npm - opencode-supabase - Versions diffs - 0.1.0 → 0.1.2-alpha.0 - Mend

opencode-supabase 0.1.0 → 0.1.2-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/skills/supabase-postgres-best-practices/references/security-privileges.md ADDED Viewed

@@ -0,0 +1,54 @@
+---
+title: Apply Principle of Least Privilege
+impact: MEDIUM
+impactDescription: Reduced attack surface, better audit trail
+tags: privileges, security, roles, permissions
+---
+## Apply Principle of Least Privilege
+Grant only the minimum permissions required. Never use superuser for application queries.
+**Incorrect (overly broad permissions):**
+```sql
+-- Application uses superuser connection
+-- Or grants ALL to application role
+grant all privileges on all tables in schema public to app_user;
+grant all privileges on all sequences in schema public to app_user;
+-- Any SQL injection becomes catastrophic
+-- drop table users; cascades to everything
+```
+**Correct (minimal, specific grants):**
+```sql
+-- Create role with no default privileges
+create role app_readonly nologin;
+-- Grant only SELECT on specific tables
+grant usage on schema public to app_readonly;
+grant select on public.products, public.categories to app_readonly;
+-- Create role for writes with limited scope
+create role app_writer nologin;
+grant usage on schema public to app_writer;
+grant select, insert, update on public.orders to app_writer;
+grant usage on sequence orders_id_seq to app_writer;
+-- No DELETE permission
+-- Login role inherits from these
+create role app_user login password 'xxx';
+grant app_writer to app_user;
+```
+Revoke public defaults:
+```sql
+-- Revoke default public access
+revoke all on schema public from public;
+revoke all on all tables in schema public from public;
+```
+Reference: [Roles and Privileges](https://supabase.com/blog/postgres-roles-and-privileges)

package/skills/supabase-postgres-best-practices/references/security-rls-basics.md ADDED Viewed

@@ -0,0 +1,50 @@
+---
+title: Enable Row Level Security for Multi-Tenant Data
+impact: CRITICAL
+impactDescription: Database-enforced tenant isolation, prevent data leaks
+tags: rls, row-level-security, multi-tenant, security
+---
+## Enable Row Level Security for Multi-Tenant Data
+Row Level Security (RLS) enforces data access at the database level, ensuring users only see their own data.
+**Incorrect (application-level filtering only):**
+```sql
+-- Relying only on application to filter
+select * from orders where user_id = $current_user_id;
+-- Bug or bypass means all data is exposed!
+select * from orders;  -- Returns ALL orders
+```
+**Correct (database-enforced RLS):**
+```sql
+-- Enable RLS on the table
+alter table orders enable row level security;
+-- Create policy for users to see only their orders
+create policy orders_user_policy on orders
+  for all
+  using (user_id = current_setting('app.current_user_id')::bigint);
+-- Force RLS even for table owners
+alter table orders force row level security;
+-- Set user context and query
+set app.current_user_id = '123';
+select * from orders;  -- Only returns orders for user 123
+```
+Policy for authenticated role:
+```sql
+create policy orders_user_policy on orders
+  for all
+  to authenticated
+  using (user_id = auth.uid());
+```
+Reference: [Row Level Security](https://supabase.com/docs/guides/database/postgres/row-level-security)

package/skills/supabase-postgres-best-practices/references/security-rls-performance.md ADDED Viewed

