fix(cli): fail on unreadable project .env files in test db config

loadProjectEnv swallowed every .env read error as None, but Go's loadEnvIfExists
ignores only os.ErrNotExist and returns other I/O errors, aborting before env()
expansion. An unreadable .env (e.g. permissions) could make test db --local
reject a valid env-backed port or use the wrong password while hiding the real
error. Distinguish NotFound (skip) from other read errors (fail with
LegacyDbConfigLoadError), matching the config.toml read path.

Author: Coly010

apps/cli/src/legacy/shared/legacy-db-config.toml-read.ts

@@ -109,8 +109,10 @@ const DEFAULT_SUPABASE_ENV = "development";
  * `.env.<env>`, then `.env` via `godotenv.Load`, which never overrides a value
  * already set. So the shell environment wins over the files, the `supabase/`
  * directory wins over the repo root, and earlier filenames win within a
- * directory. A malformed `.env` aborts (Go returns the parse error); the path is
- * named without leaking file contents (CWE-209-safe).
+ * directory. A malformed `.env` — or one that exists but cannot be read —
+ * aborts: Go's `loadEnvIfExists` swallows only `os.ErrNotExist` and returns
+ * every other error. The path is named without leaking file contents
+ * (CWE-209-safe).
  */
 const loadProjectEnv = Effect.fnUntraced(function* (
   fs: FileSystem.FileSystem,
@@ -126,9 +128,21 @@ const loadProjectEnv = Effect.fnUntraced(function* (
   const loaded: Record<string, string> = {};
   for (const dir of dirs) {
     for (const name of filenames) {
-      const content = yield* fs
-        .readFileString(path.join(dir, name))
-        .pipe(Effect.map(Option.some<string>), Effect.orElseSucceed(Option.none<string>));
+      // Go's loadEnvIfExists ignores only os.ErrNotExist; any other read error
+      // aborts rather than silently skipping the file (which would hide a broken
+      // env-backed config). Effect surfaces "not found" as a NotFound PlatformError.
+      const content = yield* fs.readFileString(path.join(dir, name)).pipe(
+        Effect.map(Option.some<string>),
+        Effect.catchTag("PlatformError", (error) =>
+          error.reason._tag === "NotFound"
+            ? Effect.succeed(Option.none<string>())
+            : Effect.fail(
+                new LegacyDbConfigLoadError({
+                  message: `failed to read environment file: ${name}`,
+                }),
+              ),
+        ),
+      );
       if (Option.isNone(content)) continue;
       let parsed: Record<string, string>;
       try {

apps/cli/src/legacy/shared/legacy-db-config.toml-read.unit.test.ts

@@ -266,6 +266,26 @@ describe("legacyReadDbToml", () => {
     );
   });
 
+  it.effect("fails when a project .env file exists but cannot be read", () => {
+    // Go's loadEnvIfExists swallows only os.ErrNotExist; any other read error
+    // aborts rather than hiding a broken env-backed config. A directory at the
+    // .env path yields a non-NotFound read error.
+    const dir = withConfig(["[db]", "port = 5000", ""].join("\n"));
+    mkdirSync(join(dir, "supabase", ".env"), { recursive: true });
+    return read(dir).pipe(
+      Effect.exit,
+      Effect.tap((exit) =>
+        Effect.sync(() => {
+          expect(Exit.isFailure(exit)).toBe(true);
+          if (Exit.isFailure(exit)) {
+            expect(JSON.stringify(exit.cause)).toContain("failed to read environment file");
+          }
+          rmSync(dir, { recursive: true, force: true });
+        }),
+      ),
+    );
+  });
+
   it.effect("ignores a [db.pooler] connection_string in config.toml (Go reads .temp only)", () => {
     // The Go config field is tagged `toml:"-"`, so a connection_string in config.toml
     // is never honored; only supabase/.temp/pooler-url counts.