kasy-cli 1.31.13 → 1.32.0

package/lib/scaffold/backends/supabase/patch/lib/features/authentication/api/authentication_api.dart

@@ -1,5 +1,6 @@
 import 'dart:convert';
 import 'package:crypto/crypto.dart';
+import 'package:firebase_auth/firebase_auth.dart' as fb_auth;
 import 'package:flutter/foundation.dart' show kIsWeb;
 import 'package:flutter/services.dart' show PlatformException;
 import 'package:flutter_facebook_auth/flutter_facebook_auth.dart';
@@ -149,6 +150,13 @@ Note: wait a minute after enabling anonymous sign-in before trying again. It tak
 
   @override
   Future<Credentials> signinWithApple() async {
+    // Apple on web needs a paid Apple Service ID + secret (not configured here);
+    // getAppleIDCredential force-unwraps webAuthenticationOptions and crashes on
+    // web. The UI hides the Apple button on web; guard here too so a programmatic
+    // call fails with a clear error instead of a null-check crash.
+    if (kIsWeb) {
+      throw ApiError(code: 501, message: 'Apple sign-in on web is not supported.');
+    }
     final rawNonce = client.auth.generateRawNonce();
     final hashedNonce = sha256.convert(utf8.encode(rawNonce)).toString();
 
@@ -212,16 +220,16 @@ Note: wait a minute after enabling anonymous sign-in before trying again. It tak
   @override
   Future<Credentials> signinWithGoogle() async {
     if (kIsWeb) {
-      // google_sign_in's imperative authenticate() is UNSUPPORTED on web (the v7
-      // web plugin throws UnimplementedError). Use Supabase's OAuth redirect flow:
-      // it sends the user to Google and back; the session arrives on return and is
-      // picked up by the auth state listener. Requires your web origin in Supabase
-      // Auth -> URL Configuration (Site URL / Redirect URLs).
-      await client.auth.signInWithOAuth(
-        OAuthProvider.google,
-        redirectTo: Uri.base.origin,
+      // google_sign_in v7 can't do imperative auth on web. Get the Google ID token
+      // via Firebase's popup (zero manual config — reuses the Firebase web OAuth
+      // client + authorized domains, which the kit already sets up) and sign into
+      // Supabase with it. Supabase remains the auth backend.
+      final idToken = await _googleIdTokenFromWebPopup();
+      final res = await client.auth.signInWithIdToken(
+        provider: OAuthProvider.google,
+        idToken: idToken,
       );
-      return Credentials(id: '', token: '');
+      return Credentials(id: res.user!.id, token: res.session?.accessToken ?? '');
     }
     final googleSignIn = GoogleSignIn.instance;
     // Web: clientId = Web Client ID (no serverClientId needed)
@@ -264,6 +272,33 @@ Note: wait a minute after enabling anonymous sign-in before trying again. It tak
     
   }
 
+  /// Web only: obtains a Google ID token via Firebase's popup. google_sign_in v7
+  /// can't do imperative auth on the web, but the kit already initializes Firebase
+  /// (for FCM), so we reuse Firebase's working web OAuth client to get the token,
+  /// then sign into Supabase with it — no Supabase callback / Google console step
+  /// needed. The token's audience is the Firebase web client ID, which is the same
+  /// one configured as Supabase's Google provider, so signInWithIdToken accepts it.
+  Future<String> _googleIdTokenFromWebPopup() async {
+    try {
+      final cred = await fb_auth.FirebaseAuth.instance.signInWithPopup(
+        fb_auth.GoogleAuthProvider(),
+      );
+      final idToken = (cred.credential as fb_auth.OAuthCredential?)?.idToken;
+      if (idToken == null) {
+        throw ApiError(code: 401, message: 'No Google ID token from Firebase popup.');
+      }
+      return idToken;
+    } on fb_auth.FirebaseAuthException catch (e) {
+      if (e.code == 'popup-closed-by-user' ||
+          e.code == 'cancelled-popup-request' ||
+          e.code == 'web-context-cancelled' ||
+          e.code == 'user-cancelled') {
+        throw const UserCancelledSignInException();
+      }
+      rethrow;
+    }
+  }
+
   @override
   Future<Credentials> signinWithGooglePlay() {
     // Google Play Games sign-in is not supported for Supabase backend.
@@ -281,6 +316,11 @@ Note: wait a minute after enabling anonymous sign-in before trying again. It tak
   
