kasy-cli 1.31.1 → 1.31.3

package/lib/commands/check.js

@@ -186,7 +186,9 @@ async function runCheck(options = {}) {
       if (options.fix && firebaseProjectId) {
         const fixSpinner = ui.spinner();
         fixSpinner.start(t('check.fbSak.spin'));
-        const fcmResult = await createFcmServiceAccountKey(firebaseProjectId);
+        const fcmResult = await createFcmServiceAccountKey(firebaseProjectId, {
+          onProgress: (stage) => { if (stage === 'orgPolicy') fixSpinner.message(t('new.fcm.adjustingOrgPolicy')); },
+        });
         fixSpinner.stop(t('check.fbSak.spinDone'));
 
         if (fcmResult.ok) {

package/lib/commands/new.js

@@ -546,6 +546,10 @@ function printStepResult(step, lang = 'pt') {
   const detail = step.detail ? kleur.dim(` — ${step.detail.split('\n')[0]}`) : '';
   if (step.ok) {
     ui.log.success(`${label}${detail}`);
+  } else if (step.warn) {
+    // Non-fatal: something we deliberately deferred (e.g. pub get on a slow
+    // connection). Show it as a warning, not a scary red error.
+    ui.log.warn(`${label}${detail}`);
   } else {
     ui.log.error(`${label}${detail}`);
   }
@@ -1904,13 +1908,19 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
       if (answers.firebaseProjectId) {
         const fcmSpinner = ui.timedSpinner();
         fcmSpinner.start(tr('new.fcm.generating'));
-        const fcmResult = await createFcmServiceAccountKey(answers.firebaseProjectId);
+        const fcmResult = await createFcmServiceAccountKey(answers.firebaseProjectId, {
+          onProgress: (stage) => { if (stage === 'orgPolicy') fcmSpinner.message(tr('new.fcm.adjustingOrgPolicy')); },
+        });
         fcmSpinner.stop(tr('new.fcm.generating'));
         if (fcmResult.ok) {
           fcmServiceAccountJson = fcmResult.json;
+          if (fcmResult.policyAdjusted) ui.log.info(tr('new.fcm.policyLifted'));
           printStepResult({ name: 'fcm-key', ok: true, detail: tr('new.fcm.ok') }, language);
         } else {
-          printStepResult({ name: 'fcm-key', ok: false, detail: tr('new.fcm.failSupabase') }, language);
+          const detail = (fcmResult.errorKind === 'orgPolicyNoPermission' || fcmResult.errorKind === 'orgPolicyBlocked')
+            ? tr('new.fcm.orgPolicyBlocked')
+            : tr('new.fcm.failSupabase');
+          printStepResult({ name: 'fcm-key', ok: false, detail }, language);
         }
       }
 
@@ -1986,7 +1996,9 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
   if (backend === 'api' && answers.firebaseProjectId) {
     const fcmSpinner = ui.timedSpinner();
     fcmSpinner.start(tr('new.fcm.generating'));
-    const fcmResult = await createFcmServiceAccountKey(answers.firebaseProjectId);
+    const fcmResult = await createFcmServiceAccountKey(answers.firebaseProjectId, {
+      onProgress: (stage) => { if (stage === 'orgPolicy') fcmSpinner.message(tr('new.fcm.adjustingOrgPolicy')); },
+    });
     fcmSpinner.stop(tr('new.fcm.generating'));
     if (fcmResult.ok) {
       try {
@@ -2002,13 +2014,17 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
             await fs.appendFile(gitignorePath, `\n# FCM service account key (credentials — do not commit)\n${gitignoreEntry}\n`, 'utf8');
           }
         }
+        if (fcmResult.policyAdjusted) ui.log.info(tr('new.fcm.policyLifted'));
         printStepResult({ name: 'fcm-key-saved', ok: true }, language);
         ui.log.message(tr('new.fcm.serverConfig'));
       } catch (_) {
         printStepResult({ name: 'fcm-key-saved', ok: false, detail: 'salvar arquivo de chave falhou' }, language);
       }
     } else {
-      printStepResult({ name: 'fcm-key', ok: false, detail: tr('new.fcm.failApi') }, language);
+      const detail = (fcmResult.errorKind === 'orgPolicyNoPermission' || fcmResult.errorKind === 'orgPolicyBlocked')
+        ? tr('new.fcm.orgPolicyBlocked')
+        : tr('new.fcm.failApi');
+      printStepResult({ name: 'fcm-key', ok: false, detail }, language);
     }
   }
 

package/lib/scaffold/backends/supabase/deploy.js

@@ -299,6 +299,51 @@ async function getSupabaseAccessToken() {
   return null;
 }
 
