opencode-supabase 0.1.2-alpha.2 → 0.2.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-supabase",
-  "version": "0.1.2-alpha.2",
+  "version": "0.2.1",
   "type": "module",
   "description": "OpenCode plugin for Supabase integration with server and TUI components",
   "license": "Apache-2.0",

package/src/server/auth.ts

@@ -12,6 +12,7 @@ import type { SupabaseLogger } from "../shared/log.ts";
 import { buildAuthorizeUrl, generatePKCE, generateState } from "../shared/oauth.ts";
 import type { FetchLike, SupabaseTokenResponse } from "../shared/types.ts";
 import { HTML_SUCCESS, htmlError } from "./auth-html.ts";
+import type { SavedStateNotice } from "./store.ts";
 import { readSavedAuth, writeSavedAuth } from "./store.ts";
 import { NOT_CONNECTED_MESSAGE, disconnectSupabaseAuth, ensureSupabaseToolAuth } from "./tools.ts";
 
@@ -44,6 +45,7 @@ type SupabaseStatusInstructions =
   | {
       status: "disconnected";
       checked: false;
+      notice?: SavedStateNotice;
     }
   | {
       status: "refresh_required";
@@ -63,10 +65,14 @@ function encodeStatusInstructions(status: SupabaseStatusInstructions) {
   return JSON.stringify(status);
 }
 
-async function getStatusInstructions(input: Pick<SupabaseAuthInput, "directory" | "worktree">) {
-  const saved = await readSavedAuth(input);
+async function getStatusInstructions(input: Pick<SupabaseAuthInput, "directory" | "worktree">, deps: AuthDeps = {}) {
+  const saved = await readSavedAuth(input, { logger: deps.logger });
   if (!saved.auth) {
-    return encodeStatusInstructions({ status: "disconnected", checked: false });
+    return encodeStatusInstructions(
+      saved.notice
+        ? { status: "disconnected", checked: false, notice: saved.notice }
+        : { status: "disconnected", checked: false },
+    );
   }
 
   if (!isRefreshNeeded(saved.auth.expires)) {
@@ -360,7 +366,7 @@ export function createSupabaseAuth(
             };
           }
 
-          const instructions = await getStatusInstructions(input);
+          const instructions = await getStatusInstructions(input, deps);
           const status = JSON.parse(instructions) as SupabaseStatusInstructions;
 
           if (status.status !== "refresh_required") {

package/src/server/store.ts

@@ -1,21 +1,274 @@
-import { mkdir } from "node:fs/promises";
+import { randomUUID } from "node:crypto";
+import { mkdir, open, rename, unlink } from "node:fs/promises";
 import { dirname, join, relative, resolve, sep } from "node:path";
 import type { PluginInput } from "@opencode-ai/plugin";
 
+import type { SupabaseLogger } from "../shared/log.ts";
+
 type StoreInput = Pick<PluginInput, "directory" | "worktree">;
 
+type StoreDeps = {
+  now?: () => Date;
+  logger?: Pick<SupabaseLogger, "warn">;
+};
+
 export type SavedAuth = {
   access: string;
   refresh: string;
   expires: number;
 };
 
+export type SavedStateNotice = {
+  type: "auth_store_reset";
+  message: string;
+  backupPath: string;
+};
+
 export type SavedState = {
   version: 1;
   auth?: SavedAuth;
+  notice?: SavedStateNotice;
 };
 