@@ -0,0 +1,57 @@
+---
+title: Optimize RLS Policies for Performance
+impact: HIGH
+impactDescription: 5-10x faster RLS queries with proper patterns
+tags: rls, performance, security, optimization
+---
+## Optimize RLS Policies for Performance
+Poorly written RLS policies can cause severe performance issues. Use subqueries and indexes strategically.
+**Incorrect (function called for every row):**
+```sql
+create policy orders_policy on orders
+  using (auth.uid() = user_id);  -- auth.uid() called per row!
+-- With 1M rows, auth.uid() is called 1M times
+```
+**Correct (wrap functions in SELECT):**
+```sql
+create policy orders_policy on orders
+  using ((select auth.uid()) = user_id);  -- Called once, cached
+-- 100x+ faster on large tables
+```
+Use security definer functions for complex checks:
+```sql
+-- Create helper function (runs as definer, bypasses RLS)
+create or replace function is_team_member(team_id bigint)
+returns boolean
+language sql
+security definer
+set search_path = ''
+as $$
+  select exists (
+    select 1 from public.team_members
+    where team_id = $1 and user_id = (select auth.uid())
+  );
+$$;
+-- Use in policy (indexed lookup, not per-row check)
+create policy team_orders_policy on orders
+  using ((select is_team_member(team_id)));
+```
+Always add indexes on columns used in RLS policies:
+```sql
+create index orders_user_id_idx on orders (user_id);
+```
+Reference: [RLS Performance](https://supabase.com/docs/guides/database/postgres/row-level-security#rls-performance-recommendations)

package/src/server/index.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import type { Plugin } from "@opencode-ai/plugin";
 import { createServerLogWriter, createSupabaseLogger } from "../shared/log.ts";
 import { createSupabaseAuth } from "./auth.ts";
+import { registerSupabaseSkillPaths } from "./skills.ts";
 import { createSupabaseTools } from "./tools.ts";
 const server: Plugin = async (input, options) => {
@@ -10,6 +11,11 @@ const server: Plugin = async (input, options) => {
   });
   return {
+    config: async (config) => {
+      registerSupabaseSkillPaths(config, options, {
+        warn: (message, data) => logger.warn(message, data as Record<string, unknown>),
+      });
+    },
     auth: createSupabaseAuth(input, options, { logger }),
     tool: createSupabaseTools(input, options, { logger }),
   };

package/src/server/skills.ts ADDED Viewed

@@ -0,0 +1,84 @@
+import fs from "node:fs";
+import path from "node:path";
+export const BUNDLED_SUPABASE_SKILLS = [
+  "supabase",
+  "supabase-postgres-best-practices",
+] as const;
+export type BundledSupabaseSkill = (typeof BUNDLED_SUPABASE_SKILLS)[number];
+type Warn = (message: string, data?: unknown) => void;
+type ResolverDeps = {
+  warn?: Warn;
+};
+type RegisterDeps = ResolverDeps & {
+  skillsRoot?: string;
+  exists?: (path: string) => boolean;
+};
+type ConfigWithSkills = object & {
+  skills?: {
+    paths?: string[];
+  };
+};
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function pluginSkillsOption(options: unknown) {
+  if (!isRecord(options) || !("skills" in options)) return true;
+  return options.skills;
+}
+export function resolveEnabledSupabaseSkills(options: unknown, deps: ResolverDeps = {}) {
+  const value = pluginSkillsOption(options);
+  if (value === false) return [];
+  if (value === true || value === undefined) return [...BUNDLED_SUPABASE_SKILLS];
+  if (!isRecord(value)) {
+    deps.warn?.("invalid Supabase skills option; loading bundled skills", { value });
+    return [...BUNDLED_SUPABASE_SKILLS];
+  }
+  const known = new Set<string>(BUNDLED_SUPABASE_SKILLS);
+  for (const key of Object.keys(value)) {
+    if (!known.has(key)) {
+      deps.warn?.("unknown Supabase bundled skill option ignored", { skill: key });
+    }
+  }
+  return BUNDLED_SUPABASE_SKILLS.filter((skill) => value[skill] !== false);
+}
+export function defaultSkillsRoot() {
+  return path.resolve(path.dirname(new URL(import.meta.url).pathname), "../../skills");
+}
+export function registerSupabaseSkillPaths(
+  config: object,
+  options: unknown,
+  deps: RegisterDeps = {},
+) {
+  const configWithSkills = config as ConfigWithSkills;
+  const skillsRoot = deps.skillsRoot ?? defaultSkillsRoot();
+  const exists = deps.exists ?? fs.existsSync;
+  const enabled = resolveEnabledSupabaseSkills(options, deps);
+  configWithSkills.skills = configWithSkills.skills ?? {};
+  configWithSkills.skills.paths = configWithSkills.skills.paths ?? [];
+  for (const skill of enabled) {
+    const skillPath = path.join(skillsRoot, skill);
+    if (!exists(skillPath)) {
+      deps.warn?.("bundled Supabase skill directory not found", { skill, path: skillPath });
+      continue;
+    }
+    if (!configWithSkills.skills.paths.includes(skillPath)) {
+      configWithSkills.skills.paths.push(skillPath);
+    }
+  }
+}

