powerbase-cli 0.1.0__py3-none-any.whl

powerbase_cli/commands/parser.py

@@ -0,0 +1,114 @@
+from __future__ import annotations
+
+import argparse
+import sys
+
+from ..session import SessionError
+from ..transport import ApiError
+from .agent import register_agent_commands
+from .auth import register_auth_commands
+from .branch import register_branch_commands
+from .config_cmd import register_config_commands
+from .context import register_context_commands
+from .database import register_database_commands
+from .instance import register_instance_commands
+from .org import register_org_commands
+from .publish import register_publish_commands
+from .sandbox import register_sandbox_commands
+from .sql import register_sql_commands
+
+GLOBAL_OPTION_ARITY = {
+    "--config-dir": 1,
+    "--base-url": 1,
+    "--anon-key": 1,
+    "--ca-cert": 1,
+    "--insecure": 0,
+    "--json": 0,
+}
+
+
+def normalize_global_argv(argv: list[str] | None) -> list[str] | None:
+    if argv is None:
+        return None
+
+    global_args: list[str] = []
+    remaining_args: list[str] = []
+    i = 0
+    while i < len(argv):
+        token = argv[i]
+        arity = GLOBAL_OPTION_ARITY.get(token)
+        if arity is None:
+            remaining_args.append(token)
+            i += 1
+            continue
+
+        if arity == 1:
+            if i + 1 >= len(argv):
+                remaining_args.append(token)
+                i += 1
+                continue
+            global_args.append(token)
+            global_args.append(argv[i + 1])
+            i += 2
+            continue
+        global_args.append(token)
+        i += 1
+
+    return global_args + remaining_args
+
+
+def build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(
+        prog="powerbase",
+        description=(
+            "Operate Powerbase console workflows from the command line. "
+            "Default instance creation uses the managed Powerbase database flow; "
+            "`powerbase database ...` is the advanced bring-your-own-database path."
+        ),
+        epilog=(
+            "Important: values are resolved in this order: command flags, environment variables, "
+            "~/.config/powerbase files, then defaults."
+        ),
+    )
+    parser.add_argument("--config-dir", help="Override the config directory. Defaults to ~/.config/powerbase.")
+    parser.add_argument("--base-url", help="Console base URL. Overrides the built-in default console endpoint.")
+    parser.add_argument("--anon-key", help="Supabase anon key used for functions and auth requests. Overrides the built-in default.")
+    parser.add_argument(
+        "--ca-cert",
+        dest="ca_cert_file",
+        help="Path to a CA certificate PEM file to trust for HTTPS requests.",
+    )
+    parser.add_argument(
+        "--insecure",
+        action="store_true",
+        help="Disable TLS certificate verification for HTTPS requests. Use only for testing with self-signed certs.",
+    )
+    parser.add_argument("--json", action="store_true", help="Print JSON output.")
+
+    subparsers = parser.add_subparsers(dest="command")
+    register_auth_commands(subparsers)
+    register_config_commands(subparsers)
+    register_context_commands(subparsers)
+    register_org_commands(subparsers)
+    register_database_commands(subparsers)
+    register_instance_commands(subparsers)
+    register_branch_commands(subparsers)
+    register_sql_commands(subparsers)
+    register_publish_commands(subparsers)
+    register_sandbox_commands(subparsers)
+    register_agent_commands(subparsers)
+    return parser
+
+
+def main(argv: list[str] | None = None) -> int:
+    parser = build_parser()
+    raw_argv = sys.argv[1:] if argv is None else argv
+    args = parser.parse_args(normalize_global_argv(raw_argv))
+    if not hasattr(args, "handler"):
+        parser.print_help()
+        return 0
+    try:
+        return int(args.handler(args) or 0)
+    except (ApiError, SessionError, RuntimeError) as exc:
+        print(f"Error: {exc}", file=sys.stderr)
+        return 1