+/**
+ * PATCH the Supabase Management API auth config with a JSON body.
+ *
+ * Uses Node's built-in fetch (Node 18+) instead of shelling out to curl. curl
+ * with a single-quoted JSON body is unreliable on Windows: cmd.exe does not strip
+ * single quotes and treats the inner double quotes specially, so the body arrives
+ * mangled and the response comes back as the leaked payload — which then fails to
+ * parse ("Unexpected token ''', \"'{external\"... is not valid JSON"). fetch sends
+ * the exact bytes with no shell quoting involved, identically on every OS.
+ *
+ * @param {string} projectRef
+ * @param {string} token - Supabase access token
+ * @param {object} body - auth config fields to PATCH
+ * @returns {Promise<{ ok: boolean, data?: object, error?: string }>}
+ */
+async function patchAuthConfig(projectRef, token, body) {
+  let res;
+  try {
+    res = await fetch(
+      `https://api.supabase.com/v1/projects/${projectRef}/config/auth`,
+      {
+        method: 'PATCH',
+        headers: {
+          Authorization: `Bearer ${token}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(body),
+      }
+    );
+  } catch (err) {
+    return { ok: false, error: `Network error calling Management API: ${err.message}` };
+  }
+  const text = await res.text();
+  let data;
+  try {
+    data = JSON.parse(text);
+  } catch {
+    return { ok: false, error: `Management API returned non-JSON (HTTP ${res.status}): ${text.slice(0, 200)}` };
+  }
+  if (!res.ok) {
+    return { ok: false, error: data.message || `Management API error (HTTP ${res.status})`, data };
+  }
+  return { ok: true, data };
+}
+
 /**
  * Enable Google Sign-In on the Supabase project via Management API.
  *
@@ -313,27 +358,15 @@ async function enableGoogleSignIn(projectRef, webClientId, clientSecret) {
   if (!webClientId || !clientSecret) return { ok: false, error: 'webClientId and clientSecret are required' };
   const token = await getSupabaseAccessToken();
   if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
-  const payload = JSON.stringify({
+  const result = await patchAuthConfig(projectRef, token, {
     external_google_enabled: true,
     external_google_client_id: webClientId,
     external_google_secret: clientSecret,
     external_google_skip_nonce_check: true,
   });
-  const result = await run(
-    `curl -s -X PATCH "https://api.supabase.com/v1/projects/${projectRef}/config/auth" ` +
-    `-H "Authorization: Bearer ${token}" ` +
-    `-H "Content-Type: application/json" ` +
-    `-d '${payload}'`,
-    process.cwd()
-  );
   if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    if (data.external_google_enabled === true) return { ok: true };
-    return { ok: false, error: data.message || JSON.stringify(data) };
-  } catch {
-    return { ok: false, error: 'Could not parse Management API response' };
-  }
+  if (result.data.external_google_enabled === true) return { ok: true };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
 }
 
 /**
@@ -357,28 +390,16 @@ async function enableAppleSignIn(projectRef, bundleId) {
   if (!bundleId) return { ok: false, error: 'bundleId is required' };
   const token = await getSupabaseAccessToken();
   if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
-  const payload = JSON.stringify({
+  const result = await patchAuthConfig(projectRef, token, {
     external_apple_enabled: true,
     external_apple_client_id: bundleId,
   });
-  const result = await run(
-    `curl -s -X PATCH "https://api.supabase.com/v1/projects/${projectRef}/config/auth" ` +
-    `-H "Authorization: Bearer ${token}" ` +
-    `-H "Content-Type: application/json" ` +
-    `-d '${payload}'`,
-    process.cwd()
-  );
   if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    const allowedIds = String(data.external_apple_client_id || '')
-      .split(',')
-      .map((s) => s.trim());
-    if (data.external_apple_enabled === true && allowedIds.includes(bundleId)) return { ok: true };
-    return { ok: false, error: data.message || JSON.stringify(data) };
-  } catch {
-    return { ok: false, error: 'Could not parse Management API response' };
-  }
+  const allowedIds = String(result.data.external_apple_client_id || '')
+    .split(',')
+    .map((s) => s.trim());
+  if (result.data.external_apple_enabled === true && allowedIds.includes(bundleId)) return { ok: true };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
 }
 
