@bonnard/cli 0.2.10 → 0.2.12

package/dist/bin/bon.mjs

@@ -1,56 +1,90 @@
 #!/usr/bin/env node
+import { n as getProjectPaths, t as BONNARD_DIR } from "./project-Dj085D_B.mjs";
+import { a as loadCredentials, i as clearCredentials, n as get, o as saveCredentials, r as post, t as del } from "./api-DqgY-30K.mjs";
+import { i as ensureBonDir, n as addLocalDatasource, o as loadLocalDatasources, r as datasourceExists, s as removeLocalDatasource, t as isDatasourcesTrackedByGit } from "./local-ByvuW3eV.mjs";
 import { createRequire } from "node:module";
 import { program } from "commander";
 import fs from "node:fs";
 import path from "node:path";
-import { fileURLToPath } from "node:url";
+import os from "node:os";
 import pc from "picocolors";
+import { fileURLToPath } from "node:url";
 import YAML from "yaml";
-import os from "node:os";
 import http from "node:http";
 import crypto from "node:crypto";
-import { execFileSync } from "node:child_process";
 import { encode } from "@toon-format/toon";
 
 //#region \0rolldown/runtime.js
-var __defProp = Object.defineProperty;
-var __exportAll = (all, no_symbols) => {
-	let target = {};
-	for (var name in all) {
-		__defProp(target, name, {
-			get: all[name],
-			enumerable: true
-		});
-	}
-	if (!no_symbols) {
-		__defProp(target, Symbol.toStringTag, { value: "Module" });
-	}
-	return target;
-};
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
-//#region src/lib/project.ts
-/**
-* The subdirectory name used for Bonnard cube/view files.
-* Keeps Bonnard files namespaced to avoid conflicts with existing
-* project directories (e.g. dbt's models/).
-*/
-const BONNARD_DIR = "bonnard";
+//#region src/lib/update-check.ts
+const CACHE_DIR = path.join(os.homedir(), ".config", "bon");
+const CACHE_FILE = path.join(CACHE_DIR, "update-check.json");
+const CHECK_INTERVAL_MS = 1440 * 60 * 1e3;
+const REGISTRY_URL = "https://registry.npmjs.org/@bonnard/cli/latest";
+const FETCH_TIMEOUT_MS = 3e3;
+function readCache() {
+	try {
+		const raw = fs.readFileSync(CACHE_FILE, "utf-8");
+		return JSON.parse(raw);
+	} catch {
+		return null;
+	}
+}
+function writeCache(data) {
+	try {
+		fs.mkdirSync(CACHE_DIR, { recursive: true });
+		fs.writeFileSync(CACHE_FILE, JSON.stringify(data));
+	} catch {}
+}
+function isNewer(latest, current) {
+	const l = latest.split(".").map(Number);
+	const c = current.split(".").map(Number);
+	for (let i = 0; i < 3; i++) {
+		if ((l[i] ?? 0) > (c[i] ?? 0)) return true;
+		if ((l[i] ?? 0) < (c[i] ?? 0)) return false;
+	}
+	return false;
+}
+async function fetchLatestVersion() {
+	try {
+		const controller = new AbortController();
+		const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+		const res = await fetch(REGISTRY_URL, { signal: controller.signal });
+		clearTimeout(timeout);
+		if (!res.ok) return null;
+		return (await res.json()).version ?? null;
+	} catch {
+		return null;
+	}
+}
 /**
-* Resolve Bonnard project paths relative to the working directory.
-* All cube/view operations should use these paths.
+* Start a background version check. Returns a function that,
+* when called, prints an update notice if a newer version exists.
+* The check is cached for 24 hours and never blocks the CLI.
