kctl-supa 0.6.3__py3-none-any.whl

kctl_supa/__init__.py

@@ -0,0 +1,3 @@
+"""Kodemeio Supabase CLI."""
+
+__version__ = "0.6.3"

kctl_supa/__main__.py

@@ -0,0 +1,5 @@
+"""Allow running as: python -m kctl_supa."""
+
+from kctl_supa.cli import _run
+
+_run()

kctl_supa/cli.py

@@ -0,0 +1,169 @@
+"""Main CLI entry point for kctl-supa."""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+import typer
+from kctl_lib import handle_cli_error
+
+from kctl_supa import __version__
+from kctl_supa.commands.advisors_cmd import app as advisors_app
+from kctl_supa.commands.auth_cmd import app as auth_app
+from kctl_supa.commands.backup_cmd import app as backup_app
+from kctl_supa.commands.config_cmd import app as config_app
+from kctl_supa.commands.cron_cmd import app as cron_app
+from kctl_supa.commands.dashboard_cmd import app as dashboard_app
+from kctl_supa.commands.db_cmd import app as db_app
+from kctl_supa.commands.deploy_cmd import app as deploy_app
+from kctl_supa.commands.doctor_cmd import app as doctor_app
+from kctl_supa.commands.functions_cmd import app as functions_app
+from kctl_supa.commands.health_cmd import app as health_app
+from kctl_supa.commands.integrations_cmd import app as integrations_app
+from kctl_supa.commands.logs_cmd import app as logs_app
+from kctl_supa.commands.maintenance_cmd import app as maintenance_app
+from kctl_supa.commands.migrate_cmd import app as migrate_app
+from kctl_supa.commands.monitor_cmd import app as monitor_app
+from kctl_supa.commands.publications_cmd import app as publications_app
+from kctl_supa.commands.queues_cmd import app as queues_app
+from kctl_supa.commands.realtime_cmd import app as realtime_app
+from kctl_supa.commands.security_cmd import app as security_app
+from kctl_supa.commands.settings_cmd import app as settings_app
+from kctl_supa.commands.skill_cmd import app as skill_app
+from kctl_supa.commands.status_cmd import app as status_app
+from kctl_supa.commands.storage_cmd import app as storage_app
+from kctl_supa.commands.upgrade_cmd import app as upgrade_app
+from kctl_supa.commands.vault_cmd import app as vault_app
+from kctl_supa.core.callbacks import AppContext
+from kctl_supa.core.exceptions import SupabaseError
+from kctl_lib.self_update import notify_if_outdated
+from kctl_lib.tui import add_tui_command
+
+
+def version_callback(value: bool) -> None:
+    if value:
+        typer.echo(f"kctl-supa {__version__}")
+        raise typer.Exit()
+
+
+app = typer.Typer(
+    name="kctl-supa",
+    help="Kodemeio Supabase CLI - manage self-hosted Supabase instances.",
+    no_args_is_help=True,
+    rich_markup_mode="rich",
+    pretty_exceptions_enable=False,
+)
+
+
+@app.callback()
+def main(
+    ctx: typer.Context,
+    json_output: Annotated[bool, typer.Option("--json", help="Output as JSON")] = False,
+    quiet: Annotated[bool, typer.Option("--quiet", "-q", help="Suppress info messages")] = False,
+    profile: Annotated[str | None, typer.Option("--profile", "-p", help="Config profile name")] = None,
+    url: Annotated[str | None, typer.Option("--url", help="Supabase URL override")] = None,
+    version: Annotated[
+        bool, typer.Option("--version", "-V", callback=version_callback, is_eager=True, help="Show version")
+    ] = False,
+) -> None:
+    """Kodemeio Supabase CLI."""
+    ctx.ensure_object(dict)
+    ctx.obj = AppContext(
+        json_mode=json_output,
+        quiet=quiet,
+        profile=profile,
+        url_override=url,
+    )
+    notify_if_outdated(ctx.obj.output, "kctl-supa", __version__)
+
+
