@gopherhole/cli 0.4.1 → 0.6.0

package/src/index.ts

@@ -20,7 +20,7 @@ const brand = {
 };
 
 // Version
-const VERSION = '0.4.1';
+const VERSION = '0.6.0';
 
 // ========== API KEY RESOLUTION ==========
 // Precedence: --api-key flag > GOPHERHOLE_API_KEY env var > .env file in cwd
@@ -968,6 +968,9 @@ ${chalk.bold('Examples:')}
   $ gopherhole agents config agent-abc123 --no-auto-approve
   $ gopherhole agents config agent-abc123 --price 0.01 --price-unit request
   $ gopherhole agents config agent-abc123 --visibility public
+  $ gopherhole agents config agent-abc123 --alias support
+  $ gopherhole agents config agent-abc123 --email-enabled
+  $ gopherhole agents config agent-abc123 --no-email-enabled
 `)
   .option('--auto-approve', 'Enable auto-approve (instant access for marketplace)')
   .option('--no-auto-approve', 'Disable auto-approve (require manual approval)')
@@ -978,6 +981,9 @@ ${chalk.bold('Examples:')}
   .option('--category <category>', 'Set category')
   .option('--tags <tags>', 'Set tags (comma-separated)')
   .option('--description <text>', 'Update description')
+  .option('--alias <alias>', 'Set email alias (<alias>[.<tenant-slug>]@gopherhole.io). Triggers 30-day grace redirect from the previous alias if email is enabled')
+  .option('--email-enabled', 'Enable inbound + outbound email for this agent (requires an alias)')
+  .option('--no-email-enabled', 'Disable email for this agent (inbound rejects with 550, Postie refuses to send)')
   .action(async (agentId, options) => {
     const sessionId = config.get('sessionId') as string;
     if (!sessionId) {
@@ -1021,29 +1027,71 @@ ${chalk.bold('Examples:')}
       body.description = options.description;
     }
 
-    if (Object.keys(body).length === 0) {
+    const aliasChange: string | undefined = options.alias;
+    const emailEnabledChange: boolean | undefined = options.emailEnabled;
+
+    if (Object.keys(body).length === 0 && aliasChange === undefined && emailEnabledChange === undefined) {
       console.log(chalk.yellow('No changes specified.'));
       console.log(chalk.gray('Use --help to see available options.'));
       return;
     }
 
     const spinner = ora('Updating agent config...').start();
-    log('PATCH /agents/' + agentId, body);
 
     try {
-      const res = await fetch(`${API_URL}/agents/${agentId}`, {
-        method: 'PATCH',
-        headers: {
-          'Content-Type': 'application/json',
-          'X-Session-ID': sessionId,
-        },
-        body: JSON.stringify(body),
-      });
+      if (Object.keys(body).length > 0) {
+        log('PATCH /agents/' + agentId, body);
+        const res = await fetch(`${API_URL}/agents/${agentId}`, {
+          method: 'PATCH',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Session-ID': sessionId,
+          },
+          body: JSON.stringify(body),
+        });
 
-      if (!res.ok) {
-        const err = await res.json();
-        logError('config', err);
-        throw new Error(err.error || 'Failed to update agent');
+        if (!res.ok) {
+          const err = await res.json();
+          logError('config', err);
+          throw new Error(err.error || 'Failed to update agent');
+        }
+      }
+
+      // Alias rename has its own endpoint because it also writes the
+      // 30-day grace redirect into agent_alias_history.
+      if (aliasChange !== undefined) {
+        log('PATCH /agents/' + agentId + '/alias', { alias: aliasChange });
+        const res = await fetch(`${API_URL}/agents/${agentId}/alias`, {
+          method: 'PATCH',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Session-ID': sessionId,
+          },
+          body: JSON.stringify({ alias: aliasChange }),
+        });
+        if (!res.ok) {
+          const err = await res.json().catch(() => ({ error: `HTTP ${res.status}` }));
+          logError('alias', err);
+          throw new Error((err as { error?: string }).error || 'Failed to set alias');
+        }
+      }
+
+      // Email toggle is a dedicated endpoint that enforces alias-first.
+      if (emailEnabledChange !== undefined) {
+        log('PATCH /agents/' + agentId + '/email-enabled', { enabled: emailEnabledChange });
+        const res = await fetch(`${API_URL}/agents/${agentId}/email-enabled`, {
+          method: 'PATCH',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Session-ID': sessionId,
+          },
+          body: JSON.stringify({ enabled: emailEnabledChange }),
+        });
+        if (!res.ok) {
+          const err = await res.json().catch(() => ({ error: `HTTP ${res.status}` }));
+          logError('email-enabled', err);
+          throw new Error((err as { error?: string }).error || 'Failed to toggle email');
+        }
       }
 
