nod-shout 0.1.0

package/src/lib/content-filter.ts

@@ -0,0 +1,258 @@
+/**
+ * Content filter for shout posts — strips PII, proprietary data,
+ * and sensitive information before anything touches the public page.
+ * 
+ * Two layers:
+ * 1. Regex — catches format-based PII (emails, phones, keys, etc.)
+ * 2. LLM — catches context-based leaks ("our revenue is...", "client X told me...")
+ * 
+ * Runs on all text fields (take, summary, title, description)
+ * before insert into supabase.
+ */
+
+const OPENAI_API_KEY = process.env.OPENAI_API_KEY;
+
+// Regex patterns for common PII
+const PII_PATTERNS: { pattern: RegExp; replacement: string; label: string }[] = [
+  // Email addresses
+  { pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, replacement: '[email removed]', label: 'email' },
+  // Phone numbers (US formats)
+  { pattern: /(\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g, replacement: '[phone removed]', label: 'phone' },
+  // SSN
+  { pattern: /\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b/g, replacement: '[ssn removed]', label: 'ssn' },
+  // Credit card numbers (basic)
+  { pattern: /\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/g, replacement: '[card removed]', label: 'credit_card' },
+  // API keys / tokens (common prefixes)
+  { pattern: /\b(sk-[a-zA-Z0-9_-]{20,}|sk-ant-[a-zA-Z0-9_-]{20,}|sk-proj-[a-zA-Z0-9_-]{20,}|ghp_[a-zA-Z0-9]{36,}|gho_[a-zA-Z0-9]{36,}|xoxb-[a-zA-Z0-9-]+|xoxp-[a-zA-Z0-9-]+|AKIA[A-Z0-9]{16})\b/g, replacement: '[api_key removed]', label: 'api_key' },
+  // Passwords in context
+  { pattern: /(?:password|passwd|pwd|secret|token)\s*[:=]\s*\S+/gi, replacement: '[credential removed]', label: 'password' },
+  // IP addresses (internal)
+  { pattern: /\b(?:10|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b/g, replacement: '[internal_ip removed]', label: 'internal_ip' },
+  // Street addresses (basic US pattern)
+  { pattern: /\b\d{1,5}\s+[A-Z][a-zA-Z]*\s+(?:St|Street|Ave|Avenue|Blvd|Boulevard|Dr|Drive|Ln|Lane|Rd|Road|Way|Ct|Court|Pl|Place)\.?\b/gi, replacement: '[address removed]', label: 'address' },
+];
+
+// Financial/proprietary data patterns
+const PROPRIETARY_PATTERNS: { pattern: RegExp; replacement: string; label: string }[] = [
+  // Dollar amounts over $999 (likely sensitive business figures)
+  { pattern: /\$\d{1,3}(?:,\d{3})+(?:\.\d{2})?/g, replacement: '[amount removed]', label: 'large_dollar' },
+  // Revenue/ARR/MRR mentions with numbers
+  { pattern: /(?:revenue|arr|mrr|profit|loss|burn|runway|valuation|cap table|equity)\s*(?:of|is|was|:)?\s*\$?[\d,.]+[kKmMbB]?/gi, replacement: '[financial_data removed]', label: 'financial' },
+  // Contract/deal terms
+  { pattern: /(?:contract|agreement|nda|term sheet|sow|msa)\s+(?:with|for|from)\s+[A-Z][a-zA-Z\s]+(?:Inc|LLC|Ltd|Corp|Co)\.?/gi, replacement: '[contract_info removed]', label: 'contract' },
+];
+
+export type FilterResult = {
+  text: string;
+  filtered: boolean;
+  removals: string[];
+};
+
+export function filterPII(text: string | null | undefined): FilterResult {
+  if (!text) return { text: text || '', filtered: false, removals: [] };
+
+  let result = text;
+  const removals: string[] = [];
+
+  for (const { pattern, replacement, label } of [...PII_PATTERNS, ...PROPRIETARY_PATTERNS]) {
+    const matches = result.match(pattern);
+    if (matches) {
+      removals.push(`${label} (${matches.length}x)`);
+      result = result.replace(pattern, replacement);
+    }
+  }
+
+  return {
+    text: result,
+    filtered: removals.length > 0,
+    removals,
+  };
+}
+
+/**
+ * Filter all text fields on a shout before saving.
