kasy-cli 1.31.1 → 1.31.2

package/lib/commands/new.js

@@ -1908,9 +1908,13 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
         fcmSpinner.stop(tr('new.fcm.generating'));
         if (fcmResult.ok) {
           fcmServiceAccountJson = fcmResult.json;
+          if (fcmResult.policyAdjusted) ui.log.info(tr('new.fcm.policyLifted'));
           printStepResult({ name: 'fcm-key', ok: true, detail: tr('new.fcm.ok') }, language);
         } else {
-          printStepResult({ name: 'fcm-key', ok: false, detail: tr('new.fcm.failSupabase') }, language);
+          const detail = (fcmResult.errorKind === 'orgPolicyNoPermission' || fcmResult.errorKind === 'orgPolicyBlocked')
+            ? tr('new.fcm.orgPolicyBlocked')
+            : tr('new.fcm.failSupabase');
+          printStepResult({ name: 'fcm-key', ok: false, detail }, language);
         }
       }
 
@@ -2002,13 +2006,17 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
             await fs.appendFile(gitignorePath, `\n# FCM service account key (credentials — do not commit)\n${gitignoreEntry}\n`, 'utf8');
           }
         }
+        if (fcmResult.policyAdjusted) ui.log.info(tr('new.fcm.policyLifted'));
         printStepResult({ name: 'fcm-key-saved', ok: true }, language);
         ui.log.message(tr('new.fcm.serverConfig'));
       } catch (_) {
         printStepResult({ name: 'fcm-key-saved', ok: false, detail: 'salvar arquivo de chave falhou' }, language);
       }
     } else {
-      printStepResult({ name: 'fcm-key', ok: false, detail: tr('new.fcm.failApi') }, language);
+      const detail = (fcmResult.errorKind === 'orgPolicyNoPermission' || fcmResult.errorKind === 'orgPolicyBlocked')
+        ? tr('new.fcm.orgPolicyBlocked')
+        : tr('new.fcm.failApi');
+      printStepResult({ name: 'fcm-key', ok: false, detail }, language);
     }
   }
 

package/lib/scaffold/backends/supabase/deploy.js

@@ -299,6 +299,51 @@ async function getSupabaseAccessToken() {
   return null;
 }
 
+/**
+ * PATCH the Supabase Management API auth config with a JSON body.
+ *
+ * Uses Node's built-in fetch (Node 18+) instead of shelling out to curl. curl
+ * with a single-quoted JSON body is unreliable on Windows: cmd.exe does not strip
+ * single quotes and treats the inner double quotes specially, so the body arrives
+ * mangled and the response comes back as the leaked payload — which then fails to
+ * parse ("Unexpected token ''', \"'{external\"... is not valid JSON"). fetch sends
+ * the exact bytes with no shell quoting involved, identically on every OS.
+ *
+ * @param {string} projectRef
+ * @param {string} token - Supabase access token
+ * @param {object} body - auth config fields to PATCH
+ * @returns {Promise<{ ok: boolean, data?: object, error?: string }>}
+ */
+async function patchAuthConfig(projectRef, token, body) {
+  let res;
+  try {
+    res = await fetch(
+      `https://api.supabase.com/v1/projects/${projectRef}/config/auth`,
+      {
+        method: 'PATCH',
+        headers: {
+          Authorization: `Bearer ${token}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(body),
+      }
+    );
+  } catch (err) {
+    return { ok: false, error: `Network error calling Management API: ${err.message}` };
+  }
+  const text = await res.text();
+  let data;
+  try {
+    data = JSON.parse(text);
+  } catch {
+    return { ok: false, error: `Management API returned non-JSON (HTTP ${res.status}): ${text.slice(0, 200)}` };
+  }
+  if (!res.ok) {
+    return { ok: false, error: data.message || `Management API error (HTTP ${res.status})`, data };
+  }
+  return { ok: true, data };
+}
+
 /**
  * Enable Google Sign-In on the Supabase project via Management API.
  *
@@ -313,27 +358,15 @@ async function enableGoogleSignIn(projectRef, webClientId, clientSecret) {
   if (!webClientId || !clientSecret) return { ok: false, error: 'webClientId and clientSecret are required' };
   const token = await getSupabaseAccessToken();
   if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
-  const payload = JSON.stringify({
+  const result = await patchAuthConfig(projectRef, token, {
     external_google_enabled: true,
     external_google_client_id: webClientId,
     external_google_secret: clientSecret,
     external_google_skip_nonce_check: true,
   });
-  const result = await run(
-    `curl -s -X PATCH "https://api.supabase.com/v1/projects/${projectRef}/config/auth" ` +
-    `-H "Authorization: Bearer ${token}" ` +
-    `-H "Content-Type: application/json" ` +
-    `-d '${payload}'`,
-    process.cwd()
-  );
   if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    if (data.external_google_enabled === true) return { ok: true };
-    return { ok: false, error: data.message || JSON.stringify(data) };
-  } catch {
-    return { ok: false, error: 'Could not parse Management API response' };
-  }
+  if (result.data.external_google_enabled === true) return { ok: true };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
 }
 