   @override
   Future<Credentials> signupFromAnonymousWithApple() async {
+    // See signinWithApple: Apple on web is unsupported here; the UI hides the button
+    // on web, and this guard prevents a null-check crash on a programmatic call.
+    if (kIsWeb) {
+      throw ApiError(code: 501, message: 'Apple sign-in on web is not supported.');
+    }
     final rawNonce = client.auth.generateRawNonce();
     final hashedNonce = sha256.convert(utf8.encode(rawNonce)).toString();
 
@@ -323,14 +363,26 @@ Note: wait a minute after enabling anonymous sign-in before trying again. It tak
   @override
   Future<Credentials> signupFromAnonymousWithGoogle() async {
     if (kIsWeb) {
-      // Imperative GoogleSignIn.authenticate() is UNSUPPORTED on web. Use Supabase's
-      // OAuth redirect; the session arrives on return via the auth listener. (On web
-      // this signs in with Google instead of linking the anonymous user.)
-      await client.auth.signInWithOAuth(
-        OAuthProvider.google,
-        redirectTo: Uri.base.origin,
-      );
-      return Credentials(id: '', token: '');
+      // Web: get the Google ID token via Firebase's popup (see signinWithGoogle) and
+      // link it to the current anonymous Supabase user.
+      final idToken = await _googleIdTokenFromWebPopup();
+      try {
+        final response = await client.auth.linkIdentityWithIdToken(
+          provider: OAuthProvider.google,
+          idToken: idToken,
+        );
+        return Credentials(id: response.user!.id, token: response.session?.accessToken ?? '');
+      } on AuthException catch (e) {
+        if (e.code == 'identity_already_exists') {
+          await _deleteCurrentAnonymousUser();
+          final res = await client.auth.signInWithIdToken(
+            provider: OAuthProvider.google,
+            idToken: idToken,
+          );
+          return Credentials(id: res.user!.id, token: res.session?.accessToken ?? '');
+        }
+        rethrow;
+      }
     }
     final scopes = ['email'];
     final googleSignIn = GoogleSignIn.instance;

package/lib/scaffold/backends/supabase/patch/lib/features/subscriptions/api/stripe_backend_api.dart

@@ -30,6 +30,7 @@ class StripeBackendApi {
     String? successUrl,
     String? cancelUrl,
     String? locale,
+    bool? allowPromoCodes,
   }) async {
     final res = await _client.functions.invoke(
       'stripe-create-checkout-session',
@@ -38,16 +39,25 @@ class StripeBackendApi {
         if (successUrl != null) 'successUrl': successUrl,
         if (cancelUrl != null) 'cancelUrl': cancelUrl,
         if (locale != null) 'locale': locale,
+        if (allowPromoCodes != null) 'allowPromoCodes': allowPromoCodes,
       },
     );
     return (res.data as Map)['url'] as String;
   }
 
   /// Create a Customer Portal session (manage / cancel) and return its URL.
-  Future<String> createPortalSession({String? returnUrl}) async {
+  /// Pass [planSwitching] = true to auto-configure the portal with
+  /// upgrade/downgrade support (no manual Stripe dashboard setup needed).
+  Future<String> createPortalSession({
+    String? returnUrl,
+    bool? planSwitching,
+  }) async {
     final res = await _client.functions.invoke(
       'stripe-create-portal-session',
-      body: {if (returnUrl != null) 'returnUrl': returnUrl},
+      body: {
+        if (returnUrl != null) 'returnUrl': returnUrl,
+        if (planSwitching != null) 'planSwitching': planSwitching,
+      },
     );
     return (res.data as Map)['url'] as String;
   }

package/lib/scaffold/backends/supabase/pubspec.yaml.tpl

@@ -25,6 +25,12 @@ dependencies:
   dio: ^5.9.2
   facebook_app_events: ^0.24.0
   firebase_app_installations: ^0.4.0+7
+  # Web-only Google sign-in: on web, google_sign_in v7 can't do imperative auth, so we
+  # get the Google ID token via Firebase's popup (zero manual config, reuses the
+  # Firebase web client + authorized domains) and hand it to Supabase signInWithIdToken.
+  # Supabase stays the auth backend; mobile keeps the native google_sign_in flow.
+  # Kept before firebase_core so the deps stay alphabetical (sort_pub_dependencies).
+  firebase_auth: ^6.1.4
   firebase_core: ^4.5.0
   firebase_messaging: ^16.1.2
   firebase_remote_config: ^6.2.0

