stripe-experiment-sync 1.0.13 → 1.0.15-beta.1766078819

package/dist/chunk-5J4LJ44K.js

@@ -0,0 +1,400 @@
+import {
+  package_default
+} from "./chunk-TPFENIK3.js";
+
+// src/supabase/supabase.ts
+import { SupabaseManagementAPI } from "supabase-management-js";
+
+// raw-ts:/home/runner/work/sync-engine/sync-engine/packages/sync-engine/src/supabase/edge-functions/stripe-setup.ts
+var stripe_setup_default = "import { StripeSync, runMigrations, VERSION } from 'npm:stripe-experiment-sync'\nimport postgres from 'npm:postgres'\n\n// Helper to validate accessToken against Management API\nasync function validateAccessToken(projectRef: string, accessToken: string): Promise<boolean> {\n  // Try to fetch project details using the access token\n  // This validates that the token is valid for the management API\n  const url = `https://api.supabase.com/v1/projects/${projectRef}`\n  const response = await fetch(url, {\n    method: 'GET',\n    headers: {\n      Authorization: `Bearer ${accessToken}`,\n      'Content-Type': 'application/json',\n    },\n  })\n\n  // If we can successfully get the project, the token is valid\n  return response.ok\n}\n\n// Helper to delete edge function via Management API\nasync function deleteEdgeFunction(\n  projectRef: string,\n  functionSlug: string,\n  accessToken: string\n): Promise<void> {\n  const url = `https://api.supabase.com/v1/projects/${projectRef}/functions/${functionSlug}`\n  const response = await fetch(url, {\n    method: 'DELETE',\n    headers: {\n      Authorization: `Bearer ${accessToken}`,\n      'Content-Type': 'application/json',\n    },\n  })\n\n  if (!response.ok && response.status !== 404) {\n    const text = await response.text()\n    throw new Error(`Failed to delete function ${functionSlug}: ${response.status} ${text}`)\n  }\n}\n\n// Helper to delete secrets via Management API\nasync function deleteSecret(\n  projectRef: string,\n  secretName: string,\n  accessToken: string\n): Promise<void> {\n  const url = `https://api.supabase.com/v1/projects/${projectRef}/secrets`\n  const response = await fetch(url, {\n    method: 'DELETE',\n    headers: {\n      Authorization: `Bearer ${accessToken}`,\n      'Content-Type': 'application/json',\n    },\n    body: JSON.stringify([secretName]),\n  })\n\n  if (!response.ok && response.status !== 404) {\n    const text = await response.text()\n    console.warn(`Failed to delete secret ${secretName}: ${response.status} ${text}`)\n  }\n}\n\nDeno.serve(async (req) => {\n  // Extract project ref from SUPABASE_URL (format: https://{projectRef}.{base})\n  const supabaseUrl = Deno.env.get('SUPABASE_URL')\n  if (!supabaseUrl) {\n    return new Response(JSON.stringify({ error: 'SUPABASE_URL not set' }), {\n      status: 500,\n      headers: { 'Content-Type': 'application/json' },\n    })\n  }\n  const projectRef = new URL(supabaseUrl).hostname.split('.')[0]\n\n  // Validate access token for all requests\n  const authHeader = req.headers.get('Authorization')\n  if (!authHeader?.startsWith('Bearer ')) {\n    return new Response('Unauthorized', { status: 401 })\n  }\n\n  const accessToken = authHeader.substring(7) // Remove 'Bearer '\n  const isValid = await validateAccessToken(projectRef, accessToken)\n  if (!isValid) {\n    return new Response('Forbidden: Invalid access token for this project', { status: 403 })\n  }\n\n  // Handle GET requests for status\n  if (req.method === 'GET') {\n    const rawDbUrl = Deno.env.get('SUPABASE_DB_URL')\n    if (!rawDbUrl) {\n      return new Response(JSON.stringify({ error: 'SUPABASE_DB_URL not set' }), {\n        status: 500,\n        headers: { 'Content-Type': 'application/json' },\n      })\n    }\n\n    const dbUrl = rawDbUrl.replace(/[?&]sslmode=[^&]*/g, '').replace(/[?&]$/, '')\n    let sql\n\n    try {\n      sql = postgres(dbUrl, { max: 1, prepare: false })\n\n      // Query installation status from schema comment\n      const commentResult = await sql`\n        SELECT obj_description(oid, 'pg_namespace') as comment\n        FROM pg_namespace\n        WHERE nspname = 'stripe'\n      `\n\n      const comment = commentResult[0]?.comment || null\n      let installationStatus = 'not_installed'\n\n      if (comment && comment.includes('stripe-sync')) {\n        // Parse installation status from comment\n        if (comment.includes('installation:started')) {\n          installationStatus = 'installing'\n        } else if (comment.includes('installation:error')) {\n          installationStatus = 'error'\n        } else if (comment.includes('installed')) {\n          installationStatus = 'installed'\n        }\n      }\n\n      // Query sync runs (only if schema exists)\n      let syncStatus = []\n      if (comment) {\n        try {\n          syncStatus = await sql`\n            SELECT DISTINCT ON (account_id)\n              account_id, started_at, closed_at, status, error_message,\n              