release(packages/nhost-js): 4.2.0

Co-authored-by: dbarrosop <dbarrosop@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,6 +7,8 @@ assignees: ''
 
 ---
 
+> **Note:** Bug reports that are clearly AI-generated will not be accepted and will be closed immediately. Please write your bug report in your own words.
+
 **Describe the bug**
 A clear and concise description of what the bug is.
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -7,6 +7,8 @@ assignees: ''
 
 ---
 
+> **Note:** Feature requests that are clearly AI-generated will not be accepted and will be closed immediately. Please write your feature request in your own words.
+
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -8,6 +8,8 @@
 
 --- Delete everything below this line before submitting your PR ---
 
+> **Note on AI-assisted contributions:** Contributions with the help of AI are permitted, but you are ultimately responsible for the quality of your submission and for ensuring it follows our contributing guidelines. **The PR description must be written in your own words and be clear and concise**. Please ensure you remove any superfluous code comments introduced by AI tools before submitting. PRs that clearly violate this rule will be closed without further review.
+
 ### PR title format
 
 The PR title must follow the following pattern:
@@ -22,6 +24,7 @@ Where `TYPE` is:
 
 Where `PKG` is:
 
+- `auth`: For changes to the Nhost Auth service
 - `ci`: For general changes to the build and/or CI/CD pipeline
 - `cli`: For changes to the Nhost CLI
 - `codegen`: For changes to the code generator
@@ -29,10 +32,11 @@ Where `PKG` is:
 - `deps`: For changes to dependencies
 - `docs`: For changes to the documentation
 - `examples`: For changes to the examples
+- `internal/lib`: For changes to Nhost's common libraries (internal)
 - `mintlify-openapi`: For changes to the Mintlify OpenAPI tool
 - `nhost-js`: For changes to the Nhost JavaScript SDK
 - `nixops`: For changes to the NixOps
-- `storage`: For changes to the Nhost Storage
+- `storage`: For changes to the Nhost Storage service
 
 Where `SUMMARY` is a short description of what the PR does.
 

.github/actions/validate-pr-title/action.yaml

@@ -17,7 +17,7 @@ runs:
 
         # Define valid types and packages
         VALID_TYPES="feat|fix|chore"
-        VALID_PKGS="ci|cli|codegen|dashboard|deps|docs|examples|mintlify-openapi|nhost-js|nixops|storage"
+        VALID_PKGS="auth|ci|cli|codegen|dashboard|deps|docs|examples|internal\/lib|mintlify-openapi|nhost-js|nixops|storage"
 
         # Check if title matches the pattern TYPE(PKG): SUMMARY
         if [[ ! "$PR_TITLE" =~ ^(${VALID_TYPES})\((${VALID_PKGS})\):\ .+ ]]; then
@@ -31,11 +31,11 @@ runs:
           echo "  - chore:  mark this pull request as a maintenance item"
           echo ""
           echo "Valid PKGs:"
-          echo "  - ci, cli, codegen, dashboard, deps, docs, examples,"
+          echo "  - auth, ci, cli, codegen, dashboard, deps, docs, examples,"
           echo "  - mintlify-openapi, nhost-js, nixops, storage"
           echo ""
           echo "Example: feat(cli): add new command for database migrations"
           exit 1
         fi
 
-        echo "✅ PR title is valid!"
+        echo "✅ PR title is valid!"

.github/workflows/auth_checks.yaml

@@ -0,0 +1,84 @@
+---
+name: "auth: check and build"
+on:
+  pull_request_target:
+    paths:
+      - '.github/workflows/auth_checks.yaml'
+      - '.github/workflows/wf_check.yaml'
+      - '.github/workflows/wf_build_artifacts.yaml'
+
+      # common build
+      - 'flake.nix'
+      - 'flake.lock'
+      - 'nixops/**'
+      - 'build/**'
+
+      # common go
+      - '.golangci.yaml'
+      - 'go.mod'
+      - 'go.sum'
+      - 'internal/lib/**'
+      - 'vendor/**'
+
+      # auth
+      - 'services/auth/**'
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || format('push-{0}', github.sha) }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  check-permissions:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo "github.event_name: ${{ github.event_name }}"
+          echo "github.event.pull_request.author_association: ${{ github.event.pull_request.author_association }}"
+      - name: "This task will run and fail if user has no permissions and label safe_to_test isn't present"
+        if: "github.event_name == 'pull_request_target' && ! ( contains(github.event.pull_request.labels.*.name, 'safe_to_test') || contains(fromJson('[\"OWNER\", \"MEMBER\", \"COLLABORATOR\"]'), github.event.pull_request.author_association) )"
+        run: |
+          exit 1
+
+  tests:
+    uses: ./.github/workflows/wf_check.yaml
+    needs:
+      - check-permissions
+    with:
+      NAME: auth
+      PATH: services/auth
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
+
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
+      NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
+      NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
+      NHOST_PAT: ${{ secrets.NHOST_PAT }}
+
+  build_artifacts:
+    uses: ./.github/workflows/wf_build_artifacts.yaml
+    needs:
+      - check-permissions
+    with:
+      NAME: auth
+      PATH: services/auth
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
+      VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
+      DOCKER: true
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
+      NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
+      NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
+
+  remove_label:
+    runs-on: ubuntu-latest
+    needs:
+      - check-permissions
+    steps:
+      - uses: actions-ecosystem/action-remove-labels@v1
+        with:
+          labels: |
+            safe_to_test
+    if: contains(github.event.pull_request.labels.*.name, 'safe_to_test')

.github/workflows/auth_wf_release.yaml

@@ -0,0 +1,60 @@
+---
+name: "auth: release"
+on:
+  workflow_call:
+    inputs:
+      GIT_REF:
+        required: true
+        type: string
+      VERSION:
+        required: true
+        type: string
+    secrets:
+      AWS_ACCOUNT_ID:
+        required: true
+      NIX_CACHE_PUB_KEY:
+        required: true
+      NIX_CACHE_PRIV_KEY:
+        required: true
+      DOCKER_USERNAME:
+        required: true
+      DOCKER_PASSWORD:
+        required: true
+
+jobs:
+  build_artifacts:
+    uses: ./.github/workflows/wf_build_artifacts.yaml
+    with:
+      NAME: auth
+      PATH: services/auth
+      GIT_REF: ${{ inputs.GIT_REF }}
+      VERSION: ${{ inputs.VERSION }}
+      DOCKER: true
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+      NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
+      NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
+
+  push-docker-hub:
+    uses: ./.github/workflows/wf_docker_push_image.yaml
+    needs:
+      - build_artifacts
+    with:
+      NAME: auth
+      PATH: services/auth
+      VERSION: ${{ inputs.VERSION }}
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+
+  push-docker-ecr:
+    uses: ./.github/workflows/wf_docker_push_image_ecr.yaml
+    needs:
+      - build_artifacts
+    with:
+      NAME: auth
+      PATH: services/auth
+      VERSION: ${{ inputs.VERSION }}
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+      CONTAINER_REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.eu-central-1.amazonaws.com

.github/workflows/ci_release.yaml

@@ -33,6 +33,20 @@ jobs:
         echo "version=$VERSION" >> $GITHUB_OUTPUT
         echo "Extracted project: $PROJECT, version: $VERSION"
 
+  auth:
+    needs: extract-project
+    if: needs.extract-project.outputs.project == 'auth'
+    uses: ./.github/workflows/auth_wf_release.yaml
+    with:
+      GIT_REF: ${{ github.sha }}
+      VERSION: ${{ needs.extract-project.outputs.version }}
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
+      NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
+      NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+
   cli:
     needs: extract-project
     if: needs.extract-project.outputs.project == 'cli'

.github/workflows/ci_update_changelog.yaml

@@ -13,7 +13,7 @@ jobs:
 
     strategy:
       matrix:
-        project: [cli, dashboard, packages/nhost-js, services/storage]
+        project: [cli, dashboard, packages/nhost-js, services/auth, services/storage]
 
     permissions:
       id-token: write
@@ -40,7 +40,7 @@ jobs:
         cd ${{ matrix.project }}
         TAG_NAME=$(make release-tag-name)
         VERSION=$(nix develop .\#cliff -c make changelog-next-version)
-        if git tag | grep -q "$TAG_NAME@$VERSION"; then
+        if git tag | grep -qx "$TAG_NAME@$VERSION"; then
           echo "Tag $TAG_NAME@$VERSION already exists, skipping release preparation"
         else
           echo "Tag $TAG_NAME@$VERSION does not exist, proceeding with release preparation"

.github/workflows/cli_checks.yaml

@@ -1,8 +1,7 @@
 ---
 name: "cli: check and build"
 on:
-  # pull_request_target:
-  pull_request:
+  pull_request_target:
     paths:
       - '.github/workflows/cli_checks.yaml'
       - '.github/workflows/wf_check.yaml'
@@ -50,7 +49,7 @@ jobs:
     with:
       NAME: cli
       PATH: cli
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -65,7 +64,7 @@ jobs:
     with:
       NAME: cli
       PATH: cli
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: true
     secrets:
@@ -81,7 +80,7 @@ jobs:
     with:
       NAME: cli
       PATH: cli
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}

.github/workflows/cli_wf_test_new_project.yaml

@@ -63,7 +63,7 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     - name: "Get artifacts"
-      uses: actions/download-artifact@v5
+      uses: actions/download-artifact@v6
       with:
         path: ~/artifacts
 

.github/workflows/codegen_checks.yaml

@@ -1,8 +1,7 @@
 ---
 name: "codegen: check and build"
 on:
-  # pull_request_target:
-  pull_request:
+  pull_request_target:
     paths:
       - '.github/workflows/wf_check.yaml'
       - '.github/workflows/codegen_checks.yaml'
@@ -48,7 +47,7 @@ jobs:
     with:
       NAME: codegen
       PATH: tools/codegen
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -62,7 +61,7 @@ jobs:
     with:
       NAME: codegen
       PATH: tools/codegen
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: false
     secrets:

.github/workflows/dashboard_checks.yaml

@@ -1,7 +1,7 @@
 ---
 name: "dashboard: check and build"
 on:
-  pull_request:
+  pull_request_target:
     paths:
       - '.github/workflows/wf_build_artifacts.yaml'
       - '.github/workflows/wf_check.yaml'
@@ -54,7 +54,7 @@ jobs:
       - check-permissions
     with:
       NAME: dashboard
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       ENVIRONMENT: preview
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -73,7 +73,7 @@ jobs:
     with:
       NAME: dashboard
       PATH: dashboard
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: true
       OS_MATRIX: '["blacksmith-2vcpu-ubuntu-2404"]'
@@ -91,7 +91,7 @@ jobs:
     with:
       NAME: dashboard
       PATH: dashboard
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
       NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
@@ -107,7 +107,7 @@ jobs:
     with:
       NAME: dashboard
       PATH: dashboard
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       NHOST_TEST_DASHBOARD_URL: ${{ needs.deploy-vercel.outputs.preview-url }}
       NHOST_TEST_PROJECT_NAME: ${{ vars.NHOST_TEST_PROJECT_NAME }}
       NHOST_TEST_ORGANIZATION_NAME: ${{ vars.NHOST_TEST_ORGANIZATION_NAME }}
@@ -126,8 +126,10 @@ jobs:
       NHOST_TEST_USER_EMAIL: ${{ secrets.NHOST_TEST_USER_EMAIL }}
       NHOST_TEST_USER_PASSWORD: ${{ secrets.NHOST_TEST_USER_PASSWORD }}
       NHOST_TEST_PROJECT_ADMIN_SECRET: ${{ secrets.NHOST_TEST_PROJECT_ADMIN_SECRET }}
-      NHOST_TEST_FREE_USER_EMAILS: ${{ secrets.NHOST_TEST_FREE_USER_EMAILS }}
+      NHOST_TEST_ONBOARDING_USER: ${{ secrets.NHOST_TEST_ONBOARDING_USER }}
       PLAYWRIGHT_REPORT_ENCRYPTION_KEY: ${{ secrets.PLAYWRIGHT_REPORT_ENCRYPTION_KEY }}
+      NHOST_TEST_STAGING_SUBDOMAIN: ${{ secrets.NHOST_TEST_STAGING_SUBDOMAIN }}
+      NHOST_TEST_STAGING_REGION: ${{ secrets.NHOST_TEST_STAGING_REGION }}
 
   remove_label:
     runs-on: ubuntu-latest

.github/workflows/dashboard_wf_e2e_staging.yaml

@@ -52,12 +52,16 @@ on:
         required: true
       NHOST_TEST_USER_PASSWORD:
         required: true
+      NHOST_TEST_ONBOARDING_USER:
+        required: true
       NHOST_TEST_PROJECT_ADMIN_SECRET:
         required: true
-      NHOST_TEST_FREE_USER_EMAILS:
-        required: true
       PLAYWRIGHT_REPORT_ENCRYPTION_KEY:
         required: true
+      NHOST_TEST_STAGING_SUBDOMAIN:
+        required: true
+      NHOST_TEST_STAGING_REGION:
+        required: true
 
 concurrency:
   group: dashboard-e2e-staging
@@ -77,7 +81,10 @@ env:
   NHOST_TEST_USER_EMAIL: ${{ secrets.NHOST_TEST_USER_EMAIL }}
   NHOST_TEST_USER_PASSWORD: ${{ secrets.NHOST_TEST_USER_PASSWORD }}
   NHOST_TEST_PROJECT_ADMIN_SECRET: ${{ secrets.NHOST_TEST_PROJECT_ADMIN_SECRET }}
-  NHOST_TEST_FREE_USER_EMAILS: ${{ secrets.NHOST_TEST_FREE_USER_EMAILS }}
+  NHOST_TEST_ONBOARDING_USER: ${{ secrets.NHOST_TEST_ONBOARDING_USER }}
+  NHOST_TEST_STAGING_SUBDOMAIN: ${{ secrets.NHOST_TEST_STAGING_SUBDOMAIN }}
+  NHOST_TEST_STAGING_REGION: ${{ secrets.NHOST_TEST_STAGING_REGION }}
+
 
 jobs:
   tests:
@@ -141,7 +148,7 @@ jobs:
         rm playwright-report.tar.gz
 
     - name: Upload encrypted Playwright report
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       if: failure()
       with:
         name: encrypted-playwright-report-${{ github.run_id }}

.github/workflows/dashboard_wf_release.yaml

@@ -88,6 +88,7 @@ jobs:
       - name: Bump version in source code
         run: |
           find cli -type f -exec sed -i 's/"nhost\/dashboard:[^"]*"/"nhost\/dashboard:${{ inputs.VERSION }}"/g' {} +
+          sed -i 's/nhost\/dashboard:[^)]*/nhost\/dashboard:${{ inputs.VERSION }}/g' docs/reference/cli/commands.mdx
 
       - name: "Create Pull Request"
         uses: peter-evans/create-pull-request@v7

.github/workflows/docs_checks.yaml

@@ -1,7 +1,7 @@
 ---
 name: "docs: check and build"
 on:
-  pull_request:
+  pull_request_target:
     paths:
       - '.github/workflows/wf_check.yaml'
       - '.github/workflows/dashboard_checks.yaml'
@@ -27,6 +27,13 @@ on:
 
       # nhost-js
       - packages/nhost-js/**
+
+      # apis
+      - 'services/auth/docs/openapi.yaml'
+      - 'services/storage/controller/openapi.yaml'
+
+      # cli
+      - cli/**
   push:
     branches:
       - main
@@ -55,7 +62,7 @@ jobs:
     with:
       NAME: docs
       PATH: docs
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
       NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}

.github/workflows/examples_demos_checks.yaml

@@ -1,8 +1,7 @@
 ---
 name: "examples/demos: check and build"
 on:
-  # pull_request_target:
-  pull_request:
+  pull_request_target:
     paths:
       - '.github/workflows/wf_check.yaml'
       - '.github/workflows/examples_demos_checks.yaml'
@@ -64,7 +63,7 @@ jobs:
     with:
       NAME: demos
       PATH: examples/demos
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -78,7 +77,7 @@ jobs:
     with:
       NAME: demos
       PATH: examples/demos
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: false
       OS_MATRIX: '["blacksmith-2vcpu-ubuntu-2404"]'

.github/workflows/examples_guides_checks.yaml

@@ -1,8 +1,7 @@
 ---
 name: "examples/guides: check and build"
 on:
-  # pull_request_target:
-  pull_request:
+  pull_request_target:
     paths:
       - '.github/workflows/wf_check.yaml'
       - '.github/workflows/examples_guides_checks.yaml'
@@ -64,7 +63,7 @@ jobs:
     with:
       NAME: guides
       PATH: examples/guides
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -78,7 +77,7 @@ jobs:
     with:
       NAME: guides
       PATH: examples/guides
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: false
       OS_MATRIX: '["blacksmith-2vcpu-ubuntu-2404"]'

.github/workflows/examples_tutorials_checks.yaml

@@ -1,8 +1,7 @@
 ---
 name: "examples/tutorials: check and build"
 on:
-  # pull_request_target:
-  pull_request:
+  pull_request_target:
     paths:
       - '.github/workflows/wf_check.yaml'
       - '.github/workflows/examples_tutorials_checks.yaml'
@@ -64,7 +63,7 @@ jobs:
     with:
       NAME: tutorials
       PATH: examples/tutorials
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -78,7 +77,7 @@ jobs:
     with:
       NAME: tutorials
       PATH: examples/tutorials
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: false
       OS_MATRIX: '["blacksmith-2vcpu-ubuntu-2404"]'

.github/workflows/gen_ai_review.yaml

@@ -1,7 +1,7 @@
 ---
 name: "gen: AI review"
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, reopened, ready_for_review]
   issue_comment:
 jobs:
@@ -16,11 +16,13 @@ jobs:
     steps:
       - name: PR Agent action step
         id: pragent
-        uses: Codium-ai/pr-agent@v0.30
+        uses: Codium-ai/pr-agent@v0.31
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           OPENAI_KEY: ${{ secrets.OPENAI_API_KEY }}
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           config.model: ${{ vars.GEN_AI_MODEL }}
           config.model_turbo: $${{ vars.GEN_AI_MODEL_TURBO }}
+          config.max_model_tokens: 200000
+          config.custom_model_max_tokens: 200000
           ignore.glob: "['pnpm-lock.yaml','**/pnpm-lock.yaml', 'vendor/**','**/client_gen.go','**/models_gen.go','**/generated.go','**/*.gen.go']"

.github/workflows/gen_codeql-analysis.yml

@@ -26,7 +26,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -37,7 +37,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -51,4 +51,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4

.github/workflows/nhost-js_checks.yaml

@@ -1,8 +1,7 @@
 ---
 name: "nhost-js: check and build"
 on:
-  # pull_request_target:
-  pull_request:
+  pull_request_target:
     paths:
       - '.github/workflows/wf_check.yaml'
       - '.github/workflows/nhost-js_checks.yaml'
@@ -34,6 +33,10 @@ on:
 
       # nhost-js
       - 'packages/nhost-js/**'
+
+      # apis
+      - 'services/auth/docs/openapi.yaml'
+      - 'services/storage/controller/openapi.yaml'
   push:
     branches:
       - main
@@ -61,7 +64,7 @@ jobs:
     with:
       NAME: nhost-js
       PATH: packages/nhost-js
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -75,7 +78,7 @@ jobs:
     with:
       NAME: nhost-js
       PATH: packages/nhost-js
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: false
     secrets:

.github/workflows/nixops_checks.yaml

@@ -1,8 +1,7 @@
 ---
 name: "nixops: check and build"
 on:
-  # pull_request_target:
-  pull_request:
+  pull_request_target:
     paths:
       - '.github/workflows/wf_check.yaml'
       - '.github/workflows/nixops_checks.yaml'
@@ -40,7 +39,7 @@ jobs:
     with:
       NAME: nixops
       PATH: nixops
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -54,9 +53,9 @@ jobs:
     with:
       NAME: nixops
       PATH: nixops
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
-      DOCKER: false
+      DOCKER: true
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
       NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}

.github/workflows/nixops_wf_release.yaml

@@ -0,0 +1,35 @@
+---
+name: "nixops: release"
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'flake.lock'
+      - 'nixops/project.nix'
+
+jobs:
+  build_artifacts:
+    uses: ./.github/workflows/wf_build_artifacts.yaml
+    with:
+      NAME: nixops
+      PATH: nixops
+      GIT_REF: ${{ inputs.GIT_REF }}
+      VERSION: latest
+      DOCKER: true
+    secrets:
+      AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
+      NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
+      NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
+
+  push-docker:
+    uses: ./.github/workflows/wf_docker_push_image.yaml
+    needs:
+      - build_artifacts
+    with:
+      NAME: nixops
+      PATH: nixops
+      VERSION: latest
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}

.github/workflows/storage_checks.yaml

@@ -1,8 +1,7 @@
 ---
 name: "storage: check and build"
 on:
-  # pull_request_target:
-  pull_request:
+  pull_request_target:
     paths:
       - '.github/workflows/storage_checks.yaml'
       - '.github/workflows/wf_check.yaml'
@@ -18,6 +17,7 @@ on:
       - '.golangci.yaml'
       - 'go.mod'
       - 'go.sum'
+      - 'internal/lib/**'
       - 'vendor/**'
 
       # storage
@@ -49,7 +49,7 @@ jobs:
     with:
       NAME: storage
       PATH: services/storage
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -64,7 +64,7 @@ jobs:
     with:
       NAME: storage
       PATH: services/storage
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: true
     secrets:

.github/workflows/wf_build_artifacts.yaml

@@ -85,7 +85,7 @@ jobs:
         zip -r result.zip result
 
     - name: "Push artifact to artifact repository"
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: ${{ inputs.NAME }}-artifact-${{ steps.vars.outputs.ARCH }}-${{ steps.vars.outputs.VERSION }}
         path: ${{ inputs.PATH }}/result.zip
@@ -100,7 +100,7 @@ jobs:
       if: ${{ ( inputs.DOCKER ) }}
 
     - name: "Push docker image to artifact repository"
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: ${{ inputs.NAME }}-docker-image-${{ steps.vars.outputs.ARCH }}-${{ steps.vars.outputs.VERSION }}
         path: ${{ inputs.PATH }}/result

.github/workflows/wf_docker_push_image.yaml

@@ -44,7 +44,7 @@ jobs:
           echo "VERSION=$(make get-version VER=${{ inputs.VERSION }})" >> $GITHUB_OUTPUT
 
       - name: "Get artifacts"
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           path: ~/artifacts
 

.github/workflows/wf_docker_push_image_ecr.yaml

@@ -55,7 +55,7 @@ jobs:
           echo "VERSION=$(make get-version VER=${{ inputs.VERSION }})" >> $GITHUB_OUTPUT
 
       - name: "Get artifacts"
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           path: ~/artifacts
 

.golangci.yaml

@@ -7,6 +7,8 @@ linters:
   settings:
     funlen:
       lines: 65
+    wsl_v5:
+      allow-whole-block: true
   disable:
     - canonicalheader
     - depguard
@@ -30,6 +32,7 @@ linters:
       - linters:
           - funlen
           - ireturn
+          - goconst
         path: _test\.go
       - linters:
           - lll

CONTRIBUTING.md

@@ -16,6 +16,15 @@ Contributions are made to Nhost repos via Issues and Pull Requests (PRs). A few
 - We work hard to make sure issues are handled on time, but it could take a while to investigate the root cause depending on the impact. A friendly ping in the comment thread to the submitter or a contributor can help draw attention if your issue is blocking.
 - If you've never contributed before, see [the first-timer's guide](https://github.com/firstcontributions/first-contributions) for resources and tips on getting started.
 