powerbase_cli/commands/publish.py

@@ -0,0 +1,44 @@
+from __future__ import annotations
+
+import argparse
+
+from .shared import build_api, render_output, require_instance
+
+
+def handle_publish_diff(args: argparse.Namespace) -> int:
+    _, _, context, _, api = build_api(args)
+    instance_id = require_instance(args.instance_id, context)
+    render_output(args, api.publish_diff(instance_id, args.target))
+    return 0
+
+
+def handle_publish_run(args: argparse.Namespace) -> int:
+    _, _, context, _, api = build_api(args)
+    instance_id = require_instance(args.instance_id, context)
+    sql = args.sql
+    if not sql:
+        diff = api.publish_diff(instance_id, args.target)
+        sql = diff.get("sql") or ""
+    events = list(api.publish_run(instance_id, sql, args.target))
+    render_output(args, {"events": events})
+    return 0
+
+
+def register_publish_commands(subparsers: argparse._SubParsersAction[argparse.ArgumentParser]) -> None:
+    publish = subparsers.add_parser("publish", help="Publish commands.", description="Generate diffs and publish an instance.")
+    publish_sub = publish.add_subparsers(dest="publish_command")
+    p = publish_sub.add_parser("diff", help="Show publish diff.", description="Generate publish diff for the current instance.")
+    p.add_argument("--instance-id", help="Instance ID. Falls back to context.json.")
+    p.add_argument("--target", default="prod", help="Publish target. Default: prod")
+    p.set_defaults(handler=handle_publish_diff)
+    p = publish_sub.add_parser(
+        "run",
+        help="Run publish flow.",
+        description=(
+            "Publish the current instance. If --sql is omitted, the command first runs publish diff and uses its SQL."
+        ),
+    )
+    p.add_argument("--instance-id", help="Instance ID. Falls back to context.json.")
+    p.add_argument("--target", default="prod", help="Publish target. Default: prod")
+    p.add_argument("--sql", help="Optional SQL to execute directly instead of deriving it from diff.")
+    p.set_defaults(handler=handle_publish_run)

powerbase_cli/commands/sandbox.py

@@ -0,0 +1,90 @@
+from __future__ import annotations
+
+import argparse
+
+from .shared import build_api, render_output, require_instance
+
+
+def handle_files_list(args: argparse.Namespace) -> int:
+    _, _, context, _, api = build_api(args)
+    render_output(args, api.sandbox_files_list(require_instance(args.instance_id, context), args.path, args.include_hidden))
+    return 0
+
+
+def handle_files_tree(args: argparse.Namespace) -> int:
+    _, _, context, _, api = build_api(args)
+    render_output(args, api.sandbox_files_tree(require_instance(args.instance_id, context), args.root, args.max_depth))
+    return 0
+
+
+def handle_files_read(args: argparse.Namespace) -> int:
+    _, _, context, _, api = build_api(args)
+    render_output(args, api.sandbox_files_read(require_instance(args.instance_id, context), args.path))
+    return 0
+
+
+def handle_files_create_file(args: argparse.Namespace) -> int:
+    _, _, context, _, api = build_api(args)
+    render_output(args, api.sandbox_files_create_file(require_instance(args.instance_id, context), args.path, args.content or ""))
+    return 0
+
+
+def handle_files_create_folder(args: argparse.Namespace) -> int:
+    _, _, context, _, api = build_api(args)
+    render_output(args, api.sandbox_files_create_folder(require_instance(args.instance_id, context), args.path))
+    return 0
+
+
