opencode-supabase 0.0.7 → 0.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-supabase",
-  "version": "0.0.7",
+  "version": "0.1.0",
   "type": "module",
   "description": "OpenCode plugin for Supabase integration with server and TUI components",
   "license": "Apache-2.0",

package/src/server/auth-html.ts

@@ -68,6 +68,18 @@ const SHARED_STYLES = `
   .icon-error { background: #ef4444; color: #fff; }
   h1 { font-size: 20px; font-weight: 600; letter-spacing: -0.01em; text-align: center; }
   p { font-size: 16px; color: #EDEDED; text-align: center; line-height: 1.5; max-width: 280px; }
+  .prompt-label { font-size: 13px; color: #8b8b8b; text-align: center; }
+  .prompt-box {
+    width: 100%;
+    background: #1b1b1b;
+    border: 1px solid #2e2e2e;
+    border-radius: 10px;
+    padding: 12px 14px;
+    font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
+    font-size: 13px;
+    color: #EDEDED;
+    text-align: center;
+  }
   .footer { margin-top: 8px; line-height: 1.5; text-align: center; color: #666; font-size: 12px; }
   .footer a { color: #8b8b8b; text-decoration: underline; text-underline-offset: 2px; }
   .footer a:hover { color: #EDEDED; }
@@ -89,6 +101,8 @@ export const HTML_SUCCESS = `<!doctype html>
         <h1>Authorization Successful</h1>
       </div>
       <p>You can <strong>close this window</strong> and return to OpenCode.</p>
+      <div class="prompt-label">Try this next:</div>
+      <div class="prompt-box">list my Supabase projects</div>
       <div class="footer">Having troubles or found a bug?<br><a href="${REPO_URL}" target="_blank" rel="noopener">Report it on GitHub</a></div>
     </div>
     <script>setTimeout(function(){window.close()},2000)</script>
@@ -116,4 +130,4 @@ export function htmlError(message: string): string {
     </div>
   </body>
 </html>`;
-}
+}

package/src/server/auth.ts

@@ -1,6 +1,7 @@
 import { createConnection } from "node:net";
 import type { PluginInput, PluginOptions } from "@opencode-ai/plugin";
 
+import { formatAuthError } from "../shared/auth-errors.ts";
 import {
   BrokerClientError,
   type BrokerConfig,
@@ -11,7 +12,8 @@ import type { SupabaseLogger } from "../shared/log.ts";
 import { buildAuthorizeUrl, generatePKCE, generateState } from "../shared/oauth.ts";
 import type { FetchLike, SupabaseTokenResponse } from "../shared/types.ts";
 import { HTML_SUCCESS, htmlError } from "./auth-html.ts";
-import { writeSavedAuth } from "./store.ts";
+import { readSavedAuth, writeSavedAuth } from "./store.ts";
+import { NOT_CONNECTED_MESSAGE, disconnectSupabaseAuth, ensureSupabaseToolAuth } from "./tools.ts";
 
 const CALLBACK_PATH = "/auth/callback";
 const CALLBACK_TIMEOUT_MS = 5 * 60 * 1000;
@@ -32,9 +34,47 @@ type AuthDeps = {
   setCallbackTimeout?: typeof setTimeout;
 };
 
+type SupabaseAuthInput = Pick<PluginInput, "client" | "directory" | "serverUrl" | "worktree">;
+
+type SupabaseStatusInstructions =
+  | {
+      status: "connected";
+      checked: false;
+    }
+  | {
+      status: "disconnected";
+      checked: false;
+    }
+  | {
+      status: "refresh_required";
+      checked: true;
+    };
+
 let server: ReturnType<typeof Bun.serve> | undefined;
 let serverPort: number | undefined;
 const pendingAuths = new Map<string, PendingAuth>();
+const REFRESH_BUFFER_MS = 30_000;
+
+function isRefreshNeeded(expires: number) {
+  return expires <= Date.now() + REFRESH_BUFFER_MS;
+}
+
+function encodeStatusInstructions(status: SupabaseStatusInstructions) {
+  return JSON.stringify(status);
+}
+
+async function getStatusInstructions(input: Pick<SupabaseAuthInput, "directory" | "worktree">) {
+  const saved = await readSavedAuth(input);
+  if (!saved.auth) {
+    return encodeStatusInstructions({ status: "disconnected", checked: false });
+  }
+
+  if (!isRefreshNeeded(saved.auth.expires)) {
+    return encodeStatusInstructions({ status: "connected", checked: false });
+  }
+
+  return encodeStatusInstructions({ status: "refresh_required", checked: true });
+}
 