total_processed, total_objects, complete_count, error_count,\n              running_count, pending_count, triggered_by, max_concurrent\n            FROM stripe.sync_runs\n            ORDER BY account_id, started_at DESC\n          `\n        } catch (err) {\n          // Ignore errors if sync_runs view doesn't exist yet\n          console.warn('sync_runs query failed (may not exist yet):', err)\n        }\n      }\n\n      return new Response(\n        JSON.stringify({\n          package_version: VERSION,\n          installation_status: installationStatus,\n          sync_status: syncStatus,\n        }),\n        {\n          status: 200,\n          headers: {\n            'Content-Type': 'application/json',\n            'Cache-Control': 'no-cache, no-store, must-revalidate',\n          },\n        }\n      )\n    } catch (error) {\n      console.error('Status query error:', error)\n      return new Response(\n        JSON.stringify({\n          error: error.message,\n          package_version: VERSION,\n          installation_status: 'not_installed',\n        }),\n        {\n          status: 500,\n          headers: { 'Content-Type': 'application/json' },\n        }\n      )\n    } finally {\n      if (sql) await sql.end()\n    }\n  }\n\n  // Handle DELETE requests for uninstall\n  if (req.method === 'DELETE') {\n    let stripeSync = null\n    try {\n      // Get and validate database URL\n      const rawDbUrl = Deno.env.get('SUPABASE_DB_URL')\n      if (!rawDbUrl) {\n        throw new Error('SUPABASE_DB_URL environment variable is not set')\n      }\n      // Remove sslmode from connection string (not supported by pg in Deno)\n      const dbUrl = rawDbUrl.replace(/[?&]sslmode=[^&]*/g, '').replace(/[?&]$/, '')\n\n      // Stripe key is required for uninstall to delete webhooks\n      const stripeKey = Deno.env.get('STRIPE_SECRET_KEY')\n      if (!stripeKey) {\n        throw new Error('STRIPE_SECRET_KEY environment variable is required for uninstall')\n      }\n\n      // Step 1: Delete Stripe webhooks and clean up database\n      stripeSync = new StripeSync({\n        poolConfig: { connectionString: dbUrl, max: 2 },\n        stripeSecretKey: stripeKey,\n      })\n\n      // Delete all managed webhooks\n      const webhooks = await stripeSync.listManagedWebhooks()\n      for (const webhook of webhooks) {\n        try {\n          await stripeSync.deleteManagedWebhook(webhook.id)\n          console.log(`Deleted webhook: ${webhook.id}`)\n        } catch (err) {\n          console.warn(`Could not delete webhook ${webhook.id}:`, err)\n        }\n      }\n\n      // Unschedule pg_cron job\n      try {\n        await stripeSync.postgresClient.query(`\n          DO $$\n          BEGIN\n            IF EXISTS (SELECT 1 FROM cron.job WHERE jobname = 'stripe-sync-worker') THEN\n              PERFORM cron.unschedule('stripe-sync-worker');\n            END IF;\n          END $$;\n        `)\n      } catch (err) {\n        console.warn('Could not unschedule pg_cron job:', err)\n      }\n\n      // Delete vault secret\n      try {\n        await stripeSync.postgresClient.query(`\n          DELETE FROM vault.secrets\n          WHERE name = 'stripe_sync_worker_secret'\n        `)\n      } catch (err) {\n        console.warn('Could not delete vault secret:', err)\n      }\n\n      // Terminate connections holding locks on stripe schema\n      try {\n        await stripeSync.postgresClient.query(`\n          SELECT pg_terminate_backend(pid)\n          FROM pg_locks l\n          JOIN pg_class c ON l.relation = c.oid\n          JOIN pg_namespace n ON c.relnamespace = n.oid\n          WHERE n.nspname = 'stripe'\n            AND l.pid != pg_backend_pid()\n        `)\n      } catch (err) {\n        console.warn('Could not terminate connections:', err)\n      }\n\n      // Drop schema with retry\n      let dropAttempts = 0\n      const maxAttempts = 3\n      while (dropAttempts < maxAttempts) {\n        try {\n          await stripeSync.postgresClient.query('DROP SCHEMA IF EXISTS stripe CASCADE')\n          break // Success, exit loop\n        } catch (err) {\n          dropAttempts++\n          if (dropAttempts >= maxAttempts) {\n            throw new Error(\n              `Failed to drop schema after ${maxAttempts} attempts. ` +\n                `There may be active connections or locks on the stripe schema. ` +\n                `Error: ${err.message}`\n            )\n          }\n          // Wait 1 second before retrying\n          await new Promise((resolve) => setTimeout(resolve, 1000))\n        }\n      }\n\n      await stripeSync.postgresClient.pool.end()\n\n      // Step 2: Delete Supabase secrets\n      try {\n        await deleteSecret(projectRef, 'STRIPE_SECRET_KEY', accessToken)\n      } catch (err) {\n        console.warn('Could not delete STRIPE_SECRET_KEY secret:', err)\n      }\n\n      // Step 3: Delete Edge Functions\n      try {\n        await deleteEdgeFunction(projectRef, 'stripe-setup', accessToken)\n      } catch (err) {\n        console.warn('Could not delete stripe-setup function:', err)\n      }\n\n      try {\n        await deleteEdgeFunction(projectRef, 'stripe-webhook', accessToken)\n      } catch (err) {\n        console.warn('Could not delete stripe-webhook function:', err)\n      }\n\n      try {\n        await deleteEdgeFunction(projectRef, 'stripe-worker', accessToken)\n      } catch (err) {\n        console.warn('Could not delete stripe-worker function:', err)\n      }\n\n      return new Response(\n        JSON.stringify({\n          success: true,\n          message: 'Uninstall complete',\n        }),\n        {\n          status: 200,\n          headers: { 'Content-Type': 'application/json' },\n        }\n      )\n    } catch (error) {\n      console.error('Uninstall error:', error)\n      // Cleanup on error\n      if (stripeSync) {\n        try {\n          await stripeSync.postgresClient.pool.end()\n        } catch (cleanupErr) {\n          console.warn('Cleanup failed:', cleanupErr)\n        }\n      }\n      return new Response(JSON.stringify({ success: false, error: error.message }), {\n        status: 500,\n        headers: { 'Content-Type': 'application/json' },\n      })\n    }\n  }\n\n  // Handle POST requests for install\n  if (req.method !== 'POST') {\n    return new Response('Method not allowed', { status: 405 })\n  }\n\n  let stripeSync = null\n  try {\n    // Get and validate database URL\n    const rawDbUrl = Deno.env.get('SUPABASE_DB_URL')\n    if (!rawDbUrl) {\n      throw new Error('SUPABASE_DB_URL environment variable is not set')\n    }\n    // Remove sslmode from connection string (not supported by pg in Deno)\n    const dbUrl = rawDbUrl.replace(/[?&]sslmode=[^&]*/g, '').replace(/[?&]$/, '')\n\n    await runMigrations({ databaseUrl: dbUrl })\n\n    stripeSync = new StripeSync({\n      poolConfig: { connectionString: dbUrl, max: 2 }, // Need 2 for advisory lock + queries\n      stripeSecretKey: Deno.env.get('STRIPE_SECRET_KEY'),\n    })\n\n    // Release any stale advisory locks from previous timeouts\n    await stripeSync.postgresClient.query('SELECT pg_advisory_unlock_all()')\n\n    // Construct webhook URL from SUPABASE_URL (available in all Edge Functions)\n    const supabaseUrl = Deno.env.get('SUPABASE_URL')\n    if (!supabaseUrl) {\n      throw new Error('SUPABASE_URL environment variable is not set')\n    }\n    const webhookUrl = supabaseUrl + '/functions/v1/stripe-webhook'\n\n    const webhook = await stripeSync.findOrCreateManagedWebhook(webhookUrl)\n\n    await stripeSync.postgresClient.pool.end()\n\n    return new Response(\n      JSON.stringify({\n        success: true,\n        message: 'Setup complete',\n        webhookId: webhook.id,\n      }),\n      {\n        status: 200,\n        headers: { 'Content-Type': 'application/json' },\n      }\n    )\n  } catch (error) {\n    console.error('Setup error:', error)\n    // Cleanup on error\n    if (stripeSync) {\n      try {\n        await stripeSync.postgresClient.query('SELECT pg_advisory_unlock_all()')\n        await stripeSync.postgresClient.pool.end()\n      } catch (cleanupErr) {\n        console.warn('Cleanup failed:', cleanupErr)\n      }\n    }\n    return new Response(JSON.stringify({ success: false, error: error.message }), {\n      status: 500,\n      headers: { 'Content-Type': 'application/json' },\n    })\n  }\n})\n";
+
+// raw-ts:/home/runner/work/sync-engine/sync-engine/packages/sync-engine/src/supabase/edge-functions/stripe-webhook.ts
+var stripe_webhook_default = "import { StripeSync } from 'npm:stripe-experiment-sync'\n\nDeno.serve(async (req) => {\n  if (req.method !== 'POST') {\n    return new Response('Method not allowed', { status: 405 })\n  }\n\n  const sig = req.headers.get('stripe-signature')\n  if (!sig) {\n    return new Response('Missing stripe-signature header', { status: 400 })\n  }\n\n  const rawDbUrl = Deno.env.get('SUPABASE_DB_URL')\n  if (!rawDbUrl) {\n    return new Response(JSON.stringify({ error: 'SUPABASE_DB_URL not set' }), { status: 500 })\n  }\n  const dbUrl = rawDbUrl.replace(/[?&]sslmode=[^&]*/g, '').replace(/[?&]$/, '')\n\n  const stripeSync = new StripeSync({\n    poolConfig: { connectionString: dbUrl, max: 1 },\n    stripeSecretKey: Deno.env.get('STRIPE_SECRET_KEY')!,\n  })\n\n  try {\n    const rawBody = new Uint8Array(await req.arrayBuffer())\n    await stripeSync.processWebhook(rawBody, sig)\n    return new Response(JSON.stringify({ received: true }), {\n      status: 200,\n      headers: { 'Content-Type': 'application/json' },\n    })\n  } catch (error) {\n    console.error('Webhook processing error:', error)\n    const isSignatureError =\n      error.message?.includes('signature') || error.type === 'StripeSignatureVerificationError'\n    const status = isSignatureError ? 400 : 500\n    return new Response(JSON.stringify({ error: error.message }), {\n      status,\n      headers: { 'Content-Type': 'application/json' },\n    })\n  } finally {\n    await stripeSync.postgresClient.pool.end()\n  }\n})\n";
