCH
+ * @returns {Promise<{ ok: boolean, data?: object, error?: string }>}
+ */
+async function patchAuthConfig(projectRef, token, body) {
+  let res;
   try {
-    const { stdout } = await execAsync(
-      `secret-tool lookup service "${SUPABASE_KEYRING_SERVICE}" username "${SUPABASE_KEYRING_USER}"`,
+    res = await fetch(
+      `https://api.supabase.com/v1/projects/${projectRef}/config/auth`,
+      {
+        method: 'PATCH',
+        headers: {
+          Authorization: `Bearer ${token}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(body),
+      }
     );
-    return decodeKeyring(stdout);
+  } catch (err) {
+    return { ok: false, error: `Network error calling Management API: ${err.message}` };
+  }
+  const text = await res.text();
+  let data;
+  try {
+    data = JSON.parse(text);
   } catch {
-    return null;
+    return { ok: false, error: `Management API returned non-JSON (HTTP ${res.status}): ${text.slice(0, 200)}` };
   }
+  if (!res.ok) {
+    return { ok: false, error: data.message || `Management API error (HTTP ${res.status})`, data };
+  }
+  return { ok: true, data };
 }
 
 /**
@@ -302,27 +358,15 @@ async function enableGoogleSignIn(projectRef, webClientId, clientSecret) {
   if (!webClientId || !clientSecret) return { ok: false, error: 'webClientId and clientSecret are required' };
   const token = await getSupabaseAccessToken();
   if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
-  const payload = JSON.stringify({
+  const result = await patchAuthConfig(projectRef, token, {
     external_google_enabled: true,
     external_google_client_id: webClientId,
     external_google_secret: clientSecret,
     external_google_skip_nonce_check: true,
   });
-  const result = await run(
-    `curl -s -X PATCH "https://api.supabase.com/v1/projects/${projectRef}/config/auth" ` +
-    `-H "Authorization: Bearer ${token}" ` +
-    `-H "Content-Type: application/json" ` +
-    `-d '${payload}'`,
-    process.cwd()
-  );
   if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    if (data.external_google_enabled === true) return { ok: true };
-    return { ok: false, error: data.message || JSON.stringify(data) };
-  } catch {
-    return { ok: false, error: 'Could not parse Management API response' };
-  }
+  if (result.data.external_google_enabled === true) return { ok: true };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
 }
 
 /**
@@ -346,28 +390,16 @@ async function enableAppleSignIn(projectRef, bundleId) {
   if (!bundleId) return { ok: false, error: 'bundleId is required' };
   const token = await getSupabaseAccessToken();
   if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
-  const payload = JSON.stringify({
+  const result = await patchAuthConfig(projectRef, token, {
     external_apple_enabled: true,
     external_apple_client_id: bundleId,
   });
-  const result = await run(
-    `curl -s -X PATCH "https://api.supabase.com/v1/projects/${projectRef}/config/auth" ` +
-    `-H "Authorization: Bearer ${token}" ` +
-    `-H "Content-Type: application/json" ` +
-    `-d '${payload}'`,
-    process.cwd()
-  );
   if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    const allowedIds = String(data.external_apple_client_id || '')
-      .split(',')
-      .map((s) => s.trim());
-    if (data.external_apple_enabled === true && allowedIds.includes(bundleId)) return { ok: true };
-    return { ok: false, error: data.message || JSON.stringify(data) };
-  } catch {
-    return { ok: false, error: 'Could not parse Management API response' };
-  }
+  const allowedIds = String(result.data.external_apple_client_id || '')
+    .split(',')
+    .map((s) => s.trim());
+  if (result.data.external_apple_enabled === true && allowedIds.includes(bundleId)) return { ok: true };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
 }
 
 /**
@@ -380,24 +412,12 @@ async function enableAppleSignIn(projectRef, bundleId) {
 async function enableAnonymousSignIn(projectRef) {
   const token = await getSupabaseAccessToken();
   if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
-  const payload = JSON.stringify({
+  const result = await patchAuthConfig(projectRef, token, {
     external_anonymous_users_enabled: true,
     mailer_autoconfirm: true,
   });
-  const result = await run(
-    `curl -s -X PATCH "https://api.supabase.com/v1/projects/${projectRef}/config/auth" ` +
-    `-H "Authorization: Bearer ${token}" ` +
-    `-H "Content-Type: application/json" ` +
-    `-d '${payload}'`,
-    process.cwd()
-  );
   if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    return { ok: data.external_anonymous_users_enabled === true };
-  } catch {
-    return { ok: false, error: 'Could not parse Management API response' };
-  }
+  return { ok: result.data.external_anonymous_users_enabled === true };
 }
 
