kasy-cli 1.34.0 → 1.35.0

package/README.md

@@ -51,7 +51,7 @@ The wizard will ask for your app name, bundle ID, and backend. A complete Flutte
 
 ## Optional modules
 
-`sentry` · `analytics` · `revenuecat` · `onboarding` · `widget` · `llm_chat` · `facebook` · `local_notifications` · `feedback` · `ci`
+`sentry` · `analytics` · `revenuecat` · `onboarding` · `widget` · `ai_chat` · `facebook` · `local_notifications` · `feedback` · `ci`
 
 ## Requirements
 

package/bin/kasy.js

@@ -8,6 +8,7 @@ const { runDoctor } = require('../lib/commands/doctor');
 const { runFeatures } = require('../lib/commands/features');
 const { runValidate } = require('../lib/commands/validate');
 const { runDeployCommand } = require('../lib/commands/deploy');
+const { runReleaseVersion } = require('../lib/commands/release-version');
 const { runConfigure } = require('../lib/commands/configure');
 const { runAppleWeb } = require('../lib/commands/apple-web');
 const { runFacebook } = require('../lib/commands/facebook');
@@ -327,6 +328,27 @@ function buildProgram(language) {
     t
   );
 
+  applyLocalizedHelp(
+    program
+      .command('release-version')
+      .argument('[directory]', 'Project folder (default: current directory)', '.')
+      .option('-v, --version <version>', 'Version now live in the stores (SemVer, e.g. 1.4.0)')
+      .option('-f, --force', 'Make it a forced (blocking) update — sets app_min_version')
+      .option('-p, --project <id>', 'Firebase Project ID')
+      .option('-y, --yes', 'Skip confirmations (non-interactive / CI)')
+      .description(t('cli.command.releaseVersion.description'))
+      .action(async (directory, options) => {
+        await runReleaseVersion(directory, {
+          language,
+          version: options.version,
+          force: Boolean(options.force),
+          project: options.project,
+          yes: Boolean(options.yes),
+        });
+      }),
+    t
+  );
+
   applyLocalizedHelp(
     program
       .command('configure')
@@ -432,7 +454,7 @@ function buildProgram(language) {
   applyLocalizedHelp(
     program
       .command('add')
-      .argument('[feature]', 'Feature to add (e.g. sentry, analytics, revenuecat, onboarding, llm_chat, ci...)')
+      .argument('[feature]', 'Feature to add (e.g. sentry, analytics, revenuecat, onboarding, ai_chat, ci...)')
       .option('--list', 'List all available features and their current status')
       .option('--yes', 'Skip interactive prompts (use placeholder values)')
       .option('-d, --directory <path>', 'Project folder (default: current directory)', '.')
@@ -446,7 +468,7 @@ function buildProgram(language) {
   applyLocalizedHelp(
     program
       .command('remove')
-      .argument('[feature]', 'Feature to remove (e.g. sentry, analytics, llm_chat, ci...)')
+      .argument('[feature]', 'Feature to remove (e.g. sentry, analytics, ai_chat, ci...)')
       .option('--yes', 'Skip confirmation prompt')
       .option('-d, --directory <path>', 'Project folder (default: current directory)', '.')
       .description(t('cli.command.remove.description'))

package/docs/cli-reference.md

@@ -17,7 +17,7 @@ kasy new                        # interativo — pergunta tudo
 kasy new meu-app               # cria na pasta meu-app
 kasy new --yes                 # modo rápido, preset Starter
 kasy new --backend supabase    # define backend sem perguntar
-kasy new --with llm_chat,sentry  # pré-seleciona features
+kasy new --with ai_chat,sentry  # pré-seleciona features
 ```
 
 **Opções:**
@@ -36,12 +36,12 @@ kasy new --with llm_chat,sentry  # pré-seleciona features
 Adiciona uma feature a um projeto Kasy existente.
