npm - @deepsql/mcp - Versions diffs - 0.5.0 → 0.6.0 - Mend

@deepsql/mcp 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/package.json +5 -2
package/src/cli.js +64 -1
package/src/commands/_users.js +55 -0
package/src/commands/access.js +225 -0
package/src/commands/admin.test.js +135 -0
package/src/commands/permissions.js +149 -0
package/src/commands/setup.js +220 -0
package/src/commands/slow-queries.js +340 -0
package/src/commands/users.js +276 -0
package/src/ui/editor.js +61 -0
package/src/ui/prompts.js +60 -0
package/src/ui/sse.js +97 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@deepsql/mcp",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "DeepSQL CLI and stdio MCP server for self-hosted deployments",
   "bin": {
     "deepsql": "./bin/deepsql.js",
@@ -22,5 +22,8 @@
   "engines": {
     "node": ">=20"
   },
-  "license": "UNLICENSED"
+  "license": "UNLICENSED",
+  "dependencies": {
+    "@inquirer/prompts": "^8.4.2"
+  }
 }

package/src/cli.js CHANGED Viewed

@@ -24,6 +24,11 @@ const COMMANDS = {
   explain: () => require("./commands/explain"),
   schema: () => require("./commands/schema"),
   digest: () => require("./commands/digest"),
+  users: () => require("./commands/users"),
+  access: () => require("./commands/access"),
+  permissions: () => require("./commands/permissions"),
+  "slow-queries": () => require("./commands/slow-queries"),
+  setup: () => require("./commands/setup"),
 };
 const HELP = `deepsql — DeepSQL CLI
@@ -63,6 +68,35 @@ Commands:
   digest show <id> [--connection <name>] [--json]
                                   Show one digest by id.
+Admin commands (require ADMIN role on the calling token):
+  users list | get <ref> | add [<email>] [--role <r>] [--name <n>] [--password-stdin]
+        | set-role <ref> <role> | lock|unlock|disable <ref>
+        | resend-invite <ref> | reset-password <ref> [--password-stdin]
+        | delete <ref> [--yes]
+                                  Manage workspace users.
+  access list --user <ref> | --connection <name>
+        | grant   --user <ref> --connection <name> --level read|write|admin
+        | revoke  --user <ref> --connection <name>
+        | policy  <user> <connection>     (opens $EDITOR)
+                                  Per-connection access grants and chat policies.
+  permissions list [--role <ROLE>] [--json]
+        | override --role <ROLE> --permission <PERM> --grant|--revoke [--reason "..."]
+        | reset    --role <ROLE> --permission <PERM>
+                                  Role-based permission overrides.
+  slow-queries latest --connection <name>
+        | history --connection <name> [N]
+        | analyze --connection <name> [--time-range LAST_24_HOURS|LAST_HOUR]
+                                       [--threshold-ms <n>] [--limit <n>]
+        | optimize --connection <name> --query-id <id>
+                  (streams AI optimization steps to stderr; result to stdout)
+        | delete (--history-id <id> | --connection <name>) [--yes]
+                                  Read, trigger, and clean up slow-query analyses.
+  setup [--skip-email] [--skip-slack] [--skip-complete]
+                                  Post-install wizard: SMTP/email, Slack
+                                  (digests + bot), then mark setup complete.
+                                  Org and LLM config are set at install time
+                                  and are NOT touched by this wizard.
 Global options:
   --url <url>     Override the DeepSQL base URL.
   --token <tok>   Override the auth token (also: DEEPSQL_AUTH_TOKEN).
@@ -118,21 +152,50 @@ function buildOpts(parsed) {
     url: f.url || null,
     token: f.token || null,
     json: !!f.json,
+    // Login-flow selectors
     device: !!f.device,
     browser: !!f.browser,
     noBrowser: !!f.noBrowser,
-    password: !!f.password,
+    // password may be `true` (login flow flag) OR a string value (`users add
+    // --password secret`, `users add --password=secret`). Each command
+    // interprets whichever shape it expects.
+    password: f.password ?? null,
     passwordStdin: !!f.passwordStdin,
     email: f.email || null,
     label: f.label || null,
+    // Connection / users / chat
     connection: f.connection || f.c || null,
     chat: f.chat || null,
     user: f.user || null,
     project: f.project || null,
+    name: f.name || null,
+    username: f.username || null,
+    role: f.role || null,
+    // List / pagination
     limit: f.limit,
     count: f.count || f.n || null,
     timeoutSeconds: f.timeoutSeconds,
     file: f.file || null,
+    // RBAC / access
+    level: f.level || null,
+    permission: f.permission || null,
+    grant: !!f.grant,
+    revoke: !!f.revoke,
+    reason: f.reason || null,
+    // Slow queries
+    timeRange: f.timeRange || null,
+    thresholdMs: f.thresholdMs || null,
+    queryId: f.queryId || null,
+    queryText: f.queryText || null,
+    sampleQuery: f.sampleQuery || null,
+    historyId: f.historyId || null,
+    // Setup wizard
+    force: !!f.force,
+    skipEmail: !!f.skipEmail,
+    skipSlack: !!f.skipSlack,
+    skipComplete: !!f.skipComplete,
+    // Confirmations
+    yes: !!f.yes || !!f.y,
   };
 }