package/src/tui/commands.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 export function createSupabaseCommand(openDialog: () => void) {
   return {
-    title: "Connect Supabase",
+    title: "Connect to Supabase",
     value: "supabase.connect",
     slash: { name: "supabase" },
     onSelect: openDialog,

package/src/tui/dialog.tsx CHANGED Viewed

@@ -1,5 +1,7 @@
 import type { TuiPluginApi } from "@opencode-ai/plugin/tui";
-import { createSignal } from "solid-js";
+import { RGBA, SyntaxStyle, TextAttributes } from "@opentui/core";
+import { createSignal, onCleanup } from "solid-js";
+import type { JSX } from "solid-js";
 import { formatAuthError } from "../shared/auth-errors.ts";
 import type { SupabaseLogger } from "../shared/log.ts";
@@ -13,9 +15,24 @@ type SupabaseDialogProps = {
     closed: boolean;
     dismissed?: boolean;
     preflightPromise?: Promise<void>;
+    onboardingPromptSent?: boolean;
+    chatSessionID?: string;
   };
 };
+const ONBOARDING_MESSAGE = `Supabase is connected.
+You can ask me about:
+- your organizations and projects
+- API keys for a project
+- available database regions
+- creating a new project
+Try this:
+list my Supabase projects`;
+const onboardedSessionIDsByApi = new WeakMap<TuiPluginApi, Set<string>>();
 type OAuthState =
   | { type: "checking_auth" }
   | { type: "idle" }
@@ -43,13 +60,115 @@ type AuthFlowContext = {
   api: TuiPluginApi;
   logger: SupabaseLogger;
   setState: (state: OAuthState) => void;
-  onSuccess: () => void;
+  onSuccess: () => void | Promise<void>;
 };
+const SPINNER_FRAMES = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+const FALLBACK_THEME = {
+  primary: RGBA.fromHex("#347d95"),
+  selectedListItemText: RGBA.fromHex("#ffffff"),
+  text: RGBA.fromHex("#f8f5ea"),
+  textMuted: RGBA.fromHex("#9f97aa"),
+  backgroundPanel: RGBA.fromHex("#f8f5ea"),
+  markdownText: RGBA.fromHex("#5f5875"),
+  markdownHeading: RGBA.fromHex("#5f5875"),
+  markdownLink: RGBA.fromHex("#347d95"),
+  markdownStrong: RGBA.fromHex("#5f5875"),
+  markdownEmph: RGBA.fromHex("#8a6f00"),
+  markdownCode: RGBA.fromHex("#2e7d32"),
+  markdownListItem: RGBA.fromHex("#347d95"),
+  markdownBlockQuote: RGBA.fromHex("#8a6f00"),
+};
+type DialogTheme = typeof FALLBACK_THEME;
 function getErrorMessage(error: unknown) {
   return error instanceof Error ? error.message : String(error);
 }
+function getDialogTheme(api: TuiPluginApi): DialogTheme {
+  return {
+    ...FALLBACK_THEME,
+    ...((api as { theme?: { current?: Partial<DialogTheme> } }).theme?.current ?? {}),
+  } as DialogTheme;
+}
+function createMarkdownSyntax(theme: DialogTheme) {
+  return SyntaxStyle.fromTheme([
+    { scope: ["markup.heading"], style: { foreground: theme.markdownHeading, bold: true } },
+    { scope: ["markup.bold", "markup.strong"], style: { foreground: theme.markdownStrong, bold: true } },
+    { scope: ["markup.italic"], style: { foreground: theme.markdownEmph, italic: true } },
+    { scope: ["markup.raw", "markup.raw.block", "markup.raw.inline"], style: { foreground: theme.markdownCode } },
+    { scope: ["markup.link", "markup.link.url"], style: { foreground: theme.markdownLink, underline: true } },
+    { scope: ["markup.list"], style: { foreground: theme.markdownListItem } },
+    { scope: ["markup.quote"], style: { foreground: theme.markdownBlockQuote, italic: true } },
+    { scope: ["conceal"], style: { foreground: theme.textMuted } },
+  ]);
+}
+function SpinnerLabel(props: { text: string; color: DialogTheme["textMuted"] }) {
+  const [frame, setFrame] = createSignal(0);
+  const interval = setInterval(() => {
