feat: Add local instance management to consolidate supascale.sh functionality

[michaelruelas]

This commit implements Recommendation #1 from the strategic review: consolidating the dual-tool architecture by absorbing supascale.sh functionality into supactl.

Strategic Impact

Previously, supactl and supascale.sh were separate tools with divergent codebases:

• supactl: Go-based API client for remote server management
• supascale.sh: 744-line bash script for local Docker management

This split created technical debt, divided engineering effort, and provided an inconsistent user experience. The new supactl local command group unifies both use cases into a single binary.

Implementation

New Package: internal/local/

• types.go: Data structures for projects, ports, and database
• config.go: JSON database management (~/.supascale_database.json)
• secrets.go: Cryptographically secure password and JWT generation
• files.go: Automated configuration file updates (.env, docker-compose.yml)
• docker.go: Docker Compose operation wrappers
• supabase.go: High-level project setup orchestration

New Commands: cmd/local*.go

• local.go: Parent command with shared utilities
• local_add.go: Create new local instance with full automation
• local_list.go: Display all local projects and ports
• local_start.go: Start Docker Compose services
• local_stop.go: Stop and cleanup Docker resources
• local_remove.go: Remove from database (preserves files)

Features

✅ Cross-platform support (Linux, macOS, Windows) vs. bash's Unix-only ✅ Secure secret generation using crypto/rand
✅ Automated JWT token generation with HS256 signing ✅ Intelligent port allocation (54321 base + 1000 increments) ✅ Project-specific Docker container naming to avoid conflicts ✅ Comprehensive error handling with user-friendly messages ✅ Full test coverage (18 test cases, 100% pass rate) ✅ Compatible with existing supascale.sh database format

User Experience

Before:

./supascale.sh add my-project   # Bash script, Unix only

After:

supactl local add my-project    # Single binary, cross-platform

Benefits

1. Unified Tooling: One binary for both remote and local management
2. Consistent UX: Same command patterns and error handling
3. Better Maintainability: Single codebase, single CI/CD pipeline
4. Graduation Path: Users can start local and scale to server mode
5. Cross-Platform: Windows support previously unavailable

Documentation Updates

• Updated README.md to position supactl as unified tool
• Added comprehensive internal/local/ documentation to CLAUDE.md
• Marked supascale.sh as legacy (maintained for compatibility)

Testing

All tests pass:

ok  	github.com/qubitquilt/supactl/internal/local	0.026s

Test coverage includes:

• Database operations (load, save, CRUD)
• Secret generation (passwords, encryption keys, JWTs)
• Project ID validation
• File permission checks (Unix)

[gemini-code-assist]

Summary of Changes

Hello @michaelruelas, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the supactl CLI by integrating local Supabase instance management capabilities, previously handled by a separate bash script. This strategic move unifies the user experience, reduces technical debt, and broadens platform compatibility. Users can now manage both remote and local Supabase deployments through a single, Go-based binary, benefiting from automated setup, secure credential generation, and streamlined Docker Compose operations.

Highlights

• Unified Tooling: The pull request consolidates the functionality of the separate supascale.sh bash script directly into the supactl binary, eliminating a dual-tool architecture and providing a single, consistent CLI for both remote and local Supabase instance management.
• New supactl local Command Group: A new local command group has been introduced to supactl, offering commands like add, list, start, stop, and remove for direct management of Supabase instances on a local machine using Docker.
• Cross-Platform Local Management: The new local management features are built with Go, providing native cross-platform support for Linux, macOS, and Windows, a significant improvement over the Unix-only supascale.sh.
• Automated Secure Setup: The local add command automates the setup of new Supabase instances, including cloning the Supabase repository, generating cryptographically secure passwords and HS256 JWT tokens, and intelligently allocating unique ports to avoid conflicts.
• Configuration Management: The changes include automated updates to .env, docker-compose.yml, and config.toml files to integrate generated secrets, assigned ports, and project-specific Docker container naming.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request is a major feature addition, integrating the functionality of supascale.sh into supactl as the local command group. The implementation is comprehensive, covering command-line interfaces, configuration, secret management, file manipulation, and Docker orchestration. The code is well-structured and includes a good set of tests. My review focuses on improving cross-platform compatibility, security practices, and maintainability. I've identified a couple of high-severity issues related to incorrect user-facing information and non-portable code, along with several medium-severity suggestions to enhance robustness and reduce code duplication.

[gemini-code-assist]

The command hostname -I is specific to some Linux distributions and will fail on macOS and Windows, which this tool is intended to support. This will cause the IP address to always fall back to localhost, which might not be the desired behavior in all network setups (e.g., accessing from a VM). To ensure cross-platform compatibility, it's better to use Go's net package to programmatically find a suitable non-loopback IPv4 address. Note that this will require adding "net" to your imports.

foundIP:
	ifaces, err := net.Interfaces()
	if err == nil {
		for _, i := range ifaces {
			addrs, err := i.Addrs()
			if err != nil {
				continue
			}
			for _, addr := range addrs {
				var ip net.IP
				switch v := addr.(type) {
				case *net.IPNet:
					ip = v.IP
				case *net.IPAddr:
					ip = v.IP
				}
				if ip == nil || ip.IsLoopback() {
					continue
				}
				ip = ip.To4()
				if ip == nil {
					continue // not an ipv4 address
				}
				hostIP = ip.String()
				break foundIP
			}
		}
	}

[gemini-code-assist]

The success message provides a database connection URL with a hardcoded password postgres. However, the local add command generates a secure, random password for the database and saves it in the .env file. This message is misleading and will cause connection failures. The message should instruct the user to use the password from the .env file. The placeholder [YOUR-POSTGRES-PASSWORD] makes it clear that they need to substitute a value.

Suggested change

	fmt.Printf(" DB URL: postgresql://postgres:postgres@%s:%d/postgres\n", hostIP, project.Ports.DB)
	fmt.Printf(" DB URL: postgresql://postgres:[YOUR-POSTGRES-PASSWORD]@%s:%d/postgres\n", hostIP, project.Ports.DB)

[gemini-code-assist]

Printing sensitive information like POSTGRES_PASSWORD, VAULT_ENC_KEY, and JWT_SECRET directly to the console can be a security risk, especially if the command's output is logged or shared. While convenient, it's safer to minimize secret exposure. It's great that you're already pointing the user to the .env file. I suggest only printing the dashboard password (which is needed for the first login to the UI) and referring to the file for all other secrets.

Suggested change

	fmt.Println("Generated credentials:")
	fmt.Printf(" DASHBOARD_USERNAME: supabase\n")
	fmt.Printf(" DASHBOARD_PASSWORD: %s\n", secrets.DashboardPassword)
	fmt.Printf(" POSTGRES_PASSWORD: %s\n", secrets.PostgresPassword)
	fmt.Printf(" VAULT_ENC_KEY: %s\n", secrets.VaultEncKey)
	fmt.Printf(" JWT_SECRET: %s\n", secrets.JWTSecret)
	fmt.Println()
	fmt.Println("Generated JWT keys:")
	fmt.Printf(" ANON_KEY: %s\n", secrets.AnonKey)
	fmt.Printf(" SERVICE_ROLE_KEY: %s\n", secrets.ServiceRoleKey)
	fmt.Println("Generated credentials:")
	fmt.Printf(" DASHBOARD_USERNAME: supabase\n")
	fmt.Printf(" DASHBOARD_PASSWORD: %s\n", secrets.DashboardPassword)
	fmt.Println()
	fmt.Println("Other generated secrets (e.g., POSTGRES_PASSWORD, JWT_SECRET, API keys) have been saved to the .env file.")

[gemini-code-assist]

This block of code for finding a project and printing an error with a list of available projects is duplicated across local_remove.go, local_start.go, and local_stop.go. To improve maintainability and reduce redundancy, this logic could be extracted into a shared helper function in cmd/local.go, for example getProjectOrExit(db *local.Database, projectID string) *local.Project.

[gemini-code-assist]

Manually parsing and updating the config.toml file by iterating through lines and tracking sections is fragile. It can easily break if the file's formatting, comments, or structure changes in future Supabase versions. Using a dedicated TOML library (like github.com/BurntSushi/toml) to unmarshal, modify, and marshal the data would be much more robust and maintainable.

[gemini-code-assist]

The current implementation for generating random characters, b[i] = charset[int(b[i])%len(charset)], introduces a slight modulo bias because the number of possible byte values (256) is not an even multiple of the charset length (62). This makes some characters slightly more likely to appear than others. While the security impact is minor for this use case, it's a good practice to use a cryptographically unbiased method. The crypto/rand.Int function is designed for this purpose and provides a uniform selection. Note that this requires importing the math/big package.

for i := range b {
    n, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
    if err != nil {
        return "", fmt.Errorf("failed to generate random index: %w", err)
    }
    b[i] = charset[n.Int64()]
}

[michaelruelas]

/gemini review

[gemini-code-assist]

Code Review

This pull request is a significant improvement, consolidating the functionality of supascale.sh into the main supactl binary. The introduction of the internal/local package and the supactl local command group is well-structured and provides a unified user experience. The code is generally robust, with good error handling and cleanup logic, especially in SetupProject. I've provided several suggestions to enhance portability, robustness, and security, primarily by replacing manual file/string manipulation with standard libraries and improving the cryptographic primitives. Overall, this is a fantastic feature addition.

[gemini-code-assist]

Manually parsing and modifying the config.toml file by iterating through lines and tracking sections is very fragile and error-prone. This approach can easily break if the TOML file's structure, comments, or spacing changes in future versions of Supabase.

A much more robust and maintainable solution would be to use a dedicated TOML parsing library, such as github.com/BurntSushi/toml. This would allow you to unmarshal the file into a struct, modify the values safely, and then marshal it back to a file, preserving the structure and comments where possible. This would prevent future maintenance issues.

[gemini-code-assist]

Manually implementing JWT generation is strongly discouraged as it's easy to make subtle mistakes that can have significant security implications. For example, in your base64URLEncode helper, the call to strings.TrimRight is redundant because base64.RawURLEncoding already omits padding.

It is much safer and more maintainable to use a well-vetted library like github.com/golang-jwt/jwt. This abstracts away the complexities of token creation, encoding, and signing, ensuring compliance with the JWT standard and reducing the risk of implementation errors.

[gemini-code-assist]

This helper function has the side effect of terminating the application with os.Exit(1). This makes the function difficult to test and reuse. It's better practice for helper functions to return an error to the caller. The Run function of the Cobra command can then decide how to handle the error, such as printing a message and exiting. This separates logic from application flow control.

func getLocalDatabase() (*local.Database, error) {
	db, err := local.LoadDatabase()
	if err != nil {
		return nil, fmt.Errorf("loading local database: %w", err)
	}
	return db, nil
}

[gemini-code-assist]

Similar to getLocalDatabase, this function's use of os.Exit(1) makes it untestable and tightly coupled to the command's execution context. By returning an error, you can write unit tests to verify the Docker checks and allow the calling command to handle the failure more gracefully. This improves modularity and maintainability.

[gemini-code-assist]

The call to db.GetProject(projectID) is redundant because the db object, which is a pointer, is already updated within local.SetupProject. To make the code more efficient and cleaner, you could modify local.SetupProject to return the newly created *Project instance along with the secrets.

In internal/local/supabase.go, you could change the signature of SetupProject:

// from
func SetupProject(projectID, directory string, db *Database) (*Secrets, error)
// to
func SetupProject(projectID, directory string, db *Database) (*Project, *Secrets, error)

And then return project, secrets, nil on success.

With that change, you can refactor this block to:

Suggested change

	secrets, err := local.SetupProject(projectID, directory, db)
	if err != nil {
	fmt.Fprintf(os.Stderr, "Error: %v\n", err)
	os.Exit(1)
	}
	// Get the project details for port information
	project, err := db.GetProject(projectID)
	if err != nil {
	fmt.Fprintf(os.Stderr, "Error: %v\n", err)
	os.Exit(1)
	}
	project, secrets, err := local.SetupProject(projectID, directory, db)
	if err != nil {
	fmt.Fprintf(os.Stderr, "Error: %v\n", err)
	os.Exit(1)
	}

[gemini-code-assist]

The command hostname -I is not portable and will fail on non-Linux systems like macOS and Windows. While the fallback to localhost is good, you can achieve a more reliable and portable result by using Go's native net package to find a non-loopback IP address. This avoids shelling out to an external command and improves cross-platform compatibility.

Suggested change

	if output, err := exec.Command("hostname", "-I").Output(); err == nil {
	if len(output) > 0 {
	// Take first IP
	for i, b := range output {
	if b == ' ' || b == '\n' {
	hostIP = string(output[:i])
	break
	}
	}
	}
	}
	addrs, err := net.InterfaceAddrs()
	if err == nil {
	for _, address := range addrs {
	if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
	if ipnet.IP.To4() != nil {
	hostIP = ipnet.IP.String()
	break
	}
	}
	}
	}

[gemini-code-assist]

The use of the modulo operator (%) on a random byte to select a character from the charset introduces a slight bias. Since the size of the charset (62) does not evenly divide the number of possible byte values (256), some characters will be slightly more likely to be chosen than others.

While the security impact is minor for this use case, for cryptographic best practices, it's better to use a method that produces a uniform distribution. A simpler, yet still cryptographically secure approach, is to generate a sufficient number of random bytes and then Base64 encode them.

func GeneratePassword(length int) (string, error) {
	// For a 40-char password, 30 random bytes base64-encoded is ~40 chars.
	// For a 32-char key, 24 random bytes is sufficient.
	numBytes := (length * 3) / 4
	b := make([]byte, numBytes)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("failed to generate random bytes: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}