 /**

package/lib/scaffold/shared/fcm-service-account.js

@@ -75,13 +75,52 @@ async function grantFcmAdminRole(projectId, saEmail) {
   return { ok: true };
 }
 
+/**
+ * Detects the one failure mode that NO amount of retrying can fix: the GCP org
+ * policy constraints/iam.disableServiceAccountKeyCreation. Google turns this on by
+ * default for organizations created since 2024 ("secure by default"), so a brand-new
+ * org blocks service-account key creation outright. gcloud reports it as
+ * FAILED_PRECONDITION: "Key creation is not allowed on this service account."
+ */
+function isKeyCreationBlockedByOrgPolicy(result) {
+  const blob = `${result.error || ''} ${result.stderr || ''} ${result.stdout || ''}`;
+  return /disableServiceAccountKeyCreation|Key creation is not allowed/i.test(blob);
+}
+
+/**
+ * Lifts the disableServiceAccountKeyCreation constraint for a SINGLE project (not the
+ * whole organization) so the Firebase Admin SDK key can be created. This is the
+ * standard, Google-documented way to allow SA keys where they are genuinely required
+ * — here, so Supabase Edge Functions / a REST server can authenticate to FCM HTTP v1.
+ *
+ * The override is scoped to the app's own project, leaving the org-wide policy intact.
+ * Requires the caller to have roles/orgpolicy.policyAdmin (org owners normally do).
+ *
+ * @param {string} projectId
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function allowServiceAccountKeyCreation(projectId) {
+  const result = await run(
+    `gcloud resource-manager org-policies disable-enforce` +
+    ` iam.disableServiceAccountKeyCreation --project=${projectId}`
+  );
+  if (!result.ok) {
+    return { ok: false, error: result.stderr || result.error };
+  }
+  return { ok: true };
+}
+
 /**
  * Generates a new private key for the Firebase Admin SDK service account and returns
  * the JSON content as a string. The temporary key file is deleted immediately after reading.
  * Also ensures the service account has the roles/firebasecloudmessaging.admin IAM role.
  *
+ * If the org blocks SA key creation (default on new GCP orgs), the constraint is lifted
+ * for this project only and key creation is retried — otherwise push would silently come
+ * out unconfigured on every fresh organization.
+ *
  * @param {string} projectId - Firebase/GCP project ID
- * @returns {{ ok: boolean, json?: string, saEmail?: string, error?: string }}
+ * @returns {{ ok: boolean, json?: string, saEmail?: string, policyAdjusted?: boolean, errorKind?: string, error?: string }}
  */
 async function createFcmServiceAccountKey(projectId) {
   if (!projectId || !projectId.trim()) {
@@ -97,7 +136,7 @@ async function createFcmServiceAccountKey(projectId) {
   // the discover+grant with backoff before giving up.
   let saEmail = '';
   let lastErr = 'Firebase Admin SDK service account not found';
-  for (let attempt = 1; attempt <= 5; attempt++) {
+  for (let attempt = 1; attempt <= 7; attempt++) {
     const saResult = await findFirebaseAdminSdkSA(projectId.trim());
     if (saResult.ok) {
       const roleResult = await grantFcmAdminRole(projectId.trim(), saResult.email);
@@ -109,31 +148,58 @@ async function createFcmServiceAccountKey(projectId) {
     } else {
       lastErr = saResult.error;
     }
-    if (attempt < 5) await sleep(8000);
+    if (attempt < 7) await sleep(10000);
   }
   if (!saEmail) {
     return { ok: false, error: lastErr };
   }
 
   const tmpPath = path.join(os.tmpdir(), `kasy-fcm-${Date.now()}.json`);
+  const createKey = () => run(
+    `gcloud iam service-accounts keys create "${tmpPath}"` +
+    ` --iam-account="${saEmail}"` +
+    ` --project=${projectId.trim()}`
+  );
 