+### AI-Assisted Contributions
+
+We have specific policies regarding AI-assisted contributions:
+
+- **Issues**: Bug reports and feature requests that are clearly AI-generated will not be accepted and will be closed immediately. Please write your issues in your own words to ensure they are clear, specific, and contain the necessary context.
+- **Pull Requests**: Contributions with the help of AI are permitted, but you are ultimately responsible for the quality of your submission and for ensuring it follows our contributing guidelines. The PR description must be written in your own words. Additionally, please remove any superfluous code comments introduced by AI tools before submitting. PRs that clearly violate this rule will be closed without further review.
+
+In all cases, contributors must ensure their submissions are thoughtful, well-tested, and meet the project's quality standards.
+
 ### Issues
 
 Issues should be used to report problems with Nhost, request a new feature, or discuss potential changes before a PR is created.
@@ -24,28 +33,20 @@ If you find an Issue that addresses the problem you're having, please add your r
 
 ### Pull Requests
 
-Please have a look at our [developers guide](https://github.com/nhost/nhost/blob/main/DEVELOPERS.md) to start coding!
-
 PRs to our libraries are always welcome and can be a quick way to get your fix or improvement slated for the next release. In general, PRs should:
 
-- Only fix/add the functionality in question **OR** address wide-spread whitespace/style issues, not both.
-- Add unit or integration tests for fixed or changed functionality (if a test suite exists).
-- Address a single concern in the least number of changed lines as possible.
-- Include documentation in the repo or on our [docs site](https://docs.nhost.io).
-- Be accompanied by a complete Pull Request template (loaded automatically when a PR is created).
+## Monorepo Structure
 
-For changes that address core functionality or require breaking changes (e.g., a major release), it's best to open an Issue to discuss your proposal first. This is not required but can save time creating and reviewing changes.
+This repository is a monorepo that contains multiple packages and applications. The structure is as follows:
 
-In general, we follow the ["fork-and-pull" Git workflow](https://github.com/susam/gitpr)
+- `cli` - The Nhost CLI
+- `dashboard` - The Nhost Dashboard
+- `docs` - Documentation
+- `examples` - Various example projects
+- `packages/nhost-js` - The Nhost JavaScript/TypeScript SDK
+- `services/auth` - Nhost Authentication service
+- `services/storage` - Nhost Storage service
+- `tools/codegen` - Internal code generation tool to build the SDK
+- `tools/mintlify-openapi` - Internal tool to generate reference documentation for Mintlify from an OpenAPI spec.
 
-1. Fork the repository to your own Github account
-2. Clone the project to your machine
-3. Create a branch locally with a succinct but descriptive name. All changes should be part of a branch and submitted as a pull request - your branches should be prefixed with one of:
-   - `bug/` for bug fixes
-   - `feat/` for features
-   - `chore/` for configuration changes
-   - `docs/` for documentation changes
-4. Commit changes to the branch
-5. Following any formatting and testing guidelines specific to this repo
-6. Push changes to your fork
-7. Open a PR in our repository and follow the PR template to review the changes efficiently.
+For details about those projects and how to contribute, please refer to their respective `README.md` and `CONTRIBUTING.md` files.

DEVELOPERS.md

@@ -1,100 +0,0 @@
-# Developer Guide
-
-## Requirements
-
-### Node.js v20 or later
-
-### [pnpm](https://pnpm.io/) package manager
-
-The easiest way to install `pnpm` if it's not installed on your machine yet is to use `npm`:
-
-```sh
-$ npm install -g pnpm
-```
-
-### [Nhost CLI](https://docs.nhost.io/platform/cli/local-development)
-
-- The CLI is primarily used for running the E2E tests
-- Please refer to the [installation guide](https://docs.nhost.io/platform/cli/local-development) if you have not installed it yet
-
-## File Structure
-
-The repository is organized as a monorepo, with the following structure (only relevant folders are shown):
-
-```
-assets/            # Assets used in the README
-config/            # Configuration files for the monorepo
-dashboard/         # Dashboard
-docs/              # Documentation website
-examples/          # Example projects
-packages/          # Core packages
-integrations/      # These are packages that rely on the core packages
-```
-
-## Get started
-
-### Installation
-
-First, clone this repository:
-
-```sh
-git clone https://github.com/nhost/nhost
-```
-
-Then, install the dependencies with `pnpm`:
-
-```sh
-$ cd nhost
-$ pnpm install
-```
-
-### Development
-
-Although package references are correctly updated on the fly for TypeScript, example projects and the dashboard won't see the changes because they are depending on the build output. To fix this, you can run packages in development mode.
-
-Running packages in development mode from the root folder is as simple as:
-
-```sh
-$ pnpm dev
-```
-
-Our packages are linked together using [PNPM's workspace](https://pnpm.io/workspaces) feature. Next.js and Vite automatically detect changes in the dependencies and rebuild everything, so the changes will be reflected in the examples and the dashboard.
-
-**Note:** It's possible that Next.js or Vite throw an error when you run `pnpm dev`. Restarting the process should fix it.
-
-### Use Examples
-
-Examples are a great way to test your changes in practice. Make sure you've `pnpm dev` running in your terminal and then run an example.
-
-Let's follow the instructions to run [react-apollo example](https://github.com/nhost/nhost/blob/main/examples/react-apollo/README.md).
-
-## Edit Documentation
-
-The easier way to contribute to our documentation is to go to the `docs` folder and follow the [instructions to start local development](https://github.com/nhost/nhost/blob/main/docs/README.md):
-
-```sh
-$ cd docs
-# not necessary if you've already done this step somewhere in the repository
-$ pnpm install
-$ pnpm start
-```
-
-## Run Test Suites
-
-### Unit Tests
-
-You can run the unit tests with the following command from the repository root:
-
-```sh
-$ pnpm test
-```
-
-### E2E Tests
-
-Each package that defines end-to-end tests embeds their own Nhost configuration, that will be automatically when running the tests. As a result, you must make sure you are not running the Nhost CLI before running the tests.
-
-You can run the e2e tests with the following command from the repository root:
-
-```sh
-$ pnpm e2e
-```

Makefile

@@ -0,0 +1,16 @@
+.PHONY: envrc-install
+envrc-install: ## Copy envrc.sample to all project folders
+	@for f in $$(find . -name "project.nix"); do \
+		echo "Copying envrc.sample to $$(dirname $$f)/.envrc"; \
+		cp ./envrc.sample $$(dirname $$f)/.envrc; \
+	done
+
+.PHONY: nixops-container-env
+nixops-container-env: ## Enter a NixOS container environment
+	docker run \
+		-it \
+		-v /var/run/docker.sock:/var/run/docker.sock \
+		-v ./:/build \
+		-w /build \
+		nixops:0.0.0-dev \
+			bash

README.md

@@ -12,7 +12,7 @@
 <span>&nbsp;&nbsp;•&nbsp;&nbsp;</span>
 <a href="https://nhost.io/blog">Blog</a>
 <span>&nbsp;&nbsp;•&nbsp;&nbsp;</span>
-<a href="https://twitter.com/nhost">Twitter</a>
+<a href="https://x.com/nhost">X</a>
 <span>&nbsp;&nbsp;•&nbsp;&nbsp;</span>
 <a href="https://nhost.io/discord">Discord</a>
 <span>&nbsp;&nbsp;•&nbsp;&nbsp;</span>
@@ -33,10 +33,10 @@ Nhost consists of open source software:
 
 - Database: [PostgreSQL](https://www.postgresql.org/)
 - Instant GraphQL API: [Hasura](https://hasura.io/)
-- Authentication: [Hasura Auth](https://github.com/nhost/hasura-auth/)
-- Storage: [Hasura Storage](https://github.com/nhost/hasura-storage)
+- Authentication: [Auth](https://github.com/nhost/nhost/tree/main/services/auth)
+- Storage: [Storage](https://github.com/nhost/nhost/tree/main/services/storage)
 - Serverless Functions: Node.js (JavaScript and TypeScript)
-- [Nhost CLI](https://docs.nhost.io/platform/cli/local-development) for local development
+- [Nhost CLI](https://github.com/nhost/nhost/tree/main/cli) for local development
 
 ## Architecture of Nhost
 
@@ -138,7 +138,7 @@ Here are some ways of contributing to making Nhost better:
 
 - **[Try out Nhost](https://docs.nhost.io)**, and think of ways to make the service better. Let us know here on GitHub.
 - Join our [Discord](https://discord.com/invite/9V7Qb2U) and connect with other members to share and learn from.
-- Send a pull request to any of our [open source repositories](https://github.com/nhost) on Github. Check our [contribution guide](https://github.com/nhost/nhost/blob/main/CONTRIBUTING.md) and our [developers guide](https://github.com/nhost/nhost/blob/main/DEVELOPERS.md) for more details about how to contribute. We're looking forward to your contribution!
+- Send a pull request to any of our [open source repositories](https://github.com/nhost) on Github. Check out our [contribution guide](https://github.com/nhost/nhost/blob/main/CONTRIBUTING.md) for more details about how to contribute. We're looking forward to your contribution!
 
 ### Contributors
 

audit-ci.jsonc

@@ -2,5 +2,7 @@
   // $schema provides code completion hints to IDEs.
   "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
   "moderate": true,
-  "allowlist": ["vue-template-compiler", { "id": "CVE-2025-48068", "path": "next" }]
-}
+  "allowlist": [
+    "GHSA-7mvr-c777-76hp" // https://github.com/advisories/GHSA-7mvr-c777-76hp Update package once Nix side is also updated
+  ]
+}

build/makefiles/general.makefile

@@ -54,6 +54,11 @@ get-version:  ## Return version
 	@echo $(VERSION)
 
 
+.PHONY: develop
+develop:  ## Start a nix develop shell
+	nix develop .\#$(NAME)
+
+
 .PHONY: _check-pre
 _check-pre:  ## Pre-checks before running nix flake check
 
@@ -105,6 +110,11 @@ build-docker-image:  ## Build docker container for native architecture
 		skopeo copy --insecure-policy dir:./result docker-daemon:$(NAME):$(VERSION)
 
 
+.PHONY: build-docker-image-import-bare
+build-docker-image-import-bare:
+	skopeo copy --insecure-policy dir:./result docker-daemon:$(NAME):$(VERSION)
+
+
 .PHONY: dev-env-up
 dev-env-up: _dev-env-build _dev-env-up ## Starts development environment
 

cli/CHANGELOG.md

@@ -1,7 +1,108 @@
+## [cli@1.34.7] - 2025-11-13
+
+### ⚙️ Miscellaneous Tasks
+
+- *(cli)* Bump nhost/dashboard to 2.42.0 (#3693)
+
+## [cli@1.34.6] - 2025-11-13
+
+### 🐛 Bug Fixes
+
+- *(cli)* Mcp: specify items type for arrays in tools (#3687)
+
+
+### ⚙️ Miscellaneous Tasks
+
+- *(cli)* Update bindings (#3689)
+
+## [cli@1.34.5] - 2025-11-06
+
+### ⚙️ Miscellaneous Tasks
+
+- *(nixops)* Bump go to 1.25.3 and nixpkgs due to CVEs (#3652)
+- *(cli)* Udpate certs and schema (#3675)
+- *(cli)* Bump nhost/dashboard to 2.41.0 (#3669)
+
 # Changelog
 
 All notable changes to this project will be documented in this file.
 
+## [cli@1.34.4] - 2025-10-28
+
+### 🐛 Bug Fixes
+
+- *(cli)* Update NEXT_PUBLIC_NHOST_HASURA_MIGRATIONS_API_URL correctly (#3643)
+
+## [cli@1.34.3] - 2025-10-27
+
+### ⚙️ Miscellaneous Tasks
+
+- *(cli)* Update schema (#3622)
+- *(cli)* Bump nhost/dashboard to 2.40.0 (#3629)
+
+## [cli@1.34.2] - 2025-10-20
+
+### ⚙️ Miscellaneous Tasks
+
+- *(cli)* Minor fix to download script when specifying version (#3602)
+- *(cli)* Update schema (#3613)
+
+## [cli@1.34.1] - 2025-10-13
+
+### 🐛 Bug Fixes
+
+- *(cli)* Remove references to mcp-nhost (#3575)
+- *(cli)* Workaround os.Rename issues when src and dst are on different partitions (#3599)
+
+
+### ⚙️ Miscellaneous Tasks
+
+- *(auth)* Change some references to deprecated hasura-auth (#3584)
+- *(docs)* Udpated README.md and CONTRIBUTING.md (#3587)
+
+## [cli@1.34.0] - 2025-10-09
+
+### 🚀 Features
+
+- *(cli)* Added mcp server functionality from mcp-nhost (#3550)
+- *(cli)* Mcp: move configuration to .nhost folder and integrate cloud credentials (#3555)
+- *(cli)* Mcp: added support for environment variables in the configuration (#3556)
+- *(cli)* MCP refactor and documentation prior to official release (#3571)
+
+
+### 🐛 Bug Fixes
+
+- *(dashboard)* Remove NODE_ENV from restricted env vars (#3573)
+
+
+### ⚙️ Miscellaneous Tasks
+
+- *(nixops)* Update nhost-cli (#3554)
+- *(cli)* Bump nhost/dashboard to 2.38.4 (#3539)
+
+## [cli@1.33.0] - 2025-10-02
+
+### 🚀 Features
+
+- *(cli)* Migrate from urfave/v2 to urfave/v3 (#3545)
+
+
+### 🐛 Bug Fixes
+
+- *(cli)* Disable tls on AUTH_SERVER_URL when auth uses custom port (#3549)
+- *(cli)* Fix breaking change in go-getter dependency (#3551)
+
+
+### ⚙️ Miscellaneous Tasks
+
+- *(cli)* Update certs (#3552)
+
+## [cli@1.32.2] - 2025-10-01
+
+### ⚙️ Miscellaneous Tasks
+
+- *(cli)* Remove hasura- prefix from auth/storage images (#3538)
+
 ## [cli@1.32.1] - 2025-09-29
 
 ### ⚙️ Miscellaneous Tasks

cli/CONTRIBUTING.md

@@ -0,0 +1,84 @@
+# Developer Guide
+
+## Requirements
+
+We use nix to manage the development environment, the build process and for running tests.
+
+### With Nix (Recommended)
+
+Run `nix develop \#cli` to get a complete development environment.
+
+### Without Nix
+
+Check `project.nix` (checkDeps, buildInputs, buildNativeInputs) for manual dependency installation. Alternatively, you can run `make nixops-container-env` in the root of the repository to enter a Docker container with nix and all dependencies pre-installed (note it is a large image).
+
+## Development Workflow
+
+### Running Tests
+
+**With Nix:**
+```bash
+make dev-env-up
+make check
+```
+
+**Without Nix:**
+```bash
+# Start development environment
+make dev-env-up
+
+# Lint Go code
+golangci-lint run ./...
+
+# Run tests
+go test -v ./...
+```
+
+### Formatting
+
+Format code before committing:
+```bash
+golines -w --base-formatter=gofumpt .
+```
+
+## Building
+
+### Local Build
+
+Build the project (output in `./result`):
+```bash
+make build
+```
+
+### Docker Image
+
+Build and import Docker image with skopeo:
+```bash
+make build-docker-image
+```
+
+If you run the command above inside the dockerized nixops-container-env and you get an error like:
+
+```
+FATA[0000] writing blob: io: read/write on closed pipe
+```
+
+then you need to run the following command outside of the container (needs skopeo installed on the host):
+
+```bash
+cd cli
+make build-docker-image-import-bare
+```
+
+### Multi-Platform Builds
+
+Build for multiple platforms (Darwin/Linux, ARM64/AMD64):
+```bash
+make build-multiplatform
+```
+
+This produces binaries for:
+- darwin/arm64
+- darwin/amd64
+- linux/arm64
+- linux/amd64

cli/README.md

@@ -12,9 +12,9 @@ It's recommended to use the Nhost CLI and the [Nhost GitHub Integration](https:/
 
