@baseworks/account 0.2.0

package/src/__tests__/cli-members.test.ts

@@ -0,0 +1,94 @@
+/// <reference types="vitest/globals" />
+import { beforeAll, afterEach, afterAll, describe, it, expect } from 'vitest'
+import { run, mocks, server } from './helpers.js'
+
+beforeAll(() => server.listen({ onUnhandledRequest: 'warn' }))
+afterEach(() => server.resetHandlers())
+afterAll(() => server.close())
+
+const MEMBER1 = {
+  userId:   '019f10aa-1111-7000-0001-aaaaaaaaaaaa',
+  email:    'ali@dotlabs.io',
+  name:     'Ali',
+  role:     'admin',
+  joinedAt: 1782507760630,
+}
+
+const MEMBER2 = {
+  userId:   '019f10ab-2222-7000-0002-bbbbbbbbbbbb',
+  email:    'zeynep@dotlabs.io',
+  name:     'Zeynep',
+  role:     'member',
+  joinedAt: 1782507771000,
+}
+
+// ── list ─────────────────────────────────────────────────────────────────────
+
+describe('flect members (list)', () => {
+  it('default columns: EMAIL → NAME → ROLE', async () => {
+    mocks.mockGet('/v1/account/members', { members: [MEMBER1, MEMBER2] })
+    const r = await run(['members'])
+    expect(r.exitCode).toBe(0)
+    expect(r.stdout).toContain('ali@dotlabs.io')
+    expect(r.stdout).toContain('admin')
+    expect(r.stdout.indexOf('EMAIL')).toBeLessThan(r.stdout.indexOf('NAME'))
+    expect(r.stdout.indexOf('NAME')).toBeLessThan(r.stdout.indexOf('ROLE'))
+  })
+
+  it('does not show full UUID in default view', async () => {
+    mocks.mockGet('/v1/account/members', { members: [MEMBER1] })
+    const r = await run(['members'])
+    expect(r.stdout).not.toContain(MEMBER1.userId)
+  })
+
+  it('-o wide adds JOINED and USER ID columns', async () => {
+    mocks.mockGet('/v1/account/members', { members: [MEMBER1] })
+    const r = await run(['members', '-o', 'wide'])
+    expect(r.exitCode).toBe(0)
+    expect(r.stdout).toContain('JOINED')
+    expect(r.stdout).toContain('USER ID')
+    expect(r.stdout).toContain(MEMBER1.userId)
+  })
+
+  it('-o json returns raw array', async () => {
+    mocks.mockGet('/v1/account/members', { members: [MEMBER1] })
+    const r = await run(['members', '-o', 'json'])
+    const parsed = JSON.parse(r.stdout)
+    expect(Array.isArray(parsed)).toBe(true)
+    expect(parsed[0].email).toBe('ali@dotlabs.io')
+  })
+})
+
+// ── role ─────────────────────────────────────────────────────────────────────
+
+describe('flect members role', () => {
+  it('works with email', async () => {
+    const captured = mocks.mockPatchCapture('/v1/account/members/ali@dotlabs.io/role', { ok: true })
+    const r = await run(['members', 'role', 'ali@dotlabs.io', 'member'])
+    expect(r.exitCode).toBe(0)
+    expect((captured.body as Record<string, unknown>).role).toBe('member')
+  })
+
+  it('works with userId', async () => {
+    const captured = mocks.mockPatchCapture(`/v1/account/members/${MEMBER1.userId}/role`, { ok: true })
+    const r = await run(['members', 'role', MEMBER1.userId, 'viewer'])
+    expect(r.exitCode).toBe(0)
+    expect((captured.body as Record<string, unknown>).role).toBe('viewer')
+  })
+})
+
+// ── remove ────────────────────────────────────────────────────────────────────
+
+describe('flect members remove', () => {
+  it('works with email', async () => {
+    mocks.mockDelete('/v1/account/members/ali@dotlabs.io')
+    const r = await run(['members', 'remove', 'ali@dotlabs.io'])
+    expect(r.exitCode).toBe(0)
+  })
+
+  it('works with userId', async () => {
+    mocks.mockDelete(`/v1/account/members/${MEMBER1.userId}`)
+    const r = await run(['members', 'remove', MEMBER1.userId])