+    setFrame((index) => (index + 1) % SPINNER_FRAMES.length);
+  }, 80).unref();
+  onCleanup(() => clearInterval(interval));
+  return (
+    <box flexDirection="row" gap={1}>
+      <text fg={props.color}>{SPINNER_FRAMES[frame()]}</text>
+      <text fg={props.color}>{props.text}</text>
+    </box>
+  );
+}
+function SupabaseSpinnerDialog(props: {
+  api: TuiPluginApi;
+  title: string;
+  status: string;
+  body?: string;
+  dismissible?: boolean;
+  size?: "medium" | "large" | "xlarge";
+  onClose: () => void;
+}): JSX.Element {
+  const theme = getDialogTheme(props.api);
+  const syntax = createMarkdownSyntax(theme);
+  props.api.ui.dialog.setSize(props.size ?? "medium");
+  return Object.assign(() => (
+    <box paddingLeft={2} paddingRight={2} gap={1} paddingBottom={1}>
+      <box flexDirection="row" justifyContent="space-between">
+        <text attributes={TextAttributes.BOLD} fg={theme.text}>
+          {props.title}
+        </text>
+        {props.dismissible ? (
+          <text fg={theme.textMuted} onMouseUp={props.onClose}>
+            esc
+          </text>
+        ) : (
+          <text fg={theme.textMuted}> </text>
+        )}
+      </box>
+      <box paddingTop={1} paddingBottom={props.body ? 0 : 1}>
+        <SpinnerLabel text={props.status} color={theme.textMuted} />
+      </box>
+      {props.body ? (
+        <box paddingBottom={props.dismissible ? 0 : 1}>
+          <markdown content={props.body} syntaxStyle={syntax} fg={theme.markdownText} bg={theme.backgroundPanel} />
+        </box>
+      ) : undefined}
+      {props.dismissible ? (
+        <box flexDirection="row" justifyContent="flex-end" paddingTop={1}>
+          <box paddingLeft={3} paddingRight={3} backgroundColor={theme.primary} onMouseUp={props.onClose}>
+            <text fg={theme.selectedListItemText}>Dismiss</text>
+          </box>
+        </box>
+      ) : undefined}
+    </box>
+  ), { onClose: props.dismissible ? props.onClose : () => undefined });
+}
 function parseAuthStatus(instructions: string): AuthStatus {
   const parsed = JSON.parse(instructions) as Partial<AuthStatus>;
   if (
@@ -74,6 +193,71 @@ async function openBrowser(url: string, logger: SupabaseLogger) {
   }
 }
+async function ensureChatSession(api: TuiPluginApi) {
+  const currentRoute = api.route.current;
+  let sessionID =
+    currentRoute.name === "session" ? (currentRoute.params as { sessionID?: string } | undefined)?.sessionID : undefined;
+  if (!sessionID && currentRoute.name === "home") {
+    const response = await api.client.session.create({});
+    sessionID = (response.data as { id?: string } | undefined)?.id;
+    if (sessionID) {
+      api.route.navigate("session", { sessionID });
+    }
+  }
+  return sessionID;
+}
+async function injectOnboardingPrompt(
+  api: TuiPluginApi,
+  logger: SupabaseLogger,
+  lifecycle: NonNullable<SupabaseDialogProps["lifecycle"]>,
+) {
+  if (lifecycle.onboardingPromptSent) {
+    return;
+  }
+  if (!lifecycle.chatSessionID) {
+    await logger.warn("supabase onboarding prompt skipped", {
+      reason: "missing_session",
+    });
+    return;
+  }
+  const sessionID = lifecycle.chatSessionID;
+  const onboardedSessionIDs = onboardedSessionIDsByApi.get(api) ?? new Set<string>();
+  onboardedSessionIDsByApi.set(api, onboardedSessionIDs);
+  if (onboardedSessionIDs.has(sessionID)) {
+    lifecycle.onboardingPromptSent = true;
+    return;
+  }
+  lifecycle.onboardingPromptSent = true;
+  onboardedSessionIDs.add(sessionID);
+  try {
+    await api.client.session.promptAsync({
+      sessionID,
+      noReply: true,
+      parts: [
+        {
+          type: "text",
