fix: resolve supabase-storage crash-loop by adding missing s3 config variables

supabase-storage crashes with "Region is missing" after upstream image
update because @aws-sdk/client-s3vectors requires REGION env var.

- add REGION, GLOBAL_S3_BUCKET, STORAGE_TENANT_ID to .env.example
- auto-generate S3_PROTOCOL_ACCESS_KEY_ID/SECRET in secret generation
- sync new env vars to existing supabase/docker/.env during updates
  (append-only, never overwrites existing values)
- bump version 1.3.3 → 1.4.1

.env.example

@@ -421,6 +421,25 @@ IMGPROXY_ENABLE_WEBP_DETECTION=true
 # Add your OpenAI API key to enable SQL Editor Assistant
 OPENAI_API_KEY=
 
+
+############
+# Storage - Configuration for S3 protocol endpoint
+############
+
+# S3 bucket when using S3 backend, directory name when using 'file'
+GLOBAL_S3_BUCKET=stub
+
+# Used for S3 protocol endpoint configuration
+REGION=stub
+
+# Equivalent to project_ref (S3 session token authentication)
+STORAGE_TENANT_ID=stub
+
+# Access to Storage via S3 protocol endpoint
+S3_PROTOCOL_ACCESS_KEY_ID=
+S3_PROTOCOL_ACCESS_KEY_SECRET=
+
+
 # ============================================
 # Cloudflare Tunnel Configuration (Optional)
 # ============================================

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 ## [Unreleased]
 
+## [1.4.1] - 2026-03-23
+
+### Fixed
+- **Supabase Storage** - Fix crash-loop (`Region is missing`) by adding missing S3 storage configuration variables (`REGION`, `GLOBAL_S3_BUCKET`, `STORAGE_TENANT_ID`) from upstream Supabase
+- **Supabase** - Sync new environment variables to existing `supabase/docker/.env` during updates (previously only populated on first install)
+
 ## [1.4.0] - 2026-03-15
 
 ### Added

VERSION

@@ -1 +1 @@
-1.3.3
+1.4.1

scripts/03_generate_secrets.sh

@@ -115,6 +115,8 @@ declare -A VARS_TO_GENERATE=(
     ["RAGFLOW_MINIO_ROOT_PASSWORD"]="password:32"
     ["RAGFLOW_MYSQL_ROOT_PASSWORD"]="password:32"
     ["RAGFLOW_REDIS_PASSWORD"]="password:32"
+    ["S3_PROTOCOL_ACCESS_KEY_ID"]="hex:32"
+    ["S3_PROTOCOL_ACCESS_KEY_SECRET"]="hex:64"
     ["SEARXNG_PASSWORD"]="password:32" # Added SearXNG admin password
     ["SECRET_KEY_BASE"]="base64:64" # 48 bytes -> 64 chars
     ["TEMPORAL_UI_PASSWORD"]="password:32" # Temporal UI basic auth password

start_services.py

@@ -71,18 +71,40 @@ def clone_supabase_repo():
         os.chdir("..")
 
 def prepare_supabase_env():
-    """Copy .env to .env in supabase/docker."""
+    """Copy .env to supabase/docker/.env, or sync new variables if it already exists."""
     if not is_supabase_enabled():
         print("Supabase is not enabled, skipping env preparation.")
         return
     env_path = os.path.join("supabase", "docker", ".env")
-    env_example_path = os.path.join(".env")
-    # Do not overwrite existing Supabase env to avoid credential drift
+    root_env_path = ".env"
     if os.path.exists(env_path):
-        print(f"Supabase env already exists at {env_path}, not overwriting.")
+        # Sync new variables from root .env that don't exist in supabase .env
+        print(f"Syncing new variables from root .env to {env_path}...")
+        root_env = dotenv_values(root_env_path)
+        supabase_env = dotenv_values(env_path)
+        new_vars = []
+        for key, value in root_env.items():
+            if key not in supabase_env and value is not None:
+                # Quote values to handle special characters safely
+                if '$' in value:
+                    new_vars.append(f"{key}='{value}'")
+                else:
+                    new_vars.append(f'{key}="{value}"')
+        if new_vars:
+            with open(env_path, 'r') as f:
+                existing_content = f.read()
+            sync_header = "# --- Variables synced from root .env ---"
+            with open(env_path, 'a') as f:
+                if sync_header not in existing_content:
+                    f.write(f"\n{sync_header}\n")
+                for var in new_vars:
+                    f.write(f"{var}\n")
+            print(f"Synced {len(new_vars)} new variable(s) to Supabase env.")
+        else:
+            print("Supabase env is up to date, no new variables to sync.")
         return
     print("Copying .env in root to .env in supabase/docker...")
-    shutil.copyfile(env_example_path, env_path)
+    shutil.copyfile(root_env_path, env_path)
 
 def clone_dify_repo():
     """Clone the Dify repository using sparse checkout if not already present."""