kasy-cli 1.31.2 → 1.31.4

package/lib/commands/check.js

@@ -186,7 +186,9 @@ async function runCheck(options = {}) {
       if (options.fix && firebaseProjectId) {
         const fixSpinner = ui.spinner();
         fixSpinner.start(t('check.fbSak.spin'));
-        const fcmResult = await createFcmServiceAccountKey(firebaseProjectId);
+        const fcmResult = await createFcmServiceAccountKey(firebaseProjectId, {
+          onProgress: (stage) => { if (stage === 'orgPolicy') fixSpinner.message(t('new.fcm.adjustingOrgPolicy')); },
+        });
         fixSpinner.stop(t('check.fbSak.spinDone'));
 
         if (fcmResult.ok) {

package/lib/commands/new.js

@@ -546,6 +546,10 @@ function printStepResult(step, lang = 'pt') {
   const detail = step.detail ? kleur.dim(` — ${step.detail.split('\n')[0]}`) : '';
   if (step.ok) {
     ui.log.success(`${label}${detail}`);
+  } else if (step.warn) {
+    // Non-fatal: something we deliberately deferred (e.g. pub get on a slow
+    // connection). Show it as a warning, not a scary red error.
+    ui.log.warn(`${label}${detail}`);
   } else {
     ui.log.error(`${label}${detail}`);
   }
@@ -1904,7 +1908,9 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
       if (answers.firebaseProjectId) {
         const fcmSpinner = ui.timedSpinner();
         fcmSpinner.start(tr('new.fcm.generating'));
-        const fcmResult = await createFcmServiceAccountKey(answers.firebaseProjectId);
+        const fcmResult = await createFcmServiceAccountKey(answers.firebaseProjectId, {
+          onProgress: (stage) => { if (stage === 'orgPolicy') fcmSpinner.message(tr('new.fcm.adjustingOrgPolicy')); },
+        });
         fcmSpinner.stop(tr('new.fcm.generating'));
         if (fcmResult.ok) {
           fcmServiceAccountJson = fcmResult.json;
@@ -1990,7 +1996,9 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
   if (backend === 'api' && answers.firebaseProjectId) {
     const fcmSpinner = ui.timedSpinner();
     fcmSpinner.start(tr('new.fcm.generating'));
-    const fcmResult = await createFcmServiceAccountKey(answers.firebaseProjectId);
+    const fcmResult = await createFcmServiceAccountKey(answers.firebaseProjectId, {
+      onProgress: (stage) => { if (stage === 'orgPolicy') fcmSpinner.message(tr('new.fcm.adjustingOrgPolicy')); },
+    });
     fcmSpinner.stop(tr('new.fcm.generating'));
     if (fcmResult.ok) {
       try {