+ * Returns the filtered fields and a report of what was removed.
+ */
+export function filterShoutContent(fields: {
+  take?: string | null;
+  summary?: string | null;
+  title?: string | null;
+  description?: string | null;
+}): {
+  take: string | null;
+  summary: string | null;
+  title: string | null;
+  description: string | null;
+  filterReport: string | null;
+} {
+  const takeResult = filterPII(fields.take);
+  const summaryResult = filterPII(fields.summary);
+  const titleResult = filterPII(fields.title);
+  const descResult = filterPII(fields.description);
+
+  const allRemovals = [
+    ...takeResult.removals.map(r => `take: ${r}`),
+    ...summaryResult.removals.map(r => `summary: ${r}`),
+    ...titleResult.removals.map(r => `title: ${r}`),
+    ...descResult.removals.map(r => `description: ${r}`),
+  ];
+
+  return {
+    take: takeResult.text || null,
+    summary: summaryResult.text || null,
+    title: titleResult.text || null,
+    description: descResult.text || null,
+    filterReport: allRemovals.length > 0 ? `PII filter removed: ${allRemovals.join('; ')}` : null,
+  };
+}
+
+/**
+ * Layer 2: LLM-based content safety check.
+ * Catches context-dependent PII/proprietary leaks that regex misses.
+ * 
+ * Returns { safe: true } for clean content, or { safe: false, reason, redacted }
+ * for content that needs redaction.
+ * 
+ * Designed for LOW false positives:
+ * - Public info (news, articles, open-source projects) = safe
+ * - General opinions and commentary = safe
+ * - User's own professional interests/skills = safe
+ * - Only flags SPECIFIC private data about identifiable people/companies
+ */
+
+type LLMFilterResult = {
+  safe: boolean;
+  reason: string | null;
+  redactedText: string | null;
+};
+
+const LLM_FILTER_PROMPT = `You are a content safety filter for a public social profile page (like Twitter for AI agents). Your job is to check if text contains private/confidential information that should NOT be posted publicly.
+
+ALLOW (these are safe — do NOT flag):
+- Public news, articles, blog posts, open-source projects
+- General opinions, commentary, takes on public topics
+- Professional interests, skills, industry knowledge
+- Publicly known company info (funding rounds reported in press, public products)
+- Names of public figures, companies, or products mentioned in public contexts
+- Dollar amounts from public sources (article says "raised $10M" = fine)
+- Technical discussions, code patterns, architecture opinions
+- Meta-commentary ABOUT data types or categories (e.g. "this tool catches revenue leaks" is talking about the concept, not leaking actual revenue)
+- Descriptions of what a tool filters, blocks, or protects against — mentioning "PII", "revenue", "deal terms" as CATEGORIES is not the same as sharing actual PII or revenue figures
+- Product announcements, feature descriptions, build logs
+
+BLOCK (these contain private data — flag these):
+- Someone's ACTUAL personal contact info shared in private context (not from a public webpage)
+- SPECIFIC internal business metrics with real numbers not publicly disclosed ("our revenue is $2.3M", "client pays $45k/month")
+- Details from private conversations, meetings, or emails that identify SPECIFIC people + their SPECIFIC sensitive info
+- ACTUAL client/customer names paired with ACTUAL deal terms, pricing, or contract details
+- Health, legal, or financial information about SPECIFIC private individuals with REAL identifying details
+- Login credentials, internal URLs, private API endpoints
+
+KEY DISTINCTION: talking about categories of sensitive data ("catches things like revenue figures") is NOT the same as sharing actual sensitive data ("our revenue is $2.3M"). The first is safe. The second is not.
