kasy-cli 1.32.0 → 1.35.0

package/lib/commands/facebook.js

@@ -0,0 +1,189 @@
+/**
+ * `kasy facebook` — guided Facebook Login setup.
+ *
+ * Facebook needs a Meta app (created manually on developers.facebook.com — no API
+ * for that, like Apple). This command guides that manual part (opens the Meta link,
+ * tells you exactly what to grab and which redirect URIs to register) and then
+ * automates everything that CAN be automated:
+ *   - writes App ID + Client Token into iOS Info.plist + Android strings.xml
+ *   - enables the Facebook provider on the backend: Firebase (Identity Toolkit) or
+ *     Supabase (Management API), using App ID + App Secret
+ *   - API backend: writes native files only (auth lives on your server)
+ *
+ * Credentials are cached in ~/.kasy/facebook.json so future projects reuse them
+ * (the `kasy new` auto-apply uses the same cache).
+ */
+
+const path = require('node:path');
+const fs = require('fs-extra');
+const kleur = require('kleur');
+const ui = require('../utils/ui');
+const { printCompactHeader } = require('../utils/brand');
+const { createTranslator, detectDefaultLanguage } = require('../utils/i18n');
+const { promptOpenBrowser } = require('../utils/browser');
+const { loadFacebookCreds, saveFacebookCreds, writeFacebookCredentials, setFacebookWebFlag } = require('../utils/facebook');
+const { configureFirebaseFacebook } = require('../scaffold/backends/firebase/setup-from-scratch');
+const { enableFacebookSignIn } = require('../scaffold/backends/supabase/deploy');
+
+const META_APPS_URL = 'https://developers.facebook.com/apps';
+
+/** Resolve App ID / Client Token / App Secret from flags, then cache, then prompts. */
+async function resolveFbCreds(options, backend, t) {
+  const cached = await loadFacebookCreds();
+  const needsSecret = backend === 'firebase' || backend === 'supabase';
+
+  if (options.appId || options.clientToken || options.appSecret) {
+    return {
+      appId: options.appId || cached?.appId,
+      clientToken: options.clientToken || cached?.clientToken,
+      appSecret: options.appSecret || cached?.appSecret,
+    };
+  }
+
+  if (cached) {
+    const reuse = await ui.confirm({
+      message: t('facebook.useSaved').replace('{id}', cached.appId),
+      initialValue: true,
+    });
+    if (reuse) return cached;
+  }
+
+  const req = (v) => (v && v.trim() ? undefined : t('facebook.required'));
+  const appId = await ui.text({ message: t('facebook.appIdPrompt'), placeholder: '1234567890', validate: req });
+  const clientToken = await ui.text({ message: t('facebook.clientTokenPrompt'), validate: req });
+  let appSecret = '';
+  if (needsSecret) {
+    appSecret = await ui.text({ message: t('facebook.appSecretPrompt'), validate: req });
+  }
+  return { appId: appId.trim(), clientToken: clientToken.trim(), appSecret: (appSecret || '').trim() };
+}
+
+/** Push the Facebook provider config to the project's backend. */
+async function applyBackend(backend, projectId, creds, t, s) {
+  if (backend === 'firebase') {
+    s.start(t('facebook.configuringFirebase'));
+    const r = await configureFirebaseFacebook({ projectId, appId: creds.appId, appSecret: creds.appSecret });
+    s.stop(r.ok ? t('facebook.firebaseOk') : t('facebook.backendFailed'));
+    return r;
+  }
+  if (backend === 'supabase') {
+    s.start(t('facebook.configuringSupabase'));
+    const r = await enableFacebookSignIn(projectId, { appId: creds.appId, appSecret: creds.appSecret });
+    s.stop(r.ok ? t('facebook.supabaseOk') : t('facebook.backendFailed'));
+    return r;
+  }
+  return { ok: false, skipped: true };
+}
+
+async function runFacebook(directory, options = {}) {
+  const language = options.language || detectDefaultLanguage();
+  const t = createTranslator(language);
+  printCompactHeader(t);
+  ui.intro(kleur.bold(t('facebook.title')));
+
+  const projectDir = path.resolve(directory || '.');
+  let kit;
+  try {
+    kit = await fs.readJson(path.join(projectDir, 'kit_setup.json'));
+  } catch {
+    ui.cancel(t('facebook.notKasyProject'));
+    return;
+  }
+
+  const backend = kit.backendProvider || 'firebase';