package/src/commands/_users.js ADDED Viewed

@@ -0,0 +1,55 @@
+"use strict";
+/**
+ * Resolve a user reference (numeric id, email, or username) to a {id, email,
+ * username, role, ...} record.
+ *
+ * Backend `GET /admin/users` returns the full list, so we fetch once per
+ * invocation and match locally. Cheap for typical org sizes.
+ */
+const { request } = require("../api/client");
+let cachedUsers = null;
+async function listUsers(session) {
+  if (cachedUsers) return cachedUsers;
+  cachedUsers = await request(session.baseUrl, "/admin/users", { token: session.token });
+  if (!Array.isArray(cachedUsers)) cachedUsers = [];
+  return cachedUsers;
+}
+function clearUserCache() {
+  cachedUsers = null;
+}
+async function resolveUser(session, ref) {
+  if (ref == null || String(ref).trim() === "") {
+    throw new Error("Pass a user email, username, or numeric id.");
+  }
+  const trimmed = String(ref).trim();
+  // Numeric id — short-circuit if list isn't already cached.
+  if (/^\d+$/.test(trimmed)) {
+    const users = await listUsers(session);
+    const hit = users.find((u) => String(u.id) === trimmed);
+    if (hit) return hit;
+    throw new Error(`User id ${trimmed} not found.`);
+  }
+  const users = await listUsers(session);
+  const lower = trimmed.toLowerCase();
+  const exactEmail = users.find((u) => (u.email || "").toLowerCase() === lower);
+  if (exactEmail) return exactEmail;
+  const exactUsername = users.find((u) => (u.username || "").toLowerCase() === lower);
+  if (exactUsername) return exactUsername;
+  const available = users
+    .map((u) => u.email || u.username)
+    .filter(Boolean)
+    .slice(0, 20);
+  const hint = available.length ? ` Available: ${available.join(", ")}.` : "";
+  throw new Error(`User "${trimmed}" not found.${hint}`);
+}
+module.exports = { listUsers, resolveUser, clearUserCache };