   // Right after granting the FCM admin role (and on a brand-new project), the
   // IAM permission takes a moment to propagate — so the first key-create often
   // fails with "permission still propagating". Back off and retry a few times
   // before giving up, instead of leaving push half-configured.
   let keyResult;
-  for (let attempt = 1; attempt <= 4; attempt++) {
-    keyResult = await run(
-      `gcloud iam service-accounts keys create "${tmpPath}"` +
-      ` --iam-account="${saEmail}"` +
-      ` --project=${projectId.trim()}`
-    );
+  let policyAdjusted = false;
+  const maxAttempts = 6;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    keyResult = await createKey();
     if (keyResult.ok) break;
-    if (attempt < 4) await sleep(7000);
+
+    // The org blocks SA keys (default on new GCP orgs). This is NOT a propagation
+    // race that retrying alone can fix — the constraint must be lifted. Lift it for
+    // THIS project once, then keep retrying: an org policy change itself takes a
+    // minute or more to take effect. If we can't lift it (no policy-admin
+    // permission), report a specific, actionable error instead of "still propagating".
+    if (isKeyCreationBlockedByOrgPolicy(keyResult)) {
+      if (!policyAdjusted) {
+        const lift = await allowServiceAccountKeyCreation(projectId.trim());
+        if (!lift.ok) {
+          await fs.remove(tmpPath).catch(() => {});
+          return { ok: false, errorKind: 'orgPolicyNoPermission', error: lift.error };
+        }
+        policyAdjusted = true;
+      }
+      if (attempt < maxAttempts) await sleep(15000);
+      continue;
+    }
+    if (attempt < maxAttempts) await sleep(7000);
   }
 
   if (!keyResult.ok) {
     await fs.remove(tmpPath).catch(() => {});
+    // Only surface the "ask an org admin" message when we genuinely could NOT lift
+    // the policy. If we DID lift it but the change is still propagating, fall through
+    // to the generic "still propagating, run again" message instead of blaming perms.
+    if (!policyAdjusted && isKeyCreationBlockedByOrgPolicy(keyResult)) {
+      return { ok: false, errorKind: 'orgPolicyBlocked', error: keyResult.error };
+    }
     return { ok: false, error: `Failed to generate key: ${keyResult.error}` };
   }
 
@@ -141,7 +207,7 @@ async function createFcmServiceAccountKey(projectId) {
     const jsonContent = await fs.readFile(tmpPath, 'utf8');
     await fs.remove(tmpPath).catch(() => {});
     JSON.parse(jsonContent); // validate
-    return { ok: true, json: jsonContent.trim(), saEmail };
+    return { ok: true, json: jsonContent.trim(), saEmail, policyAdjusted };
   } catch (err) {
     await fs.remove(tmpPath).catch(() => {});
     return { ok: false, error: `Failed to read generated key: ${err.message}` };

package/lib/scaffold/shared/post-build.js

@@ -38,7 +38,11 @@ async function run(cmd, cwd, timeout) {
 }
 
 async function pubGet(projectDir) {
-  return run('flutter pub get', projectDir, 300_000); // 5 min
+  // 15 min: the FIRST `flutter pub get` on a fresh machine downloads the whole
+  // dependency tree (this template pulls in firebase, supabase, revenuecat,
+  // stripe, sentry…), which timed out at the old 5-min cap on slower Windows
+  // connections. It's a ceiling, not a wait — a warm cache still returns fast.
+  return run('flutter pub get', projectDir, 900_000);
 }
 
 async function slangGenerate(projectDir) {
@@ -896,17 +900,19 @@ async function getGoogleClientSecretViaGcloud(firebaseProjectId) {
     if (!tokenResult.ok || !tokenResult.stdout.trim()) return '';
     const token = tokenResult.stdout.trim();
 
-    const curlCmd = [
-      'curl -sf',
-      `-H "Authorization: Bearer ${token}"`,
-      `-H "x-goog-user-project: ${firebaseProjectId}"`,
-      `"https://identitytoolkit.googleapis.com/admin/v2/projects/${firebaseProjectId}/defaultSupportedIdpConfigs/google.com"`,
-    ].join(' ');
-
-    const result = await run(curlCmd, process.cwd());
-    if (!result.ok || !result.stdout.trim()) return '';
-
-    const data = JSON.parse(result.stdout.trim());
+    // Use fetch (Node 18+) instead of curl: no shell quoting, identical on every OS,
+    // and it does not depend on curl being on PATH (not guaranteed on Windows).
+    const res = await fetch(
+      `https://identitytoolkit.googleapis.com/admin/v2/projects/${firebaseProjectId}/defaultSupportedIdpConfigs/google.com`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          'x-goog-user-project': firebaseProjectId,
+        },
+      }
+    );
+    if (!res.ok) return '';
+    const data = await res.json();
     return data.clientSecret || '';
   } catch (_) {
     return '';

