npm - mantenimento-app - Versions diffs - 2.2.9 → 2.3.0 - Mend

mantenimento-app 2.2.9 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +97 -34
package/app.js +541 -85
package/backend/server.js +346 -23
package/frontend/public/app.js +541 -85
package/frontend/public/autologin.html +40 -0
package/frontend/public/index.html +29 -6
package/frontend/public/styles.css +66 -0
package/frontend/public/supabase-config.js +4 -11
package/package.json +5 -1
package/scripts/auth-url-check.mjs +166 -0
package/scripts/create-url-login-token.mjs +52 -0
package/scripts/manage-donor-users.mjs +229 -0
package/scripts/sql/grant-donor.sql +22 -0
package/scripts/sql/revoke-donor.sql +19 -0

package/frontend/public/autologin.html ADDED Viewed

@@ -0,0 +1,40 @@
+<!doctype html>
+<html lang="it">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>AutoLogin Redirect - Mantenimento App</title>
+  <meta name="robots" content="noindex,nofollow" />
+</head>
+<body>
+  <noscript>JavaScript richiesto per il redirect di autologin.</noscript>
+  <script>
+    (function () {
+      try {
+        const current = new URL(window.location.href);
+        const query = new URLSearchParams(current.search);
+        if (!query.has('autologin')) {
+          query.set('autologin', '1');
+        }
+        if ((!query.has('authToken') || !String(query.get('authToken') || '').trim()) && current.hash) {
+          const hashParams = new URLSearchParams(String(current.hash || '').replace(/^#/, ''));
+          const hashToken = String(hashParams.get('authToken') || '').trim();
+          if (hashToken) {
+            query.set('authToken', hashToken);
+          }
+        }
+        const target = new URL('./', current);
+        target.search = query.toString();
+        target.hash = '';
+        window.location.replace(target.toString());
+      } catch (_) {
+        window.location.replace('./');
+      }
+    })();
+  </script>
+</body>
+</html>

