garrytan
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 35 additions & 2 deletions b/‎CHANGELOG.md‎
Lines changed: 35 additions & 2 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 14 additions & 1 deletion b/‎CLAUDE.md‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎VERSION‎
Lines changed: 1 addition & 1 deletion b/‎VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bin/gstack-community-dashboard‎
Lines changed: 35 additions & 43 deletions b/‎bin/gstack-community-dashboard‎
Lines changed: 35 additions & 43 deletions
diff --git a/‎bin/gstack-telemetry-log‎
Lines changed: 20 additions & 9 deletions b/‎bin/gstack-telemetry-log‎
Lines changed: 20 additions & 9 deletions
diff --git a/‎bin/gstack-telemetry-sync‎
Lines changed: 26 additions & 16 deletions b/‎bin/gstack-telemetry-sync‎
Lines changed: 26 additions & 16 deletions
diff --git a/‎bin/gstack-update-check‎
Lines changed: 7 additions & 10 deletions b/‎bin/gstack-update-check‎
Lines changed: 7 additions & 10 deletions
diff --git a/‎browse/dist/browse‎
-58.1 MB b/‎browse/dist/browse‎
-58.1 MB
@@ -15,3 +15,4 @@ bun.lock
 .env.local
 .env.*
 !.env.example
+supabase/.temp/
@@ -1,10 +1,43 @@
 # Changelog
 
-## [0.11.14.1] - 2026-03-24
+## [0.11.16.1] - 2026-03-24 — Installation ID Privacy Fix
+
+### Fixed
+
+- **Installation IDs are now random UUIDs instead of hostname hashes.** The old `SHA-256(hostname+username)` approach meant anyone who knew your machine identity could compute your installation ID. Now uses a random UUID stored in `~/.gstack/installation-id` — not derivable from any public input, rotatable by deleting the file.
+- **RLS verification script handles edge cases.** `verify-rls.sh` now correctly treats INSERT success as expected (kept for old client compat), handles 409 conflicts and 204 no-ops.
+
+## [0.11.16.0] - 2026-03-24 — Telemetry Security Hardening
+
+### Fixed
+
+- **Telemetry RLS policies tightened.** Row-level security policies on all telemetry tables now deny direct access via the anon key. All reads and writes go through validated edge functions with schema checks, event type allowlists, and field length limits.
+- **Community dashboard is faster and server-cached.** Dashboard stats are now served from a single edge function with 1-hour server-side caching, replacing multiple direct queries.
 
 ### Changed
 
-- **One decision per question — everywhere.** Every skill now presents decisions one at a time, each with its own focused question, recommendation, and options. No more wall-of-text questions that bundle unrelated choices together. This was already enforced in the three plan-review skills; now it's a universal rule across all 23+ skills.
+- **Telemetry sync uses `GSTACK_SUPABASE_URL` instead of `GSTACK_TELEMETRY_ENDPOINT`.** Edge functions need the base URL, not the REST API path. The old variable is removed from `config.sh`.
+- **Cursor advancement is now safe.** The sync script checks the edge function's `inserted` count before advancing — if zero events were inserted, the cursor holds and retries next run.
+
+### For contributors
+
+- New migration: `supabase/migrations/002_tighten_rls.sql`
+- New smoke test: `supabase/verify-rls.sh` (9 checks: 5 reads + 4 writes)
+- Extended `test/telemetry.test.ts` with field name verification
+- Untracked `browse/dist/` binaries from git (arm64-only, rebuilt by `./setup`)
+
+## [0.11.15.0] - 2026-03-24 — E2E Test Coverage for Plan Reviews & Codex
+
+### Added
+
+- **E2E tests verify plan review reports appear at the bottom of plans.** The `/plan-eng-review` review report is now tested end-to-end — if it stops writing `## GSTACK REVIEW REPORT` to the plan file, the test catches it.
+- **E2E tests verify Codex is offered in every plan skill.** Four new lightweight tests confirm that `/office-hours`, `/plan-ceo-review`, `/plan-design-review`, and `/plan-eng-review` all check for Codex availability, prompt the user, and handle the fallback when Codex is unavailable.
+
+### For contributors
+
+- New E2E tests in `test/skill-e2e-plan.test.ts`: `plan-review-report`, `codex-offered-eng-review`, `codex-offered-ceo-review`, `codex-offered-office-hours`, `codex-offered-design-review`
+- Updated touchfile mappings and selection count assertions
+- Added `touchfiles` to the documented global touchfile list in CLAUDE.md
 