 - [Nhost Dashboard](https://github.com/nhost/nhost/tree/main/dashboard)
 - [Postgres Database](https://www.postgresql.org/)
-- [Hasura's GraphQL Engine](https://github.com/hasura/graphql-engine)
-- [Hasura Auth](https://github.com/nhost/hasura-auth)
-- [Hasura Storage](https://github.com/nhost/hasura-storage)
+- [GraphQL Engine](https://github.com/hasura/graphql-engine)
+- [Auth](https://github.com/nhost/nhost/main/auth)
+- [Storage](https://github.com/nhost/nhost/main/storage)
 - [Nhost Serverless Functions](https://github.com/nhost/functions)
 - [Minio S3](https://github.com/minio/minio)
 - [Mailhog](https://github.com/mailhog/MailHog)
@@ -51,11 +51,18 @@ nhost up
 nhost up --ui nhost
 ```
 
+## MCP Server
+
+The Nhost cli ships with an MCP server that lets you interact with your Nhost projects through AI assistants using the Model Context Protocol. It provides secure, controlled access to your GraphQL data, project configuration, and documentation—with granular permissions that let you specify exactly which queries and mutations an LLM can execute. For development, it streamlines your workflow by enabling AI-assisted schema management, metadata changes, and migrations, while providing direct access to your GraphQL schema for intelligent query building.
+
+You can read more about the MCP server in the [MCP Server documentation](https://docs.nhost.io/platform/cli/mcp/overview).
+
 ## Documentation
 
 - [Get started with Nhost CLI (longer version)](https://docs.nhost.io/platform/overview/get-started-with-nhost-cli)
 - [Nhost CLI](https://docs.nhost.io/platform/cli)
 - [Reference](https://docs.nhost.io/reference/cli)
+- [MCP Server](https://docs.nhost.io/platform/cli/mcp/overview)
 
 ## Build from Source
 

cli/clienv/clienv.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/nhost/nhost/cli/nhostclient"
 	"github.com/nhost/nhost/cli/nhostclient/graphql"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func sanitizeName(name string) string {
@@ -55,28 +55,28 @@ func New(
 	}
 }
 
-func FromCLI(cCtx *cli.Context) *CliEnv {
+func FromCLI(cmd *cli.Command) *CliEnv {
 	cwd, err := os.Getwd()
 	if err != nil {
 		panic(err)
 	}
 
 	return &CliEnv{
-		stdout: cCtx.App.Writer,
-		stderr: cCtx.App.ErrWriter,
+		stdout: cmd.Writer,
+		stderr: cmd.ErrWriter,
 		Path: NewPathStructure(
 			cwd,
-			cCtx.String(flagRootFolder),
-			cCtx.String(flagDotNhostFolder),
-			cCtx.String(flagNhostFolder),
+			cmd.String(flagRootFolder),
+			cmd.String(flagDotNhostFolder),
+			cmd.String(flagNhostFolder),
 		),
-		authURL:        cCtx.String(flagAuthURL),
-		graphqlURL:     cCtx.String(flagGraphqlURL),
-		branch:         cCtx.String(flagBranch),
-		projectName:    sanitizeName(cCtx.String(flagProjectName)),
+		authURL:        cmd.String(flagAuthURL),
+		graphqlURL:     cmd.String(flagGraphqlURL),
+		branch:         cmd.String(flagBranch),
+		projectName:    sanitizeName(cmd.String(flagProjectName)),
 		nhclient:       nil,
 		nhpublicclient: nil,
-		localSubdomain: cCtx.String(flagLocalSubdomain),
+		localSubdomain: cmd.String(flagLocalSubdomain),
 	}
 }
 

cli/clienv/flags.go

@@ -6,7 +6,7 @@ import (
 	"path/filepath"
 
 	"github.com/go-git/go-git/v5"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -53,42 +53,42 @@ func Flags() ([]cli.Flag, error) {
 		&cli.StringFlag{ //nolint:exhaustruct
 			Name:    flagAuthURL,
 			Usage:   "Nhost auth URL",
-			EnvVars: []string{"NHOST_CLI_AUTH_URL"},
+			Sources: cli.EnvVars("NHOST_CLI_AUTH_URL"),
 			Value:   "https://otsispdzcwxyqzbfntmj.auth.eu-central-1.nhost.run/v1",
 			Hidden:  true,
 		},
 		&cli.StringFlag{ //nolint:exhaustruct
 			Name:    flagGraphqlURL,
 			Usage:   "Nhost GraphQL URL",
-			EnvVars: []string{"NHOST_CLI_GRAPHQL_URL"},
+			Sources: cli.EnvVars("NHOST_CLI_GRAPHQL_URL"),
 			Value:   "https://otsispdzcwxyqzbfntmj.graphql.eu-central-1.nhost.run/v1",
 			Hidden:  true,
 		},
 		&cli.StringFlag{ //nolint:exhaustruct
 			Name:    flagBranch,
 			Usage:   "Git branch name. If not set, it will be detected from the current git repository. This flag is used to dynamically create docker volumes for each branch. If you want to have a static volume name or if you are not using git, set this flag to a static value.", //nolint:lll
-			EnvVars: []string{"BRANCH"},
+			Sources: cli.EnvVars("BRANCH"),
 			Value:   branch,
 			Hidden:  false,
 		},
 		&cli.StringFlag{ //nolint:exhaustruct
 			Name:     flagRootFolder,
 			Usage:    "Root folder of project\n\t",
-			EnvVars:  []string{"NHOST_ROOT_FOLDER"},
+			Sources:  cli.EnvVars("NHOST_ROOT_FOLDER"),
 			Value:    workingDir,
 			Category: "Project structure",
 		},
 		&cli.StringFlag{ //nolint:exhaustruct
 			Name:     flagDotNhostFolder,
 			Usage:    "Path to .nhost folder\n\t",
-			EnvVars:  []string{"NHOST_DOT_NHOST_FOLDER"},
+			Sources:  cli.EnvVars("NHOST_DOT_NHOST_FOLDER"),
 			Value:    dotNhostFolder,
 			Category: "Project structure",
 		},
 		&cli.StringFlag{ //nolint:exhaustruct
 			Name:     flagNhostFolder,
 			Usage:    "Path to nhost folder\n\t",
-			EnvVars:  []string{"NHOST_NHOST_FOLDER"},
+			Sources:  cli.EnvVars("NHOST_NHOST_FOLDER"),
 			Value:    nhostFolder,
 			Category: "Project structure",
 		},
@@ -96,13 +96,13 @@ func Flags() ([]cli.Flag, error) {
 			Name:    flagProjectName,
 			Usage:   "Project name",
 			Value:   filepath.Base(fullWorkingDir),
-			EnvVars: []string{"NHOST_PROJECT_NAME"},
+			Sources: cli.EnvVars("NHOST_PROJECT_NAME"),
 		},
 		&cli.StringFlag{ //nolint:exhaustruct
 			Name:    flagLocalSubdomain,
 			Usage:   "Local subdomain to reach the development environment",
 			Value:   "local",
-			EnvVars: []string{"NHOST_LOCAL_SUBDOMAIN"},
+			Sources: cli.EnvVars("NHOST_LOCAL_SUBDOMAIN"),
 		},
 	}, nil
 }

cli/clienv/wf_session.go

@@ -29,3 +29,12 @@ func (ce *CliEnv) LoadSession(
 
 	return session, nil
 }
+
+func (ce *CliEnv) Credentials() (credentials.Credentials, error) {
+	var creds credentials.Credentials
+	if err := UnmarshalFile(ce.Path.AuthFile(), &creds, json.Unmarshal); err != nil {
+		return credentials.Credentials{}, err
+	}
+
+	return creds, nil
+}

cli/cmd/config/apply.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandApply() *cli.Command {
@@ -22,38 +22,42 @@ func CommandApply() *cli.Command {
 				Name:     flagSubdomain,
 				Usage:    "Subdomain of the Nhost project to apply configuration to. Defaults to linked project",
 				Required: true,
-				EnvVars:  []string{"NHOST_SUBDOMAIN"},
+				Sources:  cli.EnvVars("NHOST_SUBDOMAIN"),
 			},
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:    flagYes,
 				Usage:   "Skip confirmation",
-				EnvVars: []string{"NHOST_YES"},
+				Sources: cli.EnvVars("NHOST_YES"),
 			},
 		},
 	}
 }
 
-func commandApply(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandApply(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	proj, err := ce.GetAppInfo(cCtx.Context, cCtx.String(flagSubdomain))
+	proj, err := ce.GetAppInfo(ctx, cmd.String(flagSubdomain))
 	if err != nil {
-		return fmt.Errorf("failed to get app info: %w", err)
+		return cli.Exit(fmt.Sprintf("Failed to get app info: %v", err), 1)
 	}
 
 	ce.Infoln("Validating configuration...")
 
 	cfg, _, err := ValidateRemote(
-		cCtx.Context,
+		ctx,
 		ce,
 		proj.GetSubdomain(),
 		proj.GetID(),
 	)
 	if err != nil {
-		return err
+		return cli.Exit(err.Error(), 1)
 	}
 
-	return Apply(cCtx.Context, ce, proj.ID, cfg, cCtx.Bool(flagYes))
+	if err := Apply(ctx, ce, proj.ID, cfg, cmd.Bool(flagYes)); err != nil {
+		return cli.Exit(err.Error(), 1)
+	}
+
+	return nil
 }
 
 func Apply(

cli/cmd/config/config.go

@@ -1,6 +1,6 @@
 package config
 
-import "github.com/urfave/cli/v2"
+import "github.com/urfave/cli/v3"
 
 const flagSubdomain = "subdomain"
 
@@ -9,7 +9,7 @@ func Command() *cli.Command {
 		Name:    "config",
 		Aliases: []string{},
 		Usage:   "Perform config operations",
-		Subcommands: []*cli.Command{
+		Commands: []*cli.Command{
 			CommandDefault(),
 			CommandExample(),
 			CommandApply(),

cli/cmd/config/default.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"context"
 	"fmt"
 	"os"
 
@@ -8,7 +9,7 @@ import (
 	"github.com/nhost/nhost/cli/project"
 	"github.com/nhost/nhost/cli/project/env"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandDefault() *cli.Command {
@@ -21,8 +22,8 @@ func CommandDefault() *cli.Command {
 	}
 }
 
-func commandDefault(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandDefault(_ context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	if err := os.MkdirAll(ce.Path.NhostFolder(), 0o755); err != nil { //nolint:mnd
 		return fmt.Errorf("failed to create nhost folder: %w", err)

cli/cmd/config/edit.go

@@ -13,7 +13,7 @@ import (
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 	"github.com/wI2L/jsondiff"
 )
 
@@ -31,13 +31,13 @@ func CommandEdit() *cli.Command {
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagSubdomain,
 				Usage:   "If specified, edit this subdomain's overlay, otherwise edit base configuation",
-				EnvVars: []string{"NHOST_SUBDOMAIN"},
+				Sources: cli.EnvVars("NHOST_SUBDOMAIN"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagEditor,
 				Usage:   "Editor to use",
 				Value:   "vim",
-				EnvVars: []string{"EDITOR"},
+				Sources: cli.EnvVars("EDITOR"),
 			},
 		},
 	}
@@ -139,11 +139,11 @@ func GenerateJSONPatch(origfilepath, newfilepath, dst string) error {
 	return nil
 }
 
-func edit(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func edit(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	if cCtx.String(flagSubdomain) == "" {
-		if err := EditFile(cCtx.Context, cCtx.String(flagEditor), ce.Path.NhostToml()); err != nil {
+	if cmd.String(flagSubdomain) == "" {
+		if err := EditFile(ctx, cmd.String(flagEditor), ce.Path.NhostToml()); err != nil {
 			return fmt.Errorf("failed to edit config: %w", err)
 		}
 
@@ -163,17 +163,17 @@ func edit(cCtx *cli.Context) error {
 	tmpfileName := filepath.Join(tmpdir, "nhost.toml")
 
 	if err := CopyConfig[model.ConfigConfig](
-		ce.Path.NhostToml(), tmpfileName, ce.Path.Overlay(cCtx.String(flagSubdomain)),
+		ce.Path.NhostToml(), tmpfileName, ce.Path.Overlay(cmd.String(flagSubdomain)),
 	); err != nil {
 		return fmt.Errorf("failed to copy config: %w", err)
 	}
 
-	if err := EditFile(cCtx.Context, cCtx.String(flagEditor), tmpfileName); err != nil {
+	if err := EditFile(ctx, cmd.String(flagEditor), tmpfileName); err != nil {
 		return fmt.Errorf("failed to edit config: %w", err)
 	}
 
 	if err := GenerateJSONPatch(
-		ce.Path.NhostToml(), tmpfileName, ce.Path.Overlay(cCtx.String(flagSubdomain)),
+		ce.Path.NhostToml(), tmpfileName, ce.Path.Overlay(cmd.String(flagSubdomain)),
 	); err != nil {
 		return fmt.Errorf("failed to generate json patch: %w", err)
 	}

cli/cmd/config/example.go

@@ -1,13 +1,14 @@
 package config
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/be/services/mimir/schema"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandExample() *cli.Command {
@@ -22,8 +23,8 @@ func CommandExample() *cli.Command {
 
 func ptr[T any](v T) *T { return &v }
 
-func commandExample(cCtx *cli.Context) error { //nolint:funlen,maintidx
-	ce := clienv.FromCLI(cCtx)
+func commandExample(_ context.Context, cmd *cli.Command) error { //nolint:funlen,maintidx
+	ce := clienv.FromCLI(cmd)
 
 	//nolint:mnd
 	cfg := model.ConfigConfig{

cli/cmd/config/pull.go

@@ -13,7 +13,7 @@ import (
 	"github.com/nhost/nhost/cli/project/env"
 	"github.com/nhost/nhost/cli/system"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -36,21 +36,21 @@ func CommandPull() *cli.Command {
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagSubdomain,
 				Usage:   "Pull this subdomain's configuration. Defaults to linked project",
-				EnvVars: []string{"NHOST_SUBDOMAIN"},
+				Sources: cli.EnvVars("NHOST_SUBDOMAIN"),
 			},
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:    flagYes,
 				Usage:   "Skip confirmation",
-				EnvVars: []string{"NHOST_YES"},
+				Sources: cli.EnvVars("NHOST_YES"),
 			},
 		},
 	}
 }
 
-func commandPull(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandPull(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	skipConfirmation := cCtx.Bool(flagYes)
+	skipConfirmation := cmd.Bool(flagYes)
 
 	if !skipConfirmation {
 		if err := verifyFile(ce, ce.Path.NhostToml()); err != nil {
@@ -66,12 +66,12 @@ func commandPull(cCtx *cli.Context) error {
 		}
 	}
 
-	proj, err := ce.GetAppInfo(cCtx.Context, cCtx.String(flagSubdomain))
+	proj, err := ce.GetAppInfo(ctx, cmd.String(flagSubdomain))
 	if err != nil {
 		return fmt.Errorf("failed to get app info: %w", err)
 	}
 
-	_, err = Pull(cCtx.Context, ce, proj, writeSecrets)
+	_, err = Pull(ctx, ce, proj, writeSecrets)
 
 	return err
 }

cli/cmd/config/show.go

@@ -1,13 +1,14 @@
 package config
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/project/env"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandShow() *cli.Command {
@@ -21,14 +22,14 @@ func CommandShow() *cli.Command {
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagSubdomain,
 				Usage:   "Show this subdomain's rendered configuration. Defaults to base configuration",
-				EnvVars: []string{"NHOST_SUBDOMAIN"},
+				Sources: cli.EnvVars("NHOST_SUBDOMAIN"),
 			},
 		},
 	}
 }
 
-func commandShow(c *cli.Context) error {
-	ce := clienv.FromCLI(c)
+func commandShow(_ context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	var secrets model.Secrets
 	if err := clienv.UnmarshalFile(ce.Path.Secrets(), &secrets, env.Unmarshal); err != nil {
@@ -38,7 +39,7 @@ func commandShow(c *cli.Context) error {
 		)
 	}
 
-	cfg, err := Validate(ce, c.String(flagSubdomain), secrets)
+	cfg, err := Validate(ce, cmd.String(flagSubdomain), secrets)
 	if err != nil {
 		return err
 	}

cli/cmd/config/validate.go

@@ -13,7 +13,7 @@ import (
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/project/env"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 	jsonpatch "gopkg.in/evanphx/json-patch.v5"
 )
 
@@ -27,24 +27,24 @@ func CommandValidate() *cli.Command {
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagSubdomain,
 				Usage:   "Validate this subdomain's configuration. Defaults to linked project",
-				EnvVars: []string{"NHOST_SUBDOMAIN"},
+				Sources: cli.EnvVars("NHOST_SUBDOMAIN"),
 			},
 		},
 	}
 }
 
-func commandValidate(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandValidate(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	subdomain := cCtx.String(flagSubdomain)
+	subdomain := cmd.String(flagSubdomain)
 	if subdomain != "" && subdomain != "local" {
-		proj, err := ce.GetAppInfo(cCtx.Context, cCtx.String(flagSubdomain))
+		proj, err := ce.GetAppInfo(ctx, cmd.String(flagSubdomain))
 		if err != nil {
 			return fmt.Errorf("failed to get app info: %w", err)
 		}
 
 		_, _, err = ValidateRemote(
-			cCtx.Context,
+			ctx,
 			ce,
 			proj.GetSubdomain(),
 			proj.GetID(),

cli/cmd/configserver/configserver.go

@@ -9,7 +9,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/nhost/be/services/mimir/graph"
 	cors "github.com/rs/cors/wrapper/gin"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -48,27 +48,27 @@ func Command() *cli.Command {
 				Name:     enablePlaygroundFlag,
 				Usage:    "enable graphql playground (under /v1)",
 				Category: "server",
-				EnvVars:  []string{"ENABLE_PLAYGROUND"},
+				Sources:  cli.EnvVars("ENABLE_PLAYGROUND"),
 			},
 			&cli.StringFlag{ //nolint: exhaustruct
 				Name:     storageLocalConfigPath,
 				Usage:    "Path to the local mimir config file",
 				Value:    "/tmp/root/nhost/nhost.toml",
 				Category: "plugins",
-				EnvVars:  []string{"STORAGE_LOCAL_CONFIG_PATH"},
+				Sources:  cli.EnvVars("STORAGE_LOCAL_CONFIG_PATH"),
 			},
 			&cli.StringFlag{ //nolint: exhaustruct
 				Name:     storageLocalSecretsPath,
 				Usage:    "Path to the local mimir secrets file",
 				Value:    "/tmp/root/.secrets",
 				Category: "plugins",
-				EnvVars:  []string{"STORAGE_LOCAL_SECRETS_PATH"},
+				Sources:  cli.EnvVars("STORAGE_LOCAL_SECRETS_PATH"),
 			},
 			&cli.StringSliceFlag{ //nolint: exhaustruct
 				Name:     storageLocalRunServicesPath,
 				Usage:    "Path to the local mimir run services files",
 				Category: "plugins",
-				EnvVars:  []string{"STORAGE_LOCAL_RUN_SERVICES_PATH"},
+				Sources:  cli.EnvVars("STORAGE_LOCAL_RUN_SERVICES_PATH"),
 			},
 		},
 		Action: serve,
@@ -103,14 +103,14 @@ func runServicesFiles(runServices ...string) map[string]string {
 	return m
 }
 
-func serve(cCtx *cli.Context) error {
-	logger := getLogger(cCtx.Bool(debugFlag), cCtx.Bool(logFormatJSONFlag))
-	logger.Info(cCtx.App.Name + " v" + cCtx.App.Version)
-	logFlags(logger, cCtx)
+func serve(_ context.Context, cmd *cli.Command) error {
+	logger := getLogger(cmd.Bool(debugFlag), cmd.Bool(logFormatJSONFlag))
+	logger.Info(cmd.Root().Name + " v" + cmd.Root().Version)
+	logFlags(logger, cmd)
 
-	configFile := cCtx.String(storageLocalConfigPath)
-	secretsFile := cCtx.String(storageLocalSecretsPath)
-	runServices := runServicesFiles(cCtx.StringSlice(storageLocalRunServicesPath)...)
+	configFile := cmd.String(storageLocalConfigPath)
+	secretsFile := cmd.String(storageLocalSecretsPath)
+	runServices := runServicesFiles(cmd.StringSlice(storageLocalRunServicesPath)...)
 
 	st := NewLocal(configFile, secretsFile, runServices)
 
@@ -131,13 +131,13 @@ func serve(cCtx *cli.Context) error {
 		resolver,
 		dummyMiddleware,
 		dummyMiddleware2,
-		cCtx.Bool(enablePlaygroundFlag),
-		cCtx.App.Version,
+		cmd.Bool(enablePlaygroundFlag),
+		cmd.Root().Version,
 		[]graphql.FieldMiddleware{},
 		gin.Recovery(),
 		cors.Default(),
 	)
-	if err := r.Run(cCtx.String(bindFlag)); err != nil {
+	if err := r.Run(cmd.String(bindFlag)); err != nil {
 		return fmt.Errorf("failed to run gin: %w", err)
 	}
 