 /**
@@ -391,24 +412,12 @@ async function enableAppleSignIn(projectRef, bundleId) {
 async function enableAnonymousSignIn(projectRef) {
   const token = await getSupabaseAccessToken();
   if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
-  const payload = JSON.stringify({
+  const result = await patchAuthConfig(projectRef, token, {
     external_anonymous_users_enabled: true,
     mailer_autoconfirm: true,
   });
-  const result = await run(
-    `curl -s -X PATCH "https://api.supabase.com/v1/projects/${projectRef}/config/auth" ` +
-    `-H "Authorization: Bearer ${token}" ` +
-    `-H "Content-Type: application/json" ` +
-    `-d '${payload}'`,
-    process.cwd()
-  );
   if (!result.ok) return { ok: false, error: result.error };
-  try {
-    const data = JSON.parse(result.stdout);
-    return { ok: data.external_anonymous_users_enabled === true };
-  } catch {
-    return { ok: false, error: 'Could not parse Management API response' };
-  }
+  return { ok: result.data.external_anonymous_users_enabled === true };
 }
 
 /**

package/lib/scaffold/generate.js

@@ -319,22 +319,40 @@ async function generateProject(targetDir, backend, options, hooks = {}) {
   // ── 2. Post-build comum ────────────────────────────────────────────────────
   onProgress('pub-get');
   const pubGetResult = await pubGet(targetDir);
-  steps.push({ name: 'pub-get', ok: pubGetResult.ok, detail: pubGetResult.ok ? null : pubGetResult.error });
-  if (!pubGetResult.ok) return { steps };
-
-  onProgress('slang');
-  const slangResult = await slangGenerate(targetDir);
-  steps.push({ name: 'slang', ok: slangResult.ok, detail: slangResult.ok ? null : slangResult.error });
-  if (!slangResult.ok) return { steps };
-
-  onProgress('build-runner');
-  const buildRunnerResult = await buildRunner(targetDir);
-  steps.push({
-    name: 'build-runner',
-    ok: buildRunnerResult.ok,
-    detail: buildRunnerResult.ok ? null : buildRunnerResult.error,
-  });
-  if (!buildRunnerResult.ok) return { steps };
+
+  // pub get is the prerequisite for the codegen steps (slang, build_runner): they
+  // run `dart run` inside the project and can't work without dependencies. If it
+  // didn't finish (a very slow/flaky Windows download, even after retries), DON'T
+  // abort the whole project — skip only the codegen steps and keep going, so
+  // flutterfire + backend config still complete. The user finishes with one
+  // `flutter pub get` later, which the IDE / `kasy run` does automatically. That
+  // turns a hard "Command failed" into a near-complete project plus one next step.
+  if (pubGetResult.ok) {
+    steps.push({ name: 'pub-get', ok: true });
+
+    onProgress('slang');
+    const slangResult = await slangGenerate(targetDir);
+    steps.push({ name: 'slang', ok: slangResult.ok, detail: slangResult.ok ? null : slangResult.error });
+    if (!slangResult.ok) return { steps };
+
+    onProgress('build-runner');
+    const buildRunnerResult = await buildRunner(targetDir);
+    steps.push({
+      name: 'build-runner',
+      ok: buildRunnerResult.ok,
+      detail: buildRunnerResult.ok ? null : buildRunnerResult.error,
+    });
+    if (!buildRunnerResult.ok) return { steps };
+  } else {
+    const deferredMsg = {
+      en: 'not downloaded yet (slow connection); open the project in VS Code to install',
+      pt: 'não baixou agora (conexão lenta); abra o projeto no VS Code que ele instala',
+      es: 'no se descargó ahora (conexión lenta); abre el proyecto en VS Code para instalar',
+    };
+    steps.push({ name: 'pub-get', ok: false, warn: true, detail: deferredMsg[language] || deferredMsg.en });
+    steps.push({ name: 'slang', skipped: true });
+    steps.push({ name: 'build-runner', skipped: true });
+  }
 
   onProgress('flutterfire');
   const ffResult = await flutterfireConfigure(targetDir, firebaseProjectId, { includeWeb });

package/lib/scaffold/shared/fcm-service-account.js

@@ -75,20 +75,126 @@ async function grantFcmAdminRole(projectId, saEmail) {
   return { ok: true };
 }
 
