Automic Vault Fork Notes

This repository is the Automic Vault fork of Supabase CLI.

Automic Vault is a macOS-first secret and execution control system that keeps sensitive credentials behind explicit human approval in the Automic Vault GUI app instead of exposing them directly to terminal tools.

This fork currently adds the following behavior on top of upstream supabase/cli:

• An isotope:supabase package recipe that builds and signs both the Bun/TypeScript supabase launcher and the Go supabase-go helper.
• Direct macOS Keychain access from the signed supabase-go binary instead of github.com/zalando/go-keyring shelling out to /usr/bin/security, so Keychain trust is attached to the Supabase executable.
• A macOS-only automicvault Go build tag for the secure credential backend, while default upstream builds continue to use go-keyring.
• A hazard detector for insecure Supabase CLI installs, including the plaintext fallback token at ~/.supabase/access-token and Keychain ACLs that allow /usr/bin/security to read Supabase secrets.
• A hidden supabase-go av-migrate command used by the Automic Vault isotope migration hook to rewrite insecure Keychain items and move fallback access tokens into the signed Supabase credential backend.
• Test seams that keep the credential tests deterministic without touching the user's real Keychain.

The remainder of this README is the original upstream Supabase CLI README.

---

Develop locally and deploy to the Supabase Platform from your terminal.

Supabase CLI brings the Supabase Platform to your terminal. Run the full local stack, manage database migrations, deploy Edge Functions, generate types, and automate project workflows.

Installation

# YOLO
curl -fsSL https://raw.githubusercontent.com/supabase/cli/main/install | bash

# npm
npm install -D supabase                   # or bun/pnpm/yarn add -D supabase
npm install -D supabase@beta              # beta channel

# macOS and Linux
brew install supabase/tap/supabase        # always up to date
brew install supabase                     # official formula, may be delayed
brew install supabase/tap/supabase-beta   # beta channel

# Windows
scoop bucket add supabase https://github.com/supabase/scoop-bucket.git
scoop install supabase
scoop install supabase-beta               # beta channel

# Linux packages
# Download .apk, .deb, .rpm, or .pkg.tar.zst from GitHub Releases.

Linux packages are available from Releases. Community-maintained packages are also available through pkgx and Nixpkgs.

Start Local Development

Create a Supabase workspace and start the local stack:

supabase init
supabase start
supabase status

The local stack includes Postgres, Auth, Realtime, Storage, Edge Functions, and the Supabase APIs.

Start from a template:

supabase bootstrap

Link A Project

Connect your local workspace to a hosted Supabase project:

supabase login
supabase link

Manage Your Database

Create migrations, compare schemas, and apply changes locally or to your linked project:

supabase migration new create_profiles
supabase db diff
supabase db push
supabase db reset

Deploy Edge Functions

Build, serve, and deploy functions from the same project workspace:

supabase functions new hello-world
supabase functions serve
supabase functions deploy hello-world

Generate Types

Generate TypeScript types from your local database or linked project:

supabase gen types --local
supabase gen types --linked

Reference

Use --help on any command to explore flags and examples:

supabase db --help
supabase functions deploy --help

• CLI reference
• Local development guide
• Supabase docs

Developing

This repository is a pnpm monorepo. The published package lives in apps/cli.

pnpm install
cd apps/cli

pnpm dev:next -- --help
pnpm check:all
pnpm test:core

Useful source entry points:

Path	Purpose
apps/cli	TypeScript/Bun CLI package
apps/cli-go	Go CLI source used by the legacy shell
packages/stack	Local Supabase stack runtime
packages/config	Config schema and generated types
packages/api	Typed Supabase Management API client

After a fresh clone, install the reference repositories used for agent and developer inspection:

pnpm repos:install

Contributing

We love focused pull requests with a clear problem, a small surface area, and tests that match the user-facing behavior. Before opening a PR, run the checks for the workspace you touched.

pnpm check:all
pnpm test

PR titles must use conventional commits, for example:

fix(cli): handle linked projects without cached service versions

License

Supabase CLI packages are released under the MIT license.