package/lib/scaffold/generate.js

@@ -319,22 +319,40 @@ async function generateProject(targetDir, backend, options, hooks = {}) {
   // ── 2. Post-build comum ────────────────────────────────────────────────────
   onProgress('pub-get');
   const pubGetResult = await pubGet(targetDir);
-  steps.push({ name: 'pub-get', ok: pubGetResult.ok, detail: pubGetResult.ok ? null : pubGetResult.error });
-  if (!pubGetResult.ok) return { steps };
-
-  onProgress('slang');
-  const slangResult = await slangGenerate(targetDir);
-  steps.push({ name: 'slang', ok: slangResult.ok, detail: slangResult.ok ? null : slangResult.error });
-  if (!slangResult.ok) return { steps };
-
-  onProgress('build-runner');
-  const buildRunnerResult = await buildRunner(targetDir);
-  steps.push({
-    name: 'build-runner',
-    ok: buildRunnerResult.ok,
-    detail: buildRunnerResult.ok ? null : buildRunnerResult.error,
-  });
-  if (!buildRunnerResult.ok) return { steps };
+
+  // pub get is the prerequisite for the codegen steps (slang, build_runner): they
+  // run `dart run` inside the project and can't work without dependencies. If it
+  // didn't finish (a very slow/flaky Windows download, even after retries), DON'T
+  // abort the whole project — skip only the codegen steps and keep going, so
+  // flutterfire + backend config still complete. The user finishes with one
+  // `flutter pub get` later, which the IDE / `kasy run` does automatically. That
+  // turns a hard "Command failed" into a near-complete project plus one next step.
+  if (pubGetResult.ok) {
+    steps.push({ name: 'pub-get', ok: true });
+
+    onProgress('slang');
+    const slangResult = await slangGenerate(targetDir);
+    steps.push({ name: 'slang', ok: slangResult.ok, detail: slangResult.ok ? null : slangResult.error });
+    if (!slangResult.ok) return { steps };
+
+    onProgress('build-runner');
+    const buildRunnerResult = await buildRunner(targetDir);
+    steps.push({
+      name: 'build-runner',
+      ok: buildRunnerResult.ok,
+      detail: buildRunnerResult.ok ? null : buildRunnerResult.error,
+    });
+    if (!buildRunnerResult.ok) return { steps };
+  } else {
+    const deferredMsg = {
+      en: 'not downloaded yet (slow connection); open the project in VS Code to install',
+      pt: 'não baixou agora (conexão lenta); abra o projeto no VS Code que ele instala',
+      es: 'no se descargó ahora (conexión lenta); abre el proyecto en VS Code para instalar',
+    };
+    steps.push({ name: 'pub-get', ok: false, warn: true, detail: deferredMsg[language] || deferredMsg.en });
+    steps.push({ name: 'slang', skipped: true });
+    steps.push({ name: 'build-runner', skipped: true });
+  }
 
   onProgress('flutterfire');
   const ffResult = await flutterfireConfigure(targetDir, firebaseProjectId, { includeWeb });
@@ -391,7 +409,12 @@ async function generateProject(targetDir, backend, options, hooks = {}) {
   // `kasy new` without needing `kasy deploy` first. Fast (<30s), billing-free.
   // Without this the project gets Firebase's default deny-all rules, causing
   // every Firestore read to throw permission-denied and the app to log the user out.
-  if (firebaseProjectId) {
+  //
+  // FIREBASE BACKEND ONLY. Supabase/API projects do have a Firebase project, but
+  // ONLY for FCM push — there is no Firestore there, so deploying firestore:rules
+  // is incoherent (it targets a database that doesn't exist) and just hangs for
+  // minutes. The data layer for those backends is Supabase/the REST API.
+  if (backend === 'firebase' && firebaseProjectId) {
     onProgress('firestore-rules');
     const rulesResult = await deployFirestoreRules(targetDir, firebaseProjectId);
     steps.push({ name: 'firestore-rules', ok: rulesResult.ok, detail: rulesResult.ok ? null : rulesResult.error });

package/lib/scaffold/shared/fcm-service-account.js

@@ -110,6 +110,72 @@ async function allowServiceAccountKeyCreation(projectId) {
   return { ok: true };
 }
 