+/**
+ * Detects the one failure mode that NO amount of retrying can fix: the GCP org
+ * policy constraints/iam.disableServiceAccountKeyCreation. Google turns this on by
+ * default for organizations created since 2024 ("secure by default"), so a brand-new
+ * org blocks service-account key creation outright. gcloud reports it as
+ * FAILED_PRECONDITION: "Key creation is not allowed on this service account."
+ */
+function isKeyCreationBlockedByOrgPolicy(result) {
+  const blob = `${result.error || ''} ${result.stderr || ''} ${result.stdout || ''}`;
+  return /disableServiceAccountKeyCreation|Key creation is not allowed/i.test(blob);
+}
+
+/**
+ * Lifts the disableServiceAccountKeyCreation constraint for a SINGLE project (not the
+ * whole organization) so the Firebase Admin SDK key can be created. This is the
+ * standard, Google-documented way to allow SA keys where they are genuinely required
+ * — here, so Supabase Edge Functions / a REST server can authenticate to FCM HTTP v1.
+ *
+ * The override is scoped to the app's own project, leaving the org-wide policy intact.
+ * Requires the caller to have roles/orgpolicy.policyAdmin (org owners normally do).
+ *
+ * @param {string} projectId
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function allowServiceAccountKeyCreation(projectId) {
+  const result = await run(
+    `gcloud resource-manager org-policies disable-enforce` +
+    ` iam.disableServiceAccountKeyCreation --project=${projectId}`
+  );
+  if (!result.ok) {
+    return { ok: false, error: result.stderr || result.error };
+  }
+  return { ok: true };
+}
+
+/**
+ * True when a gcloud command failed because the account lacks the required IAM
+ * permission (as opposed to a transient/propagation error). Used to tell "you
+ * can't do this" apart from "try again in a moment".
+ */
+function isPermissionError(result) {
+  const blob = `${result.error || ''} ${result.stderr || ''}`;
+  return /PERMISSION_DENIED|does not have permission|Permission .*denied|\bforbidden\b|\b403\b/i.test(blob);
+}
+
+/**
+ * The active gcloud account as an IAM member string (e.g. "user:me@gmail.com").
+ * Service-account logins get the "serviceAccount:" prefix instead.
+ */
+async function getCurrentGcloudMember() {
+  const result = await run('gcloud config get-value account');
+  if (!result.ok) return null;
+  const email = (result.stdout || '').trim();
+  if (!email || email === '(unset)') return null;
+  const prefix = email.endsWith('.gserviceaccount.com') ? 'serviceAccount' : 'user';
+  return `${prefix}:${email}`;
+}
+
+/**
+ * The organization ID a project belongs to, or null if the project has no org
+ * (most personal Google accounts) — in which case there is no org policy to lift.
+ */
+async function getProjectOrganizationId(projectId) {
+  const result = await run(
+    `gcloud projects get-ancestors ${projectId} --format="value(id,type)"`
+  );
+  if (!result.ok) return null;
+  for (const line of (result.stdout || '').split('\n')) {
+    const [id, type] = line.trim().split(/\s+/);
+    if (type === 'organization' && id) return id;
+  }
+  return null;
+}
+
+/**
+ * Grants roles/orgpolicy.policyAdmin to an org member. Org OWNERS lack this role
+ * by default but CAN grant it (organizationAdmin includes setIamPolicy), which is
+ * what lets the lift below succeed. Returns ok:false if the account can't grant it
+ * (e.g. it's a non-owner member of a company org).
+ */
+async function grantOrgPolicyAdmin(orgId, member) {
+  const result = await run(
+    `gcloud organizations add-iam-policy-binding ${orgId}` +
+    ` --member="${member}" --role="roles/orgpolicy.policyAdmin" --condition=None`
+  );
+  return { ok: result.ok, error: result.stderr || result.error };
+}
+
+/**
+ * Removes the policyAdmin role we granted, returning the org to its original
+ * posture. Best effort — cleanup must never fail the overall key creation.
+ * The project-level unenforce stays (it needs no admin role and is the minimum
+ * required to rotate the key later).
+ */
+async function removeOrgPolicyAdmin(orgId, member) {
+  await run(
+    `gcloud organizations remove-iam-policy-binding ${orgId}` +
+    ` --member="${member}" --role="roles/orgpolicy.policyAdmin" --condition=None`
+  );
+}
+
 /**
  * Generates a new private key for the Firebase Admin SDK service account and returns
  * the JSON content as a string. The temporary key file is deleted immediately after reading.
  * Also ensures the service account has the roles/firebasecloudmessaging.admin IAM role.
  *
+ * If the org blocks SA key creation (default on new GCP orgs), the constraint is lifted
+ * for this project only and key creation is retried — otherwise push would silently come
+ * out unconfigured on every fresh organization.
+ *
  * @param {string} projectId - Firebase/GCP project ID
- * @returns {{ ok: boolean, json?: string, saEmail?: string, error?: string }}
+ * @returns {{ ok: boolean, json?: string, saEmail?: string, policyAdjusted?: boolean, errorKind?: string, error?: string }}
  */
-async function createFcmServiceAccountKey(projectId) {
+async function createFcmServiceAccountKey(projectId, { onProgress } = {}) {
   if (!projectId || !projectId.trim()) {
     return { ok: false, error: 'projectId is required' };
   }
 