 
 ```bash
-kasy add llm_chat
+kasy add ai_chat
 kasy add sentry
 kasy add revenuecat
 kasy add --list               # lista features disponíveis e status
-kasy add --yes llm_chat       # sem perguntas interativas
-kasy add -d ./outro-app llm_chat
+kasy add --yes ai_chat       # sem perguntas interativas
+kasy add -d ./outro-app ai_chat
 ```
 
 **Features disponíveis:**
@@ -54,7 +54,7 @@ kasy add -d ./outro-app llm_chat
 | `onboarding` | Fluxo de onboarding customizável |
 | `web` | Suporte a Flutter Web |
 | `widget` | Home widgets para iOS e Android |
-| `llm_chat` | Chat com IA via Cloud/Edge Functions |
+| `ai_chat` | Chat com IA via Cloud/Edge Functions |
 | `feedback` | Sistema de feedback e feature requests |
 | `ci` | CI/CD com GitHub Actions / Codemagic |
 
@@ -203,7 +203,7 @@ lib/
     home/           # tela principal
     notifications/  # notificações locais e push
     settings/       # configurações do app
-    llm_chat/       # [feature] chat com IA
+    ai_chat/        # [feature] chat com IA
     feedbacks/      # [feature] feedback e feature requests
     onboarding/     # [feature] onboarding
     subscription/   # [feature] assinaturas (RevenueCat)
@@ -246,6 +246,6 @@ No desenvolvimento local, ficam em `.env` (copiado de `.env.example`). `--dart-d
 | `MIXPANEL_TOKEN` | analytics | Token do Mixpanel |
 | `RC_ANDROID_API_KEY` | revenuecat | Chave Android do RevenueCat |
 | `RC_IOS_API_KEY` | revenuecat | Chave iOS do RevenueCat |
-| `LLM_CHAT_ENDPOINT` | llm_chat | URL da Cloud/Edge Function |
+| `AI_CHAT_ENDPOINT` | ai_chat | URL da Cloud/Edge Function |
 | `BACKEND_URL` | supabase/api | URL do backend |
 | `SUPABASE_TOKEN` | supabase | Anon key do Supabase |

package/lib/commands/new.js

@@ -1850,22 +1850,24 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
       // Supabase setup runs in fcmOnly mode, which intentionally leaves Firebase
       // Auth untouched, so initialize it here (idempotent) before the deploy.
       await ensureFirebaseAuthInitialized(answers.firebaseProjectId);
-      // Web Google sign-in on Supabase brokers the Google ID token through the
-      // Firebase popup (signInWithPopup), which only runs from an authorized
-      // domain. fcmOnly setup skips the authorizedDomains step, so localhost is
-      // missing here and the web popup dies with [firebase_auth/unauthorized-domain].
-      // Add it best-effort now that auth is initialized. Native (mobile) is unaffected.
-      const localhostDomains = await authorizeLocalhostForProject(answers.firebaseProjectId);
-      if (!localhostDomains.ok) {
-        ui.log.warn(tr('new.google.localhostDomainWarn'));
-      }
       const cliResult = await enableAuthViaFirebaseCli({
         projectDir: targetDir,
         projectId: answers.firebaseProjectId,
         appName: answers.appName,
         googleOnly: true,
       });
+      // Web Google sign-in on Supabase brokers the Google ID token through the
+      // Firebase popup (signInWithPopup), which only runs from an authorized
+      // domain. New projects don't get `localhost` seeded automatically, so the web
+      // popup would die with [firebase_auth/unauthorized-domain]. Authorize it now —
+      // AFTER the deploy, which fully materializes and stabilizes the auth config.
+      // Doing it right after initializeAuth raced the config's propagation and
+      // intermittently failed. Best-effort + retries. Native (mobile) is unaffected.
+      const localhostDomains = await authorizeLocalhostForProject(answers.firebaseProjectId);
       googleSpinner.stop(tr('new.google.enabling'));
+      if (!localhostDomains.ok) {
+        ui.log.warn(tr('new.google.localhostDomainWarn'));
+      }
 
       if (cliResult.ok) {
         // The deploy created the OAuth Web Client + iOS client. Re-run flutterfire so

package/lib/commands/release-version.js

@@ -0,0 +1,234 @@
+/**
+ * `kasy release-version` — announce a new app version to existing users.