+  const projectId = backend === 'firebase' ? kit.firebaseProjectId : kit.supabaseProjectId;
+
+  // 1. Guide the manual Meta part (no API to automate it).
+  ui.note(t('facebook.metaIntro'), t('facebook.metaTitle'));
+  await promptOpenBrowser({
+    url: META_APPS_URL,
+    label: t('facebook.metaOpenLabel'),
+    confirmMessage: t('facebook.metaOpenConfirm'),
+    t,
+  });
+
+  // 2. Collect credentials (cache-aware).
+  const creds = await resolveFbCreds(options, backend, t);
+  if (!creds.appId) {
+    ui.cancel(t('facebook.incomplete'));
+    return;
+  }
+  await saveFacebookCreds(creds);
+
+  // 3. Write the native build-time files (same for every backend).
+  const native = await writeFacebookCredentials(projectDir, creds.appId, creds.clientToken);
+  if (native.plist === 'ok' || native.strings === 'ok') ui.log.success(t('facebook.nativeOk'));
+  else ui.log.warn(t('facebook.nativeMissing'));
+
+  // 4. Enable the backend provider (Firebase/Supabase). API backend has no managed auth.
+  let backendEnabled = false;
+  if (backend === 'api') {
+    ui.note(t('facebook.backendApi'), t('facebook.metaTitle'));
+  } else if (!projectId) {
+    ui.log.warn(t('facebook.missingProjectId'));
+  } else if (!creds.appSecret) {
+    ui.log.warn(t('facebook.noSecret'));
+  } else {
+    const s = ui.spinner();
+    const r = await applyBackend(backend, projectId, creds, t, s);
+    backendEnabled = !!r.ok;
+    if (!r.ok && !r.skipped) ui.log.error(r.error || 'unknown error');
+  }
+
+  // 5. Web: Facebook on the web works on the Firebase backend (signInWithPopup).
+  // Only flip the flag (which shows the web button) AFTER the provider was actually
+  // enabled — otherwise the button would be a dead button. On Supabase the web flow
+  // isn't wired in the app yet (roadmap), so we never flip it there.
+  if (backend === 'firebase' && backendEnabled) {
+    const flag = await setFacebookWebFlag(projectDir, true);
+    if (flag.ok) ui.log.success(t('facebook.flagUpdated'));
+    const redirectUrl = `https://${projectId}.firebaseapp.com/__/auth/handler`;
+    ui.note(`${t('facebook.redirectNote')}\n${kleur.cyan(redirectUrl)}`, t('facebook.metaTitle'));
+  } else if (backend === 'supabase') {
+    ui.log.info(t('facebook.webRoadmap'));
+  }
+
+  ui.outro(t('facebook.allDone'));
+}
+
+/**
+ * Called by `kasy new`: if Facebook login is enabled in the project AND credentials
+ * were saved before (`kasy facebook`), configure it for the fresh project (native
+ * files + backend provider) without prompting. Returns status for the success card.
+ *
+ * @returns {{ applied: boolean, pending: boolean }}
+ */
+async function autoApplyFacebookIfCached(targetDir) {
+  let kit;
+  try {
+    kit = await fs.readJson(path.join(targetDir, 'kit_setup.json'));
+  } catch {
+    return { applied: false, pending: false };
+  }
+  // The 'facebook' module drives both the login button and the Pixel flag.
+  if (!kit.withFacebookPixel) return { applied: false, pending: false };
+
+  const creds = await loadFacebookCreds();
+  if (!creds) return { applied: false, pending: true };
+
+  // Native files (App ID + Client Token) apply to every backend — Facebook native
+  // works on iOS/Android on Firebase and Supabase alike.
+  await writeFacebookCredentials(targetDir, creds.appId, creds.clientToken);
+
+  const backend = kit.backendProvider || 'firebase';
+  const projectId = backend === 'firebase' ? kit.firebaseProjectId : kit.supabaseProjectId;
+  if ((backend === 'firebase' || backend === 'supabase') && projectId && creds.appSecret) {
+    if (backend === 'firebase') {
+      await configureFirebaseFacebook({ projectId, appId: creds.appId, appSecret: creds.appSecret });
+    } else {
+      await enableFacebookSignIn(projectId, { appId: creds.appId, appSecret: creds.appSecret });
+    }
+  }
+  // Show the web Facebook button only where it works in-app (Firebase popup).
+  if (backend === 'firebase' && projectId && creds.appSecret) {
+    await setFacebookWebFlag(targetDir, true);
+  }
+  return { applied: true, pending: false };
+}
+
+module.exports = { runFacebook, autoApplyFacebookIfCached };