package/frontend/public/index.html CHANGED Viewed

@@ -102,8 +102,8 @@
           <button class="top-actions-trigger" type="button" aria-expanded="false" aria-controls="topActionsMenu">Azioni rapide</button>
           <div class="top-actions-menu" id="topActionsMenu" aria-label="Azioni applicazione">
             <button class="btn-secondary" id="btnReset" type="button">Reset valori</button>
-            <button class="btn-secondary" id="btnExportJson" type="button">Esporta JSON cifrato</button>
-            <button class="btn-secondary" id="btnImportJson" type="button">Carica JSON cifrato</button>
+            <button class="btn-secondary" id="btnExportJson" type="button">Esporta JSON</button>
+            <button class="btn-secondary" id="btnImportJson" type="button">Carica JSON</button>
             <button class="btn-secondary" id="btnPdf" type="button">Genera e scarica PDF</button>
             <input id="fileJson" type="file" accept="application/json,.json" style="display:none" />
           </div>
@@ -364,17 +364,23 @@
                 </label>
                 <input id="primaCasaMutuoImporto" type="number" min="0" step="50" value="0" />
               </div>
-              <div class="field">
+              <div class="field" style="display: none;">
+                <label for="primaCasaValoreLocativo" class="label-row"><span id="lblPrimaCasaValoreLocativo">Casa (valore locativo) ({currency})</span>
+                  <span class="hint" id="hintPrimaCasaValoreLocativo" title="Valore locativo mensile della casa assegnata, usato per valorizzare il beneficio economico implicito.">i</span>
+                </label>
+                <input id="primaCasaValoreLocativo" type="number" min="0" step="50" value="1000" />
+              </div>
+              <div class="field" style="display: none;">
                 <label for="primaCasaAssegnataA" class="label-row"><span id="lblPrimaCasaAssegnataA">Casa assegnata a</span>
                   <span class="hint" id="hintPrimaCasaAssegnataA" title="Seleziona il coniuge a cui e ceduta la prima casa.">i</span>
                 </label>
                 <select id="primaCasaAssegnataA">
                   <option value="">Nessuna cessione</option>
-                  <option value="1">Coniuge 1</option>
+                  <option value="1" selected>Coniuge 1</option>
                   <option value="2">Coniuge 2</option>
                 </select>
               </div>
-              <div class="field">
+              <div class="field" style="display: none;">
                 <div class="mortgage-split-slider" id="primaCasaMutuoSliderWrap">
                   <div class="mortgage-split-side mortgage-split-side-left" id="primaCasaSplitLeft">
                     <div class="mortgage-split-name" id="primaCasaSplitLeftName">Coniuge 1</div>
@@ -596,11 +602,28 @@
     <button class="coffee-float-btn" title="Offrimi un caff&egrave;!">&#9749;</button>
   </div>
+  <div id="exportModeModal" class="export-mode-modal is-hidden" aria-hidden="true">
+    <div class="export-mode-modal-backdrop" data-export-modal-close="1"></div>
+    <div class="export-mode-modal-dialog" role="dialog" aria-modal="true" aria-labelledby="exportModeModalTitle">
+      <h3 id="exportModeModalTitle">Esportazione JSON</h3>
+      <p id="exportModeModalWarning">Per impostazione predefinita il file viene cifrato e puo essere importato solo dallo stesso utente KeyLock.</p>
+      <label class="export-mode-checkbox">
+        <input type="checkbox" id="chkExportPlainJson" />
+        <span id="lblExportPlainJson">Esporta JSON non cifrato (compatibile con altri utenti)</span>
+      </label>
+      <p id="exportModeModalRisk" class="export-mode-risk">Conferma esplicita richiesta: il file non cifrato puo essere letto da chiunque.</p>
+      <div class="export-mode-actions">
+        <button type="button" class="btn-secondary" id="btnCancelExportMode">Annulla</button>
+        <button type="button" class="btn-secondary" id="btnConfirmExportMode">Conferma export</button>
+      </div>
+    </div>
+  </div>
   <script src="supabase-config.js"></script>
   <script src="supabase.min.js"></script>
   <script src="fabric.min.js"></script>
   <script src="html2pdf.bundle.min.js"></script>
-    <script src="app.js?v=2.2.9"></script>
+    <script src="app.js?v=2.3.0"></script>
 </body>
 </html>

package/frontend/public/styles.css CHANGED Viewed

@@ -3345,4 +3345,70 @@
         border: 1px solid #cfcfcf;
         background: #fff;
       }
+    }
+    .export-mode-modal {
+      position: fixed;
+      inset: 0;
+      z-index: 9999;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 16px;
+    }
+    .export-mode-modal.is-hidden {
+      display: none;
+    }
+    .export-mode-modal-backdrop {
+      position: absolute;
+      inset: 0;
+      background: rgba(22, 42, 42, 0.48);
+    }
+    .export-mode-modal-dialog {
+      position: relative;
+      width: min(540px, 100%);
+      border-radius: var(--radius);
+      border: 1px solid var(--line);
+      background: var(--panel);
+      box-shadow: var(--shadow);
+      padding: 18px;
+      z-index: 1;
+    }
+    .export-mode-modal-dialog h3 {
+      margin: 0 0 10px;
+      font-size: 1.05rem;
+    }
+    .export-mode-modal-dialog p {
+      margin: 0 0 10px;
+      color: var(--muted);
+    }
+    .export-mode-checkbox {
+      display: flex;
+      align-items: flex-start;
+      gap: 8px;
+      margin: 12px 0 8px;
+      color: var(--ink);
+      font-weight: 600;
+    }
+    .export-mode-checkbox input {
+      margin-top: 2px;
+    }
+    .export-mode-risk {
+      color: var(--warn) !important;
+      font-size: 0.92rem;
+    }
+    .export-mode-actions {
+      margin-top: 14px;
+      display: flex;
+      justify-content: flex-end;
+      gap: 8px;
     }