       spinner.succeed('Agent config updated');
@@ -1073,6 +1121,12 @@ ${chalk.bold('Examples:')}
         const desc = body.description as string;
         changes.push(`  Description: ${chalk.gray(desc.slice(0, 50))}${desc.length > 50 ? '...' : ''}`);
       }
+      if (aliasChange !== undefined) {
+        changes.push(`  Alias: ${brand.green(aliasChange)}`);
+      }
+      if (emailEnabledChange !== undefined) {
+        changes.push(`  Email: ${emailEnabledChange ? brand.green('enabled 📬') : chalk.gray('disabled')}`);
+      }
 
       if (changes.length > 0) {
         console.log('');
@@ -3105,5 +3159,613 @@ wsMembers
     }
   });
 
+// ========== KEYS COMMAND ==========
+
+const keys = program
+  .command('keys')
+  .description(`Manage API keys
+
+${chalk.bold('Examples:')}
+  $ gopherhole keys list
+  $ gopherhole keys create --name "prod" --agent agent-abc123
+  $ gopherhole keys delete key-abc123
+`);
+
+keys
+  .command('list')
+  .description('List all API keys on the tenant')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching API keys...').start();
+    try {
+      const res = await fetch(`${API_URL}/api-keys`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch API keys');
+      const data = await res.json() as { keys: any[] };
+      const keysList = Array.isArray(data) ? data : data.keys || [];
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(keysList, null, 2)); return; }
+      if (keysList.length === 0) { console.log(chalk.yellow('\nNo API keys found.\n')); return; }
+
+      console.log(chalk.bold('\nAPI Keys:\n'));
+      for (const k of keysList) {
+        console.log(`  ${chalk.cyan(k.id)} — ${k.name || 'unnamed'}`);
+        console.log(`    Agent: ${k.agentId || k.agent_id || 'none'} | Prefix: ${chalk.gray(k.prefix || '???')} | Scopes: ${k.scopes?.join(', ') || 'default'}`);
+        console.log('');
+      }
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+keys
+  .command('create')
+  .description('Create a new API key')
+  .requiredOption('--name <name>', 'Human-readable label for this key')
+  .requiredOption('--agent <agentId>', 'The agent this key authenticates as')
+  .option('--scopes <scopes>', 'Comma-separated scopes (e.g., "messages:send,memory:read")')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Creating API key...').start();
+    try {
+      const body: any = { name: options.name, agentId: options.agent };
+      if (options.scopes) body.scopes = options.scopes.split(',').map((s: string) => s.trim());
+      const res = await fetch(`${API_URL}/api-keys`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to create key'); }
+      const data = await res.json() as any;
+      spinner.succeed('API key created!');
+      console.log('');
+      console.log(`  ID:  ${chalk.cyan(data.id)}`);
+      console.log(`  Key: ${brand.green(data.key || data.secret)}`);
+      console.log('');
+      console.log(chalk.yellow('  Store this key securely — it will not be shown again.'));
+      console.log('');
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+keys
+  .command('delete <keyId>')
+  .description('Revoke and delete an API key')
+  .option('-y, --yes', 'Skip confirmation')
+  .action(async (keyId, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    if (!options.yes) {
+      const { confirm } = await inquirer.prompt([{
+        type: 'confirm', name: 'confirm', message: `Permanently revoke key ${keyId}?`, default: false,
+      }]);
+      if (!confirm) { console.log(chalk.gray('Cancelled.')); return; }
+    }
+
+    const spinner = ora('Revoking key...').start();
+    try {
+      const res = await fetch(`${API_URL}/api-keys/${keyId}`, {
+        method: 'DELETE',
+        headers: { 'X-Session-ID': sessionId },
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to delete key'); }
+      spinner.succeed(`Key ${chalk.cyan(keyId)} revoked and deleted.`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== TEAM COMMAND ==========
+
+const team = program
+  .command('team')
+  .description(`Manage team members
+
+${chalk.bold('Examples:')}
+  $ gopherhole team list
+  $ gopherhole team invite user@example.com --role admin
