@gopherhole/cli 0.5.0 → 0.6.1

package/src/index.ts

@@ -20,7 +20,7 @@ const brand = {
 };
 
 // Version
-const VERSION = '0.4.1';
+const VERSION = '0.6.1';
 
 // ========== API KEY RESOLUTION ==========
 // Precedence: --api-key flag > GOPHERHOLE_API_KEY env var > .env file in cwd
@@ -2807,6 +2807,70 @@ ${chalk.bold('Examples:')}
     }
   });
 
+// ========== REQUEST ACCESS (agent-to-agent via API key) ==========
+
+program
+  .command('request-access <agentId>')
+  .description(`Request access to another agent (agent-to-agent, uses API key)
+
+If the target has auto-approve enabled, access is granted immediately.
+Otherwise it's queued for manual approval by the target tenant.
+
+${chalk.bold('Examples:')}
+  $ gopherhole request-access agent-abc123
+  $ gopherhole request-access agent-abc123 --reason "Need data feed"
+  $ gopherhole request-access agent-abc123 --scopes "messages:send,memory:read"
+`)
+  .option('--api-key <key>', 'API key (overrides env / .env)')
+  .option('--scopes <scopes>', 'Comma-separated scopes to request (default: messages:send)')
+  .option('--reason <text>', 'Reason for the request (shown to target tenant)')
+  .action(async (agentId, options) => {
+    const apiKey = await resolveApiKey(options.apiKey);
+    if (!apiKey) {
+      console.error(chalk.red('No API key found.'));
+      console.error(chalk.gray('Set GOPHERHOLE_API_KEY, pass --api-key, or run gopherhole init'));
+      process.exit(1);
+    }
+
+    const scopes = options.scopes
+      ? options.scopes.split(',').map((s: string) => s.trim())
+      : ['messages:send'];
+
+    const spinner = ora(`Requesting access to ${agentId}...`).start();
+    try {
+      const res = await fetch(`${API_URL}/access/request`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${apiKey}`,
+        },
+        body: JSON.stringify({
+          targetAgentId: agentId,
+          scopes,
+          reason: options.reason,
+        }),
+      });
+
+      if (!res.ok) {
+        const err = await res.json().catch(() => ({}));
+        throw new Error((err as any).error || `HTTP ${res.status}`);
+      }
+
+      const data = await res.json() as { grant: { id: string; status: string } };
+
+      if (data.grant.status === 'approved') {
+        spinner.succeed(`Access granted immediately (auto-approved). You can now message ${chalk.cyan(agentId)}.`);
+      } else {
+        spinner.succeed(`Access request submitted (pending approval).`);
+      }
+      console.log(`  Grant ID: ${chalk.cyan(data.grant.id)}`);
+      console.log(`  Status:   ${data.grant.status}`);
+    } catch (err) {
+      spinner.fail(chalk.red((err as Error).message));
+      process.exit(1);
+    }
+  });
+
 // ========== MEMORY COMMANDS (agent-to-agent via memory agent) ==========
 
 const MEMORY_AGENT = process.env.GOPHERHOLE_MEMORY_AGENT || 'agent-memory-official';
@@ -3159,5 +3223,613 @@ wsMembers
     }
   });
 
+// ========== KEYS COMMAND ==========
+
+const keys = program
+  .command('keys')
+  .description(`Manage API keys
+
+${chalk.bold('Examples:')}
+  $ gopherhole keys list
+  $ gopherhole keys create --name "prod" --agent agent-abc123
+  $ gopherhole keys delete key-abc123
+`);
+
+keys
+  .command('list')
+  .description('List all API keys on the tenant')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching API keys...').start();
+    try {
+      const res = await fetch(`${API_URL}/api-keys`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch API keys');
+      const data = await res.json() as { keys: any[] };
+      const keysList = Array.isArray(data) ? data : data.keys || [];
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(keysList, null, 2)); return; }
+      if (keysList.length === 0) { console.log(chalk.yellow('\nNo API keys found.\n')); return; }
+
+      console.log(chalk.bold('\nAPI Keys:\n'));
+      for (const k of keysList) {
+        console.log(`  ${chalk.cyan(k.id)} — ${k.name || 'unnamed'}`);
+        console.log(`    Agent: ${k.agentId || k.agent_id || 'none'} | Prefix: ${chalk.gray(k.prefix || '???')} | Scopes: ${k.scopes?.join(', ') || 'default'}`);
+        console.log('');
+      }
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+keys
+  .command('create')
+  .description('Create a new API key')
+  .requiredOption('--name <name>', 'Human-readable label for this key')
+  .requiredOption('--agent <agentId>', 'The agent this key authenticates as')
+  .option('--scopes <scopes>', 'Comma-separated scopes (e.g., "messages:send,memory:read")')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Creating API key...').start();
+    try {
+      const body: any = { name: options.name, agentId: options.agent };
+      if (options.scopes) body.scopes = options.scopes.split(',').map((s: string) => s.trim());
+      const res = await fetch(`${API_URL}/api-keys`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to create key'); }