 /**
@@ -357,28 +390,16 @@ async function enableAppleSignIn(projectRef, bundleId) {
   if (!bundleId) return { ok: false, error: 'bundleId is required' };
   const token = await getSupabaseAccessToken();
   if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
-  const payload = JSON.stringify({
+  const result = await patchAuthConfig(projectRef, token, {
     external_apple_enabled: true,
     external_apple_client_id: bundleId,
   });
-  const result = await run(
-    `curl -s -X PATCH "https://api.supabase.com/v1/projects/${projectRef}/config/auth" ` +
-    `-H "Authorization: Bearer ${token}" ` +
-    `-H "Content-Type: application/json" ` +
-    `-d '${payload}'`,
-    process.cwd()
-  );
   if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    const allowedIds = String(data.external_apple_client_id || '')
-      .split(',')
-      .map((s) => s.trim());
-    if (data.external_apple_enabled === true && allowedIds.includes(bundleId)) return { ok: true };
-    return { ok: false, error: data.message || JSON.stringify(data) };
-  } catch {
-    return { ok: false, error: 'Could not parse Management API response' };
-  }
+  const allowedIds = String(result.data.external_apple_client_id || '')
+    .split(',')
+    .map((s) => s.trim());
+  if (result.data.external_apple_enabled === true && allowedIds.includes(bundleId)) return { ok: true };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
 }
 
 /**
@@ -391,24 +412,12 @@ async function enableAppleSignIn(projectRef, bundleId) {
 async function enableAnonymousSignIn(projectRef) {
   const token = await getSupabaseAccessToken();
   if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
-  const payload = JSON.stringify({
+  const result = await patchAuthConfig(projectRef, token, {
     external_anonymous_users_enabled: true,
     mailer_autoconfirm: true,
   });
-  const result = await run(
-    `curl -s -X PATCH "https://api.supabase.com/v1/projects/${projectRef}/config/auth" ` +
-    `-H "Authorization: Bearer ${token}" ` +
-    `-H "Content-Type: application/json" ` +
-    `-d '${payload}'`,
-    process.cwd()
-  );
   if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    return { ok: data.external_anonymous_users_enabled === true };
-  } catch {
-    return { ok: false, error: 'Could not parse Management API response' };
-  }
+  return { ok: result.data.external_anonymous_users_enabled === true };
 }
 
 /**

package/lib/scaffold/shared/fcm-service-account.js

@@ -75,13 +75,52 @@ async function grantFcmAdminRole(projectId, saEmail) {
   return { ok: true };
 }
 
+/**
+ * Detects the one failure mode that NO amount of retrying can fix: the GCP org
+ * policy constraints/iam.disableServiceAccountKeyCreation. Google turns this on by
+ * default for organizations created since 2024 ("secure by default"), so a brand-new
+ * org blocks service-account key creation outright. gcloud reports it as
+ * FAILED_PRECONDITION: "Key creation is not allowed on this service account."
+ */
+function isKeyCreationBlockedByOrgPolicy(result) {
+  const blob = `${result.error || ''} ${result.stderr || ''} ${result.stdout || ''}`;
+  return /disableServiceAccountKeyCreation|Key creation is not allowed/i.test(blob);
+}
+
+/**
+ * Lifts the disableServiceAccountKeyCreation constraint for a SINGLE project (not the
+ * whole organization) so the Firebase Admin SDK key can be created. This is the
+ * standard, Google-documented way to allow SA keys where they are genuinely required
+ * — here, so Supabase Edge Functions / a REST server can authenticate to FCM HTTP v1.
+ *
+ * The override is scoped to the app's own project, leaving the org-wide policy intact.
+ * Requires the caller to have roles/orgpolicy.policyAdmin (org owners normally do).
+ *
+ * @param {string} projectId
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function allowServiceAccountKeyCreation(projectId) {
+  const result = await run(
+    `gcloud resource-manager org-policies disable-enforce` +
+    ` iam.disableServiceAccountKeyCreation --project=${projectId}`
+  );
+  if (!result.ok) {
+    return { ok: false, error: result.stderr || result.error };
+  }
+  return { ok: true };
+}
+
 /**
  * Generates a new private key for the Firebase Admin SDK service account and returns
  * the JSON content as a string. The temporary key file is deleted immediately after reading.
  * Also ensures the service account has the roles/firebasecloudmessaging.admin IAM role.
  *
+ * If the org blocks SA key creation (default on new GCP orgs), the constraint is lifted
+ * for this project only and key creation is retried — otherwise push would silently come
+ * out unconfigured on every fresh organization.
+ *
  * @param {string} projectId - Firebase/GCP project ID
- * @returns {{ ok: boolean, json?: string, saEmail?: string, error?: string }}
+ * @returns {{ ok: boolean, json?: string, saEmail?: string, policyAdjusted?: boolean, errorKind?: string, error?: string }}
  */
 async function createFcmServiceAccountKey(projectId) {
   if (!projectId || !projectId.trim()) {
@@ -116,24 +155,51 @@ async function createFcmServiceAccountKey(projectId) {
   }
 