   const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+  const notify = (stage) => { try { if (onProgress) onProgress(stage); } catch (_) {} };
 
   // On a brand-new project the Firebase Admin SDK service account is provisioned
   // asynchronously after Firebase is added, and the IAM role grant also needs a
@@ -116,24 +222,73 @@ async function createFcmServiceAccountKey(projectId) {
   }
 
   const tmpPath = path.join(os.tmpdir(), `kasy-fcm-${Date.now()}.json`);
+  const createKey = () => run(
+    `gcloud iam service-accounts keys create "${tmpPath}"` +
+    ` --iam-account="${saEmail}"` +
+    ` --project=${projectId.trim()}`
+  );
 
-  // Right after granting the FCM admin role (and on a brand-new project), the
-  // IAM permission takes a moment to propagate — so the first key-create often
-  // fails with "permission still propagating". Back off and retry a few times
-  // before giving up, instead of leaving push half-configured.
+  // Phase 1 — try a direct create. On personal Google accounts with no
+  // organization there is no blocking policy, so this just works once the IAM
+  // role settles. A couple of quick retries cover that role propagation.
   let keyResult;
-  for (let attempt = 1; attempt <= 4; attempt++) {
-    keyResult = await run(
-      `gcloud iam service-accounts keys create "${tmpPath}"` +
-      ` --iam-account="${saEmail}"` +
-      ` --project=${projectId.trim()}`
-    );
-    if (keyResult.ok) break;
-    if (attempt < 4) await sleep(7000);
+  for (let attempt = 1; attempt <= 3; attempt++) {
+    keyResult = await createKey();
+    if (keyResult.ok || !isKeyCreationBlockedByOrgPolicy(keyResult)) break;
+    if (attempt < 3) await sleep(5000);
   }
 
