npm - kasy-cli - Versions diffs - 1.31.13 → 1.32.0 - Mend

kasy-cli 1.31.13 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (101) hide show

package/lib/commands/new.js CHANGED Viewed

@@ -44,7 +44,7 @@ const { generateApiProject } = require('../scaffold/backends/api/generator');
 const { createProjectAndGetKeys, setupLinkedProject, checkLoggedIn, getOrgsList, getProjectsByOrg, getProjectKeys, classifyCreateError } = require('../scaffold/backends/supabase/deploy');
 const { writeSupabaseGoogleAuthOptions, readSupabaseGoogleCredentials, getGoogleClientSecretViaGcloud, flutterfireConfigure, writeGoogleAuthOptions, ensureGoogleServiceInfoPlist, writeGoogleIosUrlScheme, writeGoogleIosUrlSchemeFromClientId } = require('../scaffold/shared/post-build');
 const { toPackageName } = require('../scaffold/backends/firebase/tokens');
-const { setupFromScratch, setupExistingProject, listBillingAccounts, listGcpOrganizations, checkGcloudAuth, getFirebaseAccount, getGcloudInstallInstructions, enableAuthProviders, ensureFirebaseAuthInitialized, registerDebugSha1 } = require('../scaffold/backends/firebase/setup-from-scratch');
+const { setupFromScratch, setupExistingProject, listBillingAccounts, listGcpOrganizations, checkGcloudAuth, getFirebaseAccount, getGcloudInstallInstructions, enableAuthProviders, ensureFirebaseAuthInitialized, authorizeLocalhostForProject, registerDebugSha1 } = require('../scaffold/backends/firebase/setup-from-scratch');
 const { enableAuthViaFirebaseCli } = require('../scaffold/backends/firebase/enable-auth-via-cli');
 const { createFcmServiceAccountKey } = require('../scaffold/shared/fcm-service-account');
@@ -509,6 +509,11 @@ function printSuccessCard(tr, answers, targetDir) {
     }
   }
+  if (answers.backend === 'api') {
+    lines.push(kleur.yellow(`! ${tr('new.success.api.serverContracts')}`));
+    lines.push('');
+  }
   lines.push(kleur.bold(tr('new.success.nextSteps')));
   lines.push('');
@@ -1827,6 +1832,15 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
       // Supabase setup runs in fcmOnly mode, which intentionally leaves Firebase
       // Auth untouched, so initialize it here (idempotent) before the deploy.
       await ensureFirebaseAuthInitialized(answers.firebaseProjectId);
+      // Web Google sign-in on Supabase brokers the Google ID token through the
+      // Firebase popup (signInWithPopup), which only runs from an authorized
+      // domain. fcmOnly setup skips the authorizedDomains step, so localhost is
+      // missing here and the web popup dies with [firebase_auth/unauthorized-domain].
+      // Add it best-effort now that auth is initialized. Native (mobile) is unaffected.
+      const localhostDomains = await authorizeLocalhostForProject(answers.firebaseProjectId);
+      if (!localhostDomains.ok) {
+        ui.log.warn(tr('new.google.localhostDomainWarn'));
+      }
       const cliResult = await enableAuthViaFirebaseCli({
         projectDir: targetDir,
         projectId: answers.firebaseProjectId,

package/lib/scaffold/CHANGELOG.json CHANGED Viewed

@@ -1,4 +1,13 @@
 {
+  "1.32.0": {
+    "modules": {
+      "core": {
+        "pt": "Proporção da web agora se adapta à largura real da janela: telas com escala alta do sistema (Windows em 125/150/175%) não ficam mais cortadas (sidebar/header), e o Mac continua igual. Ajuste só na web, nativo intocado.",
+        "en": "Web proportion now adapts to the real window width: high system-scale displays (Windows at 125/150/175%) no longer look cropped (sidebar/header), and Mac stays the same. Web-only, native untouched.",
+        "es": "La proporción en web ahora se adapta al ancho real de la ventana: pantallas con escala alta del sistema (Windows al 125/150/175%) ya no se ven recortadas (sidebar/header), y Mac queda igual. Solo en web, nativo intacto."