+      const data = await res.json() as any;
+      spinner.succeed('API key created!');
+      console.log('');
+      console.log(`  ID:  ${chalk.cyan(data.id)}`);
+      console.log(`  Key: ${brand.green(data.key || data.secret)}`);
+      console.log('');
+      console.log(chalk.yellow('  Store this key securely — it will not be shown again.'));
+      console.log('');
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+keys
+  .command('delete <keyId>')
+  .description('Revoke and delete an API key')
+  .option('-y, --yes', 'Skip confirmation')
+  .action(async (keyId, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    if (!options.yes) {
+      const { confirm } = await inquirer.prompt([{
+        type: 'confirm', name: 'confirm', message: `Permanently revoke key ${keyId}?`, default: false,
+      }]);
+      if (!confirm) { console.log(chalk.gray('Cancelled.')); return; }
+    }
+
+    const spinner = ora('Revoking key...').start();
+    try {
+      const res = await fetch(`${API_URL}/api-keys/${keyId}`, {
+        method: 'DELETE',
+        headers: { 'X-Session-ID': sessionId },
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to delete key'); }
+      spinner.succeed(`Key ${chalk.cyan(keyId)} revoked and deleted.`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== TEAM COMMAND ==========
+
+const team = program
+  .command('team')
+  .description(`Manage team members
+
+${chalk.bold('Examples:')}
+  $ gopherhole team list
+  $ gopherhole team invite user@example.com --role admin
+  $ gopherhole team remove member-abc123
+`);
+
+team
+  .command('list')
+  .description('List team members')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching team...').start();
+    try {
+      const res = await fetch(`${API_URL}/team/members`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch team');
+      const data = await res.json() as any;
+      const members = Array.isArray(data) ? data : data.members || [];
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(members, null, 2)); return; }
+      if (members.length === 0) { console.log(chalk.yellow('\nNo team members.\n')); return; }
+
+      console.log(chalk.bold('\nTeam Members:\n'));
+      for (const m of members) {
+        const role = m.role === 'admin' ? chalk.red(m.role) : chalk.gray(m.role);
+        console.log(`  ${chalk.bold(m.name || m.email)} (${chalk.cyan(m.id)})`);
+        console.log(`    Role: ${role}${m.joinedAt ? ` | Joined: ${m.joinedAt}` : ''}`);
+        console.log('');
+      }
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+team
+  .command('invite <email>')
+  .description('Invite someone to your tenant')
+  .option('--role <role>', 'Role: admin, member, viewer (default: member)')
+  .action(async (email, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora(`Sending invite to ${email}...`).start();
+    try {
+      const body: any = { email };
+      if (options.role) body.role = options.role;
+      const res = await fetch(`${API_URL}/team/invites`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to send invite'); }
+      spinner.succeed(`Invitation sent to ${chalk.cyan(email)} with role: ${options.role || 'member'}`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+team
+  .command('remove <memberId>')
+  .description('Remove a team member')
+  .option('-y, --yes', 'Skip confirmation')
+  .action(async (memberId, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    if (!options.yes) {
+      const { confirm } = await inquirer.prompt([{
+        type: 'confirm', name: 'confirm', message: `Remove team member ${memberId}?`, default: false,
+      }]);
+      if (!confirm) { console.log(chalk.gray('Cancelled.')); return; }
+    }
+
+    const spinner = ora('Removing member...').start();
+    try {
+      const res = await fetch(`${API_URL}/team/members/${memberId}`, {
+        method: 'DELETE',
+        headers: { 'X-Session-ID': sessionId },
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to remove member'); }
+      spinner.succeed(`Team member ${chalk.cyan(memberId)} removed.`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== USAGE COMMAND ==========
+
+const usage = program
+  .command('usage')
+  .description(`View usage statistics
+
+${chalk.bold('Examples:')}
+  $ gopherhole usage summary
+  $ gopherhole usage summary --period week
+  $ gopherhole usage agents
+`);
+
+usage
+  .command('summary')
+  .description('Get high-level usage overview')
+  .option('--period <period>', 'Time window: day, week, month (default: month)')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching usage...').start();
+    try {
+      const params = new URLSearchParams();
+      if (options.period) params.set('period', options.period);
+      const qs = params.toString() ? `?${params}` : '';
+      const res = await fetch(`${API_URL}/usage/summary${qs}`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch usage');