 */
-function getProjectPaths(cwd) {
-	const bonnardRoot = path.join(cwd, BONNARD_DIR);
-	return {
-		root: bonnardRoot,
-		cubes: path.join(bonnardRoot, "cubes"),
-		views: path.join(bonnardRoot, "views"),
-		config: path.join(cwd, "bon.yaml"),
-		localState: path.join(cwd, ".bon")
+function startUpdateCheck(currentVersion) {
+	const cached = readCache();
+	const now = Date.now();
+	if (cached && now - cached.lastCheck < CHECK_INTERVAL_MS) return async () => {
+		if (isNewer(cached.latestVersion, currentVersion)) printUpdateNotice(cached.latestVersion, currentVersion);
+	};
+	const fetchPromise = fetchLatestVersion();
+	return async () => {
+		const latest = await fetchPromise;
+		if (latest) {
+			writeCache({
+				lastCheck: now,
+				latestVersion: latest
+			});
+			if (isNewer(latest, currentVersion)) printUpdateNotice(latest, currentVersion);
+		}
 	};
 }
+function printUpdateNotice(latest, current) {
+	console.error(`\nUpdate available: ${pc.yellow(latest)} (currently installed ${current})\nRun ${pc.cyan("npm install -g @bonnard/cli")} to update\n`);
+}
 
 //#endregion
 //#region src/lib/dbt/profiles.ts
@@ -83,7 +117,8 @@ function mapDbtType(dbtType) {
 		postgresql: "postgres",
 		redshift: "redshift",
 		bigquery: "bigquery",
-		databricks: "databricks"
+		databricks: "databricks",
+		duckdb: "duckdb"
 	}[dbtType.toLowerCase()] ?? null;
 }
 /**
@@ -156,6 +191,8 @@ const PYTHON_PACKAGES = {
 	"dbt-postgres": "dbt",
 	"dbt-bigquery": "dbt",
 	"dbt-databricks": "dbt",
+	"dbt-duckdb": "dbt",
+	duckdb: "duckdb",
 	dagster: "dagster",
 	sqlmesh: "sqlmesh",
 	"apache-airflow": "airflow",
@@ -340,7 +377,8 @@ function extractWarehouseFromEnv(cwd) {
 				postgres: "postgres",
 				redshift: "redshift",
 				bigquery: "bigquery",
-				databricks: "databricks"
+				databricks: "databricks",
+				duckdb: "duckdb"
 			}[cubeDbType[1].trim().toLowerCase()];
 			if (type) return {
 				type,
@@ -361,6 +399,11 @@ function extractWarehouseFromEnv(cwd) {
 			source: "env",
 			config: {}
 		};
+		if (content.match(/^MOTHERDUCK_TOKEN=/m) || content.match(/^CUBEJS_DB_DUCKDB_DATABASE_PATH=/m)) return {
+			type: "duckdb",
+			source: "env",
+			config: {}
+		};
 	} catch {}
 	return null;
 }
@@ -625,41 +668,14 @@ async function initCommand() {
 	}
 }
 
-//#endregion
-//#region src/lib/credentials.ts
-const CREDENTIALS_DIR = path.join(os.homedir(), ".config", "bon");
-const CREDENTIALS_FILE = path.join(CREDENTIALS_DIR, "credentials.json");
-function saveCredentials(credentials) {
-	fs.mkdirSync(CREDENTIALS_DIR, {
-		recursive: true,
-		mode: 448
-	});
-	fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(credentials, null, 2), { mode: 384 });
-}
-function loadCredentials() {
-	try {
-		const raw = fs.readFileSync(CREDENTIALS_FILE, "utf-8");
-		const parsed = JSON.parse(raw);
-		if (parsed.token && parsed.email) return parsed;
-		return null;
-	} catch {
-		return null;
-	}
-}
-function clearCredentials() {
-	try {
-		fs.unlinkSync(CREDENTIALS_FILE);
-	} catch {}
-}
-
 //#endregion
 //#region src/commands/login.ts
-const APP_URL$1 = process.env.BON_APP_URL || "https://app.bonnard.dev";
+const APP_URL = process.env.BON_APP_URL || "https://app.bonnard.dev";
 const TIMEOUT_MS = 120 * 1e3;
 async function loginCommand() {
 	const state = crypto.randomUUID();
 	const { port, close } = await startCallbackServer(state);
-	const url = `${APP_URL$1}/auth/device?state=${state}&port=${port}`;
+	const url = `${APP_URL}/auth/device?state=${state}&port=${port}`;
 	console.log(pc.dim(`Opening browser to ${url}`));
 	const open = (await import("open")).default;
 	await open(url);
@@ -788,53 +804,6 @@ async function logoutCommand() {
 	console.log(pc.green("Logged out"));
 }
 
-//#endregion
-//#region src/lib/api.ts
-var api_exports = /* @__PURE__ */ __exportAll({
-	del: () => del,
-	get: () => get,
-	post: () => post
-});
-const APP_URL = process.env.BON_APP_URL || "https://app.bonnard.dev";
-const VERCEL_BYPASS = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