+      }
+    }
+  },
   "1.31.12": {
     "modules": {
       "core": {

package/lib/scaffold/backends/api/patch/README.md CHANGED Viewed

@@ -37,6 +37,7 @@ Ficam no `.vscode/launch.json` como variáveis de ambiente de build (`--dart-def
 | `RC_ANDROID_PROD_KEY` | RevenueCat | Dashboard RevenueCat → Apps → Google Play (chave `goog_`, usada automaticamente em Android físico) |
 | `SENTRY_DSN` | Sentry | Dashboard Sentry → Projeto → DSN |
 | `MIXPANEL_TOKEN` | Mixpanel | Dashboard Mixpanel → Configurações → Token |
+| `AI_CHAT_ENDPOINT` | IA Chat | URL do seu endpoint SSE de chat (ex.: `https://sua-api/ai-chat`) |
 Para atualizar, edite o `.vscode/launch.json`.
@@ -157,8 +158,92 @@ Formato de uma conversa (o "última mensagem" é desnormalizado para a lista fic
 ```
 Ao salvar uma mensagem, o servidor deve atualizar `updated_at`, `last_message_role` e
-`last_message_content` da conversa. O streaming da resposta da IA continua no endpoint
-`AI_CHAT_ENDPOINT` (SSE) — ele só recebe `message` + `history`, não persiste nada.
+`last_message_content` da conversa.
+### Endpoint: AI Chat (resposta em streaming)
+A resposta da IA é transmitida palavra a palavra via SSE por um endpoint separado,
+cuja URL vem do `--dart-define=AI_CHAT_ENDPOINT=...` (quadro de credenciais acima).
+Este endpoint **não persiste nada** — só faz o proxy para o provedor (OpenAI/Gemini)
+e devolve o texto em stream. A chave do provedor fica **só no servidor**.
+```
+POST {AI_CHAT_ENDPOINT}
+  Auth: Authorization: Bearer <token>   (enviado automaticamente pelo app)
+  Content-Type: application/json
+  body:
+  {
+    "message": "última mensagem do usuário",
+    "history": [ { "role": "user" | "assistant", "content": "..." } ]
+  }
+  200 OK  (text/event-stream)
+  → devolva o texto da resposta em chunks (stream); o app concatena e renderiza
+    em tempo real. Mantenha a chave da IA (OPENAI/GEMINI) apenas no servidor.
+```
+Se `AI_CHAT_ENDPOINT` não estiver definido, o chat mostra o estado "não configurado"
+(o app não quebra). Referência pronta: a Edge Function `ai-chat` do backend Supabase.
+---
+## Excluir conta
+O app chama um endpoint para o usuário excluir a própria conta. **É obrigatório
+para publicar na App Store e na Play Store**, então o seu backend precisa implementá-lo.
+```
+DELETE /users/me
+  Auth: Authorization: Bearer <token>   (identifica o usuário; enviado pelo app)
+  O servidor DEVE:
+   1. Apagar o usuário do sistema de auth para que aquele login nunca mais entre.
+   2. Apagar em cascata TODOS os dados do usuário: perfil, devices/tokens de push,
+      conversas + mensagens de IA, votos de feature requests, assinaturas, avatar.
+  → responda 2xx em caso de sucesso.
+```
+Sem esse endpoint, a exclusão de conta falha silenciosamente (404/405) num projeto
+API novo.
+---
+## Notificações push (FCM)
+Push **nativo (Android/iOS)** depende do seu servidor: o app registra o token do
+device e o seu backend envia via **FCM HTTP v1**. Na **web**, push é no-op de propósito
+(o app não registra token e não tenta enviar — só mostra as notificações que já existem).
+A chave de Service Account do Firebase foi salva pelo `kasy new` em
+`.kasy/fcm-service-account.json`. Carregue-a no servidor (ex.: variável
+`FIREBASE_SERVICE_ACCOUNT_JSON`) e use-a para chamar a FCM HTTP v1. Referência pronta
+de implementação: a Edge Function `send-push-notification` do backend Supabase.