+      const data = await res.json();
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(data, null, 2)); return; }
+
+      console.log(chalk.bold(`\nUsage Summary (${options.period || 'month'}):\n`));
+      const d = data as any;
+      if (d.messagesSent !== undefined) console.log(`  Messages Sent:     ${brand.green(d.messagesSent)}`);
+      if (d.messagesReceived !== undefined) console.log(`  Messages Received: ${brand.green(d.messagesReceived)}`);
+      if (d.tasksCreated !== undefined) console.log(`  Tasks Created:     ${brand.green(d.tasksCreated)}`);
+      if (d.connections !== undefined) console.log(`  Connections:       ${brand.green(d.connections)}`);
+      if (d.creditsUsed !== undefined) console.log(`  Credits Used:      ${brand.green(d.creditsUsed)}`);
+      console.log('');
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+usage
+  .command('agents')
+  .description('Per-agent usage breakdown')
+  .option('--period <period>', 'Time window: day, week, month (default: month)')
+  .option('--limit <n>', 'Max agents to show (default: 20)')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching per-agent usage...').start();
+    try {
+      const params = new URLSearchParams();
+      if (options.period) params.set('period', options.period);
+      if (options.limit) params.set('limit', options.limit);
+      const qs = params.toString() ? `?${params}` : '';
+      const res = await fetch(`${API_URL}/usage/agents${qs}`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch agent usage');
+      const data = await res.json() as any;
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(data, null, 2)); return; }
+
+      const agents = Array.isArray(data) ? data : data.agents || [];
+      if (agents.length === 0) { console.log(chalk.yellow('\nNo usage data.\n')); return; }
+
+      console.log(chalk.bold(`\nPer-Agent Usage (${options.period || 'month'}):\n`));
+      for (const a of agents) {
+        console.log(`  ${chalk.bold(a.name || a.agentId)} (${chalk.cyan(a.agentId || a.id)})`);
+        if (a.messages !== undefined) console.log(`    Messages: ${a.messages}`);
+        if (a.tasks !== undefined) console.log(`    Tasks: ${a.tasks}`);
+        if (a.credits !== undefined) console.log(`    Credits: ${a.credits}`);
+        console.log('');
+      }
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== WEBHOOKS COMMAND ==========
+
+const webhooks = program
+  .command('webhooks')
+  .description(`Manage webhooks
+
+${chalk.bold('Examples:')}
+  $ gopherhole webhooks list
+  $ gopherhole webhooks create --url https://example.com/hook --events message.received,task.completed
+  $ gopherhole webhooks delete wh-abc123
+  $ gopherhole webhooks test wh-abc123
+`);
+
+webhooks
+  .command('list')
+  .description('List configured webhooks')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching webhooks...').start();
+    try {
+      const res = await fetch(`${API_URL}/webhooks`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch webhooks');
+      const data = await res.json() as any;
+      const hooks = Array.isArray(data) ? data : data.webhooks || [];
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(hooks, null, 2)); return; }
+      if (hooks.length === 0) { console.log(chalk.yellow('\nNo webhooks configured.\n')); return; }
+
+      console.log(chalk.bold('\nWebhooks:\n'));
+      for (const h of hooks) {
+        console.log(`  ${chalk.cyan(h.id)} — ${h.url}`);
+        console.log(`    Events: ${h.events?.join(', ') || 'all'}${h.description ? ` | ${chalk.gray(h.description)}` : ''}`);
+        console.log('');
+      }
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+webhooks
+  .command('create')
+  .description('Create a new webhook')
+  .requiredOption('--url <url>', 'HTTPS URL to deliver events to')
+  .requiredOption('--events <events>', 'Comma-separated event types (e.g., "message.received,task.completed")')
+  .option('--description <text>', 'Label for this webhook')
+  .option('--secret <secret>', 'Signing secret for HMAC-SHA256 verification')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Creating webhook...').start();
+    try {
+      const body: any = {
+        url: options.url,
+        events: options.events.split(',').map((e: string) => e.trim()),
+      };
+      if (options.description) body.description = options.description;
+      if (options.secret) body.secret = options.secret;
+      const res = await fetch(`${API_URL}/webhooks`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to create webhook'); }
+      const data = await res.json() as any;
+      spinner.succeed('Webhook created!');
+      console.log(`\n  ID:     ${chalk.cyan(data.id)}`);
+      console.log(`  URL:    ${data.url || options.url}`);
+      console.log(`  Events: ${body.events.join(', ')}\n`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+webhooks
+  .command('delete <webhookId>')
+  .description('Delete a webhook')