-function getToken() {
-	const creds = loadCredentials();
-	if (!creds) {
-		console.error(pc.red("Not logged in. Run `bon login` first."));
-		process.exit(1);
-	}
-	return creds.token;
-}
-async function request(method, path, body) {
-	const token = getToken();
-	const url = `${APP_URL}${path}`;
-	const headers = {
-		Authorization: `Bearer ${token}`,
-		"Content-Type": "application/json"
-	};
-	if (VERCEL_BYPASS) headers["x-vercel-protection-bypass"] = VERCEL_BYPASS;
-	const res = await fetch(url, {
-		method,
-		headers,
-		body: body ? JSON.stringify(body) : void 0
-	});
-	const data = await res.json();
-	if (!res.ok) {
-		const message = data.error || res.statusText;
-		throw new Error(message);
-	}
-	return data;
-}
-function get(path) {
-	return request("GET", path);
-}
-function post(path, body) {
-	return request("POST", path, body);
-}
-function del(path) {
-	return request("DELETE", path);
-}
-
 //#endregion
 //#region src/commands/whoami.ts
 async function whoamiCommand(options = {}) {
@@ -859,163 +828,6 @@ async function whoamiCommand(options = {}) {
 	}
 }
 
-//#endregion
-//#region src/lib/local/datasources.ts
-/**
-* Local datasource storage (.bon/datasources.yaml)
-*
-* Single file containing both config and credentials.
-* Credentials may contain:
-* - Plain values: "my_password"
-* - dbt env var syntax: "{{ env_var('MY_PASSWORD') }}"
-*
-* Env vars are resolved at deploy time, not import time.
-*/
-const BON_DIR$2 = ".bon";
-const DATASOURCES_FILE$1 = "datasources.yaml";
-function getBonDir(cwd = process.cwd()) {
-	return path.join(cwd, BON_DIR$2);
-}
-function getDatasourcesPath$1(cwd = process.cwd()) {
-	return path.join(getBonDir(cwd), DATASOURCES_FILE$1);
-}
-/**
-* Ensure .bon directory exists
-*/
-function ensureBonDir(cwd = process.cwd()) {
-	const bonDir = getBonDir(cwd);
-	if (!fs.existsSync(bonDir)) fs.mkdirSync(bonDir, { recursive: true });
-}
-/**
-* Load all local datasources
-*/
-function loadLocalDatasources(cwd = process.cwd()) {
-	const filePath = getDatasourcesPath$1(cwd);
-	if (!fs.existsSync(filePath)) return [];
-	try {
-		const content = fs.readFileSync(filePath, "utf-8");
-		return YAML.parse(content)?.datasources ?? [];
-	} catch {
-		return [];
-	}
-}
-/**
-* Save all local datasources (with secure permissions since it contains credentials)
-*/
-function saveLocalDatasources(datasources, cwd = process.cwd()) {
-	ensureBonDir(cwd);
-	const filePath = getDatasourcesPath$1(cwd);
-	const file = { datasources };
-	const content = `# Bonnard datasources configuration
-# This file contains credentials - add to .gitignore
-# Env vars like {{ env_var('PASSWORD') }} are resolved at deploy time
-
-` + YAML.stringify(file, { indent: 2 });
-	fs.writeFileSync(filePath, content, { mode: 384 });
-}
-/**
-* Add a single datasource (updates existing or appends new)
-*/
-function addLocalDatasource(datasource, cwd = process.cwd()) {
-	const existing = loadLocalDatasources(cwd);
-	const index = existing.findIndex((ds) => ds.name === datasource.name);
-	if (index >= 0) existing[index] = datasource;
-	else existing.push(datasource);
-	saveLocalDatasources(existing, cwd);
-}
-/**
-* Remove a datasource by name
-*/
-function removeLocalDatasource(name, cwd = process.cwd()) {
-	const existing = loadLocalDatasources(cwd);
-	const filtered = existing.filter((ds) => ds.name !== name);
-	if (filtered.length === existing.length) return false;
-	saveLocalDatasources(filtered, cwd);
-	return true;
-}
-/**
-* Get a single datasource by name
-*/
-function getLocalDatasource(name, cwd = process.cwd()) {
-	return loadLocalDatasources(cwd).find((ds) => ds.name === name) ?? null;
-}
-/**
-* Check if a datasource name already exists locally
-*/
-function datasourceExists(name, cwd = process.cwd()) {
-	return getLocalDatasource(name, cwd) !== null;
-}
-/**
-* Resolve {{ env_var('VAR_NAME') }} patterns in credentials
-* Used at deploy time to resolve env vars before uploading
-*/