+  $ gopherhole team remove member-abc123
+`);
+
+team
+  .command('list')
+  .description('List team members')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching team...').start();
+    try {
+      const res = await fetch(`${API_URL}/team/members`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch team');
+      const data = await res.json() as any;
+      const members = Array.isArray(data) ? data : data.members || [];
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(members, null, 2)); return; }
+      if (members.length === 0) { console.log(chalk.yellow('\nNo team members.\n')); return; }
+
+      console.log(chalk.bold('\nTeam Members:\n'));
+      for (const m of members) {
+        const role = m.role === 'admin' ? chalk.red(m.role) : chalk.gray(m.role);
+        console.log(`  ${chalk.bold(m.name || m.email)} (${chalk.cyan(m.id)})`);
+        console.log(`    Role: ${role}${m.joinedAt ? ` | Joined: ${m.joinedAt}` : ''}`);
+        console.log('');
+      }
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+team
+  .command('invite <email>')
+  .description('Invite someone to your tenant')
+  .option('--role <role>', 'Role: admin, member, viewer (default: member)')
+  .action(async (email, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora(`Sending invite to ${email}...`).start();
+    try {
+      const body: any = { email };
+      if (options.role) body.role = options.role;
+      const res = await fetch(`${API_URL}/team/invites`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to send invite'); }
+      spinner.succeed(`Invitation sent to ${chalk.cyan(email)} with role: ${options.role || 'member'}`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+team
+  .command('remove <memberId>')
+  .description('Remove a team member')
+  .option('-y, --yes', 'Skip confirmation')
+  .action(async (memberId, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    if (!options.yes) {
+      const { confirm } = await inquirer.prompt([{
+        type: 'confirm', name: 'confirm', message: `Remove team member ${memberId}?`, default: false,
+      }]);
+      if (!confirm) { console.log(chalk.gray('Cancelled.')); return; }
+    }
+
+    const spinner = ora('Removing member...').start();
+    try {
+      const res = await fetch(`${API_URL}/team/members/${memberId}`, {
+        method: 'DELETE',
+        headers: { 'X-Session-ID': sessionId },
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to remove member'); }
+      spinner.succeed(`Team member ${chalk.cyan(memberId)} removed.`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== USAGE COMMAND ==========
+
+const usage = program
+  .command('usage')
+  .description(`View usage statistics
+
+${chalk.bold('Examples:')}
+  $ gopherhole usage summary
+  $ gopherhole usage summary --period week
+  $ gopherhole usage agents
+`);
+
+usage
+  .command('summary')
+  .description('Get high-level usage overview')
+  .option('--period <period>', 'Time window: day, week, month (default: month)')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching usage...').start();
+    try {
+      const params = new URLSearchParams();
+      if (options.period) params.set('period', options.period);
+      const qs = params.toString() ? `?${params}` : '';
+      const res = await fetch(`${API_URL}/usage/summary${qs}`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch usage');
+      const data = await res.json();
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(data, null, 2)); return; }
+
+      console.log(chalk.bold(`\nUsage Summary (${options.period || 'month'}):\n`));
+      const d = data as any;
+      if (d.messagesSent !== undefined) console.log(`  Messages Sent:     ${brand.green(d.messagesSent)}`);
+      if (d.messagesReceived !== undefined) console.log(`  Messages Received: ${brand.green(d.messagesReceived)}`);
+      if (d.tasksCreated !== undefined) console.log(`  Tasks Created:     ${brand.green(d.tasksCreated)}`);
+      if (d.connections !== undefined) console.log(`  Connections:       ${brand.green(d.connections)}`);
+      if (d.creditsUsed !== undefined) console.log(`  Credits Used:      ${brand.green(d.creditsUsed)}`);
+      console.log('');