 const STORE_FILE = "supabase-auth.json";
+const AUTH_STORE_RESET_MESSAGE = "Supabase auth was reset because the local auth store was corrupted. Reconnect to continue.";
+const RECOVERY_LOCK_SUFFIX = ".recovering.lock";
+const RECOVERY_MAX_WAIT_MS = 5000;
+const RECOVERY_POLL_MS = 50;
+const RECOVERY_LOCK_STALE_MS = 10_000;
+const inFlightRecoveries = new Map<string, Promise<SavedState>>();
+
+type RecoveryLockMetadata = {
+  startedAt?: number;
+  token?: string;
+};
+
+type RecoveryLock = {
+  fd: import("node:fs/promises").FileHandle;
+  token: string;
+};
+
+async function readLockMetadata(lockPath: string): Promise<RecoveryLockMetadata> {
+  try {
+    const text = await Bun.file(lockPath).text();
+    return JSON.parse(text) as { startedAt?: number };
+  } catch {
+    return {};
+  }
+}
+
+async function isStaleLock(lockPath: string): Promise<boolean> {
+  const metadata = await readLockMetadata(lockPath);
+  if (typeof metadata.startedAt !== "number" || !Number.isFinite(metadata.startedAt)) return true;
+  return Date.now() - metadata.startedAt > RECOVERY_LOCK_STALE_MS;
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+function normalizeAuth(value: unknown): SavedAuth | undefined {
+  if (value === undefined) {
+    return undefined;
+  }
+
+  if (!isRecord(value)) {
+    throw new Error("Invalid Supabase auth store auth shape");
+  }
+
+  if (
+    typeof value.access !== "string" ||
+    typeof value.refresh !== "string" ||
+    typeof value.expires !== "number" ||
+    !Number.isFinite(value.expires)
+  ) {
+    throw new Error("Invalid Supabase auth store auth shape");
+  }
+
+  return {
+    access: value.access,
+    refresh: value.refresh,
+    expires: value.expires,
+  };
+}
+
+function normalizeNotice(value: unknown): SavedStateNotice | undefined {
+  if (value === undefined) {
+    return undefined;
+  }
+
+  if (!isRecord(value)) {
+    throw new Error("Invalid Supabase auth store notice shape");
+  }
+
+  if (
+    value.type !== "auth_store_reset" ||
+    typeof value.message !== "string" ||
+    typeof value.backupPath !== "string"
+  ) {
+    throw new Error("Invalid Supabase auth store notice shape");
+  }
+
+  return {
+    type: "auth_store_reset",
+    message: value.message,
+    backupPath: value.backupPath,
+  };
+}
+
+function normalizeState(value: unknown): SavedState {
+  if (!isRecord(value)) {
+    throw new Error("Invalid Supabase auth store shape");
+  }
+
+  if (value.version !== 1) {
+    throw new Error("Unsupported Supabase auth store version");
+  }
+
+  const auth = normalizeAuth(value.auth);
+  const notice = normalizeNotice(value.notice);
+
+  return {
+    version: 1,
+    ...(auth ? { auth } : {}),
+    ...(notice ? { notice } : {}),
+  };
+}
+
+async function backupFile(path: string, now: () => Date) {
+  const timestamp = now().toISOString().replace(/[:.]/g, "-");
+  let candidate = join(dirname(path), `supabase-auth.corrupt-${timestamp}.json`);
+  let counter = 1;
+  while (await Bun.file(candidate).exists()) {
+    candidate = join(dirname(path), `supabase-auth.corrupt-${timestamp}-${counter}.json`);
+    counter++;
+  }
+  return candidate;
+}
+
+async function writeState(path: string, state: SavedState): Promise<void> {
+  await mkdir(dirname(path), { recursive: true });
+  await Bun.write(path, JSON.stringify(state, null, 2));
+}
+
+async function acquireRecoveryLock(lockPath: string): Promise<RecoveryLock | undefined> {
+  async function tryCreate(): Promise<RecoveryLock | undefined> {
+    try {
+      const fd = await open(lockPath, "wx");
+      const token = randomUUID();
+      const metadata = JSON.stringify({ startedAt: Date.now(), token });
+      await fd.write(metadata, 0, "utf8");
+      return { fd, token };
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code === "EEXIST") {
+        return undefined;
+      }
+      throw error;
+    }
+  }
+
+  const lock = await tryCreate();
+  if (lock) return lock;
+
+  // Lock exists; check if stale and take over if so.
+  if (await isStaleLock(lockPath)) {
+    try {
+      await unlink(lockPath);
+    } catch {
+      // Another process may have already removed it.
+    }
+    return tryCreate();
+  }
+
+  return undefined;
+}
+
+async function releaseRecoveryLock(lock: RecoveryLock, lockPath: string): Promise<void> {
+  try {
+    await lock.fd.close();
+  } catch {}
+  try {
+    const metadata = await readLockMetadata(lockPath);
+    if (metadata.token === lock.token) {
+      await unlink(lockPath);
+    }
+  } catch {}
+}
+
+async function waitForRecoveredState(path: string, deps: StoreDeps): Promise<SavedState> {
+  const startedAt = Date.now();
+  while (Date.now() - startedAt < RECOVERY_MAX_WAIT_MS) {
+    try {
+      const text = await Bun.file(path).text();
+      return normalizeState(JSON.parse(text));
+    } catch {
+      // not ready yet
+    }
+    await new Promise((resolve) => setTimeout(resolve, RECOVERY_POLL_MS));
+  }
+  throw new Error("Supabase auth store recovery timed out waiting for another process");
+}
+
+async function recoverCorruptStoreOnce(path: string, error: unknown, deps: StoreDeps): Promise<SavedState> {
+  const existing = inFlightRecoveries.get(path);
+  if (existing) return existing;
+
+  const recovery = (async () => {
+    const lockPath = path + RECOVERY_LOCK_SUFFIX;
+    const lock = await acquireRecoveryLock(lockPath);
+    if (!lock) {
+      return waitForRecoveredState(path, deps);
+    }
+
+    try {
+      // Re-read under lock in case another process already fixed it.
+      try {
+        const text = await Bun.file(path).text();
+        const state = normalizeState(JSON.parse(text));
+        return state;
+      } catch {
+        // still corrupt or missing
+      }
+
+      const backupPath = await backupFile(path, deps.now ?? (() => new Date()));
+      const state: SavedState = {
+        version: 1,
+        notice: {
+          type: "auth_store_reset",
+          message: AUTH_STORE_RESET_MESSAGE,
+          backupPath,
+        },
+      };
+
+      await mkdir(dirname(path), { recursive: true });
+      try {
+        await rename(path, backupPath);
+      } catch (renameError) {
+        if ((renameError as NodeJS.ErrnoException).code === "ENOENT") {
+          // Store disappeared before we could back it up; write clean state directly.
+          await writeState(path, { version: 1 });
+          return { version: 1 } as SavedState;
+        }
+        throw renameError;
+      }
+      await writeState(path, state);
+      await deps.logger?.warn("supabase auth store reset", {
+        reason: error instanceof Error ? error.message : String(error),
+        path,
+        backupPath,
+      });
+
+      return state;
+    } finally {
+      await releaseRecoveryLock(lock, lockPath);
+    }
+  })().finally(() => {
+    inFlightRecoveries.delete(path);
+  });
+
+  inFlightRecoveries.set(path, recovery);
+  return recovery;
+}
 