cli/cmd/configserver/logger.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func getLogger(debug bool, formatJSON bool) *logrus.Logger {
@@ -29,15 +29,15 @@ func getLogger(debug bool, formatJSON bool) *logrus.Logger {
 	return logger
 }
 
-func logFlags(logger logrus.FieldLogger, cCtx *cli.Context) {
+func logFlags(logger logrus.FieldLogger, cmd *cli.Command) {
 	fields := logrus.Fields{}
 
-	for _, flag := range cCtx.App.Flags {
+	for _, flag := range cmd.Root().Flags {
 		name := flag.Names()[0]
-		fields[name] = cCtx.Generic(name)
+		fields[name] = cmd.Value(name)
 	}
 
-	for _, flag := range cCtx.Command.Flags {
+	for _, flag := range cmd.Flags {
 		name := flag.Names()[0]
 		if strings.Contains(name, "pass") ||
 			strings.Contains(name, "token") ||
@@ -47,7 +47,7 @@ func logFlags(logger logrus.FieldLogger, cCtx *cli.Context) {
 			continue
 		}
 
-		fields[name] = cCtx.Generic(name)
+		fields[name] = cmd.Value(name)
 	}
 
 	logger.WithFields(fields).Info("started with settings")

cli/cmd/deployments/deployments.go

@@ -1,6 +1,6 @@
 package deployments
 
-import "github.com/urfave/cli/v2"
+import "github.com/urfave/cli/v3"
 
 const flagSubdomain = "subdomain"
 
@@ -9,7 +9,7 @@ func commonFlags() []cli.Flag {
 		&cli.StringFlag{ //nolint:exhaustruct
 			Name:    flagSubdomain,
 			Usage:   "Project's subdomain to operate on, defaults to linked project",
-			EnvVars: []string{"NHOST_SUBDOMAIN"},
+			Sources: cli.EnvVars("NHOST_SUBDOMAIN"),
 		},
 	}
 }
@@ -19,7 +19,7 @@ func Command() *cli.Command {
 		Name:    "deployments",
 		Aliases: []string{},
 		Usage:   "Manage deployments",
-		Subcommands: []*cli.Command{
+		Commands: []*cli.Command{
 			CommandList(),
 			CommandLogs(),
 			CommandNew(),

cli/cmd/deployments/list.go

@@ -1,12 +1,13 @@
 package deployments
 
 import (
+	"context"
 	"fmt"
 	"time"
 
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/nhostclient/graphql"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandList() *cli.Command {
@@ -77,21 +78,21 @@ func printDeployments(ce *clienv.CliEnv, deployments []*graphql.ListDeployments_
 	ce.Println("%s", clienv.Table(id, date, duration, status, user, ref, message))
 }
 
-func commandList(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandList(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	proj, err := ce.GetAppInfo(cCtx.Context, cCtx.String(flagSubdomain))
+	proj, err := ce.GetAppInfo(ctx, cmd.String(flagSubdomain))
 	if err != nil {
 		return fmt.Errorf("failed to get app info: %w", err)
 	}
 
-	cl, err := ce.GetNhostClient(cCtx.Context)
+	cl, err := ce.GetNhostClient(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get nhost client: %w", err)
 	}
 
 	deployments, err := cl.ListDeployments(
-		cCtx.Context,
+		ctx,
 		proj.ID,
 	)
 	if err != nil {

cli/cmd/deployments/logs.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/nhostclient"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -101,28 +101,28 @@ func showLogsFollow(
 	}
 }
 
-func commandLogs(cCtx *cli.Context) error {
-	deploymentID := cCtx.Args().First()
+func commandLogs(ctx context.Context, cmd *cli.Command) error {
+	deploymentID := cmd.Args().First()
 	if deploymentID == "" {
 		return errors.New("deployment_id is required") //nolint:err113
 	}
 
-	ce := clienv.FromCLI(cCtx)
+	ce := clienv.FromCLI(cmd)
 
-	cl, err := ce.GetNhostClient(cCtx.Context)
+	cl, err := ce.GetNhostClient(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get nhost client: %w", err)
 	}
 
-	if cCtx.Bool(flagFollow) {
-		ctx, cancel := context.WithTimeout(cCtx.Context, cCtx.Duration(flagTimeout))
+	if cmd.Bool(flagFollow) {
+		ctxWithTimeout, cancel := context.WithTimeout(ctx, cmd.Duration(flagTimeout))
 		defer cancel()
 
-		if _, err := showLogsFollow(ctx, ce, cl, deploymentID); err != nil {
+		if _, err := showLogsFollow(ctxWithTimeout, ce, cl, deploymentID); err != nil {
 			return err
 		}
 	} else {
-		if err := showLogsSimple(cCtx.Context, ce, cl, deploymentID); err != nil {
+		if err := showLogsSimple(ctx, ce, cl, deploymentID); err != nil {
 			return err
 		}
 	}

cli/cmd/deployments/new.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/nhostclient/graphql"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -40,7 +40,7 @@ func CommandNew() *cli.Command {
 				&cli.StringFlag{ //nolint:exhaustruct
 					Name:     flagRef,
 					Usage:    "Git reference",
-					EnvVars:  []string{"GITHUB_SHA"},
+					Sources:  cli.EnvVars("GITHUB_SHA"),
 					Required: true,
 				},
 				&cli.StringFlag{ //nolint:exhaustruct
@@ -51,7 +51,7 @@ func CommandNew() *cli.Command {
 				&cli.StringFlag{ //nolint:exhaustruct
 					Name:     flagUser,
 					Usage:    "Commit user name",
-					EnvVars:  []string{"GITHUB_ACTOR"},
+					Sources:  cli.EnvVars("GITHUB_ACTOR"),
 					Required: true,
 				},
 				&cli.StringFlag{ //nolint:exhaustruct
@@ -67,28 +67,28 @@ func ptr[i any](v i) *i {
 	return &v
 }
 
-func commandNew(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandNew(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	cl, err := ce.GetNhostClient(cCtx.Context)
+	cl, err := ce.GetNhostClient(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get nhost client: %w", err)
 	}
 
-	proj, err := ce.GetAppInfo(cCtx.Context, cCtx.String(flagSubdomain))
+	proj, err := ce.GetAppInfo(ctx, cmd.String(flagSubdomain))
 	if err != nil {
 		return fmt.Errorf("failed to get app info: %w", err)
 	}
 
 	resp, err := cl.InsertDeployment(
-		cCtx.Context,
+		ctx,
 		graphql.DeploymentsInsertInput{
 			App:                 nil,
 			AppID:               ptr(proj.ID),
-			CommitMessage:       ptr(cCtx.String(flagMessage)),
-			CommitSha:           ptr(cCtx.String(flagRef)),
-			CommitUserAvatarURL: ptr(cCtx.String(flagUserAvatarURL)),
-			CommitUserName:      ptr(cCtx.String(flagUser)),
+			CommitMessage:       ptr(cmd.String(flagMessage)),
+			CommitSha:           ptr(cmd.String(flagRef)),
+			CommitUserAvatarURL: ptr(cmd.String(flagUserAvatarURL)),
+			CommitUserName:      ptr(cmd.String(flagUser)),
 			DeploymentStatus:    ptr("SCHEDULED"),
 		},
 	)
@@ -98,13 +98,13 @@ func commandNew(cCtx *cli.Context) error {
 
 	ce.Println("Deployment created: %s", resp.InsertDeployment.ID)
 
-	if cCtx.Bool(flagFollow) {
+	if cmd.Bool(flagFollow) {
 		ce.Println("")
 
-		ctx, cancel := context.WithTimeout(cCtx.Context, cCtx.Duration(flagTimeout))
+		ctxWithTimeout, cancel := context.WithTimeout(ctx, cmd.Duration(flagTimeout))
 		defer cancel()
 
-		status, err := showLogsFollow(ctx, ce, cl, resp.InsertDeployment.ID)
+		status, err := showLogsFollow(ctxWithTimeout, ce, cl, resp.InsertDeployment.ID)
 		if err != nil {
 			return fmt.Errorf("error streaming logs: %w", err)
 		}

cli/cmd/dev/cloud.go

@@ -15,7 +15,7 @@ import (
 	"github.com/nhost/nhost/cli/cmd/software"
 	"github.com/nhost/nhost/cli/dockercompose"
 	"github.com/nhost/nhost/cli/nhostclient/graphql"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -34,19 +34,19 @@ func CommandCloud() *cli.Command {
 				Name:    flagHTTPPort,
 				Usage:   "HTTP port to listen on",
 				Value:   defaultHTTPPort,
-				EnvVars: []string{"NHOST_HTTP_PORT"},
+				Sources: cli.EnvVars("NHOST_HTTP_PORT"),
 			},
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:    flagDisableTLS,
 				Usage:   "Disable TLS",
 				Value:   false,
-				EnvVars: []string{"NHOST_DISABLE_TLS"},
+				Sources: cli.EnvVars("NHOST_DISABLE_TLS"),
 			},
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:    flagApplySeeds,
 				Usage:   "Apply seeds. If the .nhost folder does not exist, seeds will be applied regardless of this flag",
 				Value:   false,
-				EnvVars: []string{"NHOST_APPLY_SEEDS"},
+				Sources: cli.EnvVars("NHOST_APPLY_SEEDS"),
 			},
 			&cli.UintFlag{ //nolint:exhaustruct
 				Name:  flagsHasuraConsolePort,
@@ -56,42 +56,42 @@ func CommandCloud() *cli.Command {
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagDashboardVersion,
 				Usage:   "Dashboard version to use",
-				Value:   "nhost/dashboard:2.33.0",
-				EnvVars: []string{"NHOST_DASHBOARD_VERSION"},
+				Value:   "nhost/dashboard:2.42.0",
+				Sources: cli.EnvVars("NHOST_DASHBOARD_VERSION"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagConfigserverImage,
 				Hidden:  true,
 				Value:   "",
-				EnvVars: []string{"NHOST_CONFIGSERVER_IMAGE"},
+				Sources: cli.EnvVars("NHOST_CONFIGSERVER_IMAGE"),
 			},
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:    flagDownOnError,
 				Usage:   "Skip confirmation",
-				EnvVars: []string{"NHOST_YES"},
+				Sources: cli.EnvVars("NHOST_YES"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagCACertificates,
 				Usage:   "Mounts and everrides path to CA certificates in the containers",
-				EnvVars: []string{"NHOST_CA_CERTIFICATES"},
+				Sources: cli.EnvVars("NHOST_CA_CERTIFICATES"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagSubdomain,
 				Usage:   "Project's subdomain to operate on, defaults to linked project",
-				EnvVars: []string{"NHOST_SUBDOMAIN"},
+				Sources: cli.EnvVars("NHOST_SUBDOMAIN"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:     flagPostgresURL,
 				Usage:    "Postgres URL",
 				Required: true,
-				EnvVars:  []string{"NHOST_POSTGRES_URL"},
+				Sources:  cli.EnvVars("NHOST_POSTGRES_URL"),
 			},
 		},
 	}
 }
 
-func commandCloud(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandCloud(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	if !clienv.PathExists(ce.Path.NhostToml()) {
 		return errors.New( //nolint:err113
@@ -105,38 +105,38 @@ func commandCloud(cCtx *cli.Context) error {
 		)
 	}
 
-	proj, err := ce.GetAppInfo(cCtx.Context, cCtx.String(flagSubdomain))
+	proj, err := ce.GetAppInfo(ctx, cmd.String(flagSubdomain))
 	if err != nil {
 		return fmt.Errorf("failed to get app info: %w", err)
 	}
 
-	configserverImage := cCtx.String(flagConfigserverImage)
+	configserverImage := cmd.String(flagConfigserverImage)
 	if configserverImage == "" {
-		configserverImage = "nhost/cli:" + cCtx.App.Version
+		configserverImage = "nhost/cli:" + cmd.Root().Version
 	}
 
-	applySeeds := cCtx.Bool(flagApplySeeds)
+	applySeeds := cmd.Bool(flagApplySeeds)
 
 	return Cloud(
-		cCtx.Context,
+		ctx,
 		ce,
-		cCtx.App.Version,
-		cCtx.Uint(flagHTTPPort),
-		!cCtx.Bool(flagDisableTLS),
+		cmd.Root().Version,
+		cmd.Uint(flagHTTPPort),
+		!cmd.Bool(flagDisableTLS),
 		applySeeds,
 		dockercompose.ExposePorts{
-			Auth:      cCtx.Uint(flagAuthPort),
-			Storage:   cCtx.Uint(flagStoragePort),
-			Graphql:   cCtx.Uint(flagsHasuraPort),
-			Console:   cCtx.Uint(flagsHasuraConsolePort),
-			Functions: cCtx.Uint(flagsFunctionsPort),
+			Auth:      cmd.Uint(flagAuthPort),
+			Storage:   cmd.Uint(flagStoragePort),
+			Graphql:   cmd.Uint(flagsHasuraPort),
+			Console:   cmd.Uint(flagsHasuraConsolePort),
+			Functions: cmd.Uint(flagsFunctionsPort),
 		},
-		cCtx.String(flagDashboardVersion),
+		cmd.String(flagDashboardVersion),
 		configserverImage,
-		cCtx.String(flagCACertificates),
-		cCtx.Bool(flagDownOnError),
+		cmd.String(flagCACertificates),
+		cmd.Bool(flagDownOnError),
 		proj,
-		cCtx.String(flagPostgresURL),
+		cmd.String(flagPostgresURL),
 	)
 }
 

cli/cmd/dev/compose.go

@@ -1,9 +1,11 @@
 package dev
 
 import (
+	"context"
+
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/dockercompose"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandCompose() *cli.Command {
@@ -17,9 +19,9 @@ func CommandCompose() *cli.Command {
 	}
 }
 
-func commandCompose(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandCompose(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 	dc := dockercompose.New(ce.Path.WorkingDir(), ce.Path.DockerCompose(), ce.ProjectName())
 
-	return dc.Wrapper(cCtx.Context, cCtx.Args().Slice()...) //nolint:wrapcheck
+	return dc.Wrapper(ctx, cmd.Args().Slice()...) //nolint:wrapcheck
 }

cli/cmd/dev/dev.go

@@ -1,13 +1,13 @@
 package dev
 
-import "github.com/urfave/cli/v2"
+import "github.com/urfave/cli/v3"
 
 func Command() *cli.Command {
 	return &cli.Command{ //nolint:exhaustruct
 		Name:    "dev",
 		Aliases: []string{},
 		Usage:   "Operate local development environment",
-		Subcommands: []*cli.Command{
+		Commands: []*cli.Command{
 			CommandCompose(),
 			CommandHasura(),
 		},

cli/cmd/dev/down.go

@@ -1,9 +1,11 @@
 package dev
 
 import (
+	"context"
+
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/dockercompose"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -26,12 +28,12 @@ func CommandDown() *cli.Command {
 	}
 }
 
-func commandDown(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandDown(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	dc := dockercompose.New(ce.Path.WorkingDir(), ce.Path.DockerCompose(), ce.ProjectName())
 
-	if err := dc.Stop(cCtx.Context, cCtx.Bool(flagVolumes)); err != nil {
+	if err := dc.Stop(ctx, cmd.Bool(flagVolumes)); err != nil {
 		ce.Warnln("failed to stop Nhost development environment: %s", err)
 	}
 

cli/cmd/dev/hasura.go

@@ -1,13 +1,14 @@
 package dev
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/dockercompose"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandHasura() *cli.Command {
@@ -21,8 +22,8 @@ func CommandHasura() *cli.Command {
 	}
 }
 
-func commandHasura(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandHasura(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	cfg := &model.ConfigConfig{} //nolint:exhaustruct
 	if err := clienv.UnmarshalFile(ce.Path.NhostToml(), cfg, toml.Unmarshal); err != nil {
@@ -32,10 +33,10 @@ func commandHasura(cCtx *cli.Context) error {
 	docker := dockercompose.NewDocker()
 
 	return docker.HasuraWrapper( //nolint:wrapcheck
-		cCtx.Context,
+		ctx,
 		ce.LocalSubdomain(),
 		ce.Path.NhostFolder(),
 		*cfg.Hasura.Version,
-		cCtx.Args().Slice()...,
+		cmd.Args().Slice()...,
 	)
 }

cli/cmd/dev/logs.go

@@ -1,9 +1,11 @@
 package dev
 
 import (
+	"context"
+
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/dockercompose"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandLogs() *cli.Command {
@@ -17,12 +19,12 @@ func CommandLogs() *cli.Command {
 	}
 }
 
-func commandLogs(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandLogs(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	dc := dockercompose.New(ce.Path.WorkingDir(), ce.Path.DockerCompose(), ce.ProjectName())
 
-	if err := dc.Logs(cCtx.Context, cCtx.Args().Slice()...); err != nil {
+	if err := dc.Logs(ctx, cmd.Args().Slice()...); err != nil {
 		ce.Warnln("%s", err)
 	}
 

cli/cmd/dev/up.go

@@ -19,7 +19,7 @@ import (
 	"github.com/nhost/nhost/cli/cmd/software"
 	"github.com/nhost/nhost/cli/dockercompose"
 	"github.com/nhost/nhost/cli/project/env"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func deptr[T any](t *T) T { //nolint:ireturn
@@ -63,25 +63,25 @@ func CommandUp() *cli.Command { //nolint:funlen
 				Name:    flagHTTPPort,
 				Usage:   "HTTP port to listen on",
 				Value:   defaultHTTPPort,
-				EnvVars: []string{"NHOST_HTTP_PORT"},
+				Sources: cli.EnvVars("NHOST_HTTP_PORT"),
 			},
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:    flagDisableTLS,
 				Usage:   "Disable TLS",
 				Value:   false,
-				EnvVars: []string{"NHOST_DISABLE_TLS"},
+				Sources: cli.EnvVars("NHOST_DISABLE_TLS"),
 			},
 			&cli.UintFlag{ //nolint:exhaustruct
 				Name:    flagPostgresPort,
 				Usage:   "Postgres port to listen on",
 				Value:   defaultPostgresPort,
-				EnvVars: []string{"NHOST_POSTGRES_PORT"},
+				Sources: cli.EnvVars("NHOST_POSTGRES_PORT"),
 			},
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:    flagApplySeeds,
 				Usage:   "Apply seeds. If the .nhost folder does not exist, seeds will be applied regardless of this flag",
 				Value:   false,
-				EnvVars: []string{"NHOST_APPLY_SEEDS"},
+				Sources: cli.EnvVars("NHOST_APPLY_SEEDS"),
 			},
 			&cli.UintFlag{ //nolint:exhaustruct
 				Name:  flagAuthPort,
@@ -111,39 +111,39 @@ func CommandUp() *cli.Command { //nolint:funlen
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagDashboardVersion,
 				Usage:   "Dashboard version to use",
-				Value:   "nhost/dashboard:2.33.0",
-				EnvVars: []string{"NHOST_DASHBOARD_VERSION"},
+				Value:   "nhost/dashboard:2.42.0",
+				Sources: cli.EnvVars("NHOST_DASHBOARD_VERSION"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagConfigserverImage,
 				Hidden:  true,
 				Value:   "",
-				EnvVars: []string{"NHOST_CONFIGSERVER_IMAGE"},
+				Sources: cli.EnvVars("NHOST_CONFIGSERVER_IMAGE"),
 			},
 			&cli.StringSliceFlag{ //nolint:exhaustruct
 				Name:    flagRunService,
 				Usage:   "Run service to add to the development environment. Can be passed multiple times. Comma-separated values are also accepted. Format: /path/to/run-service.toml[:overlay_name]", //nolint:lll
-				EnvVars: []string{"NHOST_RUN_SERVICE"},
+				Sources: cli.EnvVars("NHOST_RUN_SERVICE"),
 			},
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:    flagDownOnError,
 				Usage:   "Skip confirmation",
-				EnvVars: []string{"NHOST_YES"},
+				Sources: cli.EnvVars("NHOST_YES"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagCACertificates,
 				Usage:   "Mounts and everrides path to CA certificates in the containers",
-				EnvVars: []string{"NHOST_CA_CERTIFICATES"},
+				Sources: cli.EnvVars("NHOST_CA_CERTIFICATES"),
 			},
 		},
-		Subcommands: []*cli.Command{
+		Commands: []*cli.Command{
 			CommandCloud(),
 		},
 	}
 }
 
-func commandUp(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandUp(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	// projname to be root directory
 
@@ -159,33 +159,33 @@ func commandUp(cCtx *cli.Context) error {
 		)
 	}
 
-	configserverImage := cCtx.String(flagConfigserverImage)
+	configserverImage := cmd.String(flagConfigserverImage)
 	if configserverImage == "" {
-		configserverImage = "nhost/cli:" + cCtx.App.Version