+_P_ADMIN = "Admin & Config"
+app.add_typer(config_app, name="config", rich_help_panel=_P_ADMIN)
+app.add_typer(security_app, name="security", rich_help_panel=_P_ADMIN)
+app.add_typer(doctor_app, name="doctor", rich_help_panel=_P_ADMIN)
+app.add_typer(vault_app, name="vault", rich_help_panel=_P_ADMIN)
+app.add_typer(integrations_app, name="integrations", rich_help_panel=_P_ADMIN)
+app.add_typer(settings_app, name="settings", rich_help_panel=_P_ADMIN)
+
+_P_SERVICES = "Services"
+app.add_typer(health_app, name="health", rich_help_panel=_P_SERVICES)
+app.add_typer(status_app, name="status", rich_help_panel=_P_SERVICES)
+app.add_typer(dashboard_app, name="dashboard", rich_help_panel=_P_SERVICES)
+app.add_typer(monitor_app, name="monitor", rich_help_panel=_P_SERVICES)
+app.add_typer(advisors_app, name="advisors", rich_help_panel=_P_SERVICES)
+
+_P_DATABASE = "Database"
+app.add_typer(db_app, name="db", rich_help_panel=_P_DATABASE)
+app.add_typer(backup_app, name="backup", rich_help_panel=_P_DATABASE)
+app.add_typer(maintenance_app, name="maintenance", rich_help_panel=_P_DATABASE)
+app.add_typer(migrate_app, name="migrate", rich_help_panel=_P_DATABASE)
+app.add_typer(cron_app, name="cron", rich_help_panel=_P_DATABASE)
+app.add_typer(queues_app, name="queues", rich_help_panel=_P_DATABASE)
+
+_P_AUTH = "Auth & Users"
+app.add_typer(auth_app, name="auth", rich_help_panel=_P_AUTH)
+
+_P_STORAGE = "Storage & Files"
+app.add_typer(storage_app, name="storage", rich_help_panel=_P_STORAGE)
+
+_P_RT = "Realtime & Functions"
+app.add_typer(realtime_app, name="realtime", rich_help_panel=_P_RT)
+app.add_typer(functions_app, name="functions", rich_help_panel=_P_RT)
+app.add_typer(publications_app, name="publications", rich_help_panel=_P_RT)
+
+_P_OPS = "Operations"
+app.add_typer(logs_app, name="logs", rich_help_panel=_P_OPS)
+app.add_typer(deploy_app, name="deploy", rich_help_panel=_P_OPS)
+app.add_typer(upgrade_app, name="upgrade", rich_help_panel=_P_OPS)
+
+app.add_typer(skill_app, name="skill", hidden=True)
+add_tui_command(app, service_key="supa", version=__version__)
+
+
+@app.command("self-update")
+def self_update_cmd(ctx: typer.Context) -> None:
+    """Check for updates and upgrade kctl-supa."""
+    actx = ctx.obj
+    out = actx.output
+    from kctl_lib.self_update import check_update
+    from kctl_lib.self_update import update as do_update
+
+    latest = check_update("kctl-supa", __version__)
+    if latest:
+        out.info(f"Updating to {latest}...")
+        do_update("kctl-supa")
+        out.success(f"Updated to {latest}")
+    else:
+        out.success("Already up to date")
+
+
+@app.command()
+def completions(
+    shell: Annotated[str, typer.Argument(help="Shell type: zsh, bash, fish")] = "zsh",
+    install: Annotated[bool, typer.Option("--install", help="Install completions")] = False,
+) -> None:
+    """Generate or install shell completions."""
+    from kctl_lib.completions import get_completion_script, install_completions
+
+    if install:
+        path = install_completions("kctl-supa", shell)
+        if path:
+            typer.echo(f"Completions installed to {path}")
+        else:
+            typer.echo(f"Could not install completions for {shell}", err=True)
+            raise typer.Exit(code=1)
+    else:
+        script = get_completion_script("kctl-supa", shell)
+        typer.echo(script)
+
+
+def _run() -> None:
+    """Entry point with error handling."""
+    try:
+        app()
+    except SupabaseError as e:
+        handle_cli_error(e)
+
+
+if __name__ == "__main__":
+    _run()