package/src/commands/access.js ADDED Viewed

@@ -0,0 +1,225 @@
+"use strict";
+/**
+ * `deepsql access` — per-connection access grants and chat-policy editing.
+ *
+ *   deepsql access list --user <ref>            → connections this user can see
+ *   deepsql access list --connection <name>     → users who can see this connection
+ *   deepsql access grant --user <ref> --connection <name> --level read|write|admin
+ *   deepsql access revoke --user <ref> --connection <name>
+ *   deepsql access policy <user> <connection>   → opens $EDITOR with the
+ *     plain-English chat policy; on save, validates via the preview endpoint
+ *     and PUTs the result.
+ */
+const { ApiError, request } = require("../api/client");
+const { resolveSession } = require("./_session");
+const { resolveUser } = require("./_users");
+const { resolveConnectionId, listConnections } = require("./_connections");
+const { editText } = require("../ui/editor");
+const SUBCOMMANDS = {
+  list: cmdList,
+  grant: cmdGrant,
+  revoke: cmdRevoke,
+  policy: cmdPolicy,
+};
+async function run(opts, io = {}) {
+  const sub = opts.positional[0];
+  if (!sub) throw new Error("Usage: deepsql access <list|grant|revoke|policy> ...");
+  const handler = SUBCOMMANDS[sub];
+  if (!handler) throw new Error(`Unknown access subcommand: ${sub}.`);
+  return wrap(handler)(
+    { ...opts, positional: opts.positional.slice(1) },
+    io,
+  );
+}
+function wrap(handler) {
+  return async (opts, io) => {
+    try {
+      return await handler(opts, io);
+    } catch (err) {
+      if (err instanceof ApiError && err.status === 403) {
+        throw new Error("Access denied — managing access requires ADMIN role.");
+      }
+      throw err;
+    }
+  };
+}
+// ─── list ──────────────────────────────────────────────────────────────────
+async function cmdList(opts, { stdout = process.stdout } = {}) {
+  const session = resolveSession(opts);
+  if (opts.user) {
+    const user = await resolveUser(session, opts.user);
+    const grants = await request(session.baseUrl, `/admin/users/${user.id}/connection-access`, {
+      token: session.token,
+    });
+    if (opts.json) {
+      stdout.write(`${JSON.stringify(grants, null, 2)}\n`);
+      return;
+    }
+    if (!Array.isArray(grants) || grants.length === 0) {
+      stdout.write(`${user.email || user.username} has no connection grants.\n`);
+      return;
+    }
+    printGrants(stdout, grants, "user");
+    return;
+  }
+  if (opts.connection) {
+    const connectionId = await resolveConnectionId(session, opts.connection);
+    const grants = await request(
+      session.baseUrl,
+      `/admin/connections/${encodeURIComponent(connectionId)}/connection-access`,
+      { token: session.token },
+    );
+    if (opts.json) {
+      stdout.write(`${JSON.stringify(grants, null, 2)}\n`);
+      return;
+    }
+    if (!Array.isArray(grants) || grants.length === 0) {
+      stdout.write(`No grants on ${opts.connection}.\n`);
+      return;
+    }
+    printGrants(stdout, grants, "connection");
+    return;
+  }
+  throw new Error("Pass --user <ref> or --connection <name>.");
+}
+// ─── grant ─────────────────────────────────────────────────────────────────
+async function cmdGrant(opts, { stdout = process.stdout } = {}) {
+  if (!opts.user) throw new Error("--user <ref> is required.");
+  if (!opts.connection) throw new Error("--connection <name> is required.");
+  const level = (opts.level || "READ").toUpperCase();
+  if (!["READ", "WRITE", "ADMIN"].includes(level)) {
+    throw new Error(`Invalid --level "${level}". Pick read, write, or admin.`);
+  }
+  const session = resolveSession(opts);
+  const user = await resolveUser(session, opts.user);
+  const connectionId = await resolveConnectionId(session, opts.connection);
+  await request(
+    session.baseUrl,
+    `/admin/users/${user.id}/connection-access/${encodeURIComponent(connectionId)}`,
+    {
+      method: "PUT",
+      token: session.token,
+      json: { accessLevel: level },
+    },
+  );
+  stdout.write(
+    `Granted ${level} on ${opts.connection} to ${user.email || user.username}.\n`,
