chore: update supabase config, docs, deps, and security overrides

[gaboesquivel]

Summary by CodeRabbit

• New Features

  • Added a unified local DB "reset" command that runs reset, migrations, and seeding; added a seed script for idempotent data initialization.

• Documentation

  • Updated READMEs and ADRs with a clearer local Supabase/Postgres workflow and reset/migrate/seed guidance.

• Chores

  • Tightened dependency/version overrides and added React dev tooling and test runner config tweaks.
  • Pinned an external reference script to a stable version.

• Tests

  • Improved end-to-end auth test helper for more reliable login verification.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
basilic-fastify	Ready	Preview, Comment	Mar 23, 2026 10:38pm

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
basilic-docs	Ignored	Preview	Mar 23, 2026 10:38pm
basilic-next	Ignored	Preview	Mar 23, 2026 10:38pm

[coderabbitai]

Walkthrough

Introduces a unified local DB reset workflow (pnpm reset) that runs Supabase DB reset, applies Drizzle migrations, and runs a new idempotent seed script; updates Supabase config, docs, monorepo scripts/overrides, adds seed/migrate guidance, and adjusts React vitest config and dev deps.

Changes

Cohort / File(s)	Summary
API Reset & Seed apps/api/README.md, apps/api/package.json, apps/api/scripts/migrate.ts, apps/api/scripts/seed.ts	Added scripts/seed.ts (exported runSeed) and a unified reset script that runs supabase db reset, Drizzle migrations with RUN_PG_MIGRATE=true, then executes the seed. Updated migrate guidance text to reference pnpm reset.
Supabase config apps/api/supabase/config.toml, apps/api/drizzle.config.ts	Changed project_id to "basilic-api", disabled automatic [db.seed] seeding and removed sql_paths. Added top-file comment to drizzle.config.ts documenting migrations/schema ownership.
Monorepo scripts & overrides package.json, README.md	Added root reset script (pnpm --filter @repo/api reset) and updated pnpm.overrides (pins/updates for flatted, h3, socket.io-parser, undici, and next entry). Documented reset in README.
Documentation updates apps/docu/.../adrs/008-database.mdx, apps/docu/content/docs/architecture/api.mdx, apps/docu/content/docs/development/index.mdx, apps/docu/README.md, scripts/README.md	Documented the new pnpm reset workflow, clarified when migrations run (build vs dev), noted pnpm db:stop before switching Supabase instances, and updated setup guidance to reference ADR 008 and API README.
React test tooling packages/react/vitest.config.ts, packages/react/package.json	Enabled React Vite plugin and dev dependency @vitejs/plugin-react; adjusted Vite resolve settings (preserveSymlinks, dedupe) and added explicit react/react-dom aliases for Vitest.
API template & tests apps/api/src/routes/reference/template.ts, apps/api/test/swagger-login.e2e.spec.ts	Locked API reference script to a fixed version and added waitForReferenceAuthSettled test helper; updated magic-link URL construction and test wait logic.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer (CLI)
  participant Supabase as Supabase CLI
  participant DB as Local Postgres
  participant Drizzle as Drizzle Migrations
  participant Seed as scripts/seed.ts

  Dev->>Supabase: pnpm reset -> supabase db reset
  Supabase->>DB: recreate database
  Dev->>Drizzle: RUN_PG_MIGRATE=true pnpm db:migrate (uses DATABASE_URL)
  Drizzle->>DB: apply migrations
  Drizzle-->>Dev: migrations complete
  Dev->>Seed: node ... scripts/seed.ts (runSeed)
  Seed->>DB: connect and apply idempotent seed operations
  Seed-->>Dev: seed complete

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through configs, docs, and seed,
One pnpm reset to plant the seed,
Supabase sleeps, migrations run,
Data sown, the reset's done! 🌱

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title is overly broad and uses vague terminology. It mentions 'supabase config, docs, deps, and security overrides' as separate items, but the changeset's primary focus is refactoring database workflows (adding pnpm reset script, updating Supabase project_id, disabling seed in config, updating migration/seed scripts) and documentation updates. The title does not clearly communicate the main objective of consolidating database reset/migration/seeding workflows.	Use a more specific title that highlights the main change, such as 'refactor: consolidate database reset and migration workflow with pnpm reset' or 'chore: update database workflow and add pnpm reset command' to better communicate the primary intent.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch supa

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

apps/docu/content/docs/adrs/008-database.mdx (1)

197-197: Consider removing hardcoded project_id.