kctl_supa/commands/__init__.py

@@ -0,0 +1 @@
+"""CLI command modules for kctl-supa."""

kctl_supa/commands/advisors_cmd.py

@@ -0,0 +1,239 @@
+"""Security and performance advisor commands for kctl-supa."""
+
+from __future__ import annotations
+
+import typer
+from rich import print as rprint
+from rich.table import Table
+
+from kctl_supa.core.callbacks import AppContext
+from kctl_supa.core.docker import DockerOps
+from kctl_supa.core.exceptions import DockerError
+
+app = typer.Typer(help="Security and performance advisors.")
+
+
+def _get_docker(actx: AppContext) -> DockerOps:
+    return DockerOps(actx.config)
+
+
+def _run_psql(actx: AppContext, query: str) -> str:
+    out = actx.output
+    try:
+        docker = _get_docker(actx)
+        result = docker.psql(query)
+        docker.close()
+        return result
+    except DockerError as exc:
+        out.error(str(exc))
+        raise typer.Exit(1) from exc
+
+
+def _extract_last_value(raw: str) -> str:
+    lines = [line.strip() for line in raw.splitlines() if line.strip()]
+    return lines[-1] if lines else "N/A"
+
+
+@app.command()
+def security(ctx: typer.Context) -> None:
+    """Security audit: tables without RLS, public schemas, superuser roles."""
+    actx: AppContext = ctx.obj
+
+    docker = _get_docker(actx)
+    checks: list[tuple[str, str, str]] = []
+
+    try:
+        no_rls = docker.psql(
+            "SELECT count(*) FROM pg_tables "
+            "WHERE schemaname = 'public' AND tablename NOT IN ("
+            "SELECT DISTINCT tablename FROM pg_policies WHERE schemaname = 'public'"
+            ")",
+        )
+        val = _extract_last_value(no_rls)
+        n = int(val) if val.isdigit() else 0
+        checks.append(("Tables without RLS", val, "[red]WARN[/red]" if n > 0 else "[green]OK[/green]"))
+    except DockerError:
+        checks.append(("Tables without RLS", "error", "[red]ERROR[/red]"))
+
+    try:
+        superusers = docker.psql("SELECT count(*) FROM pg_roles WHERE rolsuper = true")
+        val = _extract_last_value(superusers)
+        checks.append(("Superuser roles", val, "[yellow]INFO[/yellow]"))
+    except DockerError:
+        checks.append(("Superuser roles", "error", "[red]ERROR[/red]"))
+
+    try:
+        exposed = docker.psql(
+            "SELECT count(*) FROM information_schema.tables WHERE table_schema = 'public'",
+        )
+        val = _extract_last_value(exposed)
+        checks.append(("Public schema tables", val, "[yellow]INFO[/yellow]"))
+    except DockerError:
+        checks.append(("Public schema tables", "error", "[red]ERROR[/red]"))
+
+    docker.close()
+
+    table = Table(title="Security Advisor", show_header=True, header_style="bold cyan")
+    table.add_column("Check", style="cyan")
+    table.add_column("Value")
+    table.add_column("Status")
+    for check_name, value, status in checks:
+        table.add_row(check_name, value, status)
+    rprint(table)
+
+
+@app.command()
+def performance(ctx: typer.Context) -> None:
+    """Performance advisor: cache hit ratio, unused indexes, table bloat."""
+    actx: AppContext = ctx.obj
+
+    docker = _get_docker(actx)
+    checks: list[tuple[str, str, str]] = []
+
+    try:
+        cache = docker.psql(
+            "SELECT round(100.0 * sum(blks_hit) / nullif(sum(blks_hit) + sum(blks_read), 0), 2) FROM pg_stat_database",
+        )
+        val = _extract_last_value(cache)
+        try:
+            pct = float(val)
+        except ValueError:
+            pct = 0
+        status = "[green]OK[/green]" if pct >= 99 else "[yellow]WARN[/yellow]" if pct >= 95 else "[red]LOW[/red]"
+        checks.append(("Cache hit ratio", f"{val}%", status))
+    except DockerError:
+        checks.append(("Cache hit ratio", "error", "[red]ERROR[/red]"))
+
+    try:
+        unused = docker.psql(
+            "SELECT count(*) FROM pg_stat_user_indexes WHERE idx_scan = 0",
+        )
+        val = _extract_last_value(unused)
+        n = int(val) if val.isdigit() else 0
+        status = "[green]OK[/green]" if n == 0 else "[yellow]WARN[/yellow]"
+        checks.append(("Unused indexes", val, status))
+    except DockerError:
+        checks.append(("Unused indexes", "error", "[red]ERROR[/red]"))
+
+    try:
+        dead = docker.psql(
+            "SELECT sum(n_dead_tup) FROM pg_stat_user_tables",
+        )
+        val = _extract_last_value(dead)
+        try:
+            n = int(val)
+        except ValueError:
+            n = 0
+        status = "[green]OK[/green]" if n < 10000 else "[yellow]WARN[/yellow]" if n < 100000 else "[red]HIGH[/red]"
+        checks.append(("Dead tuples", val, status))
+    except DockerError:
+        checks.append(("Dead tuples", "error", "[red]ERROR[/red]"))
+
+    docker.close()
+
+    table = Table(title="Performance Advisor", show_header=True, header_style="bold cyan")
+    table.add_column("Check", style="cyan")
+    table.add_column("Value")
+    table.add_column("Status")
+    for check_name, value, status in checks:
+        table.add_row(check_name, value, status)
+    rprint(table)
+
+
+@app.command()
+def queries(ctx: typer.Context) -> None:
+    """Query performance: top queries by total time (requires pg_stat_statements)."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+    check = _run_psql(actx, "SELECT count(*) FROM pg_extension WHERE extname = 'pg_stat_statements'")
+    if check.strip().splitlines()[-1].strip() == "0":
+        out.warn("pg_stat_statements not installed. Enable it: CREATE EXTENSION pg_stat_statements;")
+        return
+    result = _run_psql(
+        actx,
+        "SELECT calls, round(total_exec_time::numeric, 2) AS total_ms, "
+        "round(mean_exec_time::numeric, 2) AS mean_ms, "
+        "left(query, 80) AS query "
+        "FROM pg_stat_statements ORDER BY total_exec_time DESC LIMIT 20",
+    )
+    typer.echo(result)
+
+
+@app.command(name="indexes")
+def index_advisor(ctx: typer.Context) -> None:
+    """Index advisor: unused indexes and sequential scan ratios."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    out.info("Unused indexes (0 scans):")
+    unused = _run_psql(
+        actx,
+        "SELECT schemaname, relname AS table, indexrelname AS index, "
+        "pg_size_pretty(pg_relation_size(indexrelid)) AS size "
+        "FROM pg_stat_user_indexes WHERE idx_scan = 0 "
+        "ORDER BY pg_relation_size(indexrelid) DESC",
+    )
+    typer.echo(unused)
+
+    out.info("Tables with high sequential scan ratio:")
+    seq_ratio = _run_psql(
+        actx,
+        "SELECT schemaname, relname AS table, "
+        "seq_scan, idx_scan, "
+        "CASE WHEN seq_scan + idx_scan > 0 "
+        "THEN round(100.0 * seq_scan / (seq_scan + idx_scan), 1) ELSE 0 END AS seq_pct "
+        "FROM pg_stat_user_tables "
+        "WHERE seq_scan + idx_scan > 100 "
+        "ORDER BY seq_pct DESC LIMIT 20",
+    )
+    typer.echo(seq_ratio)
+
+
+@app.command(name="rls-audit")
+def rls_audit(ctx: typer.Context) -> None:
+    """RLS audit: tables without policies, permissive gaps, role coverage."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    docker = _get_docker(actx)
+
+    out.info("Tables WITHOUT any RLS policy (exposed to anon/authenticated):")
+    no_policy = docker.psql(
+        "SELECT schemaname, tablename, rowsecurity "
+        "FROM pg_tables "
+        "WHERE schemaname IN ('public', 'storage') "
+        "AND tablename NOT IN (SELECT DISTINCT tablename FROM pg_policies WHERE schemaname = pg_tables.schemaname) "
+        "ORDER BY schemaname, tablename",
+    )
+    typer.echo(no_policy)
+
+    out.info("Tables with RLS DISABLED (bypasses all policies):")
+    rls_disabled = docker.psql(
+        "SELECT n.nspname AS schema, c.relname AS table "
+        "FROM pg_class c JOIN pg_namespace n ON c.relnamespace = n.oid "
+        "WHERE c.relkind = 'r' AND NOT c.relrowsecurity "
+        "AND n.nspname IN ('public', 'storage') "
+        "ORDER BY n.nspname, c.relname",
+    )
+    typer.echo(rls_disabled)
+
+    out.info("All RLS policies (schema, table, policy, roles, command):")
+    all_policies = docker.psql(
+        "SELECT schemaname, tablename, policyname, permissive, roles, cmd "
+        "FROM pg_policies "
+        "WHERE schemaname IN ('public', 'storage', 'auth') "
+        "ORDER BY schemaname, tablename, policyname",
+    )
+    typer.echo(all_policies)
+
+    out.info("Tables with FORCE ROW SECURITY (applies to table owner too):")
+    forced = docker.psql(
+        "SELECT n.nspname AS schema, c.relname AS table "
+        "FROM pg_class c JOIN pg_namespace n ON c.relnamespace = n.oid "
+        "WHERE c.relkind = 'r' AND c.relforcerowsecurity "
+        "AND n.nspname IN ('public', 'storage') "
+        "ORDER BY n.nspname, c.relname",
+    )
+    typer.echo(forced)
+
+    docker.close()