+  );
+}
+// ─── revoke ────────────────────────────────────────────────────────────────
+async function cmdRevoke(opts, { stdout = process.stdout } = {}) {
+  if (!opts.user) throw new Error("--user <ref> is required.");
+  if (!opts.connection) throw new Error("--connection <name> is required.");
+  const session = resolveSession(opts);
+  const user = await resolveUser(session, opts.user);
+  const connectionId = await resolveConnectionId(session, opts.connection);
+  await request(
+    session.baseUrl,
+    `/admin/users/${user.id}/connection-access/${encodeURIComponent(connectionId)}`,
+    { method: "DELETE", token: session.token },
+  );
+  stdout.write(`Revoked ${opts.connection} for ${user.email || user.username}.\n`);
+}
+// ─── policy ────────────────────────────────────────────────────────────────
+const POLICY_HEADER =
+  "# Plain-English chat access policy. Lines starting with # are kept as-is —\n" +
+  "# DeepSQL doesn't strip them. Save and quit to commit; quit without changes\n" +
+  "# (e.g. :cq in vi) to abort.";
+async function cmdPolicy(opts, { stdout = process.stdout, stderr = process.stderr } = {}) {
+  const userRef = opts.positional[0];
+  const connRef = opts.positional[1];
+  if (!userRef || !connRef) {
+    throw new Error("Usage: deepsql access policy <user> <connection>");
+  }
+  const session = resolveSession(opts);
+  const user = await resolveUser(session, userRef);
+  const connectionId = await resolveConnectionId(session, connRef);
+  const existing = await request(
+    session.baseUrl,
+    `/admin/users/${user.id}/connection-access/${encodeURIComponent(connectionId)}/chat-policy`,
+    { token: session.token },
+  );
+  const initial = (existing && existing.plainEnglishPolicy) || "";
+  stderr.write(
+    `Editing policy for ${user.email || user.username} on ${connRef}…\n`,
+  );
+  const { content, changed } = await editText(initial, {
+    suffix: ".policy.md",
+    header: POLICY_HEADER,
+  });
+  if (!changed) {
+    stderr.write("No changes.\n");
+    return;
+  }
+  // Validate via preview before committing.
+  const preview = await request(session.baseUrl, "/admin/connection-chat-policies/preview", {
+    method: "POST",
+    token: session.token,
+    json: { connectionId, plainEnglishPolicy: content },
+  });
+  if (preview && preview.error) {
+    throw new Error(`Policy preview rejected: ${preview.error}`);
+  }
+  const saved = await request(
+    session.baseUrl,
+    `/admin/users/${user.id}/connection-access/${encodeURIComponent(connectionId)}/chat-policy`,
+    {
+      method: "PUT",
+      token: session.token,
+      json: { plainEnglishPolicy: content, active: true },
+    },
+  );
+  stdout.write(`Saved policy for ${user.email || user.username} on ${connRef}.\n`);
+  if (opts.json) {
+    stdout.write(`${JSON.stringify(saved, null, 2)}\n`);
+  }
+}
+// ─── helpers ───────────────────────────────────────────────────────────────
+function printGrants(stdout, grants, mode) {
+  const rows = grants.map((g) => ({
+    a: mode === "user" ? (g.connectionName || g.connectionId || "") : (g.email || g.username || ""),
+    level: (g.accessLevel || g.level || "").toUpperCase(),
+    grantedBy: g.grantedBy || "",
+  }));
+  const headerA = mode === "user" ? "CONNECTION" : "USER";
+  const widthA = Math.max(headerA.length, ...rows.map((r) => r.a.length));
+  const widthLevel = Math.max("LEVEL".length, ...rows.map((r) => r.level.length));
+  const widthGrantedBy = Math.max("GRANTED BY".length, ...rows.map((r) => r.grantedBy.length));
+  stdout.write(
+    `${headerA.padEnd(widthA)}  ${"LEVEL".padEnd(widthLevel)}  ${"GRANTED BY".padEnd(widthGrantedBy)}\n` +
+      `${"-".repeat(widthA)}  ${"-".repeat(widthLevel)}  ${"-".repeat(widthGrantedBy)}\n`,
+  );
+  for (const r of rows) {
+    stdout.write(`${r.a.padEnd(widthA)}  ${r.level.padEnd(widthLevel)}  ${r.grantedBy.padEnd(widthGrantedBy)}\n`);
+  }
+}
+// listConnections used in __mocks elsewhere; expose for tests if needed
+module.exports = { run, _internal: { listConnections } };