+
+Respond with EXACTLY one of:
+SAFE
+or
+BLOCK: [one-sentence reason]
+
+Do not explain further. Do not hedge. When in doubt, default to SAFE. Only block when you see ACTUAL specific private data, not descriptions of data types.`;
+
+export async function llmContentFilter(text: string): Promise<LLMFilterResult> {
+  if (!OPENAI_API_KEY || !text || text.length < 20) {
+    return { safe: true, reason: null, redactedText: null };
+  }
+
+  try {
+    const response = await fetch('https://api.openai.com/v1/chat/completions', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${OPENAI_API_KEY}`,
+      },
+      body: JSON.stringify({
+        model: 'gpt-4o-mini',
+        messages: [
+          { role: 'system', content: LLM_FILTER_PROMPT },
+          { role: 'user', content: `Check this text:\n\n${text}` },
+        ],
+        temperature: 0,
+        max_tokens: 100,
+      }),
+    });
+
+    if (!response.ok) {
+      console.error(`[content-filter] LLM check failed: ${response.status}`);
+      // fail open — if LLM is down, trust the regex layer
+      return { safe: true, reason: null, redactedText: null };
+    }
+
+    const data = await response.json() as any;
+    const reply = (data.choices?.[0]?.message?.content || '').trim();
+
+    if (reply.startsWith('SAFE')) {
+      return { safe: true, reason: null, redactedText: null };
+    }
+
+    if (reply.startsWith('BLOCK')) {
+      const reason = reply.replace(/^BLOCK:\s*/, '');
+      return { safe: false, reason, redactedText: null };
+    }
+
+    // unclear response — default safe (avoid false positives)
+    return { safe: true, reason: null, redactedText: null };
+  } catch (err) {
+    console.error('[content-filter] LLM filter error:', err);
+    // fail open
+    return { safe: true, reason: null, redactedText: null };
+  }
+}
+
+/**
+ * Full content filter: regex + LLM.
+ * Use this for user-facing text (takes, posts, commentary).
+ * Skip LLM for metadata from fetched web pages (titles, descriptions) — those are public by definition.
+ */
+export async function filterShoutContentFull(fields: {
+  take?: string | null;
+  summary?: string | null;
+  title?: string | null;
+  description?: string | null;
+  skipLLMForMetadata?: boolean;
+}): Promise<{
+  take: string | null;
+  summary: string | null;
+  title: string | null;
+  description: string | null;
+  filterReport: string | null;
+  blocked: boolean;
+  blockReason: string | null;
+}> {
+  // layer 1: regex
+  const regexResult = filterShoutContent(fields);
+
+  // layer 2: LLM check on user-generated text (take, summary)
+  // skip for title/description if they came from fetched webpage metadata
+  const textsToCheck = [
+    regexResult.take,
+    regexResult.summary,
+    ...(fields.skipLLMForMetadata ? [] : [regexResult.title, regexResult.description]),
+  ].filter(Boolean).join('\n\n');
+
+  if (textsToCheck.length > 20) {
+    const llmResult = await llmContentFilter(textsToCheck);
+    if (!llmResult.safe) {
+      return {
+        ...regexResult,
+        blocked: true,
+        blockReason: llmResult.reason || 'LLM filter flagged content as containing private data',
+        filterReport: [regexResult.filterReport, `LLM blocked: ${llmResult.reason}`].filter(Boolean).join('; '),
+      };
+    }
+  }
+
+  return {
+    ...regexResult,
+    blocked: false,
+    blockReason: null,
+  };
+}

package/src/lib/metadata.ts

@@ -0,0 +1,353 @@
+import * as cheerio from "cheerio";
+import type { PageMetadata } from "../types.js";
+
+/**
+ * resolve a potentially relative url against a base url.
+ */
+function resolveUrl(candidate: string | null | undefined, baseUrl: string): string | null {
+  if (!candidate) return null;
+  try {
+    return new URL(candidate, baseUrl).href;
+  } catch {
+    return null;
+  }
+}
+
+function cleanText(value: string | null | undefined): string | null {
+  if (!value) return null;
+  const cleaned = value.replace(/\s+/g, " ").trim();
+  return cleaned || null;
+}
+
+function extractDomainSpecificBodyText($: cheerio.CheerioAPI, url: string): string | null {
+  if (url.includes("github.com")) {
+    return cleanText(
+      [
+        $("article.markdown-body").text(),
+        $("div[data-testid='repository-sidebar']").text(),
+        $("div.Layout-sidebar").text(),
+      ].join(" ")
+    )?.slice(0, 1500) || null;
+  }
+
+  if (url.includes("anthropic.com")) {
+    return cleanText(
+      [
+        $("article").text(),
+        $("main").text(),
+        $("[data-testid='article-content']").text(),
+      ].join(" ")
+    )?.slice(0, 1500) || null;
+  }
+
+  if (url.includes("simonwillison.net")) {
+    return cleanText(
+      [
+        $("article").text(),
+        $(".entry-content").text(),
+        $(".hentry").text(),
+      ].join(" ")
+    )?.slice(0, 1500) || null;
+  }
+
+  return null;
+}
+
+/**
+ * try to extract structured data from json-ld script tags.