 ## [0.11.14.0] - 2026-03-24 — Windows Browse Fix
 
 
@@ -29,7 +29,7 @@ against the previous run.
 **Diff-based test selection:** `test:evals` and `test:e2e` auto-select tests based
 on `git diff` against the base branch. Each test declares its file dependencies in
 `test/helpers/touchfiles.ts`. Changes to global touchfiles (session-runner, eval-store,
-llm-judge, gen-skill-docs) trigger all tests. Use `EVALS_ALL=1` or the `:all` script
+llm-judge, gen-skill-docs, touchfiles) trigger all tests. Use `EVALS_ALL=1` or the `:all` script
 variants to force all tests. Run `eval:select` to preview which tests would run.
 
 ## Testing
@@ -165,6 +165,19 @@ symlink or a real copy. If it's a symlink to your working directory, be aware th
 gen-skill-docs pipeline, consider whether the changes should be tested in isolation
 before going live (especially if the user is actively using gstack in other windows).
 
+## Compiled binaries — NEVER commit browse/dist/
+
+The `browse/dist/` directory contains compiled Bun binaries (`browse`, `find-browse`,
+~58MB each). These are Mach-O arm64 only — they do NOT work on Linux, Windows, or
+Intel Macs. The `./setup` script already builds from source for every platform, so
+the checked-in binaries are redundant. They are tracked by git due to a historical
+mistake and should eventually be removed with `git rm --cached`.
+
+**NEVER stage or commit these files.** They show up as modified in `git status`
+because they're tracked despite `.gitignore` — ignore them. When staging files,
+always use specific filenames (`git add file1 file2`) — never `git add .` or
+`git add -A`, which will accidentally include the binaries.
+
 ## Commit style
 
 **Always bisect commits.** Every commit should be a single logical change. When
 
@@ -212,7 +212,7 @@ gstack includes **opt-in** usage telemetry to help improve the project. Here's e
 - **What's never sent:** code, file paths, repo names, branch names, prompts, or any user-generated content.
 - **Change anytime:** `gstack-config set telemetry off` disables everything instantly.
 
-Data is stored in [Supabase](https://supabase.com) (open source Firebase alternative). The schema is in [`supabase/migrations/001_telemetry.sql`](supabase/migrations/001_telemetry.sql) — you can verify exactly what's collected. The Supabase publishable key in the repo is a public key (like a Firebase API key) — row-level security policies restrict it to insert-only access.
+Data is stored in [Supabase](https://supabase.com) (open source Firebase alternative). The schema is in [`supabase/migrations/`](supabase/migrations/) — you can verify exactly what's collected. The Supabase publishable key in the repo is a public key (like a Firebase API key) — row-level security policies deny all direct access. Telemetry flows through validated edge functions that enforce schema checks, event type allowlists, and field length limits.
 
 **Local analytics are always available.** Run `gstack-analytics` to see your personal usage dashboard from the local JSONL file — no remote data needed.
 
 
@@ -1 +1 @@
-0.11.14.1
+0.11.16.1
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # gstack-community-dashboard — community usage stats from Supabase
 #
-# Queries the Supabase REST API to show community-wide gstack usage:
+# Calls the community-pulse edge function for aggregated stats:
 # skill popularity, crash clusters, version distribution, retention.
 #
 # Env overrides (for testing):
@@ -30,51 +30,40 @@ if [ -z "$SUPABASE_URL" ] || [ -z "$ANON_KEY" ]; then
   exit 0
 fi
 