+### Endpoints: devices (tokens de push)
+```
+POST   /users/{userId}/devices                          → registra/atualiza um device (body com token, platform, etc.)
+PUT    /devices/{deviceId}                               → atualiza um device existente
+DELETE /devices/{deviceId}                               → remove um device
+PATCH  /users/{userId}/devices/{installationId}/touch    → marca o device como ativo agora (last-seen)
+POST   /users/{userId}/devices/cleanup-stale             → remove devices antigos/inválidos
+DELETE /users/{userId}/devices                           → remove todos os devices do usuário (ex.: no logout)
+```
+### Endpoints: notifications
+```
+GET    /users/{userId}/notifications?page=&pageSize=     → lista paginada, mais recente primeiro
+PUT    /users/{userId}/notifications/{id}                → marca como lida
+DELETE /users/{userId}/notifications/{id}                → apaga uma notificação
+GET    /users/{userId}/notifications/unread              → SSE: stream da contagem de não-lidas (alimenta a "bolinha")
+POST   /users/{userId}/notifications                     → cria/envia para UM usuário (body: title, body, image_url?, data.route?, type)
+POST   /notifications/broadcast                          → envia para TODOS (mesmo body)
+```
+Todas exigem `Authorization: Bearer <token>` (enviado automaticamente). Ao criar uma
+notificação, o servidor persiste o registro **e** dispara o push via FCM para os devices
+do destinatário.
 ---

package/lib/scaffold/backends/api/patch/lib/features/authentication/api/authentication_api.dart CHANGED Viewed

@@ -3,6 +3,7 @@ import 'package:kasy_kit/core/data/api/http_client.dart';
 import 'package:kasy_kit/core/data/entities/user_entity.dart';
 import 'package:kasy_kit/features/authentication/api/authentication_api_interface.dart';
 import 'package:kasy_kit/features/authentication/repositories/exceptions/authentication_exceptions.dart';
+import 'package:flutter/foundation.dart' show kIsWeb;
 import 'package:flutter/services.dart' show PlatformException;
 import 'package:dio/dio.dart';
 import 'package:flutter_facebook_auth/flutter_facebook_auth.dart';
@@ -119,6 +120,15 @@ class HttpAuthenticationApi implements AuthenticationApi {
   @override
   Future<Credentials> signinWithGoogle() async {
+    // google_sign_in v7 authenticate() is unsupported on web (throws). The API
+    // backend is wire-it-yourself, so fail clearly instead of an opaque crash.
+    if (kIsWeb) {
+      throw UnimplementedError(
+        'Google sign-in on web is not wired for the API backend. Use '
+        'google_sign_in_web (renderButton) or a backend OAuth redirect, then '
+        'exchange the token with your API.',
+      );
+    }
     final googleSignIn = GoogleSignIn.instance;
     await googleSignIn.initialize(
       clientId: const String.fromEnvironment('GOOGLE_CLIENT_ID'),
@@ -153,6 +163,15 @@ class HttpAuthenticationApi implements AuthenticationApi {
   @override
   Future<Credentials> signinWithApple() async {
+    // Apple on web needs a paid Apple Service ID + secret and a backend token
+    // exchange; getAppleIDCredential crashes on web. The UI hides the Apple button
+    // on web; guard here too so a programmatic call fails clearly.
+    if (kIsWeb) {
+      throw UnimplementedError(
+        'Apple sign-in on web needs a paid Apple Service ID + secret and a backend '
+        'token exchange; it is not wired for the API backend.',
+      );
+    }
     late final AuthorizationCredentialAppleID credential;
     try {
       credential = await SignInWithApple.getAppleIDCredential(
@@ -212,6 +231,14 @@ class HttpAuthenticationApi implements AuthenticationApi {
   ///        POST /auth/link-google  {id_token, access_token}  → Credentials
   @override
   Future<Credentials> signupFromAnonymousWithGoogle() async {
+    // See signinWithGoogle: authenticate() is unsupported on web.