 // Use worktree only when it is non-root and directory is equal to or inside it;
 // otherwise fall back to the session directory.
@@ -46,32 +299,38 @@ export function file(input: StoreInput): string {
   return join(root, ".opencode", STORE_FILE);
 }
 
-export async function read(input: StoreInput): Promise<SavedState> {
-  const authFile = Bun.file(file(input));
+export async function read(input: StoreInput, deps: StoreDeps = {}): Promise<SavedState> {
+  const path = file(input);
+  const authFile = Bun.file(path);
   if (!(await authFile.exists())) {
+    const lockPath = path + RECOVERY_LOCK_SUFFIX;
+    if ((await Bun.file(lockPath).exists()) && !(await isStaleLock(lockPath))) {
+      return waitForRecoveredState(path, deps);
+    }
     return { version: 1 };
   }
 
-  const parsed = JSON.parse(await authFile.text()) as SavedState;
-  if (parsed.version !== 1) {
-    throw new Error("Unsupported Supabase auth store version");
+  try {
+    return normalizeState(JSON.parse(await authFile.text()));
+  } catch (error) {
+    return recoverCorruptStoreOnce(path, error, deps);
   }
-  return parsed.auth ? { version: 1, auth: parsed.auth } : { version: 1 };
 }
 
 export async function write(input: StoreInput, auth: SavedAuth): Promise<void> {
-  const path = file(input);
-  await mkdir(dirname(path), { recursive: true });
-  await Bun.write(path, JSON.stringify({ version: 1, auth }, null, 2));
+  await writeState(file(input), { version: 1, auth });
+}
+
+export async function writeNotice(input: StoreInput, notice: SavedStateNotice): Promise<void> {
+  await writeState(file(input), { version: 1, notice });
 }
 