 function callbackUrl(port: number) {
   return `http://localhost:${port}${CALLBACK_PATH}`;
@@ -181,19 +221,17 @@ async function ensureServer(
                 headers: { "Content-Type": "text/html" },
               });
             } catch (cause) {
-              const errorMessage = cause instanceof BrokerClientError
-                ? `Authorization failed: ${cause.message}`
-                : "Authorization failed";
+              const message = formatAuthError("exchange", cause);
 
               await deps.logger?.error("supabase auth failed", {
                 status: cause instanceof BrokerClientError ? cause.status : 400,
                 broker_error: cause instanceof BrokerClientError,
               });
 
-              pending.reject(cause instanceof Error ? cause : new Error(String(cause)));
+              pending.reject(cause instanceof Error ? cause : new Error(message));
               await stopServerIfIdle(deps.logger, "broker_exchange_failed");
 
-              return new Response(htmlError(errorMessage), {
+              return new Response(htmlError(message), {
                 status: cause instanceof BrokerClientError && cause.status >= 500 ? 502 : 400,
                 headers: { "Content-Type": "text/html" },
               });
@@ -269,7 +307,7 @@ function waitForCallback(
 }
 
 export function createSupabaseAuth(
-  input: Pick<PluginInput, "directory" | "worktree">,
+  input: SupabaseAuthInput,
   options?: PluginOptions,
   deps: AuthDeps = {},
 ) {
@@ -308,6 +346,56 @@ export function createSupabaseAuth(
           };
         },
       },
+      {
+        type: "oauth" as const,
+        label: "Supabase Status",
+        async authorize(inputs?: Record<string, string>) {
+          if (inputs?.action === "disconnect") {
+            await disconnectSupabaseAuth(input, { fetch: deps.fetch });
+            return {
+              url: "https://supabase.com/",
+              instructions: encodeStatusInstructions({ status: "disconnected", checked: false }),
+              method: "auto" as const,
+              callback: async () => ({ type: "failed" as const }),
+            };
+          }
+
+          const instructions = await getStatusInstructions(input);
+          const status = JSON.parse(instructions) as SupabaseStatusInstructions;
+
+          if (status.status !== "refresh_required") {
+            return {
+              url: "https://supabase.com/",
+              instructions,
+              method: "auto" as const,
+              callback: async () => ({ type: "failed" as const }),
+            };
+          }
+
+          return {
+            url: "https://supabase.com/",
+            instructions,
+            method: "auto" as const,
+            callback: async () => {
+              try {
+                const auth = await ensureSupabaseToolAuth(input, options, deps);
+                return {
+                  type: "success" as const,
+                  access: auth.access,
+                  refresh: auth.refresh,
+                  expires: auth.expires,
+                };
+              } catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                if (message === NOT_CONNECTED_MESSAGE) {
+                  return { type: "failed" as const };
+                }
+                throw error;
+              }
+            },
+          };
+        },
+      },
     ],
   };
 }

package/src/server/tools.ts

@@ -10,13 +10,19 @@ import {
 import { readSupabaseConfig } from "../shared/cfg.ts";
 import type { SupabaseLogger } from "../shared/log.ts";
 import type { FetchLike } from "../shared/types.ts";
-import { type SavedAuth, clearSavedAuth, readSavedAuth, writeSavedAuth } from "./store.ts";
+import { type SavedAuth, clearSavedAuth, getStoreFile, readSavedAuth, writeSavedAuth } from "./store.ts";
 
 type ToolDeps = {
   fetch?: FetchLike;
   logger?: SupabaseLogger;
 };
 
+type InFlightRefresh = {
+  promise: Promise<SavedAuth>;
+  syncedDirectories: Set<string>;
+  syncPromises: Map<string, Promise<void>>;
+};
+
 type HostAuthWriter = {
   set(input: {
     path: { id: string };
@@ -44,13 +50,35 @@ type SupabaseToolContext = Pick<
   "directory" | "worktree" | "abort" | "sessionID" | "messageID" | "agent" | "metadata" | "ask"
 >;
 