-function resolveEnvVarsInCredentials(credentials) {
-	const resolved = {};
-	const missing = [];
-	const envVarPattern = /\{\{\s*env_var\(['"]([\w_]+)['"]\)\s*\}\}/;
-	for (const [key, value] of Object.entries(credentials)) {
-		const match = value.match(envVarPattern);
-		if (match) {
-			const varName = match[1];
-			const envValue = process.env[varName];
-			if (envValue !== void 0) resolved[key] = envValue;
-			else {
-				missing.push(varName);
-				resolved[key] = value;
-			}
-		} else resolved[key] = value;
-	}
-	return {
-		resolved,
-		missing
-	};
-}
-
-//#endregion
-//#region src/lib/local/credentials.ts
-/**
-* Credential utilities (git tracking check)
-*/
-const BON_DIR$1 = ".bon";
-const DATASOURCES_FILE = "datasources.yaml";
-function getDatasourcesPath(cwd = process.cwd()) {
-	return path.join(cwd, BON_DIR$1, DATASOURCES_FILE);
-}
-/**
-* Check if datasources file is tracked by git (it shouldn't be - contains credentials)
-*/
-function isDatasourcesTrackedByGit(cwd = process.cwd()) {
-	const filePath = getDatasourcesPath(cwd);
-	if (!fs.existsSync(filePath)) return false;
-	try {
-		execFileSync("git", [
-			"ls-files",
-			"--error-unmatch",
-			filePath
-		], {
-			cwd,
-			stdio: "pipe"
-		});
-		return true;
-	} catch {
-		return false;
-	}
-}
-
-//#endregion
-//#region src/lib/local/index.ts
-var local_exports = /* @__PURE__ */ __exportAll({
-	addLocalDatasource: () => addLocalDatasource,
-	datasourceExists: () => datasourceExists,
-	ensureBonDir: () => ensureBonDir,
-	getLocalDatasource: () => getLocalDatasource,
-	isDatasourcesTrackedByGit: () => isDatasourcesTrackedByGit,
-	loadLocalDatasources: () => loadLocalDatasources,
-	removeLocalDatasource: () => removeLocalDatasource,
-	resolveEnvVarsInCredentials: () => resolveEnvVarsInCredentials,
-	saveLocalDatasources: () => saveLocalDatasources
-});
-
 //#endregion
 //#region src/lib/dbt/mapping.ts
 /**
@@ -1104,6 +916,19 @@ function mapDatabricks(config) {
 	};
 }
 /**
+* Map DuckDB dbt config to Bonnard format
+*/
+function mapDuckDB(config) {
+	const dbPath = getString(config, "path") || getString(config, "database");
+	return {
+		config: {
+			...dbPath && { database_path: dbPath },
+			...getString(config, "schema") && { schema: getString(config, "schema") }
+		},
+		credentials: { ...getString(config, "motherduck_token") && { motherduck_token: getString(config, "motherduck_token") } }
+	};
+}
+/**
 * Map a parsed dbt connection to Bonnard format
 * Values are copied as-is, including {{ env_var(...) }} patterns
 */
@@ -1123,6 +948,9 @@ function mapDbtConnection(connection) {
 		case "databricks":
 			mapped = mapDatabricks(config);
 			break;
+		case "duckdb":
+			mapped = mapDuckDB(config);
+			break;
 		default: throw new Error(`Unsupported warehouse type: ${type}`);
 	}
 	return { datasource: {
@@ -1317,6 +1145,26 @@ const WAREHOUSE_CONFIGS = [
 			secret: true,
 			required: true
 		}]
+	},
+	{
+		value: "duckdb",
+		label: "DuckDB",
+		configFields: [{
+			name: "database_path",
+			flag: "databasePath",
+			message: "Database path (file path, :memory:, or md:db_name for MotherDuck)",
+			required: true
+		}, {
+			name: "schema",
+			message: "Schema name",
+			default: "main"
+		}],
+		credentialFields: [{
+			name: "motherduck_token",
+			flag: "motherduckToken",
+			message: "MotherDuck token (required for md: paths)",
+			secret: true
+		}]
 	}
 ];
 /**
@@ -1332,8 +1180,10 @@ function formatType$1(type) {
 	return {
 		snowflake: "Snowflake",
 		postgres: "Postgres",
+		redshift: "Redshift",
 		bigquery: "BigQuery",
-		databricks: "Databricks"
+		databricks: "Databricks",
+		duckdb: "DuckDB"
 	}[type] || type;
 }
 /**
@@ -1367,7 +1217,7 @@ async function importFromDbt(options) {
 	}
 	if (connections.length === 0) {
 		console.log(pc.yellow("No supported connections found in dbt profiles."));
-		console.log(pc.dim("Supported types: snowflake, postgres, bigquery, databricks"));
+		console.log(pc.dim("Supported types: snowflake, postgres, redshift, bigquery, databricks, duckdb"));