package/lib/commands/new.js

@@ -46,6 +46,8 @@ const { writeSupabaseGoogleAuthOptions, readSupabaseGoogleCredentials, getGoogle
 const { toPackageName } = require('../scaffold/backends/firebase/tokens');
 const { setupFromScratch, setupExistingProject, listBillingAccounts, listGcpOrganizations, checkGcloudAuth, getFirebaseAccount, getGcloudInstallInstructions, enableAuthProviders, ensureFirebaseAuthInitialized, authorizeLocalhostForProject, registerDebugSha1 } = require('../scaffold/backends/firebase/setup-from-scratch');
 const { enableAuthViaFirebaseCli } = require('../scaffold/backends/firebase/enable-auth-via-cli');
+const { autoApplyAppleWebIfCached } = require('./apple-web');
+const { autoApplyFacebookIfCached } = require('./facebook');
 const { createFcmServiceAccountKey } = require('../scaffold/shared/fcm-service-account');
 
 // Default region for creating Supabase projects via the API.
@@ -481,7 +483,7 @@ function printCreateFromScratchStatus(result, tr) {
   }
 }
 
-function printSuccessCard(tr, answers, targetDir) {
+function printSuccessCard(tr, answers, targetDir, appleWebStatus = null, facebookStatus = null) {
   const folderName = path.basename(targetDir);
 
   const lines = [];
@@ -509,6 +511,22 @@ function printSuccessCard(tr, answers, targetDir) {
     }
   }
 
+  if (appleWebStatus === 'configured') {
+    lines.push(paintLime(`✓ ${tr('new.success.appleWeb.configured')}`));
+    lines.push('');
+  } else if (appleWebStatus === 'pending') {
+    lines.push(kleur.yellow(`! ${tr('new.success.appleWeb.pending')}`));
+    lines.push('');
+  }
+
+  if (facebookStatus === 'configured') {
+    lines.push(paintLime(`✓ ${tr('new.success.facebook.configured')}`));
+    lines.push('');
+  } else if (facebookStatus === 'pending') {
+    lines.push(kleur.yellow(`! ${tr('new.success.facebook.pending')}`));
+    lines.push('');
+  }
+
   if (answers.backend === 'api') {
     lines.push(kleur.yellow(`! ${tr('new.success.api.serverContracts')}`));
     lines.push('');
@@ -1832,22 +1850,24 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
       // Supabase setup runs in fcmOnly mode, which intentionally leaves Firebase
       // Auth untouched, so initialize it here (idempotent) before the deploy.
       await ensureFirebaseAuthInitialized(answers.firebaseProjectId);
-      // Web Google sign-in on Supabase brokers the Google ID token through the
-      // Firebase popup (signInWithPopup), which only runs from an authorized
-      // domain. fcmOnly setup skips the authorizedDomains step, so localhost is
-      // missing here and the web popup dies with [firebase_auth/unauthorized-domain].
-      // Add it best-effort now that auth is initialized. Native (mobile) is unaffected.
-      const localhostDomains = await authorizeLocalhostForProject(answers.firebaseProjectId);
-      if (!localhostDomains.ok) {
-        ui.log.warn(tr('new.google.localhostDomainWarn'));
-      }
       const cliResult = await enableAuthViaFirebaseCli({
         projectDir: targetDir,
         projectId: answers.firebaseProjectId,
         appName: answers.appName,
         googleOnly: true,
       });
+      // Web Google sign-in on Supabase brokers the Google ID token through the
+      // Firebase popup (signInWithPopup), which only runs from an authorized
+      // domain. New projects don't get `localhost` seeded automatically, so the web
+      // popup would die with [firebase_auth/unauthorized-domain]. Authorize it now —
+      // AFTER the deploy, which fully materializes and stabilizes the auth config.
+      // Doing it right after initializeAuth raced the config's propagation and
+      // intermittently failed. Best-effort + retries. Native (mobile) is unaffected.
+      const localhostDomains = await authorizeLocalhostForProject(answers.firebaseProjectId);
       googleSpinner.stop(tr('new.google.enabling'));
+      if (!localhostDomains.ok) {
+        ui.log.warn(tr('new.google.localhostDomainWarn'));
+      }
 
       if (cliResult.ok) {
         // The deploy created the OAuth Web Client + iOS client. Re-run flutterfire so
@@ -2118,7 +2138,37 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
   // APNs key (iOS push) is intentionally not mentioned here — it only becomes
   // relevant when shipping to iOS, and the docs at kasy.dev/docs/apns explain it.
 