-# ─── Helper: query Supabase REST API ─────────────────────────
-query() {
-  local table="$1"
-  local params="${2:-}"
-  curl -sf --max-time 10 \
-    "${SUPABASE_URL}/rest/v1/${table}?${params}" \
-    -H "apikey: ${ANON_KEY}" \
-    -H "Authorization: Bearer ${ANON_KEY}" \
-    2>/dev/null || echo "[]"
-}
+# ─── Fetch aggregated stats from edge function ────────────────
+DATA="$(curl -sf --max-time 15 \
+  "${SUPABASE_URL}/functions/v1/community-pulse" \
+  -H "apikey: ${ANON_KEY}" \
+  2>/dev/null || echo "{}")"
 
 echo "gstack community dashboard"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 
 # ─── Weekly active installs ──────────────────────────────────
-WEEK_AGO="$(date -u -v-7d +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo "")"
-if [ -n "$WEEK_AGO" ]; then
-  PULSE="$(curl -sf --max-time 10 \
-    "${SUPABASE_URL}/functions/v1/community-pulse" \
-    -H "Authorization: Bearer ${ANON_KEY}" \
-    2>/dev/null || echo '{"weekly_active":0}')"
-
-  WEEKLY="$(echo "$PULSE" | grep -o '"weekly_active":[0-9]*' | grep -o '[0-9]*' || echo "0")"
-  CHANGE="$(echo "$PULSE" | grep -o '"change_pct":[0-9-]*' | grep -o '[0-9-]*' || echo "0")"
-
-  echo "Weekly active installs: ${WEEKLY}"
-  if [ "$CHANGE" -gt 0 ] 2>/dev/null; then
-    echo "  Change: +${CHANGE}%"
-  elif [ "$CHANGE" -lt 0 ] 2>/dev/null; then
-    echo "  Change: ${CHANGE}%"
-  fi
-  echo ""
+WEEKLY="$(echo "$DATA" | grep -o '"weekly_active":[0-9]*' | grep -o '[0-9]*' || echo "0")"
+CHANGE="$(echo "$DATA" | grep -o '"change_pct":[0-9-]*' | grep -o '[0-9-]*' || echo "0")"
+
+echo "Weekly active installs: ${WEEKLY}"
+if [ "$CHANGE" -gt 0 ] 2>/dev/null; then
+  echo "  Change: +${CHANGE}%"
+elif [ "$CHANGE" -lt 0 ] 2>/dev/null; then
+  echo "  Change: ${CHANGE}%"
 fi
+echo ""
 
 # ─── Skill popularity (top 10) ───────────────────────────────
 echo "Top skills (last 7 days)"
 echo "────────────────────────"
 
-# Query telemetry_events, group by skill
-EVENTS="$(query "telemetry_events" "select=skill,gstack_version&event_type=eq.skill_run&event_timestamp=gte.${WEEK_AGO}&limit=1000" 2>/dev/null || echo "[]")"
-
-if [ "$EVENTS" != "[]" ] && [ -n "$EVENTS" ]; then
-  echo "$EVENTS" | grep -o '"skill":"[^"]*"' | awk -F'"' '{print $4}' | sort | uniq -c | sort -rn | head -10 | while read -r COUNT SKILL; do
-    printf "  /%-20s %d runs\n" "$SKILL" "$COUNT"
+# Parse top_skills array from JSON
+SKILLS="$(echo "$DATA" | grep -o '"top_skills":\[[^]]*\]' || echo "")"
+if [ -n "$SKILLS" ] && [ "$SKILLS" != '"top_skills":[]' ]; then
+  # Parse each object — handle any key order (JSONB doesn't preserve order)
+  echo "$SKILLS" | grep -o '{[^}]*}' | while read -r OBJ; do
+    SKILL="$(echo "$OBJ" | grep -o '"skill":"[^"]*"' | awk -F'"' '{print $4}')"
+    COUNT="$(echo "$OBJ" | grep -o '"count":[0-9]*' | grep -o '[0-9]*')"
+    [ -n "$SKILL" ] && [ -n "$COUNT" ] && printf "  /%-20s %s runs\n" "$SKILL" "$COUNT"
   done
 else
   echo "  No data yet"
@@ -85,12 +74,12 @@ echo ""
 echo "Top crash clusters"
 echo "──────────────────"
 