+
+// raw-ts:/home/runner/work/sync-engine/sync-engine/packages/sync-engine/src/supabase/edge-functions/stripe-worker.ts
+var stripe_worker_default = "/**\n * Stripe Sync Worker\n *\n * Triggered by pg_cron at a configurable interval (default: 60 seconds). Uses pgmq for durable work queue.\n *\n * Flow:\n * 1. Read batch of messages from pgmq (qty=10, vt=60s)\n * 2. If queue empty: enqueue all objects (continuous sync)\n * 3. Process messages in parallel (Promise.all):\n *    - processNext(object)\n *    - Delete message on success\n *    - Re-enqueue if hasMore\n * 4. Return results summary\n *\n * Concurrency:\n * - Multiple workers can run concurrently via overlapping pg_cron triggers.\n * - Each worker processes its batch of messages in parallel (Promise.all).\n * - pgmq visibility timeout prevents duplicate message reads across workers.\n * - processNext() is idempotent (uses internal cursor tracking), so duplicate\n *   processing on timeout/crash is safe.\n */\n\nimport { StripeSync } from 'npm:stripe-experiment-sync'\nimport postgres from 'npm:postgres'\n\nconst QUEUE_NAME = 'stripe_sync_work'\nconst VISIBILITY_TIMEOUT = 60 // seconds\nconst BATCH_SIZE = 10\n\nDeno.serve(async (req) => {\n  const authHeader = req.headers.get('Authorization')\n  if (!authHeader?.startsWith('Bearer ')) {\n    return new Response('Unauthorized', { status: 401 })\n  }\n\n  const token = authHeader.substring(7) // Remove 'Bearer '\n\n  const rawDbUrl = Deno.env.get('SUPABASE_DB_URL')\n  if (!rawDbUrl) {\n    return new Response(JSON.stringify({ error: 'SUPABASE_DB_URL not set' }), { status: 500 })\n  }\n  const dbUrl = rawDbUrl.replace(/[?&]sslmode=[^&]*/g, '').replace(/[?&]$/, '')\n\n  let sql\n  let stripeSync\n\n  try {\n    sql = postgres(dbUrl, { max: 1, prepare: false })\n  } catch (error) {\n    return new Response(\n      JSON.stringify({\n        error: 'Failed to create postgres connection',\n        details: error.message,\n        stack: error.stack,\n      }),\n      { status: 500, headers: { 'Content-Type': 'application/json' } }\n    )\n  }\n\n  try {\n    // Validate that the token matches the unique worker secret stored in vault\n    const vaultResult = await sql`\n      SELECT decrypted_secret\n      FROM vault.decrypted_secrets\n      WHERE name = 'stripe_sync_worker_secret'\n    `\n\n    if (vaultResult.length === 0) {\n      await sql.end()\n      return new Response('Worker secret not configured in vault', { status: 500 })\n    }\n\n    const storedSecret = vaultResult[0].decrypted_secret\n    if (token !== storedSecret) {\n      await sql.end()\n      return new Response('Forbidden: Invalid worker secret', { status: 403 })\n    }\n\n    stripeSync = new StripeSync({\n      poolConfig: { connectionString: dbUrl, max: 1 },\n      stripeSecretKey: Deno.env.get('STRIPE_SECRET_KEY')!,\n      enableSigma: (Deno.env.get('ENABLE_SIGMA') ?? 'false') === 'true',\n    })\n  } catch (error) {\n    await sql.end()\n    return new Response(\n      JSON.stringify({\n        error: 'Failed to create StripeSync',\n        details: error.message,\n        stack: error.stack,\n      }),\n      { status: 500, headers: { 'Content-Type': 'application/json' } }\n    )\n  }\n\n  try {\n    // Read batch of messages from queue\n    const messages = await sql`\n      SELECT * FROM pgmq.read(${QUEUE_NAME}::text, ${VISIBILITY_TIMEOUT}::int, ${BATCH_SIZE}::int)\n    `\n\n    // If queue empty, enqueue all objects for continuous sync\n    if (messages.length === 0) {\n      // Create sync run to make enqueued work visible (status='pending')\n      const { objects } = await stripeSync.joinOrCreateSyncRun('worker')\n      const msgs = objects.map((object) => JSON.stringify({ object }))\n\n      await sql`\n        SELECT pgmq.send_batch(\n          ${QUEUE_NAME}::text,\n          ${sql.array(msgs)}::jsonb[]\n        )\n      `\n\n      return new Response(JSON.stringify({ enqueued: objects.length, objects }), {\n        status: 200,\n        headers: { 'Content-Type': 'application/json' },\n      })\n    }\n\n    // Process messages in parallel\n    const results = await Promise.all(\n      messages.map(async (msg) => {\n        const { object } = msg.message as { object: string }\n\n        try {\n          const result = await stripeSync.processNext(object)\n\n          // Delete message on success (cast to bigint to disambiguate overloaded function)\n          await sql`SELECT pgmq.delete(${QUEUE_NAME}::text, ${msg.msg_id}::bigint)`\n\n          // Re-enqueue if more pages\n          if (result.hasMore) {\n            await sql`SELECT pgmq.send(${QUEUE_NAME}::text, ${sql.json({ object })}::jsonb)`\n          }\n\n          return { object, ...result }\n        } catch (error) {\n          // Log error but continue to next message\n          // Message will become visible again after visibility timeout\n          console.error(`Error processing ${object}:`, error)\n          return {\n            object,\n            processed: 0,\n            hasMore: false,\n            error: error.message,\n            stack: error.stack,\n          }\n        }\n      })\n    )\n\n    return new Response(JSON.stringify({ results }), {\n      status: 200,\n      headers: { 'Content-Type': 'application/json' },\n    })\n  } catch (error) {\n    console.error('Worker error:', error)\n    return new Response(JSON.stringify({ error: error.message, stack: error.stack }), {\n      status: 500,\n      headers: { 'Content-Type': 'application/json' },\n    })\n  } finally {\n    if (sql) await sql.end()\n    if (stripeSync) await stripeSync.postgresClient.pool.end()\n  }\n})\n";
+
+// src/supabase/edge-function-code.ts
+var setupFunctionCode = stripe_setup_default;
+var webhookFunctionCode = stripe_webhook_default;
+var workerFunctionCode = stripe_worker_default;
+
+// src/supabase/supabase.ts
+var STRIPE_SCHEMA_COMMENT_PREFIX = "stripe-sync";
+var INSTALLATION_STARTED_SUFFIX = "installation:started";
+var INSTALLATION_ERROR_SUFFIX = "installation:error";
+var INSTALLATION_INSTALLED_SUFFIX = "installed";
+var SupabaseSetupClient = class {
+  api;
+  projectRef;
+  projectBaseUrl;
+  accessToken;
+  constructor(options) {
+    this.api = new SupabaseManagementAPI({
+      accessToken: options.accessToken,
+      baseUrl: options.managementApiBaseUrl
+    });
+    this.projectRef = options.projectRef;
+    this.projectBaseUrl = options.projectBaseUrl || process.env.SUPABASE_BASE_URL || "supabase.co";
+    this.accessToken = options.accessToken;
+  }
+  /**
+   * Validate that the project exists and we have access
+   */
+  async validateProject() {
+    const projects = await this.api.getProjects();
+    const project = projects?.find((p) => p.id === this.projectRef);
+    if (!project) {
+      throw new Error(`Project ${this.projectRef} not found or you don't have access`);
+    }
+    return {
+      id: project.id,
+      name: project.name,
+      region: project.region
+    };
+  }
+  /**
+   * Deploy an Edge Function
+   */
+  async deployFunction(name, code, verifyJwt = false) {
+    const functions = await this.api.listFunctions(this.projectRef);
+    const exists = functions?.some((f) => f.slug === name);
+    if (exists) {
+      await this.api.updateFunction(this.projectRef, name, {
+        body: code,
+        verify_jwt: verifyJwt
+      });
+    } else {
+      await this.api.createFunction(this.projectRef, {
+        slug: name,
+        name,
+        body: code,
+        verify_jwt: verifyJwt
+      });
+    }
+  }
+  /**
+   * Set secrets for Edge Functions
+   */
+  async setSecrets(secrets) {
+    await this.api.createSecrets(this.projectRef, secrets);
+  }
+  /**
+   * Run SQL against the database
+   */
+  async runSQL(sql) {
+    return await this.api.runQuery(this.projectRef, sql);
+  }
+  /**
+   * Setup pg_cron job to invoke worker function
+   * @param intervalSeconds - How often to run the worker (default: 60 seconds)
+   */
+  async setupPgCronJob(intervalSeconds = 60) {
+    if (!Number.isInteger(intervalSeconds) || intervalSeconds < 1) {
+      throw new Error(`Invalid interval: ${intervalSeconds}. Must be a positive integer.`);
+    }
+    let schedule;
+    if (intervalSeconds < 60) {
+      schedule = `${intervalSeconds} seconds`;
+    } else if (intervalSeconds % 60 === 0) {
+      const minutes = intervalSeconds / 60;
+      if (minutes < 60) {
+        schedule = `*/${minutes} * * * *`;
+      } else {
+        throw new Error(
+          `Invalid interval: ${intervalSeconds}. Intervals >= 3600 seconds (1 hour) are not supported. Use a value between 1-3599 seconds.`
+        );
+      }
+    } else {
+      throw new Error(
+        `Invalid interval: ${intervalSeconds}. Must be either 1-59 seconds or a multiple of 60 (e.g., 60, 120, 180).`
+      );
+    }
+    const workerSecret = crypto.randomUUID();
+    const escapedWorkerSecret = workerSecret.replace(/'/g, "''");
+    const sql = `
+      -- Enable extensions
+      CREATE EXTENSION IF NOT EXISTS pg_cron;
+      CREATE EXTENSION IF NOT EXISTS pg_net;
+      CREATE EXTENSION IF NOT EXISTS pgmq;
+
+      -- Create pgmq queue for sync work (idempotent)
+      SELECT pgmq.create('stripe_sync_work')
+      WHERE NOT EXISTS (
+        SELECT 1 FROM pgmq.list_queues() WHERE queue_name = 'stripe_sync_work'
+      );
+
+      -- Store unique worker secret in vault for pg_cron to use