+  .option('-y, --yes', 'Skip confirmation')
+  .action(async (webhookId, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    if (!options.yes) {
+      const { confirm } = await inquirer.prompt([{
+        type: 'confirm', name: 'confirm', message: `Delete webhook ${webhookId}?`, default: false,
+      }]);
+      if (!confirm) { console.log(chalk.gray('Cancelled.')); return; }
+    }
+
+    const spinner = ora('Deleting webhook...').start();
+    try {
+      const res = await fetch(`${API_URL}/webhooks/${webhookId}`, {
+        method: 'DELETE',
+        headers: { 'X-Session-ID': sessionId },
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to delete webhook'); }
+      spinner.succeed(`Webhook ${chalk.cyan(webhookId)} deleted.`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+webhooks
+  .command('test <webhookId>')
+  .description('Send a test event to a webhook')
+  .action(async (webhookId) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Sending test event...').start();
+    try {
+      const res = await fetch(`${API_URL}/webhooks/${webhookId}/test`, {
+        method: 'POST',
+        headers: { 'X-Session-ID': sessionId },
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to test webhook'); }
+      const data = await res.json() as any;
+      spinner.succeed(`Test event sent. Response: ${data.status || data.statusCode || 'delivered'}`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== TENANT COMMAND ==========
+
+const tenant = program
+  .command('tenant')
+  .description(`View and manage tenant settings
+
+${chalk.bold('Examples:')}
+  $ gopherhole tenant settings
+  $ gopherhole tenant update --name "Acme Corp" --slug acme
+`);
+
+tenant
+  .command('settings')
+  .description('View current tenant settings')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching tenant settings...').start();
+    try {
+      const res = await fetch(`${API_URL}/auth/tenant/settings`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch tenant settings');
+      const data = await res.json() as any;
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(data, null, 2)); return; }
+
+      console.log(chalk.bold('\nTenant Settings:\n'));
+      if (data.name) console.log(`  Name:    ${brand.green(data.name)}`);
+      if (data.slug) console.log(`  Slug:    ${chalk.cyan(data.slug)}`);
+      if (data.plan) console.log(`  Plan:    ${data.plan}`);
+      if (data.email) console.log(`  Email:   ${data.email}`);
+      if (data.id) console.log(`  ID:      ${chalk.gray(data.id)}`);
+      console.log('');
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+tenant
+  .command('update')
+  .description('Update tenant name or slug')
+  .option('--name <name>', 'New display name')
+  .option('--slug <slug>', 'New URL-safe slug')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const body: any = {};
+    if (options.name) body.name = options.name;
+    if (options.slug) body.slug = options.slug;
+    if (Object.keys(body).length === 0) {
+      console.log(chalk.yellow('No changes specified. Use --name or --slug.'));
+      return;
+    }
+
+    const spinner = ora('Updating tenant...').start();
+    try {
+      const res = await fetch(`${API_URL}/auth/tenant`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to update tenant'); }
+      spinner.succeed('Tenant updated.');
+      if (body.name) console.log(`  Name: ${brand.green(body.name)}`);
+      if (body.slug) console.log(`  Slug: ${chalk.cyan(body.slug)}`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== PROFILE COMMAND ==========
+
+program
+  .command('profile')
+  .description(`Update your user profile
+
+${chalk.bold('Examples:')}
+  $ gopherhole profile --name "Jane Smith"
+  $ gopherhole profile --avatar https://example.com/photo.jpg
+`)
+  .option('--name <name>', 'Display name')
+  .option('--avatar <url>', 'Avatar image URL')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const body: any = {};
+    if (options.name) body.name = options.name;
+    if (options.avatar) body.avatarUrl = options.avatar;
+    if (Object.keys(body).length === 0) {
+      console.log(chalk.yellow('No changes specified. Use --name or --avatar.'));
+      return;
+    }
+
+    const spinner = ora('Updating profile...').start();
+    try {
+      const res = await fetch(`${API_URL}/auth/me`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to update profile'); }
+      spinner.succeed('Profile updated.');
+      if (body.name) console.log(`  Name: ${brand.green(body.name)}`);
+      if (body.avatarUrl) console.log(`  Avatar: updated`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== SECRETS COMMAND (workspace secrets) ==========
+
+const secrets = program
+  .command('secrets')
+  .description(`Manage workspace secrets
+
+${chalk.bold('Examples:')}
+  $ gopherhole secrets list ws-abc123
+  $ gopherhole secrets set ws-abc123 OPENAI_API_KEY sk-abc...
