import { createClient, SupabaseClient } from '@supabase/supabase-js';

function getUrl() {
  return process.env.NEXT_PUBLIC_SUPABASE_URL!;
}

function getAnonKey() {
  return process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
}

// Client-side (browser) — uses anon key, respects RLS
// Lazy-initialized to allow env vars to be set before first use
let _supabase: SupabaseClient | null = null;
export const supabase = new Proxy({} as SupabaseClient, {
  get(_target, prop) {
    if (!_supabase) {
      _supabase = createClient(getUrl(), getAnonKey());
    }
    return (_supabase as unknown as Record<string, unknown>)[prop as string];
  },
});

// Server-side — uses service_role key, bypasses RLS
export function getSupabaseAdmin() {
  const serviceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
  if (!serviceRoleKey) throw new Error('SUPABASE_SERVICE_ROLE_KEY is not set');
  return createClient(getUrl(), serviceRoleKey, {
    auth: { persistSession: false },
  });
}