+		configserverImage = "nhost/cli:" + cmd.Root().Version
 	}
 
-	applySeeds := cCtx.Bool(flagApplySeeds) || !clienv.PathExists(ce.Path.DotNhostFolder())
+	applySeeds := cmd.Bool(flagApplySeeds) || !clienv.PathExists(ce.Path.DotNhostFolder())
 
 	return Up(
-		cCtx.Context,
+		ctx,
 		ce,
-		cCtx.App.Version,
-		cCtx.Uint(flagHTTPPort),
-		!cCtx.Bool(flagDisableTLS),
-		cCtx.Uint(flagPostgresPort),
+		cmd.Root().Version,
+		cmd.Uint(flagHTTPPort),
+		!cmd.Bool(flagDisableTLS),
+		cmd.Uint(flagPostgresPort),
 		applySeeds,
 		dockercompose.ExposePorts{
-			Auth:      cCtx.Uint(flagAuthPort),
-			Storage:   cCtx.Uint(flagStoragePort),
-			Graphql:   cCtx.Uint(flagsHasuraPort),
-			Console:   cCtx.Uint(flagsHasuraConsolePort),
-			Functions: cCtx.Uint(flagsFunctionsPort),
+			Auth:      cmd.Uint(flagAuthPort),
+			Storage:   cmd.Uint(flagStoragePort),
+			Graphql:   cmd.Uint(flagsHasuraPort),
+			Console:   cmd.Uint(flagsHasuraConsolePort),
+			Functions: cmd.Uint(flagsFunctionsPort),
 		},
-		cCtx.String(flagDashboardVersion),
+		cmd.String(flagDashboardVersion),
 		configserverImage,
-		cCtx.String(flagCACertificates),
-		cCtx.StringSlice(flagRunService),
-		cCtx.Bool(flagDownOnError),
+		cmd.String(flagCACertificates),
+		cmd.StringSlice(flagRunService),
+		cmd.Bool(flagDownOnError),
 	)
 }
 

cli/cmd/dockercredentials/configure.go

@@ -8,7 +8,7 @@ import (
 	"os/exec"
 
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -35,13 +35,13 @@ func CommandConfigure() *cli.Command {
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagDockerConfig,
 				Usage:   "Path to docker config file",
-				EnvVars: []string{"DOCKER_CONFIG"},
+				Sources: cli.EnvVars("DOCKER_CONFIG"),
 				Value:   home + "/.docker/config.json",
 			},
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:    flagNoInteractive,
 				Usage:   "Do not prompt for confirmation",
-				EnvVars: []string{"NO_INTERACTIVE"},
+				Sources: cli.EnvVars("NO_INTERACTIVE"),
 				Value:   false,
 			},
 		},
@@ -140,21 +140,21 @@ func configureDocker(dockerConfig string) error {
 	return nil
 }
 
-func actionConfigure(c *cli.Context) error {
-	ce := clienv.FromCLI(c)
+func actionConfigure(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	if err := writeScript(c.Context, ce); err != nil {
+	if err := writeScript(ctx, ce); err != nil {
 		return err
 	}
 
-	if c.Bool(flagNoInteractive) {
-		return configureDocker(c.String(flagDockerConfig))
+	if cmd.Bool(flagNoInteractive) {
+		return configureDocker(cmd.String(flagDockerConfig))
 	}
 
 	//nolint:lll
 	ce.PromptMessage(
 		"I am about to configure docker to authenticate with Nhost's registry. This will modify your docker config file on %s. Should I continue? [y/N] ",
-		c.String(flagDockerConfig),
+		cmd.String(flagDockerConfig),
 	)
 
 	v, err := ce.PromptInput(false)
@@ -163,7 +163,7 @@ func actionConfigure(c *cli.Context) error {
 	}
 
 	if v == "y" || v == "Y" {
-		return configureDocker(c.String(flagDockerConfig))
+		return configureDocker(cmd.String(flagDockerConfig))
 	}
 
 	return nil

cli/cmd/dockercredentials/docker.go

@@ -1,13 +1,13 @@
 package dockercredentials
 
-import "github.com/urfave/cli/v2"
+import "github.com/urfave/cli/v3"
 
 func Command() *cli.Command {
 	return &cli.Command{ //nolint:exhaustruct
 		Name:    "docker-credentials",
 		Aliases: []string{},
 		Usage:   "Perform docker-credentials operations",
-		Subcommands: []*cli.Command{
+		Commands: []*cli.Command{
 			CommandGet(),
 			CommandErase(),
 			CommandStore(),

cli/cmd/dockercredentials/erase.go

@@ -1,7 +1,9 @@
 package dockercredentials
 
 import (
-	"github.com/urfave/cli/v2"
+	"context"
+
+	"github.com/urfave/cli/v3"
 )
 
 func CommandErase() *cli.Command {
@@ -14,7 +16,7 @@ func CommandErase() *cli.Command {
 	}
 }
 
-func actionErase(c *cli.Context) error {
-	_, _ = c.App.Writer.Write([]byte("Please, use the nhost CLI to logout\n"))
+func actionErase(_ context.Context, cmd *cli.Command) error {
+	_, _ = cmd.Root().Writer.Write([]byte("Please, use the nhost CLI to logout\n"))
 	return nil
 }

cli/cmd/dockercredentials/get.go

@@ -8,7 +8,7 @@ import (
 	"os"
 
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -26,14 +26,14 @@ func CommandGet() *cli.Command {
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagAuthURL,
 				Usage:   "Nhost auth URL",
-				EnvVars: []string{"NHOST_CLI_AUTH_URL"},
+				Sources: cli.EnvVars("NHOST_CLI_AUTH_URL"),
 				Value:   "https://otsispdzcwxyqzbfntmj.auth.eu-central-1.nhost.run/v1",
 				Hidden:  true,
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagGraphqlURL,
 				Usage:   "Nhost GraphQL URL",
-				EnvVars: []string{"NHOST_CLI_GRAPHQL_URL"},
+				Sources: cli.EnvVars("NHOST_CLI_GRAPHQL_URL"),
 				Value:   "https://otsispdzcwxyqzbfntmj.graphql.eu-central-1.nhost.run/v1",
 				Hidden:  true,
 			},
@@ -69,15 +69,15 @@ type response struct {
 	Secret    string `json:"Secret"`
 }
 
-func actionGet(c *cli.Context) error {
-	scanner := bufio.NewScanner(c.App.Reader)
+func actionGet(ctx context.Context, cmd *cli.Command) error {
+	scanner := bufio.NewScanner(cmd.Root().Reader)
 
 	var input string
 	for scanner.Scan() {
 		input += scanner.Text()
 	}
 
-	token, err := getToken(c.Context, c.String(flagAuthURL), c.String(flagGraphqlURL))
+	token, err := getToken(ctx, cmd.String(flagAuthURL), cmd.String(flagGraphqlURL))
 	if err != nil {
 		return err
 	}
@@ -91,7 +91,7 @@ func actionGet(c *cli.Context) error {
 		return fmt.Errorf("failed to marshal response: %w", err)
 	}
 
-	if _, err = c.App.Writer.Write(b); err != nil {
+	if _, err = cmd.Root().Writer.Write(b); err != nil {
 		return fmt.Errorf("failed to write response: %w", err)
 	}
 

cli/cmd/dockercredentials/store.go

@@ -1,7 +1,9 @@
 package dockercredentials
 
 import (
-	"github.com/urfave/cli/v2"
+	"context"
+
+	"github.com/urfave/cli/v3"
 )
 
 func CommandStore() *cli.Command {
@@ -14,7 +16,7 @@ func CommandStore() *cli.Command {
 	}
 }
 
-func actionStore(c *cli.Context) error {
-	_, _ = c.App.Writer.Write([]byte("Please, use the nhost CLI to login\n"))
+func actionStore(_ context.Context, cmd *cli.Command) error {
+	_, _ = cmd.Root().Writer.Write([]byte("Please, use the nhost CLI to login\n"))
 	return nil
 }

cli/cmd/mcp/config/config.go

@@ -0,0 +1,92 @@
+package config
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/nhost/nhost/cli/mcp/config"
+	"github.com/pelletier/go-toml/v2"
+	"github.com/urfave/cli/v3"
+)
+
+const (
+	flagConfirm = "confirm"
+)
+
+func Command() *cli.Command {
+	return &cli.Command{ //nolint:exhaustruct
+		Name:  "config",
+		Usage: "Generate and save configuration file",
+		Flags: []cli.Flag{
+			&cli.BoolFlag{ //nolint:exhaustruct
+				Name:    flagConfirm,
+				Usage:   "Skip confirmation prompt",
+				Value:   false,
+				Sources: cli.EnvVars("CONFIRM"),
+			},
+		},
+		Commands: []*cli.Command{
+			{
+				Name:   "dump",
+				Usage:  "Dump the configuration to stdout for verification",
+				Flags:  []cli.Flag{},
+				Action: actionDump,
+			},
+		},
+		Action: action,
+	}
+}
+
+//nolint:forbidigo
+func action(_ context.Context, cmd *cli.Command) error {
+	cfg, err := config.RunWizard()
+	if err != nil {
+		return cli.Exit(fmt.Sprintf("failed to run wizard: %s", err), 1)
+	}
+
+	tomlData, err := toml.Marshal(cfg)
+	if err != nil {
+		return cli.Exit(fmt.Sprintf("failed to marshal config: %s", err), 1)
+	}
+
+	fmt.Println("Configuration Preview:")
+	fmt.Println("---------------------")
+	fmt.Println(string(tomlData))
+	fmt.Println()
+
+	filePath := config.GetConfigPath(cmd)
+	fmt.Printf("Save configuration to %s?\n", filePath)
+	fmt.Print("Proceed? (y/N): ")
+
+	var confirm string
+	if _, err := fmt.Scanln(&confirm); err != nil {
+		return cli.Exit(fmt.Sprintf("failed to read input: %s", err), 1)
+	}
+
+	if confirm != "y" && confirm != "Y" {
+		fmt.Println("Operation cancelled.")
+		return nil
+	}
+
+	dir := filepath.Dir(filePath)
+	if err := os.MkdirAll(dir, 0o755); err != nil { //nolint:mnd
+		return fmt.Errorf("failed to create config directory: %w", err)
+	}
+
+	data, err := toml.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("failed to marshal config: %w", err)
+	}
+
+	if err := os.WriteFile(filePath, data, 0o600); err != nil { //nolint:mnd
+		return fmt.Errorf("failed to write config file: %w", err)
+	}
+
+	fmt.Println("\nConfiguration saved successfully!")
+	fmt.Println("Note: Review the documentation for additional configuration options,")
+	fmt.Println("      especially for fine-tuning LLM access permissions.")
+
+	return nil
+}

cli/cmd/mcp/config/dump.go

@@ -0,0 +1,35 @@
+package config
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/nhost/nhost/cli/mcp/config"
+	"github.com/pelletier/go-toml/v2"
+	"github.com/urfave/cli/v3"
+)
+
+func actionDump(_ context.Context, cmd *cli.Command) error {
+	configPath := config.GetConfigPath(cmd)
+	if configPath == "" {
+		return cli.Exit("config file path is required", 1)
+	}
+
+	cfg, err := config.Load(configPath)
+	if err != nil {
+		fmt.Println("Please, run `nhost mcp config` to configure the service.") //nolint:forbidigo
+		return cli.Exit("failed to load config file "+err.Error(), 1)
+	}
+
+	b, err := toml.Marshal(cfg)
+	if err != nil {
+		return cli.Exit("failed to marshal config file "+err.Error(), 1)
+	}
+
+	fmt.Println("Configuration Preview:") //nolint:forbidigo
+	fmt.Println("---------------------")  //nolint:forbidigo
+	fmt.Println(string(b))                //nolint:forbidigo
+	fmt.Println()                         //nolint:forbidigo
+
+	return nil
+}

cli/cmd/mcp/gen/gen.go

@@ -0,0 +1,117 @@
+package gen
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/nhost/nhost/cli/mcp/graphql"
+	"github.com/nhost/nhost/cli/mcp/nhost/auth"
+	"github.com/urfave/cli/v3"
+)
+
+const (
+	flagNhostAuthURL    = "nhost-auth-url"
+	flagNhostGraphqlURL = "nhost-graphql-url"
+	flagNhostPAT        = "nhost-pat"
+	flagWithMutations   = "with-mutations"
+)
+
+func Command() *cli.Command {
+	return &cli.Command{ //nolint:exhaustruct
+		Name:  "gen",
+		Usage: "Generate GraphQL schema for Nhost Cloud",
+		Flags: []cli.Flag{
+			&cli.StringFlag{ //nolint:exhaustruct
+				Name:    flagNhostAuthURL,
+				Usage:   "Nhost auth URL",
+				Hidden:  true,
+				Value:   "https://otsispdzcwxyqzbfntmj.auth.eu-central-1.nhost.run/v1",
+				Sources: cli.EnvVars("NHOST_AUTH_URL"),
+			},
+			&cli.StringFlag{ //nolint:exhaustruct
+				Name:    flagNhostGraphqlURL,
+				Usage:   "Nhost GraphQL URL",
+				Hidden:  true,
+				Value:   "https://otsispdzcwxyqzbfntmj.graphql.eu-central-1.nhost.run/v1",
+				Sources: cli.EnvVars("NHOST_GRAPHQL_URL"),
+			},
+			&cli.StringFlag{ //nolint:exhaustruct
+				Name:     flagNhostPAT,
+				Usage:    "Personal Access Token",
+				Required: true,
+				Sources:  cli.EnvVars("NHOST_PAT"),
+			},
+			&cli.BoolFlag{ //nolint:exhaustruct
+				Name:    flagWithMutations,
+				Usage:   "Include mutations in the generated schema",
+				Value:   false,
+				Sources: cli.EnvVars("WITH_MUTATIONS"),
+			},
+		},
+		Action: action,
+	}
+}
+
+func action(ctx context.Context, cmd *cli.Command) error {
+	interceptor, err := auth.WithPAT(
+		cmd.String(flagNhostAuthURL), cmd.String(flagNhostPAT),
+	)
+	if err != nil {
+		return cli.Exit(err.Error(), 1)
+	}
+
+	var introspection graphql.ResponseIntrospection
+	if err := graphql.Query(
+		ctx,
+		cmd.String(flagNhostGraphqlURL),
+		graphql.IntrospectionQuery,
+		nil,
+		&introspection,
+		nil,
+		nil,
+		interceptor,
+	); err != nil {
+		return cli.Exit(err.Error(), 1)
+	}
+
+	filter := graphql.Filter{
+		AllowQueries: []graphql.Queries{
+			{
+				Name:           "organizations",
+				DisableNesting: true,
+			},
+			{
+				Name:           "organization",
+				DisableNesting: true,
+			},
+			{
+				Name:           "app",
+				DisableNesting: true,
+			},
+			{
+				Name:           "apps",
+				DisableNesting: true,
+			},
+			{
+				Name:           "config",
+				DisableNesting: false,
+			},
+		},
+		AllowMutations: []graphql.Queries{},
+	}
+
+	if cmd.Bool(flagWithMutations) {
+		filter.AllowMutations = []graphql.Queries{
+			{
+				Name:           "updateConfig",
+				DisableNesting: false,
+			},
+		}
+	}
+
+	schema := graphql.ParseSchema(introspection, filter)
+
+	fmt.Print(schema) //nolint:forbidigo
+
+	return nil
+}

cli/cmd/mcp/mcp.go

@@ -0,0 +1,33 @@
+package mcp
+
+import (
+	"github.com/nhost/nhost/cli/cmd/mcp/config"
+	"github.com/nhost/nhost/cli/cmd/mcp/gen"
+	"github.com/nhost/nhost/cli/cmd/mcp/start"
+	"github.com/urfave/cli/v3"
+)
+
+const (
+	flagConfigFile = "config-file"
+)
+
+func Command() *cli.Command {
+	return &cli.Command{ //nolint:exhaustruct
+		Name:    "mcp",
+		Aliases: []string{},
+		Usage:   "Model Context Protocol (MCP) related commands",
+		Flags: []cli.Flag{
+			&cli.StringFlag{ //nolint:exhaustruct
+				Name:    flagConfigFile,
+				Usage:   "Configuration file path. Defaults to $NHOST_DOT_NHOST_FOLDER/nhost-mcp.toml",
+				Value:   "",
+				Sources: cli.EnvVars("NHOST_MCP_CONFIG_FILE"),
+			},
+		},
+		Commands: []*cli.Command{
+			config.Command(),
+			start.Command(),
+			gen.Command(),
+		},
+	}
+}

cli/cmd/mcp/mcp_test.go

@@ -0,0 +1,403 @@
+package mcp_test
+
+import (
+	"bytes"
+	"context"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/mark3labs/mcp-go/client"
+	"github.com/mark3labs/mcp-go/client/transport"
+	"github.com/mark3labs/mcp-go/mcp"
+	nhostmcp "github.com/nhost/nhost/cli/cmd/mcp"
+	"github.com/nhost/nhost/cli/cmd/mcp/start"
+	"github.com/nhost/nhost/cli/cmd/user"
+	"github.com/nhost/nhost/cli/mcp/resources"
+	"github.com/nhost/nhost/cli/mcp/tools/cloud"
+	"github.com/nhost/nhost/cli/mcp/tools/docs"
+	"github.com/nhost/nhost/cli/mcp/tools/project"
+	"github.com/nhost/nhost/cli/mcp/tools/schemas"
+)
+
+func ptr[T any](v T) *T {
+	return &v
+}
+
+func TestStart(t *testing.T) { //nolint:cyclop,maintidx,paralleltest
+	loginCmd := user.CommandLogin()
+	mcpCmd := nhostmcp.Command()
+
+	buf := bytes.NewBuffer(nil)
+	mcpCmd.Writer = buf
+
+	go func() {
+		t.Setenv("HOME", t.TempDir())
+
+		if err := loginCmd.Run(
+			context.Background(),
+			[]string{
+				"main",
+				"--pat=user-pat",
+			},
+		); err != nil {
+			panic(err)
+		}
+
+		if err := mcpCmd.Run(
+			context.Background(),
+			[]string{
+				"main",
+				"start",
+				"--bind=:9000",
+				"--config-file=testdata/sample.toml",
+			},
+		); err != nil {
+			panic(err)
+		}
+	}()
+
+	time.Sleep(time.Second)
+
+	transportClient, err := transport.NewSSE("http://localhost:9000/sse")
+	if err != nil {
+		t.Fatalf("failed to create transport client: %v", err)
+	}
+
+	mcpClient := client.NewClient(transportClient)
+
+	if err := mcpClient.Start(t.Context()); err != nil {
+		t.Fatalf("failed to start mcp client: %v", err)
+	}
+	defer mcpClient.Close()
+
+	initRequest := mcp.InitializeRequest{} //nolint:exhaustruct
+	initRequest.Params.ProtocolVersion = mcp.LATEST_PROTOCOL_VERSION
+	initRequest.Params.ClientInfo = mcp.Implementation{
+		Name:    "example-client",
+		Version: "1.0.0",
+	}
+
+	res, err := mcpClient.Initialize(
+		context.Background(),
+		initRequest,
+	)
+	if err != nil {
+		t.Fatalf("failed to initialize mcp client: %v", err)
+	}
+
+	if diff := cmp.Diff(
+		res,
+		//nolint:tagalign
+		&mcp.InitializeResult{
+			ProtocolVersion: "2025-06-18",
+			Capabilities: mcp.ServerCapabilities{
+				Elicitation:  nil,
+				Experimental: nil,
+				Logging:      nil,
+				Prompts:      nil,
+				Resources: &struct {
+					Subscribe   bool "json:\"subscribe,omitempty\""
+					ListChanged bool "json:\"listChanged,omitempty\""
+				}{
+					Subscribe:   false,
+					ListChanged: false,
+				},
+				Sampling: nil,
+				Tools: &struct {
+					ListChanged bool "json:\"listChanged,omitempty\""
+				}{
+					ListChanged: true,
+				},
+			},
+			ServerInfo: mcp.Implementation{
+				Name:    "mcp",
+				Version: "",
+			},
+			Instructions: start.ServerInstructions + `
+
+Configured projects:
+- local (local): Local development project running via the Nhost CLI
+- asdasdasdasdasd (eu-central-1): Staging project for my awesome app
+- qweqweqweqweqwe (us-east-1): Production project for my awesome app
+
+The following resources are available:
+
+- schema://nhost-cloud: Schema to interact with the Nhost Cloud. Projects are equivalent
+to apps in the schema. IDs are typically uuids.
+- schema://graphql-management: GraphQL's management schema for an Nhost project.
+This tool is useful to properly understand how manage hasura metadata, migrations,
+permissions, remote schemas, etc.
+- schema://nhost.toml: Cuelang schema for the nhost.toml configuration file. Run nhost
+config validate after making changes to your nhost.toml file to ensure it is valid.
+`,
+			Result: mcp.Result{
+				Meta: nil,
+			},
+		},
+	); diff != "" {
+		t.Errorf("ServerInfo mismatch (-want +got):\n%s", diff)
+	}
+
+	tools, err := mcpClient.ListTools(
+		context.Background(),
+		mcp.ListToolsRequest{}, //nolint:exhaustruct
+	)
+	if err != nil {
+		t.Fatalf("failed to list tools: %v", err)
+	}
+
+	if diff := cmp.Diff(
+		tools,
+		//nolint:exhaustruct,lll
+		&mcp.ListToolsResult{
+			Tools: []mcp.Tool{
+				{
+					Name:        "cloud-graphql-query",
+					Description: cloud.ToolGraphqlQueryInstructions,
+					InputSchema: mcp.ToolInputSchema{
+						Type: "object",
+						Properties: map[string]any{
+							"query": map[string]any{
+								"description": "graphql query to perform",
+								"type":        "string",
+							},
+							"variables": map[string]any{
+								"description": "variables to use in the query",
+								"type":        "string",
+							},
+						},
+						Required: []string{"query"},
+					},
+					Annotations: mcp.ToolAnnotation{
+						Title:           "Perform GraphQL Query on Nhost Cloud Platform",