Hardcoding project_id: basilic-api creates maintenance overhead if the project is renamed again. Consider referencing the config file location instead:

-For local Postgres via Supabase CLI (`project_id: basilic-api` in `apps/api/supabase/config.toml`):
+For local Postgres via Supabase CLI (see `project_id` in `apps/api/supabase/config.toml`):

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/docu/content/docs/adrs/008-database.mdx` at line 197, Remove the
hardcoded project_id value "project_id: basilic-api" and instead point readers
to the Supabase CLI configuration (the config.toml) or show a
placeholder/env-var (e.g., ${PROJECT_ID}) so the ADR references the config
location rather than a literal project name; update the line containing
"project_id: basilic-api" to either reference the config file location or use a
placeholder/env variable and add a short note on where to set it.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/api/README.md`:
- Around line 35-37: The README incorrectly claims "Seeding via Drizzle" while
no seed implementation exists; either update docs or add a proper Drizzle seed
flow: create a new seed script (e.g. scripts/seed.ts) that exports a seed
function and inserts required rows using your Drizzle client, add seed
configuration to drizzle.config.ts (or ensure the seed runner references the
seed file), update scripts/migrate.ts (or package.json scripts referenced by
pnpm db:reset-and-migrate) to invoke the seed runner after migrations, and then
update the README to accurately state whether seeding is automatic or manual;
reference drizzle.config.ts, scripts/migrate.ts, and the new scripts/seed.ts (or
the updated package.json script) when making changes.

---

Nitpick comments:
In `@apps/docu/content/docs/adrs/008-database.mdx`:
- Line 197: Remove the hardcoded project_id value "project_id: basilic-api" and
instead point readers to the Supabase CLI configuration (the config.toml) or
show a placeholder/env-var (e.g., ${PROJECT_ID}) so the ADR references the
config location rather than a literal project name; update the line containing
"project_id: basilic-api" to either reference the config file location or use a
placeholder/env variable and add a short note on where to set it.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4d642628-8d5d-4954-99ea-e31ad4633531

📥 Commits

Reviewing files that changed from the base of the PR and between f89bca4 and 97183fa.

⛔ Files ignored due to path filters (2)

• apps/web/.env.development is excluded by !**/.env*
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !**/pnpm-lock.yaml

📒 Files selected for processing (6)

• apps/api/README.md
• apps/api/supabase/config.toml
• apps/docu/content/docs/adrs/008-database.mdx
• apps/docu/package.json
• apps/web/package.json
• package.json

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/api/package.json`:
- Line 38: The reset npm script ("reset") currently hardcodes DB credentials in
the DATABASE_URL; remove the inline "postgres:postgres@.../postgres" and instead
read DATABASE_URL from the environment (or a secure .env) at runtime: update the
"reset" script to reference the existing environment variable (or use a
mechanism like cross-env if needed) so no credentials are committed, and ensure
downstream commands (pnpm db:migrate and scripts/seed.ts) continue to rely on
process.env.DATABASE_URL rather than an inline URL.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 38c2f436-cc08-48ce-b656-f54e7c4cffa8

📥 Commits

Reviewing files that changed from the base of the PR and between 97183fa and 86b75ae.

📒 Files selected for processing (17)

• README.md
• apps/api/README.md
• apps/api/drizzle.config.ts
• apps/api/package.json
• apps/api/scripts/migrate.ts
• apps/api/scripts/seed.ts
• apps/api/supabase/config.toml
• apps/docu/README.md
• apps/docu/content/docs/adrs/008-database.mdx
• apps/docu/content/docs/architecture/api.mdx
• apps/docu/content/docs/development/index.mdx
• package.json
• packages/react/src/hooks/use-link-email.test.tsx
• packages/react/src/hooks/use-verify-link-wallet.test.tsx
• packages/react/src/hooks/use-verify-web3-auth.test.tsx
• packages/react/vitest.config.ts
• scripts/README.md

💤 Files with no reviewable changes (3)

• packages/react/src/hooks/use-link-email.test.tsx
• packages/react/src/hooks/use-verify-web3-auth.test.tsx
• packages/react/src/hooks/use-verify-link-wallet.test.tsx

✅ Files skipped from review due to trivial changes (8)

• apps/docu/README.md
• apps/api/drizzle.config.ts
• packages/react/vitest.config.ts
• scripts/README.md
• apps/docu/content/docs/architecture/api.mdx
• README.md
• apps/api/scripts/migrate.ts
• apps/docu/content/docs/development/index.mdx

🚧 Files skipped from review as they are similar to previous changes (3)

• apps/api/supabase/config.toml
• apps/api/README.md
• package.json

[coderabbitai]

♻️ Duplicate comments (1)

apps/api/package.json (1)

38-38: ⚠️ Potential issue | 🟠 Major

Remove inline DB credentials from the reset script.

Line 38 hardcodes postgres:postgres inside DATABASE_URL. Even for local-only values, this should come from env to avoid committed credentials and scanner noise.

🔧 Proposed fix

-    "reset": "supabase db reset && RUN_PG_MIGRATE=true DATABASE_URL=\"postgresql://postgres:postgres@127.0.0.1:54322/postgres\" sh -c 'pnpm db:migrate && node --import tsx scripts/seed.ts'",
+    "reset": "supabase db reset && sh -c ': \"${DATABASE_URL:?Set DATABASE_URL}\" && RUN_PG_MIGRATE=true pnpm db:migrate && node --import tsx scripts/seed.ts'",

As per coding guidelines, “Validate env vars with t3-oss and prefer app-local env (apps/api/lib/env.ts) with defaults over scattered global constants.”

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/api/package.json` at line 38, The "reset" npm script in package.json
currently embeds DB creds in the DATABASE_URL string; remove the hardcoded
credentials and wire the script to use the validated env value from your
app-local env (apps/api/lib/env.ts) or a DATABASE_URL environment variable
instead. Update the "reset" script (the "reset" entry in package.json) to
reference process env rather than inline credentials and ensure
apps/api/lib/env.ts (t3-oss validation) provides a safe default for local dev,
then run pnpm db:migrate and node --import tsx scripts/seed.ts using that env
value so no credentials are committed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@apps/api/package.json`:
- Line 38: The "reset" npm script in package.json currently embeds DB creds in
the DATABASE_URL string; remove the hardcoded credentials and wire the script to
use the validated env value from your app-local env (apps/api/lib/env.ts) or a
DATABASE_URL environment variable instead. Update the "reset" script (the
"reset" entry in package.json) to reference process env rather than inline
credentials and ensure apps/api/lib/env.ts (t3-oss validation) provides a safe
default for local dev, then run pnpm db:migrate and node --import tsx
scripts/seed.ts using that env value so no credentials are committed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2a51cdd2-5daa-4603-bcc6-9d5fbc65d340

📥 Commits

Reviewing files that changed from the base of the PR and between 86b75ae and 3134fc0.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !**/pnpm-lock.yaml

📒 Files selected for processing (15)

• README.md
• apps/api/README.md
• apps/api/drizzle.config.ts
• apps/api/package.json
• apps/api/scripts/migrate.ts
• apps/api/scripts/seed.ts
• apps/api/supabase/config.toml
• apps/docu/README.md
• apps/docu/content/docs/adrs/008-database.mdx
• apps/docu/content/docs/architecture/api.mdx
• apps/docu/content/docs/development/index.mdx
• package.json
• packages/react/package.json
• packages/react/vitest.config.ts
• scripts/README.md

✅ Files skipped from review due to trivial changes (10)

• packages/react/package.json
• apps/docu/README.md
• apps/api/drizzle.config.ts
• apps/docu/content/docs/architecture/api.mdx
• scripts/README.md
• README.md
• apps/api/scripts/migrate.ts
• apps/docu/content/docs/development/index.mdx
• apps/api/README.md
• apps/docu/content/docs/adrs/008-database.mdx

🚧 Files skipped from review as they are similar to previous changes (2)

• apps/api/supabase/config.toml
• apps/api/scripts/seed.ts

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

apps/api/test/swagger-login.e2e.spec.ts (1)

26-28: Use explicit Page type from @playwright/test instead of ReturnType<typeof test>['page'].

Lines 10 and 27 use ReturnType<typeof test>['page'] for helper function parameters. Import type { Page } from '@playwright/test' directly—it's more readable and idiomatic in Playwright tests.

import type { Page } from '@playwright/test'

Then replace both instances with the Page type.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/api/test/swagger-login.e2e.spec.ts` around lines 26 - 28, Replace the
non-idiomatic parameter typing that uses ReturnType<typeof test>['page'] with
Playwright's explicit Page type: add import type { Page } from
'@playwright/test' at the top of the file and update the helper function
signatures (e.g., waitForReferenceAuthSettled and the other helper at the top of
the file) to accept page: Page instead of ReturnType<typeof test>['page'].

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/api/test/swagger-login.e2e.spec.ts`:
- Around line 33-39: The page.evaluate callback that currently checks
localStorage.getItem('scalar-token') and that u.pathname === '/reference' only
asserts that the 'token' query param is removed; update the assertion inside the
page.evaluate (the function using new URL(window.location.href) and
u.searchParams.has('token')) to also verify that 'verificationId' has been
removed (i.e., ensure both !u.searchParams.has('token') and
!u.searchParams.has('verificationId')) so the callback URL cleanup is fully
validated.

---

Nitpick comments:
In `@apps/api/test/swagger-login.e2e.spec.ts`:
- Around line 26-28: Replace the non-idiomatic parameter typing that uses
ReturnType<typeof test>['page'] with Playwright's explicit Page type: add import
type { Page } from '@playwright/test' at the top of the file and update the
helper function signatures (e.g., waitForReferenceAuthSettled and the other
helper at the top of the file) to accept page: Page instead of ReturnType<typeof
test>['page'].

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9950ded5-e223-4d37-8bdd-6eb8477bdd05

📥 Commits

Reviewing files that changed from the base of the PR and between 3134fc0 and 018edf6.

📒 Files selected for processing (2)

• apps/api/src/routes/reference/template.ts
• apps/api/test/swagger-login.e2e.spec.ts

✅ Files skipped from review due to trivial changes (1)

• apps/api/src/routes/reference/template.ts