package/lib/scaffold/generate.js

@@ -219,7 +219,7 @@ async function generateProject(targetDir, backend, options, hooks = {}) {
     await writeVsCodeLaunch(targetDir, appName, backend, modules, answers, language);
     await writeEnvExample(targetDir, modules, answers, language);
     await writeEnvFileIfMissing(targetDir);
-    await writeFeaturesConfig(targetDir, modules, answers, language);
+    await writeFeaturesConfig(targetDir, modules, answers, language, backend);
     await writeRouter(targetDir, modules, packageName, moduleAnswers.defaultPaywall || 'basic');
     await writeMakefile(targetDir, language, backend, modules, answers);
     await writeKitSetup(targetDir, {

package/lib/scaffold/shared/generator-utils.js

@@ -616,7 +616,7 @@ async function writeRouter(projectDir, modules, packageName, defaultPaywall = 'b
  * @param {object} [answers={}] - moduleAnswers (rcTestKey, stripe keys, etc.)
  * @param {string} [language='en'] - User's CLI language (en, pt, es)
  */
-async function writeFeaturesConfig(projectDir, modules, answers = {}, language = 'en') {
+async function writeFeaturesConfig(projectDir, modules, answers = {}, language = 'en', backend = 'firebase') {
   const withOnboarding = modules.includes('onboarding');
   const withAiChat   = modules.includes('ai_chat');
   const withFeedback            = modules.includes('feedback');
@@ -624,6 +624,10 @@ async function writeFeaturesConfig(projectDir, modules, answers = {}, language =
   const withStripe              = modules.includes('stripe');
   const withLocalReminders  = modules.includes('local_reminders');
   const withWeb                 = modules.includes('web');
+  // Apple sign-in on web only works on Firebase (signInWithPopup). Supabase/API
+  // throw on web (no Service ID + token exchange), so they must ship this false
+  // and hide the Apple button on web. Native always shows it.
+  const withAppleWebSignin = backend === 'firebase';
 
   const f = getStrings(language).features;
   const content = `${f.comment1}
@@ -635,7 +639,14 @@ const bool withFeedback            = ${withFeedback};
 const bool withRevenuecat          = ${withRevenuecat};
 // Stripe web subscriptions module (independent from RevenueCat mobile IAP).
 const bool withStripe              = ${withStripe};
+// When true, Stripe Checkout shows a promo-code / coupon field.
+const bool withStripePromoCodes = true;
+// When true, the Stripe Customer Portal lets subscribers switch plans (upgrade / downgrade).
+const bool withStripePlanSwitching = true;
 const bool withLocalReminders  = ${withLocalReminders};
+// Apple sign-in on web: Firebase supports it (signInWithPopup); Supabase/API throw
+// on web, so they ship false. Native always shows the Apple button.
+const bool withAppleWebSignin = ${withAppleWebSignin};
 ${f.comment3}
 ${f.comment4}
 ${f.comment5}
@@ -1347,10 +1358,18 @@ async function removeFacebookSigninFromAuthPages(projectDir) {
   for (const p of pages) {
     if (!(await fs.pathExists(p))) continue;
     let content = await fs.readFile(p, 'utf8');
-    // Remove import line
+    // Legacy: remove the standalone FacebookSigninComponent + its import, if present.
     content = content.replace(/^import 'package:[^']+\/features\/authentication\/ui\/components\/facebook_signin\.dart';\n/m, '');
-    // Remove component line (any leading whitespace)
     content = content.replace(/[ \t]*const FacebookSigninComponent\(\),\n/g, '');
+    // Current UI: the Facebook button is an inline _SocialSigninTile/_SocialSignupTile
+    // in the social row (label: t.auth.signin.facebook ... signinWithFacebook()). Strip
+    // the whole tile plus the SizedBox spacer that precedes it, anchored on the facebook
+    // label so the Google/Apple tiles are never touched. Runs before dartFix/format, so
+    // it matches the kit's raw formatting verbatim.
+    content = content.replace(
+      /\n[ \t]*const SizedBox\(width: KasySpacing\.sm\),\n[ \t]*Expanded\(\n[ \t]*child: _Social(?:Signin|Signup)Tile\(\n[ \t]*label: t\.auth\.signin\.facebook,[\s\S]*?\.signinWithFacebook\(\),\n[ \t]*\),\n[ \t]*\),/,
+      '',
+    );
     await fs.writeFile(p, content, 'utf8');
   }
 }