+ *
+ * The "update available" prompt in the app compares the installed version
+ * (read automatically from pubspec.yaml) against two Firebase Remote Config
+ * keys:
+ *
+ *   app_latest_version — newer version published to the stores → OPTIONAL update
+ *   app_min_version    — oldest version still allowed         → FORCED  update
+ *
+ * Updating those keys is normally a manual step in the Firebase console (on
+ * purpose: publishing to the store and *announcing* the update are different
+ * moments). This command automates the announcing part. It reuses the existing
+ * Firebase CLI login (`firebase login`) — no service account key, nothing billed.
+ *
+ * Safety: it bumps `app_latest_version` (optional) by default. Forcing an update
+ * (`app_min_version`) is opt-in via `--force`, because a wrong value locks every
+ * user out of the app with no way to dismiss.
+ *
+ * It never overwrites the rest of your Remote Config: it fetches the live
+ * template, edits only the version keys, and re-publishes.
+ */
+
+'use strict';
+
+const path = require('node:path');
+const fs = require('fs-extra');
+const kleur = require('kleur');
+const { exec } = require('node:child_process');
+const { promisify } = require('node:util');
+
+const ui = require('../utils/ui');
+const { printCompactHeader } = require('../utils/brand');
+const { createTranslator } = require('../utils/i18n');
+const { getStoredLanguage } = require('../utils/license');
+
+const execAsync = promisify(exec);
+
+const SEMVER_RE = /^\d+\.\d+\.\d+$/;
+const TEMPLATE_FILE = 'remoteconfig.template.json';
+
+// ── Helpers ─────────────────────────────────────────────────────────────────
+
+/** Semantic version from `version: 1.2.3+45` (drops the build number). */
+function readPubspecVersion(content) {
+  const match = content.match(/^version:\s*(\d+\.\d+\.\d+)\+?\d*\s*$/m);
+  return match ? match[1] : null;
+}
+
+/** Firebase project id — google-services.json is always present; .firebaserc as fallback. */
+async function detectProjectId(projectDir) {
+  const gsPath = path.join(projectDir, 'android', 'app', 'google-services.json');
+  if (await fs.pathExists(gsPath)) {
+    try {
+      const data = await fs.readJson(gsPath);
+      if (data?.project_info?.project_id) return data.project_info.project_id;
+    } catch (_) {}
+  }
+  const rcPath = path.join(projectDir, '.firebaserc');
+  if (await fs.pathExists(rcPath)) {
+    try {
+      const rc = await fs.readJson(rcPath);
+      if (rc.projects?.default) return rc.projects.default;
+    } catch (_) {}
+  }
+  return null;
+}
+
+async function runFirebase(cmd, projectDir) {
+  try {
+    const { stdout, stderr } = await execAsync(cmd, {
+      cwd: projectDir,
+      maxBuffer: 50 * 1024 * 1024,
+    });
+    return { ok: true, stdout, stderr };
+  } catch (err) {
+    return { ok: false, error: (err.stderr || err.message || '').trim() };
+  }
+}
+
+/** Set one string parameter, preserving any existing description / metadata. */
+function setStringParam(template, key, value) {
+  template.parameters = template.parameters || {};
+  const existing = template.parameters[key] || {};
+  template.parameters[key] = {
+    ...existing,
+    defaultValue: { value },
+    valueType: 'STRING',
+  };
+}
+
+/**
+ * Ensure firebase.json points the remoteconfig deploy at our template file.
+ * Works on every backend: Supabase / API projects may not ship a firebase.json
+ * (they use Firebase Remote Config but don't deploy functions), so we create a
+ * minimal one rather than failing.