+    expect(r.exitCode).toBe(0)
+  })
+})

package/src/__tests__/cli-tokens.test.ts

@@ -0,0 +1,96 @@
+/// <reference types="vitest/globals" />
+import { beforeAll, afterEach, afterAll, describe, it, expect } from 'vitest'
+import { run, mocks, server } from './helpers.js'
+
+beforeAll(() => server.listen({ onUnhandledRequest: 'warn' }))
+afterEach(() => server.resetHandlers())
+afterAll(() => server.close())
+
+const TOKEN = {
+  id:         '019f20cc-3333-7000-aaaa-ffffffffffff',
+  keyPrefix:  'flect_a1b2c3',
+  name:       'CI deploy',
+  lastUsedAt: null,
+  createdAt:  1782507760630,
+}
+
+const TOKEN2 = {
+  id:         '019f20cd-4444-7000-bbbb-eeeeeeeeeeee',
+  keyPrefix:  'flect_x9y8z7',
+  name:       'Local dev',
+  lastUsedAt: 1782507990000,
+  createdAt:  1782507760000,
+}
+
+// ── list ─────────────────────────────────────────────────────────────────────
+
+describe('flect tokens (list)', () => {
+  it('default columns: PREFIX → NAME → LAST USED', async () => {
+    mocks.mockGet('/v1/account/me/tokens', { tokens: [TOKEN, TOKEN2] })
+    const r = await run(['tokens'])
+    expect(r.exitCode).toBe(0)
+    expect(r.stdout).toContain('flect_a1b2c3')
+    expect(r.stdout).toContain('CI deploy')
+    expect(r.stdout.indexOf('PREFIX')).toBeLessThan(r.stdout.indexOf('NAME'))
+  })
+
+  it('does not show full UUID in default view', async () => {
+    mocks.mockGet('/v1/account/me/tokens', { tokens: [TOKEN] })
+    const r = await run(['tokens'])
+    expect(r.stdout).not.toContain(TOKEN.id)
+  })
+
+  it('-o wide adds CREATED and FULL ID columns', async () => {
+    mocks.mockGet('/v1/account/me/tokens', { tokens: [TOKEN] })
+    const r = await run(['tokens', '-o', 'wide'])
+    expect(r.exitCode).toBe(0)
+    expect(r.stdout).toContain('FULL ID')
+    expect(r.stdout).toContain(TOKEN.id)
+  })
+
+  it('-o json returns raw array', async () => {
+    mocks.mockGet('/v1/account/me/tokens', { tokens: [TOKEN] })
+    const r = await run(['tokens', '-o', 'json'])
+    const parsed = JSON.parse(r.stdout)
+    expect(Array.isArray(parsed)).toBe(true)
+    expect(parsed[0].keyPrefix).toBe('flect_a1b2c3')
+  })
+})
+
+// ── create ────────────────────────────────────────────────────────────────────
+
+describe('flect tokens create', () => {
+  it('sends name, shows prefix in output', async () => {
+    const captured = mocks.mockPostCapture('/v1/account/me/tokens', {
+      token: { ...TOKEN, raw: 'flect_a1b2c3_secretpart' },
+    })
+    const r = await run(['tokens', 'create', '--name', 'CI deploy'])
+    expect(r.exitCode).toBe(0)
+    expect((captured.body as Record<string, unknown>).name).toBe('CI deploy')
+    expect(r.stdout).toContain('flect_a1b2c3')
+  })
+
+  it('shows raw token in output once', async () => {
+    mocks.mockPost('/v1/account/me/tokens', {
+      token: { ...TOKEN, raw: 'flect_a1b2c3_secretpart' },
+    })
+    const r = await run(['tokens', 'create', '--name', 'CI deploy'])
+    expect(r.stdout).toContain('flect_a1b2c3_secretpart')
+  })
+})
+
+// ── revoke ────────────────────────────────────────────────────────────────────
+
+describe('flect tokens revoke', () => {
+  it('works with prefix', async () => {
+    mocks.mockDelete('/v1/account/me/tokens/flect_a1b2c3')
+    const r = await run(['tokens', 'revoke', 'flect_a1b2c3'])
+    expect(r.exitCode).toBe(0)
+  })
+
+  it('works with full id', async () => {
+    mocks.mockDelete(`/v1/account/me/tokens/${TOKEN.id}`)
+    const r = await run(['tokens', 'revoke', TOKEN.id])