-CRASHES="$(query "crash_clusters" "select=error_class,gstack_version,total_occurrences,identified_users&limit=5" 2>/dev/null || echo "[]")"
-
-if [ "$CRASHES" != "[]" ] && [ -n "$CRASHES" ]; then
-  echo "$CRASHES" | grep -o '"error_class":"[^"]*"' | awk -F'"' '{print $4}' | head -5 | while read -r ERR; do
-    C="$(echo "$CRASHES" | grep -o "\"error_class\":\"$ERR\"[^}]*\"total_occurrences\":[0-9]*" | grep -o '"total_occurrences":[0-9]*' | head -1 | grep -o '[0-9]*')"
-    printf "  %-30s %s occurrences\n" "$ERR" "${C:-?}"
+CRASHES="$(echo "$DATA" | grep -o '"crashes":\[[^]]*\]' || echo "")"
+if [ -n "$CRASHES" ] && [ "$CRASHES" != '"crashes":[]' ]; then
+  echo "$CRASHES" | grep -o '{[^}]*}' | head -5 | while read -r OBJ; do
+    ERR="$(echo "$OBJ" | grep -o '"error_class":"[^"]*"' | awk -F'"' '{print $4}')"
+    C="$(echo "$OBJ" | grep -o '"total_occurrences":[0-9]*' | grep -o '[0-9]*')"
+    [ -n "$ERR" ] && printf "  %-30s %s occurrences\n" "$ERR" "${C:-?}"
   done
 else
   echo "  No crashes reported"
@@ -101,9 +90,12 @@ echo ""
 echo "Version distribution (last 7 days)"
 echo "───────────────────────────────────"
 
-if [ "$EVENTS" != "[]" ] && [ -n "$EVENTS" ]; then
-  echo "$EVENTS" | grep -o '"gstack_version":"[^"]*"' | awk -F'"' '{print $4}' | sort | uniq -c | sort -rn | head -5 | while read -r COUNT VER; do
-    printf "  v%-15s %d events\n" "$VER" "$COUNT"
+VERSIONS="$(echo "$DATA" | grep -o '"versions":\[[^]]*\]' || echo "")"
+if [ -n "$VERSIONS" ] && [ "$VERSIONS" != '"versions":[]' ]; then
+  echo "$VERSIONS" | grep -o '{[^}]*}' | head -5 | while read -r OBJ; do
+    VER="$(echo "$OBJ" | grep -o '"version":"[^"]*"' | awk -F'"' '{print $4}')"
+    COUNT="$(echo "$OBJ" | grep -o '"count":[0-9]*' | grep -o '[0-9]*')"
+    [ -n "$VER" ] && [ -n "$COUNT" ] && printf "  v%-15s %s events\n" "$VER" "$COUNT"
   done
 else
   echo "  No data yet"
 
@@ -106,18 +106,29 @@ if [ -d "$STATE_DIR/sessions" ]; then
 fi
 
 # Generate installation_id for community tier
+# Uses a random UUID stored locally — not derived from hostname/user so it
+# can't be guessed or correlated by someone who knows your machine identity.
 INSTALL_ID=""
 if [ "$TIER" = "community" ]; then
-  HOST="$(hostname 2>/dev/null || echo "unknown")"
-  USER="$(whoami 2>/dev/null || echo "unknown")"
-  if command -v shasum >/dev/null 2>&1; then
-    INSTALL_ID="$(printf '%s-%s' "$HOST" "$USER" | shasum -a 256 | awk '{print $1}')"
-  elif command -v sha256sum >/dev/null 2>&1; then
-    INSTALL_ID="$(printf '%s-%s' "$HOST" "$USER" | sha256sum | awk '{print $1}')"
-  elif command -v openssl >/dev/null 2>&1; then
-    INSTALL_ID="$(printf '%s-%s' "$HOST" "$USER" | openssl dgst -sha256 | awk '{print $NF}')"
+  ID_FILE="$HOME/.gstack/installation-id"
+  if [ -f "$ID_FILE" ]; then
+    INSTALL_ID="$(cat "$ID_FILE" 2>/dev/null)"
+  fi
+  if [ -z "$INSTALL_ID" ]; then
+    # Generate a random UUID v4
+    if command -v uuidgen >/dev/null 2>&1; then
+      INSTALL_ID="$(uuidgen | tr '[:upper:]' '[:lower:]')"
+    elif [ -r /proc/sys/kernel/random/uuid ]; then
+      INSTALL_ID="$(cat /proc/sys/kernel/random/uuid)"
+    else
+      # Fallback: random hex from /dev/urandom
+      INSTALL_ID="$(od -An -tx1 -N16 /dev/urandom 2>/dev/null | tr -d ' \n')"
+    fi
+    if [ -n "$INSTALL_ID" ]; then
+      mkdir -p "$(dirname "$ID_FILE")" 2>/dev/null
+      printf '%s' "$INSTALL_ID" > "$ID_FILE" 2>/dev/null
+    fi
   fi
-  # If no SHA-256 command available, install_id stays empty
 fi
 