+          text: ONBOARDING_MESSAGE,
+          ignored: true,
+        },
+      ],
+    });
+  } catch (error) {
+    lifecycle.onboardingPromptSent = false;
+    onboardedSessionIDs.delete(sessionID);
+    await logger.warn("supabase onboarding prompt failed", {
+      message: getErrorMessage(error),
+    });
+  }
+}
 export async function runAuthFlow(context: AuthFlowContext) {
   let authURL: string | undefined;
   let completed = false;
@@ -145,7 +329,7 @@ export async function runAuthFlow(context: AuthFlowContext) {
   if (completed) {
     try {
-      context.onSuccess();
+      await context.onSuccess();
     } catch (error) {
       await context.logger.error("supabase auth success handler failed", {
         message: getErrorMessage(error),
@@ -227,7 +411,6 @@ export function SupabaseDialog(props: SupabaseDialogProps) {
     if (nextState.type === "success") {
       if (lifecycle.dismissed) {
-        // User dismissed waiting dialog; stay silent
         return;
       }
       props.api.ui.dialog.replace(() =>
@@ -249,15 +432,29 @@ export function SupabaseDialog(props: SupabaseDialogProps) {
     );
   };
-  const startOAuth = () =>
-    runAuthFlow({
+  const startOAuth = async () => {
+    lifecycle.dismissed = false;
+    if (!lifecycle.chatSessionID) {
+      lifecycle.chatSessionID = await ensureChatSession(props.api);
+    }
+    return runAuthFlow({
       api: props.api,
       logger: props.logger,
       setState,
       onSuccess: () => {
-        // Success dialog handles user-facing confirmation
+        if (lifecycle.dismissed) {
+          props.api.ui.toast({ message: "Supabase connected" });
+          return;
+        }
+        if (lifecycle.closed) {
+          return;
+        }
+        return injectOnboardingPrompt(props.api, props.logger, lifecycle);
       },
     });
+  };
   const retryPreflight = () => {
     if (lifecycle.preflightPromise) {
@@ -282,6 +479,7 @@ export function SupabaseDialog(props: SupabaseDialogProps) {
         method: 1,
         inputs: { action: "disconnect" },
       });
+      props.api.ui.toast({ message: "Disconnected from Supabase" });
       closeDialog();
     } catch (error) {
       await props.logger.warn("supabase disconnect failed", {
@@ -304,18 +502,19 @@ export function SupabaseDialog(props: SupabaseDialogProps) {
       void retryPreflight();
     });
-    return props.api.ui.DialogAlert({
-      title: "Connect Supabase",
-      message: "Checking Supabase connection...",
-      onConfirm: () => closeDialog(true),
+    return SupabaseSpinnerDialog({
+      api: props.api,
+      title: "Connect to Supabase",
+      status: "Checking Supabase connection...",
+      body: "No action needed. This should only take a few seconds.",
+      onClose: () => undefined,
     });
   }
   if (currentState.type === "idle") {
     return props.api.ui.DialogConfirm({
-      title: "Connect Supabase",
-      message:
-        "This will open a browser window to authorize OpenCode to access your Supabase account. Continue?",
+      title: "Connect your Supabase account",
+      message: "Open your browser to authorize OpenCode to access your Supabase account.",
       onConfirm: startOAuth,
       onCancel: closeDialog,
     });
@@ -323,25 +522,36 @@ export function SupabaseDialog(props: SupabaseDialogProps) {
   if (currentState.type === "authorizing") {
     if (!currentState.url) {
-    return props.api.ui.DialogAlert({
-      title: "Connect Supabase",
-      message: "Starting authorization...",
-      onConfirm: () => closeDialog(true),
-    });
+      return SupabaseSpinnerDialog({
