feat: add auth verification for control plane and workers

[jumski]

Add authentication verification for Control Plane and Workers

This PR adds a comprehensive authentication plan for pgflow's Control Plane and Worker functions, ensuring sensitive operations are properly protected. Key changes include:

• Added PLAN_auth-verification.md detailing the authentication requirements and implementation approach
• Added PLAN_workers-start-command.md for a future CLI command to start workers with proper authentication
• Updated CLI to use --secret-key instead of --publishable-key for the compile command
• Modified tests to reflect the authentication changes
• Updated documentation to clarify authentication requirements

The authentication model requires a Supabase service_role/secret key to protect sensitive operations like flow enumeration, compilation, and worker execution. This aligns with Supabase's recommended practices for server-side operations.

For local development, the default anon key is used, while production deployments will require setting up a proper secret key as an Edge Function environment variable.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 15c01c6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes changesets to release 6 packages

Name	Type
pgflow	Minor
@pgflow/edge-worker	Minor
@pgflow/client	Minor
@pgflow/core	Minor
@pgflow/dsl	Minor
@pgflow/example-flows	Minor

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[jumski]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• chore: remove Deno dependency and update flow compilation docs #448
• feat: add auth verification for control plane and workers #444 👈 (View in Graphite)
• feat: add example worker and improve flow scaffolding #443
• refactor: standardize naming to camelCase for flow slugs and kebab-case for files #442
• add flows/ directory structure with namespace imports for ControlPlane.serve() #441
• refactor: simplify CLI install command with cleaner logs and single confirmation #440
• simplify CLI install command output formatting and show full paths #439
• fix: improve error handling for missing ControlPlane edge function #438
• refactor: consolidate flow registration in index.ts and remove flows.ts #437
• chore: remove outdated documentation files and add compile command tests #436
• docs: Add comprehensive guide for auto-compilation flow development and deployment strategies #253
• main

---

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge:queue - adds this PR to the back of the merge queue
• hotfix:queue - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 15c01c6

Command	Status	Duration	Result
nx affected -t verify-exports --base=origin/mai...	✅ Succeeded	3s	View ↗
nx affected -t build --configuration=production...	✅ Succeeded	31s	View ↗
nx affected -t lint typecheck test --parallel -...	✅ Succeeded	3m 48s	View ↗
nx run edge-worker:e2e	✅ Succeeded	2m 31s	View ↗
nx run cli:e2e	✅ Succeeded	4s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-11-28 22:23:26 UTC

[graphite-app]

Critical bug: No default value provided for --secret-key option. The old code had DEFAULT_PUBLISHABLE_KEY as default, which was removed. When users run pgflow compile without the --secret-key flag, options.secretKey will be undefined, causing fetchFlowSQL() to send Authorization: Bearer undefined and apikey: undefined headers, breaking local development.

Fix:

const DEFAULT_ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0';

.addOption(
  new Option('--secret-key [key]', 'Supabase anon/service_role key')
    .default(DEFAULT_ANON_KEY)
    .hideHelp()
)

Suggested change

	.addOption(
	new Option('--secret-key [key]', 'Supabase anon/service_role key')
	.hideHelp()
	)
	.addOption(
	new Option('--secret-key [key]', 'Supabase anon/service_role key')
	.default('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0')
	.hideHelp()
	)

Spotted by Graphite Agent



Is this helpful? React 👍 or 👎 to let us know.

[github-actions]

🔍 Preview Deployment: Website

✅ Deployment successful!

🔗 Preview URL: https://pr-444.pgflow.pages.dev

📝 Details:

• Branch: 11-28-recommend_no-verify-jwt_for_now
• Commit: 43ef900ed13c6323a112b077cac7b642024aeb44
• View Logs

_Last updated: _

[graphite-app]

Merge activity

• Nov 28, 11:45 PM UTC: jumski added this pull request to the Graphite merge queue.
• Nov 28, 11:45 PM UTC: CI is running for this pull request on a draft pull request (#449) due to your merge queue CI optimization settings.
• Nov 28, 11:53 PM UTC: Merged by the Graphite merge queue via draft PR: #449.