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+usage
+  .command('agents')
+  .description('Per-agent usage breakdown')
+  .option('--period <period>', 'Time window: day, week, month (default: month)')
+  .option('--limit <n>', 'Max agents to show (default: 20)')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching per-agent usage...').start();
+    try {
+      const params = new URLSearchParams();
+      if (options.period) params.set('period', options.period);
+      if (options.limit) params.set('limit', options.limit);
+      const qs = params.toString() ? `?${params}` : '';
+      const res = await fetch(`${API_URL}/usage/agents${qs}`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch agent usage');
+      const data = await res.json() as any;
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(data, null, 2)); return; }
+
+      const agents = Array.isArray(data) ? data : data.agents || [];
+      if (agents.length === 0) { console.log(chalk.yellow('\nNo usage data.\n')); return; }
+
+      console.log(chalk.bold(`\nPer-Agent Usage (${options.period || 'month'}):\n`));
+      for (const a of agents) {
+        console.log(`  ${chalk.bold(a.name || a.agentId)} (${chalk.cyan(a.agentId || a.id)})`);
+        if (a.messages !== undefined) console.log(`    Messages: ${a.messages}`);
+        if (a.tasks !== undefined) console.log(`    Tasks: ${a.tasks}`);
+        if (a.credits !== undefined) console.log(`    Credits: ${a.credits}`);
+        console.log('');
+      }
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== WEBHOOKS COMMAND ==========
+
+const webhooks = program
+  .command('webhooks')
+  .description(`Manage webhooks
+
+${chalk.bold('Examples:')}
+  $ gopherhole webhooks list
+  $ gopherhole webhooks create --url https://example.com/hook --events message.received,task.completed
+  $ gopherhole webhooks delete wh-abc123
+  $ gopherhole webhooks test wh-abc123
+`);
+
+webhooks
+  .command('list')
+  .description('List configured webhooks')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching webhooks...').start();
+    try {
+      const res = await fetch(`${API_URL}/webhooks`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch webhooks');
+      const data = await res.json() as any;
+      const hooks = Array.isArray(data) ? data : data.webhooks || [];
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(hooks, null, 2)); return; }
+      if (hooks.length === 0) { console.log(chalk.yellow('\nNo webhooks configured.\n')); return; }
+
+      console.log(chalk.bold('\nWebhooks:\n'));
+      for (const h of hooks) {
+        console.log(`  ${chalk.cyan(h.id)} — ${h.url}`);
+        console.log(`    Events: ${h.events?.join(', ') || 'all'}${h.description ? ` | ${chalk.gray(h.description)}` : ''}`);
+        console.log('');
+      }
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+webhooks
+  .command('create')
+  .description('Create a new webhook')
+  .requiredOption('--url <url>', 'HTTPS URL to deliver events to')
+  .requiredOption('--events <events>', 'Comma-separated event types (e.g., "message.received,task.completed")')
+  .option('--description <text>', 'Label for this webhook')
+  .option('--secret <secret>', 'Signing secret for HMAC-SHA256 verification')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Creating webhook...').start();
+    try {
+      const body: any = {
+        url: options.url,
+        events: options.events.split(',').map((e: string) => e.trim()),
+      };
+      if (options.description) body.description = options.description;
+      if (options.secret) body.secret = options.secret;
+      const res = await fetch(`${API_URL}/webhooks`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to create webhook'); }
+      const data = await res.json() as any;
+      spinner.succeed('Webhook created!');
+      console.log(`\n  ID:     ${chalk.cyan(data.id)}`);
+      console.log(`  URL:    ${data.url || options.url}`);
+      console.log(`  Events: ${body.events.join(', ')}\n`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+webhooks
+  .command('delete <webhookId>')
+  .description('Delete a webhook')
+  .option('-y, --yes', 'Skip confirmation')