package/lib/utils/i18n/messages-en.js

@@ -746,6 +746,8 @@ module.exports = {
     'new.fcm.ok': 'generated automatically',
     'new.fcm.failSupabase': 'not generated (GCP permission still propagating); set FIREBASE_SERVICE_ACCOUNT_JSON in your Supabase secrets',
     'new.fcm.failApi': 'not generated (GCP permission still propagating); run the command again in a few minutes',
+    'new.fcm.policyLifted': 'Enabled service account key creation for this project (required for push notifications)',
+    'new.fcm.orgPolicyBlocked': 'not generated: your Google Cloud organization blocks service account keys. Ask an organization admin to allow it, or generate the key in the Firebase Console (Project settings > Service accounts > Generate new private key)',
     'new.sha1.registering': 'Registering SHA-1 for Google Sign-In (Android)…',
     'new.sha1.failed': 'SHA-1 not added automatically: {error}',
     'new.sha1.manual': 'Add it manually so Google Sign-In works on Android:',

package/lib/utils/i18n/messages-es.js

@@ -746,6 +746,8 @@ module.exports = {
     'new.fcm.ok': 'generada automáticamente',
     'new.fcm.failSupabase': 'no generada (permiso de GCP aún propagando); define FIREBASE_SERVICE_ACCOUNT_JSON en los secrets de Supabase',
     'new.fcm.failApi': 'no generada (permiso de GCP aún propagando); ejecuta el comando de nuevo en unos minutos',
+    'new.fcm.policyLifted': 'Habilitada la creación de claves de cuenta de servicio en este proyecto (necesario para las notificaciones push)',
+    'new.fcm.orgPolicyBlocked': 'no generada: tu organización en Google Cloud bloquea las claves de cuenta de servicio. Pide a un administrador de la organización que lo permita, o genera la clave en la Firebase Console (Configuración del proyecto > Cuentas de servicio > Generar nueva clave privada)',
     'new.sha1.registering': 'Registrando SHA-1 para Google Sign-In (Android)…',
     'new.sha1.failed': 'SHA-1 no añadido automáticamente: {error}',
     'new.sha1.manual': 'Agregalo manualmente para que Google Sign-In funcione en Android:',

package/lib/utils/i18n/messages-pt.js

@@ -746,6 +746,8 @@ module.exports = {
     'new.fcm.ok': 'gerada automaticamente',
     'new.fcm.failSupabase': 'não gerada (permissão do GCP ainda propagando); defina FIREBASE_SERVICE_ACCOUNT_JSON nos secrets do Supabase',
     'new.fcm.failApi': 'não gerada (permissão do GCP ainda propagando); rode o comando de novo em alguns minutos',
+    'new.fcm.policyLifted': 'Liberada a criação de chaves de service account neste projeto (necessário para as notificações push)',
+    'new.fcm.orgPolicyBlocked': 'não gerada: sua organização no Google Cloud bloqueia chaves de service account. Peça a um administrador da organização para liberar, ou gere a chave no Firebase Console (Configurações do projeto > Contas de serviço > Gerar nova chave privada)',
     'new.sha1.registering': 'Registrando SHA-1 para Google Sign-In (Android)…',
     'new.sha1.failed': 'SHA-1 não adicionado automaticamente: {error}',
     'new.sha1.manual': 'Adicione manualmente para o Google Sign-In funcionar no Android:',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.31.0",
+  "version": "1.31.2",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"

package/templates/firebase/lib/core/bottom_menu/active_tab_notifier.dart

@@ -0,0 +1,14 @@
+import 'package:flutter/foundation.dart';
+
+/// The bottom-bar tab the user last opened, held at top level so it outlives the
+/// [BottomMenu] remount that happens whenever the responsive layout flips
+/// small↔large (e.g. toggling the web device preview, which renders the app in a
+/// phone-width frame). Persisting it lets the bottom bar restore the tab instead
+/// of snapping back to the first one on remount or hard reload (F5).
+///
+/// It lives in its own dependency-free file so both [BottomMenu] and the logout
+/// flow can touch it without an import cycle. Cleared on logout so a fresh login
+/// always lands on the default tab. Null until the user opens a tab.
+final ValueNotifier<String?> activeTabRouteNotifier = ValueNotifier<String?>(
+  null,
+);

