fix(cli): read linked DB password from project .env files

resolveLinked read SUPABASE_DB_PASSWORD only from process.env, but Go's
loadNestedEnv populates the environment from supabase/.env* (and root .env*)
before viper.GetString("DB_PASSWORD"), so a password defined only in a project
.env was invisible and the linked path tried to mint a temp login role
(requiring Management API auth) instead. Resolve the password from the shell env
or the loaded project .env (legacyLoadProjectEnv, exported), with the shell
value still winning via its no-override map.

Author: Coly010

apps/cli/src/legacy/shared/legacy-db-config.layer.ts

@@ -28,7 +28,7 @@ import {
   redactLegacyConnectionString,
 } from "./legacy-db-config.parse.ts";
 import { LegacyDbConfigResolver, type LegacyDbConfigError } from "./legacy-db-config.service.ts";
-import { legacyReadDbToml } from "./legacy-db-config.toml-read.ts";
+import { legacyLoadProjectEnv, legacyReadDbToml } from "./legacy-db-config.toml-read.ts";
 import type { LegacyDbConfigFlags } from "./legacy-db-config.types.ts";
 import { LegacyDebugLogger } from "./legacy-debug-logger.service.ts";
 import { legacyGetHostname } from "./legacy-hostname.ts";
@@ -276,8 +276,13 @@ export const legacyDbConfigLayer = Layer.effect(
     ): Effect.Effect<LegacyPgConnInput, LegacyDbConfigError, LegacyPlatformApi> =>
       Effect.gen(function* () {
         // Read lazily (per invocation) rather than at layer build, so tests and
-        // env-substitution see the current value. Go: viper `DB_PASSWORD`.
-        const dbPassword = process.env["SUPABASE_DB_PASSWORD"] ?? "";
+        // env-substitution see the current value. Go reads viper `DB_PASSWORD`
+        // after `loadNestedEnv` has populated the environment from the project
+        // `.env*` files, so honor those too — `legacyLoadProjectEnv`'s map already
+        // excludes keys present in the shell env, so the shell value still wins.
+        const projectEnv = yield* legacyLoadProjectEnv(fs, path, cliConfig.workdir);
+        const dbPassword =
+          process.env["SUPABASE_DB_PASSWORD"] ?? projectEnv["SUPABASE_DB_PASSWORD"] ?? "";
         const host = `db.${ref}.${cliConfig.projectHost}`;
         const base: LegacyPgConnInput = {
           host,

apps/cli/src/legacy/shared/legacy-db-config.toml-read.ts

@@ -114,7 +114,7 @@ const DEFAULT_SUPABASE_ENV = "development";
  * every other error. The path is named without leaking file contents
  * (CWE-209-safe).
  */
-const loadProjectEnv = Effect.fnUntraced(function* (
+export const legacyLoadProjectEnv = Effect.fnUntraced(function* (
   fs: FileSystem.FileSystem,
   path: Path.Path,
   workdir: string,
@@ -225,7 +225,7 @@ export const legacyReadDbToml = Effect.fnUntraced(function* (
 
   // Resolve `env(VAR)` against the shell env first, then the project `.env` files
   // (Go's `loadNestedEnv` populates the process env before `LoadEnvHook`).
-  const projectEnv = yield* loadProjectEnv(fs, path, workdir);
+  const projectEnv = yield* legacyLoadProjectEnv(fs, path, workdir);
   const lookup: EnvLookup = (name) => process.env[name] ?? projectEnv[name];
 
   // Go's loader enables viper `SetEnvPrefix("SUPABASE")` + `EnvKeyReplacer(".",

apps/cli/src/legacy/shared/legacy-db-config.toml-read.unit.test.ts

@@ -5,7 +5,7 @@ import { BunServices } from "@effect/platform-bun";
 import { describe, expect, it } from "@effect/vitest";
 import { Effect, Exit, FileSystem, Option, Path } from "effect";
 
-import { legacyReadDbToml } from "./legacy-db-config.toml-read.ts";
+import { legacyLoadProjectEnv, legacyReadDbToml } from "./legacy-db-config.toml-read.ts";
 
 function withConfig(content: string | undefined, poolerUrl?: string) {
   const dir = mkdtempSync(join(tmpdir(), "legacy-db-toml-"));
@@ -27,6 +27,13 @@ const read = (workdir: string) =>
     return yield* legacyReadDbToml(fs, path, workdir);
   }).pipe(Effect.provide(BunServices.layer));
 
+const loadEnv = (workdir: string) =>
+  Effect.gen(function* () {
+    const fs = yield* FileSystem.FileSystem;
+    const path = yield* Path.Path;
+    return yield* legacyLoadProjectEnv(fs, path, workdir);
+  }).pipe(Effect.provide(BunServices.layer));
+
 describe("legacyReadDbToml", () => {
   it.effect("returns defaults when config.toml is absent", () => {
     const dir = withConfig(undefined);
@@ -334,6 +341,26 @@ describe("legacyReadDbToml", () => {
     );
   });
 
+  it.effect(
+    "legacyLoadProjectEnv surfaces SUPABASE_DB_PASSWORD from .env (linked-path source)",
+    () => {
+      // The --linked resolver reads SUPABASE_DB_PASSWORD via this map, so a value
+      // defined only in supabase/.env must be visible (Go's loadNestedEnv parity).
+      delete process.env["SUPABASE_DB_PASSWORD"];
+      const dir = mkdtempSync(join(tmpdir(), "legacy-db-toml-"));
+      mkdirSync(join(dir, "supabase"), { recursive: true });
+      writeFileSync(join(dir, "supabase", ".env"), "SUPABASE_DB_PASSWORD=from-dotenv\n");
+      return loadEnv(dir).pipe(
+        Effect.tap((env) =>
+          Effect.sync(() => {
+            expect(env["SUPABASE_DB_PASSWORD"]).toBe("from-dotenv");
+            rmSync(dir, { recursive: true, force: true });
+          }),
+        ),
+      );
+    },
+  );
+
   it.effect("ignores a [db.pooler] connection_string in config.toml (Go reads .temp only)", () => {
     // The Go config field is tagged `toml:"-"`, so a connection_string in config.toml
     // is never honored; only supabase/.temp/pooler-url counts.