+/**
+ * True when a gcloud command failed because the account lacks the required IAM
+ * permission (as opposed to a transient/propagation error). Used to tell "you
+ * can't do this" apart from "try again in a moment".
+ */
+function isPermissionError(result) {
+  const blob = `${result.error || ''} ${result.stderr || ''}`;
+  return /PERMISSION_DENIED|does not have permission|Permission .*denied|\bforbidden\b|\b403\b/i.test(blob);
+}
+
+/**
+ * The active gcloud account as an IAM member string (e.g. "user:me@gmail.com").
+ * Service-account logins get the "serviceAccount:" prefix instead.
+ */
+async function getCurrentGcloudMember() {
+  const result = await run('gcloud config get-value account');
+  if (!result.ok) return null;
+  const email = (result.stdout || '').trim();
+  if (!email || email === '(unset)') return null;
+  const prefix = email.endsWith('.gserviceaccount.com') ? 'serviceAccount' : 'user';
+  return `${prefix}:${email}`;
+}
+
+/**
+ * The organization ID a project belongs to, or null if the project has no org
+ * (most personal Google accounts) — in which case there is no org policy to lift.
+ */
+async function getProjectOrganizationId(projectId) {
+  const result = await run(
+    `gcloud projects get-ancestors ${projectId} --format="value(id,type)"`
+  );
+  if (!result.ok) return null;
+  for (const line of (result.stdout || '').split('\n')) {
+    const [id, type] = line.trim().split(/\s+/);
+    if (type === 'organization' && id) return id;
+  }
+  return null;
+}
+
+/**
+ * Grants roles/orgpolicy.policyAdmin to an org member. Org OWNERS lack this role
+ * by default but CAN grant it (organizationAdmin includes setIamPolicy), which is
+ * what lets the lift below succeed. Returns ok:false if the account can't grant it
+ * (e.g. it's a non-owner member of a company org).
+ */
+async function grantOrgPolicyAdmin(orgId, member) {
+  const result = await run(
+    `gcloud organizations add-iam-policy-binding ${orgId}` +
+    ` --member="${member}" --role="roles/orgpolicy.policyAdmin" --condition=None`
+  );
+  return { ok: result.ok, error: result.stderr || result.error };
+}
+
+/**
+ * Removes the policyAdmin role we granted, returning the org to its original
+ * posture. Best effort — cleanup must never fail the overall key creation.
+ * The project-level unenforce stays (it needs no admin role and is the minimum
+ * required to rotate the key later).
+ */
+async function removeOrgPolicyAdmin(orgId, member) {
+  await run(
+    `gcloud organizations remove-iam-policy-binding ${orgId}` +
+    ` --member="${member}" --role="roles/orgpolicy.policyAdmin" --condition=None`
+  );
+}
+
 /**
  * Generates a new private key for the Firebase Admin SDK service account and returns
  * the JSON content as a string. The temporary key file is deleted immediately after reading.
@@ -122,12 +188,13 @@ async function allowServiceAccountKeyCreation(projectId) {
  * @param {string} projectId - Firebase/GCP project ID
  * @returns {{ ok: boolean, json?: string, saEmail?: string, policyAdjusted?: boolean, errorKind?: string, error?: string }}
  */
-async function createFcmServiceAccountKey(projectId) {
+async function createFcmServiceAccountKey(projectId, { onProgress } = {}) {
   if (!projectId || !projectId.trim()) {
     return { ok: false, error: 'projectId is required' };
   }
 
   const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+  const notify = (stage) => { try { if (onProgress) onProgress(stage); } catch (_) {} };
 
   // On a brand-new project the Firebase Admin SDK service account is provisioned
   // asynchronously after Firebase is added, and the IAM role grant also needs a
@@ -161,42 +228,64 @@ async function createFcmServiceAccountKey(projectId) {
     ` --project=${projectId.trim()}`
   );
 