 export async function clear(input: StoreInput): Promise<void> {
-  const path = file(input);
-  await mkdir(dirname(path), { recursive: true });
-  await Bun.write(path, JSON.stringify({ version: 1 }, null, 2));
+  await writeState(file(input), { version: 1 });
 }
 
 export const getStoreFile = file;
 export const readSavedAuth = read;
 export const writeSavedAuth = write;
+export const writeSavedAuthNotice = writeNotice;
 export const clearSavedAuth = clear;

package/src/server/tools.ts

@@ -10,11 +10,19 @@ import {
 import { readSupabaseConfig } from "../shared/cfg.ts";
 import type { SupabaseLogger } from "../shared/log.ts";
 import type { FetchLike } from "../shared/types.ts";
-import { type SavedAuth, clearSavedAuth, getStoreFile, readSavedAuth, writeSavedAuth } from "./store.ts";
+import {
+  type SavedAuth,
+  type SavedStateNotice,
+  clearSavedAuth,
+  getStoreFile,
+  readSavedAuth,
+  writeSavedAuth,
+} from "./store.ts";
 
 type ToolDeps = {
   fetch?: FetchLike;
   logger?: SupabaseLogger;
+  now?: () => Date;
 };
 
 type InFlightRefresh = {
@@ -59,6 +67,7 @@ export type SupabaseAuthStatus =
   | {
       status: "disconnected";
       checked: boolean;
+      notice?: SavedStateNotice;
     }
   | {
       status: "unknown";
@@ -70,6 +79,18 @@ export const NOT_CONNECTED_MESSAGE = "Supabase is not connected. Run /supabase f
 const REFRESH_BUFFER_MS = 30_000;
 const inFlightRefreshes = new Map<string, InFlightRefresh>();
 
+function formatAuthNoticeForTool(notice: SavedStateNotice) {
+  return `${notice.message.replace(". Reconnect to continue.", ".")}\n\nThe corrupted file was preserved here:\n${notice.backupPath}\n\nRun /supabase to reconnect, then retry this tool.`;
+}
+
+async function throwAuthNotice(input: SupabaseToolInput, notice: SavedStateNotice, deps: ToolDeps): Promise<never> {
+  const fetchImpl = deps.fetch ?? fetch;
+  try {
+    await clearHostAuth(input, fetchImpl);
+  } catch {}
+  throw new Error(formatAuthNoticeForTool(notice));
+}
+
 function isRefreshNeeded(auth: SavedAuth) {
   return auth.expires <= Date.now() + REFRESH_BUFFER_MS;
 }
@@ -236,9 +257,11 @@ export async function getSupabaseAuthStatus(
   options?: PluginOptions,
   deps: ToolDeps = {},
 ): Promise<SupabaseAuthStatus> {
-  const saved = await readSavedAuth(input);
+  const saved = await readSavedAuth(input, { logger: deps.logger, now: deps.now });
   if (!saved.auth) {
-    return { status: "disconnected", checked: false };
+    return saved.notice
+      ? { status: "disconnected", checked: false, notice: saved.notice }
+      : { status: "disconnected", checked: false };
   }
 
   if (!isRefreshNeeded(saved.auth)) {
@@ -249,6 +272,11 @@ export async function getSupabaseAuthStatus(
     const auth = await ensureSupabaseToolAuth(input, options, deps);
     return { status: "connected", auth, checked: true };
   } catch (error) {
+    const latest = await readSavedAuth(input, { logger: deps.logger, now: deps.now });
+    if (!latest.auth && latest.notice) {
+      return { status: "disconnected", checked: true, notice: latest.notice };
+    }
+
     const message = error instanceof Error ? error.message : String(error);
     if (message === NOT_CONNECTED_MESSAGE) {
       return { status: "disconnected", checked: true };
@@ -264,8 +292,11 @@ export async function ensureSupabaseToolAuth(
   deps: ToolDeps = {},
 ): Promise<SavedAuth> {
   const refreshKey = getStoreFile(input);
-  const saved = await readSavedAuth(input);
+  const saved = await readSavedAuth(input, { logger: deps.logger, now: deps.now });
   if (!saved.auth) {
+    if (saved.notice) {
+      await throwAuthNotice(input, saved.notice, deps);
+    }
     throw new Error(NOT_CONNECTED_MESSAGE);
   }
 