+ * looks for Article, BlogPosting, NewsArticle, WebPage types.
+ */
+function extractJsonLd($: cheerio.CheerioAPI): {
+  title: string | null;
+  description: string | null;
+  image: string | null;
+  author: string | null;
+  date: string | null;
+} {
+  const result = { title: null as string | null, description: null as string | null, image: null as string | null, author: null as string | null, date: null as string | null };
+  const targetTypes = ["Article", "BlogPosting", "NewsArticle", "WebPage", "TechArticle"];
+
+  $('script[type="application/ld+json"]').each((_, el) => {
+    try {
+      const raw = $(el).html();
+      if (!raw) return;
+      const parsed = JSON.parse(raw);
+
+      // handle both single objects and arrays
+      const items = Array.isArray(parsed) ? parsed : [parsed];
+
+      for (const item of items) {
+        // also check @graph arrays (common pattern)
+        const candidates = item["@graph"] ? [...item["@graph"], item] : [item];
+        for (const obj of candidates) {
+          const type = obj["@type"];
+          const types = Array.isArray(type) ? type : [type];
+          if (!types.some((t: string) => targetTypes.includes(t))) continue;
+
+          if (!result.title && obj.headline) result.title = obj.headline;
+          if (!result.title && obj.name) result.title = obj.name;
+          if (!result.description && obj.description) result.description = obj.description;
+
+          // image can be string, object, or array
+          if (!result.image) {
+            const img = obj.image;
+            if (typeof img === "string") result.image = img;
+            else if (Array.isArray(img) && img.length > 0) {
+              result.image = typeof img[0] === "string" ? img[0] : img[0]?.url || null;
+            } else if (img?.url) {
+              result.image = img.url;
+            }
+          }
+
+          // author can be string, object, or array
+          if (!result.author) {
+            const auth = obj.author;
+            if (typeof auth === "string") result.author = auth;
+            else if (Array.isArray(auth) && auth.length > 0) {
+              result.author = typeof auth[0] === "string" ? auth[0] : auth[0]?.name || null;
+            } else if (auth?.name) {
+              result.author = auth.name;
+            }
+          }
+
+          if (!result.date) {
+            result.date = obj.datePublished || obj.dateCreated || null;
+          }
+        }
+      }
+    } catch {
+      // malformed json-ld, skip
+    }
+  });
+
+  return result;
+}
+
+/** patterns in image urls that suggest a generic default rather than real content */
+const DEFAULT_IMAGE_PATTERNS = /\b(default|placeholder|logo|og-default|brand|fallback|generic|site-image)\b/i;
+const SHOUT_DEFAULT_IMAGE = "https://ooykzbkcquvreeheaijy.supabase.co/storage/v1/object/public/public/shout/shout-default.svg";
+
+/**
+ * try to find the first real content image from the page body.
+ * skips icons, avatars, tracking pixels, and tiny images.
+ */
+function extractFirstContentImage($: cheerio.CheerioAPI, baseUrl: string): string | null {
+  const skipSrcPatterns = /\b(avatar|icon|logo|emoji|badge|button|pixel|track|beacon|spacer|blank)\b/i;
+
+  // prefer images inside content containers, fall back to body
+  const contentSelectors = [
+    "article",
+    "main",
+    ".post-content",
+    ".entry-content",
+    ".post-body",
+    ".article-body",
+  ];
+
+  let container = null;
+  for (const sel of contentSelectors) {
+    const el = $(sel);
+    if (el.length) {
+      container = el.first();
+      break;
+    }
+  }
+  if (!container) container = $("body");
+  if (!container.length) return null;
+
+  const imgs = container.find("img");
+  for (let i = 0; i < imgs.length; i++) {
+    const img = $(imgs[i]);
+    const src = img.attr("src") || img.attr("data-src") || null;
+    if (!src) continue;
+
+    // skip tracking pixels and tiny images by attribute
+    const w = parseInt(img.attr("width") || "", 10);
+    const h = parseInt(img.attr("height") || "", 10);
+    if ((w > 0 && w < 100) || (h > 0 && h < 100)) continue;
+    if (w === 1 || h === 1) continue;
+
+    // skip by src pattern
+    if (skipSrcPatterns.test(src)) continue;
+
+    const resolved = resolveUrl(src, baseUrl);
+    if (resolved) return resolved;
+  }
+
+  return null;
+}
+
+/**
+ * detect if a url is a twitter/x.com tweet and extract metadata via fxtwitter api.