package/src/commands/admin.test.js ADDED Viewed

@@ -0,0 +1,135 @@
+"use strict";
+const test = require("node:test");
+const assert = require("node:assert/strict");
+const { parseArgs, buildOpts } = require("../cli");
+function opts(argv) {
+  return buildOpts(parseArgs(argv));
+}
+// users -----------------------------------------------------------------------
+test("users add positional email + role/name flags", () => {
+  const o = opts(["add", "x@y.com", "--role", "DEVELOPER", "--name", "X"]);
+  assert.deepEqual(o.positional, ["add", "x@y.com"]);
+  assert.equal(o.role, "DEVELOPER");
+  assert.equal(o.name, "X");
+});
+test("users delete --yes flag", () => {
+  const o = opts(["delete", "alice@x.com", "--yes"]);
+  assert.equal(o.yes, true);
+  assert.deepEqual(o.positional, ["delete", "alice@x.com"]);
+});
+test("users reset-password --password-stdin flag", () => {
+  const o = opts(["reset-password", "alice@x.com", "--password-stdin"]);
+  assert.equal(o.passwordStdin, true);
+  assert.equal(o.password, null); // stays null since it's a separate flag
+});
+// access ----------------------------------------------------------------------
+test("access grant requires user/connection/level", () => {
+  const o = opts([
+    "grant",
+    "--user",
+    "alice@x.com",
+    "--connection",
+    "mylocalpg",
+    "--level",
+    "read",
+  ]);
+  assert.equal(o.user, "alice@x.com");
+  assert.equal(o.connection, "mylocalpg");
+  assert.equal(o.level, "read");
+});
+test("access policy passes positional user + connection", () => {
+  const o = opts(["policy", "alice@x.com", "mylocalpg"]);
+  assert.deepEqual(o.positional, ["policy", "alice@x.com", "mylocalpg"]);
+});
+// permissions -----------------------------------------------------------------
+test("permissions override --grant + --reason", () => {
+  const o = opts([
+    "override",
+    "--role",
+    "DEVELOPER",
+    "--permission",
+    "USE_CHAT",
+    "--grant",
+    "--reason",
+    "Beta access",
+  ]);
+  assert.equal(o.role, "DEVELOPER");
+  assert.equal(o.permission, "USE_CHAT");
+  assert.equal(o.grant, true);
+  assert.equal(o.revoke, false);
+  assert.equal(o.reason, "Beta access");
+});
+test("permissions override --revoke flips to revoke", () => {
+  const o = opts(["override", "--role", "DEVELOPER", "--permission", "USE_CHAT", "--revoke"]);
+  assert.equal(o.grant, false);
+  assert.equal(o.revoke, true);
+});
+// slow-queries ----------------------------------------------------------------
+test("slow-queries history N positional", () => {
+  const o = opts(["history", "--connection", "mylocalpg", "5"]);
+  assert.deepEqual(o.positional, ["history", "5"]);
+  assert.equal(o.connection, "mylocalpg");
+});
+test("slow-queries analyze flags", () => {
+  const o = opts([
+    "analyze",
+    "--connection",
+    "mylocalpg",
+    "--time-range",
+    "LAST_HOUR",
+    "--threshold-ms",
+    "200",
+    "--limit",
+    "20",
+  ]);
+  assert.equal(o.timeRange, "LAST_HOUR");
+  assert.equal(o.thresholdMs, "200");
+  assert.equal(o.limit, "20");
+});
+test("slow-queries optimize uses --query-id", () => {
+  const o = opts(["optimize", "--connection", "mylocalpg", "--query-id", "q-123"]);
+  assert.equal(o.queryId, "q-123");
+});
+test("slow-queries delete --history-id with --yes", () => {
+  const o = opts(["delete", "--history-id", "42", "--yes"]);
+  assert.equal(o.historyId, "42");
+  assert.equal(o.yes, true);
+});
+// setup -----------------------------------------------------------------------
+test("setup --force --skip-email", () => {
+  const o = opts(["--force", "--skip-email"]);
+  assert.equal(o.force, true);
+  assert.equal(o.skipEmail, true);
+});
+// password flag stays a flag for login + value for users -----------------------
+test("--password alone (login flow) leaves password truthy", () => {
+  const o = opts(["--password"]);
+  assert.equal(!!o.password, true);
+});
+test("--password=secret keeps the string value (still truthy)", () => {
+  const o = opts(["--password=secret"]);
+  assert.equal(o.password, "secret");
+});