package/lib/utils/i18n/messages-en.js

@@ -740,6 +740,7 @@ module.exports = {
     'new.success.featuresInstalled': 'Features enabled:',
     'new.success.bundleId': 'App identifier (bundle ID)',
     'new.success.bundleId.hint': "Your app's unique identifier on Android, iOS and Firebase (push).",
+    'new.success.api.serverContracts': 'API backend: you must implement the server contracts (delete account, AI chat and push). See patch/README.md',
     'new.success.nextSteps': 'Next steps:',
     'new.success.step.cd': 'Go to your project folder:',
     'new.success.step.deploy': 'Push the server to Firebase (DB + functions):',
@@ -754,6 +755,7 @@ module.exports = {
     'new.google.manualHint': 'Google Sign-In: enable manually in the Console (Google provider):',
     'new.google.manualHint.noEmail': 'Google Sign-In: could not detect a support email (gcloud has no account). Enable manually in the Console:',
     'new.google.supabaseManual': 'Google Sign-In: client created, but the secret was not available yet. Enable it later in the Supabase dashboard (Authentication > Providers > Google).',
+    'new.google.localhostDomainWarn': 'Google sign-in on web: could not authorize localhost in the Firebase authorized domains automatically. If the Google popup fails with "unauthorized-domain", add localhost in Firebase Console > Authentication > Settings > Authorized domains.',
     'new.fcm.ok': 'generated automatically',
     'new.fcm.failSupabase': 'not generated (GCP permission still propagating); set FIREBASE_SERVICE_ACCOUNT_JSON in your Supabase secrets',
     'new.fcm.failApi': 'not generated (GCP permission still propagating); run the command again in a few minutes',

package/lib/utils/i18n/messages-es.js

@@ -740,6 +740,7 @@ module.exports = {
     'new.success.featuresInstalled': 'Recursos activados:',
     'new.success.bundleId': 'Identificador de la app (bundle ID)',
     'new.success.bundleId.hint': 'Identificador único de tu app en Android, iOS y Firebase (push).',
+    'new.success.api.serverContracts': 'Backend API: debes implementar los contratos del servidor (eliminar cuenta, IA chat y push). Consulta patch/README.md',
     'new.success.nextSteps': 'Próximos pasos:',
     'new.success.step.cd': 'Ve a la carpeta del proyecto:',
     'new.success.step.deploy': 'Sube el servidor a Firebase (DB + funciones):',
@@ -754,6 +755,7 @@ module.exports = {
     'new.google.manualHint': 'Inicio de sesión con Google: actívalo manualmente en la consola (proveedor Google):',
     'new.google.manualHint.noEmail': 'Inicio de sesión con Google: no detecté un email de soporte (gcloud sin cuenta). Actívalo manualmente en la consola:',
     'new.google.supabaseManual': 'Inicio de sesión con Google: cliente creado, pero el secret aún no estaba disponible. Actívalo luego en el panel de Supabase (Authentication > Providers > Google).',
+    'new.google.localhostDomainWarn': 'Inicio de sesión con Google en web: no se pudo autorizar localhost en los dominios de Firebase automáticamente. Si el popup de Google falla con "unauthorized-domain", agrega localhost en Firebase Console > Authentication > Settings > Authorized domains.',
     'new.fcm.ok': 'generada automáticamente',
     'new.fcm.failSupabase': 'no generada (permiso de GCP aún propagando); define FIREBASE_SERVICE_ACCOUNT_JSON en los secrets de Supabase',
     'new.fcm.failApi': 'no generada (permiso de GCP aún propagando); ejecuta el comando de nuevo en unos minutos',