+ */
+async function ensureFirebaseJsonWired(projectDir) {
+  const fbPath = path.join(projectDir, 'firebase.json');
+  const fb = (await fs.pathExists(fbPath)) ? await fs.readJson(fbPath) : {};
+  if (fb.remoteconfig && fb.remoteconfig.template === TEMPLATE_FILE) return false;
+  fb.remoteconfig = { template: TEMPLATE_FILE };
+  await fs.writeJson(fbPath, fb, { spaces: 2 });
+  return true;
+}
+
+// ── Main ──────────────────────────────────────────────────────────────────
+
+async function runReleaseVersion(directory, options = {}) {
+  const language = options.language || getStoredLanguage() || 'en';
+  const t = createTranslator(language);
+  const projectDir = path.resolve(directory || '.');
+  const cancel = () => { ui.cancel(t('releaseVersion.aborted')); process.exit(0); };
+
+  printCompactHeader(t);
+  ui.intro(kleur.bold(t('releaseVersion.intro')));
+
+  // 1. Validate project
+  if (!(await fs.pathExists(path.join(projectDir, 'kit_setup.json')))) {
+    ui.log.error(t('releaseVersion.notKasy'));
+    ui.cancel(t('releaseVersion.aborted'));
+    process.exit(1);
+  }
+
+  // 2. Installed version (suggestion)
+  let installed = null;
+  const pubspecPath = path.join(projectDir, 'pubspec.yaml');
+  if (await fs.pathExists(pubspecPath)) {
+    installed = readPubspecVersion(await fs.readFile(pubspecPath, 'utf8'));
+  }
+  if (installed) {
+    ui.log.message(kleur.gray(t('releaseVersion.current', { version: installed })));
+  }
+
+  // 3. Firebase project
+  const projectId = options.project || (await detectProjectId(projectDir));
+  if (!projectId) {
+    ui.log.error(t('releaseVersion.noProject'));
+    ui.cancel(t('releaseVersion.aborted'));
+    process.exit(1);
+  }
+  ui.log.message(kleur.gray(t('releaseVersion.detectedProject', { id: projectId })));
+
+  // 4. Which version to announce
+  let version = options.version;
+  if (version && !SEMVER_RE.test(String(version).trim())) {
+    ui.log.error(t('releaseVersion.badVersion'));
+    process.exit(1);
+  }
+  if (!version) {
+    version = await ui.text({
+      message: t('releaseVersion.qVersion'),
+      placeholder: installed || '1.0.0',
+      initialValue: installed || '',
+      validate: (v) => (SEMVER_RE.test(String(v || '').trim()) ? undefined : t('releaseVersion.badVersion')),
+      onCancel: cancel,
+    });
+  }
+  version = String(version).trim();
+
+  // 5. Optional vs forced (forced is opt-in)
+  let forced = Boolean(options.force);
+  if (!forced && !options.yes) {
+    ui.log.message(kleur.yellow(t('releaseVersion.forcedHint')));
+    forced = await ui.confirm({
+      message: t('releaseVersion.qForced'),
+      initialValue: false,
+      onCancel: cancel,
+    });
+  }
+
+  // 6. Confirm
+  ui.log.message(
+    forced
+      ? kleur.red(t('releaseVersion.summaryForced', { version }))
+      : kleur.cyan(t('releaseVersion.summaryOptional', { version }))
+  );
+  if (!options.yes) {
+    const go = await ui.confirm({ message: t('releaseVersion.qConfirm'), onCancel: cancel });
+    if (!go) cancel();
+  }
+
+  // 7. Fetch live template, edit only the version keys, re-publish
+  const spinner = ui.spinner();
+  spinner.start(t('releaseVersion.fetching'));
+
+  const templatePath = path.join(projectDir, TEMPLATE_FILE);
+  const fetched = await runFirebase(
+    `firebase remoteconfig:get --project ${projectId} -o "${templatePath}"`,
+    projectDir
+  );
+
+  let template;
+  if (fetched.ok && (await fs.pathExists(templatePath))) {
+    try {
+      template = await fs.readJson(templatePath);
+    } catch (_) {
+      template = {};
+    }
+  } else {
+    // First-time / empty config — start fresh (don't abort).
+    template = {};
+  }
+  // Drop server-assigned metadata so the deploy creates a clean new version.