+    expect(r.exitCode).toBe(0)
+  })
+})

package/src/__tests__/helpers.ts

@@ -0,0 +1,42 @@
+import { Command }       from 'commander'
+import {
+  buildLoginCommand, buildLogoutCommand, buildWhoamiCommand,
+  buildMeCommand, buildMembersCommand, buildTokensCommand,
+  type AccountCliDeps,
+} from '../cli.js'
+import { createApiClient }      from '@baseworks/cli/client'
+import { createContextManager } from '@baseworks/cli/context'
+import { runCommand, createMocks, server } from '@baseworks/cli/testing'
+
+export { runCommand, server }
+
+export const TEST_BASE = 'http://flect.test'
+export const mocks = createMocks(TEST_BASE)
+
+export let lastLoginResult: unknown = null
+
+export function makeProgram(token = 'test-token') {
+  const ctx  = createContextManager('account-test')
+  const http = createApiClient(() => token, () => TEST_BASE)
+  const deps: AccountCliDeps = {
+    http,
+    ctx,
+    appBase:  TEST_BASE,
+    apiBase:  TEST_BASE,
+    cliName:  'flect',
+    onLoginSuccess: (r) => { lastLoginResult = r },
+  }
+
+  const program = new Command('flect').exitOverride().enablePositionalOptions()
+  program.addCommand(buildLoginCommand(deps))
+  program.addCommand(buildLogoutCommand(deps))
+  program.addCommand(buildWhoamiCommand(deps))
+  program.addCommand(buildMeCommand(deps))
+  program.addCommand(buildMembersCommand(deps))
+  program.addCommand(buildTokensCommand(deps))
+  return program
+}
+
+export function run(args: string[]) {
+  return runCommand(makeProgram(), args)
+}

package/src/cli.ts

@@ -0,0 +1,356 @@
+import { Command }                from 'commander'
+import { clr, kv, table, success, warn, fatal, printOutput, outputOption } from '@baseworks/cli/display'
+import { fmtDate }               from '@baseworks/cli/fmt'
+import type { ColDef }           from '@baseworks/cli/display'
+import type { ApiClient }        from '@baseworks/cli/client'
+import type { ContextManager }   from '@baseworks/cli/context'
+
+// ─── Types ────────────────────────────────────────────────────────────────────
+
+export interface LoginResult {
+  token:     string
+  user:      { id: string; email: string; name: string | null } | null
+  role:      string | null
+  org:       { slug: string; id: string }
+  workspace: { slug: string; id: string }
+  project:   { slug: string; id: string }
+  env:       { slug: string; id: string }
+}
+
+export interface AccountCliDeps {
+  http:           ApiClient
+  ctx:            ContextManager<Record<string, string | undefined>>
+  appBase:        string
+  apiBase:        string
+  cliName?:       string
+  onLoginSuccess: (result: LoginResult) => void
+}
+
+type MemberRow = {
+  userId:   string
+  email:    string | null
+  name:     string | null
+  role:     string
+  joinedAt: number
+}
+
+type TokenRow = {
+  id:        string
+  keyPrefix: string
+  name:      string
+  lastUsedAt: number | null
+  createdAt:  number
+}
+
+// ─── buildLoginCommand ────────────────────────────────────────────────────────
+
+export function buildLoginCommand(deps: AccountCliDeps): Command {
+  const base = deps.apiBase.replace(/\/+$/, '')
+
+  const cmd = new Command('login').description('Log in via browser (OIDC)')
+
+  cmd.addCommand(
+    new Command('browser')
+      .description('Open browser for OIDC login (default)')
+      .action(async () => {
+        const { exec } = await import('child_process')
+
+        const startRes = await fetch(`${base}/v1/auth/start`)
+        if (!startRes.ok) fatal(`Auth start failed (${startRes.status})`)