+						ReadOnlyHint:    ptr(false),
+						DestructiveHint: ptr(true),
+						IdempotentHint:  ptr(false),
+						OpenWorldHint:   ptr(true),
+					},
+				},
+				{
+					Name:        "get-schema",
+					Description: schemas.ToolGetGraphqlSchemaInstructions,
+					InputSchema: mcp.ToolInputSchema{
+						Type: "object",
+						Properties: map[string]any{
+							"role": map[string]any{
+								"description": string("role to use when executing queries. Keep in mind the schema depends on the role so if you retrieved the schema for a different role previously retrieve it for this role beforehand as it might differ"),
+								"type":        string("string"),
+							},
+							"subdomain": map[string]any{
+								"description": string("Project to get the GraphQL schema for. Required when service is `project`"),
+								"enum":        []any{string("local"), string("asdasdasdasdasd"), string("qweqweqweqweqwe")},
+								"type":        string("string"),
+							},
+							"mutations": map[string]any{
+								"description": string("list of mutations to fetch"),
+								"type":        string("array"),
+								"items":       map[string]any{"type": string("string")},
+							},
+							"queries": map[string]any{
+								"description": string("list of queries to fetch"),
+								"type":        string("array"),
+								"items":       map[string]any{"type": string("string")},
+							},
+							"summary": map[string]any{
+								"default":     bool(true),
+								"description": string("only return a summary of the schema"),
+								"type":        string("boolean"),
+							},
+						},
+						Required: []string{"role", "subdomain"},
+					},
+					Annotations: mcp.ToolAnnotation{
+						Title:           "Get GraphQL/API schema for various services",
+						ReadOnlyHint:    ptr(true),
+						DestructiveHint: ptr(false),
+						IdempotentHint:  ptr(true),
+						OpenWorldHint:   ptr(true),
+					},
+				},
+				{
+					Name:        "graphql-query",
+					Description: project.ToolGraphqlQueryInstructions,
+					InputSchema: mcp.ToolInputSchema{
+						Type: "object",
+						Properties: map[string]any{
+							"query": map[string]any{
+								"description": "graphql query to perform",
+								"type":        "string",
+							},
+							"subdomain": map[string]any{
+								"description": "Project to perform the GraphQL query against",
+								"type":        "string",
+								"enum": []any{
+									string("local"),
+									string("asdasdasdasdasd"),
+									string("qweqweqweqweqwe"),
+								},
+							},
+							"role": map[string]any{
+								"description": "role to use when executing queries. Keep in mind the schema depends on the role so if you retrieved the schema for a different role previously retrieve it for this role beforehand as it might differ",
+								"type":        "string",
+							},
+							"userId": map[string]any{
+								"description": string("Overrides X-Hasura-User-Id in the GraphQL query/mutation. Credentials must allow it (i.e. admin secret must be in use)"),
+								"type":        string("string"),
+							},
+							"variables": map[string]any{
+								"description": "variables to use in the query",
+								"type":        "string",
+							},
+						},
+						Required: []string{"query", "subdomain", "role"},
+					},
+					Annotations: mcp.ToolAnnotation{
+						Title:           "Perform GraphQL Query on Nhost Project running on Nhost Cloud",
+						ReadOnlyHint:    ptr(false),
+						DestructiveHint: ptr(true),
+						IdempotentHint:  ptr(false),
+						OpenWorldHint:   ptr(true),
+					},
+				},
+				{
+					Name:        "manage-graphql",
+					Description: project.ToolManageGraphqlInstructions,
+					InputSchema: mcp.ToolInputSchema{
+						Type: "object",
+						Properties: map[string]any{
+							"body": map[string]any{
+								"description": "The body for the HTTP request",
+								"type":        "string",
+							},
+							"path": map[string]any{
+								"description": "The path for the HTTP request",
+								"type":        "string",
+							},
+							"subdomain": map[string]any{
+								"description": "Project to perform the GraphQL management operation against",
+								"type":        "string",
+								"enum": []any{
+									string("local"),
+									string("asdasdasdasdasd"),
+									string("qweqweqweqweqwe"),
+								},
+							},
+						},
+						Required: []string{"subdomain", "path", "body"},
+					},
+					Annotations: mcp.ToolAnnotation{
+						Title:           "Manage GraphQL's Metadata on an Nhost Development Project",
+						ReadOnlyHint:    ptr(false),
+						DestructiveHint: ptr(true),
+						IdempotentHint:  ptr(true),
+						OpenWorldHint:   ptr(true),
+					},
+				},
+				{
+					Name:        "search",
+					Description: docs.ToolSearchInstructions,
+					InputSchema: mcp.ToolInputSchema{
+						Type: "object",
+						Properties: map[string]any{
+							"query": map[string]any{
+								"description": string("The search query"),
+								"type":        string("string"),
+							},
+						},
+						Required: []string{"query"},
+					},
+					Annotations: mcp.ToolAnnotation{
+						Title:           "Search Nhost Docs",
+						ReadOnlyHint:    ptr(true),
+						IdempotentHint:  ptr(true),
+						DestructiveHint: ptr(false),
+						OpenWorldHint:   ptr(true),
+					},
+				},
+			},
+		},
+		cmpopts.SortSlices(func(a, b mcp.Tool) bool {
+			return a.Name < b.Name
+		}),
+	); diff != "" {
+		t.Errorf("ListToolsResult mismatch (-want +got):\n%s", diff)
+	}
+
+	resourceList, err := mcpClient.ListResources(
+		context.Background(),
+		mcp.ListResourcesRequest{}, //nolint:exhaustruct
+	)
+	if err != nil {
+		t.Fatalf("failed to list resources: %v", err)
+	}
+
+	if diff := cmp.Diff(
+		resourceList,
+		//nolint:exhaustruct
+		&mcp.ListResourcesResult{
+			Resources: []mcp.Resource{
+				{
+					Annotated: mcp.Annotated{
+						Annotations: &mcp.Annotations{
+							Audience: []mcp.Role{"agent"},
+							Priority: 9,
+						},
+					},
+					URI:         "schema://graphql-management",
+					Name:        "graphql-management",
+					Description: resources.GraphqlManagementDescription,
+					MIMEType:    "text/plain",
+				},
+
+				{
+					Annotated: mcp.Annotated{
+						Annotations: &mcp.Annotations{
+							Audience: []mcp.Role{"agent"},
+							Priority: 9,
+						},
+					},
+					URI:         "schema://nhost-cloud",
+					Name:        "nhost-cloud",
+					Description: resources.CloudDescription,
+					MIMEType:    "text/plain",
+				},
+				{
+					Annotated: mcp.Annotated{
+						Annotations: &mcp.Annotations{
+							Audience: []mcp.Role{"agent"},
+							Priority: 9,
+						},
+					},
+					URI:         "schema://nhost.toml",
+					Name:        "nhost.toml",
+					Description: resources.NhostTomlResourceDescription,
+					MIMEType:    "text/plain",
+				},
+			},
+		},
+	); diff != "" {
+		t.Errorf("ListResourcesResult mismatch (-want +got):\n%s", diff)
+	}
+
+	if res.Capabilities.Prompts != nil {
+		prompts, err := mcpClient.ListPrompts(
+			context.Background(),
+			mcp.ListPromptsRequest{}, //nolint:exhaustruct
+		)
+		if err != nil {
+			t.Fatalf("failed to list prompts: %v", err)
+		}
+
+		if diff := cmp.Diff(
+			prompts,
+			//nolint:exhaustruct
+			&mcp.ListPromptsResult{
+				Prompts: []mcp.Prompt{},
+			},
+		); diff != "" {
+			t.Errorf("ListPromptsResult mismatch (-want +got):\n%s", diff)
+		}
+	}
+}

cli/cmd/mcp/start/start.go

@@ -0,0 +1,208 @@
+package start
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/mark3labs/mcp-go/server"
+	"github.com/nhost/nhost/cli/clienv"
+	"github.com/nhost/nhost/cli/mcp/config"
+	"github.com/nhost/nhost/cli/mcp/nhost/auth"
+	"github.com/nhost/nhost/cli/mcp/resources"
+	"github.com/nhost/nhost/cli/mcp/tools/cloud"
+	"github.com/nhost/nhost/cli/mcp/tools/docs"
+	"github.com/nhost/nhost/cli/mcp/tools/project"
+	"github.com/nhost/nhost/cli/mcp/tools/schemas"
+	"github.com/urfave/cli/v3"
+)
+
+const (
+	flagNhostAuthURL    = "nhost-auth-url"
+	flagNhostGraphqlURL = "nhost-graphql-url"
+	flagBind            = "bind"
+)
+
+const (
+	// this seems to be largely ignored by clients, or at least by cursor.
+	// we also need to look into roots and resources as those might be helpful.
+	ServerInstructions = `
+This is an MCP server to interact with the Nhost Cloud and with Nhost projects.
+
+Important notes to anyone using this MCP server. Do not use this MCP server without
+following these instructions:
+
+1. Make sure you are clear on which environment the user wants to operate against.
+2. Before attempting to call any tool, always make sure you list resources, roots, and
+   resource templates to understand what is available.
+3. Apps and projects are the same and while users may talk about projects in Nhost's GraphQL
+   api those are referred as apps.
+4. If you have an error querying the GraphQL API, please check the schema again. The schema may
+   have changed and the query you are using may be invalid.
+5. Always follow the instructions provided by each tool. If you need to deviate from these
+   instructions, please, confirm with the user before doing so.
+`
+)
+
+func Command() *cli.Command {
+	return &cli.Command{ //nolint:exhaustruct
+		Name:  "start",
+		Usage: "Starts the MCP server",
+		Flags: []cli.Flag{
+			&cli.StringFlag{ //nolint:exhaustruct
+				Name:     flagNhostAuthURL,
+				Usage:    "Nhost auth URL",
+				Hidden:   true,
+				Value:    "https://otsispdzcwxyqzbfntmj.auth.eu-central-1.nhost.run/v1",
+				Category: "Cloud Platform",
+				Sources:  cli.EnvVars("NHOST_AUTH_URL"),
+			},
+			&cli.StringFlag{ //nolint:exhaustruct
+				Name:     flagNhostGraphqlURL,
+				Usage:    "Nhost GraphQL URL",
+				Hidden:   true,
+				Value:    "https://otsispdzcwxyqzbfntmj.graphql.eu-central-1.nhost.run/v1",
+				Category: "Cloud Platform",
+				Sources:  cli.EnvVars("NHOST_GRAPHQL_URL"),
+			},
+			&cli.StringFlag{ //nolint:exhaustruct
+				Name:     flagBind,
+				Usage:    "Bind address in the form $host:$port. If omitted use stdio",
+				Required: false,
+				Category: "General",
+				Sources:  cli.EnvVars("BIND"),
+			},
+		},
+		Action: action,
+	}
+}
+
+func action(ctx context.Context, cmd *cli.Command) error {
+	cfg, err := getConfig(cmd)
+	if err != nil {
+		return err
+	}
+
+	ServerInstructions := ServerInstructions
+	ServerInstructions += "\n\n"
+	ServerInstructions += cfg.Projects.Instructions()
+	ServerInstructions += "\n"
+	ServerInstructions += resources.Instructions()
+
+	mcpServer := server.NewMCPServer(
+		cmd.Root().Name,
+		cmd.Root().Version,
+		server.WithInstructions(ServerInstructions),
+	)
+
+	if err := resources.Register(cfg, mcpServer); err != nil {
+		return cli.Exit(fmt.Sprintf("failed to register resources: %s", err), 1)
+	}
+
+	if cfg.Cloud != nil {
+		if err := registerCloud(
+			cmd,
+			mcpServer,
+			cfg,
+			cmd.String(flagNhostAuthURL),
+			cmd.String(flagNhostGraphqlURL),
+		); err != nil {
+			return cli.Exit(fmt.Sprintf("failed to register cloud tools: %s", err), 1)
+		}
+	}
+
+	if len(cfg.Projects) > 0 {
+		if err := registerProjectTool(mcpServer, cfg); err != nil {
+			return cli.Exit(fmt.Sprintf("failed to register project tools: %s", err), 1)
+		}
+	}
+
+	resources := schemas.NewTool(cfg)
+	resources.Register(mcpServer)
+
+	d, err := docs.NewTool(ctx)
+	if err != nil {
+		return cli.Exit(fmt.Sprintf("failed to initialize docs tools: %s", err), 1)
+	}
+
+	d.Register(mcpServer)
+
+	return start(mcpServer, cmd.String(flagBind))
+}
+
+func getConfig(cmd *cli.Command) (*config.Config, error) {
+	configPath := config.GetConfigPath(cmd)
+	if configPath == "" {
+		return nil, cli.Exit("config file path is required", 1)
+	}
+
+	cfg, err := config.Load(configPath)
+	if err != nil {
+		fmt.Println("Please, run `nhost mcp config` to configure the service.") //nolint:forbidigo
+		return nil, cli.Exit("failed to load config file "+err.Error(), 1)
+	}
+
+	return cfg, nil
+}
+
+func registerCloud(
+	cmd *cli.Command,
+	mcpServer *server.MCPServer,
+	cfg *config.Config,
+	authURL string,
+	graphqlURL string,
+) error {
+	ce := clienv.FromCLI(cmd)
+
+	creds, err := ce.Credentials()
+	if err != nil {
+		return fmt.Errorf("failed to load credentials: %w", err)
+	}
+
+	interceptor, err := auth.WithPAT(
+		authURL,
+		creds.PersonalAccessToken,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create PAT interceptor: %w", err)
+	}
+
+	cloudTool := cloud.NewTool(
+		graphqlURL, cfg.Cloud.EnableMutations, interceptor,
+	)
+
+	if err := cloudTool.Register(mcpServer); err != nil {
+		return fmt.Errorf("failed to register tools: %w", err)
+	}
+
+	return nil
+}
+
+func registerProjectTool(
+	mcpServer *server.MCPServer,
+	cfg *config.Config,
+) error {
+	projectTool := project.NewTool(cfg)
+	if err := projectTool.Register(mcpServer); err != nil {
+		return fmt.Errorf("failed to register tool: %w", err)
+	}
+
+	return nil
+}
+
+func start(
+	mcpServer *server.MCPServer,
+	bind string,
+) error {
+	if bind != "" {
+		sseServer := server.NewSSEServer(mcpServer, server.WithBaseURL(bind))
+		if err := sseServer.Start(bind); err != nil {
+			return cli.Exit(fmt.Sprintf("failed to serve tcp: %v", err), 1)
+		}
+	} else {
+		if err := server.ServeStdio(mcpServer); err != nil {
+			return cli.Exit(fmt.Sprintf("failed to serve stdio: %v", err), 1)
+		}
+	}
+
+	return nil
+}

cli/cmd/mcp/testdata/sample.toml

@@ -0,0 +1,29 @@
+[cloud]
+enable_mutations = true
+
+[[projects]]
+subdomain = 'local'
+region = 'local'
+description = 'Local development project running via the Nhost CLI'
+admin_secret = 'nhost-admin-secret'
+manage_metadata = true
+allow_queries = ['*']
+allow_mutations = ['*']
+
+[[projects]]
+subdomain = 'asdasdasdasdasd'
+region = 'eu-central-1'
+description = 'Staging project for my awesome app'
+manage_metadata = false
+admin_secret = 'your-admin-secret-1'
+allow_queries = ['*']
+allow_mutations = ['*']
+
+[[projects]]
+subdomain = 'qweqweqweqweqwe'
+region = 'us-east-1'
+description = 'Production project for my awesome app'
+manage_metadata = false
+pat = 'pat-for-qweqweqweqweqwe'
+allow_queries = ['getComments']
+allow_mutations = ['insertComment', 'updateComment', 'deleteComment']

cli/cmd/project/init.go

@@ -9,12 +9,12 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/hashicorp/go-getter"
+	"github.com/hashicorp/go-getter/v2"
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/cmd/config"
 	"github.com/nhost/nhost/cli/dockercompose"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 	"gopkg.in/yaml.v3"
 )
 
@@ -75,14 +75,14 @@ func CommandInit() *cli.Command {
 				Name:    flagRemote,
 				Usage:   "Initialize pulling configuration, migrations and metadata from the linked project",
 				Value:   false,
-				EnvVars: []string{"NHOST_REMOTE"},
+				Sources: cli.EnvVars("NHOST_REMOTE"),
 			},
 		},
 	}
 }
 
-func commandInit(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandInit(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	if clienv.PathExists(ce.Path.NhostFolder()) {
 		return errors.New("nhost folder already exists") //nolint:err113
@@ -98,12 +98,12 @@ func commandInit(cCtx *cli.Context) error {
 		return fmt.Errorf("failed to initialize configuration: %w", err)
 	}
 
-	if cCtx.Bool(flagRemote) {
-		if err := InitRemote(cCtx.Context, ce); err != nil {
+	if cmd.Bool(flagRemote) {
+		if err := InitRemote(ctx, ce); err != nil {
 			return fmt.Errorf("failed to initialize remote project: %w", err)
 		}
 	} else {
-		if err := initInit(cCtx.Context, ce.Path); err != nil {
+		if err := initInit(ctx, ce.Path); err != nil {
 			return fmt.Errorf("failed to initialize project: %w", err)
 		}
 	}
@@ -129,17 +129,12 @@ func initInit(
 		return err
 	}
 
-	getclient := &getter.Client{ //nolint:exhaustruct
-		Ctx:  ctx,
-		Src:  "github.com/nhost/hasura-auth/email-templates",
-		Dst:  "nhost/emails",
-		Mode: getter.ClientModeAny,
-		Detectors: []getter.Detector{
-			&getter.GitHubDetector{},
-		},
-	}
-
-	if err := getclient.Get(); err != nil {
+	getclient := &getter.Client{}                    //nolint:exhaustruct
+	if _, err := getclient.Get(ctx, &getter.Request{ //nolint:exhaustruct
+		Src:             "git::https://github.com/nhost/nhost.git//services/auth/email-templates",
+		Dst:             "nhost/emails",
+		DisableSymlinks: true,
+	}); err != nil {
 		return fmt.Errorf("failed to download email templates: %w", err)
 	}
 

cli/cmd/project/link.go

@@ -1,11 +1,12 @@
 package project
 
 import (
+	"context"
 	"fmt"
 	"os"
 
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandLink() *cli.Command {
@@ -18,14 +19,14 @@ func CommandLink() *cli.Command {
 	}
 }
 
-func commandLink(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandLink(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	if err := os.MkdirAll(ce.Path.DotNhostFolder(), 0o755); err != nil { //nolint:mnd
 		return fmt.Errorf("failed to create .nhost folder: %w", err)
 	}
 
-	_, err := ce.Link(cCtx.Context)
+	_, err := ce.Link(ctx)
 
 	return err //nolint:wrapcheck
 }

cli/cmd/project/list.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandList() *cli.Command {
@@ -18,9 +18,9 @@ func CommandList() *cli.Command {
 	}
 }
 
-func commandList(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
-	return List(cCtx.Context, ce)
+func commandList(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
+	return List(ctx, ce)
 }
 
 func List(ctx context.Context, ce *clienv.CliEnv) error {

cli/cmd/run/config_deploy.go

@@ -1,13 +1,14 @@
 package run
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/nhostclient/graphql"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandConfigDeploy() *cli.Command {
@@ -23,13 +24,13 @@ func CommandConfigDeploy() *cli.Command {
 				Usage:    "Service configuration file",
 				Value:    "nhost-run-service.toml",