+      -- Delete existing secret if it exists, then create new one
+      DELETE FROM vault.secrets WHERE name = 'stripe_sync_worker_secret';
+      SELECT vault.create_secret('${escapedWorkerSecret}', 'stripe_sync_worker_secret');
+
+      -- Delete existing jobs if they exist
+      SELECT cron.unschedule('stripe-sync-worker') WHERE EXISTS (
+        SELECT 1 FROM cron.job WHERE jobname = 'stripe-sync-worker'
+      );
+      SELECT cron.unschedule('stripe-sync-scheduler') WHERE EXISTS (
+        SELECT 1 FROM cron.job WHERE jobname = 'stripe-sync-scheduler'
+      );
+
+      -- Create job to invoke worker at configured interval
+      -- Worker reads from pgmq, enqueues objects if empty, and processes sync work
+      SELECT cron.schedule(
+        'stripe-sync-worker',
+        '${schedule}',
+        $$
+        SELECT net.http_post(
+          url := 'https://${this.projectRef}.${this.projectBaseUrl}/functions/v1/stripe-worker',
+          headers := jsonb_build_object(
+            'Authorization', 'Bearer ' || (SELECT decrypted_secret FROM vault.decrypted_secrets WHERE name = 'stripe_sync_worker_secret')
+          )
+        )
+        $$
+      );
+    `;
+    await this.runSQL(sql);
+  }
+  /**
+   * Get the webhook URL for this project
+   */
+  getWebhookUrl() {
+    return `https://${this.projectRef}.${this.projectBaseUrl}/functions/v1/stripe-webhook`;
+  }
+  /**
+   * Get the anon key for this project (needed for Realtime subscriptions)
+   */
+  async getAnonKey() {
+    const apiKeys = await this.api.getProjectApiKeys(this.projectRef);
+    const anonKey = apiKeys?.find((k) => k.name === "anon");
+    if (!anonKey) {
+      throw new Error("Could not find anon API key");
+    }
+    return anonKey.api_key;
+  }
+  /**
+   * Get the project URL
+   */
+  getProjectUrl() {
+    return `https://${this.projectRef}.${this.projectBaseUrl}`;
+  }
+  /**
+   * Invoke an Edge Function
+   */
+  async invokeFunction(name, bearerToken) {
+    const url = `https://${this.projectRef}.${this.projectBaseUrl}/functions/v1/${name}`;
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${bearerToken}`,
+        "Content-Type": "application/json"
+      }
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      return { success: false, error: `${response.status}: ${text}` };
+    }
+    const result = await response.json();
+    if (result.success === false) {
+      return { success: false, error: result.error };
+    }
+    return { success: true };
+  }
+  /**
+   * Check if stripe-sync is installed in the database.
+   *
+   * Uses the Supabase Management API to run SQL queries.
+   * Uses duck typing (schema + migrations table) combined with comment validation.
+   * Throws error for legacy installations to prevent accidental corruption.
+   *
+   * @param schema The schema name to check (defaults to 'stripe')
+   * @returns true if properly installed with comment marker, false if not installed
+   * @throws Error if legacy installation detected (schema exists without comment)
+   */
+  async isInstalled(schema = "stripe") {
+    try {
+      const schemaCheck = await this.runSQL(
+        `SELECT EXISTS (
+          SELECT 1 FROM information_schema.schemata
+          WHERE schema_name = '${schema}'
+        ) as schema_exists`
+      );
+      const schemaExists = schemaCheck[0]?.rows?.[0]?.schema_exists === true;
+      if (!schemaExists) {
+        return false;
+      }
+      const migrationsCheck = await this.runSQL(
+        `SELECT EXISTS (
+          SELECT 1 FROM information_schema.tables
+          WHERE table_schema = '${schema}' AND table_name IN ('migrations', '_migrations')
+        ) as table_exists`
+      );
+      const migrationsTableExists = migrationsCheck[0]?.rows?.[0]?.table_exists === true;
+      if (!migrationsTableExists) {
+        return false;
+      }
+      const commentCheck = await this.runSQL(
+        `SELECT obj_description(oid, 'pg_namespace') as comment
+         FROM pg_namespace
+         WHERE nspname = '${schema}'`
+      );
+      const comment = commentCheck[0]?.rows?.[0]?.comment;
+      if (!comment || !comment.includes(STRIPE_SCHEMA_COMMENT_PREFIX)) {
+        throw new Error(
+          `Legacy installation detected: Schema '${schema}' and migrations table exist, but missing stripe-sync comment marker. This may be a legacy installation or manually created schema. Please contact support or manually drop the schema before proceeding.`
+        );
+      }
+      if (comment.includes(INSTALLATION_STARTED_SUFFIX)) {
+        return false;
+      }
+      if (comment.includes(INSTALLATION_ERROR_SUFFIX)) {
+        throw new Error(
+          `Installation failed: Schema '${schema}' exists but installation encountered an error. Comment: ${comment}. Please uninstall and install again.`
+        );
+      }
+      return true;
+    } catch (error) {