+        const { state, url: authUrl } = await startRes.json() as { state: string; url: string }
+
+        warn(`Login URL: ${clr.cyan}${authUrl}${clr.reset}`)
+        warn('Opening browser…')
+        const opener = process.platform === 'win32' ? 'start'
+                     : process.platform === 'darwin' ? 'open' : 'xdg-open'
+        exec(`${opener} "${authUrl}"`)
+        warn('Waiting for browser login… (Ctrl+C to cancel)')
+
+        let token: string | undefined
+        const deadline  = Date.now() + 300_000
+        const startedAt = Date.now()
+        let attempt = 0
+
+        while (Date.now() < deadline) {
+          await new Promise(r => setTimeout(r, attempt < 10 ? 1_000 : 2_000))
+          attempt++
+
+          try {
+            const pollRes = await fetch(`${base}/v1/auth/poll/${state}`)
+            if (!pollRes.ok) continue
+            const body = await pollRes.json() as { status: string; token?: string }
+            if (body.status === 'done' && body.token) { token = body.token; break }
+            if (body.status === 'expired') fatal('Auth session expired — run login again.')
+          } catch { /* keep polling */ }
+
+          if (attempt % 5 === 0) {
+            const elapsed = Math.round((Date.now() - startedAt) / 1000)
+            process.stderr.write(`\r  Waiting for browser… ${elapsed}s`)
+          }
+        }
+
+        if (!token) { process.stderr.write('\n'); fatal('Login timed out.') }
+        process.stderr.write('\n')
+
+        const meRes = await fetch(`${base}/v1/account/me`, { headers: { Authorization: `Bearer ${token}` } })
+        if (!meRes.ok) fatal(`Failed to fetch user info (${meRes.status})`)
+        const me = await meRes.json() as {
+          user: { id: string; email: string; name: string | null } | null
+          org:  { id: string; slug: string; name: string }
+          role: string | null
+        }
+
+        const orgSlug = me.org.slug
+        let ws  = { id: '', slug: 'default' }
+        let prj = { id: '', slug: 'default' }
+        let env = { id: '', slug: 'production' }
+
+        try {
+          const headers = { Authorization: `Bearer ${token}` }
+          const wsRes = await fetch(`${base}/v1/orgs/${orgSlug}/workspaces`, { headers })
+          if (wsRes.ok) {
+            const b = await wsRes.json() as { workspaces: { id: string; slug: string }[] }
+            if (b.workspaces[0]) ws = b.workspaces[0]!
+          }
+          if (ws.id) {
+            const prjRes = await fetch(`${base}/v1/orgs/${orgSlug}/workspaces/${ws.slug}/projects`, { headers })
+            if (prjRes.ok) {
+              const b = await prjRes.json() as { projects: { id: string; slug: string }[] }
+              if (b.projects[0]) prj = b.projects[0]!
+            }
+          }
+          if (prj.id) {
+            const envRes = await fetch(`${base}/v1/orgs/${orgSlug}/workspaces/${ws.slug}/projects/${prj.slug}/envs`, { headers })
+            if (envRes.ok) {
+              const b = await envRes.json() as { envs: { id: string; slug: string }[] }
+              if (b.envs[0]) env = b.envs[0]!
+            }
+          }
+        } catch { /* defaults */ }
+
+        const result: LoginResult = {
+          token: token!,
+          user:      me.user,
+          role:      me.role,
+          org:       { id: me.org.id, slug: orgSlug },
+          workspace: ws,
+          project:   prj,
+          env,
+        }
+
+        deps.onLoginSuccess(result)
+        success('Logged in.')