 # Local-only fields (never sent remotely)
 
@@ -3,11 +3,12 @@
 #
 # Fire-and-forget, backgrounded, rate-limited to once per 5 minutes.
 # Strips local-only fields before sending. Respects privacy tiers.
+# Posts to the telemetry-ingest edge function (not PostgREST directly).
 #
 # Env overrides (for testing):
 #   GSTACK_STATE_DIR           — override ~/.gstack state directory
 #   GSTACK_DIR                 — override auto-detected gstack root
-#   GSTACK_TELEMETRY_ENDPOINT  — override Supabase endpoint URL
+#   GSTACK_SUPABASE_URL        — override Supabase project URL
 set -uo pipefail
 
 GSTACK_DIR="${GSTACK_DIR:-$(cd "$(dirname "$0")/.." && pwd)}"
@@ -19,15 +20,15 @@ RATE_FILE="$ANALYTICS_DIR/.last-sync-time"
 CONFIG_CMD="$GSTACK_DIR/bin/gstack-config"
 
 # Source Supabase config if not overridden by env
-if [ -z "${GSTACK_TELEMETRY_ENDPOINT:-}" ] && [ -f "$GSTACK_DIR/supabase/config.sh" ]; then
+if [ -z "${GSTACK_SUPABASE_URL:-}" ] && [ -f "$GSTACK_DIR/supabase/config.sh" ]; then
   . "$GSTACK_DIR/supabase/config.sh"
 fi
-ENDPOINT="${GSTACK_TELEMETRY_ENDPOINT:-}"
+SUPABASE_URL="${GSTACK_SUPABASE_URL:-}"
 ANON_KEY="${GSTACK_SUPABASE_ANON_KEY:-}"
 
 # ─── Pre-checks ──────────────────────────────────────────────
-# No endpoint configured yet → exit silently
-[ -z "$ENDPOINT" ] && exit 0
+# No Supabase URL configured yet → exit silently
+[ -z "$SUPABASE_URL" ] && exit 0
 
 # No JSONL file → nothing to sync
 [ -f "$JSONL_FILE" ] || exit 0
@@ -66,6 +67,8 @@ UNSENT="$(tail -n "+$SKIP" "$JSONL_FILE" 2>/dev/null || true)"
 [ -z "$UNSENT" ] && exit 0
 
 # ─── Strip local-only fields and build batch ─────────────────
+# Edge function expects raw JSONL field names (v, ts, sessions) —
+# no column renaming needed (the function maps them internally).
 BATCH="["
 FIRST=true
 COUNT=0
@@ -75,13 +78,10 @@ while IFS= read -r LINE; do
   [ -z "$LINE" ] && continue
   echo "$LINE" | grep -q '^{' || continue
 
-  # Strip local-only fields + map JSONL field names to Postgres column names
+  # Strip local-only fields (keep v, ts, sessions as-is for edge function)
   CLEAN="$(echo "$LINE" | sed \
     -e 's/,"_repo_slug":"[^"]*"//g' \
     -e 's/,"_branch":"[^"]*"//g' \
-    -e 's/"v":/"schema_version":/g' \
-    -e 's/"ts":/"event_timestamp":/g' \
-    -e 's/"sessions":/"concurrent_sessions":/g' \
     -e 's/,"repo":"[^"]*"//g')"
 
   # If anonymous tier, strip installation_id
@@ -106,21 +106,31 @@ BATCH="$BATCH]"
 # Nothing to send after filtering
 [ "$COUNT" -eq 0 ] && exit 0
 