-const NOT_CONNECTED_MESSAGE = "Supabase is not connected. Run /supabase first.";
+export type SupabaseAuthStatus =
+  | {
+      status: "connected";
+      auth: SavedAuth;
+      checked: boolean;
+    }
+  | {
+      status: "disconnected";
+      checked: boolean;
+    }
+  | {
+      status: "unknown";
+      checked: true;
+      message: string;
+    };
+
+export const NOT_CONNECTED_MESSAGE = "Supabase is not connected. Run /supabase first.";
 const REFRESH_BUFFER_MS = 30_000;
+const inFlightRefreshes = new Map<string, InFlightRefresh>();
 
 function isRefreshNeeded(auth: SavedAuth) {
   return auth.expires <= Date.now() + REFRESH_BUFFER_MS;
 }
 
+function isSameAuth(left: SavedAuth | undefined, right: SavedAuth | undefined) {
+  if (!left || !right) return left === right;
+  return left.access === right.access && left.refresh === right.refresh && left.expires === right.expires;
+}
+
 function generateRandomString(length: number) {
   const bytes = crypto.getRandomValues(new Uint8Array(length));
   return btoa(String.fromCharCode(...bytes))
@@ -169,55 +197,181 @@ async function clearHostAuth(
   }
 }
 
+async function syncHostAuthForDirectory(entry: InFlightRefresh, input: SupabaseToolInput, auth: SavedAuth) {
+  if (entry.syncedDirectories.has(input.directory)) {
+    return;
+  }
+
+  const existing = entry.syncPromises.get(input.directory);
+  if (existing) {
+    await existing.catch(() => undefined);
+    return;
+  }
+
+  const syncPromise = (async () => {
+    await setHostAuth(input, auth);
+    entry.syncedDirectories.add(input.directory);
+  })().finally(() => {
+    entry.syncPromises.delete(input.directory);
+  });
+
+  entry.syncPromises.set(input.directory, syncPromise);
+  await syncPromise.catch(() => undefined);
+}
+
+export async function disconnectSupabaseAuth(
+  input: SupabaseToolInput,
+  deps: Pick<ToolDeps, "fetch"> = {},
+) {
+  const fetchImpl = deps.fetch ?? fetch;
+  await clearSavedAuth(input);
+  inFlightRefreshes.delete(getStoreFile(input));
+  try {
+    await clearHostAuth(input, fetchImpl);
+  } catch {}
+}
+
+export async function getSupabaseAuthStatus(
+  input: SupabaseToolInput,
+  options?: PluginOptions,
+  deps: ToolDeps = {},
+): Promise<SupabaseAuthStatus> {
+  const saved = await readSavedAuth(input);
+  if (!saved.auth) {
+    return { status: "disconnected", checked: false };
+  }
+
+  if (!isRefreshNeeded(saved.auth)) {
+    return { status: "connected", auth: saved.auth, checked: false };
+  }
+
+  try {
+    const auth = await ensureSupabaseToolAuth(input, options, deps);
+    return { status: "connected", auth, checked: true };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message === NOT_CONNECTED_MESSAGE) {
+      return { status: "disconnected", checked: true };
+    }
+
+    return { status: "unknown", checked: true, message };
+  }
+}
+
 export async function ensureSupabaseToolAuth(
   input: SupabaseToolInput,
   options?: PluginOptions,
   deps: ToolDeps = {},
 ): Promise<SavedAuth> {
-  const fetchImpl = deps.fetch ?? fetch;
+  const refreshKey = getStoreFile(input);
   const saved = await readSavedAuth(input);
   if (!saved.auth) {
     throw new Error(NOT_CONNECTED_MESSAGE);
   }
 
+  const inFlight = inFlightRefreshes.get(refreshKey);
+  if (inFlight) {
+    const fetchImpl = deps.fetch ?? fetch;
+    try {
+      const auth = await inFlight.promise;
+      await syncHostAuthForDirectory(inFlight, input, auth);
+      return auth;
+    } catch (error) {
+      if ((error instanceof Error ? error.message : String(error)) === NOT_CONNECTED_MESSAGE) {
+        try {
+          await clearHostAuth(input, fetchImpl);
+        } catch {}
+      }
+      throw error;
+    }
+  }
+
   if (!isRefreshNeeded(saved.auth)) {
+    try {
+      await setHostAuth(input, saved.auth);
+    } catch {}
     return saved.auth;
   }
 
-  const config = readSupabaseConfig(options);
+  const refreshEntry: InFlightRefresh = {
+    promise: Promise.resolve({ access: "", refresh: "", expires: 0 }),
+    syncedDirectories: new Set<string>(),
+    syncPromises: new Map<string, Promise<void>>(),
+  };
+  const refreshPromise = (async () => {
+    const fetchImpl = deps.fetch ?? fetch;
+    const current = await readSavedAuth(input);
+    if (!current.auth) {
+      throw new Error(NOT_CONNECTED_MESSAGE);
+    }
 