+def handle_files_upload(args: argparse.Namespace) -> int:
+    _, _, context, _, api = build_api(args)
+    render_output(args, api.sandbox_files_upload(require_instance(args.instance_id, context), args.source, args.target_path))
+    return 0
+
+
+def handle_files_delete(args: argparse.Namespace) -> int:
+    _, _, context, _, api = build_api(args)
+    render_output(args, api.sandbox_files_delete(require_instance(args.instance_id, context), args.path))
+    return 0
+
+
+def register_sandbox_commands(subparsers: argparse._SubParsersAction[argparse.ArgumentParser]) -> None:
+    sandbox = subparsers.add_parser("sandbox", help="Sandbox commands.", description="Read or modify sandbox files.")
+    sandbox_sub = sandbox.add_subparsers(dest="sandbox_command")
+    files = sandbox_sub.add_parser("files", help="Sandbox file commands.", description="Read or modify sandbox files.")
+    files_sub = files.add_subparsers(dest="files_command")
+    p = files_sub.add_parser("list", help="List a directory.", description="List sandbox files at one path.")
+    p.add_argument("--instance-id", help="Instance ID. Falls back to context.json.")
+    p.add_argument("--path", default="/", help="Sandbox path, such as /src")
+    p.add_argument("--include-hidden", action="store_true", help="Include hidden files.")
+    p.set_defaults(handler=handle_files_list)
+    p = files_sub.add_parser("tree", help="Show file tree.", description="Show a sandbox directory tree.")
+    p.add_argument("--instance-id", help="Instance ID. Falls back to context.json.")
+    p.add_argument("--root", default="/", help="Sandbox root path.")
+    p.add_argument("--max-depth", type=int, default=3, help="Maximum depth to fetch. Default: 3")
+    p.set_defaults(handler=handle_files_tree)
+    p = files_sub.add_parser("read", help="Read one file.", description="Read one sandbox file path.")
+    p.add_argument("--instance-id", help="Instance ID. Falls back to context.json.")
+    p.add_argument("path", help="Sandbox file path, such as /src/app.tsx")
+    p.set_defaults(handler=handle_files_read)
+    p = files_sub.add_parser("create-file", help="Create a file.", description="Create a sandbox file at one path.")
+    p.add_argument("--instance-id", help="Instance ID. Falls back to context.json.")
+    p.add_argument("path")
+    p.add_argument("--content", default="", help="Initial file content.")
+    p.set_defaults(handler=handle_files_create_file)
+    p = files_sub.add_parser("create-folder", help="Create a folder.", description="Create a sandbox folder at one path.")
+    p.add_argument("--instance-id", help="Instance ID. Falls back to context.json.")
+    p.add_argument("path")
+    p.set_defaults(handler=handle_files_create_folder)
+    p = files_sub.add_parser(
+        "upload",
+        help="Upload a local file.",
+        description="Upload a local file into the sandbox. target-path is the destination directory.",
+    )
+    p.add_argument("--instance-id", help="Instance ID. Falls back to context.json.")
+    p.add_argument("source", help="Local source file path.")
+    p.add_argument("--target-path", default="/", help="Sandbox destination directory.")
+    p.set_defaults(handler=handle_files_upload)
+    p = files_sub.add_parser("delete", help="Delete a sandbox path.", description="Delete a sandbox file or folder.")
+    p.add_argument("--instance-id", help="Instance ID. Falls back to context.json.")
+    p.add_argument("path")
+    p.set_defaults(handler=handle_files_delete)