+  // Phase 2 — the org blocks SA keys (default on orgs created since 2024). Lift the
+  // constraint for THIS project only. Lifting needs roles/orgpolicy.policyAdmin,
+  // which even org OWNERS lack by default — but an owner CAN grant it to itself
+  // (organizationAdmin includes setIamPolicy). So: try to lift; if denied, self-grant
+  // policyAdmin and retry the lift; roll the grant back in Phase 3.
+  let policyAdjusted = false;
+  let selfGranted = null; // { orgId, member } to roll back afterward
+  if (!keyResult.ok && isKeyCreationBlockedByOrgPolicy(keyResult)) {
+    notify('orgPolicy');
+    let lift = await allowServiceAccountKeyCreation(projectId.trim());
+
+    if (!lift.ok && isPermissionError(lift)) {
+      const orgId = await getProjectOrganizationId(projectId.trim());
+      const member = await getCurrentGcloudMember();
+      if (orgId && member) {
+        const grant = await grantOrgPolicyAdmin(orgId, member);
+        if (grant.ok) {
+          selfGranted = { orgId, member };
+          // The grant takes a moment to propagate before the lift is accepted.
+          for (let attempt = 1; attempt <= 8 && !lift.ok; attempt++) {
+            await sleep(15000);
+            lift = await allowServiceAccountKeyCreation(projectId.trim());
+          }
+        }
+      }
+    }
+
+    if (lift.ok) {
+      policyAdjusted = true;
+      // The lift itself takes ~1-2 min to take effect — retry the create with backoff.
+      for (let attempt = 1; attempt <= 10; attempt++) {
+        keyResult = await createKey();
+        if (keyResult.ok) break;
+        if (attempt < 10) await sleep(15000);
+      }
+    }
+  }
+
+  // Phase 3 — roll back the broad policyAdmin grant so the organization returns to
+  // its original posture. The project-level unenforce stays: it needs no admin role
+  // and is the minimum required to rotate this key later.
+  if (selfGranted) await removeOrgPolicyAdmin(selfGranted.orgId, selfGranted.member);
+
   if (!keyResult.ok) {
     await fs.remove(tmpPath).catch(() => {});
+    // "Ask an org admin" only when we genuinely could not lift the policy (e.g. a
+    // non-owner member of a company org). If we DID lift it but creation is still
+    // propagating, fall through to the generic "try again" message, not a perms blame.
+    if (!policyAdjusted && isKeyCreationBlockedByOrgPolicy(keyResult)) {
+      return { ok: false, errorKind: 'orgPolicyBlocked', error: keyResult.error };
+    }
     return { ok: false, error: `Failed to generate key: ${keyResult.error}` };
   }
 
@@ -141,7 +296,7 @@ async function createFcmServiceAccountKey(projectId) {
     const jsonContent = await fs.readFile(tmpPath, 'utf8');
     await fs.remove(tmpPath).catch(() => {});
     JSON.parse(jsonContent); // validate
-    return { ok: true, json: jsonContent.trim(), saEmail };
+    return { ok: true, json: jsonContent.trim(), saEmail, policyAdjusted };
   } catch (err) {
     await fs.remove(tmpPath).catch(() => {});
     return { ok: false, error: `Failed to read generated key: ${err.message}` };

package/lib/scaffold/shared/post-build.js

@@ -37,12 +37,21 @@ async function run(cmd, cwd, timeout) {
   }
 }
 
-async function pubGet(projectDir) {
-  // 15 min: the FIRST `flutter pub get` on a fresh machine downloads the whole
-  // dependency tree (this template pulls in firebase, supabase, revenuecat,
-  // stripe, sentry…), which timed out at the old 5-min cap on slower Windows
-  // connections. It's a ceiling, not a wait — a warm cache still returns fast.
-  return run('flutter pub get', projectDir, 900_000);
+async function pubGet(projectDir, { onAttempt } = {}) {
+  // The FIRST `flutter pub get` on a fresh machine downloads the whole dependency
+  // tree (firebase, supabase, revenuecat, stripe, sentry…). On a slow Windows
+  // connection — or with antivirus scanning every cached file — a single attempt
+  // can time out (the user saw 15 min, then "Command failed"). The pub cache is
+  // global and persists between attempts, so each retry resumes where the last one
+  // stopped and tends to finish fast. A retry also clears a hung download. Try a
+  // few times with a shorter per-attempt ceiling before giving up.
+  let last;
+  for (let attempt = 1; attempt <= 2; attempt++) {
+    if (onAttempt) onAttempt(attempt);
+    last = await run('flutter pub get', projectDir, 600_000); // 10 min per attempt
+    if (last.ok) return last;
+  }
+  return last;
 }
 
 async function slangGenerate(projectDir) {
@@ -900,17 +909,19 @@ async function getGoogleClientSecretViaGcloud(firebaseProjectId) {
     if (!tokenResult.ok || !tokenResult.stdout.trim()) return '';
     const token = tokenResult.stdout.trim();
 