-  try {
-    const refreshed = await refreshTokenThroughBroker(
-      { baseUrl: config.brokerBaseUrl },
-      { refresh_token: saved.auth.refresh },
-      deps.fetch,
-      deps.logger,
-    );
+    if (!isRefreshNeeded(current.auth)) {
+      return current.auth;
+    }
+
+    const config = readSupabaseConfig(options);
 
-    const nextAuth: SavedAuth = {
-      access: refreshed.access_token,
-      refresh: refreshed.refresh_token,
-      expires: Date.now() + (refreshed.expires_in ?? 3600) * 1000,
-    };
-    await writeSavedAuth(input, nextAuth);
     try {
-      await setHostAuth(input, nextAuth);
-    } catch {}
-    return nextAuth;
-  } catch (error) {
-    if (error instanceof BrokerClientError && (error.status === 401 || error.status === 400)) {
-      await clearSavedAuth(input);
-      try {
-        await clearHostAuth(input, fetchImpl);
-      } catch {}
-      throw new Error(NOT_CONNECTED_MESSAGE);
-    }
+      const refreshed = await refreshTokenThroughBroker(
+        { baseUrl: config.brokerBaseUrl },
+        { refresh_token: current.auth.refresh },
+        deps.fetch,
+        deps.logger,
+      );
 
-    if (error instanceof BrokerClientError) {
-      throw new Error(`Supabase auth refresh failed: ${error.message}`);
+      const nextAuth: SavedAuth = {
+        access: refreshed.access_token,
+        refresh: refreshed.refresh_token,
+        expires: Date.now() + (refreshed.expires_in ?? 3600) * 1000,
+      };
+
+      const latest = await readSavedAuth(input);
+      if (!latest.auth) {
+        throw new Error(NOT_CONNECTED_MESSAGE);
+      }
+
+      if (!isSameAuth(latest.auth, current.auth)) {
+        return latest.auth;
+      }
+
+      await writeSavedAuth(input, nextAuth);
+      return nextAuth;
+    } catch (error) {
+      if (error instanceof BrokerClientError && (error.status === 401 || error.status === 400)) {
+        const latest = await readSavedAuth(input);
+        if (!isSameAuth(latest.auth, current.auth)) {
+          if (latest.auth) {
+            return latest.auth;
+          }
+          throw new Error(NOT_CONNECTED_MESSAGE);
+        }
+
+        await clearSavedAuth(input);
+        try {
+          await clearHostAuth(input, fetchImpl);
+        } catch {}
+        throw new Error(NOT_CONNECTED_MESSAGE);
+      }
+
+      if (error instanceof BrokerClientError) {
+        throw new Error(`Supabase auth refresh failed: ${error.message}`);
+      }
+      throw error;
     }
-    throw error;
-  }
+  })();
+  refreshEntry.promise = refreshPromise
+    .then(async (auth) => {
+      await syncHostAuthForDirectory(refreshEntry, input, auth);
+      return auth;
+    })
+    .finally(() => {
+      if (inFlightRefreshes.get(refreshKey)?.promise === refreshEntry.promise) {
+      inFlightRefreshes.delete(refreshKey);
+      }
+    });
+
+  inFlightRefreshes.set(refreshKey, refreshEntry);
+  return refreshEntry.promise;
 }
 
 export function createSupabaseTools(
@@ -256,6 +410,23 @@ export function createSupabaseTools(
         );
       },
     }),
+    supabase_list_regions: tool({
+      description: "List all available database regions for creating a Supabase project in a specific organization.",
+      args: {
+        organization_slug: tool.schema.string().describe("Organization slug to list regions for"),
+      },
+      async execute(args, _context: SupabaseToolContext) {
+        return executeSupabaseGet(
+          input,
+          options,
+          deps,
+          "supabase_list_regions",
+          _context,
+          `/projects/available-regions?organization_slug=${encodeURIComponent(args.organization_slug)}`,
+          "list regions",
+        );
+      },
+    }),
     supabase_get_project_api_keys: tool({
       description: "Get the API keys for a Supabase project.",
       args: {

