invalid JWT: unable to parse or verify signature, token signature is invalid: signing method HS256 is invalid #42037

@Kajalmondal1

Description

Bug report

I’m running self-hosted Supabase locally using npx supabase start (Supabase CLI, not docker-compose or Kubernetes). My API/Auth requests keep failing with invalid JWT: unable to parse or verify signature, token signature is invalid: signing method HS256 is invalid. I checked my auth session cookie/token and it is signed with alg: ES256 (so Supabase is generating ES256 tokens), but somewhere my app/backend is still sending an HS256 JWT (likely an old anon/service_role key or a manually generated token), and GoTrue rejects it. Earlier I also saw GoTrue using GOTRUE_JWT_KEYS (ES256 JWK) and even got failed to decode signing keys: json: cannot unmarshal object into Go value of type []config.JWK when the key format was wrong. I tried forcing HS256 by setting jwt_secret = "env(AUTH_JWT_SECRET)" in supabase/config.toml and AUTH_JWT_SECRET=... in supabase/.env, cleared supabase/.temp, restarted, but HS256 still fails. I want to understand how to properly force the Supabase CLI local setup to use HS256 only, or whether the Supabase CLI is meant to run ES256 and I should only use the keys shown by npx supabase status and stop using any HS256 JWTs.
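The error in this report is the server comparing the `alg` in the token header against the algorithm it was configured to accept. The following script, added here as an illustration and not part of the issue or of Supabase/GoTrue, shows how to read the unverified header of a JWT to see which algorithm a token actually carries, and how a verifier that is pinned to one expected algorithm rejects everything else with a GoTrue-style message. The secret, the payload and the ES256-shaped token are constructed demo values; only HS256 verification is implemented, using the standard library (ES256 would need an ECDSA library and the public JWK).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In a real local stack the HS256 secret is the
# JWT secret shown by `npx supabase status`, never a value hard-coded like this.
DEMO_SECRET = "demo-secret-at-least-32-characters-long-xxxxxxxx"


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def signing_input(header: dict, payload: dict) -> str:
    """Return '<header>.<payload>', the exact bytes a JWS signature covers."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return enc(header) + "." + enc(payload)


def jwt_header(token: str) -> dict:
    """Decode the JOSE header WITHOUT verifying anything.

    Use this to answer 'is this token HS256 or ES256?' before trusting it.
    """
    return json.loads(b64url_decode(token.split(".")[0]))


def make_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 token (demo helper; mirrors what an old anon/service key would produce)."""
    body = signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(sig)


def verify(token: str, expected_alg: str, hs256_secret: str = "") -> dict:
    """Verify a token against a server-side pinned algorithm.

    The expected algorithm comes from configuration, never from the token,
    so alg=none and HS256/ES256 confusion are rejected by the equality check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed token"}
    try:
        header = jwt_header(token)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return {"ok": False, "reason": "unparseable header"}
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != expected_alg:
        # Same shape as GoTrue's message in the report: server expects ES256, token says HS256.
        return {"ok": False, "reason": f"signing method {alg} is invalid"}
    if expected_alg != "HS256":
        return {"ok": False, "reason": f"{expected_alg} verification not implemented in this demo"}
    if not hs256_secret:
        return {"ok": False, "reason": "no HS256 secret configured"}
    body = parts[0] + "." + parts[1]
    expected_sig = hmac.new(hs256_secret.encode(), body.encode(), hashlib.sha256).digest()
    try:
        given_sig = b64url_decode(parts[2])
    except ValueError:
        return {"ok": False, "reason": "token signature is invalid"}
    if not hmac.compare_digest(expected_sig, given_sig):
        return {"ok": False, "reason": "token signature is invalid"}
    return {"ok": True, "alg": alg, "payload": json.loads(b64url_decode(parts[1]))}


if __name__ == "__main__":
    claims = {"sub": "user-123", "role": "authenticated"}  # constructed claims
    hs_token = make_hs256(claims, DEMO_SECRET)
    print("token header:", jwt_header(hs_token))
    print("server pinned to ES256:", verify(hs_token, "ES256"))
    print("server pinned to HS256:", verify(hs_token, "HS256", DEMO_SECRET))
```

Running `jwt_header()` on the session token from the browser and on the anon/service_role key the backend sends is the quickest way to confirm the mismatch the report describes: if the two headers disagree on `alg`, GoTrue will reject whichever one does not match its configured signing keys, regardless of the secret in use.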

Metadata

Assignees

No one assigned

    Labels

    auth: All things Supabase Auth related
    bug: Something isn't working
    cli: Related to supabase/cli
    external-issue

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