-    const curlCmd = [
-      'curl -sf',
-      `-H "Authorization: Bearer ${token}"`,
-      `-H "x-goog-user-project: ${firebaseProjectId}"`,
-      `"https://identitytoolkit.googleapis.com/admin/v2/projects/${firebaseProjectId}/defaultSupportedIdpConfigs/google.com"`,
-    ].join(' ');
-
-    const result = await run(curlCmd, process.cwd());
-    if (!result.ok || !result.stdout.trim()) return '';
-
-    const data = JSON.parse(result.stdout.trim());
+    // Use fetch (Node 18+) instead of curl: no shell quoting, identical on every OS,
+    // and it does not depend on curl being on PATH (not guaranteed on Windows).
+    const res = await fetch(
+      `https://identitytoolkit.googleapis.com/admin/v2/projects/${firebaseProjectId}/defaultSupportedIdpConfigs/google.com`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          'x-goog-user-project': firebaseProjectId,
+        },
+      }
+    );
+    if (!res.ok) return '';
+    const data = await res.json();
     return data.clientSecret || '';
   } catch (_) {
     return '';

package/lib/utils/i18n/messages-en.js

@@ -746,6 +746,9 @@ module.exports = {
     'new.fcm.ok': 'generated automatically',
     'new.fcm.failSupabase': 'not generated (GCP permission still propagating); set FIREBASE_SERVICE_ACCOUNT_JSON in your Supabase secrets',
     'new.fcm.failApi': 'not generated (GCP permission still propagating); run the command again in a few minutes',
+    'new.fcm.adjustingOrgPolicy': 'Enabling organization permissions for push (may take 1-2 min)…',
+    'new.fcm.policyLifted': 'Enabled service account key creation for this project (required for push notifications)',
+    'new.fcm.orgPolicyBlocked': 'not generated: your Google Cloud organization blocks service account keys. Ask an organization admin to allow it, or generate the key in the Firebase Console (Project settings > Service accounts > Generate new private key)',
     'new.sha1.registering': 'Registering SHA-1 for Google Sign-In (Android)…',
     'new.sha1.failed': 'SHA-1 not added automatically: {error}',
     'new.sha1.manual': 'Add it manually so Google Sign-In works on Android:',

package/lib/utils/i18n/messages-es.js

@@ -746,6 +746,9 @@ module.exports = {
     'new.fcm.ok': 'generada automáticamente',
     'new.fcm.failSupabase': 'no generada (permiso de GCP aún propagando); define FIREBASE_SERVICE_ACCOUNT_JSON en los secrets de Supabase',
     'new.fcm.failApi': 'no generada (permiso de GCP aún propagando); ejecuta el comando de nuevo en unos minutos',
+    'new.fcm.adjustingOrgPolicy': 'Habilitando permisos de la organización para el push (puede tardar 1-2 min)…',
+    'new.fcm.policyLifted': 'Habilitada la creación de claves de cuenta de servicio en este proyecto (necesario para las notificaciones push)',
+    'new.fcm.orgPolicyBlocked': 'no generada: tu organización en Google Cloud bloquea las claves de cuenta de servicio. Pide a un administrador de la organización que lo permita, o genera la clave en la Firebase Console (Configuración del proyecto > Cuentas de servicio > Generar nueva clave privada)',
     'new.sha1.registering': 'Registrando SHA-1 para Google Sign-In (Android)…',
     'new.sha1.failed': 'SHA-1 no añadido automáticamente: {error}',
     'new.sha1.manual': 'Agregalo manualmente para que Google Sign-In funcione en Android:',

package/lib/utils/i18n/messages-pt.js

@@ -746,6 +746,9 @@ module.exports = {
     'new.fcm.ok': 'gerada automaticamente',
     'new.fcm.failSupabase': 'não gerada (permissão do GCP ainda propagando); defina FIREBASE_SERVICE_ACCOUNT_JSON nos secrets do Supabase',
     'new.fcm.failApi': 'não gerada (permissão do GCP ainda propagando); rode o comando de novo em alguns minutos',
+    'new.fcm.adjustingOrgPolicy': 'Liberando permissões da organização para o push (pode levar 1-2 min)…',
+    'new.fcm.policyLifted': 'Liberada a criação de chaves de service account neste projeto (necessário para as notificações push)',
+    'new.fcm.orgPolicyBlocked': 'não gerada: sua organização no Google Cloud bloqueia chaves de service account. Peça a um administrador da organização para liberar, ou gere a chave no Firebase Console (Configurações do projeto > Contas de serviço > Gerar nova chave privada)',
     'new.sha1.registering': 'Registrando SHA-1 para Google Sign-In (Android)…',
     'new.sha1.failed': 'SHA-1 não adicionado automaticamente: {error}',
     'new.sha1.manual': 'Adicione manualmente para o Google Sign-In funcionar no Android:',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.31.1",
+  "version": "1.31.3",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"