+  delete template.version;
+  delete template.etag;
+
+  setStringParam(template, 'app_latest_version', version);
+  if (forced) setStringParam(template, 'app_min_version', version);
+
+  await fs.writeJson(templatePath, template, { spaces: 2 });
+  await ensureFirebaseJsonWired(projectDir);
+
+  spinner.message(t('releaseVersion.deploying'));
+  const deployed = await runFirebase(
+    `firebase deploy --only remoteconfig --project ${projectId}`,
+    projectDir
+  );
+
+  if (!deployed.ok) {
+    spinner.error(t('releaseVersion.failed'));
+    ui.log.error(deployed.error);
+    process.exit(1);
+  }
+
+  spinner.stop(t('releaseVersion.done', { version }));
+  ui.outro(
+    forced
+      ? kleur.red(t('releaseVersion.summaryForced', { version }))
+      : kleur.cyan(t('releaseVersion.summaryOptional', { version }))
+  );
+}
+
+module.exports = { runReleaseVersion };

package/lib/commands/update.js

@@ -116,6 +116,29 @@ function applyCoreFiles(projectDir) {
   return applyFileList(CORE_FILES, projectDir);
 }
 
+/**
+ * After an update overwrites files, point the developer to the git-based merge.
+ * Deliberately short (3 lines) to keep the CLI clean — the full how-to and the AI
+ * merge prompt live in the project's AGENTS.md. Best-effort: stays silent if git
+ * is unavailable or nothing actually changed (so a clean update prints nothing).
+ */
+async function printMergeHint(projectDir, t) {
+  let changed = [];
+  try {
+    const { stdout } = await execAsync('git diff --name-only', { cwd: projectDir, env: augmentedEnv() });
+    changed = stdout.split('\n').map((s) => s.trim()).filter(Boolean);
+  } catch {
+    return; // not a git repo, or git not installed — say nothing
+  }
+  if (changed.length === 0) return;
+  ui.note(
+    `${t('update.mergeHint.body', { count: changed.length })}\n` +
+      `${kleur.dim(t('update.mergeHint.aiPrompt'))}\n` +
+      `${kleur.dim(t('update.mergeHint.seeAgents'))}`,
+    t('update.mergeHint.title'),
+  );
+}
+
 /** Same detection logic used by add.js and remove.js. */
 async function getActiveModules(kitSetup, projectDir) {
   const modules = [];
@@ -214,6 +237,7 @@ async function runUpdate(module, options = {}) {
 
       kitSetup.cliVersion = currentVersion;
       await fs.outputFile(kitSetupPath, JSON.stringify(kitSetup, null, 2) + '\n', 'utf8');
+      await printMergeHint(projectDir, t);
       ui.outro(t('update.componentsSuccess'));
       return;
     }
@@ -262,6 +286,7 @@ async function runUpdate(module, options = {}) {
 
       kitSetup.cliVersion = currentVersion;
       await fs.outputFile(kitSetupPath, JSON.stringify(kitSetup, null, 2) + '\n', 'utf8');
+      await printMergeHint(projectDir, t);
       ui.outro(t('update.coreSuccess'));
       return;
     }
@@ -301,6 +326,7 @@ async function runUpdate(module, options = {}) {
       }
       kitSetup.cliVersion = currentVersion;
       await fs.outputFile(kitSetupPath, JSON.stringify(kitSetup, null, 2) + '\n', 'utf8');
+      await printMergeHint(projectDir, t);
       ui.outro(t('update.iosRelease.success'));
       return;
     }
@@ -392,6 +418,7 @@ async function runUpdate(module, options = {}) {
     kitSetup.cliVersion = currentVersion;
     await fs.outputFile(kitSetupPath, JSON.stringify(kitSetup, null, 2) + '\n', 'utf8');
 
+    await printMergeHint(projectDir, t);
     ui.outro(t('update.success', { module: normalized }));
     return;
   }

package/lib/scaffold/CHANGELOG.json

@@ -1,4 +1,13 @@
 {
+  "1.35.0": {
+    "modules": {
+      "core": {