-  printSuccessCard(tr, answers, targetDir);
+  // Apple web: auto-configure if the developer saved credentials on a previous
+  // project; otherwise it stays pending and the success card points to the command.
+  let appleWebStatus = null;
+  try {
+    const aw = await autoApplyAppleWebIfCached(targetDir);
+    if (aw.applied) {
+      appleWebStatus = 'configured';
+      ui.log.success(tr('new.appleWeb.autoConfigured'));
+    } else if (aw.pending) {
+      appleWebStatus = 'pending';
+    }
+  } catch (_) {
+    // Non-fatal: web Apple is optional and can be configured later.
+  }
+
+  // Facebook: auto-configure if it's enabled in the project and credentials were
+  // saved on a previous project; otherwise pending and the card points to the command.
+  let facebookStatus = null;
+  try {
+    const fb = await autoApplyFacebookIfCached(targetDir);
+    if (fb.applied) {
+      facebookStatus = 'configured';
+      ui.log.success(tr('new.facebook.autoConfigured'));
+    } else if (fb.pending) {
+      facebookStatus = 'pending';
+    }
+  } catch (_) {
+    // Non-fatal: Facebook is optional and can be configured later.
+  }
+
+  printSuccessCard(tr, answers, targetDir, appleWebStatus, facebookStatus);
 