+      if (error instanceof Error && (error.message.includes("Legacy installation detected") || error.message.includes("Installation failed"))) {
+        throw error;
+      }
+      return false;
+    }
+  }
+  /**
+   * Update installation progress comment on the stripe schema
+   */
+  async updateInstallationComment(message) {
+    const escapedMessage = message.replace(/'/g, "''");
+    await this.runSQL(`COMMENT ON SCHEMA stripe IS '${escapedMessage}'`);
+  }
+  /**
+   * Delete an Edge Function
+   */
+  async deleteFunction(name) {
+    try {
+      await this.api.deleteFunction(this.projectRef, name);
+    } catch (err) {
+      console.warn(`Could not delete function ${name}:`, err);
+    }
+  }
+  /**
+   * Delete a secret
+   */
+  async deleteSecret(name) {
+    try {
+      await this.api.deleteSecrets(this.projectRef, [name]);
+    } catch (err) {
+      console.warn(`Could not delete secret ${name}:`, err);
+    }
+  }
+  /**
+   * Uninstall stripe-sync from a Supabase project
+   * Invokes the stripe-setup edge function's DELETE endpoint which handles cleanup
+   */
+  async uninstall() {
+    try {
+      const url = `https://${this.projectRef}.${this.projectBaseUrl}/functions/v1/stripe-setup`;
+      const response = await fetch(url, {
+        method: "DELETE",
+        headers: {
+          Authorization: `Bearer ${this.accessToken}`,
+          "Content-Type": "application/json"
+        }
+      });
+      if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Uninstall failed: ${response.status} ${text}`);
+      }
+      const result = await response.json();
+      if (result.success === false) {
+        throw new Error(`Uninstall failed: ${result.error}`);
+      }
+    } catch (error) {
+      throw new Error(`Uninstall failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  /**
+   * Inject package version into Edge Function code
+   */
+  injectPackageVersion(code, version) {
+    if (version === "latest") {
+      return code;
+    }
+    return code.replace(
+      /from ['"]npm:stripe-experiment-sync['"]/g,
+      `from 'npm:stripe-experiment-sync@${version}'`
+    );
+  }
+  async install(stripeKey, packageVersion, workerIntervalSeconds) {
+    const trimmedStripeKey = stripeKey.trim();
+    if (!trimmedStripeKey.startsWith("sk_") && !trimmedStripeKey.startsWith("rk_")) {
+      throw new Error('Stripe key should start with "sk_" or "rk_"');
+    }
+    const version = packageVersion || "latest";
+    try {
+      await this.validateProject();
+      await this.runSQL(`CREATE SCHEMA IF NOT EXISTS stripe`);
+      await this.updateInstallationComment(
+        `${STRIPE_SCHEMA_COMMENT_PREFIX} v${package_default.version} ${INSTALLATION_STARTED_SUFFIX}`
+      );
+      const versionedSetup = this.injectPackageVersion(setupFunctionCode, version);
+      const versionedWebhook = this.injectPackageVersion(webhookFunctionCode, version);
+      const versionedWorker = this.injectPackageVersion(workerFunctionCode, version);
+      await this.deployFunction("stripe-setup", versionedSetup, false);
+      await this.deployFunction("stripe-webhook", versionedWebhook, false);
+      await this.deployFunction("stripe-worker", versionedWorker, false);
+      await this.setSecrets([{ name: "STRIPE_SECRET_KEY", value: trimmedStripeKey }]);
+      const setupResult = await this.invokeFunction("stripe-setup", this.accessToken);
+      if (!setupResult.success) {
+        throw new Error(`Setup failed: ${setupResult.error}`);
+      }
+      await this.setupPgCronJob(workerIntervalSeconds);
+      await this.updateInstallationComment(
+        `${STRIPE_SCHEMA_COMMENT_PREFIX} v${package_default.version} ${INSTALLATION_INSTALLED_SUFFIX}`
+      );
+    } catch (error) {
+      await this.updateInstallationComment(
+        `${STRIPE_SCHEMA_COMMENT_PREFIX} v${package_default.version} ${INSTALLATION_ERROR_SUFFIX} - ${error instanceof Error ? error.message : String(error)}`
+      );
+      throw error;
+    }
+  }
+};
+async function install(params) {
+  const {
+    supabaseAccessToken,
+    supabaseProjectRef,
+    stripeKey,
+    packageVersion,
+    workerIntervalSeconds
+  } = params;
+  const client = new SupabaseSetupClient({
+    accessToken: supabaseAccessToken,
+    projectRef: supabaseProjectRef,
+    projectBaseUrl: params.baseProjectUrl,
+    managementApiBaseUrl: params.baseManagementApiUrl
+  });
+  await client.install(stripeKey, packageVersion, workerIntervalSeconds);
+}
+async function uninstall(params) {
+  const { supabaseAccessToken, supabaseProjectRef } = params;
+  const client = new SupabaseSetupClient({
+    accessToken: supabaseAccessToken,
+    projectRef: supabaseProjectRef,
+    projectBaseUrl: params.baseProjectUrl,
+    managementApiBaseUrl: params.baseManagementApiBaseUrl
+  });
+  await client.uninstall();
+}
+
+export {
+  setupFunctionCode,