powerbase_cli/commands/shared.py

@@ -0,0 +1,152 @@
+from __future__ import annotations
+
+import argparse
+import json
+from dataclasses import asdict
+from datetime import datetime, timezone
+from typing import Any
+
+from ..api import PowerbaseApi
+from ..config import (
+    BUNDLED_CA_CERT_SENTINEL,
+    DEFAULT_ANON_KEY,
+    DEFAULT_BASE_URL,
+    AppConfig,
+    AuthSession,
+    AuthState,
+    ConfigStore,
+    ContextState,
+    load_bundled_ca_cert,
+    merge_config_with_env,
+    merge_context_with_env,
+)
+from ..session import SessionManager
+from ..transport import PowerbaseTransport
+
+
+def now_iso() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def build_store(args: argparse.Namespace) -> ConfigStore:
+    return ConfigStore(base_dir=args.config_dir)
+
+
+def resolve_config(args: argparse.Namespace, store: ConfigStore) -> AppConfig:
+    config = merge_config_with_env(store.load_config())
+    saved_auth = store.load_auth()
+    explicit_ca_cert_file = getattr(args, "ca_cert_file", None) or config.ca_cert_file
+    return AppConfig(
+        base_url=args.base_url or config.base_url or (saved_auth.base_url if saved_auth else None) or DEFAULT_BASE_URL,
+        anon_key=args.anon_key or config.anon_key or (saved_auth.anon_key if saved_auth else None) or DEFAULT_ANON_KEY,
+        output="json" if args.json else config.output,
+        tls_insecure=bool(getattr(args, "insecure", False) or config.tls_insecure),
+        # Keep explicit CA settings first. The bundled test CA is only the final fallback for the
+        # current self-signed test environment and should be removed once the deployment uses a
+        # publicly trusted certificate.
+        ca_cert_file=explicit_ca_cert_file or (BUNDLED_CA_CERT_SENTINEL if load_bundled_ca_cert() else None),
+    )
+
+
+def resolve_context(store: ConfigStore) -> ContextState:
+    return merge_context_with_env(store.load_context())
+
+
+def build_api(args: argparse.Namespace) -> tuple[ConfigStore, AppConfig, ContextState, SessionManager, PowerbaseApi]:
+    store = build_store(args)
+    config = resolve_config(args, store)
+    context = resolve_context(store)
+    session_manager = SessionManager(
+        store,
+        config.base_url,
+        config.anon_key,
+        tls_insecure=config.tls_insecure,
+        ca_cert_file=config.ca_cert_file,
+    )
+    api = PowerbaseApi(PowerbaseTransport(config, session_manager))
+    return store, config, context, session_manager, api
+
+
+def render_output(args: argparse.Namespace, data: Any) -> None:
+    if isinstance(data, str):
+        print(data)
+        return
+    print(json.dumps(data, indent=2, ensure_ascii=False))
+
+
+def require_instance(instance_id: str | None, context: ContextState) -> str:
+    resolved = instance_id or context.instance_id
+    if not resolved:
+        raise RuntimeError(
+            "instance_id is required. Pass --instance-id or set one with `powerbase context use-instance`."
+        )
+    return resolved
+
+
+def resolve_branch(branch: str | None, context: ContextState) -> str | None:
+    return branch or context.branch
+
+
+def load_sql(sql: str | None, sql_file: str | None) -> str:
+    if sql_file:
+        return open(sql_file, "r", encoding="utf-8").read()
+    if not sql:
+        raise RuntimeError("SQL is required. Pass --sql or --sql-file.")
+    if sql.startswith("@"):
+        return open(sql[1:], "r", encoding="utf-8").read()
+    return sql
+
+
+def load_text(value: str | None, file_path: str | None, *, required_message: str) -> str:
+    if file_path:
+        return open(file_path, "r", encoding="utf-8").read()
+    if value:
+        if value.startswith("@"):
+            return open(value[1:], "r", encoding="utf-8").read()
+        return value
+    raise RuntimeError(required_message)
+
+
+def load_json_document(file_path: str) -> dict[str, Any]:
+    with open(file_path, "r", encoding="utf-8") as fh:
+        data = json.load(fh)
+    if not isinstance(data, dict):
+        raise RuntimeError("JSON document must be an object.")
+    return data
+
+
+def parse_json_specs(raw_values: list[str] | None, *, label: str) -> list[dict[str, Any]]:
+    parsed: list[dict[str, Any]] = []
+    for raw in raw_values or []:
+        try:
+            item = json.loads(raw)
+        except json.JSONDecodeError as exc:
+            raise RuntimeError(f"Invalid {label} JSON: {raw}") from exc
+        if not isinstance(item, dict):
+            raise RuntimeError(f"Each {label} must be a JSON object.")
+        parsed.append(item)
+    return parsed
+
+
+__all__ = [
+    "AppConfig",
+    "AuthSession",
+    "AuthState",
+    "ConfigStore",
+    "ContextState",
+    "PowerbaseApi",
+    "SessionManager",
+    "asdict",
+    "build_api",
+    "build_store",
+    "load_json_document",
+    "load_sql",
+    "load_text",
+    "now_iso",
+    "parse_json_specs",
+    "render_output",
+    "require_instance",
+    "resolve_branch",
+    "resolve_config",
+    "resolve_context",
+]

powerbase_cli/commands/sql.py

@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+import argparse
+
+from .shared import build_api, load_sql, render_output, require_instance, resolve_branch
+
+
+def handle_sql_run(args: argparse.Namespace) -> int:
+    _, _, context, _, api = build_api(args)
+    instance_id = require_instance(args.instance_id, context)
+    branch = resolve_branch(args.branch_name, context) or "main"
+    sql = load_sql(args.sql, args.sql_file)
+    render_output(args, api.run_sql(instance_id, sql, branch))
+    return 0
+
+
+def register_sql_commands(subparsers: argparse._SubParsersAction[argparse.ArgumentParser]) -> None:
+    sql = subparsers.add_parser("sql", help="Run SQL.", description="Run SQL against an instance branch.")
+    sql_sub = sql.add_subparsers(dest="sql_command")
+    p = sql_sub.add_parser(
+        "run",
+        help="Run SQL.",
+        description=(
+            "Run SQL against the current instance. Pass --sql directly, or use --sql-file. "
+            "If you omit --instance-id, the saved context instance_id is used."
+        ),
+    )
+    p.add_argument("--instance-id", help="Instance ID. Falls back to context.json.")
+    p.add_argument("--branch", dest="branch_name", help="Branch slug. Falls back to context.json or main.")
+    p.add_argument("--sql", help="Inline SQL string. Prefix with @ to load from a file.")
+    p.add_argument("--sql-file", help="Path to a SQL file.")
+    p.set_defaults(handler=handle_sql_run)