package/lib/utils/i18n/messages-pt.js

@@ -740,6 +740,7 @@ module.exports = {
     'new.success.featuresInstalled': 'Recursos ativados:',
     'new.success.bundleId': 'Identificador do app (bundle ID)',
     'new.success.bundleId.hint': 'Identificador único do seu app no Android, iOS e Firebase (push).',
+    'new.success.api.serverContracts': 'Backend API: você precisa implementar os contratos do servidor (excluir conta, IA chat e push). Veja patch/README.md',
     'new.success.nextSteps': 'Próximos passos:',
     'new.success.step.cd': 'Entre na pasta do projeto:',
     'new.success.step.deploy': 'Suba o servidor pro Firebase (banco + funções):',
@@ -754,6 +755,7 @@ module.exports = {
     'new.google.manualHint': 'Login com Google: ative manualmente no Console (provedor Google):',
     'new.google.manualHint.noEmail': 'Login com Google: não consegui detectar um e-mail de suporte (gcloud sem conta). Ative manualmente no Console:',
     'new.google.supabaseManual': 'Login com Google: client criado, mas o secret ainda não estava disponível. Ative depois no painel do Supabase (Authentication > Providers > Google).',
+    'new.google.localhostDomainWarn': 'Login com Google na web: não consegui autorizar o localhost nos domínios do Firebase automaticamente. Se o popup do Google falhar com "unauthorized-domain", adicione localhost em Firebase Console > Authentication > Settings > Authorized domains.',
     'new.fcm.ok': 'gerada automaticamente',
     'new.fcm.failSupabase': 'não gerada (permissão do GCP ainda propagando); defina FIREBASE_SERVICE_ACCOUNT_JSON nos secrets do Supabase',
     'new.fcm.failApi': 'não gerada (permissão do GCP ainda propagando); rode o comando de novo em alguns minutos',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.31.13",
+  "version": "1.32.0",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"
@@ -31,7 +31,7 @@
     "access": "public"
   },
   "scripts": {
-    "prepack": "node scripts/check-feature-patches.js && node scripts/bundle-template.js && node test/generated-matches-kit.test.js && node test/supabase-verify-jwt.test.js && node test/supabase-cors.test.js && node test/supabase-google-web.test.js && node test/backend-pubspec-local-reminders.test.js",
+    "prepack": "node scripts/check-feature-patches.js && node scripts/bundle-template.js && node test/generated-matches-kit.test.js && node test/supabase-verify-jwt.test.js && node test/supabase-cors.test.js && node test/supabase-google-web.test.js && node test/backend-pubspec-local-reminders.test.js && node test/stripe-webhook-orphan-guard.test.js && node test/facebook-strip.test.js && node test/path-provider-pin.test.js && node test/features-flags-parity.test.js",
     "start": "node ./bin/kasy.js",
     "setup": "node ./bin/kasy.js setup",
     "doctor": "node ./bin/kasy.js doctor",

package/templates/firebase/docs/auth-setup.en.md

@@ -69,7 +69,13 @@ Requires an [Apple Developer](https://developer.apple.com) account (paid).
 1. Open `ios/Runner.xcworkspace` in Xcode
 2. Target **Runner** → **Signing & Capabilities** → **+ Capability** → add **Sign In with Apple**
 
-> **Android and Web**: no additional setup needed. The Firebase SDK handles the flow on Android. For Web, the Services ID (Step 3) already covers the redirect flow via `firebaseapp.com`.
+> **iOS / macOS**: the Apple button shows automatically once the steps above are done.
+>
+> **Android**: the Apple button is hidden by design (it needs the paid Services ID web flow and adds little on Android for a SaaS). Leave it hidden.
+>
+> **Web (Firebase)**: works after Steps 1-4 above (`withAppleWebSignin` already ships `true`). The Services ID Return URL (`firebaseapp.com/__/auth/handler`) covers the popup flow.
+>
+> **Web (Supabase)**: the CLI ships `withAppleWebSignin = false` (native iOS works; web needs more). To enable it: in Supabase → Authentication → Providers → Apple, add the **client secret** (a JWT signed with your `.p8` key + Services ID), then set `withAppleWebSignin = true` in `lib/core/config/features.dart`.
 
 ---
 

package/templates/firebase/docs/auth-setup.es.md

@@ -69,7 +69,13 @@ Requiere cuenta de [Apple Developer](https://developer.apple.com) (de pago).
 1. Abre `ios/Runner.xcworkspace` en Xcode
 2. Target **Runner** → **Signing & Capabilities** → **+ Capability** → agrega **Sign In with Apple**
 