package/src/shared/auth-errors.ts

@@ -0,0 +1,47 @@
+export type AuthErrorStage = "start" | "callback" | "exchange" | "unknown";
+
+const FALLBACKS: Record<AuthErrorStage, string> = {
+  start: "Failed to start OAuth authorization",
+  callback: "OAuth callback failed",
+  exchange: "Authorization failed",
+  unknown: "Authorization failed",
+};
+
+function getObjectMessage(value: unknown): string | undefined {
+  if (!value || typeof value !== "object") return undefined;
+
+  if ("message" in value) {
+    const message = (value as { message: unknown }).message;
+    if (typeof message === "string") return message || undefined;
+  }
+
+  return undefined;
+}
+
+function extractErrorMessage(error: unknown): string | undefined {
+  if (error instanceof Error) return error.message || undefined;
+  if (typeof error === "string") return error || undefined;
+  const message = getObjectMessage(error);
+  if (message) return message;
+
+  if (error && typeof error === "object") {
+    const dataMessage = getObjectMessage((error as { data?: unknown }).data);
+    if (dataMessage) return dataMessage;
+
+    const nestedData = (error as { data?: { data?: unknown } }).data?.data;
+    const nestedDataMessage = getObjectMessage(nestedData);
+    if (nestedDataMessage) return nestedDataMessage;
+
+    const firstError = Array.isArray((error as { errors?: unknown }).errors)
+      ? (error as { errors: unknown[] }).errors[0]
+      : undefined;
+    const firstErrorMessage = getObjectMessage(firstError);
+    if (firstErrorMessage) return firstErrorMessage;
+  }
+
+  return undefined;
+}
+
+export function formatAuthError(stage: AuthErrorStage, error: unknown): string {
+  return extractErrorMessage(error) || FALLBACKS[stage];
+}

package/src/tui/dialog.tsx

@@ -1,24 +1,32 @@
 import type { TuiPluginApi } from "@opencode-ai/plugin/tui";
 import { createSignal } from "solid-js";
 
+import { formatAuthError } from "../shared/auth-errors.ts";
 import type { SupabaseLogger } from "../shared/log.ts";
 
 type SupabaseDialogProps = {
   api: TuiPluginApi;
   onClose: () => void;
   logger: SupabaseLogger;
+  initialState?: OAuthState;
+  lifecycle?: {
+    closed: boolean;
+    dismissed?: boolean;
+    preflightPromise?: Promise<void>;
+  };
 };
 
 type OAuthState =
+  | { type: "checking_auth" }
   | { type: "idle" }
+  | { type: "already_connected" }
   | { type: "authorizing"; url: string }
   | { type: "waiting_callback"; url: string }
   | { type: "success" }
-  | { type: "error"; message: string };
+  | { type: "unknown"; message: string }
+  | { type: "error"; message: string; url?: string };
 
-// API response types
-type ApiError = { message?: string; [key: string]: unknown };
-type ApiResponse<T> = { data?: T; error?: ApiError };
+type ApiResponse<T> = { data?: T; error?: unknown };
 
 type AuthData = {
   url: string;
@@ -26,144 +34,365 @@ type AuthData = {
   method: string;
 };
 
-export function SupabaseDialog(props: SupabaseDialogProps) {
-  const [state, setState] = createSignal<OAuthState>({ type: "idle" });
+type AuthStatus =
+  | { status: "connected"; checked: boolean }
+  | { status: "disconnected"; checked: boolean }
+  | { status: "refresh_required"; checked: true };
+
+type AuthFlowContext = {
+  api: TuiPluginApi;
+  logger: SupabaseLogger;
+  setState: (state: OAuthState) => void;
+  onSuccess: () => void;
+};
+
+function getErrorMessage(error: unknown) {
+  return error instanceof Error ? error.message : String(error);
+}
+
+function parseAuthStatus(instructions: string): AuthStatus {
+  const parsed = JSON.parse(instructions) as Partial<AuthStatus>;
+  if (
+    parsed.status === "connected" ||
+    parsed.status === "disconnected" ||
+    parsed.status === "refresh_required"
+  ) {
+    return parsed as AuthStatus;
+  }
+
+  throw new Error("Invalid Supabase auth status response");
+}
+
+async function openBrowser(url: string, logger: SupabaseLogger) {
+  try {
+    const open = await import("open");
+    await open.default(url);
+  } catch (error) {
+    await logger.warn("supabase browser open failed", {
+      message: getErrorMessage(error),
+    });
+  }
+}
+
+export async function runAuthFlow(context: AuthFlowContext) {
+  let authURL: string | undefined;
+  let completed = false;
+
+  try {
+    await context.logger.info("supabase auth started", {
+      phase: "authorize",
+    });
+    context.setState({ type: "authorizing", url: "" });
+
+    const authResponse = (await context.api.client.provider.oauth.authorize({
+      providerID: "supabase",
+      method: 0,
+    })) as ApiResponse<AuthData>;
+
+    if (authResponse.error) {
+      throw new Error(formatAuthError("start", authResponse.error));
+    }
+
+    const authData = authResponse.data;
+    if (!authData?.url) {
+      throw new Error("Invalid OAuth authorization response");
+    }
+
+    const { url, method } = authData;
+    authURL = url;
+    const safeUrl = new URL(url);
+    context.setState({ type: "authorizing", url });
+
+    await context.logger.debug("supabase auth authorize response received", {
+      method,
+      url_origin: safeUrl.origin,
+      url_path: safeUrl.pathname,
+    });
+
+    if (method === "auto") {
+      await openBrowser(url, context.logger);
+    }
+
+    context.setState({ type: "waiting_callback", url });
+    await context.logger.debug("supabase auth waiting for callback");
+
+    const callbackResponse = (await context.api.client.provider.oauth.callback({
+      providerID: "supabase",
+      method: 0,
+    })) as ApiResponse<boolean>;
+
+    if (callbackResponse.error) {
+      throw new Error(formatAuthError("callback", callbackResponse.error));
+    }
+
+    if (callbackResponse.data !== true) {
+      throw new Error("OAuth authorization was denied");
+    }
 