+        "pt": "Confiança pra escalar: (1) trava anti-patch-desatualizado no publish — se um arquivo do kit muda mas o patch Supabase/API não acompanha, o `npm publish` falha apontando o que revisar (nunca mais release com backend regredido em silêncio). (2) Atualizar projeto existente ficou claro: depois de `kasy update core/components/<feature>`, a CLI mostra quais arquivos mudaram e como juntar suas customizações com o novo (inclusive um prompt pronto pra IA); o passo a passo também fica no AGENTS.md do projeto. (3) Login Google na web (Supabase): a CLI agora autoriza o localhost no Firebase depois do deploy e com novas tentativas, então o popup do Google na web para de falhar com \"unauthorized-domain\" em projetos recém-criados. (4) Login com Google na web (Supabase): corrigido o erro \"missing sub claim\" que impedia o login Google no navegador. Na web não existe usuário anônimo, então o app agora cria a conta direto em vez de tentar vincular a um anônimo inexistente (mesmo comportamento defensivo do Firebase). (5) Proporção da web refinada: a escala 0.95 vale só no desktop (tablet, mobile e nativo ficam no tamanho real, igual ao device preview), e a compensação de escala alta do sistema agora olha o tamanho da TELA, não da janela, então só estreitar o navegador não encolhe mais a interface.",
+        "en": "Confidence to scale: (1) stale-patch tripwire at publish — if a kit file changes but the Supabase/API patch doesn't follow, `npm publish` fails pointing to what to review (no more silently regressed backends in a release). (2) Updating an existing project is now clear: after `kasy update core/components/<feature>`, the CLI shows which files changed and how to merge your customizations with the new version (including a ready AI prompt); the step-by-step also lives in the project AGENTS.md. (3) Google web login (Supabase): the CLI now authorizes localhost on Firebase after the deploy and with retries, so the web Google popup stops failing with \"unauthorized-domain\" on freshly created projects. (4) Google web login (Supabase): fixed the \"missing sub claim\" error that blocked Google login in the browser. On web there is no anonymous user, so the app now creates the account directly instead of trying to link to a non-existent anonymous one (matching the Firebase backend's defensive behavior). (5) Web proportion refined: the 0.95 scale applies on desktop only (tablet, mobile and native render at real size, matching the device preview), and the high-OS-scale compensation now keys off the SCREEN size, not the window, so merely narrowing the browser no longer shrinks the UI.",
+        "es": "Confianza para escalar: (1) tripwire de patch desactualizado en el publish — si un archivo del kit cambia pero el patch Supabase/API no lo sigue, `npm publish` falla indicando qué revisar (nunca más un backend regresado en silencio). (2) Actualizar un proyecto existente quedó claro: tras `kasy update core/components/<feature>`, la CLI muestra qué archivos cambiaron y cómo combinar tus personalizaciones con lo nuevo (incluido un prompt listo para IA); el paso a paso también está en el AGENTS.md del proyecto. (3) Inicio de sesión Google en web (Supabase): la CLI ahora autoriza localhost en Firebase después del deploy y con reintentos, así el popup de Google en web deja de fallar con \"unauthorized-domain\" en proyectos recién creados. (4) Inicio de sesión Google en web (Supabase): corregido el error \"missing sub claim\" que bloqueaba el login con Google en el navegador. En web no hay usuario anónimo, así que la app ahora crea la cuenta directamente en vez de intentar vincular a un anónimo inexistente (igual que el comportamiento defensivo del backend Firebase). (5) Proporción web refinada: la escala 0.95 aplica solo en desktop (tablet, móvil y nativo se ven a tamaño real, igual que el device preview), y la compensación de escala alta del sistema ahora usa el tamaño de la PANTALLA, no de la ventana, así que solo estrechar el navegador ya no encoge la interfaz."