-> **Android y Web**: no se necesita configuración adicional. El SDK de Firebase gestiona el flujo en Android. Para Web, el Services ID (Paso 3) ya cubre el flujo de redirect vía `firebaseapp.com`.
+> **iOS / macOS**: el botón Apple aparece automáticamente tras los pasos anteriores.
+>
+> **Android**: el botón Apple queda oculto por defecto (necesita el flujo del Services ID de pago y aporta poco en Android para un SaaS). Déjalo oculto.
+>
+> **Web (Firebase)**: funciona tras los Pasos 1 a 4 anteriores (`withAppleWebSignin` ya viene `true`). La Return URL del Services ID (`firebaseapp.com/__/auth/handler`) cubre el flujo de popup.
+>
+> **Web (Supabase)**: la CLI genera `withAppleWebSignin = false` (iOS nativo funciona; la web necesita más). Para habilitar: en Supabase → Authentication → Providers → Apple, agrega el **client secret** (un JWT firmado con la clave `.p8` + Services ID) y luego define `withAppleWebSignin = true` en `lib/core/config/features.dart`.
 
 ---
 

package/templates/firebase/docs/auth-setup.pt.md

@@ -69,7 +69,13 @@ Requer conta [Apple Developer](https://developer.apple.com) (paga).
 1. Abra `ios/Runner.xcworkspace` no Xcode
 2. Target **Runner** → **Signing & Capabilities** → **+ Capability** → adicione **Sign In with Apple**
 
-> **Android e Web**: não precisam de configuração adicional. O Firebase SDK gerencia o fluxo no Android. Para Web, o Services ID (Passo 3) já cobre o fluxo de redirect via `firebaseapp.com`.
+> **iOS / macOS**: o botão Apple aparece automaticamente depois dos passos acima.
+>
+> **Android**: o botão Apple fica escondido por padrão (exige o fluxo do Services ID pago e agrega pouco no Android para um SaaS). Deixe escondido.
+>
+> **Web (Firebase)**: funciona depois dos Passos 1 a 4 acima (`withAppleWebSignin` já vem `true`). A Return URL do Services ID (`firebaseapp.com/__/auth/handler`) cobre o fluxo de popup.
+>
+> **Web (Supabase)**: a CLI gera `withAppleWebSignin = false` (iOS nativo funciona; web precisa de mais). Para habilitar: em Supabase → Authentication → Providers → Apple, adicione o **client secret** (um JWT assinado com a chave `.p8` + Services ID) e depois defina `withAppleWebSignin = true` em `lib/core/config/features.dart`.
 
 ---
 

package/templates/firebase/functions/src/subscriptions/stripe_functions.ts

@@ -125,6 +125,8 @@ export const createCheckoutSession = onCall(
     const price = await stripe.prices.retrieve(priceId, {expand: ["product"]});
     const trialDays = trialDaysFor(price, price.product as Stripe.Product);
 
+    const allowPromoCodes = request.data?.allowPromoCodes as boolean | undefined;
+
     const session = await stripe.checkout.sessions.create({
       mode: "subscription",
       customer: customerId,
@@ -136,13 +138,70 @@ export const createCheckoutSession = onCall(
         metadata: {firebaseUID: uid},
         ...(trialDays ? {trial_period_days: trialDays} : {}),
       },
+      ...(allowPromoCodes ? {allow_promotion_codes: true} : {}),
     });
     return {url: session.url};
   },
 );
 