+    if (kIsWeb) {
+      throw UnimplementedError(
+        'Google sign-in on web is not wired for the API backend. Use '
+        'google_sign_in_web (renderButton) or a backend OAuth redirect, then '
+        'exchange the token with your API.',
+      );
+    }
     final googleSignIn = GoogleSignIn.instance;
     await googleSignIn.initialize(
       clientId: const String.fromEnvironment('GOOGLE_CLIENT_ID'),
@@ -242,6 +269,13 @@ class HttpAuthenticationApi implements AuthenticationApi {
   ///   POST /auth/link-apple  {identity_token, authorization_code}  → Credentials
   @override
   Future<Credentials> signupFromAnonymousWithApple() async {
+    // See signinWithApple: Apple on web is not wired for the API backend.
+    if (kIsWeb) {
+      throw UnimplementedError(
+        'Apple sign-in on web needs a paid Apple Service ID + secret and a backend '
+        'token exchange; it is not wired for the API backend.',
+      );
+    }
     late final AuthorizationCredentialAppleID credential;
     try {
       credential = await SignInWithApple.getAppleIDCredential(

package/lib/scaffold/backends/api/patch/lib/features/subscriptions/api/stripe_backend_api.dart CHANGED Viewed

@@ -38,6 +38,7 @@ class StripeBackendApi {
     String? successUrl,
     String? cancelUrl,
     String? locale,
+    bool? allowPromoCodes,
   }) async {
     final Response res = await _client.post(
       '/stripe/checkout-session',
@@ -46,16 +47,25 @@ class StripeBackendApi {
         if (successUrl != null) 'successUrl': successUrl,
         if (cancelUrl != null) 'cancelUrl': cancelUrl,
         if (locale != null) 'locale': locale,
+        if (allowPromoCodes != null) 'allowPromoCodes': allowPromoCodes,
       },
     );
     return (res.data as Map)['url'] as String;
   }
   /// Create a Customer Portal session (manage / cancel) and return its URL.
-  Future<String> createPortalSession({String? returnUrl}) async {
+  /// Pass [planSwitching] = true to auto-configure the portal with
+  /// upgrade/downgrade support (no manual Stripe dashboard setup needed).
+  Future<String> createPortalSession({
+    String? returnUrl,
+    bool? planSwitching,
+  }) async {
     final Response res = await _client.post(
       '/stripe/portal-session',
-      data: {if (returnUrl != null) 'returnUrl': returnUrl},
+      data: {
+        if (returnUrl != null) 'returnUrl': returnUrl,
+        if (planSwitching != null) 'planSwitching': planSwitching,
+      },
     );
     return (res.data as Map)['url'] as String;
   }

package/lib/scaffold/backends/firebase/setup-from-scratch.js CHANGED Viewed

@@ -743,6 +743,27 @@ async function ensureLocalhostAuthorizedDomains(projectId, token) {
   return { ok: true, added: missing };
 }
+/**
+ * Authorize localhost (and 127.0.0.1) on a project's Firebase Auth config,
+ * fetching the gcloud access token internally. Exported so callers that don't
+ * run the full setup (e.g. the Supabase backend, which sets up Firebase in
+ * fcmOnly mode and never reaches enableAuthProviders) can still authorize the
+ * domains the web Google popup needs. Best-effort: returns { ok, error } and
+ * never throws.