powerbase_cli/config.py

@@ -0,0 +1,239 @@
+from __future__ import annotations
+
+import importlib.resources
+import json
+import os
+from dataclasses import asdict, dataclass
+from pathlib import Path
+from typing import Any
+
+try:
+    import tomllib
+except ModuleNotFoundError:  # pragma: no cover
+    tomllib = None  # type: ignore[assignment]
+
+DEFAULT_BASE_URL = "https://console.6.12.235.165.nip.io"
+DEFAULT_ANON_KEY = "reallyreallyreallyreallyverysafe"
+# This bundled CA is only for the self-signed test deployment so `pip install powerbase-cli`
+# can work out of the box. Remove it after the deployed console switches to a publicly trusted
+# TLS certificate, then delete the bundled PEM file and its package-data entry as well.
+BUNDLED_CA_CERT_SENTINEL = "<bundled test CA>"
+BUNDLED_CA_CERT_RESOURCE = "certs/powerbase-test-ca.pem"
+
+
+def default_config_dir() -> Path:
+    env_dir = os.environ.get("POWERBASE_CONFIG_DIR")
+    if env_dir:
+        return Path(env_dir).expanduser()
+    return Path.home() / ".config" / "powerbase"
+
+
+@dataclass
+class AppConfig:
+    base_url: str | None = DEFAULT_BASE_URL
+    anon_key: str | None = DEFAULT_ANON_KEY
+    output: str = "text"
+    tls_insecure: bool = False
+    ca_cert_file: str | None = None
+
+
+@dataclass
+class AuthSession:
+    access_token: str
+    refresh_token: str | None = None
+    token_type: str = "bearer"
+    expires_at: int | None = None
+
+
+@dataclass
+class AuthState:
+    source: str
+    session: AuthSession
+    base_url: str | None = None
+    anon_key: str | None = None
+    user: dict[str, Any] | None = None
+    updated_at: str | None = None
+
+
+@dataclass
+class ContextState:
+    instance_id: str | None = None
+    org_id: str | None = None
+    branch: str | None = None
+    updated_at: str | None = None
+
+
+def _as_path(path: str | Path | None) -> Path:
+    if path is None:
+        return default_config_dir()
+    return Path(path).expanduser()
+
+
+def env_flag(name: str) -> bool:
+    value = os.environ.get(name)
+    if value is None:
+        return False
+    return value.strip().lower() in {"1", "true", "yes", "on"}
+
+
+def load_bundled_ca_cert() -> str | None:
+    # The PEM contents are loaded at runtime so test builds can trust the packaged self-signed CA
+    # without asking end users to pass `--ca-cert`. Once the server uses a trusted certificate,
+    # this helper and its callers can be removed.
+    try:
+        resource = importlib.resources.files("powerbase_cli").joinpath(BUNDLED_CA_CERT_RESOURCE)
+        if not resource.is_file():
+            return None
+        return resource.read_text(encoding="utf-8")
+    except (FileNotFoundError, ModuleNotFoundError):
+        return None
+
+
+class ConfigStore:
+    def __init__(self, base_dir: str | Path | None = None) -> None:
+        self.base_dir = _as_path(base_dir)
+        self.config_path = self.base_dir / "config.toml"
+        self.auth_path = self.base_dir / "auth.json"
+        self.context_path = self.base_dir / "context.json"
+
+    def ensure_base_dir(self) -> None:
+        self.base_dir.mkdir(parents=True, exist_ok=True)
+
+    def load_config(self) -> AppConfig:
+        if not self.config_path.exists():
+            return AppConfig(base_url=None, anon_key=None)
+        if tomllib is None:
+            raise RuntimeError("tomllib is required to read config.toml")
+        data = tomllib.loads(self.config_path.read_text(encoding="utf-8"))
+        return AppConfig(
+            base_url=data.get("base_url"),
+            anon_key=data.get("anon_key"),
+            output=data.get("output", "text"),
+            tls_insecure=bool(data.get("tls_insecure", False)),
+            ca_cert_file=data.get("ca_cert_file"),
+        )
+
+    def save_config(self, config: AppConfig) -> None:
+        self.ensure_base_dir()
+        lines = []
+        if config.base_url and config.base_url != DEFAULT_BASE_URL:
+            lines.append(f'base_url = "{config.base_url}"')
+        if config.anon_key and config.anon_key != DEFAULT_ANON_KEY:
+            lines.append(f'anon_key = "{config.anon_key}"')
+        if config.output:
+            lines.append(f'output = "{config.output}"')
+        if config.tls_insecure:
+            lines.append("tls_insecure = true")
+        if config.ca_cert_file:
+            lines.append(f'ca_cert_file = "{config.ca_cert_file}"')
+        self.config_path.write_text("\n".join(lines) + ("\n" if lines else ""), encoding="utf-8")
+
+    def load_auth(self) -> AuthState | None:
+        if not self.auth_path.exists():
+            return None
+        data = json.loads(self.auth_path.read_text(encoding="utf-8"))
+        session_data = data.get("session") or {
+            "access_token": data.get("access_token"),
+            "refresh_token": data.get("refresh_token"),
+            "token_type": data.get("token_type", "bearer"),
+            "expires_at": data.get("expires_at"),
+        }
+        if not session_data.get("access_token"):
+            return None
+        return AuthState(
+            source=data.get("source", "file"),
+            base_url=data.get("base_url"),
+            anon_key=data.get("anon_key"),
+            session=AuthSession(
+                access_token=session_data["access_token"],
+                refresh_token=session_data.get("refresh_token"),
+                token_type=session_data.get("token_type", "bearer"),
+                expires_at=session_data.get("expires_at"),
+            ),
+            user=data.get("user"),
+            updated_at=data.get("updated_at"),
+        )
+
+    def save_auth(self, auth: AuthState) -> None:
+        self.ensure_base_dir()
+        payload = {
+            "version": 1,
+            "source": auth.source,
+            "base_url": auth.base_url,
+            "anon_key": auth.anon_key,
+            "session": asdict(auth.session),
+            "user": auth.user,
+            "updated_at": auth.updated_at,
+        }
+        self.auth_path.write_text(json.dumps(payload, indent=2) + "\n", encoding="utf-8")
+
+    def clear_auth(self) -> None:
+        if self.auth_path.exists():
+            self.auth_path.unlink()
+
+    def load_context(self) -> ContextState:
+        if not self.context_path.exists():
+            return ContextState()
+        data = json.loads(self.context_path.read_text(encoding="utf-8"))
+        return ContextState(
+            instance_id=data.get("instance_id"),
+            org_id=data.get("org_id"),
+            branch=data.get("branch"),
+            updated_at=data.get("updated_at"),
+        )
+
+    def save_context(self, context: ContextState) -> None:
+        self.ensure_base_dir()
+        self.context_path.write_text(json.dumps(asdict(context), indent=2) + "\n", encoding="utf-8")
+
+    def clear_context(self, *, instance: bool = False, org: bool = False, branch: bool = False) -> ContextState:
+        context = self.load_context()
+        if not any([instance, org, branch]):
+            context = ContextState()
+        else:
+            if instance:
+                context.instance_id = None
+            if org:
+                context.org_id = None
+            if branch:
+                context.branch = None
+        self.save_context(context)
+        return context
+
+
+def env_auth_state() -> AuthState | None:
+    access_token = os.environ.get("POWERBASE_ACCESS_TOKEN")
+    if not access_token:
+        return None
+    refresh_token = os.environ.get("POWERBASE_REFRESH_TOKEN")
+    expires_at_raw = os.environ.get("POWERBASE_EXPIRES_AT")
+    expires_at = int(expires_at_raw) if expires_at_raw and expires_at_raw.isdigit() else None
+    return AuthState(
+        source="env",
+        base_url=os.environ.get("POWERBASE_BASE_URL"),
+        anon_key=os.environ.get("POWERBASE_ANON_KEY"),
+        session=AuthSession(
+            access_token=access_token,
+            refresh_token=refresh_token,
+            expires_at=expires_at,
+        ),
+    )
+
+
+def merge_config_with_env(config: AppConfig) -> AppConfig:
+    return AppConfig(
+        base_url=os.environ.get("POWERBASE_BASE_URL") or config.base_url,
+        anon_key=os.environ.get("POWERBASE_ANON_KEY") or config.anon_key,
+        output=os.environ.get("POWERBASE_OUTPUT") or config.output,
+        tls_insecure=env_flag("POWERBASE_TLS_INSECURE") or config.tls_insecure,
+        ca_cert_file=os.environ.get("POWERBASE_CA_CERT_FILE") or config.ca_cert_file,
+    )
+
+
+def merge_context_with_env(context: ContextState) -> ContextState:
+    return ContextState(
+        instance_id=os.environ.get("POWERBASE_INSTANCE_ID") or context.instance_id,
+        org_id=os.environ.get("POWERBASE_ORG_ID") or context.org_id,
+        branch=os.environ.get("POWERBASE_BRANCH") or context.branch,
+        updated_at=context.updated_at,
+    )