 				Required: true,
-				EnvVars:  []string{"NHOST_RUN_SERVICE_CONFIG"},
+				Sources:  cli.EnvVars("NHOST_RUN_SERVICE_CONFIG"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:     flagServiceID,
 				Usage:    "Service ID to update. Applies overlay of the same name",
 				Required: true,
-				EnvVars:  []string{"NHOST_RUN_SERVICE_ID"},
+				Sources:  cli.EnvVars("NHOST_RUN_SERVICE_ID"),
 			},
 		},
 	}
@@ -49,23 +50,23 @@ func transform[T, V any](t *T) (*V, error) {
 	return &v, nil
 }
 
-func commandConfigDeploy(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandConfigDeploy(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	cl, err := ce.GetNhostClient(cCtx.Context)
+	cl, err := ce.GetNhostClient(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get nhost client: %w", err)
 	}
 
-	secrets, appID, err := getRemoteSecrets(cCtx.Context, cl, cCtx.String(flagServiceID))
+	secrets, appID, err := getRemoteSecrets(ctx, cl, cmd.String(flagServiceID))
 	if err != nil {
 		return err
 	}
 
 	cfg, err := Validate(
 		ce,
-		cCtx.String(flagConfig),
-		cCtx.String(flagServiceID),
+		cmd.String(flagConfig),
+		cmd.String(flagServiceID),
 		secrets,
 		true,
 	)
@@ -81,9 +82,9 @@ func commandConfigDeploy(cCtx *cli.Context) error {
 	}
 
 	if _, err := cl.ReplaceRunServiceConfig(
-		cCtx.Context,
+		ctx,
 		appID,
-		cCtx.String(flagServiceID),
+		cmd.String(flagServiceID),
 		*replaceConfig,
 	); err != nil {
 		return fmt.Errorf("failed to replace service config: %w", err)

cli/cmd/run/config_edit.go

@@ -1,6 +1,7 @@
 package run
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -8,7 +9,7 @@ import (
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/cmd/config"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const flagEditor = "editor"
@@ -25,31 +26,31 @@ func CommandConfigEdit() *cli.Command {
 				Usage:    "Service configuration file",
 				Value:    "nhost-run-service.toml",
 				Required: true,
-				EnvVars:  []string{"NHOST_RUN_SERVICE_CONFIG"},
+				Sources:  cli.EnvVars("NHOST_RUN_SERVICE_CONFIG"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagEditor,
 				Usage:   "Editor to use",
 				Value:   "vim",
-				EnvVars: []string{"EDITOR"},
+				Sources: cli.EnvVars("EDITOR"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagOverlayName,
 				Usage:   "If specified, apply this overlay",
-				EnvVars: []string{"NHOST_RUN_SERVICE_ID", "NHOST_SERVICE_OVERLAY_NAME"},
+				Sources: cli.EnvVars("NHOST_RUN_SERVICE_ID", "NHOST_SERVICE_OVERLAY_NAME"),
 			},
 		},
 		Action: commandConfigEdit,
 	}
 }
 
-func commandConfigEdit(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandConfigEdit(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	overlayName := cCtx.String(flagOverlayName)
+	overlayName := cmd.String(flagOverlayName)
 	if overlayName == "" {
 		if err := config.EditFile(
-			cCtx.Context, cCtx.String(flagEditor), cCtx.String(flagConfig),
+			ctx, cmd.String(flagEditor), cmd.String(flagConfig),
 		); err != nil {
 			return fmt.Errorf("failed to edit config: %w", err)
 		}
@@ -58,7 +59,7 @@ func commandConfigEdit(cCtx *cli.Context) error {
 	}
 
 	if err := os.MkdirAll(ce.Path.RunServiceOverlaysFolder(
-		cCtx.String(flagConfig),
+		cmd.String(flagConfig),
 	), 0o755); err != nil { //nolint:mnd
 		return fmt.Errorf("failed to create json patches directory: %w", err)
 	}
@@ -72,21 +73,21 @@ func commandConfigEdit(cCtx *cli.Context) error {
 	tmpfileName := filepath.Join(tmpdir, "nhost.toml")
 
 	if err := config.CopyConfig[model.ConfigRunServiceConfig](
-		cCtx.String(flagConfig),
+		cmd.String(flagConfig),
 		tmpfileName,
-		ce.Path.RunServiceOverlay(cCtx.String(flagConfig), overlayName),
+		ce.Path.RunServiceOverlay(cmd.String(flagConfig), overlayName),
 	); err != nil {
 		return fmt.Errorf("failed to copy config: %w", err)
 	}
 
-	if err := config.EditFile(cCtx.Context, cCtx.String(flagEditor), tmpfileName); err != nil {
+	if err := config.EditFile(ctx, cmd.String(flagEditor), tmpfileName); err != nil {
 		return fmt.Errorf("failed to edit config: %w", err)
 	}
 
 	if err := config.GenerateJSONPatch(
-		cCtx.String(flagConfig),
+		cmd.String(flagConfig),
 		tmpfileName,
-		ce.Path.RunServiceOverlay(cCtx.String(flagConfig), overlayName),
+		ce.Path.RunServiceOverlay(cmd.String(flagConfig), overlayName),
 	); err != nil {
 		return fmt.Errorf("failed to generate json patch: %w", err)
 	}

cli/cmd/run/config_edit_image.go

@@ -1,12 +1,13 @@
 package run
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const flagImage = "image"
@@ -22,29 +23,29 @@ func CommandConfigEditImage() *cli.Command {
 				Aliases: []string{},
 				Usage:   "Service configuration file",
 				Value:   "nhost-run-service.toml",
-				EnvVars: []string{"NHOST_RUN_SERVICE_CONFIG"},
+				Sources: cli.EnvVars("NHOST_RUN_SERVICE_CONFIG"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:     flagImage,
 				Aliases:  []string{},
 				Usage:    "Image to use",
 				Required: true,
-				EnvVars:  []string{"NHOST_RUN_SERVICE_IMAGE"},
+				Sources:  cli.EnvVars("NHOST_RUN_SERVICE_IMAGE"),
 			},
 		},
 		Action: commandConfigEditImage,
 	}
 }
 
-func commandConfigEditImage(cCtx *cli.Context) error {
+func commandConfigEditImage(_ context.Context, cmd *cli.Command) error {
 	var cfg model.ConfigRunServiceConfig
-	if err := clienv.UnmarshalFile(cCtx.String(flagConfig), &cfg, toml.Unmarshal); err != nil {
+	if err := clienv.UnmarshalFile(cmd.String(flagConfig), &cfg, toml.Unmarshal); err != nil {
 		return fmt.Errorf("failed to unmarshal config: %w", err)
 	}
 
-	cfg.Image.Image = cCtx.String(flagImage)
+	cfg.Image.Image = cmd.String(flagImage)
 
-	if err := clienv.MarshalFile(cfg, cCtx.String(flagConfig), toml.Marshal); err != nil {
+	if err := clienv.MarshalFile(cfg, cmd.String(flagConfig), toml.Marshal); err != nil {
 		return fmt.Errorf("failed to marshal config: %w", err)
 	}
 

cli/cmd/run/config_example.go

@@ -1,13 +1,14 @@
 package run
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/be/services/mimir/schema"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func ptr[T any](v T) *T {
@@ -24,8 +25,8 @@ func CommandConfigExample() *cli.Command {
 	}
 }
 
-func commandConfigExample(cCtx *cli.Context) error { //nolint:funlen
-	ce := clienv.FromCLI(cCtx)
+func commandConfigExample(_ context.Context, cmd *cli.Command) error { //nolint:funlen
+	ce := clienv.FromCLI(cmd)
 
 	//nolint:mnd
 	cfg := &model.ConfigRunServiceConfig{

cli/cmd/run/config_pull.go

@@ -1,13 +1,14 @@
 package run
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const flagServiceID = "service-id"
@@ -23,36 +24,36 @@ func CommandConfigPull() *cli.Command {
 				Aliases: []string{},
 				Usage:   "Service configuration file",
 				Value:   "nhost-run-service.toml",
-				EnvVars: []string{"NHOST_RUN_SERVICE_CONFIG"},
+				Sources: cli.EnvVars("NHOST_RUN_SERVICE_CONFIG"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:     flagServiceID,
 				Usage:    "Service ID to update",
 				Required: true,
-				EnvVars:  []string{"NHOST_RUN_SERVICE_ID"},
+				Sources:  cli.EnvVars("NHOST_RUN_SERVICE_ID"),
 			},
 		},
 		Action: commandConfigPull,
 	}
 }
 
-func commandConfigPull(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandConfigPull(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	cl, err := ce.GetNhostClient(cCtx.Context)
+	cl, err := ce.GetNhostClient(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get nhost client: %w", err)
 	}
 
-	appID, err := getAppIDFromServiceID(cCtx.Context, cl, cCtx.String(flagServiceID))
+	appID, err := getAppIDFromServiceID(ctx, cl, cmd.String(flagServiceID))
 	if err != nil {
 		return err
 	}
 
 	resp, err := cl.GetRunServiceConfigRawJSON(
-		cCtx.Context,
+		ctx,
 		appID,
-		cCtx.String(flagServiceID),
+		cmd.String(flagServiceID),
 		false,
 	)
 	if err != nil {
@@ -64,7 +65,7 @@ func commandConfigPull(cCtx *cli.Context) error {
 		return fmt.Errorf("failed to unmarshal config: %w", err)
 	}
 
-	if err := clienv.MarshalFile(v, cCtx.String(flagConfig), toml.Marshal); err != nil {
+	if err := clienv.MarshalFile(v, cmd.String(flagConfig), toml.Marshal); err != nil {
 		return fmt.Errorf("failed to save config to file: %w", err)
 	}
 

cli/cmd/run/config_show.go

@@ -1,13 +1,14 @@
 package run
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/project/env"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandConfigShow() *cli.Command {
@@ -23,19 +24,19 @@ func CommandConfigShow() *cli.Command {
 				Aliases: []string{},
 				Usage:   "Service configuration file",
 				Value:   "nhost-run-service.toml",
-				EnvVars: []string{"NHOST_RUN_SERVICE_CONFIG"},
+				Sources: cli.EnvVars("NHOST_RUN_SERVICE_CONFIG"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagOverlayName,
 				Usage:   "If specified, apply this overlay",
-				EnvVars: []string{"NHOST_RUN_SERVICE_ID", "NHOST_SERVICE_OVERLAY_NAME"},
+				Sources: cli.EnvVars("NHOST_RUN_SERVICE_ID", "NHOST_SERVICE_OVERLAY_NAME"),
 			},
 		},
 	}
 }
 
-func commandConfigShow(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandConfigShow(_ context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	var secrets model.Secrets
 	if err := clienv.UnmarshalFile(ce.Path.Secrets(), &secrets, env.Unmarshal); err != nil {
@@ -47,8 +48,8 @@ func commandConfigShow(cCtx *cli.Context) error {
 
 	cfg, err := Validate(
 		ce,
-		cCtx.String(flagConfig),
-		cCtx.String(flagOverlayName),
+		cmd.String(flagConfig),
+		cmd.String(flagOverlayName),
 		secrets,
 		false,
 	)

cli/cmd/run/config_validate.go

@@ -15,7 +15,7 @@ import (
 	"github.com/nhost/nhost/cli/nhostclient/graphql"
 	"github.com/nhost/nhost/cli/project/env"
 	"github.com/pelletier/go-toml/v2"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -35,17 +35,17 @@ func CommandConfigValidate() *cli.Command {
 				Aliases: []string{},
 				Usage:   "Service configuration file",
 				Value:   "nhost-run-service.toml",
-				EnvVars: []string{"NHOST_RUN_SERVICE_CONFIG"},
+				Sources: cli.EnvVars("NHOST_RUN_SERVICE_CONFIG"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagOverlayName,
 				Usage:   "If specified, apply this overlay",
-				EnvVars: []string{"NHOST_SERVICE_OVERLAY_NAME"},
+				Sources: cli.EnvVars("NHOST_SERVICE_OVERLAY_NAME"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagServiceID,
 				Usage:   "If specified, apply this overlay and remote secrets for this service",
-				EnvVars: []string{"NHOST_RUN_SERVICE_ID"},
+				Sources: cli.EnvVars("NHOST_RUN_SERVICE_ID"),
 			},
 		},
 	}
@@ -157,35 +157,35 @@ func getRemoteSecrets(
 	return respToSecrets(secretsResp.GetAppSecrets()), appID, nil
 }
 
-func commandConfigValidate(cCtx *cli.Context) error {
+func commandConfigValidate(ctx context.Context, cmd *cli.Command) error {
 	var (
 		overlayName string
 		serviceID   string
 	)
 
 	switch {
-	case cCtx.String(flagServiceID) != "" && cCtx.String(flagOverlayName) != "":
+	case cmd.String(flagServiceID) != "" && cmd.String(flagOverlayName) != "":
 		return errors.New("cannot specify both service id and overlay name") //nolint:err113
-	case cCtx.String(flagServiceID) != "":
-		serviceID = cCtx.String(flagServiceID)
+	case cmd.String(flagServiceID) != "":
+		serviceID = cmd.String(flagServiceID)
 		overlayName = serviceID
-	case cCtx.String(flagOverlayName) != "":
-		overlayName = cCtx.String(flagOverlayName)
+	case cmd.String(flagOverlayName) != "":
+		overlayName = cmd.String(flagOverlayName)
 	}
 
-	ce := clienv.FromCLI(cCtx)
+	ce := clienv.FromCLI(cmd)
 
 	var secrets model.Secrets
 
 	ce.Infoln("Getting secrets...")
 
 	if serviceID != "" {
-		cl, err := ce.GetNhostClient(cCtx.Context)
+		cl, err := ce.GetNhostClient(ctx)
 		if err != nil {
 			return fmt.Errorf("failed to get nhost client: %w", err)
 		}
 
-		secrets, _, err = getRemoteSecrets(cCtx.Context, cl, serviceID)
+		secrets, _, err = getRemoteSecrets(ctx, cl, serviceID)
 		if err != nil {
 			return err
 		}
@@ -202,7 +202,7 @@ func commandConfigValidate(cCtx *cli.Context) error {
 
 	if _, err := Validate(
 		ce,
-		cCtx.String(flagConfig),
+		cmd.String(flagConfig),
 		overlayName,
 		secrets,
 		false,

cli/cmd/run/dev.go

@@ -1,13 +1,14 @@
 package run
 
 import (
+	"context"
 	"fmt"
 	"regexp"
 
 	"github.com/nhost/be/services/mimir/model"
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/project/env"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -28,17 +29,17 @@ func CommandEnv() *cli.Command {
 				Aliases: []string{},
 				Usage:   "Service configuration file",
 				Value:   "nhost-run-service.toml",
-				EnvVars: []string{"NHOST_RUN_SERVICE_CONFIG"},
+				Sources: cli.EnvVars("NHOST_RUN_SERVICE_CONFIG"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagOverlayName,
 				Usage:   "If specified, apply this overlay",
-				EnvVars: []string{"NHOST_RUN_SERVICE_ID", "NHOST_SERVICE_OVERLAY_NAME"},
+				Sources: cli.EnvVars("NHOST_RUN_SERVICE_ID", "NHOST_SERVICE_OVERLAY_NAME"),
 			},
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:    flagDevPrependExport,
 				Usage:   "Prepend 'export' to each line",
-				EnvVars: []string{"NHOST_RuN_SERVICE_ENV_PREPEND_EXPORT"},
+				Sources: cli.EnvVars("NHOST_RuN_SERVICE_ENV_PREPEND_EXPORT"),
 			},
 		},
 	}
@@ -49,8 +50,8 @@ func escape(s string) string {
 	return re.ReplaceAllString(s, "\\$0")
 }
 
-func commandConfigDev(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandConfigDev(_ context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	var secrets model.Secrets
 	if err := clienv.UnmarshalFile(ce.Path.Secrets(), &secrets, env.Unmarshal); err != nil {
@@ -62,8 +63,8 @@ func commandConfigDev(cCtx *cli.Context) error {
 
 	cfg, err := Validate(
 		ce,
-		cCtx.String(flagConfig),
-		cCtx.String(flagOverlayName),
+		cmd.String(flagConfig),
+		cmd.String(flagOverlayName),
 		secrets,
 		false,
 	)
@@ -73,7 +74,7 @@ func commandConfigDev(cCtx *cli.Context) error {
 
 	for _, v := range cfg.GetEnvironment() {
 		value := escape(v.Value)
-		if cCtx.Bool(flagDevPrependExport) {
+		if cmd.Bool(flagDevPrependExport) {
 			ce.Println("export %s=\"%s\"", v.Name, value)
 		} else {
 			ce.Println("%s=\"%s\"", v.Name, value)

cli/cmd/run/run.go

@@ -1,13 +1,13 @@
 package run
 
-import "github.com/urfave/cli/v2"
+import "github.com/urfave/cli/v3"
 
 func Command() *cli.Command {
 	return &cli.Command{ //nolint:exhaustruct
 		Name:    "run",
 		Aliases: []string{},
 		Usage:   "Perform operations on Nhost Run",
-		Subcommands: []*cli.Command{
+		Commands: []*cli.Command{
 			CommandConfigShow(),
 			CommandConfigDeploy(),
 			CommandConfigEdit(),

cli/cmd/secrets/create.go

@@ -1,11 +1,12 @@
 package secrets //nolint:dupl
 
 import (
+	"context"
 	"errors"
 	"fmt"
 
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandCreate() *cli.Command {
@@ -19,28 +20,28 @@ func CommandCreate() *cli.Command {
 	}
 }
 
-func commandCreate(cCtx *cli.Context) error {
-	if cCtx.NArg() != 2 { //nolint:mnd
+func commandCreate(ctx context.Context, cmd *cli.Command) error {
+	if cmd.NArg() != 2 { //nolint:mnd
 		return errors.New("invalid number of arguments") //nolint:err113
 	}
 
-	ce := clienv.FromCLI(cCtx)
+	ce := clienv.FromCLI(cmd)
 
-	proj, err := ce.GetAppInfo(cCtx.Context, cCtx.String(flagSubdomain))
+	proj, err := ce.GetAppInfo(ctx, cmd.String(flagSubdomain))
 	if err != nil {
 		return fmt.Errorf("failed to get app info: %w", err)
 	}
 
-	cl, err := ce.GetNhostClient(cCtx.Context)
+	cl, err := ce.GetNhostClient(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get nhost client: %w", err)
 	}
 
 	if _, err := cl.CreateSecret(
-		cCtx.Context,
+		ctx,
 		proj.ID,
-		cCtx.Args().Get(0),
-		cCtx.Args().Get(1),
+		cmd.Args().Get(0),
+		cmd.Args().Get(1),
 	); err != nil {
 		return fmt.Errorf("failed to create secret: %w", err)
 	}

cli/cmd/secrets/delete.go

@@ -1,11 +1,12 @@
 package secrets
 
 import (
+	"context"
 	"errors"
 	"fmt"
 
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandDelete() *cli.Command {
@@ -19,27 +20,27 @@ func CommandDelete() *cli.Command {
 	}
 }
 
-func commandDelete(cCtx *cli.Context) error {
-	if cCtx.NArg() != 1 {
+func commandDelete(ctx context.Context, cmd *cli.Command) error {
+	if cmd.NArg() != 1 {
 		return errors.New("invalid number of arguments") //nolint:err113
 	}
 
-	ce := clienv.FromCLI(cCtx)
+	ce := clienv.FromCLI(cmd)
 
-	proj, err := ce.GetAppInfo(cCtx.Context, cCtx.String(flagSubdomain))
+	proj, err := ce.GetAppInfo(ctx, cmd.String(flagSubdomain))
 	if err != nil {
 		return fmt.Errorf("failed to get app info: %w", err)
 	}
 
-	cl, err := ce.GetNhostClient(cCtx.Context)
+	cl, err := ce.GetNhostClient(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get nhost client: %w", err)
 	}
 
 	if _, err := cl.DeleteSecret(
-		cCtx.Context,
+		ctx,
 		proj.ID,
-		cCtx.Args().Get(0),
+		cmd.Args().Get(0),
 	); err != nil {
 		return fmt.Errorf("failed to delete secret: %w", err)
 	}

cli/cmd/secrets/list.go

@@ -1,10 +1,11 @@
 package secrets
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandList() *cli.Command {
@@ -17,21 +18,21 @@ func CommandList() *cli.Command {
 	}
 }
 
-func commandList(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandList(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
-	proj, err := ce.GetAppInfo(cCtx.Context, cCtx.String(flagSubdomain))
+	proj, err := ce.GetAppInfo(ctx, cmd.String(flagSubdomain))
 	if err != nil {
 		return fmt.Errorf("failed to get app info: %w", err)
 	}
 
-	cl, err := ce.GetNhostClient(cCtx.Context)
+	cl, err := ce.GetNhostClient(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get nhost client: %w", err)
 	}
 
 	secrets, err := cl.GetSecrets(
-		cCtx.Context,
+		ctx,
 		proj.ID,
 	)
 	if err != nil {

cli/cmd/secrets/secrets.go

@@ -1,6 +1,6 @@
 package secrets
 