@@ -281,6 +312,13 @@ export async function ensureSupabaseToolAuth(
         try {
           await clearHostAuth(input, fetchImpl);
         } catch {}
+      } else {
+        const latest = await readSavedAuth(input, { logger: deps.logger, now: deps.now });
+        if (!latest.auth && latest.notice) {
+          try {
+            await clearHostAuth(input, fetchImpl);
+          } catch {}
+        }
       }
       throw error;
     }
@@ -300,8 +338,11 @@ export async function ensureSupabaseToolAuth(
   };
   const refreshPromise = (async () => {
     const fetchImpl = deps.fetch ?? fetch;
-    const current = await readSavedAuth(input);
+    const current = await readSavedAuth(input, { logger: deps.logger, now: deps.now });
     if (!current.auth) {
+      if (current.notice) {
+        await throwAuthNotice(input, current.notice, deps);
+      }
       throw new Error(NOT_CONNECTED_MESSAGE);
     }
 
@@ -325,8 +366,11 @@ export async function ensureSupabaseToolAuth(
         expires: Date.now() + (refreshed.expires_in ?? 3600) * 1000,
       };
 
-      const latest = await readSavedAuth(input);
+      const latest = await readSavedAuth(input, { logger: deps.logger, now: deps.now });
       if (!latest.auth) {
+        if (latest.notice) {
+          await throwAuthNotice(input, latest.notice, deps);
+        }
         throw new Error(NOT_CONNECTED_MESSAGE);
       }
 
@@ -337,23 +381,26 @@ export async function ensureSupabaseToolAuth(
       await writeSavedAuth(input, nextAuth);
       return nextAuth;
     } catch (error) {
-      if (error instanceof BrokerClientError && (error.status === 401 || error.status === 400)) {
-        const latest = await readSavedAuth(input);
+      if (error instanceof BrokerClientError) {
+        const latest = await readSavedAuth(input, { logger: deps.logger, now: deps.now });
         if (!isSameAuth(latest.auth, current.auth)) {
           if (latest.auth) {
             return latest.auth;
           }
+          if (latest.notice) {
+            await throwAuthNotice(input, latest.notice, deps);
+          }
           throw new Error(NOT_CONNECTED_MESSAGE);
         }
 
-        await clearSavedAuth(input);
-        try {
-          await clearHostAuth(input, fetchImpl);
-        } catch {}
-        throw new Error(NOT_CONNECTED_MESSAGE);
-      }
+        if (error.code === "unauthorized") {
+          await clearSavedAuth(input);
+          try {
+            await clearHostAuth(input, fetchImpl);
+          } catch {}
+          throw new Error(NOT_CONNECTED_MESSAGE);
+        }
 
-      if (error instanceof BrokerClientError) {
         throw new Error(`Supabase auth refresh failed: ${error.message}`);
       }
       throw error;
@@ -366,7 +413,7 @@ export async function ensureSupabaseToolAuth(
     })
     .finally(() => {
       if (inFlightRefreshes.get(refreshKey)?.promise === refreshEntry.promise) {
-      inFlightRefreshes.delete(refreshKey);
+        inFlightRefreshes.delete(refreshKey);
       }
     });
 

package/src/tui/dialog.tsx

@@ -37,6 +37,7 @@ type OAuthState =
   | { type: "checking_auth" }
   | { type: "idle" }
   | { type: "already_connected" }
+  | { type: "notice"; notice: AuthNotice }
   | { type: "authorizing"; url: string }
   | { type: "waiting_callback"; url: string }
   | { type: "success" }
@@ -53,9 +54,15 @@ type AuthData = {
 
 type AuthStatus =
   | { status: "connected"; checked: boolean }
-  | { status: "disconnected"; checked: boolean }
+  | { status: "disconnected"; checked: boolean; notice?: AuthNotice }
   | { status: "refresh_required"; checked: true };
 