+  .action(async (webhookId, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    if (!options.yes) {
+      const { confirm } = await inquirer.prompt([{
+        type: 'confirm', name: 'confirm', message: `Delete webhook ${webhookId}?`, default: false,
+      }]);
+      if (!confirm) { console.log(chalk.gray('Cancelled.')); return; }
+    }
+
+    const spinner = ora('Deleting webhook...').start();
+    try {
+      const res = await fetch(`${API_URL}/webhooks/${webhookId}`, {
+        method: 'DELETE',
+        headers: { 'X-Session-ID': sessionId },
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to delete webhook'); }
+      spinner.succeed(`Webhook ${chalk.cyan(webhookId)} deleted.`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+webhooks
+  .command('test <webhookId>')
+  .description('Send a test event to a webhook')
+  .action(async (webhookId) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Sending test event...').start();
+    try {
+      const res = await fetch(`${API_URL}/webhooks/${webhookId}/test`, {
+        method: 'POST',
+        headers: { 'X-Session-ID': sessionId },
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to test webhook'); }
+      const data = await res.json() as any;
+      spinner.succeed(`Test event sent. Response: ${data.status || data.statusCode || 'delivered'}`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== TENANT COMMAND ==========
+
+const tenant = program
+  .command('tenant')
+  .description(`View and manage tenant settings
+
+${chalk.bold('Examples:')}
+  $ gopherhole tenant settings
+  $ gopherhole tenant update --name "Acme Corp" --slug acme
+`);
+
+tenant
+  .command('settings')
+  .description('View current tenant settings')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching tenant settings...').start();
+    try {
+      const res = await fetch(`${API_URL}/auth/tenant/settings`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch tenant settings');
+      const data = await res.json() as any;
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(data, null, 2)); return; }
+
+      console.log(chalk.bold('\nTenant Settings:\n'));
+      if (data.name) console.log(`  Name:    ${brand.green(data.name)}`);
+      if (data.slug) console.log(`  Slug:    ${chalk.cyan(data.slug)}`);
+      if (data.plan) console.log(`  Plan:    ${data.plan}`);
+      if (data.email) console.log(`  Email:   ${data.email}`);
+      if (data.id) console.log(`  ID:      ${chalk.gray(data.id)}`);
+      console.log('');
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+tenant
+  .command('update')
+  .description('Update tenant name or slug')
+  .option('--name <name>', 'New display name')
+  .option('--slug <slug>', 'New URL-safe slug')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const body: any = {};
+    if (options.name) body.name = options.name;
+    if (options.slug) body.slug = options.slug;
+    if (Object.keys(body).length === 0) {
+      console.log(chalk.yellow('No changes specified. Use --name or --slug.'));
+      return;
+    }
+
+    const spinner = ora('Updating tenant...').start();
+    try {
+      const res = await fetch(`${API_URL}/auth/tenant`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to update tenant'); }
+      spinner.succeed('Tenant updated.');
+      if (body.name) console.log(`  Name: ${brand.green(body.name)}`);
+      if (body.slug) console.log(`  Slug: ${chalk.cyan(body.slug)}`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== PROFILE COMMAND ==========
+
+program
+  .command('profile')
+  .description(`Update your user profile
+
+${chalk.bold('Examples:')}
+  $ gopherhole profile --name "Jane Smith"
+  $ gopherhole profile --avatar https://example.com/photo.jpg
+`)
+  .option('--name <name>', 'Display name')
+  .option('--avatar <url>', 'Avatar image URL')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const body: any = {};
+    if (options.name) body.name = options.name;
+    if (options.avatar) body.avatarUrl = options.avatar;
+    if (Object.keys(body).length === 0) {
+      console.log(chalk.yellow('No changes specified. Use --name or --avatar.'));
+      return;
+    }
+