package/templates/firebase/lib/core/bottom_menu/bottom_menu.dart

@@ -4,6 +4,7 @@ import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:kasy_kit/components/kasy_sidebar.dart';
+import 'package:kasy_kit/core/bottom_menu/active_tab_notifier.dart';
 import 'package:kasy_kit/core/bottom_menu/bottom_router.dart';
 import 'package:kasy_kit/core/bottom_menu/kasy_bottom_bar_factory.dart';
 import 'package:kasy_kit/core/bottom_menu/web_content_wrapper.dart';
@@ -15,19 +16,8 @@ import 'package:kasy_kit/core/widgets/responsive_layout.dart';
 import 'package:kasy_kit/features/settings/ui/widgets/kasy_user_avatar.dart';
 import 'package:kasy_kit/i18n/translations.g.dart';
 
-/// The bottom-bar tab the user last opened, held at top level so it outlives the
-/// [BottomMenu] remount that happens whenever the responsive layout flips
-/// small↔large. Toggling the web device preview does exactly that: the app
-/// renders inside a phone-width frame when on and at full desktop width when
-/// off, so each toggle rebuilds [bart.BartScaffold] from scratch (its index
-/// notifier starts at 0). Persisting the tab here lets [BottomMenu] restore it
-/// instead of snapping back to the first tab. Null until the user opens a tab.
-final ValueNotifier<String?> activeTabRouteNotifier = ValueNotifier<String?>(
-  null,
-);
-
 /// Records the active tab so it survives the next remount. Wired to
-/// [bart.BartScaffold.onRouteChanged].
+/// [bart.BartScaffold.onRouteChanged]. See [activeTabRouteNotifier].
 void _rememberActiveTab(bart.BartMenuRoute route) {
   activeTabRouteNotifier.value = route.path;
 }

package/templates/firebase/lib/core/states/user_state_notifier.dart

@@ -1,6 +1,7 @@
 import 'dart:async';
 
 import 'package:flutter/foundation.dart';
+import 'package:kasy_kit/core/bottom_menu/active_tab_notifier.dart';
 import 'package:kasy_kit/core/config/features.dart';
 import 'package:kasy_kit/core/data/models/entitlement.dart';
 import 'package:kasy_kit/core/data/models/subscription.dart';
@@ -139,6 +140,9 @@ class UserStateNotifier extends _$UserStateNotifier implements OnStartService {
     // Biometric lock is a per-account preference, not a device-wide one.
     // The next user signing in on this install should start without it set.
     await ref.read(sharedPreferencesProvider).setBiometricEnabled(false);
+    // Forget the last bottom-bar tab so the next login lands on the default tab
+    // (Home) instead of wherever the previous account left off.
+    activeTabRouteNotifier.value = null;
     state = const UserState(user: User.anonymous());
     if (mode == AuthenticationMode.anonymous) {
       await _loadAnonymousState();

package/templates/firebase/lib/core/web_device_preview/web_device_preview.dart

@@ -13,7 +13,10 @@ import 'package:provider/provider.dart';
 import 'package:shared_preferences/shared_preferences.dart';
 import 'package:universal_html/html.dart' as html;
 
-const String webDevicePreviewEnabledPrefKey = 'web_device_preview_enabled';
+// Suffixed `_v2` because the default flipped from OFF to ON. Values saved under
+// the old key were written while the default was OFF, so we ignore them and
+// start fresh — every install now gets the new ON default until it's toggled.
+const String webDevicePreviewEnabledPrefKey = 'web_device_preview_enabled_v2';
 const String _platformPrefKey = 'web_device_preview_platform';
 const String _iosIndexPrefKey = 'web_device_preview_ios_index';
 const String _androidIndexPrefKey = 'web_device_preview_android_index';

package/templates/firebase/pubspec.yaml

@@ -16,7 +16,7 @@ publish_to: 'none' # Remove this line if you wish to publish to pub.dev
 # https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
 # In Windows, build-name is used as the major, minor, and patch parts
 # of the product and file versions while build-number is used as the build suffix.
-version: 1.0.0+34
+version: 1.0.0+35
 
 environment:
   sdk: ^3.11.0