-import "github.com/urfave/cli/v2"
+import "github.com/urfave/cli/v3"
 
 const flagSubdomain = "subdomain"
 
@@ -9,7 +9,7 @@ func commonFlags() []cli.Flag {
 		&cli.StringFlag{ //nolint:exhaustruct
 			Name:    flagSubdomain,
 			Usage:   "Project's subdomain to operate on, defaults to linked project",
-			EnvVars: []string{"NHOST_SUBDOMAIN"},
+			Sources: cli.EnvVars("NHOST_SUBDOMAIN"),
 		},
 	}
 }
@@ -19,7 +19,7 @@ func Command() *cli.Command {
 		Name:    "secrets",
 		Aliases: []string{},
 		Usage:   "Manage secrets",
-		Subcommands: []*cli.Command{
+		Commands: []*cli.Command{
 			CommandCreate(),
 			CommandDelete(),
 			CommandList(),

cli/cmd/secrets/update.go

@@ -1,11 +1,12 @@
 package secrets //nolint:dupl
 
 import (
+	"context"
 	"errors"
 	"fmt"
 
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandUpdate() *cli.Command {
@@ -19,28 +20,28 @@ func CommandUpdate() *cli.Command {
 	}
 }
 
-func commandUpdate(cCtx *cli.Context) error {
-	if cCtx.NArg() != 2 { //nolint:mnd
+func commandUpdate(ctx context.Context, cmd *cli.Command) error {
+	if cmd.NArg() != 2 { //nolint:mnd
 		return errors.New("invalid number of arguments") //nolint:err113
 	}
 
-	ce := clienv.FromCLI(cCtx)
+	ce := clienv.FromCLI(cmd)
 
-	proj, err := ce.GetAppInfo(cCtx.Context, cCtx.String(flagSubdomain))
+	proj, err := ce.GetAppInfo(ctx, cmd.String(flagSubdomain))
 	if err != nil {
 		return fmt.Errorf("failed to get app info: %w", err)
 	}
 
-	cl, err := ce.GetNhostClient(cCtx.Context)
+	cl, err := ce.GetNhostClient(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get nhost client: %w", err)
 	}
 
 	if _, err := cl.UpdateSecret(
-		cCtx.Context,
+		ctx,
 		proj.ID,
-		cCtx.Args().Get(0),
-		cCtx.Args().Get(1),
+		cmd.Args().Get(0),
+		cmd.Args().Get(1),
 	); err != nil {
 		return fmt.Errorf("failed to update secret: %w", err)
 	}

cli/cmd/software/software.go

@@ -1,6 +1,6 @@
 package software
 
-import "github.com/urfave/cli/v2"
+import "github.com/urfave/cli/v3"
 
 const (
 	devVersion = "dev"
@@ -11,7 +11,7 @@ func Command() *cli.Command {
 		Name:    "sw",
 		Aliases: []string{},
 		Usage:   "Perform software management operations",
-		Subcommands: []*cli.Command{
+		Commands: []*cli.Command{
 			CommandUninstall(),
 			CommandUpgrade(),
 			CommandVersion(),

cli/cmd/software/uninstall.go

@@ -1,11 +1,12 @@
 package software
 
 import (
+	"context"
 	"fmt"
 	"os"
 
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -22,29 +23,29 @@ func CommandUninstall() *cli.Command {
 			&cli.BoolFlag{ //nolint:exhaustruct
 				Name:        forceFlag,
 				Usage:       "Force uninstall without confirmation",
-				EnvVars:     []string{"NHOST_FORCE_UNINSTALL"},
+				Sources:     cli.EnvVars("NHOST_FORCE_UNINSTALL"),
 				DefaultText: "false",
 			},
 		},
 	}
 }
 
-func commandUninstall(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandUninstall(_ context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	path, err := os.Executable()
 	if err != nil {
 		return fmt.Errorf("failed to find installed CLI: %w", err)
 	}
 
-	if cCtx.App.Version == devVersion || cCtx.App.Version == "" {
+	if cmd.Root().Version == devVersion || cmd.Root().Version == "" {
 		// we fake it in dev mode
 		path = "/tmp/nhost"
 	}
 
 	ce.Infoln("Found Nhost cli in %s", path)
 
-	if !cCtx.Bool(forceFlag) {
+	if !cmd.Bool(forceFlag) {
 		ce.PromptMessage("Are you sure you want to uninstall Nhost CLI? [y/N] ")
 
 		resp, err := ce.PromptInput(false)

cli/cmd/software/upgrade.go

@@ -1,14 +1,18 @@
 package software
 
 import (
+	"context"
+	"errors"
 	"fmt"
+	"io"
 	"os"
 	"runtime"
 	"strings"
+	"syscall"
 
 	"github.com/nhost/nhost/cli/clienv"
 	"github.com/nhost/nhost/cli/software"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandUpgrade() *cli.Command {
@@ -20,12 +24,12 @@ func CommandUpgrade() *cli.Command {
 	}
 }
 
-func commandUpgrade(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandUpgrade(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	mgr := software.NewManager()
 
-	releases, err := mgr.GetReleases(cCtx.Context, cCtx.App.Version)
+	releases, err := mgr.GetReleases(ctx, cmd.Root().Version)
 	if err != nil {
 		return fmt.Errorf("failed to get releases: %w", err)
 	}
@@ -36,7 +40,7 @@ func commandUpgrade(cCtx *cli.Context) error {
 	}
 
 	latest := releases[0]
-	if latest.TagName == cCtx.App.Version {
+	if latest.TagName == cmd.Root().Version {
 		ce.Infoln("You have the latest version. Hurray!")
 		return nil
 	}
@@ -71,28 +75,28 @@ func commandUpgrade(cCtx *cli.Context) error {
 	defer os.Remove(tmpFile.Name())
 	defer tmpFile.Close()
 
-	if err := mgr.DownloadAsset(cCtx.Context, url, tmpFile); err != nil {
+	if err := mgr.DownloadAsset(ctx, url, tmpFile); err != nil {
 		return fmt.Errorf("failed to download asset: %w", err)
 	}
 
-	return install(cCtx, ce, tmpFile.Name())
+	return install(cmd, ce, tmpFile.Name())
 }
 
-func install(cCtx *cli.Context, ce *clienv.CliEnv, tmpFile string) error {
+func install(cmd *cli.Command, ce *clienv.CliEnv, tmpFile string) error {
 	curBin, err := os.Executable()
 	if err != nil {
 		return fmt.Errorf("failed to find installed CLI: %w", err)
 	}
 
-	if cCtx.App.Version == devVersion || cCtx.App.Version == "" {
+	if cmd.Root().Version == devVersion || cmd.Root().Version == "" {
 		// we are in dev mode, we fake curBin for testing
 		curBin = "/tmp/nhost"
 	}
 
 	ce.Infoln("Copying to %s...", curBin)
 
-	if err := os.Rename(tmpFile, curBin); err != nil {
-		return fmt.Errorf("failed to rename %s to %s: %w", tmpFile, curBin, err)
+	if err := moveOrCopyFile(tmpFile, curBin); err != nil {
+		return fmt.Errorf("failed to move %s to %s: %w", tmpFile, curBin, err)
 	}
 
 	ce.Infoln("Setting permissions...")
@@ -103,3 +107,55 @@ func install(cCtx *cli.Context, ce *clienv.CliEnv, tmpFile string) error {
 
 	return nil
 }
+
+func moveOrCopyFile(src, dst string) error {
+	if err := os.Rename(src, dst); err != nil {
+		var linkErr *os.LinkError
+		// this happens when moving across different filesystems
+		if errors.As(err, &linkErr) && errors.Is(linkErr.Err, syscall.EXDEV) {
+			if err := hardMove(src, dst); err != nil {
+				return fmt.Errorf("failed to hard move: %w", err)
+			}
+
+			return nil
+		}
+
+		return fmt.Errorf("failed to rename: %w", err)
+	}
+
+	return nil
+}
+
+func hardMove(src, dst string) error {
+	srcFile, err := os.Open(src)
+	if err != nil {
+		return fmt.Errorf("failed to open source file: %w", err)
+	}
+	defer srcFile.Close()
+
+	dstFile, err := os.Create(dst)
+	if err != nil {
+		return fmt.Errorf("failed to create destination file: %w", err)
+	}
+	defer dstFile.Close()
+
+	if _, err := io.Copy(dstFile, srcFile); err != nil {
+		return fmt.Errorf("failed to copy file contents: %w", err)
+	}
+
+	fi, err := os.Stat(src)
+	if err != nil {
+		return fmt.Errorf("failed to stat source file: %w", err)
+	}
+
+	err = os.Chmod(dst, fi.Mode())
+	if err != nil {
+		return fmt.Errorf("failed to set file permissions: %w", err)
+	}
+
+	if err := os.Remove(src); err != nil {
+		return fmt.Errorf("failed to remove source file: %w", err)
+	}
+
+	return nil
+}

cli/cmd/software/version.go

@@ -12,7 +12,7 @@ import (
 	"github.com/nhost/nhost/cli/nhostclient/graphql"
 	"github.com/nhost/nhost/cli/project/env"
 	"github.com/nhost/nhost/cli/software"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 func CommandVersion() *cli.Command {
@@ -111,11 +111,11 @@ func CheckVersions(
 
 	checkServiceVersion(
 		ce, graphql.SoftwareTypeEnumAuth, *cfg.GetAuth().GetVersion(), swv,
-		"https://github.com/nhost/hasura-auth/releases",
+		"https://github.com/nhost/nhost/releases",
 	)
 	checkServiceVersion(
 		ce, graphql.SoftwareTypeEnumStorage, *cfg.GetStorage().GetVersion(), swv,
-		"https://github.com/nhost/hasura-storage/releases",
+		"https://github.com/nhost/nhost/releases",
 	)
 	checkServiceVersion(
 		ce, graphql.SoftwareTypeEnumPostgreSQL, *cfg.GetPostgres().GetVersion(), swv,
@@ -132,8 +132,8 @@ func CheckVersions(
 	return checkCLIVersion(ctx, ce, appVersion)
 }
 
-func commandVersion(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandVersion(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 
 	var (
 		cfg *model.ConfigConfig
@@ -157,5 +157,5 @@ func commandVersion(cCtx *cli.Context) error {
 		ce.Warnln("🟡 No Nhost project found")
 	}
 
-	return CheckVersions(cCtx.Context, ce, cfg, cCtx.App.Version)
+	return CheckVersions(ctx, ce, cfg, cmd.Root().Version)
 }

cli/cmd/user/login.go

@@ -1,8 +1,10 @@
 package user
 
 import (
+	"context"
+
 	"github.com/nhost/nhost/cli/clienv"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v3"
 )
 
 const (
@@ -21,26 +23,26 @@ func CommandLogin() *cli.Command {
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagPAT,
 				Usage:   "Use this Personal Access Token instead of generating a new one with your email/password",
-				EnvVars: []string{"NHOST_PAT"},
+				Sources: cli.EnvVars("NHOST_PAT"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagEmail,
 				Usage:   "Email address",
-				EnvVars: []string{"NHOST_EMAIL"},
+				Sources: cli.EnvVars("NHOST_EMAIL"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagPassword,
 				Usage:   "Password",
-				EnvVars: []string{"NHOST_PASSWORD"},
+				Sources: cli.EnvVars("NHOST_PASSWORD"),
 			},
 		},
 	}
 }
 
-func commandLogin(cCtx *cli.Context) error {
-	ce := clienv.FromCLI(cCtx)
+func commandLogin(ctx context.Context, cmd *cli.Command) error {
+	ce := clienv.FromCLI(cmd)
 	_, err := ce.Login(
-		cCtx.Context, cCtx.String(flagPAT), cCtx.String(flagEmail), cCtx.String(flagPassword),
+		ctx, cmd.String(flagPAT), cmd.String(flagEmail), cmd.String(flagPassword),
 	)
 
 	return err //nolint:wrapcheck

cli/dockercompose/auth.go

@@ -41,13 +41,13 @@ func auth( //nolint:funlen
 	envars, err := appconfig.HasuraAuthEnv(
 		cfg,
 		"http://graphql:8080/v1/graphql",
-		URL(subdomain, "auth", httpPort, useTLS)+"/v1",
+		URL(subdomain, "auth", httpPort, useTLS && exposePort == 0)+"/v1",
 		"postgres://nhost_hasura@postgres:5432/local",
 		"postgres://nhost_auth_admin@postgres:5432/local",
 		&model.ConfigSmtp{
 			User:     "user",
 			Password: "password",
-			Sender:   "hasura-auth@example.com",
+			Sender:   "auth@example.com",
 			Host:     "mailhog",
 			Port:     1025, //nolint:mnd
 			Secure:   false,
@@ -56,6 +56,7 @@ func auth( //nolint:funlen
 		false,
 		false,
 		"00000000-0000-0000-0000-000000000000",
+		"5181f67e2844e4b60d571fa346cac9c37fc00d1ff519212eae6cead138e639ba",
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get hasura env vars: %w", err)
@@ -67,7 +68,7 @@ func auth( //nolint:funlen
 	}
 
 	svc := &Service{
-		Image: "nhost/hasura-auth:" + *cfg.Auth.Version,
+		Image: "nhost/auth:" + *cfg.Auth.Version,
 		DependsOn: map[string]DependsOn{
 			"graphql": {
 				Condition: "service_healthy",

cli/dockercompose/auth_test.go

@@ -10,7 +10,7 @@ import (
 func expectedAuth() *Service {
 	//nolint:lll
 	return &Service{
-		Image:   "nhost/hasura-auth:0.31.0",
+		Image:   "nhost/auth:0.31.0",
 		Command: nil,
 		DependsOn: map[string]DependsOn{
 			"graphql":  {Condition: "service_healthy"},
@@ -33,6 +33,7 @@ func expectedAuth() *Service {
 			"AUTH_DISABLE_SIGNUP":                       "false",
 			"AUTH_EMAIL_PASSWORDLESS_ENABLED":           "true",
 			"AUTH_EMAIL_SIGNIN_EMAIL_VERIFIED_REQUIRED": "true",
+			"AUTH_ENCRYPTION_KEY":                       "5181f67e2844e4b60d571fa346cac9c37fc00d1ff519212eae6cead138e639ba",
 			"AUTH_GRAVATAR_DEFAULT":                     "gravatarDefault",
 			"AUTH_GRAVATAR_ENABLED":                     "true",
 			"AUTH_GRAVATAR_RATING":                      "gravatarRating",
@@ -52,6 +53,7 @@ func expectedAuth() *Service {
 			"AUTH_PROVIDER_APPLE_ENABLED":               "true",
 			"AUTH_PROVIDER_APPLE_KEY_ID":                "appleKeyId",
 			"AUTH_PROVIDER_APPLE_PRIVATE_KEY":           "applePrivateKey",
+			"AUTH_PROVIDER_APPLE_SCOPE":                 "",
 			"AUTH_PROVIDER_APPLE_TEAM_ID":               "appleTeamId",
 			"AUTH_PROVIDER_AZUREAD_CLIENT_ID":           "azureadClientId",
 			"AUTH_PROVIDER_AZUREAD_CLIENT_SECRET":       "azureadClientSecret",
@@ -74,9 +76,12 @@ func expectedAuth() *Service {
 			"AUTH_PROVIDER_FACEBOOK_CLIENT_SECRET":      "facebookClientSecret",
 			"AUTH_PROVIDER_FACEBOOK_ENABLED":            "true",
 			"AUTH_PROVIDER_FACEBOOK_SCOPE":              "email",
+			"AUTH_PROVIDER_GITHUB_AUDIENCE":             "audience",
 			"AUTH_PROVIDER_GITHUB_CLIENT_ID":            "githubClientId",
 			"AUTH_PROVIDER_GITHUB_CLIENT_SECRET":        "githubClientSecret",
 			"AUTH_PROVIDER_GITHUB_ENABLED":              "true",
+			"AUTH_PROVIDER_GITHUB_SCOPE":                "user:email",
+			"AUTH_PROVIDER_GITLAB_AUDIENCE":             "audience",
 			"AUTH_PROVIDER_GITLAB_CLIENT_ID":            "gitlabClientId",
 			"AUTH_PROVIDER_GITLAB_CLIENT_SECRET":        "gitlabClientSecret",
 			"AUTH_PROVIDER_GITLAB_ENABLED":              "true",
@@ -96,6 +101,7 @@ func expectedAuth() *Service {
 			"AUTH_PROVIDER_SPOTIFY_CLIENT_SECRET":       "spotifyClientSecret",
 			"AUTH_PROVIDER_SPOTIFY_ENABLED":             "true",
 			"AUTH_PROVIDER_SPOTIFY_SCOPE":               "user-read-email",
+			"AUTH_PROVIDER_STRAVA_AUDIENCE":             "audience",
 			"AUTH_PROVIDER_STRAVA_CLIENT_ID":            "stravaClientId",
 			"AUTH_PROVIDER_STRAVA_CLIENT_SECRET":        "stravaClientSecret",
 			"AUTH_PROVIDER_STRAVA_ENABLED":              "true",
@@ -132,7 +138,7 @@ func expectedAuth() *Service {
 			"AUTH_RATE_LIMIT_SMS_INTERVAL":              "5m",
 			"AUTH_REFRESH_TOKEN_EXPIRES_IN":             "99",
 			"AUTH_REQUIRE_ELEVATED_CLAIM":               "required",
-			"AUTH_SERVER_URL":                           "http://dev.auth.local.nhost.run:1336/v1",
+			"AUTH_SERVER_URL":                           "https://dev.auth.local.nhost.run:1336/v1",
 			"AUTH_SMS_PASSWORDLESS_ENABLED":             "true",
 			"AUTH_SMS_PROVIDER":                         "twilio",
 			"AUTH_SMS_TWILIO_ACCOUNT_SID":               "smsAccountSid",
@@ -143,7 +149,7 @@ func expectedAuth() *Service {
 			"AUTH_SMTP_PASS":                            "password",
 			"AUTH_SMTP_PORT":                            "1025",
 			"AUTH_SMTP_SECURE":                          "false",
-			"AUTH_SMTP_SENDER":                          "hasura-auth@example.com",
+			"AUTH_SMTP_SENDER":                          "auth@example.com",
 			"AUTH_SMTP_USER":                            "user",
 			"AUTH_USER_DEFAULT_ALLOWED_ROLES":           "user,admin",
 			"AUTH_USER_DEFAULT_ROLE":                    "user",
@@ -186,7 +192,7 @@ func expectedAuth() *Service {
 			"traefik.http.routers.auth.entrypoints":               "web",
 			"traefik.http.routers.auth.rule":                      "(HostRegexp(`^.+\\.auth\\.local\\.nhost\\.run$`) || Host(`local.auth.nhost.run`))",
 			"traefik.http.routers.auth.service":                   "auth",
-			"traefik.http.routers.auth.tls":                       "false",
+			"traefik.http.routers.auth.tls":                       "true",
 			"traefik.http.services.auth.loadbalancer.server.port": "4000",
 		},
 		Ports:   nil,
@@ -216,7 +222,7 @@ func TestAuth(t *testing.T) {
 		{
 			name:       "default",
 			cfg:        getConfig,
-			useTlS:     false,
+			useTlS:     true,
 			exposePort: 0,
 			expected:   expectedAuth,
 		},
@@ -227,11 +233,11 @@ func TestAuth(t *testing.T) {
 				cfg.Auth.Version = ptr("0.21.3")
 				return cfg
 			},
-			useTlS:     false,
+			useTlS:     true,
 			exposePort: 0,
 			expected: func() *Service {
 				svc := expectedAuth()
-				svc.Image = "nhost/hasura-auth:0.21.3"
+				svc.Image = "nhost/auth:0.21.3"
 				svc.Labels["traefik.http.middlewares.replace-auth.replacepathregex.regex"] = "/v1(/|$$)(.*)"
 				svc.Labels["traefik.http.middlewares.replace-auth.replacepathregex.replacement"] = "/$$2"
 				svc.Labels["traefik.http.routers.auth.middlewares"] = "replace-auth"
@@ -243,7 +249,7 @@ func TestAuth(t *testing.T) {
 		{
 			name:       "custom port",
 			cfg:        getConfig,
-			useTlS:     false,
+			useTlS:     true,
 			exposePort: 8080,
 			expected: func() *Service {
 				svc := expectedAuth()

cli/dockercompose/compose.go

@@ -250,7 +250,7 @@ func traefik(subdomain, projectName string, port uint, dotnhostfolder string) (*
 	}
 
 	return &Service{
-		Image:      "traefik:v3.1",
+		Image:      "traefik:v3.6",
 		DependsOn:  nil,
 		EntryPoint: nil,
 		Command: []string{
@@ -344,7 +344,7 @@ func dashboard(
 				subdomain, "hasura", httpPort, useTLS,
 			) + "/console",
 			"NEXT_PUBLIC_NHOST_HASURA_MIGRATIONS_API_URL": URL(
-				subdomain, "hasura", httpPort, useTLS),
+				subdomain, "hasura", httpPort, useTLS) + "/apis/migrate",
 			"NEXT_PUBLIC_NHOST_STORAGE_URL": URL(
 				subdomain, "storage", httpPort, useTLS) + "/v1",
 		},
@@ -459,7 +459,7 @@ func mailhog(subdomain, volumeName string, useTLS bool) *Service {
 			"SMTP_PASS":   "password",
 			"SMTP_PORT":   "1025",
 			"SMTP_SECURE": "false",
-			"SMTP_SENDER": "hasura-auth@example.com",
+			"SMTP_SENDER": "auth@example.com",
 			"SMTP_USER":   "user",
 		},
 		ExtraHosts:  extraHosts(subdomain),

cli/dockercompose/storage.go

@@ -49,7 +49,7 @@ func storage( //nolint:funlen
 	}
 
 	return &Service{
-		Image: "nhost/hasura-storage:" + *cfg.GetStorage().GetVersion(),
+		Image: "nhost/storage:" + *cfg.GetStorage().GetVersion(),
 		DependsOn: map[string]DependsOn{
 			"minio": {
 				Condition: "service_started",

cli/dockercompose/storage_test.go

@@ -9,7 +9,7 @@ import (
 
 func expectedStorage() *Service {
 	return &Service{
-		Image: "nhost/hasura-storage:0.2.5",
+		Image: "nhost/storage:0.2.5",
 		DependsOn: map[string]DependsOn{
 			"graphql":  {Condition: "service_healthy"},
 			"minio":    {Condition: "service_started"},