-  const startOAuth = async () => {
+    await context.logger.info("supabase auth completed", {
+      status: "success",
+    });
+    context.setState({ type: "success" });
+    completed = true;
+  } catch (error) {
+    const message = formatAuthError("unknown", error);
+    await context.logger.error("supabase auth failed", {
+      message,
+    });
+    context.setState({ type: "error", message, url: authURL });
+    return;
+  }
+
+  if (completed) {
     try {
-      await props.logger.info("supabase auth started", {
-        phase: "authorize",
+      context.onSuccess();
+    } catch (error) {
+      await context.logger.error("supabase auth success handler failed", {
+        message: getErrorMessage(error),
       });
-      setState({ type: "authorizing", url: "" });
+    }
+  }
+}
 
-      // Start OAuth authorization
-      const authResponse = (await props.api.client.provider.oauth.authorize({
-        providerID: "supabase",
-        method: 0,
-      })) as unknown as ApiResponse<AuthData>;
-
-      // Handle the response shape from the plugin API
-      if (authResponse.error) {
-        throw new Error(
-          authResponse.error.message || "Failed to start OAuth authorization",
-        );
-      }
+export async function runAuthPreflight(context: Pick<AuthFlowContext, "api" | "logger" | "setState">) {
+  context.setState({ type: "checking_auth" });
 
-      const authData = authResponse.data;
+  try {
+    const authResponse = (await context.api.client.provider.oauth.authorize({
+      providerID: "supabase",
+      method: 1,
+    })) as ApiResponse<AuthData>;
 
-      if (!authData?.url) {
-        throw new Error("Invalid OAuth authorization response");
-      }
+    if (authResponse.error) {
+      throw new Error(formatAuthError("start", authResponse.error));
+    }
 
-      const { url, method } = authData;
-      const safeUrl = new URL(url);
-      setState({ type: "authorizing", url });
+    const instructions = authResponse.data?.instructions;
+    if (!instructions) {
+      throw new Error("Invalid Supabase auth status response");
+    }
 
-      await props.logger.debug("supabase auth authorize response received", {
-        method,
-        url_origin: safeUrl.origin,
-        url_path: safeUrl.pathname,
-      });
+    const status = parseAuthStatus(instructions);
+    if (status.status === "connected") {
+      context.setState({ type: "already_connected" });
+      return;
+    }
 
-      // Attempt to open browser automatically
-      if (method === "auto") {
-        try {
-          const open = await import("open");
-          await open.default(url);
-        } catch {
-          await props.logger.warn("supabase browser open failed");
-          // Browser auto-open failed, user can click the URL manually
-        }
-      }
+    if (status.status === "disconnected") {
+      context.setState({ type: "idle" });
+      return;
+    }
 
-      setState({ type: "waiting_callback", url });
-      await props.logger.debug("supabase auth waiting for callback");
+    const callbackResponse = (await context.api.client.provider.oauth.callback({
+      providerID: "supabase",
+      method: 1,
+    })) as ApiResponse<boolean>;
 
-      // Wait for callback
-      const callbackResponse = (await props.api.client.provider.oauth.callback({
-        providerID: "supabase",
-        method: 0,
-      })) as unknown as ApiResponse<boolean>;
+    if (callbackResponse.error) {
+      throw new Error(formatAuthError("callback", callbackResponse.error));
+    }
 