 		process.exit(0);
 	}
 	if (typeof options.fromDbt === "string") {
@@ -1483,7 +1333,7 @@ async function addManual(options) {
 	const warehouseConfig = WAREHOUSE_CONFIGS.find((w) => w.value === warehouseType);
 	if (!warehouseConfig) {
 		console.error(pc.red(`Invalid warehouse type: ${warehouseType}`));
-		console.log(pc.dim("Valid types: snowflake, postgres, bigquery, databricks"));
+		console.log(pc.dim("Valid types: snowflake, postgres, redshift, bigquery, databricks, duckdb"));
 		process.exit(1);
 	}
 	const config = {};
@@ -1507,6 +1357,7 @@ async function addManual(options) {
 		let value;
 		if (field.name === "password" && options.passwordEnv) value = envVarRef(options.passwordEnv);
 		else if (field.name === "token" && options.tokenEnv) value = envVarRef(options.tokenEnv);
+		else if (field.name === "motherduck_token" && options.motherduckTokenEnv) value = envVarRef(options.motherduckTokenEnv);
 		else value = getOptionValue(options, field);
 		if (!value && !nonInteractive) if (field.secret) value = await password({ message: field.message + ":" });
 		else value = await input({ message: field.message + ":" });
@@ -1630,7 +1481,7 @@ async function listRemoteDatasources() {
 		return;
 	}
 	try {
-		const { get } = await Promise.resolve().then(() => api_exports);
+		const { get } = await import("./api-B7cdKn9j.mjs");
 		const result = await get("/api/datasources");
 		if (result.dataSources.length === 0) {
 			console.log(pc.dim("No remote data sources found."));
@@ -1691,7 +1542,7 @@ async function removeRemote(name) {
 		process.exit(1);
 	}
 	try {
-		const { del } = await Promise.resolve().then(() => api_exports);
+		const { del } = await import("./api-B7cdKn9j.mjs");
 		await del(`/api/datasources/${encodeURIComponent(name)}`);
 		console.log(pc.green(`✓ Removed "${name}" from remote server`));
 	} catch (err) {
@@ -1709,7 +1560,7 @@ async function validateCommand() {
 		console.log(pc.red("No bon.yaml found. Are you in a Bonnard project?"));
 		process.exit(1);
 	}
-	const { validate } = await import("./validate-Bc8zGNw7.mjs");
+	const { validate } = await import("./validate-C4W_Vto2.mjs");
 	const result = await validate(cwd);
 	if (result.cubes.length === 0 && result.views.length === 0 && result.valid) {
 		console.log(pc.yellow(`No cube or view files found in ${BONNARD_DIR}/cubes/ or ${BONNARD_DIR}/views/.`));
@@ -1783,7 +1634,7 @@ async function deployCommand(options = {}) {
 		process.exit(1);
 	}
 	console.log(pc.dim("Validating cubes and views..."));
-	const { validate } = await import("./validate-Bc8zGNw7.mjs");
+	const { validate } = await import("./validate-C4W_Vto2.mjs");
 	const result = await validate(cwd);
 	if (!result.valid) {
 		console.log(pc.red("Validation failed:\n"));
@@ -1852,9 +1703,9 @@ async function deployCommand(options = {}) {
 * Returns true if any connection failed (strict mode)
 */
 async function testAndSyncDatasources(cwd, options = {}) {
-	const { extractDatasourcesFromCubes } = await import("./cubes-9rklhdAJ.mjs");
-	const { loadLocalDatasources } = await Promise.resolve().then(() => local_exports);
-	const { pushDatasource } = await import("./push-Bv9AFGc2.mjs");
+	const { extractDatasourcesFromCubes } = await import("./cubes-BvtwNBUG.mjs");
+	const { loadLocalDatasources } = await import("./local-BkK5XL7T.mjs");
+	const { pushDatasource } = await import("./push-BOkUmRL8.mjs");
 	const references = extractDatasourcesFromCubes(cwd);
 	if (references.length === 0) return false;
 	console.log();
@@ -3891,6 +3742,110 @@ async function metabaseAnalyzeCommand(options) {
 	console.log(pc.dim(`Full report: ${outputPath}`));
 }
 
+//#endregion
+//#region src/commands/keys/list.ts
+function formatDate(dateStr) {
+	if (!dateStr) return "—";
+	return new Date(dateStr).toLocaleDateString("en-US", {
+		month: "short",
+		day: "numeric",
+		year: "numeric"
+	});
+}
+function printKeyTable(keys, title, description) {
+	console.log(pc.bold(title));