   ui.outro(kleur.bold(tr('new.success.title')));
 }

package/lib/commands/release-version.js

@@ -0,0 +1,234 @@
+/**
+ * `kasy release-version` — announce a new app version to existing users.
+ *
+ * The "update available" prompt in the app compares the installed version
+ * (read automatically from pubspec.yaml) against two Firebase Remote Config
+ * keys:
+ *
+ *   app_latest_version — newer version published to the stores → OPTIONAL update
+ *   app_min_version    — oldest version still allowed         → FORCED  update
+ *
+ * Updating those keys is normally a manual step in the Firebase console (on
+ * purpose: publishing to the store and *announcing* the update are different
+ * moments). This command automates the announcing part. It reuses the existing
+ * Firebase CLI login (`firebase login`) — no service account key, nothing billed.
+ *
+ * Safety: it bumps `app_latest_version` (optional) by default. Forcing an update
+ * (`app_min_version`) is opt-in via `--force`, because a wrong value locks every
+ * user out of the app with no way to dismiss.
+ *
+ * It never overwrites the rest of your Remote Config: it fetches the live
+ * template, edits only the version keys, and re-publishes.
+ */
+
+'use strict';
+
+const path = require('node:path');
+const fs = require('fs-extra');
+const kleur = require('kleur');
+const { exec } = require('node:child_process');
+const { promisify } = require('node:util');
+
+const ui = require('../utils/ui');
+const { printCompactHeader } = require('../utils/brand');
+const { createTranslator } = require('../utils/i18n');
+const { getStoredLanguage } = require('../utils/license');
+
+const execAsync = promisify(exec);
+
+const SEMVER_RE = /^\d+\.\d+\.\d+$/;
+const TEMPLATE_FILE = 'remoteconfig.template.json';
+
+// ── Helpers ─────────────────────────────────────────────────────────────────
+
+/** Semantic version from `version: 1.2.3+45` (drops the build number). */
+function readPubspecVersion(content) {
+  const match = content.match(/^version:\s*(\d+\.\d+\.\d+)\+?\d*\s*$/m);
+  return match ? match[1] : null;
+}
+
+/** Firebase project id — google-services.json is always present; .firebaserc as fallback. */
+async function detectProjectId(projectDir) {
+  const gsPath = path.join(projectDir, 'android', 'app', 'google-services.json');
+  if (await fs.pathExists(gsPath)) {
+    try {
+      const data = await fs.readJson(gsPath);
+      if (data?.project_info?.project_id) return data.project_info.project_id;
+    } catch (_) {}
+  }
+  const rcPath = path.join(projectDir, '.firebaserc');
+  if (await fs.pathExists(rcPath)) {
+    try {
+      const rc = await fs.readJson(rcPath);
+      if (rc.projects?.default) return rc.projects.default;
+    } catch (_) {}
+  }
+  return null;
+}
+
+async function runFirebase(cmd, projectDir) {
+  try {
+    const { stdout, stderr } = await execAsync(cmd, {
+      cwd: projectDir,
+      maxBuffer: 50 * 1024 * 1024,
+    });
+    return { ok: true, stdout, stderr };
+  } catch (err) {
+    return { ok: false, error: (err.stderr || err.message || '').trim() };
+  }
+}
+
+/** Set one string parameter, preserving any existing description / metadata. */
+function setStringParam(template, key, value) {
+  template.parameters = template.parameters || {};
+  const existing = template.parameters[key] || {};
+  template.parameters[key] = {
+    ...existing,
+    defaultValue: { value },
+    valueType: 'STRING',
+  };
+}
+
+/**
+ * Ensure firebase.json points the remoteconfig deploy at our template file.
+ * Works on every backend: Supabase / API projects may not ship a firebase.json
+ * (they use Firebase Remote Config but don't deploy functions), so we create a
+ * minimal one rather than failing.
+ */
+async function ensureFirebaseJsonWired(projectDir) {
+  const fbPath = path.join(projectDir, 'firebase.json');
+  const fb = (await fs.pathExists(fbPath)) ? await fs.readJson(fbPath) : {};
+  if (fb.remoteconfig && fb.remoteconfig.template === TEMPLATE_FILE) return false;
+  fb.remoteconfig = { template: TEMPLATE_FILE };
+  await fs.writeJson(fbPath, fb, { spaces: 2 });
+  return true;
+}
+
+// ── Main ──────────────────────────────────────────────────────────────────