+      }
+    }
+  },
   "1.34.0": {
     "modules": {
       "core": {

package/lib/scaffold/backends/api/patch/lib/features/authentication/api/authentication_api.dart

@@ -222,6 +222,30 @@ class HttpAuthenticationApi implements AuthenticationApi {
   @override
   Future<String?> getCurrentUserDisplayName() async => null;
 
+  @override
+  Future<String?> getCurrentUserPhotoUrl() async => null;
+
+  @override
+  Future<List<String>> getLinkedProviders() async => const [];
+
+  @override
+  Future<void> setPassword(String password) {
+    // Wire this to your backend, e.g. POST /auth/set-password { password }.
+    throw UnimplementedError(
+      '❌ Implement setPassword() to send the new password to your backend.',
+    );
+  }
+
+  @override
+  Future<List<String>> linkableSocialProviders() async => const [];
+
+  @override
+  Future<void> linkSocialProvider(String provider) {
+    throw UnimplementedError(
+      '❌ Implement linkSocialProvider() to link a social provider on your backend.',
+    );
+  }
+
   /// Links an anonymous/guest session to a permanent Google account.
   ///
   /// Expected flow:

package/lib/scaffold/backends/api/patch/lib/features/authentication/api/authentication_api_interface.dart

@@ -73,6 +73,21 @@ abstract class AuthenticationApi implements OnStartService {
 
   /// Returns the display name of the current user, or null.
   Future<String?> getCurrentUserDisplayName();
+
+  /// Returns the photo URL of the current user, or null.
+  Future<String?> getCurrentUserPhotoUrl();
+
+  /// Returns all sign-in providers linked to the current account.
+  Future<List<String>> getLinkedProviders();
+
+  /// Sets or updates an email/password credential for the current user.
+  Future<void> setPassword(String password);
+
+  /// Social providers the current user can still link to their account.
+  Future<List<String>> linkableSocialProviders();
+
+  /// Links a social provider to the current account.
+  Future<void> linkSocialProvider(String provider);
 }
 
 class PhoneAlreadyLinkedException implements Exception {

package/lib/scaffold/backends/api/patch/lib/features/authentication/repositories/authentication_repository.dart

@@ -99,6 +99,18 @@ abstract class AuthenticationRepository {
 
   /// Returns the display name of the current user, or null.
   Future<String?> getCurrentUserDisplayName();
+
+  /// Returns the photo URL of the current user, or null.
+  Future<String?> getCurrentUserPhotoUrl();
+
+  /// Returns the sign-in provider used ('google'|'apple'|'facebook'|'email'|'phone'), or null.
+  Future<List<String>> getLinkedProviders();
+
+  Future<void> setPassword(String password);
+
+  Future<List<String>> linkableSocialProviders();
+
+  Future<void> linkSocialProvider(String provider);
 }
 
 /// this is an example on how to create an authentication repository using firebase
@@ -403,4 +415,19 @@ class HttpAuthenticationRepository implements AuthenticationRepository {
 
   @override
   Future<String?> getCurrentUserDisplayName() => _authenticationApi.getCurrentUserDisplayName();
+
+  @override
+  Future<String?> getCurrentUserPhotoUrl() => _authenticationApi.getCurrentUserPhotoUrl();
+
+  @override
+  Future<List<String>> getLinkedProviders() => _authenticationApi.getLinkedProviders();
+
+  @override
+  Future<void> setPassword(String password) => _authenticationApi.setPassword(password);
+
+  @override
+  Future<List<String>> linkableSocialProviders() => _authenticationApi.linkableSocialProviders();
+
+  @override
+  Future<void> linkSocialProvider(String provider) => _authenticationApi.linkSocialProvider(provider);
 }

package/lib/scaffold/backends/api/patch/lib/features/subscriptions/api/entities/subscription_entity.dart

@@ -36,6 +36,7 @@ sealed class SubscriptionEntity with _$SubscriptionEntity {
     @JsonKey(name: 'creation_date') DateTime? creationDate,
     @JsonKey(name: 'last_update_date') DateTime? lastUpdateDate,
     @JsonKey(name: 'period_end_date') DateTime? periodEndDate,
+    @JsonKey(name: 'trial_end') DateTime? trialEnd,
     @JsonKey(name: 'status') required SubscriptionStatus status,
     @JsonKey(name: 'store', unknownEnumValue: SubscriptionStore.unknown)
     SubscriptionStore? store,

package/lib/scaffold/backends/firebase/setup-from-scratch.js

@@ -710,37 +710,51 @@ async function checkBillingEnabled(projectId) {
  * with only [localhost] would wipe firebaseapp.com / web.app. Idempotent: it's a
  * no-op when both entries are already present.