+  webhookFunctionCode,
+  workerFunctionCode,
+  STRIPE_SCHEMA_COMMENT_PREFIX,
+  INSTALLATION_STARTED_SUFFIX,
+  INSTALLATION_ERROR_SUFFIX,
+  INSTALLATION_INSTALLED_SUFFIX,
+  SupabaseSetupClient,
+  install,
+  uninstall
+};

package/dist/{chunk-5SS5ZEQF.js → chunk-7G2ZYKBP.js}

@@ -2,11 +2,11 @@ import {
   StripeSync,
   createStripeWebSocketClient,
   runMigrations
-} from "./chunk-2GSABFXH.js";
+} from "./chunk-ENHIM76M.js";
 import {
   install,
   uninstall
-} from "./chunk-O2N4AEQS.js";
+} from "./chunk-5J4LJ44K.js";
 
 // src/cli/config.ts
 import dotenv from "dotenv";
@@ -18,6 +18,7 @@ async function loadConfig(options) {
   config.stripeApiKey = options.stripeKey || process.env.STRIPE_API_KEY || "";
   config.ngrokAuthToken = options.ngrokToken || process.env.NGROK_AUTH_TOKEN || "";
   config.databaseUrl = options.databaseUrl || process.env.DATABASE_URL || "";
+  config.enableSigma = options.enableSigma ?? (process.env.ENABLE_SIGMA !== void 0 ? process.env.ENABLE_SIGMA === "true" : void 0);
   const questions = [];
   if (!config.stripeApiKey) {
     questions.push({
@@ -29,8 +30,8 @@ async function loadConfig(options) {
         if (!input || input.trim() === "") {
           return "Stripe API key is required";
         }
-        if (!input.startsWith("sk_")) {
-          return 'Stripe API key should start with "sk_"';
+        if (!input.startsWith("sk_") && !input.startsWith("rk_")) {
+          return 'Stripe API key should start with "sk_" or "rk_"';
         }
         return true;
       }
@@ -53,11 +54,22 @@ async function loadConfig(options) {
       }
     });
   }
+  if (config.enableSigma === void 0) {
+    questions.push({
+      type: "confirm",
+      name: "enableSigma",
+      message: "Enable Sigma sync? (Requires Sigma access in Stripe API key)",
+      default: false
+    });
+  }
   if (questions.length > 0) {
-    console.log(chalk.yellow("\nMissing required configuration. Please provide:"));
+    console.log(chalk.yellow("\nMissing configuration. Please provide:"));
     const answers = await inquirer.prompt(questions);
     Object.assign(config, answers);
   }
+  if (config.enableSigma === void 0) {
+    config.enableSigma = false;
+  }
   return config;
 }
 
@@ -117,7 +129,9 @@ var VALID_SYNC_OBJECTS = [
   "credit_note",
   "early_fraud_warning",
   "refund",
-  "checkout_sessions"
+  "checkout_sessions",
+  "subscription_item_change_events_v2_beta",
+  "exchange_rates_from_usd"
 ];
 async function backfillCommand(options, entityName) {
   let stripeSync = null;
@@ -146,8 +160,8 @@ async function backfillCommand(options, entityName) {
             if (!input || input.trim() === "") {
               return "Stripe API key is required";
             }
-            if (!input.startsWith("sk_")) {
-              return 'Stripe API key should start with "sk_"';
+            if (!input.startsWith("sk_") && !input.startsWith("rk_")) {
+              return 'Stripe API key should start with "sk_" or "rk_"';
             }
             return true;
           }
@@ -204,6 +218,7 @@ async function backfillCommand(options, entityName) {
     stripeSync = new StripeSync({
       databaseUrl: config.databaseUrl,
       stripeSecretKey: config.stripeApiKey,
+      enableSigma: process.env.ENABLE_SIGMA === "true",
       stripeApiVersion: process.env.STRIPE_API_VERSION || "2020-08-27",
       autoExpandLists: process.env.AUTO_EXPAND_LISTS === "true",
       backfillRelatedEntities: process.env.BACKFILL_RELATED_ENTITIES !== "false",
@@ -342,7 +357,7 @@ Cleaning up... (signal: ${signal || "manual"})`));
   process.on("SIGTERM", () => cleanup("SIGTERM"));
   try {
     const config = await loadConfig(options);
-    const useWebSocketMode = !config.ngrokAuthToken;
+    const useWebSocketMode = process.env.USE_WEBSOCKET === "true" || !config.ngrokAuthToken;
     const modeLabel = useWebSocketMode ? "WebSocket" : "Webhook (ngrok)";
     console.log(chalk3.blue(`
 Mode: ${modeLabel}`));
@@ -367,6 +382,7 @@ Mode: ${modeLabel}`));
     stripeSync = new StripeSync({
       databaseUrl: config.databaseUrl,
       stripeSecretKey: config.stripeApiKey,
+      enableSigma: config.enableSigma,
       stripeApiVersion: process.env.STRIPE_API_VERSION || "2020-08-27",
       autoExpandLists: process.env.AUTO_EXPAND_LISTS === "true",
       backfillRelatedEntities: process.env.BACKFILL_RELATED_ENTITIES !== "false",
@@ -514,7 +530,8 @@ async function installCommand(options) {
           mask: "*",
           validate: (input) => {
             if (!input.trim()) return "Stripe key is required";
-            if (!input.startsWith("sk_")) return 'Stripe key should start with "sk_"';
+            if (!input.startsWith("sk_") && !input.startsWith("rk_"))
+              return 'Stripe key should start with "sk_" or "rk_"';
             return true;
           }
         });