+	console.log(pc.dim(description));
+	console.log();
+	if (keys.length === 0) {
+		console.log(pc.dim("  No keys."));
+		return;
+	}
+	const maxNameLen = Math.max(...keys.map((k) => k.name.length), 4);
+	const maxPrefixLen = Math.max(...keys.map((k) => k.key_prefix.length + 3), 3);
+	const header = `  ${"NAME".padEnd(maxNameLen)}  ${"KEY".padEnd(maxPrefixLen)}  ${"CREATED".padEnd(14)}  LAST USED`;
+	console.log(pc.dim(header));
+	console.log(pc.dim("  " + "─".repeat(header.length - 2)));
+	for (const k of keys) {
+		const name = k.name.padEnd(maxNameLen);
+		const prefix = (k.key_prefix + "...").padEnd(maxPrefixLen);
+		const created = formatDate(k.created_at).padEnd(14);
+		const lastUsed = formatDate(k.last_used_at);
+		console.log(`  ${pc.bold(name)}  ${pc.dim(prefix)}  ${created}  ${lastUsed}`);
+	}
+}
+async function keysListCommand() {
+	try {
+		const result = await get("/api/web/keys");
+		printKeyTable(result.publishableKeys, "Publishable Keys", "Client-side, read-only access");
+		console.log();
+		printKeyTable(result.secretKeys, "Secret Keys", "Server-side, full access");
+		const total = result.publishableKeys.length + result.secretKeys.length;
+		console.log();
+		console.log(pc.dim(`${total} key${total !== 1 ? "s" : ""} total`));
+	} catch (err) {
+		console.error(pc.red(`Error: ${err.message}`));
+		process.exit(1);
+	}
+}
+
+//#endregion
+//#region src/commands/keys/create.ts
+async function keysCreateCommand(options) {
+	const { name, type } = options;
+	if (type !== "publishable" && type !== "secret") {
+		console.error(pc.red("Error: --type must be 'publishable' or 'secret'"));
+		process.exit(1);
+	}
+	try {
+		const result = await post("/api/web/keys", {
+			name,
+			type
+		});
+		console.log(pc.green("Key created successfully."));
+		console.log();
+		console.log(pc.bold("  Name:  ") + result.name);
+		console.log(pc.bold("  Type:  ") + type);
+		console.log(pc.bold("  Key:   ") + result.key);
+		console.log();
+		console.log(pc.yellow("⚠ Save this key now — it won't be shown again."));
+	} catch (err) {
+		console.error(pc.red(`Error: ${err.message}`));
+		process.exit(1);
+	}
+}
+
+//#endregion
+//#region src/commands/keys/revoke.ts
+async function keysRevokeCommand(nameOrPrefix) {
+	try {
+		const result = await get("/api/web/keys");
+		let match;
+		let type;
+		for (const k of result.publishableKeys) if (k.name === nameOrPrefix || k.key_prefix.startsWith(nameOrPrefix)) {
+			match = k;
+			type = "publishable";
+			break;
+		}
+		if (!match) {
+			for (const k of result.secretKeys) if (k.name === nameOrPrefix || k.key_prefix.startsWith(nameOrPrefix)) {
+				match = k;
+				type = "secret";
+				break;
+			}
+		}
+		if (!match || !type) {
+			console.error(pc.red(`No key found matching "${nameOrPrefix}".`));
+			console.error(pc.dim("Use `bon keys list` to see available keys."));
+			process.exit(1);
+		}
+		await del(`/api/web/keys/${match.id}?type=${type}`);
+		console.log(pc.green(`Revoked ${type} key "${match.name}" (${match.key_prefix}...).`));
+	} catch (err) {
+		console.error(pc.red(`Error: ${err.message}`));
+		process.exit(1);
+	}
+}
+
 //#endregion
 //#region src/bin/bon.ts
 const { version } = createRequire(import.meta.url)("../../package.json");
@@ -3900,7 +3855,7 @@ program.command("login").description("Authenticate with Bonnard via your browser
 program.command("logout").description("Remove stored credentials").action(logoutCommand);
 program.command("whoami").description("Show current login status").option("--verify", "Verify session is still valid with the server").action(whoamiCommand);
 const datasource = program.command("datasource").description("Manage warehouse data source connections");