package/frontend/public/supabase-config.js CHANGED Viewed

@@ -3,17 +3,10 @@
 window.KEYLOCK_SUPABASE_URL = "https://xyluwvzuogdsgzyganqp.supabase.co";
 window.KEYLOCK_SUPABASE_ANON_KEY = "sb_publishable_f6_mJK6kgHKTjUMY7V9YJg_i6QCzG3g";
-// Optional named backends for the published frontend.
-// Example usage:
-//   https://favagit.github.io/mantenimento-app/?env=dev
-//   https://favagit.github.io/mantenimento-app/?env=prod
+// Default backend used when no ?env / ?apiBase override is provided.
+window.KEYLOCK_CALC_API_BASE = "https://mantenimento-app.onrender.com";
 window.KEYLOCK_CALC_API_ENVS = {
 	dev: "",
-	prod: ""
-};
-// Optional frontend variants (used by ?frontend=dev on the published app).
-// The dev URL can point to the feature branch static preview.
-window.KEYLOCK_FRONTEND_VARIANT_ENVS = {
-	dev: "https://raw.githack.com/FaVaGit/mantenimento-app/feature/v2-scenario-lab/frontend/public/index.html"
+	prod: "https://mantenimento-app.onrender.com"
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mantenimento-app",
-  "version": "2.2.9",
+  "version": "2.3.0",
   "description": "Frontend + backend architecture for the mantenimento calculator",
   "type": "commonjs",
   "main": "backend/calculate-model.js",
@@ -14,6 +14,10 @@
     "dev": "node scripts/dev-server.mjs",
     "dev:watch": "node scripts/build-frontend.mjs --watch",
     "build:frontend": "node scripts/build-frontend.mjs",
+    "auth:url-token": "node scripts/create-url-login-token.mjs",
+    "auth:url-check": "node scripts/auth-url-check.mjs",
+    "donor:grant": "node scripts/manage-donor-users.mjs --mode=grant",
+    "donor:revoke": "node scripts/manage-donor-users.mjs --mode=revoke",
     "start": "npm run build:frontend && node backend/server.js"
   },
   "keywords": [