+    const spinner = ora('Updating profile...').start();
+    try {
+      const res = await fetch(`${API_URL}/auth/me`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to update profile'); }
+      spinner.succeed('Profile updated.');
+      if (body.name) console.log(`  Name: ${brand.green(body.name)}`);
+      if (body.avatarUrl) console.log(`  Avatar: updated`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== SECRETS COMMAND (workspace secrets) ==========
+
+const secrets = program
+  .command('secrets')
+  .description(`Manage workspace secrets
+
+${chalk.bold('Examples:')}
+  $ gopherhole secrets list ws-abc123
+  $ gopherhole secrets set ws-abc123 OPENAI_API_KEY sk-abc...
+  $ gopherhole secrets delete ws-abc123 OPENAI_API_KEY
+`);
+
+secrets
+  .command('list <workspaceId>')
+  .description('List secret keys in a workspace (values are never shown)')
+  .option('--json', 'Output as JSON')
+  .action(async (workspaceId, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching secrets...').start();
+    try {
+      const res = await fetch(`${API_URL}/workspaces/${workspaceId}/secrets`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch secrets');
+      const data = await res.json() as any;
+      const secretsList = Array.isArray(data) ? data : data.secrets || [];
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(secretsList, null, 2)); return; }
+      if (secretsList.length === 0) { console.log(chalk.yellow('\nNo secrets in this workspace.\n')); return; }
+
+      console.log(chalk.bold('\nWorkspace Secrets:\n'));
+      for (const s of secretsList) {
+        console.log(`  ${chalk.cyan(s.key || s.name)}`);
+      }
+      console.log('');
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+secrets
+  .command('set <workspaceId> <key> <value>')
+  .description('Create or update a workspace secret')
+  .action(async (workspaceId, key, value) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora(`Setting secret ${key}...`).start();
+    try {
+      const res = await fetch(`${API_URL}/workspaces/${workspaceId}/secrets`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify({ key, value }),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to set secret'); }
+      spinner.succeed(`Secret ${chalk.cyan(key)} stored.`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+secrets
+  .command('delete <workspaceId> <key>')
+  .description('Delete a workspace secret')
+  .option('-y, --yes', 'Skip confirmation')
+  .action(async (workspaceId, key, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    if (!options.yes) {
+      const { confirm } = await inquirer.prompt([{
+        type: 'confirm', name: 'confirm', message: `Delete secret ${key}?`, default: false,
+      }]);
+      if (!confirm) { console.log(chalk.gray('Cancelled.')); return; }
+    }
+
+    const spinner = ora(`Deleting secret ${key}...`).start();
+    try {
+      const res = await fetch(`${API_URL}/workspaces/${workspaceId}/secrets/${key}`, {
+        method: 'DELETE',
+        headers: { 'X-Session-ID': sessionId },
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to delete secret'); }
+      spinner.succeed(`Secret ${chalk.cyan(key)} deleted.`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== CREDITS COMMAND ==========
+
+program
+  .command('credits')
+  .description(`View credit balance
+
+${chalk.bold('Examples:')}
+  $ gopherhole credits
+`)
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching balance...').start();
+    try {
+      const res = await fetch(`${API_URL}/credits/balance`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch credits');
+      const data = await res.json() as any;
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(data, null, 2)); return; }
+
+      console.log(chalk.bold('\nCredit Balance:\n'));
+      if (data.remaining !== undefined) console.log(`  Remaining:  ${brand.green(data.remaining)}`);
+      if (data.total !== undefined) console.log(`  Total:      ${data.total}`);
+      if (data.used !== undefined) console.log(`  Used:       ${data.used}`);
+      console.log('');
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
 // Parse and run
 program.parse();