+
+async function runReleaseVersion(directory, options = {}) {
+  const language = options.language || getStoredLanguage() || 'en';
+  const t = createTranslator(language);
+  const projectDir = path.resolve(directory || '.');
+  const cancel = () => { ui.cancel(t('releaseVersion.aborted')); process.exit(0); };
+
+  printCompactHeader(t);
+  ui.intro(kleur.bold(t('releaseVersion.intro')));
+
+  // 1. Validate project
+  if (!(await fs.pathExists(path.join(projectDir, 'kit_setup.json')))) {
+    ui.log.error(t('releaseVersion.notKasy'));
+    ui.cancel(t('releaseVersion.aborted'));
+    process.exit(1);
+  }
+
+  // 2. Installed version (suggestion)
+  let installed = null;
+  const pubspecPath = path.join(projectDir, 'pubspec.yaml');
+  if (await fs.pathExists(pubspecPath)) {
+    installed = readPubspecVersion(await fs.readFile(pubspecPath, 'utf8'));
+  }
+  if (installed) {
+    ui.log.message(kleur.gray(t('releaseVersion.current', { version: installed })));
+  }
+
+  // 3. Firebase project
+  const projectId = options.project || (await detectProjectId(projectDir));
+  if (!projectId) {
+    ui.log.error(t('releaseVersion.noProject'));
+    ui.cancel(t('releaseVersion.aborted'));
+    process.exit(1);
+  }
+  ui.log.message(kleur.gray(t('releaseVersion.detectedProject', { id: projectId })));
+
+  // 4. Which version to announce
+  let version = options.version;
+  if (version && !SEMVER_RE.test(String(version).trim())) {
+    ui.log.error(t('releaseVersion.badVersion'));
+    process.exit(1);
+  }
+  if (!version) {
+    version = await ui.text({
+      message: t('releaseVersion.qVersion'),
+      placeholder: installed || '1.0.0',
+      initialValue: installed || '',
+      validate: (v) => (SEMVER_RE.test(String(v || '').trim()) ? undefined : t('releaseVersion.badVersion')),
+      onCancel: cancel,
+    });
+  }
+  version = String(version).trim();
+
+  // 5. Optional vs forced (forced is opt-in)
+  let forced = Boolean(options.force);
+  if (!forced && !options.yes) {
+    ui.log.message(kleur.yellow(t('releaseVersion.forcedHint')));
+    forced = await ui.confirm({
+      message: t('releaseVersion.qForced'),
+      initialValue: false,
+      onCancel: cancel,
+    });
+  }
+
+  // 6. Confirm
+  ui.log.message(
+    forced
+      ? kleur.red(t('releaseVersion.summaryForced', { version }))
+      : kleur.cyan(t('releaseVersion.summaryOptional', { version }))
+  );
+  if (!options.yes) {
+    const go = await ui.confirm({ message: t('releaseVersion.qConfirm'), onCancel: cancel });
+    if (!go) cancel();
+  }
+
+  // 7. Fetch live template, edit only the version keys, re-publish
+  const spinner = ui.spinner();
+  spinner.start(t('releaseVersion.fetching'));
+
+  const templatePath = path.join(projectDir, TEMPLATE_FILE);
+  const fetched = await runFirebase(
+    `firebase remoteconfig:get --project ${projectId} -o "${templatePath}"`,
+    projectDir
+  );
+
+  let template;
+  if (fetched.ok && (await fs.pathExists(templatePath))) {
+    try {
+      template = await fs.readJson(templatePath);
+    } catch (_) {
+      template = {};
+    }
+  } else {
+    // First-time / empty config — start fresh (don't abort).
+    template = {};
+  }
+  // Drop server-assigned metadata so the deploy creates a clean new version.
+  delete template.version;
+  delete template.etag;
+
+  setStringParam(template, 'app_latest_version', version);
+  if (forced) setStringParam(template, 'app_min_version', version);
+
+  await fs.writeJson(templatePath, template, { spaces: 2 });
+  await ensureFirebaseJsonWired(projectDir);
+
+  spinner.message(t('releaseVersion.deploying'));
+  const deployed = await runFirebase(
+    `firebase deploy --only remoteconfig --project ${projectId}`,
+    projectDir
+  );
+
+  if (!deployed.ok) {
+    spinner.error(t('releaseVersion.failed'));
+    ui.log.error(deployed.error);
+    process.exit(1);
+  }
+
+  spinner.stop(t('releaseVersion.done', { version }));
+  ui.outro(
+    forced
+      ? kleur.red(t('releaseVersion.summaryForced', { version }))
+      : kleur.cyan(t('releaseVersion.summaryOptional', { version }))
+  );
+}
+
+module.exports = { runReleaseVersion };