   const tmpPath = path.join(os.tmpdir(), `kasy-fcm-${Date.now()}.json`);
+  const createKey = () => run(
+    `gcloud iam service-accounts keys create "${tmpPath}"` +
+    ` --iam-account="${saEmail}"` +
+    ` --project=${projectId.trim()}`
+  );
 
   // Right after granting the FCM admin role (and on a brand-new project), the
   // IAM permission takes a moment to propagate — so the first key-create often
   // fails with "permission still propagating". Back off and retry a few times
   // before giving up, instead of leaving push half-configured.
   let keyResult;
-  for (let attempt = 1; attempt <= 4; attempt++) {
-    keyResult = await run(
-      `gcloud iam service-accounts keys create "${tmpPath}"` +
-      ` --iam-account="${saEmail}"` +
-      ` --project=${projectId.trim()}`
-    );
+  let policyAdjusted = false;
+  const maxAttempts = 6;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    keyResult = await createKey();
     if (keyResult.ok) break;
-    if (attempt < 4) await sleep(7000);
+
+    // The org blocks SA keys (default on new GCP orgs). This is NOT a propagation
+    // race that retrying alone can fix — the constraint must be lifted. Lift it for
+    // THIS project once, then keep retrying: an org policy change itself takes a
+    // minute or more to take effect. If we can't lift it (no policy-admin
+    // permission), report a specific, actionable error instead of "still propagating".
+    if (isKeyCreationBlockedByOrgPolicy(keyResult)) {
+      if (!policyAdjusted) {
+        const lift = await allowServiceAccountKeyCreation(projectId.trim());
+        if (!lift.ok) {
+          await fs.remove(tmpPath).catch(() => {});
+          return { ok: false, errorKind: 'orgPolicyNoPermission', error: lift.error };
+        }
+        policyAdjusted = true;
+      }
+      if (attempt < maxAttempts) await sleep(15000);
+      continue;
+    }
+    if (attempt < maxAttempts) await sleep(7000);
   }
 
   if (!keyResult.ok) {
     await fs.remove(tmpPath).catch(() => {});
+    // Only surface the "ask an org admin" message when we genuinely could NOT lift
+    // the policy. If we DID lift it but the change is still propagating, fall through
+    // to the generic "still propagating, run again" message instead of blaming perms.
+    if (!policyAdjusted && isKeyCreationBlockedByOrgPolicy(keyResult)) {
+      return { ok: false, errorKind: 'orgPolicyBlocked', error: keyResult.error };
+    }
     return { ok: false, error: `Failed to generate key: ${keyResult.error}` };
   }
 
@@ -141,7 +207,7 @@ async function createFcmServiceAccountKey(projectId) {
     const jsonContent = await fs.readFile(tmpPath, 'utf8');
     await fs.remove(tmpPath).catch(() => {});
     JSON.parse(jsonContent); // validate
-    return { ok: true, json: jsonContent.trim(), saEmail };
+    return { ok: true, json: jsonContent.trim(), saEmail, policyAdjusted };
   } catch (err) {
     await fs.remove(tmpPath).catch(() => {});
     return { ok: false, error: `Failed to read generated key: ${err.message}` };

package/lib/scaffold/shared/post-build.js

@@ -900,17 +900,19 @@ async function getGoogleClientSecretViaGcloud(firebaseProjectId) {
     if (!tokenResult.ok || !tokenResult.stdout.trim()) return '';
     const token = tokenResult.stdout.trim();
 