-      if (callbackResponse.error) {
-        throw new Error(
-          callbackResponse.error.message || "OAuth callback failed",
-        );
-      }
+    if (callbackResponse.data === true) {
+      context.setState({ type: "already_connected" });
+      return;
+    }
 
-      const callbackSucceeded = callbackResponse.data === true;
+    context.setState({ type: "idle" });
+  } catch (error) {
+    context.setState({
+      type: "unknown",
+      message: formatAuthError("unknown", error),
+    });
+  }
+}
 
-      if (callbackSucceeded) {
-        await props.logger.info("supabase auth completed", {
-          status: "success",
-        });
-        setState({ type: "success" });
-        props.api.ui.toast({
-          variant: "success",
-          message:
-            "Connected to Supabase! Tools are ready to use. Ask your agent about supabase.",
-        });
-        props.onClose();
-      } else {
-        throw new Error("OAuth authorization was denied");
+export function SupabaseDialog(props: SupabaseDialogProps) {
+  const lifecycle = props.lifecycle ?? { closed: false };
+  const [state, setStateSignal] = createSignal<OAuthState>(props.initialState ?? { type: "checking_auth" });
+
+  const closeDialog = (dismissed = false) => {
+    lifecycle.closed = true;
+    if (dismissed) {
+      lifecycle.dismissed = true;
+    }
+    props.onClose();
+  };
+
+  const setState = (nextState: OAuthState) => {
+    if (lifecycle.closed) {
+      return;
+    }
+
+    setStateSignal(nextState);
+
+    if (nextState.type === "success") {
+      if (lifecycle.dismissed) {
+        // User dismissed waiting dialog; stay silent
+        return;
       }
+      props.api.ui.dialog.replace(() =>
+        SupabaseDialog({
+          ...props,
+          initialState: nextState,
+          lifecycle,
+        }),
+      );
+      return;
+    }
+
+    props.api.ui.dialog.replace(() =>
+      SupabaseDialog({
+        ...props,
+        initialState: nextState,
+        lifecycle,
+      }),
+    );
+  };
+
+  const startOAuth = () =>
+    runAuthFlow({
+      api: props.api,
+      logger: props.logger,
+      setState,
+      onSuccess: () => {
+        // Success dialog handles user-facing confirmation
+      },
+    });
+
+  const retryPreflight = () => {
+    if (lifecycle.preflightPromise) {
+      return lifecycle.preflightPromise;
+    }
+
+    lifecycle.preflightPromise = runAuthPreflight({
+      api: props.api,
+      logger: props.logger,
+      setState,
+    }).finally(() => {
+      lifecycle.preflightPromise = undefined;
+    });
+
+    return lifecycle.preflightPromise;
+  };
+
+  const disconnect = async () => {
+    try {
+      await props.api.client.provider.oauth.authorize({
+        providerID: "supabase",
+        method: 1,
+        inputs: { action: "disconnect" },
+      });
+      closeDialog();
     } catch (error) {
-      const message =
-        error instanceof Error ? error.message : "Authorization failed";
-      await props.logger.error("supabase auth failed", {
-        message,
+      await props.logger.warn("supabase disconnect failed", {
+        message: getErrorMessage(error),
       });
-      setState({ type: "error", message });
-      props.api.ui.toast({
-        variant: "error",
-        message: `Supabase authorization failed: ${message}`,
+      setState({
+        type: "unknown",
+        message: `Couldn't disconnect from Supabase right now. ${formatAuthError("unknown", error)}`,
       });
-      props.onClose();
     }
   };
 
   const currentState = state();
 
+  if (currentState.type === "checking_auth") {
+    queueMicrotask(() => {
+      if (lifecycle.closed || lifecycle.preflightPromise) {
+        return;
+      }
+      void retryPreflight();
+    });
+
+    return props.api.ui.DialogAlert({
+      title: "Connect Supabase",
+      message: "Checking Supabase connection...",
+      onConfirm: () => closeDialog(true),
+    });
+  }
+
   if (currentState.type === "idle") {
     return props.api.ui.DialogConfirm({
       title: "Connect Supabase",
       message:
         "This will open a browser window to authorize OpenCode to access your Supabase account. Continue?",
       onConfirm: startOAuth,
-      onCancel: props.onClose,
+      onCancel: closeDialog,
     });
   }
 