package/lib/commands/update.js

@@ -116,6 +116,29 @@ function applyCoreFiles(projectDir) {
   return applyFileList(CORE_FILES, projectDir);
 }
 
+/**
+ * After an update overwrites files, point the developer to the git-based merge.
+ * Deliberately short (3 lines) to keep the CLI clean — the full how-to and the AI
+ * merge prompt live in the project's AGENTS.md. Best-effort: stays silent if git
+ * is unavailable or nothing actually changed (so a clean update prints nothing).
+ */
+async function printMergeHint(projectDir, t) {
+  let changed = [];
+  try {
+    const { stdout } = await execAsync('git diff --name-only', { cwd: projectDir, env: augmentedEnv() });
+    changed = stdout.split('\n').map((s) => s.trim()).filter(Boolean);
+  } catch {
+    return; // not a git repo, or git not installed — say nothing
+  }
+  if (changed.length === 0) return;
+  ui.note(
+    `${t('update.mergeHint.body', { count: changed.length })}\n` +
+      `${kleur.dim(t('update.mergeHint.aiPrompt'))}\n` +
+      `${kleur.dim(t('update.mergeHint.seeAgents'))}`,
+    t('update.mergeHint.title'),
+  );
+}
+
 /** Same detection logic used by add.js and remove.js. */
 async function getActiveModules(kitSetup, projectDir) {
   const modules = [];
@@ -214,6 +237,7 @@ async function runUpdate(module, options = {}) {
 
       kitSetup.cliVersion = currentVersion;
       await fs.outputFile(kitSetupPath, JSON.stringify(kitSetup, null, 2) + '\n', 'utf8');
+      await printMergeHint(projectDir, t);
       ui.outro(t('update.componentsSuccess'));
       return;
     }
@@ -262,6 +286,7 @@ async function runUpdate(module, options = {}) {
 
       kitSetup.cliVersion = currentVersion;
       await fs.outputFile(kitSetupPath, JSON.stringify(kitSetup, null, 2) + '\n', 'utf8');
+      await printMergeHint(projectDir, t);
       ui.outro(t('update.coreSuccess'));
       return;
     }
@@ -301,6 +326,7 @@ async function runUpdate(module, options = {}) {
       }
       kitSetup.cliVersion = currentVersion;
       await fs.outputFile(kitSetupPath, JSON.stringify(kitSetup, null, 2) + '\n', 'utf8');
+      await printMergeHint(projectDir, t);
       ui.outro(t('update.iosRelease.success'));
       return;
     }
@@ -392,6 +418,7 @@ async function runUpdate(module, options = {}) {
     kitSetup.cliVersion = currentVersion;
     await fs.outputFile(kitSetupPath, JSON.stringify(kitSetup, null, 2) + '\n', 'utf8');
 