-datasource.command("add").description("Add a data source to .bon/datasources.yaml. Use --name and --type together for non-interactive mode").option("--demo", "Add a read-only demo datasource (Contoso retail dataset) for testing").option("--from-dbt [profile]", "Import from dbt profiles.yml (optionally specify profile/target)").option("--target <target>", "Target name when using --from-dbt").option("--all", "Import all connections from dbt profiles").option("--default-targets", "Import only default targets from dbt profiles (non-interactive)").option("--name <name>", "Datasource name (required for non-interactive mode)").option("--type <type>", "Warehouse type: snowflake, postgres, bigquery, databricks (required for non-interactive mode)").option("--account <account>", "Snowflake account identifier").option("--database <database>", "Database name").option("--schema <schema>", "Schema name").option("--warehouse <warehouse>", "Warehouse name (Snowflake)").option("--role <role>", "Role (Snowflake)").option("--host <host>", "Host (Postgres)").option("--port <port>", "Port (Postgres, default: 5432)").option("--project-id <projectId>", "GCP Project ID (BigQuery)").option("--dataset <dataset>", "Dataset name (BigQuery)").option("--location <location>", "Location (BigQuery)").option("--hostname <hostname>", "Server hostname (Databricks)").option("--http-path <httpPath>", "HTTP path (Databricks)").option("--catalog <catalog>", "Catalog name (Databricks)").option("--user <user>", "Username").option("--password <password>", "Password (use --password-env for env var reference)").option("--token <token>", "Access token (use --token-env for env var reference)").option("--service-account-json <json>", "Service account JSON (BigQuery)").option("--keyfile <path>", "Path to service account key file (BigQuery)").option("--password-env <varName>", "Env var name for password, stores as {{ env_var('NAME') }}").option("--token-env <varName>", "Env var name for token, stores as {{ env_var('NAME') }}").option("--force", "Overwrite existing datasource without prompting").action(datasourceAddCommand);
+datasource.command("add").description("Add a data source to .bon/datasources.yaml. Use --name and --type together for non-interactive mode").option("--demo", "Add a read-only demo datasource (Contoso retail dataset) for testing").option("--from-dbt [profile]", "Import from dbt profiles.yml (optionally specify profile/target)").option("--target <target>", "Target name when using --from-dbt").option("--all", "Import all connections from dbt profiles").option("--default-targets", "Import only default targets from dbt profiles (non-interactive)").option("--name <name>", "Datasource name (required for non-interactive mode)").option("--type <type>", "Warehouse type: snowflake, postgres, redshift, bigquery, databricks, duckdb (required for non-interactive mode)").option("--account <account>", "Snowflake account identifier").option("--database <database>", "Database name").option("--schema <schema>", "Schema name").option("--warehouse <warehouse>", "Warehouse name (Snowflake)").option("--role <role>", "Role (Snowflake)").option("--host <host>", "Host (Postgres)").option("--port <port>", "Port (Postgres, default: 5432)").option("--project-id <projectId>", "GCP Project ID (BigQuery)").option("--dataset <dataset>", "Dataset name (BigQuery)").option("--location <location>", "Location (BigQuery)").option("--hostname <hostname>", "Server hostname (Databricks)").option("--http-path <httpPath>", "HTTP path (Databricks)").option("--catalog <catalog>", "Catalog name (Databricks)").option("--database-path <databasePath>", "Database path: file path, :memory:, or md:db_name for MotherDuck (DuckDB)").option("--motherduck-token <token>", "MotherDuck token (DuckDB, for md: paths)").option("--motherduck-token-env <varName>", "Env var name for MotherDuck token, stores as {{ env_var('NAME') }}").option("--user <user>", "Username").option("--password <password>", "Password (use --password-env for env var reference)").option("--token <token>", "Access token (use --token-env for env var reference)").option("--service-account-json <json>", "Service account JSON (BigQuery)").option("--keyfile <path>", "Path to service account key file (BigQuery)").option("--password-env <varName>", "Env var name for password, stores as {{ env_var('NAME') }}").option("--token-env <varName>", "Env var name for token, stores as {{ env_var('NAME') }}").option("--force", "Overwrite existing datasource without prompting").action(datasourceAddCommand);