+        const rows: [string, string][] = []
+        if (result.user) { rows.push(['user', result.user.email], ['role', result.role ?? '—']) }
+        rows.push(
+          ['org',       result.org.slug],
+          ['workspace', result.workspace.slug],
+          ['project',   result.project.slug],
+          ['env',       result.env.slug],
+          ['token',     token!.slice(0, 14) + '…'],
+        )
+        kv(rows)
+      }),
+  )
+
+  // flect login → default to browser subcommand
+  cmd.action(async () => {
+    const sub = cmd.commands.find(c => c.name() === 'browser')!
+    await sub.parseAsync([], { from: 'user' })
+  })
+
+  return cmd
+}
+
+// ─── buildLogoutCommand ───────────────────────────────────────────────────────
+
+export function buildLogoutCommand(deps: AccountCliDeps): Command {
+  const { ctx } = deps
+  return new Command('logout')
+    .description('Remove saved token and clear active context')
+    .option('--all', 'Remove all stored org tokens')
+    .action((opts: { all?: boolean }) => {
+      const cfg = ctx.loadConfig() as Record<string, unknown>
+      if (opts.all) {
+        delete cfg['orgs']
+        delete cfg['activeOrg']
+      } else {
+        const activeOrg = cfg['activeOrg'] as string | undefined
+        const orgs = cfg['orgs'] as Record<string, unknown> | undefined
+        if (activeOrg && orgs) {
+          delete orgs[activeOrg]
+          if (Object.keys(orgs).length === 0) delete cfg['orgs']
+        }
+        delete cfg['activeOrg']
+      }
+      ctx.clearContext()
+      ctx.saveConfig(cfg as never)
+      success(opts.all ? 'All tokens removed.' : 'Logged out.')
+    })
+}
+
+// ─── buildWhoamiCommand ───────────────────────────────────────────────────────
+
+export function buildWhoamiCommand(deps: AccountCliDeps): Command {
+  const { ctx } = deps
+  const cli      = deps.cliName ?? 'cli'
+  return new Command('whoami')
+    .alias('wh')
+    .description('Show active token and context')
+    .action(() => {
+      const cfg       = ctx.loadConfig() as Record<string, unknown>
+      const activeOrg = cfg['activeOrg'] as string | undefined
+      const orgs      = cfg['orgs'] as Record<string, { token?: string }> | undefined
+      const token     = (activeOrg && orgs?.[activeOrg]?.token) ?? (cfg['token'] as string | undefined)
+
+      if (!token) { warn(`No token set. Run: ${cli} login`); return }
+
+      const rows: [string, string][] = [['token', clr.cyan + token.slice(0, 14) + '…' + clr.reset]]
+      if (activeOrg) rows.push(['org', clr.bold + activeOrg + clr.reset])
+      if (orgs && Object.keys(orgs).length > 1) {
+        rows.push(['other orgs', clr.dim + Object.keys(orgs).filter(s => s !== activeOrg).join(', ') + clr.reset])
+      }
+      kv(rows)
+    })
+}
+
+// ─── buildMeCommand ───────────────────────────────────────────────────────────
+
+export function buildMeCommand(deps: AccountCliDeps): Command {
+  const { http } = deps
+  const cli = deps.cliName ?? 'cli'
+  return new Command('me')
+    .description('Current user and org membership')
+    .option(...outputOption())
+    .action(async (opts: { output: string }) => {
+      type MeRes = {
+        user: { id: string; email: string; name: string | null; picture: string | null } | null
+        role: string | null
+        org:  { id: string; slug?: string; name?: string }
+      }
+      const res = await http.get<MeRes>('/v1/account/me').catch(e => { console.error(e.message); process.exit(1) })
+      if (!res.user) {
+        warn(`Org-level token (no user identity). Run: ${cli} login`)
+        kv([['org_id', res.org.id]])
+        return
+      }
+      printOutput(res as unknown as Record<string, unknown>, opts.output, () => kv([
+        ['email',   res.user!.email],
+        ['name',    res.user!.name ?? '—'],
+        ['role',    clr.bold + (res.role ?? '—') + clr.reset],