+  $ gopherhole secrets delete ws-abc123 OPENAI_API_KEY
+`);
+
+secrets
+  .command('list <workspaceId>')
+  .description('List secret keys in a workspace (values are never shown)')
+  .option('--json', 'Output as JSON')
+  .action(async (workspaceId, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching secrets...').start();
+    try {
+      const res = await fetch(`${API_URL}/workspaces/${workspaceId}/secrets`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch secrets');
+      const data = await res.json() as any;
+      const secretsList = Array.isArray(data) ? data : data.secrets || [];
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(secretsList, null, 2)); return; }
+      if (secretsList.length === 0) { console.log(chalk.yellow('\nNo secrets in this workspace.\n')); return; }
+
+      console.log(chalk.bold('\nWorkspace Secrets:\n'));
+      for (const s of secretsList) {
+        console.log(`  ${chalk.cyan(s.key || s.name)}`);
+      }
+      console.log('');
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+secrets
+  .command('set <workspaceId> <key> <value>')
+  .description('Create or update a workspace secret')
+  .action(async (workspaceId, key, value) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora(`Setting secret ${key}...`).start();
+    try {
+      const res = await fetch(`${API_URL}/workspaces/${workspaceId}/secrets`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'X-Session-ID': sessionId },
+        body: JSON.stringify({ key, value }),
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to set secret'); }
+      spinner.succeed(`Secret ${chalk.cyan(key)} stored.`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+secrets
+  .command('delete <workspaceId> <key>')
+  .description('Delete a workspace secret')
+  .option('-y, --yes', 'Skip confirmation')
+  .action(async (workspaceId, key, options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    if (!options.yes) {
+      const { confirm } = await inquirer.prompt([{
+        type: 'confirm', name: 'confirm', message: `Delete secret ${key}?`, default: false,
+      }]);
+      if (!confirm) { console.log(chalk.gray('Cancelled.')); return; }
+    }
+
+    const spinner = ora(`Deleting secret ${key}...`).start();
+    try {
+      const res = await fetch(`${API_URL}/workspaces/${workspaceId}/secrets/${key}`, {
+        method: 'DELETE',
+        headers: { 'X-Session-ID': sessionId },
+      });
+      if (!res.ok) { const err = await res.json(); throw new Error((err as any).error || 'Failed to delete secret'); }
+      spinner.succeed(`Secret ${chalk.cyan(key)} deleted.`);
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
+// ========== CREDITS COMMAND ==========
+
+program
+  .command('credits')
+  .description(`View credit balance
+
+${chalk.bold('Examples:')}
+  $ gopherhole credits
+`)
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const sessionId = config.get('sessionId') as string;
+    if (!sessionId) { console.log(chalk.yellow('Not logged in. Run: gopherhole login')); process.exit(1); }
+
+    const spinner = ora('Fetching balance...').start();
+    try {
+      const res = await fetch(`${API_URL}/credits/balance`, { headers: { 'X-Session-ID': sessionId } });
+      if (!res.ok) throw new Error('Failed to fetch credits');
+      const data = await res.json() as any;
+      spinner.stop();
+
+      if (options.json) { console.log(JSON.stringify(data, null, 2)); return; }
+
+      console.log(chalk.bold('\nCredit Balance:\n'));
+      if (data.remaining !== undefined) console.log(`  Remaining:  ${brand.green(data.remaining)}`);
+      if (data.total !== undefined) console.log(`  Total:      ${data.total}`);
+      if (data.used !== undefined) console.log(`  Used:       ${data.used}`);
+      console.log('');
+    } catch (err) { spinner.fail(chalk.red((err as Error).message)); process.exit(1); }
+  });
+
 // Parse and run
 program.parse();