package/src/commands/permissions.js ADDED Viewed

@@ -0,0 +1,149 @@
+"use strict";
+/**
+ * `deepsql permissions` — global role-based permission overrides.
+ *
+ *   deepsql permissions list [--role <r>] [--json]
+ *   deepsql permissions override --role <r> --permission <p> --grant|--revoke [--reason "..."]
+ *   deepsql permissions reset --role <r> --permission <p>
+ *
+ * Backed by /permissions/** (overrides require ROLE_ADMIN).
+ */
+const { ApiError, request } = require("../api/client");
+const { resolveSession } = require("./_session");
+const SUBCOMMANDS = {
+  list: cmdList,
+  override: cmdOverride,
+  reset: cmdReset,
+};
+async function run(opts, io = {}) {
+  const sub = opts.positional[0];
+  if (!sub) throw new Error("Usage: deepsql permissions <list|override|reset> ...");
+  const handler = SUBCOMMANDS[sub];
+  if (!handler) throw new Error(`Unknown permissions subcommand: ${sub}.`);
+  return wrap(handler)(
+    { ...opts, positional: opts.positional.slice(1) },
+    io,
+  );
+}
+function wrap(handler) {
+  return async (opts, io) => {
+    try {
+      return await handler(opts, io);
+    } catch (err) {
+      if (err instanceof ApiError && err.status === 403) {
+        throw new Error("Access denied — managing permissions requires ADMIN role.");
+      }
+      throw err;
+    }
+  };
+}
+// ─── list ──────────────────────────────────────────────────────────────────
+async function cmdList(opts, { stdout = process.stdout } = {}) {
+  const session = resolveSession(opts);
+  const [registry, roles, overrides] = await Promise.all([
+    request(session.baseUrl, "/permissions/registry", { token: session.token }),
+    request(session.baseUrl, "/permissions/roles", { token: session.token }),
+    request(session.baseUrl, "/permissions/overrides", { token: session.token }),
+  ]);
+  if (opts.json) {
+    stdout.write(`${JSON.stringify({ registry, roles, overrides }, null, 2)}\n`);
+    return;
+  }
+  const roleList = Array.isArray(roles) ? roles : roles?.roles || [];
+  const overrideList = Array.isArray(overrides) ? overrides : overrides?.overrides || [];
+  if (opts.role) {
+    const wanted = String(opts.role).toUpperCase();
+    const role = roleList.find(
+      (r) => (r.code || r.role || r.name || "").toUpperCase() === wanted,
+    );
+    if (!role) {
+      const available = roleList.map((r) => r.code || r.role || r.name).filter(Boolean).join(", ");
+      throw new Error(`Role "${opts.role}" not found. Available: ${available}.`);
+    }
+    const code = role.code || role.role || role.name;
+    stdout.write(`${code} permissions (effective):\n`);
+    const perms = role.effectivePermissions || role.permissions || [];
+    for (const p of perms) {
+      stdout.write(`  - ${typeof p === "string" ? p : p.code || p.name}\n`);
+    }
+    return;
+  }
+  if (overrideList.length === 0) {
+    stdout.write("No active overrides — every role has its default permissions.\n");
+  } else {
+    stdout.write("Active overrides:\n");
+    for (const o of overrideList) {
+      const role = o.role || "";
+      const perm = o.permissionCode || o.permission || "";
+      const granted = o.granted ? "GRANT" : "REVOKE";
+      const reason = o.reason ? ` — ${o.reason}` : "";
+      stdout.write(`  ${role.padEnd(12)} ${granted.padEnd(7)} ${perm}${reason}\n`);
+    }
+  }
+  if (roleList.length > 0) {
+    stdout.write("\nRoles:\n");
+    for (const r of roleList) {
+      const name = r.code || r.role || r.name || "?";
+      const count = (r.effectivePermissions || r.permissions || []).length;
+      stdout.write(`  ${name.padEnd(12)} ${count} permission(s)\n`);
+    }
+    stdout.write("\nUse `--role <NAME>` to see one role's full permission list.\n");
+  }
+}
+// ─── override ──────────────────────────────────────────────────────────────
+async function cmdOverride(opts, { stdout = process.stdout } = {}) {
+  if (!opts.role) throw new Error("--role <ROLE> is required.");
+  if (!opts.permission) throw new Error("--permission <PERMISSION> is required.");
+  if (!opts.grant && !opts.revoke) {
+    throw new Error("Pass --grant or --revoke.");
+  }
+  if (opts.grant && opts.revoke) {
+    throw new Error("--grant and --revoke are mutually exclusive.");
+  }
+  const granted = !!opts.grant;
+  const session = resolveSession(opts);
+  const result = await request(session.baseUrl, "/permissions/overrides", {
+    method: "POST",
+    token: session.token,
+    json: {
+      role: String(opts.role).toUpperCase(),
+      permission: String(opts.permission).toUpperCase(),
+      granted,
+      reason: opts.reason || null,
+    },
+  });
+  stdout.write(`${result?.message || "Override applied."}\n`);
+}
+// ─── reset ─────────────────────────────────────────────────────────────────
+async function cmdReset(opts, { stdout = process.stdout } = {}) {
+  if (!opts.role) throw new Error("--role <ROLE> is required.");
+  if (!opts.permission) throw new Error("--permission <PERMISSION> is required.");
+  const session = resolveSession(opts);
+  const result = await request(session.baseUrl, "/permissions/overrides", {
+    method: "DELETE",
+    token: session.token,
+    json: {
+      role: String(opts.role).toUpperCase(),
+      permission: String(opts.permission).toUpperCase(),
+    },
+  });
+  stdout.write(`${result?.message || "Override removed."}\n`);
+}
+module.exports = { run };