package/scripts/auth-url-check.mjs ADDED Viewed

@@ -0,0 +1,166 @@
+#!/usr/bin/env node
+/**
+ * auth-url-check.mjs
+ *
+ * Validates the full autologin URL-login pipeline end-to-end:
+ *   1. Calls /api/auth/url-login/start  (generates token on server)
+ *   2. Calls /api/auth/url-login/exchange  (redeems token for session)
+ *   3. Reports ok / error with details
+ *
+ * Usage:
+ *   node scripts/auth-url-check.mjs \
+ *     --backendUrl=https://mantenimento-app.onrender.com \
+ *     --bootstrapKey=<BOOTSTRAP_KEY> \
+ *     [--sub=favagit] [--verbose]
+ *
+ * Env vars (used as fallback if CLI args are absent):
+ *   AUTH_URL_LOGIN_BOOTSTRAP_KEY
+ *   AUTH_URL_LOGIN_BACKEND_URL   (defaults to http://localhost:3001)
+ *   AUTH_URL_LOGIN_ALLOWED_USER  (first in comma-separated list used as default sub)
+ */
+import { readFileSync } from 'fs';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+// ── Load .env from project root (best-effort, no hard dep on dotenv) ──────────
+const __dir = dirname(fileURLToPath(import.meta.url));
+const envPath = resolve(__dir, '..', '.env');
+try {
+  const envContent = readFileSync(envPath, 'utf8');
+  for (const line of envContent.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eqIdx = trimmed.indexOf('=');
+    if (eqIdx < 1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    const raw = trimmed.slice(eqIdx + 1).trim();
+    const val = raw.replace(/^['"]|['"]$/g, '');
+    if (!(key in process.env)) process.env[key] = val;
+  }
+} catch {
+  // .env not found — ok, rely on environment
+}
+// ── CLI args ──────────────────────────────────────────────────────────────────
+const args = process.argv.slice(2);
+const getArg = (name, fallback = '') => {
+  const prefix = `--${name}=`;
+  const found = args.find((a) => a.startsWith(prefix));
+  return found ? found.slice(prefix.length) : fallback;
+};
+const hasFlag = (name) => args.includes(`--${name}`);
+const backendUrl = (
+  getArg('backendUrl',
+    process.env.AUTH_URL_LOGIN_BACKEND_URL || 'http://localhost:3001'
+  )
+).replace(/\/$/, '');
+const bootstrapKey = getArg(
+  'bootstrapKey',
+  process.env.AUTH_URL_LOGIN_BOOTSTRAP_KEY || ''
+);
+const defaultSub = (process.env.AUTH_URL_LOGIN_ALLOWED_USER || 'favagit')
+  .split(',')[0].trim();
+const sub = getArg('sub', defaultSub);
+const verbose = hasFlag('verbose');
+// ── Helpers ───────────────────────────────────────────────────────────────────
+const ok  = (msg) => console.log(`  \x1b[32m✓\x1b[0m  ${msg}`);
+const err = (msg) => console.log(`  \x1b[31m✗\x1b[0m  ${msg}`);
+const inf = (msg) => verbose && console.log(`  \x1b[90m→  ${msg}\x1b[0m`);
+// ── Pre-flight checks ─────────────────────────────────────────────────────────
+console.log('\n\x1b[1mauth:url-check\x1b[0m — autologin pipeline validation');
+console.log('─'.repeat(50));
+console.log(`  backend : ${backendUrl}`);
+console.log(`  subject : ${sub}`);
+console.log('─'.repeat(50));
+let exitCode = 0;
+if (!bootstrapKey) {
+  err('AUTH_URL_LOGIN_BOOTSTRAP_KEY is not set (--bootstrapKey= or env var)');
+  process.exit(1);
+}
+// ── Step 1: generate token via /start ─────────────────────────────────────────
+let loginUrl = '';
+let authToken = '';
+try {
+  const startUrl = `${backendUrl}/api/auth/url-login/start?k=${encodeURIComponent(bootstrapKey)}&sub=${encodeURIComponent(sub)}&format=json`;
+  inf(`GET ${startUrl.replace(bootstrapKey, '<BOOTSTRAP_KEY>')}`);
+  const res = await fetch(startUrl);
+  const body = await res.json().catch(() => null);
+  if (!res.ok || !body?.ok) {
+    err(`/start returned ${res.status}: ${JSON.stringify(body)}`);
+    process.exit(1);
+  }
+  loginUrl = body.url || '';
+  ok(`/api/auth/url-login/start → ${res.status} ok`);
+  inf(`returned url: ${loginUrl}`);
+  // Extract authToken from returned URL
+  const urlObj = new URL(loginUrl);
+  authToken = urlObj.searchParams.get('authToken') || '';
+  if (!authToken) {
+    // Try hash fragment
+    const hash = urlObj.hash.slice(1);
+    authToken = new URLSearchParams(hash).get('authToken') || '';
+  }
+  if (!authToken) {
+    err('authToken not found in the URL returned by /start');
+    process.exit(1);
+  }
+  ok(`authToken extracted (${authToken.length} chars)`);
+} catch (e) {
+  err(`/start request failed: ${e.message}`);
+  process.exit(1);
+}
+// ── Step 2: exchange token via /exchange ─────────────────────────────────────
+try {
+  const exchangeUrl = `${backendUrl}/api/auth/url-login/exchange`;
+  inf(`POST ${exchangeUrl}  token length=${authToken.length}`);
+  const res = await fetch(exchangeUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ token: authToken }),
+  });
+  const body = await res.json().catch(() => null);
+  if (!res.ok || !body?.ok) {
+    err(`/exchange returned ${res.status}: ${JSON.stringify(body)}`);
+    exitCode = 1;
+  } else {
+    const email = body.session?.user?.email || body.user?.email || '(unknown)';
+    ok(`/api/auth/url-login/exchange → ${res.status} ok`);
+    ok(`Logged in as: ${email}`);
+    if (verbose && body.session?.access_token) {
+      inf(`access_token (first 32): ${body.session.access_token.slice(0, 32)}...`);
+    }
+  }
+} catch (e) {
+  err(`/exchange request failed: ${e.message}`);
+  exitCode = 1;
+}
+// ── Summary ───────────────────────────────────────────────────────────────────
+console.log('─'.repeat(50));
+if (exitCode === 0) {
+  console.log('\x1b[32m\x1b[1m  PASSED\x1b[0m — autologin pipeline is functional');
+  console.log(`\n  Share this link (valid for ~120 s):\n  ${loginUrl}\n`);
+} else {
+  console.log('\x1b[31m\x1b[1m  FAILED\x1b[0m — see errors above');
+}
+console.log();
+process.exit(exitCode);