-# ─── POST to Supabase ────────────────────────────────────────
-HTTP_CODE="$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
-  -X POST "${ENDPOINT}/telemetry_events" \
+# ─── POST to edge function ───────────────────────────────────
+RESP_FILE="$(mktemp /tmp/gstack-sync-XXXXXX 2>/dev/null || echo "/tmp/gstack-sync-$$")"
+HTTP_CODE="$(curl -s -w '%{http_code}' --max-time 10 \
+  -X POST "${SUPABASE_URL}/functions/v1/telemetry-ingest" \
   -H "Content-Type: application/json" \
   -H "apikey: ${ANON_KEY}" \
-  -H "Authorization: Bearer ${ANON_KEY}" \
-  -H "Prefer: return=minimal" \
+  -o "$RESP_FILE" \
   -d "$BATCH" 2>/dev/null || echo "000")"
 
 # ─── Update cursor on success (2xx) ─────────────────────────
 case "$HTTP_CODE" in
-  2*) NEW_CURSOR=$(( CURSOR + COUNT ))
-      echo "$NEW_CURSOR" > "$CURSOR_FILE" 2>/dev/null || true ;;
+  2*)
+    # Parse inserted count from response — only advance if events were actually inserted.
+    # Advance by SENT count (not inserted count) because we can't map inserted back to
+    # source lines. If inserted==0, something is systemically wrong — don't advance.
+    INSERTED="$(grep -o '"inserted":[0-9]*' "$RESP_FILE" 2>/dev/null | grep -o '[0-9]*' || echo "0")"
+    if [ "${INSERTED:-0}" -gt 0 ] 2>/dev/null; then
+      NEW_CURSOR=$(( CURSOR + COUNT ))
+      echo "$NEW_CURSOR" > "$CURSOR_FILE" 2>/dev/null || true
+    fi
+    ;;
 esac
 
+rm -f "$RESP_FILE" 2>/dev/null || true
+
 # Update rate limit marker
 touch "$RATE_FILE" 2>/dev/null || true
 
 
@@ -160,25 +160,22 @@ fi
 mkdir -p "$STATE_DIR"
 
 # Fire Supabase install ping in background (parallel, non-blocking)
-# This logs an update check event for community health metrics.
-# If the endpoint isn't configured or Supabase is down, this is a no-op.
-# Source Supabase config for install ping
-if [ -z "${GSTACK_TELEMETRY_ENDPOINT:-}" ] && [ -f "$GSTACK_DIR/supabase/config.sh" ]; then
+# This logs an update check event for community health metrics via edge function.
+# If Supabase is not configured or telemetry is off, this is a no-op.
+if [ -z "${GSTACK_SUPABASE_URL:-}" ] && [ -f "$GSTACK_DIR/supabase/config.sh" ]; then
   . "$GSTACK_DIR/supabase/config.sh"
 fi
-_SUPA_ENDPOINT="${GSTACK_TELEMETRY_ENDPOINT:-}"
+_SUPA_URL="${GSTACK_SUPABASE_URL:-}"
 _SUPA_KEY="${GSTACK_SUPABASE_ANON_KEY:-}"
 # Respect telemetry opt-out — don't ping Supabase if user set telemetry: off
 _TEL_TIER="$("$GSTACK_DIR/bin/gstack-config" get telemetry 2>/dev/null || true)"
-if [ -n "$_SUPA_ENDPOINT" ] && [ -n "$_SUPA_KEY" ] && [ "${_TEL_TIER:-off}" != "off" ]; then
+if [ -n "$_SUPA_URL" ] && [ -n "$_SUPA_KEY" ] && [ "${_TEL_TIER:-off}" != "off" ]; then
   _OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
   curl -sf --max-time 5 \
-    -X POST "${_SUPA_ENDPOINT}/update_checks" \
+    -X POST "${_SUPA_URL}/functions/v1/update-check" \
     -H "Content-Type: application/json" \
     -H "apikey: ${_SUPA_KEY}" \
-    -H "Authorization: Bearer ${_SUPA_KEY}" \
-    -H "Prefer: return=minimal" \
-    -d "{\"gstack_version\":\"$LOCAL\",\"os\":\"$_OS\"}" \
+    -d "{\"version\":\"$LOCAL\",\"os\":\"$_OS\"}" \
     >/dev/null 2>&1 &
 fi