   if (currentState.type === "authorizing") {
+    if (!currentState.url) {
     return props.api.ui.DialogAlert({
       title: "Connect Supabase",
-      message: currentState.url
-        ? `Opening browser to authorize Supabase...\n\nIf the browser doesn't open automatically, visit:\n${currentState.url}`
-        : "Starting authorization...",
-      onConfirm: props.onClose,
+      message: "Starting authorization...",
+      onConfirm: () => closeDialog(true),
+    });
+    }
+
+    return props.api.ui.DialogAlert({
+      title: "Connect Supabase",
+      message: `Complete authorization in your browser.\n\nIf the browser did not open, visit:\n${currentState.url}\n\nWaiting for authorization...`,
+      onConfirm: () => closeDialog(true),
     });
   }
 
   if (currentState.type === "waiting_callback") {
     return props.api.ui.DialogAlert({
       title: "Connect Supabase",
-      message: `Waiting for authorization in your browser...\n\nIf you need to complete authorization manually, visit:\n${currentState.url}`,
-      onConfirm: props.onClose,
+      message: `Complete authorization in your browser.\n\nIf the browser did not open, visit:\n${currentState.url}\n\nWaiting for authorization...`,
+      onConfirm: () => closeDialog(true),
     });
   }
 
   if (currentState.type === "error") {
-    return props.api.ui.DialogAlert({
+    return props.api.ui.DialogConfirm({
       title: "Authorization Failed",
-      message: currentState.message,
-      onConfirm: props.onClose,
+      message: currentState.url
+        ? `${currentState.message}\n\nIf you need to retry manually, visit:\n${currentState.url}`
+        : currentState.message,
+      onConfirm: async () => {
+        await startOAuth();
+      },
+      onCancel: closeDialog,
     });
   }
 
-  // Success state (should close immediately via onClose)
-  return props.api.ui.DialogAlert({
-    title: "Connected",
-    message: "Successfully connected to Supabase.",
-    onConfirm: props.onClose,
+  if (currentState.type === "already_connected") {
+    return props.api.ui.DialogConfirm({
+      title: "Already connected to Supabase",
+      message: "Your saved Supabase login is ready to use. Continue to close this dialog, or disconnect to sign out.",
+      onConfirm: closeDialog,
+      onCancel: disconnect,
+      label: "Disconnect",
+    } as import("./opencode-runtime-extensions.ts").DialogConfirmWithLabel);
+  }
+
+  if (currentState.type === "unknown") {
+    return props.api.ui.DialogConfirm({
+      title: "Supabase connection status unknown",
+      message: `${currentState.message}\n\nConfirm to retry, or cancel to continue without changing saved auth.`,
+      onConfirm: retryPreflight,
+      onCancel: closeDialog,
+    });
+  }
+
+  return props.api.ui.DialogConfirm({
+    title: "Connected to Supabase",
+    message:
+      "Your account is ready. Try asking:\n\n  list my Supabase projects\n  list my Supabase organizations\n  for organization <name>, list available regions\n\nRun an example?",
+    onConfirm: async () => {
+      try {
+        await props.api.client.tui.appendPrompt({
+          text: "list my Supabase projects",
+        });
+      } catch (error) {
+        await props.logger.warn("supabase append prompt failed", {
+          message: getErrorMessage(error),
+        });
+      }
+      closeDialog();
+    },
+    onCancel: closeDialog,
   });
 }

package/src/tui/index.tsx

@@ -11,7 +11,15 @@ const tui: TuiPlugin = async (api) => {
 
   api.command.register(() => [
     createSupabaseCommand(() => {
-      api.ui.dialog.replace(() => SupabaseDialog({ api, logger, onClose: () => api.ui.dialog.clear() }));
+      const lifecycle = { closed: false };
+      api.ui.dialog.replace(() =>
+        SupabaseDialog({
+          api,
+          logger,
+          lifecycle,
+          onClose: () => api.ui.dialog.clear(),
+        }),
+      );
     }),
   ]);
 };

package/src/tui/opencode-runtime-extensions.ts

@@ -0,0 +1,10 @@
+// OpenCode host supports `label` on DialogConfirm since ~Mar 2026
+// (commit e2d03ce38 in opencode repo: interactive update flow for non-patch releases).
+// The @opencode-ai/plugin SDK types (up to 1.14.24) never declared it.
+// This module patches the gap locally until the SDK catches up.
+
+import type { TuiDialogConfirmProps } from "@opencode-ai/plugin/tui";
+
+export type DialogConfirmWithLabel = TuiDialogConfirmProps & {
+  label?: string;
+};