package/scripts/create-url-login-token.mjs ADDED Viewed

@@ -0,0 +1,52 @@
+#!/usr/bin/env node
+import crypto from 'crypto';
+const args = process.argv.slice(2);
+const getArg = (name, fallback = '') => {
+  const prefix = `--${name}=`;
+  const found = args.find((arg) => arg.startsWith(prefix));
+  return found ? found.slice(prefix.length) : fallback;
+};
+const secret = String(getArg('secret', process.env.AUTH_URL_LOGIN_SECRET || '')).trim();
+const subject = String(getArg('sub', process.env.AUTH_URL_LOGIN_ALLOWED_USER || 'favagit')).trim().toLowerCase();
+const ttlSecRaw = Number(getArg('ttl', process.env.AUTH_URL_LOGIN_TTL_SEC || '120'));
+const ttlSec = Number.isFinite(ttlSecRaw) ? Math.max(30, Math.min(180, Math.floor(ttlSecRaw))) : 120;
+const baseUrl = String(getArg('baseUrl', 'https://favagit.github.io/mantenimento-app/')).trim();
+if (!secret) {
+  console.error('Missing AUTH_URL_LOGIN_SECRET (env or --secret=...).');
+  process.exit(1);
+}
+if (!subject) {
+  console.error('Missing subject (--sub=...).');
+  process.exit(1);
+}
+const toBase64Url = (value) => Buffer.from(value)
+  .toString('base64')
+  .replace(/\+/g, '-')
+  .replace(/\//g, '_')
+  .replace(/=+$/g, '');
+const now = Math.floor(Date.now() / 1000);
+const payload = {
+  sub: subject,
+  aud: 'url-login',
+  iat: now,
+  exp: now + ttlSec,
+  jti: typeof crypto.randomUUID === 'function'
+    ? crypto.randomUUID()
+    : crypto.randomBytes(16).toString('hex')
+};
+const payloadPart = toBase64Url(JSON.stringify(payload));
+const signatureHex = crypto.createHmac('sha256', secret).update(payloadPart).digest('hex');
+const signaturePart = toBase64Url(Buffer.from(signatureHex, 'hex'));
+const token = `${payloadPart}.${signaturePart}`;
+const joiner = baseUrl.includes('?') ? '&' : '?';
+const url = `${baseUrl}${joiner}autologin=1&authToken=${encodeURIComponent(token)}`;
+console.log('token:', token);
+console.log('url  :', url);