+ *
+ * @param {string} projectId
+ * @returns {{ ok: boolean, added?: string[], error?: string }}
+ */
+async function authorizeLocalhostForProject(projectId) {
+  let token;
+  try {
+    token = await getAccessToken();
+  } catch (_) {
+    return { ok: false, error: 'Could not get access token' };
+  }
+  return ensureLocalhostAuthorizedDomains(projectId, token);
+}
 /**
  * Initialize Firebase Auth (Identity Platform) for a project. Brand-new projects
  * have no auth config, so any Admin v2 operation (PATCH /config, or the Firebase
@@ -1277,6 +1298,7 @@ module.exports = {
   enableAuthProviders,
   ensureFirebaseAuthInitialized,
   ensureLocalhostAuthorizedDomains,
+  authorizeLocalhostForProject,
   listBillingAccounts,
   listGcpOrganizations,
   checkGcloudAuth,

package/lib/scaffold/backends/supabase/deploy.js CHANGED Viewed

@@ -363,6 +363,11 @@ async function enableGoogleSignIn(projectRef, webClientId, clientSecret) {
     external_google_client_id: webClientId,
     external_google_secret: clientSecret,
     external_google_skip_nonce_check: true,
+    // Allow the web app's dev origin as a redirect target so the web OAuth flow
+    // (signInWithOAuth redirectTo) and email links (recovery/confirm) land back on
+    // the app. http://localhost:5555 is the port `kasy run --web` uses. Add your
+    // production web origin here when you deploy to the web.
+    uri_allow_list: 'http://localhost:5555,http://localhost:5555/**',
   });
   if (!result.ok) return { ok: false, error: result.error };
   if (result.data.external_google_enabled === true) return { ok: true };

package/lib/scaffold/backends/supabase/edge-functions/send-push-notification/README.md CHANGED Viewed

@@ -1,35 +1,39 @@
 # send-push-notification
-Edge Function que envia push notifications via Firebase Cloud Messaging (FCM) quando uma notificação é inserida na tabela `notifications`.
+Edge Function que envia push notifications via Firebase Cloud Messaging (FCM)
+quando uma notificação é inserida na tabela `notifications`.
-## Setup (1x por projeto)
+## Tudo isto é automático
-### 1. Configurar secrets no Supabase
+O `kasy new` e o `kasy deploy` já deixam o push funcionando no Supabase, sem passo
+manual:
-```bash
-supabase secrets set FIREBASE_PROJECT_ID=your-firebase-project-id
-supabase secrets set FIREBASE_SERVICE_ACCOUNT_JSON='{"type":"service_account","project_id":"..."}'
-```
+- **Secrets** `FIREBASE_PROJECT_ID` e `FIREBASE_SERVICE_ACCOUNT_JSON` são definidos
+  automaticamente (a chave de Service Account é gerada pela CLI).
+- **A chamada automática** da função quando uma notificação é inserida vem de um
+  **trigger no banco** (`pg_net`), criado pela migration
+  `20240101000006_notification_webhook.sql`. **Não é** um Database Webhook do painel.
+- O trigger só dispara quando `notify_user IS DISTINCT FROM false` (ex.: a notificação
+  de boas-vindas usa `notify_user = false` porque o usuário já está dentro do app).
+> ⚠️ **Não crie um Database Webhook no painel** apontando para esta função. O trigger
+> `pg_net` já faz isso; um webhook duplicado faria o push **disparar duas vezes**.
-O JSON do service account: Firebase Console → Project Settings → Service Accounts → **Generate new private key**.
+## Fallback manual (só se a automação falhar)
-### 2. Deploy da Edge Function
+Se por algum motivo os secrets não tiverem sido definidos, rode:
 ```bash
+supabase secrets set FIREBASE_PROJECT_ID=your-firebase-project-id
+supabase secrets set FIREBASE_SERVICE_ACCOUNT_JSON='{"type":"service_account","project_id":"..."}'
 supabase functions deploy send-push-notification --project-ref YOUR_PROJECT_REF
 ```
-### 3. Configurar Database Webhook
-No Supabase Dashboard → **Database → Webhooks → Create webhook**:
-| Campo | Valor |
-|-------|-------|
-| Name | `on_notification_inserted` |
-| Table | `notifications` |
-| Events | `INSERT` |
-| Method | POST |
-| URL | `https://YOUR_PROJECT_REF.supabase.co/functions/v1/send-push-notification` |
-| Headers | `Authorization: Bearer YOUR_SUPABASE_ANON_KEY` |
+O JSON do service account: Firebase Console → Project Settings → Service Accounts →
+**Generate new private key**.