+        api: props.api,
+        title: "Connect to Supabase",
+        status: "Starting authorization...",
+        body: "Opening your browser. You can close this dialog; auth completes only after browser approval.",
+        dismissible: true,
+        onClose: () => closeDialog(true),
+      });
     }
-    return props.api.ui.DialogAlert({
-      title: "Connect Supabase",
-      message: `Complete authorization in your browser.\n\nIf the browser did not open, visit:\n${currentState.url}\n\nWaiting for authorization...`,
-      onConfirm: () => closeDialog(true),
+    return SupabaseSpinnerDialog({
+      api: props.api,
+      title: "Connect to Supabase",
+      status: "Waiting for browser authorization...",
+      body: `Complete authorization in your browser.\n\nIf the browser did not open, visit:\n${currentState.url}\n\nYou can close this dialog; auth completes only after browser approval.`,
+      dismissible: true,
+      size: "large",
+      onClose: () => closeDialog(true),
     });
   }
   if (currentState.type === "waiting_callback") {
-    return props.api.ui.DialogAlert({
-      title: "Connect Supabase",
-      message: `Complete authorization in your browser.\n\nIf the browser did not open, visit:\n${currentState.url}\n\nWaiting for authorization...`,
-      onConfirm: () => closeDialog(true),
+    return SupabaseSpinnerDialog({
+      api: props.api,
+      title: "Connect to Supabase",
+      status: "Waiting for browser authorization...",
+      body: `Complete authorization in your browser.\n\nIf the browser did not open, visit:\n${currentState.url}\n\nYou can close this dialog; auth completes only after browser approval.`,
+      dismissible: true,
+      size: "large",
+      onClose: () => closeDialog(true),
     });
   }
@@ -360,9 +570,15 @@ export function SupabaseDialog(props: SupabaseDialogProps) {
   if (currentState.type === "already_connected") {
     return props.api.ui.DialogConfirm({
-      title: "Already connected to Supabase",
-      message: "Your saved Supabase login is ready to use. Continue to close this dialog, or disconnect to sign out.",
-      onConfirm: closeDialog,
+      title: "You're all set",
+      message: "Your Supabase account is connected and ready to go.\n\nClose this dialog to continue, or disconnect to sign out.",
+      onConfirm: async () => {
+        if (!lifecycle.chatSessionID) {
+          lifecycle.chatSessionID = await ensureChatSession(props.api);
+        }
+        await injectOnboardingPrompt(props.api, props.logger, lifecycle);
+        closeDialog();
+      },
       onCancel: disconnect,
       label: "Disconnect",
     } as import("./opencode-runtime-extensions.ts").DialogConfirmWithLabel);
@@ -377,22 +593,9 @@ export function SupabaseDialog(props: SupabaseDialogProps) {
     });
   }
-  return props.api.ui.DialogConfirm({
+  return props.api.ui.DialogAlert({
     title: "Connected to Supabase",
-    message:
-      "Your account is ready. Try asking:\n\n  list my Supabase projects\n  list my Supabase organizations\n  for organization <name>, list available regions\n\nRun an example?",
-    onConfirm: async () => {
-      try {
-        await props.api.client.tui.appendPrompt({
-          text: "list my Supabase projects",
-        });
-      } catch (error) {
-        await props.logger.warn("supabase append prompt failed", {
-          message: getErrorMessage(error),
-        });
-      }
-      closeDialog();
-    },
-    onCancel: closeDialog,
+    message: "Your account is ready. Close this dialog and ask me to list your Supabase projects.",
+    onConfirm: closeDialog,
   });
 }