 // ---------------------------------------------------------------------------
-// createPortalSession — Stripe Customer Portal (manage / cancel).
+// getOrCreatePortalConfig — creates (once) a Customer Portal configuration
+// with subscription_update (plan switching) enabled and caches its ID in
+// Firestore so we don't recreate it on every portal open. Falls back to
+// undefined (default portal) if there are no prices to switch between.
+// ---------------------------------------------------------------------------
+async function getOrCreatePortalConfig(stripe: Stripe): Promise<string | undefined> {
+  const db = admin.firestore();
+  const configRef = db.doc("_config/stripe_portal");
+  const snap = await configRef.get();
+  const cachedId = snap.data()?.configId as string | undefined;
+  if (cachedId) {
+    try {
+      const cfg = await stripe.billingPortal.configurations.retrieve(cachedId);
+      if (cfg.active) return cachedId;
+    } catch {
+      // Cached config was deleted on Stripe — recreate below
+    }
+  }
+
+  // Build allowed-prices list grouped by product. STRIPE_PRODUCT_ID narrows the
+  // query to a single product; if it's not set we use all active recurring prices.
+  const productId = stripeProductId.value();
+  const priceParams: Stripe.PriceListParams = {active: true, type: "recurring", limit: 100};
+  if (productId) priceParams.product = productId;
+  const {data: prices} = await stripe.prices.list(priceParams);
+
+  if (prices.length === 0) return undefined;
+
+  const byProduct: Record<string, string[]> = {};
+  for (const p of prices) {
+    const pid = typeof p.product === "string" ? p.product : p.product.id;
+    if (!byProduct[pid]) byProduct[pid] = [];
+    byProduct[pid].push(p.id);
+  }
+  const products = Object.entries(byProduct).map(([prod, priceIds]) => ({
+    product: prod,
+    prices: priceIds,
+  }));
+
+  const config = await stripe.billingPortal.configurations.create({
+    features: {
+      subscription_update: {
+        enabled: true,
+        default_allowed_updates: ["price"],
+        products,
+      },
+      subscription_cancel: {enabled: true, mode: "at_period_end"},
+      payment_method_update: {enabled: true},
+    },
+  });
+
+  await configRef.set({configId: config.id}, {merge: true});
+  return config.id;
+}
+
+// ---------------------------------------------------------------------------
+// createPortalSession — Stripe Customer Portal (manage / cancel / switch plan).
 // ---------------------------------------------------------------------------
 export const createPortalSession = onCall(
   {secrets: [stripeSecretKey]},
@@ -150,6 +209,7 @@ export const createPortalSession = onCall(
     const uid = request.auth?.uid;
     if (!uid) throw new HttpsError("unauthenticated", "Sign in required");
     const returnUrl = (request.data?.returnUrl as string | undefined) ?? "";
+    const planSwitching = request.data?.planSwitching as boolean | undefined;
 
     const stripe = stripeClient();
     const snap = await admin
@@ -161,9 +221,16 @@ export const createPortalSession = onCall(
     if (!customerId) {
       throw new HttpsError("failed-precondition", "No Stripe customer for user");
     }
+
+    // When plan switching is requested, resolve (or create) a portal configuration
+    // that has subscription_update enabled. This removes the need for any manual
+    // setup in the Stripe dashboard.
+    const configId = planSwitching ? await getOrCreatePortalConfig(stripe) : undefined;
+
     const session = await stripe.billingPortal.sessions.create({
       customer: customerId,
       return_url: returnUrl,
+      ...(configId ? {configuration: configId} : {}),
     });
     return {url: session.url};
   },
@@ -189,11 +256,18 @@ async function upsertFromStripeSubscription(sub: Stripe.Subscription): Promise<v
     console.log("[stripe-webhook] subscription without firebaseUID metadata, skipping");
     return;
   }
+  // Skip if the user no longer exists. Deleting an account cancels the Stripe
+  // customer, which fires customer.subscription.deleted AFTER deleteUserAccount
+  // already removed subscriptions/{uid} — without this guard the webhook would
+  // re-create an orphan doc for a user that is gone. (The Supabase webhook does
+  // the same check.) The lookup also gives us the email to denormalize below.
+  const user = await usersRepository.getFromId(uid);
+  if (!user) {
+    console.log(`[stripe-webhook] user ${uid} not found (likely deleted), skipping`);
+    return;
+  }
   const now = Timestamp.now();
   const existing = await subscriptionsRepository.getFromUserId(uid);
-  // Denormalize the subscriber's email onto the Firestore subscription doc (see
-  // SubscriptionData.email) so a subscribers list reads it without a second hop.
-  const user = await usersRepository.getFromId(uid);
   // In Stripe API v18 the billing period lives on each subscription item.
   const item = sub.items.data[0];
   const priceId = item?.price?.id ?? "";
@@ -211,7 +285,7 @@ async function upsertFromStripeSubscription(sub: Stripe.Subscription): Promise<v
       expirationDate: expiration,
       store: Stores.STRIPE,
       productId: priceId,
-      email: user?.email,
+      email: user.email,
     },
     subscriptionsRepository,
   );

package/templates/firebase/lib/components/kasy_accordion.dart

@@ -366,7 +366,7 @@ class _TrailingChevron extends StatelessWidget {
         duration: const Duration(milliseconds: 200),
         child: Icon(
           KasyIcons.chevronDown,
-          size: 18.5,
+          size: KasyIconSize.md,
           color: context.colors.muted,
         ),
       );
@@ -376,7 +376,7 @@ class _TrailingChevron extends StatelessWidget {
       duration: const Duration(milliseconds: 200),
       child: Icon(
         KasyIcons.chevronRight,
-        size: 18.5,
+        size: KasyIconSize.md,
         color: context.colors.muted,
       ),
     );