-  // Right after granting the FCM admin role (and on a brand-new project), the
-  // IAM permission takes a moment to propagate — so the first key-create often
-  // fails with "permission still propagating". Back off and retry a few times
-  // before giving up, instead of leaving push half-configured.
+  // Phase 1 — try a direct create. On personal Google accounts with no
+  // organization there is no blocking policy, so this just works once the IAM
+  // role settles. A couple of quick retries cover that role propagation.
   let keyResult;
-  let policyAdjusted = false;
-  const maxAttempts = 6;
-  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+  for (let attempt = 1; attempt <= 3; attempt++) {
     keyResult = await createKey();
-    if (keyResult.ok) break;
-
-    // The org blocks SA keys (default on new GCP orgs). This is NOT a propagation
-    // race that retrying alone can fix — the constraint must be lifted. Lift it for
-    // THIS project once, then keep retrying: an org policy change itself takes a
-    // minute or more to take effect. If we can't lift it (no policy-admin
-    // permission), report a specific, actionable error instead of "still propagating".
-    if (isKeyCreationBlockedByOrgPolicy(keyResult)) {
-      if (!policyAdjusted) {
-        const lift = await allowServiceAccountKeyCreation(projectId.trim());
-        if (!lift.ok) {
-          await fs.remove(tmpPath).catch(() => {});
-          return { ok: false, errorKind: 'orgPolicyNoPermission', error: lift.error };
+    if (keyResult.ok || !isKeyCreationBlockedByOrgPolicy(keyResult)) break;
+    if (attempt < 3) await sleep(5000);
+  }
+
+  // Phase 2 — the org blocks SA keys (default on orgs created since 2024). Lift the
+  // constraint for THIS project only. Lifting needs roles/orgpolicy.policyAdmin,
+  // which even org OWNERS lack by default — but an owner CAN grant it to itself
+  // (organizationAdmin includes setIamPolicy). So: try to lift; if denied, self-grant
+  // policyAdmin and retry the lift; roll the grant back in Phase 3.
+  let policyAdjusted = false;
+  let selfGranted = null; // { orgId, member } to roll back afterward
+  if (!keyResult.ok && isKeyCreationBlockedByOrgPolicy(keyResult)) {
+    notify('orgPolicy');
+    let lift = await allowServiceAccountKeyCreation(projectId.trim());
+
+    if (!lift.ok && isPermissionError(lift)) {
+      const orgId = await getProjectOrganizationId(projectId.trim());
+      const member = await getCurrentGcloudMember();
+      if (orgId && member) {
+        const grant = await grantOrgPolicyAdmin(orgId, member);
+        if (grant.ok) {
+          selfGranted = { orgId, member };
+          // The grant takes a moment to propagate before the lift is accepted.
+          for (let attempt = 1; attempt <= 8 && !lift.ok; attempt++) {
+            await sleep(15000);
+            lift = await allowServiceAccountKeyCreation(projectId.trim());
+          }
         }
-        policyAdjusted = true;
       }
-      if (attempt < maxAttempts) await sleep(15000);
-      continue;
     }
-    if (attempt < maxAttempts) await sleep(7000);
+
+    if (lift.ok) {
+      policyAdjusted = true;
+      // The lift itself takes ~1-2 min to take effect — retry the create with backoff.
+      for (let attempt = 1; attempt <= 10; attempt++) {
+        keyResult = await createKey();
+        if (keyResult.ok) break;
+        if (attempt < 10) await sleep(15000);
+      }
+    }
   }
 
+  // Phase 3 — roll back the broad policyAdmin grant so the organization returns to
+  // its original posture. The project-level unenforce stays: it needs no admin role
+  // and is the minimum required to rotate this key later.
+  if (selfGranted) await removeOrgPolicyAdmin(selfGranted.orgId, selfGranted.member);
+
   if (!keyResult.ok) {
     await fs.remove(tmpPath).catch(() => {});
-    // Only surface the "ask an org admin" message when we genuinely could NOT lift
-    // the policy. If we DID lift it but the change is still propagating, fall through
-    // to the generic "still propagating, run again" message instead of blaming perms.
+    // "Ask an org admin" only when we genuinely could not lift the policy (e.g. a
+    // non-owner member of a company org). If we DID lift it but creation is still
+    // propagating, fall through to the generic "try again" message, not a perms blame.
     if (!policyAdjusted && isKeyCreationBlockedByOrgPolicy(keyResult)) {
       return { ok: false, errorKind: 'orgPolicyBlocked', error: keyResult.error };
     }