-Sem este webhook, a edge function não é chamada automaticamente.
+Se preferir o trigger via painel em vez do `pg_net` (não recomendado, e nunca os dois
+ao mesmo tempo), use Database → Webhooks → Create webhook na tabela `notifications`,
+evento `INSERT`, POST para
+`https://YOUR_PROJECT_REF.supabase.co/functions/v1/send-push-notification`,
+header `Authorization: Bearer YOUR_SUPABASE_ANON_KEY`.

package/lib/scaffold/backends/supabase/edge-functions/send-push-notification/index.ts CHANGED Viewed

@@ -1,22 +1,19 @@
 /**
  * Supabase Edge Function: Send Push Notification via FCM
  *
- * Triggered by a Supabase Database Webhook when a row is inserted
- * into the `notifications` table. Reads device FCM tokens for the
- * target user and sends a push notification via Firebase Cloud Messaging
- * HTTP v1 API.
+ * Triggered automatically by a database trigger (pg_net) when a row is inserted
+ * into the `notifications` table with notify_user != false (migration
+ * 20240101000006_notification_webhook.sql) — NOT by a Dashboard Database Webhook.
+ * Reads device FCM tokens for the target user and sends a push notification via
+ * Firebase Cloud Messaging HTTP v1 API.
  *
- * Secrets required (set via `supabase secrets set`):
+ * Secrets (set automatically by `kasy new` / `kasy deploy`):
  *   - FIREBASE_PROJECT_ID: Your Firebase project ID (e.g. my-app-12345)
  *   - FIREBASE_SERVICE_ACCOUNT_JSON: Full JSON of your Firebase service account key
  *       (Firebase Console → Project Settings → Service Accounts → Generate new private key)
  *
- * Database Webhook setup (Supabase Dashboard → Database → Webhooks):
- *   - Table: notifications
- *   - Event: INSERT
- *   - Method: POST
- *   - URL: https://<PROJECT_REF>.supabase.co/functions/v1/send-push-notification
- *   - HTTP Headers: Authorization: Bearer <SUPABASE_ANON_KEY>
+ * Do NOT also create a Dashboard Database Webhook for this function — the pg_net
+ * trigger already calls it; a second webhook would double-fire push. See README.md.
  *
  * @see https://firebase.google.com/docs/cloud-messaging/send-message
  */

package/lib/scaffold/backends/supabase/edge-functions/stripe-create-checkout-session/index.ts CHANGED Viewed

@@ -97,7 +97,7 @@ Deno.serve(async (req: Request) => {
   }
   const uid = user.id;
-  let body: { priceId?: string; successUrl?: string; cancelUrl?: string; locale?: string };
+  let body: { priceId?: string; successUrl?: string; cancelUrl?: string; locale?: string; allowPromoCodes?: boolean };
   try {
     body = await req.json();
   } catch {
@@ -110,6 +110,7 @@ Deno.serve(async (req: Request) => {
   const successUrl = body.successUrl ?? "";
   const cancelUrl = body.cancelUrl ?? successUrl;
   const locale = body.locale?.substring(0, 2).toLowerCase();
+  const allowPromoCodes = body.allowPromoCodes === true;
   try {
     const stripe = new Stripe(secretKey);
@@ -136,6 +137,7 @@ Deno.serve(async (req: Request) => {
         metadata: { supabaseUID: uid },
         ...(trialDays ? { trial_period_days: trialDays } : {}),
       },
+      ...(allowPromoCodes ? { allow_promotion_codes: true } : {}),
     });
     return Response.json({ url: session.url }, { headers: corsHeaders });
   } catch (err) {

package/lib/scaffold/backends/supabase/edge-functions/stripe-create-portal-session/index.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 /**
  * Supabase Edge Function: Stripe — Create Customer Portal Session
  *
- * Creates a Stripe Customer Portal session (manage / cancel) for the
- * authenticated user and returns its URL. The user is identified by the
+ * Creates a Stripe Customer Portal session (manage / cancel / switch plan) for
+ * the authenticated user and returns its URL. The user is identified by the
  * verified JWT and the Stripe customer is looked up server-side.