package/templates/firebase/lib/components/kasy_alert.dart

@@ -232,7 +232,7 @@ class KasyAlertCircleButton extends StatelessWidget {
           height: 36,
           child: Icon(
             icon,
-            size: 19,
+            size: KasyIconSize.md,
             color: context.colors.onSurface.withValues(alpha: 0.58),
           ),
         ),

package/templates/firebase/lib/components/kasy_app_bar.dart

@@ -292,7 +292,7 @@ class KasyAppBar extends StatelessWidget {
       ),
       _ => KasyChromeOrbIconButton(
         icon: KasyIcons.arrowBackIos,
-        iconSize: 18,
+        iconSize: KasyIconSize.md,
         foregroundColor: orbFg,
         fillColor: orbFill,
         onPressed: handleBack,
@@ -404,7 +404,7 @@ class KasyAppBar extends StatelessWidget {
       case KasyAppBarStyle.subpage:
         return KasyChromeOrbIconButton(
           icon: isDark ? KasyIcons.lightMode : KasyIcons.darkMode,
-          iconSize: 20,
+          iconSize: KasyIconSize.lg,
           foregroundColor: iconFg,
           fillColor: orbFill,
           onPressed: () {
@@ -421,7 +421,7 @@ class KasyAppBar extends StatelessWidget {
         if (trailing != null) return trailing!;
         return KasyChromeOrbIconButton(
           icon: isDark ? KasyIcons.lightMode : KasyIcons.darkMode,
-          iconSize: 20,
+          iconSize: KasyIconSize.lg,
           foregroundColor: iconFg,
           fillColor: orbFill,
           onPressed: () {

package/templates/firebase/lib/components/kasy_bottom_sheet.dart

@@ -298,7 +298,7 @@ class _IconBubble extends StatelessWidget {
       width: 72,
       height: 72,
       decoration: BoxDecoration(color: p.background, shape: BoxShape.circle),
-      child: Icon(icon, size: 30, color: p.foreground),
+      child: Icon(icon, size: KasyIconSize.xxl, color: p.foreground),
     );
   }
 

package/templates/firebase/lib/components/kasy_button.dart

@@ -417,17 +417,17 @@ class KasyButton extends StatelessWidget {
         iconOnlyExtent: 40,
         horizontalPadding: EdgeInsets.symmetric(horizontal: 16),
         labelFontSize: 13,
-        iconSize: 16,
-        iconOnlyGlyphSize: 12,
+        iconSize: KasyIconSize.sm,
+        iconOnlyGlyphSize: KasyIconSize.xxs,
         loadingSpinnerExtent: 13,
       ),
       KasyButtonSize.medium => const _KasyButtonMetrics(
-        height: 47,
-        iconOnlyExtent: 47,
+        height: 45,
+        iconOnlyExtent: 45,
         horizontalPadding: EdgeInsets.symmetric(horizontal: 18),
         labelFontSize: 14,
-        iconSize: 18,
-        iconOnlyGlyphSize: 14,
+        iconSize: KasyIconSize.md,
+        iconOnlyGlyphSize: KasyIconSize.xs,
         loadingSpinnerExtent: 14,
       ),
       KasyButtonSize.large => const _KasyButtonMetrics(
@@ -435,8 +435,8 @@ class KasyButton extends StatelessWidget {
         iconOnlyExtent: 54,
         horizontalPadding: EdgeInsets.symmetric(horizontal: 22),
         labelFontSize: 15,
-        iconSize: 19,
-        iconOnlyGlyphSize: 18,
+        iconSize: KasyIconSize.md,
+        iconOnlyGlyphSize: KasyIconSize.md,
         loadingSpinnerExtent: 15,
       ),
     };

package/templates/firebase/lib/components/kasy_chip.dart

@@ -36,7 +36,7 @@ class KasyChip extends StatelessWidget {
     final KasyColors c = context.colors;
     final Widget? avatar = icon == null
         ? null
-        : Icon(icon, size: 18, color: enabled ? c.primary : c.muted);
+        : Icon(icon, size: KasyIconSize.md, color: enabled ? c.primary : c.muted);
     final OutlinedBorder chipShape = RoundedRectangleBorder(
       borderRadius: BorderRadius.circular(KasyRadius.full),
       side: BorderSide(color: c.outline.withValues(alpha: 0.45)),