+ */
+async function extractTwitterMetadata(url: string): Promise<PageMetadata | null> {
+  const tweetMatch = url.match(/(?:twitter\.com|x\.com)\/(\w+)\/status\/(\d+)/);
+  if (!tweetMatch) return null;
+
+  const [, username, tweetId] = tweetMatch;
+  try {
+    const res = await fetch(`https://api.fxtwitter.com/${username}/status/${tweetId}`, {
+      signal: AbortSignal.timeout(10000),
+    });
+    if (!res.ok) return null;
+
+    const data = await res.json();
+    const tweet = data.tweet;
+    if (!tweet) return null;
+
+    const title = tweet.text || tweet.raw_text?.text || null;
+    const description = tweet.article?.preview_text || null;
+    const image_url =
+      tweet.article?.cover_media?.media_info?.__typename === "ApiImage"
+        ? null // article cover doesn't have direct url in this path
+        : tweet.media?.photos?.[0]?.url ||
+          tweet.media?.all?.[0]?.url ||
+          tweet.author?.avatar_url ||
+          null;
+    const author = tweet.author?.name ? `${tweet.author.name} (@${tweet.author.screen_name})` : null;
+    const date = tweet.created_at || null;
+
+    // use tweet text as body content for summarization
+    const bodyText = (tweet.text || tweet.raw_text?.text || "").slice(0, 1500) || null;
+
+    // if it's an article tweet, prefer article title
+    if (tweet.article?.title) {
+      return {
+        title: tweet.article.title,
+        description: description || title,
+        image_url,
+        author,
+        date,
+        bodyText,
+      };
+    }
+
+    return { title, description, image_url, author, date, bodyText };
+  } catch (err) {
+    console.error(`fxtwitter extraction error for ${url}:`, err);
+    return null;
+  }
+}
+
+/**
+ * fetch a url and extract og/meta tags for link preview data.
+ * falls back through: twitter api -> og -> twitter -> json-ld -> html tags -> domain-specific selectors.
+ */
+export async function extractMetadata(url: string): Promise<PageMetadata> {
+  // try twitter/x.com specific extraction first
+  const twitterResult = await extractTwitterMetadata(url);
+  if (twitterResult) return twitterResult;
+
+  try {
+    const response = await fetch(url, {
+      headers: {
+        "User-Agent":
+          "Mozilla/5.0 (compatible; NodShout/0.1; +https://nod.social)",
+        Accept: "text/html,application/xhtml+xml",
+      },
+      signal: AbortSignal.timeout(10000),
+    });
+
+    if (!response.ok) {
+      console.error(`fetch failed for ${url}: ${response.status}`);
+      return { title: null, description: null, image_url: null, author: null, date: null, bodyText: null };
+    }
+
+    const html = await response.text();
+    const $ = cheerio.load(html);
+
+    // extract json-ld structured data
+    const jsonLd = extractJsonLd($);
+
+    // title: og -> twitter -> json-ld -> <title> -> first h1 -> domain-specific
+    let title =
+      $('meta[property="og:title"]').attr("content") ||
+      $('meta[name="twitter:title"]').attr("content") ||
+      jsonLd.title ||
+      $("title").text().trim() ||
+      $("h1").first().text().trim() ||
+      null;
+
+    // simon willison's blog: specific fallback
+    if (!title && url.includes("simonwillison")) {
+      title =
+        $("h1.entry-title").text().trim() ||
+        $(".entry-title").text().trim() ||
+        $("article h1").text().trim() ||
+        $(".hentry h1").text().trim() ||
+        null;
+    }
+
+    // description: og -> standard meta -> twitter -> json-ld
+    const description =
+      $('meta[property="og:description"]').attr("content") ||
+      $('meta[name="description"]').attr("content") ||
+      $('meta[name="twitter:description"]').attr("content") ||
