fix(dev): route Supabase same-origin via /__supabase proxy

app-dev built with --mode production was baking the PROD Supabase URL (.env)
into the bundle, so browser auth went cross-origin to supa.classroomcopilot.ai
and was CORS-blocked (and hit the wrong user store). Mirror the /__ccapi fix:
- Dockerfile: nginx /__supabase/ -> dev Supabase .94:8000 (+WS upgrade for realtime)
- supabaseClient.ts: resolve a leading-slash VITE_SUPABASE_URL against
  window.location.origin so supabase-js gets an absolute same-origin URL
- docker-compose.dev.yml: bake VITE_SUPABASE_URL=/__supabase (like VITE_API_BASE)
Browser now talks only to the app host (Tailscale or LAN), no CORS, dev .94 store.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Dockerfile

@@ -67,6 +67,15 @@ RUN echo 'server { \
     proxy_set_header X-Real-IP $remote_addr; \
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; \
     } \
+    location /__supabase/ { \
+    proxy_pass http://192.168.0.94:8000/; \
+    proxy_set_header Host $host; \
+    proxy_set_header X-Real-IP $remote_addr; \
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; \
+    proxy_set_header Upgrade $http_upgrade; \
+    proxy_set_header Connection "upgrade"; \
+    proxy_http_version 1.1; \
+    } \
     location /api/ { \
     proxy_pass http://192.168.0.64:18000/api/; \
     proxy_set_header Host $host; \

docker-compose.dev.yml

@@ -20,16 +20,21 @@ services:
         # same-origin and pass through Dockerfile's /__ccapi proxy. The proxy
         # strips that prefix before forwarding, preserving mixed backend routes
         # such as /api/exam, /me/bootstrap, and /database/timetable.
-        # .env.dev still points at the LAN API for local Vite/dev tooling.
+        # Supabase is likewise routed same-origin via Dockerfile's /__supabase
+        # proxy -> dev Supabase .94 (no CORS, browser-network-agnostic). The
+        # leading-slash URL is resolved against window.location.origin in
+        # supabaseClient.ts. Provide the matching .94 anon key as a build arg
+        # (VITE_SUPABASE_ANON_KEY) so it pairs with the .94 backend.
+        # .env.dev still points at the LAN API/Supabase for local Vite/dev tooling.
         VITE_API_BASE: /__ccapi
         VITE_API_URL: /__ccapi
+        VITE_SUPABASE_URL: /__supabase
         VITE_APP_NAME: ${VITE_APP_NAME:-Classroom Copilot}
         VITE_APP_HMR_URL: ${VITE_APP_HMR_URL:-}
         VITE_DEV: ${VITE_DEV:-false}
         VITE_FRONTEND_SITE_URL: ${VITE_FRONTEND_SITE_URL:-}
         VITE_SEARCH_URL: ${VITE_SEARCH_URL:-}
         VITE_SUPABASE_ANON_KEY: ${VITE_SUPABASE_ANON_KEY:-}
-        VITE_SUPABASE_URL: ${VITE_SUPABASE_URL:-}
         VITE_SUPER_ADMIN_EMAIL: ${VITE_SUPER_ADMIN_EMAIL:-}
         VITE_TLSYNC_URL: ${VITE_TLSYNC_URL:-}
         VITE_WHISPERLIVE_URL: ${VITE_WHISPERLIVE_URL:-}

src/supabaseClient.ts

@@ -1,9 +1,17 @@
 import { createClient, SupabaseClient } from '@supabase/supabase-js';
 import { logger } from './debugConfig';
 
-const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
+const rawSupabaseUrl = import.meta.env.VITE_SUPABASE_URL;
 const supabaseAnonKey = import.meta.env.VITE_SUPABASE_ANON_KEY;
 
+// Same-origin proxy support: a leading-slash value (e.g. "/__supabase") is
+// resolved against the current browser origin so supabase-js receives an
+// absolute URL while every request stays same-origin (no CORS) and routes
+// through the app host's /__supabase nginx proxy to the backend Supabase.
+const supabaseUrl = rawSupabaseUrl?.startsWith('/')
+  ? `${window.location.origin}${rawSupabaseUrl}`
+  : rawSupabaseUrl;
+
 if (!supabaseUrl || !supabaseAnonKey) {
   throw new Error('Missing Supabase configuration');
 }