-    const curlCmd = [
-      'curl -sf',
-      `-H "Authorization: Bearer ${token}"`,
-      `-H "x-goog-user-project: ${firebaseProjectId}"`,
-      `"https://identitytoolkit.googleapis.com/admin/v2/projects/${firebaseProjectId}/defaultSupportedIdpConfigs/google.com"`,
-    ].join(' ');
-
-    const result = await run(curlCmd, process.cwd());
-    if (!result.ok || !result.stdout.trim()) return '';
-
-    const data = JSON.parse(result.stdout.trim());
+    // Use fetch (Node 18+) instead of curl: no shell quoting, identical on every OS,
+    // and it does not depend on curl being on PATH (not guaranteed on Windows).
+    const res = await fetch(
+      `https://identitytoolkit.googleapis.com/admin/v2/projects/${firebaseProjectId}/defaultSupportedIdpConfigs/google.com`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          'x-goog-user-project': firebaseProjectId,
+        },
+      }
+    );
+    if (!res.ok) return '';
+    const data = await res.json();
     return data.clientSecret || '';
   } catch (_) {
     return '';

package/lib/utils/i18n/messages-en.js

@@ -746,6 +746,8 @@ module.exports = {
     'new.fcm.ok': 'generated automatically',
     'new.fcm.failSupabase': 'not generated (GCP permission still propagating); set FIREBASE_SERVICE_ACCOUNT_JSON in your Supabase secrets',
     'new.fcm.failApi': 'not generated (GCP permission still propagating); run the command again in a few minutes',
+    'new.fcm.policyLifted': 'Enabled service account key creation for this project (required for push notifications)',
+    'new.fcm.orgPolicyBlocked': 'not generated: your Google Cloud organization blocks service account keys. Ask an organization admin to allow it, or generate the key in the Firebase Console (Project settings > Service accounts > Generate new private key)',
     'new.sha1.registering': 'Registering SHA-1 for Google Sign-In (Android)…',
     'new.sha1.failed': 'SHA-1 not added automatically: {error}',
     'new.sha1.manual': 'Add it manually so Google Sign-In works on Android:',

package/lib/utils/i18n/messages-es.js

@@ -746,6 +746,8 @@ module.exports = {
     'new.fcm.ok': 'generada automáticamente',
     'new.fcm.failSupabase': 'no generada (permiso de GCP aún propagando); define FIREBASE_SERVICE_ACCOUNT_JSON en los secrets de Supabase',
     'new.fcm.failApi': 'no generada (permiso de GCP aún propagando); ejecuta el comando de nuevo en unos minutos',
+    'new.fcm.policyLifted': 'Habilitada la creación de claves de cuenta de servicio en este proyecto (necesario para las notificaciones push)',
+    'new.fcm.orgPolicyBlocked': 'no generada: tu organización en Google Cloud bloquea las claves de cuenta de servicio. Pide a un administrador de la organización que lo permita, o genera la clave en la Firebase Console (Configuración del proyecto > Cuentas de servicio > Generar nueva clave privada)',
     'new.sha1.registering': 'Registrando SHA-1 para Google Sign-In (Android)…',
     'new.sha1.failed': 'SHA-1 no añadido automáticamente: {error}',
     'new.sha1.manual': 'Agregalo manualmente para que Google Sign-In funcione en Android:',

package/lib/utils/i18n/messages-pt.js

@@ -746,6 +746,8 @@ module.exports = {
     'new.fcm.ok': 'gerada automaticamente',
     'new.fcm.failSupabase': 'não gerada (permissão do GCP ainda propagando); defina FIREBASE_SERVICE_ACCOUNT_JSON nos secrets do Supabase',
     'new.fcm.failApi': 'não gerada (permissão do GCP ainda propagando); rode o comando de novo em alguns minutos',
+    'new.fcm.policyLifted': 'Liberada a criação de chaves de service account neste projeto (necessário para as notificações push)',
+    'new.fcm.orgPolicyBlocked': 'não gerada: sua organização no Google Cloud bloqueia chaves de service account. Peça a um administrador da organização para liberar, ou gere a chave no Firebase Console (Configurações do projeto > Contas de serviço > Gerar nova chave privada)',
     'new.sha1.registering': 'Registrando SHA-1 para Google Sign-In (Android)…',
     'new.sha1.failed': 'SHA-1 não adicionado automaticamente: {error}',
     'new.sha1.manual': 'Adicione manualmente para o Google Sign-In funcionar no Android:',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.31.1",
+  "version": "1.31.2",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"