+type AuthNotice = {
+  type: "auth_store_reset";
+  message: string;
+  backupPath: string;
+};
+
 type AuthFlowContext = {
   api: TuiPluginApi;
   logger: SupabaseLogger;
@@ -169,19 +176,72 @@ function SupabaseSpinnerDialog(props: {
   ), { onClose: props.dismissible ? props.onClose : () => undefined });
 }
 
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+function parseAuthNotice(value: unknown): AuthNotice | undefined {
+  if (!isRecord(value)) {
+    return undefined;
+  }
+
+  if (value.type === "auth_store_reset" && typeof value.message === "string" && typeof value.backupPath === "string") {
+    return {
+      type: "auth_store_reset",
+      message: value.message,
+      backupPath: value.backupPath,
+    };
+  }
+
+  return undefined;
+}
+
 function parseAuthStatus(instructions: string): AuthStatus {
   const parsed = JSON.parse(instructions) as Partial<AuthStatus>;
   if (
     parsed.status === "connected" ||
-    parsed.status === "disconnected" ||
     parsed.status === "refresh_required"
   ) {
     return parsed as AuthStatus;
   }
 
+  if (parsed.status === "disconnected") {
+    return {
+      status: "disconnected",
+      checked: parsed.checked === true,
+      notice: parseAuthNotice(parsed.notice),
+    };
+  }
+
   throw new Error("Invalid Supabase auth status response");
 }
 
+function noticeMessage(notice: AuthNotice) {
+  return `The local Supabase auth file was corrupted, so auth was reset.\n\nThe corrupted file was preserved here:\n${notice.backupPath}\n\nReconnect to continue.`;
+}
+
+async function checkNoticeAfterCallback(context: Pick<AuthFlowContext, "api" | "setState">): Promise<boolean> {
+  try {
+    const authResponse = (await context.api.client.provider.oauth.authorize({
+      providerID: "supabase",
+      method: 1,
+    })) as ApiResponse<AuthData>;
+
+    if (authResponse.error || !authResponse.data?.instructions) {
+      return false;
+    }
+
+    const status = parseAuthStatus(authResponse.data.instructions);
+    if (status.status === "disconnected" && status.notice) {
+      context.setState({ type: "notice", notice: status.notice });
+      return true;
+    }
+  } catch {
+    // ignore secondary errors
+  }
+  return false;
+}
+
 async function openBrowser(url: string, logger: SupabaseLogger) {
   try {
     const open = await import("open");
@@ -363,6 +423,11 @@ export async function runAuthPreflight(context: Pick<AuthFlowContext, "api" | "l
     }
 
     if (status.status === "disconnected") {
+      if (status.notice) {
+        context.setState({ type: "notice", notice: status.notice });
+        return;
+      }
+
       context.setState({ type: "idle" });
       return;
     }
@@ -373,6 +438,7 @@ export async function runAuthPreflight(context: Pick<AuthFlowContext, "api" | "l
     })) as ApiResponse<boolean>;
 
     if (callbackResponse.error) {
+      if (await checkNoticeAfterCallback(context)) return;
       throw new Error(formatAuthError("callback", callbackResponse.error));
     }
 
@@ -381,8 +447,10 @@ export async function runAuthPreflight(context: Pick<AuthFlowContext, "api" | "l
       return;
     }
 
+    if (await checkNoticeAfterCallback(context)) return;
     context.setState({ type: "idle" });
   } catch (error) {
+    if (await checkNoticeAfterCallback(context)) return;
     context.setState({
       type: "unknown",
       message: formatAuthError("unknown", error),
@@ -520,6 +588,15 @@ export function SupabaseDialog(props: SupabaseDialogProps) {
     });
   }
 
+  if (currentState.type === "notice") {
+    return props.api.ui.DialogConfirm({
+      title: "Supabase auth reset",
+      message: noticeMessage(currentState.notice),
+      onConfirm: startOAuth,
+      onCancel: closeDialog,
+    });
+  }
+
   if (currentState.type === "authorizing") {
     if (!currentState.url) {
       return SupabaseSpinnerDialog({