kctl_supa/commands/auth_cmd.py

@@ -0,0 +1,276 @@
+"""Authentication and user management commands for kctl-supa.
+
+Authentication and user management.
+"""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+import typer
+from rich import print as rprint
+from rich.table import Table
+
+from kctl_supa.core.callbacks import AppContext
+from kctl_supa.core.client import SupabaseClient
+from kctl_supa.core.docker import DockerOps
+from kctl_supa.core.exceptions import DockerError, SupabaseError
+
+app = typer.Typer(help="Authentication and user management.")
+
+
+def _get_client(actx: AppContext) -> SupabaseClient:
+    cfg = actx.config
+    return SupabaseClient(base_url=cfg.url, service_role_key=cfg.service_role_key, anon_key=cfg.anon_key)
+
+
+def _get_docker(actx: AppContext) -> DockerOps:
+    return DockerOps(actx.config)
+
+
+@app.command(name="list")
+def list_users(
+    ctx: typer.Context,
+    page: Annotated[int, typer.Option("--page", help="Page number")] = 1,
+    per_page: Annotated[int, typer.Option("--per-page", help="Users per page")] = 50,
+) -> None:
+    """List users."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    try:
+        client = _get_client(actx)
+        result = client.auth_list_users(page=page, per_page=per_page)
+        client.close()
+    except SupabaseError as exc:
+        out.error(str(exc))
+        raise typer.Exit(1) from exc
+
+    users = result if isinstance(result, list) else result.get("users", [])
+
+    if not users:
+        out.warn("No users found.")
+        return
+
+    table = Table(title=f"Auth Users (page {page})", show_header=True, header_style="bold cyan")
+    table.add_column("ID", style="dim")
+    table.add_column("Email", style="cyan")
+    table.add_column("Created At")
+    table.add_column("Confirmed")
+
+    for user in users:
+        uid = user.get("id", "")
+        email = user.get("email", "")
+        created = user.get("created_at", "")[:19] if user.get("created_at") else ""
+        confirmed = "[green]yes[/green]" if user.get("email_confirmed_at") else "[red]no[/red]"
+        table.add_row(uid, email, created, confirmed)
+
+    rprint(table)
+
+
+@app.command()
+def get(
+    ctx: typer.Context,
+    user_id: Annotated[str, typer.Argument(help="User ID")],
+) -> None:
+    """Get user details by ID."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    try:
+        client = _get_client(actx)
+        user = client.auth_get_user(user_id)
+        client.close()
+    except SupabaseError as exc:
+        out.error(str(exc))
+        raise typer.Exit(1) from exc
+
+    out.kv("ID", user.get("id", ""))
+    out.kv("Email", user.get("email", ""))
+    out.kv("Phone", user.get("phone", "") or "[dim]not set[/dim]")
+    out.kv("Created", user.get("created_at", "")[:19])
+    out.kv("Updated", user.get("updated_at", "")[:19])
+    out.kv("Email confirmed", "yes" if user.get("email_confirmed_at") else "no")
+    out.kv("Role", user.get("role", ""))
+    ban_duration = user.get("ban_duration")
+    if ban_duration and ban_duration != "none":
+        out.kv("Banned", f"[red]yes ({ban_duration})[/red]")
+    else:
+        out.kv("Banned", "no")
+
+
+@app.command()
+def create(
+    ctx: typer.Context,
+    email: Annotated[str, typer.Option("--email", help="User email", prompt=True)],
+    password: Annotated[str, typer.Option("--password", help="User password", prompt=True, hide_input=True)],
+) -> None:
+    """Create a new user."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    try:
+        client = _get_client(actx)
+        user = client.auth_create_user(email=email, password=password)
+        client.close()
+    except SupabaseError as exc:
+        out.error(str(exc))
+        raise typer.Exit(1) from exc
+
+    out.success(f"User created: {user.get('id')}")
+    out.kv("Email", email)
+
+
+@app.command()
+def delete(
+    ctx: typer.Context,
+    user_id: Annotated[str, typer.Argument(help="User ID to delete")],
+    confirm: Annotated[bool, typer.Option("--confirm", help="Skip confirmation prompt")] = False,
+) -> None:
+    """Delete a user."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    if not confirm:
+        if not typer.confirm(f"Delete user '{user_id}'?"):
+            raise typer.Exit(0)
+
+    try:
+        client = _get_client(actx)
+        client.auth_delete_user(user_id)
+        client.close()
+    except SupabaseError as exc:
+        out.error(str(exc))
+        raise typer.Exit(1) from exc
+
+    out.success(f"User '{user_id}' deleted")
+
+
+@app.command()
+def ban(
+    ctx: typer.Context,
+    user_id: Annotated[str, typer.Argument(help="User ID to ban")],
+) -> None:
+    """Ban a user."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    try:
+        client = _get_client(actx)
+        client.auth_update_user(user_id, ban_duration="876600h")
+        client.close()
+    except SupabaseError as exc:
+        out.error(str(exc))
+        raise typer.Exit(1) from exc
+
+    out.success(f"User '{user_id}' banned")
+
+
+@app.command()
+def unban(
+    ctx: typer.Context,
+    user_id: Annotated[str, typer.Argument(help="User ID to unban")],
+) -> None:
+    """Unban a user."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    try:
+        client = _get_client(actx)
+        client.auth_update_user(user_id, ban_duration="none")
+        client.close()
+    except SupabaseError as exc:
+        out.error(str(exc))
+        raise typer.Exit(1) from exc
+
+    out.success(f"User '{user_id}' unbanned")
+
+
+@app.command()
+def stats(ctx: typer.Context) -> None:
+    """Show auth user statistics."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    try:
+        docker = _get_docker(actx)
+        total = docker.psql("SELECT count(*) FROM auth.users")
+        confirmed = docker.psql("SELECT count(*) FROM auth.users WHERE email_confirmed_at IS NOT NULL")
+        banned = docker.psql("SELECT count(*) FROM auth.users WHERE banned_until IS NOT NULL AND banned_until > now()")
+        docker.close()
+    except DockerError as exc:
+        out.error(str(exc))
+        raise typer.Exit(1) from exc
+
+    def _extract_count(raw: str) -> str:
+        for line in raw.splitlines():
+            line = line.strip()
+            if line.isdigit():
+                return line
+        return raw.strip()
+
+    out.kv("Total users", _extract_count(total))
+    out.kv("Confirmed", _extract_count(confirmed))
+    out.kv("Banned", _extract_count(banned))
+
+
+@app.command()
+def providers(ctx: typer.Context) -> None:
+    """List configured auth providers."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    try:
+        docker = _get_docker(actx)
+        result = docker.docker_exec(
+            "auth",
+            "env | grep -i 'GOTRUE_EXTERNAL_' | sort",
+        )
+        docker.close()
+    except DockerError as exc:
+        out.error(str(exc))
+        raise typer.Exit(1) from exc
+
+    if not result.strip():
+        out.warn("No external providers configured.")
+        return
+
+    table = Table(title="Auth Providers", show_header=True, header_style="bold cyan")
+    table.add_column("Provider", style="cyan")
+    table.add_column("Status")
+
+    seen: set[str] = set()
+    for line in result.splitlines():
+        line = line.strip()
+        if "ENABLED" in line:
+            parts = line.split("=", 1)
+            var_name = parts[0]
+            enabled = parts[1].strip().lower() == "true" if len(parts) > 1 else False
+            provider = var_name.replace("GOTRUE_EXTERNAL_", "").replace("_ENABLED", "").lower()
+            if provider not in seen:
+                seen.add(provider)
+                status = "[green]enabled[/green]" if enabled else "[dim]disabled[/dim]"
+                table.add_row(provider, status)
+
+    rprint(table)
+
+
+@app.command()
+def policies(ctx: typer.Context) -> None:
+    """List RLS policies on auth schema tables."""
+    actx: AppContext = ctx.obj
+    out = actx.output
+
+    try:
+        docker = _get_docker(actx)
+        result = docker.psql(
+            "SELECT tablename, policyname, permissive, roles, cmd, qual "
+            "FROM pg_policies WHERE schemaname = 'auth' "
+            "ORDER BY tablename, policyname",
+        )
+        docker.close()
+    except DockerError as exc:
+        out.error(str(exc))
+        raise typer.Exit(1) from exc
+
+    typer.echo(result)