+    await printMergeHint(projectDir, t);
     ui.outro(t('update.success', { module: normalized }));
     return;
   }

package/lib/scaffold/CHANGELOG.json

@@ -1,4 +1,31 @@
 {
+  "1.35.0": {
+    "modules": {
+      "core": {
+        "pt": "Confiança pra escalar: (1) trava anti-patch-desatualizado no publish — se um arquivo do kit muda mas o patch Supabase/API não acompanha, o `npm publish` falha apontando o que revisar (nunca mais release com backend regredido em silêncio). (2) Atualizar projeto existente ficou claro: depois de `kasy update core/components/<feature>`, a CLI mostra quais arquivos mudaram e como juntar suas customizações com o novo (inclusive um prompt pronto pra IA); o passo a passo também fica no AGENTS.md do projeto. (3) Login Google na web (Supabase): a CLI agora autoriza o localhost no Firebase depois do deploy e com novas tentativas, então o popup do Google na web para de falhar com \"unauthorized-domain\" em projetos recém-criados. (4) Login com Google na web (Supabase): corrigido o erro \"missing sub claim\" que impedia o login Google no navegador. Na web não existe usuário anônimo, então o app agora cria a conta direto em vez de tentar vincular a um anônimo inexistente (mesmo comportamento defensivo do Firebase). (5) Proporção da web refinada: a escala 0.95 vale só no desktop (tablet, mobile e nativo ficam no tamanho real, igual ao device preview), e a compensação de escala alta do sistema agora olha o tamanho da TELA, não da janela, então só estreitar o navegador não encolhe mais a interface.",
+        "en": "Confidence to scale: (1) stale-patch tripwire at publish — if a kit file changes but the Supabase/API patch doesn't follow, `npm publish` fails pointing to what to review (no more silently regressed backends in a release). (2) Updating an existing project is now clear: after `kasy update core/components/<feature>`, the CLI shows which files changed and how to merge your customizations with the new version (including a ready AI prompt); the step-by-step also lives in the project AGENTS.md. (3) Google web login (Supabase): the CLI now authorizes localhost on Firebase after the deploy and with retries, so the web Google popup stops failing with \"unauthorized-domain\" on freshly created projects. (4) Google web login (Supabase): fixed the \"missing sub claim\" error that blocked Google login in the browser. On web there is no anonymous user, so the app now creates the account directly instead of trying to link to a non-existent anonymous one (matching the Firebase backend's defensive behavior). (5) Web proportion refined: the 0.95 scale applies on desktop only (tablet, mobile and native render at real size, matching the device preview), and the high-OS-scale compensation now keys off the SCREEN size, not the window, so merely narrowing the browser no longer shrinks the UI.",
+        "es": "Confianza para escalar: (1) tripwire de patch desactualizado en el publish — si un archivo del kit cambia pero el patch Supabase/API no lo sigue, `npm publish` falla indicando qué revisar (nunca más un backend regresado en silencio). (2) Actualizar un proyecto existente quedó claro: tras `kasy update core/components/<feature>`, la CLI muestra qué archivos cambiaron y cómo combinar tus personalizaciones con lo nuevo (incluido un prompt listo para IA); el paso a paso también está en el AGENTS.md del proyecto. (3) Inicio de sesión Google en web (Supabase): la CLI ahora autoriza localhost en Firebase después del deploy y con reintentos, así el popup de Google en web deja de fallar con \"unauthorized-domain\" en proyectos recién creados. (4) Inicio de sesión Google en web (Supabase): corregido el error \"missing sub claim\" que bloqueaba el login con Google en el navegador. En web no hay usuario anónimo, así que la app ahora crea la cuenta directamente en vez de intentar vincular a un anónimo inexistente (igual que el comportamiento defensivo del backend Firebase). (5) Proporción web refinada: la escala 0.95 aplica solo en desktop (tablet, móvil y nativo se ven a tamaño real, igual que el device preview), y la compensación de escala alta del sistema ahora usa el tamaño de la PANTALLA, no de la ventana, así que solo estrechar el navegador ya no encoge la interfaz."
+      }
+    }
+  },
+  "1.34.0": {
+    "modules": {
+      "core": {
+        "pt": "Login com Facebook automatizado + Facebook na web (Firebase): novo comando `kasy facebook` guia os passos na Meta (abre o link), grava App ID + Client Token no iOS/Android e habilita o provedor no Firebase (Identity Toolkit) ou Supabase. No Firebase, o Facebook passa a funcionar na WEB (signInWithPopup) e o botão só aparece quando configurado (flag withFacebookWebSignin). Apple/Facebook na web no Supabase ficam como native-only (roadmap). Corrigido: o `kasy apple-web` agora liga o Apple web só no Firebase (não cria mais botão morto no Supabase). Credenciais ficam salvas e o `kasy new` aplica sozinho.",
+        "en": "Facebook Login automated + Facebook on web (Firebase): new `kasy facebook` command guides the Meta steps (opens the link), writes App ID + Client Token into iOS/Android and enables the provider on Firebase (Identity Toolkit) or Supabase. On Firebase, Facebook now works on the WEB (signInWithPopup) and the button only shows once configured (withFacebookWebSignin flag). Apple/Facebook on web for Supabase stay native-only (roadmap). Fixed: `kasy apple-web` now enables Apple web on Firebase only (no more dead button on Supabase). Credentials are cached and `kasy new` applies them automatically.",
+        "es": "Inicio de sesión con Facebook automatizado + Facebook en la web (Firebase): nuevo comando `kasy facebook` guía los pasos en Meta (abre el enlace), escribe App ID + Client Token en iOS/Android y habilita el proveedor en Firebase (Identity Toolkit) o Supabase. En Firebase, Facebook ahora funciona en la WEB (signInWithPopup) y el botón solo aparece cuando está configurado (flag withFacebookWebSignin). Apple/Facebook en la web para Supabase quedan como native-only (roadmap). Corregido: `kasy apple-web` ahora activa Apple web solo en Firebase (sin botón muerto en Supabase). Las credenciales se guardan y `kasy new` las aplica automáticamente."
+      }
+    }
+  },
+  "1.33.0": {
+    "modules": {
+      "core": {
+        "pt": "Login com Apple na WEB agora é automatizável (backend Firebase): novo comando `kasy apple-web` grava o codeFlowConfig (Service ID + Team ID + Key ID + .p8) no provedor Apple do Firebase, que re-assina o secret sozinho (não expira), reaproveitando suas credenciais salvas. Projetos Firebase novos já nascem com Apple web se você já configurou antes. O botão Apple na web só aparece quando funciona de verdade (sem botão morto); `kasy doctor` mostra se falta configurar. No Supabase, Apple na web é roadmap.",
+        "en": "Apple Sign-In on the WEB is now automatable (Firebase backend): new `kasy apple-web` command writes the codeFlowConfig (Service ID + Team ID + Key ID + .p8) into the Firebase Apple provider, which re-signs the secret itself (never expires), reusing your saved credentials. New Firebase projects ship web Apple ready if you configured it before. The web Apple button only shows when it actually works (no dead button); `kasy doctor` reports if it's pending. On Supabase, Apple on web is roadmap.",
+        "es": "El inicio de sesión con Apple en la WEB ahora es automatizable (backend Firebase): nuevo comando `kasy apple-web` escribe el codeFlowConfig (Service ID + Team ID + Key ID + .p8) en el proveedor Apple de Firebase, que vuelve a firmar el secret solo (no expira), reutilizando tus credenciales guardadas. Los proyectos Firebase nuevos vienen con Apple web listo si ya lo configuraste antes. El botón de Apple en la web solo aparece cuando funciona de verdad (sin botón muerto); `kasy doctor` indica si falta configurar. En Supabase, Apple en la web es roadmap."
+      }
+    }
+  },
   "1.32.0": {
     "modules": {
       "core": {

package/lib/scaffold/backends/api/patch/lib/features/authentication/api/authentication_api.dart

@@ -222,6 +222,30 @@ class HttpAuthenticationApi implements AuthenticationApi {
   @override
   Future<String?> getCurrentUserDisplayName() async => null;
 
+  @override
+  Future<String?> getCurrentUserPhotoUrl() async => null;
+
+  @override
+  Future<List<String>> getLinkedProviders() async => const [];
+
+  @override
+  Future<void> setPassword(String password) {
+    // Wire this to your backend, e.g. POST /auth/set-password { password }.
+    throw UnimplementedError(
+      '❌ Implement setPassword() to send the new password to your backend.',
+    );
+  }
+
+  @override
+  Future<List<String>> linkableSocialProviders() async => const [];
+
+  @override
+  Future<void> linkSocialProvider(String provider) {
+    throw UnimplementedError(
+      '❌ Implement linkSocialProvider() to link a social provider on your backend.',
+    );
+  }
+
   /// Links an anonymous/guest session to a permanent Google account.
   ///
   /// Expected flow: