dnywh
diff --git a/‎README.md‎
Lines changed: 4 additions & 1 deletion b/‎README.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎docs/supabase-local-first.md‎
Lines changed: 9 additions & 3 deletions b/‎docs/supabase-local-first.md‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎next.config.js‎
Lines changed: 6 additions & 0 deletions b/‎next.config.js‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 0 deletions b/‎package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/utils/listingUtils.js‎
Lines changed: 3 additions & 1 deletion b/‎src/utils/listingUtils.js‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎supabase/config.toml‎
Lines changed: 3 additions & 0 deletions b/‎supabase/config.toml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎supabase/migrations/20251026060000_baseline_schema.sql‎
Lines changed: 0 additions & 35 deletions b/‎supabase/migrations/20251026060000_baseline_schema.sql‎
Lines changed: 0 additions & 35 deletions
diff --git a/‎supabase/migrations/20260408103800_backfill_storage_object_policies.sql‎
Lines changed: 202 additions & 0 deletions b/‎supabase/migrations/20260408103800_backfill_storage_object_policies.sql‎
Lines changed: 202 additions & 0 deletions
@@ -145,7 +145,10 @@ Use local Studio, `psql`, or the hosted Supabase dashboard for browsing rows and
 
 - Bucket configuration lives in `supabase/config.toml`
 - Local reset data lives in `supabase/seed.sql`
-- Local placeholder static assets live in `supabase/storage/static/`
+- Local bucket objects live in `supabase/storage/`
+- Local bucket policies are backfilled via SQL migrations so local uploads behave like the hosted project
+- `npm run supabase:reset` rebuilds the database and re-uploads seeded local media
+- `npm run supabase:seed-buckets` re-uploads local bucket media without resetting the database
 
 Keep all local and preview data sanitized. Do not export or commit production data.
 
 
@@ -34,6 +34,7 @@ What this does:
 - A PR branch that changes `supabase/**` gets its own Supabase preview branch.
 - That preview branch runs migrations and bucket config from Git.
 - Seed data comes from `supabase/seed.sql`, not from production data.
+- Local bucket objects come from `supabase/storage/`, not from production storage.
 
 ### 2. Require the Supabase PR Check in GitHub
 
@@ -78,6 +79,7 @@ npm install
 cp .env.example .env.local
 npm run supabase:start
 npm run supabase:reset
+npm run supabase:seed-buckets
 npm run supabase:env
 ```
 
@@ -117,10 +119,13 @@ The seed also creates:
 - 3 public listings
 - 1 chat thread
 - 2 chat messages
+- seeded profile avatars and listing photos in local Supabase Storage
 - a sample static bucket object at `static/promo-kit.zip`
 
 The demo data is synthetic and safe to keep in Git.
 
+When `NEXT_PUBLIC_SUPABASE_URL` points at `http://127.0.0.1:54331`, avatar and listing-photo uploads also go to the local Supabase buckets rather than production.
+
 ## Fresh Computer Setup
 
 Use this when setting up Peels on a new machine.
@@ -158,9 +163,10 @@ npm run dev
 2. Make schema changes locally.
 3. Add or edit SQL migrations under `supabase/migrations/`.
 4. Rebuild from scratch with `npm run supabase:reset`.
-5. Run `npm run dev`.
-6. Test the flow locally.
-7. Commit app and migration changes together.
+5. Re-upload only local bucket media with `npm run supabase:seed-buckets` when you do not need a full DB reset.
+6. Run `npm run dev`.
+7. Test the flow locally.
+8. Commit app and migration changes together.
 
 Use local Studio, `psql`, or the hosted dashboard for browsing rows. Use the CLI for schema lifecycle.
 
 
@@ -57,6 +57,11 @@ const uniqueStorageRemotePatterns = storageRemotePatterns.filter(
     )
 );
 
+const shouldAllowLocalStorageImages =
+  process.env.NEXT_PUBLIC_SUPABASE_URL?.includes("127.0.0.1") ||
+  process.env.NEXT_PUBLIC_SUPABASE_URL?.includes("localhost") ||
+  false;
+
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   // Configure `pageExtensions` to include markdown and MDX files
@@ -69,6 +74,7 @@ const nextConfig = {
     // https://nextjs.org/docs/app/api-reference/components/image#caching-behavior
     // Can be safetly increased as all user-generated imagery use uniques slugs
     minimumCacheTTL: 2678400, // 31 days (default value is `60`, i.e. one minute)
+    dangerouslyAllowLocalIP: shouldAllowLocalStorageImages,
     // Define where remote images can be pulled from
     remotePatterns: uniqueStorageRemotePatterns,
   },
 
@@ -10,6 +10,7 @@
     "supabase:status": "supabase status",
     "supabase:env": "supabase status -o env",
     "supabase:reset": "supabase db reset",
+    "supabase:seed-buckets": "supabase seed buckets --yes",
     "supabase:diff": "supabase db diff",
     "format": "prettier --write .",
     "format:check": "prettier --check ."
 
@@ -27,9 +27,11 @@ export function getListingAvatar(listing, user) {
 
   // For demo listings, return path to public demo folder
   if (listing?.is_demo) {
+    const demoAvatarFilename = listing?.avatar?.split("/").pop();
+
     return {
       isDemo: true, // New flag to indicate demo image
-      path: `/avatars/demo/${listing?.avatar}`,
+      path: `/avatars/demo/${demoAvatarFilename}`,
       alt: `${listing?.name}’s avatar`,
     };
   }
 
@@ -91,16 +91,19 @@ file_size_limit = "50MiB"
 public = true
 file_size_limit = "10MiB"
 allowed_mime_types = ["image/png", "image/jpeg", "image/webp"]
+objects_path = "./storage/avatars"
 
 [storage.buckets.listing_avatars]
 public = true
 file_size_limit = "10MiB"
 allowed_mime_types = ["image/png", "image/jpeg", "image/webp"]
+objects_path = "./storage/listing_avatars"
 
 [storage.buckets.listing_photos]
 public = true
 file_size_limit = "50MiB"
 allowed_mime_types = ["image/png", "image/jpeg", "image/webp"]
+objects_path = "./storage/listing_photos"
 
 [storage.buckets.static]
 public = true
 
@@ -147,34 +147,6 @@ $$;
 ALTER FUNCTION "public"."count_verified_users_with_listings"() OWNER TO "postgres";
 
 
-CREATE OR REPLACE FUNCTION "public"."delete_storage_object"("bucket" "text", "object" "text") RETURNS "record"
-    LANGUAGE "plpgsql" SECURITY DEFINER
-    AS $$
-DECLARE
-  -- Local bootstrap should call the local Supabase gateway, not production.
-  project_url text := 'http://kong:8000';
-  service_role_key text := 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU';
-  url text := project_url || '/storage/v1/object/' || bucket || '/' || object;
-  response record;  -- Use a record to capture the response
-BEGIN
-  SELECT
-      result.status::int, result.content::text
-  INTO response
-  FROM extensions.http((
-    'DELETE',
-    url,
-    ARRAY[extensions.http_header('authorization', 'Bearer ' || service_role_key)],
-    NULL,
-    NULL)::extensions.http_request) AS result;
-
-  RETURN (response.status, response.content);  -- Return the status and content as a record
-END;
-$$;
-
-
-ALTER FUNCTION "public"."delete_storage_object"("bucket" "text", "object" "text") OWNER TO "postgres";
-
-
 CREATE OR REPLACE FUNCTION "public"."generate_unique_slug"() RETURNS "text"
     LANGUAGE "plpgsql"
     AS $$
@@ -811,12 +783,6 @@ GRANT ALL ON FUNCTION "public"."count_verified_users_with_listings"() TO "servic
 
 
 
-GRANT ALL ON FUNCTION "public"."delete_storage_object"("bucket" "text", "object" "text") TO "anon";
-GRANT ALL ON FUNCTION "public"."delete_storage_object"("bucket" "text", "object" "text") TO "authenticated";
-GRANT ALL ON FUNCTION "public"."delete_storage_object"("bucket" "text", "object" "text") TO "service_role";
-
-
-
 GRANT ALL ON FUNCTION "public"."generate_unique_slug"() TO "anon";
 GRANT ALL ON FUNCTION "public"."generate_unique_slug"() TO "authenticated";
 GRANT ALL ON FUNCTION "public"."generate_unique_slug"() TO "service_role";
@@ -944,4 +910,3 @@ ALTER DEFAULT PRIVILEGES FOR ROLE "postgres" IN SCHEMA "public" GRANT SELECT,INS
 ALTER DEFAULT PRIVILEGES FOR ROLE "postgres" IN SCHEMA "public" GRANT SELECT,INSERT,REFERENCES,DELETE,TRIGGER,TRUNCATE,UPDATE ON TABLES TO "authenticated";
 ALTER DEFAULT PRIVILEGES FOR ROLE "postgres" IN SCHEMA "public" GRANT SELECT,INSERT,REFERENCES,DELETE,TRIGGER,TRUNCATE,UPDATE ON TABLES TO "service_role";
 
-
@@ -0,0 +1,202 @@
+begin;
+
+-- Backfill Storage RLS policies that already exist in the hosted project but
+-- were not captured in the initial public-schema baseline pull.
+
+do $$
+begin
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Allow authenticated changes 1oj01fe_0'
+  ) then
+    execute $policy$
+      create policy "Allow authenticated changes 1oj01fe_0"
+      on storage.objects
+      for update
+      to authenticated
+      using ((bucket_id = 'avatars') and (auth.role() = 'authenticated'))
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Allow authenticated changes 1oj01fe_1'
+  ) then
+    execute $policy$
+      create policy "Allow authenticated changes 1oj01fe_1"
+      on storage.objects
+      for insert
+      to authenticated
+      with check ((bucket_id = 'avatars') and (auth.role() = 'authenticated'))
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Allow authenticated deletes 1oj01fe_0'
+  ) then
+    execute $policy$
+      create policy "Allow authenticated deletes 1oj01fe_0"
+      on storage.objects
+      for delete
+      to authenticated
+      using ((bucket_id = 'avatars') and (auth.role() = 'authenticated'))
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Allow authenticated list 1oj01fe_0'
+  ) then
+    execute $policy$
+      create policy "Allow authenticated list 1oj01fe_0"
+      on storage.objects
+      for select
+      to authenticated
+      using (bucket_id = 'avatars')
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Anyone can view listing avatars'
+  ) then
+    execute $policy$
+      create policy "Anyone can view listing avatars"
+      on storage.objects
+      for select
+      using (bucket_id = 'listing_avatars')
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Anyone can view listing photos'
+  ) then
+    execute $policy$
+      create policy "Anyone can view listing photos"
+      on storage.objects
+      for select
+      using (bucket_id = 'listing_photos')
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Users can delete their own listing avatars'
+  ) then
+    execute $policy$
+      create policy "Users can delete their own listing avatars"
+      on storage.objects
+      for delete
+      to authenticated
+      using (bucket_id = 'listing_avatars')
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Users can delete their own listing photos'
+  ) then
+    execute $policy$
+      create policy "Users can delete their own listing photos"
+      on storage.objects
+      for delete
+      to authenticated
+      using (bucket_id = 'listing_photos')
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Users can update their own listing avatars'
+  ) then
+    execute $policy$
+      create policy "Users can update their own listing avatars"
+      on storage.objects
+      for update
+      to authenticated
+      using (bucket_id = 'listing_avatars')
+      with check (auth.role() = 'authenticated')
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Users can update their own listing photos'
+  ) then
+    execute $policy$
+      create policy "Users can update their own listing photos"
+      on storage.objects
+      for update
+      to authenticated
+      using (bucket_id = 'listing_photos')
+      with check (auth.role() = 'authenticated')
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Users can upload their own listing avatars'
+  ) then
+    execute $policy$
+      create policy "Users can upload their own listing avatars"
+      on storage.objects
+      for insert
+      to authenticated
+      with check ((bucket_id = 'listing_avatars') and (auth.role() = 'authenticated'))
+    $policy$;
+  end if;
+
+  if not exists (
+    select 1
+    from pg_policies
+    where schemaname = 'storage'
+      and tablename = 'objects'
+      and policyname = 'Users can upload their own listing photos'
+  ) then
+    execute $policy$
+      create policy "Users can upload their own listing photos"
+      on storage.objects
+      for insert
+      to authenticated
+      with check ((bucket_id = 'listing_photos') and (auth.role() = 'authenticated'))
+    $policy$;
+  end if;
+end
+$$;
+
+commit;