package/scripts/manage-donor-users.mjs ADDED Viewed

@@ -0,0 +1,229 @@
+#!/usr/bin/env node
+import fs from 'fs';
+import path from 'path';
+function loadDotEnvFromWorkspaceRoot() {
+  try {
+    const root = process.cwd();
+    const envPath = path.join(root, '.env');
+    if (!fs.existsSync(envPath)) return;
+    const content = fs.readFileSync(envPath, 'utf8');
+    const lines = String(content || '').split(/\r?\n/);
+    for (const line of lines) {
+      const trimmed = String(line || '').trim();
+      if (!trimmed || trimmed.startsWith('#')) continue;
+      const idx = trimmed.indexOf('=');
+      if (idx <= 0) continue;
+      const key = trimmed.slice(0, idx).trim();
+      const value = trimmed.slice(idx + 1).trim().replace(/^['"]|['"]$/g, '');
+      if (!key || process.env[key] != null) continue;
+      process.env[key] = value;
+    }
+  } catch (_) {
+    // best effort only
+  }
+}
+loadDotEnvFromWorkspaceRoot();
+const args = process.argv.slice(2);
+const getArg = (name, fallback = '') => {
+  const prefix = `--${name}=`;
+  const found = args.find((arg) => arg.startsWith(prefix));
+  return found ? found.slice(prefix.length) : fallback;
+};
+const hasFlag = (name) => args.includes(`--${name}`);
+const mode = String(getArg('mode', '') || '').trim().toLowerCase();
+const usernamesRaw = String(getArg('users', '') || '').trim();
+const emailsRaw = String(getArg('emails', '') || '').trim();
+const dryRun = hasFlag('dry-run');
+const supabaseUrl = String(process.env.DONOR_ADMIN_SUPABASE_URL || process.env.AUTH_URL_LOGIN_SUPABASE_URL || '').trim().replace(/\/+$/, '');
+const serviceRoleKey = String(process.env.DONOR_ADMIN_SUPABASE_SERVICE_ROLE_KEY || process.env.SUPABASE_SERVICE_ROLE_KEY || '').trim();
+function fail(message) {
+  console.error(message);
+  process.exit(1);
+}
+function parseCsv(value) {
+  return String(value || '')
+    .split(',')
+    .map((v) => v.trim().toLowerCase())
+    .filter(Boolean);
+}
+function usage() {
+  console.log([
+    'Usage:',
+    '  node scripts/manage-donor-users.mjs --mode=grant --users=favagit,fabio.vacchino',
+    '  node scripts/manage-donor-users.mjs --mode=revoke --users=favagit',
+    '  node scripts/manage-donor-users.mjs --mode=grant --emails=user1@example.com,user2@example.com',
+    '',
+    'Options:',
+    '  --mode=grant|revoke      Required',
+    '  --users=a,b,c            Comma-separated username local parts (email before @)',
+    '  --emails=a@x.com,b@y.it  Comma-separated full emails',
+    '  --dry-run                Print actions without writing changes',
+    '',
+    'Environment variables:',
+    '  DONOR_ADMIN_SUPABASE_URL',
+    '  DONOR_ADMIN_SUPABASE_SERVICE_ROLE_KEY'
+  ].join('\n'));
+}
+if (!mode || !['grant', 'revoke'].includes(mode)) {
+  usage();
+  fail('\nMissing or invalid --mode. Use grant or revoke.');
+}
+const targetUsers = new Set(parseCsv(usernamesRaw));
+const targetEmails = new Set(parseCsv(emailsRaw));
+if (!targetUsers.size && !targetEmails.size) {
+  usage();
+  fail('\nSpecify at least one target via --users or --emails.');
+}
+if (!supabaseUrl) {
+  fail('Missing DONOR_ADMIN_SUPABASE_URL (or AUTH_URL_LOGIN_SUPABASE_URL).');
+}
+if (!serviceRoleKey) {
+  fail('Missing DONOR_ADMIN_SUPABASE_SERVICE_ROLE_KEY (or SUPABASE_SERVICE_ROLE_KEY).');
+}
+const headers = {
+  apikey: serviceRoleKey,
+  Authorization: `Bearer ${serviceRoleKey}`,
+  'Content-Type': 'application/json'
+};
+async function fetchJson(url, options = {}) {
+  const res = await fetch(url, options);
+  const body = await res.json().catch(() => ({}));
+  return { ok: res.ok, status: res.status, body };
+}
+async function listAllUsers() {