+        ['org',     res.org.slug ?? res.org.id],
+        ['user_id', res.user!.id],
+      ]))
+    })
+}
+
+// ─── buildMembersCommand ──────────────────────────────────────────────────────
+
+export function buildMembersCommand(deps: AccountCliDeps): Command {
+  const { http } = deps
+
+  const cmd = new Command('members')
+    .alias('member')
+    .description('Org member management')
+    .enablePositionalOptions()
+    .option(...outputOption())
+    .action(async (opts: { output: string }) => {
+      const res = await http.get<{ members: MemberRow[] }>('/v1/account/members').catch(e => { console.error(e.message); process.exit(1) })
+      printOutput(res.members, opts.output, (wide) => {
+        table(res.members, [
+          { key: 'email',    label: 'EMAIL' },
+          { key: 'name',     label: 'NAME',    fmt: v => (v as string | null) ?? '—' },
+          { key: 'role',     label: 'ROLE' },
+          { key: 'joinedAt', label: 'JOINED',  fmt: v => fmtDate(v as number), wide: true },
+          { key: 'userId',   label: 'USER ID', wide: true },
+        ] as ColDef<MemberRow>[], { wide, emptyHint: `No members yet.` } as { wide: boolean; emptyHint: string })
+      }, 'email')
+    })
+
+  cmd.addCommand(
+    new Command('role').argument('<ref>').argument('<role>')
+      .description('Change member role (admin+). ref = email or userId')
+      .action(async (ref: string, role: string) => {
+        await http.patch(`/v1/account/members/${ref}/role`, { role }).catch(e => { console.error(e.message); process.exit(1) })
+        success(`Role updated → ${role}`)
+      }),
+  )
+
+  cmd.addCommand(
+    new Command('remove').argument('<ref>')
+      .description('Remove member from org (admin+). ref = email or userId')
+      .action(async (ref: string) => {
+        await http.del(`/v1/account/members/${ref}`).catch(e => { console.error(e.message); process.exit(1) })
+        success('Member removed.')
+      }),
+  )
+
+  return cmd
+}
+
+// ─── buildTokensCommand ───────────────────────────────────────────────────────
+
+export function buildTokensCommand(deps: AccountCliDeps): Command {
+  const { http } = deps
+
+  const cmd = new Command('tokens')
+    .alias('token')
+    .description('API token management')
+    .enablePositionalOptions()
+    .option(...outputOption())
+    .action(async (opts: { output: string }) => {
+      const res = await http.get<{ tokens: TokenRow[] }>('/v1/account/me/tokens').catch(e => { console.error(e.message); process.exit(1) })
+      printOutput(res.tokens, opts.output, (wide) => {
+        table(res.tokens, [
+          { key: 'keyPrefix', label: 'PREFIX' },
+          { key: 'name',      label: 'NAME' },
+          { key: 'lastUsedAt', label: 'LAST USED', fmt: v => fmtDate(v as number | null) },
+          { key: 'createdAt', label: 'CREATED',    fmt: v => fmtDate(v as number), wide: true },
+          { key: 'id',        label: 'FULL ID',    wide: true },
+        ] as ColDef<TokenRow>[], { wide, emptyHint: 'No tokens.' } as { wide: boolean; emptyHint: string })
+      }, 'keyPrefix')
+    })
+
+  cmd.addCommand(
+    new Command('create')
+      .description('Create a new API token')
+      .requiredOption('--name <name>', 'Token name')
+      .action(async (opts: { name: string }) => {
+        const res = await http.post<{ token: TokenRow & { raw: string } }>('/v1/account/me/tokens', { name: opts.name }).catch(e => { console.error(e.message); process.exit(1) })
+        success('Token created — save it now, it will not be shown again:')
+        console.log(`\n  ${clr.cyan}${clr.bold}${res.token.raw}${clr.reset}\n`)
+        kv([['prefix', res.token.keyPrefix], ['name', res.token.name]])
+      }),
+  )
+
+  cmd.addCommand(
+    new Command('revoke').argument('<ref>')
+      .description('Revoke a token. ref = prefix or full id')
+      .action(async (ref: string) => {