  *
+ * Right after a project's auth config is initialized, the Admin v2 config endpoint
+ * can briefly answer 403/404/409 before it settles (and a PATCH can 409 on a
+ * concurrent edit). Those are retried — re-reading each round so the merge stays
+ * correct; 400 and other client errors are treated as fatal. Best-effort: returns
+ * { ok: false } after exhausting retries instead of throwing.
+ *
+ * @param {string} projectId
+ * @param {string} token
+ * @param {{ maxRetries?: number, retryDelayMs?: number }} [opts]
  * @returns {{ ok: boolean, added?: string[], error?: string }}
  */
-async function ensureLocalhostAuthorizedDomains(projectId, token) {
+async function ensureLocalhostAuthorizedDomains(projectId, token, { maxRetries = 4, retryDelayMs = 4000 } = {}) {
   const base = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/config`;
   const headers = {
     Authorization: `Bearer ${token}`,
     'Content-Type': 'application/json',
     'X-Goog-User-Project': projectId,
   };
-  // 1. Read the current authorized domains.
-  const getRes = await fetch(base, { headers });
-  if (!getRes.ok) {
-    const text = await getRes.text();
-    return { ok: false, error: `${getRes.status}: ${text}` };
-  }
-  const config = await getRes.json();
-  const current = Array.isArray(config.authorizedDomains) ? config.authorizedDomains : [];
   const required = ['localhost', '127.0.0.1'];
-  const missing = required.filter((d) => !current.includes(d));
-  if (missing.length === 0) return { ok: true, added: [] };
-  // 2. Merge and write back, keeping every domain that was already there.
-  const patchRes = await fetch(`${base}?updateMask=authorizedDomains`, {
-    method: 'PATCH',
-    headers,
-    body: JSON.stringify({ authorizedDomains: [...current, ...missing] }),
-  });
-  if (!patchRes.ok) {
-    const text = await patchRes.text();
-    return { ok: false, error: `${patchRes.status}: ${text}` };
+  const TRANSIENT = new Set([403, 404, 409, 429, 500, 503]);
+  let lastError = 'unknown';
+  for (let attempt = 1; attempt <= maxRetries; attempt++) {
+    // 1. Read the current authorized domains.
+    const getRes = await fetch(base, { headers });
+    if (!getRes.ok) {
+      lastError = `GET ${getRes.status}: ${await getRes.text()}`;
+      if (attempt < maxRetries && TRANSIENT.has(getRes.status)) { await sleep(retryDelayMs); continue; }
+      return { ok: false, error: lastError };
+    }
+    const config = await getRes.json();
+    const current = Array.isArray(config.authorizedDomains) ? config.authorizedDomains : [];
+    const missing = required.filter((d) => !current.includes(d));
+    if (missing.length === 0) return { ok: true, added: [] };
+    // 2. Merge and write back, keeping every domain that was already there.
+    const patchRes = await fetch(`${base}?updateMask=authorizedDomains`, {
+      method: 'PATCH',
+      headers,
+      body: JSON.stringify({ authorizedDomains: [...current, ...missing] }),
+    });
+    if (patchRes.ok) return { ok: true, added: missing };
+    lastError = `PATCH ${patchRes.status}: ${await patchRes.text()}`;
+    if (attempt < maxRetries && TRANSIENT.has(patchRes.status)) { await sleep(retryDelayMs); continue; }
+    return { ok: false, error: lastError };
   }
-  return { ok: true, added: missing };
+  return { ok: false, error: lastError };
 }
 
 /**