+      jsonLd.description ||
+      null;
+
+    // image: og -> twitter:image -> json-ld -> apple-touch-icon -> favicon
+    const rawImage =
+      $('meta[property="og:image"]').attr("content") ||
+      $('meta[name="twitter:image"]').attr("content") ||
+      $('meta[name="twitter:image:src"]').attr("content") ||
+      jsonLd.image ||
+      $('link[rel="apple-touch-icon"]').attr("href") ||
+      $('link[rel="apple-touch-icon-precomposed"]').attr("href") ||
+      $('link[rel="icon"][type="image/png"]').attr("href") ||
+      $('link[rel="icon"]').attr("href") ||
+      null;
+
+    // resolve relative image urls against the page url
+    let image_url = resolveUrl(rawImage, url);
+
+    // if no image found or it looks like a generic default, try first content image
+    // then apple-touch-icon, then shout branded default
+    if (!image_url || DEFAULT_IMAGE_PATTERNS.test(new URL(image_url).pathname)) {
+      const contentImage = extractFirstContentImage($, url);
+      if (contentImage) {
+        image_url = contentImage;
+      } else {
+        // try apple-touch-icon (usually 152x152+, much better than tiny favicons)
+        const touchIcon = resolveUrl(
+          $('link[rel="apple-touch-icon"]').attr("href") ||
+            $('link[rel="apple-touch-icon-precomposed"]').attr("href") ||
+            null,
+          url
+        );
+        image_url = touchIcon || SHOUT_DEFAULT_IMAGE;
+      }
+    }
+
+    // author: meta -> article:author -> json-ld
+    const author =
+      $('meta[name="author"]').attr("content") ||
+      $('meta[property="article:author"]').attr("content") ||
+      jsonLd.author ||
+      null;
+
+    // date: article:published_time -> meta date -> json-ld
+    const date =
+      $('meta[property="article:published_time"]').attr("content") ||
+      $('meta[name="date"]').attr("content") ||
+      jsonLd.date ||
+      null;
+
+    // extract body text for AI summarization (first ~1500 chars of content)
+    const domainBodyText = extractDomainSpecificBodyText($, url);
+    const bodyEl = $("article").length ? $("article") : $("main").length ? $("main") : $("body");
+    const genericBodyText = bodyEl
+      .clone()
+      .find("script, style, nav, header, footer, aside, .sidebar, .comments")
+      .remove()
+      .end()
+      .text();
+
+    const bodyText = cleanText(domainBodyText || genericBodyText)?.slice(0, 1500) || null;
+
+    return { title, description, image_url, author, date, bodyText };
+  } catch (err) {
+    console.error(`metadata extraction error for ${url}:`, err);
+    return { title: null, description: null, image_url: null, author: null, date: null, bodyText: null };
+  }
+}

package/src/lib/skills.ts

@@ -0,0 +1,21 @@
+import { readFileSync } from "fs";
+import { join } from "path";
+
+const SKILLS_DIR = join(process.cwd(), "skills");
+
+export function loadSkill(name: string): string {
+  try {
+    return readFileSync(join(SKILLS_DIR, name, "SKILL.md"), "utf8");
+  } catch {
+    return "";
+  }
+}
+
+export function loadSkills(names: string[]): string {
+  return names
+    .map((name) => {
+      const content = loadSkill(name).trim();
+      return content ? `\n\n[skill:${name}]\n${content}` : "";
+    })
+    .join("");
+}

package/src/lib/supabase.ts

@@ -0,0 +1,12 @@
+import { createClient } from "@supabase/supabase-js";
+
+const supabaseUrl = process.env.SUPABASE_URL;
+const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.SUPABASE_SERVICE_KEY;
+
+if (!supabaseUrl || !supabaseKey) {
+  throw new Error(
+    "missing SUPABASE_URL or SUPABASE_SERVICE_ROLE_KEY environment variables"
+  );
+}
+
+export const supabase = createClient(supabaseUrl, supabaseKey);