+        await http.del(`/v1/account/me/tokens/${ref}`).catch(e => { console.error(e.message); process.exit(1) })
+        success(`Token ${ref} revoked.`)
+      }),
+  )
+
+  return cmd
+}
+
+// ─── buildAccountCommand ──────────────────────────────────────────────────────
+
+export function buildAccountCommand(deps: AccountCliDeps): Command {
+  const cmd = new Command('account')
+    .alias('acc')
+    .description('Identity, members, and token management')
+
+  cmd.addCommand(buildLoginCommand(deps))
+  cmd.addCommand(buildLogoutCommand(deps))
+  cmd.addCommand(buildWhoamiCommand(deps))
+  cmd.addCommand(buildMeCommand(deps))
+  cmd.addCommand(buildMembersCommand(deps))
+  cmd.addCommand(buildTokensCommand(deps))
+
+  return cmd
+}
+
+// ─── backward compat ─────────────────────────────────────────────────────────
+export { buildAccountCommand as accountCommand }

package/src/index.ts

@@ -0,0 +1,2 @@
+export * from './types.js'
+export * from './repo/index.js'

package/src/repo/api-tokens.ts

@@ -0,0 +1,91 @@
+import { and, eq, isNull } from 'drizzle-orm'
+import { generateId } from '@baseworks/core'
+import type { ApiToken } from '../types.js'
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+type AnyDB = any
+
+export function createApiTokenRepo(db: AnyDB, schema: { apiTokens: any }) {
+  const { apiTokens } = schema
+
+  return {
+    async create(data: {
+      organizationId: string
+      name:           string
+      tokenHash:      string
+      keyPrefix:      string
+      userId?:        string
+      scopes?:        string[]
+      expiresAt?:     number
+    }): Promise<ApiToken> {
+      const now = Date.now()
+      const row: ApiToken = {
+        id:             generateId(),
+        organizationId: data.organizationId,
+        userId:         data.userId ?? null,
+        name:           data.name,
+        tokenHash:      data.tokenHash,
+        keyPrefix:      data.keyPrefix,
+        scopes:         JSON.stringify(data.scopes ?? []),
+        lastUsedAt:     null,
+        expiresAt:      data.expiresAt ?? null,
+        revokedAt:      null,
+        createdAt:      now,
+        updatedAt:      now,
+      }
+      await db.insert(apiTokens).values(row)
+      return row
+    },
+
+    async findByHash(tokenHash: string): Promise<ApiToken | undefined> {
+      const rows: ApiToken[] = await db
+        .select()
+        .from(apiTokens)
+        .where(and(eq(apiTokens.tokenHash, tokenHash), isNull(apiTokens.revokedAt)))
+        .limit(1)
+      return rows[0]
+    },
+
+    async touch(id: string): Promise<void> {
+      await db
+        .update(apiTokens)
+        .set({ lastUsedAt: Date.now(), updatedAt: Date.now() })
+        .where(eq(apiTokens.id, id))
+    },
+
+    async revoke(id: string): Promise<void> {
+      const now = Date.now()
+      await db.update(apiTokens).set({ revokedAt: now, updatedAt: now }).where(eq(apiTokens.id, id))
+    },
+
+    async listByOrg(organizationId: string): Promise<ApiToken[]> {
+      return db
+        .select()
+        .from(apiTokens)
+        .where(and(eq(apiTokens.organizationId, organizationId), isNull(apiTokens.revokedAt)))
+    },
+
+    async listByUser(userId: string): Promise<ApiToken[]> {
+      return db
+        .select()
+        .from(apiTokens)
+        .where(and(eq(apiTokens.userId, userId), isNull(apiTokens.revokedAt)))
+    },
+
+    async countActive(organizationId: string, userId?: string): Promise<number> {
+      const rows: unknown[] = await db
+        .select({ id: apiTokens.id })
+        .from(apiTokens)
+        .where(
+          and(
+            eq(apiTokens.organizationId, organizationId),
+            isNull(apiTokens.revokedAt),
+            userId ? eq(apiTokens.userId, userId) : isNull(apiTokens.userId),
+          ),
+        )
+      return rows.length
+    },
+  }
+}
+
+export type ApiTokenRepo = ReturnType<typeof createApiTokenRepo>