 datasource.command("list").description("List data sources (shows both local and remote by default)").option("--local", "Show only local data sources from .bon/datasources.yaml").option("--remote", "Show only remote data sources from Bonnard server (requires login)").action(datasourceListCommand);
 datasource.command("remove").description("Remove a data source from .bon/datasources.yaml (local by default)").argument("<name>", "Data source name").option("--remote", "Remove from Bonnard server instead of local (requires login)").action(datasourceRemoveCommand);
 program.command("validate").description("Validate YAML syntax in bonnard/cubes/ and bonnard/views/").action(validateCommand);
@@ -3911,11 +3866,17 @@ program.command("annotate").description("Annotate deployment changes with reason
 program.command("mcp").description("MCP connection info and setup instructions").action(mcpCommand).command("test").description("Test MCP server connectivity").action(mcpTestCommand);
 program.command("query").description("Execute a query against the deployed semantic layer").argument("<query>", "JSON query or SQL (with --sql flag)").option("--sql", "Use SQL API instead of JSON format").option("--limit <limit>", "Max rows to return").option("--format <format>", "Output format: toon or json", "toon").action(cubeQueryCommand);
 program.command("docs").description("Browse documentation for building cubes and views").argument("[topic]", "Topic to display (e.g., cubes, cubes.measures)").option("-r, --recursive", "Show topic and all child topics").option("-s, --search <query>", "Search topics for a keyword").option("-f, --format <format>", "Output format: markdown or json", "markdown").action(docsCommand).command("schema").description("Show JSON schema for a type (cube, view, measure, etc.)").argument("<type>", "Schema type to display").action(docsSchemaCommand);
+const keys = program.command("keys").description("Manage API keys for the Bonnard SDK");
+keys.command("list").description("List all API keys for your organization").action(keysListCommand);
+keys.command("create").description("Create a new API key").requiredOption("--name <name>", "Key name (e.g. 'Production SDK')").requiredOption("--type <type>", "Key type: publishable or secret").action(keysCreateCommand);
+keys.command("revoke").description("Revoke an API key by name or prefix").argument("<name-or-prefix>", "Key name or key prefix to revoke").action(keysRevokeCommand);
 const metabase = program.command("metabase").description("Connect to and explore Metabase content");
 metabase.command("connect").description("Configure Metabase API connection").option("--url <url>", "Metabase instance URL").option("--api-key <key>", "Metabase API key").option("--force", "Overwrite existing configuration").action(metabaseConnectCommand);
 metabase.command("explore").description("Browse Metabase databases, collections, cards, and dashboards").argument("[resource]", "databases, collections, cards, dashboards, card, dashboard, database, table, collection").argument("[id]", "Resource ID (e.g. card <id>, dashboard <id>, database <id>, table <id>, collection <id>)").action(metabaseExploreCommand);
 metabase.command("analyze").description("Analyze Metabase instance and generate a structured report for semantic layer planning").option("--output <path>", "Output file path", ".bon/metabase-analysis.md").option("--top-cards <n>", "Number of top cards to include in report", "50").action(metabaseAnalyzeCommand);
-program.parse();
+const showUpdateNotice = startUpdateCheck(version);
+await program.parseAsync();
+await showUpdateNotice();
 
 //#endregion
-export { getProjectPaths as i, resolveEnvVarsInCredentials as n, post as r, getLocalDatasource as t };
+export {  };