  *
  * Deployed WITHOUT the platform JWT gate (verify_jwt = false in config.toml) so the
@@ -13,7 +13,10 @@
  *   - STRIPE_SECRET_KEY
  *   - SUPABASE_URL / SUPABASE_ANON_KEY / SUPABASE_SERVICE_ROLE_KEY (auto-provided)
  *
- * Body: { returnUrl?: string }
+ * Optional env var:
+ *   - STRIPE_PRODUCT_ID: narrows plan-switching to a single product's prices.
+ *
+ * Body: { returnUrl?: string, planSwitching?: boolean }
  */
 import Stripe from "npm:stripe@18";
@@ -39,6 +42,52 @@ async function getUid(req: Request, supabaseUrl: string, anonKey: string): Promi
   return user.id;
 }
+// Creates (once) a Customer Portal configuration with subscription_update
+// (plan switching) enabled, then reuses it on every subsequent call.
+// Uses the Stripe list API to find an existing config — no extra DB table needed.
+// deno-lint-ignore no-explicit-any
+async function getOrCreatePortalConfig(stripe: Stripe): Promise<string | undefined> {
+  // Reuse an existing active config with plan switching already enabled
+  const configs = await stripe.billingPortal.configurations.list({ active: true, limit: 20 });
+  // deno-lint-ignore no-explicit-any
+  const existing = configs.data.find((c: any) => c.features?.subscription_update?.enabled);
+  if (existing) return existing.id;
+  // Build the price list grouped by product so Stripe knows what to switch between
+  const productId = Deno.env.get("STRIPE_PRODUCT_ID") ?? "";
+  // deno-lint-ignore no-explicit-any
+  const priceListParams: any = { active: true, type: "recurring", limit: 100 };
+  if (productId) priceListParams.product = productId;
+  const { data: prices } = await stripe.prices.list(priceListParams);
+  if (prices.length === 0) return undefined;
+  const byProduct: Record<string, string[]> = {};
+  for (const p of prices) {
+    // deno-lint-ignore no-explicit-any
+    const pid = typeof p.product === "string" ? p.product : (p.product as any).id;
+    if (!byProduct[pid]) byProduct[pid] = [];
+    byProduct[pid].push(p.id);
+  }
+  const products = Object.entries(byProduct).map(([prod, priceIds]) => ({
+    product: prod,
+    prices: priceIds,
+  }));
+  const config = await stripe.billingPortal.configurations.create({
+    features: {
+      subscription_update: {
+        enabled: true,
+        default_allowed_updates: ["price"],
+        products,
+      },
+      subscription_cancel: { enabled: true, mode: "at_period_end" },
+      payment_method_update: { enabled: true },
+    },
+  });
+  return config.id;
+}
 Deno.serve(async (req: Request) => {
   if (req.method === "OPTIONS") {
     return new Response(null, { status: 204, headers: corsHeaders });
@@ -61,9 +110,11 @@ Deno.serve(async (req: Request) => {
   }
   let returnUrl = "";
+  let planSwitching = false;
   try {
     const body = await req.json();
     returnUrl = (body?.returnUrl as string | undefined) ?? "";
+    planSwitching = body?.planSwitching === true;
   } catch {
     // body is optional
   }
@@ -84,9 +135,15 @@ Deno.serve(async (req: Request) => {
     }
     const stripe = new Stripe(secretKey);
+    // When plan switching is requested, resolve (or create) a portal configuration
+    // with subscription_update enabled — no manual Stripe dashboard setup needed.
+    const configId = planSwitching ? await getOrCreatePortalConfig(stripe) : undefined;
     const session = await stripe.billingPortal.sessions.create({
       customer: customerId,
       return_url: returnUrl,
+      ...(configId ? { configuration: configId } : {}),
     });
     return Response.json({ url: session.url }, { headers: corsHeaders });
   } catch (err) {