+  const out = [];
+  let page = 1;
+  while (true) {
+    const url = `${supabaseUrl}/auth/v1/admin/users?page=${page}&per_page=1000`;
+    const response = await fetchJson(url, { headers });
+    if (!response.ok) {
+      const err = String(response.body?.msg || response.body?.error || `HTTP ${response.status}`);
+      fail(`Cannot list users: ${err}`);
+    }
+    const users = Array.isArray(response.body?.users) ? response.body.users : [];
+    out.push(...users);
+    if (!users.length || users.length < 1000) break;
+    page += 1;
+  }
+  return out;
+}
+function emailLocalPart(email) {
+  return String(email || '').trim().toLowerCase().split('@')[0] || '';
+}
+function shouldTargetUser(user) {
+  const email = String(user?.email || '').trim().toLowerCase();
+  const local = emailLocalPart(email);
+  if (targetEmails.has(email)) return true;
+  if (targetUsers.has(local)) return true;
+  return false;
+}
+function truthy(value) {
+  if (value === true || value === 1) return true;
+  const normalized = String(value || '').trim().toLowerCase();
+  return normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === 'on';
+}
+function patchUserMetadata(existingMeta, selectedMode) {
+  const next = { ...(existingMeta && typeof existingMeta === 'object' ? existingMeta : {}) };
+  if (selectedMode === 'grant') {
+    next.is_donor = true;
+    next.role = 'donor';
+    return next;
+  }
+  delete next.is_donor;
+  delete next.isDonor;
+  delete next.premium;
+  if (String(next.role || '').trim().toLowerCase() === 'donor') {
+    delete next.role;
+  }
+  return next;
+}
+function isAlreadyAligned(existingMeta, selectedMode) {
+  const meta = existingMeta && typeof existingMeta === 'object' ? existingMeta : {};
+  if (selectedMode === 'grant') {
+    return truthy(meta.is_donor) && String(meta.role || '').trim().toLowerCase() === 'donor';
+  }
+  return !truthy(meta.is_donor)
+    && !truthy(meta.isDonor)
+    && !truthy(meta.premium)
+    && String(meta.role || '').trim().toLowerCase() !== 'donor';
+}
+async function updateUserMetadata(userId, nextMeta) {
+  const url = `${supabaseUrl}/auth/v1/admin/users/${encodeURIComponent(userId)}`;
+  const response = await fetchJson(url, {
+    method: 'PUT',
+    headers,
+    body: JSON.stringify({ user_metadata: nextMeta })
+  });
+  if (!response.ok) {
+    const err = String(response.body?.msg || response.body?.error || `HTTP ${response.status}`);
+    throw new Error(err);
+  }
+}
+(async () => {
+  const allUsers = await listAllUsers();
+  const targets = allUsers.filter(shouldTargetUser);
+  if (!targets.length) {
+    console.log('No matching users found.');
+    process.exit(0);
+  }
+  let changed = 0;
+  let skipped = 0;
+  for (const user of targets) {
+    const email = String(user?.email || '').trim().toLowerCase();
+    const userId = String(user?.id || '').trim();
+    const currentMeta = user?.user_metadata && typeof user.user_metadata === 'object' ? user.user_metadata : {};
+    if (!userId || !email) {
+      skipped += 1;
+      continue;
+    }
+    if (isAlreadyAligned(currentMeta, mode)) {
+      console.log(`[skip] ${email} already aligned for mode=${mode}`);
+      skipped += 1;
+      continue;
+    }
+    const nextMeta = patchUserMetadata(currentMeta, mode);
+    if (dryRun) {
+      console.log(`[dry-run] would ${mode} donor for ${email}`);
+      changed += 1;
+      continue;
+    }
+    await updateUserMetadata(userId, nextMeta);
+    console.log(`[ok] ${mode} donor for ${email}`);
+    changed += 1;
+  }
+  console.log(`Done. targets=${targets.length} changed=${changed} skipped=${skipped} dryRun=${dryRun}`);
+})();