package/lib/scaffold/shared/post-build.js

@@ -37,12 +37,21 @@ async function run(cmd, cwd, timeout) {
   }
 }
 
-async function pubGet(projectDir) {
-  // 15 min: the FIRST `flutter pub get` on a fresh machine downloads the whole
-  // dependency tree (this template pulls in firebase, supabase, revenuecat,
-  // stripe, sentry…), which timed out at the old 5-min cap on slower Windows
-  // connections. It's a ceiling, not a wait — a warm cache still returns fast.
-  return run('flutter pub get', projectDir, 900_000);
+async function pubGet(projectDir, { onAttempt } = {}) {
+  // The FIRST `flutter pub get` on a fresh machine downloads the whole dependency
+  // tree (firebase, supabase, revenuecat, stripe, sentry…). On a slow Windows
+  // connection — or with antivirus scanning every cached file — a single attempt
+  // can time out (the user saw 15 min, then "Command failed"). The pub cache is
+  // global and persists between attempts, so each retry resumes where the last one
+  // stopped and tends to finish fast. A retry also clears a hung download. Try a
+  // few times with a shorter per-attempt ceiling before giving up.
+  let last;
+  for (let attempt = 1; attempt <= 2; attempt++) {
+    if (onAttempt) onAttempt(attempt);
+    last = await run('flutter pub get', projectDir, 600_000); // 10 min per attempt
+    if (last.ok) return last;
+  }
+  return last;
 }
 
 async function slangGenerate(projectDir) {

package/lib/utils/i18n/messages-en.js

@@ -746,6 +746,7 @@ module.exports = {
     'new.fcm.ok': 'generated automatically',
     'new.fcm.failSupabase': 'not generated (GCP permission still propagating); set FIREBASE_SERVICE_ACCOUNT_JSON in your Supabase secrets',
     'new.fcm.failApi': 'not generated (GCP permission still propagating); run the command again in a few minutes',
+    'new.fcm.adjustingOrgPolicy': 'Enabling organization permissions for push (may take 1-2 min)…',
     'new.fcm.policyLifted': 'Enabled service account key creation for this project (required for push notifications)',
     'new.fcm.orgPolicyBlocked': 'not generated: your Google Cloud organization blocks service account keys. Ask an organization admin to allow it, or generate the key in the Firebase Console (Project settings > Service accounts > Generate new private key)',
     'new.sha1.registering': 'Registering SHA-1 for Google Sign-In (Android)…',

package/lib/utils/i18n/messages-es.js

@@ -746,6 +746,7 @@ module.exports = {
     'new.fcm.ok': 'generada automáticamente',
     'new.fcm.failSupabase': 'no generada (permiso de GCP aún propagando); define FIREBASE_SERVICE_ACCOUNT_JSON en los secrets de Supabase',
     'new.fcm.failApi': 'no generada (permiso de GCP aún propagando); ejecuta el comando de nuevo en unos minutos',
+    'new.fcm.adjustingOrgPolicy': 'Habilitando permisos de la organización para el push (puede tardar 1-2 min)…',
     'new.fcm.policyLifted': 'Habilitada la creación de claves de cuenta de servicio en este proyecto (necesario para las notificaciones push)',
     'new.fcm.orgPolicyBlocked': 'no generada: tu organización en Google Cloud bloquea las claves de cuenta de servicio. Pide a un administrador de la organización que lo permita, o genera la clave en la Firebase Console (Configuración del proyecto > Cuentas de servicio > Generar nueva clave privada)',
     'new.sha1.registering': 'Registrando SHA-1 para Google Sign-In (Android)…',

package/lib/utils/i18n/messages-pt.js

@@ -746,6 +746,7 @@ module.exports = {
     'new.fcm.ok': 'gerada automaticamente',
     'new.fcm.failSupabase': 'não gerada (permissão do GCP ainda propagando); defina FIREBASE_SERVICE_ACCOUNT_JSON nos secrets do Supabase',
     'new.fcm.failApi': 'não gerada (permissão do GCP ainda propagando); rode o comando de novo em alguns minutos',
+    'new.fcm.adjustingOrgPolicy': 'Liberando permissões da organização para o push (pode levar 1-2 min)…',
     'new.fcm.policyLifted': 'Liberada a criação de chaves de service account neste projeto (necessário para as notificações push)',
     'new.fcm.orgPolicyBlocked': 'não gerada: sua organização no Google Cloud bloqueia chaves de service account. Peça a um administrador da organização para liberar, ou gere a chave no Firebase Console (Configurações do projeto > Contas de serviço > Gerar nova chave privada)',
     'new.sha1.registering': 'Registrando SHA-1 para Google Sign-In (Android)…',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.31.2",
+  "version": "1.31.4",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"